Human-Interfacing Devices: HID Over I2C

In the previous two HID articles, we talked about stealing HID descriptors, learned about a number of cool tools you can use for HID hacking on Linux, and created a touchscreen device. This time, let’s talk about an underappreciated HID standard, but one that you might be using right now as you’re reading this article – I2C-HID, or HID over I2C.

HID as a protocol can be tunneled over many different channels. If you’ve used a Bluetooth keyboard, for instance, you’ve used tunneled HID. For about ten years now, I2C-HID has been heavily present in the laptop space: it was initially used in touchpads, later in touchscreens, and now also in sensor hubs. Yes, you can expose sensor data over HID, and if you have a clamshell (foldable) laptop, that’s how the rotation-determining accelerometer exposes its data to your OS.

This capacitive touchscreen controller is not I2C-HID, even though it is I2C. By [Raymond Spekking], CC-BY-SA 4.0
Not every I2C-connected input device is I2C-HID. For instance, if you’ve seen older tablets with I2C-connected touchscreens, don’t get your hopes up, as they likely don’t use HID – it’s just a complex-ish I2C device, with enough proprietary registers and commands to drive you crazy even if your logic analysis skills are on point. I2C-HID is nowhere near that, and it’s also way better than the PS/2 we used before – an x86-only interface with limited capabilities, already almost extinct from even x86 boards, and further threatened in this increasingly RISCy world. I2C-HID is low-power, especially compared to USB, as capable as HID goes, compatible with existing HID software, and ubiquitous enough that you surely already have an I2C port available on your SBC.

In the modern world of input devices, I2C-HID is spreading, and the coolest thing is that it’s standardized. The standardization means a lot of great things for us hackers. For one, unlike all of those I2C touchscreen controllers, I2C-HID devices are easier to reuse; as much as information on them might be lacking at the moment, that’s what we’re combating right now as we speak! If you are using a recent laptop, the touchpad is most likely I2C-HID. Today, let’s take a look at converting one of those touchpads to USB HID.

A Hackable Platform


Human-Interfacing Devices: Packing For The Descriptor Heist

We started with figuring out HID descriptors a week ago, and I’ve shown you how to send raw HID packets using a MicroPython fork. We do still have the task in front of us – making a touchscreen device. For that, let’s give you the tools to capture an existing descriptor from a touchscreen, then show you how to tweak it and how it turns out in the end.

Packing For The Heist

When it comes to this kind of adventure, we can’t go without tools and weapons – it could be dangerous! Without them, you could even abandon your project halfway! Here’s enough high-precision tools and ammunition to last you through whatever obstacles you might encounter. Except for the web-based tools, these tools are for Linux, but please remember that you can always use a virtual machine or a Raspberry Pi. Nobody would use Windows for a heist anyway, what’s with all the telemetry and such.

The first tool is for reading descriptors – we need one to learn from, it’s just like a keycard you can flash to a security guard and scan at the vault entry. Of course, with RFID, you want to have enough examples, compare bits between a few cards and all. For now, HID descriptors don’t have authenticity checks, but it looks like that might just change in the future. Leave it to Apple and Microsoft to add them, as usual. On Linux, seeing descriptors is simple – as root, go into /sys/bus/usb/devices/, find your device by its lsusb device tree path, then follow the directory with the VID/PID in it. That directory will contain a report_descriptor file – hexdump it. The entire command could look like this:

sudo hexdump -v -e '/1 "%02X "' /sys/bus/usb/devices/3-6.2/3-6.2\:1.1/0003\:0C40\:8000.0022/report_descriptor

Again, you might need root to even find this path, so use sudo -i if you must. The format string in the hexdump command gives you parser-friendly output. Specifically, for parsing, I use this webpage – it’s wonderful, even adding tabs that delineate different sections of the descriptor, making its output all that more readable! You can also save this webpage locally, it’s a very neat tool. Other than that, you can try other local tools like this one!
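
To see what such a parser does with the space-separated hex that the hexdump command prints, here is an added example (not code from the article or from the tools it links to). It splits a report descriptor into its short items and rejects truncated or unbalanced input; the sample descriptor is constructed for illustration, only a subset of tags is named, and long items are not handled.

```python
# Added example: split a HID report descriptor into its short items.
TYPES = ("Main", "Global", "Local", "Reserved")
TAGS = {  # (item type, tag) -> name; a subset, enough for simple descriptors
    (0, 0x8): "Input", (0, 0x9): "Output", (0, 0xA): "Collection",
    (0, 0xB): "Feature", (0, 0xC): "End Collection",
    (1, 0x0): "Usage Page", (1, 0x1): "Logical Minimum",
    (1, 0x2): "Logical Maximum", (1, 0x7): "Report Size",
    (1, 0x8): "Report ID", (1, 0x9): "Report Count",
    (2, 0x0): "Usage", (2, 0x1): "Usage Minimum", (2, 0x2): "Usage Maximum",
}
SIGNED = {"Logical Minimum", "Logical Maximum"}  # decoded as two's complement

def parse_descriptor(hex_text):
    """Return [(depth, item_type, name, value), ...] for hexdump-style input."""
    data = bytes.fromhex(hex_text)  # whitespace between byte pairs is ignored
    items, pos, depth = [], 0, 0
    while pos < len(data):
        prefix = data[pos]
        if prefix == 0xFE:  # long-item prefix, outside this example's scope
            raise ValueError(f"long item at offset {pos} not handled")
        size = (0, 1, 2, 4)[prefix & 0x03]            # bits 0-1: payload size
        itype, tag = (prefix >> 2) & 0x03, prefix >> 4  # bits 2-3, bits 4-7
        payload = data[pos + 1:pos + 1 + size]
        if len(payload) != size:
            raise ValueError(f"item at offset {pos} is truncated")
        name = TAGS.get((itype, tag), f"tag 0x{tag:X}")
        value = int.from_bytes(payload, "little", signed=name in SIGNED)
        if name == "End Collection":
            depth -= 1
            if depth < 0:
                raise ValueError(f"End Collection at offset {pos} has no opener")
        items.append((depth, TYPES[itype], name, value))
        if name == "Collection":
            depth += 1
        pos += 1 + size
    if depth != 0:
        raise ValueError("Collection without matching End Collection")
    return items

# Constructed sample in the same format the hexdump command produces.
SAMPLE = "05 01 09 02 A1 01 85 01 75 08 95 03 15 81 25 7F 81 06 C0 "

if __name__ == "__main__":
    for depth, itype, name, value in parse_descriptor(SAMPLE):
        print(f"{'  ' * depth}{name} ({itype}) = {value}")
```
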


Human-Interfacing Devices: The Descriptor Heist

Today, we’ll build our own input devices. And they will be easy to create and write firmware for, they will work perfectly, and they will be cross-platform. We can do that with the help of the Human Interface Device (HID) standard, and by way of introduction, so that you never get confused by what a “descriptor” means, we’ll build our own HID device — a Human Interface Device device. The way we build them won’t require reading specifications – instead, I’ll teach you how to steal HID descriptors from existing devices, tweak them for our purposes, and use them in our devices to harness the power of HID.

For decades now, it’s been possible to build a HID mouse or keyboard by using a library or two, and it’s been a godsend for hackers all around the world. However, these libraries are typically confined to a certain template and inflexible, and we hackers often go outside of what’s expected. HID allows for much more than a simple keyboard or a mouse. That’s why today we’re building a touchscreen – something not yet covered online or by libraries.

HID lets you build devices that are friendly. They don’t need drivers, they are plug and play, and they do what you expect them to do. At its core, the HID standard is as simple as it is ubiquitous. You can tunnel HID over USB, Bluetooth, I2C, and modern-day operating systems support all three of these. Today, let’s go through the basics of HID, and then build a USB touchscreen out of a SPI-connected resistive touchscreen, with the help of the usual RP2040+MicroPython combo. I will also give you a toolkit for how to debug a Human Interface Device device as thoroughly as possible – specifically on Linux, showing all the HID debug and introspection capabilities that Linux gives you. But it’ll work on Windows too through the beauty of standardization.


Latency Meter For Accurate Gaming

The gaming world experienced a bit of a resurgence in 2020 that is still seen in the present day. Even putting aside the effects from the pandemic, the affordability and accessibility has arguably never been better. Building a gaming PC can have its downsides, though, and a challenging issue to troubleshoot is input lag or input latency. This is something that’s best measured with standalone hardware, and if this is an issue on your setup you may want to take a look at this latency meter.

Unlike other measurement devices that use the time between a mouse button input and the monitor’s display of a bullet or shooting event, this one looks at mouse movement and the change in the scene instead. This makes it much more versatile than other methods since it’s independent of specific actions, and can be used in any game without any specific events needed to perform the measurement. A camera phototransistor is placed on the monitor’s top edge and the Arduino-based device sends mouse commands to the computer while measuring the time between those commands and the shift in the image on the monitor.

The project is open source, so with the right hardware it’s possible to build one to troubleshoot latency issues or just to learn more about a particular hardware configuration’s behavior. Arduinos and other microcontrollers have been doing all kinds of things by pretending to be human interface devices like this for a while now. One of our favorites of late was this effects pedal that replicates musical effects on mice and keyboards.

Bespoke Implants Are Real—if You Put In The Time

A subset of hackers have RFID implants, but there is a limited catalog. When [Miana] looked for a device that would open a secure door at her work, she did not find the implant she needed, even though the lock was susceptible to cloned-chip attacks. Since no one made the implant, she set herself to the task. [Miana] is no stranger to implants, with 26 at the time of her talk at DEFCON31, including a couple of custom glowing ones, but this was her first venture into electronic implants. Or electronics at all. The full video after the break describes the important terms.

The PCB antenna in an RFID circuit must be accurately tuned, which is this project’s crux. Simulators exist to design and test virtual antennas, but they are priced for corporations, not individuals. Even with simulators, you have to know the specifics of your chip, and [Miana] could not buy the bare chips or find a datasheet. She bought a pack of iCLASS cards from the manufacturer and dissolved the PVC with acetone to measure the chip’s capacitance. Later, she found the datasheet and confirmed her readings. There are calculators in lieu of a simulator, so there was enough information to design a PCB and place an order.

The first batch of units can only trigger the base station from one position. To make the second version, [Miana] bought a Vector Network Analyzer to see at which frequency the chip and antenna resonated. The solution to making adjustments after printing is to add a capacitor to the circuit, and its size will tune the system. The updated design works, so a populated board is coated and implanted, and you can see an animated loop of [Miana] opening the lock with her bare hand.

Biohacking can be anything from improving how we read our heart rate to implanting a Raspberry Pi.


Modular Keyboard And Custom Game Controller

Most video games, whether on console or PC, have standardized around either a keyboard and mouse or an analog controller of some sort, with very few differences between various offerings from the likes of Sony, Microsoft, Nintendo, or even Valve. This will get most of us through almost all video games, but for those looking to take their gameplay up a notch or who are playing much more complex games, certain specialized controllers are available, but they might not meet everyone’s specific needs. Thanks to this custom, modular keyboard anyone should be able to make exactly the controller they need.

The device features a grid of 15 interfaces where modules like buttons, potentiometers, encoders, and joysticks can be placed. Each module can be customized to a significant extent on its own, and they can be placed anywhere on the grid. The modules themselves can be assigned to trigger keyboard presses or gamepad motions depending on the needs of the user. A Raspberry Pi handles the inputs and translates them to the computer, so in that regard it functions no differently than a standard keyboard or gamepad would. Programming is done by sending commands via a USB serial port, with the ability to save various configurations as well.

The modular controller is open-source in terms of hardware and software, with easy assembly using through-hole components and a customizable 3D printed cover for anyone looking to make their own. The project’s creator [Daniel] had flight simulators in mind when designing the device, which often benefit from having more specialized controllers, but any game with lots of specific inputs from Starcraft to League of Legends could benefit from a custom controller or keyboard like this. Flight simulators are more often the targets of specialized and unique controls, though, like this custom yoke or this physical control panel.

An Almost Invisible Desktop

When you’re putting together a computer workstation, what would you say is the cleanest setup? Wireless mouse and keyboard? Super-discreet cable management? How about no visible keeb, no visible mouse, and no obvious display?

That’s what [Basically Homeless] was going for. Utilizing a Flexispot E7 electronically raisable standing desk, an ASUS laptop, and some other off-the-shelf parts, this project is taking the idea of decluttering to the extreme, with no visible peripherals and no visible wires.

There was clearly a lot of learning and much painful experimentation involved, and the guy kind of glossed over how a keyboard was embedded in the desk surface. Forming a thin layer of resin in-plane with the desk surface and mounting the keyboard just below, followed by lots of careful fettling of the openings, meant the keys could be depressed. By not standing proud of the surface, the keys were practically invisible when painted. After all, you need that tactile feedback, and a projection keeb just isn’t right.

ChatGPT-inspired machine learning mouse emulator

Moving on, never mind an ultralight gaming mouse, how about a zero-gram mouse? Well, this is a bit of a cheat, as they mounted a depth-sensing camera inside a light fitting above the desk, and built a ChatGPT-designed machine-learning model to act as a hand-tracking HID device. Nice idea, but we don’t see the code.

The laptop chassis had its display removed and was embedded into the bottom of the desk, along with the supporting power supplies, a couple of fans, and a projector. To create a ‘floating’ display, a piece of transparent plastic was treated to a coating of Lux labs “ClearBright” transparent display film, which allows the image from the projector to be scattered and observed with sufficient clarity to be usable as a PC display. We have to admit, it looks a bit gimmicky, but playing Minecraft on this setup looks a whole lotta fun.

Many of the floating displays we’ve covered tend to be for clocks (after all timepieces are important) like this sweet HUD hack.
