usb-tools / USBProxy-legacy

A proxy for USB devices, libUSB and gadgetFS - this project is unmaintained, try here: https://github.com/usb-tools/Facedancer
GNU General Public License v2.0

USBProxy crash on Huawei K3570 #66

Closed dpeddi closed 2 years ago

dpeddi commented 6 years ago

Hi,

I followed the https://gimx.fr/wiki/index.php?title=Bbb_sniffer guide to set up my environment.

I'm trying to analyze the stream between my host and this device, but after starting usb-mitm, it produces a lot of errors and finally exits with an abort. The log is too long to attach, but the issue is probably at startup, so I would proceed step by step.

I've added some printf calls and I can see that opening and writing complete correctly on the first interface while the other one fails.

searching in [/tmp/gadget-yDT3DF]
Starting setup reader thread (7741) for EP00.
Starting setup writer thread (7742) for EP00.
Processing interface 0
Processing interface 0 alt:0
Processing interface 0 81
Opened EP81
Processing interface 0 82
Opened EP82
Processing interface 0 1
Opened EP01
Processing interface 1
Processing interface 1 alt:0
Processing interface 1 83
Error writing to EP 0x83 131 Invalid argument rc=-1
Opened EP83
Processing interface 2
Processing interface 2 alt:0
Processing interface 2 84
Error writing to EP 0x84 132 Invalid argument rc=-1
Opened EP84
[...]

Just for confirmation I've changed

for (ifc_idx=0;ifc_idx<ifc_count;ifc_idx++) {

to:

for (ifc_idx=1;ifc_idx<ifc_count;ifc_idx++) {

Processing interface 1
Processing interface 1 alt:0
Processing interface 1 83
Openingo EP 0x83 131 musb-hdrc
open_endpoint() opening path /tmp/gadget-8fgimi/ep3in
Error writing to EP 0x83 131 Invalid argument rc=-1 musb-hdrc
Opened EP83
Processing interface 2
Processing interface 2 alt:0

But opening on interface >1 still doesn't work..

Sending ACK
gadgetfs: 1 events received
LibUSB> 80 06 02 03 09 04 ff 00
LibUSB<.
<------>2e 03 48 00 75 00 61 00 77 00 65 00 69 00 20 00 20 00 20 00 43 00 6f 00 6e 00 66 00 69 00 67 00
<------>75 00 72 00 61 00 74 00 69 00 6f 00 6e 00
gadgetfs: 1 events received
LibUSB> 01 0b 00 00 02 00 00 00
libusb: error [submit_bulk_transfer] submiturb failed error -1 errno=22
Transfer error on EP84 (xfertype 2): Input/Output Error attempt:1
LibUSB<.
Sending ACK
gadgetfs: 1 events received
LibUSB> 21 43 0e 00 01 00 00 00
Error sending setup packet: Pipe error
Stalling EP00
gadgetfs: 1 events received
LibUSB> 80 06 01 03 09 04 ff 00
LibUSB< 1a 03 30 00 32 00 35 00 30 00 66 00 33 00 30 00 30 00 30 00 30 00 30 00 30 00
gadgetfs: 1 events received
LibUSB> 21 22 03 00 03 00 00 00

lsusb -vv

Bus 001 Device 003: ID 12d1:1465 Huawei Technologies Co., Ltd..
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          239 Miscellaneous Device
  bDeviceSubClass         2 ?
  bDeviceProtocol         1 Interface Association
  bMaxPacketSize0        64
  idVendor           0x12d1 Huawei Technologies Co., Ltd.
  idProduct          0x1465.
  bcdDevice            0.00
  iManufacturer           4 HUAWEI Technology
  iProduct                3 HUAWEI Mobile
  iSerial                 0.
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength          201
    bNumInterfaces          7
    bConfigurationValue     1
    iConfiguration          2 Huawei   Configuration
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              0.
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               5
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval              32
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval              32
    Interface Association:
      bLength                 8
      bDescriptorType        11
      bFirstInterface         1
      bInterfaceCount         2
      bFunctionClass          2 Communications
      bFunctionSubClass       0.
      bFunctionProtocol       0.
      iFunction               0.
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      6 Ethernet Networking
      bInterfaceProtocol    255.
      iInterface              0.
      CDC Header:
        bcdCDC               1.10
      CDC Ethernet:
        iMacAddress                      1 0250f3000000
        bmEthernetStatistics    0x00000000
        wMaxSegmentSize               1536
        wNumberMCFilters            0x0001
        bNumberPowerFilters              0
      CDC Union:
        bMasterInterface        1
        bSlaveInterface         2.
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               5
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0.
      iInterface              0.
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x84  EP 4 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval              32
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval              32
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        3
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              0.
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x85  EP 5 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval              32
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x03  EP 3 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval              32
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        4
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              0.
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x86  EP 6 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval              32
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval              32
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        5
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      iInterface              0.
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x87  EP 7 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x05  EP 5 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        6
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      iInterface              0.
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x06  EP 6 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x88  EP 8 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass          239 Miscellaneous Device
  bDeviceSubClass         2 ?
  bDeviceProtocol         1 Interface Association
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0001
  Self Powered

On the host:

[715746.422153] usb 1-4: reset high-speed USB device number 84 using ehci-pci
[715746.630730] option 1-4:1.0: GSM modem (1-port) converter detected
[715746.632116] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB33
[715747.244886] usb 1-4: USB disconnect, device number 84
[715747.259166] cdc_ether: probe of 1-4:1.1 failed with error -71
[715747.259360] option 1-4:1.3: GSM modem (1-port) converter detected
[715747.260397] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB34
[715747.260510] option 1-4:1.4: GSM modem (1-port) converter detected
[715747.261349] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB35
[715747.264922] option1 ttyUSB33: GSM modem (1-port) converter now disconnected from ttyUSB33
[715747.264972] option 1-4:1.0: device disconnected
[715747.265535] option1 ttyUSB34: GSM modem (1-port) converter now disconnected from ttyUSB34
[715747.265581] option 1-4:1.3: device disconnected
[715747.265862] option1 ttyUSB35: GSM modem (1-port) converter now disconnected from ttyUSB35
[715747.265908] option 1-4:1.4: device disconnected
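
Added example (not part of the original issue and not USBProxy code): a Python cross-reference of the endpoints that failed in the usb-mitm log against the lsusb descriptor, showing which interface, class and transfer type each belongs to. The function names are illustrative; the inputs are excerpts of the output posted above, trimmed to the fields the parser reads.

```python
import re

# Excerpts of the lsusb -vv output and usb-mitm log posted above,
# trimmed to the fields the parser reads.
LSUSB = """\
      bInterfaceNumber        0
      bInterfaceClass       255 Vendor Specific Class
        bEndpointAddress     0x81  EP 1 IN
          Transfer Type            Interrupt
      bInterfaceNumber        1
      bInterfaceClass         2 Communications
        bEndpointAddress     0x83  EP 3 IN
          Transfer Type            Interrupt
      bInterfaceNumber        2
      bInterfaceClass        10 CDC Data
        bEndpointAddress     0x84  EP 4 IN
          Transfer Type            Bulk
"""
LOG = """\
Error writing to EP 0x83 131 Invalid argument rc=-1
Opened EP83
Error writing to EP 0x84 132 Invalid argument rc=-1
Opened EP84
"""

def parse_endpoints(lsusb_text):
    """Map endpoint address -> (interface number, interface class, transfer type)."""
    endpoints, ifnum, ifclass, addr = {}, None, None, None
    for line in lsusb_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 2:
            continue
        if fields[0] == "bInterfaceNumber":
            ifnum = int(fields[1])
        elif fields[0] == "bInterfaceClass":
            ifclass = fields[-1].strip()  # class name, or the number if unnamed
        elif fields[0] == "bEndpointAddress":
            addr = int(fields[1], 16)
        elif line.strip().startswith("Transfer Type") and addr is not None:
            endpoints[addr] = (ifnum, ifclass, line.split()[-1])
            addr = None
    return endpoints

def failed_endpoints(log_text):
    """Endpoint addresses from 'Error writing to EP 0x..' lines, in log order."""
    return [int(m, 16) for m in re.findall(r"Error writing to EP (0x[0-9a-fA-F]+)", log_text)]

def correlate(lsusb_text, log_text):
    eps = parse_endpoints(lsusb_text)
    return [(hex(a),) + eps.get(a, (None, "not in descriptor", None)) for a in failed_endpoints(log_text)]

if __name__ == "__main__":
    for row in correlate(LSUSB, LOG):
        print("EP %s: interface %s (%s), %s" % row)
```

On these excerpts both failing endpoints fall in interfaces 1 and 2, the CDC Communications/CDC Data pair, while the vendor-specific interface 0 is unaffected.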

dpeddi commented 6 years ago

interesting reading: https://sourceforge.net/p/libusb/mailman/message/35965754/

dpeddi commented 6 years ago

Trying now with your Debian-USBProxy.img.xz but I get same issue...

S4mw1s3 commented 6 years ago

> interesting reading: https://sourceforge.net/p/libusb/mailman/message/35965754/

That is indeed interesting. I'm also experiencing these errno=22 errors with a simple usb<->rs232 device :(

libusb: debug [submit_bulk_transfer] need 1 urbs for new transfer with length 64
libusb: debug [libusb_handle_events_timeout_completed] doing our own event handling
libusb: debug [handle_events] poll() 3 fds with timeout in 60000ms
libusb: debug [handle_events] poll() returned 1
libusb: debug [reap_for_handle] urb type=3 status=0 transferred=2
libusb: debug [handle_bulk_completion] handling completion status 0 of bulk urb 1/1
libusb: debug [handle_bulk_completion] last URB in transfer --> complete!
libusb: debug [usbi_handle_transfer_completion] transfer 0x22fe600 has callback 0xb6bbfbd9
libusb: debug [sync_transfer_cb] actual_length=2
libusb: debug [libusb_free_transfer] transfer 0x22fe600
libusb: debug [libusb_alloc_transfer] transfer 0x22fe600
libusb: debug [libusb_submit_transfer] transfer 0x22fe600
libusb: debug [submit_bulk_transfer] need 1 urbs for new transfer with length 64
gadgetfs: 1 events received
Sending ACK
LibUSB> 40 09 10 00 00 00 00 00
libusb: error [submit_bulk_transfer] submiturb failed error -1 errno=22
libusb: debug [submit_bulk_transfer] first URB failed, easy peasy
libusb: debug [libusb_free_transfer] transfer 0x22fe600
Transfer error receiving on EP81 (xfertype 2): Input/Output Error

Which board and kernel are you using?

debian@beaglebone:~$ cat /proc/device-tree/model 
TI AM335x BeagleBone Black
debian@beaglebone:~$ 
debian@beaglebone:~$ uname -a
Linux beaglebone 4.9.52-ti-r64 #1 SMP PREEMPT Sat Sep 30 00:11:40 UTC 2017 armv7l GNU/Linux
debian@beaglebone:~$ 
dpeddi commented 6 years ago

cat /proc/device-tree/model
TI AM335x BeagleBone Black
root@beaglebone:~#
root@beaglebone:~# uname -a
Linux beaglebone 4.4.88-ti-r125 #1 SMP Thu Sep 21 19:23:24 UTC 2017 armv7l GNU/Linux
root@beaglebone:~# ^C

dpeddi commented 6 years ago

Thank you... I probably have another issue as well: [ 369.615003] musb_g_ep0_irq 804: SETUP packet len 0 != 8 ?

This seems gadgetfs-related.

S4mw1s3 commented 6 years ago

dpeddi  [23:15:44] 15 Transmit and 15 Receive Endpoints other than the mandatory Control Endpoint 0.
dpeddi  [23:17:24] lsusb -vv | grep -i endpointaddress| grep IN | wc -l 9
dpeddi  [23:17:31] lsusb -vv | grep -i endpointaddress| grep OUT | wc -l 6
dpeddi  [23:28:46] i've upgraded to debian 9.1 
dpeddi  [23:28:57] and now in dmesg i get : [   90.309997] musb_g_ep0_irq 804: SETUP packet len 0 != 8 ? 
dpeddi  [23:37:21] a guy posted a patch "https://www.spinics.net/lists/linux-usb/msg97114.html"
dpeddi  [23:37:30] probably never applied to "http://elixir.free-electrons.com/linux/v4.4.88/source/drivers/usb/musb/musb_gadget_ep0.c"
dpeddi  [23:41:09] but since my setup packet is 0 there isn't so much to dump :-(

From what I saw on IRC, you already got to the point where you got "SETUP packet len 0 != 8". How come you didn't experience the errno=22 error then? You used an older version of USBProxy?

dpeddi commented 6 years ago

No, I haven't... I was wrong... What I found produces just a dump and won't solve it.

dpeddi commented 6 years ago

I'm trying to skip loading some interfaces into gadgetfs: for example, I'm not interested in the usb_storage this device provides... Where should I look to avoid the notification of such an interface?

tnx

straithe commented 2 years ago

Sorry for not responding to this in a timely manner. @dpeddi are you still experiencing this issue?

dpeddi commented 2 years ago

Currently I'm busy with other projects. I no longer have any usbproxy-compatible hardware.

straithe commented 2 years ago

Ok. I'm sorry I couldn't get to this in time. I am going to close this issue at this time. If you do get usbproxy compatible hardware again and would like to explore this issue, just tag me!