Hackbat

In the cybersecurity field, engineers are always looking for vulnerabilities in order to fix them and prevent other actors could taking advantage of them. The tools used by these engineers can be expensive and, on many occasions, the tools don't fit exactly with the requirements that engineers need. In this project, I want to present an open-source hardware platform with some tools used in cybersecurity, especially in pen testing. The board is named Hackbat and features an RF transceiver, NFC communication, SD card, USB, and WIFI. All of this is managed by the Raspberry PI microcontroller RP2040. The schematic and the PCB design are open-source and are available on GitHub. Let's take a part-by-part look at the Hackbat.

RP2040

The Raspberry Pi microcontroller RP2040 is the brain of the Hackbat. The main features of this MCU are:

• Dual-core Arm Cortex-M0+ processor, flexible clock running up to 133 MHz 264kB on-chip SRAM
• 2 × UART
• 2 × SPI controllers
• 2 × I2C controllers
• 16 × PWM channels
• 1 × USB 1.1 controller and PHY, with host and device support
• 8 × Programmable I/O (PIO) state machines for custom peripheral support
• Operating temperature -40°C to +85°C
• Drag-and-drop programming using mass storage over USB
• Low-power sleep and dormant modes
• Temperature sensor
• Accelerated integer and floating-point libraries on-chip

The RP2040 can be programmed using Arduino IDE, Python or C++.

The RP2040 does not have an internal FLASh memory so we need to add it externally. The default memory is the Wibond W25Q32JVZP. It is a 32Mbit memory which will be enough for many projects. If we need more memory, we can use larger memories as 128 Mbits using the same package.

To program the RP2040, the hackbat uses a pushbutton that must be pushed in the power-up-. This button holds the FLASH memory so the RP2040 loads the bootloader. Then, in the host, an external storage device will be created. To write a program on the device we just need to drag and drop the u2f file to the storage device.

Display

The OLED display used in the HackBat is 128x64 pixels, with the driver SH110X. The device also allows OLED with SSD1306, but notice that the VCC and GND pins are reversed, so you need to change the 0-ohm resistors of those pins.

Both OLED drivers are connected to the RP2040 over an I2C. To use the displays we can use the Adafruit libraries (SH110x, SSD1306).

RF

The Hackbat features a CC1101 from Texas Instruments. CC1101 is a low-cost sub-1 GHz transceiver. It has been designed to operate in frequency bands at 315, 433, 868, and 915 MHz.

For the Hackbat, the RF balun is configured for 433 MHz, however, by changing the passive components values we can make it work with 868MHz.

The default antenna is soldered to the board.

However, if you need more gain, the hackbat also allows you to solder an SMA connector and use an external antenna.

NFC

For the NCF communication, the Hackbat uses an external board with the PN532. This IC uses the 13.56 MHz band, the same used with NFC cards and tags. The PN532 allows to read, write, clone, and emulate NFC cards so it can be used also as an NFC card.

Since the NFC interface requires an antenna, I decided to use an external module that includes the integrated circuit and all the external elements needed for the NFC communication.

The module allows to connect to the PN532 over UART, i2C ans SPI.

The module is connected on the back side of the Hackbat.

SD Card

On the back of the Hackbat, we can find an SD Card socket. This can be used to store the keyboard injection files, or external apps that can be run into the device.

The SD card uses an SPI interface, different from the interface used for CC1101. In addition, the socket used has a card detection pin, so we can detect when an SD card is inserted.

WIFI

For the WIFI interface, Hackbat features an ESP-12F module, which is based on the ESP8266, a microcontroller with 2.4GHz WIFI. One advantage of using this module instead of just the ESP8266 is that the antenna is integrated into the module as long as the oscillator and almost all the external components needed by the IC. In the hackbat board, we just need to add some external pull-up resistors in the reset and the enable inputs, and a pull-down resistor in the GPIO15. Also, there is a pushbutton connected to the GPIO0 to activate the bootloader and allow to program the IC.

The ESP-12F module is programmed through a UART interface. Usually these modules are connected to a USB-UART bridge, but this will add an extra USB connector to the board so the Hackbat uses the RP2040 to program the ESP-12F module. To do that we just need to load into the RP2040 the code to create a dual port USB-UART bridge. On GitHub we can find the pico uart bridge project, which does exactly what we need. Since this program generates two different UART ports, the Hackbat has an external connector with the other interface, so we can use the Hackbat as a USB-UART bridge.

DIO

In order to interact with the board, it has 5 push buttons, besides the programming buttons, as well as two LEDs connected to the RP2040, and another led connected to the ESP-12F module.

Those push buttons are placed in a cross way, so they can be used as a controller for the menu.

Get Yours

The Hackbat is open-source, so you can use the output files to manufacture your own in JLCPCB. You just need to compress the /output_files directory of the repository and upload it to JLCPCB.

Remember to change the Surface Finish to LeadFree HASL to make your board ROHS compliant.

Then you have to add the PCB Assembly service and upload the centroid file, and the BOM.