USB reverse engineering - where to start?
USB reverse engineering - where to start?

Postby ntas » December 1st, 2015, 8:35 am

Hi!

First of all, yes, I'm new (here on the forum - I've been a HAD reader for years), hello. I'm an electronics technician at what would've been known as a polytechnic college, immediately before that I'd just completed four years of undergraduate EE study up to HND level (but can't afford to do the final year to convert it into a degree because I already have one) and before that I'd been a hobbyist (yes, I started with Arduino) for about a year or two.

So I've had this brainworm of a project for years now and I think it's finally time to start actually doing something about it. Long story short, I want to roll my own Logitech G27 racing wheel controller - essentially a custom MCU with programming that I have full control over, but one that presents itself to the software as a real G27 so I get the force feedback signal and shift light LED data from the Logitech drivers (the rest of the device is a straightforward HID, I think). I'll have to work out the code that translates the optical encoder, button and potentiometer input into outgoing USB data and then incoming USB data into force feedback motor PWM signals and shift light LED patterns (the latter should be straightforward as it's just a 595 circuit).

The problem is, I know very little about how USB - much less USB device drivers! - actually works so I don't know where to start. I was thinking maybe I'd try sniffing USB data from (and to) my keyboard or mouse, maybe programming a 32u4-based Arduino to present itself as different types of HID devices to get a feel for it, but I just can't see how I'd get from here to making a copy of a G27 complete with force feedback.

Therefore I'm turning to you, the HAD community, to politely ask for some pointers as to where to start. While I'm not exactly wet behind the ears, this is an entirely new subject to me, so be gentle but not too gentle.

Thanks!
ntas
 
Posts: 19
Joined: December 1st, 2015, 6:50 am

Re: USB reverse engineering - where to start?

Postby st2000 » December 2nd, 2015, 7:12 am

If RS232 can be written about in, say, a 10-page white paper, then to cover USB in the same manner would take a book. I would start at Jan's web site and grab a copy of her USB book:
http://janaxelson.com/
http://janaxelson.com/usbc.htm

If you really want to stick w/HID only, you may try to find a short cut lesson. But "Host USB" is really complicated and I have not really come across anyone who writes Windows USB drivers (cost too much?? too hard to do??). Most hackers going this route write Linux drivers. BTW, I think HID is really slow. But I may be wrong on that.
st2000
 
Posts: 1453
Joined: February 3rd, 2011, 6:10 pm

Re: USB reverse engineering - where to start?

Postby ntas » December 2nd, 2015, 11:42 am

Thank you, that looks like a great starting point. Honestly I have no idea what the alternatives to HID are or, well, anything really so I'm going to read up on it and see what I can work out. I don't want to write my own drivers, though, I want to reverse engineer the G27 so that I can program something that works with the existing drivers. It's probably a rabbit hole to nowhere, I definitely get 'that' feeling (you know when you ask yourself why something hasn't already been done and the only answer that makes sense is "Because it's far too difficult"?), but I'm already having fun with it and I hope to learn something about how USB works as a result, regardless of whether I achieve my goal or not.

Thanks again!
ntas
 
Posts: 19
Joined: December 1st, 2015, 6:50 am

Re: USB reverse engineering - where to start?

Postby st2000 » December 3rd, 2015, 7:37 am

Well, one of the first steps to faking out a driver is to copy the USB vendor and device IDs. Either look them up or read them out of the USB device. (BTW: USB Host is at one end of the USB cable and USB Device is at the other. You can have many Devices but only 1 Host.) In many (some) versions of Windows you can find the ID information in some GUI device driver menu. In Linux you plug the USB Device in and type "lsusb".

As for the rest of it, I think the project is too broad and needs more discovery. In other words, you can speculate all you want. But maybe only 1 in 10 thoughts will be on target.

For now, HID does not define everything. https://en.wikipedia.org/wiki/USB_human_interface_device_class You can let your imagination run with that for a moment. Also you might be looking at multiple USB Devices. https://en.wikipedia.org/wiki/Compound_device I'll speculate the more this USB HID Device is different from a keyboard & mouse, the more likely you will need the actual device to discover how to create your own. If your end game is to create a high-end arcade like device, it may be easier to get this USB Device and interface it with high end hardware: https://na.suzohapp.com/products/driving_controls/50-0102-08
st2000
 
Posts: 1453
Joined: February 3rd, 2011, 6:10 pm

Re: USB reverse engineering - where to start?

Postby ntas » December 3rd, 2015, 11:16 am

st2000 wrote: I'll speculate the more this USB HID Device is different from a keyboard & mouse, the more likely you will need the actual device to discover how to create your own. If your end game is to create a high-end arcade like device, it may be easier to get this USB Device and interface it with high end hardware: https://na.suzohapp.com/products/driving_controls/50-0102-08

I do have a G27 to test, so that's at least that hurdle overcome... My goal at the end is to create exactly what that product doesn't have, which is a control board that is:
- Easier to buy in low quantities
- Easier to program
- Open to modification
- Compatible with the Logitech drivers without any work required host-side (this is important to ensure compatibility with as many games as possible - Xsim is what most people use for DIY wheels but I don't think it works with everything that Logitech's drivers do because of how it gets the data from the game)
- Possible to replace cheaply - or at least a more cheaply than the entire G27 - if you accidentally wire your custom 100W H-bridge wrong and blow the controller up or something.

As for why I want to do this, well, why not? I could go on but let's just say it's one of those projects that I just want to do because I want to, though learning enough about USB to be able to learn even more later would be great.
ntas
 
Posts: 19
Joined: December 1st, 2015, 6:50 am

Re: USB reverse engineering - where to start?

Postby ntas » December 15th, 2015, 7:25 am

So I downloaded Wireshark and installed it along with the optional USBPcap software, fully expecting it to be a huge hassle to get it to do anything useful, but within maybe five minutes it was spitting out all sorts of USB data for me to look at. Unfortunately it seems that all of the USB ports my PC has are on the same bus (Wireshark said I had four but only the third had anything on it), so the log gets hugely clogged up with reports from my keyboard and mouse; there's probably a way to filter them out, though.

Anyway, it's quite an amazing tool, of course I don't understand most of what it's telling me - IRP IDs, USBD status, IRP info, URB function, etc. - but I have at least noticed that it shows button press and release events and it reports the pedal positions too. Later on I'm going to collect data for pressing each button and the difference between 0% and 100% on each pedal, I'll also try plugging and unplugging the device a few times to see what data is exchanged and if it's the same every time.
ntas
 
Posts: 19
Joined: December 1st, 2015, 6:50 am

Re: USB reverse engineering - where to start?

Postby ntas » February 5th, 2016, 6:01 am

So I've been very slowly working on this idea since I last posted, mostly just reading to try to improve my knowledge (and I briefly explored RS232 as a little sidetrack, it's actually quite fun!). I've been looking here: https://www.circuitsathome.com/communic ... ces-part-1 to try to get my head around the HID descriptor a little. Am I correct in thinking that if the device in question is a pure HID device (I don't even know what else it can be, such is my limited knowledge), I can replicate the HID descriptor with, say, an Arduino Leonardo and the PC will treat it the same way?

I'm concerned, though, that the device is more complicated than just a straightforward generic HID device. Is there any way I'd be able to determine that through evidence I already have rather than going to the hassle of getting the HID descriptor for the device, loading it onto a 32U4 and trying it out? I mean, would Windows tell me, or maybe I could investigate how it operates with and without the proper drivers to see if it conforms to the HID specification?
ntas
 
Posts: 19
Joined: December 1st, 2015, 6:50 am

Re: USB reverse engineering - where to start?

Postby xorpunk » February 16th, 2016, 2:17 pm

Just use a newer build of Wireshark and do static analysis of packets.

If it'll work with isolated-crypto thumb drives and DRM dongles it'll work with anything. SDR and standard storage controllers are far more simple.
xorpunk
 
Posts: 6
Joined: September 25th, 2012, 10:07 am

Re: USB reverse engineering - where to start?

Postby ntas » February 29th, 2016, 4:30 am

Just a quick update to say I've been using Wireshark to examine the communications between the device and host; it's a fascinating tool. I've managed to parse the HID descriptor and it all matches up with the data being transferred to and from the host. I've also done some experiments of my own using an Arduino Leonardo and some HID device libraries, going into the .cpp files and editing the HID descriptor itself, then reading it back with Wireshark to see what happens. It's great fun... just not super productive at the moment, but it's just baby steps right now, I guess.

Interestingly, the device first enumerates as a Logitech Driving Force wheel (which is ancient) with its own HID descriptor, then just after the HID descriptor is exchanged it re-enumerates as the Logitech G27 Racing Wheel with a different HID descriptor, but it's not a composite device. Interesting stuff, kind of.
ntas
 
Posts: 19
Joined: December 1st, 2015, 6:50 am
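The two steps the last few posts circle around, parsing the HID report descriptor and checking that the fields it declares line up with the report bytes Wireshark shows, as an added example that is not the poster's code and contains nothing captured from a G27. It is a small Python parser for short-item HID report descriptors that lays out every Input/Output/Feature field (usage, bit offset, width, logical range) and then decodes a raw report against that layout. The descriptor and the report bytes below are constructed for the example (a generic two-axis, eight-button joystick); the usage-name tables are a tiny subset of the HID Usage Tables and anything outside them is printed as page:id.

```python
"""Parse a USB HID report descriptor and decode raw reports against it.
Added example, not the poster's code; descriptor and report bytes are constructed.
Handles short items only (long items are skipped), which covers typical HID devices.
"""
from dataclasses import dataclass

_SIZES = (0, 1, 2, 4)          # bSize field of the item prefix -> number of data bytes
MAIN, GLOBAL, LOCAL = 0, 1, 2  # bType field of the item prefix
_PAGES = {0x01: "GenericDesktop", 0x09: "Button"}             # subset of HID Usage Tables
_GD = {0x30: "X", 0x31: "Y", 0x32: "Z", 0x33: "Rx", 0x34: "Ry", 0x35: "Rz", 0x39: "Hat"}


@dataclass
class Field:
    kind: str         # "Input", "Output" or "Feature"
    report_id: int    # 0 when the descriptor has no Report ID items
    usage: str
    bit_offset: int   # offset inside the report payload (after the ID byte, if any)
    bit_size: int
    logical_min: int
    logical_max: int
    is_const: bool    # Constant (padding) vs Data
    is_array: bool    # Array vs Variable


def _usage_name(page, uid):
    if page == 0x09:
        return f"Button{uid}"
    if page == 0x01 and uid in _GD:
        return _GD[uid]
    return f"{_PAGES.get(page, f'Page{page:#x}')}:{uid:#x}"


def _signed(value, nbytes):
    """Logical/Physical Min/Max data is two's complement at the item's own size."""
    bits = 8 * nbytes
    return value - (1 << bits) if nbytes and value & (1 << (bits - 1)) else value


def parse_report_descriptor(desc: bytes) -> list:
    fields, stack, usages, umin = [], [], [], (0, 0)
    g = {"page": 0, "lmin": 0, "lmax": 0, "size": 0, "count": 0, "rid": 0}
    offsets = {}  # (kind, report id) -> next free bit position
    i = 0
    while i < len(desc):
        prefix = desc[i]
        i += 1
        if prefix == 0xFE:                      # long item: bDataSize, bLongItemTag, data
            i += 2 + desc[i]
            continue
        size, typ, tag = _SIZES[prefix & 3], (prefix >> 2) & 3, prefix >> 4
        raw = int.from_bytes(desc[i:i + size], "little") if size else 0
        i += size
        if typ == GLOBAL:
            if tag == 0: g["page"] = raw
            elif tag == 1: g["lmin"] = _signed(raw, size)
            elif tag == 2: g["lmax"] = _signed(raw, size)
            elif tag == 7: g["size"] = raw
            elif tag == 8: g["rid"] = raw
            elif tag == 9: g["count"] = raw
            elif tag == 10: stack.append(dict(g))           # Push
            elif tag == 11 and stack: g = stack.pop()       # Pop
        elif typ == LOCAL:
            page = raw >> 16 if size == 4 else g["page"]    # 4-byte usages carry their page
            uid = raw & 0xFFFF
            if tag == 0: usages.append((page, uid))
            elif tag == 1: umin = (page, uid)
            elif tag == 2: usages.extend((page, u) for u in range(umin[1], uid + 1))
        elif typ == MAIN:
            if tag in (8, 9, 11):                # Input / Output / Feature
                kind = {8: "Input", 9: "Output", 11: "Feature"}[tag]
                key = (kind, g["rid"])
                off = offsets.get(key, 0)
                for n in range(g["count"]):
                    # Variable fields take the usages in order; the last one repeats if short
                    page, uid = usages[min(n, len(usages) - 1)] if usages else (g["page"], 0)
                    fields.append(Field(kind, g["rid"], _usage_name(page, uid), off, g["size"],
                                        g["lmin"], g["lmax"], bool(raw & 1), not raw & 2))
                    off += g["size"]
                offsets[key] = off
            usages = []                          # every Main item resets the Local state
    return fields


def report_length(fields, kind="Input", report_id=0) -> int:
    """Bytes on the wire for one report: the number to compare with a captured packet."""
    bits = max((f.bit_offset + f.bit_size for f in fields
                if f.kind == kind and f.report_id == report_id), default=0)
    return (bits + 7) // 8 + (1 if report_id else 0)


def decode_report(fields, report: bytes, kind="Input") -> dict:
    """Map a raw report to {usage: value}; sign-extends fields whose Logical Min is negative."""
    uses_ids = any(f.report_id for f in fields)
    rid, payload = (report[0], report[1:]) if uses_ids else (0, report)
    bits = int.from_bytes(payload, "little")     # bit 0 of byte 0 is the first report bit
    out = {}
    for f in fields:
        if f.kind != kind or f.report_id != rid or f.is_const:
            continue
        v = (bits >> f.bit_offset) & ((1 << f.bit_size) - 1)
        if f.logical_min < 0 and v & (1 << (f.bit_size - 1)):
            v -= 1 << f.bit_size
        out[f.usage] = v
    return out


# Constructed descriptor (not from a G27): joystick with two 8-bit axes and eight buttons
JOYSTICK_DESC = bytes.fromhex(
    "05 01 09 04 A1 01 09 01 A1 00 09 30 09 31 15 00 26 FF 00 75 08 95 02 81 02 C0 "
    "05 09 19 01 29 08 15 00 25 01 75 01 95 08 81 02 C0"
)

if __name__ == "__main__":
    fields = parse_report_descriptor(JOYSTICK_DESC)
    for f in fields:
        print(f"{f.kind:7} bits {f.bit_offset:3}+{f.bit_size:<2} {f.usage}")
    print("input report bytes:", report_length(fields))
    print(decode_report(fields, bytes([0x80, 0x40, 0x05])))  # constructed report: X=128, Y=64, buttons 1 and 3
```

To use this on a real device, paste the descriptor bytes Wireshark shows in the GET_DESCRIPTOR(Report) response into `bytes.fromhex(...)` and feed the payload of an interrupt IN packet to `decode_report`. The `report_length` value should equal the captured packet's payload length (plus the report ID byte when the descriptor uses IDs); if it does not, either the descriptor was read from a different configuration than the one in use or the parse is wrong, and that mismatch is worth resolving before building a clone.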
