POCKETADMIN – KEYSTROKE INJECTION DEVICE

Summary of POCKETADMIN – KEYSTROKE INJECTION DEVICE


PocketAdmin is an open-source keystroke injection device (BadUSB) offering extended functionality, lower cost, and hardware openness compared to the USB Rubber Ducky. It features a built-in interpreter for direct script execution, dual-mode operation as both keyboard and disk, and automatic OS detection for payload selection. Designed with KiCad, it uses a 32-bit microcontroller with integrated flash memory, allowing users to modify VID/PID settings and keyboard layouts without firmware updates.

Parts used in the PocketAdmin:

  • KiCad 5.0.2 design files
  • Integrated full-speed USB2.0 peripheral
  • On-board 32MiB flash memory chip
  • Pushbutton (MSD-only button)
  • ST-Link V2 programmer
  • C programming language toolchain
  • openocd flashing software
  • Emacs text editor
  • Makefile
  • gcc-arm-none-eabi toolchain

This is a keystroke injection device (also called BadUSB). It is similar to the well-known USB Rubber Ducky made by Hak5, but has much extended functionality, a lower price, and is completely open source. It looks and feels like an ordinary USB flash drive, but acts as a keyboard that types in a preprogrammed payload. This payload can do anything from configuring a network to installing a reverse shell, since the device can basically do whatever an admin can with a terminal, but in only a few seconds. This makes it a very powerful tool for automating sysadmin tasks or for use in penetration testing.

Here is a quick summary of how PocketAdmin differs from the USB Rubber Ducky (and many others):

  1. Made from inexpensive off-the-shelf parts, with not only open source firmware, but hardware design files as well. This allows the user to do substantial modifications to the design, as well as provides an option to build your own units.
  2. Has a built-in interpreter (compatible with existing ducky script) which takes text files directly, so you never have to install any encoder software and keep converting payload.txt to inject.bin.
  3. Can act as both keyboard and USB disk, allowing for better payloads; the memory chip is integrated, so there is no need to keep sticking SD card in/out of various devices while developing payloads.
  4. Has an OS detection mechanism, which allows you to store multiple payloads simultaneously and have the device automatically pick the correct payload to run.
  5. Extended set of commands for extra functionality: without any firmware update the user can set which VID / PID values to use, configure how the device should show up (keyboard only / flash disk only / keyboard+disk), change keyboard layout, and many other things.
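Because the list above says the VID / PID values are user-settable and the device can enumerate as keyboard+disk, a host-side inventory check is more useful when it pins the interface classes each approved ID is expected to expose, not just the ID. The following is an added example, not code from the PocketAdmin project; the allow-list, device records and IDs are constructed, and only the USB class codes (0x03 HID, 0x08 mass storage) are real.

```python
# USB interface class codes (from the USB class code list).
HID, MASS_STORAGE = 0x03, 0x08

# Constructed allow-list: approved (VID, PID) -> interface classes that model exposes.
APPROVED = {(0x1234, 0x0001): {HID}}

# Constructed inventory records; interfaces are (class, subclass, protocol) triples.
SAMPLE_DEVICES = [
    {"name": "approved keyboard", "vid": 0x1234, "pid": 0x0001,
     "interfaces": [(0x03, 0x01, 0x01)]},
    {"name": "plain flash drive", "vid": 0x1234, "pid": 0x0002,
     "interfaces": [(0x08, 0x06, 0x50)]},
    {"name": "approved ID, extra disk", "vid": 0x1234, "pid": 0x0001,
     "interfaces": [(0x03, 0x01, 0x01), (0x08, 0x06, 0x50)]},
    {"name": "unknown keyboard", "vid": 0xABCD, "pid": 0x0001,
     "interfaces": [(0x03, 0x01, 0x01)]},
]


def review(dev):
    """Return a list of findings for one attached-device record."""
    classes = {cls for cls, _sub, _proto in dev["interfaces"]}
    findings = []
    # A keyboard that also presents a disk is unusual for ordinary peripherals.
    if HID in classes and MASS_STORAGE in classes:
        findings.append("composite HID + mass storage")
    expected = APPROVED.get((dev["vid"], dev["pid"]))
    if expected is None:
        if HID in classes:
            findings.append("HID device not on allow-list")
    elif classes != expected:
        # The ID matches an approved model but the interface set does not.
        findings.append("interfaces differ from approved profile")
    return findings


def report(devices):
    """Map device name -> findings, keeping only devices with at least one."""
    return {d["name"]: f for d in devices if (f := review(d))}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_DEVICES).items():
        print(f"{name}: {', '.join(findings)}")
```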

HARDWARE

The project is designed using KiCad 5.0.2.

  • check KiCad pcb file for PCB manufacturing info
  • check KiCad sch file + BOM.txt for component info

Uses integrated full-speed (12Mbit/s) USB2.0 peripheral, with on-board 32MiB flash memory chip for data storage; only 24MiB are available for use due to overprovisioning reasons.

Measured speeds for MSD access: read 728 KiB/s, write 110-150 KiB/s, with higher write speeds being achieved for files smaller than 4MiB. While not very fast, it is enough for most badusb applications.

The pushbutton on the device is referred to as MSD-only button. Normally the payload is run whenever you plug the device into a PC. But if you press and hold this button while inserting the device, it prevents any keystrokes from being typed in and makes the device show up as a flash drive.

A fully assembled unit has dimensions of 59x18x9mm and a weight of 8 grams. When opening up the case, be careful not to break the plastic studs near the USB connector and at the opposite (from USB) end of the enclosure.

The hardware programmer device used in this project is the ST-Link V2.

For instructions on how to build and flash the device go check this video:

FIRMWARE

  • programming language used = C
  • flashing software used = openocd
  • IDE used = emacs text editor + Makefile

The firmware was developed on a debian 9.7 system, using the gcc-arm-none-eabi toolchain (compiler, linker, binutils), and it does use gcc-specific extensions. It was successfully compiled and tested with arm-none-eabi-gcc version 7.3.1.

It depends on libgcc.a, which is included in this repository. The linker script, startup code and openocd configuration files are included here as well.


Quick Solutions to Questions related to PocketAdmin:

  • How does PocketAdmin differ from a USB Rubber Ducky?
    It is made from inexpensive off-the-shelf parts, offers open source hardware and firmware, includes a built-in interpreter for direct text file usage, and acts as both a keyboard and USB disk.
  • Can I modify the hardware design of this device?
    Yes, because the project provides open source hardware design files, users can make substantial modifications or build their own units.
  • Does the device require encoder software to run scripts?
    No, it has a built-in interpreter compatible with existing ducky scripts that takes text files directly without needing conversion to inject.bin.
  • What happens if I press the MSD-only button while plugging in the device?
    Pressing and holding the button prevents keystrokes from being typed and makes the device appear only as a flash drive.
  • How does the device handle multiple payloads?
    It features an OS detection mechanism that allows storing multiple payloads simultaneously and automatically picking the correct one to run.
  • Can I change the device identity without updating firmware?
    Yes, users can set which VID and PID values to use and configure how the device shows up without doing any firmware update.
  • What tools were used to develop the firmware?
    The firmware was developed using C, openocd, emacs text editor, Makefile, and the gcc-arm-none-eabi toolchain on a debian system.

About The Author

Muhammad Bilal

I am a highly skilled and motivated individual with a Master's degree in Computer Science. I have extensive experience in technical writing and a deep understanding of SEO practices.
