jqueryjquery数字小键盘插件件virtual keyboard怎么用
点击联系发帖人
时间:2016-02-28 04:33
AdvertisementAdvertisement
Sometimes it's just fun to play around with the programming languages we know and see what we can create. I thought it might be nice to create a little online keyboard with CSS, and then make it work with jQuery. The keyboard includes "action" keys (caps lock, shift, and delete) which dynamically changes the keyboard when clicked. I'll show you how to build it today.
Step 1: Basic HTML and Files
This keyboard requires a lot of HTML setup and playing around with CSS. Each of the keys will be represented by a list item in an unordered list. Each of the list items will have a class attached to them, used in both the CSS and jQuery. Most of the classes are just "letter", "lastitem", or something similar. This will make finding out which list item is which easy.
Make sure you have setup a folder wherever you are going to be using this keyboard. Inside this new folder, create an index.html file along with a css and a js folder. Finally, create a keyboard.js file in the js folder and a style.css file in the css folder.
Inside the HTML file we'll be including two JavaScript files and one CSS file. Inside the body tag there will be a HUGE unordered list containing all the letters, numbers, and some "action" keys. The HTML will also have a textarea in it with an id of "keyboard". This will be the place where all the characters are added. The below code should be placed inside the index.html file.
&!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&
&html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"&
&meta http-equiv="Content-Type" content="text/ charset=UTF-8" /&
&title&Online Keyboard&/title&
&link rel="stylesheet" type="text/css" href="css/style.css" /&
&div id="container"&
&textarea id="write" rows="6" cols="60"&&/textarea&
&ul id="keyboard"&
&li class="symbol"&&span class="off"&`&/span&&span class="on"&~&/span&&/li&
&li class="symbol"&&span class="off"&1&/span&&span class="on"&!&/span&&/li&
&li class="symbol"&&span class="off"&2&/span&&span class="on"&@&/span&&/li&
&li class="symbol"&&span class="off"&3&/span&&span class="on"&#&/span&&/li&
&li class="symbol"&&span class="off"&4&/span&&span class="on"&$&/span&&/li&
&li class="symbol"&&span class="off"&5&/span&&span class="on"&%&/span&&/li&
&li class="symbol"&&span class="off"&6&/span&&span class="on"&^&/span&&/li&
&li class="symbol"&&span class="off"&7&/span&&span class="on"&&&/span&&/li&
&li class="symbol"&&span class="off"&8&/span&&span class="on"&*&/span&&/li&
&li class="symbol"&&span class="off"&9&/span&&span class="on"&(&/span&&/li&
&li class="symbol"&&span class="off"&0&/span&&span class="on"&)&/span&&/li&
&li class="symbol"&&span class="off"&-&/span&&span class="on"&_&/span&&/li&
&li class="symbol"&&span class="off"&=&/span&&span class="on"&+&/span&&/li&
&li class="delete lastitem"&delete&/li&
&li class="tab"&tab&/li&
&li class="letter"&q&/li&
&li class="letter"&w&/li&
&li class="letter"&e&/li&
&li class="letter"&r&/li&
&li class="letter"&t&/li&
&li class="letter"&y&/li&
&li class="letter"&u&/li&
&li class="letter"&i&/li&
&li class="letter"&o&/li&
&li class="letter"&p&/li&
&li class="symbol"&&span class="off"&[&/span&&span class="on"&{&/span&&/li&
&li class="symbol"&&span class="off"&]&/span&&span class="on"&}&/span&&/li&
&li class="symbol lastitem"&&span class="off"&\&/span&&span class="on"&|&/span&&/li&
&li class="capslock"&caps lock&/li&
&li class="letter"&a&/li&
&li class="letter"&s&/li&
&li class="letter"&d&/li&
&li class="letter"&f&/li&
&li class="letter"&g&/li&
&li class="letter"&h&/li&
&li class="letter"&j&/li&
&li class="letter"&k&/li&
&li class="letter"&l&/li&
&li class="symbol"&&span class="off"&;&/span&&span class="on"&:&/span&&/li&
&li class="symbol"&&span class="off"&'&/span&&span class="on"&&&/span&&/li&
&li class="return lastitem"&return&/li&
&li class="left-shift"&shift&/li&
&li class="letter"&z&/li&
&li class="letter"&x&/li&
&li class="letter"&c&/li&
&li class="letter"&v&/li&
&li class="letter"&b&/li&
&li class="letter"&n&/li&
&li class="letter"&m&/li&
&li class="symbol"&&span class="off"&,&/span&&span class="on"&&&/span&&/li&
&li class="symbol"&&span class="off"&.&/span&&span class="on"&&&/span&&/li&
&li class="symbol"&&span class="off"&/&/span&&span class="on"&?&/span&&/li&
&li class="right-shift lastitem"&shift&/li&
&li class="space lastitem"&&&/li&
&script type="text/javascript" src="/ajax/libs/jquery/1.3.2/jquery.min.js"&&/script&
&script type="text/javascript" src="js/keyboard.js"&&/script&
You won't have to worry too much about the classes on the list items for now. I'll explain them more when we're using jQuery. However, some of the classes (like right-shift and lastitem) are just there because of the CSS we'll be using.
Step 2: Making the List Pretty
The JavaScript for the keyboard would work perfectly fine without any CSS, but it wouldn't look like a keyboard. I'm not going to explain every style because a lot of them are pretty self-explainitory, but there are a couple that I will go over. Save the following CSS in the style.css file located in the css folder.
margin: 0;
padding: 0;
font: 71%/1.5 Verdana, Sans-S
background: #
#container {
margin: 100
width: 688
margin: 0 0 5
padding: 5
width: 671
height: 200
font: 1em/1.5 Verdana, Sans-S
background: #
border: 1px solid #f9f9f9;
-moz-border-radius: 5
-webkit-border-radius: 5
#keyboard {
margin: 0;
padding: 0;
list-style:
#keyboard li {
margin: 0 5px 5px 0;
height: 40
line-height: 40
text-align:
background: #
border: 1px solid #f9f9f9;
-moz-border-radius: 5
-webkit-border-radius: 5
.capslock, .tab, .left-shift {
#keyboard .tab, #keyboard .delete {
#keyboard .capslock {
#keyboard .return {
#keyboard .left-shift {
#keyboard .right-shift {
width: 109
.lastitem {
margin-right: 0;
.uppercase {
text-transform:
#keyboard .space {
width: 681
#keyboard li:hover {
border-color: #e5e5e5;
Take notice of the following styles because they are very important.
.on - In some of the list items, there are two spans. These are the keys that have more than o like the numbers. The span with the on class will be hidden. This changed when a user clicks on the shift key, but more on that later with the JavaScript.
.lastitem - The last jey in any row will have its right margin zeroed out so the layout won't break.
Step 3: Bringing the Keys to Life
If you were to click on a list item nothing would happen. We're about to fix that with a little jQuery. The main idea we'll be using is to attach a click handler to each of the list items, grab the text when clicked, and do some magic to it depending on the list item's class. From here on out, all the JavaScript code will go into the keyboard.js file.
We need to open up jQuery and define three variables that will be used through the code. These variables are the textarea, a shift status, and a caps lock status.
$(function(){
var $write = $('#write'),
shift = false,
capslock =
// The rest of the code goes here.
What comes next is attaching the click handler to all the list items (keys). Two variables are setup when the key is clicked. $this is defined just to required less typing from us, and character is defined as the HTML of the list item. If the list item is a letter, nothing will happen to this variable, and it will be returned.
$('#keyboard li').click(function(){
var $this = $(this),
character = $this.html(); // If it's a lowercase letter, nothing happens to this variable
// Code for processing the key.
The Shift Key and Caps Lock
If the shift key (list items with the class of "left-shift" or "right-shift") is clicked, we want to toggle the "uppercase" class of each letter. Then for the list items with a class of "symbol," we want to toggle the display between the nested span tags. What we want to do next is set shift to the opposite boolean value (if it's true set it to false, and vice versa), and the caps lock variable to false, and finally return false to not do anything else with the character variable.
// Shift keys
if ($this.hasClass('left-shift') || $this.hasClass('right-shift')) {
$('.letter').toggleClass('uppercase');
$('.symbol span').toggle();
shift = (shift === true) ? false :
capslock =
Now, if the caps lock key is clicked, we will toggle the "uppercase" class
set the caps l and return false.
// Caps lock
if ($this.hasClass('capslock')) {
$('.letter').toggleClass('uppercase');
capslock =
The Delete Key
For the delete key, we need to assign another variable: html - the contents of what's currently in the textarea. Once we have that, we set the new HTML of the textarea to everything but the last character. This is done with JavaScript's
method. Once again we return false as to not run anything else.
if ($this.hasClass('delete')) {
var html = $write.html();
$write.html(html.substr(0, html.length - 1));
Special Characters
For all the list items which aren't a letter and aren't one of the "actions" keys, we change the character variable to something special. For a list item with the "symbol" class, character is set to the contents of whatever span is visible. A space is (obviously) used for the space bar. The tab character is represented by \t, and finally a new line (the return key) is \n.
// Special characters
if ($this.hasClass('symbol')) character = $('span:visible', $this).html();
if ($this.hasClass('space')) character = ' ';
if ($this.hasClass('tab')) character = "\t";
if ($this.hasClass('return')) character = "\n";
Uppercase Letters
If you can remember to when we handled the shift and caps lock keys, an "uppercase" class was either added or removed using the
function. If the uppercase class is found, the character is converted to its uppercase form with the help of the
// Uppercase letter
if ($this.hasClass('uppercase')) character = character.toUpperCase();
The Aftermath
On a normal keyboard, you usually only need the shift key for one letter. If the shift variable is found to be set to true, we want to toggle the display of the symbol's spans. What also happens is that if the caps lock key is "on", the letters are once again toggled between uppercase and lowercase.
To finish off, the character is added to the textarea and the user can continue "typing".
// Remove shift once a key is clicked.
if (shift === true) {
$('.symbol span').toggle();
if (capslock === false) $('.letter').toggleClass('uppercase');
// Add the character
$write.html($write.html() + character);
Final JavaScript Code
$(function(){
var $write = $('#write'),
shift = false,
capslock =
$('#keyboard li').click(function(){
var $this = $(this),
character = $this.html(); // If it's a lowercase letter, nothing happens to this variable
// Shift keys
if ($this.hasClass('left-shift') || $this.hasClass('right-shift')) {
$('.letter').toggleClass('uppercase');
$('.symbol span').toggle();
shift = (shift === true) ? false :
capslock =
// Caps lock
if ($this.hasClass('capslock')) {
$('.letter').toggleClass('uppercase');
capslock =
if ($this.hasClass('delete')) {
var html = $write.html();
$write.html(html.substr(0, html.length - 1));
// Special characters
if ($this.hasClass('symbol')) character = $('span:visible', $this).html();
if ($this.hasClass('space')) character = ' ';
if ($this.hasClass('tab')) character = "\t";
if ($this.hasClass('return')) character = "\n";
// Uppercase letter
if ($this.hasClass('uppercase')) character = character.toUpperCase();
// Remove shift once a key is clicked.
if (shift === true) {
$('.symbol span').toggle();
if (capslock === false) $('.letter').toggleClass('uppercase');
// Add the character
$write.html($write.html() + character);
Conclusion
Sometimes it's nice to play around, even if the final product isn't truly "real world." By applying a few classes to our list items, we were able to create a CSS and jQuery powered keyboard. The keyboard isn't totally useless. I've seen websites were there's an option for an on-screen keyboard. But mostly, this allows us to gain a better understanding of the capabilities of CSS and jQuery.
Follow us on , or subscribe to the
for more daily web development tuts and articles.
AdvertisementDifficulty:IntermediateCategories:Translations:Envato Tuts+ tutorials are translated into other languages by our community members&you can be involved too!Powered byAbout N/AAdvertisement1& speedNext lesson playing in 5 secondsWhat Would You Like to Learn? to the content editorial team at Envato Tuts+.基于jQuery UI的超酷虚拟键盘插件
当前位置: >
> 基于jQuery UI的超酷虚拟键盘插件
Virtual Keyboard是一款基于jQuery UI的超炫虚拟键盘插件。该虚拟键盘插件兼容多种主题,可以和jQuery mobile一起工作,并且支持触摸屏设备。
浏览器兼容性
Virtual Keyboard是一款基于 UI的超炫虚拟键盘插件。该虚拟键盘插件兼容多种主题,可以和jQuery mobile一起工作,并且支持触摸屏设备。
该虚拟键盘插件支持多种键盘布局,如QWERTY键盘,字母键盘, 数字键盘,Dvorak,区域键盘布局和自定义键盘布局。整个虚拟键盘可以通过CSS来自定义样式。
该虚拟键盘的特点有:
当指定的输入框聚焦的时候,虚拟键盘将被激活并显示在屏幕窗口中。
用户可以在键入时实时预览输入的字母
可以非常容易的定制虚拟键盘的布局
每个布局都带有4个标准键(default, shift, alt 和 alt-shift)
添加任意数量的任意组合键(Meta键)
每一个meta键都可以包含shift, alt 和 alt-shift keysets
可以将虚拟键盘定位在元素周围的任意位置,或者定位在页面的其它元素上
可以修改按键文字为其它语言或符号
允许直接输入或锁定预览窗口
可以设置输入内容的最大长度
可以很容易的输入变音符号,例如下面的例子:
' + vowel ( vowel with acute accent, e.g. ' + e = é )
` + vowel ( vowel with grave accent, e.g., ` + e = è )
" + vowel ( vowel with diaeresis, e.g., " + e = ? )
^ + vowel ( vowel with circumflex accent, e.g., ^ + e = ê )
~ + certain letters ( letter with tilde, e.g. ~ + n = ?, ~ + o = ? )
可以允许,禁止或添加所需要的读音函数
默认使用jQuery UI主题,也可以使用Bootstrap主题
内置的水印。如果浏览器不世出的占位符,会使用它来模拟
打字扩展允许你模拟输入键盘演示或协助用户输入
可以使用jQuery UI的autocomplete组件来实现输入的自动完成
支持多种键盘布局效果
可以通过或来安装该虚拟键盘插件。
bower install keyboard
npm install virtual-keyboard
关于该jQuery UI虚拟键盘的更多信息请参考:
本文版权属于jQuery之家,转载请注明出处:
萌码-Advertisement
您已经顶过了哦!KeySweeper – Arduino-based passive wireless keyboard sniffer - 推酷
KeySweeper – Arduino-based passive wireless keyboard sniffer
KEYSWEEPER // SIGINT // SAMY.PL // REL TO ALL // APPLIED HACKING
KeySweeper
is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.
All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.
Point of Contact:
//code@samy.pl //http://samy.pl
Released:January 12, 2015
Source code / schematic:
Unit Cost:$10 - 80 depending on operation
Status:Operational, open source, open hardware, declassified.
(U) Capabilities
is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back all keystrokes from any Microsoft wireless keyboards (which use a proprietary 2.4GHz RF protocol) in the area.
Keystrokes are sent back to the KeySweeper operator over the Internet via an optional GSM chip, or can be stored on a flash chip and delivered wirelessly when a secondary KeySweeper device comes within wireless range of the target KeySweeper. A web based tool allows live keystroke monitoring.
KeySweeper has the capability to send SMS alerts upon certain keystrokes being typed, e.g. &&. If KeySweeper is removed from AC power, it appears to shut off, however it continues to operate covertly using an internal battery that is automatically recharged upon reconnecting to AC power.
KeySweeper extends the work of Travis Goodspeed on the
project and of Thorsten Schr&der and Max Moser of the
(U) Hardware
Arduino / Teensy microcontroller
$3 - 30: An
microcontroller can be used. In my build, I use an 3.3v Arduino Pro Mini due to its very thin profile.
nRF24L01+ 2.4GHz RF Chip
$1: I use a $1 nRF24L01+ RF chip which communicates using GFSK over 2.4GHz. More details are available below, and these chips can be purchased for as low as $1 on eBay. These chips can only communicate using proprietary protocols, and are not meant for sniffing, however we will see below they can be used in clever ways to promiscuously sniff.
AC USB Charger
$6: I use an inexpensive
(rectifier) which converts AC power to 5v DC, and this one I link to happens to have a screw which makes it easy to open (I've destroyed a few others in the process of opening). If using the GSM version of KeySweeper, I actually use two USB chargers -- the internals of a small charger (similar to that of an iPhone charger), and the external case from a larger USB charger.
SPI Serial Flash Chip
OPTIONAL ($2): An optional
can be used to store keystrokes on. If you use the FONA GSM board below, this is not necessary as keystrokes can be stored through the internet live, however if you wish to have a lower cost option, you can store keystrokes onto this chip within KeySweeper, and obtain the keystrokes later by getting within 2.4GHz wireless range of the device with a secondary device which will siphon the keystrokes from it.
Most microcontrollers have very limited memory or EEPROM to store data on, thus the advantage of having a flash chip to store these keystrokes on.
Adafruit FONA
OPTIONAL ($45): Adafruit has created a board called the
which allows you to use a 2G SIM card to send/receive SMS's, phone calls, and use the Internet directly from the device.
Using this, no flash chip is necessary as keystrokes are immediately sent to a backend server for proper data collection. Additionally, if specific keywords are ever typed by the target keyboards, an SMS message can be sent to a specified number to alert the operative of the fact.
OPTIONAL ($3, only if using FONA): The FONA requires a mini-SIM card (not a micro-SIM). I use a T-Mobile prepaid SIM card. I suggest use of T-Mobile as they support 2G, where most other carriers have or are deprecating their 2G network, and the FONA only supports 2G for Internet. Make sure you get the right size of SIM card -- more details on
3.7V Lithium-Ion (LiOn or LiPo) Battery
OPTIONAL ($5 and up, only if using FONA): The FONA provides on-board LiPo/LiOn battery recharging, and while KeySweeper is connected to AC power, the battery will be kept charged, but is required nonetheless. Additionally, KeySweeper continues to operate covertly from battery power when pulled from AC power, and begins to recharge upon reconnecting to AC power.
(U) Software
KeySweeper
KeySweeper's source code and schematic can be obtained in entirety from my github:
There are multiple parts to KeySweeper. The primary code is installed on the microcontroller, while a web based backend using
logs all keystrokes and provides a web interface for live monitoring of the target keyboards.
Adafruit FONA library
You should use
as I include an additional option that allows the FONA to let us know when there's a new text message. In the original library, you must constantly poll to see if there are more text messages than you expect, however with my version you can enable an option fona.setSMSInterrupt(1) which causes the RI (Ring Interrupt) pin to pull low for a moment upon new SMS messages.
jQuery Terminal
I've created a backend tool that allows you to monitor keyboards live through a web page. The
plugin makes it look cooler.
jQuery UI Virtual Keyboard
continues to make the KeySweeper live spy interface tool look cool, showing keys on the virtual keyboard get pressed when the user actually presses keys.
(U) Determining Keyboard Radio Protocol
Upon obtaining a Microsoft wireless keyboard, if it's in our possession, we can refer to the back to inspect the FCC ID. On my keyboard, the FCC ID (which is required by all devices using radio frequencies in the US) is C3K1455 , which we can easily search on the
Immediately we discover the keyboard communicates on 2403 - 2480MHz based on the
Now that I know this is a 2.4GHz device, I assume it's either operating using a common 2.4GHz protocol such as wi-fi, bluetooth, zigbee, or others, or it's operating using a proprietary protocol. Due to the fact that the device came with its own USB dongle (with its own
), it's more than likely a proprietary 2.4GHz signal.
Because it's likely proprietary 2.4GHz, we need to now use some method of 2.4GHz sniffing. Wifi sniffers will not help as this isn't 802.11 (such as what we used inSkyJack), and RTL-SDR by itself won't help as it caps out around 2.2GHz unless additionally using an RF down converter (we used RTL-SDR in
), so I immediately want to use
, a powerful and inexpensive software defined radio, however while it's extremely powerful for its price, we may be able to get away with more inexpensive hardware.
Based off previous experience, my assumption is the keyboard is using something like a
, but we won't know for sure without further inspection.
After pulling the screws from the keyboard and opening it up, we see a single chip responsible for everything. It's labeled NRF 24LE1H , which sounds a lot like nRF24L01 (n=
, RF=Radio Frequency, 24=2.4GHz)! We quickly find the
chip with a search and see that it in fact has the nRF24L01+ RF chip integrated with a CPU (System-on-Chip/SoC), and a quick search on eBay shows the nRF24L01+ can be shipped to us for under $1.
The nRF24LE1 integrates an nRF24L01+ 2.4GHz RF transceiver core, enhanced 16MHz 8-bit 8051 compatible CPU, 1kB + 256B RAM, 16kB embedded Flash, and a wide range of system peripherals
Looking at the
, we see this is a 2.4GHz RF chip that operates at either 250kbps/1Mbps/2Mbps, uses GFSK (
is a digital frequency modulation/FM), and unfortunately lacks any legitimate promiscuous or direct mode for sniffing...or does it?
(U) Sniffing Proprietary 2.4GHz Signals
While I would normally pull out something like a HackRF or RTL-SDR with digital down converter (to get 2.4GHz into RTL-SDR range), it would be really nice if we could sniff with more inexpensive hardware, as ultimately I want to package everything up into a device that can be left in the field.
After a basic search, an amazing page came up from
, where he not only sniffs a similar keyboard (Microsoft Comfort Desktop 5000), but he also demonstrates how to turn the nRF24L01+ into a 2.4GHz sniffer using his
device, and a host computer with the
python application.
Travis found that sniffing with the device is traditionally difficult because not only must you specify the channel (frequency) to listen to, you must specify a MAC address to listen on. The nRF chip will only deliver packets sent to that specific MAC address. Additionally, the nRF chip won't tell you the MAC address since you already specified it (it's assumed to be in one of our RX_ADDR_P[0-5] pipes, found in the datasheet.)
However when specifying the length of the MAC, Travis found there is one option which is considered &illegal& in the datasheet ( SETUP_AW, 0x03 set to 00 ), but actually sets the MAC to 2 bytes! Also, by setting the MAC to data that would typically be found in the preamble ( 0x00AA or 0x0055, in binary 1010 or 0101 ), we can fool the device into giving us the packet early, providing a full MAC address to us in the data portion! Read his
for all the details.
(U) Increasing Speed and Portability
Now while we can use a GoodFET, computer and nRF24L01+ for sniffing during testing, we ultimately want this to be on an inexpensive and embedded device. We can take some of Travis' great work in Python and port it over to embedded C so that we can load it onto a microcontroller rather than requiring a computer+GoodFET.
Additionally, we implement a few improvements. Goodfet.nrf provides a method of scanning for devices by performing the following:
start at frequency 2400MHz
set datarate to 1Mbps and MAC to 0x00AA, listen for 10 seconds
set datarate to 2Mbps and MAC to 0x00AA, listen for 10 seconds
set datarate to 1Mbps and MAC to 0x0055, listen for 10 seconds
set datarate to 2Mbps and MAC to 0x0055, listen for 10 seconds
increment frequency and start over, and once we hit 2528MHz, reset to
frequencies)
upon seeing a potential keyboard, we require at least four packets to meet a threshold to be sure it's a legitimate packet as get many false positives
This means to scan the full range of frequencies, it takes ~85 minutes and at least several keystrokes must be pressed while we're sniffing within the correct 10 second period. After going over Travis' research and keyboard, the
research and keyboard, and my own keyboard, we can implement a few improvements:
if you recall from the FCC, we're only using 2403 - 2480MHz for these keyboards, reducing our 128 possible frequencies down to 78 (about 40% reduction in scanning)
all keyboards use 2Mbps, cutting our search in half
after inspecting more keyboards, I found that all Microsoft keyboards begin with 0xCD as the MAC, which tells us that our preamble will always be 0xAA () because the preamble of 0xAA is always followed by a 1 bit ( 0xCD is
) in order to keep the bits alternating, cutting our search in half
because we know the first byte of our MAC (0xCD), and we also know certain packets to look for, we simply detect only those packets which means we only ever need to see a single packet to be confident that it is in fact a keyboard
we reduce the scan per frequency to 500ms, causing our scan to take under 40 seconds to complete one full sweep
(U) Decrypting Keystrokes
Thorsten Schr&der and Max Moser presented a great device, the
, capable of sniffing Microsoft keyboards and have fully reverse engineered the decryption process and produced a device for doing so. However Travis points out that their device requires two radios and a high-end microcontroller to capture and parse packets at the 2Mbps speed the keyboards communicate at. Travis' project is great as well, however requires a host computer and will be too large for our covert implementation. We improve upon these designs in this scenario by requiring only an inexpensive radio and microcontroller, both low power and very small, no computer or fancy radios required.
Thorsten and Max discovered the keystrokes are simply encrypted (xor'd) with the MAC address in
, which we are able to sniff after using Travis' method of abusing the nRF24L01+ to both sniff and reveal MAC addresses. This &encryption& is the equivalent of taking a deck of cards, cutting it once, and calling it shuffled.
After further investigation, I found that since we now know all Microsoft keyboards begin with 0xCD as the MAC address, the actual keystroke (in orange below) happens to be aligned with the first byte of the MAC address (0xCD). This means even if we do not know the MAC address, we can decrypt the keystroke , as the alignment will never change, and 0xCD is always the first byte of the MAC.
An additional discovery is that since the length of the encryption portion of the packet is 11 bytes, the MAC is 5 bytes, and the CRC is each byte xor'd with another (before encryption), something interesting happens. Since the MAC is xor'd twice, we can also calculate the checksum without knowing the MAC address. This is because the MAC address is in there in full twice, and xoring any number by itself (or xor the MAC with the MAC) cancels itself out. The 11th byte is the first byte of the MAC again, which we always know is 0xCD. This allows us to perform other attacks, such as altering the keystroke and CRC, again without knowing the MAC address. I will present this and some other fun demonstrations in a future project.
A page from the KeyKeriki presentation demonstrates the decryption process:
Device type 0x0A = keyboard, 0x08 = mouse
Packet type 0x78 = keystroke, 0x38 = idle (key is held down)
Model type 0x06 = keyboard? This is the same HID code for a keyboard
HID code 0x05 = letter 'b' (described in section 7
Our decryption method, implemented in the KeySweeper source code:
// decrypt those keyboard packets!
void decrypt(uint8_t* pkt)
// our encryption key is the 5-byte MAC address and
// starts 4 bytes in (4-byte header is unencrypted)
for (int i = 4; i & 15; i++)
pkt[i] ^= mac && (((i - 4) % 5) * 8) & 0xFF;
(U) Building / Usurping a USB Charger
WARNING: Devices which connect to AC mains are using high-voltage power, and the device we are creating which connects to AC is not safe, nor does it meet typical electrical safety standards. This is a dangerous device and if used or built improperly, can kill, cause fire, or other severe damage. Do not build an AC-powered device unless you know what you're doing. If you wish to continue building this device but without AC power, simply use a battery or power the device from USB directly to safely follow along.
KeySweeper uses extremely low-power and low profile hardware to remain as covert as possible. KeySweeper can be operated from a battery, or from ~3-20V DC power. Because we wish to keep KeySweeper powered at all times, we stealthily install it inside of an innocent wall USB charger which we expect to be always plugged in.
In the case that the USB charger is unplugged, KeySweeper stealthily continues its operation using its (optional) internal battery. The moment KeySweeper is plugged back in, it switches back over to using AC power, and simultaneously recharges the battery.
If you are simply building KeySweeper without the GSM board, you can fit everything in a typical AC USB wall charger. I suggest looking for one that has a screw holding it together, as most others are sealed shut and requires destruction of some part of the device in order to open it.
If you decide to use the GSM board, I found it would not fit in this type of USB charger along with the rest of the electronics. However, I discovered that by opening a smaller USB charger (similar to the iPhone USB chargers), we find a much smaller rectifier (AC-&DC) and step-down convertor (high voltage-&5V) that allows all of our electronics to fit into the larger USB charger.
My friend Dana lent me her doll soldering iron. I don't quite understand what she uses it for, but it's a soldering iron with an attachable razor. This is great for cutting through plastic, and dolls, I presume. She took the iron back as soon as I explained what the device would do. Apparently she does not support this, though I'm not sure why. I'm sure I'll find out after I sniff more keystrokes from her keyboard.
WARNING: Again, because we are dealing with AC power, this is very dangerous. Do not open/rewire an AC powered device unless you know what you're doing.You can still build KeySweeper by simply powering everything from a USB charger, port or battery without modifying an AC-based device.
It's also important to wire up our Arduino via the RAW port to the 5v USB power with correct polarity (negative to GND, positive to RAW). In this case, I'm using a 3.3v Arduino Pro Mini. The RAW port takes in unregulated voltage between 3.35-12v and uses an onboard voltage regulator to bring it down to 3.3v. Note that our nRF24L01+ chip requires 1.9-3.6v, so giving it 5v is too much! Additionally, if you're using an SPI chip such as the
, it requires 2.7-3.6v, so again using 5v is too much! Be sure to use the regulated 3.3v off of the Arduino (from the VCC pin on a 3.3v Arduino, or the 3V3 pin on a 5v Arduino.)
note: the USB board pictured next to the multimeter is the original, larger USB charger before I had decided to swap it out with a smaller one to fit in the GSM board as well
After grabbing all of our hardware, we can see it all fits with space in our charger (before wiring):
For fun, I tied the charger's LED to pin 6 on the Arduino and while the LED appears to behave the same, I actually have it flash upon sniffing keystrokes. This will likely blow your cover, but is really fun to watch. I also ensure the LED turns off when power to AC is lost, even if the rest of the device continues to operate from the internal battery.
We also want to make sure we leave the rest of the USB charger operational so that other devices can continue to get power from the USB charger.
(U) Optional Secondary KeySweeper
If you wish to forgo the GSM board to keep costs down, you can create a secondary KeySweeper device simply containing an Arduino and nRF24L01+. While compiling the secondary one, uncomment the #define BACKTRACER 1 .
The way this works is if the secondary KeySweeper (BACKTRACER) ever comes within wireless distance (using the 2.4GHz nRF24L01+) of the first one, it auto-detects the existence of the first one and the initial KeySweeper device will dump its logs to the BACKTRACER. Autodetection is built into both KeySweepers so they can quickly find each other, thanks to the ability of the nRF24L01+ to have multiple RX pipes.
If you have the BACKTRACER hooked up to a computer, the keylogs will be dumped to serial, and you can send an 'E' command over serial to erase the contents of the original KeySweeper's SPI Flash chip now that you've obtained its contents. You can walk away allowing the original KeySweeper to continue logging keystrokes.
(U) Schematic
Click for larger version (FONA-based schematic), orclick here for the Fritzing file.
(U) Contact
Point of Contact:
You can see more of my projects athttp://samy.pl or contact me atcode@samy.pl.
已发表评论数()
已收藏到推刊!
请填写推刊名
描述不能大于100个字符!
权限设置: 公开
仅自己可见
正文不准确
标题不准确
排版有问题
没有分页内容
图片无法显示
视频无法显示
与原文不一致}
Sometimes it's just fun to play around with the programming languages we know and see what we can create. I thought it might be nice to create a little online keyboard with CSS, and then make it work with jQuery. The keyboard includes "action" keys (caps lock, shift, and delete) which dynamically changes the keyboard when clicked. I'll show you how to build it today.
Step 1: Basic HTML and Files
This keyboard requires a lot of HTML setup and playing around with CSS. Each of the keys will be represented by a list item in an unordered list. Each of the list items will have a class attached to them, used in both the CSS and jQuery. Most of the classes are just "letter", "lastitem", or something similar. This will make finding out which list item is which easy.
Make sure you have setup a folder wherever you are going to be using this keyboard. Inside this new folder, create an index.html file along with a css and a js folder. Finally, create a keyboard.js file in the js folder and a style.css file in the css folder.
Inside the HTML file we'll be including two JavaScript files and one CSS file. Inside the body tag there will be a HUGE unordered list containing all the letters, numbers, and some "action" keys. The HTML will also have a textarea in it with an id of "keyboard". This will be the place where all the characters are added. The below code should be placed inside the index.html file.
&!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&
&html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"&
&meta http-equiv="Content-Type" content="text/ charset=UTF-8" /&
&title&Online Keyboard&/title&
&link rel="stylesheet" type="text/css" href="css/style.css" /&
&div id="container"&
&textarea id="write" rows="6" cols="60"&&/textarea&
&ul id="keyboard"&
&li class="symbol"&&span class="off"&`&/span&&span class="on"&~&/span&&/li&
&li class="symbol"&&span class="off"&1&/span&&span class="on"&!&/span&&/li&
&li class="symbol"&&span class="off"&2&/span&&span class="on"&@&/span&&/li&
&li class="symbol"&&span class="off"&3&/span&&span class="on"&#&/span&&/li&
&li class="symbol"&&span class="off"&4&/span&&span class="on"&$&/span&&/li&
&li class="symbol"&&span class="off"&5&/span&&span class="on"&%&/span&&/li&
&li class="symbol"&&span class="off"&6&/span&&span class="on"&^&/span&&/li&
&li class="symbol"&&span class="off"&7&/span&&span class="on"&&&/span&&/li&
&li class="symbol"&&span class="off"&8&/span&&span class="on"&*&/span&&/li&
&li class="symbol"&&span class="off"&9&/span&&span class="on"&(&/span&&/li&
&li class="symbol"&&span class="off"&0&/span&&span class="on"&)&/span&&/li&
&li class="symbol"&&span class="off"&-&/span&&span class="on"&_&/span&&/li&
&li class="symbol"&&span class="off"&=&/span&&span class="on"&+&/span&&/li&
&li class="delete lastitem"&delete&/li&
&li class="tab"&tab&/li&
&li class="letter"&q&/li&
&li class="letter"&w&/li&
&li class="letter"&e&/li&
&li class="letter"&r&/li&
&li class="letter"&t&/li&
&li class="letter"&y&/li&
&li class="letter"&u&/li&
&li class="letter"&i&/li&
&li class="letter"&o&/li&
&li class="letter"&p&/li&
&li class="symbol"&&span class="off"&[&/span&&span class="on"&{&/span&&/li&
&li class="symbol"&&span class="off"&]&/span&&span class="on"&}&/span&&/li&
&li class="symbol lastitem"&&span class="off"&\&/span&&span class="on"&|&/span&&/li&
&li class="capslock"&caps lock&/li&
&li class="letter"&a&/li&
&li class="letter"&s&/li&
&li class="letter"&d&/li&
&li class="letter"&f&/li&
&li class="letter"&g&/li&
&li class="letter"&h&/li&
&li class="letter"&j&/li&
&li class="letter"&k&/li&
&li class="letter"&l&/li&
&li class="symbol"&&span class="off"&;&/span&&span class="on"&:&/span&&/li&
&li class="symbol"&&span class="off"&'&/span&&span class="on"&&&/span&&/li&
&li class="return lastitem"&return&/li&
&li class="left-shift"&shift&/li&
&li class="letter"&z&/li&
&li class="letter"&x&/li&
&li class="letter"&c&/li&
&li class="letter"&v&/li&
&li class="letter"&b&/li&
&li class="letter"&n&/li&
&li class="letter"&m&/li&
&li class="symbol"&&span class="off"&,&/span&&span class="on"&&&/span&&/li&
&li class="symbol"&&span class="off"&.&/span&&span class="on"&&&/span&&/li&
&li class="symbol"&&span class="off"&/&/span&&span class="on"&?&/span&&/li&
&li class="right-shift lastitem"&shift&/li&
&li class="space lastitem"&&&/li&
&script type="text/javascript" src="/ajax/libs/jquery/1.3.2/jquery.min.js"&&/script&
&script type="text/javascript" src="js/keyboard.js"&&/script&
You won't have to worry too much about the classes on the list items for now. I'll explain them more when we're using jQuery. However, some of the classes (like right-shift and lastitem) are just there because of the CSS we'll be using.
Step 2: Making the List Pretty
The JavaScript for the keyboard would work perfectly fine without any CSS, but it wouldn't look like a keyboard. I'm not going to explain every style because a lot of them are pretty self-explainitory, but there are a couple that I will go over. Save the following CSS in the style.css file located in the css folder.
margin: 0;
padding: 0;
font: 71%/1.5 Verdana, Sans-S
background: #
#container {
margin: 100
width: 688
margin: 0 0 5
padding: 5
width: 671
height: 200
font: 1em/1.5 Verdana, Sans-S
background: #
border: 1px solid #f9f9f9;
-moz-border-radius: 5
-webkit-border-radius: 5
#keyboard {
margin: 0;
padding: 0;
list-style:
#keyboard li {
margin: 0 5px 5px 0;
height: 40
line-height: 40
text-align:
background: #
border: 1px solid #f9f9f9;
-moz-border-radius: 5
-webkit-border-radius: 5
.capslock, .tab, .left-shift {
#keyboard .tab, #keyboard .delete {
#keyboard .capslock {
#keyboard .return {
#keyboard .left-shift {
#keyboard .right-shift {
width: 109
.lastitem {
margin-right: 0;
.uppercase {
text-transform:
#keyboard .space {
width: 681
#keyboard li:hover {
border-color: #e5e5e5;
Take notice of the following styles because they are very important.
.on - In some of the list items, there are two spans. These are the keys that have more than o like the numbers. The span with the on class will be hidden. This changed when a user clicks on the shift key, but more on that later with the JavaScript.
.lastitem - The last jey in any row will have its right margin zeroed out so the layout won't break.
Step 3: Bringing the Keys to Life
If you were to click on a list item nothing would happen. We're about to fix that with a little jQuery. The main idea we'll be using is to attach a click handler to each of the list items, grab the text when clicked, and do some magic to it depending on the list item's class. From here on out, all the JavaScript code will go into the keyboard.js file.
We need to open up jQuery and define three variables that will be used through the code. These variables are the textarea, a shift status, and a caps lock status.
$(function(){
var $write = $('#write'),
shift = false,
capslock =
// The rest of the code goes here.
What comes next is attaching the click handler to all the list items (keys). Two variables are setup when the key is clicked. $this is defined just to required less typing from us, and character is defined as the HTML of the list item. If the list item is a letter, nothing will happen to this variable, and it will be returned.
$('#keyboard li').click(function(){
var $this = $(this),
character = $this.html(); // If it's a lowercase letter, nothing happens to this variable
// Code for processing the key.
The Shift Key and Caps Lock
If the shift key (list items with the class of "left-shift" or "right-shift") is clicked, we want to toggle the "uppercase" class of each letter. Then for the list items with a class of "symbol," we want to toggle the display between the nested span tags. What we want to do next is set shift to the opposite boolean value (if it's true set it to false, and vice versa), and the caps lock variable to false, and finally return false to not do anything else with the character variable.
// Shift keys
if ($this.hasClass('left-shift') || $this.hasClass('right-shift')) {
$('.letter').toggleClass('uppercase');
$('.symbol span').toggle();
shift = (shift === true) ? false :
capslock =
Now, if the caps lock key is clicked, we will toggle the "uppercase" class
set the caps l and return false.
// Caps lock
if ($this.hasClass('capslock')) {
$('.letter').toggleClass('uppercase');
capslock =
The Delete Key
For the delete key, we need to assign another variable: html - the contents of what's currently in the textarea. Once we have that, we set the new HTML of the textarea to everything but the last character. This is done with JavaScript's
method. Once again we return false as to not run anything else.
if ($this.hasClass('delete')) {
var html = $write.html();
$write.html(html.substr(0, html.length - 1));
Special Characters
For all the list items which aren't a letter and aren't one of the "actions" keys, we change the character variable to something special. For a list item with the "symbol" class, character is set to the contents of whatever span is visible. A space is (obviously) used for the space bar. The tab character is represented by \t, and finally a new line (the return key) is \n.
// Special characters
if ($this.hasClass('symbol')) character = $('span:visible', $this).html();
if ($this.hasClass('space')) character = ' ';
if ($this.hasClass('tab')) character = "\t";
if ($this.hasClass('return')) character = "\n";
Uppercase Letters
If you can remember to when we handled the shift and caps lock keys, an "uppercase" class was either added or removed using the
function. If the uppercase class is found, the character is converted to its uppercase form with the help of the
// Uppercase letter
if ($this.hasClass('uppercase')) character = character.toUpperCase();
The Aftermath
On a normal keyboard, you usually only need the shift key for one letter. If the shift variable is found to be set to true, we want to toggle the display of the symbol's spans. What also happens is that if the caps lock key is "on", the letters are once again toggled between uppercase and lowercase.
To finish off, the character is added to the textarea and the user can continue "typing".
// Remove shift once a key is clicked.
if (shift === true) {
$('.symbol span').toggle();
if (capslock === false) $('.letter').toggleClass('uppercase');
// Add the character
$write.html($write.html() + character);
Final JavaScript Code
$(function(){
var $write = $('#write'),
shift = false,
capslock =
$('#keyboard li').click(function(){
var $this = $(this),
character = $this.html(); // If it's a lowercase letter, nothing happens to this variable
// Shift keys
if ($this.hasClass('left-shift') || $this.hasClass('right-shift')) {
$('.letter').toggleClass('uppercase');
$('.symbol span').toggle();
shift = (shift === true) ? false :
capslock =
// Caps lock
if ($this.hasClass('capslock')) {
$('.letter').toggleClass('uppercase');
capslock =
if ($this.hasClass('delete')) {
var html = $write.html();
$write.html(html.substr(0, html.length - 1));
// Special characters
if ($this.hasClass('symbol')) character = $('span:visible', $this).html();
if ($this.hasClass('space')) character = ' ';
if ($this.hasClass('tab')) character = "\t";
if ($this.hasClass('return')) character = "\n";
// Uppercase letter
if ($this.hasClass('uppercase')) character = character.toUpperCase();
// Remove shift once a key is clicked.
if (shift === true) {
$('.symbol span').toggle();
if (capslock === false) $('.letter').toggleClass('uppercase');
// Add the character
$write.html($write.html() + character);
Conclusion
Sometimes it's nice to play around, even if the final product isn't truly "real world." By applying a few classes to our list items, we were able to create a CSS and jQuery powered keyboard. The keyboard isn't totally useless. I've seen websites were there's an option for an on-screen keyboard. But mostly, this allows us to gain a better understanding of the capabilities of CSS and jQuery.
Follow us on , or subscribe to the
for more daily web development tuts and articles.
AdvertisementDifficulty:IntermediateCategories:Translations:Envato Tuts+ tutorials are translated into other languages by our community members&you can be involved too!Powered byAbout N/AAdvertisement1& speedNext lesson playing in 5 secondsWhat Would You Like to Learn? to the content editorial team at Envato Tuts+.基于jQuery UI的超酷虚拟键盘插件
当前位置: >
> 基于jQuery UI的超酷虚拟键盘插件
Virtual Keyboard是一款基于jQuery UI的超炫虚拟键盘插件。该虚拟键盘插件兼容多种主题,可以和jQuery mobile一起工作,并且支持触摸屏设备。
浏览器兼容性
Virtual Keyboard是一款基于 UI的超炫虚拟键盘插件。该虚拟键盘插件兼容多种主题,可以和jQuery mobile一起工作,并且支持触摸屏设备。
该虚拟键盘插件支持多种键盘布局,如QWERTY键盘,字母键盘, 数字键盘,Dvorak,区域键盘布局和自定义键盘布局。整个虚拟键盘可以通过CSS来自定义样式。
该虚拟键盘的特点有:
当指定的输入框聚焦的时候,虚拟键盘将被激活并显示在屏幕窗口中。
用户可以在键入时实时预览输入的字母
可以非常容易的定制虚拟键盘的布局
每个布局都带有4个标准键(default, shift, alt 和 alt-shift)
添加任意数量的任意组合键(Meta键)
每一个meta键都可以包含shift, alt 和 alt-shift keysets
可以将虚拟键盘定位在元素周围的任意位置,或者定位在页面的其它元素上
可以修改按键文字为其它语言或符号
允许直接输入或锁定预览窗口
可以设置输入内容的最大长度
可以很容易的输入变音符号,例如下面的例子:
' + vowel ( vowel with acute accent, e.g. ' + e = é )
` + vowel ( vowel with grave accent, e.g., ` + e = è )
" + vowel ( vowel with diaeresis, e.g., " + e = ? )
^ + vowel ( vowel with circumflex accent, e.g., ^ + e = ê )
~ + certain letters ( letter with tilde, e.g. ~ + n = ?, ~ + o = ? )
可以允许,禁止或添加所需要的读音函数
默认使用jQuery UI主题,也可以使用Bootstrap主题
内置的水印。如果浏览器不世出的占位符,会使用它来模拟
打字扩展允许你模拟输入键盘演示或协助用户输入
可以使用jQuery UI的autocomplete组件来实现输入的自动完成
支持多种键盘布局效果
可以通过或来安装该虚拟键盘插件。
bower install keyboard
npm install virtual-keyboard
关于该jQuery UI虚拟键盘的更多信息请参考:
本文版权属于jQuery之家,转载请注明出处:
萌码-Advertisement
您已经顶过了哦!KeySweeper – Arduino-based passive wireless keyboard sniffer - 推酷
KeySweeper – Arduino-based passive wireless keyboard sniffer
KEYSWEEPER // SIGINT // SAMY.PL // REL TO ALL // APPLIED HACKING
KeySweeper
is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.
All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.
Point of Contact:
//code@samy.pl //http://samy.pl
Released:January 12, 2015
Source code / schematic:
Unit Cost:$10 - 80 depending on operation
Status:Operational, open source, open hardware, declassified.
(U) Capabilities
is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back all keystrokes from any Microsoft wireless keyboards (which use a proprietary 2.4GHz RF protocol) in the area.
Keystrokes are sent back to the KeySweeper operator over the Internet via an optional GSM chip, or can be stored on a flash chip and delivered wirelessly when a secondary KeySweeper device comes within wireless range of the target KeySweeper. A web based tool allows live keystroke monitoring.
KeySweeper has the capability to send SMS alerts upon certain keystrokes being typed, e.g. &&. If KeySweeper is removed from AC power, it appears to shut off, however it continues to operate covertly using an internal battery that is automatically recharged upon reconnecting to AC power.
KeySweeper extends the work of Travis Goodspeed on the
project and of Thorsten Schr&der and Max Moser of the
(U) Hardware
Arduino / Teensy microcontroller
$3 - 30: An
microcontroller can be used. In my build, I use an 3.3v Arduino Pro Mini due to its very thin profile.
nRF24L01+ 2.4GHz RF Chip
$1: I use a $1 nRF24L01+ RF chip which communicates using GFSK over 2.4GHz. More details are available below, and these chips can be purchased for as low as $1 on eBay. These chips can only communicate using proprietary protocols, and are not meant for sniffing, however we will see below they can be used in clever ways to promiscuously sniff.
AC USB Charger
$6: I use an inexpensive
(rectifier) which converts AC power to 5v DC, and this one I link to happens to have a screw which makes it easy to open (I've destroyed a few others in the process of opening). If using the GSM version of KeySweeper, I actually use two USB chargers -- the internals of a small charger (similar to that of an iPhone charger), and the external case from a larger USB charger.
SPI Serial Flash Chip
OPTIONAL ($2): An optional
can be used to store keystrokes on. If you use the FONA GSM board below, this is not necessary as keystrokes can be stored through the internet live, however if you wish to have a lower cost option, you can store keystrokes onto this chip within KeySweeper, and obtain the keystrokes later by getting within 2.4GHz wireless range of the device with a secondary device which will siphon the keystrokes from it.
Most microcontrollers have very limited memory or EEPROM to store data on, thus the advantage of having a flash chip to store these keystrokes on.
Adafruit FONA
OPTIONAL ($45): Adafruit has created a board called the
which allows you to use a 2G SIM card to send/receive SMS's, phone calls, and use the Internet directly from the device.
Using this, no flash chip is necessary as keystrokes are immediately sent to a backend server for proper data collection. Additionally, if specific keywords are ever typed by the target keyboards, an SMS message can be sent to a specified number to alert the operative of the fact.
OPTIONAL ($3, only if using FONA): The FONA requires a mini-SIM card (not a micro-SIM). I use a T-Mobile prepaid SIM card. I suggest use of T-Mobile as they support 2G, where most other carriers have or are deprecating their 2G network, and the FONA only supports 2G for Internet. Make sure you get the right size of SIM card -- more details on
3.7V Lithium-Ion (LiOn or LiPo) Battery
OPTIONAL ($5 and up, only if using FONA): The FONA provides on-board LiPo/LiOn battery recharging, and while KeySweeper is connected to AC power, the battery will be kept charged, but is required nonetheless. Additionally, KeySweeper continues to operate covertly from battery power when pulled from AC power, and begins to recharge upon reconnecting to AC power.
(U) Software
KeySweeper
KeySweeper's source code and schematic can be obtained in entirety from my github:
There are multiple parts to KeySweeper. The primary code is installed on the microcontroller, while a web based backend using
logs all keystrokes and provides a web interface for live monitoring of the target keyboards.
Adafruit FONA library
You should use
as I include an additional option that allows the FONA to let us know when there's a new text message. In the original library, you must constantly poll to see if there are more text messages than you expect, however with my version you can enable an option fona.setSMSInterrupt(1) which causes the RI (Ring Interrupt) pin to pull low for a moment upon new SMS messages.
jQuery Terminal
I've created a backend tool that allows you to monitor keyboards live through a web page. The
plugin makes it look cooler.
jQuery UI Virtual Keyboard
continues to make the KeySweeper live spy interface tool look cool, showing keys on the virtual keyboard get pressed when the user actually presses keys.
(U) Determining Keyboard Radio Protocol
Upon obtaining a Microsoft wireless keyboard, if it's in our possession, we can refer to the back to inspect the FCC ID. On my keyboard, the FCC ID (which is required by all devices using radio frequencies in the US) is C3K1455 , which we can easily search on the
Immediately we discover the keyboard communicates on 2403 - 2480MHz based on the
Now that I know this is a 2.4GHz device, I assume it's either operating using a common 2.4GHz protocol such as wi-fi, bluetooth, zigbee, or others, or it's operating using a proprietary protocol. Due to the fact that the device came with its own USB dongle (with its own
), it's more than likely a proprietary 2.4GHz signal.
Because it's likely proprietary 2.4GHz, we need to now use some method of 2.4GHz sniffing. Wifi sniffers will not help as this isn't 802.11 (such as what we used inSkyJack), and RTL-SDR by itself won't help as it caps out around 2.2GHz unless additionally using an RF down converter (we used RTL-SDR in
), so I immediately want to use
, a powerful and inexpensive software defined radio, however while it's extremely powerful for its price, we may be able to get away with more inexpensive hardware.
Based off previous experience, my assumption is the keyboard is using something like a
, but we won't know for sure without further inspection.
After pulling the screws from the keyboard and opening it up, we see a single chip responsible for everything. It's labeled NRF 24LE1H , which sounds a lot like nRF24L01 (n=
, RF=Radio Frequency, 24=2.4GHz)! We quickly find the
chip with a search and see that it in fact has the nRF24L01+ RF chip integrated with a CPU (System-on-Chip/SoC), and a quick search on eBay shows the nRF24L01+ can be shipped to us for under $1.
The nRF24LE1 integrates an nRF24L01+ 2.4GHz RF transceiver core, enhanced 16MHz 8-bit 8051 compatible CPU, 1kB + 256B RAM, 16kB embedded Flash, and a wide range of system peripherals
Looking at the
, we see this is a 2.4GHz RF chip that operates at either 250kbps/1Mbps/2Mbps, uses GFSK (
is a digital frequency modulation/FM), and unfortunately lacks any legitimate promiscuous or direct mode for sniffing...or does it?
(U) Sniffing Proprietary 2.4GHz Signals
While I would normally pull out something like a HackRF or RTL-SDR with digital down converter (to get 2.4GHz into RTL-SDR range), it would be really nice if we could sniff with more inexpensive hardware, as ultimately I want to package everything up into a device that can be left in the field.
After a basic search, an amazing page came up from
, where he not only sniffs a similar keyboard (Microsoft Comfort Desktop 5000), but he also demonstrates how to turn the nRF24L01+ into a 2.4GHz sniffer using his
device, and a host computer with the
python application.
Travis found that sniffing with the device is traditionally difficult because not only must you specify the channel (frequency) to listen to, you must specify a MAC address to listen on. The nRF chip will only deliver packets sent to that specific MAC address. Additionally, the nRF chip won't tell you the MAC address since you already specified it (it's assumed to be in one of our RX_ADDR_P[0-5] pipes, found in the datasheet.)
However when specifying the length of the MAC, Travis found there is one option which is considered &illegal& in the datasheet ( SETUP_AW, 0x03 set to 00 ), but actually sets the MAC to 2 bytes! Also, by setting the MAC to data that would typically be found in the preamble ( 0x00AA or 0x0055, in binary 1010 or 0101 ), we can fool the device into giving us the packet early, providing a full MAC address to us in the data portion! Read his
for all the details.
(U) Increasing Speed and Portability
Now while we can use a GoodFET, computer and nRF24L01+ for sniffing during testing, we ultimately want this to be on an inexpensive and embedded device. We can take some of Travis' great work in Python and port it over to embedded C so that we can load it onto a microcontroller rather than requiring a computer+GoodFET.
Additionally, we implement a few improvements. Goodfet.nrf provides a method of scanning for devices by performing the following:
start at frequency 2400MHz
set datarate to 1Mbps and MAC to 0x00AA, listen for 10 seconds
set datarate to 2Mbps and MAC to 0x00AA, listen for 10 seconds
set datarate to 1Mbps and MAC to 0x0055, listen for 10 seconds
set datarate to 2Mbps and MAC to 0x0055, listen for 10 seconds
increment frequency and start over, and once we hit 2528MHz, reset to
frequencies)
upon seeing a potential keyboard, we require at least four packets to meet a threshold to be sure it's a legitimate packet as get many false positives
This means to scan the full range of frequencies, it takes ~85 minutes and at least several keystrokes must be pressed while we're sniffing within the correct 10 second period. After going over Travis' research and keyboard, the
research and keyboard, and my own keyboard, we can implement a few improvements:
if you recall from the FCC, we're only using 2403 - 2480MHz for these keyboards, reducing our 128 possible frequencies down to 78 (about 40% reduction in scanning)
all keyboards use 2Mbps, cutting our search in half
after inspecting more keyboards, I found that all Microsoft keyboards begin with 0xCD as the MAC, which tells us that our preamble will always be 0xAA () because the preamble of 0xAA is always followed by a 1 bit ( 0xCD is
) in order to keep the bits alternating, cutting our search in half
because we know the first byte of our MAC (0xCD), and we also know certain packets to look for, we simply detect only those packets which means we only ever need to see a single packet to be confident that it is in fact a keyboard
we reduce the scan per frequency to 500ms, causing our scan to take under 40 seconds to complete one full sweep
(U) Decrypting Keystrokes
Thorsten Schr&der and Max Moser presented a great device, the
, capable of sniffing Microsoft keyboards and have fully reverse engineered the decryption process and produced a device for doing so. However Travis points out that their device requires two radios and a high-end microcontroller to capture and parse packets at the 2Mbps speed the keyboards communicate at. Travis' project is great as well, however requires a host computer and will be too large for our covert implementation. We improve upon these designs in this scenario by requiring only an inexpensive radio and microcontroller, both low power and very small, no computer or fancy radios required.
Thorsten and Max discovered the keystrokes are simply encrypted (xor'd) with the MAC address in
, which we are able to sniff after using Travis' method of abusing the nRF24L01+ to both sniff and reveal MAC addresses. This &encryption& is the equivalent of taking a deck of cards, cutting it once, and calling it shuffled.
After further investigation, I found that since we now know all Microsoft keyboards begin with 0xCD as the MAC address, the actual keystroke (in orange below) happens to be aligned with the first byte of the MAC address (0xCD). This means even if we do not know the MAC address, we can decrypt the keystroke , as the alignment will never change, and 0xCD is always the first byte of the MAC.
An additional discovery is that since the length of the encryption portion of the packet is 11 bytes, the MAC is 5 bytes, and the CRC is each byte xor'd with another (before encryption), something interesting happens. Since the MAC is xor'd twice, we can also calculate the checksum without knowing the MAC address. This is because the MAC address is in there in full twice, and xoring any number by itself (or xor the MAC with the MAC) cancels itself out. The 11th byte is the first byte of the MAC again, which we always know is 0xCD. This allows us to perform other attacks, such as altering the keystroke and CRC, again without knowing the MAC address. I will present this and some other fun demonstrations in a future project.
A page from the KeyKeriki presentation demonstrates the decryption process:
Device type 0x0A = keyboard, 0x08 = mouse
Packet type 0x78 = keystroke, 0x38 = idle (key is held down)
Model type 0x06 = keyboard? This is the same HID code for a keyboard
HID code 0x05 = letter 'b' (described in section 7
Our decryption method, implemented in the KeySweeper source code:
// decrypt those keyboard packets!
void decrypt(uint8_t* pkt)
// our encryption key is the 5-byte MAC address and
// starts 4 bytes in (4-byte header is unencrypted)
for (int i = 4; i & 15; i++)
pkt[i] ^= mac && (((i - 4) % 5) * 8) & 0xFF;
(U) Building / Usurping a USB Charger
WARNING: Devices which connect to AC mains are using high-voltage power, and the device we are creating which connects to AC is not safe, nor does it meet typical electrical safety standards. This is a dangerous device and if used or built improperly, can kill, cause fire, or other severe damage. Do not build an AC-powered device unless you know what you're doing. If you wish to continue building this device but without AC power, simply use a battery or power the device from USB directly to safely follow along.
KeySweeper uses extremely low-power and low profile hardware to remain as covert as possible. KeySweeper can be operated from a battery, or from ~3-20V DC power. Because we wish to keep KeySweeper powered at all times, we stealthily install it inside of an innocent wall USB charger which we expect to be always plugged in.
In the case that the USB charger is unplugged, KeySweeper stealthily continues its operation using its (optional) internal battery. The moment KeySweeper is plugged back in, it switches back over to using AC power, and simultaneously recharges the battery.
If you are simply building KeySweeper without the GSM board, you can fit everything in a typical AC USB wall charger. I suggest looking for one that has a screw holding it together, as most others are sealed shut and requires destruction of some part of the device in order to open it.
If you decide to use the GSM board, I found it would not fit in this type of USB charger along with the rest of the electronics. However, I discovered that by opening a smaller USB charger (similar to the iPhone USB chargers), we find a much smaller rectifier (AC-&DC) and step-down convertor (high voltage-&5V) that allows all of our electronics to fit into the larger USB charger.
My friend Dana lent me her doll soldering iron. I don't quite understand what she uses it for, but it's a soldering iron with an attachable razor. This is great for cutting through plastic, and dolls, I presume. She took the iron back as soon as I explained what the device would do. Apparently she does not support this, though I'm not sure why. I'm sure I'll find out after I sniff more keystrokes from her keyboard.
WARNING: Again, because we are dealing with AC power, this is very dangerous. Do not open/rewire an AC powered device unless you know what you're doing.You can still build KeySweeper by simply powering everything from a USB charger, port or battery without modifying an AC-based device.
It's also important to wire up our Arduino via the RAW port to the 5v USB power with correct polarity (negative to GND, positive to RAW). In this case, I'm using a 3.3v Arduino Pro Mini. The RAW port takes in unregulated voltage between 3.35-12v and uses an onboard voltage regulator to bring it down to 3.3v. Note that our nRF24L01+ chip requires 1.9-3.6v, so giving it 5v is too much! Additionally, if you're using an SPI chip such as the
, it requires 2.7-3.6v, so again using 5v is too much! Be sure to use the regulated 3.3v off of the Arduino (from the VCC pin on a 3.3v Arduino, or the 3V3 pin on a 5v Arduino.)
note: the USB board pictured next to the multimeter is the original, larger USB charger before I had decided to swap it out with a smaller one to fit in the GSM board as well
After grabbing all of our hardware, we can see it all fits with space in our charger (before wiring):
For fun, I tied the charger's LED to pin 6 on the Arduino and while the LED appears to behave the same, I actually have it flash upon sniffing keystrokes. This will likely blow your cover, but is really fun to watch. I also ensure the LED turns off when power to AC is lost, even if the rest of the device continues to operate from the internal battery.
We also want to make sure we leave the rest of the USB charger operational so that other devices can continue to get power from the USB charger.
(U) Optional Secondary KeySweeper
If you wish to forgo the GSM board to keep costs down, you can create a secondary KeySweeper device simply containing an Arduino and nRF24L01+. While compiling the secondary one, uncomment the #define BACKTRACER 1 .
The way this works is if the secondary KeySweeper (BACKTRACER) ever comes within wireless distance (using the 2.4GHz nRF24L01+) of the first one, it auto-detects the existence of the first one and the initial KeySweeper device will dump its logs to the BACKTRACER. Autodetection is built into both KeySweepers so they can quickly find each other, thanks to the ability of the nRF24L01+ to have multiple RX pipes.
If you have the BACKTRACER hooked up to a computer, the keylogs will be dumped to serial, and you can send an 'E' command over serial to erase the contents of the original KeySweeper's SPI Flash chip now that you've obtained its contents. You can walk away allowing the original KeySweeper to continue logging keystrokes.
(U) Schematic
Click for larger version (FONA-based schematic), orclick here for the Fritzing file.
(U) Contact
Point of Contact:
You can see more of my projects athttp://samy.pl or contact me atcode@samy.pl.
已发表评论数()
已收藏到推刊!
请填写推刊名
描述不能大于100个字符!
权限设置: 公开
仅自己可见
正文不准确
标题不准确
排版有问题
没有分页内容
图片无法显示
视频无法显示
与原文不一致}
我要回帖
更多推荐
- ·慎言修身慎行打一最佳生肖肖是什么
- ·一个枪毙而死的鬼最大的烦恼是什么最狰狞的打一个生肖生肖
- ·澄海3c十大技巧的作弊地图是怎么回事??
- ·dnf怎么dnf转换材质是直接把装备变了吗防具材质-防具材质dnf转换材质是直接把装备变了吗方法
- ·《鹅鸭杀》鹅鸭杀雇佣杀手是干什么的玩法攻略
- ·罗马表郑州石子销售销售处
- ·苏州公司注册代理哪家有诚信?
- ·会宁县党县乡的吕堡村的精准扶贫发放仪式讲话贷款什么时候发放
- ·开超市房租1年3万上海平均房租走势图每天卖多少钱能争钱
- ·海蓝之谜官方旗舰店家旗舰店兴国县
- ·苏州哪家医院比较好代理公司注册信誉比较好的是哪家?
- ·房贷45w组合贷,21.9w的公积金30年,23.1w中行的商贷9年,选的等额本息还款大概比等额本金要
- ·庆阳市富蓝华富盛诺商贸有限公司司
- ·泰来县人民政府胜利蒙古乡黑帝村兴业兴旺玉米种植合作社
- ·广川信和广场到广州沙河服装批发网址公交
- ·气郁能做腹式呼吸吗凉宫春日的忧郁百度云文库
- ·差别意思那么大?什么意思
- ·华硕x555lf i75500u5500u的加内存条那块怎么拆?
- ·深圳东门步行街美女哪个wifi最好
- ·jqueryjquery数字小键盘插件件virtual keyboard怎么用
- ·ue4的打包文件怎么用vr眼镜打开
- ·明日大富翁网址 mingban.hk www.beduu.com
- ·黑客技术改手机运行空间
- ·求错了性别别错爱资源不错爱的百度云资源
- ·app首席再次下载不下来衣服被染了咋办办?以前下载了我删除了在下载下载不下来I了不跳转到商城
- ·河南交通技校哪个大学电脑教的好不是技校是大学录取线多少
- ·心理罪百度云无删减未删减全集百度云
- ·已婚男女单独看电影总是单独聊天会被别人误会吗?
- ·为何我转发说说为什么qq号总是被冻结结
- ·请教小机前面板检查到110000AC的英雄联盟提示检查网络问题
- ·手机小米充电五秒摔左肋以后低烧咋回事自动断开咋回事
- ·windows2008 r2需要更新吗
- ·华为荣耀宝马x1升级导航Android5.1能不能达到华为tr5的质量标准
- ·platinumbin roye电影迅雷看看是啥意思
- ·好易典h18与步步高学习机h8破解h85那个好
