Skip to main content
Hacking the Kinect USB Analyzer

Hacking the Kinect

Image for user adafruit2
by lady ada
published July 29, 2012, last edited March 08, 2024
posted in Hacks
Save Link Note Download
129
Intermediate
Project guide

USB Analyzer

Reverse-engineering the Kinect is a little easier since we have a known-working system (Xbox 360). Instead of guessing commands, we can just see what commands the Xbox sends and 'replay them'
gaming_beagle.jpg

This requires being able to listen into those commands, however. With protocols such as SPI, Serial, Parallel and i2c, you can listen in with any logic analyzer or oscilloscope. USB is fast/complex enough to require its own kind of logic analyzer. The one we'll be using is called the Beagle480 from TotalPhase. This is the 'high speed' USB analyzer, which we splurged on. (For many devices, Low/Full speed is fast enough, and there's a lower cost analyzer available.)

The USB analyzer acts as a 'tap' that plugs in between the Xbox and the Kinect. A computer is conneted as well. The computer receives all the data being transmitted into memory and logs it.

If you can connect the device to a computer, there are tons of free USB-packet-capture programs that don't require a hardware man-in-the-middle. In our case, the Kinect must connect to an XBox and we can't run software on it, necessitating the Beagle
gaming_beagleend.jpg
From left to right there is a DIN connector, USB A connector and USB B connector. The Xbox connects to the USB B and the Kinect connects to the USB A. The DIN connector is for other kinds of data sniffing (like SPI or i2c).
gaming_beagleend2.jpg

On the other side, a single B connector which goes to the listening computer

The best way we've found to get the right data is to make sure to get even the 'enumeration' (initialization) packets so plug in the listening computer and start up the software. Then plug in the other end to the devices you want to sniff.

gaming_saving.jpg

Lookin' at Logs


Since you probably don't have a USB analyzer, we have some logs that you can use to follow along with us. Visit the GitHub repository and click the **Downloads** button

Make yourself a sandwich, its a big file!

Also download the Beagle Data Center software (Mac/Win/Linux) and install it

OK now that you've eaten, lets open up the enuminit.tdc file. This is the full enumeration and initialization.

gaming_startscreen.gif

Remember that when we log the data, there's a lot of it that we can then pare down!

Let start by remembering that there are four devices (hub, camera, mic, motor) but we only need to listen to one (motor). Click on the Bus tab on the lower right

gaming_businfo.gif

We have a few devices. Lets explore each one

If you click on Unconfigured device (0) you'll see that it was not captured. This is probably because I jiggled the cable when inserting it so it started to create a device and then got disconnected. Its not important.

gaming_dev0.gif
Click on  (1) This device is a Class device type USB Hub. That's the internal hub. We can ignore this as well.
gaming_hub.gif
Device #4 has a PID of 688, that's in decimal. If we convert it to hex we get 0x02b0 - this is the Motor device!
gaming_pid688.gif
Now we can filter so that only this device's logs are shown.
gaming_filter.gif
Our log screen is much shorter now.
gaming_control4.gif

You can see that there's some initialization and then just two repeating motifs: a 1 byte message alternated with a 10 byte message.

For the motor to move according to the xbox's wishes, there must be some command sent from the xbox to the kinect. Lets filter some more to see just commands sent to the device

gaming_filtering.gif
Go to the LiveFilter and select Host-to-Device.
gaming_commands.gif

Now we've really pared it down. There are only four commands sent to the kinect motor, since the motor moves during initialization we can just try each one. Lets look at each command

Command 1 has a bRequest of 0x06 and a wValue of 4, the wLength is 0 which means no data is written, the entire command is the Request and Value.

gaming_command1.gif
Command #2 uses the same bRequest but with a different wValue of 0x01.
gaming_command2.gif
Command #3 is a different bRequest of 0x31 and a wValue of 0xffd0.
gaming_command3.gif
Command #4 is the same bRequest and a wValue of 0xfff0.
gaming_command4.gif

Now we've determined there are two request commands we can send. One is 0x06 and the other is 0x31

Time to experiment!

Page last edited March 08, 2024

Text editor powered by tinymce.

 Fuzzing Command #1 & 2 - LED blinky! 
Related Guides
PlayStation Spinner Controller
By John Park
intermediate
USB-PD Hacks
By Phillip Burgess
intermediate
Installing IronOS on an MHP30 Mini Hot Plate...
By Anne Barela
beginner
Commodore 64 - The Most Popular Retro Computer of...
By Matt G
beginner
Build your own NeXT with a virtual machine
By Matt G
intermediate
LED Matrix Wall Arcade for Pico-8
By John Park
beginner
New
Feather RP2040 DVI Video Synth
By Liz Clark
intermediate
BOSEbuild Reactive Sound
By Jwm2440N38QaXTx
beginner
Super Nintendo USB Controller
By Robert Dale Smith
intermediate
Larsio Paint Music
By John Park
intermediate
New
Use Apple HomeKit Devices with itsaSNAP and Adafruit IO
By Liz Clark
intermediate
Spruce Up a Costume with MONSTER M4SK Eyes and Voice
By Phillip Burgess
intermediate
Todbot's CircuitPython Tricks
By John Park
beginner
n3rfgun
By Scott McCulley
beginner
Cosplay Hacks
By Phillip Burgess
beginner
Search

Search

Categories