USB Reverse Engineering: Down the Rabbit Hole

283 points by alias1, almost 7 years ago

5 comments

jonhohle, almost 7 years ago
What a weekend find! This is a nice piece in a puzzle I'm trying to solve related to a consumer audio device with upgradeable firmware.

The platform of the device is used for both a prosumer audio device, a professional device, as well as other consumer devices. On top of that, the prosumer device appears to have different functionality enabled based on the part of the world you buy the device, but my hypothesis is that the hardware is the same, regardless of region, and the firmware just implements a dark pattern to limit functionality (perhaps to avoid additional FCC certifications, support incidents, etc.).

Anyway, I've spent a few nights extracting the firmware from other regions, found a great presentation where the company details the hardware and platform, and discovered that the audio capabilities of the hardware for the prosumer device approach that of the professional device (higher sampling frequencies and resolution during recording).

My hope was to be able to flash the device with a modified file system that enabled the features, but ran into the firmware appearing to be encrypted, but potentially decrypted on the host before being pushed to the device. I've been decompiling the drivers to see if I could dump keys or the decrypted payloads, but also thought about sniffing the USB I/O and dumping that way. It looks like this is a nice intro to help me on my way.
forapurpose, almost 7 years ago
> I won't get deep on describing all of the facts, since that's what Wikipedia is good at

Sigh. So many links, so much reading, and not one to the USB spec (that I found by skimming and searching). It's not just this article, but seemingly every 'deep dive does it'. Why do people read everything on the Internet, no matter the source and quality, but skip (what is usually) the best, most important source?
jerrysievert, almost 7 years ago
this is a great writeup, definitely falls into something I've been dreaming of building, but was planning to hack around the usb part of it (using a usb-uart adapter), but now I'm thinking maybe I do it right! should make for a great weekend.

unfortunately, it seems that the pre-req article is down, so here's the cached copy: http://webcache.googleusercontent.com/search?q=cache:https://www.linuxvoice.com/drive-it-yourself-usb-car-6/
corndoge, almost 7 years ago
I've sunk countless hours looking for a way to emulate USB devices in software under Windows. Two years ago there were many different ways. Today there are zero ways that I know of, apparently all removed within the last two years by an astounding tragic coincidence.

To elaborate on this section:

http://devalias.net/devalias/2018/05/13/usb-reverse-engineering-down-the-rabbit-hole/#where-next

- There are two versions of the USB/IP drivers. The initial version has a bug where disconnection of a device causes a blue screen. This version is signed by ReactOS, and so you can install this version's drivers without needing to jump through any hoops under Windows. Then there's a patched version that does not cause the bluescreen. Great! Except that this version is not signed by ReactOS. Okay, maybe we can get ReactOS to sign it -- nope, they discontinued their driver signing program because of new regulations by Microsoft put in place within the last year (https://www.reactos.org/wiki/Driver_Signing). You can also no longer install unsigned drivers on Windows 10 by putting your machine into test mode. This capability was silently removed by Microsoft within the last year. You can still put your device into test mode, but the driver signing checker will still block installation. This is a damn shame because USB/IP is a *great* project, and it even has a *signed driver* but the patched version of the driver is not signed. This is infinitely frustrating.

- Microsoft used to have this perfect thing called UDE (https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/developing-windows-drivers-for-emulated-usb-host-controllers-and-devices). They removed it last year.

- Kernel mode drivers for Windows now have to go through this signing process (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-) as of last year. As mentioned before, this is why ReactOS discontinued their driver signing program as it's too difficult to meet these new requirements.

I have read every forum post, stack overflow post, Windows technical docs, everything I could possibly find for a way to do stable, pure software emulation of USB devices on Windows. They all evaporated within the last year or two. So frustrating as I really really want to build out something but there's simply no way to do it.

At this point I have resorted to attempting to hook every Windows system call related to USB device initialization and spoofing them but have been met with no success thus far.

I should note that the reason I want to do this in software is because I want to distribute the end result to a relatively large amount of potential users as GPL'd software. For this reason hardware emulation or patching / downgrading Windows isn't an option sadly.

Does anyone know of something I missed?
ncmncm, almost 7 years ago
I see so much custom hardware. Can somebody tell me why running the drivers of interest in a virtualbox/qemu image, and logging interaction on the host OS, doesn't do a better job than custom hardware?