Re: reverse-engineering a usb device

[Christoph Gysin <christoph.gysin@xxxxxxxxxx>]

2009/2/13 Microbit_P43000 <microbit@xxxxxxxxxxxxxxxxxxxxxx>:
> I haven't used SnoopyPro in ages, but IIRC (not sure) you could filter on
> certain protocols.

Unfortunately SnoopyPro-0.22 (latest release) doesn't support any filtering.

> If so, a lot of the mass storage uses RBC commands (scsi), if you can
> suppress those, the log would be dramatically reduced I think.

Yeah, that was my idea. Does anybody know of a (free) tool that is
capable of filtering these commands?

> Else you would need to wait till enum and all RBC traffic has settled a bit
> and then start a new log while you press the button. Perhaps you might catch
> it that way ?

The traffic from/to the device doesn't seem to settle. It keeps on
flooding the log. Around 100 pakets per second. After ~25s:

up   25.875	BULK_OR_INTERRUPT_TRANSFER	-	0x00000000
down 25.875	BULK_OR_INTERRUPT_TRANSFER	00 00 00 00 7f 20 00 00	
up   25.875	BULK_OR_INTERRUPT_TRANSFER	70 00 02 00 00 00 00 0a	0x00000000
down 25.875	BULK_OR_INTERRUPT_TRANSFER	55 53 42 43 08 8d e2 81	
up   25.875	BULK_OR_INTERRUPT_TRANSFER	55 53 42 53 08 8d e2 81	0x00000000
down 25.875	BULK_OR_INTERRUPT_TRANSFER	55 53 42 43 08 8d e2 81	
up   25.891	BULK_OR_INTERRUPT_TRANSFER	-	0x00000000
down 25.891	BULK_OR_INTERRUPT_TRANSFER	00 00 00 00 00 00 00 00	
up   25.891	BULK_OR_INTERRUPT_TRANSFER		0xc0000004
down 25.891	RESET_PIPE		
up   25.891	RESET_PIPE		0x00000000
down 25.891	BULK_OR_INTERRUPT_TRANSFER	55 53 42 43 08 8d e2 81	
up   25.891	BULK_OR_INTERRUPT_TRANSFER	55 53 42 53 08 8d e2 81	0x00000000
down 25.891	BULK_OR_INTERRUPT_TRANSFER	55 53 42 43 08 8d e2 81	
up   25.891	BULK_OR_INTERRUPT_TRANSFER	-	0x00000000
down 25.891	BULK_OR_INTERRUPT_TRANSFER	00 00 00 00 00 00 00 0a	
up   25.891	BULK_OR_INTERRUPT_TRANSFER	70 00 02 00 00 00 00 0a	0x00000000
down 25.891	BULK_OR_INTERRUPT_TRANSFER	55 53 42 43 08 8d e2 81	
up   25.891	BULK_OR_INTERRUPT_TRANSFER	55 53 42 53 08 8d e2 81	0x00000000
down 25.891	BULK_OR_INTERRUPT_TRANSFER	55 53 42 43 d0 1c ed 81	
up   25.906	BULK_OR_INTERRUPT_TRANSFER	-	0x00000000
down 25.906	BULK_OR_INTERRUPT_TRANSFER	00 00 00 00 00 00 00 00	
up   25.906	BULK_OR_INTERRUPT_TRANSFER		0xc0000004
down 25.906	RESET_PIPE		
up   25.906	RESET_PIPE		0x00000000
down 25.906	BULK_OR_INTERRUPT_TRANSFER	55 53 42 43 d0 1c ed 81	
up   25.906	BULK_OR_INTERRUPT_TRANSFER	55 53 42 53 d0 1c ed 81	0x00000000
down 25.906	BULK_OR_INTERRUPT_TRANSFER	55 53 42 43 d0 1c ed 81	
up   25.906	BULK_OR_INTERRUPT_TRANSFER	-	0x00000000
down 25.906	BULK_OR_INTERRUPT_TRANSFER	70 00 02 00 00 00 00 0a	
up   25.906	BULK_OR_INTERRUPT_TRANSFER	70 00 02 00 00 00 00 0a	0x00000000

> I don't seem to recall anything in RBC about reporting events such as button
> presses.
> I would expect that an interrupt pipe is used for that.

I thought so too, but I see only two enpoints of type bulk for IN/OUT:

$ sudo lsusb -d 0781:b7b9 -v

Bus 001 Device 006: ID 0781:b7b9 SanDisk Corp.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x0781 SanDisk Corp.
  idProduct          0xb7b9
  bcdDevice           18.04
  iManufacturer           3 SanDisk
  iProduct                4 SDDR-189
  iSerial                 5 2008081401127
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           32
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk (Zip)
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0000
  (Bus Powered)

Thanks for your help,
Chris
-- 
echo mailto: NOSPAM !#$.'<*>'|sed 's. ..'|tr "<*> !#:2" org@fr33z3

--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ