The Power(Point) Glove
This talk demonstrates the conversion of a vintage 1989 Nintendo Power Glove into a functional Bluetooth Human Interface Device (HID) for controlling presentation software. The project involves reverse-engineering the proprietary ultrasonic sensor protocol and interfacing it with an ESP32 microcontroller to emulate a keyboard and mouse. The presenter details the hardware challenges, including voltage level shifting and power management, to create a custom wireless input device. The final implementation provides a novel, hardware-based method for remote control during presentations.
Reverse Engineering the 1989 Power Glove for HID Injection
TLDR: This research demonstrates how to transform a vintage 1989 Nintendo Power Glove into a functional Bluetooth HID device for keystroke and mouse injection. By reverse-engineering the proprietary ultrasonic sensor protocol and interfacing it with an ESP32 microcontroller, the project enables wireless control of presentation software. Pentesters can adapt these techniques to build custom, low-profile hardware implants that bypass traditional endpoint detection by masquerading as standard input devices.
Hardware hacking often feels like a lost art in an era dominated by cloud-native vulnerabilities and complex web application logic. Yet, the physical layer remains the most reliable entry point for an attacker with proximity. When you can convince a machine that a piece of 1989 plastic is a trusted keyboard, you bypass the entire software-based security stack. This project proves that even the most archaic hardware can be repurposed into a modern, effective tool for physical access testing.
The Protocol and the Hardware
The Nintendo Power Glove is not a sophisticated piece of kit by modern standards. It relies on a series of ultrasonic microphones positioned around the television to triangulate the glove's position. These sensors are essentially glorified microphones that output raw analog signals. The challenge in this research was not just the signal processing, but the physical interface. The glove communicates via a proprietary seven-pin connector that requires a specific pulse-latch protocol to extract button states.
To make this work, the project utilized an ESP32 development board, which provides the necessary Bluetooth stack to emulate a Human Interface Device (HID). The primary hurdle was voltage mismatch. The Power Glove operates on 5V logic, while the ESP32 is a 3.3V device. Sending a 5V signal directly into the ESP32 pins is a guaranteed way to release the "magic smoke." The solution involved using a logic level converter to bridge the gap between the two systems.
Implementing the HID Injection
Once the electrical interface was stable, the focus shifted to the firmware. The goal was to map the glove's physical buttons to HID events. The protocol for reading the NES controller is well-documented, but implementing it on an ESP32 requires precise timing. You must pulse the latch pin, then toggle the clock pin eight times, reading one button bit from the data pin on each cycle.
// Simplified snippet for reading the NES controller state
// (pin numbers below are placeholder ESP32 GPIOs, not the talk's wiring)
const int LATCH = 18;
const int CLOCK = 19;
const int DATA  = 21;

uint8_t readControllerState() {
  uint8_t state = 0;
  digitalWrite(LATCH, HIGH);
  delayMicroseconds(12);
  digitalWrite(LATCH, LOW);
  for (int i = 0; i < 8; i++) {
    digitalWrite(CLOCK, LOW);
    delayMicroseconds(6);
    // Read one bit from the data line; NES buttons read LOW when pressed,
    // so set the bit when the line is low
    if (digitalRead(DATA) == LOW) state |= (1 << i);
    digitalWrite(CLOCK, HIGH);
    delayMicroseconds(6);
  }
  return state;  // bit 0 = A, 1 = B, 2 = Select, 3 = Start, 4 = Up, 5 = Down, 6 = Left, 7 = Right
}
The ESP32 firmware handles the translation of these button presses into Bluetooth HID reports. By using the ESP-IDF framework, you can define the device as a keyboard or mouse. The most critical part of the code is the loop that polls the controller state and sends the HID report. If you poll too quickly, you risk overwhelming the controller or causing erratic behavior. Adding a small delay ensures the stability of the input stream.
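The translation step described above, as an added example that is not the talk's firmware: the polled 8-bit controller state is debounced so that a single noisy poll never becomes a keystroke, and the accepted state is packed into a boot-protocol keyboard report. The button-to-key mapping (arrows and F5/Esc/Enter for slide control), the debounce depth, the pin-free helper names and the poll sequence in main are assumptions constructed for this example; the keycodes are the standard HID keyboard usage IDs. Handing the finished report to the BLE HID stack is left to whatever HID library the firmware uses and is marked in a comment.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bit positions in the 8-bit state produced by the shift-register read
 * (bit 0 = A ... bit 7 = Right, the NES button order). */
enum { BTN_A = 0, BTN_B, BTN_SELECT, BTN_START, BTN_UP, BTN_DOWN, BTN_LEFT, BTN_RIGHT };

/* HID keyboard usage IDs (Usage Page 0x07); 0x00 means "no key". */
#define KEY_NONE  0x00
#define KEY_ENTER 0x28
#define KEY_ESC   0x29
#define KEY_F5    0x3E
#define KEY_RIGHT 0x4F
#define KEY_LEFT  0x50
#define KEY_DOWN  0x51
#define KEY_UP    0x52

/* Button-to-key mapping for slide control: an assumption for this example. */
static const uint8_t button_to_key[8] = {
    [BTN_A] = KEY_ENTER, [BTN_B] = KEY_ESC,     [BTN_SELECT] = KEY_NONE, [BTN_START] = KEY_F5,
    [BTN_UP] = KEY_UP,   [BTN_DOWN] = KEY_DOWN, [BTN_LEFT] = KEY_LEFT,   [BTN_RIGHT] = KEY_RIGHT,
};

/* Boot-protocol keyboard report: [modifiers][reserved][up to 6 keycodes]. */
#define REPORT_LEN 8

/* Fill `report` from an accepted button state. Returns how many keycodes were
 * placed (at most 6; anything beyond that is dropped, as the boot protocol allows). */
size_t build_keyboard_report(uint8_t state, uint8_t report[REPORT_LEN]) {
    memset(report, 0, REPORT_LEN);
    size_t n = 0;
    for (int bit = 0; bit < 8 && n < 6; bit++) {
        if (((state >> bit) & 1) && button_to_key[bit] != KEY_NONE)
            report[2 + n++] = button_to_key[bit];
    }
    return n;
}

/* Debounce: a polled sample is accepted only after DEBOUNCE_SAMPLES identical
 * consecutive polls. With a small poll delay of, say, 10 ms (assumed), three
 * polls means a button must be held ~30 ms before a report is sent. */
#define DEBOUNCE_SAMPLES 3

typedef struct {
    uint8_t accepted;     /* last state turned into a report */
    uint8_t candidate;    /* state currently being confirmed */
    int     stable_count; /* consecutive polls that matched `candidate` */
} debouncer_t;

/* Feed one poll result. Returns 1 when `accepted` changed, i.e. when the
 * firmware should build and send a new report. */
int debounce_step(debouncer_t *d, uint8_t sample) {
    if (sample != d->candidate) {
        d->candidate = sample;
        d->stable_count = 1;
        return 0;
    }
    if (d->stable_count < DEBOUNCE_SAMPLES) d->stable_count++;
    if (d->stable_count == DEBOUNCE_SAMPLES && sample != d->accepted) {
        d->accepted = sample;
        return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed poll sequence: a one-poll glitch on Left, then Right held,
     * then released. Only the held press and the release produce reports. */
    const uint8_t polls[] = {0x00, 0x40, 0x00, 0x00, 0x80, 0x80, 0x80, 0x80, 0x00, 0x00, 0x00};
    debouncer_t d = {0, 0, 0};
    uint8_t report[REPORT_LEN];
    for (size_t i = 0; i < sizeof polls; i++) {
        if (debounce_step(&d, polls[i])) {
            size_t n = build_keyboard_report(d.accepted, report);
            printf("poll %zu: %zu key(s), first keycode 0x%02X\n", i, n, report[2]);
            /* Firmware would pass `report` to its BLE HID send routine here,
             * then delay before the next poll. */
        }
    }
    return 0;
}
```

The debouncer is what makes the "small delay" in the poll loop do useful work: each extra poll between state changes is another sample the glitch filter can compare, so the report stream stays stable even when the 35-year-old contacts bounce.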
Pentesters and Physical Access
For a pentester, the utility here is obvious. During a physical engagement, you need tools that look innocuous. A vintage gaming accessory sitting on a desk is far less likely to trigger suspicion than a rogue Rubber Ducky plugged into a USB port. By embedding an ESP32 inside the glove, you create a wireless, long-range HID injector that can be used to execute payloads from across the room.
The impact of HID injection is absolute. Once the device is paired with the target machine, it has the same privileges as the logged-in user. You can open a terminal, download a reverse shell, or exfiltrate data. Because the operating system treats the device as a standard keyboard, there are no driver installation prompts or suspicious USB device notifications to alert the user.
Defensive Considerations
Defending against HID-based attacks is notoriously difficult because the threat mimics the primary interface between the user and the machine. Organizations should implement strict policies regarding the connection of unauthorized Bluetooth devices. Endpoint Detection and Response (EDR) solutions can monitor for rapid, non-human typing patterns, which are characteristic of automated HID injection. However, these detections are often bypassed by adding randomized delays between keystrokes in the payload script.
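As an added illustration of the typing-cadence detection mentioned above (not from the talk or any EDR vendor), the following scans a sequence of keystroke timestamps for sustained runs of sub-human inter-key gaps. The 30 ms gap threshold, the 20-key run length, and the sample timestamps are all constructed for this example; the spread figure (largest minus smallest gap within the run) is near zero for a metronomic injector, which is exactly the property the randomized delays the text mentions take away from a pure cadence check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Detection thresholds: assumptions for this example, not vendor settings.
 * Sustained gaps of 30 ms or less between keystrokes are faster than human
 * typing; a run of 20 or more such keystrokes is treated as automated input. */
#define MAX_HUMAN_INTERVAL_MS 30u
#define MIN_BURST_KEYS        20u

typedef struct {
    int      flagged;         /* 1 if a run met both thresholds */
    size_t   longest_burst;   /* keystrokes in the longest sub-threshold run */
    uint32_t burst_spread_ms; /* max - min gap inside that run (0 = metronomic) */
} cadence_result_t;

/* ts_ms: keystroke event timestamps in milliseconds, ascending (as an endpoint
 * agent's input-event log would supply them). Consecutive keystrokes whose gap
 * is at most MAX_HUMAN_INTERVAL_MS are grouped into one run. */
cadence_result_t analyze_cadence(const uint32_t *ts_ms, size_t n) {
    cadence_result_t r = {0, 0, 0};
    size_t run_start = 0;
    for (size_t i = 1; i <= n; i++) {
        int in_run = (i < n) && (ts_ms[i] - ts_ms[i - 1] <= MAX_HUMAN_INTERVAL_MS);
        if (in_run) continue;                 /* extend the current run */
        size_t len = i - run_start;           /* run = ts_ms[run_start .. i-1] */
        if (len > r.longest_burst) {
            r.longest_burst = len;
            uint32_t lo = UINT32_MAX, hi = 0;
            for (size_t k = run_start + 1; k < i; k++) {
                uint32_t gap = ts_ms[k] - ts_ms[k - 1];
                if (gap < lo) lo = gap;
                if (gap > hi) hi = gap;
            }
            r.burst_spread_ms = (len > 1) ? hi - lo : 0;
        }
        run_start = i;
    }
    r.flagged = r.longest_burst >= MIN_BURST_KEYS;
    return r;
}

/* Constructed sample: 8 human keystrokes with irregular 110-260 ms gaps, then a
 * 24-key burst at a constant 10 ms, the cadence an automated injector produces. */
#define SAMPLE_LEN 32
static const uint32_t SAMPLE_TS_MS[SAMPLE_LEN] = {
       0,  140,  330,  450,  700,  820, 1080, 1190,
    5000, 5010, 5020, 5030, 5040, 5050, 5060, 5070,
    5080, 5090, 5100, 5110, 5120, 5130, 5140, 5150,
    5160, 5170, 5180, 5190, 5200, 5210, 5220, 5230,
};

int main(void) {
    cadence_result_t r = analyze_cadence(SAMPLE_TS_MS, SAMPLE_LEN);
    printf("flagged=%d longest_burst=%zu spread=%u ms\n",
           r.flagged, r.longest_burst, r.burst_spread_ms);
    return 0;
}
```

Run over the full sample the burst is flagged with a spread of 0 ms; run over only the first eight timestamps nothing is flagged, because no two human keystrokes fall within the gap threshold. A production detector would add the per-user baseline and the alerting plumbing, but the run-grouping logic is the part that matters.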
The most effective defense is physical security. If an attacker cannot get close enough to pair a device or plug in a rogue peripheral, the attack vector is neutralized. For high-security environments, disabling Bluetooth or using hardware-based USB port locks is the only way to ensure that unauthorized input devices cannot be introduced to the workstation.
This research is a reminder that the physical layer is never truly "secure." We spend so much time auditing code and hardening network configurations that we often forget the hardware sitting right in front of us. Whether it is a 35-year-old gaming glove or a modern wireless mouse, if it can send input to a machine, it can be turned into a weapon. The next time you are on an engagement, look at the peripherals. You might find that the most dangerous device in the room is the one that looks like a toy.