DigiSpark ATTiny85 Info

Jump to the bottom if you still really want to see the proof-of-concept code I put together for brute-forcing smartphones, but please, read through my FAQ and understand that this is a fool's errand.

If you're here because of my IGTV tutorial on programming HID attack payloads to the attiny85 development boards, here's what I know about them. I've been using this microcontroller since the original DigiSpark Kickstarter in 2012, where I bought two through a pool from our local hackerspace. I think we ordered a 100-pack! In those years, I've used them for all kinds of purposes, much like one might use an Arduino that only has a few GPIO pins: playing with RGB LEDs, photocells, rain sensors, and temperature probes, and writing cute messages to LCD displays via I2C. And, of course, using the DigiKeyboard library to emulate human interface devices (HIDs) for keyboard injection.

Several people have sent me DMs with questions. I'll attempt to answer the ones that keep coming up with my new attiny85 FAQ:

Q: Can I brute-force the lock code on a smartphone with this?

A: In my opinion, the attiny85 is not a very good tool to use to break into smartphone lock screens. It can be used to guess application PINs in some situations, but many phones will stop accepting PIN attempts after a few incorrect attempts, and some will even erase themselves after enough incorrect attempts. The attiny85 (or any other attached HID device) cannot guess pattern-based or biometric-based authentication. The attiny85 likely won't know which PIN was successful, so you will still not know the unlock code even if it succeeds.
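To put numbers on the lockout problem described above, here is an added example (not part of the original post or its sketches) that models how long guessing a 6-digit PIN takes once a phone throttles wrong attempts. The throttle schedule, wipe threshold and per-guess typing time are constructed assumptions, not any vendor's documented policy.

```python
# Added example (not the author's code): how long PIN guessing takes once a
# phone throttles wrong attempts. The throttle schedule, wipe threshold and
# per-guess typing time are constructed assumptions, not any vendor's policy.
from fractions import Fraction

PIN_DIGITS = 6                       # PIN length used by the page's sketches
KEYSPACE = 10 ** PIN_DIGITS

# Assumed policy: once `failures` wrong guesses have been made, the device
# enforces `delay` seconds before it accepts the next one.
ASSUMED_THROTTLE = [(5, 30), (10, 300), (30, 3600)]   # (failures, delay)
ASSUMED_WIPE_AFTER = 10              # assumed erase-after-N-failures setting
ASSUMED_TYPING_SECONDS = 2           # assumed time to inject one PIN


def seconds_to_enter(n_guesses, throttle=ASSUMED_THROTTLE,
                     typing_seconds=ASSUMED_TYPING_SECONDS):
    """Wall-clock seconds needed to submit n_guesses consecutive wrong PINs."""
    total = n_guesses * typing_seconds
    # Guess number i (0-based) is made after i failures, so each throttle tier
    # covers the guesses from its threshold up to the next tier's threshold.
    tier_ends = [failures for failures, _ in throttle[1:]] + [n_guesses]
    for (start, delay), end in zip(throttle, tier_ends):
        guesses_in_tier = max(0, min(end, n_guesses) - min(start, n_guesses))
        total += guesses_in_tier * delay
    return total


def success_probability(allowed_guesses, keyspace=KEYSPACE):
    """Chance that a uniformly random PIN falls within the allowed guesses."""
    return Fraction(min(allowed_guesses, keyspace), keyspace)


def report():
    full = seconds_to_enter(KEYSPACE)
    capped = seconds_to_enter(ASSUMED_WIPE_AFTER)
    return {
        "exhaust_keyspace_years": round(full / (365.25 * 24 * 3600), 1),
        "seconds_until_wipe": capped,
        "p_success_before_wipe": success_probability(ASSUMED_WIPE_AFTER),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Under these assumed settings, exhausting the keyspace takes over a century, and a device that wipes after ten failures gives a one-in-100,000 chance of success before the data is gone.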

 

Q: But I saw a video of someone hacking a phone with this! Can you show me how?

A: I have seen a few videos, including one where an iPhone inexplicably unlocks after seemingly getting the same PIN 30+ times in a row. I don't think that should work. Please ask the people who made those videos how they did it, because I have no clue.

 

Q: What tools SHOULD I use to hack smartphones?

A: I have no idea. I do not hack smartphone unlock codes.

 

Q: What ARE HID attacks useful for if it's not to hack smartphones?

A: The most common uses of HID injection are:

  • Automatically running a command on a target PC you gained physical access to
  • Downloading and running a payload such as Meterpreter or Cobalt Strike during a sanctioned network security audit
  • Conveniently entering a long passphrase, such as to unlock your password vault or an encrypted external hard drive, with a device you keep securely with you.
  • These devices operate similarly to the Hak5 Rubber Ducky. Search the internet for interesting things folks have done with that product for ideas you can implement with your attiny85!

Q: Where do I buy one?

A: I got mine from DigiSpark's Kickstarter back in 2012. Since then, there have been MANY clones manufactured that all generally work just fine. I also have the Evil Crow BadUSB cable, which can be programmed the same way. Here are a few places that sell them:

If you cannot buy from the above links in your area, search for "attiny85" for sale locally and look for devices that are assembled onto a PCB similar to the ones featured in my post.

 

Q: Where can I find example programs for HID attacks on the ATTiny85?

A: The Evil Crow Git Repo is what I mentioned in my video. It links to additional attiny85 HID payloads: https://github.com/joelsernamoreno/EvilCrow-Cable

 

Q: Is there a step-by-step guide to setting up everything I need to play with the ATTiny85?

A: Yes! For all of my various '85 programming needs (even the stuff that's not officially called DigiSpark), I relied on the DigiSpark Getting started guide: http://digistump.com/wiki/digispark/tutorials/connecting

Q: Please, please, please gimme gimme some example code to guess the pin on a smartphone!

A: That's not a question, but y'all keep begging me so here ya go, as promised in my IGTV Video about it. PLEASE KEEP IN MIND you will almost certainly lock yourself out of a phone, or potentially even factory-wipe it if you use this code to try to hack a smartphone. You may need to right-click and save-as on these.

PixelCrack.ino -- An example brute-force guesser that presses "enter" between each 6-digit PIN (as required by my Pixel 3XL)

SamsungCrack.ino -- The same code, except without pressing enter between PIN attempts, since my Samsung doesn't require it.
