Electronic – Recreating a missing wireless keyboard dongle with NRF24L01

keyboard, reverse-engineering, wireless

I have found an old Logitech Wireless Keyboard (specifically, the MK250 model), which was originally sold with a separate "standard" 2.4 GHz receiver dongle (not 'Unifying', as written here). I assume that the keyboard itself has a corresponding 2.4 GHz transmitter inside.

My goal is to recreate a receiver which will communicate with that specific keyboard properly from one side, and with the computer's USB from the other side, just as the original dongle did. This is what I had in mind in order to achieve it:

  1. Sniff 2.4 GHz communication from the keyboard using an NRF24L01. Not sure how to do that; perhaps scanning all of the NRF's channels for some communication? Should I expect 802.11 interference from wireless routers around?

  2. After I can determine the RF coming out of the keyboard, the next step would be to reverse the protocol in use. Not sure how to go here either; I guess that it would be some sort of trial and error…

  3. Use some MCU or similar to relay the keyboard information as HID over USB.

Does this seem the right direction here?
Any advice about the sniffing/reversing part?
Is it too ambitious / can't it be done?

Best Answer

Well, I have found two main ways to sniff and decode NRF24 communication:

Both methods come with detailed instructions on how to perform a promiscuous scan of NRF24 addresses (the hard part), allowing one to find the specific address of the keyboard to reverse. This task is not trivial since the base address length can be up to 4 bytes, which leaves us with too many combinations to brute force.

After the base address is found, and a solid sniffing channel is established with the keyboard, it is relatively easy to extract the XOR encryption key used to encrypt communication between the keyboard and the lost dongle. With the key it is almost trivial to reconstruct the original communication between the wireless keyboard and the missing dongle, and there are more than enough ways of achieving that; one even involves using an Arduino with a DFU upgrade.

An interesting fact to note is that the XOR encryption key can be easily extracted once the NRF24 base address is established, since HID packets usually contain many zeros (0), and XOR between the encryption key and zeros reveals the key, sometimes more than once in a single packet! :)

There is also a port of the GoodFET to Arduino, but I couldn't find good examples of how to use it properly on an Arduino-based MCU.
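The answer's key observation (a fixed XOR key applied to HID reports that are mostly zero bytes leaks the key byte-for-byte) is the classic known-plaintext weakness of a static keystream. The following is an added, self-contained example, not code from the original post or from any Logitech or GoodFET project: it builds a few constructed 8-byte boot-protocol keyboard reports, "encrypts" them with a constructed 8-byte key, and recovers that key purely from the ciphertext by taking, per byte position, the most frequent ciphertext value (which is `key[i] ^ 0`, because zero is the dominant plaintext byte at every position). The key, the keycodes and the report layout are all assumptions for the demonstration; no real radio protocol or address is involved.

```python
# Added educational example: why a static XOR key over HID keyboard reports
# can be recovered from ciphertext alone. All inputs below are constructed.
from collections import Counter

# Boot-protocol keyboard report: [modifiers, reserved=0, key1..key6]
REPORT_LEN = 8

# Constructed 8-byte key (assumption; nothing to do with any real device).
DEMO_KEY = bytes.fromhex("a55a3cc30ff06996")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_reports(keycodes):
    """Constructed plaintext: one press report per keycode, each followed by
    an all-zero release report, as a real keyboard would emit."""
    reports = []
    for kc in keycodes:
        press = bytearray(REPORT_LEN)
        press[2] = kc            # first keycode slot; everything else stays 0
        reports.append(bytes(press))
        reports.append(bytes(REPORT_LEN))  # key release: all zeros
    return reports


def recover_key(ciphertexts, key_len):
    """Per key position i, the most common ciphertext byte is key[i] ^ 0,
    because zero is by far the most frequent plaintext byte in HID reports."""
    columns = [Counter() for _ in range(key_len)]
    for ct in ciphertexts:
        for i, b in enumerate(ct):
            columns[i % key_len][b] += 1
    return bytes(col.most_common(1)[0][0] for col in columns)


def looks_like_hid_report(report: bytes) -> bool:
    """Sanity check used to confirm a candidate key: reserved byte must be 0
    and keycode slots must fall inside the keyboard usage page (<= 0xE7)."""
    return (len(report) == REPORT_LEN
            and report[1] == 0
            and all(k <= 0xE7 for k in report[2:]))


def demo():
    """Run the full recovery on constructed traffic; returns
    (recovered_key, all_decrypted_reports_valid)."""
    plaintexts = make_reports([0x04, 0x05, 0x06, 0x2C])   # 'a', 'b', 'c', space
    ciphertexts = [xor_bytes(p, DEMO_KEY) for p in plaintexts]
    guess = recover_key(ciphertexts, REPORT_LEN)
    decrypted = [xor_bytes(c, guess) for c in ciphertexts]
    return guess, all(looks_like_hid_report(d) for d in decrypted)


if __name__ == "__main__":
    key, ok = demo()
    print("recovered key:", key.hex(), "| decrypts to valid HID reports:", ok)
```

The recovery works as long as, at every position, zero appears more often than any single other plaintext byte; with alternating press/release reports that holds even for a handful of packets. The same exercise shows what a sound design needs: a keystream that changes per packet (a counter or nonce mixed into an authenticated cipher) rather than a fixed key reused across reports.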