Saturday 13 April 2013

USB Missile Launcher + Delphi CRACKED!!!

Soooooo, me and this mysterious USB missile launcher that I couldn't crack have been bugging me ever since I wanted to reverse engineer it in early 2012 (read the earlier post).

I have read tons and tons of articles where people have tried to figure out how the tenxHID.dll function exports work and what their parameters are.

People have been in touch with the original manufacturers, people have sent emails to every possible forum, and it took me through the deepest parts of the internet to crack its secrets.

Through forums, mailing lists, the original chip manufacturer, disassembly software, USB sniffers and even unknown Chinese websites.

For over a year I have been walking around wanting to crack this son of a bitch.

And today, well, yesterday, and tonight, I told myself "I have to put an end to this bullshit.", and it turns out to not be that hard of a task after all.

All I needed to do was to send it two types of byte arrays (or packets, or frames, or whatever you want to call it), in 4 steps:

Two separate 8 byte arrays, which initiate the device,
one 8 byte array which tells the device what to do (left, right, up, down, fire),
two 8 byte arrays for initiation again,
and lastly one 64 byte array to stop the device, or else it would just keep going and going once you told it what to do.

I figured this out using a USB sniffer and Project Jedi as the USB HID component for Delphi XE 2.

Now the thing was that the device itself was recognized as two separate HID devices with the same VID and PID, but different Hardware IDs.

So whenever you plug it in you will see two devices get connected.

And a lot of people have managed to send 8 bytes to the device, but never the 64 bytes.

The trick and solution to this was that the first HID handles the 64 byte array which stops the device, and the second HID handles the 8 byte array.
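The four-step sequence above, plus the split between the two HID nodes, written out as an added Python example (this is not the post's Delphi code and not the Retaliation project's code). The post does not print the bytes it captured, so every payload below is a constructed placeholder that has to be replaced with the values from your own USB sniffer capture; only the report lengths, their order, and the rule "first node gets the 64 byte stop report, second node gets the 8 byte reports" come from the post. The VID/PID, the enumeration dicts and the optional `hid` (cython-hidapi) transport are assumptions as well.

```python
"""Four-step send sequence for a two-node USB HID device, as described in the post.

Everything marked PLACEHOLDER or constructed is assumed; replace it with the
bytes and identifiers from your own sniffer capture before driving real hardware.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Protocol, Sequence, Tuple

SHORT_REPORT_LEN = 8    # init and movement packets (second HID node)
STOP_REPORT_LEN = 64    # stop packet (first HID node)

# PLACEHOLDER payloads (constructed): the post gives lengths and order, not values.
INIT_PACKETS: Tuple[bytes, bytes] = (bytes(SHORT_REPORT_LEN), bytes(SHORT_REPORT_LEN))
COMMANDS: Dict[str, bytes] = {
    name: bytes([0x00, code]) + bytes(SHORT_REPORT_LEN - 2)   # PLACEHOLDER encoding
    for code, name in enumerate(("left", "right", "up", "down", "fire"), start=1)
}
STOP_PACKET: bytes = bytes(STOP_REPORT_LEN)                    # PLACEHOLDER

VID, PID = 0x1234, 0x5678   # constructed; use the IDs Device Manager / the sniffer shows


class HidTransport(Protocol):
    def write(self, path: bytes, report: bytes) -> None: ...


@dataclass
class RecordingTransport:
    """Stand-in for real HID handles: records (path, report) so the sequence can be checked offline."""
    log: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def write(self, path: bytes, report: bytes) -> None:
        self.log.append((path, bytes(report)))


class HidapiTransport:
    """Real transport over the `hid` package (cython-hidapi); assumed API, one handle per node.
    hidapi's write() treats the first byte as the report ID, so a device with
    unnumbered reports needs a leading 0x00 prepended to each payload."""

    def __init__(self) -> None:
        import hid  # imported lazily so the rest of the file runs without hardware
        self._hid = hid
        self._handles: Dict[bytes, object] = {}

    def write(self, path: bytes, report: bytes) -> None:
        handle = self._handles.get(path)
        if handle is None:
            handle = self._hid.device()
            handle.open_path(path)
            self._handles[path] = handle
        handle.write(report)


def split_interfaces(enumerated: Sequence[dict], vid: int, pid: int) -> Tuple[bytes, bytes]:
    """Return (stop_path, command_path) for the two HID nodes that share vid/pid.

    Input dicts are shaped like hid.enumerate() output (assumed). The post says the
    first node takes the 64 byte stop report and the second the 8 byte reports;
    enumeration order is not guaranteed, so nodes are sorted by path and the
    assignment must be confirmed against the capture.
    """
    paths = sorted(d["path"] for d in enumerated
                   if d.get("vendor_id") == vid and d.get("product_id") == pid)
    if len(paths) != 2:
        raise RuntimeError(f"expected 2 HID nodes for {vid:04x}:{pid:04x}, found {len(paths)}")
    return paths[0], paths[1]


def _checked(report: bytes, expected_len: int) -> bytes:
    """Refuse to send a report of the wrong size; a short write is the classic failure here."""
    if len(report) != expected_len:
        raise ValueError(f"report is {len(report)} bytes, expected {expected_len}")
    return report


def plan_sequence(stop_path: bytes, command_path: bytes, command: str) -> List[Tuple[bytes, bytes]]:
    """Build the post's four steps: init x2, command, init x2 (8 bytes each), then the 64 byte stop."""
    if command not in COMMANDS:
        raise KeyError(f"unknown command {command!r}")
    short = [(command_path, _checked(p, SHORT_REPORT_LEN)) for p in INIT_PACKETS]
    return (short
            + [(command_path, _checked(COMMANDS[command], SHORT_REPORT_LEN))]
            + short
            + [(stop_path, _checked(STOP_PACKET, STOP_REPORT_LEN))])


def send_command(transport: HidTransport, stop_path: bytes, command_path: bytes,
                 command: str) -> List[Tuple[bytes, int]]:
    """Write the planned sequence and return a (path, length) summary of what was sent."""
    plan = plan_sequence(stop_path, command_path, command)
    for path, report in plan:
        transport.write(path, report)
    return [(path, len(report)) for path, report in plan]


# Constructed enumeration result: two nodes with the same VID/PID, different paths.
SAMPLE_ENUMERATION = [
    {"vendor_id": VID, "product_id": PID, "path": b"/dev/hidraw0"},
    {"vendor_id": VID, "product_id": PID, "path": b"/dev/hidraw1"},
    {"vendor_id": 0x046D, "product_id": 0xC077, "path": b"/dev/hidraw2"},  # unrelated device
]


def demo(command: str = "fire") -> RecordingTransport:
    stop_path, command_path = split_interfaces(SAMPLE_ENUMERATION, VID, PID)
    transport = RecordingTransport()
    send_command(transport, stop_path, command_path, command)
    return transport


if __name__ == "__main__":
    for path, report in demo().log:
        print(path.decode(), len(report))
```

Swap `RecordingTransport` for `HidapiTransport` once the placeholder bytes and the node assignment have been verified against the sniffer capture; the length checks in `_checked` are what catch the "sent 8 bytes where 64 were needed" mistake the post describes.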

Download project source from here.

Developed using Delphi XE2 and Project Jedi.

Mystery solved, case closed, one less thing to walk around and think about.

Time to sleep and never look back at it again.

Good Night!

2 comments:

  1. Hello Aid, great work figuring out the right commands to control the missile launcher. I've been able to get the one I bought online working with your application for testing purposes.

    I've been looking through the code, but have real trouble (not knowing Delphi and despite your comments in the code). I'm trying to get my missile launcher to work like the "retaliation" one on github (https://github.com/codedance/Retaliation), but there it's another model and they don't work at all in the same way, it appears. It seems you're sending byte sequences to initialize the connection and then to send the commands. Any help to adapt your Delphi code to the Python code of Retaliation would be greatly appreciated.

    [Hoping this message gets past your spam filter],

    Thanks,
    Jakob.

    1. I am sorry Jakob, but I do not know how to program in Python.
      Do you know how to (in Python) get access to HID devices and send them bytes?

      If yes, then I can help you.
