If you need to reverse-engineer a USB protocol on a computer running Linux, your work is easy because you control everything on the target system — you can just look at the raw USB data. If you’d like to reverse-engineer a USB device that plugs into a game console, on the other hand, your work is a lot harder. Until now.

serialusb is a side-project by [Mathieu Laurendeau], alias [Matlo]. His main project, GIMX, is aimed at gaming and lets you modify your gaming controller’s performance by passing it first through your PC and tweaking the USB data before forwarding it on to the target console. Want rapid fire? You got it. Alter the steering-wheel sensitivity curves? Sure.

GIMX is essentially a USB man-in-the-middle between your controller and your console, with the added ability to modify the data along the way. For hardware that’s not yet supported by GIMX, though, either [Matlo] would need to borrow your controller, or teach you to man-in-the-middle your own USB traffic. And that’s what serialusb does.

The hardware required is very modest: a USB-to-serial adapter and an ATmega32u4-based Arduino clone. Many of you could whip this together with parts on hand, and it’s the same hardware you’d need to run GIMX anyway. Data goes through your computer, is usbmon’ed and wireshark’ed, and then passed over serial to the ATmega which then converts it back into USB, plugged into the console. A very tidy little setup.
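The sniffing step in that data path is ordinary Linux tooling: the PC in the middle reads raw transfers from usbmon (the kernel's USB monitor, whose text format is documented in the kernel's usbmon documentation) and Wireshark shows the same stream. The parser below is an added example, not code from this article or from the serialusb or GIMX projects. It turns usbmon text lines into structured events, pairs each submission with its completion, and decodes a GET_DESCRIPTOR(device) reply. The four sample lines are constructed for the example (including the vendor/product IDs 0x1234/0x5678 and the URB tags); they were not captured from any real controller.

```python
"""Parse Linux usbmon text-format lines, the raw data the PC in the middle sees."""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the usbmon "u" text format; illustrative only.
# Line 1/2: a control GET_DESCRIPTOR(device) request and its 18-byte reply.
# Line 3/4: an interrupt IN submission on endpoint 1 and its 8-byte report.
SAMPLE = """\
ffff88003e7c7a80 3003260925 S Ci:1:003:0 s 80 06 0100 0000 0012 18 <
ffff88003e7c7a80 3003261126 C Ci:1:003:0 0 18 = 12010002 00000008 34127856 06010102 0301
ffff88003e7cb0c0 3003270001 S Ii:1:003:1 -115:8 8 <
ffff88003e7cb0c0 3003278004 C Ii:1:003:1 0:8 8 = 00001000 00000000
"""

XFER_TYPE = {"C": "control", "B": "bulk", "I": "interrupt", "Z": "isochronous"}
ADDR_RE = re.compile(r"([CBIZ])([io]):(\d+):(\d+):(\d+)")  # type+dir:bus:device:endpoint


@dataclass
class UsbmonEvent:
    urb_tag: str
    timestamp_us: int
    event: str            # S = submission, C = callback (completion), E = error
    xfer: str             # control / bulk / interrupt / isochronous
    direction: str        # "in" or "out"
    bus: int
    device: int
    endpoint: int
    setup: Optional[dict] = None   # decoded SETUP packet on control submissions
    data: bytes = b""              # payload, when the line carries one ("=" tag)


def parse_line(line: str) -> UsbmonEvent:
    fields = line.split()
    urb_tag, ts, ev, addr = fields[0], int(fields[1]), fields[2], fields[3]
    m = ADDR_RE.fullmatch(addr)
    if not m:
        raise ValueError(f"bad address word: {addr}")
    xfer, dir_ch, bus, dev, ep = m.groups()
    evt = UsbmonEvent(urb_tag, ts, ev, XFER_TYPE[xfer],
                      "in" if dir_ch == "i" else "out", int(bus), int(dev), int(ep))
    rest = fields[4:]
    # After the address comes either the setup tag "s" followed by the five
    # SETUP words (control submissions) or a status word such as "0" or "-115:8".
    if rest[0] == "s":
        names = ("bmRequestType", "bRequest", "wValue", "wIndex", "wLength")
        evt.setup = {n: int(v, 16) for n, v in zip(names, rest[1:6])}
        rest = rest[6:]
    else:
        rest = rest[1:]
    # Then the data length and a data tag: "<" / ">" (no data) or "=" (hex words follow).
    tag = rest[1]
    if tag == "=":
        evt.data = bytes.fromhex("".join(rest[2:]))
    return evt


def parse_log(text: str) -> List[UsbmonEvent]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def pair_urbs(events: List[UsbmonEvent]) -> List[Tuple[UsbmonEvent, UsbmonEvent]]:
    """Match each submission with its completion via the shared URB tag."""
    pending, pairs = {}, []
    for e in events:
        if e.event == "S":
            pending[e.urb_tag] = e
        elif e.urb_tag in pending:
            pairs.append((pending.pop(e.urb_tag), e))
    return pairs


def decode_device_descriptor(data: bytes) -> dict:
    """Decode the 18-byte USB device descriptor (all multi-byte fields little-endian)."""
    names = ("bLength", "bDescriptorType", "bcdUSB", "bDeviceClass", "bDeviceSubClass",
             "bDeviceProtocol", "bMaxPacketSize0", "idVendor", "idProduct", "bcdDevice",
             "iManufacturer", "iProduct", "iSerialNumber", "bNumConfigurations")
    return dict(zip(names, struct.unpack("<BBHBBBBHHHBBBB", data[:18])))


if __name__ == "__main__":
    for sub, comp in pair_urbs(parse_log(SAMPLE)):
        print(f"{sub.xfer:9} {sub.direction:3} ep{sub.endpoint} "
              f"{comp.timestamp_us - sub.timestamp_us:6d} us  {comp.data.hex()}")
        if sub.setup and sub.setup["bRequest"] == 0x06 and sub.setup["wValue"] >> 8 == 1:
            print("  device descriptor:", decode_device_descriptor(comp.data))
```

In practice the text comes from `/sys/kernel/debug/usb/usbmon/<bus>u` (or a Wireshark export); reading that file instead of `SAMPLE` is the only change needed. The interrupt-IN reports are the lines a controller-modifying setup would care about, since those carry the button and axis state.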

In case this seems familiar, we’ve covered a similar trick by [Matlo] before that used a BeagleBoard as the computer in the middle. That’s a sweet setup for sure, but if you don’t have a spare single-board computer lying around, now you can get it done for only around $5 in parts. Happy USB reversing!

19 Comments

  1. USBProxy for the Beaglebone Black is also a good option: https://github.com/dominicgs/USBProxy

  2. Elliot Williams

    It’s listed in the similar projects section of this project’s GitHub site, and yeah, it’s basically the same thing with a Beaglebone playing the role of your computer in the middle.
    Although the USB-serial-USB trick makes this one super-duper cheap.

  3. This is a good idea. Also opens the door to downloading scripts to get you past hard parts of a game (as long as that part of the game repeats the scenario exactly).

  4. Elliot Williams

    And fooling around with AI to control the games, and bots to farm XP / whatevers. Ain’t that grand?!?

  5. Couldn’t you make it fully standalone by using a USB host module? You’d have to sort out editing the settings, but I’m sure it wouldn’t be too hard.

  6. Hmm. Could be the tool to get the Canon 9900F scanner supported in SANE…

  7. mecodegoodsomeday

    Surprised nobody’s mentioned Travis Goodspeed’s Facedancer: http://store.hackaday.com/products/facedancer21

  8. Nathan McCorkle

    Or the Daisho project (by Mike Ossmann), which is USB3, or TotalPhase’s Beagle USB line of products (though commercial, it is good to have comparisons).

  9. Or that scam Kickstarter (OpenVizsla) from back in the day.

  10. Nathan McCorkle

    Sounds slow and like a lot of devices wouldn’t work

  11. No different than a USB hub but for the bit manipulation in between. No reason to think it wouldn’t work. USB is a protocol. Follow it on both sides and no-one is the wiser.
    As for speed, USB is slow relative to just about everything in a modern PC. Even an entry level netbook can calculate an orbital insertion on mars in the time spent between packets.

  12. Not to be niggly, but the graphic at the top of the article is incorrect. It shows RX tied to RX and TX tied to TX. They need to be TX to RX and RX to TX.

  13. The CP2102 board is mislabeled.

  14. What if I connect like this:
        USB device   HC05                  HC05   USB host
        TX           RX                    RX     TX
        RX           TX     WIRELESS       TX     RX
        GND1         GND1                  GND2   GND2
    And pair the two HC-05 or similar modules?

  15. It messed up the alignment. USB>HC05 ———-HC05<USB

  16. This could work:
    target device ↔ PC ↔ USB to UART adapter ↔ HC05 ↔ HC05 ↔ atmega32u4 ↔ target host
    But this probably requires many tweaks, and the wireless connection can add latency.

  17. Can I make the 32u4 act as host? So the layout will be
    USB device ↔ atmega32u4 ↔ BT module ——— BT module ↔ atmega32u4 ↔ USB host
    I didn’t think about latency, thank you for pointing it out.

  18. No, the atmega32u4 can only be a device. A work-around is to use a USB host shield:
    target device ↔ USB host shield ↔ atmega32u4 ↔ HC05 ↔ HC05 ↔ atmega32u4 ↔ target host
    But the setup becomes quite complex and requires a lot of work.

  19. Okay. Thanks.
