Fun with HexInject and USB protocols

Did you know that pcap (http://www.tcpdump.org/) libraries can capture raw USB traffic?

I had noticed several times the presence of various USB interfaces in Wireshark, but so far I’ve never tried to play with them:

Similar interfaces should appear on your system. If not, you can refer to this guide: http://wiki.wireshark.org/CaptureSetup/USB

In this short post I just want to talk about a simple experiment I did with hexinject and awk: the recognition of mouse clicks.

The first thing to do is to find the port connected to the mouse. I’m sure there are more elegant ways to do it, but I just looked in Wireshark at the port receiving packets when the mouse is moved. From the image you can easily tell that, in my case, it’s the USB port 3 (usbmon3).

Then we can try to sniff on this port, performing various actions with the mouse, to see if we can understand at least part of the protocol used.

Captured data in the case of a left mouse click:

80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 8D 43 E7 4D 00 00 00 00 AA 38 00 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 01 00 00 00 00 00
80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C 8D 43 E7 4D 00 00 00 00 BD 38 00 00 8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00

Captured data in the case of a right mouse click:

80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 AB 43 E7 4D 00 00 00 00 A2 22 03 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 02 00 00 00 00 00
80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C AB 43 E7 4D 00 00 00 00 B4 22 03 00 8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00

The first dumped line is generated by the mouse, the second is the system acknowledgment. The hexadecimal byte in bold (the 65th byte of the first line: 01 for the left click, 02 for the right click) represents the button pressed. Bytes in italic allow us to understand the type of action performed (a button action and not a mouse movement).

Using this information, it’s very easy to write an awk script that can tell us the type of action performed:

#
# Analyze USB mouse protocol
# and print button actions
#
# use with:
#   source_program | awk --enable-switch -f mouse_click.awk
# or sometimes just:
#   source_program | gawk -f mouse_click.awk
#

/06 00 00 00 06 00 .+ 0[0-9] 00 00 00 00 00$/ {

    # button code check
    switch ($65) {
        case "00": print "click released";     break;
        case "01": print "left click";         break;
        case "02": print "right click";        break;
        case "03": print "left+right click";   break;
        case "04": print "central click";      break;
        default:   print "code " $65 " click"; break;
    }

}

Let’s try it:

$ sudo hexinject -s -i usbmon3 | awk -f mouse_click.awk
left click
click released
central click
click released
left+right click
click released
...

This successful experiment demonstrates the extreme versatility of the “Data Oriented” approach used by hexinject. In the future I hope to dig deeper into the USB protocol and maybe write a post that uses hexinject in USB injection mode (really cool IMHO).

At the moment I don’t have a very in-depth knowledge of USB, but if you want to know the meaning of the rest of the dump, you can refer to this document: http://www.usb.org/developers/devclass_docs/HID1_11.pdf, or this shorter tutorial: http://www.faculty.iu-bremen.de/birk/lectures/PC101-2003/14usb/FINAL%20VERSION/usb_protocol.html.
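The first 64 bytes of each dumped line follow the layout of struct usbmon_packet from the Linux kernel's usbmon documentation, and the device data comes after them. The following is an added example, not code from the original post or from hexinject: it unpacks that header from hexinject-style hex lines and repeats the button check, generalised to any payload length. It assumes a little-endian capture host and that the first payload byte is a button bitmask; the names parse_line and button_event are illustrative.

```python
import struct
from collections import namedtuple

# 64-byte header laid out as struct usbmon_packet (kernel usbmon docs).
# "<" assumes a little-endian capture host, as in the dumps above.
HDR = struct.Struct("<QcBBBHccqiiII8siiII")
XFER = {0: "iso", 1: "interrupt", 2: "control", 3: "bulk"}
BUTTONS = ((0x01, "left"), (0x02, "right"), (0x04, "central"))

# event: 'S' = URB submitted, 'C' = completed, 'E' = error; status: negative errno
Urb = namedtuple("Urb", "event xfer endpoint direction device bus status payload")

def parse_line(line):
    """Decode one hexinject line (space-separated hex bytes) into an Urb."""
    raw = bytes.fromhex(line.strip())
    if len(raw) < HDR.size:
        raise ValueError("shorter than the usbmon header")
    (_id, typ, xfer, ep, dev, bus, _fs, _fd, _sec, _usec, status,
     _length, len_cap, _setup, _ival, _frame, _flags, _ndesc) = HDR.unpack_from(raw)
    payload = raw[HDR.size:]
    if len(payload) != len_cap:
        raise ValueError("payload size does not match the captured length")
    return Urb(typ.decode("latin-1"), XFER.get(xfer, "unknown"), ep & 0x0F,
               "IN" if ep & 0x80 else "OUT", dev, bus, status, payload)

def button_event(urb):
    """Mirror the awk pattern: a completed interrupt-IN report whose bytes
    after the button byte are all zero (a button action, not a movement)."""
    if (urb.event, urb.xfer, urb.direction) != ("C", "interrupt", "IN"):
        return None
    if not urb.payload or any(urb.payload[1:]):
        return None
    mask = urb.payload[0]  # assumption: first byte is a button bitmask
    names = [name for bit, name in BUTTONS if mask & bit]
    if mask & ~0x07:
        names.append("code 0x%02X" % (mask & ~0x07))
    return "+".join(names) + " click" if names else "click released"

# The four lines captured in the post (left click, then right click).
SAMPLE = [
    "80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 8D 43 E7 4D 00 00 00 00 AA 38 00 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 01 00 00 00 00 00",
    "80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C 8D 43 E7 4D 00 00 00 00 BD 38 00 00 8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00",
    "80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 AB 43 E7 4D 00 00 00 00 A2 22 03 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 02 00 00 00 00 00",
    "80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C AB 43 E7 4D 00 00 00 00 B4 22 03 00 8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00",
]

if __name__ == "__main__":
    for line in SAMPLE:
        urb = parse_line(line)
        print(urb.event, urb.xfer, urb.direction, urb.payload.hex(), button_event(urb))
```

The decoded bus number (3) matches the usbmon3 interface, and the 64-byte lines carry no payload, which is why only the 70-byte lines reach field 65 in the awk script.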


2 Comments

  1. hi there! hexinject is truly awesome, i have been looking for a tool like this one for a long while. but.. attempts to compile hexinject using OpenWRT toolchain fail:

    In file included from /home/danja/bits/openwrt/wap2102/staging_dir/toolchain-mips_gcc-4.5-linaro_uClibc-0.9.32/lib/gcc/mips-openwrt-linux-uclibc/4.5.4/../../../../mips-openwrt-linux-uclibc/sys-include/stdlib.h:209:0,
    from hexinject.h:13,
    from hexinject.c:8:
    /home/danja/bits/openwrt/wap2102/staging_dir/toolchain-mips_gcc-4.5-linaro_uClibc-0.9.32/lib/gcc/mips-openwrt-linux-uclibc/4.5.4/../../../../mips-openwrt-linux-uclibc/sys-include/sys/types.h:151:27: error: duplicate ‘unsigned’

    in other words there is something funny about stdlib.h.
    any chance to resolve this?

    greetings!

    • Hello,

      seems an uClibc problem…

      However I’ve tried to compile without stdlib.h:


      In file included from hexinject.c:9:0:
      hexstring.h: In function ‘hexstr_to_raw’:
      hexstring.h:128:17: warning: incompatible implicit declaration of built-in function ‘malloc’ [enabled by default]
      hexstring.h: In function ‘raw_to_hexstr’:
      hexstring.h:171:20: warning: incompatible implicit declaration of built-in function ‘malloc’ [enabled by default]

      But, as you can see, it gives a warning for the implicit declaration of ‘malloc’. It should work if you don’t care about the warnings…
      Otherwise you can try to delete some headers from hexinject.h, and leave only:


      #include "pcap.h"
      #include "stdio.h"
      #include "stdlib.h"
      #include "stdint.h"
      #include "getopt.h"
      #include "assert.h"
      #include "arpa/inet.h"

      I don’t know how the compilation for openwrt is supposed to work, so it may be better to ask in openwrt forum/list…

