Reverse Engineering Black Box Systems with GreatFET & Facedancer

Presented at TROOPERS18 (2018), March 14, 2018, 4 p.m. (Unknown duration)

The FaceDancer project is well known for its offensive capabilities, which include emulating USB devices and fuzzing USB hosts, but recent developments and new support for GreatFET hardware expand the project to include powerful reverse engineering capabilities. New features include simple protocol analysis, side channel analysis capabilities, and significantly faster emulation. With these features, FaceDancer lowers the barrier to entry for reverse engineering USB devices, allowing anyone to get a foot in the door when reverse engineering "black box" or access-limited systems. This talk demonstrates how modern FaceDancer boards can be used to gather information and reverse engineer real hardware by performing direct protocol analysis, capturing side channel information, and leveraging emulation to characterize devices, all using only the opening provided by a USB port. This talk will feature a variety of live demonstrations, including use of FaceDancer to reverse engineer real devices. We'll look at the way embedded host systems access USB devices, what this tells us about them, and how we can exploit their limitations, such as limited memory for disk caching or simple filesystem implementations. We'll also show some reverse engineering of USB devices when connected to host systems that we would traditionally struggle to access (no OS access, can't virtualise), such as game consoles - we'll manipulate Nintendo controllers with a simple 3-line Python function.


  • Kate Temkin
    Kate Temkin is a seasoned USB researcher who maintains a variety of open-source hardware and software tools, including FaceDancer and GreatFET. In addition to her extensive experience with USB, Kate has significant teaching experience, having previously taught and developed university-level engineering courses for Binghamton University.
  • Dominic Spill
    Dominic is a senior security researcher at Great Scott Gadgets where he writes software and firmware for open source hardware. His primary focus is sniffing and modifying communication protocols.