Injecting Code Into Mouse Firmware Should Be Your Next Hack

Here’s a DEF CON talk that uses tools you likely have and it should be your next hacking adventure. In their Saturday morning talk [Mark Williams] and [Rob Stanely] walked through the process of adding their own custom code to a gaming mouse. The process is a crash course in altering a stock firmware binary while still retaining the original functionality.

The jumping off point for their work is the esports industry. The scope of esporting events has blown up in recent years. The International 2016 tournament drew 17,000 attendees with 5 million watching online. The prize pool of $20 million ($19 million of that crowdfunded through in-game purchases) is a big incentive to gain a competitive edge to win. Contestants are allowed to bring their own peripherals which begs the questions: can you alter a stock gaming mouse to do interesting things?

The steelseries Sensei mouse was selected for the hack because it has an overpowered mircocontroller: the STM32F103CB. With 128 KB of flash the researchers guessed there would be enough extra room for them to add code. STM32 chips are programmed over ST-Link, which is available very inexpensively through the ST Discovery boards. They chose the STM32F4DISCOVERY which runs around  $20.

Perhaps the biggest leap in this project is that the firmware wasn’t read-protected. Once the data, clock, and ground pads on the underside of the board were connected to the Discovery board the firmware was easy to dump and the real fun began.

They first looked through the binary for a large block of zero values signifying unused space in flash. The injected firmware is designed to enumerate as a USB keyboard, open Notepad, then type out, save, and execute a PowerShell script before throwing back to the stock firmware (ensuring the mouse would still function as a mouse). Basically, this builds a USB Rubber Ducky into stock mouse firmware.

There are a few useful skills that make taking on this project a worthwhile learning experience. To compile your custom code correctly you need to choose the correct offset address for where it will end up once pasted into the firmware binary. The vector table of the original code must be rewritten to jump to the injected code first, and it will need to jump back to the mouse execution once it has run. The program flow on the left shows this. Both of these jumps require the program counter and registers to be saved and restored. The ARM stack is subtractive and the address will need to be updated to work with the added code.

The talk ended with a live demo that worked like a charm. You can check out the code in the MDHomeBrew repo. In this case the PowerShell script adds keyboard shortcuts for DOOM cheats. But like we said before, the experience of getting under the hood with the firmware binary is where the value will be for most people. With this success under your belt you can take on more difficult challenges like [Sprite_TM’s] gaming keyboard hack where the firmware couldn’t easily be dumped and an update binary was quite obsfucated.

Unholy Mashup Of SpaceMouse And Sculpt Keyboard Is Rather Well Done

What do you do if you have a pair of input device peripherals for your computer, but they are from different manufacturers and thus not available as a single unit? If you are [Marco van Nieuwenhoven], you combine the two to make a mashup single peripheral.

[Marco]’s two peripherals were a 3Dconnexion SpaceMouse Wireless, and a Microsoft Sculpt Keyboard. His mashup isn’t featured here because it simply is a mashup, after all anyone with a hot glue gun could combine the two, instead he’s created a single peripheral that almost looks as though it could have been manufactured that way. It’s not complexity we’re looking at here, but elegance!

The Sculpt keyboard fortunately has a large palm rest in which the electronics and batteries sit, and he’s carefully measured the footprint of the top half of the SpaceMouse before hand cutting a very neat aperture to take it. The SpaceMouse PCB is attached below the aperture, and the bottom of the palm rest is attached with a little bit of padding to ensure a snug fit. The result: a combined input device to be proud of!

Of course, if this keyboard isn’t special enough for you, how about a typewriter?

DIY Shortcut Keyboard

Working with CAD programs involves focusing on the task at hand and keyboard shortcuts can be very handy. Most software packages allow the user to customize these shortcuts but eventually, certain complex key combination can become a distraction.

[awende] over at Sparkfun has created a Cherry MX Keyboard which incorporates all of the Autodesk Eagle Shortcuts to a single 4×4 matrix. The project exploits the Arduino Pro Mini’s ability to mimic an HID device over USB thereby enabling the DIY keyboard. Pushbuttons connected to the GPIOs are read by the Arduino and corresponding shortcut key presses are sent to the host machine.

Additional functionality is implemented using two rotary encoders and the Teensy encoder library. The first knob functions as a volume control with the push-button working as a mute button. The encoder is used to control the grid spacing and the embedded button is used to switch between imperial and metric units. The entire code, as well as the schematic, is available on GitHub for your hacking pleasure. It’s a polished project just ready for you to adapt.

The project can be extended to be used with other computer software such as Gimp and the keys may be replaced by capacitive touch sensors making it more sturdy. Bluetooth can be added to make things wireless and you can check out the Double Action Keyboard to extend functionality further. Continue reading “DIY Shortcut Keyboard”

Only 90s Kids Will Appreciate This Prototype

[Madox] is a trackball user, which is fine; we at Hackaday respect and appreciate those who live alternative lifestyles. As you would expect, there aren’t many makes and models of trackballs being sold, and [Madox] wanted something ergonomic. A DIY solution was necessary, but how to you model something ‘ergonomic’ before printing it out? Floam, apparently.

Highly advanced 3D prototyping skills

Floam is a sticky, moldable goo originally sold as the follow-up to Nickelodeon’s Gak in the early 1990s. It consists of styrofoam pellets held together with a colored binder that doesn’t leave a mess and doesn’t dry out. While the Nickelodeon version is lost to the sands of time, a Floam-like substance is available at any toy store. [Madox] picked up a few blister packs and began modeling his ideal trackball.

With the proper shape in hand, [Madox] needed a way to get this design into a computer. Photogrammetry is the solution, and while earlier experiments with Autodesk Catch were successful, Autodesk has morphed and rebranded their photogrammetry software into Autodesk ReMake. Turing a pile of styrofoam balls into a 3D model is as simple as taking a bunch of pictures and uploaded to Autodesk’s ‘cloud’ service.

In just a few minutes, a proper 3D mesh arrived from the Autodesk mothership, and [Madox] took to importing this model into Fusion 360, fiddling with chamfers, and eventually got to the point where a 3D printer was necessary. It took a few revisions, but now [Madox] has a custom designed trackball that was perfectly ergonomic.

Tightwad Hacks Label Printer, Beats Manufacturer at Own Game

Sometimes we hack for the thrill of making something new, and sometimes we hack to push back the dark veil of ignorance to shed fresh light on a problem. And sometimes, like when turning a used label printer into a point-of-sale receipt printer, we hack because we’re cheapskates.

We say that with the utmost respect and affection — there’s nothing to be ashamed of when your motive is strictly pecuniary. In [Dan Herlihy]’s case, hacking a cheap Brother label printer to use thermal paper meant saving $300 on a dedicated receipt printer. But it also meant beating Brother at their “Razor and Blades” business model that keeps you buying their expensive proprietary labels. A pattern of holes in the plastic label roll tells the printer what size labels are loaded, so [Dan] defeated that by breaking off a piece of the plastic and gluing it on the sensor. To convince the printer that plain thermal paper is label stock, he printed up a small strip of paper with the same pattern of black registration stripes that appear on the back of the labels. Pretty clever stuff, and it lets him print high-resolution receipts for his electronics shop on the seriously cheap.

[Dan]’s hack is simple, but may suffer from wear on the paper encoder strip. Perhaps this Brother hack using the gears as encoders will provide some inspiration for long-term fix.

Continue reading “Tightwad Hacks Label Printer, Beats Manufacturer at Own Game”

DIY USB Power Bank

USB power banks give your phone some extra juice on the go. You can find them in all shapes and sizes from various retailers, but why not build your own?

[Kim] has a walkthrough on how to do just that. This DIY USB Power Bank packs 18650 battery cells and a power management board into a 3D printed case. The four cells provide 16,000 mAh, which should give you a few charges. The end product looks pretty good, and comes in a bit cheaper than buying a power bank of similar capacity.

The power management hardware being used here appears to be a generic part used in many power bank designs. It performs the necessary voltage conversions and manages charge and discharge to avoid damaging the cells. A small display shows the state of the battery pack.

You might prefer to buy a power bank off the shelf, but this design could be perfect solution for adding batteries to other projects. With a few cells and this management board, you have a stable 5 V output with USB charging. The 2.1 A output should be enough to power most boards, including Raspberry Pis. While we’ve seen other DIY Raspberry Pi power banks in the past, this board gets the job done for $3.


The Tiniest Mechanical Keyboard Ever

Owning a mechanical keyboard makes you a better person. It puts you above everyone else. Of course, owning a mechanical keyboard does come with some downsides. Carrying a mechanical keyboard around all the time to tell everyone else you’re better than them is usually impractical, but [cahbtexhuk Joric] has come up with a solution. It’s a miniature Bluetooth mechanical keyboard that’s also a keychain.

Continue reading “The Tiniest Mechanical Keyboard Ever”