Hi,
As I have received several questions about how to interpret the input and output buffers of USB devices, I will leave here an easy way of doing this.
Personally, I use trial and error; but of course, this brings many headaches, and it is best to work with some low-level language (C# sucks!).
So if you're a friend of abstractions, USB Monitor may be helpful. This software allows you to monitor the flow of data that is sent through the USB hubs. In other words, you can see, one by one, the bytes that pass through each USB port.
In my particular case, and with the full version installed, I configured it so that it captures all the information that passes through the second HID device. I noticed that the first one is the mouse.
So once we have defined the device we want to attack, the next step is to start recording data. In my particular case, I have not applied any filter.
I launched the control application that comes with the missile launcher and fired a missile. This is the trace the log left me:
1: 000238: Class-Specific Request Sent (DOWN), 24.04.2012 23:33:07.320 +22.500
2: Request Type:Set Report (Data Field)
3: Report Type:Output
4: ReportID:0x0
5: Parsed Report:
6: Report Name:Unknown
7: Unknown[-128..127]/[0..255]: 64
8:
9: 000239: Class-Specific Data (UP), 24.04.2012 23:33:07.320 +0.0
10: Request Type:Set Report (Data Field)
11:
12: 000240: Report Arrived (UP), 24.04.2012 23:33:07.335 +0.015
13: Report Name:Unknown
14: Unknown[-128..127]/[0..255]: 0
15:
16: 000241: Report Arrived (DOWN), 24.04.2012 23:33:07.335 +0.0
17: Report Name:Unknown
18: Unknown[-128..127]/[0..255]: 0
19:
20: 000242: Class-Specific Request Sent (DOWN), 24.04.2012 23:33:07.335 +0.0
21: Request Type:Set Report (Data Field)
22: Report Type:Output
23: ReportID:0x0
24: Parsed Report:
25: Report Name:Unknown
26: Unknown[-128..127]/[0..255]: 16
27:
28: 000243: Class-Specific Data (UP), 24.04.2012 23:33:07.335 +0.0
29: Request Type:Set Report (Data Field)
30:
31: 000244: Class-Specific Request Sent (DOWN), 24.04.2012 23:33:07.850 +0.514
32: Request Type:Set Report (Data Field)
33: Report Type:Output
34: ReportID:0x0
35: Parsed Report:
36: Report Name:Unknown
37: Unknown[-128..127]/[0..255]: 64
38:
39: 000245: Class-Specific Data (UP), 24.04.2012 23:33:07.850 +0.0
40: Request Type:Set Report (Data Field)
41:
42: 000246: Report Arrived (UP), 24.04.2012 23:33:07.866 +0.015
43: Report Name:Unknown
44: Unknown[-128..127]/[0..255]: 16
45:
46: 000247: Report Arrived (DOWN), 24.04.2012 23:33:07.866 +0.0
47: Report Name:Unknown
48: Unknown[-128..127]/[0..255]: 16
49:
50: 000248: Class-Specific Request Sent (DOWN), 24.04.2012 23:33:07.953 +0.086
51: Request Type:Set Report (Data Field)
52: Report Type:Output
53: ReportID:0x0
54: Parsed Report:
55: Report Name:Unknown
56: Unknown[-128..127]/[0..255]: 64
57:
58: 000249: Class-Specific Data (UP), 24.04.2012 23:33:08.007 +0.053
59: Request Type:Set Report (Data Field)
60:
61: 000250: Report Arrived (UP), 24.04.2012 23:33:08.026 +0.019
62: Report Name:Unknown
63: Unknown[-128..127]/[0..255]: 16
64:
65: 000251: Report Arrived (DOWN), 24.04.2012 23:33:08.026 +0.0
66: Report Name:Unknown
67: Unknown[-128..127]/[0..255]: 16
68:
69: 000252: Class-Specific Request Sent (DOWN), 24.04.2012 23:33:14.565 +6.539
70: Request Type:Set Report (Data Field)
71: Report Type:Output
72: ReportID:0x0
73: Parsed Report:
74: Report Name:Unknown
75: Unknown[-128..127]/[0..255]: 32
76:
77: 000253: Class-Specific Data (UP), 24.04.2012 23:33:14.565 +0.0
78: Request Type:Set Report (Data Field)
79:
80: 000254: Class-Specific Request Sent (DOWN), 24.04.2012 23:37:05.977 +231.412
81: Request Type:Set Report (Data Field)
82: Report Type:Output
83: ReportID:0x0
84: Parsed Report:
85: Report Name:Unknown
86: Unknown[-128..127]/[0..255]: 64
87:
88: 000255: Class-Specific Data (UP), 24.04.2012 23:37:05.977 +0.0
89: Request Type:Set Report (Data Field)
90:
91: 000256: Report Arrived (UP), 24.04.2012 23:37:05.977 +0.0
92: Report Name:Unknown
93: Unknown[-128..127]/[0..255]: 0
94:
95: 000257: Report Arrived (DOWN), 24.04.2012 23:37:05.977 +0.0
96: Report Name:Unknown
97: Unknown[-128..127]/[0..255]: 0
98:
99: 000258: Class-Specific Request Sent (DOWN), 24.04.2012 23:37:06.040 +0.062
100: Request Type:Set Report (Data Field)
101: Report Type:Output
102: ReportID:0x0
103: Parsed Report:
104: Report Name:Unknown
105: Unknown[-128..127]/[0..255]: 16
106:
107: 000259: Class-Specific Data (UP), 24.04.2012 23:37:06.040 +0.0
108: Request Type:Set Report (Data Field)
109:
110: 000260: Class-Specific Request Sent (DOWN), 24.04.2012 23:37:06.102 +0.062
111: Request Type:Set Report (Data Field)
112: Report Type:Output
113: ReportID:0x0
114: Parsed Report:
115: Report Name:Unknown
116: Unknown[-128..127]/[0..255]: 64
117:
118: 000261: Class-Specific Data (UP), 24.04.2012 23:37:06.196 +0.093
119: Request Type:Set Report (Data Field)
120:
121: 000262: Report Arrived (UP), 24.04.2012 23:37:06.211 +0.015
122: Report Name:Unknown
123: Unknown[-128..127]/[0..255]: 16
124:
125: 000263: Report Arrived (DOWN), 24.04.2012 23:37:06.211 +0.0
126: Report Name:Unknown
127: Unknown[-128..127]/[0..255]: 16
128:
129: 000264: Class-Specific Request Sent (DOWN), 24.04.2012 23:37:06.258 +0.046
130: Request Type:Set Report (Data Field)
131: Report Type:Output
132: ReportID:0x0
133: Parsed Report:
134: Report Name:Unknown
135: Unknown[-128..127]/[0..255]: 64
136:
137: 000265: Class-Specific Data (UP), 24.04.2012 23:37:06.367 +0.109
138: Request Type:Set Report (Data Field)
139:
140: 000266: Report Arrived (UP), 24.04.2012 23:37:06.367 +0.0
141: Report Name:Unknown
142: Unknown[-128..127]/[0..255]: 16
143:
144: 000267: Report Arrived (DOWN), 24.04.2012 23:37:06.367 +0.0
145: Report Name:Unknown
146: Unknown[-128..127]/[0..255]: 16
147:
148: 000268: Class-Specific Request Sent (DOWN), 24.04.2012 23:37:06.430 +0.062
149: Request Type:Set Report (Data Field)
150: Report Type:Output
151: ReportID:0x0
152: Parsed Report:
153: Report Name:Unknown
154: Unknown[-128..127]/[0..255]: 32
155:
156: 000269: Class-Specific Data (UP), 24.04.2012 23:37:06.523 +0.093
157: Request Type:Set Report (Data Field)
If we look at the packets sent (CS Request Sent), we can see the following sequence:
- 64
- 16
- 64
- 64
- 32
We also have the time difference between each call. For my test I rounded it to 50 milliseconds and created a sample application with the following code:
1: using System;
2: using System.Threading;
3: using USBHIDDRIVER;
4:
5: namespace HidUsbDriverConsoleTest
6: {
7:     internal class Program
8:     {
9:         private static void Main(string[] args)
10:         {
11:             var usb = new USBInterface(@"vid_0a81", @"pid_ff01");
12:             usb.Connect();
13:             WriteData(usb, 64);
14:             WriteData(usb, 16);
15:             WriteData(usb, 64);
16:             WriteData(usb, 64);
17:             WriteData(usb, 32);
18:             Console.ReadLine();
19:         }
20:         private static void WriteData(USBInterface usb, byte secondByteValue)
21:         {
22:             var command = new byte[] { 0, 2 };
23:             command[1] = secondByteValue;
24:             usb.UsbDevice.writeDataSimple(command);
25:             Thread.Sleep(50);
26:         }
27:     }
28: }
As you can see, lines 13-17 reproduce this sequence and timing to interact with the USB missile launcher, and so do the same as the original application.
It couldn't be simpler.
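The command bytes and the gaps between them can also be pulled out of a USB Monitor text export mechanically instead of being read off by eye. The following is an added example, not code from the original post; the function names are assumptions of the example, and `TRACE` is an abridged excerpt of the trace above.

```python
import re
from datetime import datetime, timedelta

# Abridged excerpt of the trace above (listing numbers kept as on the page).
TRACE = """\
1: 000238: Class-Specific Request Sent (DOWN), 24.04.2012 23:33:07.320 +22.500
7: Unknown[-128..127]/[0..255]: 64
12: 000240: Report Arrived (UP), 24.04.2012 23:33:07.335 +0.015
14: Unknown[-128..127]/[0..255]: 0
20: 000242: Class-Specific Request Sent (DOWN), 24.04.2012 23:33:07.335 +0.0
26: Unknown[-128..127]/[0..255]: 16
31: 000244: Class-Specific Request Sent (DOWN), 24.04.2012 23:33:07.850 +0.514
37: Unknown[-128..127]/[0..255]: 64
"""

# Record header: optional listing number, 6-digit record id, kind, direction, timestamp.
HEADER = re.compile(r"^(?:\d+: )?(\d{6}): (.+?) \((UP|DOWN)\), (\S+ \S+) \+[\d.]+$")
VALUE = re.compile(r"Unknown\[.*\]: (\d+)$")


def output_reports(trace):
    """Return (timestamp, byte) for every host-to-device Set Report in the trace."""
    reports, kind, stamp = [], None, None
    for line in map(str.strip, trace.splitlines()):
        header = HEADER.match(line)
        if header:
            kind = header.group(2)
            stamp = datetime.strptime(header.group(4), "%d.%m.%Y %H:%M:%S.%f")
            continue
        value = VALUE.search(line)
        # Input reports ("Report Arrived") carry device state, not commands: skip them.
        if value and kind == "Class-Specific Request Sent":
            reports.append((stamp, int(value.group(1))))
    return reports


def replay_plan(reports):
    """Return (byte, delay_ms_before_send) pairs; the first command has delay 0."""
    plan, previous = [], None
    for stamp, byte in reports:
        delay = 0 if previous is None else (stamp - previous) // timedelta(milliseconds=1)
        plan.append((byte, delay))
        previous = stamp
    return plan


if __name__ == "__main__":
    print(replay_plan(output_reports(TRACE)))
```

The delays are computed from the absolute timestamps, so they stay correct even when records between two requests are filtered out.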
Download: http://www.hhdsoftware.com/usb-monitor
Greetings @ Home
El Bruno