Fun with HexInject and USB protocols

Did you know that pcap (http://www.tcpdump.org/) libraries can capture raw USB traffic?

I had noticed several times the presence of various USB interfaces in Wireshark, but so far I had never tried to play with them.

Similar interfaces should appear on your system. If they don't, you can refer to this guide: http://wiki.wireshark.org/CaptureSetup/USB

In this short post I just want to talk about a simple experiment I did with hexinject and awk: the recognition of mouse clicks.

The first thing to do is to find the port connected to the mouse. I'm sure there are more elegant ways to do it, but I just looked in Wireshark for the port receiving packets when the mouse is moved. From the image you can easily tell that, in my case, it's USB port 3 (usbmon3).

Then we can try to sniff on this port, performing various actions with the mouse, to see if we can understand at least part of the protocol used.

Captured data in the case of a left mouse click:

80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 8D 43 E7 4D 00 00 00 00 AA 38 00 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 01 00 00 00 00 00
80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C 8D 43 E7 4D 00 00 00 00 BD 38 00 00 8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00

Captured data in the case of a right mouse click:

80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 AB 43 E7 4D 00 00 00 00 A2 22 03 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 02 00 00 00 00 00
80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C AB 43 E7 4D 00 00 00 00 B4 22 03 00 8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00

The first dumped line is generated by the mouse, the second is the system acknowledgment. The byte at position 65 (01 in the left-click dump, 02 in the right-click dump) represents the button pressed. The bytes 06 00 00 00 06 00 at positions 33 to 38 allow us to recognise the type of action performed (a button action and not a mouse movement).

Using this information it's very easy to write an awk script that tells us the type of action performed:

#
# Analyze USB mouse protocol
# and print button actions
#
# use with:
#   source_program | awk --enable-switch -f mouse_click.awk
# or sometimes just:
#   source_program | gawk -f mouse_click.awk
#

/06 00 00 00 06 00 .+ 0[0-9] 00 00 00 00 00$/ {

    # button code check
    switch ($65) {
        case "00": print "click released";     break;
        case "01": print "left click";         break;
        case "02": print "right click";        break;
        case "03": print "left+right click";   break;
        case "04": print "central click";      break;
        default:   print "code " $65 " click"; break;
    }

}
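The awk script matches the record by pattern; the same dump can also be decoded field by field. The following Python decoder is an added example, not code from the post or from hexinject. It assumes the layout of the 64-byte Linux usbmon record that the capture interface produces (URB id, event type, transfer type, endpoint, device, bus, flags, timestamp, status, length, captured length, setup, interval, start frame, flags, descriptor count) and the HID boot-protocol mouse report that follows it (byte 0 is a button bitmask, bytes 1 to 3 are signed X, Y and wheel deltas; treating byte 3 as the wheel is an assumption, since the boot protocol only mandates the first three). It goes a little beyond the post by also decoding movements, which the awk regex deliberately skips. The first two sample lines are the left-click records copied from the post; the third is a constructed movement record.

```python
import struct
import sys
from typing import Optional

# Two usbmon records copied from the left-click dump in the post: the
# completion ('C') carrying the 6-byte HID report, then the re-submit ('S').
SAMPLE_LEFT_CLICK = [
    "80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 8D 43 E7 4D 00 00 00 00 "
    "AA 38 00 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 "
    "08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 01 00 00 00 00 00",
    "80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C 8D 43 E7 4D 00 00 00 00 "
    "BD 38 00 00 8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00",
]
# Constructed record (not from the post): no button, X = +5, Y = -3.
SAMPLE_MOVE = (
    "80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 8D 43 E7 4D 00 00 00 00 "
    "AA 38 00 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 "
    "08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 00 05 FD 00 00 00"
)

# Assumed usbmon record header: 64 bytes, little-endian.
USBMON_HDR = struct.Struct("<QBBBBHBBqiiII8sIIII")
XFER_TYPES = {0: "iso", 1: "intr", 2: "ctrl", 3: "bulk"}
BUTTON_NAMES = ["left", "right", "middle"]  # bits 0, 1, 2 of report byte 0


def parse_record(line: str) -> dict:
    """Split one hex dump line into the usbmon header fields and the payload."""
    raw = bytes.fromhex(line.replace(" ", ""))
    if len(raw) < USBMON_HDR.size:
        raise ValueError("record shorter than the 64-byte usbmon header")
    (_urb_id, event, xfer, epnum, devnum, busnum, _flag_setup, _flag_data,
     _ts_sec, _ts_usec, status, length, len_cap, _setup, interval,
     _start_frame, _xfer_flags, _ndesc) = USBMON_HDR.unpack_from(raw)
    data = raw[USBMON_HDR.size:USBMON_HDR.size + len_cap]
    return {
        "event": chr(event),            # 'S' submit, 'C' complete, 'E' error
        "xfer": XFER_TYPES.get(xfer, "?"),
        "endpoint": epnum & 0x7F,
        "direction": "IN" if epnum & 0x80 else "OUT",
        "bus": busnum,
        "device": devnum,
        "status": status,               # -115 (EINPROGRESS) on a submit
        "length": length,
        "len_cap": len_cap,             # 0 when no payload was captured
        "interval_ms": interval,
        "data": data,
    }


def decode_mouse_report(data: bytes) -> dict:
    """Decode a HID boot-protocol mouse report (buttons, X, Y, wheel)."""
    if len(data) < 3:
        raise ValueError("mouse report needs at least 3 bytes")
    buttons = [name for bit, name in enumerate(BUTTON_NAMES) if data[0] >> bit & 1]
    x, y = struct.unpack_from("<bb", data, 1)
    wheel = struct.unpack_from("<b", data, 3)[0] if len(data) > 3 else 0
    return {"buttons": buttons, "x": x, "y": y, "wheel": wheel}


def describe(line: str) -> Optional[str]:
    """Produce the same kind of message as the awk script for one dump line.
    Returns None for records with no captured report (the 'S' re-submit)."""
    rec = parse_record(line)
    if rec["event"] != "C" or rec["len_cap"] == 0:
        return None
    rep = decode_mouse_report(rec["data"])
    if rep["x"] or rep["y"] or rep["wheel"]:
        return f"move dx={rep['x']} dy={rep['y']} wheel={rep['wheel']}"
    if not rep["buttons"]:
        return "click released"
    return "+".join(rep["buttons"]) + " click"


if __name__ == "__main__":
    # Read hexinject output from a pipe, or fall back to the sample records.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LEFT_CLICK + [SAMPLE_MOVE]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        print(f"{rec['event']} bus{rec['bus']} dev{rec['device']} "
              f"ep{rec['endpoint']}{rec['direction']} status={rec['status']} "
              f"len_cap={rec['len_cap']} -> {describe(line)}")
```

Run stand-alone it decodes the embedded samples; piped after `hexinject -s -i usbmon3` it plays the role of the awk script. Decoding the header rather than matching a regex is what tells the two lines apart: the first is a completion of an interrupt IN transfer on endpoint 1 of device 2 on bus 3 with six captured bytes, the second is the kernel re-submitting the same URB with status -115 and nothing captured, which is why only the first one yields a click.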

Let’s try it:

$ sudo hexinject -s -i usbmon3 | awk -f mouse_click.awk
left click
click released
central click
click released
left+right click
click released
...

This successful experiment demonstrates the versatility of the "data oriented" approach used by hexinject. In the future I hope to look deeper into the USB protocol and maybe write a post that uses hexinject in USB injection mode (really cool IMHO).

At the moment I don't have a very in-depth knowledge of USB, but if you want to know the meaning of the rest of the dump you can refer to this document: http://www.usb.org/developers/devclass_docs/HID1_11.pdf, or this (shorter) tutorial: http://www.faculty.iu-bremen.de/birk/lectures/PC101-2003/14usb/FINAL%20VERSION/usb_protocol.html.
