Reverse Engineering: Writing a Linux driver for an unknown device
•
11 likes•13,409 views
The document discusses reverse engineering a Linux driver for an unknown USB video capture device. The key steps taken were: 1) Capturing traffic from the device when used in Windows to understand the frame format and endpoints. This revealed the device provides YUV video data over isochronous endpoints. 2) Developing a userspace program using libusb to replay the USB traffic and extract test image data to validate the frame format. 3) Creating a Linux kernel driver that interfaces with the USB and Video4Linux2 frameworks to provide the captured video as a video device to userspace programs through Videobuf2 buffers.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Reverse Engineering: Writing a Linux driver for an unknown device
Similar to Reverse Engineering: Writing a Linux driver for an unknown device (20)
More from Lubomir Rintel
Recently uploaded
Recently uploaded (20)
Reverse Engineering: Writing a Linux driver for an unknown device
- 1. Reverse Engineering: Writing a Linux driver for an unknown device Ľubomír Rintel <lkundrak@v3.sk> OSSConf 2013, Žilina BTC: 1A28Etzh7zsK2Bq36qvPKJi18s53M9B2FU
- 2. Our device ● Unknown to Linux ● No documentation ● No Google hits for chip ● Desperate users in Ubuntu forums
- 4. The Plan ● Make it work in Windows ● Capture what happens ● Find image data ● Mimic the behavior in userspace ● Transform into a kernel module
- 5. USB
- 6. USB Architecture ● Network of Host, Hubs and Devices
- 7. USB Addresses ● Bus & Device number Host Device 1:1 Hub Device 2:1 Hub Device 2:2 Flash Drive Device 3:1 Mouse
- 8. USB Addresses $ lsusb Bus 001 Bus 002 Bus 002 Bus 003 $ lsusb ... Device Device Device Device -v 001: 001: 002: 001: ID ID ID ID 1d6b:0002 1337:abcd 1337:0123 dead:b4b3 Linux Foundation 2.0 root hub Trololol USB 1.1 Hub Trololol Flash Drive Random Mouse
- 9. USB Device ● Self-describing ● Endpoints ● CONTROL ● INTERRUPT ● BULK ● ISOCHRONOUS ● Endpoints grouped into Interfaces ● Interfaces grouped into Configurations
- 10. Our device Device Alternate setting 0 Endpoints: Alternate setting 1 Endpoints: 0x81 Isochronous IN 0x81 Isochronous IN 0x82 Bulk IN 0x82 Bulk IN 0x83 Bulk IN 0x83 Bulk IN 0x84 Interrupt IN 0x84 Interrupt IN
- 11. The Plan ● Make it work in Windows ● Capture what happens ● Find image data ● Mimic the behavior in userspace ● Transform into a kernel module
- 14. What did we see ● Number of CONTROL requests ● ISOCHRONOUS packets once capture starts
- 16. YUV2 Y Y Y Y U1 U1 U1 U1 Y Y Y Y V1 V1 V1 V1 Y Y Y Y U2 U2 U2 U2 Y Y Y Y V2 V2 V2 V2
- 17. LibUSB ● We could replay the traffic ● In userspace – no kernel hacking needed ● C, Python & Perl bindings ● Now we need to find start & end of the picture
- 19. Frame format 88 01 00 00 88 01 00 01 ... 88 01 02 cf ... cf 88 03 00 00 ... 00 00 00 00 • 15 Frame number ● Even/odd ● Chunk number 0 – 0x2cf = 719 ● 88 02 80 00 88 02 82 xx xx xx xx • 240 740 x 480 YUV2 Interlaced (NTSC)
- 21. To kernel! ● Booooring! ● A module ● USB framework ● ● Video4Linux2 ● ● Linux Device Drivers: http://lwn.net/Kernel/LDD3/ LWN Series: http://lwn.net/Articles/203924/ Videobuf2 ● LWN Article: http://lwn.net/Articles/447435/
- 23. Video4Linux2 ● Provide a device with known API ● ● read(), write() ● ioctl() ● ● open(), close() mmap() Negotiate format with userspace
- 24. Videobuf2 ● Manages buffers of frames ● Connects to Video4Linux2 ● read(), write(), mmap() ● some ioctl()s – – Start/stop capture Exchange buffers with userspace
- 25. USB framework ● ● Setup the device Allocate buffers for exchange of data with device ● Handle start/stop ● Isochronous callbacks ● Copy data from USB buffers to Videobuf2 buffers
- 27. All done!
- 28. Questions? Found this useful? My Bitcoin address is: 1A28Etzh7zsK2Bq36qvPKJi18s53M9B2FU