- Read about Radare. Apparently, they have “USB support” but I could only see a USB communication sniffer. So Radare doesn’t dissect USB pakets
- Installed GDB from git, because the GDB in Fedora 13 crashes way too often. I didn’t file as many new bugs this week though I seem to have worked around all my crashers…
- Fought a lot with git It’s incredibly hostile. I tried to rebase stuff and it keeps bugging me with old commits still being visible although I’ve changed them I probably haven’t understood what it does yet. Tried to fix as much as possible using git reflog. Of course, the man page references options (–verbose in my case) that are not existant. Brilliant. I don’t know why I actually expected git to help me.
This is hilarious, too:
muelli@bigbox ~/git/qemu $ git rebase setup_fds First, rewinding head to replay your work on top of it... Applying: Temporary migration to usb_packet_filter_setup_fds Using index info to reconstruct a base tree... Falling back to patching base and 3-way merge... Auto-merging usb-linux.c CONFLICT (content): Merge conflict in usb-linux.c Failed to merge in the changes. Patch failed at 0001 Temporary migration to usb_packet_filter_setup_fds When you have resolved this problem run "git rebase --continue". If you would prefer to skip this patch, instead run "git rebase --skip". To restore the original branch and stop rebasing run "git rebase --abort". muelli@bigbox ~/git/qemu $ nano usb-linux.c # hack hack hack muelli@bigbox ~/git/qemu $ git add usb-linux.c muelli@bigbox ~/git/qemu $ git rebase --continue Applying: Temporary migration to usb_packet_filter_setup_fds No changes - did you forget to use 'git add'? When you have resolved this problem run "git rebase --continue". If you would prefer to skip this patch, instead run "git rebase --skip". To restore the original branch and stop rebasing run "git rebase --abort". muelli@bigbox ~/git/qemu $
That one is brilliant, too:
muelli@bigbox ~/git/qemu $ git rebase -i setup_fds # Stupid me: I selected "f" for the very first entry in that edit window Cannot 'fixup' without a previous commit # Fair enough, let me restart then: muelli@bigbox ~/git/qemu $ git rebase setup_fds Interactive rebase already started # O_o WTF? What else, besides aborting, could I possibly do anyway?! muelli@bigbox ~/git/qemu $ git rebase --abort muelli@bigbox ~/git/qemu $ git rebase setup_fds # Now it works...
- Reimplemented host side USB filters to obtain valid USB communication. I have various simple filters: PassThrough, Logging and Replacing. The first one does nothing but return the data w/o any modification. The second one writes the bytes it reads and writes to files. The third one replaces 512 “A”s with 512 “B”s. Still need separate packets from the device in question to the host from packets from the host to the device to obtain valid device behaviour without reading all of the documentation. That will give me a good starting point to actually do the fuzzing.
That replace filter produced interesting results. I replaced every “A” transmitted by a “B”. On the host, I created a file on a mass storage with 4KB “A”s. When “cat”ting the file from the guest, I saw “A”s. But copying the file in the guest resulted in the new file having all “B”s. I expected the “cat” showing all “B”s, too. And as far as I can see, the “A”s are actually replaced for the “cat”.
Of course, Istanbul crashed while trying to make that screencast.
Note that the filter code actually changed by now, not only because I enhanced the protocol (in the version you’re seeing, only USB payload is exchanged. In the new version, also the PID, device address and device endpoint are filtered) but also because I refactored the communication bits into a USBPacket class.
I missed to show the pen drive from the host point of view after having copied the file in the guest, but the “bbbb” file is full of “B”s.
- I’m on my way to emulating a USB device, i.e. make the guest think it has a USB device attached but the device is a program running on the guest. I basically copied the USB serial driver and the HID driver and modified them to get packets from a pipe and send them to a pipe. I had serious problems with QEmu: QEmu didn’t register my new “device”. Now I called the right function to initialize the USB device and voila, it attaches it like it should.
Now I need to obtain valid USB communication using the filter so that I can respond to incoming packets properly.
- Dear lazyweb, I’m wondering whether I could make my OS load an application but then break on main() so that I can attach a debugger. I cannot run the application *with* GDB. Instead, I want to attach a GDB after the program is fully loaded. Maybe LD_PRELOADing on main() will work?