Hello fellow Bsides CBR 2021 peeps and other visitors. This is our first-ever badge hacking post!!! The BSides CBR 2021 badge is sooooooo awesome. It has an eInk display which is something we have been wanting to get to play with at home so we are extra excited.
Dad helped us a LOT working all the stuff out below cause it’s our first time really doing much with one of the conference badges but we love electronics and are having heaps of fun playing with stuff. Plus we just started coding python a few weeks ago so was excited to see the badge flashing code was in python. A lot we don’t understand yet but some we do.
This article is just about how to restore the badge in case you kill it hacking it or want the original stuff back. We wanted to do this first before we tried to write our own simple hacks so we could get the badge back later. Also now we understand a bit about how to flash the badge so we can use some of the code from Penten to flash our own code later. We will start out simple and probably just try and get some pictures on the screen before we try and make badges that take over the world!!! :p
WARNING: We take no responsibility for your badges or this working. Use at your own risk. We are kids and don’t know much about electronics at all so this is what we hacked together with dad in a couple of hours mostly Googling and trying stuff out. He doesn’t know much either so don’t blame him, but he’s really good with the Googles 😉
To reflash the badge you will need the firmware which you can download from the 2021 Badge Git repository. You can also get the schematics and other stuff from here which will help with your own hacking.
Once you have downloaded the firmware you can start.
We recommend taking the top cover and frame off so you have easy access to the buttons and also you can see labels on the PCB. When you take the cover off it looks like this:
Getting the Python Modules
First, we need to check if we have all the python modules so we can run the script that flashes the badge. We need to check that all these modules have been installed:
- import argparse
- import json
- import logging
- import os
- import pathlib
- import pprint
- import subprocess
- import sys
- import termios
- import threading
- import box
- import colorlog
- import esptool
- import pyudev
- import serial
The only ones that were missing for us are in red above. The easiest way to check is to run python and then try and import each module. You will get a ‘No Module named’ error if it’s not installed, like this one.
$ python
Python 3.8.5 (default, Sep 4 2020, 07:30:14)
[GCC 7.3.0] :: Anaconda, Inc. on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import box
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'box'
>>>
You can use pip to install each one using pip install module_name but the box module had an error so we Googled and found this command will install it:
pip install --upgrade python-box[all]
Changing the Log Level
We had to do a LOT of Googling to work out how to flash the ESP as we hadn’t used this chip before. One thing we advise is in the scripts/daemon.py script, change:
LOG_LEVEL = logging.WARNING
to
LOG_LEVEL = logging.DEBUG
This way you get all the info as the script runs otherwise it’s hard to know what the issue is if something goes wrong.
Enable the ESP for Flashing
To enable the ESP ready for flashing, you need to hold down the ‘ESP BOOT’ button on the badge and then press the ‘ESP EN’ button at the same time. This sets the chip ready for flashing. If you want to see if it’s actually ready you can use a terminal program. We used tio on Linux. If you run tio /dev/ttyUSB0 you will get logging sent to the terminal from the badge. When you press the ESP BOOT and ESP EN buttons you should see:
rst:0x1 (POWERON_RESET),boot:0x3 (DOWNLOAD_BOOT(UART0/UART1/SDIO_REI_REO_V2))
waiting for download
ttp://downloads.arduino.cc/Hourly/samd/package_samd-hourly-build_index.jsonMake sure you close the terminal program before running the python script.
We found that pressing the ESP BOOT and ESP EN buttons wasn’t enough and we got a warning:
WARNING: Unable to detect ESP device at '/dev/ttyUSB0'
More Googling and found that people flashing this chip had to keep holding down the ESP BOOT button. We found we only had to hold it till we saw:
DETECT: Detected ESP device at '/dev/ttyUSB0'
Then you can let go of the button. So… putting all the stuff above together:
The Mos and Boo Secret Badge Programming Combo 😉
- Plug USB cable from badge “DUAL UART and POWER/CHARGE” plug to the computer
- Press and hold down ‘ESP BOOT’ button
- Press ‘ESP EN’ button
- Let go of ‘ESP EN’ button but keep holding down ‘ESP BOOT’ button
- Run daemon.py from the main folder
- When you see ‘
Detected ESP device at '/dev/ttyUSB0'let go of the ‘ESP BOOT’ button - Watch the badge get flashed. Well… watch the logging on your computer screen
If it all works you should see this below. At the end, we had to hit CTRL-C a few times to exit as it seems to just sit there.
./daemon.py
[badge.daemon] @ 2021-04-07 18:15:35,004 INFO: Detected CP2015 USB-UART at '/dev/ttyUSB0'
[badge.daemon] @ 2021-04-07 18:15:35,004 INFO: Attempting to scan for ESP device
[badge.daemon] @ 2021-04-07 18:15:35,329 DETECT: Detected ESP device at '/dev/ttyUSB0'
[badge.daemon] @ 2021-04-07 18:15:35,658 INFO: Download stub running on ESP at '/dev/ttyUSB0'
[badge.daemon] @ 2021-04-07 18:15:35,715 INFO: Flashing application image to ESP at '/dev/ttyUSB0'
[badge.daemon] @ 2021-04-07 18:16:01,632 SUCCESS: Finished flashing ESP at '/dev/ttyUSB0'
Enable the SAMD for Flashing (Update)
Just added this section as we didn’t realise you need to flash both chips separately. There is a second chip on the badge, an ATSAMD21 which also needs flashing. Looking at the info on the badge this chip controls the 8 RGB LEDs, the 3 user LEDs, 8 capacitive touch buttons, add on header and infrared receiver.
To put the SAMD in programming mode you double press the ‘SAM RST’ button and LED6 will glow blue and flash very slowly. Plug the badge into the second USB port labelled ‘SAMD USB (NO POWER)’ and run the ‘daemon.py’ script that you ran above. This time it will flash the SAMD chip. Make sure you have the badge power switch on or it won’t work as you don’t get power through this USB port.
Hope this helps someone. We have a feeling we will use this a lot as we break our badges trying new stuff 😀
0 Comments
Trackbacks/Pingbacks