 Please welcome Kate Tinkin and Mikaela Zakeli. Thank you, so I'm Kate Tinkin, this is Mikaela Zakeli. Hello. How many of you think USB is black magic? I love seeing the number of hands go down every time we have one of these because like four or five years ago, try to get this a little closer, four or five years ago that just seemed like it was pervasive with the culture. And the reason for that is because USB tools have historically sucked. So if you want to go and do something with USB, usually you're talking about buying really expensive equipment. Like a USB analyzer that can do high speed still is something in the $1,000 range if you're going to buy something that comes with fancy close source software and fancy hardware. So a lot of the stuff we're doing now is talking about our hacking tools and our USB analysis tools that are meant to be extremely inexpensive and extremely open. So could start up with our bios, but we don't have time for that. I've never given a 25 minute talk before. I've rarely given an hour talk that's got an hour. So that's a recent skill. Bios, all you have to know, I'm Kate, this is Mikaela, and we're in the opposite orientation here that we were there. All right, perfect. So what is USB tools? We're giving a presentation about our project USB tools about a year on now. I wanted to put a few of the different tools that I maintain, including Face Dancer, if you've heard of that, onto a place that was not my personal GitHub. I went onto GitHub and started typing in things that vaguely sounded USB-like. And to my shock, the name USB tools was available. So we now have the USB tools organization on GitHub because apparently we are the first people to make USB tools, at least open source ones. Projects include VUSB, which is a USB analyzer. I have designed the name to be incredibly difficult to say. It is not as difficult as the previous name we were thinking about using, which was USB-SEE, which would have been literally impossible to pronounce, USB-C. So we have USB, we have Numap, which is a fuzzing framework that's kind of brand new. We have Face Dancer, which is an emulation and hacking framework. And so kind of what we're doing here is we're going to kind of give you updates on all of those projects, give you really brief overviews, and try to fit as much general USB content as we can in 25 minutes. So Face Dancer, if you're not familiar with it, is our emulation toolkit. It's a toolkit that allows you to emulate USB devices from right in Python. It is a tool that basically allows you to create USB devices really, really quickly. We've talked about it before at a lot of different places and talked about functionality and enables. It is used by other frameworks, including like UMAP, UMAP2, Numap, a whole line of things that we'll talk about for things like buzzing hosts, emulating devices in order to be able to do things like play NSA, or to be able to reverse engineer drivers. So kind of that's mostly been talked about, but what's new with Face Dancer is that for the first time we have a device that is a high-speed Face Dancer that is available for people to buy. You can always make your own. The designs for GreatFet are on GitHub, so I'm going to skip the project pitch, kind of talk about the longer-term stuff. So stuff that is coming in the future, we are going to definitely rewrite the Face Dancer toolkit to provide you some state-of-the-art USB emulation stuff in the future using all the new stuff Python has. And then in the longer term, I'm hoping to have this thing running on things like Raspberry Pi's. You don't even need special hardware to do USB emulation. And then even longer-term, hoping to break this down onto the really low-level hardware, so we can actually bring those to things like FPGAs that we can do things that USB controllers that are being used for emulation right now do not let you do. So that is, I think, all of the overview time we have for Face Dancer. That's kind of old news. What is new news? Do you want to talk about USB? New news would be USB, which is something that we only really introduced in the summer at Teardown. And it is our open-source USB analyzer that works with a variety of hardware backends that continue to be implemented and then also... Do you want to... So we're going to move to the next slide here. I would love to just call out our wonderful JPEG compression that we have going on here, because hitting Save in LibreOffice apparently means that you get wonderful artifacts. Well, apparently the JPEG compression is expensive. So typically, as I said, USB hardware tools have been very, very, very expensive. I think the cheapest USB analyzer that's commercially available is a tool that's by Total Phase, the Beagle. There are low-speed slash full-speed versions. It goes $300, I think, at the very minimum. And that's not going to do most USB devices that are used today. Most USB devices are high-speed, or what we call USB 2 commonly, for the spec that introduced it. And those things, if you want the analyzer, are going to cost you more like $1,000. So that's prohibitively expensive. That's a really high barrier to entry for those things. But we can do analysis in software. So if we want to, we can actually do analysis for much, much, much cheaper than that. USB, like many other tools, has software analysis. So it works with your operating system to give you a representation of the operating system's view of the kind of USB packets that are going on there. And let me move my terminal over there so you can see this. If I can figure out which direction this is in. I swear I can use a computer. Yeah, a little bit. I got this. I think my mouse is offset by like 10 pixels. So let's run. Want to grab this for a second? So here we're just going to do a quick demo of software analysis with the USB, assuming that we can manage to type, which is always a challenge. It is very large. I'm just going to press control minus. So assuming we can actually see this on this interestingly resolution monitor. If I take a USB device and plug it into my computer, we can kind of get a breakdown of all the traffic that goes by. This is not the full UI. This is a very small monitor compared to how large I need to make the text for it to be visible. There's actually more UI going on the side. But the important thing is that we actually take the data that is usually presented by tools like Wireshark and represent it as USB packets. So if you go and look at a tool like Wireshark, you actually see all the individual requests that are going between your software stack and your operating system. So you see things in terms of like USB request blocks or herbs, which don't really correspond at all well to the USB packets that are going through your wire. So this view is a view that gives you a much, much, much more USB kind of oriented view. But we can't actually see the individual packets. So I plugged in a flash drive. We can see the transfers that are happening here. But every one of those transfers is actually made of a lot of low-level things that are happening on the wire. But we're missing those because we're only seeing things from the operating system's perspective. So if you want to start messing with a USB device and seeing where it starts to misbehave, you're missing a lot of the detail that really shows you where things are broken. So if you happen to get a buffer overflow that causes your device to spew out data over USB like crazy, like a lot of the glitching projects have shown in the past or a lot of software bugs have caused, you're not going to see that at a small like this. Because this is all showing you what the operating system sees at things. So this is very good for reverse engineering if your device is working perfectly. You can see what the operating system sees. It is less good for cases where you want to be able to work with the device in order to get a real packet level, a real byte level view of what's going down the wire. Right? So let me start up the presentation again. I think I had function 5 instead of function 5, but it's okay. So there are definite limitations to those kind of models. But we really need to be able to do something that is a fully featured kind of analysis is a piece of hardware. And solutions that exist for creating these hardware analyzers tend to be extremely complicated. They tend to use things like FPGAs that are very expensive, that drive large buffers of memory. They use a lot of really over engineered hardware to do something that's a relatively simple task. And so about a year ago, when thinking about this and working on various tools we can use to get a view of signals, I started thinking about how we could do high speed analyzer for significantly cheaper. And it turns out that we have nice microcontrollers that do things like let you pipe really high speed serial data over to your host at USB high speed rates. So we can dump data to a host very, very, very quickly. Those are things that enable devices like HackRF, which is just basically the USB side of that is a really fast pipe for taking parallel data and shifting it over to the host. So these things are not that expensive. Microcontrollers like this are like four or five bucks in quantity. So microcontroller like that really doesn't need to be this whole gigantically engineered thing. And if you take a look at a USB UPI-FI, it is essentially a parallel bus that spits out your USB data at 60 megahertz and a lot of that data and a few encoded control signals that tell you things like where a packet starts and ends. But really what you have here is this parallel bus that is spewing out USB data as fast as you can see. It's telling you everything that is on that, it's going physically through that wire. That device costs about a dollar. Those are the things people put on there with their microcontrollers, with their systems in order to get their devices to talk USB. So in the end, this is essentially the thing that's designed to do the USB interfacing. And so if we have something that's basically taking everything that's on the wire and converting it to nice, easy to read digital signals for us, and we have something that's absolutely designed for taking those nice parallel USB signals and dumping them on the wire, a recipe between these two things for a USB analyzer. The only thing we can add that's kind of optional here is the ability to buffer some of those packets. So if your host can't pull down data from the USB 5 fast enough, you have the ability to buffer things and get taken advantage of the fact that sometimes USB may be very busy and sometimes it may be not, right? USB is typically a bursty protocol, so if you buffer that data, you can kind of compensate for those bursts of activity followed by the lulls that characterize USB. So essentially, this schematic is the schematic for the device that I built. This is essentially, this device is an add-on for GrapeFet, which is a USB board that contains exactly that microcontroller. All of this is a USB-fi, which is connected to the microcontroller. All this hardware really means we took these wires here coming off of that USB-fi with that physical layer chip and connected them directly to our microcontroller. So not too much later, we had hardware, and so this is the routing for the hardware. You can see it's pretty. I don't think it looks nice. And even more pretty is this thing in 3D. So this is essentially a render of what the board looks like. It feels vaguely like cheating, putting a render of a board up, but I have a physical board right here, so I'm cheating less than I could be. The actual 3D rendering tools is a little bit better at capturing images than I am. I would have been sitting there with an iPhone photo, and this is the back, which you can see, I've kind of got my snark on. So this board is called GrapeFet Rotodendron, and GrapeFet Rotodendron is a completely free... Freedom open-source USB analyzer. It's free open-source software. You can take it, you can grab it, you can do what you want. There is exactly one significant component on it, and though this is an add-on for GrapeFet, there is literally nothing stopping you from adding these to boards yourself. I have another board that someone made that is actually a similar microcontroller stuck onto a LPC same microcontroller. Same microcontroller, same PHY, and it happens to be almost the same thing. Just sitting there in a form someone else made that's almost a USB analyzer. So if they solve a couple of design issues they have with that one, it would be like a perfect USB analyzer in the same way this one is. So the point here is that if you have a microcontroller that can go very fast, like on bias towards GrapeFet, because that's what I develop on, but there's lots of different microcontrollers that can do this, and you have a USB PHY, you can create a USB analyzer. Again, this main part right here, the thing that's really driving everything is actually one of the cheapest parts involved. The connectors here, the USB connectors, the USB headers are significantly more money than the actual PHY is. So if you're looking at the bill of materials on here, like not counting the resistors and LEDs, like the big line items here are like USB connector. And that's always the way it is when you're designing hardware. So this is an extremely inexpensive set of components stuck to a board, and it's a USB analyzer. There's absolutely no reason why something like this should be the kind of thing that is that expensive. So if you want to narrate, I can actually go into a demonstration. Sure. So if we return to the terminal with the horrifically large font on the horrifically small resolution display, then hopefully we can get a demo working of analyzing USB using Ritter-Dendron, which is the board that she just talked about. We'll start off analyzing a full-speed device. So I'm going to plug in a full-speed device, because that happens to be the device that I have here. I can switch to a high-speed device in a second, but the data actually goes a bit slower on full-speed devices, which makes it a little bit better for putting these devices on the screen. If I plug in a flash drive and I don't slew it by like rapidly unplugging the thing, you're going to see just data flying by. But I have a full-speed device that doesn't do much of anything until you start using applications. It's the perfect thing for demonstrating stuff like this. Now, I do have one of those fancy laptops with the USB-C and very few USB-A ports, so I'm hoping that this thing doesn't make you plug it in and unplug it a couple times. But if you were to see here, physically on my table, connected to the gray-fit Ritter-Dendron, I have a little full-speed USB device that's plugged in and kind of hold this up. So essentially, just a device plugged right into my USB analyzer. I think you just unplugged it. Oh, it didn't plug it. Nice. It turns out devices want to be plugged in. Well, not all of them. This one does. All right, let's try that again. All right. And on the other end, I have a USB cable and I'm going to plug it into my computer, assuming this works. So in about a second, when it actually captures the full buffer, we'll start seeing some USB data. This USB data is coming from a device that's sitting right here using a $1 five-chip soldered to a board connected to a fancy mic controller. So all of this data that's coming in here is being accomplished by something that is super, super, super cheap. And this data is complete. We're not losing all the information that we lose that the operating system wants to hide from us from USB because we're using a hardware analyzer. So if we expand any of these, you can get right down into the low-level packet levels. So yeah, you can see everything down to the fact that when this individual transfer, when I tried to read information about the device, when you plug the device in and it says, okay, I am a USB network card or I am a USB serial adapter and it exchanges that information. In this case, the device is saying, hey, give me information on what kind of device you are. We can see when the host requests that the first time it asks the device for data, the device says, I don't have any ready for you yet. Second time it says, I don't have anything ready for you yet. And the third time it says, okay, here's the data. Everything's okay. So we can actually see all of these packets individually, byte by byte, flying over the wire because we are talking directly to a device that is meant to be talking USB. So this is like an incredible piece of technology that's $1 at the cheapest part of a USB analyzer. The only other thing you're really missing in order to have a USB analyzer, if you have something that can talk high-speed USB and you have something that, it's like a microcontroller that sits on a high-speed bus and actually gives you good throughput and you have something like a PHY, is the software. And we have open sourced our USB analyzer software. It is sitting there on GitHub at github.com slash USB tools slash USB. The link is in these slides. So you can actually go and grab that software. And that software works on boards other than the one we've just created. It works with a few other open-source USB tools that have been created that have analyzer functionality. One of them being OpenVista, which was an older USB analyzer from a bit ago. I have a slide for that. That's okay. Another tool that's recently been added is actually Colin O'Flynn, who does a lot of glitching work. If you work with ChipWhisper, a new board that is coming out, I think later this year, I'm not sure of his timeline, went through CrowdSupply. That is a board that has the capability to do USB analysis, because it has an FPGA and a USB PHY on it. And so that is something that we've actually already merged support into. So if you get that, you can do USB analysis with it. So let me switch back to this. So let's Rotodendron. And I'm supposed to say something like more like Rotodendron. And then put on my obnoxious speaker glasses. Except for one of our two TVs, half of it is cut out. Yes, right. So I think you need to cut one lens out for the glasses to make the joke work. I think that what I've learned is that at this particular venue, I need to put my words a little bit higher on the screen. So other USB tool things that we have been working on recently include Numap. Numap is a... essentially the new UMap. It is, I think, in some of the places written with rock dots on the U. So with an omelot, those are definitely a dig at Dominic Spill's rock dots, which have appeared at a bunch of events. I don't know if I kept them in most of the documentation because they are very silly. You'll have to add them back. So Numap is a very, very, very new tool in which I, I'm not intended, in which I mean I literally forked UMap too, added support for FaceDancer too. So added support for FaceDancer on newer boards and then left it alone. I have still to make improvements to it and add features, but it does do things that UMap was capable of doing like identifying what kind of devices a host accepts. So using FaceDancer's emulation capabilities, if you plug a FaceDancer device into a host, it will rapidly pretend to be a bunch of different devices and then as it does that see, okay, the host was willing to talk to me as a USB to serial converter. He was willing to talk to me as a USB flash drive. And once you have that information you can go and do things like like take the devices and modify them so that you're, let's say you take an emulation, you can start saying well what if I'm not exactly a compliant USB to serial converter? That's stuff you can do based on Numap and FaceDancer emulation. So it is very, very, very much a work in progress. So what should Numap be? Ideally it will be a much more comprehensive tool for host and device fuzzing. And ideally it will have things like UMap, the original UMap, but not UMap2 had a really cool feature where you could plug it into, take your FaceDancer device, plug it into another plug it into a host and be able to identify what operating system that host is running. Turns out if you plug a USB device into a variety of different hosts they all do slightly different things in terms of getting that device up and running. So if you take a look at a USB dump you can identify, for example, this device is a device that is running on macOS or running on Linux or running on Windows. So that kind of host identification is awesome because in some cases you cannot just identify that this is a Linux device but that this is a Linux device running a 2.7 kernel that hasn't been patched in 60 years. So that is something that we'd like to add back to that that existed in UMap1. Ideally it will exist again in UMap and one more thing that it should be that I think sort of is right now is functional. So that is very much a new thing, but hopefully that will grow into kind of fill the gap that UMap2 left when it ceased to be maintained. I do have a demo of doing high-speed stuff with Rotodendron. I also do want to before I do that talk really briefly for like a minute about some of the other tools we have. So I've talked about face-to-answer in VSB. We have a couple of other things that are in here including a driver for OpenVsla. So if you've been if you had an OpenVsla, if you backed the kickstarter like 10 years ago and it's been sitting collecting dust then we have a fully open source driver for that that's proper Python. This is another USB analyzer board that you can buy right now. So if you very much desperately want a high-speed USB analyzer that costs you less than $300 for 120 euros you can buy one of the leftover OpenVsla so you can go right now and buy a USB protocol analyzer that is driven by our USB software. So you can go and do this kind of analysis today. Anything we're forgetting about? I don't think so. Awesome. So also worth noting we have a full set of open source USB course materials which is available online. So if you go to usbc.tf that is if you spell usbctf but move the dot over one place that is the main URL for our trainings which we offer a couple of times a year and those are all open source. We also have mini.usb.ctf which is I is completely assumed by the monitor bezel but that is a workshop version that we give that workshop many times a year that is essentially a short form introduction to USB. Both of those are completely open source. You can see the source for those workshops at hacking USB, the kind of sister organization to USB tools and I think we have exactly one minute left here. One more demonstration. As I set up the demonstration do you want to field questions? Sure. Questions? Yes. So the GreatFat was built to have neighbors which are just add-on boards for the main base board and all of the GreatFat boards are codenamed based on flowers going A to Z. So by the time that we had designed RotorDendron we were already that far in the alphabet. We had to think of a flower that started with R and didn't want to go with the Rose because RotorDendron is much cooler. Anything else? Yes. Would it ever make sense to include low level USB packet interception and modification in this tool? Is that something that's possible? That's something that's not really possible with RotorDendron but is something that is absolutely possible with, do you want to? Yeah, I can answer this one. So a previous topic I've given to talk about is man on the middle in USB data and if you look in FaceDancer there is a tool called USB proxy which is an evolution tool originally created by Dominic Spill that lets you man on the middle USB data and modify it. So you can actually go and manipulate USB data on the fly. I'm getting nice angry red zeros here. You can modify USB data on the fly using that tool so you can actually go and see the packets as they run through the wire and then modify them. So assuming it actually wants to work, if I reset the board it probably would. Did I plug in the flash drive? Doesn't matter. I'm not going to do live stage debugging because I already got one demo here. That's perfect. Saved by the bell here. Saved by the bell. Thank you Kate and Michaela. If you want to corner them and try to get this demo working with them and or would like to ask them further questions. They will be out that way somewhere over there. Probably where there may be some seating and or food and or beverage and we'll all just have a chat out there. Thank you so much.