EvilCrow-Keylogger

WiFi keylogger with Micro SD slot, based on the Atmega32U4 microcontroller and the ESP32-PICO module

Idea, development and implementation: Joel Serna (@JoelSernaMoreno) & Ernesto Sánchez (@ernesto_xload)

Collaborators: Ignacio Díaz (@Nacon_96) / Forensic&Security (@ForensicSec)

PCB design, manufacturer and distributor: April Brother (@aprbrother)

The developers and collaborators of this project do not earn money with this. You can invite me for a coffee to further develop Low-Cost hacking devices. If you don't invite me for a coffee, nothing happens, I will continue developing devices.

For Sale at:

• Aliexpress: Coming soon...
• Tindie: Coming soon...

Disclaimer

Evil Crow Keylogger is a physical keylogger device for professionals and cybersecurity enthusiasts.

AprilBrother and the collaborators of this project are not responsible for the incorrect use of Evil Crow Keylogger.

We recommend using this device for testing, learning and fun :D

Introduction

Evil Crow Keylogger is a physical keylogger with the following hardware:

• Atmega32U4 with Arduino Lilypad USB bootloader
• ESP32-PICO module for communication via Wi-Fi
• Slot MicroSD
• USB Host MAX3421
• Hall sensor for unbrick device

NOTE: Some keys or modifiers have not been implemented. I don't have time or material to test all the keyboards. If you have any errors, you can contact me by Twitter: @JoelSernaMoreno

Layouts:

• BE_BE layout support.
• CZ_CZ layout support.
• DA_DK layout support.
• DE_DE layout support.
• EN_US layout support.
• ES_ES layout support.
• FI_FI layout support.
• FR_FR layout support.
• IT_IT layout support.
• PT_PT layout support.
• TR_TR layout support.

NOTE: Please do not ask me to implement new functions in this code. You can develop code for Evil Crow Keylogger and send me PR with your new code.

Installation

Software requirements

• 0.- Add your user to the dialout group: sudo usermod -a -G dialout USER

• 1.- Install esptool: sudo apt install esptool

• 2.- Install pyserial: sudo pip install pyserial

Automatic installation

1. Install Platformio Core: https://docs.platformio.org/en/latest/core/index.html
2. Download keylogger-pio repository (This is a migration of Evil Crow Keylogger to platformio): git clone https://github.com/volca/keylogger-pio.git
3. Download source EvilCrow-Keylogger. Put the directory in same level with keylogger-pio: git clone https://github.com/joelsernamoreno/EvilCrow-Keylogger.git
4. Add jumper GPIO0 to GND for ESP32-PICO
5. Connect Evil Crow Keylogger via USB port
6. Go to the keylogger-pio directory: cd keylogger-pio
7. Run flash.bat or ./flash.sh to program 32u4 and esp32-pico

Manual installation

• 0.- Download and Install the Arduino IDE: https://www.arduino.cc/en/main/software

• 1.- Open Arduino IDE.

• 2.- Go to File - Preferences. Locate the field "Additional Board Manager URLs:" Add "https://dl.espressif.com/dl/package_esp32_index.json" without quotes. Click "Ok"

• 3.- Select Tools - Board - Boards Manager. Search for "esp32". Install "esp32 by Espressif system version 1.0.3". Click "Close".

• 4.- Download/extract EvilCrow-Keylogger repository.

• 5.- Copy the Keyboard and USB Host Shield libraries included in this repository to your Arduino library directory.

NOTE: The Keyboard library included in this repository has been modified, EvilCrow Keylogger needs this library to work.

Layout support

Evil Crow Keylogger supports several layouts, the en_us layout is by default.

Set up a new layout:

• 0.- Open Keyboard/src/Keyboard.cpp with a text editor

• 1.- Change #define kbd_en_us to another layout. Example: #define kbd_es_es

You can use:

• kbd_be_be
• kbd_cz_cz
• kbd_da_dk
• kbd_de_de
• kbd_en_us
• kbd_es_es
• kbd_fi_fi
• kbd_fr_fr
• kbd_it_it
• kbd_pt_pt
• kbd_tr_tr

• 2.- Save and close Keyboard.h

Upload the ESP32 code

To upload the ESP32 code into the keylogger, you can do this in different ways: You can use an Arduino, an FTDI or an ESP Flasher from April Brother. On this way I will use an Arduino to upload the ESP32 code.

Here you can see all the pins corresponding to ESP32:

• 0.- Wire the Keylogger with Arduino using the following pinout:

• 1.- Open Arduino IDE.

• 2.- Open the ESP32.ino sketch.

• 3.- Select Tools - Board - "ESP32 Dev Module".

• 4.- Connecting the Arduino device to the computer.

• 5.- Upload the code to the board.

Upload atmega32u4 code

• 0.- Connect Evil Crow Keylogger via USB port.

• 1.- Open Arduino IDE.

• 2.- Open the ATMEGA32U4.ino sketch.

• 3.- Select Tools - Board – "Arduino Lilypad USB".

• 4.- Upload the code to the board.

• Done!

First steps with Evil Crow Keylogger

• 0.- Connect a keyboard to the Evil Crow Keylogger USB host port.

• 1.- Connect Evil Crow Keylogger to your laptop.

• 2.- Open a notepad and type Hello World with the keyboard connected to the keylogger

• 3.- Visualize the wifi networks around you and connect to the Keylogger (default SSID: Keylogger).

• 4.- Enter the password for the wifi network (default password: 123456789).

• 5.- Open a browser and access the web panel (default IP: 192.168.4.1).

• 6.- Click on the View Log option

Use the Micro SD Slot

Evil Crow Keylogger also stores the log on the Micro SD card.

File: log.txt

Unbrick Evil Crow Keylogger with Hall Sensor

First, you’ll need to set the serial port to the bootloader. But that port is only visible when the board is in bootloader mode, so pull the reset line low twice quickly to invoke the bootloader reset feature. You can quickly press the reset button** twice. While the Evil Crow Keylogger is in the bootloader mode, change the ‘Tools > Serial Port’ menu to the bootloader COM port. Quick! You’ve only got eight seconds.

The reset button is a HALL sensor, that means you need to place a magnet close that side of the PCB, in order to simulate the "button pressure".

• 1.- Open Arduino IDE and open ATMEGA32U4.ino sketch

• 2.- Connect Evil Crow Keylogger via USB port.

• 3.- Press Upload sketch

• 4.- Start the unbrick phase with a magnet by placing it close that side of the PCB where the hall sensor is located (do it two times). Close-away-close-away