Announcing The 2025 Hackaday Superconference Communicator Badge

It’s the moment you hard-core hardware nerds have been waiting for: the reveal of the 2025 Hackaday Supercon Communicator Badge. And this year, we’ve outdone ourselves, thanks to stellar collaboration with folks from the community and help from sponsors. This badge is bigger than the sum of its parts, and we’ve planned for it to be useful for you to hack on in the afterlife. Indeed, as always, you are going to be the final collaborator, so we can’t wait to see what you’ll do with it.

We’re going out – wide out – on a limb and trying to create a dense mesh network of badges talking to each other at Supercon. It’s going to be like a badge-hosted collection of chat rooms, as connected as we can make them without talking over each other.

You look up a topic, say Retro Computing or SAO trading, punch in the channel number on the numpad, and your badge starts listening to everything going on around that topic. But the badges also listen to everything else, and repeat anything they hear on to their neighbors. Like IRC, but LoRa.

Meshtastic: A Tale Of Two Cities

If I’m honest with myself, I don’t really need access to an off-grid, fault-tolerant, mesh network like Meshtastic. The weather here in New Jersey isn’t quite so dynamic that there’s any great chance the local infrastructure will be knocked offline, and while I do value my privacy as much as any other self-respecting hacker, there’s nothing in my chats that’s sensitive enough that it needs to be done off the Internet.

But damn it, do I want it. The idea that everyday citizens of all walks of life are organizing and building out their own communications network with DIY hardware and open source software is incredibly exciting to me. It’s like the best parts of a cyberpunk novel, without all the cybernetic implants, pollution, and over-reaching megacorps. Well, we’ve got those last two, but you know what I mean.

Meshtastic maps are never exhaustive, but this gives an idea of node density in Philly versus surrounding area.

Even though I found the Meshtastic concept appealing, my seemingly infinite backlog of projects kept me from getting involved until relatively recently. It wasn’t until I got my hands on the Hacker Pager that my passing interest turned into a full blown obsession. But it’s perhaps not for the reason you might think. Traveling around to different East Coast events with the device in my bag, it would happily chirp away when within range of Philadelphia or New York, but then fall silent again once I got home. While I’d get the occasional notification of a nearby node, my area had nothing like the robust and active mesh networks found in those cities.

Well, they say you should be the change you want to see in the world, so I decided to do something about it. Obviously I wouldn’t be able to build up an entire network by myself, but I figured that if I started standing up some nodes, others might notice and follow suit. It was around this time that Seeed Studio introduced the SenseCAP Solar node, which looked like a good way to get started. So I bought two of them with the idea of putting one on my house and the other on my parent’s place down the shore.

The results weren’t quite what I expected, but it’s certainly been an interesting experience so far, and today I’m even more eager to build up the mesh than I was in the beginning.

The Practicality Of Solar Powered Meshtastic

A Meshtastic node has been one of the toys of the moment over the last year, and since they are popular with radio amateurs there’s a chance you’ll already live within range of at least one. They can typically run from a lithium-ion or li-po battery, so it’s probable that like us you’ve toyed with the idea of running one from a solar panel. It’s something we have in common with [saveitforparts], whose experiments with a range of different solar panels form the subject of a recent video.

He has three different models: one based around a commercial solar charger, another using an off-the-shelf panel, and a final one using the panel from a solar garden light. As expected the garden light panel can’t keep an ESP32 with a radio going all day, but the other two manage even in the relatively northern climes of Alaska.

As a final stunt he puts one of the nodes out on a rocky piece of the southern Alaskan coastline, for any passing hacker to find. It’s fairly obviously in a remote place, but it seems passing cruise ships will be within its range. We just know someone will take up his challenge and find it.

Two For The Price Of One: BornHack 2024 And 2025 Badges

BornHack is a week-long summer hacker camp in a forest on the Danish island of Fyn, that consistently delivers a very pleasant experience for those prepared to make the journey. This year’s version was the tenth iteration of the camp and it finished a week ago, and having returned exhausted and dried my camping gear after a Biblical rainstorm on the last day, it’s time to take a look at the badges. In case you are surprised by the plural, indeed, this event had not one badge but two. Last year’s badge suffered some logistical issues and arrived too late for the camp, so as a special treat it was there alongside the 2025 badge for holders of BornHack 2024 tickets. So without further ado, it’s time to open the pack for Hackaday and see what fun awaits us.

Hands On: The Hacker Pager

It should come as no surprise that the hacker community has embraced the Meshtastic project. It’s got a little bit of everything we hold dear: high quality open source software, fantastic documentation, a roll-your-own hardware ethos, and just a dash of counterculture. An off-grid communications network cobbled together from cheap parts, some of which are strategically hidden within the urban sprawl by rogue operators, certainly sounds like the sort of thing you’d read about in a William Gibson novel.

But while the DIY nature of Meshtastic is one of its most endearing features for folks like us, it can also be seen as one of its weak spots. Right now, the guidance for those looking to get started is to pick a compatible microcontroller development board, 3D print a case for it, screw on an antenna from AliExpress, flash your creation with the latest firmware, and then spend some quality time with the documentation and configuration tools to actually get it on the air. No great challenge for the average Hackaday reader, but a big ask for the weekend adventurer that’s just looking for a way to keep in touch with their friends while camping.

Quality hardware that offers a turn-key experience will be critical to elevating Meshtastic from a hobbyist’s pastime to something that could actually be fielded for applications such as search and rescue. Plus, let’s be honest, even those of us who like to put together our own gadgets can appreciate a more consumer-oriented piece of hardware from time to time. Especially if that hardware happens to be open source and designed to empower the user rather than hold them back.

Enter the Hacker Pager from exploitee.rs. As the name implies, it’s still very much a device intended for hackers — a piece of hardware designed for the halls of DEF CON rather than trekking through the wilderness. But it’s also an important step towards a new generation of Meshtastic hardware that meets the high standard of quality set by the software itself.

This Week In Security: That Time I Caused A 9.5 CVE, IOS Spyware, And The Day The Internet Went Down

Meshtastic just released an eye-watering 9.5 CVSS CVE, warning about public/private keys being re-used among devices. And I’m the one that wrote the code. Not to mention, I triaged and fixed it. And I’m part of Meshtastic Solutions, the company associated with the project. This is the story of how we got here, and a bit of perspective.

First things first, what kind of keys are we talking about, and what does Meshtastic use them for? These are X25519 keys, used specifically for encrypting and authenticating Direct Messages (DMs), as well as optionally for authorizing remote administration actions. It is, by the way, this remote administration scenario using a compromised key, that leads to such a high CVSS rating. Before version 2.5 of Meshtastic, the only cryptography in place was simple AES-CTR encryption using shared symmetric keys, still in use for multi-user channels. The problem was that DMs were also encrypted with this channel key, and just sent with the “to” field populated. Anyone with the channel key could read the DM.

I re-worked an old pull request that generated X25519 keys on boot, using the rweather/crypto library. This sentence highlights two separate problems that can both lead to unintentional key re-use. First, the keys are generated at first boot. I was made painfully aware that this was a weakness when a user sent an email to the project warning us that he had purchased two devices, and they had matching keys out of the box. When the vendor had manufactured this device, they flashed Meshtastic on one device, let it boot up once, and then used a debugger to copy off a “golden image” of the flash. Then every other device in that particular manufacturing run was flashed with this golden image — containing the same private key. sigh
