Usb — Vid-0bb4 Amp-pid-0c01

The next packet decrypted to a string: "LOGIN_MANAGER_HOOK" .

She’d found the thing in a bin of “dead stock” at an electronics flea market in Shenzhen. The vendor, a man with gold teeth and the tired eyes of a recycler, had shrugged when she asked. “Old phone part. Maybe HTC. No power.” He’d waved a dismissive hand over a pile of similar unidentifiable boards.

Mira, a firmware archaeologist for a data recovery firm in Austin, had a different instinct. VID 0BB4 was Google’s vendor ID—specifically, the legacy block from the early Android days. PID 0C01 wasn’t in any public database. Not one. Not the Linux kernel’s usb.ids , not the private archives she’d scraped from darknet hardware forums. It was a ghost in the machine. Usb Vid-0bb4 Amp-pid-0c01

She picked up her soldering iron. She had a choice: melt the chip into a blob of anonymous carbon, or call a number she’d sworn never to use again. The number for a reporter at The Register who’d burned a source ten years ago but still paid well for “unimpeachable hardware stories.”

The fourth was a fragmented 4KB block. Mira reassembled it. It was a tiny, elegant rootkit. Not for persistence—for interception . It hooked the NtReadFile call. Every time the operating system read from a specific file— C:\Windows\System32\config\SAM —the hook didn’t steal the password hash. It replaced it. On the fly. For exactly 200 milliseconds. The next packet decrypted to a string: "LOGIN_MANAGER_HOOK"

She felt a cold trickle down her spine. That address space… she checked her own system’s memory map. It fell within the runtime of csrss.exe —the Windows Client Server Runtime Process. The part of the OS that handles the literal drawing of the screen, the console windows, the logon UI.

Someone with this device could walk up to any Windows 7 or 8.1 machine (the timing matched the legacy HTC drivers the chip was built to emulate), plug in this “dead” board, and for that fleeting third of a second, the administrator password hash would be swapped for a known value. They’d log in once. The hook would vanish. No logs. No new accounts. No traces. “Old phone part

The USB chip sat on the anti-static mat, its hidden layer still dreaming of the POKE command it would never execute. . A key to every castle, melted into e-waste. Or not.

She powered it through a current-limited supply. 0.01 amps. A whisper. The chip didn’t enumerate as a storage device or a debug interface. Instead, Windows threw a cryptic error: But her logic analyzer caught something the OS didn’t. In the first 18 milliseconds of negotiation, before the handshake failed, the device spat out a single, 64-byte packet. Not standard USB. Raw, encrypted payload.

It wasn’t code. It was a memory address: 0x00007FF8A4B12C00 . And a single instruction: POKE .