In the previous post, I have talked a bit about USBsamurai based on C-U0007.
With this article I wanna bring more light regarding:
Let’s get started!
As you see below, they quite differ from aesthetic point of view. Moreover, the C-U0007 mounts a Nordic chipset and the C-U0012 a TI chipset. This info will be partially useful when will be matter of picking the best hardware for creating USBsamurai.
First of all, why do we need to flash the G700 firmware on the C-U0007?
Simple, for keystroke injection, the receiver model matters, as typing speed depends on this. For Unifying receivers (i.e. C-U0007), typing out the Air-gap Bypass Client takes aprox. 2 minutes. Which, despite being typed on a stealthy way, is not optimal.
For Unifying receivers with a Nordic chipset (i.e. C-U0007), this could be reduced to 30 seconds if a G700 firmware is used, but injection is always unencrypted* (meaning everybody else could inject to, as G700 accepts plain injection).
*In case you want more privacy while injecting payloads… I recommend to use the slightly more expensive C-U0012 which has encryption enabled.
How we can improve C-U0007 speed?
You need to buy an old G700 mouse and dump with munifying its firmware and then flash all the C-U0007 you want. Luckily, It happens I have a G700 firmware available HERE. 🙂 Check below for the detailed instructions.
As for TI receivers (i.e. C-U0008/0012) typing speed could be also reduced to 30 seconds with a LIGHTSPEED firmware. Where do you get the LIGHTSPEED firmware? Either on Logitech’s Github or HERE. But will be discussed in details later on in this article.
IMPORTANT! Before starting be sure you know what you are doing and have all your tools around!
The process is rather simple:
**I recommend trying with this, I built few of USBsamurai with this cable. Is quite easy to open with a scalpel. https://www.aliexpress.com/item/33052091501.html
Congrats! Now you have your first USBsamurai based on C-U0012!
For LIGHTSPEED, throughput is higher than a normal Unifying firmware, and most importantly the covert channel is Encrypted. Therefore LOGITacker needs to know its encryption key. Which is achieved by pairing the C-U0012 dongle with the LOGITacker itself.
Also remember that if you plan to use an USBsamurai based on C-U0012…LOGITacker needs to run in LIGHTSPEED mode. You can set it with the commands:
Remember: if instead, you wanna use a C-U0007 with G700 fw, you will have to switch operational mode back to g700:
The Flashing procedure is pretty simple:
Reminder: LOGITacker needs to run in G700 mode. You can set it with the commands:
If instead, you wanna use a C-U0012 with LIGHTSPEED fw, you will have to switch your LOGITacker’s operational mode back to LIGHTSPEED:
Here we need to split the topic in few points, and I won’t go that deep since there is plenty of documentation in its Github’s repo.
First of all, I assume you already flash the latest release of it in one of the compatible hardware. [In case you are updating to latest release, after flashing it, connect to LOGITacker via serial and do issue erase_flash command. Note that you may loose all your previous scripts and data.]
Working modes (This is mandatory to get everything working properly!!!):
How to create a script and automatically load at startup:
Simple, connect to LOGITacker over serial and type something as follow.
script press GUI r
script delay 500
script string iexplore -k http://fakeupdate.net/wnc/
script delay 200
script press RETURN
script store wannacry
Once saved in the flash, try to load it again.
script load wannacry
The following commands will tell LOGITacker to use this payload as default one for each injection.
options inject default-script wannacry
How To Pair USBsamurai:
IMPORTANT!: Every-time you will turn-on LOGITAcker you will have to load from the flash the pairing data of the very specific USBsamurai you wanna use. To do that you need to type the following command
devices storage load XX:XX:XX:XX:XX
and pick the right address of that specific dongle. Of course you can load multiple USBsamurai!
How To Inject Payloads:
How To Bypass an Air-Gapped Machine:
IMPORTANT!!! Be sure you have ONLY that Logitech dongle connected on your computer!! Otherwise, run a Kali VM and attach to it ONLY the C-U00xx you wanna flash/pair!
Moreover, either setup all software on a Kali VM (which is confirmed running all fine) or use sudo to run on your preferred Linux OS.
Regarding munifying, I usually download it from Github, install golang, libusb and then compile it with “go build”.
No. This is a DIY project and will stay as it is. But… if you have a spare Bitcoin to give to some no-profit organization around the world… send me the proof of payment and I will make you a shiny USBsamurai!
No. So far it cannot. Though, there are some hackish ways to accomplish it. Example, by using an external NanoHub (https://www.smart-prototyping.com/NanoHub-tiny-USB-hub-for-hacking-projects).
Of course, I couldn’t conclude this article without not thanking Marcus “LOGIhacker” Mengs (a.k.a. @mame82) for having created such amazing software and (especially) for having shared with the community in FOSS!
About the author Luca Bongiorni: