I fired up Wireshark’s USB capture. After the standard control transfers, the device sent a vendor‑specific request: 0x5a (bRequest = 90 decimal). The data payload? A 32‑byte blob starting with 0x1e3d198a – its own VID/PID reversed.
Within an hour, I decoded the pattern. The 198a PID wasn’t for serial emulation. It enabled over USB bulk endpoints. The device was masquerading as a cheap debug tool but could read/write physical RAM if the host’s USB controller had a certain vulnerability (CVE‑2028‑44321). vid = 1e3d pid = 198a
The drone didn’t crash. It was deactivated – by a device that looked like a $2 cable. Linux I fired up Wireshark’s USB capture
lsusb -d 1e3d:198a -v # Shows device descriptors, endpoints, configurations vid = 1e3d pid = 198a