7/27/2019 Usb Reversing
1/56
ubomr Rintel
7/27/2019 Usb Reversing
2/56
Our device
Unknown to Linux No documentation No Google hits for chip Desperate users in
Ubuntu forums
7/27/2019 Usb Reversing
3/56
7/27/2019 Usb Reversing
4/56
The Plan
Make it work in Windows Capture what happens Find image data Mimic the behavior in userspace Transform into a kernel module
7/27/2019 Usb Reversing
5/56
USB
7/27/2019 Usb Reversing
6/56
USB Architecture
Network of Host, Hubs and Devices
7/27/2019 Usb Reversing
7/56
USB Addresses
Bus & Device number
Host
Device 1:1Hub
Device 2:1Hub
Device 3:1Mouse
Device 2:2Flash Drive
7/27/2019 Usb Reversing
8/56
USB Addresses
lsusb
us 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hu
us 002 Device 001: ID 1337:abcd Trololol USB 1.1 Hubus 002 Device 002: ID 1337:0123 Trololol Flash Drive
us 003 Device 001: ID dead:b4b3 Random Mouse
lsusb -v
..
7/27/2019 Usb Reversing
9/56
USB Device
Self-describing Endpoints
CONTROL INTERRUPT BULK
ISOCHRONOUS Endpoints grouped into Interfaces Interfaces grouped into Configurations
7/27/2019 Usb Reversing
10/56
Our device
Device
Alternate setting 0Endpoints:
Alternate setting 1Endpoints:
0x81 Isochronous IN
0x82 Bulk IN
0x83 Bulk IN
0x84 Interrupt IN
0x81 Isochronous IN
0x82 Bulk IN
0x83 Bulk IN
0x84 Interrupt IN
7/27/2019 Usb Reversing
11/56
The Plan
Make it work in Windows Capture what happens Find image data Mimic the behavior in userspace Transform into a kernel module
7/27/2019 Usb Reversing
12/56
Windows & VirtualBox
7/27/2019 Usb Reversing
13/56
7/27/2019 Usb Reversing
14/56
What did we see
Number of CONTROL requests ISOCHRONOUS packets once capture starts
7/27/2019 Usb Reversing
15/56
RGB
R R R R R R R R
G G G G G G G G
B B B B B B B B
7/27/2019 Usb Reversing
16/56
YUV2Y Y Y Y U1 U1 U1 U1
Y Y Y Y V1 V1 V1 V1
Y Y Y Y U2 U2 U2 U2
Y Y Y Y V2 V2 V2 V2
7/27/2019 Usb Reversing
17/56
LibUSB
We could replay the traffic In userspace no kernel hacking needed C, Python & Perl bindings Now we need to find start & end of the picture
7/27/2019 Usb Reversing
18/56
Test image
0xaaaaaaaa0xff00ff00
0x00ff00ff
0x80808080
0x00000000
7/27/2019 Usb Reversing
19/56
Frame format
88 01 00 00
88 01 02 cf
88 02 80 00
88 02 82 cf
88 03 00 00
xx xx xx xx 240 00 00 00 00 15
88 01 00 01...
...
Frame number Even/odd Chunk number 0 0x2cf = 719
740 x 480 YUV2 Interlaced (NTSC)
...
7/27/2019 Usb Reversing
20/56
7/27/2019 Usb Reversing
21/56
To kernel!
Booooring! A module USB framework
Linux Device Drivers: http://lwn.net/Kernel/LDD3/
Video4Linux2
LWN Series: http://lwn.net/Articles/203924/ Videobuf2
LWN Article: http://lwn.net/Articles/447435/
http://lwn.net/Kernel/LDD3/http://lwn.net/Articles/203924/http://lwn.net/Articles/447435/http://lwn.net/Articles/447435/http://lwn.net/Articles/203924/http://lwn.net/Kernel/LDD3/http://lwn.net/Articles/447435/http://lwn.net/Articles/203924/http://lwn.net/Kernel/LDD3/7/27/2019 Usb Reversing
22/56
Architecture
Video4Linux2
Videobuf2Ourcode
USB
Userspace
Hardware
7/27/2019 Usb Reversing
23/56
Video4Linux2
Provide a device with known API open(), close() read(), write() ioctl() mmap()
Negotiate format with userspace
7/27/2019 Usb Reversing
24/56
Videobuf2
Manages buffers of frames Connects to Video4Linux2
read(), write(), mmap() some ioctl()s
Start/stop capture Exchange buffers with userspace
7/27/2019 Usb Reversing
25/56
USB framework
Setup the device Allocate buffers for exchange of data with
device Handle start/stop Isochronous callbacks
Copy data from USB buffers to Videobuf2 buffers
7/27/2019 Usb Reversing
26/56
Architecture
Video4Linux2
Videobuf2Ourcode
USB
Userspace
Hardware
7/27/2019 Usb Reversing
27/56
All done!
7/27/2019 Usb Reversing
28/56
Questions?
7/27/2019 Usb Reversing
29/56
ubomr Rintel OSSConf 2013, ilina
Reverse Engineering:
Writing a Linux driver for an
unknown device
7/27/2019 Usb Reversing
30/56
Our device
Unknown to Linux No documentation No Google hits for chip Desperate users in
Ubuntu forums
7/27/2019 Usb Reversing
31/56
7/27/2019 Usb Reversing
32/56
The Plan
Make it work in Windows Capture what happens Find image data Mimic the behavior in userspace Transform into a kernel module
7/27/2019 Usb Reversing
33/56
USB
7/27/2019 Usb Reversing
34/56
7/27/2019 Usb Reversing
35/56
USB Addresses
Bus & Device number
Host
Device 1:1Hub
Device 2:1Hub
Device 3:1Mouse
Device 2:2Flash Drive
7/27/2019 Usb Reversing
36/56
USB Addresses
$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1337:abcd Trololol USB 1.1 Hub
Bus 002 Device 002: ID 1337:0123 Trololol Flash Drive
Bus 003 Device 001: ID dead:b4b3 Random Mouse
$ lsusb -v
...
7/27/2019 Usb Reversing
37/56
USB Device
Self-describing Endpoints
CONTROL INTERRUPT BULK ISOCHRONOUS
Endpoints grouped into Interfaces
Interfaces grouped into Configurations
7/27/2019 Usb Reversing
38/56
Our device
Device
Alternate setting 0Endpoints:
Alternate setting 1Endpoints:
0x81 Isochronous IN
0x82 Bulk IN
0x83 Bulk IN
0x84 Interrupt IN
0x81 Isochronous IN
0x82 Bulk IN
0x83 Bulk IN
0x84 Interrupt IN
7/27/2019 Usb Reversing
39/56
The Plan
Make it work in Windows Capture what happens Find image data Mimic the behavior in userspace Transform into a kernel module
7/27/2019 Usb Reversing
40/56
7/27/2019 Usb Reversing
41/56
Wireshark & usbmon
7/27/2019 Usb Reversing
42/56
7/27/2019 Usb Reversing
43/56
7/27/2019 Usb Reversing
44/56
YUV2Y Y Y Y U1 U1 U1 U1
Y Y Y Y V1 V1 V1 V1Y Y Y Y U2 U2 U2 U2
Y Y Y Y V2 V2 V2 V2
7/27/2019 Usb Reversing
45/56
7/27/2019 Usb Reversing
46/56
7/27/2019 Usb Reversing
47/56
Frame format
88 01 00 00
88 01 02 cf
88 02 80 00
88 02 82 cf
88 03 00 00
xx xx xx xx 240 00 00 00 00 15
88 01 00 01...
...
Frame number Even/odd Chunk number 0 0x2cf = 719
740 x 480 YUV2 Interlaced (NTSC)
...
7/27/2019 Usb Reversing
48/56
7/27/2019 Usb Reversing
49/56
To kernel!
Booooring! A module USB framework
Linux Device Drivers: http://lwn.net/Kernel/LDD3/
Video4Linux2 LWN Series: http://lwn.net/Articles/203924/
Videobuf2
LWN Article: http://lwn.net/Articles/447435/
7/27/2019 Usb Reversing
50/56
7/27/2019 Usb Reversing
51/56
7/27/2019 Usb Reversing
52/56
7/27/2019 Usb Reversing
53/56
7/27/2019 Usb Reversing
54/56
Architecture
Video4Linux2
Videobuf2Ourcode
USB
Userspace
Hardware
7/27/2019 Usb Reversing
55/56
7/27/2019 Usb Reversing
56/56
Questions?
Top Related