DevelopersUSB Sniffing in Linux » History » Version 2

Daniel Clemmensen, 02/24/2019 09:55 AM
full initial page other than files

h1. DevelopersUSB Sniffing in Linux

In a nutshell:

* Run the Windows program to be sniffed under Wine
* Use Tshark (or Wireshark) to capture the USB protocol interactions
* Use Tshark (or Wireshark) to filter the captured data
* Use a small program to post-process the data into an easily-read form.

h2. The Problem

To write a driver, we need to first analyze the radio's serial communications protocol. Simple methods such as interposing a sniffer system may work, but some protocols have timing constraints that cause these methods to fail. We avoid this by intercepting the communications inside the OS. There are ways to do this inside Windows, but you may prefer to use a Linux system.

h2. Approach

We will use the Wine suite in Linux to provide a Windows API environment, and then run the manufacturer's software under Wine. Wine permits the application to use the USB cable connected to Linux. Linux has a facility called usbmon that permits capture of the USB protocol as the program reads and writes the serial port. The Wireshark application (and the batch-mode Tshark application) run under Linux, interact with usbmon, and actually capture the data. Finally, a small post-processing application can extract the actual serial data and present it in an easily-usable fashion.

h2. Prerequisites

* a Linux system that has usbmon support
* root login privileges
* Wine installed
* USB programming cable
* Manufacturer's radio programming application
* wireshark/tshark installed

h2. Initial setup

* Determine the Linux name of the serial cable USB device (e.g., /dev/ttyUSB0). Wine makes the Linux serial ports available as COM ports. To see the mapping, use
<pre>
   ls -l ~/.wine/dosdevices/
</pre>
* Run the application under Wine and configure it to use the correct "Windows" COM port as supplied by Wine.
* Use the application to program your radio, to verify that everything works.
* Determine the cable's device ID. Use
<pre>
   lsusb
</pre>
* Exit the application.

* Set up an empty directory for your capture work. Download and copy the two script files and the "tidy.c" program into your directory.
* If you only have one cable, you may choose to modify the start_trace.sh script to replace the command-line parameter ($1) with the device ID.
* Compile tidy:
<pre>
   gcc tidy.c -o tidy
</pre>

h2. Perform a capture

To perform the capture, we must start the capture program, then start the communications interaction and wait for it to finish, then stop the capture, and finally post-process the captured data. Unfortunately, there is no obvious way to automate the timing of these steps, so you must do them manually. The capture script captures everything on the USB bus shared by the cable, so don't wander away to take a coffee break between the time you start the capture and the time you stop it. You can probably capture more than 30 minutes without straining your system unless the same bus is supporting HDMI, disk, or GigE.

* Open a console, navigate to your trace directory, and log in as root.
* Run the application under Wine. Do any preliminary setup in the application, but do not communicate with the radio yet.
* In the console, start the capture on your device. If the device ID is 067b:
<pre>
   ./start_trace.sh 067b
</pre>
* In the application, initiate the serial data interaction.
* Wait for the interaction to finish.
* In the console, kill the capture program. (Use a ^C. Yes, it's ugly.)
* Note the USB device number printed by the capture script. (Yes, it's not the device ID.)
* Log out as root.
* (Optional) Exit the application.
* Run the cleanup script using the USB device number. If the device number is 11:
<pre>
   ./clean.sh 11
</pre>
* The captured data is in a file named "radiotrace".

h2. Other considerations

Some protocols may have tight timing constraints. While the raw capture data contains precision timestamps, the three provided scripts do not retain them. If you need this data, you must read the Tshark documentation and modify the scripts. The documentation is opaque. You may find it easier to start by using Wireshark.

Some protocols may use serial dataset signals, or change the serial I/O speed, or perform other unusual functions. These functions occur on subdevices of the USB cable device other than the data device. The three scripts ignore these subdevices. Again, if you think you need to see this, modify the scripts and/or use Wireshark.
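As an added example (not the project's tidy.c or its scripts), the post-processing step below, written in Python, keeps the timestamps and labels the direction of each transfer, which covers the first consideration above. It assumes the capture was first reduced with the tshark field export shown in the comment (the field names are real Wireshark fields; the file name and device number are placeholders), and the sample input is constructed.

```python
from dataclasses import dataclass
# Constructed sample of the assumed tshark export (time, endpoint address, payload;
#   the second line is a packet with no payload, as usbmon also records status/setup):
#   tshark -r radiotrace.pcap -Y 'usb.device_address == 11 && usb.capdata' \
#          -T fields -e frame.time_relative -e usb.endpoint_address -e usb.capdata
SAMPLE = """\
0.000000\t0x02\t50:52:4f:47:52:41:4d
0.000400\t0x83\t
0.000512\t0x83\t06
0.012000\t0x02\t02
0.012300\t0x83\t52:00
0.012800\t0x83\t04:00:10:ab:cd
"""

@dataclass
class Chunk:
    t: float        # seconds since capture start (kept, unlike the page's scripts)
    direction: str  # "OUT" = host to radio, "IN" = radio to host
    data: bytes

def parse_tshark_fields(text: str) -> list:
    """One Chunk per data-carrying packet; bit 7 of the endpoint address gives direction."""
    chunks = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or not fields[2]:
            continue  # blank line or packet without leftover capture data
        endpoint = int(fields[1], 16)  # accepts "0x83" or "83"
        chunks.append(Chunk(float(fields[0]), "IN" if endpoint & 0x80 else "OUT",
                            bytes.fromhex(fields[2].replace(":", ""))))
    return chunks

def merge_transactions(chunks, gap: float = 0.05) -> list:
    """Join consecutive same-direction chunks closer than `gap` seconds into one message."""
    merged, last_t = [], None
    for c in chunks:
        if merged and merged[-1].direction == c.direction and c.t - last_t <= gap:
            merged[-1] = Chunk(merged[-1].t, c.direction, merged[-1].data + c.data)
        else:
            merged.append(c)
        last_t = c.t
    return merged

def render(transactions) -> list:
    """One line per transaction: timestamp, direction, hex bytes, printable view."""
    out = []
    for c in transactions:
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in c.data)
        out.append(f"{c.t:9.4f} {c.direction:<3} {c.data.hex(' '):<32} |{text}|")
    return out
```

Run it as `print("\n".join(render(merge_transactions(parse_tshark_fields(SAMPLE)))))`; the 50 ms merge window is a guess that suits slow radio protocols and should be tuned to the timing seen in your own capture.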