LUNA

A multi-tool for building, analyzing, and hacking USB devices


Making USB Accessible

LUNA is an all-in-one tool for building, testing, monitoring, and experimenting with USB devices. Built around a unique FPGA-based architecture, LUNA’s digital hardware can be fully customized to suit the application at hand. As a result, it can act as a no-compromises High-Speed USB protocol analyzer, a USB-hacking multi-tool, or a USB development platform.

Out of the box, LUNA acts as a USB protocol analyzer capable of capturing and analyzing traffic between a host and any Low-, Full-, or High-Speed ("USB 2.0") USB device. It works seamlessly with our open-source ViewSB software, which translates captured USB traffic into a human-readable format. ViewSB runs on Linux, macOS, Windows, and FreeBSD.

Combined with the LUNA software and the FaceDancer libraries, LUNA becomes a versatile USB-hacking and development tool. FaceDancer makes it quick and easy to create or tamper with real USB devices – not just emulations – even if you don’t have experience with digital hardware design, HDL, or FPGA architecture!

Core Features

LUNA is a fully reconfigurable test instrument that provides all the hardware, gateware, firmware, and software you will need to work with – and, indeed, to master – USB. Below are a few of the things you’ll be able to use your LUNA for:

  • Protocol analysis for Low-, Full-, and High-speed USB. LUNA provides everything you need for passive USB monitoring. Add the ViewSB analysis software, and you have a full-featured USB analyzer capable of passively capturing both USB traffic and up to 16 related digital signals.
  • Creating your own Low-, Full-, or High-speed USB device. LUNA provides nMigen gateware that allows you to create USB devices in gateware, firmware, or a combination of the two. Using the FaceDancer library, you can create or emulate real USB devices in high-level Python.
  • Meddler-in-the-Middle (MitM) attacks on USB communication. LUNA hardware can function as a "USB proxy" capable of transparently modifying USB data as it flows between a host and a device. Each board's three USB-C connections allow for simultaneous, high-speed proxying, all while maintaining a high-speed connection to the host. As a result, you can proxy a connection with or without the help of a host PC.
  • USB reverse engineering and security research. LUNA hardware and gateware represent a purpose-built backend for research tools like FaceDancer and USB fuzzing libraries, thereby simplifying the emulation and rapid prototyping of compliant and non-compliant USB devices. Unlike other USB emulation solutions, LUNA-based hardware is dynamically reconfigurable, so it gives you the flexibility to create any endpoint configuration and engage in almost any USB (mis)behaviour.

Technical Specifications

  • A Lattice Semiconductor LFE5U-12F ECP5 FPGA supported by the yosys+nextpnr open-source FPGA flow
  • Three High-Speed USB interfaces, each connected to a USB3343 PHY capable of operating at up to 480 Mbps.
    • Two USB Type-C connectors for device-mode communication (left side)
    • One USB Type-C connector for host-mode communication, device-mode communication, or USB analysis (right-side)
    • One USB Type-A connector for host-mode communication or USB analysis (right-side)
  • A Microchip SAMD11 debug controller allows user configuration of the FPGA and provides a number of diagnostic interfaces:
    • A complete, user-programmable JTAG controller capable of configuring the FPGA and communicating via JTAG with user designs
    • A built-in USB-to-serial communications bridge for FPGA debug I/O
    • A variety of simple, built-in debug mechanisms, including utilities that allow you to create simple, PC-accessible register interfaces
  • Three USB power switches allow you to control power to and from each of the right-side USB connectors, thereby facilitating controlled power cycling of USB-powered devices under analysis.
  • 64 Mbit (8 MiB) RAM for buffering USB traffic or for user applications
  • Two unpopulated User I/O SMA connector footprints intended for Trigger In / Trigger Out use or for multi-device clock/data synchronization
  • Two unpopulated Pmod I/O connectors presenting 16 high-speed FPGA user IOs that support user FPGA applications and allow logic-level data to be captured during USB analysis
  • 32 Mbit (4 MiB) SPI-connected flash for PC-less FPGA configuration
  • Six FPGA-connected user LEDs and five microcontroller-connected status LEDs

LUNA includes all of the hardware necessary for low-, full-, or high-speed USB protocol analysis – which means it can provide the same functionality as expensive commercial USB analyzers like the TotalPhase Beagle 480 or the LeCroy Mercury series.

Unlike existing USB solutions, however, LUNA’s analyzer stack is built entirely upon powerful, open source tooling. By leveraging the unique nMigen gateware-generation library and ultra-fast open FPGA tools, LUNA can automatically customize itself to the task at hand, which gives it access to unique features like user-defined hardware triggering and simultaneous capture of additional external or internal signals.

LUNA uses the open-source ViewSB analyzer frontend, which is a powerful, cross-platform tool for capturing, viewing, and analyzing USB data. ViewSB helps make USB traffic more human-readable while processing that traffic at any level of abstraction. And because it is completely open-source and extensible, you can add your own custom analysis layer to it simply by creating a single Python file.

An Educational Platform for Learning About USB

A fully open-source set of training materials walks you through the basics of USB, including descriptions and diagrams of the basic elements of USB, such as USB Transfers pictured here.

The LUNA team has a long history of USB education. We’ve developed a number of open-source USB trainings and workshops at varying difficulty levels. Over the course of this campaign, we will develop and maintain additional LUNA-specific material that will help you learn how to work with – and hack on – USB.

LUNA’s customizable architecture allows you to do more than just watch the packets fly by. Using LUNA, you can reach out and touch USB traffic at every level. It’s a lot easier to learn how something works when you can take it apart, poke around inside it, and manipulate it in clever ways. LUNA gives you that level of control.

Easily Create Your Own USB Designs

LUNA was built from the ground up to facilitate the process of creating new USB devices. Whether you’re a veteran low-level hardware designer or completely new to this, LUNA will make your life easier in several ways.

First of all, its FaceDancer backend allows you to describe entire custom USB devices quickly, using just a few lines of Python, so you can try them out right away on real hardware. And, to help you get started, FaceDancer comes with a collection of existing device templates:

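# Using a FaceDancer pre-made device, you can create a
# "USB rubber ducky" with only a few lines of Python!

import asyncio

from facedancer import main
from facedancer.devices.keyboard import USBKeyboardDevice
from facedancer.classes.hid.keyboard import KeyboardModifiers

# Emulate a standard USB HID keyboard.
device = USBKeyboardDevice()

async def type_letters():
    # Send Meta+R, wait half a second, then type a string followed by Enter.
    await device.type_string('r', modifiers=KeyboardModifiers.MOD_LEFT_META)
    await asyncio.sleep(0.5)
    await device.type_string('calc\n')

# Run the emulated device alongside the typing coroutine.
main(device, type_letters())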

And, for those with an interest in FPGA design, LUNA’s unique nMigen library makes it almost trivial to implement USB gateware. Have a look at our library of examples and start building your own gateware devices in no time!

Transparently Manipulate USB Data

LUNA is as useful when working with existing USB devices as it is when designing new ones. By giving you the ability to inject or modify USB data transparently – on the fly – it allows you to do things that would otherwise be impossible. And its support for FaceDancer’s USBProxy means that manipulating USB data on the wire is as easy as writing a few lines of Python:

# USBProxy makes manipulating USB data trivial!
# The following few lines are enough to flip the X-axis
# on a Nintendo-branded USB game controller:

# Assumed import path; the module that provides USBProxyFilter
# depends on the FaceDancer release you have installed.
from facedancer.filters.base import USBProxyFilter

class SwitchControllerInvertXFilter(USBProxyFilter):

    def filter_in(self, ep_num, data):
        # The fourth byte of our packets contains the
        # joystick X position, as a number between 0 and 255.
        data[3] = 0xff - data[3]
        return ep_num, data

LUNA’s USB peripherals are customized for each USBProxy application, so you’re not restricted to certain USB device configurations. It is theoretically possible to proxy just about any USB device in existence!

Tools for Reverse Engineering & Security Research

As a Great Scott Gadgets product, LUNA was designed from the beginning to enable new and innovative research, but it also supports a multitude of security and reverse-engineering applications:

  • Live, easy-to-customize USB analysis allows you to observe protocols as they fly down the wire and trivially annotate USB data with custom filters as you decode new protocols.
  • Simple tools for creating and emulating USB devices let you rapidly develop hardware that is compatible with existing USB host software.
  • Using LUNA's flexible USB stack, you can easily produce non-compliant traffic with which to fuzz a variety of hosts – or the software and drivers running on those hosts!
  • USBProxy Meddler-in-the-Middle (MitM) functionality gives you the ability to manipulate USB data, as it passes between a host and a device, so that you can "see what happens" when a device deviates from established protocols.
