DevelopersUSB Sniffing in Linux » History » Version 7

Daniel Clemmensen, 02/24/2019 01:05 PM

h1. DevelopersUSB Sniffing in Linux

In a nutshell:

* Run the Windows program to be sniffed under "Wine":https://www.winehq.org
* Use "Wireshark":https://www.wireshark.org (preferably the batch-mode Tshark variant) to capture the USB traffic between the program and the cable
* Use Tshark (or Wireshark) to filter the captured data down to the cable's traffic
* Use a small program to post-process the data into an easily-read form.

h2. The Problem

To write a driver, we first need to analyze the radio's serial communications protocol. Simple methods such as interposing a hardware sniffer on the serial link may work, but some protocols have timing constraints that cause these methods to fail. We avoid this by intercepting the communications inside the OS, which is passive and adds nothing to the data path. There are ways to do this inside Windows, but you may prefer to use a Linux system.

h2. Approach

Wine and tshark/wireshark are part of most major Linux distributions and can be built for most others (running an x86 Windows program under Wine requires an x86-compatible system). We use Wine to provide a Windows API environment and run the manufacturer's software under it. Wine maps the Linux serial device that the USB cable creates (e.g., /dev/ttyUSB0) to a Windows COM port, so the application talks to the cable exactly as it would on Windows. Linux has a facility called _usbmon_ that exposes the USB traffic on each bus as the program reads and writes the serial port; it shows every USB request block (URB) on that bus, not just the serial payload, so the capture must later be filtered down to the cable. The Wireshark application (and the batch-mode Tshark application) run under Linux, read from usbmon, and actually capture the data. Finally, a small post-processing application extracts the serial data bytes and presents them in an easily-usable fashion.

h2. Prerequisites

* a Linux system with usbmon support (the usbmon kernel module; if no usbmon interfaces appear in the output of "tshark -D", load it with "modprobe usbmon")
* root login privileges (the usbmon interfaces are readable only by root unless you have granted capture rights some other way)
* Wine installed
* USB programming cable
* Manufacturer's radio programming application
* wireshark/tshark installed

h2. Initial setup

* Determine the Linux name of the serial cable USB device (e.g., /dev/ttyUSB0). Wine makes the Linux serial ports available as COM ports through symbolic links. To see the mapping, use
<pre>
   ls -l ~/.wine/dosdevices/
</pre>
If no COM link points at your cable's device, add one in that directory yourself (Wine names them com1, com2, and so on).
* Run the application under Wine and configure it to use the "Windows" COM port that Wine maps to your cable.
* Use the application to program your radio, to verify that everything works.
* Determine the cable's device ID. This is the USB vendor ID: the four hex digits before the colon in the "ID vvvv:pppp" column of
<pre>
   lsusb
</pre>
(for example, 067b for a Prolific PL2303-based cable). The vendor ID is the same every time the cable is plugged in, unlike the "Device" number on the same line.
* Exit the application.
* Set up an empty directory for your capture work. Download and copy the two script files and the "tidy.c" program (links at the end of this page) into your directory.
* If you only have one cable, you may choose to modify the start_trace.sh script to replace the command-line parameter ($1) with the device ID.
* Compile tidy:
<pre>
   gcc tidy.c -o tidy
</pre>

h2. Perform a capture

To perform the capture, we must start the capture program, then start the communications interaction and wait for it to finish, then stop the capture, and finally post-process the captured data. Unfortunately, there is no obvious way to automate the timing of these steps, so you must do them manually. The capture script captures everything on the USB bus shared by the cable, so don't wander away to take a coffee break between the time you start the capture and the time you stop it. You can probably capture more than 30 minutes without straining your system unless the same bus also carries a high-bandwidth device such as a disk, a gigabit Ethernet adapter, or a video device.

* Open a console, navigate to your trace directory, and log in as root.
* Run the application under Wine. Do any preliminary setup in the application, but do not communicate with the radio yet.
* In the console, start the capture on your device. If the device ID is 067b:
<pre>
   ./start_trace.sh 067b
</pre>
* In the application, initiate the serial data interaction.
* Wait for the interaction to finish.
* In the console, stop the capture program with ^C. (Yes, it's ugly, but tshark handles the interrupt cleanly and closes the capture file.)
* Note the USB device number printed by the capture script. This is the "Device" number from the lsusb line, not the device ID; it is assigned when the cable is plugged in and changes if you unplug and replug it, so the cleanup step must use the number from this capture.
* Log out as root.
* (Optional) exit the application.
* Run the cleanup script using the USB device number. If the device number is 11:
<pre>
   ./clean.sh 11
</pre>
* The captured data is in a file named "radiotrace".

h2. Other considerations

Some protocols have tight timing constraints. The raw capture data contains precise (microsecond) timestamps for every URB, but the three provided scripts do not retain them. If you need this data, you must read the Tshark documentation and modify the scripts. The documentation is opaque, and you may find it easier to start by browsing the capture file in Wireshark.

Some protocols use the serial modem-control signals (DTR, RTS), change the serial I/O speed, or perform other unusual functions. On a USB serial cable these operations are control transfers to the cable's control endpoint rather than bulk transfers on the data endpoints, and the three scripts ignore them. Again, if you think you need to see this, modify the scripts and/or use Wireshark.
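The capture and cleanup pipeline from "Perform a capture", plus the two gaps noted under "Other considerations" (timestamps are kept, and the control transfers can be shown), as an added example. It is not part of this page and is not the start_trace.sh, clean.sh or tidy.c scripts the page refers to. It assumes tshark and awk are installed, that bus N is exposed as the usbmonN interface, and that Wireshark's field names usb.device_address, usb.src, usb.dst, usb.transfer_type and usb.capdata apply; the function names usb_find_device, usb_capture, usb_extract and usb_tidy are this example's own. The lsusb lines and URB records embedded in it are constructed sample data, not a real capture.

```shell
#!/bin/sh
# usbsniff.sh: added example for this page, not the start_trace.sh, clean.sh
# or tidy.c referred to above. It does the same three jobs with tshark and
# awk: locate the cable, capture its traffic from usbmon, and tidy the serial
# payload into readable lines. All function names are this example's own.

# Constructed sample of "lsusb" output (labelled sample data, not from a real
# system) so usb_find_device can be exercised without hardware.
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 011: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub'

# Constructed sample of usb_extract output (tab separated: relative time,
# usb.src, usb.dst, usb.capdata). The middle record is an OUT completion with
# no payload, which usb_tidy must skip.
SAMPLE_URBS=$(printf '0.001234\thost\t1.11.2\t50:52:4f:47:52:41:4d\n0.010000\t1.11.2\thost\t\n0.020000\t1.11.1\thost\t06\n')

# usb_find_device VENDOR_ID   (lsusb output on stdin)
# Prints "BUS DEVNUM" for the first device whose "ID vvvv:pppp" field starts
# with VENDOR_ID ("067b" or "067b:2303"). Leading zeros are dropped because
# the usbmon interface is usbmonBUS and Wireshark's usb.device_address is the
# plain decimal device number, which lsusb shows zero padded.
usb_find_device() {
    awk -v vid="$1" '
        BEGIN { sub(/:.*/, "", vid) }
        $1 == "Bus" && $3 == "Device" && $6 ~ ("^" vid ":") {
            sub(/:$/, "", $4)
            printf "%d %d\n", $2, $4
            exit
        }'
}

# usb_capture BUS DEVNUM OUTFILE [SECONDS]
# Runs tshark on usbmonBUS (module usbmon must be loaded; needs root or
# capture rights). A usbmon capture sees every device on the bus, so the
# display filter (-Y) keeps only URBs to or from our device address before
# they are written. Stop it with Ctrl-C, which tshark handles cleanly, or
# give SECONDS to let "-a duration" stop it for you.
usb_capture() {
    bus=$1; dev=$2; out=$3; secs=${4:-}
    if [ -n "$secs" ]; then
        tshark -i "usbmon$bus" -Y "usb.device_address == $dev" -a "duration:$secs" -w "$out"
    else
        tshark -i "usbmon$bus" -Y "usb.device_address == $dev" -w "$out"
    fi
}

# usb_extract DEVNUM PCAPFILE
# Reads the capture back and prints the bulk URBs that carry serial data as
# tab-separated fields: relative time, usb.src, usb.dst, payload hex.
# usb.transfer_type 0x03 is URB_BULK; drop that clause (and add
# -e usb.bmRequestType) to also see the control transfers that set the baud
# rate or the DTR/RTS lines, which this page's scripts ignore.
usb_extract() {
    tshark -r "$2" -T fields \
        -Y "usb.device_address == $1 && usb.transfer_type == 0x03 && usb.capdata" \
        -e frame.time_relative -e usb.src -e usb.dst -e usb.capdata
}

# usb_tidy   (usb_extract output on stdin)
# Turns each URB into "<seconds> OUT|IN <hex bytes> |<ascii>|". usb.src is
# "host" for host-to-device (OUT) transfers and "bus.dev.endpoint" for
# device-to-host (IN) completions. tshark prints the bytes as "50:52:4f", so
# the colons are stripped before decoding. Non-printable bytes become ".".
usb_tidy() {
    awk -F '\t' '
        BEGIN { digits = "0123456789abcdef" }
        NF >= 4 && $4 != "" {
            dir = ($2 == "host") ? "OUT" : "IN"
            hex = tolower($4)
            gsub(/:/, "", hex)
            spaced = ""; ascii = ""
            for (i = 1; i <= length(hex); i += 2) {
                byte = substr(hex, i, 2)
                v = (index(digits, substr(byte, 1, 1)) - 1) * 16 + index(digits, substr(byte, 2, 1)) - 1
                spaced = spaced (i > 1 ? " " : "") byte
                ascii = ascii ((v >= 32 && v <= 126) ? sprintf("%c", v) : ".")
            }
            printf "%s %-3s %s |%s|\n", $1, dir, spaced, ascii
        }'
}

# Typical use as root, with the cable plugged in and the application idle:
#   set -- $(lsusb | usb_find_device 067b)      # -> "1 11" on the sample above
#   usb_capture "$1" "$2" radiotrace.pcapng     # Ctrl-C once the radio is done
#   usb_extract "$2" radiotrace.pcapng | usb_tidy > radiotrace
# "sh usbsniff.sh demo" runs usb_tidy over the constructed sample records.
case ${1:-} in
    demo) printf '%s\n' "$SAMPLE_URBS" | usb_tidy ;;
esac
```

The relative timestamp in the first column is what the page's scripts drop; swap frame.time_relative for frame.time_epoch if you need absolute times. If your cable is FTDI based and a recent Wireshark dissects the bulk payload itself, usb.capdata may be empty; in that case disable the FTDI dissector for the extraction step with tshark's --disable-protocol option (look the protocol name up with "tshark -G protocols").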