Hubert Hackin''

NSEC26 Badge Shenanigans - Thu, May 28, 2026 - Marx314

This is not the write up you're looking for | Badge Physical | Nsec26

Significant Other: not another badge again, you're going to get a stiff neck with that around your neck

Another year, another badge. Now that I’ve decided to keep it, I must use it for the greater good.

The little one doesn’t use a screen to put on music

badge flashing on the use of Victor Timberlake ID Card

The little one taps a card on a glowing magic thing and the music box just plays.

No unlock screen. No YouTube rabbit hole. They walk up, tap, and Petit poney from Dieudonné or whatever has currently colonized their my brain fills the room.

2025 CTF Number Station vibe

The little one walks away satisfied, and I stand there, equal parts proud and mildly destroyed by the song choice.

This is the story of how a NorthSec conference badge became the most useful annoying thing in the room.


I came home from a NorthSec 2026 conference with a badge and a vague sense of guilt

Every year I go to NorthSec. Every year I come back with hardware I’m slightly embarrassed about not using. This year the badge was perfect: an ESP32-S3, an NFC front-end. Hardware that deserved better than a shelf. Also I have some spare Claude tokens to burn until I cancel my subscription.

NorthSec 2026 Badge


The actual problem: screens lead to more screens

My spawn has opinions about music. Best listened to on repeat. I wanted to give the little one some freedom. I wanted the little one to be able to pick music, without asking me to reach the Sonos app god I hate this ecosystem, and without getting sucked into a screen. The badge was still on the shelf.


Into the firmware

I’m not going to lie here

I asked Claude to do a barrel roll make my badge do cool stuff. I will not pretend this was elegant. The whole thing is “vibecoded” because that is the correct word for what happened. I opened PlatformIO. I found the ST25R3916 driver docs. I found that the 2026 badge doesn’t wire a hardware IRQ line to the MCU, so I had to patch the vendored chip driver to work in polled mode. I learned what “RFAL abstraction layer” means the hard way.

badge nfc close up, wait is it 21 or 22, the llm overlord asked me to check if the 22 pin is wired IRQ

The llm overlord asked me to check if pin 22 is wired to the ESP32. Pin 22 has a trace but it goes into a middle layer? Ask some llm overlord to fix it for me. I prompt it to reverse the initial firmware. It ranted something about SPI.

After a few iterations of back and forth, brute-forcing GPIO and guessing how to play with the NFC chip, the overlord did it.
There were evenings. There was coffee. There were moments where a tag left sitting on the reader would randomly replay its webhook every ten minutes because the chip re-averages its field baseline and re-classifies the card as new. (I added edge-triggering. It watches for the field to go quiet before re-firing. The README has a warning about this anyway, because some people will make a stand for their NFC reader and I respect that choice.)
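
The edge-triggering idea described above, sketched as an added example (this is not code from the badge firmware): a filter fed one result per poll that fires once per tap and re-arms only after the field has stayed empty for a while. `tap_filter_t`, `QUIET_POLLS` and the trace format are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define UID_MAX     10  /* ISO 14443-A UIDs are 4, 7 or 10 bytes */
#define QUIET_POLLS 3   /* assumed: empty polls needed before re-arming */

typedef struct {
    uint8_t last_uid[UID_MAX];
    uint8_t last_len;   /* 0 = no card remembered */
    uint8_t quiet;      /* consecutive polls with an empty field */
    bool    armed;      /* true once the field has been quiet long enough */
} tap_filter_t;

void tap_filter_init(tap_filter_t *f) {
    memset(f, 0, sizeof *f);
    f->armed = true;
}

/* Feed one poll result; uid == NULL means nothing answered this poll.
 * Returns true only on the poll where the webhook should fire. */
bool tap_filter_poll(tap_filter_t *f, const uint8_t *uid, uint8_t len) {
    if (uid == NULL || len == 0) {
        if (f->quiet < QUIET_POLLS && ++f->quiet == QUIET_POLLS) {
            f->armed = true;    /* field really went quiet: forget the card */
            f->last_len = 0;
        }
        return false;
    }
    if (len > UID_MAX) return false;     /* malformed read, ignore it */
    bool same = len == f->last_len && memcmp(uid, f->last_uid, len) == 0;
    f->quiet = 0;
    if (!f->armed && same) return false; /* same card still sitting there */
    memcpy(f->last_uid, uid, len);
    f->last_len = len;
    f->armed = false;
    return true;
}

/* Constructed trace replay: '.' = empty poll, any other char = a card
 * with a made-up 4-byte UID. Returns the number of webhooks fired. */
int count_fires(const char *trace) {
    tap_filter_t f;
    int fires = 0;
    tap_filter_init(&f);
    for (; *trace; trace++) {
        uint8_t uid[4] = { 0x04, (uint8_t)*trace, 0x00, 0x01 };
        bool empty = (*trace == '.');
        fires += tap_filter_poll(&f, empty ? NULL : uid, empty ? 0 : 4) ? 1 : 0;
    }
    return fires;
}
```

A one- or two-poll dropout with the same card still on the reader does not re-fire; swapping to a different card fires immediately.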

badge access point

There it is, after 3 days of various back and forth, it works, I think? The part I’m actually proud of: the badge hosts its own small web UI. Wi-Fi credentials, webhook URL, LED brightness, the hours it’s awake: all configurable through a browser, no reflashing required. You set it up once and you’re done.

The green flash

At some point, it worked.

full demo, scan, webhook, to music bar petit poney from Dieudonné isn’t available in this region, yet

Card tap. LED ring pulses green, me happy. Sonos plays.

The little one tapped the thing, the magic happened, the little one is also happy!
I watched my child figure it out in about four seconds. They tapped. Green flash, music. They tapped a different card. Green flash, different song. They ran to get another card. They have since developed a system. I am not entirely in control of the playlist in my own home and I have never been happier about it.

The price of a pet project

Sample project for mapping.json, testing and setting things up. So I wrote a README. A real one, with tables and power numbers and a section on what to do when nothing scans. I wrote a small PHP server that maps NFC UIDs to webhooks, with a browser UI for editing the mapping. I wrote a pure-nginx alternative for people who don’t want PHP. I wrote the bit about the htaccess comment I accidentally left visible in the README.

mapping.json mapping for the badge

Now onto the good part!

one does not simply hack the badge, you must make it fun!

Shortly after, I ordered some NFC stickers. The price of shipping something cool is documentation getting arts and crafty!

Significant Other: what did you order this time?

I’m still waiting for the stickers…

still waiting


Update: Ding dong, here’s your package!

After a short trip to Carta Magica, my local MtG store, for some card sleeves.

SO: What's this card?

The “C’est la vie” card is supposed to be a Mickey Mouse outline.

TLDR: the little one associated Mickey Mouse with a song during a sugar shack this season.

Significant Other: What's this drawing on the card?

me: I almost failed art class in high school, I'm doing my best to draw Mickey Mouse

Significant Other: give me a little piece of paper

Aren’t you impressed by my Zoboomafoo drawing

Significant Other: I'll do the QA on the next cards

At least my Zoboomafoo card was accepted like the rest of the project!

I’ll integrate the screen in a future update.


If you want to build one

The firmware is on GitLab, MIT licensed, with a README that tries to be honest about what you’re getting into:

gitlab.com/marx314/nsec-badge-2026-nfc-webhook

If you have the NorthSec 2026 badge, you can flash the prebuilt binary without installing anything except esptool.py.

If you just want the server side to map UIDs to webhooks, the server/ folder has both the PHP and nginx versions and a docker-compose that gets you running in one command.

It fires a POST with the card UID. Your server decides what to do with it. That’s the whole contract.

My setup:

badge -> raspberry pi with the php mapping -> the node-sonos-http-api -> the sonos bar

If you want me to flash it and you’re near Montréal:

  1. via email -> badge@maubry.ca
  2. via NorthSec Discord, look up Marx314.

The badge was made by the amazing NorthSec team. The firmware is mine yours. The music choices are… and I’ve made peace with that.

This is the end, for now. final form!

What it is now

• I have to get crafty for when the stickers arrive. I got some Dragon Shield Perfect Fit Clear from my local MtG store and hard sleeves, so double sleeved as per MtG standard.
• I have to find a way to make it more childproof (a case? protect the wiring?).
  ◦ Should I buy a 3D printer or is there a better way?
• I have to get the approval of my Significant Other
  ◦ Highly dependent on the childproofing


If you have suggestions, I’ll take them!
The badge lives in the living room. It has a job. It’s wired on a USB cable but sleeps between 23:00 and 07:00, and wakes up ready. It updates over Wi-Fi when I push new firmware. I have not plugged it into a USB cable since I set it up.

My daughter has a small collection of NFC cards. Each one is a different playlist or song. She manages this collection with the seriousness of a librarian.

Could I have bought a YotoPlay or a Toonies? Sure, but I wouldn’t have the same satisfaction.

Side note:

  • Is there a better store (ideally brick and mortar, but local online is good enough) for NFC stickers besides Amazon/AliExpress?


Hackez la Rue! | © Hubert Hackin'' | 2026-06-07 | theme hugo.386