Input devices » History » Version 1
Karsten, 11/11/2014 03:28 PM
h1. Input/HID devices

h2. Disassembled devices

h3. Truly Ergonomic keyboard

* Product page: https://trulyergonomic.com/store/products
* Architecture: unknown [TODO, need Windows to run .exe]
* Has a DIP switch to allow/disallow firmware update

h3. Apple USB Mighty Mouse Model-No. A1152

* Chip: Cypress CY7C63743
* Contains EPROM memory, can only be written once
* => %{color:green}Not vulnerable%

h3. Logitech RX250 optical mouse

* Chip: Cypress CY7C63813
* Product page: http://www.cypress.com/?mpn=CY7C63813-PXC
* Datasheet: http://www.cypress.com/?docID=41007
* M8C core (a simple 8-bit microcontroller core from Cypress)
* 8 KiB flash memory, 256 bytes RAM, 24 MHz clock
* Reprogrammable via USB bootloader
* Documentation is available from Cypress, so it should not be too difficult to write a malicious firmware upgrade
* The device should be able to act as a HID keyboard entering a predefined keystroke sequence, e.g. to download a PowerShell script from the Internet.

<pre>
Bootloader information:
http://www.cypress.com/?rID=12994

The term "user code" refers to the actual firmware of the device
providing the intended functionality such as a USB HID mouse.

On powerup, the bootloader verifies a 16-bit checksum of the user code.
If it matches, it jumps to the user code.

If it does not match, the device goes to bootloader mode and
communicates with the computer via USB. There are commands for reading
and writing the flash contents.

Unfortunately, the bootloader requires an 8-byte bootloader key. However,
the key verification is done on a byte-by-byte basis (assembly listings
are available in the ZIP file from Cypress) and so it could be
incrementally guessed by counting the number of clock cycles until the
verification fails. It is likely that the bootloader key is the same for a
large number of produced units, so it would probably be enough to
extract it in a lab setup from a few units.

In a lab setup, it is probably possible to make the flash checksum
verification fail, e.g. via voltage glitching, clock glitching, extreme
temperatures or UV/X-ray radiation, so that the device boots into the
bootloader code. Then the bootloader key can be extracted by guessing
bytes and counting the number of clock cycles the verification takes.
After that, it should be possible to extract the firmware binary for
reverse engineering. Once the firmware is available, it may be possible
to find a hidden command which allows switching the device to bootloader
mode via a special USB command (so that other identical devices can be
reprogrammed via USB).

*Update:* It looks like the controller itself has a proprietary non-USB
programming protocol. The USB bootloader from http://www.cypress.com/?rID=12994
is optional and I do not know how many actual devices come shipped with a
USB bootloader at all.

The integrated programming functionality can be accessed with a programmer,
which is available for $30 from Cypress:
http://www.cypress.com/?rID=37459

The following document describes the update process:
http://www.cypress.com/?docID=19520

If there is no bootloader, the chips can still be reflashed via the USB contacts
using a custom (non-USB) protocol with a MiniProg programming adapter.

However, the controller does have flash protection fuses. I do not know
whether these fuses are set for typical low-cost USB devices.

*Update 20141107:*
I have tried to read out the chip with a Cypress MiniProg adapter. Unfortunately,
the flash protection fuses are set and I could only read one 64-byte block of the
flash memory. Since I cannot dump the firmware, I can't tell whether there is a
USB bootloader on the chip or not.
</pre>
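The byte-by-byte key check described above leaks, through its running time, how many leading bytes of a guess were right; the added example below (not Cypress code, written here for illustration) models that early-exit pattern next to a constant-time check. The key bytes, the function names and the step counter standing in for clock cycles are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define KEY_LEN 8

/* Constructed stand-in for the 8-byte bootloader key held in flash (not a real key). */
static const uint8_t BOOT_KEY[KEY_LEN] = {0x4B, 0x31, 0x9A, 0x0F, 0xC2, 0x77, 0x5D, 0xE8};

/* Byte-by-byte check with early exit, modelling the pattern the notes describe.
 * 'steps' counts loop iterations; on a small 8-bit core this is proportional to
 * clock cycles, so it reveals how many leading bytes of the guess were correct. */
bool verify_key_early_exit(const uint8_t guess[KEY_LEN], unsigned *steps)
{
    *steps = 0;
    for (int i = 0; i < KEY_LEN; i++) {
        (*steps)++;
        if (guess[i] != BOOT_KEY[i])
            return false;   /* leaves the loop as soon as one byte mismatches */
    }
    return true;
}

/* Constant-time check: always touches all 8 bytes and ORs the differences,
 * so the iteration count (and cycle count) is the same for every guess. */
bool verify_key_const_time(const uint8_t guess[KEY_LEN], unsigned *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (int i = 0; i < KEY_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(guess[i] ^ BOOT_KEY[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed guess: first three bytes right, fourth byte wrong. */
    uint8_t guess[KEY_LEN] = {0x4B, 0x31, 0x9A, 0x00, 0x00, 0x00, 0x00, 0x00};
    unsigned a, b;
    bool ra = verify_key_early_exit(guess, &a);
    bool rb = verify_key_const_time(guess, &b);
    printf("early-exit: match=%d steps=%u\n", ra, a);   /* steps=4: exposes the 3-byte prefix */
    printf("const-time: match=%d steps=%u\n", rb, b);   /* steps=8 for any guess */
    return 0;
}
```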

h3. USB Mouse Tchibo

* ApexOne A2624D, chip is sold as an ASIC just for USB mouse applications
* Datasheet does not indicate that there is any microcontroller.
=> %{color:green}Most likely not vulnerable%

h3. USB Laser Mouse Generalkeys

* Chip-on-Board, no label

h3. USB Mouse Logilink

* Chip without label, could be Cypress like in the Logitech mouse

h3. Noname USB numeric keypad

* Chip-on-Board, no label

h3. Hama mini USB mouse

* USB + sensor integrated into one package, label: A1198 TSP635B
* http://nutsandboltsandflyingsparks.blogspot.de/2012_07_01_archive.html => pin layout, no more info found
* Bus 001 Device 011: ID 062a:0003 Creative Labs

h3. Noname mini optical mouse

* 1bcf:0007 Sunplus Innovation Technology Inc. Optical Mouse => Datasheets for Sunplus devices mention that it contains a µC, but no indication about upgradeability or any persistent storage found
* Chip label: C2165 => Datasheet available, 6502 µC [http://en.wikipedia.org/wiki/MOS_Technology_6502]
* No leaked tools

h3. Microsoft Comfort 2000 keyboard v1.0

* Chip-on-Board, no label

h3. Speedlink SL-6535-BK game pad controller (Mediamarkt 20141106)

* Chip-on-Board without label
* Bus 001 Device 012: ID 0079:0006 DragonRise Inc. Generic USB Joystick
* No further info found

h3. Speedlink ACUTE Presenter (Mediamarkt 20141106)

* Receiver: SL-6198-RRBK 433.92 MHz
* Chip 1: missing label, 8-pin SOIC, connected to USB
* Chip 2: label "4608" / "1320" (two lines), connected to antenna
* Bus 001 Device 014: ID 1223:3f07 SKYCABLE ENTERPRISE. CO., LTD.
* No further info found

h3. Logitech G5 mouse

* Was sold from around 2007-2012 for about 35-60 Euro
* Official firmware upgrade from Logitech available: G5Update12.exe
* Contains a large text area in hex format, similar to Intel HEX
* Contains valid USB descriptors and interesting strings after decoding: "D:\Project\Mecha\FW_Current Version\bin\jw32.abs", "ICP"
* Could be MC68HC908JW32 => architecture M68HC05
* %{color:red}=> Most likely vulnerable%

h3. Logitech G502 Proteus Core Gaming Mouse (launched in 2014, current price: 65 Euro)

* Official software (Logitech Gaming Software) contains a firmware update utility: G502Update_v16.exe
* Contains an area with valid USB descriptors (device, configuration and string descriptors)
* http://pclab.pl/art57551-7.html
* PCB shots show chip label: ARM STM32L100 / R8T6 (two lines) => STM32L100R8
* ARM microcontroller with USB, 64 KiB internal flash, 2 KiB EEPROM and 8 KiB RAM
=> STM documentation shows that the controller does support the DFU (Device Firmware Upgrade) standard
* %{color:red}=> Most likely vulnerable%
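Both the G5 and the G502 entries rest on spotting valid USB descriptors inside a decoded update file; the added example below (written for this page, not taken from any Logitech or vendor tool) shows one way to do that check on a decoded image. The structure name, the plausibility rules and the sample bytes with VID 0x1234 / PID 0x5678 are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fields of a USB device descriptor (USB 2.0 spec, table 9-8) pulled from a byte image. */
struct usb_device_desc {
    size_t   offset;
    uint16_t bcdUSB, idVendor, idProduct, bcdDevice;
    uint8_t  bMaxPacketSize0, bNumConfigurations;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Scan a decoded firmware image for the first plausible device descriptor:
 * bLength 18, bDescriptorType DEVICE, a known bcdUSB, a legal EP0 size and
 * at least one configuration. Returns 1 and fills *out, or 0 if none found. */
int find_device_descriptor(const uint8_t *img, size_t len, struct usb_device_desc *out)
{
    for (size_t i = 0; i + 18 <= len; i++) {
        const uint8_t *d = img + i;
        if (d[0] != 18 || d[1] != 0x01) continue;            /* bLength, bDescriptorType */
        uint16_t bcd = le16(d + 2);
        if (bcd != 0x0100 && bcd != 0x0110 && bcd != 0x0200 && bcd != 0x0210) continue;
        uint8_t mps = d[7];
        if (mps != 8 && mps != 16 && mps != 32 && mps != 64) continue;
        if (d[17] == 0) continue;                            /* bNumConfigurations */
        out->offset = i; out->bcdUSB = bcd;
        out->idVendor = le16(d + 8); out->idProduct = le16(d + 10);
        out->bcdDevice = le16(d + 12);
        out->bMaxPacketSize0 = mps; out->bNumConfigurations = d[17];
        return 1;
    }
    return 0;
}

/* Constructed sample image: padding (with a false 0x12 start) followed by one descriptor. */
static const uint8_t SAMPLE_IMG[] = {
    0xFF, 0xFF, 0x12, 0x00, 0xAA, 0x55,
    0x12, 0x01, 0x10, 0x01, 0x00, 0x00, 0x00, 0x08,             /* 18, DEVICE, USB 1.10, EP0 size 8 */
    0x34, 0x12, 0x78, 0x56, 0x01, 0x00, 0x01, 0x02, 0x00, 0x01, /* VID 1234, PID 5678, 1 config */
};

int main(void)
{
    struct usb_device_desc d;
    if (find_device_descriptor(SAMPLE_IMG, sizeof SAMPLE_IMG, &d))
        printf("device descriptor at %zu: USB %04x VID %04x PID %04x\n",
               d.offset, d.bcdUSB, d.idVendor, d.idProduct);
    return 0;
}
```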