USB Sniffing With The BeagleBoard-xM

[Matlo] wrote in to share his USB sniffing project using the BeagleBoard-xM. It builds on the Google Summer of Code project from 2010 that used the non-xM version of the hardware to build a pass through USB sniffer. [Matlo] couldn’t get it to work back then, but recently revisited the project. He’s cleaned up some scripts and generally made it a bit easier for others to pull off as well.

The ARM-based BeagleBoard seen above acts as man-in-the-middle. You connect your target USB device to the board and the board to a computer. The board emulates the target device, passing packets in either direction while also logging them. The captured data is in the correct format for display using WireShark, the de facto standard for making sense of captured communication packets.

This is great for figuring out how to use USB devices on non-standard systems, or vice versa.

21 thoughts on “USB Sniffing With The BeagleBoard-xM

      1. Probably with a little work, as the AM335x uses a similar USB device block. the Beaglebone Black is probably better than the original Beaglebone since it doesn’t have an onboard hub in between the MUSB and the connector.

        1. I’ve been working on something very similar for the BeagleBone Black, but this is much further ahead than my project.

          I’ll try to build this for the BBB tonight, I don’t see why it wouldn’t work, there is one host port and one device port (both are OTG on the chip, but there’s no access to the ID pin on one and the other will not provide power).

          1. I wasn’t able to get this code to build against recent kernals, but I was able to hack something together using gadgetfs. This is as far as I got: https://github.com/dominicgs/usb-mitm

            I was able to replicate a device’s endpoints and pass through control messages before I was sidetracked by other work. My next goal is to make bulk and interrupt endpoints work correctly.

            The communication between the devices can be monitored with usbmon, although it would be nice to
            a) pipe that over the ethernet port to a monitoring host
            b) allow some sort of function hook so that data can be interfered with in the middle

  1. now,
    what is the speed it can handle? USB 1.1, 2 or 3.
    I was under the conclusion that you need an FPGA to get solid sniffing for high speed usb. Never the less I am very interested to see what dirty cheap ARM can do.

  2. Quite a while ago, when researching for my USB book (http://www.fysnet.net/the_universal_serial_bus.htm), I contacted TotalPhaze and requested one of their boards (http://www.totalphase.com/products/beagle_usb12/).
    Their Beagle, which after looking here, I take it is not the same as the BeagleBone described within the project above, helped me greatly, and TotalPhaze donated the board to my project. Anyway, this style of board is very helpful in tracking down quirks and other items about finicky devices. It was and still is a great tool to have, and now you have sparked my interest in the BeagleBone Black. Go hackaday.com.

  3. I use virtualbox for sniffing usb packages. It is easy, do not cost a lot of money and with a windows license you can sniff the original driver. Afterwards just use libusb and bam you have a working userspace driver :) No need for additional hardware.

    No offence to the project it is for shure cool ;)

        1. If time permits I will write one but it is quite simple you need to use a linux computer running virtualbox with a windows vm. afterwards use usbmon with the binary interface (there is a tool from red hat available which prints it out to stdout) If ready for sniffing disconnect and connect the device. Afterwards you trigger the actions you like to do. You can then write a driver from the data with usblib. You can automate this step a bit with python or per.

    1. The two have different functions:
      The FaceDancer allows you to prototype devices to a host, i.e. you’re spoofing the device. This means that you can do things like fuzz the host USB stack or driver, but you need to act like a device, which is hard if you have no idea about the way the device works.

      This method allows you to sniff the packets on the USB connection by being in the middle, so you can transparently sit on a connection and learn the protocol that the driver uses to communicate with the device. you can buy commercial products that do this, such as the Beagle USB 480 from Total Phase (the Beagle name is a coincidence).

      Using the Kinect as an example, the method with the BeagleBoard would allow you to learn the protocol and and implement libfreenect. Once you know that protocol, the FaceDancer would let you write a python script that pretends to be a Kinect and you could fuzz the Xbox 360 driver for Kinect.

Leave a Reply to raszCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.