{"id":868,"date":"2015-02-15T12:26:37","date_gmt":"2015-02-15T18:26:37","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?page_id=868"},"modified":"2015-03-02T09:51:23","modified_gmt":"2015-03-02T15:51:23","slug":"remote-hid-attacks-testing-setup","status":"publish","type":"page","link":"https:\/\/www.jedge.com\/wordpress\/remote-hid-attacks-testing-setup\/","title":{"rendered":"Remote HID Attacks – Testing \/ Setup"},"content":{"rendered":"


\nPart 4 \u2013 Remote HID Attacks with a Teensy \u2013 Testing Your Build \/ Getting Started<\/strong><\/p>\n

GL-iNet GPIO Setup<\/strong>
\nPins 18,19,20,21,22 are available as GPIOs for the GL-iNet. The script below will activate the GPIOs and set them to “low”. GPIO 21 is responsible for the Teensy 2.0 USB communication. GPIOs 18, 19, 20, & 22 provide the option to execute Teensy HID commands and will be discussed below. From the GL-iNet command prompt we can download the code below.
\n

#!\/bin\/sh \/etc\/rc.common\n#set GPIO\nSTART=10\nstart() {        \n\n  echo 18 > \/sys\/class\/gpio\/export\n  echo out > \/sys\/class\/gpio\/gpio18\/direction\n  echo 0 > \/sys\/devices\/virtual\/gpio\/gpio18\/value\n\n  echo 19 > \/sys\/class\/gpio\/export\n  echo out > \/sys\/class\/gpio\/gpio19\/direction\n  echo 0 > \/sys\/devices\/virtual\/gpio\/gpio19\/value\n\n  echo 20 > \/sys\/class\/gpio\/export\n  echo out > \/sys\/class\/gpio\/gpio20\/direction\n  echo 0 > \/sys\/devices\/virtual\/gpio\/gpio20\/value\n\n  echo 21 > \/sys\/class\/gpio\/export\n  echo out > \/sys\/class\/gpio\/gpio21\/direction\n  echo 0 > \/sys\/devices\/virtual\/gpio\/gpio21\/value\n\n  echo 22 > \/sys\/class\/gpio\/export\n  echo out > \/sys\/class\/gpio\/gpio22\/direction\n  echo 0 > \/sys\/devices\/virtual\/gpio\/gpio22\/value\n}<\/code><\/pre><\/p>\n
root@OpenWrt:\/# cd \/etc\/init.d\nroot@OpenWrt:\/etc\/init.d#  wget http:\/\/www.jedge.com\/code\/setgpio\nroot@OpenWrt:\/etc\/init.d#  chmod 755 setgpio\nroot@OpenWrt:\/etc\/init.d#  \/etc\/init.d\/setgpio enable<\/code><\/pre>Does It Work?<\/strong>
\nFirst things first, how do we know what we built in Part 3<\/a> ( or 3.1<\/a>) actually works?  The first round of code for the Teensy will allow is to test it to ensure all that soldering actually connected your knee bone to your thigh bone.  Our test code will ensure that we can access the SD card and that activation of the GPIOs from the GL-iNet are seen by the Teensy.<\/p>\n
The Software<\/strong>
\nI\u2019m not going to go into too much detail on getting your environment setup and configured to work with the Teensy.  Excellent tutorials exist on downloading and installing the Arduino and Teensy software for your platform of choice.  I will be using the following on a Windows 7 system:  <\/p>\n
Teensyduino – https:\/\/www.pjrc.com\/teensy\/teensyduino.html<\/a>
\nTeensy Loader – https:\/\/www.pjrc.com\/teensy\/loader.html<\/a><\/p>\n
Format the SD Card<\/strong>
\nEnsure your SD Card is properly formatted.  Use the formatter tool from sdcard.org to properly format your card for best read\/write performance for use with the Teensy.  For this tutorial my SD Card is called  SDCARD.<\/p>\n
Teensy 2.0 Test Sketch<\/strong>
\nGo here<\/a> for the sketch file.  Before we compile and install the code ensure you have Disk(SD Card) + Keyboard selected (Figure 1).<\/p>\n
<\/a>
Figure 1:  Select SD Card + Keyboard<\/figcaption><\/figure>\n
When you compile and install the code, if your Teensy is set to automatically reboot, you should be prompted with an Autoplay window (Figure 2).<\/p>\n
<\/a>
Figure 2<\/figcaption><\/figure>\n
Connect to your GL-iNet<\/strong><\/p>\n
Access a shell on your GL-iNet, either from the serial port or SSH, and run the setgpio shell script from Part 2.  Ensure you are able to see the LED on your Teensy.  Activation of the GPIOs will cause the LED to blink 1-4 times based on which GPIO is activated.  In this example we will activate GPIO 19 which should cause the LED to blink twice every 4 seconds.
\n
root@OpenWrt:~# echo 1 > \/sys\/devices\/virtual\/gpio\/gpio19\/value\n<\/code><\/pre>Test each of the GPIOs by activating and deactivating them.  To deactivate the GPIO just assign a zero (0) to the vale.
\n
root@OpenWrt:~# echo 0 > \/sys\/devices\/virtual\/gpio\/gpio19\/value\n<\/code><\/pre>Note that if more than one GPIO is activated the LED will blink based on the order of the \u201cif\u201d statements from the code.  For example, activation of GPIO 20 and 18 will cause the LED to blink once, wait four (4) seconds, blink three (3) times, wait four (4) seconds, and repeat.<\/p>\n
Test the Relay Switch<\/strong>
\nNow we will activate GPIO 21 which should switch the relay and connect the Teensy USB connection from the workstation to the GL-iNet.  If you are connected through the serial port you will immediately see the success of the drive being recognized.
\n
root@OpenWrt:~# echo 1 > \/sys\/devices\/virtual\/gpio\/gpio21\/value\nroot@OpenWrt:~# [17231.710000] usb 1-1: new full-speed USB device number 3 using ehci-platform\n[17231.870000] scsi0 : usb-storage 1-1:1.0\n[17232.870000] scsi 0:0:0:0: Direct-Access     Generic  USB Flash Disc   1.00 PQ: 0 ANSI: 4\n[17232.890000] sd 0:0:0:0: [sda] 1984000 512-byte logical blocks: (1.01 GB\/968 MiB)\n[17232.890000] sd 0:0:0:0: [sda] Write Protect is off\n[17232.900000] sd 0:0:0:0: [sda] No Caching mode page present\n[17232.910000] sd 0:0:0:0: [sda] Assuming drive cache: write through\n[17232.930000] sd 0:0:0:0: [sda] No Caching mode page present\n[17232.940000] sd 0:0:0:0: [sda] Assuming drive cache: write through\n[17232.950000]  sda: sda1\n[17232.970000] sd 0:0:0:0: [sda] No Caching mode page present\n[17232.970000] sd 0:0:0:0: [sda] Assuming drive cache: write through\n[17232.980000] sd 0:0:0:0: [sda] Attached SCSI removable disk\n<\/code><\/pre>If you are connected through SSH you will need to run dmesg.  The last 10-15 lines should show the same information.
\n
root@OpenWrt:~# dmesg |tail -n 15\n[17200.550000] usbcore: registered new interface driver ums-usbat\n[17231.710000] usb 1-1: new full-speed USB device number 3 using ehci-platform\n[17231.870000] scsi0 : usb-storage 1-1:1.0\n[17232.870000] scsi 0:0:0:0: Direct-Access     Generic  USB Flash Disc   1.00 PQ: 0 ANSI: 4\n[17232.890000] sd 0:0:0:0: [sda] 1984000 512-byte logical blocks: (1.01 GB\/968 MiB)\n[17232.890000] sd 0:0:0:0: [sda] Write Protect is off\n[17232.900000] sd 0:0:0:0: [sda] Mode Sense: 03 00 00 00\n[17232.900000] sd 0:0:0:0: [sda] No Caching mode page present\n[17232.910000] sd 0:0:0:0: [sda] Assuming drive cache: write through\n[17232.930000] sd 0:0:0:0: [sda] No Caching mode page present\n[17232.940000] sd 0:0:0:0: [sda] Assuming drive cache: write through\n[17232.950000]  sda: sda1\n[17232.970000] sd 0:0:0:0: [sda] No Caching mode page present\n[17232.970000] sd 0:0:0:0: [sda] Assuming drive cache: write through\n[17232.980000] sd 0:0:0:0: [sda] Attached SCSI removable disk\n<\/code><\/pre>You can now mount the SD Card and access your files.
\n
root@OpenWrt:~# mkdir \/mnt\/sda1\nroot@OpenWrt:~# mount \/dev\/sda1 \/mnt\/sda1 \n<\/code><\/pre>We probably want to safely unmount the SD Card every time we switch the USB connection.  I slapped together a simple shell script to switch the USB connection.
\n
#!\/bin\/sh\ncurrentval=`cat \/sys\/devices\/virtual\/gpio\/gpio21\/value`\n\nif [ "$1" = "internal" ]; then\n  if [ "$currentval" = "1" ]; then\n    echo "USB connection is already set to GL-iNet.  Nothing to do."\n    exit 1\n  elif [ $currentval = "0" ]; then\n    echo 1 > \/sys\/devices\/virtual\/gpio\/gpio21\/value\n    sleep 3\n    if [ ! -d "\/mnt\/sda1" ]; then\n      mkdir \/mnt\/sda1\n    fi\n    mount \/dev\/sda1 \/mnt\/sda1\n  fi\nfi\n\nif [ "$1" = "external" ]; then\n  if [ "$currentval" = "0" ]; then\n    echo "USB connection is already set to Host.  Nothing to do."\n    exit 1\n  elif [ $currentval = "1" ]; then\n    umount \/mnt\/sda1\n    sleep 3\n    echo 0 > \/sys\/devices\/virtual\/gpio\/gpio21\/value\n  fi\nfi\n<\/code><\/pre>Teensy 3.1 Test Sketch<\/strong>
\nGo here<\/a> for the Teensy 3.1 sketch file.  The pins are different than the Teensy 2.0 and also mounted in different locations when it was connected to the GL-iNet.  Probably due to the Teensy 2.0 having and SD Card and my use of a pitch adapter in that build…or something like that.  Bottom line the code is modified to work with the Teensy 3.1 but you get the same blinkly blinky with the LED when you activate the appropriate GPIO on the GL-iNet.<\/p>\n
References<\/strong>
\nInstalling Arduino Libraries
\nhttp:\/\/arduino.cc\/en\/Guide\/Libraries<\/a><\/p>\n
SdFat Arduino Library
\nhttps:\/\/github.com\/greiman\/SdFat<\/a><\/p>\n
SD Card Formater
\nhttp:\/\/www.sdcard.org\/downloads\/<\/a><\/p>\n
Openwrt Wiki on Storage
\nhttp:\/\/wiki.openwrt.org\/doc\/howto\/storage<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Part 4 \u2013 Remote HID Attacks with a Teensy \u2013 Testing Your Build \/ Getting Started GL-iNet GPIO Setup Pins 18,19,20,21,22 are available as GPIOs for the GL-iNet. The script below will activate the GPIOs and set them to “low”. GPIO 21 is responsible for the Teensy 2.0 USB communication. GPIOs 18, 19, 20, & […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-868","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=868"}],"version-history":[{"count":14,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/868\/revisions"}],"predecessor-version":[{"id":928,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/868\/revisions\/928"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}