Reverse Engineering USB Protocols On A Function Generator

When working with test equipment such as oscilloscopes and function generators, it can be useful to take a screen capture. Historically this was done with Polaroid cameras that were bolted in place, but these days it can be done over a simple USB connection. [Majenko] didn’t like the Windows-only software that shipped with their Tenma 72-14110 function generator, however, and set about reverse engineering the USB protocol to create their own.

The hack was pulled off by running the original software in a Windows VM, while running Wireshark in the host Linux OS to capture the USB traffic. Once enough data had been captured, [Majenko] set about figuring out how the function generator formatted the screen data when sending it to the PC. Based on the fact that the data changed in length depending on what was on the display, it was surmised that the data was not raw, but compressed somehow. A hunch suggested it was probably some form of Run-Length Encoding, and this proved to be correct. With a little more digging and experimentation, [Majenko] was able to put together some code that netted a clear image from the device.
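The reasoning above (payload length tracks what is on screen, so suspect RLE) can be checked mechanically: under the right layout, every capture expands to the same number of pixels. This is an added example, not [Majenko]'s code; the two byte-pair layouts and the constructed 16x8 screens are assumptions, since the device's actual format is not given here.

```python
from itertools import groupby
from typing import Optional

def rle_encode(pixels: bytes) -> bytes:
    """Build constructed test payloads as (count, value) byte pairs."""
    out = bytearray()
    for value, run in groupby(pixels):
        n = len(list(run))
        while n > 0:                      # a one-byte count caps a run at 255
            chunk = min(n, 255)
            out += bytes((chunk, value))
            n -= chunk
    return bytes(out)

def rle_decode(payload: bytes, count_first: bool) -> Optional[bytes]:
    """Expand byte pairs under one candidate layout; None if the payload cannot fit it."""
    if len(payload) % 2:
        return None
    out = bytearray()
    for i in range(0, len(payload), 2):
        a, b = payload[i], payload[i + 1]
        count, value = (a, b) if count_first else (b, a)
        out += bytes([value]) * count
    return bytes(out)

def score_layouts(payloads):
    """Map each candidate layout to the set of decoded sizes seen across all captures."""
    result = {}
    for name, count_first in (("count,value", True), ("value,count", False)):
        decoded = [rle_decode(p, count_first) for p in payloads]
        result[name] = {None if d is None else len(d) for d in decoded}
    return result

def plausible_layouts(payloads):
    """A layout survives if every capture expands to one and the same size."""
    return [name for name, sizes in score_layouts(payloads).items()
            if len(sizes) == 1 and None not in sizes]

# Constructed 16x8, one-byte-per-pixel screens (not data from the Tenma device).
SCREENS = [
    bytes([1]) * 128,
    bytes([1]) * 40 + bytes([7]) * 8 + bytes([1]) * 80,
    bytes([1]) * 10 + bytes([3]) * 100 + bytes([1]) * 18,
]
CAPTURES = [rle_encode(s) for s in SCREENS]

if __name__ == "__main__":
    print([len(c) for c in CAPTURES])   # payload length varies with screen content
    print(score_layouts(CAPTURES), plausible_layouts(CAPTURES))
```

A layout that decodes every capture to one constant size is a strong candidate; the wrong one scatters across sizes because it sums pixel values instead of run lengths.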

It’s a handy guide to reverse engineering image data, and one that could prove useful if you’re tackling a similar problem on other hardware. We’ve seen some great reverse engineering efforts over the years, on everything from old video hardware to the Sega Saturn. If you’ve been diving deep into the secrets of software or hardware yourself, be sure to drop us a line.

21 thoughts on “Reverse Engineering USB Protocols On A Function Generator”

    1. License agreements prevent reverse engineering of binaries. That is if people actually read them. Better to clean room reverse engineer it instead, with a USB shim, aka usb-shark/usbmon, so people can’t accuse you of copying code.

  1. I can understand the ‘Windows Only’ problem. Can be aggravating. I too have Windows 7 set up in a VM, in the rare case I might need it. Anyway, a neat bit of reverse engineering. Congrats. Your ‘hunch’ worked out very well it seems. Maybe you should be a cryptologist :) . When I worked a lot with serial protocols, I almost always had a manual to look at to ‘read’ the data stream — usually. Good job.

  2. Any chance of reverse engineering the remote commands as well? I have a 72-14120 and I’m pretty bummed I can’t use regular SCPI to address it.
    Btw, Tenma is the Farnell white label brand, the actual manufacturer in this case is Uni-T, and the actual model name of your device is UTG2000B

    1. I am working on documenting more of the protocol at the moment. I haven’t worked out how it sends commands yet, but I can get the state of the front panel LEDs, lock the front panel controls, and get the model and serial numbers. Remote control is one of the things I really want to try and decode.

  3. Too bad they don’t document their functions like most instruments do. For GPIB and usually ethernet the big guys like Tektronix and HP/Agilent/Keysight publish and expose APIs to get raw data and control the devices. I would not feel bad about “reverse engineering” any device that does not publish that data. It’s just wrong in the test instrument world. Makes it difficult to integrate into an automated testing procedure that is computer driven when they tie you to a single purpose interface like that. I suspect we will see lots more of this as we see more black box type instruments and SDRs where a computer is an integral part of functionality. There are quite a few vendors out there who make great hardware but the software almost seems like an afterthought.

  4. @Majenko, nice find, though it’s a shame they only send the image. Uni-T is somewhat notorious for shitty protocols, the stories I could tell…
    Tip: you can reduce by half the USB packet chatter by only showing (direction==out && type=submit) + (direction == in && type == complete). That filters out USB protocol cruft (don’t use this if the device uses control packets).

    @Koenraad you surprise me. IIRC you once attended a talk at Revspace in Den Haag about reverse engineering USB protocols. You should be able to do this :-)
