MK520: request for a testing tutorial #3

Open
linux0ne opened this issue Jul 16, 2019 · 11 comments

Comments

@linux0ne

1. My device is the MK520, a keyboard and mouse set.
2. I currently cannot tell whether the firmware of the Unifying device is the old or the new version. How do I determine this?
3. On Logitech's official website I only found the Unifying device identification software, a 2010 version. I did not see where the firmware can be downloaded, nor where the firmware fix patch from three years ago is. Please advise.
4. In the demo video, what is the USB-type identification device with the antenna? How can I get one?

@RoganDawes (Collaborator)

Google translates this as:

1, my device is MK520, keyboard and mouse set.
2, I can not determine firmware unifying equipment is old or new, how to determine?
3, I'm on Logitech's official website, only to see the unifying device recognition software, version 2010, and did not see where to download the firmware, three years ago, did not see where the firmware repair patches, seeking advice ?
4, demo video, USB class identification device with an antenna What is? How can I get?

@RoganDawes (Collaborator)

Re 4, that is likely to be either a CrazyRadio PA+LNA, with a NRF24LU1 chip on it, or possibly an AprilBrother NRF52840 dongle. Perhaps you can provide a link to the video in question, so we can be sure?

@RoganDawes (Collaborator)

Re 3, this article has more information on the difficulty of updating the firmware of the receiver:

https://www.heise.de/ct/artikel/Logitech-keyboards-and-mice-vulnerable-to-extensive-cyber-attacks-4464533.html

Not too helpful, I admit. Perhaps Logitech will improve their website, and updaters. You may actually have better luck using the Linux fwupd site. https://fwupd.org/

@linux0ne (Author)

Re 4, that is likely to be either a CrazyRadio PA+LNA, with a NRF24LU1 chip on it, or possibly an AprilBrother NRF52840 dongle. Perhaps you can provide a link to the video in question, so we can be sure?

https://www.freebuf.com/news/207981.html See the demo video in this link. Note the device with the antenna in the video.

@RoganDawes (Collaborator)

I believe that is the CrazyRadio.

@mame82 (Owner)

mame82 commented Jul 17, 2019

Re 4, that is likely to be either a CrazyRadio PA+LNA, with a NRF24LU1 chip on it, or possibly an AprilBrother NRF52840 dongle. Perhaps you can provide a link to the video in question, so we can be sure?

https://www.freebuf.com/news/207981.html See the demo video in this link. Note the device with the antenna in the video.

The PoC for CVE-2019-13052 (sniff pairing, live decryption of keyboard) could be replicated using either LOGITacker or mjackit:

  1. With the software tool mjackit and a CrazyRadio PA or Logitech CU0007 dongle (both run nRF24LU1+) + modified firmware
  2. LOGITacker without external software

In order to sniff a pairing, additional software is needed to pair a device:

  • Windows: Unifying Software (supports only Unifying receivers)
  • Linux: munifying pre-release (supports Unifying receivers, Receivers of presentation clickers R500/SPOTLIGHT, receivers of Logitech LIGHTSPEED wireless gaming peripherals like G603 mouse)

PoC for CVE-2019-13053 (encrypted injection without knowledge of encryption key) could be replicated using mjackit.

PoC for CVE-2019-13054 (extraction of encryption keys from presentation clicker receivers) and CVE-2019-13055 (extraction of encryption keys from Unifying receivers) could be replicated using the full version of munifying combined with either mjackit or LOGITacker (for sniffing/injection). The full version of munifying will be released in August, along with availability of a vendor patch for those vulnerabilities.

Note: CVE-2019-13052 (which will not be patched) will achieve the same results as CVE-2019-13054/13055 (will be patched). All of these vulnerabilities allow an attacker with one-time physical access to steal the link encryption keys of a wireless device. The vulnerability which will be patched (USB based key extraction) only applies to some Logitech receivers; the vulnerability which will not be patched (key extraction based on sniffing of device pairing) applies to ALL Logitech receivers.
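Two practical steps come up in this thread without code: checking which firmware a Unifying receiver runs (question 2 above, answered with fwupd) and triggering a device pairing so the pairing can be sniffed (the "additional software is needed to pair a device" step). Both are plain HID++ 1.0 register accesses on the receiver, so the following added example (not code from this issue, from munifying or from LOGITacker) shows them end to end. It assumes the HID++ 1.0 short-report layout and the register numbers 0xF1 (firmware) and 0xB2 (pairing lock) as implemented in open-source tools such as Solaar, the Unifying receiver USB ID 046d:c52b with HID++ on interface 2, and the `hid` (hidapi) Python package for the optional USB path; the sample replies and all helper names are this example's own.

```python
"""HID++ 1.0 helpers for a Logitech Unifying receiver: read the receiver
firmware version and open the pairing lock.

Added example; not code from the issue thread, munifying or LOGITacker.
Assumptions (from public HID++ 1.0 usage in tools such as Solaar): 7-byte
short reports, device index 0xFF = receiver, register 0xF1 = firmware,
register 0xB2 = pairing lock, USB ID 046d:c52b, HID++ on interface 2.
"""
try:
    import hid  # pip install hidapi; only needed for query_receiver()
except ImportError:  # the pure builders/parsers below work without it
    hid = None

UNIFYING_VID, UNIFYING_PID = 0x046D, 0xC52B  # assumption: confirm with lsusb
HIDPP_INTERFACE = 2         # interface carrying HID++ reports (assumption)

REPORT_SHORT = 0x10         # 7-byte HID++ short report
RECEIVER_INDEX = 0xFF       # device index that addresses the receiver itself
SUB_SET_REGISTER = 0x80
SUB_GET_REGISTER = 0x81
SUB_ERROR = 0x8F
REG_FIRMWARE = 0xF1         # GET with p0 = 1: version, 2: build, 4: bootloader
REG_PAIRING = 0xB2          # SET with p0 = 1 opens the lock, 2 closes it

HIDPP10_ERRORS = {0x01: "invalid SubID", 0x02: "invalid address",
                  0x03: "invalid value", 0x04: "connection request failed",
                  0x05: "too many devices", 0x07: "busy",
                  0x08: "unknown device", 0x0A: "request unavailable"}


class HidppError(Exception):
    def __init__(self, code):
        super().__init__("HID++ 1.0 error 0x%02X: %s"
                         % (code, HIDPP10_ERRORS.get(code, "unknown")))
        self.code = code


def short_report(sub_id, address, p0=0, p1=0, p2=0):
    """Build a 7-byte HID++ 1.0 short report addressed to the receiver."""
    return bytes([REPORT_SHORT, RECEIVER_INDEX, sub_id, address, p0, p1, p2])


def firmware_request(part):
    """GET register 0xF1; part 1 = version, 2 = build, 4 = bootloader."""
    return short_report(SUB_GET_REGISTER, REG_FIRMWARE, part)


def open_pairing_request(timeout_s=60):
    """SET register 0xB2: open the pairing lock for timeout_s seconds."""
    return short_report(SUB_SET_REGISTER, REG_PAIRING, 0x01, 0x00, timeout_s)


def parse_reply(reply, sub_id, address):
    """Validate a reply to (sub_id, address); return its 3 parameter bytes.

    An error report carries SubID 0x8F, echoes the failed SubID/address in
    bytes 3-4 and puts the error code in byte 5.
    """
    reply = bytes(reply)
    if len(reply) < 7 or reply[0] != REPORT_SHORT:
        raise ValueError("not a HID++ short report: %r" % reply)
    if reply[2] == SUB_ERROR and reply[3] == sub_id and reply[4] == address:
        raise HidppError(reply[5])
    if reply[2] != sub_id or reply[3] != address:
        raise ValueError("unrelated report (notification?): %r" % reply)
    return reply[4:7]


def format_firmware(version_reply, build_reply):
    """Render the part-1 and part-2 replies of register 0xF1 as 'MM.mm.Bbbbb'."""
    v = parse_reply(version_reply, SUB_GET_REGISTER, REG_FIRMWARE)
    b = parse_reply(build_reply, SUB_GET_REGISTER, REG_FIRMWARE)
    if v[0] != 0x01 or b[0] != 0x02:
        raise ValueError("replies are not the version/build parts")
    # Bytes are BCD-like: 0x12 0x05 -> "12.05", build 0x00 0x28 -> "0028".
    return "%02X.%02X.B%02X%02X" % (v[1], v[2], b[1], b[2])


def _exchange(dev, request, sub_id, address, tries=8):
    """Write one request, read until the matching reply; return its 7 bytes."""
    dev.write(request)
    for _ in range(tries):
        raw = dev.read(32, timeout_ms=1000)   # short (7) or long (20) report
        if not raw:
            continue
        try:
            parse_reply(raw[:7], sub_id, address)   # raises HidppError on 0x8F
            return bytes(raw[:7])
        except ValueError:                          # notification, keep reading
            continue
    raise TimeoutError("no reply to %r" % request)


def query_receiver(open_pairing=False):
    """Read firmware version/build from the first Unifying receiver found."""
    if hid is None:
        raise RuntimeError("pip install hidapi")
    paths = [d["path"] for d in hid.enumerate(UNIFYING_VID, UNIFYING_PID)
             if d["interface_number"] == HIDPP_INTERFACE]
    if not paths:
        raise RuntimeError("no Unifying receiver found")
    dev = hid.device()
    dev.open_path(paths[0])
    try:
        fw = format_firmware(
            _exchange(dev, firmware_request(1), SUB_GET_REGISTER, REG_FIRMWARE),
            _exchange(dev, firmware_request(2), SUB_GET_REGISTER, REG_FIRMWARE))
        if open_pairing:   # receiver acks with the same SubID/address
            _exchange(dev, open_pairing_request(30), SUB_SET_REGISTER, REG_PAIRING)
        return fw
    finally:
        dev.close()


if __name__ == "__main__":
    import sys
    print(query_receiver(open_pairing="--pair" in sys.argv))
```

Run it as root (or with a udev rule granting hidraw access) on the host the receiver is plugged into; `--pair` opens the pairing lock for 30 seconds, which is the moment a sniffer such as LOGITacker or mjackit needs to observe. The builders and parsers are kept separate from the USB I/O so they can be checked against captured reports without hardware.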

@linux0ne (Author)

@mame82 Thanks! Thank you very much for your guidance and help.
Looking forward to your further updates.

@linux0ne (Author)

@RoganDawes Thanks! Thank you very much for your guidance and help.

@linux0ne (Author)

@mame82
I would like to ask the following questions further:
1. "firmware for CU0007 / CrazyRadio PA: https://github.com/mame82/nrf-research-firmware"
What is the function of this firmware and how is it used? Does it update the firmware of the CU0007 itself and add security?
Normally, if you want to attack a CU0007 device, you can't rewrite its firmware first, can you?

2. What is "LOGITacker"? Is it the "AprilBrother NRF52840 dongle"? Are there any corresponding pictures or introductory links?

3. I really want to know: what is the wireless receiver used in your video? Were all four vulnerabilities detected using this device for signal sniffing?

@linux0ne (Author)

Do you mean that:

  1. Such a combination can be used: mjackit and CrazyRadio PA. The latter needs to be flashed with the latest firmware: https://github.com/mame82/nrf-research-firmware

This combination of software and hardware has the most obvious effect on CU0007 equipment. Yes or no?

  2. LOGITacker can also be used. The question is: what is LOGITacker? Is it the "AprilBrother NRF52840 dongle"?

Of course, you need to flash firmware onto a LOGITacker device before using it. https://github.com/mame82/LOGITacker/releases/tag/v0.1.2-beta

This combination of software and hardware has the most obvious effect on CU0007 equipment. Yes or no?

@mame82 (Owner)

mame82 commented Jul 21, 2019

Everything correct, but with CU0007 it is a bit different.

LOGITacker and/or mjackit could be used to interact with CU0007 (Unifying Nordic), CU0008 (Unifying TI / Lightspeed), CU0012 (Unifying TI nano) ... additionally CU0016 (R500/SPOTLIGHT clickers TI).

As CU0007 is a Nordic based dongle with nRF24LU1+, it could serve as a replacement for the CrazyRadio PA. The modified 'nrf-research-firmware' could be flashed onto this dongle instead. In contrast to the CrazyRadio, the CU0007 has a PCB antenna and lacks the PA, so RF range isn't as good.
