USB HID learning: packet analysis

This article uses the Bus Hound tool to capture USB HID device packets for analysis, combined with the official manuals and online articles. Knowledge not covered in the text is pointed to by the reference resources at the end.
In the author's experience, reading a protocol specification directly is not intuitive; the best approach is to capture real data with a packet-capture tool and analyse it alongside the protocol document. This held for ONVIF and for IEEE 802.3 (802.11), and USB is no different.

I. Prerequisites

1.1 Descriptors

A USB host identifies a device through a set of descriptors: the device descriptor, configuration descriptor, interface descriptor, endpoint descriptor, string descriptor and, for HID, the report descriptor.
For HID, when the host requests the descriptors, the device returns them in the order: device descriptor, configuration descriptor, interface descriptor, HID descriptor, endpoint descriptor. The data analysed below follows essentially this order.
A USB HID device transmits data through reports. There are three kinds: input reports, output reports and feature reports.
Input report: data sent from the device to the host, for example a USB mouse returning movement and click information, or a keyboard returning key data. Input reports are delivered through the interrupt IN endpoint.
Output report: data sent from the host to the device, for example the Num Lock and Caps Lock LEDs on a keyboard. A report is a data packet that carries the data to be transmitted.
Report descriptor: describes the reports and what the data in a report means. Through it the USB host can interpret the intended meaning of the data inside a report.

1.2 Data Format

The request command is 8 bytes; in Bus Hound it is the data whose phase is marked CTL. Its format is shown in Figure 1:
[Figure 1]
bmRequestType indicates the request type. Its composition in the figure looks complicated, but when analysing real data only a few specific values turn up, such as 0x80, 0x81, 0x20 and 0x21.
wValue is a 2-byte value whose meaning depends on the type of request. Note that USB uses little-endian byte order, so any field longer than one byte must have its bytes swapped when read.
wIndex is similar, but generally denotes an index or offset.
bRequest is a one-byte request code, as shown in Figure 2.
[Figure 2]

1.3 Other

bDescriptorType indicates the descriptor type:

1: device descriptor
2: configuration descriptor
3: string descriptor
4: interface descriptor
5: endpoint descriptor
0x21: HID descriptor
0x22: report descriptor
0x23: physical descriptor

Device class bDeviceClass:

0x00: the class value is given in the interface descriptor
0x02: communications class
0x09: hub class
0xDC: diagnostic device class
0xE0: wireless communication device class
0xFF: vendor-defined device class

Interface class bInterfaceClass:

0x01: audio class
0x02: CDC control class
0x03: HID (human interface device) class
0x05: physical class
0x06: image class
0x07: printer class
0x08: mass storage class
0x09: hub class
0x0A: CDC data class
0x0B: smart card class
0x0D: security class
0xDC: diagnostic device class
0xE0: wireless controller class
0xFE: application-specific class (including IrDA bridges and the like)
0xFF: vendor-defined device

HID interface descriptor bInterfaceProtocol:

0: none
1: keyboard
2: mouse
3~255: reserved

HID report types:

1: input report
2: output report
3: feature report
04-ff: reserved

II. Using Bus Hound

The software download and installation process is omitted.
The tool is operated through the icons on the toolbar.
"Capture" opens the capture view; the start and stop buttons are in the lower right corner.
"Save" writes the captured data to a file for later analysis.
In "Settings" the packet length must be increased; otherwise the captured data is truncated and misleading. The parameters I used are shown in Figure 3:
[Figure 3]

"Devices" lists the USB devices and selects which one to capture. See Figure 4:
[Figure 4]

III. Packet capture analysis

This article analyses the data of a USB keyboard. Start monitoring in the tool, then plug in the keyboard to obtain the data. The capture is shown in Figure 5:
[Figure 5]

An example of the saved data is as follows:

  Device - Device ID (followed by the endpoint for USB devices)
            (31) USB Composite Device
            (34) USB Input Device
            (35) USB Input Device
            (36) HID Keyboard Device
            (37) HID-compliant consumer control device
            (38) HID Keyboard Device
            (39) HID Keyboard Device
  Phase  - Phase Type
            CTL   USB control transfer       
            IN    Data in transfer           
            OUT   Data out transfer          
  Data   - Hex dump of the data transferred
  Descr  - Description of the phase
  Cmd... - Position in the captured data


Device  Phase  Data                      Description       Cmd.Phase.Ofs(rep)
------  -----  ------------------------  ----------------  ------------------
  31.0  CTL    80 06 00 01  00 00 12 00  GET DESCRIPTOR           1.1.0        
  31.0  IN     12 01 10 01  00 00 00 08  ........                 1.2.0        
               6d 02 02 00  01 01 00 00  m.......                 1.2.8        
               00 01                     ..                       1.2.16       

The first part describes the format of the saved data; the second part is the actual data. The second column, Phase, gives the type of the data, and the last column gives its sequence number (1.x is the first request/response, 2.x the second, and so on). To make the USB request flow easy to follow, the analysis below starts from the very first packet, i.e. from the moment the USB device is plugged into the USB host (the last column starting at 1.x).

3.1 Device descriptor

A USB device has exactly one device descriptor. It mainly records: the USB protocol version the device uses, the device class, the maximum packet size of endpoint 0, the vendor ID (VID, assigned by the USB organization) and product ID (PID), the device version, the manufacturer string index, the product string index, the serial number string index, the number of possible configurations, and so on.

The data is as follows:

  31.0  CTL    80 06 00 01  00 00 12 00  GET DESCRIPTOR           1.1.0        
  31.0  IN     12 01 10 01  00 00 00 08  ........                 1.2.0        
               6d 02 02 00  01 01 00 00  m.......                 1.2.8        
               00 01                     ..                       1.2.16  

The request data is:

31.0  CTL    80 06 00 01  00 00 12 00 

Parsed as follows:

bmRequestType 80: data direction from device to host; standard request; recipient is the USB device
bRequest 06: the request is GET_DESCRIPTOR
wValue 00 01: after byte swap 0x0100; the high byte 01 is the descriptor type (device descriptor), the low byte 00 is the descriptor index
wIndex 00 00: read the device descriptor starting at offset 0
wLength 12 00: the length of the next data stage is 18 bytes (little-endian, actually 0x0012, i.e. 18)

The fields of the returned data are described in Figure 6.
[Figure 6]
The data is:

  31.0  IN     12 01 10 01  00 00 00 08  ........                 1.2.0        
               6d 02 02 00  01 01 00 00  m.......                 1.2.8        
               00 01                     ..                       1.2.16

Parsed as follows:

12 length 18
01 device descriptor
1001 after byte swap 0x0110, i.e. USB protocol version 1.1 (note: the USB version is encoded in BCD)
00 device class (assigned by USB)
00 device subclass
00 protocol code
08 maximum packet size of endpoint 0 is 8 (note: only 8, 16, 32 and 64 are valid values)
6d02 VID, after byte swap 0x026d
0200 PID, after byte swap 0x0002
0101 device version

The keyboard used in this article is shown in Figure 7 (mainly to cross-check the VID and PID):
[Figure 7]

3.2 Configuration descriptor

The device descriptor determines how many configurations the device has, and each configuration has a configuration descriptor. It mainly records: the number of interfaces the configuration contains, the configuration number, the power supply mode, whether remote wakeup is supported, the current requirement, and so on.
The data is as follows:

  31.0  CTL    80 06 00 02  00 00 3b 00  GET DESCRIPTOR           3.1.0        
  31.0  IN     09 02 3b 00  02 01 00 a0  ..;.....                 3.2.0        
               32 09 04 00  00 01 03 01  2.......                 3.2.8        
               01 00 09 21  11 01 00 01  ...!....                 3.2.16       
               22 41 00 07  05 81 03 08  "A......                 3.2.24       
               00 0c 09 04  01 00 01 03  ........                 3.2.32       
               00 00 00 09  21 11 01 00  ....!...                 3.2.40       
               01 22 5b 00  07 05 82 03  ."[.....                 3.2.48       
               08 00 0c                  ...                      3.2.56       

(Note: the 2.x data duplicates 3.x and is therefore omitted.)

Request:

31.0  CTL    80 06 00 02  00 00 09 00

bmRequestType 80: data direction from device to host; standard request; recipient is the USB device
bRequest 06: the request is GET_DESCRIPTOR
wValue 00 02: after byte swap 0x0200; the high byte 02 is the descriptor type (configuration descriptor), the low byte 00 is the configuration index
wIndex 00 00: read the descriptor starting at offset 0
wLength 09 00: the length of the next data stage is 9 bytes (little-endian, actually 0x0009, i.e. 9)

The fields of the returned data are described in Figure 8.
[Figure 8]

Data:

  31.0  IN     09 02 3b 00  02 01 00 a0 
               32 09 04 00  00 01 03 01 
               01 00 09 21  11 01 00 01 
               22 41 00 07  05 81 03 08 
               00 0c 09 04  01 00 01 03 
               00 00 00 09  21 11 01 00 
               01 22 5b 00  07 05 82 03 
               08 00 0c                

09 length of this descriptor
02 type, configuration descriptor
3b00 i.e. 0x003b, the total length of this response, including the other descriptors (configuration, interface, endpoint and HID)
02 number of interfaces supported by this configuration is 2
01 parameter value for the Set Configuration command
00 string descriptor index; 0 means none
a0 power and wakeup attributes; a0 means bus powered with remote wakeup
32 current draw in units of 2 mA; 50 (0x32) * 2 = 100 mA

Note that 6 further descriptors are returned together with the configuration descriptor. The key bytes are 09 04 (twice), 09 21 (twice) and 07 05 (twice); they are analysed in the following subsections.

3.3 Interface descriptor

Immediately after the configuration descriptor come the interface descriptors. An interface descriptor specifies the type of the interface and the number of endpoints it uses.
Each configuration descriptor defines how many interfaces the configuration has, and each interface has an interface descriptor. It mainly records: the interface number, the number of endpoints, and the class, subclass and protocol the interface uses.
The fields of this descriptor are shown in Figure 9.
[Figure 9]

09 04 00 00 01 03 01 01 00    (1)
09 04 01 00 01 03 00 00 00    (2)

09 length of this descriptor
04 type, interface descriptor
00 interface number 0
00 alternate setting number
01 number of endpoints in the interface is 1
03 interface class, 3 = HID (assigned by USB)
01 subclass
01 protocol code: 1 = keyboard, 2 = mouse, 0 = none
00 string descriptor index for this interface

As can be seen, the interface class specified by the interface descriptor is HID. Note that two descriptors are shown: (1) is a keyboard, but (2) is not; the reason has not been investigated further.

3.4 HID descriptor

The HID descriptor specifies the HID specification version and the types of HID class descriptors that follow (note: the physical descriptor is optional).
The fields of this descriptor are shown in Figure 10.
[Figure 10]

09 21 11 01 00 01 22 41 00
09 21 11 01 00 01 22 5b 00

09 length of this descriptor
21 type, 0x21 = HID descriptor
1101 after byte swap 0x0111, i.e. version 1.11 (BCD)
00 country code
01 number of HID class descriptors is 1
22 descriptor type: 0x22 = report descriptor, 0x21 = HID descriptor, 0x23 = physical descriptor
4100 descriptor length, here 0x0041

3.5 Endpoint descriptor

The endpoint descriptor describes the transfer type, the transfer direction, the packet size and the endpoint number (also called the endpoint address).
The fields of this descriptor are shown in Figure 11.
[Figure 11]

07 05 81 03 08 00 0c
07 05 82 03 08 00 0c

07 length of this descriptor
05 type, 5 = endpoint descriptor
81 endpoint address: bit 7 is the direction (1 = IN, 0 = OUT) and the low 4 bits are the endpoint number; 81 is IN endpoint 1, 82 is IN endpoint 2
03 endpoint attributes: 00 = control, 01 = isochronous, 02 = bulk, 03 = interrupt
0800 after byte swap 0x0008, maximum packet size 8
0c polling interval, in ms
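As an added example (not code from the original post), the Python below parses the device descriptor from phase 1.2 and walks the configuration chain from phase 3.2 (sections 3.1 to 3.5), dispatching on bDescriptorType and validating every bLength before advancing, which is the check a host-side parser needs against a device that reports a zero or over-long length.

```python
import struct

# Constructed from the Bus Hound capture above (device 31: phase 1.2 device descriptor, phase 3.2 configuration chain).
DEVICE_DESC = bytes.fromhex("12011001000000086d020200010100000001")
CONFIG_BLOB = bytes.fromhex(
    "09023b00020100a03209040000010301010009211101000122410007058103"
    "08000c090401000103000000092111010001225b000705820308000c")
DESC_NAMES = {1: "device", 2: "configuration", 3: "string", 4: "interface",
              5: "endpoint", 0x21: "hid", 0x22: "report", 0x23: "physical"}

def parse_device_descriptor(buf):
    """Decode the 18-byte device descriptor (all multi-byte fields little-endian)."""
    (length, dtype, bcd_usb, _cls, _sub, _proto, mps0, vid, pid, _bcd_dev,
     _i_mfr, _i_prod, _i_ser, n_cfg) = struct.unpack("<BBHBBBBHHHBBBB", buf[:18])
    if length != 18 or dtype != 1:
        raise ValueError("not a device descriptor")
    return {"bcdUSB": f"{bcd_usb >> 8:x}.{bcd_usb & 0xff:02x}", "bMaxPacketSize0": mps0,
            "idVendor": vid, "idProduct": pid, "bNumConfigurations": n_cfg}

def walk_config(blob):
    """Walk the chain returned for GET_DESCRIPTOR(configuration), advancing by bLength.
    A zero or over-long bLength is rejected: a buggy or hostile device can send either,
    and a naive loop would spin forever or read past the buffer."""
    cfg = struct.unpack("<BBHBBBBB", blob[:9])
    if cfg[1] != 2 or cfg[2] != len(blob):
        raise ValueError("wTotalLength does not match captured length")
    out, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob) or blob[off] < 2 or off + blob[off] > len(blob):
            raise ValueError(f"bad descriptor header at offset {off}")
        blen, dtype = blob[off], blob[off + 1]
        d = blob[off:off + blen]
        item = {"type": DESC_NAMES.get(dtype, hex(dtype)), "offset": off}
        if dtype == 2:      # configuration: interface count, attributes, bMaxPower in 2 mA units
            item.update(bNumInterfaces=d[4], bmAttributes=d[7], max_power_mA=d[8] * 2)
        elif dtype == 4:    # interface: number, endpoint count, class, protocol
            item.update(bInterfaceNumber=d[2], bNumEndpoints=d[4], bInterfaceClass=d[5],
                        bInterfaceProtocol=d[7])
        elif dtype == 0x21: # HID: bcdHID and the length of the report descriptor it announces
            item.update(bcdHID=struct.unpack_from("<H", d, 2)[0],
                        report_desc_len=struct.unpack_from("<H", d, 7)[0])
        elif dtype == 5:    # endpoint: bit 7 direction, low 4 bits number, bits 1:0 transfer type
            item.update(address=d[2], direction="IN" if d[2] & 0x80 else "OUT", number=d[2] & 0x0f,
                        transfer=("control", "isochronous", "bulk", "interrupt")[d[3] & 3],
                        wMaxPacketSize=struct.unpack_from("<H", d, 4)[0], bInterval=d[6])
        out.append(item)
        off += blen
    return out
```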

IV. Report descriptor

HID has 6 class-specific requests; this section analyses 2 of them (no data could be captured for the others). The captured data here comes from an HID device.
The request data follows the format of Figure 1; the specifics are shown in Figure 12.
[Figure 12]
As the figure shows, the HID request type is only ever 0x21 or 0xa1. The six descriptor requests are shown in Figure 13.
[Figure 13]

4.1 Set report

Request data and its parsing:

  47.0  CTL    21 09 00 03  00 00 20 00  SET REPORT              19.1.0 

21 request type; the top bit of 0x21 is 0, so the data direction is host to device (output)
09 request, 9 = SET_REPORT
0003 low byte is the report ID (0 here), high byte is the report type: 3 = feature, 1 = input, 2 = output
0000 index
2000 after byte swap 0x0020, report data length 32 bytes

The fields of this request are shown in Figure 14.
[Figure 14]
An example of the output data being set:

  47.0  OUT    55 55 01 4c  61 74 65 01  UU.Late.                19.2.0 
               02 c2 00 00  00 00 00 00  ........                19.2.8 
               00 00 00 00  00 00 00 00  ........                19.2.16
               00 00 00 00  00 00 00 00  ........                19.2.24

4.2 Get report

Request data and its parsing:

  47.0  CTL    a1 01 00 03  00 00 20 00  GET REPORT              20.1.0 

a1 request type; the top bit of 0xa1 is 1, so the data direction is device to host (input)
01 request, 1 = GET_REPORT
the remaining fields are the same as above

The fields of this request are shown in Figure 15.
[Figure 15]
An example of the input data:

  47.0  IN     55 55 01 4c  61 74 65 01  UU.Late.                20.2.0 
               03 c3 00 00  00 00 00 00  ........                20.2.8 
               00 00 00 00  00 00 00 00  ........                20.2.16
               00 00 00 00  00 00 00 00  ........                20.2.24

In development the report ID is very important. The examples above use ID 0; below is the data for report ID 9:

  47.0  CTL    21 09 09 03  00 00 21 00  SET REPORT               3.1.0        
  47.0  OUT    09 55 55 04  30 00 bb 00  .UU.....                 3.2.0        
               f6 00 77 00  00 00 00 00  ..w.....                 3.2.8        
               00 00 00 00  00 00 00 00  ........                 3.2.16       
               00 00 00 00  00 00 00 00  ........                 3.2.24           
  47.0  CTL    a1 01 09 03  00 00 21 00  GET REPORT               5.1.0(3)     
  47.0  IN     09 3c 3c 3c  3c 3c 3c 3c  .<<<<<<<                 5.2.0        
               3c 3c 3c 3c  3c 3c 3c 3c  <<<<<<<<                 5.2.8        
               3c 3c 3c 3c  3c 3c 3c 3c  <<<<<<<<                 5.2.16       
               3c 3c 3c 3c  3c 3c 3c 3c  <<<<<<<<                 5.2.24       
               3c                        <                        5.2.32      

It can be seen that with report ID 9 the data is preceded by the ID byte, whereas with ID 0 it is not. However, when setting a feature report with the hidapi library you must prepend the extra 1-byte ID regardless, otherwise the call fails. When reading, the real data comes after the ID, so skip one byte.
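As an added example (not code from the original post), the Python below decodes the 8-byte CTL setup packets quoted in sections 1.2, 4.1 and 4.2 (the bmRequestType bit fields, wValue of GET_DESCRIPTOR, and the report type and report ID of SET_REPORT/GET_REPORT) and applies the report-ID handling just described; the hidapi buffer helper encodes the convention this post states, not the library's own API.

```python
import struct

# Setup packets (CTL phases) copied from the Bus Hound captures in this post, constructed as inline test data.
SETUPS = {
    "get_device_desc": bytes.fromhex("8006000100001200"),
    "get_config_desc": bytes.fromhex("8006000200003b00"),
    "set_feature_id0": bytes.fromhex("2109000300002000"),
    "get_feature_id9": bytes.fromhex("a101090300002100"),
}
HID_REQUESTS = {1: "GET_REPORT", 9: "SET_REPORT"}
DESC_TYPES = {1: "device", 2: "configuration", 3: "string", 4: "interface",
              5: "endpoint", 0x21: "hid", 0x22: "report", 0x23: "physical"}
REPORT_TYPES = {1: "input", 2: "output", 3: "feature"}

def decode_setup(pkt):
    """Split bmRequestType/bRequest/wValue/wIndex/wLength; multi-byte fields are little-endian."""
    if len(pkt) != 8:
        raise ValueError("setup packet must be exactly 8 bytes")
    bm, breq, wvalue, windex, wlength = struct.unpack("<BBHHH", pkt)
    rtype = ("standard", "class", "vendor", "reserved")[(bm >> 5) & 3]
    rcpt = bm & 0x1f
    info = {"direction": "IN" if bm & 0x80 else "OUT", "type": rtype,
            "recipient": ("device", "interface", "endpoint", "other")[rcpt] if rcpt < 4 else "reserved",
            "wIndex": windex, "wLength": wlength}
    if rtype == "standard" and breq == 6:
        # GET_DESCRIPTOR: high byte of wValue is the descriptor type, low byte the index
        info.update(request="GET_DESCRIPTOR", descriptor=DESC_TYPES.get(wvalue >> 8, "unknown"),
                    index=wvalue & 0xff)
    elif rtype == "class" and breq in HID_REQUESTS:
        # HID SET_REPORT/GET_REPORT: high byte is the report type, low byte the report ID
        info.update(request=HID_REQUESTS[breq], report_type=REPORT_TYPES.get(wvalue >> 8, "reserved"),
                    report_id=wvalue & 0xff)
    else:
        info.update(request=f"0x{breq:02x}")
    return info

def hidapi_feature_buffer(report_id, payload):
    """Buffer layout the post describes for hidapi feature reports (assumed convention):
    the report ID byte always comes first, even when the device uses ID 0."""
    return bytes([report_id]) + bytes(payload)

def strip_report_id(report_id, wire_data):
    """Recover the payload from the wire data shown above: with a non-zero ID the first
    byte is the ID and is skipped; with ID 0 no ID byte is present."""
    if report_id:
        if not wire_data or wire_data[0] != report_id:
            raise ValueError("report ID mismatch")
        return wire_data[1:]
    return wire_data
```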

V. Summary

In fact only some of the data categories are analysed here; conditions did not allow analysing all of them. For my purposes this is enough, so I will not study HID in more depth.
As for the report descriptor, I read several official documents and online articles and am still scratching my head; I have little experience with it. One application is transmitting custom data between a USB host and a USB device. In that case the complex description in the official documents need not concern you: treat it as fixed-format data, which of course requires both sides to agree on the format in advance.
Thanks to the many USB articles on the net, which I referenced heavily, together with my own organization and understanding; errors and inaccuracies are inevitable, so please correct me.

VI. Resources

USB (III): USB descriptors and commands (requests)
USB (IV): HID device class protocol
USB descriptor parsing

2020.2.9 Sunday night


Origin blog.csdn.net/subfate/article/details/104242617