Webkey hacking

Posted: September 26, 2011 in Hacks, Programming

Just a quick post..

I recently got around 15 webkey devices, and here’s how to make them point to your own site, start a program, open your mail or whatever. But first, what is a webkey? As you can see in the picture, they are buttons with a USB cable attached.

A webkey is a device which you plug into your USB port and which identifies itself as a HID (keyboard) device. When you push the button (under which there is actually a real push-button), it opens the “Run” prompt, “types” a website address, “presses” Enter and so opens the website.

At my school all the teachers got one from, I think, management or something, to make things easier or to virtualize things or something (then why a physical button??)… Anyway, all the teachers got one and most of them thought of it as a giant waste of money. So they made a box to put them in and send them back (or throw them away or something). Luckily enough I got a few and thought, as every thinker and hacker would think: what’s inside and, more importantly, can I hack it?!

I got a few :)

Well it is… and it would even be possible that you got on this website USING the webkey!

Of course I took it apart and this is what was inside:

As you can see there is a blob, a normal SOIC chip and some caps. It turns out that the blob chip is the MCU and the SOIC chip is an EEPROM (24c02) on which, as I already suspected, the URL of the website is stored.

As you can see on the picture I already soldered 3 wires to the EEPROM. The EEPROM supports I2C/TWI so I soldered a wire to the SCL and SDA (and the GND). This way I could read and program it with my (awesome) Bus Pirate.

I read the datasheet, which says the address of the EEPROM is 0xa0 (write) and 0xa1 (read). The address is determined by the A0, A1 and A2 pins, which are tied to GND or VCC. In my case they were all connected to GND, so the address is 0xa0 and 0xa1. Optionally, the Bus Pirate has a macro for searching for addresses on an I2C bus. I thought the EEPROM would be protected in some way, such as by tying the Write Protect (WP) pin to VCC, but luckily for me this wasn’t the case!

So for starters here’s the coding to do to read the EEPROM with a Bus Pirate:

[0xa1 r:256]

[ = start bit
] = stop bit
0xa1 = read address of EEPROM
r:256 = read 256 bytes

To learn more about programming the EEPROM with the Bus Pirate check this.

Make sure you don’t change the pointer (it points to a memory byte)!! I did this a few times, and it seems the MCU on the board notices this and will not read the EEPROM any more; instead it uses the pre-programmed URL (in the MCU itself): http://www.tenx.com.tw/

If you only get this URL, it means the pointer position isn’t correct. So first read all the data (in my case 256 bytes), then work out the byte at which it first begins to read. In my case the MCU begins to read at 0x40 (byte 64).

When you read the EEPROM you get a long list of ACKs, zeros and some data; this is the URL in ASCII (search for an ASCII-to-hex table to translate it). The data is actually stored from memory byte 0 onwards.

So to program you have to do the following:

1. Do not change the pointer!

2. Read a lot of bytes and save this data (read like 2KB to make sure you read everything, or check the datasheet for the size of your EEPROM’s memory).

[0xa1 r:2096]

3. Figure out where the MCU begins to read and look for when the read is back at that point. Remember this point. (In my case I found 256 bytes and it began to read from 0x40, the 64th byte.)

4. Write the data of your choice, 8 bytes at a time (check the datasheet for this); translate the ASCII characters to hex, decimal or binary.

Use for example:
[0xa0 0 0x68 0x74 0x74 0x70 0x3a 0x2f 0x2f 0x6a]
[0xa0 8 0x6a 0x73 0x68 0x6f 0x72 0x74 0x63 0x75]
[0xa0 16 0x74 0x2e 0x63 0x6f 0x6d]

or notepad:
[0xa0 0 0x6e 0x6f 0x74 0x65 0x70 0x61 0x64][0xa0 0x40]

5. Set the pointer back to the original place!

[0xa0 0x40]

Make sure you power-cycle the device when you test it.

This way it worked for this webkey!
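
An added example, not code from the original post: a Python helper that works out the pointer from one full dump (step 3) and prints the Bus Pirate commands for steps 4 and 5. It assumes, as the post describes, a 256-byte EEPROM holding a single string from address 0 with 0x00 everywhere else; the function names and the example.com sample dump are constructed for illustration.

```python
EEPROM_SIZE = 256  # bytes in a 24C02, the size found in the post
PAGE_SIZE = 8      # bytes per write, as in the post's step 4
WRITE_ADDR = 0xA0  # I2C write address from the post (A0-A2 on GND)


def locate_pointer(dump, size=EEPROM_SIZE):
    """Return (pointer, image) for a dump read from an unknown start address.

    Assumes one string stored from address 0 and 0x00 everywhere else.
    """
    if len(dump) < size:
        raise ValueError("need one full pass over the EEPROM")
    window = bytes(dump[:size])
    # A start is a non-zero byte preceded (cyclically) by 0x00. The read
    # wraps from the last address to 0, so window[-1] precedes window[0].
    starts = [i for i in range(size) if window[i] and not window[i - 1]]
    if len(starts) != 1:
        raise ValueError("expected one data block, found %d" % len(starts))
    k = starts[0]  # dump offset at which address 0 appears
    return (size - k) % size, window[k:] + window[:k]


def page_writes(text, pointer, page=PAGE_SIZE):
    """Bus Pirate commands that store text from address 0, then restore pointer."""
    data = text.encode("ascii")
    if not 0 < len(data) < EEPROM_SIZE:
        raise ValueError("string must fit in the EEPROM")
    cmds = []
    for off in range(0, len(data), page):  # page-aligned, never crosses a page
        chunk = " ".join("0x%02x" % b for b in data[off:off + page])
        cmds.append("[0x%02x %d %s]" % (WRITE_ADDR, off, chunk))
    cmds.append("[0x%02x 0x%02x]" % (WRITE_ADDR, pointer))
    return cmds


def constructed_dump(text, pointer, size=EEPROM_SIZE):
    """Constructed sample: what one full read starting at `pointer` returns."""
    mem = text.encode("ascii").ljust(size, b"\x00")
    return bytes(mem[(pointer + i) % size] for i in range(size))


if __name__ == "__main__":
    ptr, image = locate_pointer(constructed_dump("http://www.example.com", 0x40))
    print("pointer: 0x%02x, stored: %r" % (ptr, image.rstrip(b"\x00")))
    print("\n".join(page_writes("http://jjshortcut.com", ptr)))
```

The generated commands overwrite only as many bytes as the new string has, so bytes left over from a longer previous string are not cleared. A dump with more than one block of data, such as the checksum layout one commenter reports below, is rejected rather than guessed at.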

Another thing, the webkey has some printing on it with the logo of my school, I wanted to change it to my own so I used acetone to remove the printing and used a marker to write my PCB logo on it.

And now we literally have a JJShortcut! :)

Comments
  1. hello…

    This really answered my problem, thank you!…

  2. rick says:

    Cool! Thanks for the tutorial. I found one (with another logo but the same device) today at a flea market. I didn’t know about the Bus Pirate. I’ll probably buy one.

  3. [...] The teachers at [Wouter van der Vinne’s] school were each given a Webkey by the administration as a promotional item of sorts, but most of the staff saw them as useless, so they pitched them. [Wouter] got his hands on a few of them and decided to take one apart to see what made them tick. [...]

  5. [...] The teachers at [Jjshortcut's] school were each given a Webkey by the administration as a promotional item of sorts, but most of the staff saw them as useless, so they pitched them. [Jjshortcut] got his hands on a few of them and decided to take one apart to see what made them tick. [...]

  7. Bento de Gier says:

    We got about 25 of these today and I’m trying to hack them to launch some other application.

    Ours are “Eco” keys which put your PC into Standby when clicked.

    I removed the cover and the PCB is exactly the same as in your picture (same Revision etc etc) but we are missing the EEPROM (the chip you soldered the wires to). The only chip is hidden under the Epoxy bubble.

    The USB key is recognized as a HID Keyboard in Windows 7.

    Any ideas?

    • jjshortcut says:

      You could debug the traces for figuring out if the epoxy blob chip requests data of an EEPROM chip, if so you could place an EEPROM chip on it. Otherwise I’m not sure what to do..

  9. Mibe says:

    I tried to hack one of these buttons (another PCB, but the same EEPROM), and I used an Arduino to read and write the EEPROM.

    At the moment I have the correct data on the EEPROM, but (I guess) since the pointer is not set to the right location the MCU loads the hardcoded website. You mentioned something about calculating the right pointer position. How can I do this? And how can I set this on the EEPROM?

    • jjshortcut says:

      Hi,

      As I described, the first time you read it, from pointer place one, you should be able to figure out from which pointer place the device itself begins to read. So if you read from pointer one it probably gives you some 0x00’s (zeros) until it reaches the real data. By counting all the 0x00’s before the real data you have your pointer number.

      Hope that helps!

      • Mibe says:

        Thank you for the reply.

        The first time I read the EEPROM I made the following dump: http://pastebin.com/pR59RuYG.

        So if I understand you correctly I have to set the pointer at byte 16 (the first one on the 3rd line). I tried this and it didn’t work.

      • jjshortcut says:

        You have to set the pointer to the exact place it began to start reading the first time, so this would be the total amount of bytes minus the first 16 bytes to get it in the right place again. So you have to figure out how big your EEPROM is (how many Bytes)..

      • Mibe says:

        Apparently in my case it had nothing to do with the pointer. It seemed the EEPROM contained a 2-byte checksum after the null byte. After figuring out how to calculate this checksum I was able to change the command executed by the webkey.

  12. elerepair says:

    just set the pointer to 0x00 in the beginning, then read 256 bytes, edit in hex editor, set the pointer to 0, just to be sure, and write everything back.

  14. elliott says:

    http://www.arcadeworlduk.com/product_downloads/USBButton.exe

    is the program to download to modify these buttons. A lot simpler than this hack.
    Also, if for some reason the program does not work, you can use http://www.autohotkey.com to script a new command line, for example:
    #R::
    WinActivate,Breeze Systems Photobooth
    Sleep 50
    sendinput {F4}

    this script activates a program window, waits 50 milliseconds and then sends the F4 key
    a script that simply sends the f4 key would be
    #R::
    sendinput {F4}

  15. Kent Long says:

    Alternative approach. If you just want to open another webpage, there is a Chrome extension that allows you to redirect a specific site to another on that browser instance. https://chrome.google.com/webstore/detail/block-site/eiimnmioipafcokbfikbljfdeojpcgbh?hl=en
