Hacking into computers is all well and good if you’re a CS person, but I’m an EE. This device plugs in-line with the PS2 port and hijacks key presses. When a username is typed in, it records the following password.
This originated as a final project for a microcontrollers class I was in. Consequently, this project is designed on a PIC microcontroller. The electronics are built onto a small board that plugs into the computer’s PS2 port and provides another PS2 port for the keyboard to plug in to. While plugged in it secretly steals passwords. I’ll give some background about PS2 keyboard protocol as well as info about electrical and software design. Finally, I’ll provide links to schematics and source code.
I want to give credit to Ryan Westafer as well. He was my partner on this project.
PS2 keyboard protocol
The keyboard uses two signals to implement its synchronous communication protocol. Both clock and data lines are open-collector and therefore idle high. When either party is ready to send data, the clock is driven low for eight bits of data plus a start bit, stop bit, and parity bit. This protocol is used to send ‘make’ and ‘break’ codes for each keystroke. Make codes signify a key has been pressed, and break codes signify its release. Here is a list of all make and break codes. In fact, this guy’s site explains all of this very well. Link.
I wanted to use the 5V power that is supplied in the PS2 connector to power our device so it could be covertly implanted. I also didn’t want to mess up the computer or keyboard, hinder the user, or give ourselves away. This didn’t really require sneakiness because I just hooked the clock and data lines to the high-impedance digital inputs on the PIC. I also added an LED for debugging purposes, but it would definitely be removed in a for-real spy version. Schematic.
The algorithm works by watching for clock edges then recording the eight data bits that follow. The program then checks to see if the received byte is within the range of acceptable characters (0x15-0x7d). If the byte is within the given range of alphanumeric characters, it gets processed. If not, the byte gets ignored. Ignored bytes are either break codes, or function key make codes, and thus are of no interest. Once bytes are received and validated, the pattern recognition algorithm determines if data logging should begin.
Pattern recognition algorithm is a big word for a simple state machine that looks for patterns like “root”, “su”, or other programmable phrases that signify that a pattern is coming. When a pattern is recognized, the next 16 characters are stored to a RAM buffer.
The guidelines of the class were that two PIC processors had to communicate, so here ends the functionality of the ‘spy board.’ The spy board could be connected to another board (which had an LCD display) via an SPI connection. When a button on the spy board was pushed it downloaded its RAM buffer to the larger board. The spy board just kept the make codes for the keys. Once they were transmitted to the larger board, a lookup table was used to determine which make code made what ASCII character. This message was then displayed on the LCD display.
Stuff I learned
Turns out that mouse movement drives the same clock line as the keyboard. Either they share the clock, or the OS requests the state of keys such as “ALT” or “CTRL” when the mouse is moved. Because the data line remains high during this occurrence, null bytes are received. Fortunately the algorithm, designed to discard invalid bytes, ignores the mouse movement.
Also, after a byte is received you need to wait approximately 30 ms in order to successfully ignore all non-make-code transmissions of the keyboard.
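The frame format from the protocol section and the make/break handling from the algorithm section, written out as an added C example (not the project’s code, which was PIC assembly): a keyboard-side encoder and host-side decoder for the 11-bit frame with start, parity and stop checks, plus a scan-code set 2 stream decoder that tracks the 0xF0 and 0xE0 prefixes, which is how a host tells a release from a key press without the 30 ms wait. The 0xF0/0xE0 prefixes and byte values such as 0x1C are standard set 2 conventions assumed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
/* A PS/2 frame is 11 bits clocked LSB first: start (0), 8 data bits,
 * odd parity, stop (1). bits[] holds them in the order they arrive. */
#define PS2_FRAME_BITS 11

/* Keyboard side: build the frame for one scan-code byte. */
void ps2_encode_frame(uint8_t data, uint8_t bits[PS2_FRAME_BITS])
{
    uint8_t ones = 0;
    bits[0] = 0;                       /* start bit */
    for (int i = 0; i < 8; i++) {
        bits[1 + i] = (data >> i) & 1;
        ones += bits[1 + i];
    }
    bits[9] = (ones & 1) ? 0 : 1;      /* odd parity over the data bits */
    bits[10] = 1;                      /* stop bit */
}

/* Host side: return the data byte, or -1 if start, stop or parity is wrong.
 * A keyboard controller drops such frames before the OS ever sees them. */
int ps2_decode_frame(const uint8_t bits[PS2_FRAME_BITS])
{
    if (bits[0] != 0 || bits[10] != 1)
        return -1;
    uint8_t data = 0, ones = 0;
    for (int i = 0; i < 8; i++) {
        data |= (uint8_t)((bits[1 + i] & 1) << i);
        ones += bits[1 + i] & 1;
    }
    if (((ones + bits[9]) & 1) == 0)   /* data + parity must have odd 1s */
        return -1;
    return data;
}

/* Scan-code set 2 stream: 0xF0 prefixes a release, 0xE0 an extended key.
 * Tracking the prefixes, rather than a timing window, is how a host tells
 * a make code from the identical byte that follows 0xF0. */
typedef struct { bool brk, ext; } ps2_state;
typedef struct { bool valid, released, extended; uint8_t code; } ps2_event;
ps2_event ps2_feed(ps2_state *st, uint8_t byte)
{
    ps2_event ev = {0};
    if (byte == 0xF0) { st->brk = true; return ev; }
    if (byte == 0xE0) { st->ext = true; return ev; }
    ev.valid = true; ev.released = st->brk; ev.extended = st->ext;
    ev.code = byte;
    st->brk = st->ext = false;
    return ev;
}
```

The null bytes the author saw during mouse movement come through ps2_feed as a plain event with code 0x00, so a byte-range check like the one in the algorithm section still belongs on top of the prefix tracking.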
Furthermore, I learned during this project that holding a chip onto a socket != putting the chip in that socket. *Especially* when trying to program a chip. It ended up causing all sorts of errors and once I started actually plugging it in development went much faster.
Future Work and Other Ideas
Ideally, I would like to rebuild this and bundle it with a flash memory card so that it could just record everything that the snooped-on computer typed. Then, when a ‘secret code’ was typed in it would dump everything back onto the PS2 line and print out a complete log. Then you could get passwords and all sorts of other stuff.
Also, if I could do it all over again, I would use C instead of assembly. (C makes life immensely easier!)