DIY a hardware keylogger

Category: Tag:

The hardware keylogger, like the software keylogger, will record all the user’s input on the keyboard, such as account passwords, URLs, mobile phone numbers, etc.

The uniqueness of the hardware version is that even with various defensive measures, it can defend most software keyloggers. But the hardware-based keylogger is imperceptible to the operating system, after all, it is a standard input device. Identification and defense becomes very difficult.

One of the devices in the picture is a keylogger, can you find it?

In this article, we will talk about the principle of hardware keyloggers. And starting from the PCB and firmware, make a hardware keylogger that can be remotely controlled via Wi-Fi.

2. Principle
There are many finished products on amazon, but the price is slightly more expensive. Open source designs include spacehuhn’s wifi_keylogger (https://github.com/spacehuhn/wifi_keylogger), and so on.

Let’s take wifi_keylogger as an example, it is an Arduino-based keylogger. With Wi-Fi function, it can store the recorded keyboard input, and can view and record the data through the Wi-Fi network sent by it.

wifi_keylogger

However, you may find it not very practical: it is too big to install behind a computer.

The reason is that the USB keyboard uses the HID protocol. For Arduino, it is too fast to read. So in addition to Arduino, other devices for reading HID protocol have to be added.

The solution for wifi_keylogger is to use a USB Host Shield module (the white part in the figure).

These solutions have two shortcomings: one is large, and the other is that these solutions will have some impact on the keyboard, such as the inability to use multimedia keys, compatibility issues with different keyboard layouts, and so on.

To achieve a more compact and compatible design, you have to switch to other chips and redesign the PCB. It is best to have HID protocol conversion, keyboard data analysis and recording, and Wi-Fi functions on one board, and the size is relatively small.

This article has designed and produced such a keylogger.

3. Design
The keylogger in this article realizes the analysis and recording of USB keyboard input and provides Wi-Fi function. In this chapter, we specifically analyze the design of each part.

Wi-Fi section
In an infiltration scenario, implanting a hardware device and returning it for a few days later may put you in jail. If the keylogger is equipped with Wi-Fi function, you can read the keyloggers remotely, and you can even configure it to connect to the Wi-Fi of the target office and directly send the keyloggers back to the attacker’s control server.

Read records via Wi-Fi

For the Wi-Fi part, we use the famous ESP8266 chip-a cheap and powerful Wi-Fi SOC, which is widely used in the Internet of Things field. In this article, the ESP8266-07S module is used, which is very small and leads to commonly used pins, which can meet the needs of this article.

ESP8266-07S module

Keylogger section
First, CH9350 chip is needed to convert HID protocol to UART protocol in order to analyze and record keyboard data. The back-end data analysis and recording are realized on ESP8266.

CH9350

CH9350 is a USB keyboard-mouse-to-serial communication control chip produced by Nanjing Qinheng Micro Company. It can convert between HID protocol and UART protocol, and has a high degree of completion and simple development.

We will use CH9350 to convert the HID protocol of the USB keyboard to UART protocol, use ESP8266 to parse and record keyboard input, and provide WI-FI access.

Overall circuit design
The schematic diagram of the entire circuit is shown in the figure:

Schematic diagram

The lower left is the power supply module. Since ESP8266 needs 3.3V power supply and the USB interface is 5V power supply, the AMS1117-3.3 chip is used for conversion.

Right below is the ESP8266-07S module. We use the RX (receiving end) of its UART interface to receive the data sent by CH9350. It is connected to the TX (transmitting end) of the CH9350 UART on the keyboard side, and “audits” the communication between CH9350.

This has another advantage: the analysis module of the keylogger stands in the perspective of the “bystander”, even if it has a slow analysis speed or even crashes, it will not have any impact on the keyboard.

The two chips in the center are CH9350. According to the official document, use two CH9350 as the lower computer connected to the keyboard and the upper computer connected to the computer, and use 3.3V power supply uniformly.

There are USB connectors and sockets on both sides, which are used to insert the USB interface of the computer and connect the USB keyboard.

Firmware design
Specific keyboard data analysis, data storage, and Wi-Fi functions require us to write related programs in the ESP8266 module.

ESP8266 supports Arduino development, which provides convenience for our firmware development, so this article completes the development under the Arduino environment.

The firmware of ESP8266 needs to implement:

Read the keyboard data between CH9350 through UART serial port and analyze it.

Store data in SPIFSS, and provide read and clear functions.

Provides the function of viewing recorded content via Wi-Fi

After power-on, the two CH9350 will automatically negotiate to enter “Mode 1” and transmit multiple data frames on the UART interface. For specific process and data frame information, please refer to official documents. What we need is the “valid key value frame”, which contains the key information that the user presses on the keyboard. The format is as follows:

Valid key value frame

Since we are intercepting USB keyboard data, the frame format is generally like this:

57AB 83 0C 12 01 00 00 04 00 00 00 00 00 12 17 //A key is pressed

57AB 83 0C 12 01 00 00 00 00 00 00 00 00 13 14 //Key is released

The first 6 bits are fixed, the next 8 bits are standard USB keyboard data, and the last two bits are serial number and checksum.

We can use the first 6 digits as a feature to identify the valid key value frame, and then read the last 8 digits to get the keystroke information.

Please refer to the USB HID Usage Table for the specific data table, attached at the end of the article.

In Arduino, the sample code for identifying valid key value frames is as follows:

void loop() {

while (Serial.available() > 0) { //Serial buffer has data

if (Serial.read() == 0x83){ //The second digit 83 of the frame is the first feature

delay(10); //Properly delay, wait for subsequent data to arrive in the serial buffer

if (Serial.read() == 0x0C){

delay(10);

if (Serial.read() == 0x12){

delay(10);

if (Serial.read() == 0x01){

//Read 8-bit keyboard data here

}

}

}

}

}

}

 

The ESP8266 module receives keyboard data frames through the TX port of CH9350 connected to the host computer. And decode it into key information. Next, save the obtained data in SPIFSS.

SPIFSS (Serial Peripheral Interface Flash File System) is a flash memory that comes with the ESP8266 module, and its data will not be lost after power failure. In the ESP8266-07S module, the size of this flash memory is 4M, which is enough for us to save a lot of keyboard records.

Through FS.h we can read and modify SPIFSS, the sample code is as follows:

#include <FS.h>

File logFile; //Create file object

void setup() {

SPIFFS.begin();

logFile = SPIFFS.open(“/keyLog.txt”, “a+”); //Open a file

dataFile.println(“Some Data Here,Maybe Keylog”); //data input

dataFile.close();

}

 

Finally, the Wi-Fi part: Create a Wi-Fi network, and the attacker can view or clear the keylogger after connecting. Part of the idea of wifi_keylogger is referenced here. The sample code is as follows:

#include <ESP8266WiFi.h>

#include <ESPAsyncTCP.h>

#include <ESPAsyncWebServer.h>

const char *ssid = “USBKeylogger”; //The name of the created access point

const char *password = “12345678”; //Access point password

AsyncWebServer server(80); //Open the service on port 80(ip为192.168.4.1)

void setup() {

WiFi.mode(WIFI_STA); //Wi-Fi is access point mode

WiFi.softAP(ssid,password); //Turn on Wi-Fi

server.on(“/”, HTTP_GET, [](AsyncWebServerRequest *request){ //Display record content when visiting the root directory

request->send(SPIFFS, “/keyLog.txt”, “text/plain”);

});

server.on(“/clear”, HTTP_GET, [](AsyncWebServerRequest *request){ //Clear existing records when visiting “/claer”

logFile.close();

logFile = SPIFFS.open(“/keyLog.txt”, “w”);

request->send(200, “text/plain”, “Log File Cleared!”);

});

server.begin(); //Turn on the server

}

 

The combination of these is the entire code of USBKeylogger. The complete firmware source code can be downloaded at the link given at the end of the article.

Fourth, hardware production
PCB design and production
In order to turn the theory into reality, we need to convert the schematic diagram into a PCB and perform layout. Lichuang EDA is used here for production.

The specific layout process is limited by space and will not be described here. My PCB design is shown in the figure:

PCB design (copper is not shown)

The schematic diagram and PCB design of USBKeylogger are open source, and the project link can be obtained at the end of the article. If you want reference, secondary development or direct production, welcome to fork my project.

After completing the design, export the PCB project as a Gerber file and submit it to the PCB manufacturer for production.

You can choose the proofing factory by yourself, the common ones are Jiali Chuang, Jiefang, Huaqiang PCB, etc. Now China’s PCB industry has reached a terrifying point: this kind of small double-layer board, the price of 5 proofs is around 5-30 yuan(about $5.00), and it can be delivered within 2-3 days.

The relevant production parameters are shown in the figure:

Production parameters

After submitting the order, if no special craftsmanship and variegation are required, the finished product can generally be obtained within 48 hours. The PCB board produced is like this:

PCB

Burn firmware
You may think that the next step is to solder components? Have to wait, before soldering, we first need to programming the firmware of ESP8266.

Please note that the ESP8266 module must first programming the firmware and then solder it to the PCB. Otherwise, you have to disconnect the RX contact of ESP8266 and the PCB before you can program normally, which is a bit troublesome.

You need to use the USB2TTL module for burning, just buy a CH340 from amazon, about $2.

 

 

USB2TTL module

The programming method is to connect TXD0, RXD0, VCC, GND, GPIO0 of ESP8266 to USB2TTL. The connection method is as follows:

ESP8266 module USB2TTL module
TXD0 RX
RXD0 TX
VCC 3V3
GND GND
GPIO0 GND

ESP8266 module and USB2TTL should be wired as shown in the figure (pay attention to the color of the wire):

 

Leads of ESP8266 module

Wiring of USB2TTL module

(The difference between ESP-07 and ESP-07S is not limited to the antenna. The programming methods of the two are completely different. The pins of ESP-07S have built-in up/down resistors, and you only need to pull down GPIO0 to download. But ESP-07 does not , Need to be connected manually. My initial board was drawn wrong.)

After the connection is complete, connect the USB2TTL to the computer.

You also need to install the Arduino environment for programming, just download it online, it’s relatively simple and won’t go into details here. The troublesome part is to install the extension of ESP8266.

The specific method is to open the firmware source code of USBKeylogger (there is a download link at the end of the article). After entering the Arduino IDE, click “File-Preferences” and enter in the “Additional Development Board Manager URL”:

http://arduino.esp8266.com/stable/package_esp8266com_index.json

After saving, open “Tools-Development Board-Development Board Manager”, find “esp8266” in the “contribution” type, and click install

Development Board Manager

Now you should be able to find “Generic ESP8266 Module” in “Tools-Development Board”. Select it and adjust other settings (such as Flash Size, etc.) as shown in the figure below:

Development board settings

Finally, in the port menu, select the COM port of USB2TTL (definitely not COM1, maybe COM3, COM4, etc.), and then click “Project-Upload” to burn the code to the development board. This process takes 2-3 minutes. If you see the following debugging information, it means that the firmware has been burned successfully

Firmware burned successfully

Component welding
Next is the welding of the components on the board. The relevant BOM (bill of materials) is as follows:

name number Package price(usd) 数量
CH9350L U1、U2 LQFP-48 2 2
capacitance100nF C1、2、3、4 C0603 1(100pcs) 4
capacitance1uF C5、C6 C0603 1(100pcs) 2
ESP-07S U4 1.5 1
AMS1117-3.3 U3 0.1 1
USBsocket USB1 USB-A 0.1 1
USBplug USB2 USB-A 0.1 1
Single finished product cost: about usd 5-7

Soldering requires electric soldering iron, rosin, tin wire and high temperature sponge. Because CH9350L with dense pins is to be soldered, it is recommended to use a soldering iron tip with a cutter head. This set is about $9-10.

The soldering iron can melt the tin wire for welding various components. Rosin can reduce the tin that has been oxidized at high temperature for a long time, and the soldering iron tip can be cleaned after the high temperature sponge is soaked in water.

I use a yellow flower 907 soldering iron with a cutter head. The price of this soldering iron is moderate, the temperature can be adjusted, the tip of the soldering iron can be replaced, and the service life is longer. With the above tools, most common components can be welded.

As for the specific method of soldering, if you want to learn, you can find quite a lot of video tutorials on the video website, as well as tutorials on soldering specific components.

A little trick:

The best welding sequence is CH9350-AMS1111-capacitor-USB connector-ESP8266 module. ESP8266 must be programmed first.

Welding the CH9350 module only needs a little tin, with more rosin. Stick the cutter head to all the pins on one side, and drag it outward or to one side. This process makes obsessive-compulsive disorder very comfortable.

This soldering iron can be opened up to 400 °, but it is not necessary, too high temperature tin is easy to oxidize. Generally 250-300° is sufficient.

The black rosin stains after welding can be cleaned up with a knife and a cotton swab dipped in alcohol.

The welded finished product looks like this:

Done

After all the accessories are installed, you can install the antenna of ESP8266-07S as required, because the antenna signal distance of its built-in antenna is not very far.

5. Test
Up to now, you have got the finished USBKeylogger, install it on the USB port on the back of the victim’s computer, connect the keyboard, it will record all the keyloggers of the victim.

 

Connection diagram

When it is installed, you should be able to search for a Wi-Fi network named “USBKeyLogger” with a password of “12345678”. (The name and password can be modified in the firmware source code)

Wi-Fi list

Next, open the browser and visit http://192.168.4.1/, you can see all the keyboard records.

 

 

Visit http://192.168.4.1/clear/ to clear the saved records.

Six, summary and more
This article basically realized the design and production of the hardware keylogger.

This thing can also have more optimizations, such as modifying the PCB design and implanting it in the plastic shell of the keyboard. Or switch to other chips to save costs (such as CH376, but the amount of code will be very large).

Moreover, its firmware is still relatively “simplistic”, and I will continue to develop it in the future.

 

Attachments and references
USBKeylogger schematic, PCB, firmware: https://oshwhub.com/PushEAX/USBKeylogger

CH9350 official information and documents: http://www.wch.cn/products/CH9350.html

ESP8266-07S manual: http://wiki.ai-thinker.com/_media/esp8266/a000um00a3.pdf

HID Usage Tables:

https://usb.org.10-1-108-210.causewaynow.com/sites/default/files/hut1_12.pdf

SPIFFS operation introduction

http://www.taichi-maker.com/homepage/esp8266-nodemcu-iot/iot-c/spiffs/spiffs-operation/

Reviews

There are no reviews yet.

Be the first to review “DIY a hardware keylogger”

Your email address will not be published. Required fields are marked *