USB调试笔记
USB设备通过BUSHOUND抓包IRP被取消USTS状态为0xC0010000
2022-07-15
464
0
通过BUSHOUND抓包内容为:
16.0 CTL 80 06 00 02 00 00 20 00 GET DESCRIPTOR 336us
16.0 32 IN 09 02 20 00 01 01 00 80 e1 09 04 00 00 02 08 06 .. ............. 16ms
50 00 07 05 82 02 00 02 00 07 05 01 02 00 02 00 P...............
16.0 URB 88 00 08 00 00 00 00 00 78 a3 50 08 73 2b 00 00 CONTROL TRANSFER 3us
00 00 00 00 00 00 00 00 70 c9 67 01 8d d4 ff ff
0b 00 00 00 20 00 00 00 40 5a ec f4 8c d4 ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
02 00 00 00 01 00 00 00 b8 77 68 0c 8d d4 ff ff
b8 77 68 0c 8d d4 ff ff 88 13 fa ee 8c d4 ff ff
88 13 fa ee 8c d4 ff ff 00 00 00 00 00 00 00 00
80 06 00 02 00 00 20 00
16.1 URB 80 00 09 00 00 00 01 c0 78 a3 50 08 73 2b 00 00 BULK/INT XFER 18sc
00 00 00 00 00 00 00 00 20 ca 84 f2 8c d4 ff ff
00 00 00 00 00 00 00 00 58 f6 2c fe 8c d4 ff ff
20 95 f4 05 8d d4 ff ff 00 00 00 00 00 00 00 00
05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
16 RESET 57us
可以看到,当使用16.1端点进行数据传输的时候出错,然后设备RESET了。
通过分析16.1的URB,可以判官此为批量传输或者为中断传输(BULK_OR_INTERRUPT_TRANSFER),已知设备为U盘,所以肯定为批量传输,并且端点地址为1,所以发送的数据为U盘BOT的CBW命令。
使用本站的工具USB中断批量传输X64 URB数据在线分析:http://www.usbzh.com/tool/urb-bulk-or-interrupt.html 对该URB进行自动分析:
_URB_CONTROL_DESCRIPTOR_REQUEST
_URB_HEADER Hdr
USHORT Length 80 00
USHORT Function 09 00
USBD_STATUS Status 00 00 01 C0
PVOID UsbdDeviceHandle 78 A3 50 08 73 2B 00 00
ULONG UsbdFlags 00 00 00 00
ULONG reversed 00 00 00 00
PVOID Reserved 20 CA 84 F2 8C D4 FF FF
ULONG Reserved0 00 00 00 00
ULONG TransferBufferLength 00 00 00 00
PVOID TransferBuffer 58 F6 2C FE 8C D4 FF FF
PMDL TransferBufferMDL 20 95 F4 05 8D D4 FF FF
PVOID UrbLink 00 00 00 00 00 00 00 00
_URB_HCD_AREA hca
PVOID Reserved[8]
05 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
USHORT Reserved1 0NAN 0NAN
UCHAR Index 0NAN
UCHAR DescriptorType 0NAN
USHORT LanguageId 0NAN 0NAN
USHORT Reserved2 0NAN 0NAN
可以看到USBD_STATUS为0xC0010000,通过查询USTC表 http://www.usbzh.com/article/detail-645.html 可知为USBD_STATUS_CANCELED.原文内容为:
The USB stack reports this error whenever it completed a transfer because of an AbortPipe request from the client driver.
所以表示此IRP已经被取消了,取消的原因是因为端点abort了。
这通常发生在驱动程序发出URB_FUNCTION_ABORT_PIPE 或 URB_FUNCTION_RESET_PIPE 时,因为任何排队的 URB都被清除了。设备随后处于停止状态表明可能发生了意外复位或电源转换。
而后面的RESET表示设备复位RESET了。
HID人机交互QQ群:564808376
UAC音频QQ群:218581009
UVC相机QQ群:331552032
BOT&UASP大容量存储QQ群:258159197
STC-USB单片机QQ群:315457461
USB技术交流QQ群2:580684376
USB技术交流QQ群:952873936
