reverse engineering usb devices
play

Reverse Engineering USB Devices Drew Fisher December 28, 2011 - PowerPoint PPT Presentation

Nov 04, 2022 •171 likes •437 views

Reverse Engineering USB Devices Drew Fisher December 28, 2011 whoami Drew Fisher (zarvox) I maintain libfreenect, a set of reverse-engineered Kinect drivers. http://github.com/OpenKinect/libfreenect What well cover Introduction

  1. Reverse Engineering USB Devices Drew Fisher December 28, 2011

  2. whoami Drew Fisher (zarvox) I maintain libfreenect, a set of reverse-engineered Kinect drivers. http://github.com/OpenKinect/libfreenect

  3. What we’ll cover Introduction Motivation USB Primer Protocol Reverse Engineering Vision for future Questions

  4. Motivation: cool new devices! ◮ There are USB devices out there that do (really!) neat things ◮ The more unique the device, the less likely that the vendor supports it with a non-Windows driver

  5. Motivation: a compatible driver ◮ We want to speak the same protocol. This protocol is built atop USB.

  6. Motivation: a compatible driver ◮ We want to speak the same protocol. This protocol is built atop USB. ◮ We need to understand the device’s state transitions.

  7. Motivation: a compatible driver ◮ We want to speak the same protocol. This protocol is built atop USB. ◮ We need to understand the device’s state transitions. ◮ We need to understand the device’s data.

  8. Motivation: a compatible driver ◮ We want to speak the same protocol. This protocol is built atop USB. ◮ We need to understand the device’s state transitions. ◮ We need to understand the device’s data. ◮ So let’s watch the messages that go by, and figure out which ones are which.

  9. USB: just the basics ◮ Distinction between Host and Device ◮ All communications are started by the host ◮ Devices have multiple endpoints which are in effect, separate data queues

  10. USB Primer - USB endpoint/transfer types Four types: ◮ Control ◮ Interrupt ◮ Isochronous ◮ Bulk

  11. USB Primer - Control Transfers ◮ Host starts a request, specifies request number and direction ◮ Either host or device transfers data ◮ Device or host acknowledges transfer if successful ◮ Every USB Device supports control transfers on endpoint 0

  12. USB Primer - Interrupt Transfers ◮ Guaranteed bounds on latency ◮ Attempts retransmission next epoch on error ◮ Useful to notify host of device state change ◮ Example: used for Human Interface Device reports (mice, keyboards)

  13. USB Primer - Isochronous Transfers ◮ Guaranteed polling rate and bandwidth ◮ No retransmission ◮ Useful for avoiding jitter - dropped packets are okay, as long as stream is realtime ◮ Example: used for USB Video Class video stream

  14. USB Primer - Bulk Transfers ◮ Large bursty data ◮ CRC provides error detection ◮ Retransmission provides reliable delivery ◮ Example: USB Mass storage (disks, flash drives)

  15. Putting it together ◮ Under normal operation, the host’s driver tracks the device’s state. ◮ So all information pertaining to state transitions are encoded in the transfers. ◮ State changes require reliable delivery. ◮ Streaming realtime data (like audio) does not.

  16. So now what? Assumption: we are working with devices that already have working drivers. The usual workflow: 1. Obtain USB traces of normal operation 2. Stare at them until they make sense 3. Write driver

  17. Step 1: get data Hardware loggers: ◮ TotalPhase Beagle 480 ◮ OpenVizsla – http://openvizsla.org/ Software loggers: ◮ BusDog – Windows USB filter driver http://code.google.com/p/busdog/ ◮ /dev/usbmon

  18. Step 2: understand data ◮ Download/extract TotalPhase Data Center for your platform: http://www.totalphase.com/products/data center/ ◮ Get USB trace from someone who bought a Beagle 480: git clone git://github.com/adafruit/Kinect.git ◮ Open Kinect/USBlogs/enuminit.tdc with Data Center ◮ Start reading ;)

  19. Pattern matching Problems developers face Protocol versioning Packet framentation and reassembly Latency measurement

  20. Pattern matching Problems developers face Solution Protocol versioning Magic bytes Packet framentation and reassembly Length/size bytes Sequence numbers Latency measurement Timestamps

  21. Structure Bootloader command: uint32 t magic; uint32 t tag; uint32 t bytes; uint32 t cmd; uint32 t address; uint32 t unknown;

  22. Structure Audio in transfer: uint32 t magic; // 0x80000080 uint16 t channel; // Values between 0x1 and 0xa indicate audio channel uint16 t len; // packet length uint16 t window; // timestamp uint16 t unknown; // ??? int32 t samples[]; // Size depends on len

  23. Step 3: write driver libusb is pretty cool and makes prototyping easy (compared to prototyping kernel drivers). http://www.libusb.org/wiki/libusb-1.0

  24. Live demo!

  25. What should RE tools do? ◮ Help human notice patterns, especially common ones ◮ Help human test hypotheses against larger dataset ◮ Help humans work together

  26. Questions! http://openkinect.org/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Reverse-Engineering DisplayLink devices Florian floe Echtler, Chris platon Hodges

Reverse-Engineering DisplayLink devices Florian floe Echtler, Chris platon Hodges

Introduction Cracking the Encryption The Graphics Protocol Finale Reverse-Engineering DisplayLink devices Florian floe Echtler, Chris platon Hodges December 28, 2009 Florian floe Echtler, Chris platon Hodges USB to

644 views • 31 slides
Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei Costin/Jonas Zaddach www.firmware.re 1/78 Administratrivia Please fill-in the BH13US Feedback Form - Thanks! The views of the authors are their

1.19k views • 78 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11, 2013 Andrei Costin/Jonas Zaddach www.firmware.re 1/104 About Jonas Zaddach PhD. candidate on "Development of novel binary analysis

1.25k views • 104 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs WCRE 2008 Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software Architecture Group David R. Cheriton School of Computer Science University of Waterloo Canada

726 views • 57 slides
Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Pierre Surply Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP Controller Scan Chain Pierre Surply Boundary Scan UC3 JTAG EPITA 2016 Reverse engineering Jul

968 views • 72 slides
Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap W44 Introduction V.Zaytsev W45 Metaprogramming J.Vinju W46 Reverse Engineering V.Zaytsev W47 Software Analytics M.Bruntink W48 Clone

751 views • 31 slides
Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion delroth@lse.epita.fr http://lse.epita.fr February 12, 2013 Context Reverse

856 views • 18 slides
Modeling the Architecture of Distributed Real-Time Systems Dominikus Herzberg Andr Marburger

Modeling the Architecture of Distributed Real-Time Systems Dominikus Herzberg Andr Marburger

Modeling the Architecture of Distributed Real-Time Systems Dominikus Herzberg Andr Marburger Ericsson Eurolab Deutschland GmbH Aachen University of Technology 52134 Herzogenrath, Germany 52074 Aachen, Germany OMER-2, Herrsching am

353 views • 16 slides
Information Visualization Rules of Thumb Tamara Munzner Department of Computer Science

Information Visualization Rules of Thumb Tamara Munzner Department of Computer Science

Information Visualization Rules of Thumb Tamara Munzner Department of Computer Science University of British Columbia Lect 20, 19 Mar 2020 https://www.cs.ubc.ca/~tmm/courses/436V-20 Upcoming Milestone 2: still due Wed Mar 25 11:59pm

433 views • 16 slides
D0Race: Communication & Documentation Ursula Bassler - Recommendations of the Video Task

D0Race: Communication & Documentation Ursula Bassler - Recommendations of the Video Task

D0Race: Communication & Documentation Ursula Bassler - Recommendations of the Video Task Force (10') Vivan O'Dell - VRVS: install it, use it, enjoy it! (15) Sharon Hagopian - The Mechanics of Meetings (10') Mark

489 views • 10 slides
CS 598: Advanced Internet Lecture 3: TCP / IP Brighten Godfrey pbg@illinois.edu Fall 2009 1

CS 598: Advanced Internet Lecture 3: TCP / IP Brighten Godfrey pbg@illinois.edu Fall 2009 1

CS 598: Advanced Internet Lecture 3: TCP / IP Brighten Godfrey pbg@illinois.edu Fall 2009 1 Today Announcements A few more project ideas Cerf and Kahn: TCP / IP Clark: TCP / IP design philosophy 2 Announcements Project proposals

506 views • 35 slides
Residential Bridging Residential Bridging (rate control; 2006Mar06) (rate control; 2006Mar06)

Residential Bridging Residential Bridging (rate control; 2006Mar06) (rate control; 2006Mar06)

Residential Bridging Residential Bridging (rate control; 2006Mar06) (rate control; 2006Mar06) Maintained by David V James IEEE 802.3 RE Study Group March 2006 1 Denver Credit is due to many others, whose reviews and comments drove this

408 views • 18 slides
Real-Time USB Communication in the Quest Operating System Eric Missimer, Ye Li, Richard West

Real-Time USB Communication in the Quest Operating System Eric Missimer, Ye Li, Richard West

Contributions USB 2.0 and EHCI Outline USB Scheduling Problem Experimental Evaluation Conclusions Real-Time USB Communication in the Quest Operating System Eric Missimer, Ye Li, Richard West Eric Missimer, Ye Li, Richard West Real-Time USB

670 views • 48 slides
Resonance of Isochronous Oscillators David Rojas Universitat de Girona, Catalonia, Spain

Resonance of Isochronous Oscillators David Rojas Universitat de Girona, Catalonia, Spain

Resonance of Isochronous Oscillators David Rojas Universitat de Girona, Catalonia, Spain Advances in Qualitative Theory of Differential Equations 2019 Joint work with Rafael Ortega This research has been partially supported by the

762 views • 18 slides
Challenges with Userspace USB Embedded Device Interfacing Dave Camarillo K Wilson Background...

Challenges with Userspace USB Embedded Device Interfacing Dave Camarillo K Wilson Background...

2009 Linux Plumbers Conference Portland, Oregon Challenges with Userspace USB Embedded Device Interfacing Dave Camarillo K Wilson Background... Portland State Aerospace Society http: //psas.pdx.edu PSAS is a student aerospace engineering

631 views • 31 slides

More recommend