BAD USB Remote Bluetooth Access + Remember Pairing

IDEA: Imagine having a “Bluetooth dongle” which would be paired with the Flipper Zero through the “Bad USB” feature, allowing you to just plug this Bluetooth USB dongle into a random PC and have remote access to run scripts etc. without pairing the Flipper to the PC each and every time.

Solution: I did some research and apparently one needs to use some kind of Bluetooth adapter that stores devices in its memory.

Question: Do you think that an ESP32 board with Bluetooth + SD card/flash memory that has a USB connection would be able to be programmed to operate in such a scenario? The specific board I’m talking about is the “LILYGO® TTGO T1 V1.3 ESP32 Development Board Rev1 Wifi Module and Bluetooth and SD Card Bord 4MB FLASH” which can be found on AliExpress.

I think it would be easier to realize this via nRF24 and a cheap HID dongle.
See How does Flipper Zero connect to a dongle?

The Flipper Zero does not have a full BT stack, but I don’t know if it is feature-rich enough to perform your idea.


Thank you very much for your input. I’ll definitely look into your suggestion!


AFAIR the Rubber Ducky can be radio-activated.


You are talking about the ‘USB Ninja’?
An ordinary USB cable to charge and transfer data… And when triggered, switch to HID and type any payload (Rubber Ducky Scripts).

A real security nightmare. I’ve seen this in action, once. Even if the attack is detected through hardened systems and/or a good heuristic, I don’t know many people who are able to identify this cable as a threat.

Nice expensive toy. But not very helpful to use with the Flipper. Although the Flipper may be able to activate the cable. But it looks much more suspicious to play around with an orange Tamagotchi than with your mobile.

I remember that about Ducky, but I may be wrong. Maybe Ninja, as you say.

I mentioned Ducky, because the idea I got from OP is a need to do BadUSB remotely, not BadUSB stealthily.

I’d probably buy a Cactus WHID and call it a day. I have used one for quick setups. An app can run on your phone, or you can connect to it over WiFi and use a web-based interface. It’s basically what you describe without the Flipper, and with WiFi rather than Bluetooth.

As pointed out by @LupusE, a phone is a heck of a lot less conspicuous than the Flipper.

I may have found something interesting related to this. I will report back when it arrives and whether it was useful.

I ordered an nRF24 to use with a Logitech Unifying receiver in the hopes of sending scripts without needing to pair each time. @LupusE This should work, right?

Should it work? It depends.

  • If you’d expect to plug it in and it does something: No.
  • If you are open to dive through the internet, take a look at the pairing process and the communication protocol for the Logitech keyboard/mouse: Definitely yes.

Maybe a little Flipper application/GPIO googling is needed, too.

PS: I don’t own an nRF24 myself, and even if it is really cheap, I have other projects ongoing, so I will not start a new one around the Flipper.
Autosync Git2SD, FZ-IRDB2SQLite, BadUSB Data extraction, … Plus not started now: Proxmark3 RFID analysis.

Maybe I’ll join later, depending on how the project looks.

For this use case, you need the nrf as well as a downgraded unifying receiver. There is a procedure to do this. I will try to find it today. I haven’t tried myself, but it’s on my wishlist.

Thank you for your replies, guys. I’m definitely down to research and try to get this to work, I just need to be pointed in the right direction. @emptythevoid I would truly appreciate it if you can share any info you’ve got. Thanks once again :)

Here’s what I found previously when I was researching this. I’ve not tried this procedure. The way I understand it, as it relates to your use case, is that you have to make the Unifying receiver vulnerable to mousejacking so that the nRF24 can scan and connect to it, and therefore deploy a payload using it. I don’t know exactly what that will actually look like when you get it to work (you might still have to scan and connect to the receiver each time, rather than it always being ‘paired’ like Bluetooth).

Ugh, it’s for Python 2. I don’t want to screw up my main machine, so I might simply set up another machine with an older distro. I’ll report back.

Was able to downgrade one, possibly two Unifying receivers. Now I just need to obtain an nRF24.

Edit: Ordered.


I think you may find more cool uses for the nRF if you keep exploring it. Like @LupusE, I have many projects and not enough time for a new one. I’m hoping to build some of the Flipper functions into a less conspicuous package (Gameboy) as soon as I can get hold of one key part.


I wasn’t aware before, but @emptythevoid pointed out that only the C-U0007 will work, because this is the Unifying dongle with an nRF chip that is vulnerable.

I haven’t seen how to determine the different versions yet. Just looking it up online should not be the answer. Maybe there are other working versions, too.

I have some receivers here; I will test if the downgrade also works with Linux tools. Or port the script to Python 3?
So many ideas, I almost forgot this weekend I am on the road. But most can be done offline.

Edit: The model is printed on the device. A good start.
All 6 USB sticks in my office are U0007… It is good for testing, but I don’t have one to test negative…


Hey everyone, I think I’ve gotten this to work. I purchased this special USB Bluetooth dongle: “Bluetooth 4.0/4.1/5.0/5.1 USB Bridge - HID Proxy - Legacy - TV Adapter/Dongle” https://i.ebayimg.com/images/g/xe0AAOSwVqlaHG-n/s-l1600.jpg

After pairing, I seem to be able to move this dongle between different computers (Windows and Linux) and the Flipper is able to send BadBT commands without re-pairing. I’ll be testing this more, but results are promising.
