usb reversing

7/27/2019 Usb Reversing

1/56

ubomr Rintel


2/56

Our device

Unknown to Linux No documentation No Google hits for chip Desperate users in

Ubuntu forums


3/56


4/56

The Plan

Make it work in Windows Capture what happens Find image data Mimic the behavior in userspace Transform into a kernel module


5/56

USB


6/56

USB Architecture

Network of Host, Hubs and Devices


7/56

USB Addresses

Bus & Device number

Host

Device 1:1Hub

Device 2:1Hub

Device 3:1Mouse

Device 2:2Flash Drive


8/56

USB Addresses

lsusb

us 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hu

us 002 Device 001: ID 1337:abcd Trololol USB 1.1 Hubus 002 Device 002: ID 1337:0123 Trololol Flash Drive

us 003 Device 001: ID dead:b4b3 Random Mouse

lsusb -v

..


9/56

USB Device

Self-describing Endpoints

CONTROL INTERRUPT BULK

ISOCHRONOUS Endpoints grouped into Interfaces Interfaces grouped into Configurations


10/56

Our device

Device

Alternate setting 0Endpoints:


0x81 Isochronous IN

0x82 Bulk IN

0x83 Bulk IN

0x84 Interrupt IN

0x81 Isochronous IN

0x82 Bulk IN

0x83 Bulk IN

0x84 Interrupt IN


11/56

The Plan



12/56

Windows & VirtualBox


13/56


14/56

What did we see

Number of CONTROL requests ISOCHRONOUS packets once capture starts


15/56

RGB

R R R R R R R R

G G G G G G G G

B B B B B B B B


16/56

YUV2Y Y Y Y U1 U1 U1 U1

Y Y Y Y V1 V1 V1 V1

Y Y Y Y U2 U2 U2 U2

Y Y Y Y V2 V2 V2 V2


17/56

LibUSB

We could replay the traffic In userspace no kernel hacking needed C, Python & Perl bindings Now we need to find start & end of the picture


18/56

Test image

0xaaaaaaaa0xff00ff00

0x00ff00ff

0x80808080

0x00000000


19/56

Frame format

88 01 00 00

88 01 02 cf

88 02 80 00

88 02 82 cf

88 03 00 00

xx xx xx xx 240 00 00 00 00 15

88 01 00 01...

...

Frame number Even/odd Chunk number 0 0x2cf = 719

740 x 480 YUV2 Interlaced (NTSC)

...


20/56


21/56

To kernel!

Booooring! A module USB framework

Linux Device Drivers: http://lwn.net/Kernel/LDD3/

Video4Linux2

LWN Series: http://lwn.net/Articles/203924/ Videobuf2

LWN Article: http://lwn.net/Articles/447435/
http://lwn.net/Kernel/LDD3/http://lwn.net/Articles/203924/http://lwn.net/Articles/447435/http://lwn.net/Articles/447435/http://lwn.net/Articles/203924/http://lwn.net/Kernel/LDD3/http://lwn.net/Articles/447435/http://lwn.net/Articles/203924/http://lwn.net/Kernel/LDD3/


22/56

Architecture

Video4Linux2

Videobuf2Ourcode

USB

Userspace

Hardware


23/56

Video4Linux2

Provide a device with known API open(), close() read(), write() ioctl() mmap()

Negotiate format with userspace


24/56

Videobuf2

Manages buffers of frames Connects to Video4Linux2

read(), write(), mmap() some ioctl()s

Start/stop capture Exchange buffers with userspace


25/56

USB framework

Setup the device Allocate buffers for exchange of data with

device Handle start/stop Isochronous callbacks

Copy data from USB buffers to Videobuf2 buffers


26/56

Architecture

Video4Linux2

Videobuf2Ourcode

USB

Userspace

Hardware


27/56

All done!


28/56

Questions?


29/56

ubomr Rintel OSSConf 2013, ilina

Reverse Engineering:

Writing a Linux driver for an

unknown device


30/56

Our device

Unknown to Linux No documentation No Google hits for chip Desperate users in

Ubuntu forums


31/56


32/56

The Plan



33/56

USB


34/56


35/56

USB Addresses

Bus & Device number

Host

Device 1:1Hub

Device 2:1Hub

Device 3:1Mouse

Device 2:2Flash Drive


36/56

USB Addresses

$ lsusb

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Bus 002 Device 001: ID 1337:abcd Trololol USB 1.1 Hub

Bus 002 Device 002: ID 1337:0123 Trololol Flash Drive

Bus 003 Device 001: ID dead:b4b3 Random Mouse

$ lsusb -v

...


37/56

USB Device

Self-describing Endpoints

CONTROL INTERRUPT BULK ISOCHRONOUS

Endpoints grouped into Interfaces

Interfaces grouped into Configurations


38/56

Our device

Device



0x81 Isochronous IN

0x82 Bulk IN

0x83 Bulk IN

0x84 Interrupt IN

0x81 Isochronous IN

0x82 Bulk IN

0x83 Bulk IN

0x84 Interrupt IN


39/56

The Plan



40/56


41/56

Wireshark & usbmon


42/56


43/56


44/56

YUV2Y Y Y Y U1 U1 U1 U1

Y Y Y Y V1 V1 V1 V1Y Y Y Y U2 U2 U2 U2

Y Y Y Y V2 V2 V2 V2


45/56


46/56


47/56

Frame format

88 01 00 00

88 01 02 cf

88 02 80 00

88 02 82 cf

88 03 00 00

xx xx xx xx 240 00 00 00 00 15

88 01 00 01...

...

Frame number Even/odd Chunk number 0 0x2cf = 719

740 x 480 YUV2 Interlaced (NTSC)

...


48/56


49/56

To kernel!

Booooring! A module USB framework

Linux Device Drivers: http://lwn.net/Kernel/LDD3/

Video4Linux2 LWN Series: http://lwn.net/Articles/203924/

Videobuf2

LWN Article: http://lwn.net/Articles/447435/


50/56


51/56


52/56


53/56


54/56

Architecture

Video4Linux2

Videobuf2Ourcode

USB

Userspace

Hardware


55/56


56/56

Questions?

usb reversing

Documents