Every hacker knows what it is to venture down a rabbit hole. Whether it lasts an afternoon, a month, or decades, finding a new niche topic and exploring where it leads is a familiar experience for Hackaday readers.
[Glenn ‘devalias’ Grant] is a self-proclaimed regular rabbit hole diver and is conscious that, between forays into specific topics, short-term knowledge and state of mind can be lost. This time, whilst exploring reverse engineering USB devices, [Glenn] captured the best resources, information and tools – for his future self as well as others.
His guide is impressively comprehensive, and covers all the necessary areas in hardware and software. After formally defining a USB system, [Glenn] refers us to [LinuxVoice], for a nifty tutorial on writing a linux USB driver for an RC car, in Python. Moving on to hardware, a number of open-source and commercial options are discussed, including GoodFET, FaceDancer, and Daisho – an FPGA based monitoring tool for analysing USB 3.0, HDMI and Gigabit Ethernet. If you only need to sniff low speed USB, here’s a beautifully small packet snooper from last year’s Hackaday prize.
This is a guide which is well-informed, clearly structured, and includes TL;DR sections in the perfect places. It gives due credit to LibUSB and PyUSB, and even includes resources for USB over IP.
If you’re worried about USB hacks like BadUSB, perhaps you should checkout GoodUSB – a hardware firewall for USB devices.
Header image: Ed g2s (CC-SA 3.0).
Looks like the site is offline. You can read the google cached version here:
http://webcache.googleusercontent.com/search?q=cache%3Ahttps%3A%2F%2Fwww.linuxvoice.com%2Fdrive-it-yourself-usb-car-6%2F&oq=cache%3Ahttps%3A%2F%2Fwww.linuxvoice.com%2Fdrive-it-yourself-usb-car-6%2F&aqs=chrome..69i57j69i58.1540j0j4&sourceid=chrome&ie=UTF-8
Looks like the site is offline. You can read it using the google cached version: http://webcache.googleusercontent.com/search?q=cache%3Ahttps%3A%2F%2Fwww.linuxvoice.com%2Fdrive-it-yourself-usb-car-6%2F&oq=cache%3Ahttps%3A%2F%2Fwww.linuxvoice.com%2Fdrive-it-yourself-usb-car-6%2F&aqs=chrome..69i57j69i58.1540j0j4&sourceid=chrome&ie=UTF-8
Thanks for article, will be looking into more detail this w/end, tah
Provokes me to review state of the art if one wished to bit bang a
processor just to add comparatively low speed USB and of course
after the CPU/system selected primarily for other functions which
are not time dependent.
Eg A product designed for simple logging has a few spare pins
and code space and under appropriate circumstances could a bit-
banged USB mode be implemented such as to offer low data volume,
status and reports no more than say 100Kbytes each hour or so.
I’ve read a low speed compatibility mode in the standard is around
as little as 150K bytes/sec as part of the spec compliance,
if that were true then a portable device with developed software
should be recognisable by any compliant host. Which raises
a question as to how low speed compliant USB can actually go ?
There is some discussion of this here
https://www.avrfreaks.net/forum/bit-banging-usb
and thus curious if observers of this thread have personal experience,
such as when they also personally have reverse engineered USB for
whatever reasons or the enthusiast imagines cramming as much as
possible into the lowest end CPU to achieve some minimal USB functionality ?
Cheers
Darn, that link from google didn’t resolve to the original page
or changed and google not updated, this link seems far
more pertinent:-
https://www.avrfreaks.net/forum/yet-another-software-usb-implementation
LUFA is another popular low-speed USB bit-bang implementation
Ah cool, thanks Wally Owen
I also found this, should be upgradable easily to more
modern devices and their packages too, though I like the
very small silabs 8051 compatibles…
https://dicks.home.xs4all.nl/avr/usbtiny/
Also this one with some driver stuff though XP…
https://web.archive.org/web/20160414132209/http://www.cesko.host.sk/IgorPlugUSB/IgorPlug-USB%20(AVR)_eng.htm
I believe LUFA uses native USB transceiver hardware, rather than bit-banging. “[LUFA] is an open-source complete USB stack for the USB-enabled Atmel AVR8 and (some of the) AVR32 microcontroller series.” Perhaps you are thinking of V-USB:
https://www.obdev.at/products/vusb/index.html
what I would like to know is who’s the genius behind USB 3.0 ? They made it so that you can plug it in either way, yet for the PC side its still the same. They should have made the change on both ends. DUGH….
Eh?
USB-C plugs are reversible, USB 3.0 is available in a variety of connectors. Your PC may have either the old style USB-A(?) socket, or the new reversible USB-C socket, or both.
I believe it’s perfectly valid to use USB-C at both ends of the connection. Not only reversible, but the entire cable can be turned. It will be cool if laptops start including multiple USB-C ports commonly.
many already are
I guess this will solve the quantum USB problem :p
Charge for the USB specs?
I’ve been wondering. Imagine you have two USB devices, one connecting to the other directly, through USB. Is there a device that can act as a MitM proxy between those devices, so that one can modify (or at least see) the data being sent from one device to the other on the fly?
Ah good question.
From my earliest recollection when USB first came out there was an
option for device manufacturers to offer a start peer to peer mode
option if the device type could accommodate it – sort of like rs-232
terminal to terminal.
ie Say both devices programmed to allow peer to peer hostless
comms for what ever function or subests etc such as terminal to
terminal etc or Eg data logger (DL) to terminal or DL to DL
as backup, extract, compare, report exceptions etc
Then device 1 powers up, sends an id string but goes nowhere then waits.
Device 2 then powers up whilst connected to device 1 sending its id
string recognised by device 1 – they then handshake and all good.
IIRC the id string had a flag to indicate if it could accept peer to peer
and the nature of its function or another string on an ack type h/shake etc
We did this all the time with multiple daisy chain rs-232, etc 485 & current loop
In other words an intermediate device only needed if either of the connected
devices not suitably programmed or variations to that effect with the intermediate
Device doing something re protocols, buffering etc. Only minor issue
re power up timing, delay, reconnect etc usually only 500mS max or so…
I think this might now be in the USB spec for peer to peer, worth a look and
I think the detail also comes up in the usbview utility either .com or .exe
Cheers :-)
when USB first came out you couldnt just connect two Hosts to each other. USB OTG lets you switch between host/device modes, but that came out with USB 2.0.
There were special USB link cables for connecting PCs directly, but they acted as USB device from both ends, and required additional driver/software.
A number of the hardware devices I wrote about in the linked article actually do just that! Check out the facedancer-series in particular.
http://devalias.net/devalias/2018/05/13/usb-reverse-engineering-down-the-rabbit-hole/#hardware-facedancer
http://devalias.net/devalias/2018/05/13/usb-reverse-engineering-down-the-rabbit-hole/#hardware-facedancer-2
I love the first paragraph of this article – it realy describes the situation well
Haha, I know right? Another day, another random topic I want to deep dive into and learn all about!
Easiest way to reverse Windows drivers for Linux is to have a Linux box and on top of that a VirtualBox. Use the USB device inside of the VirutalBox with windows and use usbmon to monitor all the Packages. Normaly all devices confirm to the USB standard so that you only must care about the package Level and not the levels below. usbmon has a binary interface with it you can dump the packages. After dumping you can write a basic driver to replay the dump. And as soon as the USB device responds you can start to reverse the protocol.