Device not always detected as HID device #74

Open
hegocre opened this issue Feb 14, 2025 · 26 comments

@hegocre

hegocre commented Feb 14, 2025

Your problem

When connecting the device to a computer, either Linux or Windows, it is inconsistently being detected as a Keyboard (TinyUSB) or as a serial device (USB JTAG/serial debug unit). In both cases, the Wi-Fi AP and the web interface start successfully, and I can connect to the webpage and grab the logs (attached later).

If I try to run other payloads stored on the SD card from the web interface (for example, the YouTube part of the Rickroll one), it only works when it is detected as TinyUSB, and not in the other case.

The rest of the settings of the device are the default ones.

As stated before, I've encountered the problem with at least three different computers, using both Windows 10 and Windows 11, as well as Arch Linux.

Your device

LilyGo T-Dongle S3

Language (HID attacks only)

The Keyboard layout is win_es, which I've compiled into the firmware. The keyboard layout on the computer is also ES. There are no errors in the logs regarding this.

Your DuckyScript

The payload on the device is the following one, which just disables the LED and the screen:

TFT_OFF
LED_OFF

Your debug logs

WifiPw = 'password'
Running!
Setting payload to - '/autorun.ds'
Script finished execution
  • I confirm I have read the FAQ: ✅
  • I confirm I am using the latest release: ✅

Additional information

Any more info which could be useful, I will gladly provide it.

Thank you very much for this tool.

@hegocre hegocre added the bug Something isn't working label Feb 14, 2025
@i-am-shodan
Owner

Definitely odd, I've got a ton of devices and never seen this.

  1. Are these machines virtual machines?
  2. Are they different physical machines?
  3. Can you retest with no autorun.ds file?
  4. Does the VID/PID of the device change?
  5. In Device Manager, are there any keyboards/USB devices in the error state (exclamation mark next to it)?
  6. Have you changed any of the device settings?
  7. When it is detected as a keyboard is there also a serial device?
  8. Can you try using the Windows tool 'Device Cleanup Tool', clearing all the entries on your machine and retrying?

@dybbsteppp

dybbsteppp commented Feb 14, 2025

I have been having the exact same issue. Testing with the rickroll example was working intermittently and at some point the computer I was testing just started detecting the device only as USB JTAG/serial debug unit - this is on Windows 10.

My device is also LilyGo T-Dongle S3

Windows 11 PC is detecting it correctly for now.

@hegocre
Author

hegocre commented Feb 14, 2025

  1. No, they are not virtual machines
  2. Yes, at least 4 of them
  3. Same thing happens
  4. When there is no HID keyboard, I have a serial device (COM3) with id 303a:1001. When the HID is detected, both have id cafe:403f with names Serial Device (COM4) and HID Keyboard Device.
  5. No
  6. No, all settings are default
  7. Yes
  8. Same result, sometimes the HID device appears, sometimes it doesn't

@i-am-shodan
Owner

This seems like USB CDC on boot. When the device hits the bootloader it is starting its own USB stack for serial mode debugging.

It needs to not do that.

@i-am-shodan
Owner

I suspect LilyGo is shipping devices with different eFuses. It looks like the USB_PHY_SEL eFuse needs to be burnt.

I've had a quick look and it doesn't seem like pio supports setting ESP32 eFuses in the IDE, but there is a Python tool, espefuse.py, that can do it. Maybe the Arduino IDE can do it?

@hegocre
Author

hegocre commented Feb 15, 2025

So is there anything I can do to help you confirm this?

@i-am-shodan
Owner

You could try blowing that eFuse and see if that fixes the issue.

@hegocre
Author

hegocre commented Feb 15, 2025

Should I burn it with a 0 then?

If I understood the documentation correctly, I should run the following command:

espefuse.py --port /dev/ttyACM0 burn_efuse USB_PHY_SEL 0

Which is returning the following error:

A fatal error occurred: New value is not accepted for efuse 'USB_PHY_SEL' (will always burn 0->1), given value=0

@i-am-shodan
Owner

The ESP32-S3 has a number of eFuses which can store system and user parameters. Each eFuse is a one-bit field which can be programmed to 1 after which it cannot be reverted back to 0.

@hegocre
Author

hegocre commented Feb 15, 2025

Yep, looks like it is consistently being detected as a HID device. Let me do some verifying on another machine, but seems good now.
Thanks!

@i-am-shodan
Owner

Can you confirm that setting USB_PHY_SEL to 1 fixed the issue?

Also, can you confirm you can still DFU flash the device?

@dybbsteppp

If you provide some more instructions I can also test the fix you used to confirm if it's working.

@hegocre
Author

hegocre commented Feb 15, 2025

> Can you confirm that setting USB_PHY_SEL to 1 fixed the issue?

I can confirm that it fixed the issue.

> Also, can you confirm you can still DFU flash the device?

I cannot confirm I can still DFU flash just now, I will be able to do it in a few hours.

@i-am-shodan
Owner

Great news, it would be great to get the command line you used and I'll update the wiki.

@hegocre
Author

hegocre commented Feb 15, 2025

> If you provide some more instructions I can also test the fix you used to confirm if it's working.

You need to install the esptool and then run the following command with the device in flashing mode (port may change):

espefuse.py --port /dev/ttyACM0 burn_efuse USB_PHY_SEL 1

@hegocre
Author

hegocre commented Feb 16, 2025

Hello. I have checked this, and I was able to program the device with PIO, but with some issues. The device appears now as 303a:0009 Espressif ESP32-S3 (different name and PID), and I had to do an extra step to be able to flash it.

I had to execute the following command:

sudo chmod a+rw /dev/ttyACM0

or

sudo usermod -aG uucp username

Otherwise, I was getting the error Could not open /dev/ttyACM0, the port doesn't exist, which wasn't happening before.

Also, the flashing procedure ended with the following error:

[...]
Writing at 0x00239e4e... (99 %)
Writing at 0x0023aa5e... (100 %)
Wrote 2274976 bytes (1527532 compressed) at 0x00010000 in 22.8 seconds (effective 799.1 kbit/s)...
Hash of data verified.

Leaving...
WARNING: ESP32-S3 (revision v0.2) chip was placed into download mode using GPIO0.
esptool.py can not exit the download mode over USB. To run the app, reset the chip manually.
To suppress this note, set --after option to 'no_reset'.

Which leads me to believe that the flashing works OK, but it either tries to reset it, and now it can't, or it wasn't trying it before.

Maybe these cannot entirely be considered problems. The first one also happened with Arduino, for example, which required you to be root or have the adequate permissions, and the second one could maybe be solved by adding the suggested flag? (I think it is OK to have to reset it manually.) Either way, I think it would be good to see if there is a workaround, or document it otherwise.

Thanks!

@Talismancer

Hi Hegocre...after this one-way burn of the fuse, will this prevent updates via the Web Installer? Can it see & use the new COM port?

@i-am-shodan
Owner

If it does, there is an undocumented OTA flashing method that I can document. I suspect that it will still work.

@hegocre
Author

hegocre commented Feb 16, 2025

Hi @Talismancer @i-am-shodan

When trying to flash from espwebtool, I'm getting the following error:

Click Connect to start
Connecting...
Connected successfully.
Try hard reset.
Chip type ESP32-S3
Connected to ESP32-S3
MAC Address: E4:B3:23:F3:BB:7C
Uploading stub...
Running stub...
Stub is now running...
Detecting Flash Size
FlashId: 0x1840EF
Flash Manufacturer: ef
Flash Device: 4018
Auto-detected Flash size: 16MB
Image header, Magic=0xAA, FlashMode=0x01, FlashSizeFreq=0x02
Writing data with filesize: 3072
Erase size 3072, blocks 1, block size 0x4000, offset 0x8000, encrypted no
Flashing... 100%
Took 129ms to write 3072 bytes
Erase size 0, blocks 0, block size 0x4000, offset 0x0000, encrypted no
Image header, Magic=0x01, FlashMode=0x00, FlashSizeFreq=0x00
Writing data with filesize: 8192
Erase size 8192, blocks 1, block size 0x4000, offset 0xE000, encrypted no
Flashing... 100%
Took 118ms to write 8192 bytes
Erase size 0, blocks 0, block size 0x4000, offset 0x0000, encrypted no
Image header, Magic=0xE9, FlashMode=0x02, FlashSizeFreq=0x3F
Writing data with filesize: 2272960
Erase size 2272960, blocks 139, block size 0x4000, offset 0x10000, encrypted no
Flashing... 0%
Flashing... 1%
Flashing... 2%
Flashing... 2%
Flashing... 3%
ERROR!
SlipReadError: Timed out waiting for packet header
Image header, Magic=0xE9, FlashMode=0x02, FlashSizeFreq=0x3F
Writing data with filesize: 19488
Erase size 19488, blocks 2, block size 0x4000, offset 0x0000, encrypted no
ERROR!
SlipReadError: Timed out waiting for packet header
Done!
To run the new firmware please reset your device.

Also, a device with a warning appeared in device manager:

Image

@Talismancer

That's a pity..my success rate is ~1/4 getting HID. ElegantOTA might be the Jailbreak here.

@hegocre
Author

hegocre commented Feb 16, 2025

Just to verify, I tried with VScode and PIO on Windows (I was previously doing it from Linux), and it is also working successfully, so it looks like a problem with espwebtool.

@Talismancer

Can confirm. I just burnt the fuse and it indeed fixed the problem. HID appears every reset. I can update via VScode/PIO but not via the Web Installer just as Hegocre said.

@hegocre
Author

hegocre commented Feb 17, 2025

Hi @i-am-shodan

Related to this issue, I've been experimenting with the agent installer script, and I was having some trouble. After investigating a bit, I found that after the agent.img is mounted (USB_MOUNT_DISK_READ_ONLY), the serial and HID devices disappear, and a new serial device with id 303a:1001 appears again, which means that the input commands that should install the agent do not work.

Also, the command WAIT_FOR_USB_STORAGE_ACTIVITY hangs forever at waiting for MSC activity. I temporarily replaced it with a simple DELAY, and that's how I found the problem above.

Could this be related to this issue?

Thanks!

@i-am-shodan
Owner

Worth saying that I checked the eFuses on my favourite device, which doesn't show any of these issues.

From a pio terminal I ran:

pip install cryptography
pip install ecdsa
pip install bitstring
pip install reedsolo
pio pkg exec --package "platformio/tool-esptoolpy" -- espefuse.py --port COM13 summary

USB_PHY_SEL is unset

USB_PHY_SEL (BLOCK0)                               Select internal/external PHY for USB OTGand usb_se = False R/W (0b0)
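
Added example, not part of the original thread or the project's code: a read-only Python check that parses an `espefuse.py summary` row in the single-line form quoted above and maps `lsusb` VID:PID values to the states participants reported in this thread. The `lsusb` line and all helper names are constructed for illustration.

```python
import re

# VID:PID values exactly as reported by participants in this thread.
THREAD_USB_IDS = {
    "303a:1001": "serial only (USB JTAG/serial debug unit), no HID",
    "cafe:403f": "TinyUSB composite: serial device plus HID keyboard",
    "303a:0009": "Espressif ESP32-S3, seen while flashing after the burn",
}

# One espefuse.py summary row: NAME (BLOCKn) description = value perms (raw)
EFUSE_ROW = re.compile(
    r"^(?P<name>[A-Z0-9_]+)\s+\((?P<block>BLOCK\d+)\)\s+(?P<desc>.*?)\s*"
    r"=\s*(?P<value>\S+)\s+(?P<perm>[R-]/[W-])\s+\((?P<raw>0b[01]+|0x[0-9a-fA-F]+)\)\s*$"
)
LSUSB_ID = re.compile(r"\bID\s+([0-9a-fA-F]{4}:[0-9a-fA-F]{4})\b")


def read_efuse(summary_text, name):
    """Return block, value, perm, raw and burnable for one eFuse, or None."""
    for line in summary_text.splitlines():
        m = EFUSE_ROW.match(line.strip())
        if m and m.group("name") == name:
            raw = int(m.group("raw"), 0)
            return {
                "block": m.group("block"),
                "value": m.group("value"),
                "perm": m.group("perm"),
                "raw": raw,
                # A one-bit eFuse can only go 0 -> 1, and only if still writable.
                "burnable": raw == 0 and m.group("perm").endswith("W"),
            }
    return None


def classify_usb(lsusb_text):
    """Map every VID:PID in lsusb output that this thread mentions to its meaning."""
    ids = [i.lower() for i in LSUSB_ID.findall(lsusb_text)]
    return {i: THREAD_USB_IDS[i] for i in ids if i in THREAD_USB_IDS}


# Constructed sample input: the summary row quoted above and a made-up lsusb line.
SAMPLE_SUMMARY = ("USB_PHY_SEL (BLOCK0)   Select internal/external PHY for USB OTG"
                  "and usb_se = False R/W (0b0)")
SAMPLE_LSUSB = "Bus 001 Device 007: ID 303a:1001 Espressif USB JTAG/serial debug unit"

if __name__ == "__main__":
    print(read_efuse(SAMPLE_SUMMARY, "USB_PHY_SEL"))
    print(classify_usb(SAMPLE_LSUSB))
```

Recording both values before and after any change gives a comparable record per device, which matters here because the burn cannot be reverted.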

@hegocre
Author

hegocre commented Feb 17, 2025

Maybe it is then an issue with another eFuse? Would it be useful if I send you the complete summary?

@Hydronus1981

I too have this issue, except that it is not occasional: it is never detected as a HID device and always shows up, ejectable, as USB JTAG. No HID or ducky scripts will run; unless you only want to change the LCD, that is all I can get it to do. Besides that, the Wi-Fi and interface are there, but no payloads will work.

As for the ESP tool, it fails to set the port and burn the eFuse. I am at a loss for my failure on this one.
