“OpenVizsla is a project to design a device that will allow the capture and inspection of USB traffic that will help with the reverse engineering and debugging of proprietary USB devices, and will also be an invaluable tool for developers working with USB and especially those who are using USB in embedded designs.”
This is the first sentence of a Kickstarter project which was funded in 2010. It raised over 80.000 USD in a month (much more than was expected, and, as it turned out, less than was really needed). A pair of enthusiasts (bushing and pytey), together with their friends, put a lot of effort into creating a small, cheap and open-source USB sniffer.
After over two years of struggle, with no working prototype ready, people on the Internet were getting really nervous. Many of them were calling on the project maintainers to give them their money back. One of the founders (pytey) wanted to support local businesses in Hungary, and he said he could get them a good deal on assembly there. He took most of the parts, and after he left the US it became more and more difficult to contact him.
After two months without any sign of life from pytey, bushing realized that he had been left alone: without enough parts to assemble working boards for the people who had donated their money, without enough money to buy the missing parts, and without enough money to refund the donors. He reworked the design, using only parts that he could buy off the shelf with the money he had access to.
At the beginning of 2014 the first working boards were sent to premium donors. People who had donated less received, a few months later, bare PCBs with parts to assemble on their own. The Kickstarter project was closed on Aug 27 2014. Everyone who donated money to it received what was agreed.
Ben “bushing” Byer died Feb 8 2016.
A Brief Description
Since there is no (affordable, at least) silicon that provides USB sniffing features out of the box, the heart of the OpenVizsla is an FPGA, a Xilinx Spartan 6 LX to be exact. The board has a Micron MT48LC16M16A2P-xx SDRAM (256MB), an FTDI FT2232H High-Speed USB converter with FIFO interface, and an SMSC USB3343 ULPI PHY Hi-Speed USB 2.0 transceiver.
It has two USB 2.0 B ports (for a host and for a server) and one USB 2.0 A port for the target device that is going to be analyzed. It provides no USB 3.0 support. As there has been very little support over the last few years, there are a lot of known limitations.
Sniffing USB devices
OpenVizsla is a sniffer and analyzer. It allows you to passively monitor the communication between a USB host and a USB peripheral. It supports USB low-speed, full-speed and high-speed. To show that it works, we started with something simple. Low-speed USB devices are, for example, keyboards and mice. For the first test we used a keyboard, because its traffic is easy to interpret.
As we can see, though there are a lot of frames going by, most of them are basically empty. The USB protocol sends frames even if there is no information to send. Sometimes some information can be detected, for example:
DATA1: 00 00 1e 00 00 00 00 00 29 88
Here we’ve got something to read. According to the USB keyboard specification, the 3rd byte of a report applies to the first button pressed, and 1e is the hexadecimal representation of the keycode of ‘1’ (which is the key that was actually pressed).
Let’s try a USB mouse instead.
After the sniffing started, we did nothing for a while. Then we started to move the mouse in random directions, stopped, and started again.
The second and the third bytes represent movement along the X and Y axes, respectively. The first byte (properly, it should be called byte ‘0’) represents the status of the mouse buttons.
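The keyboard and mouse report layouts described above, decoded by a short Python script. This is an added example, not code from the OpenVizsla project. It assumes boot-protocol report layouts and that the last two bytes of each DATA line are the packet's CRC16 field (stripped, not verified); the function names and the mouse sample line are constructed for illustration.

```python
import re
import struct

# HID Keyboard/Keypad usage IDs: 0x04-0x1d are a-z, 0x1e-0x27 are 1-9 then 0.
KEYS = {0x04 + i: c for i, c in enumerate("abcdefghijklmnopqrstuvwxyz1234567890")}
KEYS.update({0x01: "ErrorRollOver", 0x28: "Enter", 0x29: "Esc",
             0x2A: "Backspace", 0x2B: "Tab", 0x2C: "Space"})
MODIFIERS = ("LCtrl", "LShift", "LAlt", "LGui", "RCtrl", "RShift", "RAlt", "RGui")
BUTTONS = ("left", "right", "middle")
# Matches "DATA1: 00 00 1e ..." text and stops at the first non-hex word.
DATA_LINE = re.compile(r"(DATA[01]):((?:\s+[0-9a-fA-F]{2}\b)+)")

def parse_data_line(line):
    """Return (pid, payload) from a DATA0/DATA1 line, or None for anything else."""
    m = DATA_LINE.search(line)
    if m is None:
        return None
    raw = bytes.fromhex(m.group(2))
    if len(raw) < 2:
        return None
    # Assumption: the final two bytes are the CRC16 field; stripped, not verified.
    return m.group(1), raw[:-2]

def set_bits(value, names):
    """Names of the bits that are set in value, lowest bit first."""
    return [name for bit, name in enumerate(names) if value >> bit & 1]

def decode_keyboard(payload):
    """8-byte boot keyboard report: modifiers, reserved byte, six keycode slots."""
    if len(payload) != 8:
        raise ValueError("boot keyboard report must be 8 bytes")
    keys = [KEYS.get(code, f"0x{code:02x}") for code in payload[2:] if code]
    return {"modifiers": set_bits(payload[0], MODIFIERS), "keys": keys}

def decode_mouse(payload):
    """Mouse report: byte 0 is button status, bytes 1-2 are signed X/Y deltas."""
    if len(payload) < 3:
        raise ValueError("mouse report needs at least 3 bytes")
    buttons, dx, dy = struct.unpack_from("<Bbb", payload)
    return {"buttons": set_bits(buttons, BUTTONS), "dx": dx, "dy": dy}

if __name__ == "__main__":
    page_line = "DATA1: 00 00 1e 00 00 00 00 00 29 88"  # line from the capture above
    mouse_line = "DATA0: 01 fb 03 00 00 00"  # constructed; CRC bytes are placeholders
    print(decode_keyboard(parse_data_line(page_line)[1]))
    print(decode_mouse(parse_data_line(mouse_line)[1]))
```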
OK, that’s fun, and it may be nice to check once or even twice whether it works as described in the specification. But is that what this device is designed for? Well, maybe, if you are a USB peripherals engineer.
Let’s do something more interesting.
In the examples above we showed how intense low-speed communication over USB is. Signals flew by so quickly that it was hard to notice a single data frame. And that was low-speed. Devices like USB memory sticks run at high-speed. Unfortunately, this is so fast that, in real time, the amount of information makes it totally unreadable for a human.
Instead of showing a movie, we’ll show a set of frozen frames from the output.
These are frames from a connected USB stick that does absolutely nothing.
The last square bracket represents the number of bytes sent; after that you can read a packet identifier.
IN means a
ACK is a handshake signal, which you can observe in the examples above.
Now, let’s connect something real to the OpenVizsla. Our choice was a stick with a live system, which should try to be recognized by the PC.
After a second we had:
Which we can convert from hexadecimal to ASCII to obtain: