How read USB snoop (and use under Linux)

First, I am sorry for my bad english. I'm not english native speaker and explanation technical things is hard for me...

Warning

These informations are from my personal experience. They can be incorrectness and bad. These document describe only part of "controll layer" usb.

Create USB snoop

How to create USB Snoop in windows, you can read at: http://groups.google.com/group/microdia/web/usb-sniffing-on-windows

And under Linux: http://www.quietearth.us/articles/2006/10/16/USB-Snoop-in-linux and for read snoop (by user) you need any software, such as USBmon from Pete Zaitcev http://people.redhat.com/zaitcev/linux/usbmon.5.tar.gz

Snoop example

This example snoop is from SniffUsb 2.0.

[71828 ms] UsbSnoop - FilterDispatchAny(eb8fdfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL
[71828 ms] UsbSnoop - FdoHookDispatchInternalIoctl(eb8fe1ea) : fdo=89060de8, Irp=88ce3a68, IRQL=0
[71828 ms]  >>>  URB 7 going down  >>> 
-- URB_FUNCTION_VENDOR_DEVICE:
  TransferFlags          = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000004
  TransferBuffer       = 88e5d9f8
  TransferBufferMDL    = 00000000
    00000000: 13 13 81 02
  UrbLink                 = 00000000
  RequestTypeReservedBits = 00000000
  Request                 = 00000004
  Value                   = 00000019
  Index                   = 00000000
[71829 ms] UsbSnoop - MyInternalIOCTLCompletion(eb8fe126) : fido=00000000, Irp=88ce3a68, Context=88e8fe08, IRQL=2
[71829 ms]  <<<  URB 7 coming back  <<< 
-- URB_FUNCTION_CONTROL_TRANSFER:
  PipeHandle           = 8905c210
  TransferFlags        = 0000000a (USBD_TRANSFER_DIRECTION_OUT, USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000004
  TransferBuffer       = 88e5d9f8
  TransferBufferMDL    = 88c6fe30
  UrbLink              = 00000000
  SetupPacket          =
    00000000: 40 04 19 00 00 00 04 00
[71829 ms] UsbSnoop - FilterDispatchAny(eb8fdfd2) : IRP_MJ_INTERNAL_DEVICE_CONTROL
[71829 ms] UsbSnoop - FdoHookDispatchInternalIoctl(eb8fe1ea) : fdo=89060de8, Irp=88ce3a68, IRQL=01
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

Setup packet

Data form setup packet is on line 25. All values are in hexadecimal, little-endian.

Offset	Name	Width (in bytes)	Description
0	bmRequestType	1	Maps of bits characterize request. bit 7 - data direction 0 = Host-to-device 1 = Device-to-host bits <6:5> - type of request 0 = Standard 1 = Class 2 = Vendor 3 = reserved bits <4:0> - logical recipient of data 0 = device 1 = interface 2 = Endpoint 3 = other 4 to 31 = reserved
1	bRequest	1	request specification
2	wValue	2	Connotation depends on request.
4	wIndex	2	Connotation depends on request. Mostly index or offset.
6	wLength	2	Length data part of request (in bytes).

Use usb_control_msg in linux kernel (kernel module):

int usb_control_msg(struct usb_device * dev,  unsigned int pipe,
         __u8 request, __u8 requesttype, __u16 value, __u16 index,
         void * data,
         __u16 size, int timeout);

TransferBuffer

In example snoop are data from transfer buffer on line 9.

Write m560x register

"Skeleton" of transfer buffer for write register value is:

0x13, 0x00, 0x81, 0x00

13 14 81 02

Its write value 0x02 to register with address 0x14.

Setup packet for write m5602 register:

bmRequestType: 0x40
bRequest: 0x04
wValue: 0x0019
wIndex: 0x0000
wLength: 0x0004

(in example snoop "40 04 19 00 00 00 04 00")

Read m560x register

Setup packet for read m5602 register:

bmRequestType: 0xc0
bRequest: 0x04
wValue: 0x0014
wIndex: 0x8100 + register address to read
wLength: 0x0001

Write sensor register

Setup packet for write sensor register via m5602:

bmRequestType: 0x40
bRequest: 0x04
wValue: 0x0019
wIndex: 0x0000
wLength: 0x0018 or 0x001c

"Skeleton" of transfer buffer (if is transffered only one byte):

    0x23, 0x74, 0x81, 0x06,
    0x23, 0x62, 0x81, 0x80,
    0x13, M5602_XB_I2C_DEV_ADDR (0x6a), 0x81, S5K83A_I2C_SLAVE_WRITE_ADDRESS (0x5a),
    0x13, M5602_XB_I2C_REG_ADDR (0x6b), 0x81, 0x00 (sensor reg. addr.),
    0x13, M5602_XB_I2C_DATA (0x6c), 0x81, 0x00 (sensor first byte value),
    0x13, M5602_XB_I2C_CTRL (0x68), 0x81, 0x11

In green are values for m5602 and s5k83a sensor.

If is transffered two bytes:

    0x23, 0x74, 0x81, 0x06,
    0x23, 0x62, 0x81, 0x80,
    0x13, M5602_XB_I2C_DEV_ADDR (0x6a), 0x81, S5K83A_I2C_SLAVE_WRITE_ADDRESS (0x5a),
    0x13, M5602_XB_I2C_REG_ADDR (0x6b), 0x81, 0x00 (sensor reg. addr.),
    0x13, M5602_XB_I2C_DATA (0x6c), 0x81, 0x00 (sensor first byte value),
    0x13, M5602_XB_I2C_DATA (0x6c), 0x81, 0x00 (sensor second byte value),
    0x13, M5602_XB_I2C_CTRL (0x68), 0x81, 0x11

In snoop transffer buffer for write sensor register like this

    00000000: 23 74 81 06 23 62 81 80 13 6a 81 5a 13 6b 81 09
    00000010: 13 6c 81 88 13 68 81 11

or like this (for two bytes)

    00000000: 23 74 81 06 23 62 81 80 13 6a 81 5a 13 6b 81 14
    00000010: 13 6c 81 00 13 6c 81 20 13 68 81 12

(address is in red, values in green)