Bus snooping/sniffing: Difference between revisions
Line 18: | Line 18: | ||
===Log parsers, format etc=== |
===Log parsers, format etc=== |
||
* [[http://mcentral.de/hg/~mrec/usbreplay/archive/tip.tar.gz parser.pl]] |
|||
* parser.pl |
|||
* [[usbmon2usbsnoop]] |
* [[usbmon2usbsnoop]] |
||
* [[http://linuxtv.org/hg/v4l-dvb/raw-file/tip/v4l2-apps/util/parse_em28xx.pl em28xx log parser]] |
|||
... |
... |
||
===Snooping Procedures:=== |
|||
* Use a Snopping utility to get the log. |
|||
* Group URB transactions into a shorter log by using a parser |
|||
* Identify the URB transactions at the control endpoint. URB transactions look like those: |
|||
40 02 00 00 ba 00 03 00 >>> 20 11 00 |
|||
{| class="wikitable" |
|||
|+'''URB fields''' |
|||
|- |
|||
| Byte || Meaning |
|||
|- |
|||
| 1 || {| bit 7 = 1 - read / 0 - write |
|||
bit 6 = 1 - Vendor Class |
|||
|- |
|||
| 2 || URB Request |
|||
|- |
|||
| 3-4 || URB Value in big endian |
|||
|- |
|||
| 5-6 || URB Index in big endian |
|||
|- |
|||
| 7-8 || URB message size in big endian |
|||
|- |
|||
|} |
|||
{| class="wikitable" |
|||
|+'''control URB examples ''' |
|||
| 40 00 00 00 08 00 01 00 >>> 3d || USB OUT, Vendor class, Req = 0, Value = 0x0000, Index = 0x0008, Size = 0x0001, Message = 0x3d |
|||
|- |
|||
| 40 02 00 00 ba 00 03 00 >>> 20 11 00 || USB OUT, Vendor class, Req = 0x02, Value = 0x0000, Index = 0x00ba, Size = 0x0003, Message = "0x20, 0x11, 0x00" |
|||
|- |
|||
| c0 00 00 00 15 00 01 00 <<< 00 || USB IN, Vendor class, Req = 0x00, Value = 0x0000, Index = 0x0015, Size = 0x0001, Message = "0x00" |
|||
|} |
|||
After getting the log, you should analyse and understand the meaning for your device. |
|||
In the case of [[Em28xx Devices | em28xx]], you can use the [[http://linuxtv.org/hg/v4l-dvb/raw-file/tip/v4l2-apps/util/parse_em28xx.pl em28xx log parser]] to proccess the URBs and the driver dmesg dumps (in the compact format as shown above) and print them into a more human way: |
|||
em28xx_write_reg(dev, EM28XX_R08_GPIO, 0x3d); |
|||
i2c_master_send(0xba>>1, { 20 11 00 }, 0x03); |
|||
em28xx_read_reg(dev, EM28XX_R15_RGAIN); /* read 0x00 */ |
|||
===Command Playback Utilities:=== |
===Command Playback Utilities:=== |
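Review bot: The URB fields table says Value, Index and message size are "in big endian", but the example rows in this revision decode low byte first ("ba 00" gives Index = 0x00ba, "03 00" gives Size = 0x0003), so either the wording or the examples need correcting. In the byte 1 row the cell starts with "{|", which opens a nested table that is never closed and will break rendering of the rest of the table; drop the "{|" and put the two bit descriptions in one cell. "Snopping" and "proccess" are misspelled.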
Revision as of 16:06, 2 January 2009
Purpose and relevance to development work -- description coming soon
PCI / PCIe
Snooping Utilities:
- BTSpy [1] - Windows based snoop for BT8x8 based devices
- Dscaler's RegSpy [2] - Windows based; contains the ability to snoop the registers of PCI / PCIe interface chipsets ... also see this note
USB
Snooping Utilities:
- usbsnoop - a Windows based utility for sniffing/monitoring communications traffic for a USB device. Note: In case usbsnoop/SniffUSB doesn't work for you, here are a few time limited apps that should work under Vista:
- USB Monitor - 14-day trial period
- USBlyzer - fully functional evaluation version for 33 days
- SnoopyPro - Windows based snoop for USB device communications traffic
- usbsnoop/SniffUSB - Windows based snoop for USB device communications traffic
- usbmon - Linux kernel module which can snoop USB device communications traffic
- Wireshark - logs usbmon output, via libpcap
- USBMon - logs usbmon output
Log parsers, format etc
...
Snooping Procedures:
- Use a snooping utility to capture the log.
- Group the URB transactions into a shorter log by running the capture through a parser.
- Identify the URB transactions at the control endpoint. URB transactions look like this:
40 02 00 00 ba 00 03 00 >>> 20 11 00
URB fields:
Byte | Meaning |
1 | bit 7 = 1 - read / 0 - write; bit 6 = 1 - Vendor Class |
2 | URB Request |
3-4 | URB Value in big endian |
5-6 | URB Index in big endian |
7-8 | URB message size in big endian |
Control URB examples:
40 00 00 00 08 00 01 00 >>> 3d | USB OUT, Vendor class, Req = 0, Value = 0x0000, Index = 0x0008, Size = 0x0001, Message = 0x3d |
40 02 00 00 ba 00 03 00 >>> 20 11 00 | USB OUT, Vendor class, Req = 0x02, Value = 0x0000, Index = 0x00ba, Size = 0x0003, Message = "0x20, 0x11, 0x00" |
c0 00 00 00 15 00 01 00 <<< 00 | USB IN, Vendor class, Req = 0x00, Value = 0x0000, Index = 0x0015, Size = 0x0001, Message = "0x00" |
After getting the log, you should analyse it and work out what the transactions mean for your device.
In the case of em28xx, you can use the [em28xx log parser] to process the URBs and the driver dmesg dumps (in the compact format shown above) and print them in a more human-readable form:
 em28xx_write_reg(dev, EM28XX_R08_GPIO, 0x3d);
 i2c_master_send(0xba>>1, { 20 11 00 }, 0x03);
 em28xx_read_reg(dev, EM28XX_R15_RGAIN); /* read 0x00 */
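An added example (not from the original page and not the em28xx parser): a small Python decoder for the compact control-URB lines above, which also rejects lines whose arrow or byte count contradicts the setup bytes. It reads the 16-bit fields low byte first, which is what the page's worked examples show ("ba 00" decodes to Index = 0x00ba); the names ControlUrb, parse_control_urb and describe are hypothetical.

```python
import re
from dataclasses import dataclass

# Compact log line: 8 setup bytes, a direction arrow, then the data bytes.
LINE_RE = re.compile(r"^((?:[0-9a-f]{2} ){8})(>>>|<<<)((?: [0-9a-f]{2})*)$", re.I)

@dataclass(frozen=True)
class ControlUrb:
    direction: str  # "IN" (read) or "OUT" (write), from bit 7 of byte 1
    vendor: bool    # bit 6 of byte 1
    request: int
    value: int
    index: int
    size: int
    data: bytes

def parse_control_urb(line: str) -> ControlUrb:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a compact control URB line: {line!r}")
    setup, data = bytes.fromhex(m.group(1)), bytes.fromhex(m.group(3))
    direction = "IN" if setup[0] & 0x80 else "OUT"
    # The arrow must agree with bit 7, otherwise the log line is inconsistent.
    if (m.group(2) == "<<<") != (direction == "IN"):
        raise ValueError(f"arrow disagrees with direction bit: {line!r}")
    # 16-bit fields are read low byte first: "ba 00" is 0x00ba.
    value, index, size = (int.from_bytes(setup[i:i + 2], "little") for i in (2, 4, 6))
    # A write carries exactly `size` bytes; a read may return fewer, never more.
    if len(data) > size or (direction == "OUT" and len(data) != size):
        raise ValueError(f"size field is {size} but line carries {len(data)} bytes")
    return ControlUrb(direction, bool(setup[0] & 0x40), setup[1], value, index, size, data)

def describe(urb: ControlUrb) -> str:
    kind = "Vendor class" if urb.vendor else "non-vendor"
    return (f"USB {urb.direction}, {kind}, Req = 0x{urb.request:02x}, "
            f"Value = 0x{urb.value:04x}, Index = 0x{urb.index:04x}, "
            f"Size = 0x{urb.size:04x}, Message = {urb.data.hex(' ')}")

# The three example lines from the page.
SAMPLE = [
    "40 00 00 00 08 00 01 00 >>> 3d",
    "40 02 00 00 ba 00 03 00 >>> 20 11 00",
    "c0 00 00 00 15 00 01 00 <<< 00",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(describe(parse_control_urb(line)))
```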
Command Playback Utilities:
- usb-robot - plays back USB Snoopy capture logs
- usbreplay - plays back usbsnoop capture logs
i2c
- i2c Tools: see here and here
- http://en.wikipedia.org/wiki/I2C#Development_Tools
- also see this thread
External Links
- Wikipedia's Bus sniffing article; note that the Cache coherency article is probably a little less vague or more enlightening