Jump to content

[Info] American Express Usb Ad


HairClog
 Share

Recommended Posts

I recieved this today. It appears that American Express has already built their own USB duckys. In this

you can see that this usb card is a HID keyboard that brings up the windows Run command and keys in their webpage. I took this thing apart to see the what was on the board.

p1040229.th.jpg

p1040230t.th.jpg

backx.th.jpg

Up close to the chip

chipp.jpg

I haven't been able to find out about the chip that is on the board but it would be great to see if they can be acquired!

Link to comment
Share on other sites

This is great. Seriously. When big names like Amex start using methods like these to "secure the users" it becomes an accepted practice to allow foreign HIDs.

Much like the convenience of having optical media autorun, because otherwise grandma might get confused if nothing happens when she pops in the Kodak Picture CD the grand kids sent over into the computamajiggy.

Convenience. Trust. Pwnage.

To be honest the weakest link, causing everything else to compromise security, is between most keyboards and chairs. We need to rethink users and I believe only genetics can solve this problem. (j/k)

Link to comment
Share on other sites

That's what the Ducky should default to, an apple keyboard. Ya know, for kicks.

i was wondering what if we randomize the vendor name and product name.. after every use, using a huge list of all famous drive and yea... then possibilities of getting pwned is hard..

Link to comment
Share on other sites

That's what the Ducky should default to, an apple keyboard. Ya know, for kicks.

What would be even better is to disguise it as a Dell or Microsoft keyboard, they can be found almost everywhere in offices and blocking them would cause a whole load of keyboards to not work, also, nobody suspects Dell or Microsoft keyboards to be hacking them, right? :)

Edited by nxt471
Link to comment
Share on other sites

Interesting. Hairclog, in your picture it appears your resonator (crystal) is gone. It's a 3 pin ceramic package that is mounted just above the epoxied chip. Another interesting thing is mine has the same markings on the board and the same landings, but does not have the serial eeprom at all. When I plug it in it acts like a keyboard, brings up the run command and types in www.ppprg.com which forwards to American Express. I wonder if the 4 contacts on the bottom of the board are for programing the device.

Link to comment
Share on other sites

okay im confused. How would i change the vendor on my teensy?

All USB devices have a 16 bit Vendor ID and 16 bit Product ID number. In Teensy, these numbers (and pretty much everything else) is definable by programming.

If you're programming using Arduino with Teensyduino, look inside your Arduino IDE's installation directory, in hardware/teensy/cores/teensy_hid/usb_private.h. You'll find this near the top:

#define VENDOR_ID               0x16C0
#define PRODUCT_ID              0x0482

A little farther down, you'll find this:

#define STR_PRODUCT             L"Teensy Keyboard/Mouse"

You'll also find there's lots of editable stuff inside usb.c, also in that directory. Those "descriptors" are the actual data the PC reads when it's detecting the USB device (the process is called "enumeration" in USB lingo). You can change it to absolutely anything you desire, though you might want to read chapter 5 and 9 of the USB specification, and maybe review the HID spec and usage tables.... all of which are free downloads at www.usb.org in the developer section.

Those numbers are compile-time constants, which are placed into arrays of bytes stored in read-only flash memory. You can't change them while the Teensy is running. However, if you really felt ambitious, you could change the code which reads the memory and transmit it to the PC. It's located in the giant endpoint0 interrupt routine, in usb.c. In fact, here it is:

                if (bRequest == GET_DESCRIPTOR) {
                        list = (const uint8_t *)descriptor_list;
                        for (i=0; ; i++) {
                                if (i >= NUM_DESC_LIST) {
                                        UECONX = (1<<STALLRQ)|(1<<EPEN);  //stall
                                        return;
                                }
                                pgm_read_word_postinc(desc_val, list);
                                if (desc_val != wValue) {
                                        list += sizeof(struct descriptor_list_struct)-2;
                                        continue;
                                }
                                pgm_read_word_postinc(desc_val, list);
                                if (desc_val != wIndex) {
                                        list += sizeof(struct descriptor_list_struct)-4;
                                        continue;
                                }
                                pgm_read_word_postinc(desc_addr, list);
                                desc_length = pgm_read_byte(list);
                                break;
                        }
                        len = (wLength < 256) ? wLength : 255;
                        if (len > desc_length) len = desc_length;
                        list = desc_addr;
                        do {
                                // wait for host ready for IN packet
                                do {
                                        i = UEINTX;
                                } while (!(i & ((1<<TXINI)|(1<<RXOUTI))));
                                if (i & (1<<RXOUTI)) return;    // abort
                                // send IN packet
                                n = len < ENDPOINT0_SIZE ? len : ENDPOINT0_SIZE;
                                for (i = n; i; i--) {
                                        pgm_read_byte_postinc(UEDATX, list);
                                }
                                len -= n;
                                usb_send_in();
                        } while (len || n == ENDPOINT0_SIZE);
                        return;
                }

That code is responsible for sending all the descriptors, so if you tweaked it for only 1 descriptor, be sure to make that a special case test and fall back to the normal code for the other cases, since the PC needs to read all the descriptors.

Of course, intentionally setting the ID numbers to mimic a well known product is ethically questionable, and also violates the USB-IF adapter's agreement, and might be bad karma too....

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...