Turning a Raspberry Pi Pico into a Bad USB

 

 

This guide will walk you through converting a Raspberry Pi Pico into a “Bad USB,” a device that can mimic a keyboard and execute pre-programmed scripts on a target computer. This is typically used for penetration testing and educational purposes.

 

Materials Needed:

• Raspberry Pi Pico
• Micro USB cable
• Computer with internet access
• MicroSD card (optional for storing scripts)
• Thonny IDE (or another code editor that supports MicroPython)

 

Step 1: Prepare the Raspberry Pi Pico

1. Download the MicroPython Firmware:
   • Visit the Raspberry Pi Pico MicroPython firmware page and download the latest .uf2 firmware file.
2. Install the MicroPython Firmware:
   • Connect your Raspberry Pi Pico to your computer using a Micro USB cable while holding the BOOTSEL button.
   • Release the button once the Pico is connected; it should appear as a removable storage device.
   • Drag and drop the .uf2 file onto the Pico’s storage. The Pico will reboot and be ready to run MicroPython.

Step 2: Install Thonny IDE

1. Download and Install Thonny:
   • Download Thonny IDE from the official website and install it on your computer.
2. Set Up Thonny for Pico:
   • Open Thonny.
   • Go to TOOLS > OPTIONS > INTERPRETER. 
   • Select “MicroPython (Raspberry Pi Pico)” from the dropdown menu.

Step 3: Writing the Bad USB Script

1. Create a Basic Script:
   • In Thonny, write a simple script that simulates keyboard input. Below is an example that opens Notepad on a Windows machine and types “Hello, World!”:

 

import time
import machine
import usb_hid
from adafruit_hid.keyboard import Keyboard
from adafruit_hid.keycode import Keycode

# Delay to allow time to remove the device after insertion
time.sleep(5)

# Initialize the keyboard
keyboard = Keyboard(usb_hid.devices)

# Press Windows + R to open Run dialog
keyboard.press(Keycode.WINDOWS, Keycode.R)
keyboard.release_all()

time.sleep(0.5)

# Type ‘notepad’ and press Enter
keyboard.write(‘notepad\n’)

time.sleep(1)

# Type ‘Hello, World!’
keyboard.write(‘Hello, World!’)

 

   2. Upload the Script to the Pico:

• Save the script as main.py in Thonny.
• Click the “Run” button in Thonny to upload the script to your Pico.
• The script will automatically execute whenever the Pico is connected to a computer.

 

Step 4: Testing the Bad USB

1. Safely Eject the Pico from your computer.
2. Plug the Pico into a Target Computer:
   • Insert the Pico into the USB port of the target computer.
   • After a few seconds, the script should start running, and you should see the Notepad application open with the text “Hello, World!” typed out.

Step 5: Customizing the Payload

1. Modify the Script:
   • You can customize the payload by editing the script in Thonny. For example, you can change the text, open different applications, or execute commands in the command prompt or terminal.
2. Adding More Functionality:
   • Consider adding more complex payloads, such as opening a web browser to a specific URL, downloading and executing files, or even creating reverse shells.
3. Using CircuitPython Libraries:
   • If you need more advanced features, you can use CircuitPython and additional libraries like adafruit_hid to create more sophisticated payloads.

Step 6: Safety and Ethics

1. Use Responsibly:

   • This tool should only be used for educational purposes or with explicit permission during penetration testing.
   • Misuse of such a device can lead to legal consequences.
2. Secure Your Device:
   • Ensure that your Pico is not left unattended or plugged into an unauthorized machine.

 

Your Raspberry Pi Pico is now set up as a Bad USB, capable of simulating a keyboard and executing pre-defined scripts on a target computer. With this guide, you have learned how to prepare the Pico, write a basic script, and test the device.

Remember to use this tool responsibly and ethically. Happy coding!