USB data Sniffing and recreating similar behaviour

Sniff.. Sniff…

Recently I had to work on a USB camera device for Linux. The vendor has just given the example code for Windows. That example code also uses some pre-compiled library and dll file. So there is no way to know what exactly is happening when the software is run and device is controlled via the software. Basically I have to make filter switcher of the camera work in Linux. For windows vendor has provided with one filter switching application.

Usblyzer ( http://www.usblyzer.com/ ) is a great tool for sniffing USB traffic. It gives you almost everything required to re-create the scenario. I used this to see the USB packets and then used libusb for windows to re-create the scenario.

libusb: A Great Open source usb library

Making windows work with libusb:

Download most recent version of libusb. I used :

http://kaz.dl.sourceforge.net/project/libusb-win32/libusb-win32-releases/1.2.6.0/libusb-win32-bin-1.2.6.0.zip

go to bin folder and run the install-filter exe. Now you need to copy the dll and sys file. I did below for my PC:
ALL ARCHITECTURES:
x86\libusb0_x86.dll: x86 32-bit library. Must be renamed to libusb0.dll
On 32 bit, Installs to Windows\system32\libusb0.dll.

X86 ONLY ARCHITECTURES:
x86\libusb0.sys: x86 32-bit driver.
Installs to Windows\system32\drivers\libusb0.sys

After above steps you will be able to able to see your device info when you run testlibusb-win.exe from bin folder.

Get to work

Now create an empty Visual studio project.

Add proper libusb.lib in Linker => Input additional dependency. For my PC it was in lib/msvc/libusb.lib.

Include lusb0_usb.h in your main file.

Now you can write code to get device handle and send data. I am pasting my code for reference:

#include <stdio.h>
#include "lusb0_usb.h"
#include <iostream>
#include <windows.h>

using namespace std;

int main(int argc, char** argv)
{
usb_dev_handle *my_dev_hndl = NULL; /* the device handle */
struct usb_device *my_dev;

struct usb_bus *busses;

void usb_init(void);
usb_find_busses(); /* find all busses */
usb_find_devices(); /* find all connected devices */
busses = usb_get_busses();
struct usb_bus *bus;

/* ... */

for (bus = busses; bus; bus = bus->next)

{
struct usb_device *dev;

for (dev = bus->devices; dev; dev = dev->next)

{
/* Check if this device is a printer */
if (dev->descriptor.bDeviceClass == 239) {//you can find this in info of testlibusb
/* Open the device, claim the interface and do your processing */
printf("I am so happy \n");
my_dev = dev;
printf("%d\n",dev->descriptor.bDeviceClass);
cout<<"Number of possible configurations: "<descriptor.bnumconfigurations<<" "<<<span="" class="hiddenSpellError" pre="">endl;
cout<<"VendorID: "
cout<<"ProductID: "
my_dev_hndl = usb_open(dev);
/* only one configuration: #1 */
int ret = usb_set_configuration(my_dev_hndl, 1);
if (ret < 0)
{
printf("usb_set_configuration failed ret code: %d.\n", ret);
printf("%s\n", usb_strerror());
}

/* configuration #1, interface #0 */
ret = usb_claim_interface(my_dev_hndl, 0);
if (ret < 0)
{
printf("usb_claim_interface failed ret code: %d\n", ret);
printf("%s\n", usb_strerror());
//usb_close(my_dev_hndl);
}
}
char bmRequestType= 0x21;

unsigned char bRequest = 0x01;
unsigned short wValue = 0x400;
unsigned short wIndex = 0x400;
unsigned short wLength = 4;
unsigned int timeout = 1000;

char data_rec[2] = { 0x04, 0x00 };//20 32 B0 22
usb_control_msg(my_dev_hndl, 0xA1, 0x85, wValue, wIndex, data_rec, 2, timeout);

char data_init[4] = { 0x00, 0x00, 0x00, 0x00 };//20 32 B0 22
usb_control_msg(my_dev_hndl, bmRequestType, bRequest, wValue, wIndex, data_init,  wLength, timeout);

usb_control_msg(my_dev_hndl, 0xA1, 0x85, wValue, wIndex, data_rec, 2, timeout);

usb_control_msg(my_dev_hndl, 0xA1, 0x85, wValue, wIndex, data_rec, 2, timeout);

char data_init1[4] = { 0x00, 0x00, 0x00, 0xAA };//20 32 B0 22
usb_control_msg(my_dev_hndl, 0xA1, 0x81, wValue, wIndex, data_init1, wLength, timeout);
Sleep( 3 );
}
}
}

if (dev->descriptor.bDeviceClass == 239) {//you can find this in info of testlibusb

What I noticed here is when you are recreating the scenario you have to be careful about timing also otherwise it may result in “Bulk or Interrupt Transfer failure”

To get the info about usb_control_msg parameters you can check USBLYZER output. More info is displayed at bottom in summary and Analysis section.

Offset Field Size Value Description
0 bmRequestType 1 40h
4..0: Recipient ...00000 Device
6..5: Type .10..... Vendor
7: Direction 0....... Host-to-Device
1 bRequest 1 01h
2 wValue 2 0400h
4 wIndex 2 0400h
6 wLength 2 0004h

Now I recreated the same message sequence passing in Linux using libusb. I was able to achieve the same result on Linux without any help from device vendor. 🙂

In linux I faced the issue where device was always busy error code -6. This can be resolved by

libusb_detach_kernel_driver(h, 0);

h is device handle 0 is interface.

The sequence is same here also first list the device and find your device of interest. After this open your device and get dev handle detach the device to make sure no one else is using it. cal set_configuration and claim_interface. Prepare required data and send.

 

For debugging in Linux you can use usbmon. It comes with linux so nothing is required. Commands to see usbmon output:

sudo mount -t debugfs none_debugs /sys/kernel/debug

sudo modprobe usbmon

sudo cat /sys/kernel/debug/usb/devices

lsusb

ls /sys/kernel/debug/usb/usbmon

sudo cat /sys/kernel/debug/usb/usbmon/2u > ~/2u.mon.out

After above command see the output in file 2u.mon.out

2u is my device you can see output of all usb with 0u otherwise you need to search for your device bus with lsusb and sudo cat /sys/kernel/debug/usb/devices commands.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s