BeagleBoard/GSoC/2010 Projects/USBSniffer

Google Summer of Code 2010 Project


 * Student: Nicolas Boichat
 * Mentors: Hunyue Yau, Laine Walker-Avina, Frans Meulenbroeks

BeagleBoard project: usbsniffer

Project at gitorious.org: http://gitorious.org/beagleboard-usbsniffer

Blog: http://beagleboard-usbsniffer.blogspot.com/ (RSS)

Abstract
The goal of this project is to use the BeagleBoard as an USB sniffer. The host computer would be connected to the slave USB port of the BeagleBoard, and the device to be sniffed on the host USB port.

The BeagleBoard would then forward USB data, while logging it.

This presents the following advantages over a software-based solution: No software modification is required; support of proprietary OSes; allows debugging of new USB stacks; and possibly lower-level debugging of USB frames...

Build and run instructions
To get the proxy driver to work, you need to follow these steps:

git clone git://gitorious.org/beagleboard-usbsniffer/beagleboard-usbsniffer-kernel.git cd beagleboard-usbsniffer-kernel git checkout origin/stable-20100726 -b stable-20100726 git clone git://gitorious.org/beagleboard-usbsniffer/helper-scripts.git cd helper-scripts/ git checkout origin/stable-20100730 -b stable-20100730
 * Clone my kernel git tree. Use the stable-20100726 branch . This can be done using the following commands:
 * Do not reconfigure the kernel (unless you need some extra modules): the git tree comes with a ready-made .config.
 * Compile and install the kernel.
 * Make sure your environment is set properly (at least CROSS_COMPILE=arm-angstrom-linux-gnueabi- and ARCH=arm should be set)
 * Run make uImage.
 * Copy the resulting uImage on the SD card.
 * Compile and install the kernel modules
 * make modules
 * To install the modules, the easiest is probably to set INSTALL_MOD_PATH to some directory on your host computer, run make modules_install</tt>, and copy the modules to the SD card, or via the network.
 * Note: in some cases, I had problem with the kernel not finding modules. In that case, run depmod -a</tt> on the BeagleBoard, and reboot.
 * Install libpcap-1.1.1 and tcpdump-4.1.1.
 * If you don't have a recent enough OpenEmbedded install, the recipes can be found in these 2 commits: and : apply these 2 commits, or update your OpenEmbedded distribution to the latest git.
 * Build libpcap and tcpdump, this can be done with a command like bitbake libpcap tcpdump</tt> provided you have the environment set properly (i.e., source ~/.oe/environment</tt> or use oebb.sh</tt>).
 * The 2 packages can be found in $OE_BASE/build/tmp-angstrom_2008_1/deploy/glibc/ipk/armv7a</tt>: libpcap_1.1.1-r1.5_armv7a.ipk</tt> and tcpdump_4.1.1-r1.5_armv7a.ipk</tt>.
 * Copy these on the BeagleBoard, and run opkg install name.ipk</tt> for both packages.
 * Clone the helper scripts git tree, branch stable-20100730</tt> :
 * Copy the content of the arm</tt> directory to the BeagleBoard

Then, you have 2 options, the automatic way:
 * Plug your device (through a USB hub if it is a low/full-speed device).
 * Run ./sniff</tt>, and follow the instructions. Data transfers will be logged to /media/ram/dump</tt>. This resulting file can be displayed using wireshark.
 * Use the device, it should work, and packets are captured.

or the manual way (mostly for testing purpose, as it does not log packets):
 * Run ./setup</tt> on the BeagleBoard, this will unload the g_ether</tt> gadget driver.
 * Plug your device (through a USB hub if it is a low/full-speed device).
 * Plug your PC to the BeagleBoard USB slave port (this can be done earlier as well).
 * Run ./unbind</tt>: This will unbind the device from the normal Linux driver.
 * Run <tt>./load</tt>: this will (re)load the <tt>g_proxy</tt> driver.
 * Use the device, it should work.

MUSB testing code
Some instructions on how to use the code to trigger the MUSB bug with short isochronous packets:

Checkout |http://gitorious.org/beagleboard-usbsniffer/musb-test. There are 2 directories: <tt>host</tt>, and <tt>device</tt>.

For the device side (on the beagleboard), you need to cross-compile <tt>usbtest</tt>. You need <tt>libaio</tt>, which can be built using Angstrom, and <tt>gadgetfs</tt> in the Linux kernel. Then, the gadgetfs driver is loaded as follows:

modprobe gadgetfs mkdir /dev/gadget/ -p mount -t gadgetfs none /dev/gadget ./usbtest -v -s 512 -p 2 -a 1 -I0 -x 18

The host code must be run on your host PC. It requires the <tt>usbtest</tt> module (<tt>CONFIG_USB_TEST=m</tt>), then isochronous IN transfers are tested with the following command: ./testusb -a -t 16 -g 1 -c 10

While running the test, you can monitor the USB traffic using usbmon, you should see isochronous packets of length 18, i.e., something like this: ... S Zi:2:100:1 -115:8:5232 1 -18:0:512 512 < ... C Zi:2:100:1 0:8:5240:0 1 0:0:18 18 = e6010203 e6050607 e6090a0b e60d0e0f e611

Every 4 bytes contains some kind of packet id (incrementing), the rest of the bytes are given by a mod 63 counter.

Bulk transfers can also be tested, with the following commands (device and host): ./usbtest -a 5 -s 514 ./testusb -a -t 4 -c 10 -s 1024

<tt>testusb</tt> will complain, since the packet is short (514 instead of 1024), but usbmon still shows that the transfer has been done correctly: ... S Bi:2:101:1 -115 1024 < ... C Bi:2:101:1 -121 514 = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000