USBvalve

Expose USB activity on the fly


I'm sure that, like me, you have been asked to put your USB drive in an unknown device... and then the doubt:

what happened to my poor dongle, behind the scenes? Stealing my files? Encrypting them? Or just installing malware? With USBvalve you can spot this in seconds: built on super cheap off-the-shelf hardware, it lets you quickly test any USB file system activity and understand what is going on before it's too late!

With USBvalve you get immediate feedback about what happens to the drive; the screen will show you if the fake filesystem built on the device is accessed, read or written.


From version 0.8.0 you can also use it as a USB Host to detect BADUSB devices.


This is an example of the BADUSB debugger available on serial port:

If you prefer videos, you can also have a look at my Insomni'hack presentation.

USBvalve Watch

Starting from version 0.15.0 a new Pi Pico Watch version is supported. To compile the new version you have to uncomment the #define PIWATCH line at the beginning of the code. The hardware is a RP2040-based 1.28-inch TFT display and watch board. You can find some more info here. This is also fully compatible with the Waveshare RP2040-LCD-1.28.

Repository Structure

  • docs: documentation about the project, with a presentation where you can have a look at all the features
  • firmware: pre-built firmware for the Raspberry Pi Pico. You can just use these and flash them on the board. I prepared two versions, for the 32 and 64 OLED screens
  • PCB: Gerber file if you want to print the custom PCB. It's not mandatory, you can use your own or build it on a breadboard
  • USBvalve: sources, if you want to modify and build the firmware by yourself
  • utils: some utilities you may use to build a custom FS
  • pictures: images and resources used in this doc
  • STL: STL files for enclosure. In 1.1 and 1.2 folders there are full enclosures (thanks to WhistleMaster). In folders 1.2_64 and 1.2_64_simple there are enclosures for the 128x64 screen (thanks to rtmq0227). If you want something lighter to protect the LCD you can go with USBvalve_sliding_cover.stl.

Build USBvalve

Part list

If you want to build your own, you need:

  • A Raspberry Pi Pico 1 or 2 (or another RP2040 based board, like Arduino Nano RP2040)
  • an I2C OLED screen 128x64 or 128x32 (SSD1306)
  • (optional) a USBvalve PCB or a breadboard
  • (optional) a 3D printed spacer to isolate the screen from the board (https://www.thingiverse.com/thing:4748043), but you can use a piece of electrical tape instead

Building instructions

Thanks to Tz1rf we also have two great videos: one explaining the building process step-by-step, and another showing how to upload firmware and use the tool.

Almost all the work is done directly on the board by the software, so you just need to arrange the connection with the OLED for output.

Starting from version 0.8.0 of the firmware, USBvalve can detect HID devices (used to detect BADUSB). This requires an additional USB port behaving as Host. If you are not interested in this, you can use the old instructions in the docs folder and use PCB version 1.1. Otherwise go ahead with PCB version 1.2 (there are versions for USB-A and USB-B, see folder).

With USBvalve PCB

  • solder a USB female port in USBH area. This is for version A, but there is a version for USB Micro-B as well if you prefer
  • place the Raspberry Pi Pico on the silk screen on the front
  • you don't need to solder all the PINs. Just the following:
    • D4 and D5 (left side)
    • D14 and D15 (left side)
    • GND (right side, third pin from the top)
    • GND (right side, third pin from the bottom)
    • 3v3_OUT (right side)
    • VBUS (right side)
    • the 3 DEBUG pins on the bottom: SWCLK, GND and SWDIO
  • place the 3D printed spacer or a piece of tape on the parts of the OLED that may touch the Raspberry
  • solder the OLED (with a header) on the 4 PIN space

Some of the OLEDs have the GND and VCC PINs swapped, so I built the PCB to be compatible with both versions:

For example if your OLED has GND on PIN1 and VCC on PIN2 like this:

You have to place a blob of solder on these two pads on the back of the PCB:

Otherwise you should do the opposite and place the solder on the other pads:

Without USBvalve PCB


If you are using a breadboard or just wiring, all you have to do is connect the proper PINs to the OLED screen and to the Host USB port.

The mapping is the following:

  • PIN6 of Pi --> OLED SDA
  • PIN7 of Pi --> OLED SCL
  • PIN19 of Pi --> D+ of USB Host
  • PIN20 of Pi --> D- of USB Host
  • PIN23 (GND) of Pi --> GND of USB Host
  • PIN38 (GND) of Pi --> OLED GND
  • PIN36 (3V3OUT) of Pi --> OLED VCC
  • PIN40 (VBUS) of Pi --> VCC of USB Host

If you want to use the DEBUG functions, you can also place a header on the 3 SWD PINs at the bottom of the board.

With USBpipe PCB

Caution

This PCB is for experienced electronic makers. DON'T USE IT IF YOU AREN'T SURE YOU CAN HANDLE IT!

Note

R7 and R8 aren't actually connected to anything. They are added for circuit debugging purposes, so they don't show up in the BOM.


USBpipe

USBpipe is a dedicated PCB for this project.

You can find everything you need in ./PCB/USBpipe/ folder.


Flash Firmware

To flash the firmware, follow these steps:

  • connect the Raspberry Pi Pico with the USB cable while keeping the BOOTSEL button pressed (the big white button on the board)
  • release the button
  • you will see a new drive on the system, named RPI-RP2 (in Linux envs you may have to manually mount it)
  • copy the proper firmware file (with extension uf2) into the folder, depending on the OLED you used
  • wait a few seconds until the mounted folder disappears

It's done!

Anti-Detection

I don't know if it will ever be the case, but you may want to customize the firmware in order to avoid detection done by USBvalve-aware malware :-)

I grouped most of the variables you may want to modify in this section (see Dockerfile below for rebuilding)

// Anti-Detection settings.
//
// Set USB IDs strings and numbers, to avoid possible detections.
// Remember that you can customize FAKE_DISK_BLOCK_NUM as well
// for the same reason. Also DISK_LABEL in ramdisk.h can be changed.
//
// You can see here for inspiration: https://the-sz.com/products/usbid/
//
// Example:
//             0x0951 0x16D5    VENDORID_STR: Kingston   PRODUCTID_STR: DataTraveler
//
#define USB_VENDORID 0x0951               // This overrides the Pi Pico default 0x2E8A
#define USB_PRODUCTID 0x16D5              // This overrides the Pi Pico default 0x000A
#define USB_DESCRIPTOR "DataTraveler"     // This overrides the Pi Pico default "Pico"
#define USB_MANUF "Kingston"              // This overrides the Pi Pico default "Raspberry Pi"
#define USB_SERIAL "123456789A"           // This overrides the Pi Pico default. Disabled by default. \
                                          // See "setSerialDescriptor" in setup() if needed
#define USB_VENDORID_STR "Kingston"       // Up to 8 chars
#define USB_PRODUCTID_STR "DataTraveler"  // Up to 16 chars
#define USB_VERSION_STR "1.0"             // Up to 4 chars
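
The 8, 16 and 4 character limits on the three `_STR` values match the fixed-width, space-padded vendor, product and revision fields of a SCSI INQUIRY response. The following is an added example, not code from the USBvalve sources: it assumes those three strings are the ones returned in that response, and `fill_field` and `build_inquiry_ids` are hypothetical helpers. It rejects over-long values at compile time and builds the padded bytes a host would read.

```c
#include <stdio.h>
#include <string.h>

/* Values copied from the settings block above. */
#define USB_VENDORID_STR "Kingston"       /* up to 8 chars  */
#define USB_PRODUCTID_STR "DataTraveler"  /* up to 16 chars */
#define USB_VERSION_STR "1.0"             /* up to 4 chars  */

/* Compile-time guard: sizeof counts the trailing NUL, hence the -1. */
_Static_assert(sizeof(USB_VENDORID_STR) - 1 <= 8, "vendor string too long");
_Static_assert(sizeof(USB_PRODUCTID_STR) - 1 <= 16, "product string too long");
_Static_assert(sizeof(USB_VERSION_STR) - 1 <= 4, "version string too long");

/* Hypothetical helper: copy src into a fixed-width field, space padded and
   without a NUL terminator. Returns 0 on success, -1 if src does not fit. */
int fill_field(char *dst, size_t width, const char *src) {
  size_t n = strlen(src);
  if (n > width) return -1;
  memcpy(dst, src, n);
  memset(dst + n, ' ', width - n);
  return 0;
}

/* Hypothetical helper: write the 28 identification bytes (offsets 8..35 of
   standard INQUIRY data) into out. Returns 0 on success, -1 on overflow. */
int build_inquiry_ids(char out[28], const char *vendor, const char *product,
                      const char *rev) {
  if (fill_field(out, 8, vendor)) return -1;
  if (fill_field(out + 8, 16, product)) return -1;
  return fill_field(out + 24, 4, rev);
}

int main(void) {
  char ids[28];
  if (build_inquiry_ids(ids, USB_VENDORID_STR, USB_PRODUCTID_STR,
                        USB_VERSION_STR) != 0) {
    fprintf(stderr, "a string exceeds its field width\n");
    return 1;
  }
  /* Brackets make the space padding visible. */
  printf("[%.8s][%.16s][%.4s]\n", ids, ids + 8, ids + 24);
  return 0;
}
```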

Building your firmware

Obviously you can also build your own firmware. To build the standard one I used:

  • Arduino IDE 2.3.4
  • Adafruit TinyUSB Library version 3.4.2, Pico-PIO-USB version 0.6.1, Board Raspberry Pi RP2040 (4.4.0) setting Tools=>CPU Speed at 133MHz and Tools=>USB Stack to Adafruit TinyUSB
  • Adafruit_SSD1306 OLED library version 2.5.13

Remember to add https://github.com/earlephilhower/arduino-pico/releases/download/global/package_rp2040_index.json in the Additional Board Manager URLs to install the proper board. Also, starting from TinyUSB version 3.4.2 it is necessary to force the following macro setting: DCFG_TUD_CDC=1. I strongly suggest you use the provided Dockerfiles (see below).

If you want to re-create a new fake filesystem, you may want to have a look at the utils folder, where I placed some utilities to build a new one.

Dockerfile

If you want to build your own firmware after customizing it, I provide a Dockerfile which builds a complete Arduino environment and compiles the firmware. I added one for each of Pico version 1 and 2.

Enter the following commands in the main USBvalve folder to build for Pico v1:

docker build -t usbvalve-pico1/arduino-cli -f Dockerfile.pico1 .
docker run --rm --name usbvalve -v "$PWD":/mnt usbvalve-pico1/arduino-cli /mnt/USBvalve

The firmware will be placed with extension uf2 in folder USBvalve_out.

Contribute

If you have ideas or improvements in mind, I encourage you to open an issue so that we can improve the project together! Thanks!

Support

If you have questions or need support, you can open an issue here or reach out to me on Twitter/X @red5heep.

Community versions

The community created some forks implementing support for other boards, or other modifications. Thank you to everyone who contributed to the development of USBvalve. Below is an unofficial/incomplete/unsupported list:

SAFETY WARNING

Warning

I've received a lot of questions about USBvalve and USB killer devices. USBvalve is not built to test these devices and it does not have any kind of insulation or protection, so if you suspect you are dealing with one of these devices, test it with something else, NOT with USBvalve, or you may damage the device, yourself or objects near you.