Reverse Engineering a Samsung Scanner Button, page 6
Pages: 1 2 3 4 5 6 7 8
Step 6: Analyse the data, part2
Let's take a look at what that data looks like:
| ffff88007a52b9c0 | 3119564503 | S Ci:1:003:0 s | a1 00 0000 0100 0102 258< <--- last query before scan |
| ffff88007a52b9c0 | 3119564773 | C Ci:1:003:0 0 | 112 = 00704d46 473a5361 6d73756e 673b434d 443a5350 4c2c5552 462c4657 562c5049 |
| ffff88007a52b9c0 | 3119576468 | S Bo:1:003:2 -115 | 4 = 1ba81200 |
| ffff88007a52b9c0 | 3119576520 | C Bo:1:003:2 0 | 4 > |
| ffff88007a52b9c0 | 3119580453 | S Bi:1:003:1 -115 | 1024 < |
| ffff88007a52b9c0 | 3119583015 | C Bi:1:003:1 0 | 70 = a8004310 53616d73 756e6720 5343582d 33343030 20536572 69657320 20202020 |
| ffff88007a52b9c0 | 3119585456 | S Bo:1:003:2 -115 | 255 = 1ba813fb 00000000 00000000 00000000 00000000 00000000 00000000 00000000 |
| ffff88007a52b9c0 | 3119585516 | C Bo:1:003:2 | 0 255 > |
| ffff88007a52b9c0 | 3119588454 | S Bi:1:003:1 -115 | 1024 < |
| ffff88007a52b9c0 | 3119597640 | C Bi:1:003:1 0 | 255 = a8000000 00f91000 01646404 00000000 01000000 00000000 00000000 00000000 |
| ffff88007adc6500 | 3120434460 | S Bo:1:003:2 -115 | 4 = 1ba81200 |
| ffff88007adc6500 | 3120434551 | C Bo:1:003:2 0 | 4 > |
| ffff88007adc6500 | 3120437446 | S Bi:1:003:1 -115 | 1024 < |
| ffff88007adc6500 | 3120437548 | C Bi:1:003:1 0 | 70 = a8004310 53616d73 756e6720 5343582d 33343030 20536572 69657320 20202020 |
| ffff88007adc6500 | 3120440465 | S Bo:1:003:2 -115 | 255 = 1ba813fb 00000000 00000000 00000000 00000000 00000000 00000000 00000000 |
| ffff88007adc6500 | 3120440550 | C Bo:1:003:2 0 | 255 > |
| ffff88007adc6500 | 3120443440 | S Bi:1:003:1 -115 | 1024 < |
| ffff88007adc6500 | 3120447420 | C Bi:1:003:1 0 | 255 = a8000000 00f91000 01646404 00000000 01000000 00000000 00000000 00000000 |
We will discover that the first line is the last query before the bulk data transfer (scan).
Our goal is to find the top of the bulk data transfer. What exactly are we looking for?
First I will point out what strikes us right away… Notice the URB status of the top two commands (the tail end of the red string), the first one is ‘s', and the second one is ‘0'.
These two status indicators are meaningful to us because, if we look at the ones below those two commands we see status indicators such as ‘-115' and then again ‘0'.
Also notice the sudden size increase of the data (the blue strings). My guess is that all of those queries and responses that you see below the top two lines are the bulk data transfer of the scan itself.
So, we seem to have identified the last two control messages (the last query and response before the bulk data transfer) and after locating this point, we can now look above that query (time stamp 3119564503) to try and find the control message query and response that tells the scanner to perform a scan.
So, here are the lines above the 3119564503 time stamp that contain what we are hunting for:
| ffff88007a52b9c0 | 3115373453 | S Ci:1:003:0 s | c1 9a 0000 0100 0008 8 < <--- here is the check to see if the scan button was pressed |
| ffff88007a52b9c0 | 3115373605 | C Ci:1:003:0 0 | 8 = 1b9a0000 00000000 <--- the answer is 'no', and you will see why |
| ffff880023078d80 | 3116831450 | S Ci:1:003:0 s | c1 23 0100 0100 0008 8 < |
| ffff880023078d80 | 3116831696 | C Ci:1:003:0 0 | 8 = 4e4f5453 50505254 |
| ffff88007a52b9c0 | 3118409452 | S Ci:1:003:0 s | 80 06 0303 0000 0404 1028 < |
| ffff88007a52b9c0 | 3118409648 | C Ci:1:003:0 0 | 32 = 20035a00 38004200 4e004200 38004b00 44004300 45003000 30004400 51005700 |
| ffff88007a52b9c0 | 3118413453 | S Ci:1:003:0 s | 80 06 0302 0000 0404 1028 < |
| ffff88007a52b9c0 | 3118413648 | C Ci:1:003:0 0 | 32 = 20035300 43005800 2d003300 34003000 30002000 53006500 72006900 65007300 |
| ffff88007a52b9c0 | 3118415447 | S Ci:1:003:0 s | 80 06 0301 0000 0404 1028 < |
| ffff88007a52b9c0 | 3118415642 | C Ci:1:003:0 0 | 60 = 3c035300 61006d00 73007500 6e006700 20004500 6c006500 63007400 72006f00 |
| ffff88007a52b9c0 | 3118552453 | S Ci:1:003:0 s | a1 00 0000 0100 0101 257 < |
| ffff88007a52b9c0 | 3118552632 | C Ci:1:003:0 0 | 112 = 00704d46 473a5361 6d73756e 673b434d 443a5350 4c2c5552 462c4657 562c5049 |
Take a look at time stamp 3115373453 and the response:
| ffff88007a52b9c0 | 3115373453 | S Ci:1:003:0 s | c1 9a 0000 0100 0008 8 < |
| ffff88007a52b9c0 | 3115373605 | C Ci:1:003:0 0 | 8 = 1b9a0000 00000000 |
This is an interesting command. The command is a submission 'S' , so we know that the host sends it and it goes to device 3 on bus 1, endpoint 0. Following suit of what we have seen so far, control messages are going to the first endpoint (0) as we might expect. It's URB status is 's' so it is a setup URB.
What should catch our attention is the command itself: 'c1 9a 0000 0100' , and it is sending an 8 byte (or 8 character) buffer '0008 8' along with the command. Let's look at the response:
8 = 1b9a0000 00000000
What we see here is the device sending a callback 'C' , with an URB status of '0' (acknowledged) and it returns the 8 byte buffer that was sent with an 'answer' inside of it. The answer is of course '1b 9a 00 00 00 00 00 00'.
In these last few blocks, we see something different:
| ffff88007a52b9c0 | 3118556455 | S Ci:1:003:0 s | c1 9a 0000 0100 0008 8 < <--- here is the check to see if the scan button was pressed |
| ffff88007a52b9c0 | 3118556632 | C Ci:1:003:0 0 | 8 = 1b9a0100 00000000 <---here the answer changes since the third byte = 01 instead of 00 |
| ffff88007a52b9c0 | 3118894549 | S Ci:1:003:0 s | c1 23 0100 0100 0008 8 < |
Sure enough, again we see the check to see if the button was pressed:
| ffff88007a52b9c0 | 3118556455 | S Ci:1:003:0 | s c1 9a 0000 0100 0008 8 < |
But the answer is different:
| ffff88007a52b9c0 | 3118556632 | C Ci:1:003:0 0 | 8 = 1b9a0100 00000000 |
Before we had '1b 9a 00 00 00 00 00 00'. But this time we get '1b 9a 01 00 00 00 00 00'.
This is what we have been looking for and we are done analyzing. The response has '01' in the third byte, which means that the button has been pressed.
Now, all we have to do is mimic that instruction, sending an 8 byte character buffer to the first endpoint exactly the way that the Windows driver does, and we will get back an answer. When we see '01' in the third byte position, the button has been pressed.