USB KILLER V3 reverse engineering in progress UPDATED

[Parrot974]

Hello,

I decided to reverse engineer a quite interesting thing which is the USB Killer V3. I don't intend to do anything wrong with it, it is just something interesting and easy to reverse engineer since I'm a beginner.

After some research, all I found out about this thing is some pictures of the PCB and a partial list of the components so I decided to buy one in order to reverse engineer it.
I managed to unsolder all the components properly so I could extract the schematic out of it.
Here are the pictures where you can see clearly the PCB and the components:





<a target='_blank' href='https://fr.imgbb.com/'>picture hosting[/url]




Here is also the uncomplete schematic:


<a target='_blank' href='https://fr.imgbb.com/'>picture hosting[/url]


IC3 is an SOT323 Package, sorry about the confusion, Pin 5 is non existing

 I identified some of the electric components like a Mosfet, what can possibly be a Mosfet driver but not much more. I think the transformer is a flyback transformer so the  IC3 is either a flyback boost converter or a dedicated Xenon Flash Capactitor Charger (which is more or less the same I guess)

For the Transformer, I measured 5 Ohm at the primary and 40 Ohm at the secondary. For its inductance, I have a LCR meter but without knowing the hysteresis of the core, I’m not sure it is worth measuring it.


I understand the flyback converter principle but the thing I don’t understand is how can the capacitors discharge into the data line only once they are fully charged and not before.
All the main components have been filed with what appears to be a CNC to prevent anyone to read a reference.

The voltage read at the diode D4 pins is 1.1V so I guess it is a Zener Diode.
I guess R5 is there to discharge the capacitor when the device is unplugged.

Could anyone guess what are the remaining components ?


Note The Russian Hacker Dark Purple who first created it was using a Xenon Flash Capacitor Charger in his Version 2: LT3484 from Linear I assume.

I attached the Eagle File of the schematic.

Kind regards,

Parrot

[daqq]

Were I to guess, IC1 is a MOSFET - it has a pretty typical pinout for such devices.

Pin 3 of IC3 is a feedback pin, pin2 would be GND, 1 would be SWitch. 4 5 and 6 (there's an error in your schematic, these should all be connected) are connected to a single net, which should be then VCC. Typically, for such controllers there's an inverted SHUTDOWN pin, GND and Softstart of VOUT. This IC ( http://cds.linear.com/docs/en/datasheet/3467afe.pdf ) could be used, though the SS signal would have to be ignored. Though connecting it to VCC would probably work. It's probably not the specific IC, but very similar to the one you are looking for.

I understand the flyback converter principle but the thing I don’t understand is how can the capacitors discharge into the data line only once they are fully charged and not before.

That would be the job of IC2 - trigger the MOSFET IC1 after some time has passed.

[daqq]

More like SCR or photo flash IGBT. I think there are Japanese companies (i.e. Renesas) making TSSOP8 IGBTs for photo flash applications.

Sure, could be that as well. It should be a simple matter to measure the device and based on the voltage on the transistor when open determine whether it's a MOSFET or an IGBT. An IGBT should have around 2V, a MOSFET should be load dependent.

[Parrot974]

Thank you very much for your help guys!

Daqq, actually on the IC3, the pin 5 is non existing. It is a SOT323 package, it isn't easy to see on the picture and I couldnt fine the right symbol in Eagle. Sorry about that I will edit my post. 
so it might be this one http://www.linear.com/product/LT3468  but the "charge" pin would be constantly at VCC so technically it shouldnt work because it need to be toogled to recharge the capacitors:

CHARGE (Pin 4): Charge Pin. This pin must be brought
high (>1V) to enable the part. A low (<0.3V) to high (>1V)
transition on this pin puts the part into power delivery
mode. Once the target output voltage is reached, the part
will stop charging the output. Toggle this pin to start
charging again. Ground to shut down. You may bring this
pin low during a charge cycle to halt charging at any time.


About the IC2, how is it triggered ? how can he detect the right time to trigger the Mosfet IC1 ?

Im going to look for photoflash IGBT, thanks.

[daqq]

Could be a simple timer with an RC oscillator. You don't need precise timing for this kind of thing. It would probably be OK to assume that it takes X seconds to charge up to 100%, so after any time longer than X it's OK to trigger.

edit:

so it might be this one http://www.linear.com/product/LT3468  but the "charge" pin would be constantly at VCC so technically it shouldnt work because it need to be toogled to recharge the capacitors:

I don't think so... your schematic indicates, that the pin 3 is connected to something that looks very much like a feedback network. The LT3468 has only an inverting DONE on pin 3, which would not do anything useful.

[Parrot974]

You're right about the LT3484, it wouldn't work. I'll check for another similar device.

The RC timer thing totally make sense but I can't really see how it would cycle. Assuming that IC2 is a transistor and that Pin 5 is its Base, it would be constantly triggered.

[daqq]

While searching for a device note that it might not necessarily come from a famous vendor - it might be some obscure chinese company with no english datasheet. Unless you decap the IC you might never be sure.

As to the timer, well, for all you know it might be a microcontroller or a specialized IC that just is a self contained long interval RC timer such as this: http://cds.linear.com/docs/en/datasheet/699512fa.pdf

[Parrot974]

I see yes, it might be easier to use similar components even if it isn't exactly the same. The result will be the same and it will save me some time and effort.

I know how it works, that was the goal here. Ill try for some time again and if I can"t find the exact components I'll use some different one.

[wraper]

IC1 should be a mosfet. I guess that IC2 could be ATTINY4, pinout matches.

[Parrot974]

I think this would be quite an overkill for such a cheap thing. GND and VCC might match but it is quite comon to have VCC and GND here on such small package.

I think it is a dedicated timer like dapp mentionned earlier. A bit like this one http://cds.linear.com/docs/en/datasheet/699512fa.pdf

[tablatronix]

nice, I thought this was open source since I first read about it on hackaday, turns out schematic was never released by deeppurple for previous versions at all.

[wraper]

I think this would be quite an overkill for such a cheap thing.

Why overkill? It's extremely simple (512B FLASH 32B SRAM ),cheap, especially in volume and can output pulses exactly as intended without any external parts. http://eu.mouser.com/ProductDetail/Microchip-Technology-Atmel/ATTINY4-TS8R/?qs=sGAEpiMZZMvix4Kz%252byXAvaR0Df3WjnmM
And it's not cheap at all, costs EUR 50.

[senso]

It shows 0,295€ for me, 30 cents for a programmable micro is pretty cheap, beats a timer with passives all around to set it up.

[Parrot974]

well, that make sense after all. 

[drussell]

Why would you want to kill a USB port, anyway?

... and if you did, why not just connect up a neon sign transformer or something and really let the sparks fly?

[DBecker]

Why would you want to kill a USB port, anyway?

... and if you did, why not just connect up a neon sign transformer or something and really let the sparks fly?

The idea that you drop one in a parking lot to make random people's lives miserable.  Or teens use it to destroy school computers.

People here presumably have an interest in how the gadget is designed, rather than an interest in destroying things.  Pretty much like the curiosity about how a land mine works, even if you don't intend to go out and cripple people.

Luckily the typical person understands how much easier it is to destroy than create, and refrains from destruction.
 

[wraper]

Why would you want to kill a USB port, anyway?

... and if you did, why not just connect up a neon sign transformer or something and really let the sparks fly?

Investigate what you need, buy the parts, make circuit, attach USB connector... This is off the shelf solution any person can use to instantly kill computer. Not for sparks and special effects, then you could just use a hammer on your PC as well. More than that, you can quietly kill any computer where you can access USB. Or make a sabotage by placing it in some place so another person plugs it without knowing what it is.

[amyk]

More interestingly, what would it take to make a USB port survive one?

[wraper]

More interestingly, what would it take to make a USB port survive one?

Nothing reasonable that I could imagine. Protection devices which would give enough protection have too much capacitance to work on USB data lines.

[NiHaoMike]

I'd imagine a cheap hub (or several) would greatly reduce the effectiveness. Maybe you should have tested that with a few cheap hubs and an old, worthless PC before doing the teardown?

[drussell]

The idea that you drop one in a parking lot to make random people's lives miserable.  Or teens use it to destroy school computers.

Well, wouldn't it still be more fun then to use a few thousand volts in there instead of a couple hundred?    

If person X sticks the DESTRUCTION WIZARD that they found in the parking lot into their computer (instead of just a USB charger or whatnot), then they would at least get a light show for their troubles.   

As for someone intentionally destroying school property, I hope the bastard is found, expelled, charged criminally and made to pay back for all the damage caused! 

That's NOT cool...   

[Parrot974]

I will re-solder some of the compoments to mesure some voltages. I'll determine weither IC2 is a ATTINY4 or something else. I may learn more about IC3 too.

[Parrot974]

Little update,

The connection of the capacitors was actually wrong.
They are connected according to this schematic.


<a target='_blank' href='https://fr.imgbb.com/'>image uploader[/url]


Those capacitors being approximately 10µF, connected this way the total capacitance should be 20µF
About the Voltage, the device is delivering pulses of 200V so there should be 100V per capacitor (2 capacitors in series in each branch but the last one). Therefore, they should be rated for 150V (Given that a capacitor should be used at 80% of his voltage rating which is about 120V)
The thing is, capacitors of this capacitance, voltage rating and this size just doesn’t seems to exist.
Ceramic capacitors with those specs are a lot bigger, most of the time it is several smaller capacitor packed together.  Is it possible that they used a lower voltage rating, not expecting the capacitors to be used for long?
How did they managed to make this work?

[T3sl4co1l]

Thanks, I figured these things were designed as such.

It's not a MOSFET, but a photoflash IGBT.  Example: http://www.onsemi.com/pub_link/Collateral/TIG058E8-D.PDF

Nothing else has the ampacity in that size to be useful for switching surges.

It could be an SCR, but none are available in such small SMT packages.

The capacitors are connected very strangely; did you check continuity of the pads to prove it is correct?

They likely are running the capacitors beyond ratings.  Ceramic capacitors typically fail (internal breakdown, I think failing shorted) at many times their rating.  For example, a 16V part might die at over 100V.  The margin may be lower for high voltage parts (i.e., a 100V part dies at 300V, say), but still enough for this.

AFAIK, there isn't a wear mechanism at high voltage.  The downside is mainly that the capacitance drops like a brick near the rated voltage.

Tim

[wraper]

Little update,

The connection of the capacitors was actually wrong.
They are connected according to this schematic.

No, this schematic is completely wrong because: