Making USB Accessible
Cynthion is an all-in-one tool for building, testing, monitoring, and experimenting with USB devices. Built around a unique FPGA-based architecture, Cynthion's digital hardware can be fully customized to suit the application at hand. As a result, it can act as a no-compromise High-Speed USB protocol analyzer, a USB-hacking multi-tool, or a USB development platform.
Out-of-the-box, Cynthion acts as a USB protocol analyzer capable of capturing and analyzing traffic between a host and any Low-, Full-, or High-Speed ("USB 2.0") USB device. It works seamlessly with our open-source software, which translates captured USB traffic into a human-readable format. ViewSB runs on Linux, MacOS, Windows, and FreeBSD.
Combined with the and the libraries, Cynthion becomes a versatile USB-hacking and development tool. FaceDancer makes it quick and easy to create or tamper with real USB devices—not just emulations—even if you don’t have experience with digital-hardware design, HDL, or FPGA architecture!
Core Features
Cynthion is a fully reconfigurable test instrument that provides all the hardware, gateware, firmware, and software you will need to work with—and, indeed, to master—USB. Below are a few of the challenges to which you’ll be able to apply your Cynthion:
- Protocol analysis for Low-, Full-, and High- speed USB. Cynthion provides everything you need for passive USB monitoring. Add the ViewSB analysis software, and you have a full-featured USB analyzer capable of passively capturing both USB traffic and up to 16 related digital signals.
- Creating your own Low-, Full-, or High- speed USB device. Cynthion provides nMigen gateware that allows you to create USB devices in gateware, firmware, or a combination of the two. Using the FaceDancer library, you can create or emulate real USB devices in high-level Python.
- Meddler-in-the-Middle (MitM) attacks on USB communication. Cynthion hardware can function as a "USB proxy" capable of transparently modifying USB data as it flows between a host and a device. Each board's three USB Type-C connections allow for simultaneous, high-speed proxying while maintaining a high-speed connection to the host. As a result, you can proxy a connection with or without the help of a host PC.
- USB reverse engineering and security research. Cynthion hardware and gateware represent a purpose-built backend for research tools like FaceDancer and USB-fuzzing libraries, thereby simplifying the emulation and rapid prototyping of compliant and non-compliant USB devices. Unlike other USB-emulation solutions, Cynthion-based hardware is dynamically reconfigurable, so it gives you the flexibility to create any endpoint configuration and engage in almost any USB (mis)behavior.
A Full-Featured, Open-Source USB Protocol Analyzer
(Click to expand.)
Cynthion includes all of the hardware necessary for low-, full-, or high-speed USB protocol analysis – which means it can provide the same functionality as expensive commercial USB analyzers like the or the .
Unlike existing USB solutions, however, Cynthion's analyzer stack is built entirely upon powerful, open-source tooling. By leveraging the remarkable and , Cynthion can automatically customize itself to the task at hand, which gives it access to unique features like user-defined hardware triggering and simultaneous capture of additional external or internal signals.
Cynthion uses the open-source analyzer frontend, which is a powerful, cross-platform tool for capturing, viewing, and analyzing USB data. ViewSB helps make USB traffic more human-readable while processing that traffic at any level of abstraction. And because it is completely open-source and extensible, you can add it to your own custom analysis layer simply by creating a single Python file.
An Educational Platform for Learning About USB
A fully open-source set of training materials walk you through the basics of USB - including descriptions and diagrams of the basic elements of USB, such as USB Transfers pictured here. Click to expand.
The Cynthion team has a long history of USB education. We’ve developed a number of open-source USB and at varying difficulty levels. Over the course of this campaign, we will develop and maintain additional Cynthion-specific material that will help you learn how to work with—and hack on—USB.
Cynthion's customizable architecture allows you to do more than just watch the packets fly by. Using Cynthion, you can reach out and touch USB traffic at every level. It’s a lot easier to learn how something works when you can take it apart, poke around inside it, and manipulate it in clever ways. Cynthion gives you that level of control.
Easily Create Your Own USB Designs
Cynthion was built from the ground-up to facilitate the process of creating new USB devices. Whether you’re a veteran low-level hardware designer or completely new to this, Cynthion will make your life easier in several ways.
First of all, its backend allows you to describe entire custom USB devices quickly, using just a few lines of Python, so you can try them out right away on real hardware. And, to help you get started, FaceDancer comes with a collection of existing device templates:
# Using a FaceDancer pre-made device, you can create a# "USB rubber ducky" with only a few lines of python!device = USBKeyboardDevice()async def type_letters(): await device.type_string('r', modifiers=KeyboardModifiers.MOD_LEFT_META) await asyncio.sleep(0.5) await device.type_string('calc\n')main(device, type_letters())And, for those with an interest in FPGA design, Cynthion's unique nMigen library makes it almost trivial to implement USB gateware. Have a look at our and start building your own gateware devices in no time!
Transparently Manipulate USB Data
Cynthion is as useful when working with existing USB devices as it is when designing new ones. By giving you the ability to inject or modify USB data transparently—on the fly—it allows you to do things that would otherwise be impossible. And its support for FaceDancer’s USBProxy means that manipulating USB data on the wire is as easy as writing a few lines of Python:
# USBProxy makes manipulating USB data trivial!# The following few lines are enough to flip the X-axis# on a Nintendo-branded USB game controller:class SwitchControllerInvertXFilter(USBProxyFilter): def filter_in(self, ep_num, data): # The fourth byte of our packets contains the # joystick X position, as a number between 0 and 255. data[3] = 0xff - data[3] return ep_num, dataCynthion's USB peripherals are customized for each USBProxy application, so you’re not restricted to certain USB device configurations. It is theoretically possible to proxy just about any USB device in existence!
Tools for Reverse Engineering & Security Research
As a Great Scott Gadgets (GSG) product, Cynthion was designed from the beginning to enable new and innovative research, but it also supports a multitude of security and reverse-engineering applications:
- Live, easy-to-customize USB analysis allows you to observe protocols as they fly down the wire and trivially annotate USB data with custom filters as you decode new protocols.
- Simple tools for creating and emulating USB devices let you rapidly develop hardware that is compatible with existing USB host software.
- Using Cynthion's flexible USB stack, you can easily produce non-compliant traffic with which to fuzz a variety of hosts – or the software and drivers running on those hosts!
- USBProxy Meddler-in-the-Middle (MitM) functionality gives you the ability to manipulate USB data, as it passes between the host and a device, so that you can "see what happens" when a device deviates from established protocols.
Technical Specifications
- A Lattice Semiconductor LFE5U-12F ECP5 FPGA supported by the
yosys nextpnropen-source FPGA flow - Three High-Speed USB interfaces, each connected to a USB3343 PHY capable of operating at up to 480 Mbps.
- Two USB Type-C connectors for device-mode communication (left side)
- One USB Type-C connector for host-mode communication, device-mode communication, or USB analysis (right-side)
- One USB Type-A connector for host-mode communication or USB analysis (right-side, shared with Type-C connector)
- A Microchip SAMD11 debug controller allows user configuration of the FPGA and provides a number of diagnostic interfaces:
- A complete, user-programmable JTAG controller capable of configuring the FPGA and communicating via JTAG with user designs
- A built-in USB-to-serial communications bridge for FPGA debug I/O
- A variety of simple, built-in debug mechanisms, including utilities that allow you to create simple, PC-accessible register interfaces
- Three USB power switches allow you to control power to and from the right-side USB connectors, thereby facilitating controlled power cycling of USB-powered devices under analysis.
- 64 Mbit (8 MiB) RAM for buffering USB traffic or for user applications
- Two unpopulated User I/O SMA connector footprints intended for Trigger In / Trigger Out use or for multi-device clock/data synchronization
- Two unpopulated Pmod I/O connectors presenting 16 high-speed FPGA user IOs that support user FPGA applications and allow logic-level data to be captured during USB analysis
- 32 Mbit (4 MiB) SPI-connected flash for PC-less FPGA configuration
- Six FPGA-connected user LEDs and five microcontroller-managed status LEDs
Milled-Aluminum Enclosure
To protect your Cynthion while in use, we’ve commissioned an expert designer to create a beautiful and robust milled-aluminum enclosure that completely surrounds and protects Cynthion's electronics:
3D render of Cynthion in its CNC-milled aluminum enclosure
Each case will be precisely CNC-milled from solid aluminum, then anodized for a sleek, matte-black surface finish. The case design features an intricate internal pattern tailored exactly to the Cynthion it will contain. This customization maximizes case density for robust protection and an unusually solid feel – without compromising Cynthion's tiny size or light weight.
During the campaign, Cynthion can be purchased with or without its enclosure.
Comparisons
| Cynthion | |||||||
|---|---|---|---|---|---|---|---|
| Low-/Full-Speed Support | Y | Y | Y | Y | Y | Y | Y |
| High Speed Support | Y | N | Y | Y | Y | Y | N |
| USB Analysis Supported | Y | Y | Y | Y | Y | limited | N |
| External Buffer DRAM | Y | N | Y | Y | Y | N | N |
| Advanced Analysis Triggering | Y | N | Limited | Limited | N | Y | N |
| Supports User USB Designs | Y | N | N | N | Unofficial ¹ | Unofficial ¹ | Y |
| FaceDancer Support | Y | N | N | N | N | N | Full-speed only |
| MITM Support | Y | N | N | N | N | N | Limited |
| USB Device-capable ports ² | 3 | 0 | 0 | 0 | 1 | 1 | 1 |
| USB Host-capable ports ³ | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Target Power Control | Y | N | N | N | N | Y | Host mode only |
| Extra/User I/O | 16 (PMOD) 2 (SMA) | 0 | 4 (mini-DIN connector) | 0 | 22 (0.1" header) | 12 (CW connector) | 100 (0.1" header) |
| LEDS / Unique Colors | 11 / 9 | 1 / 1 | 3 / 2 | 3 / 1 | 3 / 2 | 5 / 3 | 4 / 2 |
| Onboard Debug Hardware ⁴ | Y | N | N | N | UART only | UART only | Y |
| Standalone Operation Capable ⁵ | Y | N | N | N | N | N | Limited |
| User-Customizable FPGA | Y | N | N | N | Y | Y | N/A |
| usbc.tf Training Materials | Y | N | N | N | N | N | Y |
| Open HW/FW/SW | Y | N | N | N | Y | Y | Y |
| Open Toolchain | Y | N | N | N | N (ISE) | N (Vivado) | Y (non-FPGA) |
| Size Equivalent | Saltine cracker or 6x6 LEGO® tile | Deck of cards | Nintendo Switch | Two bricks | Nintendo Switch | Deck of cards | Deck of cards |
| Cost (USD or USD equivalent) | $149 | $495 | $1,295 | $1,599 | $180 ⁶ | $250 | $89 |
¹ By replacing official gateware with Cynthion's open gateware
² Via Cynthion Gateware, TinyUSB SoC, or FaceDancer
³ Via FPGA Gateware
⁴ To debug USB/FPGA designs
⁵ For user gateware or firmware designs
⁶ No longer directly available (price from a third-party manufacturing the open design)
Support & Documentation
The Cynthion project—including its hardware, gateware, firmware, and software—has been developed and enhanced in the open . You can view on GitHub, and its on ReadTheDocs.
We welcome questions and discussion in or via a bridge to the .
Documentation Links
- User documentation will be made available as the campaign progresses.
- USB training materials are available at ; additional materials will be released in cooperation with in the near future.
- Board schematics:
- Design files:
- Cynthion Gateware:
- Debugger Firmware:
- Software
- Cynthion:
- FaceDancer:
- ViewSB:
