

# USB PHY on FPGA





- 1. Снифферы
  - а. Логические анализаторы: Saleae, Dreamsource, etc.
  - b. <a href="https://www.totalphase.com/products/beagle-usb12/">https://www.totalphase.com/products/beagle-usb12/</a>
  - c. <a href="http://openvizsla.org/">http://openvizsla.org/</a>
  - d. MAX3421 + <a href="https://github.com/Xarlan/usbsniff">https://github.com/Xarlan/usbsniff</a>
  - e. Beaglebone +

https://beagleboard.org/p/drinkcat-myopenid-com/usb-sniffer-ba62d2

- 2. Прокси
  - a. Beaglebone-like usb proxy (https://github.com/dominicgs/USBProxy)
  - b. Custom FPGA proxy
  - c. Atmega + https://github.com/matlo/serialusb
- 3. Fuzzing/badUSB, etc.
  - a. <a href="http://goodfet.sourceforge.net/hardware/facedancer21/">http://goodfet.sourceforge.net/hardware/facedancer21/</a>
  - b. Other MCU/MAX4321...









### Start Of Frame transaction



#### IN+NAK transaction



### **IN+DATA** transaction



#### **OUT/SETUP** transaction





module(in x1, in x2, out S, out P);

assign 
$$P = x1 \& x2;$$
  
assign  $S = (x1 | x2) \& (\sim P);$ 

endmodule



```
wire[3:0] comb_out = reg_b < 10 ?
reg_b + 1 : 0;

reg[3:0] reg_a;
reg[3:0] reg_b;

always @(posedge clk) begin
    reg_b <= reg_a;
    reg_a <= comb_out;
end</pre>
```

```
reg[3:0] reg_a;
reg[3:0] reg_b;

always @(posedge clk) begin
    if(reg_b < 10) reg_a <= reg_b + 1;
    else reg_a <= 0;

    reg_b <= reg_a;
end</pre>
```

```
reg[3:0] reg_a;
reg[3:0] reg_b;
always @(posedge clk) begin
    reg_b <= reg_a;</pre>
    reg_a <= reg_b;</pre>
end
```

#### Ссылки

- https://github.com/ganper/usbproxy
- https://www.devalias.net/devalias/2018/05/13/usb-reverse-engineering-down-t
   he-rabbit-hole/
- https://www.beyondlogic.org/usbnutshell/usb1.shtml
- http://www.cypress.com/documentation/application-notes/an57294-usb-101-in troduction-universal-serial-bus-20

## thx

**Andrew Strokov** 

@aanper

https://t.me/shitsch