The firmware evolves as needed by myself (on-stage demos, experiments). No feature requests, PRs welcome
- adaptive timeout on passive enum (keep alive / set keep alive adoption)
- more language layouts (currently DE and US)
- [done] key
pressmethod for injection (handling shortcuts) - [done] flash storage of device data
- auto delete devices from list (not spotted for a while / dongle not reachable in active enum)
- [partially,
optionscommand] automation: active enum --> passive enum --> discover (default) - abort conditions for passive enum (too many non-Unifying frames, no frames after timeout, enough frames of interesting types received, interesting != keep-alive)
- [done for keyboard] mirror input reports to HID keyboard/mouse interface
- [done] pass sniffed frames on HID raw
- [done] passive enum keyboard reports to string: modifiers have to be added
- [done] cli: auto complete for
devices store loadanddevices store delete(maybe option to store full dongle) - flash storage automation: optional auto store for
- [done] devices with sniffed pairing and encryption capability (chances are low to capture pairing in flight --> must have)
- [done] devices which respond to plain keystroke injection during active enum
- [done] devices for which plain key reports have been captured during passive enum (f.e. R400 doesn't reveal injection vuln during active enum, but send plain keyboard reports)
- extensive testing of device flash storage, definition of upper limits (nobody needs 1000 devices on the dongle, as they could be barely handled interactively)
- maybe: Introduce user provided meta data, like "site name" for discover and custom device name, to make it easier to re-identify specific devices stored on flash (raw RF addresses require noting down additional info) - this is low prio, as it requires additional relationships for data stored on flash, which means runtime-reference-creation and thus brings all nice errors of pointer arithmetic (missing Golang here)
- account for re-transmits from legit device (analyze PID of ESB PCF ... for passive enum, pair sniffing) - must have for on-stage demos
- [partially] BSP: proper LED driving and button interaction for various modes
- [done,
scriptcommand] injection: allow entering inject mode without given RF address (block execution unless target RF address is set, instead) - [done] storing scripts
- [done] loading scripts
- [done] script FDS: deletion, list stored scripts
- injection: abort command for long typing scripts (work around for now
discover run) - [done] command for manual device creation (avoid the need of discover, allow adding keys e.g. R500 presentation clicker)
- [done] command for flash erase
- [done] remove test commands
- emulation of dongle in pairing mode
- utilizing scripts for "classical" USB injection instead of RF (bonus: trigger from RF, f.e. presentation clicker)
- check options to ship stored FDS data with hex image for firmware (pre-built scripts, down&exec demo as default)
- remove either key or raw key data from device struct, to save space (one could be derived from the other, as "key generation" is no one-way function)
- [done] rework
options show - implement
options pair-sniff pass-through-raw - [done] remove unneeded modules in root folder (refactoring)
- [done] add GCC build scripts for MDK and MDK dongle
- capabilities to send in new HID++ messages (maybe re-write device capabilities)
- [dead end, newer fw sets a bit if pairing address is enabled, only this allows response for pairing phase 2] forced pairing on "patched" dongles
- [not doable] check if there's a way to use a "sub-shell" in nrf_cli to emulate an interactive shell for the Unifying backdoor
- firmware attacks via keystroke injection (payload to transmit keys on RF after USB extraction)
- done: UTF8 string parser
- done: UTF8 string to hid report translator
- done: hid report to RF frame translator (only plain, encrypted is ToDo)
- done: flash storage of global options
- done: pairing emulation (usable for forced pairing), Note: active enum "forced pairing" test returns false positives, because it opts out too early (has to test phase 2)
- done: pair sniffing and proper device creation
- done: flash device storage (and dongle storage with m:n data relation)
- done: UTF8 keyboard combo string to HID report translator (
presscommand) - done: refactor all "sub state machines" to logitacker_processor interface (discover, pair_sniff, pair_device, active_ennum, passive_enum, inject)
- done: build custom ringbuf based on nrf_ringbuf (no pointer based access to backing array, as this is problematic if payload wraps around max length; peeking into buffer is needed as it should be used for script tasks)