DIY USB Keys

Edit – Added some more to this article to make it more complete. 24-FEB-2019
Edit – Added a possible explanation as to why V-USB may not be working. 03-APR-2019

I have many passwords. I also apparently have “security fatigue.”

What sucks is that I want my passwords to be stronger in general, but I can’t remember them when they’re randomly generated and 20+ characters long. There ARE solutions to this problem already, like Mooltipass, Yubikey, and the U2F Zero. These are very cool, but the U2F Zero wasn’t available when I started writing this post, Yubikeys are $40 a piece, and Mooltipass is $79. I personally like the Mooltipass the most, but unfortunately, I’d have to carry around a key card, the Mooltipass itself, download a Firefox extension, download an app, and enter a pin when I want to login to anything. In totality, it’s not a bad system, but I want, you know, a key. Something dumb. My thinking is that I want to keep out internet randos. If you were to find me in real life and threaten me, I’d probably just GIVE you my passwords. Just please don’t hit me in the face.

Relevant XKCD:
With that in mind, I remembered the Rubber Ducky by Hak5. It mimics a USB keyboard so that an attacker could quickly run scripts. Currently it costs about $45, which is a little too rich for my blood. I would like to have about 10 or so keys so this probably isn’t a good solution. If you look at the chip on the Rubber Ducky, however, you’ll notice that it’s got an AT32UC3B1256 for an MCU. This chip was likely chosen for its USB peripheral. It’s possible that if you reduced the number of components and kept things simple, you could create your own USB key. Unlike the Rubber Ducky, I just want my bad USB to enter passwords.


I found Joonas Pihlajamaa’s blog using an ATTiny85 without a crystal which meets all of my requirements. The real advantage of his method is that it’s incredibly cheap. A company called RobotDyn even makes reproductions of his design, albeit with some modifications. Unfortunately, I couldn’t get these premade things to work for the life of me. Every time I would plug in the device I’d get the message in my log.

$ dmesg | tail
[  178.159276] usb 2-1.6: device descriptor read/64, error -32
[  178.347266] usb 2-1.6: new low-speed USB device number 6 using ehci-pci
[  178.427265] usb 2-1.6: device descriptor read/64, error -32
[  178.615262] usb 2-1.6: device descriptor read/64, error -32
[  178.723376] usb 2-1-port6: attempt power cycle
[  179.327262] usb 2-1.6: new low-speed USB device number 7 using ehci-pci
[  179.743253] usb 2-1.6: device not accepting address 7, error -32
[  179.823265] usb 2-1.6: new low-speed USB device number 8 using ehci-pci
[  180.239278] usb 2-1.6: device not accepting address 8, error -32
[  180.239380] usb 2-1-port6: unable to enumerate USB device

I ended buying like three of them for ten bucks, so it wasn’t the end of the world. I think if you are going to make commercially viable dumb USB keys, this would ultimately be the way to go to keep costs down.

Looking into this problem some more, I came across this post on Arduino.cc . A contributor, mrbrunette states:

“I have done more V-USB projects than I can count and I have showcased some of the intefaces:
http://forum.arduino.cc/index.php?topic=195003.0

I did not look at your PIX, but almost always, the problems are

    • Noise from wiring length
    • Wrong Zener diodes

If you are sure that D+ and D- are properly identified and wired correctly, the the Zeners are the most likely suspect.  The zeners are very critical and in the link above I give the part number of the ones that I have used successfully.

On Windows, V-USB seems to work best on USB 1.1 ports and USB 2.0 (older ports) but is really problematic on USB 3.x ports.  If you PC has a USB 2.x port, use this one instead of the high speed 3.x port.

Honestly, with the advance in technology in PC hardware, I would not doubt that V-USB ceases to be viable on the newest hardware in a year or so.  Perhaps someone will write a PC/Windows driver that can be utilized instead of the Windows HID driver, but so far that has not happened and the generic driver is becoming more particular to V-USB.”

This could potentially explain why I was having problems plugging these devices into my USB 3.0 port.

When I first started writing this article I was experimenting with STMicro products at work and I had gotten very familiar with the STM32F030R8 Discovery board. I noticed that discovery boards have an STM32F103C8 controlling their USB, and not something like an FTDI chip or CH340G serial IC. When I started to go down this path I discovered the “blue pill” which was a super cheap breakout of the STM32F103C8. I bought of few of these boards and quickly realized that this was not going to be an out-of-the-box solution since the USB connections on these boards are all messed up. These boards are super cheap, but still, I just want a dead simple out-of-the-box solution. After spending a few more hours diagnosing why my blue pills weren’t working as I had hoped they would I found another board. The Mini-Maple by Leaf Labs. Unfortunately, you can’t buy this board from Leaf Labs anymore, but there is a very decent clone out there made by a company called BAITE.

And it works reliably!

For this project I used Arduino’s IDE, which can be downloaded at arduino.cc. To install this you simply download the IDE for your operating system, and run the install script.

After following the instructions, changing my rules in Linux so that the mini maple was seen in plugdev, making myself a part of the group plugdev, and installing dfu-util by running:

$ sudo apt-get install dfu-util

Once you’ve got that done you’ll also want to add the mini maple to your rules.

sudo nano /etc/udev/rules.d/45-maple.rules

and add the following to your rules set. You don’t need this to USE the key, but you do need it for plugdev and df-utils which will allow you to program the thing.

Add these contents:

ATTRS{idProduct}=="1001", ATTRS{idVendor}=="0110", MODE="664", GROUP="plugdev"
ATTRS{idProduct}=="1002", ATTRS{idVendor}=="0110", MODE="664", GROUP="plugdev"
ATTRS{idProduct}=="0003", ATTRS{idVendor}=="1eaf", MODE="664", GROUP="plugdev" SYMLINK+="maple", ENV{ID_MM_DEVICE_IGNORE}="1"
ATTRS{idProduct}=="0004", ATTRS{idVendor}=="1eaf", MODE="664", GROUP="plugdev" SYMLINK+="maple", ENV{ID_MM_DEVICE_IGNORE}="1"

You’ll also need to add yourself to the plugdev group which is pretty easy.

sudo adduser $USER plugdev

You may have to log out and log back in for your user to see the changes.

With this device I use USBComposite.h which can be found at:

https://github.com/arpruss/USBComposite_stm32f1

To install USBComposite go to your system’s arduino library directory (for me it was located at ~/arduino-1.8.8/libraries/) and just do a git clone of the USBComposite repo there. If you have arduino IDE open while doing this, simply restart it, and it should work.

If all else fails, you can include the full path of USBComposite.h and call it a day.

Now we’ll have to install the mini maple as a recognized board in the Arduino IDE. To do this go File->Preferences and under “Additional Board Manager URLS” add:

http://dan.drown.org/stm32duino/package_STM32duino_index.json

This should allow you to go into Tools->Board->Board Manager and search for the STM32F1 type boards and install it. Once you’ve installed that set of boards the mini maple should appear on the list of boards you can program.

If you followed the install instructions, the following code should upload to your device, and make a hardware “key” for you.

#include <USBComposite.h>

USBHID HID;
HIDKeyboard Keyboard(HID);
void setup() {
  HID.begin(HID_KEYBOARD);
  Keyboard.begin(); // useful to detect host capslock state and LEDs
  delay(5000);
}

void loop() {
  
  Keyboard.print("USERNAME");
  delay(5000);
  
  Keyboard.print("PASSWORD");
  delay(5000);
}

If you’re unable to flash the device make sure the correct port and board is selected in the IDE.

You might end up with an error like “No DFU capable USB device found” output in the Arduino IDE and this is normal.

What you need to do is push the innermost button (reset) and try to catch the micro while its booting up. Just keep resetting and trying to reflash the device until your changes finally upload to the microcontroller.

Arduino IDE will produce output that looks like this on a successful flash:

Sketch uses 17244 bytes (15%) of program storage space. Maximum is 110592 bytes.
Global variables use 4296 bytes (24%) of dynamic memory, leaving 13112 bytes for local variables. Maximum is 17408 bytes.
Failed to open serial device.
No valid DFU suffix signature
Warning: File has no DFU suffix

dfu-util 0.7

Copyright 2005-2008 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2012 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to dfu-util@lists.gnumonks.org

Filter on vendor = 0x1eaf product = 0x0003
Opening DFU capable USB device… ID 1eaf:0003
Run-time device DFU version 0110
Found DFU: [1eaf:0003] devnum=0, cfg=1, intf=0, alt=1, name=”STM32duino bootloader v1.0 Upload to Flash 0x8005000″
Claiming USB DFU Interface…
Setting Alternate Setting #1 …
Determining device status: state = dfuIDLE, status = 0
dfuIDLE, continuing
DFU mode device DFU version 0110
Device returned transfer size 1024
bytes_per_hash=344
Copying data from PC to DFU device
Starting download: [##################################################] finished!
state(8) = dfuMANIFEST-WAIT-RESET, status(0) = No error condition is present
Done!
Resetting USB to switch back to runtime mode
Waiting for /dev/ttyACM0 serial…Done

I can see security professionals loathing the use of something like this. It’s merely dumping out plain text, which is a super not cool. I also read online (and I don’t know if this is true because I don’t own one) that keyboard spoofing is essentially how the moolti-pass works under the hood. This could explain why you also need to enter a pin code on top of also having a keycard. But the point of this device isn’t really to make a system more secure. The point is to have an arbitrarily long password that isn’t a hindrance from a user’s perspective. For seven dollars it’s not bad. I wouldn’t recommend this for super critical systems, but it certainly makes logging into a blog a lot easier.

You may have noticed that I added a 5-second delay to the setup function. This is intentional. Windows 7 isn’t as quick on the draw for recognizing HID devices as Ubuntu is it seems, and it needs a couple of extra seconds for it to be seen as a USB HID device.

For size comparison here’s what the thing looks like next to a key. I found that having a microusb to usb adapter keeps everything compact.

And the code combined with the device, you can expect from something like this when you use it:


The cool thing about these keys is that I don’t need to install software on any of the machines I use since it looks like a human interface device to the OS.

So far, the only problems I’ve had using this method was on Mac where for some reason Mac wants to set your keyboards nationality when these devices are plugged in. If you’re using this on a system that you own this shouldn’t be a big issue, but if you’re creating your own rubber ducky with the above just be aware that this is a thing.

Tagged , ,