TROOPERS conference badge
Electronic badges are all the rage at IT security conferences these days. I think DEFCON started it all with badges made by Joe Grand, but there have been many others, like the Sputnik RFID tags at 25C3, the expandable bunny badges at Easter Hegg, Munich, by lilafisch and friends, and Travis Goodspeed's badge for The Next Hope.
I created 210 interactive badges for the TROOPERS11 IT-sec conference in Heidelberg last month. They feature some ethereal vintage vacuum glassware - IN-16 nixie tubes made at the Reflector factory in Saratov in the former USSR in 1989. I purchased them new-old-stock from some handy guys in Lithuania.
A video of the badge in action:
Each conference attendee starts on zero. As they unlock achievements at the con - like sending postcards to their families, meeting the speakers, unlocking the secret in the badge, attending my SMT soldering workshop, etc, attendees level-up. Those who reached the highest levels were entered into a prize draw to win hacker goodies. I designed this levelling-up concept to connect with the central themes of the TROOPERS conference - personal progression, education, and becoming better IT security professionals. Florian did an amazing job of weaving the badge and the game concept into the very fabric of the conference.
The badge hangs around the neck from a CAT5 cable, rocking the network security image. Red for the speakers, green for everyone else. Here I am wearing the bare, prototype PCB. Have you any idea how difficult it is to find 750mm CAT5 cables? It's quite difficult.
As well as being the LANyard (sorry) the cable functions as the power switch, levelling-up mechanism, programming interface and debug output (and attack vector for intrepid hardware hackers!). When an attendee unlocked an achievement, he took his badge to the information desk where one of the organising staff would plug in a special dongle to update his score. The dongle is simply a TI Launchpad (MSP430G2231) with a CAT5 cable soldered on, running some custom firmware to transmit a magic byte over SPI to the badge.
The batteries and electronics are on the back of the badge.
My original, crappy, control scheme. The green trace is the DCDC output voltage. The red trace is a moving average of this voltage to take out a bit of noise. The setpoint (desired voltage) is in blue, and the value of the PWM signal delivered to the FET is shown in turquoise. The output voltage roughly follows the setpoint, but it is very wobbly when the setpoint is low, and can't quite keep up when it is high.
Note I am ramping the setpoint up and down to get the nixie to fade in and out.The change in gradient near the top of the peak is deliberate - it makes the fading look more consistent to the human eye.
Please ignore the x axis label. It isn't actually graduated in seconds. This whole graph probably shows about 5 seconds of data, not several hours!
|The PID control scheme is a dramatic improvement. The output voltage (green) tracks the setpoint (blue) perfectly. To achieve this, the PWM value (turquoise) is being adjusted in a much more subtle way than before. The red trace shows the error (difference between the true output voltage and the setpoint).|
|Next I worked on the microphone noise cancellation. The blue trace is the microphone voltage (recorded in silence). Note the "blob" of noise when the nixie voltage (red) is high. The green trace is a very long moving average used to establish the DC level of the microphone reading. The turquoise trace shows the PWM values being delivered to the FET. I used this signal as the basis of the cancellation function because its shape is very similar to the noise "blob" in the microphone data..|
|Here are the results. The blue trace is the input, as before.The yellow trace is the processed signal. On the left I was silent. The DCDC-induced noise "blob" is successfully filtered out, but speech (right half) is largely passed through. Sensitivity is pretty crap when the DCDC voltage is high, but it's the best I can do without a hardware fix!|
The firmware is written in C, compiled under linux with avr-gcc, and flashed to the badge with avr-dude. I use the AVR Dragon programmer, but there are other options available. At the con, Kevin Redon dumped the firmware binary out using a Bus Pirate, made some modifications, and pumped it back in. He also scored himself an instant 9 by editing the EEPROM image. Respect. Several other guys performed some simple hardware hacks too, shorting segments on, etc., but Kevin's work was the most impressive I saw.
If you're a masochist, you can also debug the AVR over Debugwire using avarice and gdb. It's unbelievably flaky, though.
The firmware is highly modular and fairly self-explanatory. It is largely interrupt based, making extensive use of the timer peripherals.
Lots of people asked me about this. It's just an empty bit of board with some 0.1" spaced through hole pads and 0.05" spaced SMT pads where you can solder on your own components. The conference attendees are mostly software guys. I wanted to give them a platform that is really easy to hack so that those with budding hardware hacking interests have a low barrier to entry. For maximum flexibility, no electrical connectivity is provided. You can just use wire. I also broke out every pin of the AVR to a pair of through-hole solder points for maximum hackability. So say you want to make your badge into a clock, you could solder a crystal onto the AVR's clock pins. Or if you want to add some radio functionality you could solder your radio chip onto the hacking area, and wire it up to the AVR. Go nuts - totally freeform hacking space.
The high voltage section is insulated with heatshrink sleeving and self-levelling silicone encapsulant (great stuff, by the way). If you dig your way through it is possible to get a mildly painful shock, but there isn't enough energy stored in the DCDC to do you any harm. Don't take my word for it, though. If you're ancient / part cyborg / whatever, I wouldn't push your luck!
That was quite some undertaking! I outsourced the manufacture and assembly of the PCB's, of course, but I placed the nixies myself. All 210. This entailed trimming the nixie legs to the right length, soldering all 13 of them to the PCB (6 on the front, 7 on the back), adding heatshrink sleeving and insulating the finished item with silicone. I made some lovely jigs to process the nixie tubes, cut precise lengths of heatshrink and hold everything in place during soldering. Check out these videos:
A closeup of the assembly jig. The perspex assembly (rear) holds the nixie perfectly centred within the cutout in the PCB. The spring steel, aluminium and FR4 assembly (front) clamps the legs down onto the PCB, leaving both of my hands free to solder.
It turns out that 210 is quite a lot of things.
So if you're the lucky owner of a TROOPERS badge, I hope this information inspires you to hack it to do something new! At the very least, please take care of your nixie tube! They are a scarce resource. They haven't been manufactured since the early nineties.
I held a little SMT soldering workshop at the con, where attendees could upgrade their badge to speaker status by soldering on the extra LED's, resistors and microphone. Someone remarked that it was probably the most romantic soldering workshop ever! (Thanks to Insinuator for the photo).
Once again, many thanks to Florian, Enno, Daniel and all at ERNW - thoroughly enjoyed it!
Please ask questions in the comments / by email / twitter, and I'll help you out. If you're running your own con, and would like some similarly insane badges, give me a shout.
Have a look at my flickr account / youtube channel for more media.