9.0 KiB
9.0 KiB
Azeron Configuration Protocol Documentation
Overview
This document describes the approach to reverse engineering the USB configuration protocol for the Azeron Cyborg keypad (USB ID: 16d0:113c). The device uses a vendor-specific USB interface for configuration, which needs to be understood to implement full configuration support.
USB Device Analysis
Device Descriptor Summary
- Vendor ID: 0x16d0 (MCS)
- Product ID: 0x113c (Azeron Keypad)
- Configuration: 1 configuration, 5 interfaces
- Power: 500mA (bus-powered)
Interface Breakdown
-
Interface 0: Vendor-specific (0xFF)
- Endpoints: 0x81 (IN), 0x01 (OUT)
- Purpose: Likely main configuration interface
- Packet size: 32 bytes
-
Interface 1: HID
- Endpoint: 0x82 (IN)
- Purpose: Main button input
- Packet size: 16 bytes
-
Interface 2: HID Boot Mouse
- Endpoint: 0x83 (IN)
- Purpose: Mouse emulation
- Packet size: 7 bytes
-
Interface 3: HID
- Endpoint: 0x84 (IN)
- Purpose: Analog stick input
- Packet size: 16 bytes
-
Interface 4: HID with IN/OUT
- Endpoints: 0x85 (IN), 0x06 (OUT)
- Purpose: LED/control interface
- Packet size: 64 bytes
Protocol Reverse Engineering Approach
Phase 1: USB Traffic Capture
Option A: Windows Software Capture (Recommended)
If you have access to Windows and the Azeron configuration software:
-
Setup:
# Install USBPcap on Windows # Install Wireshark -
Capture Process:
- Start USBPcap capture on the Azeron device
- Open Azeron Windows software
- Perform configuration changes:
- Map a button to different key
- Change analog stick settings
- Switch profiles
- Save configuration
- Stop capture and save the data
-
Analysis:
- Look for control transfers to Interface 0
- Identify command patterns
- Map request types and data formats
Option B: Linux Exploration
Without Windows software, we can try to discover the protocol:
-
Basic Communication Test:
# Use the azeron-cli tool to attempt communication ./build/azeron-cli list # Try to read from configuration endpoint # (This will require implementing test functions) -
USB Control Transfer Testing:
- Test standard USB requests
- Try vendor-specific requests
- Monitor device responses
Phase 2: Protocol Discovery
Common USB Configuration Patterns
Most gaming devices use similar patterns:
-
Configuration Read:
Request Type: 0xC0 (Vendor IN) Request: 0x01-0xFF (varies by device) Value: 0x0000 Index: Interface number (0) Data: Response buffer -
Configuration Write:
Request Type: 0x40 (Vendor OUT) Request: 0x01-0xFF (varies by device) Value: 0x0000 Index: Interface number (0) Data: Command/data buffer
Expected Command Structure
Based on similar devices, the protocol likely includes:
-
Read Current Configuration:
- Command to read all button mappings
- Command to read analog stick settings
- Command to read profile information
-
Write Configuration:
- Command to set button mapping
- Command to set analog stick parameters
- Command to save configuration to device
-
Profile Management:
- Command to switch active profile
- Command to read/write profile data
Phase 3: Implementation Strategy
Step 1: Basic Communication
Add test functions to the library:
// In libazeron/protocol.c
int azeron_protocol_test_read(struct azeron_device *device)
{
uint8_t buffer[64];
int ret;
// Try various vendor requests
for (int req = 0x01; req <= 0xFF; req++) {
ret = azeron_device_control_transfer(device,
0xC0, // Vendor IN
req, // Request
0x0000, // Value
0x0000, // Index (Interface 0)
buffer, sizeof(buffer),
1000);
if (ret > 0) {
printf("Request 0x%02x: %d bytes\n", req, ret);
// Print buffer contents
}
}
return AZERON_SUCCESS;
}
Step 2: Button Mapping Discovery
The button mapping likely uses:
- Button ID (1-32)
- Key type (keyboard, mouse, gamepad, macro)
- Key code or action
- Modifiers (shift, ctrl, alt)
Expected data structure:
struct button_mapping {
uint8_t button_id;
uint8_t key_type;
uint16_t key_code;
uint8_t modifiers;
};
Step 3: Analog Stick Configuration
Analog stick settings likely include:
- Dead zone (0-100%)
- Sensitivity curve (linear, exponential)
- X/Y inversion flags
- Mode (analog, 4-way digital, 8-way digital, mouse)
Step 4: Profile Management
Profile commands likely:
- Read profile (0-2)
- Write profile
- Set active profile
- Save to device EEPROM
Phase 4: Testing and Validation
Test Plan
-
Basic Detection:
- Verify device is detected
- Check all interfaces are accessible
-
Configuration Read:
- Read current button mappings
- Verify against known configuration
-
Configuration Write:
- Change single button mapping
- Verify change persists
- Test in-game/application
-
Profile Management:
- Create multiple profiles
- Switch between profiles
- Verify profile persistence
Development Notes
USB Control Transfer Format
// Vendor request to interface 0
int azeron_protocol_send_command(struct azeron_device *device,
uint8_t request,
uint16_t value,
uint16_t index,
uint8_t *data,
size_t size,
int timeout)
{
return libusb_control_transfer(device->handle,
0x40, // Vendor OUT
request,
value,
index,
data,
size,
timeout);
}
int azeron_protocol_receive_response(struct azeron_device *device,
uint8_t request,
uint16_t value,
uint16_t index,
uint8_t *data,
size_t size,
int timeout)
{
return libusb_control_transfer(device->handle,
0xC0, // Vendor IN
request,
value,
index,
data,
size,
timeout);
}
Common Gaming Device Protocol Patterns
-
Init/Handshake:
- Send init command
- Receive device info/acknowledgment
-
Read Configuration:
- Send read command with offset/address
- Receive configuration data
- May require multiple transfers for full config
-
Write Configuration:
- Send write command with data
- Receive acknowledgment
- Send save command to persist
-
Profile Operations:
- Select profile (0-2)
- Read/write profile data
- Set as active profile
Tools for Reverse Engineering
USB Capture Tools
- USBPcap: Windows USB capture
- Wireshark: Protocol analysis
- usbmon: Linux kernel USB monitoring
- libusb debug: Enable debug output
Analysis Tools
- Protocol analyzers: Wireshark with USB dissectors
- Hex editors: For examining binary data
- Custom scripts: Python with pyusb for testing
Expected Challenges
- Encryption/Obfuscation: Configuration may be encrypted
- Checksums: Data may include CRC/checksums
- Command Sequences: May require specific command sequences
- Timing Requirements: Some devices have strict timing
- Device Protection: May have write protection mechanisms
Next Steps
- Capture USB Traffic: Get Windows software captures
- Analyze Patterns: Identify command structure
- Implement Protocol: Add functions to libazeron
- Test Incrementally: Start with simple commands
- Document Findings: Update this document with actual protocol
Contributing
If you discover protocol details:
- Document the command format
- Provide example USB captures
- Include test code if available
- Update this documentation
Safety Notes
- Always test with backup configurations
- Be prepared to reset device to factory defaults
- Don't write untested commands to device
- Monitor device temperature during testing
- Stop if device behaves unexpectedly
Current Status
Protocol Status: Not yet reverse engineered Implementation Status: Placeholder functions only Next Step: USB traffic capture and analysis