1. Introduction
As a child, I was a primary school student who skipped classes to go to internet cafes. It was said that the internet cafe owner would install a small device on the USB port behind the computer to record the online gaming accounts of primary school students. Now I know that it was a hardware keylogger.
Hardware keyloggers
Like software keyloggers, they record all user inputs on the keyboard, such as account passwords, URLs, phone numbers, etc.
The unique aspect of the hardware version is that even with various defense measures that can defend against most software keyloggers, hardware-based keyloggers are imperceptible to the operating system, as they are just standard input devices. This makes recognition and defense quite difficult.
Can you find the keylogger device in the picture?
In this article, we will discuss the principles of hardware keyloggers and create a hardware keylogger that can be remotely controlled via Wi-Fi, starting from the PCB and firmware.
2. Principles
There are many finished hardware keyloggers available on e-commerce sites both domestically and internationally, but they are a bit expensive. Open-source designs include spacehuhn’s wifi_keylogger (https://github.com/spacehuhn/wifi_keylogger), and @anymous’s project on Freebuf (https://www.freebuf.com/geek/58895.html), etc.
Taking wifi_keylogger as an example, it is an Arduino-based keylogger. It has Wi-Fi functionality, can store recorded keyboard inputs, and allows viewing recorded data through its emitted Wi-Fi network.
wifi_keylogger
However, you may find it impractical: it is too large and difficult to install behind a computer.
The reason is that USB keyboards use the HID protocol. For Arduino, the speed is too fast to read. Therefore, in addition to Arduino, other devices are needed to read the HID protocol.
The solution of wifi_keylogger is to use a USB Host Shield module (the white part in the picture), while @anymous’s method is to use an adapter to convert the USB keyboard to a PS2 keyboard and analyze the PS2 protocol.
These solutions have two drawbacks: one is size, and the other is that these solutions may affect the keyboard, such as multimedia keys being unusable, compatibility issues with different keyboard layouts, etc.
To achieve a more compact and compatible design, other chips must be used, and the PCB must be redesigned. Ideally, the HID protocol conversion, keyboard data parsing and recording, and Wi-Fi functionality should be integrated onto one board and kept small.
This article designs and produces such a keylogger.
3. Design
The keylogger in this article realizes the analysis and recording of USB keyboard input and provides Wi-Fi functionality. In this chapter, we will specifically analyze the design of each part.
Wi-Fi Part
In penetration scenarios, if a hardware device is implanted and you come back to retrieve it after a few days, you might end up in prison. If the keylogger has Wi-Fi functionality, you can read keyboard records remotely, and even configure it to connect to the target office’s Wi-Fi, directly sending keyboard records back to the attacker’s control server.
Reading records via Wi-Fi
For the Wi-Fi part, we use the famous ESP8266 chip—cheap and powerful Wi-Fi SOC, widely used in the IoT field. This article uses the ESP8266-07S module, which is very small and exposes commonly used pins, meeting the requirements of this article.
ESP8266-07S module
Keyboard Recording Part
First, we need the CH9350 chip to convert the HID protocol to UART protocol for analyzing and recording keyboard data. The backend data analysis and recording are implemented on the ESP8266.
CH9350
CH9350 is a USB keyboard and mouse to serial communication control chip produced by Nanjing Qinheng Micro Company. It can convert HID protocol and UART protocol and is highly complete and easy to develop.
We will use CH9350 to convert the USB keyboard’s HID protocol to UART protocol, using ESP8266 to parse and record keyboard input content and provide Wi-Fi access functionality.
Overall Circuit Design
The schematic of the entire circuit is shown in the figure:
Schematic
The power module is in the lower left corner. Since the ESP8266 requires a 3.3V power supply and the USB interface provides 5V power supply, the AMS1117-3.3 chip is used for conversion.
Directly below is the ESP8266-07S module, and we use its UART interface RX (receiving end) to receive data sent by CH9350. It connects to the keyboard side CH9350’s UART TX (sending end) to “listen” to the communication between CH9350.
This has an additional benefit: the analysis module of the keylogger stands at the perspective of an “observer”. Even if it experiences slow parsing speed or even crashes, it will not affect the keyboard.
The two chips in the center are CH9350. According to the official documentation, two CH9350 chips are used as the lower machine connected to the keyboard and the upper machine connected to the computer, both powered by 3.3V.
On both sides are USB connectors and sockets for connecting to the computer’s USB interface and connecting the USB keyboard.
Firmware Design
The specific keyboard data parsing, data storage, and Wi-Fi functionality require us to write relevant programs in the ESP8266 module, which is the firmware.
ESP8266 supports development through Arduino, which facilitates our firmware development. Therefore, this article completes the development in the Arduino environment.
The firmware of the ESP8266 needs to implement:
Read keyboard data between CH9350 via UART serial and parse it.
Store data in SPIFSS and provide read and clear functions.
Provide functionality to view recorded content via Wi-Fi.
After powering on, the two CH9350 will automatically negotiate to enter “mode 1” and transmit various data frames over the UART interface. For the specific process and data frame information, please refer to the official documentation. Among them, we need the “valid key value frame,” which contains the key information pressed by the user on the keyboard. Its format is as follows:
Valid key value frame
Since we are intercepting the data from the USB keyboard, the frame format is generally as follows:
57AB 83 0C 12 01 00 00 04 00 00 00 00 00 12 17 //A key pressed
57AB 83 0C 12 01 00 00 00 00 00 00 00 00 13 14 //Key released
The first 6 digits are fixed, the next 8 digits are standard USB keyboard data, and the last two digits are the serial number and checksum.
The first 6 digits can be used as the feature for identifying valid key value frames, and we can read the following 8 digits to obtain key press information.
For specific data tables, please refer to the USB HID Usage Table, linked at the end of this article.
In Arduino, the example code to identify valid key value frames is as follows:
void loop() {while (Serial.available() > 0) { // There is data in the serial buffer if (Serial.read() == 0x83){ // The second byte of the frame 83 is the first feature delay(10); // Appropriate delay to wait for subsequent data to reach the serial buffer if (Serial.read() == 0x0C){ delay(10); if (Serial.read() == 0x12){ delay(10); if (Serial.read() == 0x01){ // Read 8-bit keyboard data here }}}}}}The ESP8266 module receives the keyboard data frames through the TX port of the upper machine connected to CH9350 and decodes it into key press information. The obtained data is then stored in SPIFSS.
SPIFSS (Serial Peripheral Interface Flash File System) is a flash memory built into the ESP8266 module, and its data will not be lost after power off. In the ESP8266-07S module, the size of this flash memory is 4M, which is enough to store quite a lot of keyboard records.
We can read and modify SPIFSS through FS.h, and the example code is as follows:
#include File logFile; // Create file object void setup() { SPIFFS.begin(); logFile = SPIFFS.open("/keyLog.txt", "a+"); // Open a file dataFile.println("Some Data Here,Maybe Keylog"); // Write data dataFile.close(); } Finally, for the Wi-Fi part: create a Wi-Fi network that attackers can connect to and view or clear keyboard records. Here, we refer to some ideas from wifi_keylogger, and the example code is as follows:
#include #include #include const char *ssid = "USBKeylogger"; // Name of the created access point const char *password = "12345678"; // Password for the access point AsyncWebServer server(80); // Open service on port 80 (IP is 192.168.4.1) void setup() { WiFi.mode(WIFI_STA); // Wi-Fi in access point mode WiFi.softAP(ssid, password); // Start Wi-Fi server.on("/", HTTP_GET, [](AsyncWebServerRequest *request){ // Display recorded content when accessing the root directory request->send(SPIFFS, "/keyLog.txt", "text/plain"); }); server.on("/clear", HTTP_GET, [](AsyncWebServerRequest *request){ // Clear existing records when accessing "/clear" logFile.close(); logFile = SPIFFS.open("/keyLog.txt", "w"); request->send(200, "text/plain", "Log File Cleared!"); }); server.begin(); // Start server } The combination of the three is the complete code for USBKeylogger. The complete firmware source code can be downloaded from the link provided at the end of this article.
4. Hardware Production
PCB Design and Production
To turn theory into reality, we need to convert the schematic into PCB and perform layout. Here we use Lichuang EDA for production.
Due to space limitations, the specific layout process will not be discussed here. The author’s PCB design is shown in the figure:
PCB Design (Copper not shown)
The schematic and PCB design for USBKeylogger are open-source, and the project link can be obtained at the end of this article. If you would like to reference, redevelop, or produce directly, feel free to fork the author’s project.
After completing the design, export the PCB project as Gerber files and submit them to a PCB manufacturer for production.
You can choose a domestic sampling factory, commonly known ones include Jialichuang, Jiepei, Huacong PCB, etc. The domestic PCB industry has developed to a terrifying level: for this small double-layer board, the cost for 5 samples is around 5-30 yuan, and it can be delivered within 2-3 days.
The author chose Jialichuang. The relevant production parameters are shown in the figure:
Production Parameters
After submitting the order, if there are no special process and color requirements, you can generally receive the finished product within 48 hours. The produced PCB looks like this:
PCB
Burning Firmware
You might think the next step is to solder the components? Not yet, before soldering, we first need to burn the firmware into the ESP8266.
Please note that the ESP8266 module must be written with firmware before soldering onto the PCB. Otherwise, you need to disconnect the RX contact of ESP8266 from the PCB to burn it normally, which is a bit troublesome.
Burning requires using a USB2TTL module. You can buy a CH340 or something for about 6 yuan.
USB2TTL Module
The burning method is to connect the ESP8266’s TXD0, RXD0, VCC, GND, and GPIO0 to the USB2TTL. The connection method is as follows:
| ESP8266 Module | USB2TTL Module |
|---|---|
| TXD0 | RX |
| RXD0 | TX |
| VCC | 3V3 |
| GND | GND |
| GPIO0 | GND |
The wiring of the ESP8266 module and USB2TTL should look like this (pay attention to the wire colors):
Wiring of ESP8266 Module
Wiring of USB2TTL Module
(Here’s a pitfall: the difference between ESP-07 and ESP-07S is not just in the antenna. The burning methods for both are completely different. The ESP-07S has built-in pull-up/down resistors, and you only need to pull down GPIO0 to download. But ESP-07 does not, and you need to connect it manually. The author initially made a mistake in the design of the board.)
After the connection is complete, connect the USB2TTL to the computer.
Burning also requires installing the Arduino environment, which can be downloaded online and is relatively simple, so it will not be elaborated here. The troublesome part is installing the ESP8266 extension. The author’s network environment may lead to 404 errors, requiring VPN.
The specific method is to open the firmware source code for USBKeylogger (download link at the end). After entering the Arduino IDE, click “File – Preferences” and enter:
http://arduino.esp8266.com/stable/package_esp8266com_index.json
Preferences
After saving, open “Tools – Board – Board Manager” and find “esp8266” in the “Contributed” type, and click install.
Board Manager
Now you should be able to find “Generic ESP8266 Module” in “Tools – Board”. Select it and adjust the other settings (such as Flash Size, etc.) as shown in the figure:
Board Settings
Finally, in the port menu, select the COM port of USB2TTL (definitely not COM1, it may be COM3, COM4, etc.), and then click “Project – Upload” to burn the code to the development board. This process takes 2-3 minutes. If you see the following debugging information, it means the firmware has been successfully burned.
Firmware burned successfully
Component Soldering
Next is the soldering of components on the board. The relevant BOM (Bill of Materials) is as follows:
| Name | Number | Package | Unit Price (Yuan) | Quantity |
|---|---|---|---|---|
| CH9350L | U1, U2 | LQFP-48 | 14 | 2 |
| Capacitor 100nF | C1,2,3,4 | C0603 | 4 (100 pcs) | 4 |
| Capacitor 1uF | C5,6 | C0603 | 5 (100 pcs) | 2 |
| ESP-07S | U4 | 8.5 | 1 | |
| AMS1117-3.3 | U3 | 0.5 | 1 | |
| USB Female Socket | USB1 | USB-A | 0.2 | 1 |
| USB Plug | USB2 | USB-A | 0.2 | 1 |
| Single Product Cost: About 39 Yuan |
Soldering requires using a soldering iron, rosin, solder wire, and high-temperature sponge. Because we need to solder the densely pinned CH9350L, it is recommended to use a chisel tip soldering iron. This set costs about 60 yuan.
The soldering iron can melt solder wire for soldering various components. Rosin can restore oxidized solder due to long-term high temperatures, and the high-temperature sponge can clean the soldering iron tip after soaking in water.
The author uses a Huanghua 907 soldering iron with a chisel tip. This soldering iron is moderately priced, adjustable in temperature, has replaceable tips, and has a long lifespan. With the above tools, most common components can be soldered.
Huanghua 907 soldering iron and chisel tip
As for the specific soldering methods, it is difficult to express solely with words. If you want to learn, you can find many video tutorials on Bilibili or other video sites, as well as tutorials on soldering specific components.
A little tip:
The best soldering order is CH9350-AMS1111-Capacitors-USB Connectors-ESP8266 Module. The ESP8266 must be programmed first.
Soldering the CH9350 module requires only a small amount of solder, combined with a relatively large amount of rosin. Touch the chisel tip to all the pins on one side, dragging it outwards or to one side; this process is very satisfying for perfectionists.
This soldering iron can reach a maximum of 400°, but it is not necessary; too high a temperature can easily oxidize the solder. Generally, 250-300° is sufficient.
After soldering, the black rosin residue can be cleaned with a small knife and a cotton swab dipped in alcohol.
The finished product looks like this:
Finished Product
After all components are installed, you can choose to install the antenna of the ESP8266-07S as needed, as its built-in antenna generally has poor signal and short range.
5. Testing
By now, you have obtained the finished USBKeylogger. Install it on the USB port behind the victim’s computer, connect it to the keyboard, and it will record all of the victim’s keyboard records.
Connection Diagram
Once installed, you should be able to find a Wi-Fi network named “USBKeyLogger” with the password “12345678”. (The name and password can be modified in the firmware source code.)
Wi-Fi List
Next, open your browser and visit http://192.168.4.1/, and you will see all the keyboard records.
View Record Content
Visit http://192.168.4.1/clear/, you can clear the saved records.
6. Conclusion and More
This article basically realizes the design and production of a hardware keylogger. I had heard about this thing a long time ago, but the actual production process was somewhat different from what I had imagined.
This device can be further optimized, such as modifying the PCB design to implant it into the plastic shell of the keyboard, or using other chips to save costs (e.g., CH376, but that would increase the amount of code significantly).
Moreover, its firmware is still relatively “rudimentary”; I will continue to develop it in the future. This project is open-source, and you are welcome to contribute!
Appendix and References
USBKeylogger schematic, PCB, firmware: https://oshwhub.com/PushEAX/USBKeylogger
CH9350 official materials and documentation: http://www.wch.cn/products/CH9350.html
ESP8266-07S manual: http://wiki.ai-thinker.com/_media/esp8266/a000um00a3.pdf
HID Usage Tables:
https://usb.org.10-1-108-210.causewaynow.com/sites/default/files/hut1_12.pdf
Introduction to SPIFFS operations
http://www.taichi-maker.com/homepage/esp8266-nodemcu-iot/iot-c/spiffs/spiffs-operation/
*This article is for technical discussion and research only and is strictly prohibited for illegal use.
Recommended
