Webkey hacking

Just a quick post..

I recently got like 15 webkey devices  and here’s how to make them direct them to your own site, make them start a program or your mail or whatever.  But first, what is a webkey? As you can see on the picture these are like some sort of buttons with a USB cable on it.

A webkey is a device which you plug into you USB port and says it is a HID (keyboard) device  which starts the “run” prompt if you push the button (under which is actually a real push-button), then it “types” a website and “pushes” enter and starts the website.

At my school all the teachers got one from I think it was management or something, to make things easier or on virtualize things or something   (then why a physical button??)… Anyway all the teachers got one and the most of them did think of it as a giant big waist of money. So they made a box for it to put them in and send them back (or throw them away or something). Luckily enough I got a few and thought, as every thinker and hacker would think, what’s inside, and more important, can I hack it?!

I got a few

Well it is… and it would even be possible that you got on this website USING the webkey!

Off course I took it apart and this is what was inside:

As you can see there is a blob and a normal soic chip, and some caps. It turns out that the blob chip is the MCU and the soic chip is a EEPROM (24c02) chip on which, as I thought already, the url to the website.

As you can see on the picture I already soldered 3 wires to the EEPROM. The EEPROM supports I2C/TWI so I soldered a wire to the SCL and SDA (and the GND). This way I could read and program it with my (awesome) Bus Pirate.

I read the datasheet which says me the address of the EEPROM is 0xa0 (write) and 0xa1 (read). The address determined by the A0, A1 and A2. These are set to GND or VCC. In my case these where all connected to GND, so the address is 0xa0 and 0xa1. Optionally the Bus Pirate has a macro for searching addresses on a I2C bus. I thought the EEPROM had to be protected some way, like setting the Write Protect (WP) pin to VCC, but also this wasn’t the case luckily for me!

So for starters here’s the coding to do to read the EEPROM with a Bus Pirate:

[0xa1 r:256]

[ = startbit
] =stopbit
0xa1 = read address of EEPROM
r:256 = read 256 bytes

To learn more about programming the EEPROM with the Bus Pirate check this.

Make sure U don’t change the pointer (pointed to a memory byte)!! I did this a few times and it seems the MCU on the board notes this and will not read the EEPROM any more, instead it reads the PRE programmed URL (in the MCU itself): http://www.tenx.com.tw/

If you only get this message it means the place of the pointer isn’t correct. So first read all the data, in my case 256 bytes, then calculate the byte it first begins to read. In my case the MCU begins to read at 0×40 (byte 64).

When you read the EEPROM you get a long list of ACK’s, zero’s and some data, this is the URL in ascii, (check google -> ascii to hex to translate). The data is actually stored at memory byte 0 and further on.

So to program you have to do the following:

1. Do not change the pointer!

2. Read a lot of bytes save this data. (read like 2KB to make sure you read everything, or check the datasheet on what your EEPROM’s memory is)

[0xa1 r:2096]

3. Figure out where the MCU begins to read and look when it is back at that point. Remember this point. (in my case I found 256 bytes and it began to read from 0×40 the 64th byte.

4. Write the data of your choice, 8 bytes a time (check datasheet for this)(translate the ascii code to hex, dec or binary).

Use for example:
[0xa0 0 0x68 0x74 0x74 0x70 0x3a 0x2f 0x2f 0x6a]
[0xa0 8 0x6a 0x73 0x68 0x6f 0x72 0x74 0x63 0x75]
[0xa0 16 0x74 0x2e 0x63 0x6f 0x6d]

or notepad:
[0xa0 0 0x6e 0x6f 0x74 0x65 0x70 0x61 0x64][0xa0 0x40]

5. Set the pointer back to the original place!

[0xa0 0x40]

Make sure when you test it you give it a power restart.

This way it worked for this webkey!

Another thing, the webkey has some printing on it with the logo of my school, I wanted to change it to my own so I used acetone to remove the printing and used a marker to write my PCB logo on it.

And now we literally have a JJShortcut!