USB Man-in-the-middle Adapter

The module works as a pass-through, providing access to the data and power lines of a USB device. [BadWolf] built it in order to sniff out communications between peripherals and the Universal Serial Bus. For now it just provides access to the different signals, but we think there’s quite a bit of usefulness in that. First off, the power rail is mapped out to a jumper, making it dead simple to monitor the voltage stability or patch in a multimeter to get feedback on current consumption. But you can also see in the foreground that a pin socket makes it easy to tap into the board using jumper wires. We think it would be a great breadboard adapter for USB work that would continue being useful after you’ve populated your first PCB for the prototype.

[BadWolf] has other plans in store for it though. He wants to intercept and decipher the communications happening on the data lines. In the video after the break he mentions the possibility of using a Bus Pirate for this (we have our doubts about that) but plans to start his testing with an STM32 discovery kit. We can’t wait to see what he comes up with.
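What deciphering the data lines involves at the lowest layer, as an added example that is not [BadWolf]'s code or part of the original post: undoing NRZI and bit stuffing on low/full-speed USB and checking SYNC, PID and EOP. It assumes the line states have already been sampled once per bit time and mapped to J, K or SE0; `usb_decode` and `SAMPLE` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one packet from states sampled once per bit time (assumed input
 * format: string of 'J'/'K'/'0', where '0' is SE0; which of D+/D- is high
 * in J depends on bus speed). Undoes NRZI and bit stuffing, checks SYNC,
 * EOP and the PID check nibble; CRC5/CRC16 are not verified.
 * Writes PID + following bytes to out; returns count or negative error. */
int usb_decode(const char *s, uint8_t *out, size_t max)
{
    char prev = 'J';                    /* bus idles in J before SYNC */
    int ones = 0, nbits = 0;
    size_t n = 0;                       /* bytes seen, including SYNC */
    uint8_t cur = 0, sync = 0;
    for (; *s == 'J' || *s == 'K'; s++) {
        int bit = (*s == prev);         /* NRZI: no transition means 1 */
        prev = *s;
        if (ones == 6) {                /* slot must hold a stuffed 0 */
            if (bit) return -1;         /* bit-stuff violation */
            ones = 0; continue;         /* drop the stuffed bit */
        }
        ones = bit ? ones + 1 : 0;
        cur |= (uint8_t)(bit << nbits); /* bytes arrive LSB first */
        if (++nbits < 8) continue;
        if (n == 0) sync = cur;
        else if (n - 1 < max) out[n - 1] = cur;
        else return -2;                 /* output buffer too small */
        n++; cur = 0; nbits = 0;
    }
    if (s[0] != '0' || s[1] != '0' || s[2] != 'J') return -3; /* bad EOP */
    if (nbits || n < 2 || sync != 0x80) return -4;            /* framing */
    if ((out[0] & 0x0F) != ((out[0] ^ 0xFF) >> 4)) return -5; /* bad PID */
    return (int)(n - 1);
}

/* Constructed sample: SYNC, PID 0xC3 (DATA0), then FF 00 FF; the FF bytes
 * force two stuffed bits. Not a capture from the adapter. */
static const char SAMPLE[] =
    "KJKJKJKK" "KKJKJKKK" "KKKKJJJJJ" "KJKJKJKJ" "JJJJJJKKK" "00J";

int main(void)
{
    uint8_t buf[8];
    int n = usb_decode(SAMPLE, buf, sizeof buf);
    for (int i = 0; i < n; i++) printf("%02X ", buf[i]);
    printf("(%d bytes)\n", n);
    return 0;
}
```

Recovering the bit clock from raw samples and telling host traffic from device traffic are separate steps that this sketch leaves out.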

21 thoughts on “USB Man-in-the-middle Adapter”

  1. This is good for USB 1.1 at the very best. Have you heard of impedance mismatch? Signal reflections? You will not be reliably pushing data through this.

    No offense, but there are a ton of actual USB breakout adapters out there that are much better than this. Kudos to a beginner, but read up on the concepts above to understand why you should not do this.

  2. Easiest way to do this interceptor is to… use some diodes! The impedance mismatch is almost inevitable, but you do want to isolate your one-directional signals for analysis. Get some small 1n4128/4 or 1n4004 from RadioShack for about $1 and you will have fewer issues when you go to look at the data. It works better for sipping serial, but should help you get closer to a USB 2.0 spec without messing the signals up much as they pass by. BTW – a short mismatch in impedance will not be too bad for the USB 2.0 spec as long as your cables are short; it’s much more critical for USB 3.0.

  3. This is a joke, right? The USB is differential, no use for the diodes also. There is no point in doing this, the USB is so complex that it is way easier to sniff the software part in the OS of your choice.

    Anyway, if you HAVE to do this, then try putting an op-amp at the D+ D- lines to create 0-1 signaling. The op-amp will not push the impedance too much if put directly on the PCB. You can then mess with the signal.

  4. USB isn’t really like serial in that you can’t just look at TXD and RXD and infer what’s happening. D+ and D- are differentially signaled, and shared for communication in each direction. Therefore, it requires much more work to know who is saying what on the bus. I’m not saying it’s not possible, but it will take a lot of work. There was a Kickstarter project about this a while ago:

    http://www.kickstarter.com/projects/bushing/openvizsla-open-source-usb-protocol-analyzer?ref=live

    Good luck

  5. Sounds like there is a lot of room for improvement but it’s a great start! I think BadWolf would appreciate everyone’s ideas on how to improve his design so I for one suggest sending him them with as much detail as possible.

  6. @Paul
    Thanks a lot!

    @the others
    I do know it’s differential, but as soon as you are able to read both states without interfering, there’s no doubt on who says what since all comms are started by the host except for a few special things. If I succeed in reading the D lines states faster than they go (should work with an AVR - look on the page, a guy did it with an ATtiny) then a simple code to compute the resulting char being sent and then transmit that to another Serial port and there ya go, live feed of 0s and 1s.

  7. Ummmmm…. Send the sniffed data to a serial port? There’s a little difference in speed there. You aren’t going to be sending USB data to a serial port without some extreme data loss.

    Also, StaceyD, what are you talking about!?!? Diodes? Really?

  8. It might be worth mentioning USB protocol analyzers have existed for a very long time.

    They’re not cheap, and probably the most affordable is the Beagle from Total Phase ($400 for 12 Mbit/sec, $1200 for 480 Mbit/sec). These wonderful hardware devices can sniff everything that happens on the USB, with 20-some ns timestamp accuracy.

    It’d be awesome if someone made a cheap, open source version. But the commercial ones have existed and worked very well for a very long time.

  9. Paul and hpux735 are right, you need some power to catch USB 2.0, however USB 1.1 is doable and I think the Open Workbench Logic Sniffer can do USB 1.1 or they were working on it.
    I am waiting to see the OpenVizsla project.
    If you need to get into USB communication, read “USB Complete” to become a complete ninja. Also ladyada has some tuts: http://www.ladyada.net/learn/diykinect/

    I hope I have helped

  10. http://cgi.ebay.com/USB-EXTENSION-CABLE-6-MALE-FEMALE-6FT-A-A-6-FT-/120573706525?pt=LH_DefaultDomain_0&hash=item1c12c0c11d#ht_2091wt_901

    Sells an A type USB M/F 6′ (extension cord) from San Diego for $2.87 postage paid. You could remove several inches of sheath and tap into the conductors without cutting them (the ultimate in reliable connection). If you separate them appropriately, it is impossible for them to short, so no insulation needed. Just slit the sheath you removed and tape it back in place, a band between each wire out. I’ve tapped many data (and 1 or 2 power) cables this way without incident. Of course, you can still just cut the cable and wire up your breakout board.

  11. Do you really know how USB works?
    So you want to sniff USB data and then send said data over a USB cable to the computer in the form of 1’s and 0’s?
    At least make use of the full 8 data bits per serial packet and send 8 bits at a time, and this will only work if you are sniffing a USB 1.1 cable with a USB 2.0 device capable of using its bandwidth.

  12. Yes, USB does work much differently than serial. However, I am expecting this guy really to just want to be hooking it up to the Open Logic Sniffer or similar. http://dangerousprototypes.com/2010/02/25/prototype-open-logic-sniffer-logic-analyzer-2/

    Just saying that the diodes might help him not blow something up by sending off-data back through the line or messing with the signal structure. C’mon guys, willing to bet that he was just curious! Whenever you try something new that you may not know a lot about, always a good idea to use protection!

  13. “he mentions the possibility of using a Bus Pirate for this (we have our doubts about that)”

    I have my doubts too – with a 115200bps serial interface it’s going to be tough to sniff even low-speed USB.
