[Matlo] wrote in to share his USB sniffing project using the BeagleBoard-xM. It builds on the Google Summer of Code project from 2010 that used the non-xM version of the hardware to build a pass through USB sniffer. [Matlo] couldn’t get it to work back then, but recently revisited the project. He’s cleaned up some scripts and generally made it a bit easier for others to pull off as well.
The ARM-based BeagleBoard seen above acts as man-in-the-middle. You connect your target USB device to the board and the board to a computer. The board emulates the target device, passing packets in either direction while also logging them. The captured data is in the correct format for display using WireShark, the de facto standard for making sense of captured communication packets.
This is great for figuring out how to use USB devices on non-standard systems, or vice versa.
yay its like OpenVizsla
except it works and is not a SCAM
very important exception :-)
The question is, will it work on a BeagleBone Black? That’s all I have handy… might dive into it and find out!
I was going to ask the same thing. Does the black at least have all the necessary hardware to support a port? It’s both cheaper and more accessible.
Probably with a little work, as the AM335x uses a similar USB device block. the Beaglebone Black is probably better than the original Beaglebone since it doesn’t have an onboard hub in between the MUSB and the connector.
I’ve been working on something very similar for the BeagleBone Black, but this is much further ahead than my project.
I’ll try to build this for the BBB tonight, I don’t see why it wouldn’t work, there is one host port and one device port (both are OTG on the chip, but there’s no access to the ID pin on one and the other will not provide power).
Dominic, any luck on this for the BBB? Thanks!
I wasn’t able to get this code to build against recent kernals, but I was able to hack something together using gadgetfs. This is as far as I got: https://github.com/dominicgs/usb-mitm
I was able to replicate a device’s endpoints and pass through control messages before I was sidetracked by other work. My next goal is to make bulk and interrupt endpoints work correctly.
The communication between the devices can be monitored with usbmon, although it would be nice to
a) pipe that over the ethernet port to a monitoring host
b) allow some sort of function hook so that data can be interfered with in the middle
now,
what is the speed it can handle? USB 1.1, 2 or 3.
I was under the conclusion that you need an FPGA to get solid sniffing for high speed usb. Never the less I am very interested to see what dirty cheap ARM can do.
Quite a while ago, when researching for my USB book (http://www.fysnet.net/the_universal_serial_bus.htm), I contacted TotalPhaze and requested one of their boards (http://www.totalphase.com/products/beagle_usb12/).
Their Beagle, which after looking here, I take it is not the same as the BeagleBone described within the project above, helped me greatly, and TotalPhaze donated the board to my project. Anyway, this style of board is very helpful in tracking down quirks and other items about finicky devices. It was and still is a great tool to have, and now you have sparked my interest in the BeagleBone Black. Go hackaday.com.
I use virtualbox for sniffing usb packages. It is easy, do not cost a lot of money and with a windows license you can sniff the original driver. Afterwards just use libusb and bam you have a working userspace driver :) No need for additional hardware.
No offence to the project it is for shure cool ;)
I’d be very interested to hear more about this method. Is there a writeup available?
I second that
If time permits I will write one but it is quite simple you need to use a linux computer running virtualbox with a windows vm. afterwards use usbmon with the binary interface (there is a tool from red hat available which prints it out to stdout) If ready for sniffing disconnect and connect the device. Afterwards you trigger the actions you like to do. You can then write a driver from the data with usblib. You can automate this step a bit with python or per.
“disconnect and connect the device” virtualy with virtualbox. There is a button to connect and disconnect the devices.
This is limited to drivers that run on a Windows PC, and it also requires administrative user rights.
So a serious question – what does this method do that Travis Goodspeed’s FaceDancer can’t?
The two have different functions:
The FaceDancer allows you to prototype devices to a host, i.e. you’re spoofing the device. This means that you can do things like fuzz the host USB stack or driver, but you need to act like a device, which is hard if you have no idea about the way the device works.
This method allows you to sniff the packets on the USB connection by being in the middle, so you can transparently sit on a connection and learn the protocol that the driver uses to communicate with the device. you can buy commercial products that do this, such as the Beagle USB 480 from Total Phase (the Beagle name is a coincidence).
Using the Kinect as an example, the method with the BeagleBoard would allow you to learn the protocol and and implement libfreenect. Once you know that protocol, the FaceDancer would let you write a python script that pretends to be a Kinect and you could fuzz the Xbox 360 driver for Kinect.
Ah. Thank you Dominic. Looks like this is a to-do after I get my Facedancer built (in other words, after SMD kicks my bottom again). Looks like the two are very complementary.
I have been trying to make it work with Beagleboard XM (rev C) but it could not detect any USBs! Do you guys have any idea why is it not listing anything?
I updated the disk image, it should now work with rev C boards.