Reverse engineering the Creative Katana V2X USB protocol

A developer recently purchased a Creative Sound Blaster Katana V2X soundbar and discovered its USB port could configure EQ and LEDs — but only through a proprietary Windows app. Determined to control it from Linux, they reverse engineered the entire USB protocol, cracked a custom AES-256-GCM authentication, and built a Rust CLI tool called v2x-ctl.

Initial recon: .NET and obfuscation

The Creative App is a .NET application, confirmed by the abundance of DLLs and the .exe.config file. Loading it in dnSpy revealed heavy obfuscation, making static analysis painful. The developer pivoted to dynamic analysis: capturing USB traffic with Wireshark and USBPcap before even opening the app.

Capturing the firmware upgrade

Upon first launch, the app prompted a firmware upgrade. The USB packets carrying the firmware were large and plaintext — a stroke of luck. The developer extracted the entire firmware blob from the capture using tshark. The file turned out to be a Creative Image File Format (CIFF) container with sections: CINF (device info), CIN2 (version), DATA (firmware binaries), and CHK2 (SHA-256 checksum).

The CIFF structure is straightforward:

  • Header: CIFF magic + 4-byte payload size
  • Sections: each with 4-byte magic, 4-byte section size, then payload

Inside, they found:

  • F-type sections: names like FBOOT (bootloader) and FMAIN (main firmware, FreeRTOS)
  • H-type sections: resources like audio prompts (Opus) and an 8051 MCU firmware (marvelX-malcolm.bin)

The CHK2 section is a SHA-256 hash covering everything from offset 0x08 to the start of CHK2.

Protocol dissection

After methodically clicking every app option and capturing each operation (about 100 captures over a day), the protocol became clear. Communication happens over a CDC ACM serial interface, exposed as /dev/ttyACM* on Linux. All proprietary commands use a simple framing:

5A [cmd] [len] [payload...]
  • 0x5A is the command start marker
  • cmd is the opcode
  • len is the number of payload bytes
  • payload is the subcommand data

Responses mirror this, often with a leading response indicator byte. Example: requesting firmware version:

Host -> Device:  5a 09 01 02
Device -> Host:  5a 09 12 02 10 "1.3.230619.1820\0"

Authentication: AES-256-GCM with a twist

Before any commands, the device requires a challenge-response handshake:

Host -> Device:  "whoareyou.MyApp8\r\n"
Device -> Host:  "whoareyou" 1e 04 83 32 [32 random bytes] "\r\n"
Host -> Device:  "unlock" [64 random bytes] "\r\n"
Device -> Host:  "unlock_OK\r\n"
Host -> Device:  "SW_MODE1\r\n"
[... binary commands ...]

Searching the DLLs for whoareyou led to CTCDC.dll. Loading it in Ghidra revealed the authentication function. Instead of a simple HMAC, Creative used AES-256-GCM.

The challenge format:

whoareyou [1E 04] [83 32] [32-byte nonce] \r\n

The key is constructed from the challenge header and static DLL bytes:

1e 04 d3 1a 21 27 9b e3 46 f0 99 9d 6e c4 c3 fe
be 98 90 18 69 c1 18 fb b1 25 6e 0c e0 7b 83 32

Broken down:

  • Bytes 0-1: challenge header 1E 04
  • Bytes 2-3: DLL static D3 1A
  • Bytes 4-27: 24 bytes from DLL at 0x101dba78
  • Bytes 28-29: DLL static E0 7B
  • Bytes 30-31: USB PID bytes from challenge (83 32)

The response is computed as:

  1. Generate 16 random bytes for iv
  2. Use iv[0:12] as GCM nonce
  3. Encrypt the 32-byte challenge nonce: (ciphertext, tag) = AES-256-GCM(key, iv[:12], nonce)
  4. Response = "unlock" + iv + ciphertext + tag + "\r\n"

This is unusual — AES-GCM provides both confidentiality and integrity, but confidentiality is pointless since the nonce is already known. Only the integrity proof matters. The developer speculates this might be a reused design from other Creative devices.

v2x-ctl: the Rust tool

With the protocol and authentication reverse engineered, the developer created v2x-ctl, a Rust library and CLI application. It currently supports the latest firmware version 1.3.230619.1820 and is best-effort for other Sound Blaster devices (key and IDs may differ).

Example usage:

# Set EQ preset
v2x set-eq --preset music

# Change LED mode
v2x set-led --mode wave

The code is available on GitHub for anyone to try.

Why this matters for developers

This reverse engineering effort demonstrates how proprietary USB protocols can be cracked with Wireshark, a disassembler, and patience. It also highlights a trend: hardware vendors locking down configuration to a single platform. The developer's approach — capturing all traffic first, then analyzing — is a textbook methodology for similar projects.

Next steps

The developer plans to analyze the BOOT and MAIN firmware dumps next. For now, if you own a Katana V2X and use Linux, v2x-ctl is your ticket to freedom from Windows.