
Keyboard Snooper

Hacking into computers is all well and good if you’re a CS person, but I’m an EE. This device plugs in-line with the PS2 port and hijacks key presses. When a username is typed in, it records the password that follows.

Introduction

This originated as a final project for a microcontrollers class I was in. Consequently, this project is designed on a PIC microcontroller. The electronics are built onto a small board that plugs into the computer’s PS2 port and provides another PS2 port for the keyboard to plug into. While plugged in, it secretly steals passwords. I’ll give some background about the PS2 keyboard protocol as well as info about the electrical and software design. Finally, I’ll provide links to schematics and source code.

The Snooper

I want to give credit to Ryan Westafer as well. He was my partner on this project.

PS2 keyboard protocol

The keyboard uses two signals to implement its synchronous communication protocol. Both clock and data lines are open-collector and therefore idle high. When either party is ready to send data, the clock is driven low for eight bits of data plus a start bit, stop bit, and parity bit. This protocol is used to send ‘make’ and ‘break’ codes for each keystroke. Make codes signify a key has been pressed, and break codes signify its release. Here is a list of all make and break codes. In fact, this guy’s site explains all of this very well. Link.

Electronic Design

I wanted to use the 5V power that is supplied in the PS2 connector to power our device so it could be covertly implanted. I also didn’t want to mess up the computer or keyboard, hinder the user, or give ourselves away. This didn’t really require sneakiness because I just hooked the clock and data lines to high-impedance digital inputs on the PIC. I also added an LED for debugging purposes, but it would definitely be removed in a for-real spy version. Schematic.

Software Design

The algorithm works by watching for clock edges and then recording the eight data bits that follow. The program then checks whether the received byte is within the range of acceptable characters (0x15-0x7d). If the byte is within that range of alphanumeric characters, it gets processed. If not, the byte gets ignored. Ignored bytes are either break codes or function key make codes, and thus are of no interest. Once bytes are received and validated, the pattern recognition algorithm determines whether data logging should begin.
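As an added example (not the project’s own code, which is PIC assembly), here is a decoder for the PS2 frame format from the protocol section and the byte validation just described. It assumes the data-line levels sampled on each falling clock edge have already been captured into an 11-entry array, and it tracks the scan-code-set-2 break prefix (0xF0) explicitly instead of relying on a timing delay to skip break codes; the scan-code values are constructed test input.

```c
#include <stdint.h>
#include <stdbool.h>
/* One PS/2 frame is 11 bits clocked out by the keyboard, LSB first:
 * start (0), eight data bits, odd parity, stop (1).  bits[i] is the
 * data-line level sampled on the i-th falling clock edge. */
#define PS2_FRAME_BITS 11
typedef enum { PS2_OK, PS2_BAD_START, PS2_BAD_PARITY, PS2_BAD_STOP } ps2_status;

ps2_status ps2_decode_frame(const uint8_t bits[PS2_FRAME_BITS], uint8_t *out)
{
    uint8_t byte = 0, ones = 0;
    if (bits[0] != 0) return PS2_BAD_START;
    for (int i = 0; i < 8; i++)
        if (bits[1 + i]) { byte |= (uint8_t)(1u << i); ones++; }
    /* odd parity: data bits plus parity bit hold an odd number of ones */
    if (((ones + bits[9]) & 1u) == 0) return PS2_BAD_PARITY;
    if (bits[10] != 1) return PS2_BAD_STOP;
    *out = byte;
    return PS2_OK;
}

/* Scan-code set 2 sends a break as 0xF0 followed by the key's make code.
 * Remembering that prefix drops the trailing byte of a break without a
 * delay; the page's 0x15-0x7D window then filters out everything else
 * (function keys, and the 0x00 bytes seen during mouse activity). */
typedef enum { KEY_MAKE, KEY_BREAK, KEY_IGNORED } key_event;
typedef struct { bool break_pending; } ps2_stream;

key_event ps2_classify(ps2_stream *s, uint8_t code)
{
    bool is_break = s->break_pending;
    s->break_pending = (code == 0xF0);
    if (code == 0xF0 || code < 0x15 || code > 0x7D) return KEY_IGNORED;
    return is_break ? KEY_BREAK : KEY_MAKE;
}

/* Self-check over constructed input: one frame carrying 0x1C ('A' in set 2),
 * the same frame with a flipped data bit, then make A, break A, mouse 0x00. */
int ps2_selftest(void)
{
    uint8_t f[PS2_FRAME_BITS] = { 0, 0,0,1,1,1,0,0,0, 0, 1 }, b;
    ps2_stream s = { false };
    if (ps2_decode_frame(f, &b) != PS2_OK || b != 0x1C) return 0;
    f[3] ^= 1;                        /* corrupt a data bit: parity must catch it */
    if (ps2_decode_frame(f, &b) != PS2_BAD_PARITY) return 0;
    if (ps2_classify(&s, 0x1C) != KEY_MAKE) return 0;
    if (ps2_classify(&s, 0xF0) != KEY_IGNORED) return 0;
    if (ps2_classify(&s, 0x1C) != KEY_BREAK) return 0;
    if (ps2_classify(&s, 0x00) != KEY_IGNORED) return 0;
    return ps2_classify(&s, 0x1C) == KEY_MAKE;
}
```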

“Pattern recognition algorithm” is a big name for a simple state machine that looks for patterns like “root”, “su”, or other programmable phrases that signify a password is coming. When a pattern is recognized, the next 16 characters are stored to a RAM buffer.

The guidelines of the class were that two PIC processors had to communicate, so here ends the functionality of the ‘spy board.’ The spy board could be connected to another board (which had an LCD display) via an SPI connection. When a button on the spy board was pushed, it downloaded its RAM buffer to the larger board. The spy board just kept the make codes for the keys. Once they were transmitted to the larger board, a lookup table was used to determine which ASCII character each make code corresponded to. This message was then displayed on the LCD.

Stuff I learned

Turns out that mouse movement drives the same clock line as the keyboard. Either they share the clock, or the OS requests the state of keys such as “ALT” or “CTRL” when the mouse is moved. Because the data line remains high during this occurrence, null bytes are received. Fortunately the algorithm, designed to discard invalid bytes, ignores the mouse movement.

Also, after a byte is received you need to wait approximately 30 ms in order to successfully ignore all non-make-code transmissions of the keyboard.

Furthermore, I learned during this project that holding a chip onto a socket != putting the chip in that socket. *Especially* when trying to program a chip. It ended up causing all sorts of errors and once I started actually plugging it in development went much faster.

Future Work and Other Ideas

Ideally, I would like to rebuild this and bundle it with a flash memory card so that it could just record everything that was typed on the snooped-on computer. Then, when a ‘secret code’ was typed in, it would dump everything back onto the PS2 line and print out a complete log. Then you could get passwords and all sorts of other stuff.

Also, if I could do it all over again, I would use C instead of assembly. (C makes life immensely easier!)

Code & Schematic Files

PIC16F676 Code
PIC18F452 Code
Schematic

  1. June 15th, 2009 at 21:19 | #1

    I gotta hand it to you buddy. You have some very cool ideas.

  2. raz
    July 12th, 2010 at 10:15 | #2

    Where can I buy this? Can I buy it?
    I run a small business. I employ 12 screenprinters and 1 admin staff.
    I’m convinced my admin employee is screwing me over financially through misuse of the computer system (albeit not a very advanced one!)
    I have no evidence to prove she is doing this but this device would let me monitor what she sends out and receives! Orders I have been waiting on and promised are mysteriously being offered to other competitors… without explanation!
    As you can guess… I am NOT computer minded.
    Would appreciate ANY help you can offer?
    Thanks
    Razman Tir

  3. August 6th, 2010 at 10:21 | #3

    @raz. I don’t sell this project, but I think there is similar stuff at thinkgeek.com

  4. November 18th, 2010 at 01:40 | #4

    Looks cool. I don’t believe it would be too difficult to make it work with USB either. I’ve seen some write-ups on how to convert PS2 to USB and vice versa. I’m inclined to build one, though I already have plenty of unfinished projects right now.
