Reversing the cobra 1.5+ USB protocol

Introduction

This page will show you my findings while sniffing the USB protocol of the cobra bios 1.5 up to 2.1.

The information provided here, will be used in my open source vua-access library, that can be used to interfere with the viper usb adapter.

The library and associated programs aim to provide the features of the original programs inluded with cobra and will eventually add additional features to them.

All of this is mainly written due to the lack of linux support in the original library and programs provided.

Establishing a connection

After the driver is initialized, the program tells cobra to flush the FIFO buffer.

Then it sends the first part of the handshake. The last 4 bytes are variable.

Cobra answers with the second part of the handshake. The first 4 bytes will be the same as the last 4 in HandshakeOut1. The second 4 bytes are variable.

The program answers with the third part of the handshake. The first 4 bytes will be the same as the last 4 in HandshakeIn1. The second 4 bytes are variable and contain a command for cobra.

Sending DOL files

The command from DolSendUSB is "00h 00h 14h A0h". Cobra goes into USB mode. After that it switches something in the USB connection (I assume enabling bulk transfer, but this has to be clarified...) and uploads a small helper program (~5kb).

The uploaded program will then provide additional functions (receive dol, relocate dol, jump to entry point). The actual dol ist then sent in an custum format (I need to investigate the transformation further)