Download as PDF, PPTX
Uploaded byLubomir Rintel
Reverse Engineering: Writing a Linux driver for an unknown device
The document discusses reverse engineering a Linux driver for an unknown USB video capture device. The key steps taken were: 1) Capturing traffic from the device when used in Windows to understand the frame format and endpoints. This revealed the device provides YUV video data over isochronous endpoints. 2) Developing a userspace program using libusb to replay the USB traffic and extract test image data to validate the frame format. 3) Creating a Linux kernel driver that interfaces with the USB and Video4Linux2 frameworks to provide the captured video as a video device to userspace programs through Videobuf2 buffers.
More Related Content
Similar to Reverse Engineering: Writing a Linux driver for an unknown device
![Linuxdd[1]](https://cdn.slidesharecdn.com/ss_thumbnails/linuxdd1-110927015846-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
Reverse Engineering: Writing a Linux driver for an unknown device
- 1. Reverse Engineering: Writing aLinux driver for an unknown device Ľubomír Rintel <lkundrak@v3.sk> OSSConf 2013, Žilina BTC: 1A28Etzh7zsK2Bq36qvPKJi18s53M9B2FU
- 2. Our device ● Unknown toLinux ● No documentation ● No Google hits for chip ● Desperate users in Ubuntu forums
- 4. The Plan ● Make itwork in Windows ● Capture what happens ● Find image data ● Mimic the behavior in userspace ● Transform into a kernel module
- 5.
- 6. USB Architecture ● Network ofHost, Hubs and Devices
- 7. USB Addresses ● Bus &Device number Host Device 1:1 Hub Device 2:1 Hub Device 2:2 Flash Drive Device 3:1 Mouse
- 8. USB Addresses $ lsusb Bus001 Bus 002 Bus 002 Bus 003 $ lsusb ... Device Device Device Device -v 001: 001: 002: 001: ID ID ID ID 1d6b:0002 1337:abcd 1337:0123 dead:b4b3 Linux Foundation 2.0 root hub Trololol USB 1.1 Hub Trololol Flash Drive Random Mouse
- 9. USB Device ● Self-describing ● Endpoints ● CONTROL ● INTERRUPT ● BULK ● ISOCHRONOUS ● Endpoints groupedinto Interfaces ● Interfaces grouped into Configurations
- 10. Our device Device Alternate setting0 Endpoints: Alternate setting 1 Endpoints: 0x81 Isochronous IN 0x81 Isochronous IN 0x82 Bulk IN 0x82 Bulk IN 0x83 Bulk IN 0x83 Bulk IN 0x84 Interrupt IN 0x84 Interrupt IN
- 11. The Plan ● Make itwork in Windows ● Capture what happens ● Find image data ● Mimic the behavior in userspace ● Transform into a kernel module
- 12.
- 13.
- 14. What did wesee ● Number of CONTROL requests ● ISOCHRONOUS packets once capture starts
- 15.
- 16. YUV2 Y Y Y Y U1 U1 U1U1 Y Y Y Y V1 V1 V1 V1 Y Y Y Y U2 U2 U2 U2 Y Y Y Y V2 V2 V2 V2
- 17. LibUSB ● We could replaythe traffic ● In userspace – no kernel hacking needed ● C, Python & Perl bindings ● Now we need to find start & end of the picture
- 18.
- 19. Frame format 88 0100 00 88 01 00 01 ... 88 01 02 cf ... cf 88 03 00 00 ... 00 00 00 00 • 15 Frame number ● Even/odd ● Chunk number 0 – 0x2cf = 719 ● 88 02 80 00 88 02 82 xx xx xx xx • 240 740 x 480 YUV2 Interlaced (NTSC)
- 21. To kernel! ● Booooring! ● A module ● USBframework ● ● Video4Linux2 ● ● Linux Device Drivers: http://lwn.net/Kernel/LDD3/ LWN Series: http://lwn.net/Articles/203924/ Videobuf2 ● LWN Article: http://lwn.net/Articles/447435/
- 22.
- 23. Video4Linux2 ● Provide a devicewith known API ● ● read(), write() ● ioctl() ● ● open(), close() mmap() Negotiate format with userspace
- 24. Videobuf2 ● Manages buffers offrames ● Connects to Video4Linux2 ● read(), write(), mmap() ● some ioctl()s – – Start/stop capture Exchange buffers with userspace
- 25. USB framework ● ● Setup thedevice Allocate buffers for exchange of data with device ● Handle start/stop ● Isochronous callbacks ● Copy data from USB buffers to Videobuf2 buffers
- 26.
- 27.
- 28. Questions? Found this useful?My Bitcoin address is: 1A28Etzh7zsK2Bq36qvPKJi18s53M9B2FU