BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//cfp.pass-the-salt.org//pts2024//talk//EJKJS8 BEGIN:VTIMEZONE TZID:CET BEGIN:STANDARD DTSTART:20001029T040000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:CET TZOFFSETFROM:+0200 TZOFFSETTO:+0100 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000326T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3 TZNAME:CEST TZOFFSETFROM:+0100 TZOFFSETTO:+0200 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-pts2024-EJKJS8@cfp.pass-the-salt.org DTSTART;TZID=CET:20240704T152500 DTEND;TZID=CET:20240704T160000 DESCRIPTION:USB (Universal Serial Bus) is the current standard for connecti ng peripherals to devices. USB is used to connect keyboards\, mouses\, pri nters\, music instruments\, storage\, cameras and pretty much everything t o a device. This makes it the perfect target for security researchers with physical access to a USB port. A small USB primer at the start of this ta lk should give you a broad idea of how USB2 works and some improvements US B3 brings.\n\nWhile exchanging with USB peripherals can be done in Python with PyUSB[1] on any PC\, creating custom USB peripherals for security ass essment and testing (e.g.\, attack surface analysis\, scanning\, fuzzing) of USB hosts can be more challenging as it requires specific hardware. Tha t's where Facedancer[2] came in 12 years ago : Facedancer is a Python libr ary from Great Scott Gadgets that interacts with a dedicated hardware capa ble of creating USB devices\, allowing you to create and modify a USB2 per ipheral in seconds.\n\nHowever\, the flexibility of Facedancer comes with a cost: data has to go from the target host to the controlling PC\, then b ack to the target host using a much longer path than a regular USB device would use. The current implementation of Facedancer is based on backends\, which support different hardwares: Facedancer21[3]/Raspdancer[4]/BeagleDa ncer[5](all variants of Facedancer21)\, GreatFET One[6] and the Moondancer backend for the upcoming Cynthion board[7]. While Moondancer should bring USB2 High-speed support (480Mb/s)\, Facedancer is currently stuck to USB2 Full-speed (1.5Mb/s) with instability issues.\n\nWith the open-source pro ject Hydradancer[8]\, we bring a USB2 High-speed backend to Facedancer usi ng the USB3 capabilities of HydraUSB3\, a platform based on the RISC-V WCH 569 chip. While emulating USB3 peripherals is still out of the question wi th the current delays\, Hydradancer brings improved speeds and stability f or USB2 peripheral emulation. As the WCH569 lacks documentation for USB3 a nd a proper SDK\, a lot of testing was required to get the USB3 connection working and we will present the different challenges that we encountered while making wch-ch56x-lib\, a support library for WCH569 with tested USB2 /USB3/HSPI(High-speed Parallel Interface)/SerDes(Serializer/Deserializer) drivers.\n\nAs we needed to measure the improvements of Hydradancer over e xisting backends\, we will present our benchmarks that compare Hydradancer with the existing Facedancer21 and GreatFET boards. Our results showed 44 7 times faster average write transfers for USB2 Full-speed transmission co mpared with Facedancer21 and 10 times faster compared with GreatFET One.\n \nThen\, we will demonstrate the use of Facedancer for security research a nd compare Hydradancer with the existing Facedancer21 and GreatFET One boa rds for this usage.\n\nAs Facedancer is not the only option when it comes to creating USB peripherals\, we will compare it with raw-gadget[9]\, a lo w-level interface for the Linux Gadget USB subsystem and learn how Hydrada ncer and raw-gadget can complement each other.\n\nFinally\, we will talk a bout the current limitations of USB emulation and what the future might lo ok like\, especially for USB3 peripheral creation.\n\nNOTE : We will relea se wch-ch56x-lib\, a support library for the WCH569 chip\, the code used f or our benchmarks along with the firmware and backend for Hydradancer in A pril 2024. Benjamin Vernoux\, the creator of HydraUSB3\, is currently work ing on making the Hydradancer hardware available to the public and it shou ld be ready for the talk or soon after. We started by working on a dual Hy draUSB3 setup\, Hydradancer will be a single smaller board and the talk wi ll be based on a development version of this new board.\n\n\n[1]: https:// github.com/pyusb/pyusb\n[2]: https://github.com/greatscottgadgets/facedanc er \n[3]: https://goodfet.sourceforge.net/hardware/facedancer21/\n[4]: htt ps://wiki.yobi.be/index.php/Raspdancer \n[5]: https://github.com/dominicgs /BeagleDancer\n[6]: https://greatscottgadgets.com/greatfet/one/\n[7]: http s://www.crowdsupply.com/great-scott-gadgets/cynthion/updates/moondancer-a- facedancer-backend-for-cynthion \n[8]: https://github.com/HydraDancer\n[9] : https://github.com/xairy/raw-gadget DTSTAMP:20260415T220150Z LOCATION:Amphitheater SUMMARY:Hydradancer\, using USB3 to improve USB hacking with Facedancer - T hiƩbaud Fuchs (R&D engineer\, Quarkslab) URL:https://cfp.pass-the-salt.org/pts2024/talk/EJKJS8/ END:VEVENT END:VCALENDAR