The Microsoft Surface is an awesome Tablet PC, but it has one problem: there is just one USB port on it. There is an additional port, though: a connector for the Surface Touch Keyboard connector. That’s what [Edward Shin] is looking into, with the long-term intention of creating an adapter that allows him to connect a Thinkpad keyboard to this proprietary connector. His initial work identified the connector as using Microsoft’s own HID over I2C protocol, which sends the standard USB HID protocol over an I2C connection. So far so good, but it seems to get a little odd after that, with a serial connection running at nearly 1 Mbps and sending 9 bits per transfer with 1 stop bit. Presumably this is because Microsoft had planned to release other devices that used this connector, but this hasn’t panned out so far.
Anybody want to help him out? He has posted some captured data from the connection for analysis, and is looking for assistance. We hope he manages to build his converter: a Microsoft Surface with a decent keyboard and an open USB port would be a great portable setup. Bonus: for those teardown fans among you, he has done a great teardown of a Touch Cover keyboard that reveals some interesting stuff, including a lot of well-labelled test points.
All laptops have a working keyboard and mouse built into them, the only problem is that you can’t use these tools on other computers that don’t have them. At least, until now. [Peter] has created the KeyMouSerial in order to use his laptop’s keyboard and mouse as physical devices on his Raspberry Pi, finally freeing the bonds holding our laptops’ human interface devices back.
The software for KeyMouSerial copies keystroke and mouse information and sends this out via a serial port on his laptop (using a USB to serial adapter). From there the information is translated by an Arduino into HID commands which are sent via USB to the target computer, in this case a Raspberry Pi. It’s a pretty elegant solution to carrying a bulky keyboard and mouse along just for a Raspberry Pi, or for any computer that might not have access to a network and SSH.
[Peter] has also been working on using his iPod as a serial-to-USB converter, so if you’re a Rockbox developer and want to help out then drop him a line. All of the software is available (for Windows, Mac, or Linux) including the Arduino sketch if you want to try this software out for yourself. And, if you don’t want to turn a computer into a keyboard and want to go the other direction and turn a keyboard into a computer, that is also an option.
[Dan Williams] built a belt that holds up your pants while remembering your passwords. This was his project while camped out at the Hackaday Hardware Villiage at the 2015 TC Disrupt Hackathon last weekend.
The idea started with the concept of a dedicated device to carry a complicated password; something that you couldn’t remember yourself and would be difficult to type. [Dan] also decided it would be much better if the device didn’t need its own power source, and if the user interface was dead simple. The answer was a wrist-band made up of a USB cable and a microcontroller with just one button.
To the right you can see the guts of the prototype. He is using a Teensy 2.0 board, which is capable of enumerating as an HID keyboard. The only user input is the button seen at the top. Press it once and it fires off the stored password. Yes, very simple to implement, but programming is just one part of a competition. The rest of his time was spent refining it into what could reasonably be considered a product. He did such a good job of it that he received an Honorable Mention from Hackaday to recognize his execution on the build.
[Dan] came up with the idea to have a pair of mating boards for the Teensy 2.0. One on top hosts the button, the other on the bottom has a USB port which is used as the “clasp” of the belt buckle. One side of the USB cable plugs into the Teensy, the other into this dummy-port. Early testing showed that this was too bulky to work as a bracelet. But [Dan] simply pivoted and turned it into a belt.
[Kenji Larsen] helped [Dan] with the PCB-sandwich. Instead of mounting pin sockets on the extra boards, they heated up the solder joints on a few of the Teensy pins and pushed them through with some pliers. This left a few pins sticking up above the board to which the button add-on board could be soldered.
To finish out the build, [Dan] worked with [Chris Gammell] to model a 2-part case for the electronics. He also came up with a pandering belt buckle which is also a button-cap. It’s 3D printed with the TechCrunch logo slightly recessed. He then filled this recess with blue painter’s tape for a nice contrast.
[Dan] on-stage presentation shows off the high-level of refinement. There’s not a single wire (excluding the USB belt cable) or unfinished part showing! Since he didn’t get much into the guts of the build during the live presentation we made sure to seek him out afterward and record a hardware walk through which is embedded below.
[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.
The system runs on a Teensy 3.0. The Teensy is like a very small version of Arduino that has built-in functionality for emulating human interface devices, such as keyboards. This means that you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes into the computer as though it were a human typing them. You can see how this might be a security problem.
[Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up Powershell and runs a one-liner command. Generally, this commend will create a file based on input received from a web site controlled by the attacker. The script might download a trojan virus, or it might create a shortcut on the user’s desktop which will run a malicious script. The device can also create hot keys that will run a specific script every time the user presses that key.
Protecting from this type off attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations. Web filtering would also help in this specific case, since the attack relies on downloading files from the web. Your best bet might be to train users to not plug in any old USB device they find lying around. Regardless of the methodology, it’s important to know that this stuff is out there in the wild.
[Lou]’s entry for the Trinket EDC Contest is a great addition to the ubiquitous digital calipers found on workbenches and eBay resellers the world over. It translates the value displayed on the calipers to a USB HID interface for logging all those tricky measurements at the push of a button.
Most of the digital calipers you’ll find at Harbor Freight or on eBay are pretty much the same. There are two pads on the caliper’s PCB that give any microcontroller the ability to read what is being measured. It’s done with a 24-bit encoding scheme, where each bit is a nearly-BCD measurement in units of 1/1000 of an inch or 1/100 of a millimeter. After decoding the value, [Lou]’s trinket sends a few numbers to a computer over a USB HID interface.
Simply sending a measurement to a computer over USB wasn’t enough for [Lou]. He added three buttons to the project for typing multiple characters. The first button just sends Enter to the computer, the second sends a comma, and the third sends “/2 (Enter)”, exactly what you need to input the radius of something when measuring the diameter.
This was a project for the Trinket EDC Contest that ended a few hours ago. Nobody knows who the winner is, but there are some pretty cool prizes up for grabs including the new Rigol scope, a Fluke 179, and a soldering station.
Computers blindly trust USB devices connected to them. There’s no pop-up to confirm a device was plugged in, and no validation of whether the device should be trusted. This lets you do some nefarious things with a simple USB microcontroller.
We’ve recently seen two examples of this: the USBdriveby and the Teensyterpreter. Both devices are based on the Teensy development board. When connected to a computer, they act as a Human Interface Device to emulate a keyboard and mouse.
The USBdriveby targets OS X. When connected, it changes the DNS server settings to a custom IP, to allow for DNS spoofing of the victim’s machine. This is possible without a password through the OS X System Preferences, but it requires emulating both keystrokes and clicks. AppleScript is used to position the window in a known location, then the buttons can be reliably clicked by code running on the Teensy. After modifying DNS, a reverse shell is opened using netcat. This allows for remote code execution on the machine.
The Teensyterpreter gives a reverse shell on Windows machines. It runs command prompt as administrator, then enters a one-liner to fire up the reverse shell using Powershell. The process happens in under a minute, and works on all Windows versions newer than XP.
With a $20 microcontroller board you can quickly fire up remote shells for… “support purposes”. We’d like to see the two projects merge into a single codebase that supports both operating systems. Bonus points if you can do it on our Trinket Pro. Video demos of both projects after the break.
Continue reading “Plug Into USB, Get a Reverse Shell”
Moving the cursor around your computer screen is an everyday occurrence that we humans do not give much of a second thought to. But what if you didn’t have to move your hands from the keyboard anymore? Sure there are keyboards with Track Point or even track pads not to far from the keys, which isn’t too bad. What if you could just slightly point your face in the desired direction the mouse would move? The [Sci-Spot] folks wondered that same question and came up with a DIY Head Mouse.
The concept is pretty darn simple; a web cam is mounted to the user’s head and points at the computer screen. Mounted on top of the screen is one IR LED. Our eyes can not see the IR light so it is not annoying or distracting. The camera, however, is filtered to only see IR by placing a couple of layers of camera film negative over the lens. Before you go complaining about strapping a camera to your noggin just think of building it into a hat, which we’ve seen used for adaptive technologies like this PS3 controller.
Custom software was written to move the mouse cursor; see the black window in the above dialog box? That represents the webcam’s field of view and the white spot is the IR LED. When the user’s head moves, the IR LED moves in relation to the camera’s field of view, in turn telling the computer to move the cursor a certain amount. There are a couple of options available like ‘magnification’ which changes how much the cursor moves with a given amount of head movement and ‘deadzone’ that ignores extremely small movements that can result from breathing.
There is no mention of how button clicks are recorded but we think a couple of buttons right below the space bar would be great. The control software is available for download on the Sci-Spot page for those who want to make their own.