A TROOPER’s Keyboard, part2

Greetings fellow TROOPERs,

TROOPERS14 has come to an end, and it’s finally time to let you have a go at the Badge’s source code. As promised, it was slightly modified and extended, to show you the full potential of your new gadget. I’ve added some nice payloads from Nikhil Mittal and a few own ones. Above that, for those who took their parts for soldering home, I’ve also added a few quick instructions on how to do the soldering.

Blending Gold with Silver

Soldering our TR14 Badge is quickly done, you just need to add 16 parts. When opening your bag of parts you ought to find 4 (maybe just 2) push buttons, 4 blue resistors (4.7kOhm), 4 turquoise resistors (1kOhm) and 4 LEDs.

  • The push buttons can be soldered on any way round (as long as they fit the holes!)
  • The blue resistors (4.7kOhm) go onto the 4 slots on the bottom half of the Badge
    It does not matter which way round you place them!
  • The turquoise resistors (1kOhm) go onto the top half of the Badge
    It does not matter which way round you place them!
  • The LEDs come in two different colours, a set of 3 in the same colour and a single one in a different colour
    If the LED’s cases are all transparent, the single LED should have slightly bent legs!
    The single LED, a status LED, goes onto the left LED spot, the other three go on the right
    As you can see, the drawing for the LEDs on the Badge is flat on one side, the LED itself is the same! Be sure to check where the flat side is, as this is the correct way to place the LED

To be on the safe side, you should remove the Arduino before soldering! Simply and carefully pull it away from the Badge in a straight line (you might need a reasonable amount of force to do so!).

You may want to listen to this song while soldering.

The Flash a-ah

You will probably want to flash your very own blend of payloads onto the Badge, which can be done very quickly. Your best solution will be to download a copy of the Arduino IDE and install it. You can then open the work.ino from our source code archive (further down).

In the top left corner you will see a button with an horizontal arrow pointing to the right. This is the button that will flash your badge. You might also have to press the reset button on your Badge, which is on the Arduino board, just next to the USB socket.

The flash process will not change your TROOPERS14 authID as this is stored safely in the chips EEPROM.

Utilizing the whole Payloadset

That’s your challenge! You will have to adjust a few lines of code to enable full functionality. Just check the comments in the source code.

Adding own Payloads

To add new payloads, simply add the functions to the payloads tab (or add an own one). Payloads are called via the do_payload(byte id) function, where the byte is the payload’s id, so you will also have to add your payload here. The payload overview in the serial menu is placed in the sprint_payloads() function in the payload_descriptions tab. Surely it’s not a must to add your payload here, but will increase usability if you ever pass it on to someone else.

A description on how payloads are actually written can be found in the first blogpost on the TROOPERS14 Badge.

Badge Recovery

If you seem to have bricked your badge, you might need to clear the EEPROM (it will overwrite your TROOPERS14 authID). This can be done with just a few lines of code.

#include <EEPROM.h>
void setup(){
  for (int i=0; i<1500; i++){    EEPROM.write(i,””);   }
void loop(){}

This will erase your Badge’s EEPROM and reset all configuration data to NULL. When reattaching the Badge, it will bring up a serial menu, where you need to go through our provisioning process. You may just type a random string, and it will be stored as your new authID.

Otherwise you could use the erasemem command from the serial menu.

A Warning Disclaimer

Always be careful when using the Badge against any kind of system. It should be obvious that you must not use the Badge on any system that does not belong to you, but even when using it against your own, keep the consequences in mind. You don’t want an admin account called “Owned” with the Password “0wn3d” on your live system. Best only use it against lab systems or be sure to know how to clean up your system afterwards.

Mitigating Controls

To protect a system from malicious keyboard input, all USB ports should be deactivated and the device’s keyboard removed. What is necessary for a successful attack? The core aspect is access to an input window (shell, powershell, cmd, you name it…). This attack vector is just as trivial as the resulting control: Lock your system! An attacker will not be able to run commands on your device, if he can’t access it (unless of course there are actual exploits available) he won’t be able to type and execute any malicious commands. One always has to keep in mind, that the Badge does not do any magic at all, nor does it use magic functions. It types just as we all do, just quicker and skipping the physical keyboard. It’s only advantage is it’s speed. While normal person would maybe need 5min to execute some commands, the Badge will do it in seconds. So the fact that you’re “only going to get a cup of coffee” is not safe enough!

A Quick Offer

As there was quite some interest in carrying on using the Badge and utilizing it for internal presentations and awareness campaigns, if you need any further advice or support, feel free to contact us!

The Final Thank You

Thank you all for the great time during TROOPERS14 and the awesome feedback! I hope you’re all going to have some fun with the Badge, if you decide to extend or modify it, don’t forget to let us know!


Download me!


We’ll shortly add an extra link to a GitHub project right here!