In logitech-usb-restore you seem to have:

for payload in payloads:
  response = dongle.send_command(0x21, 0x09, 0x0200, 0x0000, payload)
response = dongle.send_command(0x21, 0x09, 0x0200, 0x0000, payloads[0])

But the logitech tools only write the first packet once, at the end of the flashing process. I assume this is on the logic that if flashing fails the interrupt vector will be set at 0xffff and thus the bootloader does not start the runtime firmware. I think you probably should skip the first payload packet in the same way to avoid broken hardware if the flashing is interrupted.

Hi,

I like the fact that this repo managed to have support for flashing a Logitech Unifying adapter.
I was wondering if I could somehow use the code to flash something on the unifying dongle so it acts like a regular BLE device which I can use in Windows/Linux to control other devices.

IIRC, the nRF24LU1+ seems to be able to do this with it's standard firmware.

Thank you

I tried different importing methods but failed

./prog/usb-flasher/logitech-usb-flash.py bin/dongle.formatted.bin bin/dongle.formatted.ihx Traceback (most recent call last): File "./prog/usb-flasher/logitech-usb-flash.py", line 3, in <module> from unifying import * File "/home/zodiac/Downloads/nrf-research-firmware/prog/usb-flasher/unifying.py", line 19, in <module> import usb, logging, time, sys, struct, os ImportError: No module named usb make: *** [Makefile:33: logitech_install] Error 1

This is not really a plugin dongle, but a internal USB board from a Logitech Revue device.
It's listed as USB id 046d:c532 in lsusb:
Bus 001 Device 069: ID 046d:c532 Logitech, Inc. Unifying Receiver

Comparing to the regular unifying receiver the USB descriptor is reasonably similar:
FWIW firmware functions (sniffing etc) seem to work fine after flashing the research firmware.

--- /tmp/unifying.googletv      2017-01-07 16:03:16.836122815 +0100
+++ /tmp/unifying.k400  2017-01-07 16:03:35.956016041 +0100
@@ -2358,7 +2358,7 @@
         wMaxPacketSize     0x0008  1x 8 bytes
         bInterval              10
 
-Bus 001 Device 055: ID 046d:c532 Logitech, Inc. Unifying Receiver
+Bus 001 Device 057: ID 046d:c52b Logitech, Inc. Unifying Receiver
 Device Descriptor:
   bLength                18
   bDescriptorType         1
@@ -2366,10 +2366,10 @@
   bDeviceClass            0 (Defined at Interface level)
   bDeviceSubClass         0 
   bDeviceProtocol         0 
-  bMaxPacketSize0         8
+  bMaxPacketSize0        32
   idVendor           0x046d Logitech, Inc.
-  idProduct          0xc532 Unifying Receiver
-  bcdDevice           25.00
+  idProduct          0xc52b Unifying Receiver
+  bcdDevice           24.01
   iManufacturer           1 
   iProduct                2 
   iSerial                 0 
@@ -2462,7 +2462,7 @@
           bCountryCode            0 Not supported
           bNumDescriptors         1
           bDescriptorType        34 Report
-          wDescriptorLength      93
+          wDescriptorLength      98
          Report Descriptors: 
            ** UNAVAILABLE **
       Endpoint Descriptor:

Interestingly it's not recognized by the Logitech Unifying app.

The chip is a nRF24LU1+ (NRF24LU1P1024IK).

After updating the USB id in prog/usb-flasher/unifying.py I get:

[2017-01-07 17:31:41.659]  Computing the CRC of the firmware image
[2017-01-07 17:31:41.763]  Preparing USB payloads
[2017-01-07 17:31:41.812]  Found Logitech Unifying dongle - HID mode
[2017-01-07 17:31:41.812]  Detaching kernel driver from Logitech dongle - HID mode
[2017-01-07 17:31:42.053]  Putting dongle into firmware update mode
[2017-01-07 17:31:42.057]  10:FF:8F:81:F1:03:00
[2017-01-07 17:31:42.061]  10:FF:81:F1:01:25:00
[2017-01-07 17:31:42.062]  Incompatible Logitech Unifying dongle (type 25). Only Nordic Semiconductor based dongles are supported.
Makefile:33: recipe for target 'logitech_install' failed

Patching that check as well I get:

[2017-01-07 17:41:29.256]  Putting dongle into firmware update mode
[2017-01-07 17:41:29.260]  10:FF:8F:81:F1:03:00
[2017-01-07 17:41:29.262]  10:FF:81:F1:01:25:00
[2017-01-07 17:41:30.863]  Found Logitech Unifying dongle - firmware update mode
[2017-01-07 17:41:30.863]  Putting dongle into firmware update mode - firmware update mode
[...]
usb.core.USBError: [Errno 13] Access denied (insufficient permissions)

(it failed to reconnect with permission denied because after reenumeration with the new id the usb device is owned by root again)

The bootloader now shows up in lsusb as:
Bus 001 Device 070: ID 046d:aaaa Logitech, Inc.

Updating the device permissions again and rerunning finishes the update:

[...]
[2017-01-07 17:43:41.353]  Mark firmware update as completed
[2017-01-07 17:43:41.737]  20:00:00:01:02:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:FF:6B:5C:06:F4:28:24:A5:55:97:9E:7A:4F
[2017-01-07 17:43:41.737]  Restarting dongle into research firmware mode
[2017-01-07 17:43:41.739]  70:00:00:00:02:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:FF:6B:5C:06:F4:28:24:A5:55:97:9E:7A:4F

Which seems to have worked?
Bus 001 Device 071: ID 1915:0102 Nordic Semiconductor ASA
this matches the "Logitech dongle flashed with research firmware" usb id from unifying.py.

Firmware functions (sniffing etc) seem to work fine after flashing the research firmware.

Hi guys，I have a problem with jackit on nethunter. Make sure I plug my Crazyradio PA in my nethunter use a usb dongle, and I install jackit on my nethunter , but when I run jackit , it report Cannot find CrazyPA USB Dongle,Please make sure you have it preloaded with the mousejack firmware (my nethunter phone is Nexus 5, I flash offical nethunter kernel and chroot already, and I make sure my Crazyradio PA has been flash mousejack firmware)

I have a Logitech C-U0007 receiver, and tried flashing the firmware. As it always failed, I broke it open to see about programming it with SPI. However, it appears I might have an OTP part. Could anyone confirm?
The chip is marked:

NRF N
LU1PA
1111AP

i get this error response when i try to run the scanner.py and i have converted it to python \3

i ran the platformio command - the one from the github page - it completed successfully.
i plugged the teensy 3.6 into breadboard.
i connected pins between teensy and crazyradio PA.
i ran 'sudo make spi_install'
it returned: make: *** No rule to make target 'spi_install'. Stop.
im using cinnamon mint linux in virtualbox -- any ideas?

I have logitech mouse G700s.
lsusb says:
Bus 001 Device 075: ID 046d:c531 Logitech, Inc. C-U0007 [Unifying Receiver]

I modified the usb id in unifying.py
And I tried to dump the firmware.

But I get:

sudo python2 prog/usb-flasher/logitech-usb-backup.py firmware-backup.bin infopage.bin
[2019-01-17 20:54:00.392] Found Logitech Unifying dongle - HID mode
[2019-01-17 20:54:00.392] Detaching kernel driver from Logitech dongle - HID mode
[2019-01-17 20:54:00.557] Putting dongle into firmware update mode
Traceback (most recent call last):
File "prog/usb-flasher/logitech-usb-backup.py", line 19, in
dongle = unifying_dongle()
File "/home/zibri/nrf-research-firmware/prog/usb-flasher/unifying.py", line 63, in init
self.enter_firmware_update_mode()
File "/home/zibri/nrf-research-firmware/prog/usb-flasher/unifying.py", line 135, in enter_firmware_update_mode
response = self.send_command(0x21, 0x09, 0x0210, 0x0002, "\x10\xFF\x81\xF1\x01\x00\x00", ep=0x83)
File "/home/zibri/nrf-research-firmware/prog/usb-flasher/unifying.py", line 179, in send_command
ret = self.dongle.ctrl_transfer(request_type, request, value, index, data, timeout=timeout)
File "/usr/local/lib/python2.7/dist-packages/usb/core.py", line 1034, in ctrl_transfer
self._ctx.managed_claim_interface(self, interface_number)
File "/usr/local/lib/python2.7/dist-packages/usb/core.py", line 102, in wrapper
return f(self, *args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/usb/core.py", line 167, in managed_claim_interface
self.backend.claim_interface(self.handle, i)
File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 811, in claim_interface
_check(self.lib.libusb_claim_interface(dev_handle.handle, intf))
File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 2] Entity not found

i have a unifying receiver dongle which when plugged in always used to show nRF24LU1P-F32 BOOT LDR which i guess was due to no firmware on it so in hopes to get it working i flashed you nrf-research-firmware and apparently its just stuck on that, if i run the logitech-usb-restore it gets it back to nRF24LU1P-F32 BOOT LDR temporarily untill i unplug and replug i but cant get it to a state where i can flash the unifying receiver hex file or just remain back on nRF24LU1P-F32 BOOT LDR, any help is appreciated

on plugging it in i see this
[ 4362.570453] usb 1-1.1.2: new full-speed USB device number 17 using dwc_otg [ 4362.710982] usb 1-1.1.2: New USB device found, idVendor=1915, idProduct=0102, bcdDevice= 0.01 [ 4362.710996] usb 1-1.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 4362.711006] usb 1-1.1.2: Product: Research Firmware [ 4362.711015] usb 1-1.1.2: Manufacturer: RFStorm

on trying restore it goes to this
[ 4377.320480] usb 1-1.1.2: reset full-speed USB device number 17 using dwc_otg [ 4377.640455] usb 1-1.1.2: device descriptor read/64, error -32 [ 4377.892110] usb 1-1.1.2: device firmware changed [ 4377.892327] usb 1-1.1.2: USB disconnect, device number 17 [ 4377.990515] usb 1-1.1.2: new full-speed USB device number 18 using dwc_otg [ 4378.127593] usb 1-1.1.2: New USB device found, idVendor=1915, idProduct=0101, bcdDevice= 0.01 [ 4378.127604] usb 1-1.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 4378.127608] usb 1-1.1.2: Product: nRF24LU1P-F32 BOOT LDR [ 4378.127612] usb 1-1.1.2: Manufacturer: Nordic Semiconductor

https://github.com/BastilleResearch/nrf-research-firmware/blob/master/prog/usb-flasher/logitech-usb-restore.py#L33 rewrites the first payload packet (I assume to mask out the bootloader from being written) but it only writes an array of 31 bytes, not 32. The other payload entries all have 32 bytes.

Hello,
I would like to flash my Logitech dongle, I am just struggling to install the firmware, as I believe some of the commands are old and based on python 2.7? I am using Ubuntu 20.04. Could someone please help me install on this distribution?

See: https://wiki.makerdiary.com/nrf52840-mdk-usb-dongle/

Hi, I'm trying to downgrade my Unifying dongle with logitech-usb-restore and a VirtualMachine but I'm getting this error:

Could someone help me?
Thank you.

I am trying to write a scanner based on this to figure out if we have vulnerable devices in the company and then decommission them.

I have successfully installed the firmware on a logitech unifying dongle and now trying to scan, which works ok, but almost every time I cancel the script and start it again I get timeout errors from the usb library until I reset the USB device.

Could this be that while it is in (pseudo) promiscious mode it can't be initialized/enter it again? And that it would make sense to have a "reset" command for the driver to properly put it into the state it has after powering on, and call that command upon any kind of exit from the scripts?

I've got an old
Bus 001 Device 033: ID 046d:c52b Logitech, Inc. Unifying Receiver
dongle which i want to flash.
For this reason i am building a docker container.
Sadly it does stop with following error:

./prog/usb-flasher/logitech-usb-flash.py bin/dongle.formatted.bin bin/dongle.formatted.ihx
[2017-11-13 17:59:57.604] Computing the CRC of the firmware image
[2017-11-13 17:59:57.649] Preparing USB payloads
[2017-11-13 17:59:57.716] Found Logitech Unifying dongle - HID mode
[2017-11-13 17:59:57.716] Detaching kernel driver from Logitech dongle - HID mode
Traceback (most recent call last):
File "./prog/usb-flasher/logitech-usb-flash.py", line 42, in
dongle = unifying_dongle()
File "/data/mousejack/nrf-research-firmware/prog/usb-flasher/unifying.py", line 56, in init
if self.dongle.is_kernel_driver_active(ep):
File "/usr/local/lib/python2.7/dist-packages/usb/core.py", line 1061, in is_kernel_driver_active
self._ctx.managed_open()
File "/usr/local/lib/python2.7/dist-packages/usb/core.py", line 102, in wrapper
return f(self, *args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/usb/core.py", line 120, in managed_open
self.handle = self.backend.open_device(self.dev)
File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 786, in open_device
return _DeviceHandle(dev)
File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 643, in init
_check(_lib.libusb_open(self.devid, byref(self.handle)))
File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 595, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 19] No such device (it may have been disconnected)
make: *** [logitech_install] Error 1
Makefile:33: recipe for target 'logitech_install' failed
The command '/bin/sh -c make logitech_install' returned a non-zero code: 2

Any Idea what goes wrong here? Base image is current debian stretch.

Here the Docker file so far

FROM debian:stretch

RUN apt-get update &&
apt-get -y --no-install-recommends install sdcc binutils python python-pip make git libusb-1.0-0 &&
apt-get -y -u dist-upgrade &&
apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN pip2 install -U pip setuptools wheel
RUN pip2 install -U -I pyusb
RUN pip2 install -U platformio
RUN mkdir -p /data/mousejack/
WORKDIR /data/mousejack/
RUN git clone --depth=1 https://github.com/BastilleResearch/mousejack .
RUN git submodule init
RUN git submodule update
WORKDIR /data/mousejack/nrf-research-firmware
RUN make
RUN make logitech_install

The vendor flash tool stops before 0x7000 to avoid writing the bootloader (which could fail) but logitech-usb-restore seems to write the entire hex file.

A method to report the firmware's version would be useful.

Download and extract the Logitech firmware image, which will be named RQR_012_005_00028.hex or similar.
Download which Software to extrack firmware.

Python 2 is almost dead. Python3 has been around forever and should be the default.

I bought both C-U0007 and C-U0012 and both give me the same error message.

Incompatible Logitech Unifying dongle (type 24). Only Nordic Semiconductor based dongles are supported.

usb 1-1: new full-speed USB device number 6 using dwc2
usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1: Product: USB Receiver
usb 1-1: Manufacturer: Logitech
logitech-djreceiver 0003:046D:C52B.000F: hiddev96,hidraw0: USB HID v1.11 Device [Logitech USB Receiver] on usb-20980000.usb-1/input2

usb 1-1: new full-speed USB device number 7 using dwc2
usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1: Product: USB Receiver
usb 1-1: Manufacturer: Logitech
logitech-djreceiver 0003:046D:C52B.0012: hiddev96,hidraw0: USB HID v1.11 Device [Logitech USB Receiver] on usb-20980000.usb-1/input2

Hello

I have issue flashing firmware to CrazyRadio 2.0
After identifying device usb-flash.py script gives an error
Would appreciate any ideas or suggestions

user@user-VirtualBox:/opt/mousejack/nrf-research-firmware$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 003: ID 1915:7777 Nordic Semiconductor ASA
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
user@user-VirtualBox:/opt/mousejack/nrf-research-firmware$ sudo make install
[sudo] password for user:
./prog/usb-flasher/usb-flash.py bin/dongle.bin
[2023-10-03 07:52:13.178] Looking for a compatible device that can jump to the Nordic bootloader
[2023-10-03 07:52:13.224] Device found, jumping to the Nordic bootloader
Traceback (most recent call last):
File "./prog/usb-flasher/usb-flash.py", line 70, in
else: dongle.ctrl_transfer(0x40, 0xFF, 0, 0, (), timeout=usb_timeout)
File "/usr/local/lib/python2.7/dist-packages/usb/core.py", line 1079, in ctrl_transfer
self.__get_timeout(timeout))
File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 901, in ctrl_transfer
timeout))
File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 604, in _check
raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 32] Pipe error
Makefile:27: recipe for target 'install' failed
make: *** [install] Error 1

please advise below error when i am using make , I'm using kali linux
/opt/mousejack/nrf-research-firmware
sdcc --model-large --std-c99 -c src/main.c -o bin/main.rel
sdcc --model-large --std-c99 -c src/usb.c -o bin/usb.rel
sdcc --model-large --std-c99 -c src/usb_desc.c -o bin/usb_desc.rel
sdcc --model-large --std-c99 -c src/radio.c -o bin/radio.rel
sdcc --xram-loc 0x8000 --xram-size 2048 --model-large bin/main.rel bin/usb.rel bin/usb_desc.rel bin/radio.rel -o bin/dongle.ihx
objcopy -I ihex bin/dongle.ihx -O binary bin/dongle.bin
objcopy --pad-to 26622 --gap-fill 255 -I ihex bin/dongle.ihx -O binary bin/dongle.formatted.bin
objcopy -I binary bin/dongle.formatted.bin -O ihex bin/dongle.formatted.ihx

I was able to flash the dongle and use it in in Ubuntu however in Windows 10 when inserting the device, Windows first identifies it as "Unknown" in device manager and then it plays the disconnect sound multiple times. Using pyusb or hidapi, I cannot seem to find it either.

I've got a number of Logitech unifying dongles. Some are vulnerable, some are not. I want to flash some of the updated dongles with older firmware. Since it seems the older vulnerable firmware is no longer available, is it possible to back up the firmware on a device with older firmware and flash it on a new device?

Hi, i would really appraciate if someone could tell me if this will work with Crazyradio 2.0 which is based on nRF52840. In the description (https://www.bitcraze.io/products/crazyradio-2-0/) they say that it have mode behaves like a Crazyradio PA.

Thanks

sudo make install
./prog/usb-flasher/usb-flash.py bin/dongle.bin
Traceback (most recent call last):
File "./prog/usb-flasher/usb-flash.py", line 20, in
import usb, time, sys, array, logging
ImportError: No module named usb
make: *** [Makefile:27: install] Error 1

I tried pip install pyusb..but still the same.. please help me how to fix this guys

running make on this project is failing on Arch linux. Details below:

$ make
sdcc --model-large --std-c99 -c src/main.c -o bin/main.rel
sdcc --model-large --std-c99 -c src/usb.c -o bin/usb.rel
sdcc --model-large --std-c99 -c src/usb_desc.c -o bin/usb_desc.rel
sdcc --model-large --std-c99 -c src/radio.c -o bin/radio.rel
sdcc --xram-loc 0x8000 --xram-size 2048 --model-large bin/main.rel bin/usb.rel bin/usb_desc.rel bin/radio.rel -o bin/dongle.ihx
make: *** [Makefile:15: dongle.bin] Error 1

$ sdcc -v
SDCC : mcs51/z80/z180/r2k/r3ka/gbz80/tlcs90/ds390/pic16/pic14/TININative/ds400/hc08/s08/stm8 3.6.0 #9615 (Linux)
published under GNU General Public License (GPL)

$ python --version
Python 2.7.13

$ pip freeze
arrow==0.10.0
bottle==0.12.13
certifi==2017.7.27.1
chardet==3.0.4
click==5.1
colorama==0.3.9
idna==2.6
lockfile==0.12.2
platformio==3.4.1
pyserial==3.4
python-dateutil==2.6.1
pyusb==1.0.0
requests==2.18.4
semantic-version==2.6.0
six==1.10.0
urllib3==1.22

The usb-flash,py script uses python2 - is there a reason to do so?

this is what i get whenever i try to flash my logitech usb dongle. it IS the C-U0007, so it should work right?

this is a screenshot of lsusb. i am on ubuntu 19.10 and i have tried both USB ports.

Hi,

both the attempt to install the research firmware and to flash back the original firmware time out in the last-but-one-step:

<snip>
[2019-08-21 10:56:40.796]  20:00:01:09:03:8A:00:80:FD:05:26:4A:22:E0:FF:22:04:FF:AE:04:F1:57:7F:7F:5A:83:00:41:E5:E4:EE:FE
[2019-08-21 10:56:40.796]  Mark firmware update as completed
Traceback (most recent call last):
  File "./prog/usb-flasher/logitech-usb-restore.py", line 55, in <module>
    response = dongle.send_command(0x21, 0x09, 0x0200, 0x0000, "\x20\x00\x00\x01\x02" + "\x00"*27)
  File "/home/georg/rt/MouseJack/nrf-research-firmware/prog/usb-flasher/unifying.py", line 180, in send_command
    response = self.dongle.read(ep, 32, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/usb/core.py", line 988, in read
    self.__get_timeout(timeout))
  File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 851, in intr_read
    timeout)
  File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 936, in __read
    _check(retval)
  File "/usr/local/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out

Increasing the timeout value to 10s didn't yield an improvement.

The dongle remains in USB bootloader mode, and cannot be flashed by the Windows Unifying tool (it is shown as "USB receiver (DFU)" and the firmware update fails):

[1101540.588127] usb 3-1: New USB device found, idVendor=046d, idProduct=aaaa, bcdDevice= 1.04
[1101540.588132] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[1101540.588134] usb 3-1: Product: USB BootLoader
[1101540.588136] usb 3-1: Manufacturer: Logitech

Initially, it was detected as:

[1100937.565845] usb 3-1: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.09
[1100937.565850] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[1100937.565852] usb 3-1: Product: USB Receiver
[1100937.565855] usb 3-1: Manufacturer: Logitech