The FaceDancer project is well known for its offensive capabilities, which include emulating USB devices and fuzzing USB hosts, but recent developments and new support for GreatFET hardware expand the project to include powerful reverse engineering capabilities. New features include simple protocol analysis, side channel analysis capabilities, and significantly faster emulation. With these features FaceDancer lowers the barrier to entry for reverse engineering USB devices, allowing anyone to get a foot in the door when reverse engineering "black box" or access-limited systems.
This talk demonstrates how modern FaceDancer boards can be used to gather information and reverse engineer real hardware- by performing direct protocol analysis, capturing side channel information, and leveraging emulation to characterize devices, all using only the opening provided by a USB port. This talk will feature a variety of live demonstrations, including use of FaceDancer to reverse engineer real devices.
We'll look at the way embedded host systems access USB devices, what this tells us about them, and how we can exploit their limitations, such as limited memory for disk caching or simple filesystem implementations.
We'll also show some reverse engineering of USB devices when connected to host systems that we would traditionally struggle to access (no OS access, can't virtualise), such as game consoles - we'll manipulate Nintendo controllers with a simple 3 line Python function.