wismna / HackPi

Hacking tool inside a Raspberry Pi zero

Trying to add keyboard to gadget #13

Open KALRONG opened 7 years ago

KALRONG commented 7 years ago

Hi,

First, thanks for your great work :) I have been using your repository for my testing of PoisonTap and love it.

I have been trying to add a keyboard gadget without much success.

I modified the gadget.sh like this:

#!/bin/sh
#
# HackPi
#  by wismna
#  http://github.com/wismna/raspberry-pi/hackpi
#  14/01/2017
#

cd /sys/kernel/config/usb_gadget/
mkdir -p hackpi
cd hackpi

OS=`cat /home/pi/os.txt`
HOST="48:6f:73:74:50:43"
SELF0="42:61:64:55:53:42"
SELF1="42:61:64:55:53:43"
SELF2="42:61:64:55:53:43"

echo 0x04b3 > idVendor
echo 0x4010 > idProduct

echo 0x0100 > bcdDevice # v1.0.0
mkdir -p strings/0x409
echo "badc0deddeadbeef" > strings/0x409/serialnumber
echo "wismna" > strings/0x409/manufacturer
echo "PiZero" > strings/0x409/product

if [ "$OS" != "MacOs" ]; then
        # Config 1: RNDIS
        mkdir -p configs/c.1/strings/0x409
        echo "0x80" > configs/c.1/bmAttributes
        echo 250 > configs/c.1/MaxPower
        echo "Config 1: RNDIS network" > configs/c.1/strings/0x409/configuration

        echo "1" > os_desc/use
        echo "0xcd" > os_desc/b_vendor_code
        echo "MSFT100" > os_desc/qw_sign

        mkdir -p functions/rndis.usb0
        echo $SELF0 > functions/rndis.usb0/dev_addr
        echo $HOST > functions/rndis.usb0/host_addr
        echo "RNDIS" > functions/rndis.usb0/os_desc/interface.rndis/compatible_id
        echo "5162001" > functions/rndis.usb0/os_desc/interface.rndis/sub_compatible_id
fi

# Config 2: CDC ECM
mkdir -p configs/c.2/strings/0x409
echo "Config 2: ECM network" > configs/c.2/strings/0x409/configuration
echo 250 > configs/c.2/MaxPower

mkdir -p functions/ecm.usb0
# first byte of address must be even
echo $HOST > functions/ecm.usb0/host_addr
echo $SELF1 > functions/ecm.usb0/dev_addr

# Create the CDC ACM function
mkdir -p functions/acm.gs0

mkdir -p functions/hid.usb0
echo 1 > functions/hid.0/protocol
echo 1 > functions/hid.0/subclass
echo 8 > functions/hid.0/report_length
echo -ne \\x05\\x01\\x09\\x06\\xa1\\x01\\x05\\x07\\x19\\xe0\\x29\\xe7\\x15\\x00\\x25\\x01\\x75\\x01\\x95\\x08\\x81\\x02\\x95\\x01\\x75\\x08\\x81\\x03\\x95\\x05\\x75\\x01\\x05\\x08\\x19\\x01\\x29\\x05\\x91\\x02\\x95\\x01\\x75\\x03\\x91\\x03\\x95\\x06\\x75\\x08\\x15\\x00\\x25\\x65\\x05\\x07\\x19\\x00\\x29\\x65\\x81\\x00\\xc0 > functions/hid.0/report_desc

# Link everything and bind the USB device
if [ "$OS" != "MacOs" ]; then
        ln -s configs/c.1 os_desc
        ln -s functions/rndis.usb0 configs/c.1
fi

ln -s functions/ecm.usb0 configs/c.2
ln -s functions/acm.gs0 configs/c.2
ln -s functions/hid.usb0 configs/c.2
# End functions
ls /sys/class/udc > UDC

But I'm receiving a kernel panic on boot like this one:

[   24.552717] Unable to handle kernel NULL pointer dereference at virtual address 00000002
[   24.558020] pgd = d8534000
[   24.563353] [00000002] *pgd=18d4c831, *pte=00000000, *ppte=00000000
[   24.568837] Internal error: Oops: 17 [#1] ARM
[   24.574084] Modules linked in: usb_f_hid usb_f_acm u_serial usb_f_rndis bnep hci_uart btbcm bluetooth bridge stp llc brcmfmac brcmutil snd_bcm2835 cfg80211 snd_pcm rfkill snd_timer snd bcm2835_gpiomem uio_pdrv_genirq uio fixed usb_f_ecm u_ether libcomposite dwc2 udc_core ipv6 [last unloaded: usb_f_rndis]
[   24.586514] CPU: 0 PID: 818 Comm: ls Not tainted 4.9.24+ #993
[   24.592339] Hardware name: BCM2835
[   24.598413] task: d8d3c420 task.stack: da686000
[   24.604646] PC is at alloc_ep_req+0x30/0xa8 [libcomposite]
[   24.610500] LR is at 0x0
[   24.616628] pc : [<bf0b6fe8>]    lr : [<00000000>]    psr: a0000013
sp : da687d98  ip : 00000000  fp : da687db4
[   24.628734] r10: da6622c8  r9 : d8cd56c4  r8 : da662270
[   24.634894] r7 : d8cd56a8  r6 : d8cd7f80  r5 : da649a90  r4 : 00000000
[   24.640883] r3 : d8cd7fb4  r2 : 00000000  r1 : 00000000  r0 : d8cd7f80
[   24.646878] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   24.653058] Control: 00c5387d  Table: 18534008  DAC: 00000055
[   24.658985] Process ls (pid: 818, stack limit = 0xda686188)
[   24.665233] Stack: (0xda687d98 to 0xda688000)
[   24.806068] [<bf0b6fe8>] (alloc_ep_req [libcomposite]) from [<bf43b7f0>] (hidg_bind+0xa0/0x258 [usb_f_hid])
[   24.813255] [<bf43b7f0>] (hidg_bind [usb_f_hid]) from [<bf0b20c0>] (usb_add_function+0x7c/0x164 [libcomposite])
[   24.820842] [<bf0b20c0>] (usb_add_function [libcomposite]) from [<bf0b6384>] (configfs_composite_bind+0x24c/0x360 [libcomposite])
[   24.828355] [<bf0b6384>] (configfs_composite_bind [libcomposite]) from [<bf079838>] (udc_bind_to_driver+0x3c/0xe0 [udc_core])
[   24.836220] [<bf079838>] (udc_bind_to_driver [udc_core]) from [<bf079d68>] (usb_gadget_probe_driver+0x100/0x14c [udc_core])
[   24.843934] [<bf079d68>] (usb_gadget_probe_driver [udc_core]) from [<bf0b6d10>] (gadget_dev_desc_UDC_store+0xb0/0xcc [libcomposite])
[   24.852066] [<bf0b6d10>] (gadget_dev_desc_UDC_store [libcomposite]) from [<c01baf30>] (configfs_write_file+0xd4/0x17c)
[   24.859906] [<c01baf30>] (configfs_write_file) from [<c0143dec>] (__vfs_write+0x38/0x128)
[   24.868070] [<c0143dec>] (__vfs_write) from [<c0144c24>] (vfs_write+0xb0/0x1bc)
[   24.875963] [<c0144c24>] (vfs_write) from [<c0145d34>] (SyS_write+0x54/0xb0)
[   24.884219] [<c0145d34>] (SyS_write) from [<c000fe40>] (ret_fast_syscall+0x0/0x1c)
[   24.892172] Code: ebff044d e2506000 0a000013 e5952024 (e1d230d2)
[   24.900498] ---[ end trace c29f93dff280ffe1 ]---

Thanks in advance!

wismna commented 7 years ago

Hi, glad to hear that you enjoy my project :)

As for your issue, in those lines:

echo 1 > functions/hid.0/protocol
echo 1 > functions/hid.0/subclass
echo 8 > functions/hid.0/report_length
echo -ne \x05\x01\x09\x06\xa1\x01\x05\x07\x19\xe0\x29\xe7\x15\x00\x25\x01\x75\x01\x95\x08\x81\x02\x95\x01\x75\x08\x81\x03\x95\x05\x75\x01\x05\x08\x19\x01\x29\x05\x91\x02\x95\x01\x75\x03\x91\x03\x95\x06\x75\x08\x15\x00\x25\x65\x05\x07\x19\x00\x29\x65\x81\x00\xc0 > functions/hid.0/report_desc

Shouldn't the folder hid.0 be hid.usb0 instead, as it's the one you created just above?
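The mismatch wismna points to (writing into functions/hid.0 while the function was created as functions/hid.usb0) slips through because a plain sh script does not stop on a failed redirect: the "No such file or directory" error is printed and the script carries on to bind a function that was never configured. An added example, not part of HackPi or of this thread: a fail-fast write helper and a preflight check of the gadget tree, run before writing UDC. The helper names, the mock directory layout and the sample descriptor bytes in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the HackPi repository: fail-fast helpers for a
# configfs gadget script. Without `set -e`, a redirect such as
#   echo 1 > functions/hid.0/protocol
# into a directory that was never created only prints an error and the
# script keeps going; the helpers below refuse to continue instead.
set -u

# gadget_set DIR ATTR VALUE: write VALUE to DIR/ATTR, failing if DIR is missing.
gadget_set() {
    if [ ! -d "$1" ]; then
        echo "gadget_set: no such function/config directory: $1" >&2
        return 1
    fi
    printf '%s\n' "$3" > "$1/$2"
}

# gadget_check GADGET_ROOT: before writing UDC, verify that every function
# linked from a config exists and that each HID function carries a non-zero
# report_length and a non-empty report_desc. Prints one line per problem and
# returns 1 if any were found, 0 if the tree looks consistent.
gadget_check() {
    root=$1
    rc=0
    for link in "$root"/configs/c.*/*; do
        [ -L "$link" ] || continue            # skip strings/, MaxPower, ...
        if [ ! -d "$link" ]; then
            echo "dangling function link: ${link#$root/}"
            rc=1
            continue
        fi
        case $(basename "$link") in
        hid.*)
            len=$(cat "$link/report_length" 2>/dev/null || echo 0)
            if [ "${len:-0}" -eq 0 ] || [ ! -s "$link/report_desc" ]; then
                echo "HID function not configured: ${link#$root/}"
                rc=1
            fi ;;
        esac
    done
    return $rc
}
```

Calling `gadget_check /sys/kernel/config/usb_gadget/hackpi || exit 1` just before `ls /sys/class/udc > UDC` turns a silently broken setup into a script that stops with a readable message.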

KALRONG commented 7 years ago

Thanks a lot for your reply!

I was actually following some instructions about how to set up the HID gadget and they left it like that. I have modified the file so now it looks like this:

mkdir -p functions/hid.usb0
echo 1 > functions/hid.usb0/protocol
echo 1 > functions/hid.usb0/subclass
echo 8 > functions/hid.usb0/report_length
echo -ne \\x05\\x01\\x09\\x06\\xa1\\x01\\x05\\x07\\x19\\xe0\\x29\\xe7\\x15\\x00\\x25\\x01\\x75\\x01\\x95\\x08\\x81\\x02\\x95\\x01\\x75\\x08\\x81\\x03\\x95\\x05\\x75\\x01\\x05\\x08\\x19\\x01\\x29\\x05\\x91\\x02\\x95\\x01\\x75\\x03\\x91\\x03\\x95\\x06\\x75\\x08\\x15\\x00\\x25\\x65\\x05\\x07\\x19\\x00\\x29\\x65\\x81\\x00\\xc0 > functions/hid.usb0/report_desc

# Link everything and bind the USB device
if [ "$OS" != "MacOs" ]; then
        ln -s configs/c.1 os_desc
        ln -s functions/rndis.usb0 configs/c.1
fi

ln -s functions/ecm.usb0 configs/c.2
ln -s functions/acm.gs0 configs/c.2
ln -s functions/hid.usb0 configs/c.2

Now the kernel panic disappears and I have the following message instead:

Jun  1 19:58:48 raspberrypi kernel: [   24.081945] usb0: HOST MAC 48:6f:73:74:50:43
Jun  1 19:58:48 raspberrypi kernel: [   24.082872] usb0: MAC 42:61:64:55:53:42
Jun  1 19:58:49 raspberrypi kernel: [   24.102106] usb1: HOST MAC 48:6f:73:74:50:43
Jun  1 19:58:49 raspberrypi kernel: [   24.103156] usb1: MAC 42:61:64:55:53:43
Jun  1 19:58:49 raspberrypi kernel: [   24.124311] Modules linked in: usb_f_hid usb_f_acm u_serial usb_f_rndis bnep hci_uart btbcm bluetooth bridge stp llc brcmfmac brcmutil snd_bcm2835 snd_pcm cfg80211 snd_timer rfkill snd bcm2835_gpiomem uio_pdrv_genirq fixed uio usb_f_ecm u_ether libcomposite dwc2 udc_core ipv6 [last unloaded: usb_f_rndis]
Jun  1 19:58:49 raspberrypi kernel: [   24.136718] CPU: 0 PID: 814 Comm: ls Not tainted 4.9.24+ #993
Jun  1 19:58:49 raspberrypi kernel: [   24.142517] Hardware name: BCM2835
Jun  1 19:58:49 raspberrypi kernel: [   24.148565] task: d8a48da0 task.stack: da704000
Jun  1 19:58:49 raspberrypi kernel: [   24.154539] PC is at alloc_ep_req+0x30/0xa8 [libcomposite]
Jun  1 19:58:49 raspberrypi kernel: [   24.160543] LR is at 0x0
Jun  1 19:58:49 raspberrypi kernel: [   24.166582] pc : [<bf0b6fe8>]    lr : [<00000000>]    psr: a0000013
Jun  1 19:58:49 raspberrypi kernel: [   24.166582] sp : da705d98  ip : 00000000  fp : da705db4
Jun  1 19:58:49 raspberrypi kernel: [   24.178603] r10: da65c2c8  r9 : da462cc4  r8 : da65c270
Jun  1 19:58:49 raspberrypi kernel: [   24.184763] r7 : da462ca8  r6 : d89d6e00  r5 : da65d890  r4 : 00000008
Jun  1 19:58:49 raspberrypi kernel: [   24.190610] r3 : d89d6e34  r2 : 00000000  r1 : 00000000  r0 : d89d6e00
Jun  1 19:58:49 raspberrypi kernel: [   24.196724] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Jun  1 19:58:49 raspberrypi kernel: [   24.202880] Control: 00c5387d  Table: 189f4008  DAC: 00000055
Jun  1 19:58:49 raspberrypi kernel: [   24.353740] [<bf0b6fe8>] (alloc_ep_req [libcomposite]) from [<bf4437f0>] (hidg_bind+0xa0/0x258 [usb_f_hid])
Jun  1 19:58:49 raspberrypi kernel: [   24.360802] [<bf4437f0>] (hidg_bind [usb_f_hid]) from [<bf0b20c0>] (usb_add_function+0x7c/0x164 [libcomposite])
Jun  1 19:58:49 raspberrypi kernel: [   24.368216] [<bf0b20c0>] (usb_add_function [libcomposite]) from [<bf0b6384>] (configfs_composite_bind+0x24c/0x360 [libcomposite])
Jun  1 19:58:49 raspberrypi kernel: [   24.375577] [<bf0b6384>] (configfs_composite_bind [libcomposite]) from [<bf079838>] (udc_bind_to_driver+0x3c/0xe0 [udc_core])
Jun  1 19:58:49 raspberrypi kernel: [   24.383313] [<bf079838>] (udc_bind_to_driver [udc_core]) from [<bf079d68>] (usb_gadget_probe_driver+0x100/0x14c [udc_core])
Jun  1 19:58:49 raspberrypi kernel: [   24.390890] [<bf079d68>] (usb_gadget_probe_driver [udc_core]) from [<bf0b6d10>] (gadget_dev_desc_UDC_store+0xb0/0xcc [libcomposite])
Jun  1 19:58:49 raspberrypi kernel: [   24.398825] [<bf0b6d10>] (gadget_dev_desc_UDC_store [libcomposite]) from [<c01baf30>] (configfs_write_file+0xd4/0x17c)
Jun  1 19:58:49 raspberrypi kernel: [   24.406483] [<c01baf30>] (configfs_write_file) from [<c0143dec>] (__vfs_write+0x38/0x128)
Jun  1 19:58:49 raspberrypi kernel: [   24.414438] [<c0143dec>] (__vfs_write) from [<c0144c24>] (vfs_write+0xb0/0x1bc)
Jun  1 19:58:49 raspberrypi kernel: [   24.422137] [<c0144c24>] (vfs_write) from [<c0145d34>] (SyS_write+0x54/0xb0)
Jun  1 19:58:49 raspberrypi kernel: [   24.430213] [<c0145d34>] (SyS_write) from [<c000fe40>] (ret_fast_syscall+0x0/0x1c)
Jun  1 19:58:49 raspberrypi kernel: [   24.446310] ---[ end trace 29bcb98f1e6e36e0 ]---

The behaviour I'm getting is that everything comes up and my computer sees the USB ethernet BUT not the HID; when it seems to try to load it, that message is shown and my computer shows the device as removed.

wismna commented 7 years ago

What OS are you plugging it to?

KALRONG commented 7 years ago

Currently on Linux: Linux 4.9.0-3-amd64 #1 SMP Debian 4.9.25-1 (2017-05-02) x86_64 GNU/Linux

Just tested on a Windows 10 machine with the same results and the same message in the log.