Open source DIY hardware keylogger

KeeLog has decided to release an early version of its hardware keylogger family to the public domain, including full firmware & software source code, keylogger hardware electrical schematics, and documentation. This PS/2 key logger is a 100% operational and tested device, assembled and used by hundreds of people around the world. Operation of this hardware key logger is similar to the KeyGrabber PS/2. We provide the application KeyGrab for retrieval and analysis of recorded keystroke data. However, please note that this DIY hardware keylogger project is provided as is, with all faults, and with no warranty whatsoever.

Tools and components

Before you start, go down this list to check if you have all the tools and skills needed to accomplish this hardware keylogger project:
- some experience in electronics hardware
- a soldering iron
- a microcontroller programmer (supporting the Atmel AT89CXX51 family)

The following components are required for the hardware keylogger project:
- Atmel AT89C2051 microcontroller (or AT89C1051, AT89C4051)
- AT24C512 serial EEPROM chip (or compatible)
- 12 MHz crystal
- 2 x 33 pF capacitor
- 10 uF capacitor
- 10 k resistor
- small push-button

Finally, casing for the hardware keylogger is required. A good idea is to buy a PS/2 extension cable and a 4-inch piece of heat-shrinkable tubing, which can be thermally wrapped around the ready-made keylogger.

Put it together

Program the keylogger microcontroller firmware first. Start your programmer software, pick the AT89C2051, and burn the flash with the binary file or the hex version. You may also recompile the source using the source code and an 8051 compiler. Soldering is probably the most difficult part of the project, as the keylogger hardware should be made as small as possible. The keylogger hardware schematics below show how connections should be made between components.

Solder the components together, starting from the microcontroller and the EEPROM. Unused IC pins can be removed; they will be difficult to remove after the device is finished. Make the hardware keylogger as compact as possible, but avoid short circuits. When mounting the capacitor, make sure its polarity is correct. Finally, after the main components are connected, solder the PS/2 connectors to the keylogger. A good idea is to cut the PS/2 extension cable into two pieces and solder each part separately. Make sure you put the heat-shrink tubing on one part of the cable. Connect all four used PS/2 pins (CLK, DATA, VCC, and GND) on both connectors (at the keyboard and at the computer). Make sure the push button is accessible. The keylogger circuit should look somewhat like the prototype shown on the photo. Before pulling the thermal tubing around the hardware keylogger, a good idea is to let some glue or resin in between the components, to make the device more rigid. Finally, pull the thermal tubing on, heat it until it wraps around the soldered components, and cut out a small hole so the button is accessible.

Record mode

The hardware keylogger starts recording key data once plugged between the keyboard and the computer. Find the PS/2 connector at the computer. Disconnect the keyboard. Connect the hardware keylogger in place of the keyboard. Connect the keyboard to the keylogger. On computer power-up, data will start recording. All key data sent by the keyboard will be recorded to 64 kB of hardware non-volatile EEPROM memory. Record mode is completely independent from the operating system installed on the computer. The keylogger is completely transparent for computer operation and cannot be detected by software in record mode.

Playback mode

Once the hardware keylogger has recorded key data, it can be retrieved to any PC running Windows 9X/Me/XP/2000. The hardware keylogger does this by simulating keyboard keystrokes. The transmitted keystroke data is acquired by the KeyGrab application. Once this data has been transmitted to the computer, it can be processed and analyzed. Run the KeyGrab application and follow these instructions for initiating data download:
1. Connect the hardware keylogger instead of the keyboard. Do not connect the keyboard.
2. Click on the KeyGrab title bar to make it the active application.
3. Press the button on the hardware keylogger to initiate data download. Do not change the active application during transmission. Data is transmitted in descending order, to show keys pressed recently first. Keystrokes that occurred a long time ago are transmitted later.
4. Press the button again to finish transmission. Do this when the desired keystroke data has been downloaded to the PC.
5. Disconnect the hardware keylogger and plug your PS/2 keyboard back in.

Data analysis

When downloading keystroke data to the KeyGrab main table, it is automatically preprocessed to show the key data logged during recording. You can analyze the table manually, or use some of the search options. The table columns are:
1. Position in keylogger hardware memory used by the keyboard event (hex form).
2. Captured and logged keystroke.
3. Event that took place: a key press or release.
4. Keystroke scancode on the PS/2 bus (hex form).
5. Last memory position written during recording (hex form).
6. Keylogger hardware memory size (in kilobits).

The only columns of any interest to the user are Key (2) and Action (3). These columns code what keys have been pressed and released. Keylogger data is transmitted in reverse chronological order (recent keystroke data first). Scroll the bar to see the keystroke history during recording.

Download

The DIY hardware keylogger data retrieval and analysis application for Windows 9X/ME/2000/XP: KeyGrab.
The full source code for the AT89C2051 microcontroller: Source code (.asm).
The precompiled AT89C2051 hardware keylogger firmware is also available: BIN file (.bin), HEX file (.hex).

Things you should know

We encourage you to read this section to avoid problems that might occur using the hardware keylogger. Please read our user agreement.

Legal liability
1. Countries have different laws about logging keyboard data. Not knowing the law does not allow you not to obey it.
2. You should not use this device to intercept data you are not authorized to possess, especially passwords, banking data, confidential correspondence etc. Most countries recognize this as a crime.
3. We do not take any responsibility for any damage or harm caused by the use of this hardware.

Key data logging
1. The hardware keylogger has 64 kB of non-volatile EEPROM (0. When this memory is full, writing will start over again from the first memory location. The oldest data will be lost.
2. The first 128 bytes of memory are reserved for configuration data, such as saving the last memory access address. The last memory access address is updated approximately every 10 seconds.
3. Do not leave the hardware keylogger connected in record mode when [...]; this will use memory and cause old, sometimes important, data to be overwritten.
4. Although the hardware keylogger has 64 kB of memory, this doesn't mean 64 thousand keystrokes can be memorized. One key-press-release sequence requires 3 bytes for a standard key and 5 bytes for an extended key. You can notice this analyzing raw data logged by the hardware keylogger. Logging has been optimized in the commercial versions.

Key data transmission
1. The hardware keylogger transmits data back to the computer simulating the keyboard. The active application must be KeyGrab. In any other case, either Windows or a different application will start interpreting the simulated keystrokes coming from the hardware keylogger.
2. The real keyboard has to be disconnected during transmission.
3. Keystroke data is retrieved in reverse chronological order. This is to provide recent data first. You have to wait a while to get very old keyboard data. The whole transmission process can last up to 20 minutes.
4. Transmission must be terminated manually by pressing the push-button again. Do this when the keystroke data starts getting duplicated.
5. For keystroke data retrieval you will need at least a 100 MHz Pentium class computer with Windows 9X/Me/XP/2000 installed.

PS/2 keyboard operation
1. The PS/2 keyboard is a bit more complicated than you might think. You can read about this in the short section The PS/2 keyboard protocol below.
2. The keyboard sends information about keys which have been pressed and released. The PC keyboard generates one character each time a key is pressed. When the key is released, the character is generated again with a preceding 240 (F0 hex) character. There are also extended keys using the 224 (E0 hex) character.

The PS/2 keyboard protocol

Background

If you were to cut a PS/2 keyboard cable through, you would probably find 6 wires within. Only 4 of these are meaningful. Two of these are power lines: ground (GND) and +5 volts (VCC) from the computer power supply. The other two wires are asynchronous transmission lines: the data line (DATA) and the clock line (CLK). You can see how these lines correspond to DIN (a) and miniDIN (b) connector pins on the figure to the right. Transmission is bi-directional; however, the keyboard is the superior side (it generates the clock). The keyboard puts successive bits on the DATA line, and clocks them with negative impulses on the CLK line. The data chunk consists of only one byte, preceded with a start bit, and followed by a parity and a stop bit. Clock frequency is 10..30 kHz. This would be a very nice serial protocol if it wasn't for the computer, which occasionally wants to send information to the keyboard, like interrupting a transmission, character repeat etc. In such cases, the PC pulls the CLK line low for some time and waits for the keyboard to start generating impulses. When these impulses start, it clocks its own character in on the DATA line. However, these are very rare cases. You can see state diagrams of keyboard to host (a) and host to keyboard (b) transmission on the figure below.

Bus data

So what is actually transmitted through the keyboard lines? On startup both the keyboard and the computer send initialization data, informing that they are OK. When the computer is running normally, only the keyboard sends data. This is data about every event that took place. An event is considered a key being pressed or released. Every key has exactly one scancode, creating a map of scancodes. Normal and special keys are common for all national keyboard layouts with regard to the map of scancodes. If a standard key is pressed, its so-called "scancode" is sent. If a key is released, first the special byte 240 (F0 hex) is sent, then the key's scancode is sent. So a standard keystroke causes 3 characters to be sent down the line. If a key is held down for some time, its scancode will be generated constantly with the set repetition delay. When it's finally released, the 240 (F0 hex) character will be sent, followed by the scancode. This would still be a nice protocol if it wasn't for some special keys present on the standard PC keyboard, like Home, End, the arrows, etc. When a special key is pressed, the byte 224 (E0 hex) is generated, followed by the scancode. When a special key is released, the sequence 224, 240 is fired (E0, F0), followed by the scancode. This protocol has of course a few exceptions. To make the story a bit more complicated, two super-special keys exist, Print Screen and Pause, which cause a whole sequence of scancodes to be transmitted. For a keyboard interfacer, it's best to pretend these keys do not exist.

Data logging

The microcontroller monitors the DATA and CLK lines all the time, acquiring all data. Data is logged to non-volatile EEPROM memory as it goes down the line. Thanks to this, the user can later find out about every event on the keyboard. When the user decides recording is over and presses the button, the hardware keylogger switches to playback mode. The keyboard should be disconnected. The keylogger starts simulating key data from internal hardware memory. Normal keys are simulated as they were written in memory, and special keys are transmitted using a two-byte hex code. The KeyGrab application has to be active to process the flow of data from the keylogger hardware; otherwise Windows or another application will interpret the data flow as ordinary keystrokes.
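As an added illustration of the bus traffic described in the protocol section above (this is example code, not KeeLog's firmware or the KeyGrab application), the following Python builds and checks the 11-bit PS/2 frame with its odd parity bit, and turns the E0/F0-prefixed scancode stream into press/release events, showing why a standard keystroke costs 3 bytes and an extended one 5. The sample scancodes 0x1C (A) and 0x6C (Home) are constructed from scancode set 2 and are not values from the page.

```python
from dataclasses import dataclass
EXTENDED = 0xE0  # 224: prefix before the scancode of a special key (Home, End, arrows ...)
RELEASE = 0xF0   # 240: prefix before the scancode of a released key

def encode_ps2_frame(byte: int) -> list[int]:
    """11-bit frame as the keyboard clocks it out: start (0), 8 data bits LSB first,
    odd parity, stop (1)."""
    data = [(byte >> i) & 1 for i in range(8)]
    parity = 1 - sum(data) % 2  # odd parity: data + parity bit hold an odd number of ones
    return [0] + data + [parity, 1]

def decode_ps2_frame(bits: list[int]) -> int:
    """Check start/stop bits and parity of one frame; return the data byte."""
    if len(bits) != 11 or bits[0] != 0 or bits[10] != 1:
        raise ValueError("bad frame: start or stop bit wrong")
    data = bits[1:9]
    if (sum(data) + bits[9]) % 2 != 1:
        raise ValueError("bad frame: parity error")
    return sum(b << i for i, b in enumerate(data))

@dataclass(frozen=True)
class KeyEvent:
    scancode: int
    extended: bool  # E0 prefix seen
    released: bool  # F0 prefix seen

def parse_scancodes(stream: bytes) -> list[KeyEvent]:
    """Turn the raw byte stream into press/release events. E0 and F0 only modify the
    scancode that follows; a trailing prefix without a scancode is dropped. Print Screen
    and Pause multi-byte sequences are not handled, as the text advises."""
    events: list[KeyEvent] = []
    extended = released = False
    for b in stream:
        if b == EXTENDED:
            extended = True
        elif b == RELEASE:
            released = True
        else:
            events.append(KeyEvent(b, extended, released))
            extended = released = False
    return events

def keystroke_bytes(scancode: int, extended: bool) -> bytes:
    """Bytes one press-and-release puts on the bus (and in the log): 3 standard, 5 extended."""
    prefix = bytes([EXTENDED]) if extended else b""
    return prefix + bytes([scancode]) + prefix + bytes([RELEASE, scancode])

# Constructed sample, not captured data: scancode set 2 codes for A (0x1C) and Home (0x6C).
SAMPLE_STREAM = keystroke_bytes(0x1C, False) + keystroke_bytes(0x6C, True)
```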