
#1 2016-09-10 08:33:26

benoliver999
Member
From: Sheffield
Registered: 2014-02-01
Posts: 38

Getting data off a USB device, and identifying what the binary is.

I have a device that records environmental data once a minute, and stores it in memory. You then plug it into Windows, load up custom software (and a driver), and pull the data off it. The software then allows you to save as CSV.

When you plug it into a Linux machine, it shows as 'MicroChip Technology Inc.', vendor ID 04d8, product ID 000c.

I want to write a driver for it, or just use libusb, or even pyusb to start with. However, first it'd be good to know what format the data comes in.

So I set up a Windows VM with the custom software and driver installed. Connected the device to the PC, then 'connected' it to the VM.

In the background I set up a Wireshark capture for the relevant USB bus.

Then in the VM I opened the software and pressed 'read data'. The data appeared in the software just fine. I closed it, and shut off the Wireshark capture.

Then I inspected the Wireshark packets. There is a 'GET DESCRIPTOR Request DEVICE' and a 'GET DESCRIPTOR Response DEVICE' packet, then the rest are all 'URB_BULK out' and 'URB_BULK in'.

The device runs once a minute, and I ran it for four minutes at the time. In Wireshark I can see there are four packets from the device to the host that have plenty of 'Leftover Capture Data', which I assume is the payload. It looks like it sends one packet per data point.

So I took one of those packets, selected 'leftover capture data' and looked at the hex dump:

00000000  00 5d 66 8f 00 01 00 03  85 03 85 00 65 00 01 10  |.]f.........e...|
00000010  09 08 0a 15 31 00 01 00  00 01 00 00 00 01 03 06  |....1...........|
00000020  07 08 00 00 02 00 1a 00  06 00 01 00 00 3f 00 00  |.............?..|
00000030  27 10 00 00 03 e8 00 00  00 64 00 00 00 0a 00 00  |'........d......|
00000040  00 01 00 00 00 00 00 01  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 02 50 87 00  00 38 31 00 00 09 36 00  |.....P...81...6.|
00000060  00 01 c2 00 00 00 ba 00  00 00 2d 00 00 00 00 00  |..........-.....|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0

Here's another one from another packet:

00000000  00 5d 66 8f 00 01 00 03  85 03 85 00 65 00 02 10  |.]f.........e...|
00000010  09 08 0a 16 31 00 01 00  00 01 00 00 00 01 03 06  |....1...........|
00000020  07 08 00 00 02 00 1a 00  06 00 01 00 00 3f 00 00  |.............?..|
00000030  27 10 00 00 03 e8 00 00  00 64 00 00 00 0a 00 00  |'........d......|
00000040  00 01 00 00 00 00 00 01  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 02 32 0a 00  00 35 c0 00 00 09 5f 00  |.....2...5...._.|
00000060  00 01 ea 00 00 00 e0 00  00 00 31 00 00 00 00 00  |..........1.....|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0

This is where I have hit a dead end. I cannot identify the file type at all. The closest thing I got to an answer was trid, which told me it was a MacBinary II file, but I used macutils and megatron with no luck, so I think it may be a false positive.

Just as an aside, to get this data into a binary I could run tests on, I selected 'leftover capture data' in wireshark, right-clicked, and clicked 'Export selected packet bytes'.

I am going into as much detail as I can because there may be something I am doing wrong, or some other techniques I could be using.

Is there another way I could go about ID-ing the file? Perhaps trying to do something on the Windows side? Is there anywhere else I should be looking at in Wireshark for clues? I'm thinking it is likely compressed, possibly encrypted (in which case I guess I am screwed unless I can get the key from the software).

Any help or advice would be appreciated, I feel like the only person who has tried anything with this machine! For those interested, it's an Airy P611.


#2 2016-09-10 08:45:23

frostschutz
Member
Registered: 2013-11-15
Posts: 1,418

Re: Getting data off a USB device, and identifying what the binary is.

Why do you expect there to be a file of known type?

It's common to just send some arbitrary data structure directly over the wire.

If you have software that interprets these data for you, and presents them in a readable fashion, you'll have to see if you can identify any of the values you received in that raw data and thus reverse-engineer the data structure.

You mention CSV, so you should compare your hexdump with the CSV you received and see if you find a match.


#3 2016-09-10 08:55:37

benoliver999
Member
From: Sheffield
Registered: 2014-02-01
Posts: 38

Re: Getting data off a USB device, and identifying what the binary is.

frostschutz wrote:

If you have software that interprets these data for you, and presents them in a readable fashion, you'll have to see if you can identify any of the values you received in that raw data and thus reverse-engineer the data structure.

You mention CSV, so you should compare your hexdump with the CSV you received and see if you find a match.

Will do, thank you! If I take enough readings I might be able to see a pattern.


#4 2016-09-10 20:47:58

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Getting data off a USB device, and identifying what the binary is.

I don't have much to add to what frostschutz said, but if you can, try to feed your device a known stimulus. It might help you figure out which part of the data is headers/footers, which part is what you really want, and how it might be encoded.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

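The comparison frostschutz suggests in #2 (match the raw bytes against numbers you already know) and R00KIE's known-stimulus idea in #4 come down to the same mechanical step: diff consecutive records, then scan every integer view of the bytes for the values you expect. The script below is an added example written for this thread; it is not code from the original posts, from Airy, or from the Windows software. It re-types the two 'Leftover Capture Data' dumps from the first post as constructed byte strings, lists the offsets that change between the two readings, and searches 8/16/32-bit views in both byte orders (with optional fixed-point scales) for a given sequence of per-record values. The six 32-bit big-endian numbers printed from offset 0x53 are only one view that happens to line up with the changing bytes; whether they are the readings is an assumption that the CSV comparison has to confirm or refute.

```python
"""Differential decode of two captured USB bulk payloads (added example).

Re-types the two dumps from the first post, reports which byte offsets differ
between the two records, and locates a known sequence of values (CSV numbers
or a stimulus you applied) as an integer field of some width, byte order and
fixed-point scale.
"""

# Constructed from the two hexdumps in the first post: the first 0x70 bytes of
# each payload. hexdump's '*' line marks the remainder (up to 0xc0) as zeros.
DUMP_A = """
00 5d 66 8f 00 01 00 03 85 03 85 00 65 00 01 10
09 08 0a 15 31 00 01 00 00 01 00 00 00 01 03 06
07 08 00 00 02 00 1a 00 06 00 01 00 00 3f 00 00
27 10 00 00 03 e8 00 00 00 64 00 00 00 0a 00 00
00 01 00 00 00 00 00 01 00 00 00 00 00 00 00 00
00 00 00 00 02 50 87 00 00 38 31 00 00 09 36 00
00 01 c2 00 00 00 ba 00 00 00 2d 00 00 00 00 00
"""
DUMP_B = """
00 5d 66 8f 00 01 00 03 85 03 85 00 65 00 02 10
09 08 0a 16 31 00 01 00 00 01 00 00 00 01 03 06
07 08 00 00 02 00 1a 00 06 00 01 00 00 3f 00 00
27 10 00 00 03 e8 00 00 00 64 00 00 00 0a 00 00
00 01 00 00 00 00 00 01 00 00 00 00 00 00 00 00
00 00 00 00 02 32 0a 00 00 35 c0 00 00 09 5f 00
00 01 ea 00 00 00 e0 00 00 00 31 00 00 00 00 00
"""
PAYLOAD_LEN = 0xC0  # size of each bulk IN payload in the capture


def from_dump(text):
    """Turn a whitespace-separated hex dump into the full 0xc0-byte payload."""
    return bytes.fromhex("".join(text.split())).ljust(PAYLOAD_LEN, b"\x00")


PACKET_A = from_dump(DUMP_A)
PACKET_B = from_dump(DUMP_B)


def diff_offsets(a, b):
    """Byte offsets at which two equal-length payloads differ."""
    if len(a) != len(b):
        raise ValueError("payloads differ in length: %d vs %d" % (len(a), len(b)))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def view(packet, offset, width, endian="big"):
    """Unsigned integer of `width` bytes at `offset` in the given byte order."""
    return int.from_bytes(packet[offset:offset + width], endian)


def changing_fields(packets, width, endian="big"):
    """offset -> per-packet values for every width-byte integer that is not
    identical in all packets; anything constant is header, not a reading."""
    n = min(len(p) for p in packets)
    fields = {}
    for off in range(n - width + 1):
        vals = [view(p, off, width, endian) for p in packets]
        if len(set(vals)) > 1:
            fields[off] = vals
    return fields


def locate(packets, observed, widths=(1, 2, 4), scales=(1, 10, 100, 1000)):
    """All (offset, width, endian, scale) at which the decoded integers equal
    `observed` (one value per packet, e.g. one CSV column) times `scale`.
    One-byte fields have no byte order, so they are reported once."""
    n = min(len(p) for p in packets)
    hits = []
    for scale in scales:
        target = [round(v * scale) for v in observed]
        for width in widths:
            for endian in ("big",) if width == 1 else ("big", "little"):
                for off in range(n - width + 1):
                    if [view(p, off, width, endian) for p in packets] == target:
                        hits.append((off, width, endian, scale))
    return sorted(hits)


if __name__ == "__main__":
    packets = [PACKET_A, PACKET_B]
    print("bytes that change between the two records:")
    for off, vals in sorted(changing_fields(packets, 1).items()):
        print("  0x%02x: %s" % (off, " -> ".join("%02x" % v for v in vals)))
    # Assumption, not established by the thread: the changing bytes from 0x53
    # onward line up as six 32-bit big-endian integers. Compare these against
    # the CSV columns to confirm or reject that reading.
    for off in range(0x53, 0x6B, 4):
        print("  u32be @0x%02x: %s" % (off, [view(p, off, 4) for p in packets]))
    # The byte at 0x0e steps 1 -> 2 between records, so [1, 2] demonstrates
    # how a known pair of per-record values is located.
    print("fields equal to [1, 2]:", locate(packets, [1, 2]))
```

To use this on your own capture, export each bulk IN packet's 'Leftover Capture Data' to a file as you already did, read the files into a list of byte strings in record order, and pass the matching column of the CSV export to `locate()`; a hit with scale 10 or 100 means the software divides the stored integer before displaying it. Searching for values that never change (a constant sensor reading) returns every constant header field as well, so a stimulus that moves the reading between records is far more informative than a steady one. One thing visible in the two dumps themselves: of the bytes at 0x10 to 0x15 (10 09 08 0a 15 31, decimal 16 9 8 10 21 49), only 0x13 changes between records, and it steps by one; if the CSV timestamps show the same step, that region is worth treating as the date and time, but that is a guess to be checked, not a result.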
