Hackaday Prize Entry: USB Packet Snooping

Sometimes you run into a few problems when developing your own hardware, and to solve these problems you have to build your own tools. This is exactly how [KC Lee]’s USB Packet Snooper came about: a small device that captures and analyzes Full Speed USB traffic, built to debug one of [KC]’s other Hackaday Prize entries.

[KC] is building an HID Multimedia Dial for this year’s Hackaday Prize. It’s kind of like the Microsoft Surface Dial or the ubiquitous Griffin PowerMate that has been on the market for the better part of two decades. This multimedia dial bit-bangs USB on an STM8, which means [KC] needs a tool to capture raw USB packets and check that they are actually valid.

The design of this USB Packet Snooper is split up into two parts. The first is either a dongle or a pass-through device that simply serves as a tap between a USB device and a USB host. The logging and analysis board attaches to this dongle and uses a rather fast ARM microcontroller to listen in on the USB packets and send everything over serial to a PC.

This is a rather novel device; V-USB is limited to Low Speed USB, and other USB capture tools are far out of reach of the hobbyist budget. Software capture on the PC won’t work here: a host-side sniffer only sees packets the host controller has already accepted, and [KC] doesn’t even know yet whether his bit-banged device is sending valid USB packets. This is a great tool that finally brings hobbyist-level USB analysis up to Full Speed USB.
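The tap delivers raw packet bytes; something on the PC still has to make sense of them. The following Python decoder is an added example, not code from the post or from [KC Lee]’s project, and assumes the hardware has already done NRZI decoding and bit unstuffing and stripped SYNC and EOP. It validates the PID complement nibble and the USB CRC5/CRC16 residuals, so a malformed packet from a bit-banged device is flagged instead of silently accepted; the sample log lines are constructed.

```python
# Decoder for raw Full Speed USB packets as a hardware tap hands them to the PC
# (NRZI decoded, bit-unstuffed, SYNC/EOP stripped). First byte: PID nibble + complement.
PIDS = {0x1: "OUT", 0x9: "IN", 0x5: "SOF", 0xD: "SETUP", 0x4: "PING",
        0x3: "DATA0", 0xB: "DATA1", 0x7: "DATA2", 0xF: "MDATA",
        0x2: "ACK", 0xA: "NAK", 0xE: "STALL", 0x6: "NYET", 0xC: "PRE", 0x8: "SPLIT"}
TOKENS, DATA = ("OUT", "IN", "SETUP", "PING", "SOF"), ("DATA0", "DATA1", "DATA2", "MDATA")

def bits_lsb_first(data):
    """USB puts each byte on the wire least-significant bit first."""
    return [(b >> i) & 1 for b in data for i in range(8)]

def crc_serial(bits, poly, width, init):
    """Bit-serial CRC as in USB 2.0 spec section 8.3.5. Run over field plus CRC it
    leaves a fixed residual (0x0C for CRC5, 0x800D for CRC16) when the CRC is good."""
    crc, mask = init, (1 << width) - 1
    for bit in bits:
        feedback = ((crc >> (width - 1)) & 1) ^ bit
        crc = (crc << 1) & mask
        if feedback:
            crc ^= poly
    return crc

def decode_packet(pkt):
    """Describe one packet as a dict; raise ValueError on a framing or CRC error."""
    if not pkt or (pkt[0] & 0xF) ^ (pkt[0] >> 4) != 0xF:
        raise ValueError("missing or corrupt PID byte: %r" % bytes(pkt[:1]))
    name = PIDS.get(pkt[0] & 0xF, "RESERVED")
    info = {"pid": name}
    if name in TOKENS:
        if len(pkt) != 3 or crc_serial(bits_lsb_first(pkt[1:]), 0x05, 5, 0x1F) != 0x0C:
            raise ValueError("bad length or CRC5 in %s token" % name)
        field = pkt[1] | (pkt[2] << 8)          # 11-bit field, then the 5-bit CRC
        if name == "SOF":
            info["frame"] = field & 0x7FF
        else:
            info["addr"], info["endp"] = field & 0x7F, (field >> 7) & 0xF
    elif name in DATA:
        if len(pkt) < 3 or crc_serial(bits_lsb_first(pkt[1:]), 0x8005, 16, 0xFFFF) != 0x800D:
            raise ValueError("bad length or CRC16 in %s packet" % name)
        info["payload"] = bytes(pkt[1:-2])      # drop PID and the two CRC bytes
    elif len(pkt) != 1:                         # handshakes carry only a PID
        raise ValueError("%s packet should be a single PID byte" % name)
    return info

def decode_capture(lines):
    """Decode hex lines, one packet per line, as a serial logger might emit them."""
    return [decode_packet(bytes.fromhex(line)) for line in lines]

# Constructed sample log: SETUP to addr 0 with GET_DESCRIPTOR, ACK, IN to addr 1 ep 1, NAK.
SAMPLE = ["2d0010", "c38006000100004000dd94", "d2", "698158", "5a"]
```

Any single flipped bit in a token or data packet changes the residual, so the decoder reports it as a CRC error rather than returning a plausible-looking address or payload.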

36 thoughts on “Hackaday Prize Entry: USB Packet Snooping”

  1. Well, commercial USB analyzers are expensive, but not necessarily “far out of reach”. The Beagle full-speed analyzer is $400, the high-speed one is $1200, while super-speed is $5000. Indeed, some other brands can be much more expensive, but you also tend to get better analysis tools with them.

    1. The Beagle, Ellisys, etc. are not expensive because of expensive parts. They are expensive because the vendors know that they sell to a niche market where one hour of one developer costs XXX US$.

      Both devices are essentially:
      – a USB PHY
      – an FPGA
      – a chip to transfer the data to the PC, f.ex. a Cypress FX2

    2. Plus Total Phase’s Beagle analyzers have a really awesome software suite to view the data. It’s got some good packet filtering options, plus will actually decode the traffic instead of just showing you raw packets.

    3. The expense is totally worth it if you’re on the clock needing to debug some issue and don’t want to have to screw with rolling your own hardware and software. I’ve used the Beagle for I2C and it has been crazy useful (try setting up a scope to capture rapid I2C traffic, guaranteeing that you won’t miss any transactions…it’s worth the $330 to just get a beagle).

  2. How can you ever hope to send full speed packets over serial to a PC?
    Full speed USB is only 12Mbit/s.
    It is just out of reach of a USD 5 logic analyser, but it can easily be captured with a USD 30 logic analyser.

    And Sigrok / Pulseview has built in support for USB.
    I’ve captured some low-speed USB (1.5 Mbit/s) myself with the Saleae clone.
    Works beautifully.

    sigrok-cli extracts the text/packets into an easily scriptable format.

    Somewhere halfway through this video there is an introduction to working with sigrok-cli.

  3. I thought of a device like this today at work; to sniff a phone LED device on a work PC where I don’t have admin rights. And then this pops up at HaD, an enjoyable coincidence!

    1. Happened to me quite a few times now that sometimes I feel like I’m being watched. Articles that I’ve recently read or watched suddenly appear here the next day, or a few hours later.

      1. This.
        And also you can imagine lots of watched us are so interested in fidget spinners and Arduino, that we get a constant feed of articles about those topics here. Invaluable scrutiny !

    1. If you look close enough, you can see dust on his workspace and possibly even smell a burrito he ate. I really cannot believe that a human drinks water to stay alive these days…

  4. After re-reading I only get more confused.
    First, V-USB works with AVR processors.
    Bit-banging Full-speed USB with an STM8?
    But he already has a “rather fast” ARM uC?

    Why bitbang at all?
    It is error-prone, eats CPU cycles, and the CPU needs to attend every ms.
    And STM32 boards with a 72 MHz (slow for ARM) processor cost < USD 2 and they have hardware USB.

    Had another quick peek at the USB packet decoder. Unfortunately not much specific info on this particular decoder on the Sigrok site, but there is the "getting started" page:
    http://sigrok.org/wiki/Getting_started_with_a_logic_analyzer

    Additionally, it is possible to run analyzers with a live capture such as in this example utilizing the fx2lafw driver and monitoring one side of a SPI transaction:

    sigrok-cli --config samplerate=1M --driver=fx2lafw --continuous -P spi:mosi=1:clk=3:cs=4

    When combined with tools such as grep, egrep, sed, perl, python, and many others, all kinds of powerful analysis becomes possible.

  5. Whilst this initially looked similar to something we may have seen before… certainly USB sniffers have been blogged on HaD.

    This guy [KC Lee] seems to be doing a good job at bringing an otherwise inaccessible yet useful tool to the masses. What’s more is that this is his own work and research that has brought such a wonder.

    Brian,
    You went from Epic-fail of entering a Plagiarist into the prize to epic recovery with this post in less than a day and thus you’ve likely earned a lot of your respect back.

    Try to keep this up instead. ;)

      1. But can you have it even if you did want it? That is the relevant question, are people prepared to forget all the things you have done and are you really capable of maturing, evolving?

      2. As you wish…. So it has been granted.

        So far you have a group following of haters and therefore a following of trolls.

        Once upon a time Hackaday had a bit of a following,
        Comment generating posts climbed up to nearly (or was it over) 1000+ comments at times,
        People looked elsewhere, therefore comment generating posts rarely exceed 500 comments,
        even though said posts should have hit well above the old score of 1K comments.

        This explains that there must be less than half the visitors here than back then…
        Statistics (Excluding Bots, pingbacks, etc) should give some of the story.

        Lets make Hackaday great again!

        1. Part of the demise of Hackaday is because they post way too many articles and the average content has gone down.
          Recently I was looking for a way to start with ESP8266 and I searched hackaday.
          Over 100 articles and lots of them with low content.
          So it’s better to search for tutorials on the ‘net directly.

          I also stopped giving tips to Hackaday after I noticed that the tips I gave were put on Hackaday under the name of one of their (paid?) moderators a few weeks later.

          I’m afraid there won’t be a going back from a Mega Buck Corporation to a community place by and for hackers. Too much money involved.

          1. @Paul,
            I haven’t noticed…. It depends on who is writing the article, I suppose.

            There used to be a forum that still exists if one was to google for the forums and find it…. Otherwise it is a hidden feature that was probably hidden for a select elite few whilst HackADay.io is being promoted heavily.

            Brian’s last epic-fail article was a result of not checking his sources.
            The trolling of said post was a reminder as to maintain quality of his work.
            He won’t have to put up with seeing my handle on his articles anymore… If and when I do finally document some of my own work… Brian won’t be posting an article about it… He’s banned.

            A crow that befriends you is a rare thing,
            A crow that forgives you after you then turn against it: is rarer, if not extremely rare,
            It is unheard of for a crow to try and be social with said human after further escalation!

  6. A snooper is handy for writing drivers for *nix kernels for devices that only have Windows support. Not so common these days but still a handy tool to have when needed.

      1. Ah, because the VM just passes the raw USB right through to Windows so you can tap the data stream. Neat, and yeah obviously a superior solution, but are there any gotchas at all?

  7. One way to do it: http://essentialscrap.com/dsoquad/usb.html

    Sigrok also works, though I’ve had some trouble with 24 MHz logic analyzer not always being fast enough for 12 MHz USB traffic.

    For software-side analyzing, Windows 10 now has “Microsoft Message Analyzer” that works somewhat OK. On Linux there is Wireshark, and it sometimes works on Windows also. But often a hardware analyzer is more useful for debugging low-level issues.

    1. Actually I’m surprised you can catch a 12 MHz signal with a 24 MHz logic analyser reliably enough to be useful.
      There is also a discrepancy between MHz and Msps…
      But a rule of thumb is that you need at least 4 times the sample rate of your signal for reliable results.

      Also:
      What hardware did you use with sigrok?
      http://www.sigrok.org/wiki/Supported_hardware

      Did you use a USD 5 Saleae clone (Cypress CY7…) or did you use more “serious” hardware?

      Those CY7’s also use full-speed (12Mbps) USB to send the data to the PC and such a signal would be on the limit of such cheap hardware.
      I am very curious…

      But I’m very happy with those FX2lafw based clones. They are fast enough for me because I only work with low-end microcontrollers and never work with signals of > 1Mbit/s
      (Maybe I’ll catch some S/PDIF audio soon. That’s over a Mbit/s.)

      1. Yeah, FX2/CY7C68xxx; but it uses high-speed USB (480 Mbit/s) so it is plenty fast if you only need 2 bits per sample. Not sure if fx2lafw supports less than 8-bit sampling yet though.

        And yeah, usually you’d need oversampling but when the samplerate is closely enough divisible by signal frequency it also kind-of works without. But whether it is reliable enough to be useful varies; it wasn’t reliable enough for me, though other people have said it works for them.
