Unbridled HIDIOcy@stevelord, Raw Hex, https://hidiot.com/

This Guy

• @stevelord on Twitter and Mastodon

• Raw Hex, 44CON, HIDIOT

• I like breaking and building (the Internet of) things

What Is HIDIOT?• Human Interface Device Input/Output Toolkit

• Tool To Teach Hardware Hacking Skills

• uC and host programming

• Circuit design and Soldering

• Bus interfaces and protocols

What Is HIDIOT?

• Specific focus: 11-16 year old kids

• Teach kids to: void warranties, do unspeakable things to microcontrollers, save the world

What is HIDIOT?

• Alternative focus: Hackers

• Originally built as a tool to explore USB protocols, HID devices for USB/Bluetooth

• Used to simulate USB devices and for rapid prototyping

Part 1Using (and abusing) HIDIOT

What Does HIDIOT Have?

• USB interface to ATTiny85

• 8k SRAM, 512 bytes RAM, 512 bytes EEPROM

• Almost any bus type thanks to USI

• Soft UART, SPI, I2C, 1-wire buses, USB :)

HIDIOT Software Stack

• Arduino IDE with Digispark/Trinket capability

• AVR-GCC for those who like to go manual

• Micronucleus Bootloader

• V-USB for USB management

• Library support for lots of add-ons

Physical HIDIOT• Temp Sensor

• Light sensing via LED

• 2x LEDs

• 2x Tact switches

• Breakout area

Host Comms With HIDIOT

• USB Generic HID Class/LibUSB

• CDC Serial*

• Keyboard/Mouse/Joystick/MIDI etc.

• Anything you can write reports for

Computer Add-on Projects (CAPs)

• Like Shields or HATs

• Interchangeable hardware add-ons

• Ideal for modular HID-based exfil

Rapid Prototyping With HIDIOT

• Use breakout to add parts

• Build CAP for components

• Take ATTiny85 off board and add to CAP

• Add Power Source

Part 2A High Level Overview of USB 2.0

Part 2A High Level Overview of USB 2.0

While I build a HIDIOT live

Electrical USB

• 4 Pins - VCC, GND, D-, D+

• Differential Encoding on D-/D+ for noise cancellation

• Pull-up/down resistors for different device/host/hub combinations

USB 2.0 Terms• Transfers

• Transactions

• Packets/Phases

• PID

• CRC

USB 2.0 Comms

• All transfers/transactions are IN or OUT from the hosts perspective.

• IN - Device to Host

• OUT - Host to Device

USB 2.0 Transfer Types

• Control

• Bulk

• Interrupt

• Isochronous

USB 2.0 Transactions

• Transfers consist of 1 or more transactions

• Each Transaction consists of two or three packets (stages/phases)

• Packets contain PIDs and other info

USB 2.0 Packets

• Token packet (all transactions, contains PID, endpoint and CRC)

• Data packet (contains PID, data and CRC)

• Handshake packet (contains PID)

Other Packets

• PING packets

• PRE packets

Control Transfers

• 1 Setup stage transaction

• 0 or more data stage transactions

• 1 Status stage transaction (in opposite direction, IN if no data stage sent)

Control Transfers

• Each stage has 3 phases (packets)

• Token

• Data

• Handshake

Interrupt Transfers

• Low Speed Transfers

• 1 or more IN or OUT transaction

• Same 3 phases as before

Lets Get Out Of The Weeds(Thank goodness)

USB Device Classes

• Lots of ‘em

• We’re focused on USB HID Device Class

• BONUS: USB HID === Bluetooth HID

Common USB HID Class Devices

• Keyboards

• Mice

• Game Controllers

• Generic HID Class*

Uncommon USB HID Class Devices

• UPSes

• Software Protection Dongles

• Medical Devices

USB Reports• Each device communicates using reports

• Device describes report structure during enumeration

• IN interrupt transfer is minimum required for HID (e.g. keyboard press)

• OUT transfers are optional (e.g. to report keyboard LED status change)

How HID Works• Host polls device’s interrupt IN endpoint

• If device has data it will send data in report format

• Common devices use reports compliant with USB-IF standards

• Custom devices require custom drivers

Part 3Software Stack

Installation

• Install Arduino

• Add Digispark board

• Install Windows USB drivers (optional)

• You can play along.

Part 4DEMOS!

#1: Morse Code Blinker

#2, #3 Keyboard Control

• Hello World

• A Bit More

#4 DuckyScript

#5 Improving DuckyScript

#6 Pi Shutdown

#7 Improved Pi Shutdown

#8 Randomness

#9 Better Randomness

#10 Entropy Through WDT Jitter

#11 Hardware SSH Key

#11 Hardware SSH Key

DENIED!!!

#11 Interfacing With Hardware

#12 Something Different

Part 5Expanding HIDIOT

Part 6Things For You To Try

Some Ideas To Try• USB Host Fuzzing

• USB Device Fuzzing

• Brute forcing PINs with USB Keyboard

• Visible Light Comms

• Software Defined IR

Some Ideas To Try• Portable RF hacking projects

• USB Host power-based side channel attacks

• Fuzzing SPI devices

• Fuzzing I2C devices

• Abusing USB report structure trust

Some Ideas To Try

• USB Device change detection and alerting

• EFI/SPI/I2C integrity monitoring

• U2F Security Key

• USB RF Bug/Anomaly Detection