
I have found an old Logitech Wireless Keyboard (specifically, the MK250 model), which was originally sold with a separate "standard" 2.4 GHz receiver dongle (not 'Unifying', as written here). I assume that the keyboard itself has a corresponding 2.4 GHz transmitter inside.

My goal is to recreate a receiver which will communicate with that specific keyboard properly from one side, and with the computer's USB from the other side, just as the original dongle did. This is what I had in mind in order to achieve it:

  1. Sniff 2.4 GHz communication from the keyboard using an NRF24L01. Not sure how to do that; perhaps scanning all of the NRF's channels for some communication? Should I expect 802.11 interference from wireless routers around?

  2. After I can determine the RF coming out of the keyboard, the next step would be to reverse the protocol in use. Not sure how to go here either; I guess that it would be some sort of trial and error...

  3. Use some MCU or similar to relay keyboard information as HID over USB.

Does this seem the right direction here? Any advice about the sniffing/reversing part? Is it too ambitious / can't it be done?

Omer
  • You say the keyboard has a 2.4 GHz receiver, but what does it use as a transmitter? – Andy aka Nov 24 '14 at 11:33
  • See edit. The keyboard has a transmitter; the dongle I want to build is the receiver. Sorry for the confusion :) – Omer Nov 24 '14 at 11:37
  • 2
    Unless you're terribly interested in doing this as a science experiment, this sounds like an awful lot of work just to be able to use an old keyboard. – tcrosley Nov 24 '14 at 11:58
  • I agree, this is tedious, but I do this project for learning purposes as well. – Omer Nov 24 '14 at 12:03
  • 2
    And since my girlfriend really likes that specific keyboard, and she made me promise that I won't buy anything to make it work again... – Omer Nov 24 '14 at 12:18
  • You seem to be making a really big assumption that the nRF24L01 is RF-protocol compatible with the keyboard. Unless the keyboard *specifically* uses an nRF24* for the existing communication system, this is almost certainly not true. There are lots and lots of little, low-power 2.4 GHz transmitters/receivers, and they almost universally cannot interoperate without a *lot* of effort. – Connor Wolf Nov 27 '14 at 02:55
  • 2
    You are correct, this is indeed my assumption. And after opening the keyboard case and examining the circuit, I can confirm that this specific model is using NRF24. Actually, during my exploration on the subject, I discovered that most 2.4Ghz wireless non-BT keyboards uses Nordic's NRF chip. – Omer Nov 27 '14 at 06:44

1 Answer


Well, I have found two main ways to sniff and decode NRF24 communication:

Both methods come with detailed instructions on how to perform a promiscuous scan of NRF24 addresses (the hard part), allowing one to find the specific address of the keyboard to reverse. This task is not trivial, since the base address length can be up to 4 bytes, which leaves us with too many combinations to brute force.

After the base address is found, and a solid sniffing channel is established with the keyboard, it is relatively easy to extract the XOR encryption key used to encrypt communication between the keyboard and the lost dongle. With the key it is almost trivial to reconstruct the original communication between the wireless keyboard and the missing dongle, and there are more than enough ways of achieving that; one even includes using an Arduino with a DFU upgrade.

An interesting fact to note is that the XOR encryption key can be easily extracted once the NRF24 base address is established, since HID packets usually contain many zeros, and XOR between the encryption key and zeros reveals the key, sometimes more than once in a single packet! :)

There is also a port of the GoodFET to Arduino, but I couldn't find good examples of how to use it properly on an Arduino-based MCU.

Omer
  • Actually, I would like to ask you, Omer, about your research on the keyboards. In a comment you mention that you found most keyboards use Nordic's nRF chip. I am looking for specific keyboards, but cannot find any info about this. I'd appreciate your help. – bris Mar 22 '15 at 14:07
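The answer's observation about zero-heavy HID reports is a textbook known-plaintext weakness, and it is worth seeing concretely why a fixed XOR "key" offers no protection at all. The following Python is an added example that is not part of the original post or of any Logitech firmware: it builds constructed USB boot-protocol keyboard reports (modifier, reserved byte, six keycode slots), XORs them with a constructed 8-byte key, and then recovers that key from the ciphertext alone by assuming the most frequent byte at each position is key XOR 0. The report layout and HID usage IDs are standard; the key value, the typed text and the "one fixed 8-byte key per report" scheme are assumptions for the demonstration.

```python
from collections import Counter

REPORT_LEN = 8  # USB boot-protocol keyboard report: modifier, reserved, 6 keycodes

# Constructed 8-byte "encryption" key for the demonstration (not a real device key).
FIXED_KEY = bytes([0x5A, 0xC3, 0x1F, 0x88, 0x42, 0xE7, 0x09, 0xB4])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Fixed-key XOR, the scheme the answer describes (key repeats if data is longer)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_report(modifier: int = 0, keycodes=()) -> bytes:
    """Build a boot-protocol keyboard report; unused keycode slots stay zero."""
    keys = list(keycodes)[:6]
    return bytes([modifier, 0] + keys + [0] * (6 - len(keys)))


def leaked_positions(report: bytes) -> list:
    """Positions whose plaintext is zero: the ciphertext there *is* the key byte."""
    return [i for i, b in enumerate(report) if b == 0]


def recover_key_assuming_zeros(ciphertexts, key_len=REPORT_LEN):
    """Known-plaintext recovery: at each position the most frequent ciphertext
    byte is almost always key XOR 0. Returns (key candidate, per-byte agreement),
    where agreement is the fraction of packets that voted for the chosen byte."""
    key = bytearray(key_len)
    agreement = []
    for pos in range(key_len):
        counts = Counter(ct[pos] for ct in ciphertexts if len(ct) > pos)
        value, n = counts.most_common(1)[0]
        key[pos] = value
        agreement.append(n / len(ciphertexts))
    return bytes(key), agreement


# Constructed traffic: typing "hello" as press/release pairs (HID usage IDs
# h=0x0B, e=0x08, l=0x0F, o=0x12; a key release is an all-zero report, so its
# ciphertext equals the key byte-for-byte).
PLAINTEXT_REPORTS = []
for code in (0x0B, 0x08, 0x0F, 0x0F, 0x12):
    PLAINTEXT_REPORTS.append(make_report(0, [code]))
    PLAINTEXT_REPORTS.append(make_report())
CIPHERTEXTS = [xor_bytes(r, FIXED_KEY) for r in PLAINTEXT_REPORTS]


if __name__ == "__main__":
    key, agreement = recover_key_assuming_zeros(CIPHERTEXTS)
    print("recovered:", key.hex(), "actual:", FIXED_KEY.hex())
    print("per-byte agreement:", [round(a, 2) for a in agreement])
    print("key bytes exposed by a single key-press report:",
          len(leaked_positions(PLAINTEXT_REPORTS[0])), "of", REPORT_LEN)
```

Only the keycode slot (position 2) ever carries non-zero plaintext here, so a single press report already exposes seven of the eight key bytes and the first release report exposes all of them; the frequency vote is only needed when no all-zero report is captured. The lesson for anyone designing or assessing such a link is that a fixed keystream over highly structured plaintext is equivalent to no encryption, and that a keyboard protocol needs a per-packet nonce or counter and an authenticated cipher rather than a static XOR.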