I recently found in my office a suspicious device, which I plugged into a spare computer. It was recognized as a keyboard by the system, and started clicking and typing. Whether it is a malicious device, a prank, or an automation tool, I want to find out its purpose and the code.
When plugged in:
$ sudo dmesg
[ 59.018129] usb 1-4: new full-speed USB device number 5 using xhci_hcd
[ 59.169828] usb 1-4: New USB device found, idVendor=239a, idProduct=800e, bcdDevice= 1.00
[ 59.169842] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 59.169847] usb 1-4: Product: ItsyBitsy 32u4 5V 16MHz
[ 59.169851] usb 1-4: Manufacturer: Adafruit
[ 59.169855] usb 1-4: SerialNumber: C
[ 59.192196] cdc_acm 1-4:1.0: ttyACM0: USB ACM device
[ 59.192216] usbcore: registered new interface driver cdc_acm
[ 59.192218] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[ 59.199938] input: Adafruit ItsyBitsy 32u4 5V 16MHz as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.2/0003:239A:800E.0002/input/input22
[ 59.260993] hid-generic 0003:239A:800E.0002: input,hidraw1: USB HID v1.01 Keyboard [Adafruit ItsyBitsy 32u4 5V 16MHz] on usb-0000:00:14.0-4/input2
[ 59.261027] usbcore: registered new interface driver usbhid
[ 59.261028] usbhid: USB HID core driver
It is an Adafruit ItsyBitsy 32u4, which has an ATmega32u4 chip onboard and an "AVR109 compatible" USB bootloader, according to its description on Adafruit's website.
I know that I cannot get the source code directly, but I was planning to use a disassembler to do the translation, and maybe get some hints about it. Any help with this is also welcome.
I have read that I can dump the binary from the bootloader using the tool avrdude. However, because this device is set up as an HID keyboard, I do not know if the methods I saw are appropriate for this, or whether it is just impossible to access the bootloader anymore.
I have tried the following:
$ sudo avrdude -p m32u4 -c avr109 -U flash:r:flash.hex -v -v
This is the output (erroneous):
avrdude: Version 6.3-20171130
Copyright (c) 2000-2005 Brian Dean, http://www.bdmicro.com/
Copyright (c) 2007-2014 Joerg Wunsch
System wide configuration file is "/etc/avrdude.conf"
User configuration file is "/root/.avrduderc"
User configuration file does not exist or is not a regular file, skipping
Using Port : /dev/ttyS0
Using Programmer : avr109
AVR Part : ATmega32U4
Chip Erase delay : 9000 us
PAGEL : PD7
BS2 : PA0
RESET disposition : dedicated
RETRY pulse : SCK
serial program mode : yes
parallel program mode : yes
Timeout : 200
StabDelay : 100
CmdexeDelay : 25
SyncLoops : 32
ByteDelay : 0
PollIndex : 3
PollValue : 0x53
Memory Detail :

                         Block Poll               Page                       Polled
  Memory Type Mode Delay Size  Indx Paged  Size   Size #Pages MinW  MaxW   ReadBack
  ----------- ---- ----- ----- ---- ------ ------ ---- ------ ----- ----- ---------
  eeprom        65    20     4    0 no       1024    4      0  9000  9000 0x00 0x00
  flash         65     6   128    0 yes     32768  128    256  4500  4500 0x00 0x00
  lfuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
  hfuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
  efuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
  lock           0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
  calibration    0     0     0    0 no          1    0      0     0     0 0x00 0x00
  signature      0     0     0    0 no          3    0      0     0     0 0x00 0x00
Programmer Type : butterfly
Description : Atmel AppNote AVR109 Boot Loader
Connecting to programmer: .avrdude: ser_recv(): programmer is not responding
avrdude: butterfly_recv(): programmer is not responding
avrdude: ser_recv(): programmer is not responding
avrdude: butterfly_recv(): programmer is not responding
avrdude: ser_recv(): programmer is not responding
avrdude: butterfly_recv(): programmer is not responding
avrdude: ser_recv(): programmer is not responding
avrdude: butterfly_recv(): programmer is not responding
avrdude: ser_recv(): programmer is not responding
avrdude: butterfly_recv(): programmer is not responding
avrdude: ser_recv(): programmer is not responding
avrdude: butterfly_recv(): programmer is not responding
Found programmer: Id = ""; type =
Software Version = .; Hardware Version = .
avrdude: ser_recv(): programmer is not responding
avrdude: butterfly_recv(): programmer is not responding
Should I try to add other options, like -P for port, which I have seen in other questions on the internet? However, I do not know which value to give to this option.
I want to know: is it possible to extract the code from the bootloader? If it is, how? Should I use avrdude or another tool? How?
Thank you in advance.
Yes, you are looking for the -P flag; it needs the path to the serial device of the AVR when it's in its bootloader. As long as it is a normal ItsyBitsy, and not one that's been modified to work without the bootloader, you need to get it into the bootloader by hitting the reset button twice within 750 ms, and within 8 seconds you need to run the avrdude command.
For the -P flag, you posted your dmesg output, and it's the same as my machine, /dev/ttyACM0.
So, my dance to get mine is to hold reset for a count of 5 (to let Linux notice it's gone and free the device it was assigned), hit the reset button again quickly, wait for a second (but not too long; Linux needs to reallocate the tty but you cannot miss the bootloader window), then run the avrdude command:
sudo avrdude -p m32u4 -c avr109 -P /dev/ttyACM0 -U flash:r:flash.hex -v -v
Good luck! Hopefully it's just a prank.
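Once the dump succeeds, the next step is to turn the file into something a disassembler and an evidence log can use. The script below is an added example (my own, not code from the question, the answer, or Adafruit); it assumes the file was read either with the `:i` suffix (`-U flash:r:flash.hex:i`, Intel HEX) or with `:r`/no suffix (raw binary, avrdude's default output format), flattens it to a 32 KiB image, hashes it, reports how much flash is in use, and lists printable strings, which is where a typed payload usually shows up.

```python
# Added example (not from the question or answer). Assumes the dump came from
# '-U flash:r:flash.hex:i' (Intel HEX) or from ':r'/no suffix (raw binary, avrdude's default).
import hashlib
import json
import re
import sys

FLASH_SIZE = 32768  # ATmega32u4 flash size, matching avrdude's memory table above


def parse_intel_hex(text: str, size: int = FLASH_SIZE) -> bytes:
    """Decode Intel HEX records (type 00 data, 01 EOF, 04 extended linear address) into
    a flash image; locations never written stay 0xFF, the erased state of AVR flash."""
    image = bytearray(b"\xff" * size)
    base = 0
    for recno, line in enumerate(text.split(), 1):  # split() drops blank lines
        if not line.startswith(":"):
            raise ValueError(f"record {recno}: not an Intel HEX record")
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:  # every byte plus the checksum must sum to 0 mod 256
            raise ValueError(f"record {recno}: checksum mismatch")
        count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:4 + count]
        if rtype == 0x00:
            image[base + addr:base + addr + count] = data
        elif rtype == 0x01:
            break
        elif rtype == 0x04:
            base = int.from_bytes(data, "big") << 16
    return bytes(image)


def load_dump(raw: bytes) -> bytes:
    """Return a flat flash image whether the file is Intel HEX or raw binary."""
    if raw[:1] == b":":
        return parse_intel_hex(raw.decode("ascii"))
    return raw.ljust(FLASH_SIZE, b"\xff")[:FLASH_SIZE]


def summarise(image: bytes, min_len: int = 6) -> dict:
    """Hash the image for the evidence record, measure how much flash is in use and pull
    printable strings: text typed via Keyboard.print() often sits in flash as plain ASCII."""
    used = len(image.rstrip(b"\xff"))
    strings = [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)]
    return {"sha256": hashlib.sha256(image).hexdigest(), "used_bytes": used, "strings": strings}


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(json.dumps(summarise(load_dump(fh.read())), indent=2))
```

Run it as `python3 dumpinfo.py flash.hex`; the flat image it builds is also what you would hand to an AVR disassembler such as avr-objdump, with the caveat that the top of flash on a stock ItsyBitsy holds the bootloader rather than the sketch.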