@mwwhited
Last active December 7, 2020 22:39
USB HID Decoding Tips

HID USB Decoding

Summary

This is a guide on how you can decode existing USB devices and protocols.

Wireshark with USBPcap

Wireshark, together with USBPcap, makes it possible to trace and capture raw data from USB devices.

Useful filters

| Use | Filter |
| --- | --- |
| Vendor ID | usb.idVendor == 0x04d8 |
| Product ID | usb.idProduct |
| Source | usb.src == "1.11.1" |
| Destination | usb.dst == "1.11.1" |
| Data Length | usb.data_len > 0 |
| Source or Destination | usb.addr matches "^1.4" |

Hints

If you know the Vendor/Product ID, you can filter in Wireshark like this:

usb.idVendor == 0x04d8

After applying that filter, look at the source/destination address, e.g. 1.10.0, and set your filter similar to the one below to see the data being exchanged:

usb.addr matches "^1.10" && usb.data_len > 0

This returns all traffic that carries data while excluding the HID control events.

Fuzzy matching (regex)

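Partial matches on strings use regular expressions. An unescaped . matches any character and the pattern is not anchored at the end, so "^1.11" also matches addresses such as 1.110.1; escape the dots and add a trailing separator when you need to match exactly one device.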

usb.src matches "^1.11" || usb.dst matches "^1.11"

Matching on partial data, here the first three bytes of 00ff000000ffff000000:

usbhid.data[:3] == 00:ff:00
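Once the filters above isolate a device, the next decoding step is usually to find which report bytes change. The following is an added example, not part of the original gist: it assumes the filtered packets were exported as tab-separated usb.src, usb.dst and usbhid.data columns, and the sample rows and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: tab-separated usb.src, usb.dst, usbhid.data rows, in the
# shape a field export of those three columns would have (assumed layout).
SAMPLE = """\
1.10.1\thost\t00ff000000ffff000000
host\t1.10.1\t01:00:00:00
1.10.1\thost\t00ff000010ffff000000
1.10.0\thost\t
1.100.1\thost\t00ff0000aaffff000000
1.10.1\thost\t00ff000020ffff000100
"""

def parse_rows(text):
    """Yield (src, dst, payload bytes); hex may be plain or colon-separated."""
    for line in text.splitlines():
        src, dst, data = (line.split("\t") + ["", ""])[:3]
        yield src, dst, bytes.fromhex(data.replace(":", ""))

def device_traffic(rows, device):
    """Same intent as `usb.addr matches "^1.10" && usb.data_len > 0`, but with
    the dots escaped and a trailing dot so 1.100.x is not matched by accident."""
    pattern = re.compile("^" + re.escape(device) + r"\.")
    return [(s, d, p) for s, d, p in rows
            if p and (pattern.match(s) or pattern.match(d))]

def varying_offsets(rows):
    """Group reports by (src, dst, length) and list the byte offsets whose
    value changes within each group; constant offsets are likely framing."""
    groups = defaultdict(list)
    for src, dst, payload in rows:
        groups[(src, dst, len(payload))].append(payload)
    return {key: [i for i in range(key[2])
                  if len({p[i] for p in reports}) > 1]
            for key, reports in groups.items()}

def matches_prefix(payload, prefix_hex):
    """Equivalent of `usbhid.data[:3] == 00:ff:00` on a parsed payload."""
    prefix = bytes.fromhex(prefix_hex.replace(":", ""))
    return payload[:len(prefix)] == prefix

if __name__ == "__main__":
    traffic = device_traffic(parse_rows(SAMPLE), "1.10")
    for key, offsets in varying_offsets(traffic).items():
        print(key, "varying byte offsets:", offsets)
```

Offsets that stay constant across many reports are good candidates for headers or report IDs, while the varying ones are where to look for the device's actual values.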

More examples

HidSharp
