NoNameBadge 2020: monitors air quality around you

NoNameBadge 2020: monitors air quality around you

8 August 2020
Embedded, AppSec, BadgeLife

NoNameBadge 2020
NoNameBadge 2020

Our last year’s badge for NoNameCon received surprisingly positive feedback from conference visitors. A whole fan community emerged around it that has since created numerous projects using badge hardware. Now that we have a certain level of expectations set let’s dive deep into implementation 😎

This year, the concept of the badge has changed a bit. We decided not to use ready-made dev boards, but to develop the entire board from scratch.

This increased the cost of the badge by about 50 percent. On the other hand, after receiving the batch from the Chinese PCB warehouse, the only thing we need to do is flash the firmware. Say goodbye to heroic volunteer suffering and hurting fingers from soldering for numerous hours.


Two versions diff
Two versions diff

DC-DC - red badge only
DC-DC - red badge only

Red & black #

The development was done in two iterations. There’s nothing special to be described: slightly simplified the battery supply scheme, added power protection, and a killswitch. Everything else turned out to be working in both versions.

Creators Edition #

Creators Edition badges
Creators Edition badges

The badge was designed for a specific functionality - air quality monitoring, which includes temperature, humidity, pressure, and indoor air quality indicator (IAQ), which use volatile organic compounds (VOCs) measurements as well.

VOCs are organic chemicals that have a high vapor pressure under normal conditions - this allows them to be present in the air in significant concentrations. VOCs include a wide range of organic compounds such as hydrocarbons, aldehydes, alcohols, ketones, terpenoids, and others.

This functionality is optional, available only to those who have purchased NoNameBadge Supporter Ticket. Everybody else will be able to buy additional components (available in numerous hardware stores) and solder them by themselves.

What does NoNameBadge Supporter Ticket include?

  • BME680 environmental sensor
  • 2 OLED screens
  • 2 joysticks
  • 18650 battery holder and power switch
  • USB Type-C cable for connecting the badge to the power supply or computer
  • our gratitude for the development support (a tiny surprise)
  • keyring with logo from the badge visor

TechMaker keyring
TechMaker keyring

Kidding :) We’ll keep the logo keyrings.

Badge firmware automatically detects the presence of sensors and displays. The display will show Temperature (C), Humidity (%), Pressure (hPa), and IAR (index). LEDs on the badge work in a “traffic lights” style to give an understanding of whether everything is good, not so much, or very bad :)

Do you see yellow? - ventilate the room 😝 Do you see red? - time to take out the garbage 😁

Optionally, you can take our firmware and modify it to work with your own server via HTTP or MQTT.

⚠️⚡ The 18650 battery terminals together with the metal lid of your laptop can relatively easily create an unforgettable experience of observing the electric welding process. ⚡⚠️

⚠️⚡ CAUTION! DO NOT SHORT CIRCUIT THE BATTERY! ⚡⚠️

Or do that, film it, get burnt and earn millions of views on social networks ¯\_(ツ)_/¯

Basic Edition #

Basic badge
Basic badge

The basic version contains touchpads for RGB LEDs control, a couple of regular LEDs, and a minimal set of components for power and programming ESP32 via USB Type-C. The firmware contains CTF tasks that start after establishing a connection to the badge via minicom / miniterm / putty / screen or similar serial terminal utilities.

For further firmware modifications and badge upgrades, we provide the source code of the public part of the firmware (without CTF) and the schematic of the badge hardware.

Bonus: there’s a footprint for soldering CAN bus module and a terminal block. We have an internal joke that whatever we do turns into CAN bus reverse engineering 🤨

Capture the Flag #

Capture the Baloon
Capture the Baloon

This section will be updated after the start of the conference. So far it is known that there will be 6-7 tasks related to cybersecurity of embedded systems. Some of the tasks are re-done due to COVID-19 epidemic, social distancing rules, and the absence of the offline part of the conference.

It is well known that all tasks are based on real vulnerabilities that we have encountered during our research and product development. Among them were industrial machines, network equipment, elements of the “smart home”, and some automotive products.

Last year we saw interesting approaches and problem-solving techniques. We hope that someone will be able to complete the 2020 set of tasks in the given time. The tasks are difficult but possible to solve. Some solutions have been tested for 3-4 months :) This is a period of time over which you forget the details and write the exploit from scratch rather than remember the nuances of implementation.

Special thanks to those who agreed to test the complexity of the tasks, sacrificing the pleasure of surprise and the spirit of competition!

Hardware Details #

ESP32-WROOM-32D
ESP32-WROOM-32D

The badge is based on the Espressif ESP32-WROOM-32D module, documentation for it can be found on the official website.

From a hardware point of view, the PCB in Creators Edition and Basic Edition are the same - the only difference is that not all components / modules are populated in Basic Edition. In the schematic, such components are labeled DNM (do not mount).

Black Badge Schematic (v2.1) in PDF format

Schematic page 1/3
Schematic page 1/3
Schematic Page 2/3
Schematic Page 2/3
Schematic page 3/3
Schematic page 3/3

We couldn’t live without hotfixes :) We did not put protection against the reverse polarity of the battery, so Creators Edition ready-made boards were modified and soldered.

Battery reverse polarity hotfix
Battery reverse polarity hotfix

ESP32-WROOM Pinout #

All pin functions of the ESP32-WROOM module are well described in the article by Random Nerd Tutorials. In general, due to usage of GPIO Matrix, you can set any peripheral output to any pin of the module. The image below shows the names of the pins and their main functions.

ESP32-WROOM-32D pin functions
ESP32-WROOM-32D pin functions

Badge Pinout #

All the main modules on the badge are connected to the pins of the microcontroller. Screenshot from the black badge schematic:

Badge ESP32 connections
Badge ESP32 connections

UART for Programming #

PinFunction
IO1 (U0TXD)UART Tx
IO3 (U0RXD)UART Rx
ENUART DTR
IO0 (BOOT)UART RTS

The ESP32 MCU has an option to update the firmware via the UART interface. The board uses the CP2102N USB-UART converter to update the firmware, communicate with the badge via console and output logs. Pin EN performs the function of a microcontroller reset, MCU powers up when this pin has 3.3V on it. If during bootup pin IO0 has 3.3V voltage applied, the chip will start executing code, if 0V applied - it enters bootloader for firmware update. To automatically switch ESP32 to bootloader mode and back, the EN and IO0 pins are connected to the Harware Flow Control of CP2102N. They are also connected to “RST” and “BOOT” buttons for manual control.

I2C Bus #

PinFunction
IO16I2C0 SCL
IO17I2C0 SDA
IO25I2C1 SCL
IO26I2C1 SDA

The following devices are connected to the I2C0 bus:

  • BME680 - environmental sensor, has the address 0x77
  • PCA9539PW - GPIO expander with joysticks connected, has the address 0x74

BME680 Environmental sensor
BME680 Environmental sensor
PCA9539 + 5-position joysticks
PCA9539 + 5-position joysticks

The following devices are connected to the I2C1 bus:

  • SSD1306 OLED 0.96" screen (left), has an address of 0x3D
  • SSD1306 OLED 0.96" screen (right), has an address of 0x3C

SSD1306 OLED 0.96" display
SSD1306 OLED 0.96" display

During firmware start, I2C0 and I2C1 buses are scanned for devices present. For Creators Edition badge you will see the following output:

I2C0: detected 2 devices
      [0x74] GPIO expander (Joysticks)
      [0x77] BME680
I2C1: detected 2 devices
      [0x3C] OLED right
      [0x3D] OLED left

TouchPads #

PinFunction
IO2 (TP2)Down
IO15 (TP3)Up
IO13 (TP4)Right
IO12 (TP5)Left
IO14 (TP6)Chip (right)

The black badge has five touch buttons: four arrows and a right-side TechMaker chip. The left-side chip is connected to the IO5 pin, which, unfortunately, does not have TouchPad functionality, so it is not available ¯\_(ツ)_/¯.

Five touchpads
Five touchpads

Buttons \ LEDs #

PinFunction
ENRST Button
IO0BOOT Button
IO18WS2812 LEDs
IO23Blue LED

WS2812B-MINI-V3 addressable LEDs (also known as Neopixels) are used, and they are connected in series. There are total of 18 LEDs and the output of the last one is routed to the J4 connector so it’s possible to connect additional external LED strips \ matrices \ rings.

WS2812B LED strips
WS2812B LED strips

CAN Bus #

PinFunction
IO21CAN Rx
IO22CAN Tx

It is possible to connect the CAN bus transceiver module with a screw terminal block on the badge, but they are not included in any edition. The connector is made suitable for the CJMCU-2551 module, which is based on MCP2551 with 5V power supply.

CJMCU-2551 CAN bus transceiver
CJMCU-2551 CAN bus transceiver

Shitty Addon Connector #

PinFunction
IO16I2C0 SCL
IO17I2C0 SDA
IO32GPIO1
IO33GPIO2

To expand the functionality of the badges on we added the DEFCON popular Shitty Addon Connector v1.69bis.

Shitty Addon
Shitty Addon

Where to buy #

Modules can be purchased on Aliexpress, or in maker stores like Adafruit, Sparkfun, etc.

Stay tuned #

Here we will post links to additional materials: diagrams, code, instructions, etc.

These are the guys you wanna punch in case your badge is faulty:

TechMaker team: Sasha, Andrey, Artem
TechMaker team: Sasha, Andrey, Artem


We write about such stuff on TechMaker Facebook page and teach it at Courses