Our keyboards are tracking us

14 points | by tukunjil 1 day ago

3 comments

  • atmanactive 1 day ago
  • toast0 1 day ago
    Can you use Simple Keyboard?

    https://github.com/rkkr/simple-keyboard

    It's not smart at all, but it's also not smart at all.

    • rasz 1 day ago
      Keyboards were always dangerous.

      The very first 1981 IBM PC 5150 had a special diagnostic backdoor routine hidden in its POST code:

      https://minuszerodegrees.net/5150/post/5150%20-%20POST%20-%2...

      IF REQUESTED, LOAD DIAG. CODE "Take the clock pin in the motherboard's keyboard DIN connector LOW for 40 ms. (Done by the KBD_RESET subroutine.) If the attached device responds with the byte of 65h, the attached device is a special IBM device that supplies diagnostic/test code to the 5150 via the keyboard port. If 65h received, load in the diagnostic/test code (255 bytes) via the keyboard port, then execute the code."

      Not that dangerous, as it was only active for a split second during boot. But it gave people ideas. Zenith Data Systems implemented something similar in its ZBIOS, except meant to be active _at all times_ while the computer runs :o

      seg000:7B03 in https://github.com/raszpl/Zenith_ZBIOS/blob/main/Zenith%20Z-... :

          seg000:7B03 Backdoor_loader proc near              ; CODE XREF: Keyboard_Process_Modifiers+30↑p
            cli
            mov     ah, IO_Port_64h_KBC_CMD_60_WRITE_CONFIG
            call    Keyboard_KBC_command
            call    Keyboard_KBC_wait_input_ready
            mov     al, 5                                    ; magic Keyboard command to initialize backdoor code upload
            out     IO_Port_60h_KBD_Command, al
            call    Keyboard_Read_Synchronous
            mov     cl, al
            call    Keyboard_Read_Synchronous
            mov     ch, al
            mov     ax, 0
            mov     es, ax
            mov     di, offset 500h                          ; payload lands at 500h
          
          backdoor_load_loop:
            call    Keyboard_Read_Synchronous
            stosb
            loop    backdoor_load_loop
            jmp     far ptr 0:500h                           ; executing our payload
          Backdoor_loader endp
      
      
      triggered by pressing [ then T while holding Ctrl:

          check_Backdoor_init_key:                           ; CODE XREF: Keyboard_Process_Modifiers+E↑j
             cmp     ch, 1Bh                                 ; Set-1 scancode [ (Left Bracket) key
             jnz     short check_Backdoor_trigger_key
             or      byte ptr cs:0CEh, 1
             jmp     error_exit
      
          check_Backdoor_trigger_key:
             cmp     ch, 14h                                 ; Set-1 scancode T key
             jnz     short clear_backdoor_gate
             test    byte ptr cs:0CEh, 1
             jz      short clear_backdoor_gate
             call    Backdoor_loader
      
      
      Good news for Zenith customers from 1989: someone with more sense disabled this in the final BIOS, but the dead code is still there :)
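The two ZBIOS fragments quoted in the comment above are small enough to model exactly, which is a useful way to check one's reading of a disassembly before writing it up. The following Python is an added example, not code from the thread, from the ZBIOS repository, or from Zenith: it replays the key-gate logic (`[` sets a bit at cs:0CEh, `T` with that bit set calls the loader, anything else clears it) and the loader's data path (a little-endian 16-bit count read as `cl` then `ch`, then that many `stosb` writes starting at 0000:0500h). The function names and the assumption that `clear_backdoor_gate` simply clears the bit are mine; the scancodes, port command and addresses come from the listing. One detail the model makes visible that the listing does not spell out: `loop` decrements CX before testing it, so a count of 0 runs 65536 iterations and DI wraps within the 64 KiB segment.

```python
# Added example: a model of the Zenith ZBIOS backdoor gate and loader fragments
# quoted in the thread. Constants are taken from the disassembly; names are mine.

SCANCODE_LBRACKET = 0x1B   # Set-1 make code for '[' (cmp ch, 1Bh in the listing)
SCANCODE_T = 0x14          # Set-1 make code for 'T' (cmp ch, 14h in the listing)
GATE_BIT = 0x01            # bit kept at cs:0CEh
PAYLOAD_SEGMENT = 0x0000   # mov es, 0
PAYLOAD_OFFSET = 0x0500    # mov di, offset 500h


def gate_would_fire(scancodes):
    """Model check_Backdoor_init_key / check_Backdoor_trigger_key.

    `scancodes` is a sequence of Set-1 make codes as the caller
    (Keyboard_Process_Modifiers, i.e. with Ctrl held) would pass them down.
    Returns True if Backdoor_loader would be called.
    """
    gate = 0
    for code in scancodes:
        if code == SCANCODE_LBRACKET:
            gate |= GATE_BIT             # or byte ptr cs:0CEh, 1 ; jmp error_exit
        elif code == SCANCODE_T and gate & GATE_BIT:
            return True                  # call Backdoor_loader
        else:
            gate = 0                     # clear_backdoor_gate (assumed to clear the bit)
    return False


def loader_writes(kbd_stream):
    """Replay Backdoor_loader's reads against an iterator of bytes that stands in
    for Keyboard_Read_Synchronous (i.e. whatever device is on the keyboard port).

    Returns (cx, list_of_offsets_written, segment_image).
    """
    it = iter(kbd_stream)
    cl = next(it)                        # call Keyboard_Read_Synchronous ; mov cl, al
    ch = next(it)                        # call Keyboard_Read_Synchronous ; mov ch, al
    cx = cl | (ch << 8)
    # `loop` decrements CX first and exits when it reaches zero, so CX == 0
    # means 65536 iterations. stosb increments the 16-bit DI, which wraps.
    iterations = cx if cx else 0x10000
    segment = bytearray(0x10000)         # model of segment 0000h
    di = PAYLOAD_OFFSET
    written = []
    for _ in range(iterations):
        segment[di] = next(it)           # stosb
        written.append(di)
        di = (di + 1) & 0xFFFF
    return cx, written, segment


def entry_point_linear():
    """Linear address of `jmp far ptr 0:500h`."""
    return (PAYLOAD_SEGMENT << 4) + PAYLOAD_OFFSET


if __name__ == "__main__":
    # Constructed sample stream: count 3, then three payload bytes.
    cx, offsets, seg = loader_writes([3, 0, 0xAA, 0xBB, 0xCC])
    print("gate fires on [ then T:", gate_would_fire([SCANCODE_LBRACKET, SCANCODE_T]))
    print("gate fires on T alone:", gate_would_fire([SCANCODE_T]))
    print("count=%d, wrote offsets %s, entry at %05Xh"
          % (cx, [hex(o) for o in offsets], entry_point_linear()))
```

Running it shows the gate only survives from `[` directly into `T` (any other key in between resets it), and that the count bytes come from the device itself, which is the whole design problem: nothing on the host side validates what arrives on the port.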