diff --git a/CHANGELOG.md b/CHANGELOG.md index 809e849..c91a574 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ see https://devzone.nordicsemi.com/f/nordic-q-a/52297/fds-read-order-fds_record_ - example (not generic ... directly writing to `/dev/rawhid0`) in `companion2.py` - some changes to logging for Flash Data Storage operations - increased log buffers size, to account for dropped messages -- known issue: If storing a script to flash aborts in the middle, because there's no remaining space, partially +- known issue: If storing a script to flash fails in the middle, because there's no remaining space, partially written data of the script isn't removed from flash. # LOGITacker v0.2.0-beta diff --git a/README.md b/README.md index faa790d..6b90b63 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,9 @@ again, the associated data (including the AES key) is restored from flash. - Live decryption: In passive enumeration mode, encrypted keyboard RF frames are automatically decrypted if the link Encryption key is known (could be added manually or obtained from sniffed pairing). This could be combined nicely with USB pass-thorugh modes. +- *experimental* covert channel for air-gap bridging with "keystroke injectable" client agent to deploy the channel +for a Windows host with Logitech receiver (demo with receiver implanted into USB cable: https://youtu.be/79SogcYbpNA) +- usable for pure USB keystroke injection (RubberDucky fashion), programming features are still usable - USB pass-through: An USB serial based CLI is not the best choice, when it comes to processing of raw or decrypted RF data. To circumvent this, LOGITacker supports the following pass-through modes: - USB keyboard pass-through: If enabled, received RF keyboard frames are forwarded to LOGITacker's USB keyboard diff --git a/ToDo.md b/ToDo.md index b5cf549..3b850cf 100644 --- a/ToDo.md +++ b/ToDo.md 
@@ -18,7 +18,7 @@ The firmware evolves as needed by myself (on-stage demos, experiments). **No fea 1) [done] devices with sniffed pairing and encryption capability (chances are low to capture pairing in flight --> must have) 2) [done] devices which respond to plain keystroke injection during active enum 3) [done] devices for which plain key reports have been captured during passive enum (f.e. R400 doesn't reveal injection vuln during active enum, but send plain keyboard reports) -- extensive testing of device flash storage, definition of upper limits (nobody needs 1000 devices on the dongle, as they could be barely handled interactively) +- [done, fixed issue] extensive testing of device flash storage, definition of upper limits (nobody needs 1000 devices on the dongle, as they could be barely handled interactively) - maybe: Introduce user provided meta data, like "site name" for discover and custom device name, to make it easier to re-identify specific devices stored on flash (raw RF addresses require noting down additional info) - this is low prio, as it requires additional relationships for data stored on flash, which means runtime-reference-creation and thus brings all nice errors of pointer arithmetic (missing Golang here) 
@@ -40,6 +40,13 @@ and thus brings all nice errors of pointer arithmetic (missing Golang here) - implement `options pair-sniff pass-through-raw` - [done] remove unneeded modules in root folder (refactoring) - [done] add GCC build scripts for MDK and MDK dongle +- RF based control of USB injection mode with Logitech devices (f.e. presentation clicker to iterate over payloads and +execute on-demand --> use PRX mode) + +# bugs / issues + +- if storing a script to flash fails in the middle, because there's no remaining space, partially written data of the +script isn't removed from flash. Logic has to be added, to delete already written flash recors in error case. # further analysis - capabilities to send in new HID++ messages (maybe re-write device capabilities) diff --git a/companion2.py b/companion2.py index 54ef106..5ec6616 100755 --- a/companion2.py +++ b/companion2.py @@ -3,6 +3,13 @@ import struct import time +''' +Important: This is a test script for LOGITacker's HID based programming interface. +The script assumes the raw HID interface accessible on /dev/hidraw0 and writes data to +this dev-file. There is no proper implementation to directly interface with LOGITacker on +the USB HID layer, neither is the protocol finalized. +''' + # report types REPORT_TYPE_COMMAND = 0x02
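Review bot: in the CHANGELOG.md hunk, the device path in the unchanged context line, `directly writing to `/dev/rawhid0``, disagrees with the comment block this same patch adds to companion2.py, which names `/dev/hidraw0`; the two should match, and `/dev/hidraw0` is the form the script actually opens, so the changelog line is the one to fix while this entry is being touched. The `aborts` to `fails` change itself is fine.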
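Review bot: in the README.md hunk, the three added bullets break the `- Label: description` convention of the surrounding entries (`- Live decryption:`, `- USB pass-through:`), and the second new bullet leaves unclear what `programming features are still usable` refers to (usable alongside injection, or usable in that mode). Suggest `- Covert channel (experimental): air-gap bridging with a "keystroke injectable" client agent ...` and `- USB keystroke injection: usable as a plain injector (RubberDucky fashion); <state which features remain available>`. Since this list is being edited, the unchanged context line `USB pass-thorugh modes` also carries a typo (`pass-through`).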
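Review bot: in the ToDo.md `# bugs / issues` hunk, `flash recors` should read `flash records`, and the comma in `Logic has to be added, to delete` should go. The same known issue is recorded in the CHANGELOG.md hunk with slightly different wording; keeping the two entries identical, or having the changelog entry point at this section, avoids them drifting apart once the cleanup logic lands. In the first ToDo.md hunk, `[done, fixed issue]` would be more useful if it named what was fixed, since the bullet text after it is unchanged.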
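Review bot: in the companion2.py hunk, the added triple-quoted block sits after the `import struct` / `import time` lines, so it is not the module docstring (`__doc__` stays `None`) and is executed as a no-op string expression; move it above the first import, or turn it into a `#` comment block. Minor wording: `neither is the protocol finalized` should be `nor is the protocol finalized`.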