Plug Into USB, Get a Reverse Shell

Computers blindly trust USB devices connected to them. There’s no pop-up to confirm a device was plugged in, and no validation of whether the device should be trusted. This lets you do some nefarious things with a simple USB microcontroller.

We’ve recently seen two examples of this: the USBdriveby and the Teensyterpreter. Both devices are based on the Teensy development board. When connected to a computer, they act as a Human Interface Device to emulate a keyboard and mouse.

The USBdriveby targets OS X. When connected, it changes the DNS server settings to a custom IP, to allow for DNS spoofing of the victim’s machine. This is possible without a password through the OS X System Preferences, but it requires emulating both keystrokes and clicks. AppleScript is used to position the window in a known location, then the buttons can be reliably clicked by code running on the Teensy. After modifying DNS, a reverse shell is opened using netcat. This allows for remote code execution on the machine.

The Teensyterpreter gives a reverse shell on Windows machines. It runs command prompt as administrator, then enters a one-liner to fire up the reverse shell using PowerShell. The process happens in under a minute, and works on all Windows versions newer than XP.

With a $20 microcontroller board you can quickly fire up remote shells for… “support purposes”. We’d like to see the two projects merge into a single codebase that supports both operating systems. Bonus points if you can do it on our Trinket Pro. Video demos of both projects after the break.
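Both devices work by typing, so one check a defender can run is on keystroke timing right after a keyboard is attached. The following is an added example, not code from either project; the event structure, the thresholds and the way an endpoint agent would collect key-down events are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example. Thresholds are assumptions; tune them on real typing data. */
#define MIN_HUMAN_GAP_MS 30u   /* sustained gaps below this are not hand typing */
#define BURST_LEN        20u   /* fast keystrokes in a row needed to flag */
#define ATTACH_GRACE_MS  5000u /* burst must start this soon after plug-in */
typedef struct { uint32_t t_ms; uint16_t dev; } key_event_t; /* one key-down */

/* Returns 1 if device `dev`, attached at attach_ms, produced BURST_LEN
 * keystrokes with every gap under MIN_HUMAN_GAP_MS, the run starting within
 * ATTACH_GRACE_MS of attachment. Events must be in time order. */
int looks_like_injection(const key_event_t *ev, size_t n,
                         uint16_t dev, uint32_t attach_ms)
{
    size_t run = 0;
    uint32_t prev = 0, run_start = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].dev != dev) continue;   /* other keyboards don't break a run */
        if (run > 0 && (uint32_t)(ev[i].t_ms - prev) < MIN_HUMAN_GAP_MS) {
            run++;
        } else {
            run = 1;                      /* slow gap: a new run starts here */
            run_start = ev[i].t_ms;
        }
        prev = ev[i].t_ms;
        if (run >= BURST_LEN && (uint32_t)(run_start - attach_ms) <= ATTACH_GRACE_MS)
            return 1;
    }
    return 0;
}

/* Constructed sample data: `count` key-downs from `dev`, gap_ms apart. */
void make_events(key_event_t *out, size_t count, uint16_t dev, uint32_t start_ms, uint32_t gap_ms)
{
    for (size_t i = 0; i < count; i++)
        out[i] = (key_event_t){ start_ms + (uint32_t)i * gap_ms, dev };
}

int main(void)
{
    key_event_t ev[40];
    make_events(ev, 40, 7, 1500, 5);      /* plugged in at 1000 ms, 5 ms gaps */
    printf("new device flagged: %d\n", looks_like_injection(ev, 40, 7, 1000));
    make_events(ev, 40, 2, 60000, 140);   /* long-attached keyboard, human pace */
    printf("old keyboard flagged: %d\n", looks_like_injection(ev, 40, 2, 0));
    return 0;
}
```

Barcode scanners and macro pads also type fast, which is why the check requires the burst to begin shortly after the device was attached.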

MIDI Keyboard with Frickin’ Laser Keys

MIDI instruments are cool, but they’re not laser cool. That is, unless you’ve added lasers to your MIDI instrument like [Lasse].

[Lasse] started out with an old MIDI keyboard. The plan was to recycle an older keyboard rather than have to purchase something new. In this case, the team used an ESi Keycontrol 49. The keyboard was torn apart to get to the creamy center circuit boards. [Lasse] says that most MIDI keyboards come with a MIDI controller board and the actual key control board.

Once the key controller board was identified, [Lasse] needed to figure out how to actually trigger the keys without the physical keyboard in place. He did this by shorting out different pads while the keyboard was hooked up to the computer. If he hit the correct pads, a note would play. Simple, but effective.

The housing for the project is made out of wood. Holes were drilled in one piece to mount 12 laser diodes. That number is not arbitrary. Those familiar with music theory will know that there are 12 notes in an octave. The lasers were powered via the 5V source from USB. The lasers were then aimed at another piece of wood.

Holes were drilled in this second piece wherever the lasers hit. Simple photo resistors were mounted here. The only other components needed for each laser sensor were a resistor and a transistor. This simple discrete circuit is enough to simulate a key press when the laser beam is broken. No programming or microcontrollers required. Check out the demonstration video below to see how it works.

Vintage Apple Keyboard Revived As Standalone Computer

Many of our readers are familiar with the gold standard of classic PC keyboards – the bunker with switches known as the IBM Model M. The Model M’s Apple contemporary is the Apple Extended Keyboard and they are just as highly sought-after by their respective enthusiasts. Though discontinued almost 25 years ago and incompatible with anything made in the last 15, the codenamed “Saratoga” is widely considered the best keyboard Apple ever made.

[Ezra] has made a hobby of modernizing these vintage heartthrobs and rescuing them from their premature obsolescence. In a superbly documented tutorial he not only shows how to convert them to USB (a popular and trivial hack), but teaches you how and where to smuggle a Raspberry Pi in as well.

After disassembly, the project requires only a little bit of chisel and Dremel work before the soldering iron comes out. [Ezra] was fairly meticulous in removing or redirecting the Pi’s connectors and hardwiring the internals. Only 3 pins need to be traced from the original keyboard and [Ezra]’s ADB–>USB Rosetta Stone of choice is the Hasu Converter running on an Atmega 32u4 clone. Balancing cost, range, and power draw from the Pi, he settled on the TP-LINK WN722N for his WiFi solution which is also tucked away inside the case. A single pullup resistor to finish it off and [Ezra] was delighted to discover it worked the first time he plugged it in.

Keyboards from this era use actual momentary switches that audibly click twice per keypress. In our world of screens-as-keys celebrating the lack of tactile constraints, using beasts like the Model M or the AEK to force transistors to do your bidding is like racking a shotgun during a game of lasertag – comically obtuse but delightfully mechanical.

If you are looking to expand on [Ezra]’s tinkering, he has already made a wishlist of additions: a toggle switch to lobotomize the Pi back into a plain USB keyboard, an internal USB hub, and a power switch.

Hear the video of an AEK in action after the break (or loop it to sound productive while you nap).

Simple Terminal Hack is Fit For Hollywood

We’ve all seen the cheesy hacker scenes in movies and on TV. Three dimensional file system browsers, computer chip cityscapes, and other ridiculous visualizations to make the dull act of sitting at a keyboard look pretty on the silver screen. While real hackers know those things are often silly and impractical, sometimes we do go out of our way to pretty things up a bit.

Hollywood might be able to learn a thing or two from this latest hack. [Yuri] modified his Linux terminal to change the color of the back lights on his laptop’s keyboard. It’s the kind of thing that actually would look good in a modern hacker movie, and [Yuri] is living proof that it’s something that a real-life hacker would actually use!

[Yuri] has been running Simple Terminal. The Simple Terminal project aims to build a replacement for the default xterm program that removes all of the unnecessary features and simplifies the source code. It also aims to make your terminal experience prettier. Part of making things prettier means that you can choose the font color for your terminals, and of course each terminal window can have its own color if you so choose.

[Yuri] happens to own an Alienware laptop. This laptop comes with RGB LEDs behind the keyboard, allowing you to light them up just about any color you could ever want. [Yuri] thought it would be cool if his keyboard color matched the font color of his terminal windows. Thanks to AlienFX, he was able to write a simple patch for Simple Terminal that does exactly this. Now whenever he selects a terminal window, the keyboard automatically switches colors to match the text in that window. Be sure to check out the video below.

[Sprite_TM]’s Keyboard Plays Snake

Hackaday Prize judge, hacker extraordinaire, and generally awesome dude [Sprite_TM] spends a lot of time at his computer, and that means a lot of time typing on his keyboard. He recently picked up a board with the latest fad in the world of keyboards, a board with individually addressable LEDs. He took this board to work and a colleague jokingly said, “You’ve had this keyboard for 24 hours now, and it has a bunch of LEDs and some arrow keys. I’m disappointed you haven’t got Snake running on it yet.” Thus began the quest to put the one game found on all Nokia phones on a keyboard.

The keyboard in question is a Coolermaster Quickfire Rapid-I, a board that’s marketed as having an ARM Cortex CPU. Pulling apart the board, [Sprite] found a bunch of MX Browns, some LEDs, and a 72MHz ARM Cortex-M3 with 127k of Flash and 32k of RAM. That’s an incredible amount of processing power for a keyboard, and after finding the SWD port, [Sprite] attempted to dump the Flash. The security bit was set. There was another way, however.

Coolermaster is actively working on the firmware, killing bugs, adding lighting modes, and putting all these updates on their website. The firmware updater is distributed as an executable with US and EU versions; the EU version has another key. Figuring the only difference between these versions would be the firmware itself, [Sprite] got his hands on both versions, did a binary diff, and found only one 16k block of data at the end of the file was different. There’s the firmware. It was XOR encrypted, but that’s obvious if you know what to look for.

The firmware wasn’t complete, though; there were jumps to places outside the code [Sprite] had and a large block looked corrupted. There’s another thing you can do with an executable file: run it. With USBPcap running in the background while executing the firmware updater, [Sprite] could read exactly what was happening when the keyboard was updating. With a small executable that gets around the weirdness of the updater, [Sprite] had a backup copy of the keyboard’s firmware. Even if he bricked the keyboard, he could always bring it back to a stock state. It was time to program Snake.

The first part of writing new firmware was finding a place that had some Flash and RAM to store the new code. This wasn’t hard; there was 64k of Flash free and 28K of unused RAM. The calls to the Snake routine were modified from the variables the original firmware had. If, for example, the original keyboard had a call to change the PWM, [Sprite] could change that to the Snake routine.

Snake is fun, but with a huge, powerful ARM in a device that people will just plug into their computer, there’s a lot more you can do with a hacked keyboard. Keyloggers and a BadUSB are extremely possible, especially with firmware that can be updated from a computer. To counter that, [Sprite] added the requirement for a physical condition in order to enter Flash mode. Now, the firmware will only update for about 10 seconds after pressing the fn+f key combination.
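A physical-presence gate of the kind described above can be sketched in a few lines of C. This is an added example, not [Sprite_TM]’s firmware: the structure, the function names, the millisecond tick and the one-update-per-press rule are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: all names and the millisecond tick source are hypothetical. */
#define FLASH_WINDOW_MS 10000u   /* "about 10 seconds" */

typedef struct {
    bool     armed;      /* true once Fn+F has been pressed */
    bool     combo_prev; /* combo state on the previous scan (edge detect) */
    uint32_t armed_at;   /* tick at which the window opened */
} flash_gate_t;

/* Call from the key-matrix scan loop, so the gate is driven by physical
 * switch state only, never by anything the USB host can send. */
void flash_gate_scan(flash_gate_t *g, bool fn_down, bool f_down, uint32_t now_ms)
{
    bool combo = fn_down && f_down;
    if (combo && !g->combo_prev) {   /* rising edge: holding keys won't extend */
        g->armed = true;
        g->armed_at = now_ms;
    }
    g->combo_prev = combo;
}

/* Call when the host asks to enter Flash mode. */
bool flash_gate_allow(flash_gate_t *g, uint32_t now_ms)
{
    if (!g->armed)
        return false;
    g->armed = false;                /* assumed design choice: one update per press */
    /* Unsigned subtraction stays correct across 32-bit tick wraparound. */
    return (uint32_t)(now_ms - g->armed_at) < FLASH_WINDOW_MS;
}

int main(void)
{
    flash_gate_t g = {0};
    printf("no key press: %d\n", flash_gate_allow(&g, 500));
    flash_gate_scan(&g, true, true, 1000);
    printf("4 s after Fn+F: %d\n", flash_gate_allow(&g, 5000));
    return 0;
}
```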

There’s more to playing Snake on a keyboard; Sprite has also written a new lighting mode, a fluid simulation thingy that will surely annoy anyone who can’t touch type. You can see the videos of that below.

Walkman-esque Human Interface Device

Cheap keyboards never come with extra buttons, and for [Pengu MC] this was simply unacceptable. Rather than go out and buy a nice keyboard, a microcontroller was found in the parts drawer and put to work building this USB multimedia button human interface device that has the added bonus of looking like an old-school Walkman.

The functions that [Pengu MC] wants don’t require their own drivers. All of the buttons on this device are part of the USB standard for keyboards: reverse, forward, play/pause, and volume. This simplifies the software side quite a bit, but [Pengu MC] still wrote his own HID descriptors, tied all of the buttons to the microcontroller, and put it in a custom-printed enclosure.

If you’re looking to build your own similar device, the Arduino Leonardo, Micro, or Due have this functionality built in, since the USB controller is integrated on the chip with everything else. Some of the older Arduinos can be programmed to do the same thing as well! And, with any of these projects, you can emulate any keypress that is available, not just the multimedia buttons.

Hacklet 17 – Keyboards

This week on The Hacklet we’re featuring some of the best keyboard hacks from Hackaday.io!

Hackers are really into their keyboards. Everyone has a favorite, and those favorites vary wildly. Mechanical, soft touch, ergonomic, QWERTY, DVORAK, chorded, you name it, there is a hacker, maker, or engineer who loves it, or absolutely hates it. For some, no commercial product is perfect. All is not lost though, as a custom keyboard is just a hack away!

[Warren Janssens] gets things rolling with Ergo60, his 60 key ergonomic keyboard. [Warren’s] layout is a pair of 25 key hand clusters, each with a matching 5 key thumb cluster. This layout minimizes lateral wrist movement. With the reduced key count and stacked keys, the user’s hands never move from the home row. [Warren] rolled his own PCBs for Ergo60. A Teensy 2.0 running a fork of TMK serves as Ergo60’s controller. [Warren’s] is running Cherry Black switches and his keycaps are from Signature Plastics. [Warren] is using Ergo60 as his daily driver these days, so it’s no surprise that he’s set the “Completed Project” tag.

Some say he needs no keyboard at all, and that his heartbeat sounds just like an IBM Model M. All we know is he’s called [Brian Benchoff]. [Brian’s] created a pair of minimalist keyboard projects. The Unhappy Hacking Keyboard takes us back to basics. After all, computers run on 1’s and 0’s, right? What more could a person need? Apparently just a space and return. Unhappy Hacking Keyboard uses an ATtiny85 with V-USB as the controller and the interface. Keys are cherry MX blues. The keycaps are [Brian’s] own Hackaday Cherry MX Keycaps printed by Shapeways.

An entire generation of hackers don’t know the joy of typing on a tiny rubber keyboard. [Alistair MacDonald] aimed to fix that, so he turned an old computer into a keyboard with his ZX Keyboard. [Alistair] started with a broken ZX Spectrum. He gutted the original electronics and added an Arduino Pro Mini running the V-USB library. [Alistair] directly wired the row and column I/O lines from the keyboard to his Arduino. The result is a keyboard which is the perfect size for cell phones, Raspberry Pi’s and the like.

[Servo] teaches us new ways to type with Chordy KEY, his chording keyboard project. Chordy Key is meant to be used in the left hand. Five finger buttons and three thumb buttons are all that is needed to chord out 64 different letters and symbols. [Servo] utilized an ATmega32U4 powered Sparkfun pro micro to control his keyboard. Chordy Key is a proof of concept, but with [Servo’s] use of 3D printed parts, Chordy Key looks like it’s ready for your next wearable computing project!

[jmptable] is also working on a chorded keyboard design. Chord Keyboard uses only 7 keys to send the entire ASCII character set and a few control combinations. [jmptable] used an ATmega328P as his processor. Chord keyboard isn’t wired though. An RN-42-HID module provides Bluetooth connectivity to the world.

[jmptable] has provided an amazing amount of detail on his research, including one of his goals of adding a chorded keyboard to the Gameboy Advance. The keyboard itself would be mounted on the spine of a game cartridge. We would love to see that idea come to fruition, [Servo]!

Finally we have [Gertlex], who just wanted a scroll wheel embedded in his keyboard. He got there with the help of an Apple Mighty Mouse. Keyboard with Apple Mouse Scroll Ball is one of those hacks that looks like it is original equipment. [Gertlex] took a drill to a Targus slim USB keyboard, putting a small hole right between the ESC and F1 keys. He fit the scroll ball from his Apple Mighty Mouse in the hole. Electronics are as simple as plugging the mouse and keyboard into the same USB hub. The only downside to the design is that [Gertlex’s] keyboard isn’t recognized fast enough to send key presses during the boot process.

That’s just about enough keystrokes for this episode of The Hacklet. As always, see you next week. Same hack time, same hack channel, bringing you the best of Hackaday.io!

Update – check out our keyboard list right here!