USB Sniffing: Difference between revisions

From flashrom
(Initial version)
 
(virtual box)
 
(One intermediate revision by the same user not shown)
Line 3: Line 3:
= usbmon - The Linux way =
= usbmon - The Linux way =
== Capturing native Linux applications ==
== Capturing native Linux applications ==
== Capturing virtualized applications ==
Be sure to load the usbmon kernel module with <code>modprobe usbmon</code>.
Then you should be able to select a USB bus (sic!) number in Wireshark (if it runs as root).
 
= Capturing virtualized applications =
Most probably the proprietary device comes with a proprietary application running on a proprietary OS like Windows or OSX.
Most probably the proprietary device comes with a proprietary application running on a proprietary OS like Windows or OSX.
By using a virtual machine we can nevertheless do the capturing and dissecting in Linux.
By using a virtual machine we can nevertheless do the capturing and dissecting in any host OS.
The only difference here is that the virtual machine must support forwarding USB ports and traffic into the virtualized operating system in a way that usbmon can cope with.
 
== Using usbmon to capture the guest OS traffic ==
The only difference to the native usbmon sniffing above is that the virtual machine must support forwarding USB ports and traffic into the virtualized operating system in a way that usbmon can cope with. Alternatively one can try to use the Windows approach explained below with USBPcap to capture the traffic inside the guest OS.
 
==VirtualBox ==
For USB 2.0 support one needs to use Oracle's expansion pack hence Oracle's VirtualBox. For Ubuntu precise one can easily install Oracle's Virtualbox like this:
<nowiki>wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -
sudo su -c "echo deb http://download.virtualbox.org/virtualbox/debian precise contrib > /etc/apt/sources.list.d/virtualbox.list"
sudo apt-get update
sudo apt-get install virtualbox-4.1</nowiki>
 
The expansion pack is version-dependent and can be installed with the "script" below or manually by downloading it from [http://www.oracle.com/technetwork/server-storage/virtualbox/downloads/index.html#extpack Oracle's download page] and installing it in the GUI under File/Preferences/Extensions.
<nowiki>vb_version=$(dpkg -l virtualbox* | grep "ii.*virtualbox-[0-9]" | egrep -o "[0-9]\.[0-9]\.[0-9]+")
wget "http://download.virtualbox.org/virtualbox/${vb_version}/Oracle_VM_VirtualBox_Extension_Pack-${vb_version}.vbox-extpack"
VBoxManage extpack install --replace "Oracle_VM_VirtualBox_Extension_Pack-${vb_version}.vbox-extpack"</nowiki>
 
After installation one needs to activate the USB controller and USB 2.0 separately in the properties of the virtual machine.
 
== VMware ==
VMware supports logging tunneled USB traffic on its own.
A detailed Howto can be found at the [http://vusb-analyzer.sourceforge.net/tutorial.html tutorial page of vusb-analyzer].
Essentially one has to edit the .vmx file while the VM is stopped and add the following options:
<nowiki>
monitor = "debug"
usb.analyzer.enable = TRUE
usb.analyzer.maxLine = <number of 16-byte lines to capture per packet (default is 80)></nowiki>
After powering on or resuming the VM, you should start to see USBIO log lines in vmware.log.
There is a [http://esec-lab.sogeti.com/dotclear/public/blog/vmwusb2pcap.rb ruby script] that converts this to Wireshark's pcap format.


= USBPcap - Windows =
= USBPcap - Windows =
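Review bot: The VirtualBox commands added under "==VirtualBox ==" fetch the apt signing key, the repository and the extension pack over plain http://, and the downloaded .vbox-extpack goes straight into "VBoxManage extpack install --replace" with no integrity check. Suggest using https:// for the three download.virtualbox.org URLs and comparing the pack's checksum against a published value before installing. In the same script, the pattern "[0-9]\.[0-9]\.[0-9]+" only matches single-digit major and minor version numbers, and the unquoted "virtualbox*" can be expanded by the shell if a matching file exists in the working directory.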
Line 13: Line 43:
Wireshark supports dissecting USBPcap capture files since version 1.10.
Wireshark supports dissecting USBPcap capture files since version 1.10.


= bb_usb_sniffer - Using a BeagleBoard-xM as MITM =
= Hardware =
 
== Commercial Devices ==
[http://www.ellisys.com/products/usbcompare.php Ellisys] and [http://www.internationaltestinstruments.com/products/97-1480a-usb-20-protocol-analyzer.aspx ITIC] offer (quite expensive, i.e. >500$) dedicated appliances for USB sniffing.
== bb_usb_sniffer - Using a BeagleBoard-xM as MITM ==
Another interesting way is to use an embedded Linux computer between the device and the host.
Another interesting way is to use an embedded Linux computer between the device and the host.
This approach has been implemented using a BeagleBoard-xM [https://github.com/matlo/bb_usb_sniffer].
This approach has been implemented using a BeagleBoard-xM [https://github.com/matlo/bb_usb_sniffer].
== Logic Analyzers ==
In some situations it might be useful to capture the signals in a more direct way, for example if the USB signals are routed on a PCB only. If you manage to capture them successfully with a logic analyzer you can use [http://sigrok.org sigrok] to help analyzing the result.
= Support Software =
Apart from the mighty Wireshark there is a number of other software packages that might help you analyzing:
* [http://vusb-analyzer.sourceforge.net vusb-analyzer] is able to visualize and decode usbmon, VMware and Ellisys logs.
* [http://sourceforge.net/apps/trac/pyusb/ pyusb] is a libusb wrapper which could be used for sophisticated replay attacks or live decoding.


= See also =
= See also =
http://wiki.wireshark.org/CaptureSetup/USB
http://wiki.wireshark.org/CaptureSetup/USB
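Review bot: Wording in the added "Logic Analyzers" and "Support Software" text needs a pass: "help analyzing the result" and "there is a number of other software packages that might help you analyzing" should read "help analyze the result" and "there are a number of other software packages that might help with the analysis". The bb_usb_sniffer link [https://github.com/matlo/bb_usb_sniffer], now under "= Hardware =", still has no label and renders as a bare numbered reference, unlike the labelled sigrok, vusb-analyzer and pyusb links added in this hunk; suggest giving it link text.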

Latest revision as of 09:52, 10 July 2013

To reverse engineer protocols of proprietary (flashing) USB devices one needs to obtain traces of the communication between the vendor application and the device. Below is a list of possible methods to do so.

usbmon - The Linux way

Capturing native Linux applications

Be sure to load the usbmon kernel module with modprobe usbmon. Then you should be able to select a USB bus (sic!) number in Wireshark (if it runs as root).
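Because usbmon captures a whole bus rather than a single device, the trace has to be narrowed to the device of interest afterwards. The following added example (not part of the original page) does this for usbmon's text interface, /sys/kernel/debug/usb/usbmon/<bus>u, whose line format is described in the kernel's usbmon documentation; the sample lines, function names and dictionary keys are constructed for illustration, and isochronous transfers are skipped.

```python
import re

# Constructed sample in usbmon's text format; device 005 is the target,
# device 001 is unrelated traffic on the same bus.
SAMPLE = """\
d5ea89a0 3575914555 S Ci:1:001:0 s a3 00 0000 0003 0004 4 <
d5ea89a0 3575914560 C Ci:1:001:0 0 4 = 01050000
dd65f0e8 4128379752 S Bo:1:005:2 -115 31 = 55534243 5e000000 00000000 00000600 00000000 00000000 00000000 000000
dd65f0e8 4128379808 C Bo:1:005:2 0 31 >
dd65f100 4128379900 S Bi:1:005:1 -115 13 <
dd65f100 4128380100 C Bi:1:005:1 0 13 = 55534253 5e000000 00000000 00
"""

ADDR = re.compile(r"([CZIB])([io]):(\d+):(\d+):(\d+)$")  # type+dir:bus:dev:ep
SETUP = ("bmRequestType", "bRequest", "wValue", "wIndex", "wLength")

def parse_line(line):
    """Decode one usbmon text event; None for isochronous or malformed lines."""
    f = line.split()
    m = ADDR.match(f[3]) if len(f) >= 6 else None
    if m is None or m.group(1) == "Z":
        return None
    ev = {"tag": f[0], "ts_us": int(f[1]), "event": f[2], "xfer": m.group(1),
          "dir": m.group(2), "bus": int(m.group(3)), "dev": int(m.group(4)),
          "ep": int(m.group(5)), "setup": None, "data": b""}
    rest = f[4:]
    if rest[0] == "s":                    # setup tag: five hex words follow
        ev["setup"] = dict(zip(SETUP, (int(w, 16) for w in rest[1:6])))
        rest = rest[6:]
    elif rest[0].isalpha():               # setup not captured: placeholders
        rest = rest[6:]
    else:                                 # status word: "0", "-115", "0:8"
        ev["status"] = int(rest[0].split(":")[0])
        rest = rest[1:]
    if not rest:
        return None
    ev["length"] = int(rest[0])           # transfer length in bytes (decimal)
    if len(rest) > 1 and rest[1] == "=":  # '=' tag: hex data words follow
        ev["data"] = bytes.fromhex("".join(rest[2:]))
    return ev

def device_traffic(text, bus, dev):
    """Return the decoded events of one device from a whole-bus trace."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e and e["bus"] == bus and e["dev"] == dev]

if __name__ == "__main__":
    for ev in device_traffic(SAMPLE, bus=1, dev=5):
        print(ev["event"], ev["dir"], ev["ep"], ev["length"], ev["data"].hex())
```

The text interface prints at most the first 32 bytes of each transfer, so full payloads still require a binary capture such as the one Wireshark takes.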

Capturing virtualized applications

Most probably the proprietary device comes with a proprietary application running on a proprietary OS like Windows or OSX. By using a virtual machine we can nevertheless do the capturing and dissecting in any host OS.

Using usbmon to capture the guest OS traffic

The only difference from the native usbmon sniffing above is that the virtual machine must support forwarding USB ports and traffic into the virtualized operating system in a way that usbmon can cope with. Alternatively, one can try the Windows approach explained below and use USBPcap to capture the traffic inside the guest OS.

VirtualBox

USB 2.0 support requires Oracle's extension pack and hence Oracle's VirtualBox. On Ubuntu precise, Oracle's VirtualBox can be installed like this:

wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -
sudo su -c "echo deb http://download.virtualbox.org/virtualbox/debian precise contrib > /etc/apt/sources.list.d/virtualbox.list"
sudo apt-get update
sudo apt-get install virtualbox-4.1

The extension pack is version-dependent and can be installed with the "script" below or manually by downloading it from Oracle's download page and installing it in the GUI under File/Preferences/Extensions.

# Detect the installed VirtualBox version (major.minor.patch) from the package list.
vb_version=$(dpkg -l 'virtualbox*' | grep "ii.*virtualbox-[0-9]" | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+" | head -n1)
# Download the matching extension pack and install it, replacing any older one.
wget "http://download.virtualbox.org/virtualbox/${vb_version}/Oracle_VM_VirtualBox_Extension_Pack-${vb_version}.vbox-extpack"
VBoxManage extpack install --replace "Oracle_VM_VirtualBox_Extension_Pack-${vb_version}.vbox-extpack"

After installation one needs to activate the USB controller and USB 2.0 separately in the properties of the virtual machine.

VMware

VMware supports logging tunneled USB traffic on its own. A detailed how-to can be found at the tutorial page of vusb-analyzer. Essentially, one has to edit the .vmx file while the VM is stopped and add the following options:

monitor = "debug"
usb.analyzer.enable = TRUE
usb.analyzer.maxLine = <number of 16-byte lines to capture per packet (default is 80)>

After powering on or resuming the VM, you should start to see USBIO log lines in vmware.log. There is a Ruby script that converts this to Wireshark's pcap format.

USBPcap - Windows

On Windows hosts one can use USBPcap to capture USB traffic natively.

Wireshark supports dissecting USBPcap capture files since version 1.10.

Hardware

Commercial Devices

Ellisys and ITIC offer (quite expensive, i.e. >500$) dedicated appliances for USB sniffing.

bb_usb_sniffer - Using a BeagleBoard-xM as MITM

Another interesting way is to use an embedded Linux computer between the device and the host. This approach has been implemented using a BeagleBoard-xM (https://github.com/matlo/bb_usb_sniffer).

Logic Analyzers

In some situations it might be useful to capture the signals in a more direct way, for example if the USB signals are routed on a PCB only. If you manage to capture them successfully with a logic analyzer, you can use sigrok to help analyze the result.

Support Software

Apart from the mighty Wireshark, there are a number of other software packages that might help with the analysis:

  • vusb-analyzer is able to visualize and decode usbmon, VMware and Ellisys logs.
  • pyusb is a libusb wrapper which could be used for sophisticated replay attacks or live decoding.

See also

http://wiki.wireshark.org/CaptureSetup/USB