BadUSB in BIOS

Hi all,

I’m trying to deliver a USB payload in a Windows BIOS environment, but the Flipper Zero is not recognized in the BIOS environment. The payload script works fine when the PC is booted up, but the Flipper is not recognized at all by the laptop when in BIOS. It’s an HP Elitebook 850 G6. Does anyone have any ideas? All feedback is welcomed!

BadUSB is just a Keyboard for the system. No difference if you are in Linux, Windows or the BIOS.

On one hand the BIOS could have a security option, to allow only a specific Vendor:Device ID. On the other hand maybe you need special Character input …
In every case, you gave us very little to work with. What are your expectations for an answer? A fully working BIOS control RubberDuck script?

My suggestion to get a better answer:

  1. Give us the BadUSB script, or a little example (choose one option, change the value, save and reboot) that is working on your OS but not in your BIOS.
  2. Tell us what BIOS you are using. Maybe someone is able to test/reproduce the behaviour and we can see if this is a Flipper issue or a BIOS issue.

Have you tried using an external keyboard attached via USB while in the BIOS? My first guess is that the BIOS may only be accepting keyboard inputs from the laptop’s built in keyboard.

An external keyboard does seem to work.

Ok… It’s my first time on this forum and also the first time I’m trying to work with BadUSB scripts… I’m sorry if you found my description to be insufficient, but I think inexperience is to blame.

The BIOS is HP R70 Ver.01.03.00 with release date 09/12/2019, but the issue is with every HP BIOS environment I tested.

Here is the BadUSB payload I made. It’s supposed to fill out the BIOS password and press Enter, which does work on a logged-in computer:

REM first attempt delivering BIOS payload
DELAY 750
STRING Bal00n1!
DELAY 500
ENTER

I obviously changed the password before posting, but that shouldn’t make a difference.

Okay, understood, for the BIOS password it should be easier to reproduce. Unfortunately I don’t have any system with me right now.

But one question to the timing:

  • plug in Flipper
  • open BadUSB
  • start laptop
  • when the dialog appears, press ‘Run’.

Right?
I don’t know if it is important for the BIOS whether the keyboard is plugged in already or will be plugged in during the dialog. We need to check this first.


There is some simplified USB HID boot protocol, and many BIOSes rely on it, and if BadUSB does not implement it, it won’t work.

Sounds interesting. Do you have a source for this?

In my understanding there is a USB HID support over the USB chipset in the BIOS, that is accepting any keyboard. And BadUSB is just any keyboard.
I don’t see the point where BadUSB needs to support BIOS keypress different from the system keypress.

I am really interested in learning more about this.

It’s common knowledge, STFW gives a lot of results such as USB Human Interface Devices - OSDev Wiki

Interesting read. It should be seen with a logic analyzer whether the boot protocol is supported. I’ll try to connect my Flipper at home.

Since it is common knowledge, maybe I am too uneducated. This was new for me.
I’ve tried it on my Lenovo, and indeed, loading the BadUSB script works, hit Run and the display says ‘Wait for connection’, until the boot reaches the LUKS passphrase.

So, BadUSB can enter the LUKS boot password, but not in BIOS. Not even during the setup of the password.

The solution would be to implement BIOS USB HID in Flipper BadUSB. Does not sound easy to me.


Of course, knowing the search keyword requires prior experience.

However, ‘USB HID boot protocol’ is not obscure, there is a lot of documentation about it on the web.

Yes, right. It is written as well in your reference link. BIOS USB HID is simpler than the system USB HID …
But not in my talents to write such low level code.

It’s nothing difficult, there are just a lot of details that you have to read from the specification and then put into code, so it takes some time. You will probably want to have a debugger available, too.

Looking at the device description, it indeed does not support the boot protocol:

Bus 003 Device 120: ID 1234:5678 Brain Actuated Technologies Keyboard
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          239 Miscellaneous Device
  bDeviceSubClass         2 
  bDeviceProtocol         1 Interface Association
  bMaxPacketSize0         8
  idVendor           0x1234 Brain Actuated Technologies
  idProduct          0x5678 
  bcdDevice            1.00
  iManufacturer           1 Apple
  iProduct                2 Keyboard
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0031
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xc0
      Self Powered
    MaxPower              100mA
    Interface Association:
      bLength                 8
      bDescriptorType        11
      bFirstInterface         0
      bInterfaceCount         1
      bFunctionClass          0 
      bFunctionSubClass       0 
      bFunctionProtocol       0 
      iFunction               0 
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.00
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength     138
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0010  1x 16 bytes
        bInterval               2
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0010  1x 16 bytes
        bInterval               2
Device Status:     0x0000
  (Bus Powered)

And here is a device that does; it has two descriptors, one for the boot protocol and one for the full HID protocol:

Bus 003 Device 006: ID 258a:0049 BY Tech Gaming Keyboard
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0         8
  idVendor           0x258a 
  idProduct          0x0049 
  bcdDevice            1.01
  iManufacturer           1 BY Tech
  iProduct                2 Gaming Keyboard
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x003b
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      67
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval               1
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength     227
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0010  1x 16 bytes
        bInterval               1
Device Status:     0x0000
  (Bus Powered)

For anyone interested, here is a snippet of code showing how it was implemented with the USB Boot Protocol:

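The snippet referred to above is not reproduced on this page. As a separate added example (not from the thread, the Flipper firmware or lsusb), the following walks a USB configuration descriptor and reports which interfaces advertise the boot-protocol keyboard (class 3, subclass 1, protocol 1) that a BIOS polls; the two byte blobs are reconstructed from the lsusb dumps quoted above, with the unavailable report descriptors omitted.

```python
"""Walk a USB configuration descriptor and list the interfaces that advertise
the HID boot-protocol keyboard (class 3, subclass 1, protocol 1) a BIOS polls.
Added example for this thread, not Flipper or lsusb code; the byte blobs are
reconstructed from the lsusb dumps above (only the 9-byte HID header is kept)."""
import struct

USB_DT_INTERFACE = 4
HID_CLASS, BOOT_SUBCLASS, KEYBOARD_PROTOCOL = 3, 1, 1

# Device 1234:5678 from the thread: config + IAD + one non-boot HID interface.
BADUSB_CFG = bytes.fromhex(
    "09 02 31 00 01 01 00 c0 32 "   # configuration, wTotalLength 0x31
    "08 0b 00 01 00 00 00 00 "      # interface association
    "09 04 00 00 02 03 00 00 00 "   # interface 0: HID, subclass 0, protocol 0
    "09 21 00 01 00 01 22 8a 00 "   # HID 1.00, report descriptor 138 bytes
    "07 05 81 03 10 00 02 "         # EP1 IN, interrupt, 16 bytes
    "07 05 01 03 10 00 02")         # EP1 OUT, interrupt, 16 bytes

# Device 258a:0049 from the thread: boot keyboard interface + full HID interface.
GAMING_KBD_CFG = bytes.fromhex(
    "09 02 3b 00 02 01 00 a0 fa "   # configuration, wTotalLength 0x3b
    "09 04 00 00 01 03 01 01 00 "   # interface 0: HID, boot subclass, keyboard
    "09 21 11 01 00 01 22 43 00 "   # HID 1.11, report descriptor 67 bytes
    "07 05 81 03 08 00 01 "         # EP1 IN, interrupt, 8 bytes
    "09 04 01 00 01 03 00 00 00 "   # interface 1: HID, subclass 0, protocol 0
    "09 21 11 01 00 01 22 e3 00 "   # HID 1.11, report descriptor 227 bytes
    "07 05 82 03 10 00 01")         # EP2 IN, interrupt, 16 bytes

def parse_interfaces(cfg: bytes):
    """(bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
    for every interface descriptor found while walking the blob."""
    total = struct.unpack_from("<H", cfg, 2)[0]          # wTotalLength
    if total != len(cfg):
        raise ValueError(f"wTotalLength {total} != {len(cfg)} bytes supplied")
    found, off = [], 0
    while off + 2 <= total:            # each descriptor starts bLength, bDescriptorType
        length, dtype = cfg[off], cfg[off + 1]
        if length < 2 or off + length > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == USB_DT_INTERFACE:
            found.append((cfg[off + 2],) + tuple(cfg[off + 5:off + 8]))
        off += length
    return found

def boot_keyboard_interfaces(cfg: bytes):
    """Interface numbers a boot-protocol-only host such as a BIOS can drive."""
    return [num for num, cls, sub, proto in parse_interfaces(cfg)
            if (cls, sub, proto) == (HID_CLASS, BOOT_SUBCLASS, KEYBOARD_PROTOCOL)]
```

Run against the first blob the result is empty, which is the descriptor-level reason the device is ignored by firmware that only speaks the boot protocol; the gaming keyboard reports interface 0.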