Monday, March 2, 2015

Boston Key Party 2014 / Riverside


Get the file:

# wget http://bostonkeyparty.net/challenge.pcapng.28c58da9dd07532d45aa68f9b825941e
# file challenge.pcapng.28c58da9dd07532d45aa68f9b825941e 
challenge.pcapng.28c58da9dd07532d45aa68f9b825941e: pcap-ng capture file - version 1.0

Lots of USB data inside:
# tshark -r challenge.pcapng.28c58da9dd07532d45aa68f9b825941e | head
  1 0.000000000         host -> 1.0          64 USBHUB GET_STATUS Request
  2 0.000011000          1.0 -> host         68 USBHUB GET_STATUS Response
  3 0.074167000         host -> 12.0         64 USB GET DESCRIPTOR Request DEVICE
  4 0.075077000         12.0 -> host         82 USB GET DESCRIPTOR Response DEVICE
  5 0.150556000         host -> 1.0          64 USBHUB GET_STATUS Request
  6 0.000015000         host -> 1.0          64 USBHUB GET_STATUS Request

Device [12.0] description:
DEVICE DESCRIPTOR
    bLength: 18
    bDescriptorType: DEVICE (1)
    bcdUSB: 0x0200
    bDeviceClass: Use class info in Interface Descriptor (0x00)
    bDeviceSubClass: 0
    bDeviceProtocol: 0
    bMaxPacketSize0: 8
    idVendor: 0x046d      <---- Logitech Inc.
    idProduct: 0xc00e     <---- Logitech Optical Mouse
    bcdDevice: 0x1100     
    iManufacturer: 1
    iProduct: 2
    iSerialNumber: 0
    bNumConfigurations: 1
( Ref: http://www.pcidatabase.com/vendor_details.php?id=1691)

Take sample data:
# tshark -r challenge.pcapng.28c58da9dd07532d45aa68f9b825941e  'usb.device_address == 12' -x
....
105 5.078857000         12.1 -> host         68 USB URB_INTERRUPT in
0000  c0 44 a9 c7 00 88 ff ff 43 01 81 0c 02 00 2d 00   .D......C.....-.
0010  7f 99 ea 54 00 00 00 00 93 3c 09 00 00 00 00 00   ...T.....<......
0020  04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00   ................
0030  08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00   ................
0040  00 01 00 00    
....

Find the tech spec (layout of the 4-byte interrupt report):
#include <stdint.h>

struct mouse_report_t
{
    uint8_t buttons;   /* bit 0 = left, bit 1 = right, bit 2 = middle */
    int8_t x;          /* relative movement since the last report */
    int8_t y;
    int8_t wheel;
};

Write a parser -> oh, it is an on-screen keyboard :)
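The parsing step above, as an added example (not the writeup's own script): it decodes the 64-byte Linux usbmon header that tshark shows in front of each URB, applies mouse_report_t to the trailing 4 bytes, integrates the relative x/y movement and records the cursor position at every left-button press (which is what you need to read clicks off an on-screen keyboard). FRAME_105 is re-typed from the hex dump above; the follow-on frames in SAMPLE_FRAMES are constructed, not from the capture.

```python
import struct

# Frame 105 from the capture, re-typed from the writeup's hex dump:
# 64-byte Linux usbmon header followed by the 4-byte HID mouse report.
FRAME_105 = bytes.fromhex(
    "c044a9c70088ffff4301810c02002d00"
    "7f99ea5400000000933c090000000000"
    "04000000040000000000000000000000"
    "08000000000000000402000000000000"
    "00010000"
)

def parse_usbmon_frame(frame):
    """Decode the usbmon header; return (event, xfer_type, epnum, devnum, payload)."""
    # Little-endian header: urb id, event type ('S'/'C'/'E'), transfer type (1 = interrupt),
    # endpoint (bit 7 = IN), device address, bus id, setup/data flags, ts, status, urb len, data len.
    (_id, event, xfer, epnum, devnum, _bus, _setup, _dflag,
     _sec, _usec, _status, _urb_len, data_len) = struct.unpack_from("<QBBBBHBBqiiII", frame)
    return event, xfer, epnum, devnum, frame[64:64 + data_len]

def parse_mouse_report(payload):
    """Apply the writeup's mouse_report_t: uint8 buttons, int8 x, int8 y, int8 wheel."""
    return struct.unpack("<Bbbb", payload[:4])

def mouse_report_from_frame(frame, dev_addr=12):
    """Decoded report for completed IN interrupt transfers from dev_addr, else None."""
    event, xfer, epnum, devnum, payload = parse_usbmon_frame(frame)
    if (event != ord("C") or xfer != 1 or not epnum & 0x80
            or devnum != dev_addr or len(payload) < 4):
        return None
    return parse_mouse_report(payload)

def track_clicks(frames):
    """Integrate relative x/y and record the cursor position on each left-button press."""
    pos_x = pos_y = 0
    held, clicks = False, []
    for frame in frames:
        report = mouse_report_from_frame(frame)
        if report is None:
            continue
        buttons, dx, dy, _wheel = report
        pos_x, pos_y = pos_x + dx, pos_y + dy
        left = bool(buttons & 0x01)
        if left and not held:        # rising edge = one click on the on-screen keyboard
            clicks.append((pos_x, pos_y))
        held = left
    return clicks

# Constructed follow-on frames (not from the capture): frame 105's header reused with new reports.
SAMPLE_FRAMES = [FRAME_105] + [FRAME_105[:64] + bytes.fromhex(r)
                               for r in ("0005fd00", "01000000", "00000000", "00020200", "01000000")]
```

Feeding it the real capture means dumping every frame for device 12 (for example with tshark's -x output, or a pcapng reader) and plotting the returned click positions.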
Enhance the parser: