Updated README/ToDo/Changelog + comments in python test script
mame82 committed Sep 18, 2019
1 parent 58855d9 commit da0e4f8
Showing 4 changed files with 19 additions and 2 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -15,7 +15,7 @@ see https://devzone.nordicsemi.com/f/nordic-q-a/52297/fds-read-order-fds_record_
- example (not generic ... directly writing to `/dev/rawhid0`) in `companion2.py`
- some changes to logging for Flash Data Storage operations
- increased log buffers size, to account for dropped messages
- known issue: If storing a script to flash aborts in the middle, because there's no remaining space, partially
- known issue: If storing a script to flash fails in the middle, because there's no remaining space, partially
written data of the script isn't removed from flash.

# LOGITacker v0.2.0-beta
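Review bot: the device path on the unchanged context line above (`/dev/rawhid0`) disagrees with the docstring this same commit adds to companion2.py, which names `/dev/hidraw0`; the Linux raw HID node is `/dev/hidrawN`, so the CHANGELOG line looks like a transposition and should be corrected while this entry is being touched. The "aborts" to "fails" rewording of the known-issue line does not change its meaning; since this is a released changelog entry it would be more useful to say what the user observes afterwards (whether the partially written script is listed or consumes space until the flash is cleared) and to point at the ToDo.md entry that tracks the fix. Minor: "log buffers size" on the unchanged line should read "log buffer size".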
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -54,6 +54,9 @@ again, the associated data (including the AES key) is restored from flash.
- Live decryption: In passive enumeration mode, encrypted keyboard RF frames are automatically decrypted if the link
Encryption key is known (could be added manually or obtained from sniffed pairing). This could be combined nicely with
USB pass-thorugh modes.
- *experimental* covert channel for air-gap bridging with "keystroke injectable" client agent to deploy the channel
for a Windows host with Logitech receiver (demo with receiver implanted into USB cable: https://youtu.be/79SogcYbpNA)
- usable for pure USB keystroke injection (RubberDucky fashion), programming features are still usable
- USB pass-through: An USB serial based CLI is not the best choice, when it comes to processing of raw or decrypted RF
data. To circumvent this, LOGITacker supports the following pass-through modes:
- USB keyboard pass-through: If enabled, received RF keyboard frames are forwarded to LOGITacker's USB keyboard
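Review bot: the new "*experimental* covert channel" bullet (first two added lines) gives only a demo video; a feature list entry should state what the experimental status means for the user, in particular which Windows/receiver combinations were tested and what is known not to work, so readers do not treat a demo as a supported feature. The third added line, "programming features are still usable", is ambiguous: say explicitly that the scripting/programming interface remains available when the dongle is used purely as a USB injection device. While editing this block, fix the typo "pass-thorugh" on the unchanged context line just above the additions and "An USB" on the line below them ("A USB").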
9 changes: 8 additions & 1 deletion ToDo.md
Expand Up @@ -18,7 +18,7 @@ The firmware evolves as needed by myself (on-stage demos, experiments). **No fea
1) [done] devices with sniffed pairing and encryption capability (chances are low to capture pairing in flight --> must have)
2) [done] devices which respond to plain keystroke injection during active enum
3) [done] devices for which plain key reports have been captured during passive enum (f.e. R400 doesn't reveal injection vuln during active enum, but send plain keyboard reports)
- extensive testing of device flash storage, definition of upper limits (nobody needs 1000 devices on the dongle, as they could be barely handled interactively)
- [done, fixed issue] extensive testing of device flash storage, definition of upper limits (nobody needs 1000 devices on the dongle, as they could be barely handled interactively)
- maybe: Introduce user provided meta data, like "site name" for discover and custom device name, to make it easier to re-identify specific devices stored on flash
(raw RF addresses require noting down additional info) - this is low prio, as it requires additional relationships for data stored on flash, which means runtime-reference-creation
and thus brings all nice errors of pointer arithmetic (missing Golang here)
Expand All @@ -40,6 +40,13 @@ and thus brings all nice errors of pointer arithmetic (missing Golang here)
- implement `options pair-sniff pass-through-raw`
- [done] remove unneeded modules in root folder (refactoring)
- [done] add GCC build scripts for MDK and MDK dongle
- RF based control of USB injection mode with Logitech devices (f.e. presentation clicker to iterate over payloads and
execute on-demand --> use PRX mode)

# bugs / issues

- if storing a script to flash fails in the middle, because there's no remaining space, partially written data of the
script isn't removed from flash. Logic has to be added, to delete already written flash recors in error case.

# further analysis
- capabilities to send in new HID++ messages (maybe re-write device capabilities)
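Review bot: typo in the new "bugs / issues" entry: "flash recors" should be "flash records". The "[done, fixed issue]" mark on the flash-storage testing item does not say which issue was fixed; name it (the FDS read-order problem that CHANGELOG.md links to on devzone looks like the candidate) so the ToDo stays traceable. The new bug entry duplicates the CHANGELOG known-issue text almost verbatim; keeping the detailed description here and a one-line "see ToDo.md" in the changelog avoids the two drifting apart, as the "aborts"/"fails" wording already has.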
7 changes: 7 additions & 0 deletions companion2.py
Expand Up @@ -3,6 +3,13 @@
import struct
import time

'''
Important: This is a test script for LOGITacker's HID based programming interface.
The script assumes the raw HID interface accessible on /dev/hidraw0 and writes data to
this dev-file. There is no proper implementation to directly interface with LOGITacker on
the USB HID layer, neither is the protocol finalized.
'''

# report types
REPORT_TYPE_COMMAND = 0x02
