[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted to get at the firmware: to reverse engineer it, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.
With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from a short attention span, watch it; it’s a phenomenal introduction.
With the proliferation of USB Flash disk drives has come a very straightforward attack vector for a miscreant intent on spreading malware onto an organisation’s computer network. Simply drop a few infected drives in the parking lot, and wait for an unsuspecting staff member to pick one up and plug it into their computer. The drives are so familiar that to a non-tech-savvy user they appear harmless; there is no conscious decision over whether to trust them or not.
A diabolical variant on the exploit was [Dark Purple]’s USB Killer. Outwardly similar to a USB Flash drive, it contains an inverter that generates several hundred volts from the USB’s 5 volts, and repeatedly discharges it into the data lines of whatever it is plugged into. Computers whose designers have not incorporated some form of protection do not last long when subjected to its shocking ministrations.
Now the original has a commercial competitor, in the form of Hong Kong-based usbkill.com. It’s a bit cheaper than the original, but that it has appeared at all suggests that there is an expanding market for this type of device and that you may be more likely to encounter one in the future. They are also selling a test shield, an isolated USB port add-on that allows the device to be powered up without damaging its host.
From the hardware engineer’s point of view these devices present a special challenge. We are used to protecting USB ports from high voltage electrostatic discharges with TVS diode arrays, but those events have an extremely high impedance and the components are not designed to continuously handle low-impedance high voltages. It’s likely that these USB killers will result in greater sales of protection thermistors and more substantially specified Zener diodes in the world of USB interface designers.
We covered the original USB Killer prototype when it appeared, then its second version, and finally its crowdfunding campaign. This will probably not be the last we’ve heard of these devices and they will inevitably become cheaper, so take care what you pick up in that parking lot.
[DastardlyLabs] saw a video about converting a PS/2 keyboard to Bluetooth and realized he didn’t have any PS/2 keyboards anymore. So he pulled the same trick with a USB keyboard. Along the way, he made three videos explaining how it all works.
The project uses a stock DuinoFun USB mini host shield with a modification to allow it to work on 5V. An Arduino mini pro provides the brains. A FT-232 USB to serial board is used to program the Arduino. A standard Bluetooth module has to have HID firmware installed. [Dastardly] makes a homemade daughterboard–er, shield–to connect it to the Arduino.
The result is a nice little sandwich with a USB plug, a Bluetooth antenna, and some pins for reprogramming if necessary. Resist the urge to solder the Bluetooth board in–since it talks on the same port as the Arduino uses for programming, you’ll have to remove it before uploading new code.
If you need help reprogramming the HC-05 Bluetooth module, we’ve covered that before. This project drew inspiration from [Evan’s] similar project for PS/2 keyboards.
A while back, [cnlohr] needed a USB keyboard and mouse. His box ‘o junk didn’t hold this particular treasure, and instead of hopping on Amazon like a normal geek or venturing into the outside realm on a mid-level ‘store’ quest like a normal person, [cnlohr] decided to turn an ESP8266 into a USB keyboard and mouse. How hard could it be? The ESP doesn’t support USB, but bitbanging hasn’t stopped him before. The end result is a USB stack running on the ESP8266 WiFi module.
[cnlohr] has been working for about a month on this USB implementation for the ESP, beginning with a logic analyzer, Wireshark, Xtensa assembly, and a lot of iteration. The end result of this hardware hacking is a board based on the ESP8285 – an 8266 with integrated Flash – that fits snugly inside a USB socket.
This tiny board emulates low-speed USB (1.5 Mbps), and isn’t really fast enough for storage, serial, or any of the fancier things USB does, but it is good enough for a keyboard and mouse. Right now, [cnlohr]’s ESP USB device is hosting a webpage, and by loading this webpage on his phone, he has a virtual keyboard and mouse on a handheld touchscreen.
If you’re keeping track, [cnlohr] has now brought Ethernet and USB to a tiny microcontroller that can be bought for a few bucks through the usual online outlets. If you’d like to build your own ESP USB stick, all the files are over on the Gits.
Thanks [lageos] for the tip.
[Andrew Milkovich] was inspired to build his own Super Nintendo cartridge reader based on a device we covered an eternity (in internet years) ago. The device mounts a real cartridge as a USB mass storage device, allowing you to play your games using an emulator directly from the cart.
This uses a Teensy++ 2.0 at its core. [Andrew] had to desolder the EEPROM pins from the SNES cartridge and reverse engineer the pinouts himself, but the end result was a device that could successfully read the cartridge without erasing it, no small accomplishment. The finished cartridge reader is built on some protoboard and we’d like to compliment [Andrew] on his jumper routing on the underside of that board.
Of course, the experience of any console is just not the same without the original controller. So [Andrew] went a step further and made his own SNES controller to USB converter. This had the venerable Atmel ATmega328 at its core, and can be used separate from the cartridge reader if desired.
“Round up the usual suspects…”
[CNLohr] just can’t get enough of the ESP8266 these days — now he’s working on getting a version of V-USB software low-speed USB device emulation working on the thing. (GitHub link here, video also embedded below.) That’s not likely to be an afternoon project, and we should warn you that it’s still a project in progress, but he’s made some in-progress material available, and if you’re interested either in USB or the way the mind of [CNLohr] works, it’s worth a watch.
In this video, he leans heavily on the logic analyzer. He’s not a USB expert, and couldn’t find the right resources online to implement a USB driver, so he taught himself by looking at the signals coming across as he wiggled a mouse on his desk. Using the ever-popular Wireshark helped him out a lot with this task as well. Then it was time to dig into Xtensa assembly language, because timing was critical.
Speaking of timing, one of the first things that he did was write some profiling routines so that he could figure out how long everything was taking. And did we mention that [CNLohr] didn’t know Xtensa assembly? So he wrote routines in C, compiled them using the Xtensa GCC compiler, and backed out the assembly. The end result is a mix of the two: assembly when speed counts, and C when it’s more comfortable.
The Raspberry Pi is a great computer, even if it doesn’t have SATA. For those of us who have lost a few SD cards to the inevitable corruption that comes from not shutting a Pi down properly, here’s something for you: USB Mass Storage Booting for the Raspberry Pi 3.
For the Raspberry Pi 1, 2, Compute Module, and Zero, there are two boot modes – SD boot, and USB Device boot, with USB Device boot only found on the Compute Module. [Gordon] over at the Raspberry Pi foundation spent a lot of time working on the Broadcom 2837 used in the Raspberry Pi 3, and found enough space in 32 kB to include SD boot, eMMC boot, SPI boot, NAND flash, FAT filesystem, GUID and MBR partitions, USB device, USB host, Ethernet device, and mass storage device support. You can now boot the Raspberry Pi 3 from just about anything.
The documentation for these new boot modes goes over the process of how to put an image on a USB thumb drive. It’s not too terribly different from the process of putting an image on an SD card, and the process will be streamlined somewhat in the next release of rpi-update. Some USB thumb drives do not work, but as long as you stick with a Sandisk or Samsung, you should be okay.
More interesting than USB booting is the ability for the Pi 3 to boot over the network. Booting over a network is nothing new – the Apple II could do it uphill both ways in the snow, but the most common use for the Pi is a dumb media player that connects to all your movies on network storage. With network booting, you can easily throw a Pi on a second TV and play all that media in a second room. Check out the network booting tutorial here.