MouseJack troubleshooting

I’m trying to get the MouseJack attack working in lab conditions.
Checklist:
[+] nRF24 module
[+] Logitech mouse, presumably old enough not to have a fix, paired with a receiver
[+] Temporarily installed CFW with all the nRF apps
[-] 10uF cap (available but not yet soldered, since the module is not “acting flaky” - it simply doesn’t work)

Steps:

  • Turn the mouse on, plug the receiver, test
  • Plug the nRF24 into Flipper
  • Launch “Sniffer” app
  • Verify the module initialized
  • Jiggle the mouse until the app does a full cycle or two over channels
  • If an address is found (typically not), exit “Sniffer”, launch “Mouse Jacker”, select it
  • Select a harmless BadUSB payload
  • Nothing happens

Any ideas on what to try?

Is your target host Linux? This won’t work.

My work on this topic: How does Flipper Zero connect to a dongle? - #8 by LupusE

On Windows, address is found reliably, but it is not unique - that is, I have observed it earlier when testing on Linux. Still, BadUSB scripts produce no results.

I’ve just tried it, and it works. Even without capacitor ‘hack’.

  1. Get Flipper firmware: mkdir ~/git; cd ~/git; git clone --recursive https://github.com/flipperdevices/flipperzero-firmware.git
  2. Prepare environment: cd flipperzero-firmware; ./fbt
  3. Clone nrf24 toys: cd ~/git/; git clone https://github.com/[find_my_repo]/ofw-flipperzero-nrf24
  4. Link source to base: ln -s ~/git/ofw-flipperzero-nrf24/nrfsniff ~/git/flipperzero-firmware/applications_user; ln -s ~/git/ofw-flipperzero-nrf24/mousejacker ~/git/flipperzero-firmware/applications_user
  5. Fix source: $editor ~/git/flipperzero-firmware/applications_user/mousejacker/mousejacker_ducky.c

Line 99: for(uint32_t i = 0; i < sizeof(mj_ducky_keys) / sizeof(MJDuckyKey); i++) {
Line 114: for(int n = 0; n < len - 2; n++) cksum = (cksum - payload[n]) & 0xff;

NOTE: This will lead to a crash of the Flipper at the end of the duck script … but is enough to get it working.

  6. Compile App: cd ~/git/flipperzero-firmware; ./fbt fap_nrf24_sniffer; ./fbt fap_mouse_jacker
  7. Copy the files from ~/git/flipperzero-firmware/build/f7-firmware-D/.extapps/nrf24_*.fap to the Flipper via qFlipper in /ext/apps/GPIO/

When I connect the nRF24 module to the Flipper I need to reboot the Flipper. There is no error, but also no result in the App [NRF24] Sniffer.
After reboot I set the Sample Time to 1000, so it will scan every channel for 1 second. It is enough, because I am moving the mouse permanently. I press the ‘OK’ button on the Flipper to start the sniffing.

If the Sniffer gets a catch, it will be seen in qFlipper at /ext/apps_data/nrfsniff/addresses.txt. Just download the file and see the [address],[transfer rate].

Now I can stick the Logitech in my booted Win and start [NRF24] Mouse Jacker. If I am not sure I will open a Notepad and wait for any input. If I know what will happen I can start from the Desktop.

I forgot: this will compile the source for the Dev OFW …

Either install the dev firmware, from qFlipper or the one you just created, or select the 0.99.1 branch before compiling.
I think git clone -b 0.99.1 --recursive https://github.com/flipperdevices/flipperzero-firmware.git will do the trick.

Meh. I hoped to get away with precompiled apps.
Will try.