HairClog Posted April 17, 2010
I received this today. It appears that American Express has already built their own USB duckys. In this you can see that this USB card is a HID keyboard that brings up the Windows Run command and keys in their webpage. I took this thing apart to see what was on the board. Up close to the chip I haven't been able to find out about the chip that is on the board but it would be great to see if they can be acquired!

Jerico_Tyler Posted April 17, 2010
The real meat is probably under the black spot.

crazyren Posted April 17, 2010
It could be one of these chips... ( http://www.hexwax.com/products.aspx )

HairClog Posted April 17, 2010
Tried fire, prying, cutting. The black spot is stronger plastic than the board itself. Any ideas, or is it tamper proof?

1n5aN1aC Posted April 17, 2010
> Tried fire, prying, cutting. The black spot is stronger plastic than the board itself. Any ideas, or is it tamper proof?

I'm pretty sure you can't get it off without completely destroying it...... ;)

Elementix Posted April 17, 2010
The black stuff is epoxy. It can be removed without damaging the chip. Here you go: Now get it off so we can see what they've got under there! :)

1n5aN1aC Posted April 17, 2010
Oh yeah, it is just epoxy isn't it.... oops...

Paul Stoffregen Posted April 17, 2010
The visible chip is probably an AT24C02A 256 byte EEPROM memory chip. Many companies make this "24C02" chip, so the first 2 letters (denoting the manufacturer) may not necessarily be "AT" for Atmel. http://search.digikey.com/scripts/DkSearch...02A-10TI-2.7-ND

Darren Kitchen Posted April 17, 2010
This is great. Seriously. When big names like Amex start using methods like these to "secure the users" it becomes an accepted practice to allow foreign HIDs. Much like the convenience of having optical media autorun, because otherwise grandma might get confused if nothing happens when she pops in the Kodak Picture CD the grand kids sent over into the computamajiggy. Convenience. Trust. Pwnage. To be honest the weakest link, causing everything else to compromise security, is between most keyboards and chairs. We need to rethink users and I believe only genetics can solve this problem. (j/k)

crazyren Posted April 17, 2010
According to this post ( http://catless.ncl.ac.uk/Risks/25.83.html#subj12 ) it identified itself on the USB chain as:

    Bus 003 Device 003: ID 05ac:020b Apple, Inc. Pro Keyboard [Mitsumi, A1048/US layout]

Netshroud Posted April 17, 2010
Ooh, I bet they're praying that Apple doesn't find out.

Darren Kitchen Posted April 18, 2010
That's what the Ducky should default to, an Apple keyboard. Ya know, for kicks.

1n5aN1aC Posted April 18, 2010
Definitely, so that Apple keyboards get blocked ;) (okay, they won't, but everyone will think Apple keyboards glitch a lot, or something....)

crazyren Posted April 18, 2010
> That's what the Ducky should default to, an Apple keyboard. Ya know, for kicks.

I was wondering what if we randomize the vendor name and product name.. after every use, using a huge list of all famous drives and yea... then possibilities of getting pwned is hard..

nxt471 Posted April 18, 2010
> That's what the Ducky should default to, an Apple keyboard. Ya know, for kicks.

What would be even better is to disguise it as a Dell or Microsoft keyboard. They can be found almost everywhere in offices and blocking them would cause a whole load of keyboards to not work. Also, nobody suspects Dell or Microsoft keyboards to be hacking them, right? :)

Edited April 18, 2010 by nxt471

Elementix Posted April 18, 2010
> I was wondering what if we randomize the vendor name and product name.. after every use, using a huge list of all famous drives and yea... then possibilities of getting pwned is hard..

I like this idea, but how much space would that use up?

hacker07 Posted April 25, 2010
Okay, I'm confused. How would I change the vendor on my Teensy?

bigk Posted April 30, 2010
Interesting. Hairclog, in your picture it appears your resonator (crystal) is gone. It's a 3 pin ceramic package that is mounted just above the epoxied chip. Another interesting thing is mine has the same markings on the board and the same landings, but does not have the serial EEPROM at all. When I plug it in it acts like a keyboard, brings up the run command and types in www.ppprg.com which forwards to American Express. I wonder if the 4 contacts on the bottom of the board are for programming the device.

Paul Stoffregen Posted May 1, 2010
> Okay, I'm confused. How would I change the vendor on my Teensy?

All USB devices have a 16 bit Vendor ID and 16 bit Product ID number. In Teensy, these numbers (and pretty much everything else) are definable by programming. If you're programming using Arduino with Teensyduino, look inside your Arduino IDE's installation directory, in hardware/teensy/cores/teensy_hid/usb_private.h. You'll find this near the top:

    #define VENDOR_ID               0x16C0
    #define PRODUCT_ID              0x0482

A little farther down, you'll find this:

    #define STR_PRODUCT             L"Teensy Keyboard/Mouse"

You'll also find there's lots of editable stuff inside usb.c, also in that directory. Those "descriptors" are the actual data the PC reads when it's detecting the USB device (the process is called "enumeration" in USB lingo). You can change it to absolutely anything you desire, though you might want to read chapters 5 and 9 of the USB specification, and maybe review the HID spec and usage tables.... all of which are free downloads at www.usb.org in the developer section.

Those numbers are compile-time constants, which are placed into arrays of bytes stored in read-only flash memory. You can't change them while the Teensy is running. However, if you really felt ambitious, you could change the code which reads the memory and transmits it to the PC. It's located in the giant endpoint0 interrupt routine, in usb.c. In fact, here it is:

    if (bRequest == GET_DESCRIPTOR) {
        // look up the descriptor whose wValue/wIndex match the request
        list = (const uint8_t *)descriptor_list;
        for (i=0; ; i++) {
            if (i >= NUM_DESC_LIST) {
                UECONX = (1<<STALLRQ)|(1<<EPEN);  //stall
                return;
            }
            pgm_read_word_postinc(desc_val, list);
            if (desc_val != wValue) {
                list += sizeof(struct descriptor_list_struct)-2;
                continue;
            }
            pgm_read_word_postinc(desc_val, list);
            if (desc_val != wIndex) {
                list += sizeof(struct descriptor_list_struct)-4;
                continue;
            }
            pgm_read_word_postinc(desc_addr, list);
            desc_length = pgm_read_byte(list);
            break;
        }
        // send no more than the host asked for, and no more than exists
        len = (wLength < 256) ? wLength : 255;
        if (len > desc_length) len = desc_length;
        list = desc_addr;
        do {
            // wait for host ready for IN packet
            do {
                i = UEINTX;
            } while (!(i & ((1<<TXINI)|(1<<RXOUTI))));
            if (i & (1<<RXOUTI)) return;    // abort
            // send IN packet
            n = len < ENDPOINT0_SIZE ? len : ENDPOINT0_SIZE;
            for (i = n; i; i--) {
                pgm_read_byte_postinc(UEDATX, list);
            }
            len -= n;
            usb_send_in();
        } while (len || n == ENDPOINT0_SIZE);
        return;
    }

That code is responsible for sending all the descriptors, so if you tweaked it for only 1 descriptor, be sure to make that a special case test and fall back to the normal code for the other cases, since the PC needs to read all the descriptors.

Of course, intentionally setting the ID numbers to mimic a well known product is ethically questionable, and also violates the USB-IF adopter's agreement, and might be bad karma too....

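Added example (not part of the post above or of the Teensy source): a host-side C sketch that parses the 18-byte device descriptor read during enumeration and compares it with an inventory record, showing that a VID:PID match is only what the device declares about itself. The sample descriptors, the inventory record and `check_against_inventory` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Device-descriptor fields the host reads during enumeration (USB 2.0, ch. 9). */
struct dev_desc {
    uint16_t idVendor, idProduct, bcdDevice;
    uint8_t  iManufacturer, iProduct, iSerialNumber;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the fixed 18-byte device descriptor; 0 on success, -1 if malformed. */
int parse_dev_desc(const uint8_t *b, size_t n, struct dev_desc *d)
{
    if (n < 18 || b[0] != 18 || b[1] != 0x01)   /* bLength, bDescriptorType */
        return -1;
    d->idVendor      = le16(b + 8);
    d->idProduct     = le16(b + 10);
    d->bcdDevice     = le16(b + 12);
    d->iManufacturer = b[14];
    d->iProduct      = b[15];
    d->iSerialNumber = b[16];
    return 0;
}

/* Hypothetical policy helper. 0: IDs not in inventory; 1: IDs match but the
   other declared fields differ from the recorded unit (alert); 2: all match.
   Every field is supplied by the device, so 2 is a consistent claim, not proof. */
int check_against_inventory(const struct dev_desc *seen, const struct dev_desc *known)
{
    if (seen->idVendor != known->idVendor || seen->idProduct != known->idProduct)
        return 0;
    if (seen->bcdDevice != known->bcdDevice ||
        seen->iManufacturer != known->iManufacturer ||
        seen->iProduct != known->iProduct ||
        seen->iSerialNumber != known->iSerialNumber)
        return 1;
    return 2;
}

/* Constructed sample: a descriptor with the default IDs 0x16C0/0x0482 from the post. */
const uint8_t sample_default[18] = { 18, 0x01, 0x00, 0x02, 0, 0, 0, 32,
    0xC0, 0x16, 0x82, 0x04, 0x00, 0x01, 1, 2, 0, 1 };
/* Constructed sample: same bytes except the IDs, set to the 05ac:020b lsusb line. */
const uint8_t sample_05ac[18] = { 18, 0x01, 0x00, 0x02, 0, 0, 0, 32,
    0xAC, 0x05, 0x0B, 0x02, 0x00, 0x01, 1, 2, 0, 1 };
/* Constructed inventory record for a keyboard with those IDs (values made up). */
const struct dev_desc inventory_kbd = { 0x05ac, 0x020b, 0x0310, 1, 2, 0 };
```

With these constructed inputs the second sample passes an ID-only allowlist yet returns 1 from the inventory comparison, because its `bcdDevice` differs from the recorded unit.
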
dmsmith1991 Posted May 2, 2010
If the vendor_id and product_id's are changed, doesn't that mean teensy loader won't detect the teensy when it is plugged in?

Netshroud Posted May 2, 2010
That's what the button is for.

dmsmith1991 Posted May 4, 2010
> That's what the button is for.

So you're saying that the bootloader has a separate set of IDs which aren't replaced when you change the IDs in usb_private.h?

Netshroud Posted May 4, 2010
Yep, the bootloader shows up as a composite device (Product 0x0878 Vendor 0x16c0), rather than whatever you set it to.

Sl45h3R Posted May 4, 2010
Yeah, that's how the teensy loader knows that the HalfKay loader is running.