BastilleResearch / mousejack

MouseJack device discovery and research tools
GNU General Public License v3.0

Logitech Unifying firmware absent #25

Open denisbsu opened 8 years ago

denisbsu commented 8 years ago

Is there a way to get any .hex version (12 or 24) of Logitech Unifying firmware without Windows installation?

zarbam commented 8 years ago

I'm also looking for this too.

tgmars commented 8 years ago

If anyone has the original firmware floating around, I'd really appreciate a copy too!

zarbam commented 8 years ago

Here's the link to the firmware download https://community.logitech.com/s/question/0D531000055gw8YCAQ

I was unable to get the firmware extracted. When I run it nothing happens.

eikaf commented 8 years ago

Same problem here, can't get back to the old firmware through the Logitech page. I think we need a .hex firmware image.

eikaf commented 8 years ago

Here they are, found them under ProgramData inside Windows:

RQR_012_007_00029.hex http://www112.zippyshare.com/v/Z0cVxtTK/file.html
RQR_024_005_00029.hex http://www112.zippyshare.com/v/Cj6TLcbZ/file.html

khackskjs commented 7 years ago

Thank you for sharing the download page. How do I use the .hex file? I've faced maybe the same problem, that I can't update the Unifying receiver firmware. Thank you in advance.

eikaf commented 7 years ago

Follow this procedure: https://github.com/BastilleResearch/mousejack#flash-a-logitech-unifying-dongle-back-to-the-original-firmware

khackskjs commented 7 years ago

@eikaf Thank you for your fast answer. What you answered seems to be the way for Linux-like systems, right? I want to upgrade a receiver's firmware with Windows 7. Do you know how to do it?

eikaf commented 7 years ago

I don't think you can. You could probably try Cygwin, but I don't recommend doing that. You can try to restore the firmware with the Logitech tool, but I did not manage to do that. If you do, let us know.

khackskjs commented 7 years ago

@eikaf Hm.. actually, when I change my M705 mouse to another M705, it's OK. The reason why I wanted to update the receiver firmware is a problem with scrolling in the web browser. That is, the receiver (I didn't change the receiver) pairs with another M705. After that, I went back to using the previous M705 mouse from before the change. It works well... so strange! So I've stopped updating the firmware. But I still thank you.

xillwillx commented 7 years ago

You can open the exes with 7zip and extract the file .rsrc\2048\FILES\137; that'll be your firmware. The only thing I didn't know is: how do you know which version of the firmware you need? I jumped the gun and didn't check before flashing the mousejack firmware :x

Rondom commented 7 years ago

Does anyone have an old image, so I can revert to the older, insecure RQR12.01_B0019 firmware?

techfixpros commented 6 years ago

Necro alert, but still pertinent.

The patched RQR12.07.B0029 as well as the insecure RQR12.05.B0028 can be found on github. https://github.com/Logitech/fw_updates

snoremaster3000 commented 5 years ago

> Necro alert, but still pertinent.
>
> The patched RQR12.07.B0029 as well as the insecure RQR12.05.B0028 can be found on github. https://github.com/Logitech/fw_updates

Are you sure? I don't think so. The release notes (https://github.com/Logitech/fw_updates/blob/master/RQR12/RQR12.05/RQR12.05_B0028.txt) say it's patched and I cannot get jackit to work with this version.

> Here they are, found them under ProgramData inside Windows:
> RQR_012_007_00029.hex http://www112.zippyshare.com/v/Z0cVxtTK/file.html
> RQR_024_005_00029.hex http://www112.zippyshare.com/v/Cj6TLcbZ/file.html

> Here's the link to the firmware download https://community.logitech.com/s/question/0D531000055gw8YCAQ
>
> I was unable to get the firmware extracted. When I run it nothing happens.

These links are expired, unfortunately. Can someone share an old fw please? I'm kicking myself bc I had a vulnerable mouse and then I loaded the nordicresearch image onto it without backing up the old image. Can't find it now. :(

T3KX commented 5 years ago

I have the same problem, I can't find an old vulnerable firmware.

From this git: https://github.com/xwings/tuya/tree/master/talks/mousejack/logitech%20firmware

The RQR_012_005_00028.hex makes my dongle work, but it's not vulnerable.

And if I extract from RQR_024_003_00027.exe = RQR_024_003_00027.rsrc\2048\FILES\137, when I flash it, it shows as bootloader and the mouse doesn't work.

If anyone has an old firmware, please upload it.

snoremaster3000 commented 5 years ago

Yes, I also extracted RQR_024_003_00027.hex from RQR_024_003_00027.exe using "strings RQR_024_003_00027.exe > RQRstrings.txt" and then just erasing all but the hex for the fw, and also just got a bootloader. Only the RQR012 images seem to work for my receiver, but none are vulnerable to keystroke injection. I've also tried all the fw images on the fw_updates github from Logitech and none are vulnerable.

This is for a receiver that I had tested and confirmed vulnerable several times just hours before so I am fairly certain that it is not human error on my part.

Hopefully someone is willing to share a vulnerable image and if nothing else I'll put it up on my github for future researchers.
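
An added example (not part of the original thread or of the mousejack tools): a check for a .hex image that was hand-trimmed out of `strings` output or fetched from a mirror, assuming the files are standard Intel HEX. It verifies each record's length and checksum, requires the EOF record, and reports the address range and a SHA-256 of the decoded bytes for comparison against a known-good copy; the sample records are constructed, not real firmware.

```python
import hashlib

# Constructed samples (not real firmware): two data records plus EOF, and a damaged copy.
GOOD = ":0400000001020304F2\n:02000400AABB95\n:00000001FF\n"
BAD = ":0400000001020305F2\nleftover strings output\n:02000400AABB95\n"

def parse_ihex(text):
    """Return ({address: byte}, [error strings]) for Intel HEX text."""
    memory, errors, base, saw_eof = {}, [], 0, False
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if saw_eof:
            errors.append(f"line {n}: content after EOF record")
            break
        try:
            if not line.startswith(":"):
                raise ValueError("not a record")
            raw = bytes.fromhex(line[1:])
            if len(raw) < 5 or len(raw) != raw[0] + 5:
                raise ValueError("length field does not match record size")
            if sum(raw) & 0xFF:  # all bytes incl. checksum must sum to 0 mod 256
                raise ValueError("bad checksum")
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
            continue
        addr, rtype, data = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype == 0x00:                      # data record
            for i, b in enumerate(data):
                memory[base + addr + i] = b
        elif rtype == 0x01:                    # end of file
            saw_eof = True
        elif rtype == 0x02:                    # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                    # extended linear address
            base = int.from_bytes(data, "big") << 16
        # 0x03/0x05 start-address records carry no image bytes and are skipped
    if not saw_eof:
        errors.append("missing EOF record")
    return memory, errors

def summarize(text):
    """Integrity summary to compare against a known-good copy before flashing."""
    memory, errors = parse_ihex(text)
    image = bytes(memory[a] for a in sorted(memory))
    return {"ok": not errors, "errors": errors, "bytes": len(image),
            "lo": min(memory, default=None), "hi": max(memory, default=None),
            "sha256": hashlib.sha256(image).hexdigest()}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, summarize(sample))
```
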

T3KX commented 5 years ago

Does anyone know a way or software to actually dump the firmware of an existing vulnerable dongle?

T3KX commented 5 years ago

@snoremaster3000 I ended up buying a dongle on Amazon https://www.amazon.ca/gp/product/B01LYFI2LN/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1

It works, it's on 025.

snoremaster3000 commented 5 years ago

> @snoremaster3000 I ended up buying a dongle on Amazon https://www.amazon.ca/gp/product/B01LYFI2LN/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1
>
> It works, it's on 025.

That's too funny. Their stock is that old. I also found another vulnerable receiver and was able to dump the firmware off of it using logitech-usb-backup.py (can't find this tool in the github anymore for some reason) https://drive.google.com/open?id=1ed3xF_QWFSG8FJqvf3dAIAkMe3sX-1DK

It saved the firmware in binary format, which I don't think will work. It needs some extra bytes added to the beginning too, and I don't have time to figure it out at the moment, but I will post what I have in case I never get around to it.

Definitely vulnerable https://drive.google.com/open?id=1PakgwcuM2IVsDIDid-tXnsXQP7_0kZlo

Probably vulnerable (didn't have time to test this receiver, but judging by the release version I would say it's probably vulnerable) https://drive.google.com/open?id=1TuCDm6zq2Ugrh03abzNSriaJL-PMtKfk

sogewasp commented 4 years ago

Necro alert again, but still relevant.

I've tried the logitech-usb-backup.py on my unpatched device, it works. At least it extracts some data from the device, but I would be very surprised if you can re-flash it as is. It's very different from the Logitech published firmwares and some data is definitely missing.

@snoremaster3000 how did you manage to find the firmwares you uploaded?

I have this device, but I would like to dump the vulnerable firmware before patching:

Current version:     RQR12.03_B0025
Bootloader Version:  BOT01.02_B0015

Btw the tool logitech-usb-backup.py is still available on github in older commits, they have removed it from the master's HEAD: https://github.com/BastilleResearch/nrf-research-firmware/commit/80ea8288cf3931365c86d599fd3de772cf993b90

I'm interested if anyone can show a way to properly dump the entire firmware.

sogewasp commented 4 years ago

Update: You can dump the firmware with https://github.com/mame82/munifying

Steps to reproduce:

git clone https://github.com/mame82/munifying
cd munifying
go build
./munifying dumpnordic

bilogic commented 4 years ago

Hi,

Any idea how I can analyze the contents of the firmware? What architecture etc? I'm trying to understand how the AES counter works https://github.com/RoganDawes/LOGITacker/issues/55#issuecomment-617739408

Thank you.