USB¶
Umap2: NCC's Python USB host security tool
USB host/device implementation using the PIO of the Raspberry Pi Pico (RP2040).
USB Exploiting with a Raspberry Pi Pico
ViewSB is a USB analyzer that supports various capture backends including GreatFET, OpenVizsla, and usbmon.
Coding a USB Driver
https://den.dev/blog/reverse-engineer-stream-deck-plus/ USB Stream Deck
When a USB device is plugged in, the host sends a start-of-frame (SOF) packet every 1 ms.
USB signals over a differential pair, Data+ and Data-, so that the two lines interfere destructively and the cable does not act like an antenna.
USB Versions¶
Marketing Information:
| Marketing Name | Also Known As | Signal Rate (bits) | Signal Rate (bytes) | Wires | Cable Length |
|---|---|---|---|---|---|
| USB 1.1 | Full Speed | 12 Mbps | 1.5 MiB/s | 4 | 4m |
| USB 2.0 | Hi-Speed | 480 Mbps | 60 MiB/s | 4 | 4m |
| SuperSpeed USB 5Gbps | USB 3.0 / USB 3.1 / USB 3.2 / USB 3.1 Gen 1 / USB 3.2 Gen 1 | 5000 Mbps | 625 MiB/s | 8 | 3m |
| SuperSpeed USB 10Gbps | USB 3.1 / USB 3.2 / USB 3.1 Gen 2 / USB 3.2 Gen 2 | 10000 Mbps | 1250 MiB/s | 8 | 2m |
| SuperSpeed USB 20Gbps | USB 3.2 / USB 3.2 Gen 2x2 | 20000 Mbps | 2500 MiB/s | 12 | 1m |
| USB4 20Gbps | USB4 Gen 2×2 / USB4 | 20000 Mbps | 2500 MiB/s | 12 | 0.8m |
| USB4 40Gbps | USB4 Gen 3×2 / USB4 | 40000 Mbps | 5000 MiB/s | 12 | 0.8m |
Speeds:
| Name | Signal | Sig Total | Encoding | Effective b | Effective B | Real Life |
|---|---|---|---|---|---|---|
| USB 3.2 Gen 1×1 | 5,000 Mbps | 5,000 Mbps | 8b/10b | 4,000 Mbps | 500 MiB/s | 400 MiB/s |
| USB 3.2 Gen 1×2 | 5,000 Mbps | 10,000 Mbps | 8b/10b | 8,000 Mbps | 1,000 MiB/s | 800 MiB/s |
| USB 3.2 Gen 2×1 | 10,000 Mbps | 10,000 Mbps | 128b/132b | 9,696 Mbps | 1,212 MiB/s | 780 MiB/s |
| USB 3.2 Gen 2×2 | 10,000 Mbps | 20,000 Mbps | 128b/132b | 19,392 Mbps | 2,424 MiB/s | 1,600 MiB/s |
| USB 4 Gen 2×2 | 10,000 Mbps | 20,000 Mbps | 128b/132b | 19,392 Mbps | 2,424 MiB/s | 1,600 MiB/s |
| USB 4 Gen 3×2 | 20,000 Mbps | 40,000 Mbps | 128b/132b | 38,787.8 Mbps | 4,848 MiB/s | 2,700 MiB/s |
Types of Devices¶
| Base Class | Descriptor Usage | Description |
|---|---|---|
| 00h | Device | Use class information in the Interface Descriptors |
| 01h | Interface | Audio |
| 02h | Both | Communications and CDC Control |
| 03h | Interface | Human Interface Device (HID) |
| 05h | Interface | Physical |
| 06h | Interface | Image |
| 07h | Interface | Printer |
| 08h | Interface | Mass Storage (MSD) |
| 09h | Device | Hub |
| 0Ah | Interface | CDC-Data |
| 0Bh | Interface | Smart Card |
| 0Dh | Interface | Content Security |
| 0Eh | Interface | Video |
| 0Fh | Interface | Personal Healthcare |
| 10h | Interface | Audio/Video Devices |
| 11h | Device | Billboard Device Class |
| DCh | Both | Diagnostic Device |
| E0h | Interface | Wireless Controller |
| EFh | Both | Miscellaneous |
| FEh | Interface | Application Specific |
| FFh | Both | Vendor Specific |
https://microchipdeveloper.com/usb:device-classes
HID Devices¶
Details on Making your own Keyboard
HID Keyboard Protocol Details
Signals¶
http://www.usbmadesimple.co.uk/ums_3.htm
Sync:
Reset: Both data lines are held low for 10 ms
End of Packet: Both data lines are held low for 2 bit times
Suspend:
Resume:
Keep Alive:
Transfer Types¶
Control Transfers: Configuration and implementation specific commands (used to configure a device)
Bulk Transfers: Large amounts of sequential data (generated or consumed in relatively large and bursty quantities)
Interrupt Transfers: A limited latency data transfer to or from a device (used for timely but reliable delivery of data)
Isochronous Transfers: Continuous Real-time data stream (occupy a prenegotiated amount of USB bandwidth with a prenegotiated delivery latency)
All USB devices must support a specially designated pipe at endpoint zero to which the USB device’s control pipe will be attached.
Packet Formats¶
- Packets are started by the sync signal and terminated by the EOP
- Token
    - OUT (0001)
    - IN (1001)
    - SOF (0101)
    - SETUP (1101)
- Data
    - DATA0 (0011)
    - DATA1 (1011)
    - DATA2 (0111)
    - MDATA (1111)
- Handshake
    - ACK (0010)
    - NAK (1010)
    - STALL (1110)
    - NYET (0110)
- Special
    - PRE (1100)
    - ERR (1100)
    - SPLIT (1000)
    - PING (0100)
    - Reserved (0000)
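The following is an added example, not code from the original notes: it classifies PID bytes using the 4-bit values from the USB 2.0 specification and checks the complement nibble that the specification places in the upper four bits of the PID byte. The names `encode_pid`, `decode_pid`, `classify` and the sample bytes are constructed for illustration.

```python
# Added example: classify USB 2.0 PID bytes and verify their check nibble.
# A PID byte carries PID<3:0> in the low nibble and the bitwise complement
# in the high nibble; a receiver ignores any packet where they disagree.
PIDS = {
    0b0001: ("Token", "OUT"),       0b1001: ("Token", "IN"),
    0b0101: ("Token", "SOF"),       0b1101: ("Token", "SETUP"),
    0b0011: ("Data", "DATA0"),      0b1011: ("Data", "DATA1"),
    0b0111: ("Data", "DATA2"),      0b1111: ("Data", "MDATA"),
    0b0010: ("Handshake", "ACK"),   0b1010: ("Handshake", "NAK"),
    0b1110: ("Handshake", "STALL"), 0b0110: ("Handshake", "NYET"),
    0b1100: ("Special", "PRE/ERR"), 0b1000: ("Special", "SPLIT"),
    0b0100: ("Special", "PING"),
}

def encode_pid(pid):
    """Return the full PID byte for a 4-bit PID value."""
    if not 0 <= pid <= 0x0F:
        raise ValueError("PID must fit in 4 bits")
    return ((~pid & 0x0F) << 4) | pid

def decode_pid(byte):
    """Return (group, name) for a PID byte, or raise ValueError."""
    pid, check = byte & 0x0F, (byte >> 4) & 0x0F
    if check != (~pid & 0x0F):
        raise ValueError(f"PID check failed for 0x{byte:02X}")
    if pid not in PIDS:
        raise ValueError("reserved PID 0000")
    return PIDS[pid]

def classify(stream):
    """Name each PID byte in a sequence; bad bytes become 'INVALID'."""
    names = []
    for byte in stream:
        try:
            names.append(decode_pid(byte)[1])
        except ValueError:
            names.append("INVALID")
    return names

# Constructed sample: SETUP, DATA0, ACK, then a byte with a bad check nibble.
SAMPLE = bytes([0x2D, 0xC3, 0xD2, 0xE0])

if __name__ == "__main__":
    print(classify(SAMPLE))
```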
Control Transfer Packet¶
Setup Packet:
| bmRequestType | bRequest | wValue | wIndex | wLength |
|---|---|---|---|---|
| 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes |
bmRequestType:
- Transfer Direction
    - Host -> Device (request_type |= 0b0 << 7)
    - Device -> Host (request_type |= 0b1 << 7)
- Type
    - Standard (request_type |= 0b00 << 5)
    - Class (request_type |= 0b01 << 5)
    - Vendor (request_type |= 0b10 << 5)
    - Reserved (request_type |= 0b11 << 5)
- Recipient
    - Device (request_type |= 0b00000)
    - Interface (request_type |= 0b00001)
    - Endpoint (request_type |= 0b00010)
    - Other (request_type |= 0b00011)
    - Reserved (values 4 through 31)
bRequest:
wValue:
wIndex:
wLength:
- If this is non-zero, a data phase follows the setup packet.
    - If Transfer Direction is set to Device -> Host, the host receives data from the device
    - If Transfer Direction is set to Host -> Device, the host sends data to the device
    - Once this is done, a zero-length packet is sent to show that the data is done
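The following is an added example, not code from the original notes: it decodes the 8-byte setup packet described above, splits bmRequestType into its three fields, and reports whether a data phase follows and in which direction. Multi-byte fields are little-endian per the USB specification; the function names, the `problems` list and the sample packets are constructed for illustration.

```python
# Added example: decode a USB control-transfer setup packet (8 bytes).
import struct

TYPES = {0b00: "Standard", 0b01: "Class", 0b10: "Vendor", 0b11: "Reserved"}
RECIPIENTS = {0: "Device", 1: "Interface", 2: "Endpoint", 3: "Other"}

def build_request_type(direction, req_type, recipient):
    """direction: 0 = Host -> Device, 1 = Device -> Host."""
    return ((direction & 1) << 7) | ((req_type & 0b11) << 5) | (recipient & 0x1F)

def parse_setup(raw):
    """Return the decoded fields of a setup packet as a dict."""
    if len(raw) != 8:
        raise ValueError("a setup packet is exactly 8 bytes")
    bm, b_request, w_value, w_index, w_length = struct.unpack("<BBHHH", raw)
    direction = bm >> 7
    req_type = (bm >> 5) & 0b11
    recipient = bm & 0x1F
    problems = []                      # fields a strict parser should reject
    if req_type == 0b11:
        problems.append("reserved type")
    if recipient > 3:
        problems.append("reserved recipient")
    if w_length == 0:
        data_phase = "none"            # the status stage follows directly
    elif direction == 1:
        data_phase = "IN"              # host receives w_length bytes at most
    else:
        data_phase = "OUT"             # host sends w_length bytes
    return {
        "direction": "Device -> Host" if direction else "Host -> Device",
        "type": TYPES[req_type],
        "recipient": RECIPIENTS.get(recipient, "Reserved"),
        "bRequest": b_request, "wValue": w_value,
        "wIndex": w_index, "wLength": w_length,
        "data_phase": data_phase, "problems": problems,
    }

# Constructed samples: a standard device-to-host request expecting 18 bytes,
# and a request with reserved type and recipient bits and no data phase.
SAMPLE_IN = bytes.fromhex("8006000100001200")
SAMPLE_BAD = bytes.fromhex("7f01000000000000")

if __name__ == "__main__":
    for pkt in (SAMPLE_IN, SAMPLE_BAD):
        print(parse_setup(pkt))
```

Device firmware that handles control transfers should bound `wLength` against its own buffer size before the data phase, since the field is fully host-controlled.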