On 2024-05-16 12:56, Ethin Probst wrote:
On Thursday, May 16th, 2024 at 00:19, Lars Melin <larsm17@xxxxxxxxx> wrote:
On 2024-05-16 05:12, Ethin Probst wrote:
I can also not find such a transition in your other two captures, all
descriptor readouts that include USB Id are 2b5a:000c.
This is what puzzles me as well. If I'm missing something it's at a
level that USBPcap can't capture. When I begin the capture, plug in
the device and power it on, the second packet is always the right
descriptor (pid 000d). There is no indicator in the capture that
commands are sent before that pid is received. As for the other
problem, yeah, that confused me too; I would've thought that another
get descriptor request would've been sent, but apparently not, because
when I remove the device from the VM and reattach it to the host, the
pid is correct.
You can set up a USBPcap filter on id.Vendor and id.Product (2b5a:000c)
so that the capture will not start until you connect your device.
It will stop capture (logging on screen will stop) when the device
transitions into 2b5a:000d so you can then close the pcap file.
The cmd making the transition should be near the end of your capture. :-)
Your IDA-disassembly is probably on the wrong file, I'd guess that the
.sys file in the driver directory corresponding to the .inf file for
the firmware loading Id is what handles firmware loading/checking.
best
Lars