Cynthion


 

Making USB Accessible

Cynthion is an all-in-one tool for building, testing, monitoring, and experimenting with USB devices. Built around a unique FPGA-based architecture, Cynthion's digital hardware can be fully customized to suit the application at hand. As a result, it can act as a no-compromise High-Speed USB protocol analyzer, a USB-hacking multi-tool, or a USB development platform.

Out of the box, Cynthion acts as a USB protocol analyzer capable of capturing and analyzing traffic between a host and any Low-, Full-, or High-Speed ("USB 2.0") USB device. It works seamlessly with our open-source ViewSB software, which translates captured USB traffic into a human-readable format. ViewSB runs on Linux, macOS, Windows, and FreeBSD.

Combined with the Cynthion software and the FaceDancer libraries, Cynthion becomes a versatile USB-hacking and development tool. FaceDancer makes it quick and easy to create or tamper with real USB devices—not just emulations—even if you don’t have experience with digital-hardware design, HDL, or FPGA architecture!

Core Features

Cynthion is a fully reconfigurable test instrument that provides all the hardware, gateware, firmware, and software you will need to work with—and, indeed, to master—USB. Below are a few of the challenges to which you’ll be able to apply your Cynthion:

  • Protocol analysis for Low-, Full-, and High-Speed USB. Cynthion provides everything you need for passive USB monitoring. Add the ViewSB analysis software, and you have a full-featured USB analyzer capable of passively capturing both USB traffic and up to 16 related digital signals.
  • Creating your own Low-, Full-, or High-Speed USB device. Cynthion provides nMigen gateware that allows you to create USB devices in gateware, firmware, or a combination of the two. Using the FaceDancer library, you can create or emulate real USB devices in high-level Python.
  • Meddler-in-the-Middle (MitM) attacks on USB communication. Cynthion hardware can function as a "USB proxy" capable of transparently modifying USB data as it flows between a host and a device. Each board's three USB Type-C connections allow for simultaneous, high-speed proxying while maintaining a high-speed connection to the host. As a result, you can proxy a connection with or without the help of a host PC.
  • USB reverse engineering and security research. Cynthion hardware and gateware represent a purpose-built backend for research tools like FaceDancer and USB-fuzzing libraries, thereby simplifying the emulation and rapid prototyping of compliant and non-compliant USB devices. Unlike other USB-emulation solutions, Cynthion-based hardware is dynamically reconfigurable, so it gives you the flexibility to create any endpoint configuration and engage in almost any USB (mis)behavior.


Cynthion includes all of the hardware necessary for low-, full-, or high-speed USB protocol analysis – which means it can provide the same functionality as expensive commercial USB analyzers like the TotalPhase Beagle 480 or the LeCroy Mercury series.

Unlike existing USB solutions, however, Cynthion's analyzer stack is built entirely upon powerful, open-source tooling. By leveraging the remarkable nMigen gateware-generation library and ultra-fast open FPGA tools, Cynthion can automatically customize itself to the task at hand, which gives it access to unique features like user-defined hardware triggering and simultaneous capture of additional external or internal signals.

Cynthion uses the open-source ViewSB analyzer frontend, which is a powerful, cross-platform tool for capturing, viewing, and analyzing USB data. ViewSB helps make USB traffic more human-readable while processing that traffic at any level of abstraction. And because it is completely open-source and extensible, you can add it to your own custom analysis layer simply by creating a single Python file.

An Educational Platform for Learning About USB

A fully open-source set of training materials walks you through the basics of USB, including descriptions and diagrams of the basic elements of USB, such as USB Transfers pictured here.


The Cynthion team has a long history of USB education. We’ve developed a number of open-source USB trainings and workshops at varying difficulty levels. Over the course of this campaign, we will develop and maintain additional Cynthion-specific material that will help you learn how to work with—and hack on—USB.

Cynthion's customizable architecture allows you to do more than just watch the packets fly by. Using Cynthion, you can reach out and touch USB traffic at every level. It’s a lot easier to learn how something works when you can take it apart, poke around inside it, and manipulate it in clever ways. Cynthion gives you that level of control.

Easily Create Your Own USB Designs

Cynthion was built from the ground up to facilitate the process of creating new USB devices. Whether you’re a veteran low-level hardware designer or completely new to this, Cynthion will make your life easier in several ways.

First of all, its FaceDancer backend allows you to describe entire custom USB devices quickly, using just a few lines of Python, so you can try them out right away on real hardware. And, to help you get started, FaceDancer comes with a collection of existing device templates:

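# Using a FaceDancer pre-made device, you can create a
# "USB rubber ducky" with only a few lines of Python!

import asyncio

from facedancer import main
from facedancer.devices.keyboard import USBKeyboardDevice
from facedancer.classes.hid.keyboard import KeyboardModifiers

device = USBKeyboardDevice()

async def type_letters():
    # Send Meta + R, pause briefly, then type a command followed by Enter.
    await device.type_string('r', modifiers=KeyboardModifiers.MOD_LEFT_META)
    await asyncio.sleep(0.5)
    await device.type_string('calc\n')

main(device, type_letters())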

And, for those with an interest in FPGA design, Cynthion's unique nMigen library makes it almost trivial to implement USB gateware. Have a look at our library of examples and start building your own gateware devices in no time!

Transparently Manipulate USB Data

Cynthion is as useful when working with existing USB devices as it is when designing new ones. By giving you the ability to inject or modify USB data transparently—on the fly—it allows you to do things that would otherwise be impossible. And its support for FaceDancer’s USBProxy means that manipulating USB data on the wire is as easy as writing a few lines of Python:

# USBProxy makes manipulating USB data trivial!
# The following few lines are enough to flip the X-axis
# on a Nintendo-branded USB game controller:

# Import path assumed for current FaceDancer releases; older releases differ.
from facedancer.filters import USBProxyFilter

class SwitchControllerInvertXFilter(USBProxyFilter):

    def filter_in(self, ep_num, data):
        # The fourth byte of our packets contains the
        # joystick X position, as a number between 0 and 255.
        data[3] = 0xff - data[3]
        return ep_num, data

Cynthion's USB peripherals are customized for each USBProxy application, so you’re not restricted to certain USB device configurations. It is theoretically possible to proxy just about any USB device in existence!
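The filter above indexes byte 3 of every IN packet it is handed, so a packet shorter than four bytes raises IndexError and packets from unrelated endpoints are rewritten too. The following is an added example, not code from the Cynthion or FaceDancer projects: it exercises a guarded version of the same filter offline. ProxyFilterStub, run_filters, the endpoint number 1 and the sample packets are assumptions made for illustration.

```python
class ProxyFilterStub:
    """Hypothetical stand-in with the same filter_in(ep_num, data) shape
    as the page's USBProxyFilter, so the logic runs without hardware."""

    def filter_in(self, ep_num, data):
        return ep_num, data


class InvertXFilter(ProxyFilterStub):
    """Invert the joystick X byte, but only on the report endpoint."""

    def __init__(self, report_ep=1, x_offset=3):  # assumed endpoint/offset
        self.report_ep = report_ep
        self.x_offset = x_offset

    def filter_in(self, ep_num, data):
        # Pass through other endpoints and empty or short packets unchanged.
        if ep_num != self.report_ep or data is None or len(data) <= self.x_offset:
            return ep_num, data
        out = bytearray(data)  # copy, since the input may be immutable bytes
        out[self.x_offset] = 0xFF - out[self.x_offset]
        return ep_num, out


def run_filters(filters, ep_num, data):
    """Apply each filter in list order to one IN packet (assumed model)."""
    for f in filters:
        ep_num, data = f.filter_in(ep_num, data)
    return ep_num, data


# Constructed sample packets, not captured from a real controller.
SAMPLES = [
    (1, bytes([0x00, 0x00, 0x08, 0x20, 0x80, 0x80, 0x80])),  # full report
    (1, bytes([0x00, 0x00])),                                # short packet
    (2, bytes([0x01, 0x02, 0x03, 0x04])),                    # other endpoint
]

if __name__ == "__main__":
    for ep, pkt in SAMPLES:
        _, out = run_filters([InvertXFilter()], ep, pkt)
        print(ep, pkt.hex(), "->", bytes(out).hex())
```

Running the same packets through two InvertXFilter instances returns the original bytes, which is a quick sanity check that a filter changes only the field it targets.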

Tools for Reverse Engineering & Security Research

As a Great Scott Gadgets (GSG) product, Cynthion was designed from the beginning to enable new and innovative research, but it also supports a multitude of security and reverse-engineering applications:

  • Live, easy-to-customize USB analysis allows you to observe protocols as they fly down the wire and trivially annotate USB data with custom filters as you decode new protocols.
  • Simple tools for creating and emulating USB devices let you rapidly develop hardware that is compatible with existing USB host software.
  • Using Cynthion's flexible USB stack, you can easily produce non-compliant traffic with which to fuzz a variety of hosts – or the software and drivers running on those hosts!
  • USBProxy Meddler-in-the-Middle (MitM) functionality gives you the ability to manipulate USB data, as it passes between the host and a device, so that you can "see what happens" when a device deviates from established protocols.

Technical Specifications

  • A Lattice Semiconductor LFE5U-12F ECP5 FPGA supported by the yosys+nextpnr open-source FPGA flow
  • Three High-Speed USB interfaces, each connected to a USB3343 PHY capable of operating at up to 480 Mbps.
    • Two USB Type-C connectors for device-mode communication (left side)
    • One USB Type-C connector for host-mode communication, device-mode communication, or USB analysis (right-side)
    • One USB Type-A connector for host-mode communication or USB analysis (right-side, shared with Type-C connector)
  • A Microchip SAMD11 debug controller allows user configuration of the FPGA and provides a number of diagnostic interfaces:
    • A complete, user-programmable JTAG controller capable of configuring the FPGA and communicating via JTAG with user designs
    • A built-in USB-to-serial communications bridge for FPGA debug I/O
    • A variety of simple, built-in debug mechanisms, including utilities that allow you to create simple, PC-accessible register interfaces
  • Three USB power switches allow you to control power to and from the right-side USB connectors, thereby facilitating controlled power cycling of USB-powered devices under analysis.
  • 64 Mbit (8 MiB) RAM for buffering USB traffic or for user applications
  • Two unpopulated User I/O SMA connector footprints intended for Trigger In / Trigger Out use or for multi-device clock/data synchronization
  • Two unpopulated Pmod I/O connectors presenting 16 high-speed FPGA user IOs that support user FPGA applications and allow logic-level data to be captured during USB analysis
  • 32 Mbit (4 MiB) SPI-connected flash for PC-less FPGA configuration
  • Six FPGA-connected user LEDs and five microcontroller-managed status LEDs

Milled-Aluminum Enclosure

To protect your Cynthion while in use, we’ve commissioned an expert designer to create a beautiful and robust milled-aluminum enclosure that completely surrounds and protects Cynthion's electronics:

3D render of Cynthion in its CNC-milled aluminum enclosure

Each case will be precisely CNC-milled from solid aluminum, then anodized for a sleek, matte-black surface finish. The case design features an intricate internal pattern tailored exactly to the Cynthion it will contain. This customization maximizes case density for robust protection and an unusually solid feel – without compromising Cynthion's tiny size or light weight.

During the campaign, Cynthion can be purchased with or without its enclosure.

Comparisons

| | Cynthion | Beagle USB 12 | Beagle USB 480 | USB Explorer 200 | OpenVizsla | PhyWhisperer-USB | GreatFET One |
|---|---|---|---|---|---|---|---|
| Low-/Full-Speed Support | Y | Y | Y | Y | Y | Y | Y |
| High Speed Support | Y | N | Y | Y | Y | Y | N |
| USB Analysis Supported | Y | Y | Y | Y | Y | Limited | N |
| External Buffer DRAM | Y | N | Y | Y | Y | N | N |
| Advanced Analysis Triggering | Y | N | Limited | Limited | N | Y | N |
| Supports User USB Designs | Y | N | N | N | Unofficial ¹ | Unofficial ¹ | Y |
| FaceDancer Support | Y | N | N | N | N | N | Full-speed only |
| MITM Support | Y | N | N | N | N | N | Limited |
| USB Device-capable ports ² | 3 | 0 | 0 | 0 | 1 | 1 | 1 |
| USB Host-capable ports ³ | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Target Power Control | Y | N | N | N | N | Y | Host mode only |
| Extra/User I/O | 16 (PMOD) + 2 (SMA) | 0 | 4 (mini-DIN connector) | 0 | 22 (0.1" header) | 12 (CW connector) | 100 (0.1" header) |
| LEDs / Unique Colors | 11 / 9 | 1 / 1 | 3 / 2 | 3 / 1 | 3 / 2 | 5 / 3 | 4 / 2 |
| Onboard Debug Hardware ⁴ | Y | N | N | N | UART only | UART only | Y |
| Standalone Operation Capable ⁵ | Y | N | N | N | N | N | Limited |
| User-Customizable FPGA | Y | N | N | N | Y | Y | N/A |
| usbc.tf Training Materials | Y | N | N | N | N | N | Y |
| Open HW/FW/SW | Y | N | N | N | Y | Y | Y |
| Open Toolchain | Y | N | N | N | N (ISE) | N (Vivado) | Y (non-FPGA) |
| Size Equivalent | Saltine cracker or 6x6 LEGO® tile | Deck of cards | Nintendo Switch | Two bricks | Nintendo Switch | Deck of cards | Deck of cards |
| Cost (USD or USD equivalent) | $149 | $495 | $1,295 | $1,599 | $180 ⁶ | $250 | $89 |

¹ By replacing official gateware with Cynthion's open gateware
² Via Cynthion Gateware, TinyUSB SoC, or FaceDancer
³ Via FPGA Gateware
⁴ To debug USB/FPGA designs
⁵ For user gateware or firmware designs
⁶ No longer directly available (price from a third-party manufacturing the open design)

Support & Documentation

The Cynthion project—including its hardware, gateware, firmware, and software—has been developed and enhanced in the open on GitHub. You can view its annotated hardware designs on GitHub, and its developer documentation on ReadTheDocs.

We welcome questions and discussion in the Cynthion Discord Channel or via a bridge to the Cynthion IRC Channel.
