Glitching USB Firmware for Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point where she wanted to get at the firmware: to reverse engineer it, see what's going on, and who knows what else. Wacom didn't design the devices to be user-updateable, so there aren't copies of the ROMs floating around the web, and the tablet's microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you're interested in chip power-glitching attacks, and if you don't suffer from a short attention span, watch it; it's a phenomenal introduction.


Taking a U2F Hardware Key from Design to Production

Building a circuit from prototyping to printed circuit board assembly is within the reach of pretty much anyone with the will to get the job done. If that turns out to be something that everyone else wants, though, the job suddenly gets much more complex. This is what happened to [Conor], who started with an idea to create two-factor authentication tokens and ended up manufacturing and selling them on Amazon. He documented his trials and tribulations along the way, and it's both an interesting and perhaps cautionary tale.

[Conor]'s tokens themselves are interesting in their simplicity: they use an Atmel ATECC508A, a crypto authentication IC designed specifically for P-256 keys and signatures, and the cheapest USB-enabled microcontroller he could find, a Silicon Labs EFM8UB1. His original idea was to solder all of the tokens himself over the course of one night, which was of course overly optimistic. Instead, he had the tokens fabricated and assembled before they were shipped to him for programming.

Normally the programming step would be straightforward, but loading identical keys and certificates into every token would compromise their security: a key extracted from one unit would let an attacker impersonate all of them. He wrote a script that works with the Atmel chip to create a unique attestation certificate for each token. He then cut a significant amount of time off the programming step by precomputing those values and using a programming jig he built to flash three units concurrently. This follows the same testing and programming path that [Bob Baddeley] advocated for in his Tools of the Trade series.
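What that per-token programming step amounts to, as an added example that is not [Conor]'s script or the ATECC508A's firmware: the Go program below stands in for the programming jig, generating a vendor attestation CA, then a fresh P-256 key and an attestation certificate for each token (on the real hardware the key is generated inside the secure element and never leaves it), and finally performing the relying-party check on a U2F registration signature. The vendor and token names, serial numbers and byte contents are assumptions made for the demo; the signed-message layout follows the FIDO U2F raw message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds a ten-year certificate skeleton; the names are assumed.
func certTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
}

// NewVendorCA creates the vendor's attestation root: one P-256 key and a
// self-signed CA certificate. This key belongs off the programming jig.
func NewVendorCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(1, "Example U2F Attestation Root", true)
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// ProvisionToken is the per-unit step: a fresh P-256 attestation key (on the
// real token generated inside the ATECC508A and never read out; returned here
// only so the demo can sign with it) plus a certificate signed by the vendor CA.
func ProvisionToken(serial int64, caKey *ecdsa.PrivateKey, caCert *x509.Certificate) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(serial, fmt.Sprintf("U2F Token %06d", serial), false)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// U2FRegistrationData is the byte string a token signs with its attestation
// key at registration (FIDO U2F raw message format):
// 0x00 || application parameter || challenge parameter || key handle || user public key
func U2FRegistrationData(appParam, challengeParam [32]byte, keyHandle, userPub []byte) []byte {
	msg := append([]byte{0x00}, appParam[:]...)
	msg = append(msg, challengeParam[:]...)
	msg = append(msg, keyHandle...)
	return append(msg, userPub...)
}

// SignAttestation produces the ECDSA-P256/SHA-256 signature the token emits.
func SignAttestation(tokenKey *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, tokenKey, h[:])
}

// AttestationValid is the relying party's check: the attestation certificate
// must chain to the vendor root, and the signature must verify under its key.
func AttestationValid(caCert, attCert *x509.Certificate, msg, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := attCert.Verify(opts); err != nil {
		return false
	}
	pub, ok := attCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	caKey, caCert, _ := NewVendorCA()
	tokKey, tokCert, _ := ProvisionToken(42, caKey, caCert)
	var app, chal [32]byte // constructed stand-ins for SHA-256(appID) and SHA-256(clientData)
	msg := U2FRegistrationData(app, chal, []byte("key-handle"), []byte("user-pubkey"))
	sig, _ := SignAttestation(tokKey, msg)
	fmt.Println(tokCert.Subject.CommonName, "attestation valid:", AttestationValid(caCert, tokCert, msg, sig))
}
```

The relying-party check is where per-token uniqueness pays off: a certificate issued under someone else's root, or a signature over altered registration data, is rejected, while each provisioned unit still carries its own key rather than a shared one.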

From there [Conor] just needed to get set up with Amazon. This was a process worthy of its own novel, with Amazon requiring an interesting amount of paperwork from [Conor] before he was able to proceed. Then there was an issue of an import tariff, but all-in-all everything seems to have gone pretty smoothly.

Creating a product from scratch like this can be an involved process. In this case it sounds like [Conor] got real value from having gone through the entire process himself, but he also talks about a best-case margin of about 43%. That's a tough bottom line, but a good lesson for anyone looking at building low-cost electronics.

A Real Turn Off

[Newbrain] had a small problem: he'd turn off the TV but leave the sound system turned on. Admittedly not a big problem, but an annoyance nonetheless. He realized the TV had a USB port that lost power when the set was switched off, so he decided to build something that would sense when the USB port died and fake a button press on the amplifier.

He posted a few ideas online and, honestly, the discussion was at least as interesting as the final project. The common thread was to use an optoisolator to sense the 5 V from the USB port. After that, everyone considered a variety of ICs and discretes and even did some Spice modeling.

In the end, though, [Newbrain] took the easy way out. An ATtiny84 is probably overkill, but it's easy enough to press into service. With only three other components, he built the whole thing into a narrow 24-pin socket and taped it to the back of the audio unit's wired remote control.


Custom Gaming Keypad Developed with PSoC and Fusion 360

There was a time when building something yourself probably meant it didn't look much like a commercial product. That's not always a bad thing. We've seen many custom builds that are nearly works of art. We've also seen plenty of builds that are, ahem, let's say "hacker chic".

[AlexanderBrevig] decided to take on a project using a PSoC development board he picked up. In particular, he wanted to build a custom game keypad. He prototyped a number of switches with the board and got the firmware working so that the device looks like a USB HID keyboard.


The USB Killer Now Has Commercial Competition

With the proliferation of USB flash drives has come a very straightforward attack vector for a miscreant intent on spreading malware onto an organisation's network: simply drop a few infected drives in the parking lot and wait for an unsuspecting staff member to pick one up and plug it into their computer. The drives are so familiar that to a non-tech-savvy user they appear harmless; there is no conscious decision over whether to trust them or not.

A diabolical variant on the exploit was [Dark Purple]’s USB Killer. Outwardly similar to a USB Flash drive, it contains an inverter that generates several hundred volts from the USB’s 5 volts, and repeatedly discharges it into the data lines of whatever it is plugged into. Computers whose designers have not incorporated some form of protection do not last long when subjected to its shocking ministrations.

Now the original has a commercial competitor, in the form of Hong Kong-based usbkill.com. It’s a bit cheaper than the original, but that it has appeared at all suggests that there is an expanding market for this type of device and that you may be more likely to encounter one in the future. They are also selling a test shield, an isolated USB port add-on that allows the device to be powered up without damaging its host.

From the hardware engineer's point of view these devices present a special challenge. We are used to protecting USB ports from high-voltage electrostatic discharges with TVS diode arrays, but those events are brief and come from an extremely high-impedance source; the parts are not rated to dissipate a low-impedance high voltage applied continuously. It's likely that these USB killers will result in greater sales of protection thermistors and more substantially specified Zener diodes among USB interface designers.

We covered the original USB Killer prototype when it appeared, then its second version, and finally its crowdfunding campaign. This will probably not be the last we’ve heard of these devices and they will inevitably become cheaper, so take care what you pick up in that parking lot.

[via Extremetech]

Convert Any USB Keyboard to Bluetooth

[DastardlyLabs] saw a video about converting a PS/2 keyboard to Bluetooth and realized he didn’t have any PS/2 keyboards anymore. So he pulled the same trick with a USB keyboard. Along the way, he made three videos explaining how it all works.

The project uses a stock DuinoFun USB mini host shield with a modification to allow it to work on 5 V. An Arduino Pro Mini provides the brains. An FT232 USB-to-serial board is used to program the Arduino. A standard Bluetooth module has to have HID firmware installed. [Dastardly] makes a homemade daughterboard, er, shield, to connect it to the Arduino.

The result is a nice little sandwich with a USB plug, a Bluetooth antenna, and some pins for reprogramming if necessary. Resist the urge to solder the Bluetooth board in: since it talks on the same serial port the Arduino uses for programming, you'll have to remove it before uploading new code.

If you need help reprogramming the HC-05 Bluetooth module, we’ve covered that before. This project drew inspiration from [Evan’s] similar project for PS/2 keyboards.


Big Brother and Others Are Watching Your Car

We are all (hopefully) aware that we can be watched while we’re online. Our clicks are all trackable to some extent, whether it’s our country’s government or an advertiser. What isn’t as obvious, though, is that it’s just as easy to track our movements in real life. [Saulius] was able to prove this concept by using optical character recognition to track the license plate numbers of passing cars half a kilometer away.

To achieve such long distances (and still have clear and reliable data to work with) [Saulius] paired a 70-300 mm telephoto lens with a compact USB camera. All of the gear was set up on an overpass and the camera was aimed at cars coming around a corner of a highway. As soon as the cars enter the frame, the USB camera feeds the video to a laptop running OpenALPR, which processes and records the license plate data.

The build is pretty impressive, but [Saulius] notes that it isn’t the ideal setup for processing a large amount of information at once because of the demands made on the laptop. With this equipment, monitoring a parking lot would be a more feasible situation. Still, with even this level of capability available to anyone with the cash, imagine what someone could do with the resources of a national government. They might even have long distance laser night vision!