The nRF24 Playset is a collection of software tools for wireless input devices like keyboards, mice, and presenters based on Nordic Semiconductor nRF24 transceivers, e.g. nRF24LE1 and nRF24LU1+.
All software tools support USB dongles with the nrf-research-firmware by the Bastille Threat Research Team (many thanks to @marcnewlin)
- nRF24LU1+ USB radio dongle with flashed nrf-research-firmware by the Bastille Threat Research Team, e. g.
- Bitcraze CrazyRadio PA USB dongle
- Logitech Unifying dongle (model C-U0007, Nordic Semiconductor based)
- Python2
- PyUSB
- PyGame for GUI-based tools
Proof-of-concept software tool to demonstrate the replay and keystroke injection vulnerabilities of the wireless keyboard Cherry B.Unlimited AES
Proof-of-concept software tool to demonstrate the keystroke injection vulnerability of some AES encrypted wireless keyboards
Usage:
# python2 keystroke_injector.py --help
_____ ______ ___ _ _ _____ _ _
| __ \| ____|__ \| || | | __ \| | | |
_ __ | |__) | |__ ) | || |_ | |__) | | __ _ _ _ ___ ___| |_
| '_ \| _ /| __| / /|__ _| | ___/| |/ _` | | | / __|/ _ \ __|
| | | | | \ \| | / /_ | | | | | | (_| | |_| \__ \ __/ |_
|_| |_|_| \_\_| |____| |_| |_| |_|\__,_|\__, |___/\___|\__|
__/ |
|___/
Keystroke Injector v0.7 by Matthias Deeg - SySS GmbH (c) 2016
usage: keystroke_injector.py [-h] [-a ADDRESS] [-c N [N ...]] -d DEVICE
optional arguments:
-h, --help show this help message and exit
-a ADDRESS, --address ADDRESS
Address of nRF24 device
-c N [N ...], --channels N [N ...]
ShockBurst RF channel
-d DEVICE, --device DEVICE
Target device (supported: cherry, perixx)
Proof-of-concept software tool similar to cherry_attack.py to demonstrate the replay and keystroke injection vulnerabilities of the AES encrypted wireless desktop set Logitech MK520
Proof-of-concept software tool to demonstrate the keystroke injection vulnerability of nRF24-based Logitech wireless presenters
Usage:
# python2 logitech_presenter.py --help
_____ ______ ___ _ _ _____ _ _
| __ \| ____|__ \| || | | __ \| | | |
_ __ | |__) | |__ ) | || |_ | |__) | | __ _ _ _ ___ ___| |_
| '_ \| _ /| __| / /|__ _| | ___/| |/ _` | | | / __|/ _ \ __|
| | | | | \ \| | / /_ | | | | | | (_| | |_| \__ \ __/ |_
|_| |_|_| \_\_| |____| |_| |_| |_|\__,_|\__, |___/\___|\__|
__/ |
|___/
Logitech Wireless Presenter Attack Tool v1.0 by Matthias Deeg - SySS GmbH (c) 2016
usage: logitech_presenter.py [-h] [-a ADDRESS] [-c N [N ...]]
optional arguments:
-h, --help show this help message and exit
-a ADDRESS, --address ADDRESS
Address of nRF24 device
-c N [N ...], --channels N [N ...]
ShockBurst RF channel
GUI-based version of the proof-of-concept software tool logitech_presenter.py
Proof-of-Concept software tool to demonstrate mouse spoofing attacks exploiting unencrypted and unauthenticated wireless mouse communication
Usage:
# python2 radioactivemouse.py --help
_____ ______ ___ _ _ _____ _ _
| __ \| ____|__ \| || | | __ \| | | |
_ __ | |__) | |__ ) | || |_ | |__) | | __ _ _ _ ___ ___| |_
| '_ \| _ /| __| / /|__ _| | ___/| |/ _` | | | / __|/ _ \ __|
| | | | | \ \| | / /_ | | | | | | (_| | |_| \__ \ __/ |_
|_| |_|_| \_\_| |____| |_| |_| |_|\__,_|\__, |___/\___|\__|
__/ |
|___/
Radioactive Mouse v0.8 by Matthias Deeg - SySS GmbH (c) 2016
usage: radioactivemouse.py [-h] -a ADDRESS -c CHANNEL -d DEVICE -x ATTACK
optional arguments:
-h, --help show this help message and exit
-a ADDRESS, --address ADDRESS
Address of nRF24 device
-c CHANNEL, --channel CHANNEL
ShockBurst RF channel
-d DEVICE, --device DEVICE
Target device (supported: microsoft, cherry)
-x ATTACK, --attack ATTACK
Attack vector (available: win7_german)
A demo video illustrating a mouse spoofing attack is available on YouTube: Radioactive Mouse States the Obvious
Proof-of-Concept software tool to demonstrate replay vulnerabilities of different wireless desktop sets using nRF24 ShockBurst radio communication
Usage:
# python2 simple_replay.py --help
_____ ______ ___ _ _ _____ _ _
| __ \| ____|__ \| || | | __ \| | | |
_ __ | |__) | |__ ) | || |_ | |__) | | __ _ _ _ ___ ___| |_
| '_ \| _ /| __| / /|__ _| | ___/| |/ _` | | | / __|/ _ \ __|
| | | | | \ \| | / /_ | | | | | | (_| | |_| \__ \ __/ |_
|_| |_|_| \_\_| |____| |_| |_| |_|\__,_|\__, |___/\___|\__|
__/ |
|___/
Simple Replay Tool v0.2 by Matthias Deeg - SySS GmbH (c) 2016
usage: simple_replay.py [-h] [-a ADDRESS] [-c N [N ...]]
optional arguments:
-h, --help show this help message and exit
-a ADDRESS, --address ADDRESS
Address of nRF24 device
-c N [N ...], --channels N [N ...]
ShockBurst RF channel
Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent