--- title: USB Reverse Engineering tags: usb, yoctol, workshop --- # USB Reverse Engineering 如何拿到 USB 設備的 PID 及 VID: https://kb.synology.com/zh-tw/DSM/tutorial/How_do_I_check_the_PID_VID_of_my_USB_device ```shell # linux $ lsusb -v # mac $ system_profiler SPUSBDataType # windows $ GO_CHECK_GUI ``` ex: ``` USB: USB 3.0 Bus: Host Controller Driver: AppleUSBXHCISPTLP PCI Device ID: 0x9d2f PCI Revision ID: 0x0021 PCI Vendor ID: 0x8086 USB 2.0 Hub: Product ID: 0x0801 Vendor ID: 0x1a40 (TERMINUS TECHNOLOGY INC.) Version: 1.00 Speed: Up to 480 Mb/sec Location ID: 0x14200000 / 1 Current Available (mA): 500 Current Required (mA): 100 Extra Operating Current (mA): 0 USB2.0 Hub : Product ID: 0x2813 Vendor ID: 0x2109 (VIA Labs, Inc.) Version: 2.21 Speed: Up to 480 Mb/sec Manufacturer: VIA Labs, Inc. Location ID: 0x14230000 / 6 Current Available (mA): 500 Current Required (mA): 0 Extra Operating Current (mA): 0 USB2.0 Hub : Product ID: 0x2817 Vendor ID: 0x2109 (VIA Labs, Inc.) Version: 6.34 Serial Number: 000000000 Speed: Up to 480 Mb/sec Manufacturer: VIA Labs, Inc. Location ID: 0x14220000 / 2 Current Available (mA): 500 Current Required (mA): 0 Extra Operating Current (mA): 0 USB-HID Keyboard: Product ID: 0x0112 Vendor ID: 0x04d9 (Holtek Semiconductor, Inc.) Version: 1.06 Speed: Up to 12 Mb/sec Location ID: 0x14223000 / 5 Current Available (mA): 500 Current Required (mA): 100 Extra Operating Current (mA): 0 USB 2.0 BILLBOARD: Product ID: 0x0103 Vendor ID: 0x2109 (VIA Labs, Inc.) Version: 3.97 Serial Number: 0000000000000001 Speed: Up to 12 Mb/sec Manufacturer: VLI Inc. Location ID: 0x14221000 / 4 Current Available (mA): 500 Extra Operating Current (mA): 0 USB Billboard Device : Product ID: 0x8883 Vendor ID: 0x2109 (VIA Labs, Inc.) Version: 0.01 Serial Number: 0000000000000001 Speed: Up to 480 Mb/sec Manufacturer: VIA Labs, Inc. 
Location ID: 0x14225000 / 3 Current Available (mA): 500 Extra Operating Current (mA): 0 USB 3.1 Bus: Host Controller Driver: AppleUSBXHCITR PCI Device ID: 0x15ec PCI Revision ID: 0x0006 PCI Vendor ID: 0x8086 Bus Number: 0x00 USB3.0 Hub : Product ID: 0x0813 Vendor ID: 0x2109 (VIA Labs, Inc.) Version: 2.21 Speed: Up to 5 Gb/sec Manufacturer: VIA Labs, Inc. Location ID: 0x00200000 / 1 Current Available (mA): 900 Current Required (mA): 0 Extra Operating Current (mA): 0 CyberSLIM S1-U3H: Product ID: 0x3910 Vendor ID: 0x13fd (Initio Corporation) Version: 3.01 Serial Number: 30303030303030303030303030303030 Speed: Up to 5 Gb/sec Manufacturer: Location ID: 0x00240000 / 2 Current Available (mA): 900 Current Required (mA): 144 Extra Operating Current (mA): 0 Media: CyberSLIM S1-U3H: Capacity: 1 TB (1,000,204,885,504 bytes) Removable Media: No BSD Name: disk2 Logical Unit: 0 Partition Map Type: GPT (GUID Partition Table) USB Interface: 0 Volumes: EFI: Capacity: 209.7 MB (209,715,200 bytes) File System: MS-DOS FAT32 BSD Name: disk2s1 Content: EFI Volume UUID: 0E239BC6-F960-3107-89CF-1C97F78BB46B coolcoolcoo: Capacity: 999.99 GB (999,993,376,768 bytes) Available: 586.28 GB (586,278,109,184 bytes) Writable: Yes File System: ExFAT BSD Name: disk2s2 Mount Point: /Volumes/coolcoolcoo Content: Microsoft Basic Data Volume UUID: BA12FC83-7C55-3459-A3AC-30495BCFFAD5 Ultra Fit: Product ID: 0x5583 Vendor ID: 0x0781 (SanDisk Corporation) Version: 1.00 Serial Number: 4C530001310607121554 Speed: Up to 5 Gb/sec Manufacturer: SanDisk Location ID: 0x00210000 / 3 Current Available (mA): 900 Current Required (mA): 896 Extra Operating Current (mA): 0 Media: Ultra Fit: Capacity: 124.22 GB (124,218,507,264 bytes) Removable Media: Yes BSD Name: disk5 Logical Unit: 0 Partition Map Type: MBR (Master Boot Record) USB Interface: 0 Volumes: NO NAME: Capacity: 124.22 GB (124,218,475,008 bytes) Available: 119.33 GB (119,331,676,160 bytes) Writable: Yes File System: MS-DOS FAT32 BSD Name: disk5s1 Mount 
Point: /Volumes/NO NAME Content: Windows_FAT_32 Volume UUID: C9F8A080-FFDB-3850-89B3-C778A5991103 iBridge Bus: Host Controller Driver: AppleUSBVHCIBCE Apple Internal Keyboard / Trackpad: Product ID: 0x027a Vendor ID: 0x05ac (Apple Inc.) Version: 9.13 Serial Number: FM784940G8PHYMLA5+TDL Speed: Up to 480 Mb/sec Manufacturer: Apple Inc. Location ID: 0x80500000 / 4 Current Available (mA): 500 Current Required (mA): 500 Extra Operating Current (mA): 0 Built-In: Yes Headset: Product ID: 0x5043 Vendor ID: 0x05ac (Apple Inc.) Version: 0.01 Serial Number: 000000000000 Speed: Up to 480 Mb/sec Manufacturer: Apple Location ID: 0x80400000 / 3 Current Available (mA): 500 Current Required (mA): 500 Extra Operating Current (mA): 0 Built-In: Yes iBridge ALS: Product ID: 0x8262 Vendor ID: 0x05ac (Apple Inc.) Version: 2.01 Serial Number: 000000000000 Manufacturer: Apple Inc. Location ID: 0x80300000 iBridge FaceTime HD Camera (Built-in): Product ID: 0x8514 Vendor ID: 0x05ac (Apple Inc.) Version: 2.01 Serial Number: DJH84666TAYJ3Y514 Manufacturer: Apple Inc. Location ID: 0x80200000 iBridge: Product ID: 0x8233 Vendor ID: 0x05ac (Apple Inc.) Version: 2.01 Serial Number: 0000000000000000 Manufacturer: Apple Inc. 
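Location ID: 0x80100000 ```

## Capturing Data

for mac&linux: https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/USB

for windows: https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/USB
https://desowin.org/usbpcap/

https://www.usb.org/sites/default/files/hut1_22.pdf

## Driving Your USB Car

https://www.linuxvoice.com/drive-it-yourself-usb-car-6/

https://www.beyondlogic.org/usbnutshell/usb3.shtml#USBPacketTypes

check: https://github.com/wtflink/usb-lab

or:

```javascript=
/**
 * Minimal node-hid script that talks to a Nintendo Switch Pro Controller
 * over USB: it opens the device by vendor/product ID, sends two USB
 * commands, sets the player LEDs and the home LED, and finally triggers a
 * rumble. Replies from the controller are printed as hex.
 *
 * Not every constant declared below is used by this script; the unused ones
 * are kept as a reference list of report/command values.
 */
const HID = require('node-hid');

// USB identifiers used to select the device.
const VENDOR_ID_NINTENDO = 0x057e; // 1406
const DEVICE_ID_NINTENDO_PROCON = 0x2009; // 8201

// First byte of a report (compared against data[0] / written as byte 0).
const PROCON_REPORT_SEND_USB = 0x80;
const PROCON_REPORT_REPLY_USB = 0x81;
const PROCON_REPORT_REPLY = 0x21;
const PROCON_REPORT_TYPE = 0x00;
const PROCON_REPORT_CMD_ACK = 0x0e;
const PROCON_REPORT_INPUT_FULL = 0x30;
const PROCON_REPORT_INPUT_SIMPLE = 0x3f;

// Values sent after PROCON_REPORT_SEND_USB by sendCommand().
const PROCON_USB_HANDSHAKE = 0x02;
const PROCON_USB_BAUD = 0x03;
const PROCON_USB_ENABLE = 0x04;
const PROCON_USB_DISABLE = 0x05;
const PROCON_USB_DO_CMD = 0x92;

// Output report types and sub-command IDs used by the helpers below.
const PROCON_CMD_AND_RUMBLE = 0x01;
const PROCON_CMD_RUMBLE_ONLY = 0x10;
const PROCON_CMD_INFO = 0x02;
const PROCON_CMD_MODE = 0x03;
const PROCON_CMD_BTNTIME = 0x04;
const PROCON_CMD_LED = 0x30;
const PROCON_CMD_LED_HOME = 0x38;
const PROCON_CMD_GYRO = 0x40;
const PROCON_CMD_BATTERY = 0x50;

const PROCON_ARG_INPUT_FULL = 0x30;
const PROCON_ARG_INPUT_SIMPLE = 0x3f;

const PROCON_EVENT_TOGGLE_GYRO = 0xff;

// Four-byte rumble payloads: "no rumble" and the pattern this script plays.
const RUMBLE_NEUTRAL = [0x00, 0x01, 0x40, 0x40];
const RUMBLE = [0x74, 0xbe, 0xbd, 0x6f];

// Byte placed at index 1 of every sub-command / rumble report built below.
const padding = 0x00;

// Opening the device throws if it is absent or the current user may not
// access it. On Linux, grant that access with a udev rule scoped to this
// vendor/product ID instead of running Node as root.
// Declared with `const`: the bare assignment used previously created an
// implicit global and fails outright in strict mode / ES modules.
const device = new HID.HID(VENDOR_ID_NINTENDO, DEVICE_ID_NINTENDO_PROCON);

// Only reports whose first byte is PROCON_REPORT_REPLY_USB are printed;
// every other incoming report is ignored.
device.on('data', (data) => {
  if (data[0] === PROCON_REPORT_REPLY_USB) {
    console.log('\n', data.toString('hex'));
  }
});

// `err` is an Error, not a Buffer, so an encoding argument has no effect
// on its string form; print the plain string form instead.
device.on('error', (err) => {
  console.log('\nerror: ', String(err));
});

/**
 * Write a USB command report: PROCON_REPORT_SEND_USB followed by `command`.
 * The return value of device.write() is logged.
 * @param {number[]} command - bytes to send after the report ID
 */
function sendCommand(command) {
  const report = [PROCON_REPORT_SEND_USB, ...command];
  console.log(device.write(report));
}

/**
 * Write a sub-command report: PROCON_CMD_AND_RUMBLE, the padding byte, two
 * neutral rumble payloads, the sub-command ID and its parameters.
 * @param {number} command - sub-command ID (one of the PROCON_CMD_* values)
 * @param {number[]} param - parameter bytes for the sub-command
 */
function sendSubCommand(command, param) {
  const report = [
    PROCON_CMD_AND_RUMBLE,
    padding,
    ...RUMBLE_NEUTRAL,
    ...RUMBLE_NEUTRAL,
    command,
    ...param,
  ];
  console.log(device.write(report));
}

/**
 * Set the player LEDs.
 * LED controls work bitwise so
 *   1 = *---
 *   2 = -*--
 * and so on.
 * @param {number} bit - LED bitmask
 */
function setPlayerLights(bit) {
  sendSubCommand(PROCON_CMD_LED, [bit]);
}

/**
 * Send the home-LED sub-command with the given parameter bytes.
 * @param {number[]} params - raw parameter bytes, passed through unchanged
 */
function setHomeLight(params) {
  sendSubCommand(PROCON_CMD_LED_HOME, params);
}

/**
 * Write a rumble-only report. Each of the two payload slots gets RUMBLE
 * when its flag is truthy and RUMBLE_NEUTRAL otherwise.
 * @param {boolean} low - selects the first four-byte payload
 * @param {boolean} high - selects the second four-byte payload
 */
function sendRumble(low, high) {
  const report = [
    PROCON_CMD_RUMBLE_ONLY,
    padding,
    ...(low ? RUMBLE : RUMBLE_NEUTRAL),
    ...(high ? RUMBLE : RUMBLE_NEUTRAL),
  ];
  console.log(device.write(report));
}

// The writes below are issued back to back without waiting for a reply;
// any replies show up asynchronously through the 'data' handler.
sendCommand([PROCON_USB_ENABLE]);
sendCommand([PROCON_USB_HANDSHAKE]);

// By the bit mapping documented on setPlayerLights, 5 (0b0101) should light
// the first and third LED.
setPlayerLights(5);

// Home LED after 3 s, rumble 3 s after that.
setTimeout(() => {
  setHomeLight([0x0f, 0xf0, 0x00]);
  setTimeout(() => {
    sendRumble(true, true);
  }, 3000);
}, 3000);
```

ref:
https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering
https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering/blob/master/USB-HID-Notes.md
https://github.com/node-hid/node-hid
https://github.com/Dan611/hid-procon
https://github.com/yvbbrjdr/procon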