Reverse Engineering USB Devices, Drew Fisher, December 28, 2011 (PowerPoint PPT presentation)



SLIDE 1

Reverse Engineering USB Devices

Drew Fisher December 28, 2011

SLIDE 2

whoami

Drew Fisher (zarvox) I maintain libfreenect, a set of reverse-engineered Kinect drivers. http://github.com/OpenKinect/libfreenect

SLIDE 3

What we’ll cover

◮ Introduction
◮ Motivation
◮ USB Primer
◮ Protocol Reverse Engineering
◮ Vision for future
◮ Questions

SLIDE 4

Motivation: cool new devices!

◮ There are USB devices out there that do (really!) neat things
◮ The more unique the device, the less likely that the vendor supports it with a non-Windows driver

SLIDE 8

Motivation: a compatible driver

◮ We want to speak the same protocol. This protocol is built atop USB.
◮ We need to understand the device’s state transitions.
◮ We need to understand the device’s data.
◮ So let’s watch the messages that go by, and figure out which ones are which.

SLIDE 9

USB: just the basics

◮ Distinction between Host and Device
◮ All communications are started by the host
◮ Devices have multiple endpoints, which are in effect separate data queues

SLIDE 10

USB Primer - USB endpoint/transfer types

Four types:

◮ Control
◮ Interrupt
◮ Isochronous
◮ Bulk

SLIDE 11

USB Primer - Control Transfers

◮ Host starts a request with an 8-byte SETUP packet: bmRequestType (direction, type, recipient), bRequest (the request number), wValue, wIndex, wLength
◮ Either host or device transfers data in the optional data stage; the direction bit of bmRequestType says which
◮ The receiving side acknowledges the transfer in the status stage if successful
◮ Every USB device supports control transfers on endpoint 0

SLIDE 12

USB Primer - Interrupt Transfers

◮ Guaranteed bounds on latency: the host polls the endpoint at a fixed interval
◮ On error, the transfer is retried at the next polling interval
◮ Useful to notify host of device state change
◮ Example: used for Human Interface Device reports (mice, keyboards)

SLIDE 13

USB Primer - Isochronous Transfers

◮ Guaranteed polling rate and bandwidth
◮ No retransmission
◮ Useful for avoiding jitter - dropped packets are okay, as long as the stream is realtime
◮ Example: used for USB Video Class video stream

SLIDE 14

USB Primer - Bulk Transfers

◮ Large bursty data
◮ CRC provides error detection
◮ Retransmission provides reliable delivery
◮ No bandwidth or latency guarantee: bulk transfers use whatever bus time is left over
◮ Example: USB Mass Storage (disks, flash drives)

SLIDE 15

Putting it together

◮ Under normal operation, the host’s driver tracks the device’s state.
◮ So all information pertaining to state transitions is encoded in the transfers.
◮ State changes require reliable delivery.
◮ Streaming realtime data (like audio) does not.

SLIDE 16

So now what?

Assumption: we are working with devices that already have working drivers. The usual workflow:

1. Obtain USB traces of normal operation
2. Stare at them until they make sense
3. Write driver

SLIDE 17

Step 1: get data

Hardware loggers:

◮ TotalPhase Beagle 480
◮ OpenVizsla – http://openvizsla.org/

Software loggers:

◮ BusDog – Windows USB filter driver
  http://code.google.com/p/busdog/
◮ usbmon (Linux): text interface under /sys/kernel/debug/usb/usbmon/, binary interface at /dev/usbmon<N>

SLIDE 18

Step 2: understand data

◮ Download/extract TotalPhase Data Center for your platform:
  http://www.totalphase.com/products/data_center/
◮ Get USB trace from someone who bought a Beagle 480:
  git clone git://github.com/adafruit/Kinect.git
◮ Open Kinect/USBlogs/enuminit.tdc with Data Center
◮ Start reading ;)
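The control-transfer layout from slide 11 and the trace-reading steps of slides 17 and 18 come together in the following C program, which is an added example and not code from the talk or from libfreenect. It parses lines in the documented text format of Linux usbmon (/sys/kernel/debug/usb/usbmon/<bus>u) and, for control submissions, decodes the SETUP packet into direction, type and recipient, which is the first thing you want to know about each line when staring at a trace. The three trace lines are constructed for the example, not taken from a real capture; nothing here depends on libusb.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded 8-byte SETUP packet that begins every control transfer
 * (field names follow the USB 2.0 specification, chapter 9). */
struct usb_setup {
    uint8_t  bmRequestType;   /* bit 7: direction, bits 6..5: type, bits 4..0: recipient */
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;         /* bytes expected in the data stage */
};

/* The parts of one usbmon text line that matter when reading a trace. */
struct usbmon_event {
    char event;               /* 'S' submit, 'C' callback (completion), 'E' submit error */
    char xfer;                /* 'C' control, 'Z' isochronous, 'I' interrupt, 'B' bulk */
    char dir;                 /* 'i' device-to-host, 'o' host-to-device */
    int  bus, dev, ep;
    int  has_setup;           /* 1 when the line carried a SETUP packet ("s ...") */
    struct usb_setup setup;
    int  status;              /* URB status on lines without a SETUP packet (-115 = in progress) */
    int  len;                 /* data length field */
};

/* Parse one line of the usbmon text interface. Returns 0 on success, -1 otherwise. */
int parse_usbmon_line(const char *line, struct usbmon_event *ev)
{
    unsigned long long tag, ts;
    char addr[32];
    int consumed = 0;

    memset(ev, 0, sizeof *ev);
    /* "<urb tag> <timestamp us> <event> <Xy:bus:dev:ep> ..." */
    if (sscanf(line, "%llx %llu %c %31s %n", &tag, &ts, &ev->event, addr, &consumed) < 4)
        return -1;
    if (sscanf(addr, "%c%c:%d:%d:%d", &ev->xfer, &ev->dir, &ev->bus, &ev->dev, &ev->ep) != 5)
        return -1;
    line += consumed;

    if (line[0] == 's' && line[1] == ' ') {
        /* Control submission: "s bmRequestType bRequest wValue wIndex wLength" in hex, then length */
        unsigned rt, rq, val, idx, wl;
        if (sscanf(line, "s %x %x %x %x %x %d", &rt, &rq, &val, &idx, &wl, &ev->len) != 6)
            return -1;
        ev->has_setup = 1;
        ev->setup.bmRequestType = (uint8_t)rt;
        ev->setup.bRequest = (uint8_t)rq;
        ev->setup.wValue = (uint16_t)val;
        ev->setup.wIndex = (uint16_t)idx;
        ev->setup.wLength = (uint16_t)wl;
    } else if (sscanf(line, "%d %d", &ev->status, &ev->len) != 2) {
        return -1;
    }
    return 0;
}

/* Helpers that split bmRequestType the way the specification does. */
int setup_is_device_to_host(const struct usb_setup *s) { return (s->bmRequestType & 0x80) != 0; }
int setup_type(const struct usb_setup *s) { return (s->bmRequestType >> 5) & 0x3; } /* 0 standard, 1 class, 2 vendor */
int setup_recipient(const struct usb_setup *s) { return s->bmRequestType & 0x1f; }   /* 0 device, 1 interface, 2 endpoint */

/* Constructed sample lines in usbmon's documented text layout (not a real capture):
 * a GET_DESCRIPTOR(device) request, its completion, and a bulk OUT submission. */
const char *const sample_lines[] = {
    "ffff8800b3c1c900 2210011312 S Ci:1:002:0 s 80 06 0100 0000 0012 18 <",
    "ffff8800b3c1c900 2210011517 C Ci:1:002:0 0 18 = 12010002 00000040 00000000 00000000 0000",
    "ffff88003a2b0c00 2210020001 S Bo:1:002:1 -115 24 = 00000000 00000000 00000000 00000000 00000000 00000000",
};

int main(void)
{
    for (size_t i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++) {
        struct usbmon_event ev;
        if (parse_usbmon_line(sample_lines[i], &ev) != 0) {
            printf("unparsed: %s\n", sample_lines[i]);
            continue;
        }
        printf("%c %c%c bus %d dev %d ep %d len %d", ev.event, ev.xfer, ev.dir, ev.bus, ev.dev, ev.ep, ev.len);
        if (ev.has_setup)
            printf("  setup: %s type %d recipient %d bRequest 0x%02x wValue 0x%04x wIndex 0x%04x wLength %u",
                   setup_is_device_to_host(&ev.setup) ? "IN" : "OUT", setup_type(&ev.setup),
                   setup_recipient(&ev.setup), ev.setup.bRequest, ev.setup.wValue, ev.setup.wIndex,
                   ev.setup.wLength);
        else
            printf("  status %d", ev.status);
        printf("\n");
    }
    return 0;
}
```

Feed it `cat /sys/kernel/debug/usb/usbmon/1u` line by line and the vendor-specific requests (type 2) stand out immediately from the standard enumeration traffic (type 0), which is the split you want before you start pairing submissions with their completions.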

SLIDE 20

Pattern matching

Problems developers face               Solution
Protocol versioning                    Magic bytes
Packet fragmentation and reassembly    Length/size bytes, sequence numbers
Latency measurement                    Timestamps

SLIDE 21

Structure

Bootloader command:

    uint32_t magic;
    uint32_t tag;
    uint32_t bytes;
    uint32_t cmd;
    uint32_t address;
    uint32_t unknown;

SLIDE 22

Structure

Audio in transfer:

    uint32_t magic;      // 0x80000080
    uint16_t channel;    // Values between 0x1 and 0xa indicate audio channel
    uint16_t len;        // packet length
    uint16_t window;     // timestamp
    uint16_t unknown;    // ???
    int32_t  samples[];  // Size depends on len
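As an added example (not the talk's or libfreenect's code), here are the two structures from slides 21 and 22 turned into a serializer for the bootloader command and a parser for the audio-in transfer in C. Two assumptions the slides do not state: fields are little-endian on the wire, and len counts the whole audio transfer including its 12-byte header. The point a driver author should take from it is that magic, channel and len all arrive from the device, so the parser checks each against the bytes actually received before touching samples[]; the packets at the bottom are constructed to exercise the good case and a header that lies about its length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian helpers; the wire byte order is an assumption of this example. */
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bootloader command (slide 21): six uint32_t fields, 24 bytes on the wire. */
struct bootloader_cmd { uint32_t magic, tag, bytes, cmd, address, unknown; };
#define BOOTLOADER_CMD_LEN 24

/* Serialize a command for an OUT transfer. Returns bytes written, or 0 if out is too small. */
size_t encode_bootloader_cmd(const struct bootloader_cmd *c, uint8_t *out, size_t outlen)
{
    const uint32_t fields[6] = { c->magic, c->tag, c->bytes, c->cmd, c->address, c->unknown };
    if (outlen < BOOTLOADER_CMD_LEN) return 0;
    for (size_t i = 0; i < 6; i++) put_le32(out + 4 * i, fields[i]);
    return BOOTLOADER_CMD_LEN;
}

/* Audio-in transfer header (slide 22). */
#define AUDIO_MAGIC   0x80000080u
#define AUDIO_HDR_LEN 12
struct audio_hdr { uint32_t magic; uint16_t channel, len, window, unknown; };

/* Parse one audio-in transfer. Every header field comes from the device, so none of it
 * is trusted until it has been checked against the bytes actually received.
 * Returns the number of samples copied, or -1 if the packet is malformed. */
int parse_audio_packet(const uint8_t *buf, size_t buflen, struct audio_hdr *hdr,
                       int32_t *samples, size_t max_samples)
{
    size_t payload, n, i;

    if (buflen < AUDIO_HDR_LEN) return -1;                 /* truncated header */
    hdr->magic   = get_le32(buf);
    hdr->channel = get_le16(buf + 4);
    hdr->len     = get_le16(buf + 6);
    hdr->window  = get_le16(buf + 8);
    hdr->unknown = get_le16(buf + 10);

    if (hdr->magic != AUDIO_MAGIC) return -1;              /* not an audio packet */
    if (hdr->channel < 0x1 || hdr->channel > 0xa) return -1;
    if (hdr->len != buflen) return -1;                     /* claimed length must match reality */
    payload = buflen - AUDIO_HDR_LEN;
    if (payload % 4 != 0) return -1;                       /* whole int32 samples only */
    n = payload / 4;
    if (n > max_samples) return -1;                        /* caller's buffer would overflow */
    for (i = 0; i < n; i++)
        samples[i] = (int32_t)get_le32(buf + AUDIO_HDR_LEN + 4 * i);
    return (int)n;
}

/* Constructed packet (not a capture): channel 1, len 20, window 0x1234, samples 1000 and -1. */
const uint8_t sample_audio_packet[20] = {
    0x80, 0x00, 0x00, 0x80,   /* magic 0x80000080 */
    0x01, 0x00,               /* channel 1 */
    0x14, 0x00,               /* len = 20 (whole transfer, header included) */
    0x34, 0x12,               /* window 0x1234 */
    0x00, 0x00,               /* unknown */
    0xe8, 0x03, 0x00, 0x00,   /* 1000 */
    0xff, 0xff, 0xff, 0xff    /* -1 */
};
/* Same bytes, but the header claims 0xffff: a parser that trusts len would read past the buffer. */
const uint8_t lying_audio_packet[20] = {
    0x80, 0x00, 0x00, 0x80, 0x01, 0x00, 0xff, 0xff, 0x34, 0x12, 0x00, 0x00,
    0xe8, 0x03, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff
};

int main(void)
{
    struct audio_hdr hdr;
    int32_t samples[64];
    int n = parse_audio_packet(sample_audio_packet, sizeof sample_audio_packet, &hdr, samples, 64);
    printf("good packet: %d samples on channel %u, window %u\n", n, hdr.channel, hdr.window);
    n = parse_audio_packet(lying_audio_packet, sizeof lying_audio_packet, &hdr, samples, 64);
    printf("lying packet: %d (rejected)\n", n);
    return 0;
}
```

Parsing field by field rather than casting the buffer to a struct with a flexible array member also avoids alignment and padding surprises, and keeps the check on len explicit where the next person reading the driver will see it.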

SLIDE 23

Step 3: write driver

libusb is pretty cool and makes prototyping easy (compared to prototyping kernel drivers). http://www.libusb.org/wiki/libusb-1.0

SLIDE 24

Live demo!

SLIDE 25

What should RE tools do?

◮ Help human notice patterns, especially common ones
◮ Help human test hypotheses against larger dataset
◮ Help humans work together

SLIDE 26

Questions!

http://openkinect.org/