0

USB Analyzer

by lady ada
Reverse-engineering the Kinect is a little easier since we have a known-working system (Xbox 360). Instead of guessing commands, we can just see what commands the Xbox sends and 'replay them'
gaming_beagle.jpg

This requires being able to listen into those commands, however. With protocols such as SPI, Serial, Parallel and i2c, you can listen in with any logic analyzer or oscilloscope. USB is fast/complex enough to require its own kind of logic analyzer. The one we'll be using is called the Beagle480 from TotalPhase. This is the 'high speed' USB analyzer, which we splurged on. (For many devices, Low/Full speed is fast enough, and there's a lower cost analyzer available.)

The USB analyzer acts as a 'tap' that plugs in between the Xbox and the Kinect. A computer is conneted as well. The computer receives all the data being transmitted into memory and logs it.

gaming_beagleend.jpg
From left to right there is a DIN connector, USB A connector and USB B connector. The Xbox connects to the USB B and the Kinect connects to the USB A. The DIN connector is for other kinds of data sniffing (like SPI or i2c).
gaming_beagleend2.jpg

On the other side, a single B connector which goes to the listening computer

The best way we've found to get the right data is to make sure to get even the 'enumeration' (initialization) packets so plug in the listening computer and start up the software. Then plug in the other end to the devices you want to sniff.

gaming_saving.jpg

Lookin' at Logs


Since you probably don't have a USB analyzer, we have some logs that you can use to follow along with us. Visit the GitHub repository and click the **Downloads** button

Make yourself a sandwich, its a big file!

Also download the Beagle Data Center software (Mac/Win/Linux) and install it

OK now that you've eaten, lets open up the enuminit.tdc file. This is the full enumeration and initialization.

gaming_startscreen.gif

Remember that when we log the data, there's a lot of it that we can then pare down!

Let start by remembering that there are four devices (hub, camera, mic, motor) but we only need to listen to one (motor). Click on the Bus tab on the lower right

gaming_businfo.gif

We have a few devices. Lets explore each one

If you click on Unconfigured device (0) you'll see that it was not captured. This is probably because I jiggled the cable when inserting it so it started to create a device and then got disconnected. Its not important.

gaming_dev0.gif
Click on  (1) This device is a Class device type USB Hub. That's the internal hub. We can ignore this as well.
gaming_hub.gif
Device #4 has a PID of 688, that's in decimal. If we convert it to hex we get 0x02b0 - this is the Motor device!
gaming_pid688.gif
Now we can filter so that only this device's logs are shown.
gaming_filter.gif
Our log screen is much shorter now.
gaming_control4.gif

You can see that there's some initialization and then just two repeating motifs: a 1 byte message alternated with a 10 byte message.

For the motor to move according to the xbox's wishes, there must be some command sent from the xbox to the kinect. Lets filter some more to see just commands sent to the device

gaming_filtering.gif
Go to the LiveFilter and select Host-to-Device.
gaming_commands.gif

Now we've really pared it down. There are only four commands sent to the kinect motor, since the motor moves during initialization we can just try each one. Lets look at each command

Command 1 has a bRequest of 0x06 and a wValue of 4, the wLength is 0 which means no data is written, the entire command is the Request and Value.

gaming_command1.gif
Command #2 uses the same bRequest but with a different wValue of 0x01.
gaming_command2.gif
Command #3 is a different bRequest of 0x31 and a wValue of 0xffd0.
gaming_command3.gif
Command #4 is the same bRequest and a wValue of 0xfff0.
gaming_command4.gif

Now we've determined there are two request commands we can send. One is 0x06 and the other is 0x31

Time to experiment!

FUZZING COMMAND #1 & 2 - LED BLINKY!
Last updated on 2015-11-19 at 06.21.03 PM Published on 2012-07-29 at 11.58.38 AM

RELATED GUIDES

POPULAR
TTL Serial Camera
Snap, Snap!
by lady ada
This guide is for our new TTL serial camera module with NTSC video output. These modules are a nice addition to a microcontroller project when you want to take a photo or control a video stream. The modules have a few features built in, such as the ability to change the brightness/saturation/hue of images, auto-contrast and auto-brightness adjustment, and motion detection.
POPULAR
EL Wire
Working with Electroluminescent Wire
by lady ada
EL Wire, also known as Electroluminescent wire, is a stiff wire core coated with phosphor and then covered with a protective PVC sheath. When an AC signal is applied to it, it glows a cool neon color. Find out how to solder, power, and work with EL Wire in your next project.
POPULAR
BeagleBone
Tutorials for the TI embedded Linux board
by lady ada
New from the fine people who have brought us the Beagle Board, we now have a smaller, lighter, but powerful single board linux computer, Beagle Bone! We like this move to a more compact and integrated SBC. For example, there is onboard Ethernet and USB host, as well as a USB client interface (a FTDI chip for shell access). It even comes preloaded with Angstrom Linux on the 4 GB microSD card! Here are some tips and tricks to get your BeagleBone up and running.
POPULAR
Adafruit LED Backpacks
Control small LED matrices with ease
by lady ada
What's better than a single LED? Lots of LEDs! The matrices use a driver chip that does all the heavy lifting for you: They have a built in clock so they multiplex the display. They use constant-current drivers for ultra-bright, consistent color, 1/16 step display dimming, all via a simple I2C interface. Here is a detailed guide showing you how to solder, wire and control the display.