Getting Started With Your HIDIOT Badge

Warning: Unlike most software, hardware can permanently damage machines. While every effort has been made to ensure that the 44CON badge will not kill your computer, remember that you built it yourself. Consider using a USB Hub when connecting the HIDIOT. Electrical faults are more likely to kill the hub than your computer. 44CON and Sense/Net Ltd accept no responsibility, both in general and specifically to the use and abuse of your HIDIOT and any damage caused therein.

Thanks to Akos Rajtmar for the HIDIOT assembly video above

If you came to 44CON 2016, then congratulations, you are one of about 500 people who have a HIDIOT 0.7 board.

If you took part in the badge soldering workshop, then congratulations, you are one of <150 people who have a fully functioning HIDIOT 0.7 board.

But what is a HIDIOT 0.7? And how do you make it do something other than blink?

Enter the HIDIOT

The Human Interface Device Input/Output Toolkit (HIDIOT) is a USB-based board for manipulating and experimenting with USB HID class devices. The version given out at 44CON is unreleased. In effect, we decided to make our badge a piece of 0day hardware.

0Day Hardware, that sounds cool!

Well, yes and no. On the one hand, the hardware is more or less finalised, ready to rumble and unlikely to significantly change in a way that will break compatibility between 0.7 and 1.0 next year, but the software hasn’t all been written yet.

On the plus side, knowing this would happen we went and made sure that the boards you have are fully compatible with another board called the Digispark. It’s a really cool board that also allows you to play with HID systems. When HIDIOT 1.0 is ready, you’ll be able to keep the digispark mode or reprogram yours to work with the new software stack.

Programming a fully built HIDIOT

If you have your HIDIOT fully built, you can program it with the Arduino IDE. Download and install the IDE for your Operating System as normal. Once you’ve installed it, start the application and you should see something like the screenshot below.

First we need to install Digispark support. To do this, open up the Arduino IDE preferences window, then open up the Additional Boards Manager URLs. I have a bunch of extra boards installed for various purposes. However, you’re going to want to add the line in the screenshot below, which is http://digistump.com/package_digistump_index.json.

Click OK on both windows once you’ve added the board. You can now bring up the boards manager via Tools -> Board -> Boards Manager as shown below.

Search for Digistump in the search section and install the Digistump AVR Boards. The other boards will not work, so don’t add them. Then click Close.

Now you should be able to create a basic blinky program and use the PB1 LED to light it up. We can test Digispark compatibility by using the blinky program provided for the digispark. Replace the text in the editor with the contents of the screenshot below:

The more observant reader may notice that the code writes to two separate output locations. This is because the Digispark has two hardware revisions with LEDs on different parts of the circuit board. The HIDIOT only has one user-programmable LED, but we add this to ensure the compatibility is there.

Select the Digispark using Tools -> Board -> Digispark (Default – 16.5mhz) and set the programmer to Micronucleus using Tools -> Programmer -> Micronucleus. In the editor, you’ll notice two round buttons towards the top left of the window. The first compiles the code, while the second compiles and uploads it to the HIDIOT.

Protip: While every measure is taken to design this to avoid killing your computer, there’s always the possibility that it could. Consider connecting it to a USB Hub to program the device. That way if anything goes wrong it’s more likely to kill the USB Hub than your computer’s USB port, or worse.

When you hit the upload button, you’ll see it compile and if all is well it will run the Digispark Uploader. Connect your HIDIOT and it should upload, then start blinking.

Protip: The USB PCB connector is non-standard. You might want to use a USB extension lead when testing to make sure that it can make a clean contact with all USB bases. Macbooks in particular are a royal PITA to get working properly without them.

What’s happening?

When you connect the HIDIOT, the Micronucleus bootloader (which is what allows it to be programmed over USB) waits a few seconds to receive a program before jumping to your code. If it times out, it’ll jump to whatever code is on the device.

Although you’re using the Arduino IDE, the HIDIOT uses a different chip to the Arduino, and not all functions are the same. The Digispark libraries provide a really good way of simulating keyboards, mice etc. but to go further you’ll need to look at V-USB, at least until 1.0. Such is the nature of 0day hardware.

Ok, now what?

Now you have a blinking HIDIOT, it’s time to do something useless with it. How about a rick roll?

      #include "DigiKeyboard.h"
  
      void setup() {
        DigiKeyboard.update();
        DigiKeyboard.sendKeyStroke(0);
        DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
        DigiKeyboard.delay(250);
        DigiKeyboard.write(" iexplore.exe http://bit.ly/1fYriw1");
        DigiKeyboard.sendKeyStroke(KEY_ENTER);
      }
  
  
      void loop() {
        // this is generally not necessary but with some older systems it seems to
        // prevent missing the first character after a delay:
        DigiKeyboard.update();
        DigiKeyboard.sendKeyStroke(0);
        DigiKeyboard.delay(5000);
      }

Name a new project Hello Rickroll, then copy and paste the code above into a new file in the IDE. If you’ve ever used C, you’ll be right at home. If not, you might feel a bit uncomfortable, but give it a go.

The first line tells the Arduino IDE to include the definitions contained in a file called DigiKeyboard.h. This includes all the necessary macros for referring to special keys, such as MOD_GUI_LEFT for the windows key, or Mac CMD key.

The setup() function is called once whenever the code starts running. In this case we use various keyboard functions to keep keyboard connectivity alive, send Windows+R, and to point internet explorer to a specific URL.

The loop() function runs continuously, and in this case simply keeps the keyboard connected to the host at the software level.

Compile it and connect your HIDIOT, then go over to an unsuspecting Windows machine and plug it in. After a few seconds the disembodied keyboard will type out commands and send them to Rickroll unwitting victims.

I’ll start writing more material on the HIDIOT at Raw Hex as the project starts to mature, but for now some things to try:

• A Powershell payload that downloads and runs a meterpreter without touching disk
• A payload to minimise windows, take a screenshot of the desktop, save it to disk somewhere, move all desktop icons to a user folder and set the desktop wallpaper to the screenshot. Every hour.
• A mouse jiggler to stop screens auto-locking.

There’s plenty more that can be done, but that’s just a start. Enjoy your HIDIOT!