nmikhailov / Validity90

Reverse engineering of Validity/Synaptics 138a:0090, 138a:0094, 138a:0097, 06cb:0081, 06cb:009a fingerprint readers protocol
GNU Lesser General Public License v2.1

Add support for 06cb:009a #34

Open frederictobiasc opened 6 years ago

frederictobiasc commented 6 years ago

Hi, Lenovo's T480 uses another unsupported fingerprint reader. I changed the main.c of the prototype in order to execute the tasks. Initialisation and "Test leds" work fine, but "Scan fingerprint" seems not to be working. Prototype log

nmikhailov commented 6 years ago

I have pushed some test code in 9a branch. Could you check it out please?

frederictobiasc commented 6 years ago

Hey, I applied the fix as mentioned before, I'll check out 9a now. You can find the new logfile at https://github.com/frederictobiasc/Validity90/blob/4bc9c5bfdc03ec5f4bf49b2c1ecd0a0cc6261896/prototype/logs/log9a

It is crashing with a segmentation fault at line 993.

frederictobiasc commented 6 years ago

I set up two new logfiles with the prototype of 9a branch: 9a_1 9a_2

It crashes randomly on further invocations of tls_read() after the last invocation: https://github.com/frederictobiasc/Validity90/blob/e234a61f4992cf7934a7e2e7948397955dd6ba01/prototype/main.c#L1016

Message: Failed 'libusb_bulk_transfer(dev, 0x81, data, len, out_len, 10000)': -1 - LIBUSB_ERROR_IO

nmikhailov commented 6 years ago

Updated again, please check

frederictobiasc commented 6 years ago

Hi, now it is working without any errors. log

The problem is that this process happens without me putting any finger on the reader. There is no waiting at "Awaiting fingerprint" or "Waiting for finger..."

Awaiting fingerprint:
interrupt:
0000 00 00 00 00 00
Waiting for finger...
interrupt:
0000 02 00 40 10 00
Finger is on the sensor...
interrupt:
0000 03 40 01 00 00
Scan in progress...
interrupt:
0000 03 42 04 00 40
Scan succeeded! (v97)

Even if I put my finger on the reader, the output is "Fingerprint unknown". Would it help if I go on with dissecting the traffic between windows and the reader during the scanning process?

nmikhailov commented 6 years ago

Do you have any fingers enrolled in windows? Dumps won't help much I am afraid. All the traffic is encrypted.

frederictobiasc commented 6 years ago

Yes, fingerprints are enrolled in Windows and working. I assumed that I could decrypt the traffic with the dissector.lua.

vikramambrose commented 6 years ago

Just FYI this affects many new Thinkpad models.

T480/T480s, X1 Carbon 6th gen, X1 Yoga 3rd gen, X280

nmikhailov commented 6 years ago

@frederictobiasc Ok, here is what we can do:

  1. You should get Process Explorer from here - https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
  2. Detach the USB reader from the VM.
  3. Attach it and search for the newly created WUDFHost.exe process in Process Explorer. Be careful as there might be several of them.
  4. Start Wireshark sniffing
  5. Do fingerprint scan
  6. Stop sniffing, save logs
  7. In Process Explorer right click on WUDFHost.exe -> Create Dump -> Full Dump. Upload traffic and dumps somewhere.

frederictobiasc commented 6 years ago

@nmikhailov Okay, I will provide you with the requested dumps ASAP. :)

erpalma commented 6 years ago

It's interesting that after running the prototype, all the stored fingerprints are lost. I don't use Windows but I use the pre-boot EFI scan. Also on Windows it seems that if you have unlocked the fingerprint in EFI, then you don't need to scan again. It seems that there exists a way to just "ask" the reader if it has already been unlocked, right?

nmikhailov commented 6 years ago

Well, it's actually quite strange that you have lost enrolled fingerprints, it shouldn't happen unless you get "incomplete reverse engineering" message.

I haven't investigated the "previous scan info mechanism" you are talking about, although it is very much possible it exists, I can even think of a way how it could have been done API wise.

Can you write some more about BIOS fingerprint related settings? What is possible and what is not. I have a feeling BIOS handling has progressed since my time.

On Tue, Apr 3, 2018, 15:31 Francesco Palmarini notifications@github.com wrote:

It's interesting that after running the prototype, all the stored fingerprints are lost. I don't use Windows but I use the pre-boot EFI scan. Also on Windows it seems that if you have unlocked the fingerprint in EFI, then you don't need to scan again. It seems that there exists a way to just "ask" the reader if it has already been unlocked, right?


erpalma commented 6 years ago

In bios you can just enable fingerprint authentication. You can set only if the bios will also ask for the supervisor pwd or just the fingerprint. I believe that, once enabled, the bios will ask you for the fingerprint if at least one was enrolled. At Windows boot I see the reader white led turning on for half a second and then the desktop appears. If I skip the fingerprint reading during bios (using pwd instead) then Windows asks me for the finger. Right now I don't have a W10 VM but I can create one. Do you know if I can sniff the USB bus on Linux while a device is attached to the VM?

nmikhailov commented 6 years ago

Do you know if I can sniff the USB bus on Linux while a device is attached to the VM?

Yes, that is what I am doing.

On Fri, Apr 6, 2018, 21:02 Francesco Palmarini notifications@github.com wrote:

In bios you can just enable fingerprint authentication. You can set only if the bios will also ask for the supervisor pwd or just the fingerprint. I believe that, once enabled, the bios will ask you for the fingerprint if at least one was enrolled. At Windows boot I see the reader white led turning on for half a second and then the desktop appears. If I skip the fingerprint reading during bios (using pwd instead) then Windows ask me the finger. Right now I don't have a W10 VM but I can create one. Do you know if I can sniff the USB bus on Linux while a device is attached to the VM?

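The Linux-host side of the capture confirmed in the reply above, as an added example that is not part of the original thread: it finds the bus the reader sits on, loads usbmon, records that bus, and prints the Wireshark display filter that isolates the reader. The function names and the output file name are assumptions; the sample lsusb line in the comment is the one quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): capture the reader's USB traffic on the
# Linux host while the device is passed through to a Windows VM.
# Assumes usbutils (lsusb), the usbmon module and tshark are installed.

VIDPID="06cb:009a"   # reader discussed in this issue

# Turn one lsusb line into "<bus> <device>" with leading zeros stripped.
# Line format as quoted in this thread:
#   Bus 001 Device 006: ID 06cb:009a Synaptics, Inc.
parse_lsusb_line() {
    printf '%s\n' "$1" | awk '$1 == "Bus" && $3 == "Device" {
        sub(/:$/, "", $4); print $2 + 0, $4 + 0; exit }'
}

# usbmon exposes one capture interface per bus: usbmon1, usbmon2, ...
usbmon_iface() { echo "usbmon$1"; }

# Wireshark display filter that isolates one device on a shared bus.
device_filter() { echo "usb.bus_id == $1 && usb.device_address == $2"; }

capture() {
    out="${1:-reader.pcapng}"          # hypothetical output file name
    line=$(lsusb -d "$VIDPID" | head -n 1)
    [ -n "$line" ] || { echo "no $VIDPID device on this host" >&2; return 1; }
    set -- $(parse_lsusb_line "$line")
    [ "$#" -eq 2 ] || { echo "unexpected lsusb output: $line" >&2; return 1; }
    sudo modprobe usbmon || return 1
    echo "read back with: tshark -r $out -Y '$(device_filter "$1" "$2")'"
    # Record the whole bus; stop with Ctrl-C once the scan in the VM is done.
    sudo tshark -i "$(usbmon_iface "$1")" -w "$out"
}

# Run as "sh capture.sh run [file]"; with no argument only the functions load.
if [ "${1:-}" = "run" ]; then
    capture "${2:-}"
fi
```

The capture contains every device on that bus, so apply the printed display filter before sharing the file.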

mvdnes commented 6 years ago

I have not seen it in the discussion here, so I would like to mention that this reader is advertised as "Match-on-chip touch fingerprint reader".

The prototype is able to blink the LEDs. Furthermore, in my case the fingerprint in the EFI setup menu still worked.

Unfortunately I cannot get the fingerprint reader working in a VM. I get this error: "This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)". (This was after installing the official drivers, before it was not recognized at all)

nmikhailov commented 6 years ago

@mvdnes Can you link driver download url? I would think one of the reasons why this might have happened is that they pushed for mandatory SGX.

mvdnes commented 6 years ago

You can download it from this lenovo download page. Here is a direct link.

nmikhailov commented 6 years ago

@mvdnes It still includes the non-SGX version, so I don't think that it is a problem. Have you tried rebooting? Are you sure you have passed through the correct USB device to the VM?

mvdnes commented 6 years ago

Using another virtualization platform (VirtualBox instead of qemu/kvm) worked.

I have a ~wireshark dump~ and a ~WUDFHost dump~ for you.

mvdnes commented 6 years ago

I have used your cdb script to extract the AES keys myself. The dissector this repository provides works on it!

Here is the log archive. It contains a wireshark dump, debug trace and extracted AES keys.

The log was taken while unlocking Windows.

spielkind commented 6 years ago

@nmikhailov do you need more logs/dumps/traces? I have the same device at my X280.

stackpivot commented 6 years ago

@nmikhailov Owner of T480s here. What would be the best way helping for 06cb:009a to work?

mrdanielps commented 6 years ago

I'm working on getting the 138a:009d sensor (X380 Yoga) to work. It uses the same driver as both the 06cb:009a and the 06cb:0081, so they probably use the same protocol. The 9a branch always returned "Fingerprint UNKNOWN" with interrupt 05 00 31 04 db, but for some reason, repeating the scan before the last interrupt seems to do the trick. It's probably not the right way to do it, but I'm looking into it.

I pushed some code to the 9a branch over here. It'd be interesting to see if it works with the other sensors. Can anyone verify?

EDIT: Rebased with master and moved to branch 9d.

felixonmars commented 6 years ago

After changing the id matching part in main.c, I got the following error:

Failed 'EC_KEY_check_key(key) - 1': -1 - LIBUSB_ERROR_IO

Full output: https://paste.xinu.at/0bMCm/

spielkind commented 6 years ago

@mrdanielps I own an X280: Bus 001 Device 007: ID 06cb:009a Synaptics, Inc.

With your 9a branch I get:

Prototype version 15
No devices found

With your 9d branch I get: Fingerprint UNKNOWN!

It does not even wait until I put my finger on the scanner. https://pastebin.com/cTxe4E8U

mrdanielps commented 6 years ago

So if instead of repeating the whole scan procedure, I send a StgWindsor packet (4b 00 00..., or packet4 in the code) before waiting for the match result interrupt, it seems to work properly (at least on 9d). This commit is the only change in master to get it to work.

@spielkind Weird. It's actually detecting a finger and returning a mismatch. From one of the previous logs, without these changes, the 9a behaved similar to my model.

spielkind commented 6 years ago

Dunno, I've reset all fingerprint data, then I get: 'Incomplete reverse engineering' ... after enrolling a new finger at my win10 vm (virtualbox) I get 'Fingerprint UNKNOWN' again, without waiting for touching the sensor.

tedsluis commented 6 years ago

note: Thinkpad T580 is using this fingerprint reader as well:

(Windows) Synaptics WBDI, class=0xFF, subclass=0x10, vendor=0x06CB, product=0x009A

(Linux) lsusb -d 06cb:009a
Bus 001 Device 006: ID 06cb:009a Synaptics, Inc.

ramonmaruko commented 5 years ago

Hello! What data do you still need to support 009a?

ibrahima commented 5 years ago

Found out that Ubuntu seems to have a list of laptops that use this fingerprint reader: https://certification.ubuntu.com/catalog/component/usb/2448/06cb%3A009a/

Not sure if that's helpful in any way, but it looks like most of the Thinkpads released this year use it.

Zlogene commented 5 years ago

@ibrahima, they clearly state that Ubuntu flavors may not work as expected without additional changes from a user, and as Ubuntu uses libfprint (as many others), which has no driver yet, their certification means nearly nothing.

cnmicha commented 5 years ago

@ibrahima Lenovo L380 is also affected and not on the list.

ibrahima commented 5 years ago

Oh yeah, I wasn't saying that the list implies that it should work or that it was exhaustive, merely that it is a list of such devices, however incomplete it may be. I just happened to find it and thought it might be slightly more useful than people chiming in one at a time about their laptops.

cgarlati commented 5 years ago

I have an X1 6th gen. Let me know if I can help in any way.

mgiacopu commented 5 years ago

I have a ThinkPad T580 which also uses this kind of fingerprint reader. Let me know if I could be of any help, I'd really like to get it working also on Linux!

noizo commented 5 years ago

Hi. I have this reader on Lenovo P52

lsusb -d 06cb:009a -v

Bus 001 Device 003: ID 06cb:009a Synaptics, Inc. 
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          255 Vendor Specific Class
  bDeviceSubClass        16 
  bDeviceProtocol       255 
  bMaxPacketSize0         8
  idVendor           0x06cb Synaptics, Inc.
  idProduct          0x009a 
  bcdDevice            1.64
  iManufacturer           0 
  iProduct                0 
  iSerial                 1 
  bNumConfigurations      1

How can I help with testing?

AxeR21 commented 5 years ago

I have a ThinkPad T480. I'm studying computer science at the university so, if I can help in some way, let me know and I'll try to do my best. Thanks for your hard work.

federeghe commented 5 years ago

This affects also Thinkpad L480.

Let us know how we can help! :)

RaghavRao commented 5 years ago

Also here with X1 Yoga 3rd Gen.

Is this project still active?

On Mon, Dec 10, 2018, 15:20 Federico Reghenzani notifications@github.com wrote:

This affects also Thinkpad L480.

Let us know how we can help! :)


ix5 commented 5 years ago

Jesus people stop spamming this! Either take a look at the code or don't, some of us have email notifications set up for this and do not want to wade through tens of useless "me too" messages.

NigelCunningham commented 5 years ago

@ix5 would you avoid swearing, please? It also adds nothing to the conversation and causes unnecessary offence (including to Jesus himself!)

anp369 commented 5 years ago

@mrdanielps I don't know if you're still interested but I got your prototype in the 9d branch (commit d7789c8) working with 138a:009d (Yoga X380). I enrolled the fingerprints in Windows before and the prototype was able to recognize my fingerprint again. LEDs work too. Let me know if you need any logs from this sensor.

scaleoutsean commented 5 years ago

I don't know if you're still interested but I got your prototype in the 9d branch (commit d7789c8 ) working with 138a:009d (Yoga X380)

@anp369 thanks for trying. As the other guy is MIA, I tried your patch on T480 and got the same output as with master (as of now). On my T480 it's device Bus 001 Device 004: ID 06cb:009a Synaptics, Inc..

Prototype version 15
Found device 06cb:009a

step 1
usb write:
0000 01 
usb read:
0000 00 00 f0 b0 5e 54 a4 00  00 00 06 07 01 30 00 01 
0010 00 00 75 34 49 68 58 30  00 23 00 00 00 00 01 00 
0020 00 00 00 00 00 02 
Expected at char 012
Sensor not initialized, init byte is 0x2 (expected 0x02)
step 2
usb write:
...

There are a few other discrepancies ("expected X but got Y..."). It's the same device and same output as with non-patched code, so I won't paste the entire output here as it probably doesn't add much value. But in case you want to see it, I uploaded it to https://pastebin.com/SuGrT6nS (for 14 days).

pcraciunoiu commented 5 years ago

Hi all, joining this thread as I'd like to help get this worked out with testing, debug output, etc.

I have a ThinkPad X1 Carbon 6th gen from late last year.

If I make && make permissions && sudo ./prototype on master, I get the device:

Prototype version 15
Found device 06cb:009a

The 2nd option to test leds seems to work with green (white light in my case) and red blinking 3x.

1st option for scan fingerprint doesn't wait for the scan, or go back to the menu, so I am guessing it doesn't work. Happy to provide more output if it'd be helpful.

Curiously, if I check out the 9a branch, my device isn't found. Which seems wrong since clearly it's found right above. Listed on lsusb:

Bus 001 Device 005: ID 06cb:009a Synaptics, Inc.

felixonmars commented 5 years ago

@pcraciunoiu I have exactly the same result as yours. Have you tried to enroll in a Windows virtual machine? In my case it doesn't work correctly either, and is also stuck at the very beginning.

pcraciunoiu commented 5 years ago

Have not tried a Windows VM--not sure what the value of that is since I want it to work in Ubuntu? When I got the laptop I had set up the fingerprint reader on Windows 10 (host) and it worked fine.

felixonmars commented 5 years ago

You can capture the USB traffic if you use VirtualBox. I am not an expert though, and no progress so far to improve the prototype.

mid-kid commented 5 years ago

Sorry for bumping this thread, but I've followed the instructions in https://github.com/nmikhailov/Validity90/issues/34#issuecomment-376230153, and here's the results:

https://transfer.sh/LnWdg/WUDFHost.dmp
https://transfer.sh/J9y9M/fprint.pcapng

Hopefully this helps a bit.

Guest info: Windows 10 Home x64, VirtualBox 6.0.4
Laptop: Thinkpad A485

knz commented 5 years ago

Using x380 and 138a:009d reader: the code linked from this comment https://github.com/nmikhailov/Validity90/issues/34#issuecomment-411724539 works fine!

@mrdanielps @nmikhailov any chance we could integrate this further in the driver?

mrdanielps commented 5 years ago

Using x380 and 138a:009d reader: the code linked from this comment #34 (comment) works fine!

@mrdanielps @nmikhailov any chance we could integrate this further in the driver?

If you're asking about libfprint, I guess I never linked to my own fork over here. Ignore the PPA in the README, it must be built from source. I should mention it's only been tested on a 138a:009d reader with the fingerprints enrolled in a VM.