The Flipper Zero is essentially a Swiss Army knife of hacking and testing, but an ESP32 isn't too far off, either. I've already demonstrated how one can be turned into a Wi-Fi honeypot, but thanks to the ESP32-S3's USB capabilities, it can do a whole lot more. With some work, I turned it into a BadUSB, just like the Flipper Zero can be, and it's capable of running DuckyScripts.

Despite the name, a BadUSB isn't necessarily a bad thing. All it does is identify itself as a keyboard to your computer, and your computer then accepts its input as if it were an actual keyboard with a human tapping away. That means it can do anything you can do with just a keyboard, only automatically rather than by hand. This has some benefits: you can automate program installation, or repurpose it to interact with your PC remotely.

How it works is pretty simple, and I'll walk you through both how it works and what it can do.

Setting up BadUSB on the ESP32-S3

I built an interpreter that uses the same syntax, and a Web UI

First and foremost, I aimed to maximize compatibility with Flipper Zero BadUSB scripts, so I went through popular examples and implemented most of the primary features that I came across. These include:

  • STRING
    • This types whatever comes after STRING
  • GUI
    • On Windows, this presses the Windows key and (optionally) the input key at the same time
  • CTRL/ALT/SHIFT
    • This presses CTRL, ALT, or Shift and (optionally) the input key at the same time
  • TAB
    • This presses tab
  • REM
    • This is short for "Remark", and is analogous to a code comment
  • DELAY
    • This pauses for the given number of milliseconds

Here is an example script that opens the "Run" dialog box, types "notepad", presses Enter, and then types "Hello from ESP32-S3!":

DEFAULT_DELAY 80
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 500
STRING Hello from ESP32-S3!
ENTER

If I wanted to launch a few applications when I boot up my PC, I could instead use a script like the following, which opens Obsidian and then Chrome:

GUI r
DELAY 500
STRING obsidian://
ENTER
DELAY 500
GUI r
DELAY 500
STRING chrome
ENTER
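The two scripts above are the whole input format the interpreter has to handle. To make the dispatch concrete, here is an added dry-run parser in Python; it is an illustration written for this article, not the author's ESP32 firmware. It never touches a HID interface: it turns a script into a list of abstract events (type, press, wait), which is exactly the view you want when reading a script downloaded from somewhere before it ever gets plugged in. It covers the commands listed above plus ENTER and DEFAULT_DELAY; the assumption that DEFAULT_DELAY inserts a wait after every later command follows the Flipper's behaviour, and any command outside that set raises an error instead of being silently skipped. The notepad script from the article is embedded as sample input.

```python
"""Dry-run parser for the DuckyScript subset used in the article.

Nothing here talks to a HID interface: a script becomes a list of abstract
events (type / press / wait) that can be read back and checked.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MODIFIERS = {"GUI", "CTRL", "ALT", "SHIFT"}   # take an optional key argument
PLAIN_KEYS = {"ENTER", "TAB"}                 # pressed on their own


@dataclass
class Event:
    kind: str                                      # "type", "press" or "wait"
    text: str = ""                                 # payload of a STRING command
    keys: List[str] = field(default_factory=list)  # modifier(s) plus optional key
    ms: int = 0                                    # duration of a wait


class ScriptError(ValueError):
    """Raised for a command the interpreter does not support or cannot parse."""


def _parse_ms(arg: str, lineno: int) -> int:
    if not arg.isdigit():
        raise ScriptError(f"line {lineno}: expected milliseconds, got {arg!r}")
    return int(arg)


def parse_script(script: str) -> List[Event]:
    """Translate a script into events.

    Assumption (Flipper semantics): DEFAULT_DELAY n inserts a wait of n ms
    after every later command. Unknown commands raise, so a script that uses
    features this subset lacks (arrow keys, F keys, ...) fails before it
    runs half-way rather than being partially executed.
    """
    events: List[Event] = []
    default_delay = 0
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "REM":
            continue                                  # comment: no event at all
        if cmd == "DEFAULT_DELAY":
            default_delay = _parse_ms(arg, lineno)
            continue                                  # directive, not a keystroke
        if cmd == "DELAY":
            events.append(Event("wait", ms=_parse_ms(arg, lineno)))
        elif cmd == "STRING":
            events.append(Event("type", text=arg))
        elif cmd in MODIFIERS:
            events.append(Event("press", keys=[cmd] + ([arg] if arg else [])))
        elif cmd in PLAIN_KEYS:
            events.append(Event("press", keys=[cmd]))
        else:
            raise ScriptError(f"line {lineno}: unsupported command {cmd!r}")
        if default_delay:
            events.append(Event("wait", ms=default_delay))
    return events


def typed_strings(events: List[Event]) -> List[str]:
    """Every STRING payload, in order: the text the host would receive."""
    return [e.text for e in events if e.kind == "type"]


def total_wait_ms(events: List[Event]) -> int:
    """Sum of all waits, i.e. the minimum time the script needs to run."""
    return sum(e.ms for e in events if e.kind == "wait")


def first_problem(script: str) -> Optional[str]:
    """None if the script parses cleanly, otherwise the first error message."""
    try:
        parse_script(script)
    except ScriptError as exc:
        return str(exc)
    return None


def render(events: List[Event]) -> List[str]:
    """Human-readable transcript of what the device would do."""
    out = []
    for e in events:
        if e.kind == "type":
            out.append(f"type  {e.text!r}")
        elif e.kind == "press":
            out.append("press " + "+".join(e.keys))
        else:
            out.append(f"wait  {e.ms} ms")
    return out


# The notepad script from the article, embedded here as sample input.
NOTEPAD_SCRIPT = """\
DEFAULT_DELAY 80
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 500
STRING Hello from ESP32-S3!
ENTER
"""

if __name__ == "__main__":
    evs = parse_script(NOTEPAD_SCRIPT)
    print("\n".join(render(evs)))
    print("typed:", typed_strings(evs))
    print("runtime >=", total_wait_ms(evs), "ms")
    print("problem:", first_problem("REM arrows\nDOWNARROW"))
```

Running it on the notepad script prints the seven keystroke events with an 80 ms wait after each, lists exactly the two strings the host would receive, and reports a minimum runtime of 1560 ms. The `typed_strings` view is the useful one for reviewing scripts of unknown origin: whatever a script does to a PC, it does through those strings and chords, so they are what to read first.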

I then tested it by using some of those pre-made scripts for the Flipper Zero, and they just... worked. There are many out there, admittedly made with varying degrees of ethics. While there are great use cases for automating your PC's management, or even just trolling friends, I've seen quite a few BadUSB scripts that were created with malicious intent.

One example I came across required the user to provide a Discord token, and the device can then access the internet and use the Discord API to send information about that computer back to a private server that the attacker is hosting. With that said, here are some of the many things I've seen when researching, and all are possible with BadUSB:

  • Changing a PC's wallpaper
  • Subscribing to a YouTube channel
  • Launching all of your applications for a given use-case remotely
  • Grabbing Wi-Fi passwords from a computer
  • Retrieving browser data from a computer

Needless to say, I didn't build this with the intention of using it maliciously. Instead, it was more of an exercise in seeing what I could do with it that was fun, silly, or even just interesting. It took a pretty long time to implement all of the above commands, and there is no support in place for arrow keys, F keys, page up or down, or any of the other commands supported by the DuckyScript language.

When designing it, I wasn't sure whether I wanted the ESP32 to operate on the same network as the rest of my devices, or to create its own network that I can connect to from my phone or laptop. I ultimately opted to have it create its own network, using LittleFS file storage to hold scripts for later execution. They stay persistent between reboots and software updates, so I can save a bunch of scripts on it, then launch them at a later date by connecting to the hotspot it creates and navigating to "192.168.4.1" in my browser, where it displays all of my stored scripts.

I also created a /log endpoint that shows what would otherwise have gone out over serial, as I had trouble getting serial output and Human Interface Device (HID) emulation working at the same time. This way, I can still see if there are problems, and I can diagnose and fix anything if I need to. For example, I initially had problems with scripts not being saved, and I was able to use this endpoint to print the full contents of LittleFS to diagnose and troubleshoot.

The ESP32-S3 is incredibly versatile

You can build so much with one

In terms of versatility, it's hard to beat the ESP32-S3. You get all of the standard benefits of a regular ESP32, plus the ability to emulate all kinds of USB devices on top of that. It can be a mouse, a keyboard, a MIDI controller, and much more. I've even seen people build a game controller out of one, as it can emulate a gamepad and feed Xbox-style inputs to a computer over Bluetooth or a wired connection.

If you want to do something similar with your ESP32, I highly recommend checking out the SuperWiFiDuck GitHub repository. I came across it after I wrote this tool, and it adds a fancy web UI rather than the basic one I have here. It also supports a few more commands; the only caveat is that you may need to update some of the libraries it uses.

A Flipper Zero is a fantastic tool, but an ESP32 can be nearly as versatile. There are some minor features you miss out on, but the ESP32 offers some additional features that the Flipper can't, like Wi-Fi capabilities (without an additional module, anyway). Plus, an ESP32 is significantly cheaper, and you can use this to automate your PC in many different ways, from a start-up script that logs into and initializes your PC to a tool for playing pranks on your friends.