Input devices » History » Version 1
Karsten, 11/11/2014 03:28 PM
| 1 | 1 | Karsten | h1. Input/HID devices |
|---|---|---|---|
| 2 | |||
| 3 | h2. Disassembled devices |
||
| 4 | |||
| 5 | h3. Truly Ergonomic keyboard |
||
| 6 | |||
| 7 | * Product page: https://trulyergonomic.com/store/products |
||
| 8 | * Architecture: unknown [TODO, need Windows to run .exe] |
||
| 9 | * has a dip switch to allow/disallow firmware update |
||
| 10 | |||
| 11 | h3. Apple USB Mighty Mouse Model-No. A1152 |
||
| 12 | |||
| 13 | * Chip: Cypress cy7c63743 |
||
| 14 | * Contains EPROM memory, can only be written once |
||
| 15 | * => %{color:green}Not vulnerable% |
||
| 16 | |||
| 17 | h3. Logitech RX250 optical mouse |
||
| 18 | |||
| 19 | * Chip: Cypress cy7c63813 |
||
| 20 | * Product page: http://www.cypress.com/?mpn=CY7C63813-PXC |
||
| 21 | * Datasheet: http://www.cypress.com/?docID=41007 |
||
| 22 | * M8C core (a simple 8 bit microcontroller core from Cypress) |
||
| 23 | * 8 KiB flash memory, 256 bytes Ram, 24 MHz clock |
||
| 24 | * Reprogrammable via USB bootloader |
||
| 25 | * Documentation is available from Cypress, it should not be too difficult to write a malicious firmware upgrade |
||
| 26 | * Device should be able to act as a HID keyboard entering a predefined keystroke sequence, e.g. to download a Powershell script from the Internet. |
||
| 27 | |||
| 28 | <pre> |
||
| 29 | Bootloader information: |
||
| 30 | http://www.cypress.com/?rID=12994 |
||
| 31 | |||
| 32 | The term "user code" refers to the actual firmware of the device |
||
| 33 | providing the intended functionality such as a USB HID mouse. |
||
| 34 | |||
| 35 | On powerup, the bootloader verifies a 16 bit checksum of the user code. |
||
| 36 | If it matches, it jumps to the user code. |
||
| 37 | |||
| 38 | If it does not match, the device goes to bootloader mode and |
||
| 39 | communicates with the computer via USB. There are commands for reading |
||
| 40 | and writing the flash contents. |
||
| 41 | |||
| 42 | Unfortunately, the bootloder requires an 8 byte bootloader key. However, |
||
| 43 | the key verification is done on a byte-by-byte basis (assembly listings |
||
| 44 | are available in the ZIP file from Cypress) and so it could be |
||
| 45 | incrementally guessed by counting the number of clock cycles until the |
||
| 46 | verification fails. It is likely that the bootloader key is equal for a |
||
| 47 | large number of produced units and so it would probably be enough to |
||
| 48 | extract it in a lab setup for a few units. |
||
| 49 | |||
| 50 | In a lab setup, it is probably possible to make the flash checksum |
||
| 51 | verification fail e.g. via voltage glitching, clock glitching, extreme |
||
| 52 | temperatures or UV/X-Ray radiation so that the device boots into |
||
| 53 | bootloader code. Then the bootloader key can be extracted by guessing |
||
| 54 | bytes and counting the number of clock cycles the verification takes. |
||
| 55 | After that, it should be possible to extract the firmware binary for |
||
| 56 | reverse engineering. Once the firmware is available, it may be possible |
||
| 57 | to find a hidden command which allows switching the device to bootloader |
||
| 58 | mode via a special USB command (so that other identical devices can be |
||
| 59 | reprogrammed via USB). |
||
| 60 | |||
| 61 | *Update:* It looks like the controller itself has a proprietary non-USB |
||
| 62 | programming protocol. The USB bootloader from http://www.cypress.com/?rID=12994 |
||
| 63 | is optional and I do not know how many actual devices come shipped with a |
||
| 64 | USB bootloader at all. |
||
| 65 | |||
| 66 | The integrated programming functionality can be accessed with a programmer, |
||
| 67 | which is available for 30$ from Cypress: |
||
| 68 | http://www.cypress.com/?rID=37459 |
||
| 69 | |||
| 70 | The following document describes the update process: |
||
| 71 | http://www.cypress.com/?docID=19520 |
||
| 72 | |||
| 73 | If there is no bootloader, the chips can still be reflashed via the USB contacts |
||
| 74 | using a custom (non-USB) protocol with a MiniProg programming adapter. |
||
| 75 | |||
| 76 | |||
| 77 | However, the controller does have flash protection fuses. I do not know |
||
| 78 | whether these fuses are set for typical low cost USB devices. |
||
| 79 | |||
| 80 | |||
| 81 | *Update 20141107:* |
||
| 82 | I have tried to read out the chip with a Cypress Miniprog adapter. Unfortunately, |
||
| 83 | the flash protection fuses are set and I could only read one 64-byte block of the |
||
| 84 | flash memory. Since I cannot dump the firmware, I can't tell whether there is a |
||
| 85 | USB bootloader on the chip or not. |
||
| 86 | </pre> |
||
| 87 | |||
| 88 | h3. USB Mouse Tchibo |
||
| 89 | |||
| 90 | * ApexOne A2624D, Chip is sold as an ASIC just for USB mouse application |
||
| 91 | * datasheet does not indicate that there is any microcontroller. |
||
| 92 | => %{color:green}Most likely not vulnerable% |
||
| 93 | |||
| 94 | h3. USB Laser Mouse Generalkeys |
||
| 95 | |||
| 96 | * Chip-on-Board, no label |
||
| 97 | |||
| 98 | h3. USB Mouse Logilink |
||
| 99 | |||
| 100 | * Chip without label, could be cypress like in the Logitech mouse |
||
| 101 | |||
| 102 | h3. Noname USB numeric Keypad |
||
| 103 | |||
| 104 | * Chip-on-Board, no label |
||
| 105 | |||
| 106 | h3. Hama mini USB mouse |
||
| 107 | |||
| 108 | * USB + Sensor integrated into one package, Label: A1198 TSP635B |
||
| 109 | * http://nutsandboltsandflyingsparks.blogspot.de/2012_07_01_archive.html => Pin Layout, no more info found |
||
| 110 | * Bus 001 Device 011: ID 062a:0003 Creative Labs |
||
| 111 | |||
| 112 | h3. Noname mini optical mouse |
||
| 113 | |||
| 114 | * 1bcf:0007 Sunplus Innovation Technology Inc. Optical Mouse => Datasheet for Sunplus devices mention that it contains a µC, but no indication about upgradeability or any persistent storage found |
||
| 115 | * Chip label: C2165 => Datasheet available 6502 µC [http://en.wikipedia.org/wiki/MOS_Technology_6502] |
||
| 116 | * No leaked tools |
||
| 117 | |||
| 118 | h3. Microsoft Comfort 2000 keyboard v1.0 |
||
| 119 | |||
| 120 | * Chip-on-Board, no label |
||
| 121 | |||
| 122 | h3. Speedlink SL-6535-BK Game pad controller (Mediamarkt 20141106) |
||
| 123 | |||
| 124 | * Chip-on-Board without label |
||
| 125 | * Bus 001 Device 012: ID 0079:0006 DragonRise Inc. Generic USB Joystick |
||
| 126 | * No further info found |
||
| 127 | |||
| 128 | h3. Speedlink ACUTE Presenter (Mediamarkt 20141106) |
||
| 129 | |||
| 130 | * Receiver: SL-6198-RRBK 433.92 Mhz |
||
| 131 | * Chip1: Missing label, 8 pins SOIC, connected to USB |
||
| 132 | * Chip2: 4608\n1320, connected to antenna |
||
| 133 | * Bus 001 Device 014: ID 1223:3f07 SKYCABLE ENTERPRISE. CO., LTD. |
||
| 134 | * No further info found |
||
| 135 | |||
| 136 | h3. Logitech G5 mouse |
||
| 137 | |||
| 138 | * Was sold from around 2007-20012 for about 35-60 Euro |
||
| 139 | * Official firmware upgrade from Logitech available: G5Update12.exe |
||
| 140 | * Contains large text area with hex format, similar to ihex |
||
| 141 | * Contains valid USB Descriptors and interesting strings after decoding: "D:\Project\Mecha\FW_Current Version\bin\jw32.abs","ICP" |
||
| 142 | * Could be MC68HC908JW32 => architecture M68HC05 |
||
| 143 | * %{color:red}=> Most likely vulnerable% |
||
| 144 | |||
| 145 | h3. Logitech G502 Proteus Core Gaming Mouse (launched in 2014, current price: 65 Euro) |
||
| 146 | |||
| 147 | * Official software (Logitech Gaming Software) contains firmware update utility: G502Update_v16.exe |
||
| 148 | * Contains area valid USB Descriptors (Device, Configuration and String descriptors) |
||
| 149 | * http://pclab.pl/art57551-7.html |
||
| 150 | * PCB Shots show chip label: ARM STM32L100\nR8T6 => STM32L100R8 |
||
| 151 | * ARM Microcontroller with USB, 64 KiB internal flash, 2 KiB eeprom and 8 KiB RAM |
||
| 152 | => STM documentation show that the controller does support DFU (Device firmware upgrade) standard |
||
| 153 | * %{color:red}=> Most likely vulnerable% |