Welcome to the SecAware blog

I spy with my beady eye ...

18 May 2022

Hacking the Microsoft Sculpt keyboard


In its infinite wisdom, Microsoft designed data encryption into the Sculpt wireless keyboard set to protect against wireless eavesdropping and other attacks. The keyboard allegedly* uses AES for symmetric encryption with a secret key burnt into the chips in the keyboard's very low power radio transmitter and the matching USB dongle receiver during manufacture: they are permanently paired together. The matching Sculpt mouse and Sculpt numeric keypad use the same dongle and both are presumably keyed and paired in the same way as the keyboard.

This design is more secure but less convenient than, say, Bluetooth pairing. The risk of hackers intercepting and successfully decoding my keypresses wirelessly is effectively zero. Nice! Unfortunately, the keyboard, keypad and mouse are all utterly dependent on the corresponding USB dongle, creating an availability issue. Being RF-based, RF jamming would be another availability threat. Furthermore, I'm still vulnerable to upstream and downstream hacking - upstream meaning someone coercing or fooling me into particular activities such as typing-in specific character sequences (perhaps cribs for cryptanalysis), and downstream including phishers, keyloggers and other malware with access to the decrypted key codes etc.

So yesterday, after many, many happy hours of use, my Sculpt's unreliable Ctrl key and worn-out wrist rest finally got to me. I found another good-as-new Sculpt keyboard in the junkpile, but it was missing its critical USB dongle. The solution was to open up both keyboards and swap the coded transmitter from the old to the new keyboard - a simple 20 minute hardware hack.

In case I ever need to do it again, or for anyone else in the same situation, here are the detailed instructions:

  1. Assemble the tools required: a small cross-head screwdriver; a stainless steel dental pick or small flat-head screwdriver; a plastic spudger or larger flat-head screwdriver (optional); a strong magnet (optional).
  2. Start with the old keyboard. Peel off the 5 rubber feet under the keyboard, revealing 5 small screws. Set the feet aside to reapply later.
  3. Remove all 5 screws. Note: the 3 screws under the wrist rest are slightly longer than the others, so keep them separate.
  4. Carefully ease the wrist rest away from the base. It is a 'snap-fit' piece. I found I could lever it off using my thumbs at the left or right sides, then gradually work around the edge releasing it. You may prefer to use the spudger. It will flex a fair bit but it is surprisingly strong.
  5. Under the wrist rest are another 16 little screws. Remove them all, including the two recessed screws near the hump/gap in the middle of the keyboard. Use the magnet to lift out the screws if that helps.
  6. Separate the base of the keyboard from the key unit by working right around the edge with the spudger, gently levering it apart. Like the wrist rest, it is a snap-fit and stronger than it looks. 
  7. As the two parts separate, gently pull the battery connector cable from the circuit board inside: it has a small white push-fit connector.
  8. Remove the two screws from the circuit board.
  9. Using the dental pick, ease the black plastic strip aside from the long white connector to release the ribbon cable pinched underneath.

  10. Remove the circuit board.
  11. Dismantle the newer keyboard in the same way.
  12. Replace the circuit board from the new keyboard with the circuit board from the old one.
  13. Replace the ribbon cable into the connector, then ease the black plastic strip back into place to hold it firm.
  14. Replace the two screws holding the circuit board.
  15. Put the two parts of the keyboard together, connecting the battery cable to the circuit board as you do. The white power plug is keyed and should only go in one way around as shown here, with the black wire closest to the black IC:

  16. Before proceeding, feel free to check that the new keyboard works with the original USB dongle.
  17. Complete the reassembly by snapping the two parts of the keyboard back together all the way around the edge. 
  18. Reinstall the 16 screws from under the wrist rest.
  19. Snap the wrist rest back into place, checking that it is fully home all the way around.
  20. Replace the 5 screws under the feet: remember those 3 longer ones under the wrist rest.
  21. Replace the feet.  If the glue isn't very sticky, apply fresh glue e.g. UHU clear adhesive, to avoid the keyboard becoming lopsided.
  22. Optionally, recover and save the screws, keycaps, plastic spring units, wrist rest and rubber feet from the old keyboard to repair/replace them on the new keyboard as they wear out (see below). Oh and those silver discs embedded in the black pastic base are strong magnets to hold the keyboard ramp in place: if you choose to recover them for other projects, you will need tools to break apart the dark grey ABS 'engineering plastic', knowing that it can fracture into sharp shards. Take care!
Being some of the most common letters in English, the AERT keys always seem to wear out fastest for me and the space key is noticeably shiny, along with the backspace for some raeson. After >4 decades' practice, I can almost touch-type so wearing away the key legends should not be a problem ... except when I'm tired and emotional anyway. More annoying are those few intermittent keys, caused by dirt getting under the keycaps and into the switches beneath. 
 
Also, the extra-wide keys on the Sculpt sometimes go wonky, staying down on one side or the otehr. Removing any of the keycaps is easy enough: lever up a corner using the dental pick, then lift the cap off using your fingernail. It is a snap-fit. Underneath, you'll find a distinctly unhygienic accumulation of dust, hair and al-desko lunch crumbs: brush them gently away, trying to avoid breathing in any more pathogens.
 
Here's the disgusting view under one of the well-used Ctrl keys:

 
A: One of two stainless steel support rods is held in this pair of metal loops, and is clipped to the keycap, keeping it level.
B: A smaller stainless steel rod fits to these loops, and is also clipped to the keycap. In this pic, I have put the dental pick tip through a loop from the opposite side.
C: These are plastic scissor-action 'springs' that also clip to the keycap (see below). They are small and fragile.
D: The key's microswitch is under this central silicone rubber dust cover. Check that the dustcover over the microswitch and any surrounding black rubber pad are intact and not torn. If they are, the keyboard is probably stuffed: dust will undoubtedly work its way in to interfere with the switch action, if it hasn't already.


If the 'springs' are in separate pieces or obviously broken, replace them with good ones of the same size from your stash of bits (step 22).
 
Being in two halves and even bigger than the Ctrl key, longer support rods under the space bar are attached either side:
 
 
Check that the plastic spring units (and support bars if applicable) are intact and in place. If these are broken or bent, replace them from your stash from the previous Sculpt keyboard (step 22), replace the metal bars into their hoops, then pop the keycaps into place and hope they work better now. Most of all, hope they work at all! If not, too bad. It is probably time to replace your worn-out keyboard after all.
 
 
* I say 'allegedly' because there is no easy way for me to check the claim. Doubtless with a little effort, I could monitor the RF transmissions and perhaps capture and decode the digital bit-stream, but then proving that the system is or is not using AES would be harder, practically impossible for me given my rudimentary knowledge of cryptanalysis.  I suppose I could check the randomness of the encrypted data statistically, looking for patterns that correlate with the letter frequencies. Message headers and structures might be clues. I could try brute force attacks ... or not bother.

No comments:

Post a Comment