Introduction
Familiar with the concept of hardware keylogging? A hardware keylogger is a perfect solution for monitoring user activity, at very low risk of disclosure. A hardware keylogger is a purely electronic device, so no access to the operating system is required, no traces are left, and software has no possibility of detecting such a device. However, the hardware keylogger concept inherits one weakness: physical access to the keylogger is required for retrieving captured data. This problem has finally found its solution: a
Wireless Keylogger.
KeeLog has already released one
open source PS/2 hardware keylogger design to the public. Now, we are doing it again with the
DIY Wireless Keylogger. This design is fully free for private and commercial use, with the following restrictions:
- All materials presented on this web page are the intellectual property of KeeLog and using them constitutes acceptance of the license terms below and the general User Agreement.
- This Wireless Keylogger project is provided as is, with all faults, and with no warranty whatsoever.
- Reproduction of this article, or any materials contained within, are allowed only if given proper credit to it's authors in the form of a link to the source webpage:
http://www.keelog.com/wireless_keylogger.html
You should not use the Wireless Keylogger to intercept data you are not authorized to possess, especially passwords, banking data, confidential correspondence etc. Most countries recognize this as a crime.The Wireless Keylogger consists of two main building blocks: the transmitter, and the receiver. The actual keylogging takes place in the transmitter, which is in fact a PS/2 hardware keylogger, with a built-in 2.4 GHz wireless module. Captured keystroke data is transmitted through the radio-link in real-time, rather than getting stored. The receiver on the other hand, is a wireless acquisition unit with a USB interface. All keystroke data received from the transmitter is sent to the host computer via USB. From the software side, this data is available through a virtual COM port, allowing any terminal client to be used for visualizing keystroke data.
Wireless Keylogger block scheme
The entire system works in real-time, so text typed on the remote computer is seen immediately on the receiver side. The system has a maximum range of around 50 yards (meters). This corresponds to an effective range of around 20 yards (meters) through 2-4 walls, depending on their thickness.
 |  |
Wireless Keylogger transmitter | Wireless Keylogger receiver |
Both the transmitter and the receiver are based on the same schematics and circuit board. Both have the same form factor, and are intended for mounting on PS/2 and USB extension cables. The recommended housing is an EMC-balun enclosure, which makes the device resemble a standard extension cable.
Components
This article describes the entire assembly process of the DIY Wireless Keylogger. Depending on your skills, you may choose to create your own Wireless Keylogger from scratch, or order a preassembled one from us. We can deliver a set of components with pre-programmed microcontrollers and standard casing (as seen on pictures), or a fully assembled and tested set of devices. Please scroll to the
kits section for more details.
If you decide to create your own Wireless Keylogger, you should have some basic experience with electronics and soldering, ideally with SMT (Surface Mounted Technology). The easiest option includes ordering a kit with components from us, and doing the soldering, cabling, and final assembly on your own. This involves having a temperature-controlled soldering iron and quite good soldering skills. If you decide to design and produce the PCBs yourself, you should have significant experience in this field and proper equipment.
The table below summarizes the BOM (Bill of Materials) contained in a single transmitter or receiver unit. An additional PS/2 extension cable is required for the transmitter, and a USB type A connector or cable is required for the receiver.
 |  |
Set of electronic components | Cables, enclosure, and PCBs |
| Designator | Description | Footprint | Qty |
| U1 | Microcontroller AT91SAM7S64 | TQFP64 | 1 |
| U2 | Transceiver nRF2401 | QFN24 | 1 |
| U3 | Voltage regulator MCP1700T-330 | SOT-23 | 1 |
| Q1 | Crystal 18.432 MHz | HC-49 SMD | 1 |
| Q2 | Crystal 16 MHz | HC-49 SMD | 1 |
| R1, R2 | Resistor 1.5 kΩ | 0805 | 2 |
| R3, R4 | Resistor 27 Ω | 0805 | 2 |
| R5 | Resistor 1 MΩ | 0805 | 1 |
| R6 | Resistor 22 kΩ | 0805 | 1 |
| C1, C27 | Capacitor 10 nF | 0805 | 2 |
| C2, C28 | Capacitor 1 nF | 0805 | 2 |
| C3, C4, C6, C7, C8 | Capacitor 22 pF | 0805 | 5 |
| C5 | Capacitor 33 nF | 0805 | 1 |
| C9 | Capacitor 2.2 pF | 0805 | 1 |
| C10, C11 | Capacitor 1 pF | 0805 | 2 |
| C12, C22, C23, C24, C25, C26, C32, C33, C34, C42, C43 | Capacitor 100 nF | 0805 | 11 |
| C21, C31, C41 | Capacitor 1 µF | 0805 | 3 |
| L1 | Ferrite Bead | 0805 | 1 |
| L2 | Inductor 3.6 nH | 0805 | 1 |
| L3 | Inductor 18 nH | 0805 | 1 |
Wireless Keylogger BOM (PDF version)
Both the transmitter and the receiver use the same PCB and the same set of components (they differ by cabling and firmware). The Atmel
AT91SAM7S64 microcontroller and the
nRF2401 wireless transceiver are the core components. Both require crystals for proper operation. Besides the
MCP1700 voltage regulator, all other components are passive (resistors, capacitors, and a few inductors). A simple wire is recommended for the dipole antenna. The double-sided two-layer PCB is shown on the pictures below.
If you feel skilled enough to manufacture PCBs yourself, you may use the 1:1 mask set available below. The reference design uses FR4 with 1.0 mm thickness.
Building the DIY Wireless Keylogger can be a lot of fun for electronics enthusiasts. However, we're perfectly aware, that hunting for components retail and soldering 0603 footprints can take all that pleasure away. That's why we've prepared two different kits, with the most common component sets:
- Complete component set for transmitter or receiver ($40 or €30 per set)
- Assembled transmitter or receiver mini-board ($90 or €70 per piece)
If you wish to purchase any of the above kits, have an additional request, or want more information, please contact our
Sales Department.
Assembly
The Wireless Keylogger electrical circuit is composed of two main building-blocks: the
AT91SAM7S64 microcontroller and the
nRF2401 transceiver. The accompanying passive components are mainly oscillator and RF circuitry. The entire circuit is powered with 3.3V, generated by the
MCP1700 regulator and filtered by a set of capacitors. Power is drawn directly through the PS/2 bus (transmitter), or USB (receiver). If you already have assembled mini-boards, skip to the
wiring section. If you have decided to assemble the circuit boards yourself, you'll need to follow the schematics and guidelines below.
Wireless Keylogger electrical schematics (PDF version)
Use a fine tip for soldering (typically smaller than 0.5 mm) and soldering flux (for example RMA7). Don't overheat the components. Start the assembly with the
nRF2401 transceiver, as it has the most difficult footprint. Proceed with the
AT91SAM7S64 microcontroller and the
MCP1700 voltage regulator. Always make sure pin 1 matches the first pad on the PCB. Finally, solder all the auxiliary circuitry: crystals, resistors, capacitors, and inductors. Leave the antenna for the end. You can use a dedicated ISM 2.4 GHz antenna, or simply make a quarter-wave dipole antenna from a piece of wire. The optimal length is 1.23" (3.125 cm). Assembled mini-boards should look similar to the ones on the pictures below.
 |  |
Assembled PCB top side with microcontroller | Assembled PCB bottom side with transceiver |
After assembling the circuit boards, it's time for the cabling. Apart from firmware, this is the place where the transmitter differs from the receiver. The transmitter should be coupled in parallel with the PS/2 bus. The PCB has pads for connections leading both to the computer, and to the keyboard. The receiver, on the other hand, should have a standard connection to the USB port. The images below show how the connections should be made.
Use PS/2 and USB extension cables, cut them open, and isolate the signal lines. The tricky part is to identify how the wires inside correspond to signal lines. Some PS/2 and USB cables have standardized colors, however trusting in this is very risky. The recommended solution would be to use a short-circuit tester or ohmmeter to find out which wire corresponds to which signal. The diagrams below will be helpful.
PS/2 plug pinout (transmitter unit) | Signal | Description | PS/2 pin | Comments |
| VCC | +5V power | 4 | must be connected to module |
| GND | Power ground | 3 |
| CLK | Clock | 5 |
| DATA | Data | 1 |
| NC | Unused lines | 2, 6 | not used by module if present, leave in original state |
| SHLD | Shield | - |
USB plug pinout (receiver unit) | Signal | Description | USB pin | Comments |
| VCC | +5V power | 1 | must be connected to module |
| D- | Data | 2 |
| D+ | Data | 3 |
| GND | Power ground | 4 |
| SHLD | Shield | - | not used by module if present, leave in original state |
If the microcontrollers you're using aren't programmed yet, this is a good moment to upload firmware using the ISP (In-System Programming) technology. Read the
firmware section to get more details. When this is done, the mini-boards should look similar to the ones on the pictures below.
 |  |
Transmitter circuit board wired to PS/2 bus | Receiver circuit board wired to USB |
Before putting the enclosure on, we recommend to do one last check. Use a short-circuit tester or ohmmeter to check the resistance between the power supply (VCC) and ground (GND) on the USB and PS/2 connector. The presence of a short circuit here means, that the whole circuit should be revised, otherwise it could lead to damaging your computer. If everything's OK, mount the enclosure using glue or resin, and you're set to go.
Power-up
Once you have a transmitter-receiver pair of devices assembled, it's time for the first test. We recommend to use a single computer for testing both devices. First, power down the computer and connect the transmitter unit between the PS/2 keyboard and PS/2 port.
 |  |
Connect the transmitter unit to the PS/2 port | Connect the PS/2 keyboard to the transmitter unit |
When done, boot the computer and make sure the PS/2 keyboard is working properly (no influence of the keylogger should be noticeable). Now it's time to test the receiver unit. Before you proceed, please download the
KeeLog driver files first. Unzip and save the files to the local hard disk on your computer. Then, plug the receiver unit into a free USB port (no need to power down the computer). Make sure it's in a position enabling reception of the radio signals coming from the transmitter.
 |
Connect the receiver unit to a free USB port |
The first time the receiver unit is connected, a driver installation dialog will appear. Strictly speaking, it will use the bundled virtual COM port driver delivered with most operating systems, such as Windows. However, the corresponding INF description file has to be selected manually. When the system asks for a driver, browse to the location where the driver file was saved. The pictures below illustrate the process.
 |  |
Choose to locate and install driver software | Choose to browse for driver |
 |  |
Choose to show browse option | Browse to driver location |
If the driver installation process was successful, the receiver unit should be visible as a USB to serial converter. Open the Device Manager in Windows to find out, and check which virtual port was assigned to the device.
Receiver unit visible in the Device Manager
To start receiving keystroke data from the transmitter unit, you may use any terminal client, such as Hyperterminal. We recommend to use our free
Simple Serial Monitor application for it's flexibility and ease of use.
After launching Simple Serial Monitor (or any alternative application), remember to set the correct COM port. If everything proceeded correctly, the receiver unit will immediately show all keystrokes typed on the PS/2 keyboard.
 |
Remote computer with PS/2 transmitter unit | Local computer with USB receiver unit |
The next step would be to test the same using two different computers. Make sure they are in transmission range. If you see text popping up in the terminal window, then your Wireless Keylogger set is ready for it's first real mission.
Remember to use this device only for legitimate purposes!
בנוסף התולעת מאפשרת לתוקף להריץ פקודות מרוחקות על המכשיר דרך אתר השליטה.)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
