A hardware-based USB 2.0 monitor & trigger platform, controlled from Python

This project was launched in the fall of 2019 on Crowd Supply.
USB is the most common interface for computer peripherals (maybe you’ve heard of it?), which nowadays includes many USB-connected security devices such as Bitcoin Wallets, FIDO2 keys, and encrypted drives. Three of the biggest threats to these security devices are USB protocol errors (often found with fuzzing), side-channel power analysis, and fault injection. PhyWhisperer-USB targets those last two - it serves as a cycle-accurate triggering and monitoring tool. It watches the USB bus for specific data patterns, triggers an event (such as a fault injection or recording a power trace), and can also record USB data.

Hardware-level Sniffing

Because it’s also a hardware sniffer, PhyWhisperer-USB can watch the USB bus to monitor errors and other events that won’t make it into a software-only sniffer. It also generates a clock synchronized to the USB bus itself, giving perfect cycle-accurate timing and allowing very repeatable power measurements.

Portable and Extendable

This is all wrapped up in a nice enclosed box you can chuck in your bag. It also connects nicely to other tools (ChipWhisperer, ChipSHOUTER, GreatFET, oscilloscope) to provide extended features all controlled by one Python script.

Open Source

Power-users will love the fact it’s open source with spare FPGA room and a built-in programmer to reload the FPGA bitstream in a few seconds. It’s built by NewAE Technology Inc., who has experience delivering open source hardware tools for security analysis and has a reputation for professionalism and seriousness.

USB Fuzzing & Hacking

When you think of USB hacking, you might think of Kate Temkin attacking the Nintendo Switch via sending malformed USB packets (even see the CVE). That work has spun into a ton of great tools (see this talk by Kate Temkin and Mikaela Szekely), which we aren’t looking to replace.

PhyWhisperer-USB concentrates on hardware-level pattern matching for super-precise triggering. It’s something that only a handful of expensive commercial tools offer, and if you want to extend them with your own logic, you’re out of luck. But because PhyWhisperer-USB is open-source, you can freely add your own logic to the FPGA.

USB Sniffing

PhyWhisperer-USB can act as a hardware sniffer with the features you’d expect, like cycle-accurate timestamps on data packets and monitoring errors on the bus.

The one missing sniffing feature is a large amount of on-board memory to deal with ‘bursty’ data (think trying to sniff a USB video camera or USB thumb drive). But most people dealing with USB don’t care about that - most problems you debug with USB are during enumeration and configuration phase, which the PhyWhisperer-USB can easily keep up with.

PhyWhisperer-USB concentrates on the hardware and computer interface - to get GUI decoding you can use Wireshark (which supports USB decoding) to monitor the data, or perform some basic parsing using code such as in OpenVizsla. This project isn’t designed as a sniffer first (like OpenVizsla or Total Phase Beagle 480), so trade-offs are made to give you other features that fault injection and power analysis power users might need (like being able to power-cycle the target).

*buf = (uint8_t*)(&guid);
*len = MIN(*len, guid.header.dwLength);
status = USBD_REQ_HANDLED;

Getting the right timing is important to all of the above attacks. This consistent need to have “on-the-wire” triggering is what drove me to develop PhyWhisperer-USB and what makes it unique among USB analysis tools.

Features & Specifications

• USB modes supported: USB 2.0 Low/Full/High Speed
• FPGA: Xilinx Spartan 7S15
• Control PC connection: Micro-USB 2.0 HS
• Host USB connection: Micro-USB
• Target USB connection: Female A connector
• Target power source: Selectable to come from Host USB or Control PC
• Spare digital I/O: 8 data pins, 1 clock pin routed to FPGA (on front panel)
• Clock output: 60 MHz, derived from 480 MHz USB clock (on ChipWhisperer clock pin)
• Trigger pattern: 1 - 64 bytes with mask
• Trigger delay: 0 - 1048576‬ cycles of 240 MHz internal clock (derived from USB clock)
• USB sniffer FIFO: 8192 bytes (FPGA block RAM, adjustable depending on FPGA utilization)
• Control PC software: Python 3 library, Windows/Mac/Linux support (including signed Windows drivers)

Interfacing

A Microchip USB3500 front-end provides a simple parallel interface to the Xilinx Spartan 7S15 FPGA. This allows the device to monitor the USB traffic in real-time and, in the future, could even allow the PhyWhisperer-USB to transmit USB traffic (including invalid packets). This device uses a Microchip ATSAM3U1C as the high-speed USB interface to the host PC. The use of the ATSAM3U1C provides more flexibility than an FTDI device, since you can run code on the microcontroller for other tasks.

Power

The USB front-end has a number of jumpers to allow routing of power in various ways. By default you use it as a simple sniffer, but by adjusting some jumpers, you can insert a 5-ohm shunt resistor into the USB power line. This shunt resistor allows ‘simple power analysis’ to be performed on a device. The output of the shunt is routed to an MCX connector on the front-panel.

Documentation & Sources

Source code is maintained at github.com/newaetech/phywhispererusb. This repo holds:

• Python library (in development)
• Microcontroller firmware
• PCB sources in Altium Designer format (sorry Chris Gammell)
• FPGA design files

We maintain a support forum at https://forum.newae.com for all NewAE Technology Inc. products.