Logitech Wireless Keyboards
LOGITECH:
k520
k270
I noticed that the unifying receiver for the newer style logitech keyboards didn’t have a connect button on them to sync the keyboard or mouse to the receiver. This made me wonder how they were pairing and down the rabbit hole i went. The objective was to extract the firmware from the device and decompile to see how it was doing the pairing. Once i opened the devices i noticed both of them use the NRF24LE1-H 2.4ghz wireless radios with mcu on the same die. Below are some pictures of both boards and the test pads associated with each of the pins that they are connected to. The larger pads would be used if you wanted to use the on board MCU to talk to an outside SPI device. This feature is disabled on the boards i have examined.
The datasheet showed an alternative route into the device by accessing the built in flash directly. The chip is configured to map the pins to the correct flash spi peripheral when you hold the prog pin high and pulse the reset pin low. after doing this the first command send was read the flash protect register. This yielded 0x80, meaning that the there was no “non-protected” memory other than the info page. The info page is an area where the developer can place information about the structure of the flash memory as well as some system based (NRF) radio setup registers. upon reading out these registers (everything was blank) i found that the fuse bit had been set by logitech so that you couldn’t even read the flash memory and be able to decompile the firmware.
The NRF24LE1-H also contains a built in hardware AES encryption engine. Anything that is put into the TX buffers is AES encrypted before it is sent out through the radio. This only leaves one other attack vector. So now that there is no way to decrypt the key output, and there is no way to rewrite the firmware. I guess the next step is to just use the pins that the chip uses for input and create a script loader that can execute the specific key presses without the need to carry around a keyboard. Think of it as a wireless USB rubber ducky that can attack any machine that has the unifying receiver from logitech. This has yet to be confirmed. but it is the next step…