mosca1337 Posted April 15, 2013

Hey, I need some help debugging my new Ducky. I've made some simple 'hello world' Ducky scripts without any issues. They run on Mac, Windows, Linux etc. without any problems. I tried the same simple script in OSX's single user mode with no luck. It appears as though OSX in single user mode does not recognize the Ducky as a keyboard? I tried increasing the string delay of the script so that it would type much slower. No luck. I have also tried plugging in external USB keyboards (such as my Dell keyboard). Those are all recognized in single user mode. I tried the Ducky on desktop Macs and MacBook Pros. Also no difference. Here is a test script:

STRING_DELAY 50
DELAY 3000
STRING Hello World
ENTER

I'm really hoping that I am just making a small mistake. I've tried compiling my Ducky script using 2.4, 3.0, and with the online tool. Again, any help would be appreciated! I have a real kickass script for quickly rooting Macs that I would like to share. Thanks!
no42 Posted April 15, 2013

I thought single user mode only loads a small subset of drivers. Have you tried cloning the VID and PID of a keyboard that works? You need v2 firmware. Encoder v2.4 is more stable at the moment, v3 is experimental.
dunce Posted April 15, 2013

I'm having the same problem trying to enter a firmware password on OSX. Using the VID and PID of a known working keyboard did not solve the problem.
no42 Posted April 15, 2013

If you're a Mac developer you can download the USB debugging kernel module. That might shed some light in single user mode? I saw someone demo the Mac PIN attack on the net, but didn't record the link. You're sure you're on firmware v2, not stock?

Edited April 16, 2013 by midnitesnake
mosca1337 (Author) Posted April 17, 2013

> I thought single user mode only loads a small subset of drivers. Have you tried cloning the VID and PID of a keyboard that works? You need v2 firmware.

Yes, single user mode is very limited. I do not believe that is the problem. I can plug any keyboard into any Mac in single user mode, and they are all usable. So I created a vidpid.bin at the root of the SD card. I was able to change the VID and PID properly. On OSX, you can run:

system_profiler SPUSBDataType

which will give:

HID Keyboard:
  Product ID: 0xc312
  Vendor ID: 0x046d (Logitech Inc.)
  Version: 1.00
  Speed: Up to 12 Mb/sec
  Manufacturer: ATMEL AVR
  Location ID: 0x06200000 / 4
  Current Available (mA): 500
  Current Required (mA): 100

This will give the VID and PID of all attached USB devices. I connected the working keyboard and copied the VID and PID over to the Ducky. Running the above command again, I was able to confirm that the Ducky had successfully cloned the VID and PID of the previously working keyboard. I also tried a handful of the VID and PID files available on Google Code. Still no luck. I flashed the Ducky with duck_v2.hex and also osx.hex. I compiled a hello world script on Duck Encoder v2.4. Again, the script works just fine on any computer, but isn't recognized in single user mode. I know this is possible because the Ducky is a "keyboard", and keyboards work in single user mode. I know it's possible!!! I appreciate the help btw.
mosca1337 (Author) Posted April 17, 2013

Also here are two screenshots of some debugging using Apple's USB Prober app. The device labeled "HID Keyboard" is the Ducky that is imitating the VID and PID of the true Logitech keyboard. The device labeled "USB Multimedia Keyboard" is the Logitech keyboard. I noticed that towards the bottom there is an "Interface subclass". The Ducky is 0 (false) and the Logitech is 1 (Boot interface). I immediately correlate the words "single user mode" and "boot". I know nothing about USB devices, but could setting the value to 1 somehow make the Ducky keyboard "visible" at startup in single user mode? Is there any way to hardcode these Device Descriptors?
no42 Posted April 17, 2013

Great research! Thanks for this info. I'm on it! If you can test duck_v2.1.hex and provide feedback, it would be appreciated.

Edited April 17, 2013 by midnitesnake
mosca1337 (Author) Posted April 17, 2013

I think we're getting closer. It appears as though the "Device subclass" was changed to 1 instead of "Interface subclass". With the v2.1 hex, OSX doesn't recognize the Ducky as a keyboard in regular or single user mode. Also, it appears as though the vidpid.bin is no longer read. The Ducky appears with an "Atmel Corporation" VID/PID instead of the desired Logitech VID/PID. I attached a screenshot of the Ducky with the new hex. Thanks!
no42 Posted April 17, 2013

Can we try again.... duck_v2.1.hex. Think I uploaded the wrong file in my haste.

Edited April 17, 2013 by midnitesnake
mosca1337 (Author) Posted April 17, 2013

Does not work in regular or single user. This time the Ducky is recognized as a "Logitech" keyboard though.

Device subclass: 1
Interface subclass: 0

Swap those two, and hopefully we'll get lucky.
mosca1337 (Author) Posted April 17, 2013

I found an article that may help: http://www.usb.org/developers/devclass_docs/HID1_11.pdf

Page 18: Description of Subclass codes

Bottom of page 77: bInterfaceSubClass - Offset/size (bytes) 6/1 - Boot Interface subclass - 0x01
no42 Posted April 17, 2013

Right, 3rd time lucky.... duck_v2.1.hex. Some of the variables are tricky, and require access to the heap - I haven't fully worked out all the memory bugs & spacings so am having to hack the code. Looks like previous attempts were changing the Device subclass instead of the intended Interface subclass; hopefully this one has patched the right memory space. Thanks again for your help and feedback.

Edited April 17, 2013 by midnitesnake
mosca1337 (Author) Posted April 18, 2013

Same results as the previous. I ran the command

tail -c 2097152 duck_v2.1.hex | grep 0000010300

:1082D00009022200010100A032090400000103008C

Those might represent the values:

Interface #0 - 0x00
Alternate Setting - 0x00
Number of Endpoints - 0x01
Interface Class - 0x03
Interface Subclass - 0x00

Changing it to 0000010301 may work? I'm having a hard time figuring out how to find and replace in hex though.
no42 Posted April 18, 2013

Strange, new file hasn't been downloaded?
mosca1337 (Author) Posted April 18, 2013

No, I'm just going crazy. I flashed back to v2 and then to your v2.1. It works!!!! It's funny how one bit can cause so much trouble haha. Thanks again for the help!
mosca1337 (Author) Posted April 18, 2013

Posted the script here: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Root-Backdoor and tutorial here: http://patrickmosca.com/root-a-mac-in-10-seconds-or-less/
no42 Posted April 18, 2013

You should post that under a new topic as "[Payload] OSX Single User Mode Backdoor". Nice work.