finds.dev← search

// the find

RoganDawes/LOGITacker

★ 738 · C · GPL-3.0 · updated Jan 2024

Enumerate and test Logitech wireless input devices for vulnerabilities with a nRF52840 radio dongle.

LOGITacker is firmware for the nRF52840 dongle that turns it into a standalone RF attack platform targeting Logitech wireless peripherals. It runs entirely on-device — no host software needed beyond a serial terminal — and covers MouseJack injection, forced pairing, AES key sniffing from pairing (CVE-2019-13052), and encrypted keystroke injection once a key is obtained. The target audience is security researchers and pentesters auditing Logitech Unifying deployments.

The pseudo-promiscuous discovery mode is well-optimized for Logitech's 2.4 GHz protocol specifically, which lets it find devices faster than generic ESB sniffers. The on-device scripting engine with flash persistence is genuinely useful — you can configure it to auto-inject on device discovery with no host attached, which makes physical drop scenarios practical. AES key handling is end-to-end: sniff pairing, derive key, store to flash, inject encrypted — the full attack chain runs without exfiltrating data to a host. USB pass-through (mirroring decrypted RF input to the host's HID stack) is a clever way to use it as a live eavesdropping tap.

The README is explicitly marked 'under construction' and several sections are 't.b.d.' — the raw USB HID format doc and headless automation guide are stubs, which hurts anyone trying to build tooling around the raw interface. No build instructions are included; pre-built hex files are shipped in the repo, which means you're trusting binaries you can't reproduce without the full Nordic SDK setup that isn't documented here. The project has been dormant since early 2024 and targets the nRF5 SDK (legacy), not the newer nRF Connect SDK — the underlying framework is effectively deprecated, so any nRF52840 board-support additions require working against old tooling. KeyJack and CVE-2019-13053 are explicitly out of scope and punted to mjackit, so the coverage gap against patched receivers is real.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →