Update:

In 2019, I brought two surprises with me to DEFCON.

1 - A small batch of the very first O.MG Cable prototypes for sale. (now on https://o.mg.lol )

2 - A bunch of low cost DIY soldering kits packed into dime bags. The point of the kit was to build a very primitive malicious USB cable. Nothing like the O.MG Cable. No wifi or any of the other magic that O.MG Cable could pull off. Just the ability to transmit a very tiny keystroke injection payload on a PCB small enough to fit inside of a cable. The kit allowed you to choose your own difficulty, down to soldering every component onto the PCB. With a candle and spoon, if you dared.

Named DemonSeed (yes, after another NIN track), this PCB used a circuit that was based on my very early malicious cable designs. DemonSeed represented the early research I had been doing. It was never up to the standards of a professional tool. It was more of a hobby grade novelty, lacking many of the features I wanted to see. But it held a special place in my journey.

As O.MG Cable stepped into the light as a proper product, completely replacing everything about the DemonSeed, it felt like the perfect time to let DemonSeed out at DEFCON as a fun DIY kit.

Below is an archive of the original DemonSeed kit instructions.

=================

v1 DemonSeed info below

=================

D̴̹̭͂ë̷̗́̃̿̓̾͜ṃ̸͔͚̗̙̪̎̄̋ȏ̸̝̤̱͜n̶͇͇͙̻̩͑͑S̴̳̩̮̥͚̥̚ė̸̟̃͋͂͝e̷̪̲̪̰̣̿̀͠d̵̡̂͗

Instructions and License for the v1 kit from DEFCON2019.

DemonSeed is a minimal malicious USB cable. Not to be confused with the O.MG Cable (https://o.mg.lol), which is a very different piece of hardware that does a whole lot more, and is coming very soon :)

For those with the DEFCON 2019 DemonSeed kit, there are 3 separate build difficulties to choose from. And you have the possibility of ending up with 2 functional implant boards when finished.

Intro

In 2017 I started playing around with miniaturizing HID attack hardware inside of USB cables. (https://mg.lol/blog/badusb-cables/) Since then, I have had a lot of people request an easier way to reproduce this work, especially after someone ripped off the basic idea from private messages I sent them and started selling a modified version for hundreds of dollars. (hi kevin!) I don't think such a basic circuit is worth that much, but I do think it's a great way to learn about some hardware hacking basics by building your own.

Yes, "DemonSeed" is another NIN reference :)

When assembled, these cables allow you to program a HID payload that is triggered on power up. The device plugged into the other end will receive power for charging. This makes for a decent educational demo.

Here is a demo video demonstrating what your cable will look like and be capable of: https://twitter.com/_MG_/status/1054929638621757441

Materials

This year (2019) at DEFCON I will have a bunch of these as build kits. So come find me! https://twitter.com/_MG_ In addition to the build kit, you will need some/all of the following depending on what level of build you choose:

  • For Basic assembly:

    • A soldering iron & solder
    • A sacrificial USB cable to implant into. These kits are designed to work with white Lightning cables made by Apple, but any cable that fits inside the strain relief should work.
    • Some Blu Tack/Mounting Putty will make soldering much easier. https://www.amazon.com/s?k=blu+tack
  • For bootloader programming:

  • For assembly of the unpopulated PCB:

    • Solder Paste
    • A hot air reflow station, hot plate, reflow oven, a spoon (not really), or any heat source that is appropriate for solder paste reflow.

Don't have a build kit? Want to source your own parts?

Assembly Instructions

If you have a kit, then you have 2 boards that allow you to choose your own adventure here.

Full difficulty: You can use the unassembled board and do 100% of the assembly. You will need solder paste and a heat source sufficient for solder reflow to start here.

Medium difficulty: You can use the additional assembled board in the kit and skip directly to the pogo programmer assembly. You will need a soldering iron, ISP programmer, something like blu tack/mounting putty to help hold things together while you solder, and a computer with avrdude installed.

Easiest difficulty: You can also use the same assembled board and skip directly to cable assembly because I preprogrammed all of these boards with a bootloader already. You will need a soldering iron and a computer with the Arduino IDE.

DEFCON 2019 kit:

Board Assembly

You will need to use solder paste with a heat source to reflow the solder. Hand soldering is going to be very difficult, especially with the center pad of the QFN ATTiny component. Your board should look like this. The two 68 ohm resistors (marked with "680") and one 1.5k ohm resistor (marked with "188") do not require a specific orientation. However, the diodes need to have their orientation towards the inside of the board. The ATTiny will also need to have its orientation mark lined up as seen in the picture.

Pogo Programmer Assembly

Solder up the 2x3 pin header and the pogo pins as shown in the picture. Make sure the solder stays on the outer brass of the pogo pin and does not bleed over to the tips. Using some blu tack will help a lot when trying to keep everything lined up. The smaller board is intended to help keep the pins lined up while soldering. So place the pogo pins through both boards and hold them into position with the blu tack (as seen in the picture) before you start soldering the pogo pins on.

Cable Assembly

STOP! Have you programmed the bootloader? If not, you will probably want to run through the bootloader programming section (scroll down) before moving on to cable assembly. You can still program the bootloader after you have attached the board to the connector, but solder sometimes fills in the small holes on the 2 pogo pads, which makes it a little more difficult to keep the programmer in position.

Now, the first step is to solder the board into the USB connector. Apply a layer of solder to the connector before trying to solder the two together; this will help. Then position the board onto the connector. It helps to turn the assembly on its back, secured on a bed of blu tack, when doing this. But before you start doing this:

There are two types of USB connectors and their pins are reversed from each other. I have made this board "universal" so that it can be used on either type. However, this means you can install the board backwards and short it out. So make sure you know which orientation you need with your connector. For the kit provided during DEFCON 2019, the orientation will look like this:

STOP! At this point, I recommend verifying that you can interface with DemonSeed via USB. Run through the "Programming a Payload" section (scroll down) and verify that it works.

Once all functionality is confirmed, you can attach a cable and close up the implant.

Take your target cable and cut off the USB A connector:

Add the shell, then the strain relief. Then strip the ends of the cable and remove any of the shielding. Most cables have an outer layer of braided wires and a sheet of metallic plastic (mylar). This should be removed. Make sure you do NOT cut off the inner stranded wires that are often bare. These are the ground wires.

Now, shorten the data wires (usually white and green). Solder the power and ground wires (make sure you have the correct polarity or you will potentially damage the phone (or any device connected) and/or computer!). I recommend doing some research here, but what I have been doing is simply soldering the data wires together (not attached to the board in any way). For all the devices I have tested, this allows them to successfully pull a charge from the cable.

I suggest testing all functionality of the cable at this point. Then, you can close up the enclosure! It helps to add a bit of adhesive to the wires just before you close things up so that they do not get pulled from the solder connections.

And you are done!

Programming Instructions

There are two programming requirements. A blank ATTiny85 will need a bootloader flashed and the fuse bits set properly. After that, you can program HID payloads.

Programming the Bootloader

If you are using the board that came preassembled in a kit, you can technically skip this step because I flashed the bootloader already. However, it is still worth learning how to do this. If you have assembled the empty board with components, the ATTiny is empty so you will want to install a bootloader.

First, install avrdude: https://learn.adafruit.com/usbtinyisp/avrdude

Then, download a copy of the ATTiny85 binary from the micronucleus project here: https://raw.githubusercontent.com/micronucleus/micronucleus/master/firmware/releases/t85_default.hex Micronucleus provides a really convenient functionality: It allows us to push payloads over a USB interface so we only need to use the pogo programmer once.

Now, connect your ISP programmer to the 2x3 header on the pogo programmer using the jumper cables. Please make note of the labeled pins. This 2x3 connector does not use a standard ISP pinout (sorry), so you need to ensure the proper pins are connected.

Then press the pogo pins against the board. Two of the pads have small holes in the center that help the tips of the pogo pins click into place and keep them there. The operation will look like this:

Verify connectivity by running `avrdude -c usbasp -p attiny85` (note: you will want to change out "usbasp" to match whatever ISP you are using).

If connectivity is working, you can flash the bootloader and set the fuse bits by running `avrdude -c usbasp -p attiny85 -U flash:w:t85_default.hex:i -U lfuse:w:0xe1:m -U hfuse:w:0xdd:m -U efuse:w:0xfe:m` (note: you will want to change out "usbasp" to match whatever ISP you are using).
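A read-back check for the fuse step above, added here as an example and not part of the original kit instructions: it decodes the three fuse bytes the flash command writes and flags the bits that would lock you out of ISP programming (RSTDISBL, SPIEN) or stop micronucleus from writing flash (SELFPRGEN, CKSEL). The `verify_chip` helper and the `DEMONSEED_PROGRAMMER` variable are my own names; the fuse bit positions are from the ATtiny85 datasheet.

```shell
#!/bin/sh
# Fuse values from the DemonSeed instructions (micronucleus t85_default.hex).
EXPECTED_LFUSE=0xe1
EXPECTED_HFUSE=0xdd
EXPECTED_EFUSE=0xfe

# check_fuses LFUSE HFUSE EFUSE
# Decodes the ATtiny85 fuse bytes and prints "ok" when every bit that matters for a
# recoverable, bootloader-capable chip matches the instructions; otherwise prints the
# problems and returns 1. Fuse bits are active-low: 0 = programmed, 1 = unprogrammed.
check_fuses() {
  lfuse=$(( $1 )); hfuse=$(( $2 )); efuse=$(( $3 ))
  problems=""
  # hfuse bit 7 RSTDISBL: programmed turns the reset pin into I/O and ISP stops working
  [ $(( (hfuse >> 7) & 1 )) -eq 1 ] || problems="$problems RSTDISBL-programmed"
  # hfuse bit 5 SPIEN: must stay programmed (0) or serial programming is disabled
  [ $(( (hfuse >> 5) & 1 )) -eq 0 ] || problems="$problems SPIEN-unprogrammed"
  # efuse bit 0 SELFPRGEN: must be programmed (0) so the bootloader can write flash
  [ $(( efuse & 1 )) -eq 0 ] || problems="$problems SELFPRGEN-unprogrammed"
  # lfuse bits 3:0 CKSEL = 0001 selects the PLL clock V-USB needs; bit 7 CKDIV8 = 1 means no /8
  [ $(( lfuse & 0x0f )) -eq 1 ] || problems="$problems CKSEL-not-PLL"
  [ $(( (lfuse >> 7) & 1 )) -eq 1 ] || problems="$problems CKDIV8-programmed"
  if [ -z "$problems" ]; then echo ok; return 0; fi
  echo "$problems"; return 1
}

# verify_chip PROGRAMMER  (e.g. usbasp, as in the instructions)
# Reads the fuses back with avrdude (":r:-:h" = read to stdout as hex) and checks them.
verify_chip() {
  prog=$1
  fuses=$(avrdude -c "$prog" -p attiny85 -U lfuse:r:-:h -U hfuse:r:-:h -U efuse:r:-:h 2>/dev/null) || return 1
  set -- $fuses
  [ $# -eq 3 ] || { echo "could not read fuses via $prog" >&2; return 1; }
  check_fuses "$1" "$2" "$3"
}

# Assumption: the programmer name is supplied through DEMONSEED_PROGRAMMER.
if [ -n "${DEMONSEED_PROGRAMMER:-}" ]; then verify_chip "$DEMONSEED_PROGRAMMER"; fi
```

Running `DEMONSEED_PROGRAMMER=usbasp sh check_fuses.sh` right after the flash command reports `ok` when the chip is in the state the instructions expect.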

Programming a Payload

Install Arduino IDE if you don't already have it.

If you don't already have the DigiStump board manager installed, do so using these instructions. Then select board DigiSpark (Default - 16.5mhz) and select programmer Micronucleus.

You can generate a payload script in a variety of ways. I recommend starting with a DuckyScript payload and then converting it with digiQuack which will output the converted Arduino/DigiSpark sketch for you. Not sure which payload to try? Try this: https://github.com/CedArctic/DigiSpark-Scripts/blob/master/RickRoll_Update/RickRoll_Update.ino

LICENSE:

These are intended for personal use and education in a nonprofit way. Please ask if you want to utilize these for profit.