
HID_KEY_....

Open k-redas opened this issue 3 years ago • 0 comments

Hi @all

Sorry, the title is not very explicit... and for my approximate English...

I have been testing your wonderful tool for one week.

After the pairing (good RF address + key)

First, from my computer’s terminal I run “sudo ./munifying pair”
Then, from the LOGITacker console I run “pair device run”
The pairing data (i.e. encryption keys) will be stored in LOGITacker’s flash.
And then I store the device data with "devices storage save xx:xx:xx:xx:xx"
Finally I use "options discover onhit passive-enum on"

I can sniff and pair my device (Logitech MK700/710 with vulnerability), but when I am in passive enumeration mode and I press the A key, I get this output:

LOGITACKER_PROCESSOR_PASIVE_ENUM: frame RX in passive enumeration mode (addr 0F:20:98:35:0C, len: 22, ch idx 0, raw ch 5)
app: Unifying RF frame: Encrypted keyboard, counter 3ABFCFAB
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 D3 75 E3 78 02 EA 1F|..u.x...
LOGITACKER_PROCESSOR_PASIVE_ENUM: 69 5D 3A BF CF AB 00 00|i]:.....
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 00 00 00 00 19 |......
LOGITACKER_PROCESSOR_PASIVE_ENUM: Test decryption of keyboard payload:
LOGITACKER_PROCESSOR_PASIVE_ENUM: 5E FB E7 18 A4 E7 88 08|^.......
LOGITACKER_KEYBOARD_MAP: LEFT_ALT appended
LOGITACKER_PROCESSOR_PASIVE_ENUM: Mod: (LEFT_SHIFT | LEFT_ALT | LEFT_GUI | RIGHT_CONTROL | RIGHT_ALT)
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: UNKNOWN HID KEY
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: HID_KEY_RIGHTMETA
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: HID_KEY_U
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: UNKNOWN HID KEY
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: HID_KEY_RIGHTMETA
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: HID_KEY_KATAKANAHIRAGANA
LOGITACKER_PROCESSOR_PASIVE_ENUM: frame RX in passive enumeration mode (addr 0F:20:98:35:0C, len: 22, ch idx 0, raw ch 5)
app: Unifying RF frame: Encrypted keyboard, counter 3ABFCFAC
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 D3 18 5C 09 85 68 0B|.....h.
LOGITACKER_PROCESSOR_PASIVE_ENUM: 96 78 3A BF CF AC 00 00|.x:.....
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 00 00 00 00 36 |.....6
LOGITACKER_PROCESSOR_PASIVE_ENUM: Test decryption of keyboard payload:
LOGITACKER_PROCESSOR_PASIVE_ENUM: FE 19 38 EB AD A0 4E 2E|..8...N.
LOGITACKER_KEYBOARD_MAP: LEFT_ALT appended
LOGITACKER_PROCESSOR_PASIVE_ENUM: Mod: (LEFT_SHIFT | LEFT_ALT | LEFT_GUI | RIGHT_CONTROL | RIGHT_SHIFT | RIGHT_ALT | RIGHT_GUI)
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: HID_KEY_V
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: HID_KEY_SLASH
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: UNKNOWN HID KEY
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: UNKNOWN HID KEY
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: UNKNOWN HID KEY
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key: HID_KEY_PAGEDOWN
LOGITACKER_PROCESSOR_PASIVE_ENUM: frame RX in passive enumeration mode (addr 0F:20:98:35:0C, len: 10, ch idx 0, raw ch 5)
app: Unifying RF frame: Set keep-alive
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 4F 00 01 9A 00 00 00|.O......
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 16

but the output may be this (source: https://github.com/mame82/UnifyingVulnsDisclosureRepo/issues/2)

app: Unifying RF frame: Encrypted keyboard, counter 73361F9D
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 D3 7C FF EF 3B 04 CA|..|..;..
LOGITACKER_PROCESSOR_PASIVE_ENUM: 9C 9D 73 36 1F 9D 00 00|..s6....
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 00 00 00 00 1C |......
LOGITACKER_PROCESSOR_PASIVE_ENUM: Test decryption of keyboard payload:
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 04 00 00 00 00 00 C9|........
LOGITACKER_PROCESSOR_PASIVE_ENUM: Key 1: HID_KEY_A
LOGITACKER_PROCESSOR_PASIVE_ENUM: frame RX in passive enumeration mode (addr E2:C7:94:F2:C5, len: 22, ch idx 23, raw ch 74)
app: Unifying RF frame: Encrypted keyboard, counter 73361F9E
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 D3 99 D3 78 25 E5 53|....x%.S
LOGITACKER_PROCESSOR_PASIVE_ENUM: 21 D7 73 36 1F 9E 00 00|!.s6....
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 00 00 00 00 8E |......
LOGITACKER_PROCESSOR_PASIVE_ENUM: Test decryption of keyboard payload:
LOGITACKER_PROCESSOR_PASIVE_ENUM: 00 00 00 00 00 00 00 C9|........

We see "LOGITACKER_PROCESSOR_PASIVE_ENUM: Key 1: HID_KEY_A", except that I don't have this result line.

On the other hand, if I press the same key, I get a different result each time.

Do you have any ideas to resolve this?

Thank you

k-redas, Dec 30 '21 11:12