- Akshit Maurya UIET, Panjab University, Chandigarh Programmable USB Human Interface Device.

1 - Akshit Maurya UIET, Panjab University, Chandigarh Programmable USB Human Interface Device

2 Introduction
A USB Human Interface Device (HID) is a computer device that takes input directly from a human and connects to a computer over USB.
Examples: USB keyboard, USB mouse, USB joystick/gamepad.
What if we could program an HID? Let's say a keyboard.

3 Why would we want it?
- Annoy the user
- Type faster, without errors
- Execute a series of stored (chained) commands
- Compromise security

4 How does it work?
- Hardware setup: AVR Atmega8 MCU
  - 8-bit microcontroller
  - provides maximum MIPS in the 8-bit category (1 MIPS/MHz)
  - vast peripherals: timer/counter, SPI, ADC, UART
  - cheaper (INR 90-120)
- Only problem: the Atmega8 does not have a USB peripheral
- One option: use an FT232 USB-to-UART converter chip
  Downfall: costly (INR 600)

5 V-USB library: Answer to our Problem
“V-USB is a software-only implementation of a low-speed USB device for Atmel’s AVR® microcontrollers, making it possible to build USB hardware with almost any additional chip.”
All we have to do is:
I. Compile the firmware in AVR Studio 4 with the appropriate configuration.
II. Set the appropriate fuse bits.
III. Burn the firmware into the MCU via a programmer (PonyProg in my case), and the MCU will take care of the rest.

6 Circuit Diagram

7 Configuring V-USB according to Hardware

    #define USB_CFG_IOPORTNAME D
    #define USB_CFG_DMINUS_BIT 3
    #define USB_CFG_DPLUS_BIT 2
    #define USB_CFG_CLOCK_KHZ 16000
    #define USB_CFG_IS_SELF_POWERED 0
    #define USB_CFG_MAX_BUS_POWER 50
    #define USB_CFG_HAVE_INTRIN_ENDPOINT 1
    #define USB_CFG_IMPLEMENT_FN_WRITE 1
    #define USB_CFG_VENDOR_ID 0x42, 0x42
    #define USB_CFG_DEVICE_ID 0x31, 0xe1
    #define USB_CFG_DEVICE_CLASS 0
    #define USB_CFG_DEVICE_SUBCLASS 0
    #define USB_CFG_INTERFACE_CLASS 0x03    // HID
    #define USB_CFG_INTERFACE_SUBCLASS 0x01 // Boot
    #define USB_CFG_INTERFACE_PROTOCOL 0x01 // Keyboard
    #define USB_CFG_HID_REPORT_DESCRIPTOR_LENGTH 63

8 USB Transaction
- A device may send or receive a transaction every USB frame (1 ms)
- A transaction may be made up of multiple packets (token, data, handshake) but is limited in size to 8 bytes for low-speed devices

9 Data in DATA PACKET: REPORT
- The report reflects the input given by the user, such as a keystroke or the X/Y pointer position of a mouse.

10 Implemented Structure
Since the input report's size is 8 bytes, the structure is defined as follows:

    #include <stdint.h>

    typedef struct {
        uint8_t modifier;   // 1 byte for bit-mapped modifier keys
        uint8_t reserved;   // 1 byte reserved
        uint8_t keycode[6]; // array of 6 bytes for key codes
    } keyboard_report_t;

- Hence 1+1+6 = 8 bytes of report data are transferred to the host
- Sent over the Interrupt IN pipe

11 Output Report
Sent over the Control pipe

    Bit  Output Report
    0    CAPS LOCK
    1    NUM LOCK
    2    SCROLL LOCK
    3    COMPOSE
    4    KANA
    5    RESERVED
    6
    7

12 PIPES USED
- The Control pipe is used for:
  I. Receiving and responding to requests for USB control and class data.
  II. Transmitting data when polled by the HID class driver (using the Get_Report request).
  III. Receiving data from the host, such as an Output Report or Feature Report.
- The Interrupt pipes are used for:
  Transmitting low-latency data to the device

13 Main Code working
I. Build the report with the keycode of the "r" character and the "Windows" key as modifier, to obtain the Run box.
II. Wait till an IN token is encountered.
III. Push the current report to the Interrupt IN endpoint buffer.
IV. Make a null report (all fields zero).
V. Repeat steps II and III.
VI. Make a report with the keycode of the first character of the string.
VII. Repeat steps II and III until the last character of the string is encountered.
VIII. Repeat steps II and III continuously.
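Added example, not part of the original presentation or its firmware: a host-side check that walks a timestamped trace of the 8-byte reports from slide 10 and flags the pattern of slide 13, a Windows+R chord followed by key presses arriving faster than a person types. The function name, the 30 ms threshold and the sample traces are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same 8-byte layout as the input report on slide 10. */
typedef struct {
    uint8_t modifier;
    uint8_t reserved;
    uint8_t keycode[6];
} keyboard_report_t;
typedef struct { uint32_t t_ms; keyboard_report_t r; } sample_t; /* report + capture time */

#define MOD_GUI      0x88u /* modifier bits 3 and 7: left/right GUI ("Windows") key */
#define KEY_R        0x15u /* HID usage ID of the 'r' key */
#define MIN_HUMAN_MS 30u   /* assumed threshold, tune for your environment */

/* True if key k is pressed in the report; k == 0 matches any pressed key. */
static int has_key(const keyboard_report_t *r, uint8_t k) {
    for (int i = 0; i < 6; i++)
        if (r->keycode[i] != 0 && (k == 0 || r->keycode[i] == k)) return 1;
    return 0;
}

/* Count key presses that follow a GUI+R chord less than MIN_HUMAN_MS after the
 * previous press. Returns -1 when the trace contains no GUI+R chord. */
int fast_keys_after_run_box(const sample_t *s, size_t n) {
    int armed = 0, fast = 0;
    uint32_t last = 0;
    for (size_t i = 0; i < n; i++) {
        const keyboard_report_t *r = &s[i].r;
        if (!has_key(r, 0)) continue;              /* null report = key release */
        if ((r->modifier & MOD_GUI) && has_key(r, KEY_R)) { armed = 1; fast = 0; }
        else if (armed && s[i].t_ms - last < MIN_HUMAN_MS) fast++;
        last = s[i].t_ms;
    }
    return armed ? fast : -1;
}

/* Constructed sample traces (not captured from a real device). */
#define S(t, mod, key) { (t), { (mod), 0, { (key), 0, 0, 0, 0, 0 } } }
const sample_t dongle[] = { S(0, 0x08, KEY_R), S(8, 0, 0), S(500, 0, 0x04), S(508, 0, 0),
                            S(516, 0, 0x05), S(524, 0, 0), S(532, 0, 0x06), S(540, 0, 0) };
const sample_t human[]  = { S(0, 0x08, KEY_R), S(90, 0, 0), S(900, 0, 0x04), S(1010, 0, 0),
                            S(1080, 0, 0x05), S(1170, 0, 0), S(1250, 0, 0x06), S(1340, 0, 0) };
const sample_t no_run[] = { S(0, 0, 0x04), S(8, 0, 0), S(16, 0, 0x05), S(24, 0, 0) };

int main(void) {
    printf("dongle=%d human=%d no_run=%d\n", fast_keys_after_run_box(dongle, 8),
           fast_keys_after_run_box(human, 8), fast_keys_after_run_box(no_run, 4));
}
```

Timing alone is a weak signal: firmware that inserts delays between reports evades it, so pair it with a check on which devices are allowed to enumerate as keyboards.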

14 Functions Used:
I. usbFunctionSetup(): gets called every time our device receives an OUT transfer at its endpoint. Thus this function handles USB requests.
II. usbInit(): called to initialize V-USB.
III. usbDeviceDisconnect() and usbDeviceConnect(): macros used to disconnect and connect the USB device.
IV. usbPoll(): polls the USB transfers and calls usbFunctionSetup() automatically if an OUT transfer is received. This function should be called at regular intervals.
    usbFunctionWrite(uchar *data, uchar len): if the control transfer contains payload data (other than that sent in wValue and wIndex) sent to the device, that payload data is passed to usbFunctionWrite() in chunks of up to 8 bytes.
V. usbSetInterrupt(): called to pass interrupt and bulk data. Up to 8 bytes may be passed in one call. The driver keeps the data in a buffer until it is requested by the host.
VI. usbInterruptIsReady(uchar *, uchar length): checks whether the buffer is available before calling usbSetInterrupt().
VII. wdt_enable(WDTO_1S) and wdt_reset(): enable and reset the watchdog timer respectively. The watchdog timer is enabled so that if our code somehow freezes, the controller resets itself after 1 second. Thus the watchdog timer is reset at regular intervals.
VIII. sei(): sets the global interrupt enable flag.
    _delay_ms(uint8_t): provides a delay.
Other than the above functions provided by the V-USB library, the other functions used are:
IX. buildReport(char): converts a character into the corresponding scancode and builds the report.
X. buildCustomReport(uint8_t, uint8_t): builds a report directly from its parameters, without conversion of characters into scancodes.
XI. printstring(char *): outputs a string. This function uses a simple do-while loop to extract a character from the string and send it to buildReport() for conversion. It then sends the report and repeats the procedure for a null report, so that only one keystroke is registered. The whole procedure is repeated until the NULL terminator of the string is encountered.

15 The actual fabricated device: TOP VIEW

16 The actual fabricated device: BOTTOM VIEW

17 Estimated Cost

    No.  Name                           Quantity  Price (INR)
    1.   Atmega8 IC                     1         90 x 1 = 90
    2.   100nF, 27pF Cap.               2+2       0.50 x 4 = 2
    3.   4.7uF, 1uF Cap.                1+1       2 x 2 = 4
    4.   Resistances (1k5, 4k5, 68E)    2+1+2     0.25 x 5 = 1.25
    5.   Crystal 16 MHz                 1         10 x 1 = 10
    6.   USB male socket                1         15 x 1 = 15
    7.   Zener diode 3V6                2         1.50 x 2 = 3
    8.   Bergstrip                      1         0.50 x 6 = 3
    9.   IC base 28-DIP                 1         5 x 1 = 5
    10.  General purpose PCB            1         10 x 1 = 10
         Total                                    143.25/-

18 Possible Improvements
- Addition of an EEPROM to store more commands, using the SPI interface

19 Possible Improvements
- Addition of a DIP switch to select among stored commands

20 Possible Improvements
- Addition of an RF receiver module (suggested by classmate Mr. Navroop Singh Sandhu)

21 Possible Improvements
- Addition of a DS1307 RTC for time-specific tasks/attacks

22 Possible Improvements
- Addition of commands to download and execute vfwgrab.exe for video camera uplink support
Vfwgrab.exe is an application that posts JPEG images to a web site via FTP, or to any UNC filename, from any Video for Windows device you may have installed on your computer.
- Features of vfwgrab:
  I. Small, compact program (56 KB) customized via a simple ini file.
  II. Allows the size, quality and location of the JPEG file to be specified.
  III. Runs in silent mode continuously.

23 Applications
- Business Card, by Frank Zhao (

24 Applications: Continued
- USB password generator, by Frank Zhao (
  Runs on ATtiny85

25 Applications: Continued
- Chenillard is a device that you secretly plug into a victim's computer. After that, the LEDs of the keyboard will flash in sequence.

26 Other Projects similar to this one
PHUKD, by Adrian Crenshaw (
- Runs on Teensy board
- 1.2 by 0.7 inch
- Costs INR 800-1000/-
- Atmega32 @ 16 MHz
- Uses Arduino bootloader (extra flash space required)

27 Devices currently available in market
- USB Rubber Duck: cost INR 3000/-

28 Questions?

29 Followups
- Project URL hid-dongle hid-dongle
- Email Id-

30 Thank you!!
