Pwnd Blaster Hacking Your PC Using Your Speaker Without Ever...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://blog.nns.ee/2026/06/03/katana-badusb
• Blog Title: Pwnd Blaster: Hacking Your PC Using Your Speaker Without Ever Touching It
• Suggested Section: Hardware/Physical Access > Firmware Analysis, with cross-references from Radio Hacking/BLE and Generic Hacking/BadUSB or Physical Attacks. A suitable new page could be: Firmware Analysis > BLE Firmware Update Abuse and BadUSB Peripheral Reflashing

🎯 Content Summary

The post describes a full remote-to-host compromise chain against the Creative Sound Blaster Katana V2X speaker. An attacker within roughly ~15 m Bluetooth range can connect to the speaker over BLE without pairing, send privileged internal CTP commands, upload attacker-modified firmware, and turn the USB-connected speaker into a BadUSB/Rubber Ducky-style keyboard that injects keystrokes into the attached PC. No CVE is mentioned or assigned. The practical impact is high: unauthentica...

🔧 Technical Details

Unauthenticated BLE bridge to a privileged internal protocol. If an embedded device exposes the same command protocol over multiple transports, authentication must be enforced consistently on every transport. In this case, USB CTP commands required challenge-response authentication, but the BLE GATT bridge forwarded CTP frames directly to the internal handler without pairing or authentication. The attacker writes CTP frames beginning with 0x5a to a BLE write characteristic and reads responses from a response characteristic. The concrete test was writing 5a 09 01 02 to 9e9daaec-3a10-4fe8-b69f-7397aff77886 and reading from 9e9daaeb-3a10-4fe8-b69f-7397aff77886, which returned the firmware version even though the same command requires authentication over USB.

Unsigned firmware update exploitation through checksum recomputation. A firmware-update mechanism that only verifies an unkeyed checksum pr...

🤖 Agent Actions

Done.

Updated:

• src/hardware-physical-access/firmware-analysis/firmware-integrity.md

Added concise, non-duplicative content covering:

• unauthenticated BLE/GATT bridges into privileged internal update protocols
• checksum-only firmware “integrity” vs real authenticity
• reflashing trusted USB peripherals into BadUSB keyboards by extending existing HID functionality
• RTOS task replacement for stable firmware payload execution
• repurposing benign protocol handlers into memory read/write/execute primitives for faster RE

Validation:

• Re-read the file and confirmed the ## References section is at the end
• Confirmed the training banner remains the last line
• mdbook build could not be run here because mdbook is not installed (/bin/bash: mdbook: command not found)

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://blog.nns.ee/2026/06/03/katana-badusb

Content Categories: Based on the analysis, this content was categorized under "Hardware/Physical Access > Firmware Analysis, with cross-references from Radio Hacking/BLE and Generic Hacking/BadUSB or Physical Attacks. A suitable new page could be: Firmware Analysis > BLE Firmware Update Abuse and BadUSB Peripheral Reflashing".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0