[sane-devel] reverse engineering / usbsnoop
Bertrik Sikken
bertrik@zonnet.nl
Sat, 11 Sep 2004 18:36:47 +0200
Mbosowo I Sampson wrote:
> After reading reams of documentation, I think I have a grasp on how the
> USB protocol works. I started snooping the usb traffic of my hp scanjet
> 3970 so I can start writing the backend for it. I have a couple of
> questions...
>
> With Snoopy Pro it seems to stop logging information once the actual
> scan begins. Someone else posted something on SF page about it stopping
> once the bulk transfer began. I was wondering if anyone knew how to get
> around this. I tried sniffit, but the documentation says it only works
> for NT 2000.
I think you're hitting a nice point there:
it's a bit unclear what _the_ tool for USB sniffing currently is
(at least to me).
I tried the following programs:
sniffusb 0.12 and 0.13. http://www.wingmanteam.com/usbsnoopy/
+ logs in text format (for easy perl processing).
- does not work with windows xp
- chokes sometimes on large USB bulk transfers.
All perl scripts that I have seen were made to parse the format of the
logs created by this program.
usb snoopy pro. http://sourceforge.net/projects/usbsnoop/
- logs in binary format (-> no further discussion necessary)
sniff-bin. http://benoit.papillault.free.fr/usbsnoop/
This program looks similar to sniffusb
+ logs in plain text (although slightly different format from sniffusb)
+ works under windows xp
If I were to reverse engineer a protocol again, I think I would
use sniff-bin.
> I was looking at a usb dump,
> http://reapoff.sourceforge.net/hpscanner/full_scan.dump.gz
>
> posted by this guy,
> http://reapoff.sourceforge.net/hpscanner/hp4470c.txt
>
> On this page he says that the chipset he was looking at had 244
> registers. How exactly can you tell that by the logs?
I'm not sure, I don't think you can tell that from the log.
According to the text, USB transfers starting with 0x80 and 0x88
indicate register get/set. Perhaps he counted all unique register
transfer commands?
> I'm looking at the logs, and I'm not sure where to start. I want to start
> simple by writing a standalone application that turns on the lamp, then
> build on it from there. I have a session log, but I have no idea how to
> find out what register and values are needed to turn on the lamp. Any tips?
Is the protocol similar to the one used in the hp4400/4470?
Can you post a link to your log?
> I wanted to post the Snoopypro log here, but apparently it's a binary
> file. I tried to use usb-robot to control the scanner from linux, it's
> not working, and there doesn't seem to be any documentation on usb-robot
> anywhere. lovely.
I think usb-robot is not compatible with the snoopypro logs.
Regards,
Bertrik
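
Added example, not part of the original message or of any tool named in it: one way to count the register transfers discussed above from a plain-text sniffer log. The log layout is a constructed sample in the style of a sniffusb text log, and treating the second payload byte as the register index is an assumption, not something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample in the style of a sniffusb text log (not a real capture).
SAMPLE_LOG = """\
[10 ms]  >>>  URB 1 going down  >>>
-- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
    00000000: 88 10 01
[12 ms]  >>>  URB 2 going down  >>>
-- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
    00000000: 80 10
[15 ms]  >>>  URB 3 going down  >>>
-- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
    00000000: 88 2a ff
[20 ms]  >>>  URB 4 going down  >>>
-- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
    00000000: 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
    00000010: 80 55
"""

URB_START = re.compile(r"^\[\d+ ms\]")
HEX_LINE = re.compile(r"^\s+[0-9a-fA-F]{8}:((?:\s[0-9a-fA-F]{2})+)\s*$")
REGISTER_OPCODES = {0x80, 0x88}  # from the message; which is get and which is set is not assumed

def urb_payloads(log_text):
    """Return one bytes object per URB, joining all of its hex-dump lines."""
    payloads = []
    for line in log_text.splitlines():
        if URB_START.match(line):
            payloads.append(bytearray())          # a new URB begins
        elif payloads and (m := HEX_LINE.match(line)):
            payloads[-1] += bytes.fromhex(m.group(1))
    return [bytes(p) for p in payloads if p]

def register_usage(log_text):
    """Count transfers per (opcode, register). Assumption: byte 1 is the register index."""
    usage = Counter()
    for payload in urb_payloads(log_text):
        if len(payload) >= 2 and payload[0] in REGISTER_OPCODES:
            usage[(payload[0], payload[1])] += 1
    return usage

def unique_registers(log_text):
    """Sorted register indices seen in any register transfer."""
    return sorted({reg for _, reg in register_usage(log_text)})

if __name__ == "__main__":
    for (op, reg), n in sorted(register_usage(SAMPLE_LOG).items()):
        print(f"opcode 0x{op:02x} register 0x{reg:02x}: {n} transfer(s)")
```

Hex-dump lines are joined per URB first, so the `80 55` that begins the second dump line of URB 4 is treated as bulk data and not as a register command. A count obtained this way covers only registers touched during the captured session.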