Input/HID devices
Disassembled devices
Truly Ergonomic keyboard
- Product page: https://trulyergonomic.com/store/products
- Architecture: unknown [TODO, need Windows to run .exe]
- has a dip switch to allow/disallow firmware update
Apple USB Mighty Mouse Model-No. A1152
- Chip: Cypress cy7c63743
- Contains EPROM memory, can only be written once
- => Not vulnerable
Logitech RX250 optical mouse
- Chip: Cypress cy7c63813
- Product page: http://www.cypress.com/?mpn=CY7C63813-PXC
- Datasheet: http://www.cypress.com/?docID=41007
- M8C core (a simple 8 bit microcontroller core from Cypress)
- 8 KiB flash memory, 256 bytes RAM, 24 MHz clock
- Reprogrammable via USB bootloader
- Documentation is available from Cypress; it should not be too difficult to write a malicious firmware upgrade
- Device should be able to act as a HID keyboard entering a predefined keystroke sequence, e.g. to download a PowerShell script from the Internet
Bootloader information: http://www.cypress.com/?rID=12994

The term "user code" refers to the actual firmware of the device providing the intended functionality, such as a USB HID mouse. On power-up, the bootloader verifies a 16-bit checksum of the user code. If it matches, it jumps to the user code. If it does not match, the device goes into bootloader mode and communicates with the computer via USB. There are commands for reading and writing the flash contents. Unfortunately, the bootloader requires an 8-byte bootloader key. However, the key verification is done on a byte-by-byte basis (assembly listings are available in the ZIP file from Cypress), so it could be incrementally guessed by counting the number of clock cycles until the verification fails. It is likely that the bootloader key is the same for a large number of produced units, so it would probably be enough to extract it in a lab setup for a few units.

In a lab setup, it is probably possible to make the flash checksum verification fail, e.g. via voltage glitching, clock glitching, extreme temperatures or UV/X-ray radiation, so that the device boots into the bootloader code. Then the bootloader key can be extracted by guessing bytes and counting the number of clock cycles the verification takes. After that, it should be possible to extract the firmware binary for reverse engineering. Once the firmware is available, it may be possible to find a hidden command which allows switching the device to bootloader mode via a special USB command (so that other identical devices can be reprogrammed via USB).

*Update:* It looks like the controller itself has a proprietary non-USB programming protocol. The USB bootloader from http://www.cypress.com/?rID=12994 is optional and I do not know how many actual devices come shipped with a USB bootloader at all.
The integrated programming functionality can be accessed with a programmer, which is available for $30 from Cypress: http://www.cypress.com/?rID=37459 The following document describes the update process: http://www.cypress.com/?docID=19520

If there is no bootloader, the chips can still be reflashed via the USB contacts using a custom (non-USB) protocol with a MiniProg programming adapter. However, the controller does have flash protection fuses. I do not know whether these fuses are set for typical low-cost USB devices.

*Update 20141107:* I have tried to read out the chip with a Cypress MiniProg adapter. Unfortunately, the flash protection fuses are set and I could only read one 64-byte block of the flash memory. Since I cannot dump the firmware, I can't tell whether there is a USB bootloader on the chip or not.
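The byte-by-byte key check described above leaks, through its running time, how many leading bytes of a guess are correct. The following C snippet is an added illustration, not Cypress's bootloader code: it models that early-exit comparison beside a constant-time version that always touches every byte, and counts loop iterations as a stand-in for clock cycles; the key value and the sample guess are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define KEY_LEN 8

/* Constructed placeholder key; on the real device it would sit in flash. */
static const uint8_t STORED_KEY[KEY_LEN] = {0x4B, 0x65, 0x79, 0x21, 0x01, 0x02, 0x03, 0x04};

/* Result of a key check plus the loop iterations it took, used here as a
 * stand-in for the clock cycles the page talks about counting. */
struct check_result {
    int ok;          /* 1 if the guess equals STORED_KEY */
    unsigned cycles; /* iterations spent in the comparison */
};

/* Early-exit comparison, the pattern the page describes: it stops at the first
 * mismatching byte, so 'cycles' reveals how many leading guess bytes are right. */
struct check_result check_key_early_exit(const uint8_t *guess)
{
    struct check_result r = {0, 0};
    for (size_t i = 0; i < KEY_LEN; i++) {
        r.cycles++;
        if (guess[i] != STORED_KEY[i])
            return r; /* ok stays 0 */
    }
    r.ok = 1;
    return r;
}

/* Constant-time comparison: every byte is visited no matter where the first
 * mismatch is, and the differences are folded into one accumulator, so
 * 'cycles' is identical for every guess and the loop leaks nothing. */
struct check_result check_key_const_time(const uint8_t *guess)
{
    struct check_result r = {0, 0};
    uint8_t diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        r.cycles++;
        diff |= (uint8_t)(guess[i] ^ STORED_KEY[i]);
    }
    r.ok = (diff == 0);
    return r;
}

int main(void)
{
    const uint8_t guess[KEY_LEN] = {0x4B, 0x65, 0, 0, 0, 0, 0, 0}; /* constructed: first 2 bytes right */
    printf("early-exit: %u cycles, constant-time: %u cycles\n",
           check_key_early_exit(guess).cycles, check_key_const_time(guess).cycles);
    return 0;
}
```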
USB Mouse Tchibo
- ApexOne A2624D; the chip is sold as an ASIC just for the USB mouse application
- Datasheet does not indicate that there is any microcontroller
=> Most likely not vulnerable
USB Laser Mouse Generalkeys
- Chip-on-Board, no label
USB Mouse Logilink
- Chip without label, could be Cypress like in the Logitech mouse
Noname USB numeric Keypad
- Chip-on-Board, no label
Hama mini USB mouse
- USB + Sensor integrated into one package, Label: A1198 TSP635B
- http://nutsandboltsandflyingsparks.blogspot.de/2012_07_01_archive.html => Pin Layout, no more info found
- Bus 001 Device 011: ID 062a:0003 Creative Labs
Noname mini optical mouse
- 1bcf:0007 Sunplus Innovation Technology Inc. Optical Mouse => The datasheets for Sunplus devices mention that it contains a µC, but no indication of upgradeability or any persistent storage was found
- Chip label: C2165 => Datasheet available, 6502 µC [http://en.wikipedia.org/wiki/MOS_Technology_6502]
- No leaked tools
Microsoft Comfort 2000 keyboard v1.0
- Chip-on-Board, no label
Speedlink SL-6535-BK Game pad controller (Mediamarkt 20141106)
- Chip-on-Board without label
- Bus 001 Device 012: ID 0079:0006 DragonRise Inc. Generic USB Joystick
- No further info found
Speedlink ACUTE Presenter (Mediamarkt 20141106)
- Receiver: SL-6198-RRBK 433.92 MHz
- Chip1: missing label, 8-pin SOIC, connected to USB
- Chip2: label "4608" / "1320" (two lines), connected to antenna
- Bus 001 Device 014: ID 1223:3f07 SKYCABLE ENTERPRISE. CO., LTD.
- No further info found
Logitech G5 mouse
- Was sold from around 2007-2012 for about 35-60 Euro
- Official firmware upgrade from Logitech available: G5Update12.exe
- Contains a large text area in hex format, similar to Intel HEX (ihex)
- Contains valid USB Descriptors and interesting strings after decoding: "D:\Project\Mecha\FW_Current Version\bin\jw32.abs","ICP"
- Could be MC68HC908JW32 => architecture M68HC05
- => Most likely vulnerable
Logitech G502 Proteus Core Gaming Mouse (launched in 2014, current price: 65 Euro)
- Official software (Logitech Gaming Software) contains a firmware update utility: G502Update_v16.exe
- Contains an area with valid USB descriptors (Device, Configuration and String descriptors)
- http://pclab.pl/art57551-7.html
- PCB shots show chip label "ARM STM32L100" / "R8T6" (two lines) => STM32L100R8
- ARM microcontroller with USB, 64 KiB internal flash, 2 KiB EEPROM and 8 KiB RAM
- => STM documentation shows that the controller supports the DFU (Device Firmware Upgrade) standard
- => Most likely vulnerable
Updated by Karsten about 10 years ago · 1 revisions