I came up with the idea of creating a simple keypad lock using this Keypad Matrix 3x4.
Now I want to brute-force the password using another Arduino, so I connect some GPIOs from my attacking Arduino to the GPIOs of the victim Arduino.
In order to trigger the numbers I set the two GPIOs from the reference table (second link) to gpio.High and then to gpio.Low to close the connection (I can trigger the button press with no problems by creating a short circuit between two GPIOs of the victim Arduino).
My problem is that I get something like a race condition (maybe some voltage leak), and also some combinations do not work.
So my question is: how am I supposed to connect the cables? (Bear in mind that I have a resistor in every connection from the attacking Arduino to the victim.) Do I have to use some more components? Why do I have "voltage leaks"?
- Creating a "short circuit" should be a last resort. As your question does not include a circuit diagram of the target in the body of the post it's hard to be specific, but it sounds like you have a matrix-scanned keypad. Generally, to do this without a controllable pass switch, what you would want to do is detect when a line on one side of the matrix is driven, and drive the line on the input side corresponding to the key you want to activate. If the scanning is fast, this may need to be interrupt based. Generally, protection against this is to limit try rates and opportunities. (Chris Stratton, commented Oct 4, 2018 at 15:45)
- I was told to use transistors as a switch, but I cannot understand how this will avoid the voltage leaks :/. My connection is the same as in the picture tutorial, but instead of the keypad I use an Arduino. For example, if I want to trigger number one I set gpios 2+3 from my attacking pi to gpio.High. It's the same connection but with an Arduino. I will update my question with a diagram. Thanks for your answer! (ItsYou, commented Oct 4, 2018 at 15:48)
- Think: how does your first Arduino read the keypad? (Stack Exchange Broke The Law, commented Aug 29, 2022 at 19:23)
2 Answers
In the second link you see that the input lines are pulled up to +5V. This tells you that the inputs are active low, as you can also see if you look at the keypad.cpp file I assume you are using on the target Arduino to read the keypad.
// From Keypad::scanKeys() in the Keypad library's keypad.cpp: the scan the target runs.
void Keypad::scanKeys() {
    // Re-initialize the row pins as inputs with the internal pull-up, so an idle row reads HIGH.
    for (byte r=0; r<sizeKpd.rows; r++) {
        pin_mode(rowPins[r],INPUT_PULLUP);
    }

    // bitMap stores ALL the keys that are being pressed.
    for (byte c=0; c<sizeKpd.columns; c++) {
        pin_mode(columnPins[c],OUTPUT);
        pin_write(columnPins[c], LOW);    // Begin column pulse output.
        for (byte r=0; r<sizeKpd.rows; r++) {
            bitWrite(bitMap[r], c, !pin_read(rowPins[r]));  // keypress is active low so invert to high.
        }
        // Set pin to high impedance input. Effectively ends column pulse.
        pin_write(columnPins[c],HIGH);
        pin_mode(columnPins[c],INPUT);
    }
}
You can get away with transistors that selectively connect the column lines to the row pins, but you need to look at the cross connection: the columns are strobed low one at a time to read across the matrix of keys, and the resulting table of bits is then translated into a keypress. Since the columns are low at separate times, you need to make sure there's no cross-conduction to the one column that is low while it is being scanned. I think that's what you mean by 'voltage leaks': reverse-biased FETs will conduct due to the intrinsic body diode, so an additional diode would be needed. It looks like the column outputs momentarily go high before going open after each scan.
The next issue is going to be timing: detecting when a keystroke has been scanned, and holding the inputs at the right values while that occurs; then I'd guess that the target looks for a no-press before looking for the next key. You should be able to see the three column outputs strobing low for each read cycle with the second Arduino, and time the key simulation from that. Once you're looking at the column outputs, you could also just use an interrupt-driven routine that switches the row inputs to the chosen state directly for each character required; you'd need to check the timing of the strobing to make sure that is achievable in the time available.
A CMOS quad switch can be used for matrix switch simulation, using a supply >= the target's, preferably sharing the same supply to prevent SCR shoot-through on power cycle. There may be other ways, such as PNP arrays with input bias.
To properly simulate keypad entries that do not have N-key rollover, there must be dead time between the key activation of each switch.
Depending on your target's failed-attempt timeout, lockout or back-off algorithm, it can be hacked quickly or take a long time.
So the "key" answer is to "not key" between keys ;) to avoid races. T = TBD.
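The approach both answers describe, as an added example that is not code from either answer or from the Keypad library: a host-testable C++ model (Arduino-style, but without Arduino.h so it compiles anywhere) of the victim's column-strobe scan beside an attacker that drives a row line LOW only while the column of the wanted key is strobed, leaves it high-impedance otherwise, and keeps dead-time scans between keys as the second answer asks. The 3x4 layout, the hold and gap counts, and the names Injector, Victim and typeSequence are assumptions; a naive mode holds the row LOW across all three strobes to show the ghost keys ("voltage leaks") that cross-conduction produces.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>

static const uint8_t ROWS = 4, COLS = 3;
// Assumed 3x4 layout (row-major), as on the usual membrane keypad.
static const char KEYMAP[ROWS][COLS] = {
    {'1', '2', '3'}, {'4', '5', '6'}, {'7', '8', '9'}, {'*', '0', '#'}};

// Map a key to its (row, col); false if the key is not on the pad.
bool keyToRowCol(char key, uint8_t &row, uint8_t &col) {
    for (uint8_t r = 0; r < ROWS; r++)
        for (uint8_t c = 0; c < COLS; c++)
            if (KEYMAP[r][c] == key) { row = r; col = c; return true; }
    return false;
}

// Attacker side (assumed design). Each victim row line is either left high-impedance
// (our pin as INPUT, so the victim's pull-up wins) or driven LOW, and only between the
// falling and rising edge of the strobe on the key's own column. Holding it LOW across
// the other strobes is the cross-conduction the first answer warns about (naive = true).
struct Injector {
    const char *seq;              // keys to type, e.g. one PIN guess
    size_t idx = 0;               // index of the key being typed
    uint8_t targetRow = 0, targetCol = 0;
    bool pressing = false;        // true while the current key is "held"
    uint8_t scans = 0;            // full scan cycles spent in this phase
    uint8_t holdScans;            // scans to hold a key (>= victim debounce)
    uint8_t gapScans;             // dead-time scans between keys (second answer)
    bool rowLow[ROWS] = {};       // electrical state of our row pins
    bool naive;                   // hold the row LOW regardless of column

    Injector(const char *s, uint8_t hold, uint8_t gap, bool naiveMode = false)
        : seq(s), holdScans(hold), gapScans(gap), naive(naiveMode) { loadKey(); }

    void releaseRows() { std::memset(rowLow, 0, sizeof rowLow); }
    void loadKey() {              // start pressing seq[idx], or go idle at the end
        pressing = seq[idx] != '\0' && keyToRowCol(seq[idx], targetRow, targetCol);
        scans = 0;
    }
    void advance() { idx++; loadKey(); }

    // Victim pulled column c LOW (falling-edge interrupt on that line).
    void onColumnLow(uint8_t c) {
        releaseRows();
        if (pressing && (naive || c == targetCol)) rowLow[targetRow] = true;
    }
    // Victim ended the column pulse (rising edge); the last column closes a scan.
    void onColumnHigh(uint8_t c) {
        if (!naive) releaseRows();
        if (c == COLS - 1) endOfScan();
    }
    void endOfScan() {
        scans++;
        if (pressing) {
            if (scans >= holdScans) {          // held long enough: release
                pressing = false; scans = 0; releaseRows();
                if (gapScans == 0) advance();  // no dead time: next key at once
            }
        } else if (seq[idx] != '\0' && scans >= gapScans) {
            advance();                         // dead time over: next key
        }
    }
    bool done() const { return seq[idx] == '\0' && !pressing; }
};

// Victim side, mirroring the Keypad::scanKeys() loop quoted in the first answer: strobe
// each column LOW, sample the pulled-up rows, end the pulse. No physical keys modelled.
struct Victim {
    uint8_t bitMap[ROWS] = {};    // bit c of bitMap[r] set: key (r,c) read as pressed
    void scan(Injector &atk) {
        for (uint8_t c = 0; c < COLS; c++) {
            atk.onColumnLow(c);                 // pin_write(columnPins[c], LOW)
            for (uint8_t r = 0; r < ROWS; r++) // bitWrite(bitMap[r], c, !pin_read(rowPins[r]))
                bitMap[r] = atk.rowLow[r] ? (bitMap[r] | (1 << c)) : (bitMap[r] & ~(1 << c));
            atk.onColumnHigh(c);                // pin_write HIGH, pin_mode INPUT
        }
    }
    // Number of keys seen pressed; `key` receives the first of them (0 if none).
    int pressed(char &key) const {
        int n = 0; key = 0;
        for (uint8_t r = 0; r < ROWS; r++)
            for (uint8_t c = 0; c < COLS; c++)
                if ((bitMap[r] >> c) & 1) { if (!key) key = KEYMAP[r][c]; n++; }
        return n;
    }
};

// keys: what the victim registered ('?' where several appeared at once);
// events: press events (bitmap going from empty to non-empty); ghostScans: scans with >1 key.
struct Result { char keys[32]; int events; int ghostScans; };

// Run victim scans against the injector until the whole sequence has been typed.
Result typeSequence(const char *pin, uint8_t hold, uint8_t gap, bool naive) {
    Injector atk(pin, hold, gap, naive);
    Victim v;
    Result res = {};             // zero-filled, so res.keys stays NUL-terminated
    int prev = 0;
    for (int guard = 0; guard < 10000 && !atk.done(); guard++) {
        v.scan(atk);
        char key; int n = v.pressed(key);
        if (n > 1) res.ghostScans++;
        if (n > 0 && prev == 0 && res.events < 31) res.keys[res.events++] = (n == 1) ? key : '?';
        prev = n;
    }
    return res;
}
```

On a real attacking board the two callbacks go in a CHANGE interrupt on each column line, and rowLow[r] is applied as pinMode(rowPin, OUTPUT) plus digitalWrite(rowPin, LOW) when true and pinMode(rowPin, INPUT) when false, so the row is never tied to anything while another column is strobed. The column pulse in the quoted loop lasts only as long as the four row reads, so interrupt latency plus the pin writes have to fit inside it; check that with a logic analyser before trusting the timing. Set holdScans to cover the victim's debounce window (the Keypad library defaults to 10 ms) and gapScans to at least one scan, otherwise two identical keys in a row merge into one press, which is what typeSequence("11", 2, 0, false) reports; typeSequence("1234", 2, 1, true) shows the naive mode registering three keys per scan instead of one.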