How to Make Your Own Bad USB

By My_Ouzo

Hello, everyone!

Many of you don't even know about my existence here on Null Byte, so I thought of contributing something
rather interesting. Recently, someone asked how to make your own "Bad USB," and I promised to make a how-
to on this topic. In addition, it would be nice to have something related on our WonderHowTo world. So here it
is!

Introduction

Most common USB flash drives are exploitable due to the "BadUSB" vulnerability. This allows us hackers to
reprogram the microcontroller in them to act as a human interface device (HID), e.g., a keyboard, and perform
custom keystrokes on our target machine. This scenario is often called an "HID Payload Attack," since you have
to hand over your script to the Bad USB for the execution (more on that later). Even though almost every USB
flash drive is exploitable, the only released reprogramming method is for "Phison" microcontrollers.

In this tutorial, we are going to determine the microcontroller of your USB flash drive, compile the source code
published in GitHub for the tools we need, and move over to building a custom firmware with an embedded
HID payload that will turn our harmless USB flash drive into a malicious keyboard designed to help us
compromise our victim machine. The process is kind of like compiling and flashing ROMs to your Android
device.
Requirements

We need to work on Windows.

Also, we need to have an USB 3.0 flash drive with a Phison 2303 (2251-03) microcontroller. You can find a list
of known supported devices on GitHub. I will use an 8 GB Toshiba TransMemory-MX USB 3.0 drive in this
tutorial.

Sometimes owning a confirmed device doesn't mean the PS2251-03 is actually being used, as manufacturers
seem to use different controllers even within same device models.

Make sure you can open the case of your USB device without damaging it. One of my friends had to literally
saw up his USB device because he was too hasty. Please read the "Setting Our Device into "Boot Mode"
Manually" section at the end of this article for help on opening it.

Please continue at your own risk; there is no guarantee that your device will work, even though there
shouldn't be any issues.

Determining the Microcontroller of Our USB Flash Drive

Before starting, we want to make sure our USB uses the supported controller. We can use a program called
Flash Drive Information Extractor to gather the required information about our USB.

It doesn't require any installation. Just open the tool and hit the "Get USB Flash Drive Information" button
while you have your USB inserted into your PC. If your drive uses the Phison 2303 (2251-03) controller, the
output should look similar to this:
However, if your USB device has a different one, it is most likely that you cannot reprogram it to an HID device
with this exploit. Make sure to check the known supported devices in order to get one that will work.

Setting Up the Build-Environment

The developer of the code recommends us to use any version of Microsoft Visual Studio 2012 or higher to
compile the tools and SDCC for building custom firmware. Visual Studio will probably take multiple hours to
download and cannot be paused, so make sure you have enough time available. It also claims multiple gigabytes
on your primary drive, about 10 GB on my SSD, which is annoying.

Downloading & Compiling the Source Code

In order to modify our supported USB drive, we need to build the tools which interact with it. The source code
is published on GitHub by Adam Caudill. Actually, Visual Studio comes with an neat feature that lets us clone
the whole repository. You can even interact with VS from the GitHub site:
After cloning and opening the repostitory. You are most likely to see three solutions.

DriveCom

EmbedPayload

Injector

We will need DriveCom and EmbedPayload only. If opened, you can compile with Ctrl + Shift + B or Menu
bar - Build - Build Solution.

If you cannot clone the repository through Visual Studio, download the .zip file from GitHub and open the .sln
files in each folder of the solutions. DriveCom and EmbedPayload should be in the ...\Psychson\tools directory
now: E:\Documents\Bad_USB\Psychson\tools.
Obtaining a Burner Image

A "burner image" is required for dumping and flashing firmware on your drive. These are typically named using
the convention "BNxxVyyyz.BIN". Burner images for Phison controllers can be found here. Even though the
site is only available in Russian, you will find the download link if you scan the site for "BN03." BN implies
burner image, and 03 corresponds to PS2251-03. I extracted the files in E:\Documents\BadUSB\Burner_Image\.

Every burner image should do the job, but you can use the newest version which is indicated by the "Vyyy" part
of the name.

Dowload Duck Encoder

The "Duck Encoder" is a Java-based cross-platform tool which converts scripts into HID payloads. It is based
upon the Bad-USB called "Rubber Ducky" by Hak5. You can download it here. (Do not forget to install Java.) I
saved it at E:\Documents\Bad_USB\DuckEncoder\.

Creating Custom Firmware

At this point, all our preparations are done and we can continue using the tools. In this step, we simply have to
go to our ...\Psychson\firmware\ directory and run build.bat. If everything goes right, you will see a new folder
with many different files inside.
The fw.bin file is the file we will use in the following payload.

Writing a Script

You may ask yourself in which language we are going to write our script. Since the Duck Encoder is based upon
"Rubber Ducky," we will use "Duckyscript" as the language. The syntax is rather easy. More detailed
instructions can be found here.

We will go ahead and create a .txt file in our preferred directory

(E:\Documents\Bad_USB\DuckEncoder\script.txt). I thought of showing you something more interesting than a

"Hello World" script, so I made this one:

As you may suppose, the Bad USB will "press" Windows + R and cause windows to shut down immediately
with this script. In addition, you can clearly see that I wrote "/" instead of "-". That's because our "keyboard"
(Bad USB) has a U.S. layout and Windows is set to DEU in my country. Keep in mind that we have to change
the Windows layout to U.S. and write the script the way we would do usually, or the way your victim's PC
would write it. Don't be confused of the input.

You can even use custom scripts and do some reverse engineering here.

Converting It into an HID Payload

It is time to start using the Windows terminal - cmd.

java -jar "PATH to \duckencode.jar" -i "PATH to \script.txt"-o "\payload.bin Path"

Example:

java -jar E:\Documents\BadUSB\DuckEncoder\duckencode.jar -i E:\Documents\Bad_USB\DuckEncoder

\script.txt -o E:\Documents\Bad_USB\DuckEncoder\inject.bin

We won't get any output, but inject.bin should be created in E:\Documents\Bad_USB\DuckEncoder\, in my

instance.

Embed the Payload in the Firmware

Now we need to use the tools we built with Visual Studio. Obviously, EmbedPayload is to embed payloads. We
simply have to execute it in cmd:

"Path to EmbedPayload.exe" "PATH to payload" "PATH to the firmware we built"

For me, it is:

E:\Documents\BadUSB\Psychson\tools\EmbedPayload.exe E:\Documents\Bad_USB\DuckEncoder\inject.bin
E:\Documents\Bad_USB\Psychson\firmware\bin\fw.bin

Note that fw.bin includes the payload now. You can also overwrite the firmware by executing build.bat again.

Dumping the Current Firmware of the USB Flash Drive

I strongly advise you to make a copy of the current firmware on your USB flash drive in case you want to
restore it. For any action we want to take on our USB, we have to use DriveCom, which is in our "tools" folder.

"PATH to DriveCom.exe" /drive="Drive Letter of our USB" /action=DumpFirmware /burner="PATH to our

burner image" /firmware="PATH of the output.bin"

In my instance:

E:\Documents\Bad_USB\Psychson-master\tools\DriveCom.exe /drive=F /action=DumpFirmware

/burner=E:\Documents\Bad_USB\Firmware\BN03V117M.BIN /firmware=E:\Documents\Bad_USB
\originalfw.bin

Flashing Firmware

Finally, we can hand over the very malicious shut-down payload embedded into the firmware to our USB flash
drive:

"PATH to DriveCom.exe" /drive="Drive Letter" /action=SendFirmware /burner="PATH to our burner image"

/firmware="PATH to the firmware"
In my instance:

E:\Documents\BadUSB\Psychson\tools\DriveCom.exe /drive=F /action=SendFirmware /burner=E:\Documents

\Bad_USB\Firmware\BN03V117M.BIN /firmware=E:\Documents\Bad_USB\Psychson\firmware\bin\fw.bin

A successful output should look like this:

Notice that DriveCom is switching the mode of our USB to boot mode automatically to flash the firmware.
Now that our USB flash drive has become a keyboard, we cannot switch modes any more with our tools, nor
access to the memory, but that is a minor problem. In the next section, I will focus how to resolve this issue.

Setting Our Device into "Boot Mode" Manually

If you want to take further actions to your Bad USB, you will notice that neither DriveCom nor Windows nor
any other operating system can access it, because it is a keyboard after all. We need to open the case of our USB
drive and connect two pins of the microcontroller while plugging the drive into our PC. Since the circle is on
the top left corner of my controller (from this perspective), I have to connect the two pins of the left bottom
side:
You may need to open the picture in a new tab and zoom in.

I usually use the edge of a USB connector to connect these two pins. In addition, a USB extension cable can be
very useful in this scenario. It seems to be difficult, but you will get used to this. Use whatever you feel most
comfortable with, without damaging your USB flash drive. If you do it correctly, the drive will show up in
Windows again:
And we can modify our drive or flash the original firmware again. If not, your PC will shut down—try harder
next time.

Notes

The Bad USB may not work on every Windows PC, including mine, since it may be incompetent at loading
drivers. You might want to try adding a delay at the start of the script (Thanks Seytonic)

Keep in mind that you won't be able to access the memory while your USB drive is faking an HID device.

Final Thoughts

The Bad USB is a very powerful tool if you have access to your victim's PC, even though Windows can be crap
at loading the USB drivers. In addition, it avoids AV detection since it is a keyboard rather than a virus.

Furthermore, I would like to mention that I really appreciate constructive feedback from you guys. So feel free
to PM me if you find any mistake or want me to improve something!

References

github.com/adamcaudill/Psychson

github.com/hak5darren/USB-Rubber-Ducky/wiki

All of the pictures were taken by myself.

Want to start making money as a white hat hacker? Jump-start your hacking career with our 2020 Premium
Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training
from cybersecurity professionals.

Buy Now (90% off) >

Other worthwhile deals to check out:

97% off The Ultimate 2021 White Hat Hacker Certification Bundle

99% off The 2021 All-in-One Data Scientist Mega Bundle

98% off The 2021 Premium Learn To Code Certification Bundle

62% off MindMaster Mind Mapping Software: Perpetual License