DIY USB radio extender
Of course you can! There are absolutely no difficulties in this. All you need is:
When the soldering is finished and there are no breaks or unsoldered ends, slide the heat shrinks over the solder joints and heat them with a heat gun, one by one, until they have shrunk completely and grip the joint. Anyone who has no heat gun can use a regular lighter. Let each heat shrink cool, then gather everything into a neat bundle and repeat the procedure with the large heat shrink over the whole soldered area.
There is nothing complicated here. However, before connecting any expensive device for the first time, it is a good idea to check the continuity of the contacts with a multimeter, again borrowed from the kind IT people. In general, they always have a lot of things you can ask for. Golden people!
We are confident that our simple recommendations will save you some money, and in return will give you many fun minutes spent doing something that you have never done before and are unlikely to ever do again.
Attention! You perform all work at your own peril and risk. We do not bear any responsibility for your wasted time, your damaged nerves, cut or burned limbs, damaged office equipment, etc. It’s better to trust the professionals and buy a finished product, which will certainly be more beautiful, more functional, more reliable and faster.
What file system is used on flash drives?
Most flash drives come already formatted in FAT32 for compatibility with Windows, Mac and Linux. But the FAT32 file system has a significant drawback - the size of one file cannot be more than 4GB, so you cannot write HD video or any large TrueCrypt file container to such a flash drive.
You can format your flash drive to NTFS, then you will be able to write significantly larger files and significantly increase reliability. The NTFS file system is supported by default on all versions of Windows, starting with NT/2000, and is also partially supported on Mac and Linux. At the same time, most home media centers and TVs do not support the NTFS system.
There is also the exFAT file system, created by Microsoft specifically for flash drives. exFAT reduces the number of rewrites of the same sector, which extends the life of flash drives, and there is no problem with files over 4GB. The exFAT file system is supported in Windows XP with Service Pack 2 and 3 after installing update KB955704, in Windows Vista SP1 and all later versions of Windows, and in Mac OS X Snow Leopard starting from version 10.6.5.
Homemade twisted pair USB extension cable for WEB camera or 3G modem.
how to make a USB extension cable when, while experimenting, I extended the USB cord of a regular web camera by 18 meters for simple video surveillance (more details). That is, I extended a regular web camera to a distance of 18 meters from the laptop! This is an excellent result, since at first I could not extend the USB webcam even by a meter. Using the same homemade USB extender, I subsequently extended a 3G modem and other USB devices, and everything works fine.
USB extension cord that worked smoothly in fifteen minutes and cost mere pennies. In the shops, meanwhile, a two-meter high-quality high-speed USB 2.0 cord with ferrite filters costs about $15, and it is still not known whether it will work normally with all USB devices. I have repeatedly seen meter-long USB extension cords through which only mice and keyboards worked normally; even flash drives did not want to be detected through them. So I started thinking about how to make a working USB extender for a web camera, a 3G modem and other remote USB devices.
Changing a computer program
1) Open the file C:\OpenRobo\set-led.c
2) You need to learn how to send more complex messages to the microcontroller, on receipt of which it performs the required functions. Right now only two messages are sent, in the isOn variable: 0 = turn the LED off, 1 = turn the LED on. Let's also learn how to send code 2 = light every other LED on port B (in the previous example we prepared the microcontroller to process this code; now we will simply send it from the program on the computer).
3) Edit the file set-led.c: directly above the line

```c
} else if ((isOn = (strcasecmp(argv[1], "on") == 0)) || strcasecmp(argv[1], "off") == 0) {
```

insert the following code, which adds a new call code 2 for the microcontroller function:

```c
} else if (strcasecmp(argv[1], "discoteka") == 0) {
    fprintf(stderr, "Every body dance now!\n");
    /* wValue = 2 is the new command code, wIndex = 0 is unused here */
    cnt = usb_control_msg(handle, USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_ENDPOINT_OUT,
                          CUSTOM_RQ_SET_STATUS, 2, 0, buffer, 0, 5000);
    if (cnt < 0) {
        fprintf(stderr, "USB error: %s\n", usb_strerror());
    }
```

The code sends command 2 to the microcontroller, which starts the disco there. We rebuild the program for the computer, and a new command, discoteka, becomes available to us.
This way you can insert any other codes and the functions for them. In C++ there is a function Sleep(1000); it sets an execution delay in milliseconds, for example 1000 is 1 second. It is useful, and you can also use it to make the LEDs blink. This function will come in handy later.
Pay attention to the usb_control_msg call: it can carry two variable parameters. In the first we pass 2 or the isOn variable, which equals 1 or 0; the next number (currently 0) can carry one more value. For example, the first parameter can still be the original on/off command, and the second can carry the number of the port that should be switched on. In the microcontroller program these parameters are accessed under the names p1 and p2; for this example p1=2, p2=0.
What to make a USB extension cable from.
At first, I tried to make a USB extension cable from double-shielded microphone wire of various brands. I sent the D+ and D- USB signals through the central cores of the cable, and the 5 volt "+" and "-" power through the shielding braids. I tried other options for a USB extension cable using shielded wires. But nothing came of it. On such a USB extension cable, devices were not detected even on a meter-long cord. It would seem a good shielded wire: the D+ and D- channels are separated and have separate screens, what else is needed? But USB devices did not work on it! Fruitless experiments with USB and shielded wires continued until I realized that D+ and D- carry a differential signal simultaneously. This means that a USB extender needs a symmetrical line: twisted pair!
What should I do if I accidentally deleted files from a flash drive?
Stop! Whatever you do next, do not write anything to this flash drive under any circumstances. After that, you should evaluate how important your data is so that you can try to recover the data yourself. If you decide that the data is too valuable to risk, then it is better to take the flash drive to a professional data recovery company.
If you want to try to recover data yourself, then look at the section of our website “Programs for flash drive recovery.”
USB signal at the physical level.
The USB signal is a differential signal: two signals traveling along the D+ and D- pair of wires simultaneously in antiphase (inverted), without the participation of a common wire. An example of a differential signal is the signal output from a transformer winding. The amplitude of such a signal is not the amplitude relative to the common wire, but the amplitude between these two conductors. Accordingly, the differential receiver measures the amplitude between these two inverted signals, not the amplitude between the signal wire and the negative of the power supply.
The USB bus is a symmetrical communication line: a high-quality method of transmitting high-frequency signals without losses and common-mode interference, carried out over a pair of wires without the participation of a common wire. The method has increased noise immunity because noise acts equally on the two antiphase conductors at the same time and is subtracted from the useful signal in the end.
Therefore, a reliable USB extension cable must be made from twisted pair cable. The most affordable twisted pair option for a USB extension cable is twisted pair for computer networks, a regular "network" wire.
We get burner image
The next important step is to select a suitable burner image (8051 binary responsible for dumping and uploading firmware to the device). Typically their names look something like this:
BNxxVyyyz.BIN
Where xx is the version number of the controller (for example, in the case of PS2251-03 it will be 03), yyy is the version number (not important), and z reflects the size of the memory page and can be as follows:
- 2KM - for 2K NAND chips;
- 4KM - for 4K NAND chips;
- M - for 8K NAND chips.
Where to look for a suitable burner image for your flash drive: see this link.
Homemade twisted pair USB extension cable.
I made a homemade twisted pair USB extension cable as follows. I had a piece of PRIME CAT5E UTP cable, 18 meters long: conventional unshielded computer twisted pair cable for indoor installation, the cheapest network cable. To connect the web camera via USB, I needed a piece of cable 10 meters long, but I decided not to cut the piece I had and to connect all of it, for the experiment. As it turned out, it was quite successful.
The twisted-pair USB extension cable was fitted with dismountable female and male USB connectors bought at a radio parts store.
Important point! I connected the blue pair of cable wires to D+ and D-. Why blue? – All four twisted pairs of the cable cores have different lay pitches. This is clearly visible if you remove the overall sheath of 10 - 15 centimeters from the UTP cable. So, the USB extension cable worked perfectly if the D+ and D- signals were sent through a blue or green pair of wires . If we put D+ and D- on the orange pair, then the USB extension cable did not work at all. The brown pair worked intermittently. Probably, the laying pitch of the blue and green pair of cores is ideal for the passage of a high-frequency USB signal (resonance, impedance, etc.).
I paralleled the other three pairs of cable cores and ran power through them - three colored wires plus, three striped wires minus.
A homemade twisted-pair USB extension cable works great: all USB devices connected to it are detected and work without problems. USB flash drive, USB card reader, USB Wi-Fi adapter, MTS 3G modem, EasyCap video capture device, USB DVB-T receiver (SDR radio), USB web camera. This is everything I tested on this homemade USB extension cable.
After a series of unsuccessful experiments with a short shielded wire, the functionality of the 18-meter USB extension cable seemed unrealistic. Subsequently, I made many USB extenders using this technology, and they all worked up to a length of 20 meters . For a longer length, I was never able to get the USB extension cord to work properly. USB devices are no longer detected.
Transformation
As you understand, today we will try to turn an ordinary flash drive into a pentester’s secret weapon!
First of all, we need a suitable device. Since the code is published only for a specific microcontroller, we have two options: either find a flash drive built on this controller, or carry out the very difficult work of researching and flashing some other microcontroller. This time we will choose the easier path and try to find a suitable flash drive (and here is a list of vulnerable equipment). The controller is quite common, so by some miracle I even found a suitable one among a dozen flash drives at home.
Maximum length of USB extension cable.
According to the standard, USB cables and extension cables should not exceed five meters for Full-Speed mode (12 Mbit/s speed). But this is a general case - the minimum specification for guaranteed operation of any USB device.
In practice, everything is much more interesting. It all depends on the specific UTP cable: the pitch of the twisted pair, the thickness of the conductors, solid or stranded conductors, the material of the conductors and insulation, the presence of a shield. The operation of a USB extender is subject to the complex theory of high-frequency signal transmission. That is, physically, a USB cable is not just a cord of four wires, but a high-frequency symmetrical communication line.
The maximum length of a USB extension cable is also affected by the drop in supply voltage. Therefore, 5 volt power in the USB extension cable must be supplied over three parallel twisted pairs to increase the cross-section of the power line.
The principle of operation of a USB flash drive and its components.
As I wrote above, a USB drive is based on NAND or NOR flash memory. In turn, flash memory contains a silicon crystal on which field-effect transistors with floating and control insulated gates are placed. It is worth saying that field-effect transistors have a drain and a source. So, the floating gate of a transistor is capable of holding a charge (electrons).
During data recording, a positive voltage is applied to the control gate and some of the electrons are directed (moved) from drain to source, deflecting towards the floating gate. Some electrons overcome the thin layer of insulator and penetrate into the floating gate, where they remain for a long period of storage. The storage time of information is measured in years, but one way or another it is limited.
USB flash devices are quite compact, mobile and allow you to connect to any computer that has a USB connector. Manufacturers go to great lengths to please potential buyers, combining a USB drive with all kinds of keychains, jewelry, toys and pens...
The USB Flash drive device consists of the following electronic components:
- USB connector.
- Microcontroller.
- Test points.
- Flash memory chip.
- Quartz resonator.
- Light-emitting diode.
- Switch (write protection).
- Space for an additional memory chip (optional).
Next, I would like to dwell in more detail on the main components of a USB flash drive and describe some characteristic symptoms of unstable operation of a USB Flash drive.
Why the USB extension cable does not work - reasons:
1) The wires of the USB extension cable are not twisted pair.
No shielded microphone cable or the like: such wires should not be used for a USB extension cable! Twisted pair only! The best cable for a USB extender is standard computer twisted pair UTP made of solid copper wires (not soft stranded patch cord wires). The D+ and D- lines MUST be a twisted pair of wires. Precisely a twisted pair of wires.
It is also possible that you will come across a low-quality twisted pair cable with high signal attenuation. In this case, if all the options below do not help, you need to take a UTP cable of a different brand, manufacturer, etc.
2) The wrong twisted pair of wires is used for the D+ and D- signals of the USB extender.
A “ computer twisted pair UTP ” cable, under its sheath, has four twisted pairs of wires with different lay pitches. This is done to reduce the parasitic effects of pairs on each other in the cable. However, the laying pitch of the pair also affects the parameters of the passage of a high-frequency signal through it. Therefore, for the D+ and D- line, it is advisable to try all four pairs and determine on which of them USB devices work most stably. When making USB extension cables, I most often had luck with blue or green twisted pair cables. The D+ and D- line on these twisted pair cables worked almost always perfectly. Probably, these conductors of the pair have the “right” lay pitch. But for some reason, the orange pair of wires most often failed on long USB extension cables (15-20 meters).
3) Large drop in supply voltage on the USB extension cable.
For power circuits, it is necessary to parallel the wires of the USB extension cable! Power to the USB device via a USB extension cable must be supplied via the remaining three twisted pairs in parallel - to increase the cross-section of the wires and reduce their resistance. If the 5 volt supply voltage drop on the extension cord is significant, then the USB device will not be able to work normally. It will not be detected by the computer. This is the truism of Ohm's Law !
4) The USB extension cable is not connected to the main USB sockets of the PC.
The USB extension cable must be connected to the USB sockets located on the back of the PC case! It makes a difference where you connect the USB extension cable! Additional PC USB connectors located on the case are most often connected to the motherboard using regular wires rather than twisted pair. Therefore, naturally, the symmetrical signal D+ and D- is greatly distorted on such wires, causing interference. But the USB sockets located on the back of the PC (mounted directly on the motherboard) will not distort the D+ and D- lines.
Let's start doing magic
Having found a suitable device (which you don’t mind losing in case of failure), you can begin to transform it. First of all, we need to download the sources that the guys posted. In principle, the content is listed on their official wiki, but just in case, let me remind you once again what they posted on GitHub:
- DriveCom is an application for interacting with flash drives based on the Phison controller;
- EmbedPayload is an application designed for embedding RubberDucky inject.bin scripts into custom firmware for their subsequent execution when a flash drive is connected;
- Injector is an application that extracts addresses from the firmware and embeds the patch code into the firmware;
- firmware - custom 8051 firmware written in C;
- patch is a collection of 8051 patches written in C.
We check and analyze functionality
It's time to check if any of the boards broke during soldering. We connect the Arduino Micro Pro to the computer and wait until the universal driver for the HID device is installed. Arduino should signal with two red and one green LEDs.
From your phone, tablet or laptop, look at the list of Wi-Fi access points. There should be a new AP called WiFi Duck. If we see it, then everything is working. You can throw up your hands and shout “It's Alive!” and laugh devilishly in the flashes of lightning.
Let's connect to it. The password is quackquack (this is the default, you can change it in the settings). Now open the browser, go to 192.168.4.1 (this is the default address of the ESP-8266EX in AP mode) and see the control panel of our device.
Everything on the web interface is spartan, nothing superfluous. Four pages, or tabs, two working and two informational:
- Scripts. This tab is designed to work with ready-made scripts. Initially, it is empty, but using the UPLOAD NEW SCRIPT button you can load the written sketch in .ino and .txt formats from the memory of the device (from which you logged in), and then execute it at any convenient time. You can write scripts yourself or find ready-made solutions on the Internet, for example here. Not all of them are working; you will need to test them in advance (the shell allows you to edit them). There is plenty of memory for all this - almost 3 MB.
- Live Execute. On this page there is a field in which we write the sketch. It can be executed immediately or saved. When saved, it will appear on the Scripts page. The language for writing a sketch differs from the usual one in Arduino, so below the input field there are instructions with commands and a description of each of them.
- Settings. This is the access point settings page. Here you can change the name of the access point, password, and make it hidden. You can also specify a script that will be executed immediately when the device is connected to the computer.
- Info. This page is for informational purposes only. It links to the author of the project, the SDK, the web server, the scripts and their interpreter. You can also update the ESP8266 firmware version over the air.
Parts List
This is what the final parts list looks like.
Main details
- Common sense - 1 pc. Try to protect yourself and others from various dangers;
- ATtiny85 — 1 pc. (from Digispark clone);
- 68 Ohm resistor - 2 pcs. (from Digispark clone);
- 1.5 kOhm resistor - 1 pc. (from Digispark clone);
- Zener diode 3.6 V - 2 pcs. (from Digispark clone);
- MOS transistor (MOSFET) IRLML2502 - 1 pc. (there are different options here; for example, ZXMN2F34FHTA will also work well);
- resistor of approximately 680 Ohm (see the important safety note in the assembly instructions).
Optional Parts and Tools
- An old retractable flash drive. We will need its case and USB plug;
- printed circuit board for prototyping SMTpad 50x50 (this is what I used, more experienced comrades will probably find a better way to assemble the circuit);
- copper tape (I used it to shorten the connections on the board);
- solder, solder paste, rosin;
- soldering iron or soldering station.
Payload details
- It all depends entirely on what you are going to add. The payload will receive a voltage of 5 V for the duration of time that you configure (at least while the device is connected, if necessary, add a battery).
- For something like a "sonic grenade" you can connect the 5V connectors directly.
- For something dramatic like smoke bombs... I'll probably omit this information so that some of the readers don't do anything stupid. Sorry, but I’ll have to do something similar with the text in a couple more places.
High voltage programmer
If you choose the route with a high-voltage programmer, there is a large selection of devices, for example for $60. However, you can get by with an Arduino Nano v3 for $4 and a development board. Someone made an Arduino sketch that automatically clears the fuse bits, which is very convenient for us. Steps 1-3 from the tutorial for this operation led me to the desired result.
Instead of connecting the ATtiny directly to the breadboard, I used the SOIC-8 clamp to program the chip directly. I also replaced the twelve volt battery with a five volt booster for 5 bucks. I used all this so much that I moved it from the breadboard to the more permanent ProtoBoard.
Uploading the firmware
As soon as we have a ready-made payload in our hands, the time will come to implement it in the firmware. This is done with the following two commands:
copy CFW.bin hid.bin
tools\EmbedPayload.exe inject.bin hid.bin
Please note that the firmware is first copied to hid.bin, and only then flashed. This is done this way because the payload can only be implemented into the firmware once, so the original CFW.bin must be kept intact.
After such manipulation, we will have a custom firmware file hid.bin with a payload embedded in it. All that remains is to upload the resulting firmware to the flash drive:
tools\DriveCom.exe /drive=F /action=SendFirmware /burner=BN03V104M.BIN /firmware=hid.bin
where F is, again, the letter of the drive.
We remove the five-second delay at start
One of the annoying things about Digispark is the five-second delay at startup. It is this delay that allows new sketches to be loaded when the device is connected. If you remove it, then to load a program you will need to short two ATtiny pins. To combat the delay, you will need a new bootloader. You can load it using the programmer, but it is much more fun to use the NOP slide vulnerability to load it from the memory that is usually used for sketches. However, to write the firmware you will still need to clear some fuse bits inside the chip. And this, unfortunately, still requires the use of a high-voltage (12 V) programmer. They say that in some versions of Digispark the fuse bits are not set, but in mine they were.
Implementing Bad USB using off-the-shelf devices
I would especially like to emphasize that Bad USB is not some recently discovered problem at the level of the interface itself. The point is only that thanks to the work of several geeks, it has become much easier for a user without appropriate qualifications to interfere with the operation of the controllers of some devices that allow firmware updates without the use of specialized equipment.
If previously those who wanted to slip a virtual keyboard or network controller under the guise of a flash drive used piece copies of such devices, now they can be stamped at home. Little-known methods that were the prerogative of intelligence services and advanced hacker groups have become more accessible - that’s all.
It’s hard for me to see anything negative in the very possibility of doing this. Some users will gain a deeper understanding of the operation of modern devices and another incentive to be more careful. It’s just that now a flash drive cannot be considered safe, even if its disk partition is completely clean.
Source: Computerra.ru - https://www.computerra.ru/108106/bad-usb-on-some-devices/
Published: November 7, 2014
Alternative options
In addition to using the HID nature of the flash drive and turning it into a keyboard that types our payloads, we can do a few more tricks. For example, you can create a hidden partition on your device, reducing the amount of space that the OS can see. To do this, you first need to get the device size in logical blocks:
tools\DriveCom.exe /drive=E /action=GetNumLBAs
Then in the patch folder you need to find the base.c file, uncomment the line #define FEATURE_EXPOSE_HIDDEN_PARTITION and add another define directive specifying a new LBA number: #define NUM_LBAS 0xE6C980UL (this number must be even, so if in the previous step you got, say, 0xE6C981, then you can reduce the number to 0xE6C940, for example).
After editing the sources, you need to place the firmware that you want to patch into the patch folder under the name fw.bin and run build.bat, which will create a modified firmware file fw.bin in patch\bin\. All that remains is to upload it to the flash drive.
The Password Patch and No Boot Mode Patch are done in the same way; you can read about them in more detail on the project's GitHub. My main goal was to teach the flash drive to perform given actions, which is what you and I have achieved.
Better than Rubber Ducky
You've probably already heard about Rubber Ducky. This is a BadUSB device for HID attack. Devices of this kind can emulate a keyboard and allow you to send any commands as if they were typed by the current user.
These devices have a simple microcontroller and memory into which the sketch (code for Arduino and similar development boards) is written. It contains the function of emulating the desired device and a set of actions it performs. As practice shows, this is usually the keyboard and the sequence of keys “pressed” on it.
Of course, these devices also have their drawbacks. First, you need to carefully reconnoiter the complete configuration of the victim computer. Secondly, before a real attack, you need to check how it will be performed on a test system that is as similar as possible, and make the necessary adjustments - in particular, select the optimal delays. In real conditions, it will most likely be problematic to approach the attacked computer a second time, and if even one key scan code is sent at the wrong time, then everything will be in vain. Thirdly, you can only use one sketch. You cannot add a function on the fly or interrupt and restart a set of actions. In this article I will show how to create a device that is free of these disadvantages.
Preparing payload
Now it's time to think about what functionality we want to get from our flash drive. If you remember Teensy, there is a separate toolkit for it, Kautilya, which allows you to automate the creation of payloads. There is a whole website for USB Rubber Ducky that allows you to create scripts for the device to your liking directly online using a convenient web interface. And this is in addition to the list of ready-made scripts that are on the project’s Github. Luckily for us, Ducky scripts can be converted into binary form and then integrated into the firmware. For this we will need the Duck Encoder utility.
As for the scripts themselves, there are several options:
- you can sketch out the required script yourself, since the syntax used is not difficult to master (see the official website of the project);
- use ready-made options posted on GitHub, fortunately there is a reverse shell and other goodies there - all that remains is to correct and convert to binary form;
- or use the above-mentioned site, which will guide you step-by-step through all the settings and allow you to download the finished script in the form of a Ducky script (or already in converted binary form).