Menu
0
0

Your Cart is Empty

products
  • WIFI PENTESTING
  • SOFTWARE
  • HOTPLUG ATTACKS
  • IMPLANTS & REMOTE ACCESS
  • FIELD KITS
  • R&D / DETECTION
  • ACCESSORIES
  • RESEARCH
    • Support

    Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning podcasts, leading pentest gear, and inclusive community – where all hackers belong.

  • ORDERS
  • PRODUCT
  • SERVICE
  • INQUIRIES

  • Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning podcasts, leading pentest gear, and inclusive community – where all hackers belong.

    • Payloads

    PAYLOAD HUB
    Discover creative payloads from the Hak5 community with filtering by device and category.

    PAYLOAD STUDIO
    Unleash your hacking creativity with this full-featured web-based Payload development environment.

    PAYLOAD AWARDS
    Get your payload in front of thousands and enter to win. Nearly $10,000 in annual Hak5 prizes!

    DUCKYSCRIPT COURSE
    Learn directly from the creators! Unlock your creative potential with this comprehensive course.

    [PAYLOAD] SERIES
    Join Hak5 hosts and collaborators as we dive into the techniques and code that make great payloads!

  •

  • PAYLOAD HUB
    Discover creative payloads from the Hak5 community with filtering by device and category.

  •

  • PAYLOAD STUDIO
    Unleash your hacking creativity with this full-featured web-based Payload development environment.

  •

  • PAYLOAD AWARDS
    Get your payload in front of thousands and enter to win. Nearly $10,000 in annual Hak5 prizes!

  •

  • DUCKYSCRIPT COURSE
    Learn directly from the creators! Unlock your creative potential with this comprehensive course.

  •

  • [PAYLOAD] SERIES
    Join Hak5 hosts and collaborators as we dive into the techniques and code that make great payloads!

    • Cynthion
    Cynthion

    Cynthion

    $150.00 - $200.00

     

    Making USB Accessible

    Cynthion is an all-in-one tool for building, testing, monitoring, and experimenting with USB devices. Built around a unique FPGA-based architecture, Cynthion's digital hardware can be fully customized to suit the application at hand. As a result, it can act as a no-compromise High-Speed USB protocol analyzer, a USB-hacking multi-tool, or a USB development platform.

    Out-of-the-box, Cynthion acts as a USB protocol analyzer capable of capturing and analyzing traffic between a host and any Low-, Full-, or High-Speed ("USB 2.0") USB device. It works seamlessly with our open-source ViewSB software, which translates captured USB traffic into a human-readable format. ViewSB runs on Linux, MacOS, Windows, and FreeBSD.

    Combined with the Cynthion software and the FaceDancer libraries, Cynthion becomes a versatile USB-hacking and development tool. FaceDancer makes it quick and easy to create or tamper with real USB devices—not just emulations—even if you don’t have experience with digital-hardware design, HDL, or FPGA architecture!

    Ships in 1-3 day worldwide

    Orders are fulfilled from our California warehouse in 1-3 days. Typical shipping times:

    • 🇺🇸 USA: 2-7 days
    • 🇨🇦 Canada: 2-8 days
    • 🇬🇧 UK: 3-5 days
    • 🇪🇺 EU: 3-8 days
    • 🦘 Australia: 3-10 days
    Insured against loss & damage

    Orders under $2500 are automatically protected against loss & damage via MonkProtect™ shipping insurance with a fast and easy resolution center.

    EU Safety Information

    Manufacturer: Hak5 LLC. 5473 Blair Rd, Ste 100 PMB 39371, Dallas, TX 75231. Shop@Hak5.org. https://shop.hak5.org
    Responsible Person: Easy Access System Europe - Mustamäe tee 50, 10621 Tallinn, Estonia, gpsr.requests@easproject.com
    Safety Information: Warning: Not suitable for children under 14 years. This is not a toy. Contains small parts that may present a choking hazard. Keep out of reach of children. Do not expose the device to water, excessive moisture, direct sunlight or extreme conditions (moisture, heat, cold, dust), as the device may malfunction or cease to work when exposed to such elements. Do not attempt to disassemble or repair the device yourself. Doing so voids the limited warranty and could harm you or the device. This device is not designed, manufactured or intended for use in hazardous environments requiring fail-safe performance in which the failure of the device could lead directly to death, personal injury, or severe physical or environmental damage. Wireless equipped devices are restricted to indoor use only when operating in the 2400 MHz – 2483.5 MHz frequency range within the EU and EFTA countries, as required by Article 10(10) of Directive 2014/53/EU. Battery equipped devices: do not dispose of batteries in household waste. Battery replacement must be carried out by a qualified technician. This USB-powered device complies with the EMC Directive (2014/30/EU) and meets the requirements of EN 55032 and EN 55035 for electromagnetic compatibility. This device is designed in accordance with USB-IF specifications for voltage limits, data integrity, and power safety to ensure reliable and compliant operation. This product has been designed and manufactured in accordance with the RoHS requirements and complies with the European Union’s Restriction of Hazardous Substances (RoHS) Directive 2011/65/EU and Directive (EU) 2015/863. This device is designed to operate reliably within an operating temperature range of 35ºC to 45ºC and a storage temperature range of -20ºC to 50ºC. It is rated for use in environments with 0% to 90% relative humidity (non-condensing). Proper environmental conditions must be maintained to ensure optimal performance and longevity. Made in China. This device is for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use. This device is packaged with a limited warranty, the acceptance of which is a condition of sale. See Hak5.org for additional warranty details and limitations. Availability and performance of certain features, services and applications are device and network dependent and may not be available in all areas; additional terms, conditions and/or charges may apply. All features, functionality and other product specifications are subject to change without notice or obligation. Hak5 LLC reserves the right to make changes to the products description without notice. Hak5 LLC does not assume any liability that may occur due to the use or application of the product(s) described herein.

    Core Features

    Cynthion is a fully reconfigurable test instrument that provides all the hardware, gateware, firmware, and software you will need to work with—and, indeed, to master—USB. Below are a few of the challenges to which you’ll be able to apply your Cynthion:

    • Protocol analysis for Low-, Full-, and High- speed USB. Cynthion provides everything you need for passive USB monitoring. Add the ViewSB analysis software, and you have a full-featured USB analyzer capable of passively capturing both USB traffic and up to 16 related digital signals.
    • Creating your own Low-, Full-, or High- speed USB device. Cynthion provides nMigen gateware that allows you to create USB devices in gateware, firmware, or a combination of the two. Using the FaceDancer library, you can create or emulate real USB devices in high-level Python.
    • Meddler-in-the-Middle (MitM) attacks on USB communication. Cynthion hardware can function as a "USB proxy" capable of transparently modifying USB data as it flows between a host and a device. Each board's three USB Type-C connections allow for simultaneous, high-speed proxying while maintaining a high-speed connection to the host. As a result, you can proxy a connection with or without the help of a host PC.
    • USB reverse engineering and security research. Cynthion hardware and gateware represent a purpose-built backend for research tools like FaceDancer and USB-fuzzing libraries, thereby simplifying the emulation and rapid prototyping of compliant and non-compliant USB devices. Unlike other USB-emulation solutions, Cynthion-based hardware is dynamically reconfigurable, so it gives you the flexibility to create any endpoint configuration and engage in almost any USB (mis)behavior.

    (Click to expand.)

    Cynthion includes all of the hardware necessary for low-, full-, or high-speed USB protocol analysis – which means it can provide the same functionality as expensive commercial USB analyzers like the TotalPhase Beagle 480 or the LeCroy Mercury series.

    Unlike existing USB solutions, however, Cynthion's analyzer stack is built entirely upon powerful, open-source tooling. By leveraging the remarkable nMigen gateware-generation library and ultra-fast open FPGA tools, Cynthion can automatically customize itself to the task at hand, which gives it access to unique features like user-defined hardware triggering and simultaneous capture of additional external or internal signals.

    Cynthion uses the open-source ViewSB analyzer frontend, which is a powerful, cross-platform tool for capturing, viewing, and analyzing USB data. ViewSB helps make USB traffic more human-readable while processing that traffic at any level of abstraction. And because it is completely open-source and extensible, you can add it to your own custom analysis layer simply by creating a single Python file.

    An Educational Platform for Learning About USB

    A fully open-source set of training materials walk you through the basics of USB - including descriptions and diagrams of the basic elements of USB, such as USB Transfers pictured here.

    A fully open-source set of training materials walk you through the basics of USB - including descriptions and diagrams of the basic elements of USB, such as USB Transfers pictured here. Click to expand.

    The Cynthion team has a long history of USB education. We’ve developed a number of open-source USB trainings and workshops at varying difficulty levels. Over the course of this campaign, we will develop and maintain additional Cynthion-specific material that will help you learn how to work with—and hack on—USB.

    Cynthion's customizable architecture allows you to do more than just watch the packets fly by. Using Cynthion, you can reach out and touch USB traffic at every level. It’s a lot easier to learn how something works when you can take it apart, poke around inside it, and manipulate it in clever ways. Cynthion gives you that level of control.

    Easily Create Your Own USB Designs

    Cynthion was built from the ground-up to facilitate the process of creating new USB devices. Whether you’re a veteran low-level hardware designer or completely new to this, Cynthion will make your life easier in several ways.

    First of all, its FaceDancer backend allows you to describe entire custom USB devices quickly, using just a few lines of Python, so you can try them out right away on real hardware. And, to help you get started, FaceDancer comes with a collection of existing device templates:

    # Using a FaceDancer pre-made device, you can create a
# "USB rubber ducky" with only a few lines of python!

device = USBKeyboardDevice()

async def type_letters():
    await device.type_string('r', modifiers=KeyboardModifiers.MOD_LEFT_META)
    await asyncio.sleep(0.5)
    await device.type_string('calc\n')

main(device, type_letters())

    And, for those with an interest in FPGA design, Cynthion's unique nMigen library makes it almost trivial to implement USB gateware. Have a look at our library of examples and start building your own gateware devices in no time!

    Transparently Manipulate USB Data

    Cynthion is as useful when working with existing USB devices as it is when designing new ones. By giving you the ability to inject or modify USB data transparently—on the fly—it allows you to do things that would otherwise be impossible. And its support for FaceDancer’s USBProxy means that manipulating USB data on the wire is as easy as writing a few lines of Python:

    # USBProxy makes manipulating USB data trivial!
# The following few lines are enough to flip the X-axis
# on a Nintendo-branded USB game controller:

class SwitchControllerInvertXFilter(USBProxyFilter):

    def filter_in(self, ep_num, data):
        # The fourth byte of our packets contains the
        # joystick X position, as a number between 0 and 255.
        data[3] = 0xff - data[3]
        return ep_num, data

    Cynthion's USB peripherals are customized for each USBProxy application, so you’re not restricted to certain USB device configurations. It is theoretically possible to proxy just about any USB device in existence!

    Tools for Reverse Engineering & Security Research

    As a Great Scott Gadgets (GSG) product, Cynthion was designed from the beginning to enable new and innovative research, but it also supports a multitude of security and reverse-engineering applications:

    • Live, easy-to-customize USB analysis allows you to observe protocols as they fly down the wire and trivially annotate USB data with custom filters as you decode new protocols.
    • Simple tools for creating and emulating USB devices let you rapidly develop hardware that is compatible with existing USB host software.
    • Using Cynthion's flexible USB stack, you can easily produce non-compliant traffic with which to fuzz a variety of hosts – or the software and drivers running on those hosts!
    • USBProxy Meddler-in-the-Middle (MitM) functionality gives you the ability to manipulate USB data, as it passes between the host and a device, so that you can "see what happens" when a device deviates from established protocols.

    Technical Specifications

    • A Lattice Semiconductor LFE5U-12F ECP5 FPGA supported by the yosys+nextpnr open-source FPGA flow
    • Three High-Speed USB interfaces, each connected to a USB3343 PHY capable of operating at up to 480 Mbps.
      • Two USB Type-C connectors for device-mode communication (left side)
      • One USB Type-C connector for host-mode communication, device-mode communication, or USB analysis (right-side)
      • One USB Type-A connector for host-mode communication or USB analysis (right-side, shared with Type-C connector)
    • A Microchip SAMD11 debug controller allows user configuration of the FPGA and provides a number of diagnostic interfaces:
      • A complete, user-programmable JTAG controller capable of configuring the FPGA and communicating via JTAG with user designs
      • A built-in USB-to-serial communications bridge for FPGA debug I/O
      • A variety of simple, built-in debug mechanisms, including utilities that allow you to create simple, PC-accessible register interfaces
    • Three USB power switches allow you to control power to and from the right-side USB connectors, thereby facilitating controlled power cycling of USB-powered devices under analysis.
    • 64 Mbit (8 MiB) RAM for buffering USB traffic or for user applications
    • Two unpopulated User I/O SMA connector footprints intended for Trigger In / Trigger Out use or for multi-device clock/data synchronization
    • Two unpopulated Pmod I/O connectors presenting 16 high-speed FPGA user IOs that support user FPGA applications and allow logic-level data to be captured during USB analysis
    • 32 Mbit (4 MiB) SPI-connected flash for PC-less FPGA configuration
    • Six FPGA-connected user LEDs and five microcontroller-managed status LEDs

    Milled-Aluminum Enclosure

    To protect your Cynthion while in use, we’ve commissioned an expert designer to create a beautiful and robust milled-aluminum enclosure that completely surrounds and protects Cynthion's electronics:

    3D render of Cynthion in its CNC-milled aluminum enclosure

    Each case will be precisely CNC-milled from solid aluminum, then anodized for a sleek, matte-black surface finish. The case design features an intricate internal pattern tailored exactly to the Cynthion it will contain. This customization maximizes case density for robust protection and an unusually solid feel – without compromising Cynthion's tiny size or light weight.

    During the campaign, Cynthion can be purchased with or without its enclosure.

    Comparisons

    Cynthion Beagle USB 12 Beagle USB 480 USB Explorer 200 OpenVizsla PhyWhisperer-USB GreatFET One
    Low-/Full-Speed Support Y Y Y Y Y Y Y
    High Speed Support Y N Y Y Y Y N
    USB Analysis Supported Y Y Y Y Y limited N
    External Buffer DRAM Y N Y Y Y N N
    Advanced Analysis Triggering Y N Limited Limited N Y N
    Supports User USB Designs Y N N N Unofficial ¹ Unofficial ¹ Y
    FaceDancer Support Y N N N N N Full-speed only
    MITM Support Y N N N N N Limited
    USB Device-capable ports ² 3 0 0 0 1 1 1
    USB Host-capable ports ³ 1 0 0 0 0 0 1
    Target Power Control Y N N N N Y Host mode only
    Extra/User I/O 16 (PMOD) + 2 (SMA) 0 4 (mini-DIN connector) 0 22 (0.1" header) 12 (CW connector) 100 (0.1" header)
    LEDS / Unique Colors 11 / 9 1 / 1 3 / 2 3 / 1 3 / 2 5 / 3 4 / 2
    Onboard Debug Hardware  Y N N N UART only UART only Y
    Standalone Operation Capable  Y N N N N N Limited
    User-Customizable FPGA Y N N N Y Y N/A
    usbc.tf Training Materials Y N N N N N Y
    Open HW/FW/SW Y N N N Y Y Y
    Open Toolchain Y N N N N (ISE) N (Vivado) Y (non-FPGA)
    Size Equivalent Saltine cracker or 6x6 LEGO® tile Deck of cards Nintendo Switch Two bricks Nintendo Switch Deck of cards Deck of cards
    Cost (USD or USD equivalent) $149 $495 $1,295 $1,599 $180  $250 $89

    ¹ By replacing official gateware with Cynthion's open gateware
    ² Via Cynthion Gateware, TinyUSB SoC, or FaceDancer
    ³ Via FPGA Gateware
     To debug USB/FPGA designs
     For user gateware or firmware designs
     No longer directly available (price from a third-party manufacturing the open design)

    Support & Documentation

    The Cynthion project—including its hardware, gateware, firmware, and software—has been developed and enhanced in the open on GitHub. You can view its annotated hardware designs on GitHub, and its developer documentation on ReadTheDocs.

    We welcome questions and discussion in the Cynthion Discord Channel or via a bridge to the Cynthion IRC Channel.