Tuesday, July 3, 2012
Emulating USB Devices with Python
as presented with Sergey Bratus at Recon 2012
with thanks to Sergio Alverez and the Dartmouth Scooby Gang.
Not long ago, I was giving a lecture to Sergey Bratus's class at Dartmouth, where he asked me to teach the students about SPI, I2C, and the other bus protocols that are commonly found in embedded systems. When a student made the inevitable joke about Sergey's Magic School Bus, my good neighbor's eyes lit up and he exclaimed, "It's not a bus; it's a network!"
Skipping on down...
Unlike the Teensy and similar hardware, this tool is not designed to run standalone. All of the complicated software is in Python on one workstation, while the emulated USB device appears on a second workstation. This makes fuzz testing and exploit debugging a hell of a lot more efficient, while the resulting exploit can be ported to run as C firmware for deployment.
Introducing the Facedancer Board
Our rough prototype was refined into a single board, which is documented as the Facedancer10 as part of the GoodFET project. The board consists of a GoodFET41 with the MAX3420 target onboard. One USB Mini plug runs to the workstation emulating a USB device, and the other USB Mini plug runs to a second host which sees only the emulated device.
The C firmware running on the MSP430 is intentionally kept as minimal as possible, with complexity pushed to the Python client in order to speed development and prevent the need for reflashing during development. This is perfectly fine for emulating USB devices, as kernels seem very tolerant of delays in responses. Additionally, the MAX3420 handles all fast-reaction timings itself, so our round-trip overheads don't create any serious problems.
As a networking protocol, USB is quite different from the IP protocols that you are likely familiar with. It is not more difficult, but it is designed along different lines, with a different philosophy and different concepts. To learn the language, I recommend a mixture of reverse engineering devices, writing drivers, and writing emulators. Sniff some traffic with Wireshark, VMware, or a Total Phase Beagle, then read it and try to write your own client in PyUSB. A good tutorial on that can be found in Adafruit's page on Hacking the Kinect.
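To make the "different concepts" concrete, here is an added example (not code from the original post or from the GoodFET/Facedancer project, and not using its client API) of the first exchange any emulated device has to answer: the host's 8-byte SETUP packet on endpoint 0 asking for the device descriptor. The function names are hypothetical, and the vendor/product IDs and sample packet are constructed placeholders; the field layouts come from chapter 9 of the USB 2.0 specification.

```python
import struct

# Standard request code and descriptor type from the USB 2.0 spec, chapter 9.
GET_DESCRIPTOR = 0x06
DT_DEVICE = 0x01

def parse_setup(packet: bytes) -> dict:
    """Decode the 8-byte SETUP packet a host sends on endpoint 0."""
    if len(packet) != 8:
        raise ValueError("SETUP packet must be exactly 8 bytes")
    bm_request_type, b_request, w_value, w_index, w_length = struct.unpack(
        "<BBHHH", packet)  # all multi-byte USB fields are little-endian
    return {
        "device_to_host": bool(bm_request_type & 0x80),
        "type": (bm_request_type >> 5) & 0x03,  # 0 standard, 1 class, 2 vendor
        "recipient": bm_request_type & 0x1F,
        "bRequest": b_request,
        "wValue": w_value,
        "wIndex": w_index,
        "wLength": w_length,
    }

def device_descriptor(vid: int, pid: int, max_packet: int = 64) -> bytes:
    """Build the 18-byte standard device descriptor."""
    return struct.pack(
        "<BBHBBBBHHHBBBB",
        18, DT_DEVICE, 0x0200,  # bLength, bDescriptorType, bcdUSB 2.00
        0, 0, 0, max_packet,    # class/subclass/protocol left to interfaces; bMaxPacketSize0
        vid, pid, 0x0100,       # idVendor, idProduct, bcdDevice 1.00
        0, 0, 0, 1)             # no string descriptors; one configuration

def handle_setup(packet: bytes, descriptor: bytes):
    """Return the data-stage bytes, or None to signal the request should be STALLed."""
    req = parse_setup(packet)
    if (req["device_to_host"] and req["type"] == 0
            and req["bRequest"] == GET_DESCRIPTOR
            and req["wValue"] >> 8 == DT_DEVICE):
        # Hosts often ask for only the first bytes; never send more than wLength.
        return descriptor[:req["wLength"]]
    return None

# Constructed sample: GET_DESCRIPTOR(DEVICE) with wLength = 64.
SAMPLE_SETUP = bytes.fromhex("8006000100004000")

if __name__ == "__main__":
    desc = device_descriptor(0x1234, 0x5678)  # placeholder VID/PID, not a real device
    print(parse_setup(SAMPLE_SETUP))
    print(handle_setup(SAMPLE_SETUP, desc).hex())
```

Comparing the output against a capture of a real device's enumeration is a quick way to check that you are reading the sniffed traffic correctly.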
- News 07-05-12
- Anyone for Pi? Mods and hacks for the Raspberry Pi | TechRepublic
- Watch out Google: Apple gets patent for wearable device - Computerworld
- What the ‘Internet doomsday’ virus is and how to fix it - The Washington Post
- Best Free Video Editor
- How to Identify Poison Ivy: 8 steps (with pictures) - wikiHow
- Central Banks Move to Fuel Economy on 3 Fronts - NYTimes.com
- Oil Embargo Leads Iran to Disguise Tankers - NYTimes.com
- Japanese Commission Calls Fukushima Nuclear Crisis a ‘Man-Made’ Disaster - NYTimes.com
- Raspberry Pi prototyping boards available at adafruit - Hack a Day
- Television built from a tin can - Hack a Day
- Flimsy Pi case still provides a level of protection - Hack a Day
- F/stop printer for analog printing black and white photos - Hack a Day
- DNSchanger shutdown may kick 300,000 offline Monday • The Register
- World’s Most Abstract Visual Dictionary Defines Words By Their Top Google Image Result | WebProNews
- Google Now: Do You Want Google Using Your Information In This Way? | WebProNews
- Facedancer board lets your Python programs pretend to be USB hardware - Hack a Day
- Automatic beverage delivery system - Hack a Day
- Travis Goodspeed's Blog: Emulating USB Devices with Python
- Red Bull Creation Challenge 2012 - YouTube