Hi,
> *My experience*
>
> *Get a SSH connectivity from the guest computer*
>
> - Emulate a network card with *g_ether* module (default image
> configuration)
> - Works great with Linux
> - Works under Windows 10 by adding "idVendor=0x04b3 idProduct=0x4010"
> options at the end of /etc/modprobe.d/usbarmory.conf (g_ether options)
>
>
> - Emulate a RNDIS network card with ConfigFS and composite USB Gadget
> - Not tested with Linux
> - Works great with Windows 10
>
>
> - Emulate a ECM network card with ConfigFS and composite USB Gadget
> - Should work with Linux (not tested)
> - Doesn't work with Windows 10 (the device is detected but no driver
> is available)
>
>
>
> *Get a fake keyboard emulation (BadUSB) for fun and exploits*
>
>
> - Emulate a HID keyboard with ConfigFS and composite USB Gadget (only
> method I heard about so far)
> - Not working at all
> - Based on this website (and a lot of tries)
> https://www.rmedgar.com/blog/using-rpi-zero-as-keyboard-setup-and-device-definition
> - I tried 100x different configuration variations but I can't make it
> work.
> - Sometimes I even get segmentation faults
>
>
>
>
>
> Do you have any idea why this is not working? Do we have a problem with
> the current Debian kernel?
>
> (4.9.80 in this case, but in 4.9.75 that was not working either)
>
For some reason the USB gadgets have issues on 4.9.x kernels, please try
the 4.14 one.
In case you are using the default Debian distribution on your USB armory
you can update the kernel in the following way:

# apt-get update
# apt-get install apt-transport-https dirmngr
# apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys CEADE0CF01939B21

Add the USB armory Debian kernel repo to /etc/apt/sources.list:

deb https://inversepath.github.io/debian stable usbarmory

# apt-get update
# apt-get install linux-image-4.14-usbarmory

Then you would need to manually change the

# cd /boot
# mv zImage zImage.old ; ln -s zImage-4.14.20-0-usbarmory zImage
# mv imx53-usbarmory.dtb imx53-usbarmory.dtb.old ; ln -s imx53-usbarmory-default-4.14.20-0.dtb imx53-usbarmory.dtb
# reboot

Cheers,
Andrej
>
>
>
>
> I copied the SH script I am using to activate different USB gadgets (Only
> HID is not working)
>
>
>
>
>
>
> Regards
>
>
>
>
> Gael
>
> #!/bin/bash -e
>
>
> # Remove the old kernel modules and use USB Gadget mode instead
> modprobe -r g_ether usb_f_ecm u_ether
> modprobe libcomposite
>
>
>
> cd /sys/kernel/config/usb_gadget/
>
> # Create the USB Gadget
> mkdir g && cd g
>
> echo 0x1d6b > idVendor # Linux Foundation
> echo 0x0104 > idProduct # Multifunction Composite Gadget
> echo 0x0100 > bcdDevice # v1.0.0
> echo 0x0200 > bcdUSB # USB 2.0
>
> # Make Windows OS recognize the USB devices
> echo 0xEF > bDeviceClass # miscellaneous
> echo 0x02 > bDeviceSubClass #
> echo 0x01 > bDeviceProtocol #
>
>
> # Configuration files
> mkdir -p strings/0x409
> mkdir -p configs/c.1/strings/0x409 # -p: configs/c.1 does not exist yet at this point
> echo "0000000000000666" > strings/0x409/serialnumber
> echo "usbarmory" > strings/0x409/manufacturer
> echo "USB Gadget" > strings/0x409/product
>
> # Activate Serial port / Network / Keyboard emulations
> mkdir -p functions/acm.usb0 # serial
> #mkdir -p functions/rndis.usb0 # network rndis (choose one between ecm and rndis)
> mkdir -p functions/ecm.usb0 # network ecm
> mkdir -p functions/hid.usb0 # keyboard
>
> # Power settings
> mkdir -p configs/c.1
> echo 250 > configs/c.1/MaxPower
>
> # OS descriptors
> echo 1 > os_desc/use
> echo 0xcd > os_desc/b_vendor_code
> echo MSFT100 > os_desc/qw_sign
>
> ## setup rndis parameters for the network card (only when rndis.usb0 was created above)
> if [ -d functions/rndis.usb0 ]; then
>   echo RNDIS > functions/rndis.usb0/os_desc/interface.rndis/compatible_id
>   echo 5162001 > functions/rndis.usb0/os_desc/interface.rndis/sub_compatible_id
>   echo 1a:55:89:a2:69:41 > functions/rndis.usb0/dev_addr
>   echo 1a:55:89:a2:69:42 > functions/rndis.usb0/host_addr
> fi
>
> ## setup hid parameters for the keyboard function
> echo 1 > functions/hid.usb0/protocol
> echo 1 > functions/hid.usb0/subclass
> echo 8 > functions/hid.usb0/report_length
> echo -ne "\x05\x01\x09\x06\xA1\x01\x05\x07\x19\xE0\x29\xE7\x15\x00\x25\x01\x75\x01\x95\x08\x81\x02\x95\x01\x75\x08\x81\x03\x95\x05\x75\x01\x05\x08\x19\x01\x29\x05\x91\x02\x95\x01\x75\x03\x91\x03\x95\x06\x75\x08\x15\x00\x25\x65\x05\x07\x19\x00\x29\x65\x81\x00\xC0" > functions/hid.usb0/report_desc
>
> ## setup ecm parameters for network card mac address
> #echo 1a:55:89:a2:69:41 > functions/ecm.usb0/dev_addr
> #echo 1a:55:89:a2:69:42 > functions/ecm.usb0/host_addr
>
>
> # Activate the configuration
> ln -s functions/acm.usb0 configs/c.1/
> #ln -s functions/rndis.usb0 configs/c.1/
> ln -s functions/ecm.usb0 configs/c.1/
> ln -s functions/hid.usb0 configs/c.1/
>
>
> # Load the driver
> #ln -s configs/c.1 os_desc
> udevadm settle -t 5 || :
> ls /sys/class/udc/ > UDC
--
Andrej Rosano
Hardware Security | Inverse Path | F-Secure
www.inversepath.com | www.f-secure.com
5BB8 574E 68E8 D841 E18F D5E9 CEAD E0CF 0193 9B21
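
Added example, not part of the original thread and not code from either poster: a small Python walker for the HID report descriptor written to report_desc in the quoted script. It decodes the short items, reports the top-level usage and the report sizes, and checks them against the script's report_length of 8. The function names analyse and report_length_matches are hypothetical; long items and Report IDs are rejected rather than handled.

```python
# Added example: walks the short items of a USB HID report descriptor.
# DESCRIPTOR is the byte string written to report_desc in the quoted script.
DESCRIPTOR = bytes.fromhex(
    "05010906a1010507" "19e029e715002501" "7501950881029501"
    "7508810395057501" "0508190129059102" "9501750391039506"
    "7508150025650507" "190029658100c0"
)
MAIN_DATA = {8: "input", 9: "output", 11: "feature"}  # main-item tags

def analyse(desc):
    """Return top-level (usage page, usage) and report sizes in bytes."""
    size = count = depth = 0
    usage_page = last_usage = top = None
    bits = {"input": 0, "output": 0, "feature": 0}
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:
            raise ValueError("long item at offset %d not handled" % i)
        n = (0, 1, 2, 4)[prefix & 0x03]          # data length of this item
        if i + 1 + n > len(desc):
            raise ValueError("truncated item at offset %d" % i)
        value = int.from_bytes(desc[i + 1:i + 1 + n], "little")
        kind, tag = (prefix >> 2) & 0x03, prefix >> 4
        if kind == 1:                             # global items persist
            if tag == 0: usage_page = value
            elif tag == 7: size = value           # Report Size (bits)
            elif tag == 9: count = value          # Report Count
            elif tag == 8: raise ValueError("Report ID not handled")
        elif kind == 2 and tag == 0:              # local item: Usage
            last_usage = value
        elif kind == 0:                           # main items
            if tag in MAIN_DATA:
                bits[MAIN_DATA[tag]] += size * count
            elif tag == 10:                       # Collection
                if depth == 0 and top is None:
                    top = (usage_page, last_usage)
                depth += 1
            elif tag == 12:                       # End Collection
                depth -= 1
            last_usage = None                     # local state resets here
        i += 1 + n
    if depth != 0:
        raise ValueError("unbalanced collections")
    result = {k + "_bytes": (v + 7) // 8 for k, v in bits.items()}
    result["top_level"] = top
    return result

def report_length_matches(desc, report_length):
    """True when the declared input report fills exactly report_length bytes."""
    return analyse(desc)["input_bytes"] == report_length
```

For the descriptor in the script the top-level usage is Generic Desktop / Keyboard (0x01, 0x06), with an 8-byte input report and a 1-byte output report, so the report_length value of 8 agrees with the descriptor.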