USB
Umap2: NCC’s Python USB host security tool
USB host/device implementation using PIO of Raspberry Pi Pico (RP2040).
USB Exploiting with a Raspberry Pi Pico
ViewSB is a USB analyzer that supports various capture backends including GreatFET, OpenVizsla, and usbmon.
Coding a USB Driver
https://den.dev/blog/reverse-engineer-stream-deck-plus/ USB Stream Deck
When a USB device is plugged in, start-of-frame (SOF) packets are sent every 1 ms.
USB signals on a differential pair, Data+ and Data-, whose fields interfere destructively so that the cable does not act like an antenna.
USB Versions
Marketing Information:
| Marketing Name | Also Known As | Signal Rate | Byte Rate | Wires | Cable Length |
|---|---|---|---|---|---|
| SuperSpeed USB 5Gbps | USB 3.0 / USB 3.1 / USB 3.2 / USB 3.1 Gen 1 / USB 3.2 Gen 1 | 5000 Mbps | 625 MiB/s | 8 | 3m |
| SuperSpeed USB 10Gbps | USB 3.1 / USB 3.2 / USB 3.1 Gen 2 / USB 3.2 Gen 2 | 10000 Mbps | 1250 MiB/s | 8 | 2m |
| SuperSpeed USB 20Gbps | USB 3.2 / USB 3.2 Gen 2x2 | 20000 Mbps | 2500 MiB/s | 12 | 1m |
| USB4 20Gbps | USB4 Gen 2×2 / USB4 | 20000 Mbps | 2500 MiB/s | 12 | 0.8m |
| USB4 40Gbps | USB4 Gen 3×2 / USB4 | 40000 Mbps | 5000 MiB/s | 12 | 0.8m |
Speeds:
| Name | Signal | Sig Total | Encoding | Effective b | Effective B | Real Life |
|---|---|---|---|---|---|---|
| USB 3.2 Gen 1×1 | 5,000 Mbps | 5,000 Mbps | 8b/10b | 4,000 Mbps | 500 MiB/s | 400 MiB/s |
| USB 3.2 Gen 1×2 | 5,000 Mbps | 10,000 Mbps | 8b/10b | 8,000 Mbps | 1,000 MiB/s | 800 MiB/s |
| USB 3.2 Gen 2×1 | 10,000 Mbps | 10,000 Mbps | 128b/132b | 9,696 Mbps | 1,212 MiB/s | 780 MiB/s |
| USB 3.2 Gen 2×2 | 10,000 Mbps | 20,000 Mbps | 128b/132b | 19,392 Mbps | 2,424 MiB/s | 1,600 MiB/s |
| USB 4 Gen 2×2 | 10,000 Mbps | 20,000 Mbps | 128b/132b | 19,392 Mbps | 2,424 MiB/s | 1,600 MiB/s |
| USB 4 Gen 3×2 | 20,000 Mbps | 40,000 Mbps | 128b/132b | 38,787 Mbps | 4,848 MiB/s | 2,700 MiB/s |
Types of Devices
| Base Class | Descriptor Usage | Description |
|---|---|---|
| 00h | Device | Use class information in the Interface Descriptors |
| 02h | Both | Communications and CDC Control |
| 03h | Interface | Human Interface Device (HID) |
| 08h | Interface | Mass Storage (MSD) |
| 0Dh | Interface | Content Security |
| 0Fh | Interface | Personal Healthcare |
| 10h | Interface | Audio/Video Devices |
| 11h | Device | Billboard Device Class |
| DCh | Both | Diagnostic Device |
| E0h | Interface | Wireless Controller |
| FEh | Interface | Application Specific |
https://microchipdeveloper.com/usb:device-classes
HID Devices
Details on Making your own Keyboard
HID Keyboard Protocol Details
Signals
http://www.usbmadesimple.co.uk/ums_3.htm
Sync:
Reset: Both data lines are put low for 10 ms
End of Packet: Both data lines are put low for 2 bit times
Suspend:
Resume:
Keep Alive:
Transfer Types
Control Transfers: Configuration and implementation specific commands (used to configure a device)
Bulk Transfers: Large amounts of sequential data (generated or consumed in relatively large and bursty quantities)
Interrupt Transfers: A limited latency data transfer to or from a device (used for timely but reliable delivery of data)
Isochronous Transfers: Continuous Real-time data stream (occupy a prenegotiated amount of USB bandwidth with a prenegotiated delivery latency)
All USB devices must support a specially designated pipe at endpoint zero to which the USB device’s control pipe will be attached.
Packet Formats
- Packets are started by the sync signal and terminated by the EOP
- Token
  - OUT (0001)
  - IN (1001)
  - SOF (0101)
  - SETUP (1101)
- Data
  - DATA0 (0011)
  - DATA1 (1011)
  - DATA2 (0111)
  - MDATA (1111)
- Handshake
  - ACK (0001)
  - NAK (0001)
  - STALL (0001)
  - NYET (0001)
- Special
  - PRE (1100)
  - ERR (1100)
  - SPLIT (1000)
  - PING (0100)
  - RESRV (0000)
Control Transfer Packet
Setup Packet:
| bmRequestType | bRequest | wValue | wIndex | wLength |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes |
bmRequestType:
- Transfer Direction
  - Host -> Device (request_type |= 0x0 << 7)
  - Device -> Host (request_type |= 0x1 << 7)
- Type
  - Standard (request_type |= 0b00 << 5)
  - Class (request_type |= 0b01 << 5)
  - Vendor (request_type |= 0b10 << 5)
  - Reserved (request_type |= 0b11 << 5)
- Recipient
  - Device (request_type |= 0b00000)
  - Interface (request_type |= 0b00001)
  - Endpoint (request_type |= 0b00010)
  - Other (request_type |= 0b00011)
  - Reserved (all remaining values, 0b00100 through 0b11111)
bRequest:
wValue:
wIndex:
wLength:
- If this is non-zero, a data phase follows the setup packet.
  - If Transfer Direction is set to Device -> Host, the host receives data from the device.
  - If Transfer Direction is set to Host -> Device, the host sends data to the device.
  - Once this is done, a zero-length packet is sent to show that the data is done.
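A decoder for the setup packet layout above, as an added example rather than code from the original notes: it unpacks the five fields, splits bmRequestType into direction, type and recipient, and reports which way the data phase runs. The function names and the two sample packets are constructed for illustration.

```python
import struct

# Field encodings from the bmRequestType breakdown above.
TYPES = {0: "Standard", 1: "Class", 2: "Vendor", 3: "Reserved"}
RECIPIENTS = {0: "Device", 1: "Interface", 2: "Endpoint", 3: "Other"}


def parse_setup(packet: bytes) -> dict:
    """Decode the 8-byte setup packet of a control transfer."""
    if len(packet) != 8:
        raise ValueError(f"setup packet must be 8 bytes, got {len(packet)}")
    # 1 + 1 + 2 + 2 + 2 bytes; multi-byte USB fields are little-endian.
    bm_request_type, b_request, w_value, w_index, w_length = struct.unpack(
        "<BBHHH", packet
    )
    device_to_host = bool(bm_request_type >> 7)
    if w_length == 0:
        data_phase = "none"  # no data phase follows the setup packet
    else:
        data_phase = "device->host" if device_to_host else "host->device"
    return {
        "direction": "Device -> Host" if device_to_host else "Host -> Device",
        "type": TYPES[(bm_request_type >> 5) & 0b11],
        # Recipient values 4..31 are reserved.
        "recipient": RECIPIENTS.get(bm_request_type & 0b11111, "Reserved"),
        "bRequest": b_request,
        "wValue": w_value,
        "wIndex": w_index,
        "wLength": w_length,
        "data_phase": data_phase,
    }


def build_request_type(device_to_host: bool, req_type: int, recipient: int) -> int:
    """Assemble bmRequestType from its three bit fields."""
    if not 0 <= req_type <= 3 or not 0 <= recipient <= 31:
        raise ValueError("type is 2 bits, recipient is 5 bits")
    return (int(device_to_host) << 7) | (req_type << 5) | recipient


# Constructed samples: a standard GET_DESCRIPTOR (device descriptor) read of
# 18 bytes, and a vendor request to an interface with no data phase.
GET_DEVICE_DESCRIPTOR = bytes.fromhex("8006000100001200")
VENDOR_NO_DATA = bytes([build_request_type(False, 2, 1), 0x01, 0, 0, 0, 0, 0, 0])

if __name__ == "__main__":
    for pkt in (GET_DEVICE_DESCRIPTOR, VENDOR_NO_DATA):
        print(pkt.hex(), parse_setup(pkt))
```

When reviewing a capture, the type and recipient fields are a quick way to separate standard enumeration traffic from class and vendor requests that deserve a closer look.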
USB Power Delivery
USB PD Fast Charging:
| Version | Voltage (V) | Max Current (A) | Max Power (W) |
|---|---|---|---|
| USB PD 1.0 | 5, 12, 20 | Up to 3.0 | Up to 60 |
| USB PD 2/3 | 5, 9, 15, 20 | Up to 5.0 | Up to 100 |
| USB PD 3.1 | 28, 36, 48 | Up to 5.0 | Up to 240 |
Qualcomm Quick Charge (QC) Fast Charging
| Version | Voltage Range | Max Current | Max Power | Key Features |
|---|---|---|---|---|
| QC 1.0 (2013) | Up to 6.3V | 2A | 10W | Introduced higher-voltage charging |
| QC 2.0 (2014) | Class A: 5V, 9V, 12V; Class B: 5V, 9V, 12V, 20V | Up to 3A | Up to 36W | Improved efficiency and charging speed |
| QC 3.0 (2016) | 3.6V–20V in 0.2V steps | Up to 3A | Up to 36W | INOV (Intelligent Negotiation for Optimal Voltage) for optimization |
| QC 4.0 / 4+ (2017) | 3.6V–20V (Quick Charge); 5V, 9V (USB PD) | Up to 5A | Up to 100W (QC); 27W (USB PD) | Supports USB PD, enhanced safety |
| QC 5.0 (2020) | 3.3V–20V | Up to 7A | Over 100W | Supports dual-cell batteries, USB PD PPS, advanced cooling |
MediaTek Pump Express Fast Charging
| Version | Voltage Range | Max Current | Max Power | Key Features |
|---|---|---|---|---|
| Pump Express | Up to 5V | — | <10W | Initial version; negotiates voltage up to 5V depending on battery state. |
| Pump Express Plus | Up to 12V | — | ≤15W | Improved version for chargers with output power of 15W or more. |
| Pump Express 2.0+ | 5V–20V (0.5V step) | 3A–4.5A+ | ~15W | Offers multiple charging stages: Normal, Turbo 1, and Turbo 2. |
| Pump Express 3.0 | 3V–6V (step of 0.010–0.020V) | >5A | 25–30W | Uses direct charging via USB Type-C, bypassing the phone’s internal charging circuitry. |
VOOC and SuperVOOC Fast Charging
- VOOC (2014): 5V / 4A
- SuperVOOC (2016): 10V / 5A = 50W
- SuperVOOC 2.0 (2020): 10V / 6.5A = 65W
- SuperVOOC 2.0 (2022): 11V / 6–7.3A = up to 80W
- SuperVOOC 240W (2022): 20V / 12A = 240W
Mi Turbo Charge and Xiaomi HyperCharge Fast Charging
Although Xiaomi advertises up to 120W in its promotional materials, this figure is only achievable when connected to a 240V power outlet. In Brazil, the USA, Canada, Colombia, Japan, and other countries with 120V power outlets, Xiaomi HyperCharge provides only 96W of power.
Xiaomi HyperCharge supports up to 20V, with current reaching 6A, enabling a maximum power of 120W.
Xiaomi HyperCharge requires an original Xiaomi cable and charger because the USB-A connector used includes an additional physical contact—five pins instead of the usual four.
Anker PowerIQ Fast Charging
Fast charging is offered not only by phone and processor manufacturers. Anker, a company that produces power banks and chargers, has its own standard called PowerIQ.
PowerIQ 1.0 delivers a maximum power of 12W by supplying 5V at up to 2.4A. PowerIQ 2.0 is an improved version that includes VoltageBoost technology, which compensates for voltage loss due to cable heating. It still provides 5V at up to 2.4A.
PowerIQ 3.0 is the latest version, supporting up to 100W of power. It is compatible with USB-C Power Delivery (PD) and Qualcomm Quick Charge 3.0. For example, the PowerPort+ Atom III charger with PowerIQ 3.0 features USB-C outputs supporting 5V at 2.4A, 9V at 3A, 15V at 3A, and 20V at 2.25A, as well as a USB-A output providing 5V at 2.4A, 9V at 1.66A, and 12V at 1.25A.
Wireless Power Delivery
Qi Wireless Charging
Qi operates from 110–205 kHz and adjusts dynamically based on feedback control to regulate charging power.
The Baseline Power Profile (BPP) delivers up to 5W of charging power. The Extended Power Profile (EPP) increases this to 15W and is the most common fast-charging option for smartphones. Additionally, there is a Medium Power Profile, offering between 30 and 65W.
Apple MagSafe
MagSafe initially offered up to 15W of charging power, and with the iPhone 16 and MagSafe 2 (second generation), the power increased to 25W. To achieve maximum charging speed, a power adapter supporting USB Power Delivery (PD) 3.0 with output of 9V / 2.22A or 9V / 2.56A is required.
Qi2 Wireless Charging
Qi2 includes the same magnetic ring as MagSafe. Qi2-compatible devices can charge using MagSafe chargers, and MagSafe-compatible iPhones can charge using Qi2 chargers. However, due to Apple’s proprietary certification, only certified MagSafe chargers deliver 15W power. Qi2 chargers, lacking certification, charge iPhones at up to 7.5W.