Logitech unifying compatible keyboard with NRF24 #55
Comments
|
Logitacker includes all the logic required to pair, as well as sending
keystrokes, as far as I understand it. So this is a pretty reasonable place
to discuss it if you want to.
…On Sat, Apr 11, 2020, 13:03 bilogic ***@***.***> wrote:
Hi,
While I understand LOGITacker to be a sniffer tool, I was wondering if the
expertise here can be re-purposed to create a logitech unifying compatible
keyboard using the NRF24 via a Arduino/ESP8266/32.
I need info on the unifying RF protocol, especially on pairing and
transmission of data. So far, I have some success with
https://github.com/ronangaillard/logitech-mouse. Do also let me know if
there is a better place to discuss this.
Thank you.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#55>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABHBC34HZIN72IMXSLL3EDRMBFBBANCNFSM4MF6SY2Q>
.
|
|
Cool, perhaps you can help point me in the right direction? The code at https://github.com/ronangaillard/logitech-mouse managed to pair with the receiver, but as a keyboard instead of mouse. Furthermore, after pairing, the mouse does not move like documented. I'm thinking to get that sorted out before going to encrypted keyboard stuff. There are some payload definitions for pairing at https://github.com/ronangaillard/logitech-mouse/blob/f29452d2ca9783224597d9dee1050bd4a14cfda5/logitech-mouse.h#L39, do you know where can I find the relevant material in this repo? Thank you. |
|
I made some progress, but still 2 fundamental problems:
After the timeout, my code restarts itself and on every 4th attempt, the response becomes Thank you. |
|
I fixed up the code, pairs as a mouse, reconnects and able to move cursor now. Also managed to pair as a keyboard, however, sending plain keystroke packets are not generating key presses on my PC.
Any idea which devices accepts the following plain keystroke packets? I already set device type during pairing to be 0x4 (unifying compatible, no encryption). The plain keystrokes packets I'm sending as follows: Thank you. |
|
You can send unencrypted keystrokes to the same endpoint as the mouse. If
you want to send encrypted keystrokes, send to the keyboard endpoint.
…On Sun, 12 Apr 2020 at 13:45 bilogic ***@***.***> wrote:
I fixed up the code, pairs as a mouse, reconnects and able to move cursor
now. Also managed to pair as a keyboard, however, sending plain keystroke
packets are not generating key presses on my PC.
Logitech Unifying Software is showing the orange badge on my device, i.e.
packets are being received.
Any idea which devices accepts the following plain keystroke packets? I
already set device type during pairing to be 0x4 (unifying compatible, no
encryption).
The plain keystrokes packets I'm sending as follows:
uint8_t key_down[] = {0x0, 0xC1, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x22};
uint8_t key_up[] = {0x0, 0xC1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3F};
Thank you.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#55 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABHBC76JPU2Z4ILH6UIO6DRMGSWBANCNFSM4MF6SY2Q>
.
|
|
I paired as a mouse, it was able to move, but nothing happens when sending the |
|
Based on the jargon of LOGITacker, my logs of REQ1, 2, 3 and RSP1, 2 and final in pairing as a mouse and subsequently sending |
|
Make sure the format of the keystroke packet is correct?
I’ve not actually worked with LOGITacker or MouseJack at that low a level
yet, but I imagine that the report should look pretty similar to a usb
keyboard report.
1 byte modifier, 1 byte reserved (0x00), 6 bytes for down keys, or 0x00.
The whole prefixed with a report identifier or endpoint identifier.
Eg 0x04 for key A down.
…On Sun, 12 Apr 2020 at 14:37 bilogic ***@***.***> wrote:
I paired as a mouse, it was able to move, but nothing happens when sending
the key_down and key_up packets. Any idea where I should start looking?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#55 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABHBC526GOASMZAAA7BJEDRMGYXLANCNFSM4MF6SY2Q>
.
|
|
On receiver's patched against MouseJack, a device paired as mouse would not be allowed to send unencrypted key strokes, even if it reports keyboard capabilities. LOGITacker was updated to pair a keyboard with mouse capabilities, a while back, to account for this: |
|
@mame82 I have 3 dongles
Any idea which is patched?
|
|
Also LOGITacker always uses encrypted keyboard payloads, unless the receiver is a G700. The latter uses unencrypted payloads, although an encryption key is generated while pairing takes place. For LIGHTSPEED (G900) receivers, not only keyboard payloads have to be encrypted, but HID++, too. This is to account for keyboard macro injection on the devices. Also LIGHTSPEED encryption is slightly different: it uses two AES CTR keys per transmitted frames. |
|
I did try encrypted keyboard payloads, but keystrokes not received by OS as well, I thought it was easier to make sure I got everything correct in plain text first. Let me try the encrypted payloads. I suppose it is pointless to try the C-U0008 dongle? |
|
Sorry, what is the key portion that I should be looking at here? Thanks! |
|
For mouse report format: They differ between devices/receivers, f.e. X-/Y-Axes resolution could either be 8bit or 12bit. Rogan is right: Keyboard and mouse payloads on RF are similar to resulting YSB HID reports. In addition the RF version includes headers, like:
|
That the device type of the device to pair was changed from mouse to keyboard with this patch. The data structure is used to build/encode the pairing request |
|
It is currently not possible for me to provide all the info needed by you to do the correct payload encoding. Suggestion: Use two LOGITacker devices. Use one to pair a device, the other to sniff the pairing and you should get a good picture on how data has to be encoded. The rest is in the code |
|
Suggest read 1 (parsing of sniffed pairing requests/responses): |
|
Suggest read 2 (code used to generate requests for device pairing): Also pay attention, that in between pairing request special frames are send one or multiple times, to pull a response from the receiver (response payload is part of ack frame). Pairing continues to the next step, once the respective response was received, otherwise the "pull" frame is sent again |
|
@mame82, I have managed to pair as a keyboard, this is the latest logs based on your remarks, I'm trying to generate the encrypted payloads now. |
|
I think my question is, I managed to pair as a keyboard, my challenge is in generating the encrypted payload. Can I ask why you are suggesting I read the pairing code? Are you suspecting I missed something? I have gotten through REQ1, 2, 3 and RSP1, 2, 3 (Final). |
|
In addition, here's an outdated and incomplete analysis of a SDR captured pairing (most recent and complete info is in LOGITacker code): |
Yes, I have been running through all these docs today which is why I managed to pair and move the OS mouse cursor. Am I missing something in the pairing? I'm thinking to just dive straight to the encrypted payloads. |
Only to assure you fully understand the meaning of device type vs capabilities A device could be a mouse with keyboard features or the other way around. |
|
For payload encryption/decryption look here: |
I have device type as 0x1 (keyboard) and caps as 0x5 (unifying + encryption). All good yes? |
|
I'm just after unifying, not lightspeed. Does it make more sense for me to just look at LOGITacker/logitacker/logitacker_devices.c Line 823 in cbc3c5a Or do I have to go to Thanks. |
|
Ok, I think I know why my earlier encrypted payloads did not work, I merely copied the SDR captured payloads. I need to derive my device_key and encrypt my own payloads. |
|
I need some help:
Thank you. |
|
Hi, I have confirmed my AES ECB encryption from .2 to .3 is correct using http://aes.online-domain-tools.com/ Can help me check if the Sending a keydown Currently, my OS does not receive any keys. Thank you. |
|
I'm trying to respond to the 10 bytes ACK + payloads documented here slide 39 of 86 https://initrd.net/stuff/mousejack/doc/pdf/DEFCON-24-Marc-Newlin-MouseJack-Injecting-Keystrokes-Into-Wireless-Mice.slides.pdf Where can I find the code that decodes them? Thank you. |
|
Sorry about the earlier post, my alt key was virtually stuck from all the hacking. I managed to hack together a sniffer and captured the following, of interest is 2nd line, CH: 62. |
2nd frame seems malformed, so ignore it. All frames are directed device to dongle, thus the device index is 0x00 (offset 0) Offset 1 is the report type (this byte actually is a mix of a bit mask and a type field, but I won't go into great detail here, just keep in mind that the bit6 == 0x40 means keep-alive if set) The rest is payload, length depends 9n report type, the very last byte is an 8bit Logitech CRC. The first report of type 0x40 is a pure keep-alive with the 2 byte payload 0x0014 (=20ms till next keep alive). The next reports of type 0xD3 are encrypted keyboard payloads, but they look wrong to me. The first 8 payload bytes ( Now here the counter is constant, instead of counting up ... this works only for receivers still vulnerable to Keyjack (counter reuse). The 8 encrypted bytes reflect this (data looks the same except one or two bytes == same key used for each frame). The bytes which change are at offset 4 and 5 of the encrypted payload. Although this could work (for keyjack), it looks weird to me, as those would map to HID key 4 and 5 of the plain (out of 6 HID keys which could be pressed at the same time) I assume the report which has 0x85 as encrypted key is a key release (because it occurs repeatedly), but having two adjacent releases is still weird. This simply looks wrong to me. For sure this data is not generated by LOGITacker |
|
|
You got all the information required to answer your questions (either in code or on comments).
|
|
None of the described issues applies to LOGITacker. Pairing and device emulation is implemented correctly and confirmed to be working |
|
Yes, I do apologize that my questions are not specific to LOGITacker, but this seems to be the only place that has the expertise. Thanks to your guidance, I managed to work out all the issues except 1, if you could please bear with me for just 1 last question, I would most appreciate it.
When using the latest patched dongles
Just to be clear, I'm not trying to impersonate the paired Logitech K800, instead my device is pairing as itself and has gotten to the point where battery levels, charge status and firmware are showing up correctly in the Unifying software. I also know that my AES_ECB routines are correct because keystrokes show up on the OS when paired with a vulnerable dongle, Thank you. |
|
Start counter after power cycle is totally random. I'm pretty sure your encryption is broken or - to be more precise - the cipher in use for the specific frame does not match the counter |
|
Also I forgot to reference my talk on the topic. It includes details on Unifying crypto. The slides are linked in the video comments (pay attention to the ones illustrating the key generation and the counter re-use issues |
Thanks for the talk, it did not appear in any of my earlier searches.
I checked, and C1 == C2. Thank you. |
@RoganDawes I'm re-visiting this issue in hopes of completing my project. |
|
I suggest you read Marc Newlin's Mousejack paper. (I really should have read it too! :-) ) DEFCON-24-Marc-Newlin-MouseJack-Injecting-Keystrokes-Into-Wireless-Mice.whitepaper.pdf When saying endpoint, I should have said dongle address, using an Unencrypted Keystroke Payload packet format (table 8) |
|
@RoganDawes I see. Thanks. Yes I have gone through all the materials but still unable to find out what I'm missing.
Would you be able to confirm that C-U0007, 012.001.00032 accepts encrypted payloads from LOGITacker? P.S. Pt 1 means that I'm able to encrypt properly, so I wouldn't question the encryption routines unless the encryption has changed in .00032, which I'm certainly not aware of. |
|
I'm afraid not. My understanding of the LOGItacker codebase is severely
lacking.
…On Wed, 21 Oct 2020 at 14:08, bilogic ***@***.***> wrote:
@RoganDawes <https://github.com/RoganDawes> I see. Thanks.
Yes I have gone through all the materials but still unable to find out
what I'm missing.
My project behavior is as follows:
1. Sending *encrypted* keystrokes payload C-U0007, 012.001.00019 -
working
2. Sending *encrypted* keystrokes payload C-U0007, 012.001.00032 - not
working
Would you be able to confirm that LOGITacker is able to transmit encrypted
payloads to C-U0007, 012.001.00032?
Thank you.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#55 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABHBCYJDXF5KNKSGBAN7A3SL3FNRANCNFSM4MF6SY2Q>
.
|
Hi,
While I understand LOGITacker to be a sniffer tool, I was wondering if the expertise here can be re-purposed to create a logitech unifying compatible keyboard using the NRF24 via a Arduino/ESP8266/32.
I need info on the unifying RF protocol, especially on pairing and transmission of data. So far, I have some success with https://github.com/ronangaillard/logitech-mouse. Do also let me know if there is a better place to discuss this.
Thank you.
The text was updated successfully, but these errors were encountered: