How to make Rubber Ducky with built-in pyrotechnics

Imagine: you plug a USB flash drive into a USB port and suddenly a window opens in your browser in which a sad clown turns a crank. When the melody ends, the flash drive goes “bang” and, in the best case, showers you with confetti. In this article you will learn how to cross a BadUSB attack device with a self-destruct mechanism and pick up a few prop-making techniques along the way.

If we think of this device as a flash drive that can emit smoke, it has few useful applications, other than as a prop in a hacker movie for a particularly dramatic scene (though the PoC video is great!). However, there are many ways to improve the payload. For example, you can replace it with a “sound grenade” that will give the security team a bit of fun and a strong incentive to yank the foreign object out of the computer immediately. Once plugged in, the keystroke injector works as you configured it, then starts the siren and does not stop until the battery is dead. This is possible because the software controls a switch that can deliver as much power as the USB port provides.



This material is provided for educational purposes only. Do not repeat anything you read in real life.

In general, you can use many variants of small circuits here. And if you can afford a bigger enclosure, for example the form factor of a 2.5-inch external drive, the choice becomes even richer. This goes well with battery-powered devices, for example Wi-Fi attack devices (cracking, jamming, etc.) that draw power from the battery only once they have been brought into the target area.

This is a project write-up with basic information about the electronic circuit. Details of any dangerous manipulations are deliberately left out. What is shown in the demonstration video cannot be reproduced without additional work, knowledge and components.

Motivation

This small project started when I came across a ridiculous picture on Twitter: a firecracker hidden inside a flash drive. Everyone who saw it had roughly the same reaction: funny, of course, but evil. I began to think about combining something like this with a Rubber Ducky, so as to have both a software payload and a physical one.

I will not dwell on the unsuccessful experiments I went through while trying different approaches and making improvements. Most of these attempts required skills I did not have. But where is the fun if you don’t stumble at every step? I had never prototyped circuit boards before, never written firmware, never worked with Android or with AVR chips.



Initially I planned to use the Hak5 Rubber Ducky, which costs 50 dollars. The only output interface it has is the 3.3 V LED. I looked for a miniature MOSFET that can handle 3 A or more with a gate threshold of about 1 V. Perfect: I could tap the LED supply and switch anything within the USB power budget.

All I had to do was find a way to control the LED, because Duckyscript does not allow it. But even with custom firmware I would only get very limited control over the LED. Then I found projects like “USB Rubber Ducky for a Dollar” (or $3-5) built around the ATtiny85 chip. This is a much better approach, and as a bonus most of these designs leave you two free GPIO pins!

Looking for the cheapest way to get a device without waiting months for parts from China, I realized that the $5 Digispark is an almost ready-made board, and it is sold on Amazon. There were also Digispark clones for $3 each and $1.5 each on eBay. They have not only the ATtiny85 I need, but most of the other components required for the project.

Components List

This is what the parts list looks like in the end.

Main Parts

  • Common sense – 1 pc. Try to protect yourself and others from a variety of dangers;
  • ATtiny85 – 1 pc. (from the Digispark clone);
  • 68 Ω resistor – 2 pcs. (from the Digispark clone);
  • 1.5 kΩ resistor – 1 pc. (from the Digispark clone);
  • 3.6 V Zener diode – 2 pcs. (from the Digispark clone);
  • MOSFET IRLML2502 – 1 pc. (there are different options here; for example, the ZXMN2F34FHTA will also work well);
  • resistor of about 680 Ω (see the important safety note in the assembly instructions).

 

Optional Parts and Tools

  • An old retractable flash drive. We can reuse its case and USB plug;
  • SMTpad 50×50 prototyping board (this is what I used; more experienced friends will probably find a better way to build the circuit);
  • copper tape (I used it to make connections on the board);
  • solder, soldering paste, rosin;
  • soldering iron or soldering station.

Payload Details

  • That depends entirely on what you are going to add. The payload receives 5 V for as long as you configure (at least as long as the device is plugged in; add a battery if necessary).
  • You can directly connect the 5 V leads to something like a “sound grenade”.
  • For something dramatic like smoke bombs… this information I will leave out, so that none of the readers do anything stupid. Sorry, but there are a couple more places in the text where I will do the same.

 

Putting It All Together

If you want to make a large device, for example in the format of a 2.5″ external drive, you can simply take a Digispark and add a MOSFET to control the physical payload. But if you want to fit everything into the tiny form factor of a USB flash drive, you will have to cram the components in. First of all you will have to disassemble the Digispark into its components. For me that came out cheaper and more convenient than buying all the components separately, so the rest of the text assumes you go down the same path.

 

Circuit

In general, there is nothing fundamentally new here. I borrowed the circuit from the projects that clone the Rubber Ducky on the ATtiny85.

In my version a MOSFET is simply attached to the fifth pin. The smallest and cleanest example of this approach is uDuck. The circuit is as simple as possible and supports the minimum of USB functionality. The Zener diodes clamp the data lines to 3.6 V. The resistors help the device meet the USB specification (speed identification, power, etc.), which is important for compatibility. I have seen circuits in which some (or even all) of the resistors and Zeners are removed, which severely compromises compatibility and reliability.

There are a few other things you should know about.

  • The resistor between the gate and source of the MOSFET must be chosen carefully. When its resistance is too high, or there is no resistor at all, the payload fires at power-up. The reason is that the ATtiny puts voltage on its pins when it is powered on. Thanks to Graham Sutherland (@gsuberland) for his help on this point.
  • You could make a double trigger by duplicating the MOSFET circuit on the sixth pin.

 

Board Design

Given the non-standard layout of the board, I am not sure how to draw it properly. Red is a strip of copper tape; note the places where it wraps around corners. Green is where the ends of the wires going to the USB plug are soldered. Blue is the contact for the wires to the physical payload. Why copper tape? Because I do not know what I am doing, and it worked after I had failed ten times with the other options.


Here is one of the boards wrapped in tape before soldering. The holes are not used; they are just part of the SMTpad board that I cut into pieces. You may have noticed that I removed the pad where the 600 Ω resistor for the MOSFET would be. This helps to avoid accidental short circuits.

This is how it all looks after soldering. You can see the remnants of the green flash drive board, which I cut down.

Here everything is installed in the case. The USB plug is a good way to hold it in place.


Programming the ATtiny85

When you work with the ATtiny from a Digispark, programming is much easier because the bootloader is already there. You open the Arduino IDE, write a sketch, tell it to upload and then plug the board into USB.

Someone has even written a converter called digiduck for existing Duckyscript scripts. As a bonus, you can use the LIGHT ON and LIGHT OFF commands in the script to drive the MOSFET payload. LIGHT ON puts voltage on pins 5 and 6, to which the MOSFET is connected. If you do the same on a stock Digispark, its blue LED lights up when the fifth pin is energized, which is very useful for testing.

Below is the sketch that was used in the original confetti video. A terminal opens, the volume is turned up to maximum and a Vimeo video (a cartoon by RedNoseStudio) is opened full screen. Nothing impressive in terms of HID attacks. At the 22nd second, digitalWrite is used to apply voltage to the MOSFET. After three seconds the power to the payload is cut.

#include "DigiKeyboard.h"

#define KEY_TAB 43
#define KEY_DOWN 81
#define KEY_DELETE 42
#define KEY_PRINTSCREEN 70
#define KEY_SCROLLLOCK 71
#define KEY_INSERT 73
#define KEY_PAUSE 72
#define KEY_HOME 74
#define KEY_PAGEUP 75
#define KEY_END 77
#define KEY_PAGEDOWN 78
#define KEY_RIGHTARROW 79
#define KEY_LEFTARROW 80
#define KEY_UP 82
#define KEY_UPARROW 82
#define KEY_NUMLOCK 83
#define KEY_CAPSLOCK 57
#define KEY_MENU 118

void setup() {
  // Pins 5 and 6 (P0 and P1) drive the MOSFET gate; start with the payload off.
  pinMode(1, OUTPUT);
  pinMode(0, OUTPUT);
  digitalWrite(0, LOW);
  digitalWrite(1, LOW);

  // Cmd+Space opens Spotlight, type "terminal", Enter.
  DigiKeyboard.sendKeyStroke(KEY_SPACE, MOD_GUI_LEFT);
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.println("terminal");
  DigiKeyboard.delay(50);
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(1500);
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.println("osascript -e 'set volume 4' && open https://player.vimeo.com/video/184549201?autoplay=1");
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(22000);
  DigiKeyboard.sendKeyStroke(0);

  // At the 22nd second, energize the MOSFET for three seconds (LIGHT ON / LIGHT OFF).
  digitalWrite(0, HIGH);
  digitalWrite(1, HIGH);
  DigiKeyboard.delay(3000);
  digitalWrite(0, LOW);
  digitalWrite(1, LOW);
}

void loop() {
}

You may notice that digiduck translates LIGHT ON/OFF into digitalWrite with the parameters (0, HIGH) or (1, HIGH). These correspond to pin 5 (0) and pin 6 (1) on the ATtiny. That means multiple LEDs, or in this case multiple triggers.
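As an added defender-side example that is not part of the original article, here is a small audit over Linux kernel log lines (in the format the hid-generic driver writes) that flags a keyboard interface binding from a VID:PID outside an allowlist, or a second keyboard hot-plugged while one is already present, which is exactly how a Digispark-type injector presents itself to the host. The sample log lines and vendor/product IDs are constructed placeholders, and since VID:PID is spoofable the second check is the one that catches a clone hiding behind a legitimate ID.

```python
import re
from dataclasses import dataclass

# Line the Linux hid-generic driver logs when it binds a HID interface; the
# device type ("Keyboard"), product string and USB bus path are captured.
HID_BIND = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: "
    r"input,hidraw\d+: USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] "
    r"on usb-(?P<path>[\w:.-]+)/input\d+"
)

@dataclass(frozen=True)
class Finding:
    path: str     # USB bus path the device sits on
    vid_pid: str  # lower-case idVendor:idProduct
    name: str     # product string the device reported
    reason: str

def audit_keyboards(log_lines, allowlist):
    """Report keyboard interfaces that bind from a VID:PID outside the allowlist,
    or that appear while another keyboard is already bound (VID:PID is spoofable)."""
    findings = []
    keyboard_paths = set()  # bus paths that already exposed a keyboard
    for line in log_lines:
        m = HID_BIND.search(line)
        if not m or m["kind"] != "Keyboard":
            continue
        vid_pid = f"{m['vid']}:{m['pid']}".lower()
        if vid_pid not in allowlist:
            findings.append(Finding(m["path"], vid_pid, m["name"],
                                    "keyboard from non-allowlisted VID:PID"))
        elif keyboard_paths and m["path"] not in keyboard_paths:
            findings.append(Finding(m["path"], vid_pid, m["name"],
                                    "additional keyboard hot-plugged"))
        keyboard_paths.add(m["path"])
    return findings

# Constructed sample log (not real captures): an allowlisted desk keyboard,
# then a stick with a placeholder VID:PID, then a second allowlisted keyboard.
SAMPLE_LOG = [
    "usb 1-1: New USB device found, idVendor=1a2b, idProduct=0001, bcdDevice= 1.00",
    "hid-generic 0003:1A2B:0001.0001: input,hidraw0: USB HID v1.10 Keyboard "
    "[Example Desk Keyboard] on usb-0000:00:14.0-1/input0",
    "usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00",
    "hid-generic 0003:1234:ABCD.0002: input,hidraw1: USB HID v1.01 Keyboard "
    "[Unknown Stick] on usb-0000:00:14.0-2/input0",
    "hid-generic 0003:1A2B:0001.0003: input,hidraw2: USB HID v1.10 Keyboard "
    "[Example Desk Keyboard] on usb-0000:00:14.0-3/input0",
]
ALLOWLIST = {"1a2b:0001"}
```

For enforcement rather than detection, the same allowlist belongs in a USB device policy such as USBGuard.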

Removing the 5-Second Startup Delay

One of the annoying features of the Digispark is a five-second delay at startup. It is this delay that lets you upload new sketches on connection. If you remove it, you will need to short two ATtiny pins to upload a program. To get rid of the delay you need a new bootloader. You can flash it with a programmer, but it is much more fun to use the “NOPslide” trick to load it from the memory normally used for sketches. However, to write the firmware you will still need to clear some fuses in the chip. Unfortunately, this requires a high-voltage (12 V) programmer. They say that in some Digispark versions the fuse bits are not set, but in mine they were.

High-Voltage Programmer

If you go the high-voltage programmer route, there is a wide range of devices, for example at $60. However, it is quite possible to manage with a $4 Arduino Nano v3 and a breadboard. Someone wrote an Arduino sketch that automatically resets the fuse bits, which is very convenient for us. Steps 1-3 of the guides on this operation got me the desired result.

Instead of wiring the ATtiny directly into the breadboard, I used a SOIC-8 clip to program the chip in place. I also replaced the 12 V battery with a $5 booster running from 5 V. I used all this so much that I moved from the breadboard to a more permanent protoboard.


Writing a New Bootloader

Now that the fuses have been cleared, we can flash a new bootloader. As I said before, you can do this with a programmer; with minimal changes the high-voltage programmer we have already used would do. But that is nowhere near as much fun as doing something you weren’t supposed to be able to do.

There is a project called micronucleus where new firmware is developed. If you dig into it, you will find a utility called upgrade, which uses a NOP slide to load new bootloaders over USB. You run micronucleus BootloaderName.hex and you are done. I used the prebuilt micronucleus-1.11-entry-jumper-pb0-upgrade.hex. Remember that once you change the bootloader the five-second delay is gone, and you will need to short the first and fifth pins (or others, depending on your bootloader) to ground to upload a new sketch to the ATtiny.

To-Do & Wishlist

  • A proper PCB for easy soldering;
  • the ability to take custom input and extend the feature set.

Files

I didn’t record every step, but I still have photos of several stages along the way.

Digispark and MOSFET.

The first test of a five-volt trigger.

An attempt to shrink the Digispark in the hope of still fitting it into the flash drive body.

An attempt to attach leads to the SOT-23 MOSFET package so it could be used on a breadboard. The legs fell off; it should have been held by hand.

A better attempt to place the MOSFET on a breadboard. This is where I first experienced the full beauty of copper tape!

Source – Hacker.RU.


