Arduino UNO R2/R3 as a HID Device


   By: magikh0e 
   magikh0e _aT_ ihtb d0t org
                                                                                        
'\v/`  
     (o 0)  m0o. 
 (_)  /
 
 
  Last Edit: July 4 2015

Table Of Contents

Prerequsites
Arduino DFU Programming
 -Enabling DFU Mode
  -Programming the ATMega16U2 chip with dfu-programmer (Linux / Windows)
  -Restoring Arduino Default Bootloader


This tutorial explains how to turn an Arduino UNO into a HID device, emulating a keyboard like a Teensy Kit can do. 
The Arduino UNOs come with an Atmega16U2 chip, this chip acts as a bridge between the computers USB port and the main 
processor's serial port. 

The firmware on this chip can be updated using a special USB protocol called DFU (Device Firmware Update). 
In order for the Arduino to act as a HID device, the standard USB serial firmware needs replaced.

What good is Arduino as a HIUD Device?
Programmable HID USB Keystroke Dongle - Using the Teensy as a pen testing device
Social Engineer Toolkit - Arduino Based Attack Vector
Teensy USB HID for Penetration Testers - Part 1: Introduction and Arduino Installation

Prerequesite Software

Hardware: 
	Arduino UNO R2/R3
	Jumper or Piece of wire

Software: 
Arduino IDE
dfu-programmer, dfu-util (Linux)
libusb-dev (Linux)
Atmel Flip (Windows)

Firmware:
Arduino-usbserial-atmega16u2-Uno-Rev3.hex
Arduino-keyboard.hex


Arduino DFU Programming

NOTE: In order to get the Arduino into DFU mode, you must short the RESET pin to the GROUND pin on the 
ATMega16U2's ICSP header. Soldering resistors etc is NOT REQUIRED with Arduino R2 / R3.


Arduino_ICSP_RESETGNDPINS



Enabling DFU Mode


1. Power on the Arduino and then using the example image above, connect the pins with a jumper or touch them together 
   with a piece of wire, no longer than 2-3 seconds. The LED should flash and the Arduino will reboot. 
   The Arduino will now be in DFU mode, ready to be programmed.



Programming the ATMega16U2 chip with dfu-programmer


(Linux)
1. From a terminal as root, issue the following commands: 


dfu-programmer atmega16u2 erase
dfu-programmer atmega16u2 flash --debug 1 Arduino-usbserial-atmega16u2-Uno-Rev3.hex
dfu-programmer atmega16u2 reset


(Windows)
1. Open Atmel Flip. From the menu select Device->Select. Select ATmega16U2, then click OK.
2. From the menu select Settings->Communication->USB, then click Open.
3. From the menu select File->Load HEX File..., select the 
   Arduino-usbserial-atmega16u2-Uno-Rev3.hex file, then click on the Run button.
4. Click the Start Application button, ensuring Reset box is checked.


Once you have completed the steps above for your OS, power cycle the Arduino and make sure it's visible by the computer. 
Open Arduino IDE, then verify and upload the following code into the Arduino.



uint8_t buf[8] = { 0 }; 

void setup() {
	Serial.begin(9600);
	randomSeed(analogRead(0));
	delay(200);
}

void loop() {
	delay(5000);
	buf[0] = 0;
	buf[2] = 0x10; // letter M - http://www.freebsddiary.org/APC/usb_hid_usages.php
	Serial.write(buf, 8);
	releaseKey();
}

void releaseKey() {
	buf[0] = 0;
	buf[2] = 0;
	Serial.write(buf, 8); 
}




4. Repeat Step 1 from Enabling DFU Mode, this time using the Arduino-keyboard.hex file. 
   Power cycle the Arduino.
   
6. Open notepad and confirm that you see M's being sent by the Arduino. If you see the M's the Arduino is now
   configured as a HID device.
   
   
   

If you wish to change what the keyboard actually does, ie load a power shell script ;). 
You first need to repeat the following steps:
 
Enabling DFU Mode Step 1 and Programming Arduino-usbserial-atmega16u2-Uno-Rev3.hex Step 1 & Step 2. 

NOTE:Replace the code within Step 2 with your desired code or select from 
Arduino HID Sketch - Penetration testing examples...





Restoring Arduino Default Bootloader


If you just wish to restore back to the default Arduino bootloader, repeat 
Enabling DFU Mode Step 1 and Programming UNO-dfu_and_usbserial_combined.hex 
Step 1 using the latest atmegaxxu2 from Arduino github