
USB Reverse Engineering

Powered by RevSpace

Presented by
Hans de Goede

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License
Today's Topics
1. Looking at USB from the device driver POV
2. Endpoints
3. Interfaces
4. Descriptors
5. Descriptor types
6. Step by step instructions
7. Demo?
8. Questions
Looking at a USB device from the device driver point of view?
It's all about Interfaces and Endpoints!
Endpoints
A device driver talks to a USB device at the endpoint level. The USB stack creates a virtual pipe between each endpoint and the device driver, much like TCP/IP network sockets.
Interfaces
One device can have multiple functions, for example video and audio for a webcam.
Endpoints are grouped together per function in interfaces.
Device drivers bind to an interface, so one device can have multiple drivers bound to it.
The grouping and type of endpoints can be found in the USB descriptors of the device.
Descriptors
Endpoint Types
Control: short non-urgent messages; high latency, reliable data delivery
Bulk: large non-urgent messages; high latency, reliable data delivery
Interrupt: short urgent messages; low latency, reliable data delivery (max 64 bytes)
Isochronous: large urgent messages; low latency, unreliable delivery
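
As an added example (not from the original slides): a small Python parser that walks a raw configuration descriptor, groups endpoints per interface and decodes each endpoint's transfer type. The sample bytes are constructed for illustration, and the names `parse_config` and `SAMPLE` are hypothetical.

```python
import struct

# Endpoint bmAttributes bits 1..0 select the transfer type (USB 2.0 encoding order).
TRANSFER_TYPES = ("control", "isochronous", "bulk", "interrupt")
DT_INTERFACE, DT_ENDPOINT = 0x04, 0x05

def parse_config(blob):
    """Walk a raw configuration descriptor and group endpoints per interface."""
    interfaces, pos = [], 0
    while pos + 2 <= len(blob):
        length, dtype = blob[pos], blob[pos + 1]
        # Every descriptor starts with bLength, bDescriptorType. Reject bad lengths
        # so a truncated or malformed capture cannot loop forever or over-read.
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad bLength {length} at offset {pos}")
        body = blob[pos:pos + length]
        if dtype == DT_INTERFACE and length >= 9:
            interfaces.append({"number": body[2], "alt": body[3],
                               "class": body[5], "endpoints": []})
        elif dtype == DT_ENDPOINT and length >= 7:
            if not interfaces:
                raise ValueError("endpoint descriptor before any interface")
            (max_packet,) = struct.unpack_from("<H", body, 4)
            interfaces[-1]["endpoints"].append({
                "address": body[2] & 0x0F,
                "direction": "in" if body[2] & 0x80 else "out",
                "type": TRANSFER_TYPES[body[3] & 0x03],
                "max_packet": max_packet & 0x07FF,  # bits 10..0 hold the size
            })
        pos += length  # other (e.g. class-specific) descriptors are skipped
    return interfaces

# Constructed sample (not captured from a real device): one configuration with a
# vendor-specific interface (two bulk endpoints) and a HID interface (one interrupt).
SAMPLE = bytes.fromhex(
    "0902390002010080fa"   # configuration, wTotalLength = 57, 2 interfaces
    "0904000002ff000000"   # interface 0, class 0xff (vendor specific)
    "07058102000200"       # endpoint 1 IN, bulk, 512 bytes
    "07050202000200"       # endpoint 2 OUT, bulk, 512 bytes
    "090401000103000000"   # interface 1, class 0x03 (HID)
    "092111010001222000"   # class-specific HID descriptor, skipped by the parser
    "0705830308000a"       # endpoint 3 IN, interrupt, 8 bytes
)

if __name__ == "__main__":
    for itf in parse_config(SAMPLE):
        print(f"interface {itf['number']} class 0x{itf['class']:02x}")
        for ep in itf["endpoints"]:
            print("  ", ep)
```
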
Step by step instructions
1. Sniff USB traffic to the device
   Using a VM with USB redirection and Wireshark
   Using usbsnoop aka SniffUsb-2.0 under WinXP
2. Look at sniffed data until you see a pattern
3. Write a simple test app using libusb; or write a simple Linux device driver
4. Test; rinse; repeat
Demo?
Questions?

Contact:
hdegoede@redhat.com
Git repositories:
http://cgit.freedesktop.org/~jwrdegoede/