The MouseJack NES controller allows you to hijack and control nearby wireless mice for that nostalgic trolling goodness.
This project is the love child of Burning Man and my wireless mouse/keyboard research, and I am open sourcing it so that you too can troll people with an NES controller.
In preparation for Burning Man in 2015, I built a big LED covered top hat so I could efficiently blind my campmates. I needed a way to provide input to the hat, and the obvious thing to do was make a wireless NES controller (duh).
Around the same time, I was starting to investigate Logitech wireless mice, which use the same type of radio transceiver as my NES controller. So just before DEF CON 23, I hacked together some code to hijack other peoples' Logitech wireless mice, and spent the week trolling people at BSidesLV (sorry CTFers) and DEF CON. This proved to be hilarious, and the IoT Village was even using a Logitech mouse for their presentation clicker.
The initial controller was pretty quaint, with only a single radio and no display, so I decided to iterate on it after DEF CON and Burning Man had wrapped up. I tend to get really excited and overdo these sort of projects, and I ended up filling the controller to the brim.
The result was a controller containing a Teensy, 500mAh LiPo battery, 5x nRF24L01+ radios, 32GB of microSD storage, and a 128x64 OLED display.
The ToorCon crew was kind enough to let me talk about the beefed up NES controller at ToorCon 17 (which you should do sometime if you like epic Nerf battles).
ToorCon got me excited about trying my hand at vulnerability research, and I ended up using the NES controller to find a keystroke injection vulnerability in Logitech wireless keyboards. This evolved into 16 different mouse and keyboard vulnerabilities and a lot of unhappy vendors.
The firmware is configured as a PlatformIO project, and can be installed as follows:
cd firmware
platofrmio run --target upload
The firmware currently supports Logitech mice, but if there is sufficient interest, I can add support for other vendors. I will also gladly accept pull requests.
Usage is pretty straight forward:
- Turn on the controller
- When a Logitech mouse is discovered, it will show up in the device list
- Use the d-pad to scroll up/down and select a target mouse
- Press 'select' to enter hijack mode
- In hijack mode, the d-pad and a/b buttons are used to move the cursor and click the mouse buttons
- Press select again to exit hijack mode and return to the list
- Blog - Burning Man LED Top Hat
- Slides - Hacking Wireless Mice with an NES Controller @ ToorCon 17
- Slides - MouseJack: Inecting Keystrokes into Wireless Mice @ DEF CON 24
- Whitepaper - MouseJack: Inecting Keystrokes into Wireless Mice @ DEF CON 24
- Video - MouseJack: Inecting Keystrokes into Wireless Mice @ DEF CON 24
- Video - Hak5 Interview @ DEF CON 24
- Info - MouseJack/Bastille
- Code - nRF24LU1+ Research Firmware
- Code - gr-nordic (nRF24L GNU Radio Module)