Understand USB (in Linux)

Similar documents
How to fix Usually Slightly Broken devices and drivers?

Debugging Usually Slightly Broken Devices and Drivers

RINGDALE USB (UNIVERSAL SERIAL BUS) HID RELAY CONTROLLER (1543)

UC20 WinCE USB Driver

ARM Cortex core microcontrollers

TP-Link USB Port Hub Model UH700 Power 12V==2A

S1R72U06 Technical Manual

Serial Communications

Universal Serial Bus Device Class Definition Billboard Devices

Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions

Universal Serial Bus Device Class Definition For Content Security Devices

Future Technology Devices International Ltd. Application Note AN_168. Vinculum-II USB Slave. Customizing an FT232 Device

Serial Communications

Application Note: AN00136 USB Vendor Specific Device

Device Wire Adapter (DWA) Test Specification. Designed using the Certified Wireless USB Base Specification, Revision 1.0

PL-25A1 Hi-Speed USB Host-to-Host Bridge Controller (Chip Revision B) Product Datasheet

USB INTERFACE SPECIFICATION

Hacking the Kinect. Created by lady ada. Last updated on :21:33 AM UTC

AN USB HID Intermediate with PSoC 3 and PSoC 5LP. Contents. 1 Introduction

Universal Serial Bus Device Class Definition for Mass Storage Devices

Application Note. 32-bit Cortex -M0 MCU NuMicro Family. Application Note of NUVOTON 32-bit NuMicro Family

Application Note AN_164. Vinculum-II USB Slave. Writing a Function Driver

CM6327A USB Single-Chip Audio Solution for Mono Microphone

QNX Momentics DDK. Universal Serial Bus (USB) Devices. For QNX Neutrino or QNX , QNX Software Systems Ltd.

AN2554. Creating a Multi-LUN USB Mass Storage Class Device Using the MPLAB Harmony USB Device Stack INTRODUCTION CONTROL TRANSFERS

PL-2305 USB to Printer Bridge Controller (Chip Rev I) Product Datasheet

Universal Serial Bus Device Class Definition for Printing Devices

QNX Momentics DDK. Universal Serial Bus (USB) Devices. For QNX Neutrino or QNX , QNX Software Systems GmbH & Co. KG.

CM6327A USB Audio Single Chip Solution for Mono Microphone

Using the HT66FB5x0 for 2D Joystick Applications C Language Example

Embedded USB Drive. Preliminary Release. Revision History. July 14, 2006

PL-2507 Hi-Speed USB 2.0 to IDE Bridge Controller Preliminary Datasheet

Introduction to USB. Alan Ott SCaLE 15x March 2-5, 2017

Creating a USB Audio Device on a PIC32 MCU Using MPLAB Harmony

CM6120-S Best USB Audio Single Chip for PC Speakers Solution

Virtualised USB Fuzzing using QEMU and Scapy

Revision History. Rev Date Details A October 14, 2008 New release of Short and Legacy eusb Spec with SM325AC controller

Direct IP. Direct IP Integration Guide Rev 1.0 Distribution under NDA only

PL-2533 Hi-Speed USB MS PRO / MS / SD / MMC Card Reader Controller IC Product Datasheet

Part 1 - Introduction to USB

CM6307A USB Audio Single Chip with Array Microphone

HS-100 USB Audio Single Chip

Kernel USB Gadget Configfs Interface. Matt Porter Linaro

USS-720 Instant USB USB-to-IEEE* 1284 Bridge

JSR80 API Specification

SMART MODULAR eusb Drive

LZ85202 IrDA Control Host Controller with USB Interface User s Guide

PL-2507C Hi-Speed USB 2.0 to IDE Bridge Controller Product Datasheet

Universal Serial Bus - USB 2.0

Universal Serial Bus Device Class Definition for Video Devices: Video Device Examples. Revision 1.0

PL-2303X Edition (Chip Rev A) USB to Serial Bridge Controller Product Datasheet

I/O Management Software. Chapter 5

Universal Serial Bus Mass Storage Class. Bulk-Only Transport

CM Bit Stereo USB Audio Controller. Datasheet Version 1.01

EZ-USB AT2LP USB 2.0 to ATA/ATAPI Bridge

CM6120-XL USB 2CH Audio Controller for Speaker

Renesas USB MCU and USB ASSP

Computer Engineering Laboratory. MSc THESIS. PDP8 meets USB

ECE 471 Embedded Systems Lecture 30

Bootloader - Openmoko

Important Safety Notice

USB System Design in Sitara Devices Using Linux. [Part 6]: Use USB in Device Mode Bin Liu (EP, Processors)

Jürgen Beisert. Kritzel. This manual covers the hardware side of this project. Updated: April Page 1 of 25

Designing A Low Cost USB-PS/2 Combination Interface Mouse with the Cypress Semiconductor CY7C63723 encore USB Microcontroller

Application Note: AN00135 USB Test and Measurement Device

Design Of Linux USB Device Driver For LPC2148 Based Data Acquisition System Including GSM.

T24 Technical Manual Programming guide & advanced documentation. User Manual mantracourt.com

USB2.0 Device Controller SDK- Compiler

USB Complete. The Developer's Guide Fifth Edition. Jan Axelson. Lakeview Research LLC Madison, WI 53704

Development of an OpenOCD compatible Debugger for ARM - CMARMJTAG

CM119A High Integration/Low Cost USB Audio Controller

Testing and Debugging

CM6300 USB Audio Single Chip Specification

Interrupt transfers & USB 2.0 & USB 3.0. Group Members Mehwish Awan Mehwish Kiran

32-bit. Application Note. Microcontrollers. AVR32760: AVR32 UC3 USB DFU Bootloader Protocol. 1. Introduction. 1.1 Intended Audience. 1.

CM108B USB Audio Single Chip

TOUCH PANEL CONTROLLER. Delivery Specifications. Model Name: AHL-120N5

Human Interface Devices: Using Control and Interrupt Transfers

CY4611B FX2LP USB to ATA/CF Reference Design Notes

Universal Serial Bus Device Class Definition for Audio/Video Devices. Basic Device Profile (BDP) Release 1.0

David Harrison, Design Engineer for Model Sounds Inc.

Introduction to USB/LPC23xx

Renesas e 2 studio. Smart Configurator Application Examples: CMT, A/D, SCI, USB APPLICATION NOTE. Introduction. Target Device. Software Components

EZ-USB AT2 USB 2.0 To ATA/ATAPI Bridge

USB Feature Specification: Shared Endpoints

CM6308 USB Solution for Audio and Voice Applications

USB for Embedded Devices. Mohit Maheshwari Prashant Garg

Introduction USB Pisanje gonilnika USB. USB drivers

Dell SupportAssist Version 1.3 for Servers Reportable Items for Linux

EntréPad AES2501B FINGERPRINT SENSOR USB Interface Applications

CM101S+ USB 2CH Audio Controller

Certified Wireless USB Wire Adapter Model

UM0290 User manual. STR7/STR9 USB developer kit. Introduction

PDF created with pdffactory Pro trial version How USB Ports Work by Marshall Brain. Introduction to How USB Ports Work

Introducing Class-Level Decoding Video See a video demonstration of the new real-time class-level decoding feature of the Data Center Software.

Free (GPL) USB Firmware for Atmels AT90USB 8-bit microprocessor README 1

IMPORTANT NOTICE. As a result, the following changes are applicable to the attached document.

CM108AH Highly Integrated USB Audio I/O Controller

CM6302 USB High-Quality Dolby Headphone Solution

CLD SC58x CDC Library v.1.00 Users Guide Users Guide Revision For Use With Analog Devices ADSP-SC58x Series Processors. Closed Loop Design, LLC

Transcription:

Understand USB (in Linux) Krzysztof Opasiak Samsung R&D Institute Poland

1 Agenda What USB is about? Plug and Play How BadUSB works? May I have my own USB device? Q & A

What USB is about?

What Internet is about? It is about providing and using some services! Web pages File transfer Remote shell Mail Any other invented by programmer 3

4 How it is done? Usually it's well known client-server architecture

5 What USB is about? It is about providing and using some services! Additional storage Printing Ethernet External camera Any other invented by programmer

6 How it is done? In a very different way than Internet

USB Host vs USB Device HOST DEVICE Can be extended May extend USB HOST using some devices Has Type-A connector with some functionalities Has Type-B connector 7

How we connect them? 8

9 Logical vs physical topology Physical Logical

10 What is USB device? Piece of Hardware for providing desired functionality Piece of additional Hardware for USB communication USB protocol implementation Some useful protocol implementation

11 Endpoints Device may have up to 31 endpoints (including ep0) Each of them gets an unique Endpoint address Endpoint 0 may transfer data in both directions All other endpoints may transfer data in one direction: IN Transfer data from device to host OUT Transfer data from host to device

Endpoint types Control Bi-directional endpoint Used for enumeration Can be used for application Interrupt Transfers a small amount of low-latency data Reserves bandwidth on the bus Used for time-sensitive data (HID) 12

13 Endpoint types Bulk Used for large data transfers Used for large, time-insensitive data (Network packets, Mass Storage, etc). Does not reserve bandwidth on bus, uses whatever time is left over Isochronous Transfers a large amount of time-sensitive data Delivery is not guaranteed (no ACKs are sent) Used for Audio and Video streams Late data is as good as no data Better to drop a frame than to delay and force a re-transmission

14 USB bus USB is a Host-controlled bus Nothing on the bus happens without the host first initiating it. Devices cannot initiate any communication. The USB is a Polled Bus. The Host polls each device, requesting data or sending data.

15 What is USB host? Piece of hardware with some OS etc. Piece of USB Host side hardware (ehci, ohci, uhci, xhci) Drivers for USB hardware USB protocol implementation Drivers for some useful devices

Plug and Play

17 Step by step Plug in device Detect Connection Set address Get device info Choose a device driver Choose configuration Choose drivers for interfaces Use it ;)

Detect Connection 18

18 Detect Connection What with high-speed? We try to communicate using high speed. If successful the device is HS and FS otherwise.

19 Set address On plug-in device use default address 0x00 Only one device is enumerated at once Hosts assigns unique address for new device

20 Get device info Each USB world entity is described by data structure called descriptor Descriptors have different types, sizes and content But they all have a common header Field Size Value Description blength 1 Number Size of the Descriptor in Bytes bdescriptortype 1 Constant Device Descriptor (0x01) <data> blength - 2 NA Payload

21 Device descriptor Field Size Value Description blength 1 Number 18 bytes bdescriptortype 1 Constant Device Descriptor (0x01) bcdusb 2 BCD USB Specification Number which device complies too. bdeviceclass 1 Class Class Code (by USB Org) bdevicesubclass 1 SubClass Subclass Code (by USB Org) bdeviceprotocol 1 Protocol Protocol Code (by USB Org) bmaxpacketsize 1 Number Maximum Packet Size for Zero Endpoint. Valid Sizes are 8, 16, 32, 64 idvendor 2 ID Vendor ID (by USB Org) idproduct 2 ID Product ID (by Manufacturer) bcddevice 2 BCD Device Release Number imanufacturer 1 Index Index of Manufacturer String Descriptor iproduct 1 Index Index of Product String Descriptor iserialnumber 1 Index Index of Serial Number String Descriptor bnumconfigurations 1 Integer Number of Possible Configurations

22 Configuration Descriptor Field Size Value Description blength 1 Number Size of Descriptor in Bytes bdescriptortype 1 Constant Configuration Descriptor (0x02) wtotallength 2 Number Total length in bytes of data returned bnuminterfaces 1 Number Number of Interfaces bconfigurationvalue 1 Number Value to use as an argument to select this configuration iconfiguration 1 Index Index of String Descriptor describing this configuration bmattributes 1 Bitmap D7 Reserved, set to 1. D6 Self Powered D5 Remote Wakeup D4..0 Reserved, set to 0. bmaxpower 1 ma Maximum Power Consumption in 2mA units

23 Interface Descriptor Field Size Value Description blength 1 Number 9 Bytes bdescriptortype 1 Constant Interface Descriptor (0x04) binterfacenumber 1 Number Number of Interface balternatesetting 1 Number Value used to select alternative setting bnumendpoints 1 Number Number of Endpoints used for this interface binterfaceclass 1 Class Class Code (By USB Org) binterfacesubclass 1 SubClass Subclass Code (By USB Org) binterfaceprotocol 1 Protocol Protocol Code (By USB Org) iinterface 1 Index Index of String Descriptor Describing this interface

24 USB classes 00h Device Use class information in the Interface Descriptors 01h Interface Audio 02h Both Communications and CDC Control 03h Interface HID (Human Interface Device) 05h Interface Physical 06h Interface Image 07h Interface Printer 08h Interface Mass Storage 09h Device Hub 0Ah Interface CDC-Data 0Bh Interface Smart Card 0Dh Interface Content Security 0Eh Interface Video 0Fh Interface Personal Healthcare 10h Interface Audio/Video Devices 11h Device Billboard Device Class DCh Both Diagnostic Device E0h Interface Wireless Controller EFh Both Miscellaneous FEh Interface Application Specific FFh Both Vendor Specific

Device Info Summary Host gets info about new devices from suitable USB descriptors Most important data at this moment: idvendor idproduct bcddevice bdeviceclass bdevicesubclass bdeviceprotocol bmaxpower binterfaceclass binterfacesubclass binterfaceprotocol 25

26 Set Configuration Which configuration is the most suitable? We have enough power for it (bmaxpower?) It has at least one interface If device has only one config just use it Choose the one which first interface is not Vendor specific All interfaces of choosen configuration becomes enabled so let's use them

27 What USB driver really is? Piece of kernel code Usually provides something to userspace (network interface, tty, etc.) Implementation of some communication protocol

28 How to choose a suitable driver? struct usb_driver vs struct usb_device_driver When device needs special handling: Using VID and PID and interface id Driver probe()s for each interface in device that match vid and pid When driver implements some well defined, standardized protocol Using binterfaceclass, binterfacesubclass etc. Driver probe() for each interface which has suitable identity No matter what is the VID and PID Driver will not match if interface hasn't suitable class

Big picture 29

30 What's next? We have the driver which provides something to userspace but what's next? It depends on interface type: Network devices - Network manager should handle new interface setup Pendrives, disks etc - automount service should mount new block device Mouse, keyboard - X11 will start listening for input events And many many other things are going to be handled AUTOMATICALLY without any user action

How BadUSB works?

32 USB security summary Between plug in and start using there is no user interaction Drivers are probed automatically Userspace starts using new device automatically Device introduce itself as it wants There is no relation between physical outfit and descriptors

My beautiful tablet 33

34 BadUSB attack scenario User connect hacked device Device looks like pendrive, tablet But sends descriptor taken from some keyboard And implements HID protocol Kernel creates new input source and X11 just starts using them

35 How dangerous it is? I just downloaded image and changed the background but what else it can do? There is a version of this attack which spoofs DNS on host and redirects them to USB device Any command which doesn't require sudo can be executed anything! anything! anything!

36 How to protect? Don't connect unknown devices found on a street Limit number of input source to X11 Use device authorization Use interface authorization

37 Device/interface authorization Each USB device has authorized attribute in sysfs directory Each HCD has authorized_default entry in sysfs If we set this to false each new device on this bus will be unauthorized by default Drivers will not be able to bind to it This gives us time to use lsusb to check it

My tablet (once again) 38

May I have my own USB device?

40 Yes, you can! Need Suitable hardware Implementation of USB protocol Implementation of some useful protocol Solution Get some board with UDC controller (BBB, Odroid etc.) Use one from Linux kernel! A lot of protocols are available out of box in Linux kernel!

41 How to do this? That's a very good topic for tutorial! If you would like to learn this, feel free to join my tutorial: Wednesday, 14:00 room: Liffey Hall 2

Q & A

43 Thank you! Krzysztof Opasiak Samsung R&D Institute Poland +48 605 125 174 k.opasiak@samsung.com

44 References Tame The USB gadgets Talkative Beast, Krzysztof Opasiak Make your own USB gadget, Andrzej Pietrasiewicz USB and the Real World, Alan Ott USB in a Nutshell USB specification BadUSB attack

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback