USB Data Snooping

Posted on June 26, 2008. Filed under: Linux Kernel, Software

During my work for gPXE I had to snoop USB data for various reasons. Here's a small post showing all the approaches to doing it.

QEMU

If you are running your OS in QEMU, then you are very lucky. If you have the QEMU source code, just go and uncomment the lines starting with #define DEBUG_*. Now when you run QEMU, you will see tons of very valuable information printed on the console. This makes QEMU a bit slower, but who cares about speed when debugging! The best thing about this approach is that QEMU prints the data in a human-readable format, unlike the usbmon dump described next.

USBMON

This method is a bit more involved. First you have to mount debugfs at /sys/kernel/debug. There you will see a directory called usbmon, containing files named 1t, 1u, 2t, 2u and so on. The ones ending in 'u' are the newer format. The number identifies the bus; the bus your device is connected to can be found by running lsusb, a utility supplied in the usbutils package.

Once you've identified the bus your device is attached to, run 'cat 3t', for example, and you will see tons of information of this form.

ffff810106c656c0 20722002 C Co:6:000:0 0 0
ffff8100aa4a0540 20735354 S Ci:6:003:0 s 80 06 0100 0000 0012 18 <
ffff8100aa4a0540 20741001 C Ci:6:003:0 0 18 = 12010002 00000008 6d0419c0 01430102 0001
ffff8100aa4a0540 20741011 S Ci:6:003:0 s 80 06 0200 0000 0009 9 <
ffff8100aa4a0540 20746000 C Ci:6:003:0 0 9 = 09022200 010100a0 32
ffff8100aa4a0540 20746008 S Ci:6:003:0 s 80 06 0200 0000 0022 34 <
ffff8100aa4a0540 20754001 C Ci:6:003:0 0 34 = 09022200 010100a0 32090400 00010301 02000921 11010001 22370007 05810305
ffff8100aa4a0540 20754012 S Ci:6:003:0 s 80 06 0300 0000 00ff 255 <
ffff8100aa4a0540 20759000 C Ci:6:003:0 0 4 = 04030904
ffff8100aa4a0540 20759006 S Ci:6:003:0 s 80 06 0302 0409 00ff 255 <
ffff8100aa4a0540 20768000 C Ci:6:003:0 0 36 = 24035500 53004200 20004f00 70007400 69006300 61006c00 20004d00 6f007500
ffff8100aa4a0540 20768006 S Ci:6:003:0 s 80 06 0301 0409 00ff 255 <
ffff8100aa4a0540 20775001 C Ci:6:003:0 0 18 = 12034c00 6f006700 69007400 65006300 6800
ffff8100aa4a0540 20775125 S Co:6:003:0 s 00 09 00

The format of this dump is well documented in a text file in the kernel source tree under Documentation/. You can also get it here. This output is really helpful.
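To make the dump format concrete, here is a small Python parser for lines of the 't' format shown above (URB tag, timestamp in microseconds, event type, address word, status or setup packet, length, data tag, data words). It is an added example, not code from the post or from gPXE; the two input lines are the GET_DESCRIPTOR(DEVICE) request and its 18-byte completion taken from the dump, and the descriptor field names follow the USB device descriptor layout.

```python
import re
from dataclasses import dataclass

# Sample input: two lines taken from the 't' dump above, the GET_DESCRIPTOR(DEVICE)
# request to device 3 on bus 6 and the 18-byte completion that answers it.
SAMPLE = [
    "ffff8100aa4a0540 20735354 S Ci:6:003:0 s 80 06 0100 0000 0012 18 <",
    "ffff8100aa4a0540 20741001 C Ci:6:003:0 0 18 = 12010002 00000008 6d0419c0 01430102 0001",
]
ADDR = re.compile(r"([CZIB])([io]):(\d+):(\d+):(\d+)")  # xfer type, dir, bus, dev, ep

@dataclass
class Event:
    event: str      # S = submission, C = callback (completion), E = error
    xfer: str       # C/Z/I/B = control/isochronous/interrupt/bulk
    direction: str  # i = device-to-host, o = host-to-device
    bus: int
    device: int
    endpoint: int
    setup: dict     # decoded setup packet on control submissions, else {}
    length: int
    data: bytes     # payload when the line carries '=' data words

def parse_line(line: str) -> Event:
    f = line.split()  # tag, timestamp(us), event, address, status/setup, length, tag, data...
    xfer, d, bus, dev, ep = ADDR.fullmatch(f[3]).groups()
    setup, i = {}, 5
    if f[4] == "s":   # 's' = a setup packet follows: bmRequestType bRequest wValue wIndex wLength
        names = ("bmRequestType", "bRequest", "wValue", "wIndex", "wLength")
        setup = dict(zip(names, (int(x, 16) for x in f[5:10])))
        i = 10
    length = int(f[i]) if i < len(f) else 0           # short lines (e.g. a cut-off dump) tolerated
    data = b""
    if i + 1 < len(f) and f[i + 1] == "=":            # '=' means data words follow, '<'/'>' none
        data = bytes.fromhex("".join(f[i + 2:]))      # each word is 4 bytes in wire order
    return Event(f[2], xfer, d, int(bus), int(dev), int(ep), setup, length, data)

def decode_device_descriptor(d: bytes) -> dict:
    """Standard 18-byte USB device descriptor; multi-byte fields are little-endian."""
    le16 = lambda o: int.from_bytes(d[o:o + 2], "little")
    return {"bcdUSB": le16(2), "bMaxPacketSize0": d[7], "idVendor": le16(8),
            "idProduct": le16(10), "bcdDevice": le16(12), "iManufacturer": d[14],
            "iProduct": d[15], "bNumConfigurations": d[17]}

if __name__ == "__main__":
    req, resp = (parse_line(l) for l in SAMPLE)
    print(req.setup)     # wValue 0x0100: descriptor type 1 (DEVICE), index 0; wLength 18
    print(decode_device_descriptor(resp.data))   # idVendor 0x046d, idProduct 0xc019
```

The decoded vendor and product ids match the string descriptors later in the dump ("Logitech", "USB Optical Mouse").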

This technique is used by device driver writers. The device they intend to write a driver for is passed through to QEMU, they run an OS such as Windows inside it, and when the Windows driver interacts with the device the traffic can be snooped. Looking at this data, people write reverse-engineered drivers!


One Response to “USB Data Snooping”


hmm. hadn’t been here in a long time. missed a lot!

now added into google reader. can rest in peace.
