Add support for special disguised HID attack modes

Signed-off-by: James Christopher Adduono <[email protected]>
mdlx · Dec 10, 2016 · 05ecaee · 05ecaee
1 parent c1ac895
commit 05ecaee
Show file tree

Hide file tree

Showing 3 changed files with 122 additions and 11 deletions.
diff --git a/nethunter-installer/boot-patcher/patch.d/01-ramdisk-patch b/nethunter-installer/boot-patcher/patch.d/01-ramdisk-patch
@@ -32,4 +32,4 @@ setprop ro.secure 0
 import_rc init.nethunter.rc
 
 # ensure /dev/hidg0 and /dev/hidg1 have the correct access rights
-ueventd_set "/dev/hidg*" 0660 root system
+ueventd_set "/dev/hidg*" 0666 root system
diff --git a/nethunter-installer/boot-patcher/ramdisk-patch/init.nethunter.rc b/nethunter-installer/boot-patcher/ramdisk-patch/init.nethunter.rc
@@ -4,9 +4,11 @@ on init
     export TERMINFO /system/etc/terminfo
     export TERM linux
 
-# Execute files in /system/etc/init.d near the end of the boot sequence
 on boot
+    # Execute files in /system/etc/init.d near the end of the boot sequence
     start run-parts
+    # Save boot USB configuration for restoring after HID attacks
+    start save-usb-config
 
 service run-parts /system/xbin/busybox_nh run-parts /system/etc/init.d
     class late_start
@@ -16,20 +18,55 @@ service run-parts /system/xbin/busybox_nh run-parts /system/etc/init.d
     disabled
     oneshot
 
-# HID USB property
+service save-usb-config /system/bin/sh /sbin/usb_config.sh save
+    class late_start
+    seclabel u:r:init:s0
+    user root
+    group root
+    disabled
+    oneshot
+
+service reset-usb-config /system/bin/sh /sbin/usb_config.sh reset
+    class late_start
+    seclabel u:r:init:s0
+    user root
+    group root
+    disabled
+    oneshot
+
+# After using HID attacks we should reset to OEM configuration
+on property:sys.usb.config=reset
+    start reset-usb-config
+
+# HID attack support (emulated Microsoft Comfort Curve Keyboard 2000)
 on property:sys.usb.config=hid
+    stop adbd
     write /sys/class/android_usb/android0/enable 0
-    write /sys/class/android_usb/android0/idVendor 0461
-    write /sys/class/android_usb/android0/idProduct 0010
+    write /sys/class/android_usb/android0/idVendor 045E
+    write /sys/class/android_usb/android0/idProduct 00DD
+    write /sys/class/android_usb/android0/bDeviceClass 0
+    write /sys/class/android_usb/android0/bDeviceSubClass 0
+    write /sys/class/android_usb/android0/bDeviceProtocol 0
+    write /sys/class/android_usb/android0/iManufacturer "Microsoft"
+    write /sys/class/android_usb/android0/iProduct "Microsoft USB Comfort Curve Keyboard 2000 (IntelliType Pro)"
     write /sys/class/android_usb/android0/functions hid
     write /sys/class/android_usb/android0/enable 1
     setprop sys.usb.state hid
 
-on property:sys.usb.config=hid,adb
+# HID + Flash Drive attack support (emulated Kingston DataTraveler 2.0)
+on property:sys.usb.config=hid,mass_storage
+    stop adbd
     write /sys/class/android_usb/android0/enable 0
-    write /sys/class/android_usb/android0/idVendor 0461
-    write /sys/class/android_usb/android0/idProduct 0010
-    write /sys/class/android_usb/android0/functions hid,adb
+    write /sys/class/android_usb/f_mass_storage/lun/cdrom 0
+    write /sys/class/android_usb/f_mass_storage/lun/ro 0
+    write /sys/class/android_usb/f_mass_storage/lun/nofua 0
+    write /sys/class/android_usb/android0/idVendor 0930
+    write /sys/class/android_usb/android0/idProduct 6545
+    write /sys/class/android_usb/android0/bDeviceClass 0
+    write /sys/class/android_usb/android0/bDeviceSubClass 0
+    write /sys/class/android_usb/android0/bDeviceProtocol 0
+    write /sys/class/android_usb/android0/iManufacturer "Kingston"
+    write /sys/class/android_usb/android0/iProduct "DataTraveler 2.0"
+    write /sys/class/android_usb/android0/functions hid,mass_storage
     write /sys/class/android_usb/android0/enable 1
-    start adbd
-    setprop sys.usb.state hid,adb
+    setprop sys.usb.state hid,mass_storage
diff --git a/nethunter-installer/boot-patcher/ramdisk-patch/sbin/usb_config.sh b/nethunter-installer/boot-patcher/ramdisk-patch/sbin/usb_config.sh
@@ -0,0 +1,74 @@
+#!/system/bin/sh
+
+conf_store=/data/local/usb_config
+android_usb=/sys/class/android_usb/android0
+
+print() {
+	echo "$*"
+	log -t "usb_config.sh" "$*"
+}
+
+abort() {
+	>&2 echo "Error: $*"
+	log -p e -t "usb_config.sh" "$*"
+	exit 1
+}
+
+save_file() {
+	[ -f "$android_usb/$1" ] || return 1
+	sfd=$(dirname "$conf_store/$1")
+	[ -d "$sfd" ] || mkdir -p "$sfd"
+	[ -d "$sfd" ] || return 1
+	cat "$android_usb/$1" > "$conf_store/$1"
+}
+
+save_usb_config() {
+	mkdir -p "$conf_store"
+	[ -d "$conf_store" ] || abort "Could not create '$conf_store' directory"
+	print "Saving current usb configuration to '$conf_store'"
+	save_file idVendor
+	save_file idProduct
+	save_file bDeviceClass
+	save_file bDeviceSubClass
+	save_file bDeviceProtocol
+	save_file iManufacturer
+	save_file iProduct
+	save_file f_mass_storage/inquiry_string
+	save_file f_mass_storage/lun/cdrom
+	save_file f_mass_storage/lun/ro
+	save_file f_mass_storage/lun/nofua
+	save_file functions
+	getprop sys.usb.config > "$conf_store/sys.usb.config"
+}
+
+reset_file() {
+	[ -f "$android_usb/$1" ] || return 1
+	[ -f "$conf_store/$1"  ] || return 1
+	cat "$conf_store/$1" > "$android_usb/$1"
+}
+
+reset_usb_config() {
+	[ -d "$conf_store" ] || abort "Could not find '$conf_store' directory"
+	print "Resetting usb configuration to values in '$conf_store'"
+	echo 0 > "$android_usb/enable"
+	reset_file idVendor
+	reset_file idProduct
+	reset_file bDeviceClass
+	reset_file bDeviceSubClass
+	reset_file bDeviceProtocol
+	reset_file iManufacturer
+	reset_file iProduct
+	reset_file f_mass_storage/inquiry_string
+	reset_file f_mass_storage/lun/cdrom
+	reset_file f_mass_storage/lun/ro
+	reset_file f_mass_storage/lun/nofua
+	reset_file functions
+	cfg=$(cat "$conf_store/sys.usb.config")
+	setprop sys.usb.config "$cfg"
+}
+
+case "$1" in
+	save)  save_usb_config  ;;
+	reset) reset_usb_config ;;
+	*) abort "Invalid argument - must call with \$1 as 'save' or 'reset'" ;;
+esac