DEV Community

Cover image for USB HID Down the rabbit hole: Logitech G435 dongle

Posted on

USB HID Down the rabbit hole: Logitech G435 dongle

Last time, in the first post of this series, I explored the vendor interface of my Logitech Mouse, now let's explore the dongle of my headphones. As I said last time, it caught my attention that it can send "phone" HID events. Also, Logitech doesn't provide any official software for configuring the headphones(like the sidetone volume) or seeing their status(like the battery remaining).

The dongle I have is the HDT647(PID 0acb). After a bit of research, the first thing that pop up is the FCC Internal teardown images report. Unfortunately, the chips markings aren't readable, but the IC interfacing the USB port is clearly from Realtek, while the other one seems to be the PAUxxxx SoCs from the defunct audiowise (Acquired by Airoha, a subsidiary of MediaTek).

I didn't want to open the dongle, as opening it up is a little "destructive", but I couldn't resist the urge. So, after opening the dongle, I read the chips markings. The Realtek codec is the ALC4021 (which is used in "similar" aplications), no datasheet available. The other is the PAU1823, again used in "similar" applications and no datasheet online(except one image and this forum post, which I cannot access the downloads as it requires an account). The last chip is a 512kb SPI flash (the MX25V512E), it can be for any of the other two chips.

Image description

Image description

Image description

So it is basically a Bluetooth Audio Dongle. It seems that Lightspeed is just that, Bluetooth 5.2 with their patented GreenRadio technology for low latency. But I'm not very sure.

On the other hand, in the research I found a bunch of software programs for this dongle. There is the official update software. There are also these "unofficial" pairing(and more) tools on the Logitech Reddit. These tools seem widely used, as I found the logs of these on other Reddit posts and even on GitHub!. Also, both the official and unofficial tools seem based on the same sources.

Finally, I also found a compatible dongle on eBay, which also provides a link to the previous "unofficial" tools.

The USB interface

It has a good quantity of snd-usb-audio interfaces and an HID one.

HID descriptor

# Logitech G series G435 Wireless Gaming Headset
# 0x05, 0x0c,                    // Usage Page (Consumer Devices)       0
# 0x09, 0x01,                    // Usage (Consumer Control)            2
# 0xa1, 0x01,                    // Collection (Application)            4
# 0x85, 0x03,                    //  Report ID (3)                      6
# 0x15, 0x00,                    //  Logical Minimum (0)                8
# 0x26, 0x8c, 0x02,              //  Logical Maximum (652)              10
# 0x19, 0x00,                    //  Usage Minimum (0)                  13
# 0x2a, 0x8c, 0x02,              //  Usage Maximum (652)                15
# 0x75, 0x10,                    //  Report Size (16)                   18
# 0x95, 0x02,                    //  Report Count (2)                   20
# 0x81, 0x00,                    //  Input (Data,Arr,Abs)               22
# 0xc0,                          // End Collection                      24
# 0x05, 0x0b,                    // Usage Page (Telephony Devices)      25
# 0x09, 0x01,                    // Usage (Phone)                       27
# 0xa1, 0x01,                    // Collection (Application)            29
# 0x85, 0x05,                    //  Report ID (5)                      31
# 0x15, 0x00,                    //  Logical Minimum (0)                33
# 0x26, 0xbf, 0x00,              //  Logical Maximum (191)              35
# 0x19, 0x00,                    //  Usage Minimum (0)                  38
# 0x2a, 0xbf, 0x00,              //  Usage Maximum (191)                40
# 0x95, 0x02,                    //  Report Count (2)                   43
# 0x81, 0x00,                    //  Input (Data,Arr,Abs)               45
# 0xc0,                          // End Collection                      47
# 0x06, 0xc0, 0xff,              // Usage Page (Vendor Usage Page 0xffc0) 48
# 0x09, 0x01,                    // Usage (Vendor Usage 0x01)           51
# 0xa1, 0x01,                    // Collection (Application)            53
# 0x06, 0xc1, 0xff,              //  Usage Page (Vendor Usage Page 0xffc1) 55
# 0x85, 0x06,                    //  Report ID (6)                      58
# 0x15, 0x00,                    //  Logical Minimum (0)                60
# 0x26, 0xff, 0x00,              //  Logical Maximum (255)              62
# 0x09, 0xf0,                    //  Usage (Vendor Usage 0xf0)          65
# 0x75, 0x08,                    //  Report Size (8)                    67
# 0x95, 0x07,                    //  Report Count (7)                   69
# 0x81, 0x02,                    //  Input (Data,Var,Abs)               71
# 0x09, 0xf1,                    //  Usage (Vendor Usage 0xf1)          73
# 0x75, 0x08,                    //  Report Size (8)                    75
# 0x96, 0x02, 0x02,              //  Report Count (514)                 77
# 0x91, 0x02,                    //  Output (Data,Var,Abs)              80
# 0x09, 0xf2,                    //  Usage (Vendor Usage 0xf2)          82
# 0x75, 0x08,                    //  Report Size (8)                    84
# 0x95, 0x3f,                    //  Report Count (63)                  86
# 0xb1, 0x02,                    //  Feature (Data,Var,Abs)             88
# 0xc0,                          // End Collection                      90
# 0x06, 0xc3, 0xff,              // Usage Page (Vendor Usage Page 0xffc3) 91
# 0x09, 0x01,                    // Usage (Vendor Usage 0x01)           94
# 0xa1, 0x01,                    // Collection (Application)            96
# 0x06, 0xc4, 0xff,              //  Usage Page (Vendor Usage Page 0xffc4) 98
# 0x85, 0x34,                    //  Report ID (52)                     101
# 0x15, 0x00,                    //  Logical Minimum (0)                103
# 0x26, 0xff, 0x00,              //  Logical Maximum (255)              105
# 0x09, 0xf3,                    //  Usage (Vendor Usage 0xf3)          108
# 0x75, 0x08,                    //  Report Size (8)                    110
# 0x95, 0x14,                    //  Report Count (20)                  112
# 0x81, 0x02,                    //  Input (Data,Var,Abs)               114
# 0x09, 0xf4,                    //  Usage (Vendor Usage 0xf4)          116
# 0x75, 0x08,                    //  Report Size (8)                    118
# 0x95, 0x02,                    //  Report Count (2)                   120
# 0x91, 0x00,                    //  Output (Data,Arr,Abs)              122
# 0xc0,                          // End Collection                      124

Enter fullscreen mode Exit fullscreen mode

The Consumer Control is for the volume up and down key press. The Telephony Devices I still cant find to trigger anything for this input event. And of course there are the Vendor Usage Page which are the most interesting ones. The usage of those is "strange", the only one used seems to be the report 6 in a curious way: The total size is completely ignored, usually sending 64 bytes of data. For writing, a standard send feature is used, but for reading, some messages come as a input, so you have to listen to it, while others you have to issue a get feature.

Reverse engineering the software

Both the program and the AwToolLIB are made in C# mono and shipped with some obfuscation(.NET reactor). At first, I thought it wasn't obfuscated and lost a lot of time trying to understand fake symbols and hashed string constants. But after removing the string hashing with .NET reactor slayer and knowing some symbols were fake, it was relatively "easy" navigating the code with ILSpy. This code is pretty complete, containing all the classes to interface with their different devices and functions. It also includes some internal resources, including what seems to be the firmware (file headset_RTK).


The protocol can be divided into two layers. The first layer is used to communicate with the Realtek driver to send commands to the Audio SoC, possibly through one of its serial interfaces (most probable UART, but it can also be SPI or I2C). The second layer is these commands.

RTK communication protocol

Messages are sent as a HID send feature. On every message sent, an ack is received as a HID input event. For example, an OK ack looks like this:

0 1
6 90
Report ID OK

The messages I found so far are the following.

Message 0 1 2 3 4 5 6 7 8
Enter Bootloader 6 1 3 0 0 0 0 0 0
Exit Bootloader 6 8 3 0 0 0 0 0 0
Send command 6 4 3 CMD_LEN CMD_LEN . . . .

The write command message is appended with the command at the end and requires entering the bootloader or strange and unusable behaviors will happen. Unfortunately, entering the bootloader will stop the audio functionalities.


On top of the RTK protocol, the manufacturer has what it seems to be a proprietary command-response protocol. For sending a command, a RTK write is used and for reading the response, a hid get feature is used.

Here is a quickly done dump of all commands I found. Keep in mind that some of these commands append arguments at the end, and surely I messed up writing some of them. Also, the bytes 4 is used to write the length in bytes of the command after this byte (sometimes is this length - 1). The byte 3, if 0 and the total command length is more than 5, is used as a command counter which gets incremented until 128.

AW_READ_MFI 80, 65, 8, 0, 2
OTA_CMD_IOCTL-Flash_Get_CRC16 80, 65, 6, 0, 13, 0, 37, 204, 250, 0, 0
OTA_CMD_IOCTL-Flash_Get_CRC32 80, 65, 6, 0, 13, 0, 37, 207, 250, 0, 0
LQ_DFU_BT_INQUIRY_SCAN 80, 65, 14, 0, 0, 240
TX_DG_CREATE_CONNECT_EX 80, 65, 14, 0, 0, 229
REMOTE_CREATE_CONNET 80, 65, 14, 0, 0, 226
LQ_DFU_REMOTE_DISCONNECT 80, 65, 14, 0, 0, 228
TX_DG_DISCONNECT_EX 80, 65, 14, 0, 0, 231
REMOTE_SET_MODE 80, 65, 14, 0, 0, 225
TX_DG_GET_CONNECT_STATUS_EX 80, 65, 14, 0, 0, 230
REMOTE_GET_CONNECT_STATUS 80, 65, 14, 0, 0, 227
REMOTE_GET_MODE 80, 65, 14, 0, 0, 224
LQ_GET_LPC 80, 65, 14, 0, 0, 4
LQ_GET_QUALTY 80, 65, 14, 0, 0, 3
LQ_GET_DEVM 80, 65, 14, 0, 0, 5
LQ_GET_AFH_MAP 80, 65, 14, 0, 0, 2
LQ_SET_AFH_MAP 80, 65, 14, 0, 0, 1
LQ_MONITOR_ENABLE 80, 65, 14, 0, 0, 0
AW_HA_GET_MP_TEST_MODE 80, 65, 11, 0, 18
AW_HA_SET_MP_TEST_MODE_ON 80, 65, 11, 1, 18
SETGET_HA_PURETONE 80, 65, 11, 1, 15
AW_HA_GET_USEREQ_SWITCH 80, 65, 11, 0, 12
AW_HA_SET_USEREQ_SWITCH 80, 65, 11, 1, 12
AW_HA_GET_USEREQ_GAIN_ALL 80, 65, 11, 0, 13
AW_HA_SET_USEREQ_GAIN_ALL 80, 65, 11, 1, 13
AW_HA_CLEAR_NVDS 80, 65, 11, 1, 19
SET_TWS_PAIR_ANC_FF_FILTER_TABLE 80, 65, 10, 0, 0, 59
SET_TWS_PAIR_ANC_FB_FILTER_TABLE 80, 65, 10, 0, 0, 60
ANC_ON 80, 65, 10, 0, 0, 1, 1, 1
ANC_OFF 80, 65, 10, 0, 0, 1, 1, 0
HT_ON 80, 65, 10, 0, 0, 5, 1, 1
HT_OFF 80, 65, 10, 0, 0, 5, 1, 0
send_Tracer_filter_query 80, 65, 3, 0, 0, 4
send_Tracer_filter 80, 65, 3, 0, 0, 3
send_Tracer_clock_control 80, 65, 3, 0, 0, 1
send_Tracer_switch 80, 65, 3, 0, 0, 2
send_TracerLogPath 80, 65, 3, 0, 0, 5
DEBUG_0B_Write_Reg 80, 65, 3, 0, 0, 11
DEBUG_0A_Read_Reg 80, 65, 3, 0, 0, 10
send_MicCalibration 80, 65, 3, 0, 0, 8
send_HWADbg_query 80, 65, 3, 0, 0, 7
send_HWADbg 80, 65, 3, 0, 0, 6
unknow 80, 65, 7, 0, 3, 8, 0, X
unknow 80, 65, 4, 0, 0, X, 0, 0, 0
AW_HA_SET_PASSTHROUGH_MODE_OFF 80, 65, 4, 0, 0, 105, 200192, 0, 0
CMD_ENC_MIC_GAIN_OFFSET 80, 65, 4, 0, 0, 98, 1, 1, X
HID_AW_HANDSET_MIC_MIC1 80, 65, 4, 0, 0, 38, 11, 0, 1
HID_AW_HANDSET_MIC_MIC2 80, 65, 4, 0, 0, 38, 11, 1, 1
HID_AW_HANDSET_MIC_NORMAL 80, 65, 4, 0, 0, 38, 11, 0, 0
HID_AW_HANDSET_MIC_NR_ENABLE 80, 65, 4, 0, 0, 9, X, 0, 0
CMD_CAPTURE_CONFIG 80, 65, 4, 0, 0, 25, 0, 1, 0
A_PreIIREQEna 80, 65, 4, 0, 0, 8, 10, 1, 0
EQ_ON_OFF 80, 65, 4, 0, 0, 62, X, X, 0
SET_PARAMETER_<X> 80, 65, 4, 0, 0, 8, X, X, 0
SET_PARAMETER_AECSysDelay 80, 65, 4, 0, 0, 8, 37, 0, 0
EQ_ON_OFF 80, 65, 4, 0, 0, 62, 2, 1, 0
CMD_Adjust_IIR_Gain_Left_FF 80, 65, 4, 0, 0, 50, X, X, 0
CMD_Adjust_IIR_Gain_Side_FB 80, 65, 4, 0, 0, 51, X, X, 0
delay_adjust 80, 65, 4, 0, 0, 93, X, X, 0
magnitude_adjust_FF 80, 65, 4, 0, 0, 94, X, X, 0
magnitude_adjust_FB 80, 65, 4, 0, 0, 95, X, X, 0
DSP_Data_Query 80, 65, 9, 0, 0, 37, 0, 0, 0
DSP_CMD_SPEECH_TEST 80, 65, 4, 0, 0, 38, 0, 0, 0
DSP_clock_control_ON 80, 65, 3, 0, 2, 1, 1
DSP_clock_control_OFF 80, 65, 3, 0, 2, 1, 0
DSP_CMD_CONFIG_WRITE_TBL 80, 65, 4, 0, 9, 33, 0, 0, 0, 1
DSP_CMD_WRITE_TBL 80, 65, 4, 0, 45, 34, 0, 0, 0
DSP_CMD_UPDATE_IIR_EQ 80, 65, 4, 0, 5, 35, 0, 0, 0, 0
DSP_CMD_IIR_EQ 80, 65, 4, 0, 13, 29, 0, 0, 0, 2, X, 0, 0, 0, X, 0, 0, 0
ANC_ON_OFF 80, 65, 7, 0, 5, 8, 0, 176, X, 1
DSP_set_IIR_Gain 80, 65, 9, 0, 13, X, 0, 0, 0, 2, X, X
CMD_WRITE_I2C 80, 65, 6, 0, 0, 0, 103, X, X
CMD_READ_I2C 80, 65, 6, 0, 0, 0, 104
CMD_WRITE_MP_DATA_BY_ID 80, 65, 6, 0, 0, 0, 68, X
CMD_READ_NVDS_DATA_BY_ID 80, 65, 6, 0, 2, 0, 70, X
CMD_READ_MP_DATA_BY_ID 80, 65, 6, 0, 2, 0, 67, X
CMD_READ_CUST_INFO 80, 65, 6, 0, 2, 0, 64, X
OTA_CMD_ECHO 80, 65, 6, 0, 1, 0, 254
CMD_GRS_STATUS 80, 65, 6, 0, 1, 0, 51
GET_RSSI 80, 65, 6, 0, 1, 0, 50
GET_BATTERY 80, 65, 6, 0, 1, 0, 49
ERASE_LOAD_REGION 80, 65, 6, 0, 1, 0, 53
OTA_CMD_GET_FILESYSTEM_TABLE 80, 65, 6, 0, 1, 0, 59
CMD_SET_LED_PWM 80, 65, 6, 0, 5, 0, 101, X, X, X, X
CMD_SET_LED_CURRENT 80, 65, 6, 0, 4, 0, 100, X, X, X
CMD_SET_LED 80, 65, 6, 0, 2, 0, 98, X
CMD_GET_ATB_VALUE 80, 65, 6, 0, 2, 0, 69, X
CMD_SET_IO_LEVEL 80, 65, 6, 0, 3, 0, 102, X, X
CMD_GET_IO_LEVEL 80, 65, 6, 0, 1, 0, 99
CMD_TEST_MODE 80, 65, 6, 0, 2, 0, 97, X
OTA_CMD_STORAGE_WRITE 80, 65, 6, 0, 10, 0, 34, X
OTA_CMD_STORAGE_READ 80, 65, 6, 0, 10, 0, 35, X
CMD_MORE_FRAME_WRITE 80, 65, 6, 0, 1, 0, 36
OTA_CMD_IOCTL_Flash_Get_RDID 80, 65, 6, 0, 13, 0, 37, 250, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0
OTA_CMD_IOCTL_READ_MAX_LEN 80, 65, 6, 0, 13, 0, 37, 52, 18, 90, 90
OTA_CMD_IOCTL_Flash_Get_CRC16 80, 65, 6, 0, 13, 0, 37, 204, 250, 0, 0
OTA_CMD_IOCTL_Flash_Erase_4K 80, 65, 6, 0, 13, 0, 37, 250, 0, 0, 0, 1, 0, 0, 0
OTA_CMD_REBOOT 80, 65, 6, 0, 2, 0, 60, X
OTA_CMD_REBOOT_AND_POWERON 80, 65, 6, 0, 2, 0, 66, X
OTA_CMD_HANDOVER 80, 65, 6, 0, 1, 0, 58
CMD_LOAD_MORE 80, 65, 6, 0, 1, 0, 55
CMD_SET_LOAD_INFO 80, 65, 6, 0, 6, 0, 54
CMD_CALC_LOAD_REGION_CRC 80, 65, 6, 0, 5, 0, 56
CMD_CALC_LOAD_REGION_CRC32 80, 65, 6, 0, 5, 0, 61
OTA_CMD_UPDATE 80, 65, 6, 0, 2, 0, 57, X
CMD_MORE_FRAME_READ 80, 65, 6, 0, 1, 0, 36
OTA_MODE_ENTER 80, 65, 6, 0, 2, 0, 48, 1
OTA_MODE_EXIT 80, 65, 6, 0, 2, 0, 48, 0
OTA_CMD_GET_IMAGE_VERSION 80, 65, 6, 0, 4, 0, 52, X, X, X
CMD_RF_TX_TEST_START 80, 65, 15, 0, 4, 2, X, X, X
CMD_RF_TX_TEST_END 80, 65, 15, 0, 1, 3
CMD_RF_FCC_TX_Test 80, 65, 15, 0, 8, 1
CMD_GET_FILESYSTEM_INDEX 80, 65, 6, 0, 2, 0, 73, X
Tracer_switch_ON 80, 65, 3, 0, 2, 2, 1
Tracer_switch_OFF 80, 65, 3, 0, 2, 2, 0
customer_data_command 80, 65, 8, 0, 0
TOUCH_command 80, 65, 12, 0, 0, X
enter_dut_in_hid_mode 80, 65, 7, 0, 0, 12
GS_Headtrack_init 80, 65, 7, 0, 3, 64, 0, 0, 1
GS_Headtrack_start 80, 65, 7, 0, 3, 64, 0, 1
GS_Headtrack_start_get_register 80, 65, 7, 0, 3, 64, 0, 2, X
VAD_init 80, 65, 7, 0, 3, 32, 0, 0, 1
D25_init 80, 65, 7, 0, 3, 48, 0, 0, 1, 1
VAD_set_axis 80, 65, 7, 0, 3, 32, 0, 2, X
VAD_start 80, 65, 7, 0, 3, 32, 0, 1
D25_start 80, 65, 7, 0, 3, 48, 0, 1
get_tpy_parameters 80, 65, 7, 0, 3, 48, 0, 3, X
set_tpy_parameters 80, 65, 7, 0, 3, 48, 0, 2, X
RegisterMMI 80, 65, 3, 0, 2, 253, 1
UnRegisterMMI 80, 65, 3, 0, 2, 253, 0
view raw G435 cmds hosted with ❤ by GitHub

It is curious that all of them start with [80,65]. Most of the commands seem to follow the following format, with a lot of exceptions.

0 1 2 3 4 5
Always 80 Always 65 Command "category" Generally commands sent counter Generally length after this byte Command ID

The commands category seems to be the following. Also, take it with a grain of salt.

Value Category
0 -
1 -
2 -
3 Debug
4 Audio
5 -
7 ?
8 Customer custom commands
10 Noise cancellation
11 NVDS (Non-volatile memory)
12 Touch
13 -
14 Wireless connection
15 RF test

The responses are another story that I might explore in a future blog post. The responses are read as 64 bytes blocks with an HID get feature at the report 6.

Bluetooth scan example

As an example, the following python snippet does a Bluetooth scan, listing all devices found.

import hid
d = hid.Device(0x046d, 0x0acb)
# Enter bootloader
assert == bytes([6,90,0,0,0,0,0,0,0]) # check ack
# Start scanning
assert == bytes([6,90,0,0,0,0,0,0,0]) # check ack
# Get results
while True:
data = d.get_feature_report(6, 64)
#TODO: process data
# Stop scanning
assert == bytes([6,90,0,0,0,0,0,0,0]) # check ack
# Exit Bootloader
assert == bytes([6,90,0,0,0,0,0,0,0]) # check ack

Pairing sequence

Looking at the pairing software logs, I can extrapolate the following sequence to pair a dongle with a headset. To illustrate, let's say that the Bluetooth MAC address of the headsets is [X0, X1, X2, X3, X4, X5]. The bytes relative to the standard command are underlined. Counter is the commands counter I mentioned on the protocol section.

  • Enter Bootloader
  • Sends LQ_DFU_BT_INQUIRY_SCAN (80, 65, 14, counter, 2, 240, 00) to enumerate all the Bluetooth devices.
  • Sends TX_DG_CREATE_CONNECT_EX (80, 65, 14, counter, 9, 229, 00, X5, X4, X3, X2, X1, X0) to pair the dongle with the headsets.
  • Sends REMOTE_GET_CONNECT_STATUS (80, 65, 14, counter, 1, 227) to check that the pairing was successful. If it fails, it retries the previous step.
  • Sends REMOTE_GET_MODE (80, 65, 14, counter, 1, 224) to get the "mode", maybe related to the connection mode on the headset (Bluetooth or lightspeed)?. If it is 01, it skips to the last step.
  • Sends REMOTE_SET_MODE (80, 65, 14, counter, 2, 225, 01) to set the mode to 01.
  • Sends REMOTE_GET_MODE (80, 65, 14, counter, 1, 224) to check that the mode has changed to 01.
  • Sends OTA_CMD_GET_IMAGE_VERSION (80, 65, 6, counter, 4, 0, 52, 01, 77, 67) to checks that the headset and the update tool (I think) firmware version are the same.

So, can we read the battery level?

Yes, but as it requires sending a command, so entering the bootloader, a cut on the audio will be produced which is bothering. Maybe this is why Logitech doesn't support these headphones on their software programs?. Here was where I lost interest in this, as the main reason I started researching about these headphones was for knowing the battery level. There are a lot of commands and fun things still worth exploring, which can result in interesting information for implementing an app for these headsets, but this is it for now.

Image of Docusign

🛠️ Bring your solution into Docusign. Reach over 1.6M customers.

Docusign is now extensible. Overcome challenges with disconnected products and inaccessible data by bringing your solutions into Docusign and publishing to 1.6M customers in the App Center.

Learn more

Top comments (0)

A Workflow Copilot. Tailored to You. image

Our desktop app, with its intelligent copilot, streamlines coding by generating snippets, extracting code from screenshots, and accelerating problem-solving.

Read the docs