Security and Electronics from Japan
  • Keyboards – Serial Analysis Using FTD232RL

    Posted on November 20th, 2009 admin No comments

    First, for friends both at work and outside it: you cannot just tap into a USB bus connection of any type and analyze it the way you can a serial connection. If you have to ask why, in a condescending voice as if you could make it happen, then keep it to yourself and study the USB protocol.
    Now that that is out of the way, let me take a sentence or two to explain. USB is not serial and does not even compare to serial in a couple of areas. Timing on a USB bus is determined by the protocol version, hence 10 Mbs, 100 Mbs and faster, all depending on whether you are using 1.0, 2.0 or whatever version. In serial communications, the implementer sets the timing to a baud rate. Next, what is on the bus is on the bus, so the exchange is not one-to-one in USB as it is with serial. The device identification (HID) is established by the host, and the USB host determines which traffic is for which device that is communicating over the bus. In other words, the USB host (computer) controls all communication, not the implementation of the device.
    So one might ask why a USB-to-PS2 converter consists of nothing more than the four pins of a USB connector tied to four pins of a PS2 connector. I too asked this question and performed a bit of analysis, including busting apart a couple of these adapters to see if a tiny ‘conversion’ chip was inside. This is very, very funny now that I understand better. The reason this kind of pin-to-pin connection works is that the computer (USB host) identifies the device as a PS2 device when it is plugged into the computer, and the computer speaks serial to the device. When the USB plug is used to connect the keyboard, the computer recognizes the keyboard as a USB device and the USB device chip in the keyboard talks to the PC accordingly.

    What all this means is that if you run a straight wire tap into a USB-to-USB keyboard connection, you are going to get a lot of garbage from other devices running through the same host controller, you are going to have timing problems, and it will be virtually impossible for a PIC, AVR, or any other microcontroller to keep up with analysis and filtering due to computing limitations. If this has not made things clear, and you want to know more, I suggest a visit to this forum.

    Now, on to the next step. How about running a straight wire tap from a USB-to-USB connection into an FTDI USB-to-serial conversion chip that is powered by the USB bus itself, and then analyzing the serial exchange? Here is a quick mash-up thrown together in Eagle late last night. Will spend some time this morning on the breadboard putting this together. The first thing of concern when reviewing this is whether the USB host (computer) will try to enumerate the FTDI chip and load the driver, which is what we don’t want, so I may have to install some diodes or something to make sure the communication only goes one way, from the keyboard to the FTDI chip and out the serial port. Another area of concern is whether the FTDI chip will perform the serial conversion without being enumerated by the computer. Stay tuned. Or comment with some suggestions, because I really do need all the help I can get.
    USBtoSerialAnalysis.png
