USB Sniffer & PS2 Sniffer Plank + Firmware for BP

I’ve tested the design, and everything works well. Here’s my proposal for the final Plank—let me know what you think:

CONNECTORS (PROTOTYPE):

  • 1 USB A Male
  • 1 USB A Female
  • 2 PS2 FEMALE Mini-DIN-6

I’m using the same “5V track” for both the PS2 and USB connectors since they share the same voltage.

TRIGGER PIN YELLOW (FOR PS2 & USB):

IO0

PS2: Must be consecutive and in this order:

  • DAT: IO4
  • CLK: IO5
  • PIO INTERNAL & RESERVED (FUTURE): IO3, IO6, IO7

USB: Must be consecutive and in this order:

  • D+: IO1
  • D-: IO2
  • PIO INTERNAL & RESERVED (FUTURE): IO3, IO6, IO7

RED LED

CAPACITANCE:

  • 2 or 3 Samsung CL21A226MAYNNNE - @electronic_eel suggestion (I’m using 47uF TAN in the prototype)

SWITCH:

  • Physical sliding switch to connect the VOUT from the Bus Pirate to the VCC of both PS2 and USB

Connectors:

  • I prefer through-hole (TH) connectors for TRIGGER PIN, USB and PS2 because they withstand the test of time better. (Many times with SMT, I’ve ended up with the connectors in my hand when connecting extension cables, etc.)

Additional Change:

  • Add the USB-C connector - @ian suggestion

@ian & community, opinion?

2 Likes

This is going to be used to connect the plank to the PC, for example when doing USB sniffing, correct?

I think it is mechanically not sound to connect a USB A male plug that has a plank and BusPirate hanging off it directly into a PC. So the only option here would be to use a USB-A female to male extension cord and connect that to the PC.

While these USB extension cords are common, I think they aren’t as common as, say, USB-A male to USB-B, micro-B or USB-C.

So I suggest to just use a USB-C connector here. These are getting more common every day and also there are well-designed SMT versions available that are cheap & easy to manufacture while still being mechanically robust. Look for example at the one that is on the BusPirate. I would suggest using exactly that part.

2 Likes

This is in line with my thinking about it. If you must, a big chunky B. But in reality a small low profile C is probably enough on its own. “Everyone” has a phone charging cable.

Is this needed? If the PC is providing power, then the Bus Pirate buffer should be powered by the PC. If the keyboard is stand alone with the Bus Pirate, then the user hits W 5 to power everything?

That makes sense. USBC SMD is very strong though, it has the partial through hole mounting posts that can be stenciled and reflowed.

I am not certain what goes on the other side of the TRIG header.

I added ferrite beads to all the cable power inputs/outputs, but it is probably not strictly needed.

kaybee-plank-rev1.zip (800.3 KB)

I like using USB Male-A because it allows connection with a simple USB Male-to-Female extension cable.

And if that cable ever fails in an urgent situation, the standalone USB-A Male connector can still be directly plugged into a PC somehow.

(I know it’s not ideal, nor a great idea, but it could save you on a bad day.)

Anyway, just go ahead and use USB-C instead.

Don’t use Micro-USB or anything else—I think USB-C is the best choice.

I still prefer through-hole (TH) options, but if it’s a matter of manufacturing and cost, use whatever works best.

The trigger PIN is for USB—connect it directly to IO0 on the Bus Pirate. We’ll use it to let the user start capturing via external signal. Since in USB Full-Speed, memory will fill up quickly, and we can’t sample too many packets, this gives the user more control and allows them to use an external trigger to start everything. I placed two pins to make it easier to solder without using tweezers and burning myself, but you can use just one pin there. Although keeping it straight and aligned with just one pin can be tricky.

Some PS2-to-USB adapters are garbage and behave strangely, so I like the idea of a manual thing to isolate the Bus Pirate’s VOUT from the target device’s power supply + having the option to use it when needed, to provide a bit more milliamps to the target.

Also, keep in mind that you might be sniffing on one PC with the Bus Pirate, while the target keyboard is connected to another PC, which could have a slightly different USB voltage.

In fact, for USB sniffing, it’s very common that the sniffing PC and the target PC where the USB device is connected are different. The goal is to avoid saturating the USB bus. Having all the USB devices from the target PC + the sniffing tool on the same USB host is usually a bad idea.

NOTE: USB sniffer isn’t just for keyboards—this is a sniffer for any USB device up to Full-Speed, including USB Mass Storage Full-Speed etc.

But maybe I’m being too paranoid—if you think this isn’t necessary, feel free to leave it out (slide SWITCH). :blush:

So, how are we finalizing the Plank design? @electronic_eel @ian

  • slide switch yes or no?
  • only two USB: (not three) one USB A Female (target USB device ex: keyboard / usb mass storage full speed …) + USB-C (to PC target device)?
  • etc

1 Like

Then one should probably be a voltage or a ground? Or both? Is a pull-down or up needed on the trigger pin?

Sure, I understand how you’d like the switch to work. I’ll add one.

1 Like

Leave it as pull-up if you want, or float, and we’ll configure it as input pull-up in the BIO0—whichever you think is best.

about: only two USB: (not three) one USB A Female (target USB device ex: keyboard / usb mass storage full speed …) + USB-C (to PC target device)?

1 Like

Yes on the connectors.

The pull ups are all or nothing on current hardware, will that be okay? Is TRIG active high or active low?

We can handle the trigger however we want.

Currently, I use it like this:

  • Trigger input is internally pulled up, and the active level is LOW.
  • When triggering is enabled in the settings, the capture pauses until the trigger pin is pulled LOW.

btw, I think two capacitors is enough: CL21A226MAYNNNE (Samsung Electro-Mechanics, 25V 22uF X5R ±20% 0805 MLCC, SMD/SMT, LCSC Electronics)

By the way, @ian, you read my mind haha! I also used a 2K resistor for the red LED. :laughing:

1 Like

Behind the buffer the pin pull up doesn’t do anything.

If it is a PIO pin, then I believe the direction will matter if you use JMP or WAIT pin.

If it is active low then we should add a 10k or 2k (or 5.1k) pullup to TRIG.

I’m a bit confused by the USB-pins in the schematics: what is USB_P and USB_N for, it looks like USB_D+ and USB_D- are used everywhere?

Might I suggest to add some IP4220CZ6F TVS diodes for basic protection? I’d say for USB_D+, USB_D-, CLK, DAT, TRIG.

This would need 2 of them, so use the rest of the TVS diode channels on IO3, IO6 and IO7 as they will probably be accessible on the connector.

1 Like

I’ll update the schematic now that the design is stabilized.

TVS diodes are a bit of a stretch I think. They should be on the target and the host PC (and the Bus Pirate…). Probably not needed on a vampire tap. Even the ferrites are overkill, but you mention noisy adapters and there are long powered cables involved so it might in some cases reduce power noise.

Didn’t realize who I was replying to, sorry. You didn’t mention the noise :slight_smile:

Ah okay, I understand. The USB P and N are the cross connections to make USB C act as low speed USB I believe.

Okay, then add an external resistor to it.

I don’t know much about USB-C—with the current design, will everything work correctly when sniffing Low-Speed and Full-Speed?

And will pass-through work properly?

Will it support cable connections like:

  • USB-C (Plank) → USB-C cable (PC)
  • USB-C (Plank) → USB-A Male cable (PC)

1 Like

  • Slide switch to connect/disconnect VOUT from the board
  • Removed USB B
  • Added pull-up to TRIG
  • second TRIG header pin is ground

2 Likes

Yes all these should be supported. It is the same USBC connection used on the Bus Pirate so well tested.

1 Like

For me, this is perfect, great job! I like it.

So, have we reached a consensus? :grinning_face_with_big_eyes: @ian @electronic_eel

As far as I’m concerned, you can build the first prototype whenever you want, and we’ll test it! :rocket:

1 Like

By the way, even if it’s a bit more expensive, I highly recommend this PS/2 Male-to-Male cable.

I’ve tested cheaper ones (black ones), and they don’t last long… the pins are bad.

I always use this cable in my training sessions, and I’ve had zero issues. :white_check_mark:

1 Like

Should Trig not be pulled to VOUT instead of VDD?

It is a signal to communicate with the BP, not something that has to do with the power supply of the PS/2 or USB devices connected.

So I think it would be better to use VOUT, so you can leave the power switch open, have a separate/different VOUT and still trigger reliably.

2 Likes

Good point. I will update and attempt to route the board if it seems simple.

2 Likes

I think I see another issue:

PS/2 is powered with 5V and IIRC it also uses 5V for data. So set VOUT to 5V and everything works.

But USB uses 3.3V as voltage on the data lines while Vusb is 5V.

So pure sniffing of USB with VOUT set to 5V might not have the correct threshold levels on the 1T45, but I think it should still work.

The real issue is when you want to translate between PS/2 and USB. Then you need VOUT set to 5V for the PS/2 part. But when you write on the USB data lines, you use a too high voltage. This poses the risk of damaging the host or device you are talking to.

I don’t see another solution than adding a 3.3V regulator and two 1T45 to the plank to fix this. But the direction pins of these additional 1T45s will have to be driven, changing the code from @Dreg.

1 Like