Fun with USB Rocket Launchers and Python

USB LauncherI’ve had this USB Rocket Launcher gathering dust in my cupboard for some time but never really used it all that much, It’s primarily aimed at Windows users and has no software for other operating systems or documentation on how it works.

So last weekend I brought it into my workplace for some office warfare, and since our office is open plan this made it an ideal battleground, fueled by some Python.

UPDATE: Code has been posted to TCC’s GitLab, you can get it here: https://git.thecodecache.net/aleyshon/USB-Sentry

In order to make this work from within Python we needed to know what command were being sent to the device, so that we could replay them at our leisure.

To do this I used some software called USBPCap along with Wireshark to dump out the packets being sent.

The device I have uses the Vendor ID of 0x2123 and a Product ID of 0x1010. (DreamCheeky Thunder)

All commands sent to the device had a Request Type of 0x21 (Host to Device) and a Request of 0x09 (SET_CONFIGURATION). The device never returns any data. It is one way communication.

All payloads sent to the Rocket Launcher were always 8 bytes long and always started with 0x02 or 0x03, Followed by a single varying byte, Like this:

Interesting! It seems the other six bytes were not used by any of the commands.

Eventually I had managed to capture all the commands being sent, one at a time and built up a little data sheet about it’s protocol, which was very simple:

With this data in hand, it was time for some Python! We opted to use the pyUSB library for interfacing with the device.

Here was the final code we came up with, it picks a random number between 1 and 6 and performs an action associated with that number, we will be uploading this to GitLab shortly.

Please Share!Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedIn