Fun with HexInject and USB protocols
02 Jun 2011
Did you know that pcap (http://www.tcpdump.org/) libraries can capture raw USB traffic?
I had noticed several times the usbmon interfaces that Wireshark lists next to the network interfaces, but so far I had never tried to play with them.
Similar interfaces (usbmon0, usbmon1, ...) should appear on your system. If they do not, see this guide: http://wiki.wireshark.org/CaptureSetup/USB. On Linux they are provided by the usbmon kernel module (modprobe usbmon if it is not loaded), and capturing on them requires root.
In this short post I just want to describe a simple experiment I did with hexinject and awk: recognizing mouse clicks.
The first thing to do is to find the interface connected to the mouse. I'm sure there are more elegant ways to do it, but I just looked in Wireshark for the interface receiving packets when the mouse moved. In my case this was usbmon3, i.e. USB bus 3 (usbmonN captures bus N, usbmon0 captures every bus; lsusb shows which bus each device is on).
Then we can sniff on that interface while performing various actions with the mouse, to see whether we can understand at least part of the protocol.
Captured data in the case of a left mouse click:
80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 8D 43 E7 4D 00 00 00 00 AA 38 00 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 01 00 00 00 00 00
80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C 8D 43 E7 4D 00 00 00 00 BD 38 00 00 8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00
Captured data in the case of a right mouse click:
80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 AB 43 E7 4D 00 00 00 00 A2 22 03 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 02 00 00 00 00 00
80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C AB 43 E7 4D 00 00 00 00 B4 22 03 00 8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00
Each click produces two records. The first one (ninth byte 0x43, 'C') is the completion of an interrupt IN transfer on endpoint 0x81 of device 2 on bus 3, and it carries the 6-byte report the mouse sent. The second one (ninth byte 0x53, 'S') is the host submitting the next interrupt IN request, which carries no data yet; its status field, 8D FF FF FF, is -115 (-EINPROGRESS). The first 64 bytes of each record are the Linux usbmon capture header, not USB protocol data: the mouse report starts at byte 65. That byte is the button bitmask: 01 for the left button, 02 for the right one (the bits combine, so 03 means both). The five zero bytes that follow it tell us that this is a pure button action and not a mouse movement, and the pair 06 00 00 00 06 00 00 00 in the header says that the report is 6 bytes long and was captured in full.
Using this information it is easy to write an awk script that tells us the type of action performed:
    #
    # Analyze USB mouse protocol
    # and print button actions
    #
    # use with:
    #   source_program | awk --enable-switch -f mouse_click.awk
    # or sometimes just:
    #   source_program | gawk -f mouse_click.awk
    # (gawk 4.0 and later always support switch)
    #

    # match only completed 6-byte reports (URB length 6, captured length 6)
    # whose button byte is followed by five zero bytes, i.e. no movement
    /06 00 00 00 06 00 .+ 0[0-9] 00 00 00 00 00$/ {
        # button code check: $65 is the first byte after the
        # 64-byte usbmon header, the HID button bitmask
        switch ($65) {
            case "00": print "click released"; break;
            case "01": print "left click"; break;
            case "02": print "right click"; break;
            case "03": print "left+right click"; break;
            case "04": print "central click"; break;
            default: print "code " $65 " click"; break;
        }
    }
Let's try it:
    $ sudo hexinject -s -i usbmon3 | awk -f mouse_click.awk
    left click
    click released
    central click
    click released
    left+right click
    click released
    ...
The script just compares one byte of the USB packet, the first byte of the HID report, against a list of known mouse-button values, and the regular expression filters out the records that are not complete button events (the host's submit records and the movement reports).
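As an added example that is not part of the original post, here is a Python decoder for the same hexinject lines. It unpacks the 64-byte usbmon header in front of each report (the field layout is taken from the Linux kernel's usbmon documentation, not from the post), so the submit/complete type, bus, device, endpoint, timestamp and URB status become readable, and it classifies the button byte exactly as the awk script does while also reporting movement and button combinations. Treating the bytes after the button byte as X/Y/wheel deltas is my assumption based on the HID boot protocol; this mouse's real 6-byte layout would come from its report descriptor. The two sample records are the left-click capture shown above.

```python
import struct
import sys

# Layout of the 64-byte header that Linux usbmon puts in front of every record
# (pcap link type USB_LINUX_MMAPPED; see the kernel's Documentation/usb/usbmon.txt),
# little-endian as captured on an x86 host.
USBMON_HDR = struct.Struct("<QBBBBHBBqiiII8siiII")
assert USBMON_HDR.size == 64

XFER_TYPES = {0: "iso", 1: "intr", 2: "ctrl", 3: "bulk"}

# Bit layout of the first byte of a HID mouse report (HID 1.11, boot protocol).
# The post calls the middle button "central", so that name is kept here.
BUTTON_BITS = ((0x01, "left"), (0x02, "right"), (0x04, "central"))


def parse_record(hexline):
    """Parse one hexinject output line (space-separated hex bytes) into a dict."""
    raw = bytes.fromhex("".join(hexline.split()))
    if len(raw) < USBMON_HDR.size:
        raise ValueError("record shorter than the usbmon header")
    (urb_id, event, xfer, epnum, devnum, busnum, _flag_setup, flag_data,
     ts_sec, ts_usec, status, urb_len, len_cap, _setup,
     interval, _start_frame, _xfer_flags, _ndesc) = USBMON_HDR.unpack_from(raw)
    return {
        "urb_id": urb_id,
        "event": chr(event),          # 'S' submit, 'C' complete, 'E' error
        "xfer": XFER_TYPES.get(xfer, "?"),
        "endpoint": epnum,            # 0x81: endpoint 1, bit 7 set = IN direction
        "device": devnum,
        "bus": busnum,
        "has_data": flag_data == 0,   # otherwise a char such as '<' says why not
        "ts_sec": ts_sec,
        "ts_usec": ts_usec,
        "status": status,             # -115 (-EINPROGRESS) on a submit record
        "urb_len": urb_len,
        "len_cap": len_cap,
        "interval": interval,
        "data": raw[USBMON_HDR.size:USBMON_HDR.size + len_cap],
    }


def decode_buttons(mask):
    """Turn the button bitmask into 'left', 'left+right', ... or 'none'."""
    names = [name for bit, name in BUTTON_BITS if mask & bit]
    extra = mask & ~0x07 & 0xFF       # extra buttons the post does not cover
    if extra:
        names.append("0x%02x" % extra)
    return "+".join(names) if names else "none"


def classify_report(report):
    """Classify a mouse report like the awk script does, plus movement.

    Assumption (not from the post): the bytes after the button byte carry
    X/Y/wheel deltas as in the HID boot protocol, so any non-zero one is movement.
    """
    if not report:
        return "empty report"
    if any(report[1:]):
        return "movement (buttons held: %s)" % decode_buttons(report[0])
    if report[0] == 0:
        return "click released"
    return "%s click" % decode_buttons(report[0])


def describe(rec):
    """One line per usbmon record, with the header context the awk regex skips."""
    where = "bus %d dev %d ep 0x%02x %s" % (
        rec["bus"], rec["device"], rec["endpoint"], rec["xfer"])
    if rec["event"] == "S":
        return "S %s: host submits %d-byte request, status %d" % (
            where, rec["urb_len"], rec["status"])
    if rec["event"] == "C" and rec["has_data"]:
        return "C %s: %s" % (where, classify_report(rec["data"]))
    return "%s %s: no data" % (rec["event"], where)


# The two records the post captured for a left click (completion, then next submit).
LEFT_CLICK_RECORDS = [
    "80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 8D 43 E7 4D 00 00 00 00 AA 38 00 00 "
    "00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 "
    "04 02 00 00 00 00 00 00 01 00 00 00 00 00",
    "80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C 8D 43 E7 4D 00 00 00 00 BD 38 00 00 "
    "8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 "
    "04 02 00 00 00 00 00 00",
]

if __name__ == "__main__":
    # Usage: sudo hexinject -s -i usbmon3 | python3 usbmon_mouse.py
    # Without piped input it decodes the two records from the post instead.
    lines = LEFT_CLICK_RECORDS if sys.stdin.isatty() else sys.stdin
    for line in lines:
        if line.strip():
            print(describe(parse_record(line)))
```

Fed the left-click capture, it prints the completion as "C bus 3 dev 2 ep 0x81 intr: left click" and the following submit as a 6-byte request with status -115, which is the pair of records the awk regex silently reduces to a single "left click" line.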
This experiment illustrates the versatility of the "data oriented" approach used by hexinject: every packet is just a line of hex, so any text tool can work on it. In the future I hope to dig deeper into the USB protocol and maybe write a post that uses hexinject in USB injection mode (really cool IMHO).
At the moment I don't have a very in-depth knowledge of USB, but if you want to know the meaning of the rest of the dump you can refer to the HID specification, http://www.usb.org/developers/devclass_docs/HID1_11.pdf (Appendix B describes the boot-protocol mouse report: buttons, X, Y), or to this shorter tutorial: http://www.faculty.iu-bremen.de/birk/lectures/PC101-2003/14usb/FINAL%20VERSION/usb_protocol.html. The 64-byte header in front of each report is not USB at all but the Linux usbmon capture header, described in the kernel's Documentation/usb/usbmon.txt.