The document discusses reverse engineering a Linux driver for an unknown USB video capture device. The key steps taken were:
1) Capturing traffic from the device when used in Windows to understand the frame format and endpoints. This revealed the device provides YUV video data over isochronous endpoints.
2) Developing a userspace program using libusb to replay the USB traffic and extract test image data to validate the frame format.
3) Creating a Linux kernel driver that interfaces with the USB and Video4Linux2 frameworks to provide the captured video as a video device to userspace programs through Videobuf2 buffers.
Reverse Engineering: Writing a Linux driver for an unknown device
1. Reverse Engineering: Writing a Linux driver for an unknown device
Ľubomír Rintel <lkundrak@v3.sk>
OSSConf 2013, Žilina
BTC: 1A28Etzh7zsK2Bq36qvPKJi18s53M9B2FU
2. Our device
● Unknown to Linux
● No documentation
● No Google hits for chip
● Desperate users in Ubuntu forums
4. The Plan
● Make it work in Windows
● Capture what happens
● Find image data
● Mimic the behavior in userspace
● Transform into a kernel module
7. USB Addresses
● Bus & Device number
Host
Device 1:1 Hub
Device 2:1 Hub
Device 2:2 Flash Drive
Device 3:1 Mouse
8. USB Addresses
$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1337:abcd Trololol USB 1.1 Hub
Bus 002 Device 002: ID 1337:0123 Trololol Flash Drive
Bus 003 Device 001: ID dead:b4b3 Random Mouse
$ lsusb -v
...
10. Our device
Device
Alternate setting 0
Endpoints:
0x81 Isochronous IN
0x82 Bulk IN
0x83 Bulk IN
0x84 Interrupt IN
Alternate setting 1
Endpoints:
0x81 Isochronous IN
0x82 Bulk IN
0x83 Bulk IN
0x84 Interrupt IN
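The endpoint layout on this slide is what the device reports in its USB descriptors. As an added example (not code from the original slides), this C program walks a raw descriptor blob and lists the endpoints of each alternate setting, rejecting bad bLength values because the bytes come from an untrusted device. The sample bytes (including the wMaxPacketSize and bInterval values), `struct ep` and `parse_endpoints` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
struct ep { uint8_t alt, addr, type; uint16_t maxpkt; };

/* Constructed sample: two alternate settings of interface 0, each with the
 * four endpoints from the slide; wMaxPacketSize/bInterval values are made up. */
static const uint8_t sample[] = {
    9, 4, 0, 0, 4, 0xff, 0, 0, 0,                 /* interface 0, alt 0 */
    7, 5, 0x81, 0x01, 0x00, 0x00, 1,  7, 5, 0x82, 0x02, 0x00, 0x02, 0,
    7, 5, 0x83, 0x02, 0x00, 0x02, 0,  7, 5, 0x84, 0x03, 0x08, 0x00, 8,
    9, 4, 0, 1, 4, 0xff, 0, 0, 0,                 /* interface 0, alt 1 */
    7, 5, 0x81, 0x01, 0x00, 0x04, 1,  7, 5, 0x82, 0x02, 0x00, 0x02, 0,
    7, 5, 0x83, 0x02, 0x00, 0x02, 0,  7, 5, 0x84, 0x03, 0x08, 0x00, 8,
};

/* Returns the number of endpoints stored in out[], or -1 if malformed. */
static int parse_endpoints(const uint8_t *buf, size_t len, struct ep *out, int max)
{
    size_t off = 0;
    int n = 0, alt = -1;
    while (off < len) {
        if (len - off < 2) return -1;     /* no room for bLength + bDescriptorType */
        uint8_t blen = buf[off], type = buf[off + 1];
        /* bLength 0 would loop forever; a too-long one reads past the buffer */
        if (blen < 2 || blen > len - off) return -1;
        if (type == 4) {                  /* interface descriptor */
            if (blen < 9) return -1;
            alt = buf[off + 3];           /* bAlternateSetting */
        } else if (type == 5) {           /* endpoint descriptor */
            if (blen < 7 || alt < 0 || n == max) return -1;
            out[n].alt = (uint8_t)alt;
            out[n].addr = buf[off + 2];     /* bit 7 set = IN, bits 0-3 = number */
            out[n].type = buf[off + 3] & 3; /* 0 ctrl, 1 iso, 2 bulk, 3 intr */
            out[n].maxpkt = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
            n++;
        }
        off += blen;                      /* other descriptor types are skipped */
    }
    return n;
}

int main(void)
{
    static const char *const names[] = { "Control", "Isochronous", "Bulk", "Interrupt" };
    struct ep eps[16];
    int n = parse_endpoints(sample, sizeof sample, eps, 16);
    for (int i = 0; i < n; i++)
        printf("alt %u: 0x%02x %-11s %s maxpkt %u\n", eps[i].alt, eps[i].addr,
               names[eps[i].type], eps[i].addr & 0x80 ? "IN" : "OUT", eps[i].maxpkt);
    return n < 0;
}
```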
11. The Plan
● Make it work in Windows
● Capture what happens
● Find image data
● Mimic the behavior in userspace
● Transform into a kernel module
16. YUV2
Y Y Y Y  U1 U1 U1 U1
Y Y Y Y  V1 V1 V1 V1
Y Y Y Y  U2 U2 U2 U2
Y Y Y Y  V2 V2 V2 V2
17. LibUSB
● We could replay the traffic
● In userspace – no kernel hacking needed
● C, Python & Perl bindings
● Now we need to find start & end of the picture
23. Video4Linux2
● Provide a device with known API
● open(), close()
● read(), write()
● ioctl()
● mmap()
● Negotiate format with userspace
24. Videobuf2
● Manages buffers of frames
● Connects to Video4Linux2
● read(), write(), mmap()
● some ioctl()s
– Start/stop capture
– Exchange buffers with userspace
25. USB framework
● Setup the device
● Allocate buffers for exchange of data with device
● Handle start/stop
● Isochronous callbacks
● Copy data from USB buffers to Videobuf2 buffers