Remote-Exploit
Home > Research > KeyKeriki

KeyKeriki

KeyKeriki Logo

Name: Keykeriki
Type: Hardware and Software
Slides:keykeriki_ph7d9.pdf (Our slides from ph-neutral7d9)
Hardware:keykeriki-hw-0.6.tar.gz (Eagle files, partlists, build howto)
Software:keykeriki-release-0.5.2.tar.gz (Software & documentation)
Documentation: See folder "docs" within the download package
License: OpenSource, free for non-commercial use, commercial usage needs special permission
Contact: hardhack@remote-exploit.org

Description: Now, 1.5 years after releasing our whitepaper "27Mhz Wireless Keyboard Analysis Report" about wireless keyboard insecurities, we are proud to present the universal wireless keyboard sniffer: Keykeriki. This opensource hardware and software project enables every person to verify the security level of their own keyboard transmissions, and/or demonstrate the sniffing attacks (for educational purpose only). The hardware itself is designed to be small and versatile, it can be extended to currently undetected/unknown keyboard traffic, and/or hardware extensions, for example, a repeating module or amplifier


Please note, we will provide pre made PCBs and components very soon at a fair price. Please check back after some time.



Why is there a rooster in the logo for a security device?
Kikeriki is the scream of a rooster (English: cock-a-doodle-doo). And because the phonetic sound is very similar to the word "Key" the name popped up. Funny, heh?


KeyKeriki Device

About the hardware: Keykeriki is build around the Texas Instruments TRF7900 chip controlled by an ATMEL ATMEGA 8-bit microcontroller. For logging abilities, an SDCard interface is built into the board layout, as well as an additional USART channel for future hardware extensions, that we'd like to call "backpacks". The whole board can be powered directly via the USB bus or a stable 5V power source. Keykeriki is not USB certified :-).When connected to a USB port, one can use either a decent terminal application or the keyctrl software which is part of included in the software package of this project. One can download all the schematics in Eagle and PDF format as part of the projects software package. The following interfaces are available on the board:

  • Mini-B USB connector (USB to serial + power supply)
  • SDCard slot
  • External Antenna Connector
  • USART connector for Backpacks


Please note, we currently don't supply pre-fabricated boards (yet). Check back in a few weeks for news about that topic. We are investigating our options to be able to provide ready-made boards for a fair price.

About the Software: Because of the flexible hardware design, most features are built within software. We wanted to provide more than just decoding of the collected data in this initial release, and we have. Please see the following feature list:

  • Radio frequency channel switching
  • Signal strenght (RSSI) display
  • Data logging to SDCard
  • Dumping content of SDCard to terminal
  • Encryption key handling
  • On-the-fly deciphering of Microsoft's XOR based encryption
  • Hardware signal filter state configuration
  • Feature state configuration incl. persistent storage
  • Activation and usage of backpack USART interface
  • Sniffing and decoding of keystrokes of Microsoft 27Mhz based keyboards

Please note: the decoding for the Logitech keyboards is known and documented already but not yet implemented within this first release. Check back later to see it soon. We have working Proof-of-Concept firmware images, but we didn't release those yet.


About Backpacks: Keykeriki uses one of the ATMEGA's USART's for interfacing with external hardware extensions. Those "Backpacks" add additional functionality. We are not finished with the design for them, but we are working on the following extensions so far:

  • LCD Backpack - Shows keystrokes on lcd
  • epeater Backpack - Sends the keystrokes using GPRS or other radio transmission
  • Iphone interface

Video: An early prototype LCD backpack in action
2010's Progress: Currently we are working hard on a new Keykeriki v2 hardware release which is also 2.4GHz capable. Please find our latest slides from our presentation at DeepSec 2009 Security Conference in Vienna later at the top of this page. More on this (codename Vogelgrippe) will be released here. Please stay tuned. There are already prototypes around, performing remote command injection.