BastilleResearch / mousejack

MouseJack device discovery and research tools
GNU General Public License v3.0

scanning without result #15

Open Dr-Death opened 8 years ago

Dr-Death commented 8 years ago

Hi, when I run nrf24-scanner with the Crazyradio PA it keeps scanning without showing any result.

I reinstalled pyusb as suggested in one of the tickets, and also tried to flash the Crazyradio firmware and set the address to 1915:0102 instead of 1915:7777 in all files under "crazyradio-firmware/usbtools", but I get an error when trying to flash the Crazyradio FW:

sudo ./cradioFlasher.py
Image size: 7359
Loaded binary image.

Starting to flash...
Launch bootloader
Traceback (most recent call last):
  File "./cradioFlasher.py", line 157, in flash
    ret = launchBootloader.launchBootloader(True)
  File "/home/drdeath/mousejack/crazyradio-firmware/usbtools/launchBootloader.py", line 61, in launchBootloader
    handle.controlMsg(0x40, 0xFF, (), value=0, index=0, timeout=100)
  File "/usr/local/lib/python2.7/dist-packages/usb/legacy.py", line 211, in controlMsg
    timeout = timeout)
  File "/usr/local/lib/python2.7/dist-packages/usb/core.py", line 1043, in ctrl_transfer
    self.__get_timeout(timeout))
  File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 883, in ctrl_transfer
    timeout))
  File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 32] Pipe error

Also note an error with launchBootloader:

sudo ./launchBootloader.py
Launch bootloader
Traceback (most recent call last):
  File "./launchBootloader.py", line 95, in
    sys.exit(launchBootloader(True))
  File "./launchBootloader.py", line 61, in launchBootloader
    handle.controlMsg(0x40, 0xFF, (), value=0, index=0, timeout=100)
  File "/usr/local/lib/python2.7/dist-packages/usb/legacy.py", line 211, in controlMsg
    timeout = timeout)
  File "/usr/local/lib/python2.7/dist-packages/usb/core.py", line 1043, in ctrl_transfer
    self.__get_timeout(timeout))
  File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 883, in ctrl_transfer
    timeout))
  File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 32] Pipe error

nrf24-scanner just keeps looping without showing any result:

sudo ./nrf24-scanner.py -v
[2016-04-21 10:20:33.078]  Using channels 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83
[2016-04-21 10:20:33.166]  Entered promiscuous mode
[2016-04-21 10:20:33.169]  Tuned to 2
[2016-04-21 10:20:33.273]  Tuned to 3
.....
......

lsusb shows:

Bus 002 Device 003: ID 1915:0102 Nordic Semiconductor ASA

Please advise, thanks.

marcnewlin commented 8 years ago

Are you able to flash the dongle using sudo make install from the repository root? If this works, then everything should be good to go with the dongle.

Given that the nrf24-scanner.py script doesn't raise any exceptions, I suspect that it just isn't seeing any traffic. The script works by cycling through each channel and listening on each for 100ms. In order to see a device, the target device needs to be transmitting on a given channel at the same time that the dongle is listening on that channel.

The easiest way to find the address of a mouse, for instance, is to run the script and move your mouse around while it cycles through the channels. Depending on the mouse (and its hopping behavior), it will usually get detected in 10-30 seconds.

marcnewlin commented 8 years ago

Depending on the target device, you can speed up the process by limiting the channels that are scanned. Logitech Unifying devices, for instance, use every third channel between 2402 and 2474. To scan on just these channels, you can invoke the script as follows:

sudo ./tools/nrf24-scanner.py -c {2..74..3} -v
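The channel cycling described in the two replies above (100 ms listening per channel, and scanning only every third channel for Logitech Unifying devices) as a small Python 3 model. This is an added illustration, not code from the mousejack project; the device's hop period, report interval and starting channel are assumptions chosen for the model.

```python
# Added illustration of nrf24-scanner.py's channel cycling; not code from the
# mousejack project. Device timings below are assumptions for the model.

DWELL_MS = 100                              # per-channel listen time stated in the thread
ALL_CHANNELS = list(range(2, 84))           # default scan list shown by -v (channels 2..83)
UNIFYING_CHANNELS = list(range(2, 75, 3))   # every third channel, 2402..2474 MHz, i.e. -c {2..74..3}

def channel_to_mhz(channel):
    """nRF24 channel numbers are an offset from 2400 MHz."""
    return 2400 + channel

def sweep_time_ms(scan_list, dwell_ms=DWELL_MS):
    """Time for one full pass over the scan list."""
    return len(scan_list) * dwell_ms

def scanner_channel_at(t_ms, scan_list, dwell_ms=DWELL_MS):
    """Channel the dongle listens on at time t; it starts at scan_list[0] at t=0."""
    return scan_list[(t_ms // dwell_ms) % len(scan_list)]

class HoppingDevice:
    """Assumed device model: walks its channel list from start_index, staying
    hop_ms on each channel, and while active sends a packet every report_ms
    (a mouse being moved). An idle mouse (active=False) sends nothing."""
    def __init__(self, channels, hop_ms, report_ms, start_index=0, active=True):
        self.channels, self.hop_ms, self.report_ms = channels, hop_ms, report_ms
        self.start_index, self.active = start_index, active

    def channel_at(self, t_ms):
        return self.channels[(self.start_index + t_ms // self.hop_ms) % len(self.channels)]

    def transmits_at(self, t_ms):
        return self.active and t_ms % self.report_ms == 0

def time_to_detection_ms(scan_list, device, max_ms=60_000):
    """First millisecond at which the device transmits on the channel the
    scanner is tuned to, or None if that never happens within max_ms."""
    for t in range(max_ms):
        if device.transmits_at(t) and scanner_channel_at(t, scan_list) == device.channel_at(t):
            return t
    return None

if __name__ == "__main__":
    # Hypothetical Unifying-style mouse: hops every 1 s, reports every 8 ms while moved.
    mouse = HoppingDevice(UNIFYING_CHANNELS, hop_ms=1000, report_ms=8, start_index=13)
    for name, scan in (("all channels", ALL_CHANNELS), ("every third channel", UNIFYING_CHANNELS)):
        print(f"{name}: sweep {sweep_time_ms(scan)} ms, first detection at "
              f"{time_to_detection_ms(scan, mouse)} ms")
```

Running it shows that a shorter scan list both shortens each sweep and brings the first overlap between the dongle's dwell and the device's transmissions forward, while an idle device is never seen however long the scan runs.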

Dr-Death commented 8 years ago

sudo make install runs without error:

sudo make install
./prog/usb-flasher/usb-flash.py bin/dongle.bin
[2016-04-21 20:55:58.324]  Looking for a compatible device that can jump to the Nordic bootloader
[2016-04-21 20:55:58.594]  Device found, jumping to the Nordic bootloader
[2016-04-21 20:55:58.672]  Looking for a device running the Nordic bootloader
[2016-04-21 20:55:59.334]  Writing image to flash
[2016-04-21 20:55:59.858]  Verifying write
[2016-04-21 20:56:00.028]  Firmware programming completed successfully
[2016-04-21 20:56:00.028]  Please unplug your dongle or breakout board and plug it back in.

I moved the mouse the whole time while scanning, but nothing was detected.

marcnewlin commented 8 years ago

Which mouse are you using?

Dr-Death commented 8 years ago

I have two mice to test with (Astrum, Intex):

Bus 003 Device 008: ID 248a:8564
Bus 002 Device 011: ID 062a:4101 Creative Labs Wireless Keyboard/Mouse

marcnewlin commented 8 years ago

I haven't looked at mice from Astrum or Intex, but I suspect they are using a different type of transceiver.

Dr-Death commented 8 years ago

The USB dongle for the Astrum has 2.4GHz written on it.

marcnewlin commented 8 years ago

This project works with devices that are compatible with the nRF24L series of transceivers from Nordic Semiconductor.

Not all mice use this particular type of transceiver, so your best bet would be to look at one of the known devices listed in the public advisories:

https://github.com/RFStorm/mousejack/tree/master/doc/advisories

Dr-Death commented 8 years ago

Is the touchpad in a Logitech wireless keyboard compatible?

marcnewlin commented 8 years ago

Yes, all of the Logitech Unifying devices use nRF24L compatible transceivers.

Dr-Death commented 8 years ago

I have this Logitech wireless keyboard (model name: Y-RAN77); I moved the touchpad while scanning, but again nothing was detected:

Bus 003 Device 010: ID 046d:c51e Logitech, Inc.

I also tested it with the small mini keyboard that came with a touchpad:

Bus 002 Device 016: ID 0c45:7000 Microdia

marcnewlin commented 8 years ago

It looks like that uses an older 27MHz transceiver, but any of the Logitech Unifying branded devices are compatible.

Dr-Death commented 8 years ago

Yes, it's an old keyboard. I will check with some friends whether they have any newer Logitech or M$ modules to test it with.

thanks

MindrustUK commented 8 years ago

Think I've got a similar problem.

I'm using a "2.4Ghz nRF24LU1+ USB radio Crazyradio dongle" bought from: http://www.ebay.co.uk/itm/331932644753?_trksid=p2060353.m2749.l2649&ssPageName=STRK%3AMEBIDX%3AIT

I've tried various mice and keyboards; I think most are probably a bit old (i.e. pre-Unifying). However, I've also tested a Logitech TK820 and Logitech M505, which are definitely Unifying compatible (the M505 ships with the 0007 dongle [I couldn't re-flash this to test because it wasn't mine]).

I'm running "nrf24-scanner.py -l" and I would've expected some results but even with the "-v" flag I just get output that it's hopping channels and the green LED on the dongle lights up.

Any suggestions?

Thanks.

sw1337 commented 8 years ago

I've got the Crazyradio PA and the EagleTec K104 / KS04 2.4 GHz Wireless Combo keyboard. However, after flashing I can't find any device with nrf24-scanner.py.

Any ideas?