From d9d9ba6c43b36178f281047ea2b9208b22af70a7 Mon Sep 17 00:00:00 2001 From: FreeArtMan Date: Wed, 31 Jul 2019 22:58:30 +0100 Subject: Updated webusb second revision --- md/writeup/webusb_example.md | 111 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 90 insertions(+), 21 deletions(-) (limited to 'md') diff --git a/md/writeup/webusb_example.md b/md/writeup/webusb_example.md index a98216b..717e77b 100644 --- a/md/writeup/webusb_example.md +++ b/md/writeup/webusb_example.md @@ -12,7 +12,6 @@ USB serail interface is cheap to get on any online shop here is quite common chip models CH341,PL2303. TODO -* describe how request decoded add py example code * describe initialisation phase * Describe how to send data on CH341 * Describe how to recieve data on CH341 @@ -149,21 +148,77 @@ serial.Port.prototype.vendorWrite = function(value,index) { ### CH341 chip request table -| | | -| --- | --- | +Check kernel soruce for more registers that is minimal request +list to run the code +| Request type | Recepient | Direction | Request | Value | +| --- | --- | --- | --- | --- | +| vendor | device | out | CH341_REQ_WRITE_REG | 0x9a | +| vendor | device | in | CH341_REQ_READ_REG | 0x95 | +| vendor | device | out | CH341_REQ_MODEM_CTRL | 0xa4 | -### PL2301 chip request table -| Request name | value | -| --- | --- | -| CP210_VENDOR_WRITE_REQUEST | | -| CP210_VENDOR_READ_REQUEST | | -| CP210_GET_LINE_REQUEST | | -| CP210_SET_LINE_REQUEST | | -| CP210_SET_CONTROL_REQUEST | | -| CP210_BREAK_REQUEST | | +### PL2301 chip request table + +Check linux kernel source for more requests + +| Request type | Recepient | Direction | Request | Value | +| --- | --- | --- | --- | --- | +| device | vendor | out | CP210_VENDOR_WRITE_REQUEST | 0x01 | +| device | vendor | in | CP210_VENDOR_READ_REQUEST | 0x01 | +| interface | class | in | CP210_GET_LINE_REQUEST | 0x21 | +| interface | class | out | CP210_SET_LINE_REQUEST | 0x20 | +| interface | class | out | CP210_SET_CONTROL_REQUEST | 0x22 | +| interface | class | out | CP210_BREAK_REQUEST | 0x23 | + + +### Python snippet to decode request type + +Sometime there is mentioned request type in kernel source. +For PL2303 driver source just give hex equvalent of it, so its need +to be decoded to create USB packet for js. + +```python +import sys + +i = int(sys.argv[1],16) +print(i) +d1 = i&0x1f +print("Recepient "+str(d1)), +if d1 == 0: + print(" device") +elif d1 == 1: + print(" interface") +elif d1 == 2: + print(" endpoint") +elif d1 == 3: + print(" other") +else: + print(" Unknown") + +d2 = ((i>>5)&0x3) +print("Request type "+str(d2)), +if d2 == 0: + print(" standart") +elif d2 == 1: + print(" class") +elif d2 == 2: + print(" vendor") +elif d2 == 3: + print(" reserved") +else: + print(" Unknown") + +d3 = ((i>>7)&0x1) +print("Direction "+str(d3)), +if d3 == 0: + print(" Out") +elif d3 == 1: + print(" In") +else: + print(" Unknown") +``` ## Sniffing USB traffic @@ -180,6 +235,13 @@ modprobe usbmon ls /sys/kernel/debug/usb/usbmon ``` +To see all usb interfaces with detailed info +``` +cat /sys/kernel/debug/usb/devices +``` +Here is quick look whant kind of interfaces device have, endpoint numner, +used power. + ``` T: Bus=01 Lev=04 Prnt=43 Port=03 Cnt=02 Dev#= 45 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=ff(vend.) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 @@ -197,6 +259,13 @@ cat /sys/kernel/debug/usb/usbmon/1u > /tmp/1.mon.out ``` ### Sniffed traffic example +example of sniffed trafic from usbmon +``` +ffff8c3203c21000 2726380350 S Co:2:022:0 s 40 9a 1312 b282 0000 0 +ffff8c3203c21000 2726380459 C Co:2:022:0 0 0 +ffff8c3203c21000 2726380480 S Co:2:022:0 s 40 9a 2518 00c3 0000 0 +ffff8c3203c21000 2726380636 C Co:2:022:0 0 0 +``` ## Thx @@ -206,14 +275,14 @@ cat /sys/kernel/debug/usb/usbmon/1u > /tmp/1.mon.out ## Source - +[http://git.main.lv/cgit.cgi/webusb.git/tree/](http://git.main.lv/cgit.cgi/webusb.git/tree/) ## Links -[https://www.mankier.com/8/usbmon](https://www.mankier.com/8/usbmon) -[https://www.kernel.org/doc/Documentation/usb/usbmon.txt](https://www.kernel.org/doc/Documentation/usb/usbmon.txt) -[https://elinux.org/images/1/17/USB_Debugging_and_Profiling_Techniques.pdf](https://elinux.org/images/1/17/USB_Debugging_and_Profiling_Techniques.pdf) -[https://developer.mozilla.org/en-US/docs/Web/API/USB](https://developer.mozilla.org/en-US/docs/Web/API/USB) -[https://developer.mozilla.org/en-US/docs/Web/API/USBDevice](https://developer.mozilla.org/en-US/docs/Web/API/USBDevice) -[https://github.com/ultibohub/Core/blob/master/source/rtl/ultibo/drivers/pl2303.pas](https://github.com/ultibohub/Core/blob/master/source/rtl/ultibo/drivers/pl2303.pas) -[https://github.com/torvalds/linux/blob/master/drivers/usb/serial/pl2303.c](https://github.com/torvalds/linux/blob/master/drivers/usb/serial/pl2303.c) -[https://www.beyondlogic.org/usbnutshell/usb1.shtml](https://www.beyondlogic.org/usbnutshell/usb1.shtml) +[1] [https://www.mankier.com/8/usbmon](https://www.mankier.com/8/usbmon) +[2] [https://www.kernel.org/doc/Documentation/usb/usbmon.txt](https://www.kernel.org/doc/Documentation/usb/usbmon.txt) +[3] [https://elinux.org/images/1/17/USB_Debugging_and_Profiling_Techniques.pdf](https://elinux.org/images/1/17/USB_Debugging_and_Profiling_Techniques.pdf) +[4] [https://developer.mozilla.org/en-US/docs/Web/API/USB](https://developer.mozilla.org/en-US/docs/Web/API/USB) +[5] [https://developer.mozilla.org/en-US/docs/Web/API/USBDevice](https://developer.mozilla.org/en-US/docs/Web/API/USBDevice) +[6] [https://github.com/ultibohub/Core/blob/master/source/rtl/ultibo/drivers/pl2303.pas](https://github.com/ultibohub/Core/blob/master/source/rtl/ultibo/drivers/pl2303.pas) +[7] [https://github.com/torvalds/linux/blob/master/drivers/usb/serial/pl2303.c](https://github.com/torvalds/linux/blob/master/drivers/usb/serial/pl2303.c) +[8] [https://www.beyondlogic.org/usbnutshell/usb1.shtml](https://www.beyondlogic.org/usbnutshell/usb1.shtml) -- cgit v1.2.3