
Sunday, July 5, 2020

Refoss Smart Wi-Fi Garage Door Opener

I bought an "add-on" device last year that makes my garage door opener accessible via WiFi, and enables other automated processes, as part of my home automation project.  I bought it on Amazon: https://www.amazon.com/Refoss-Garage-Control-Compatible-Assistant/dp/B07PM59X4J/ref=cm_cr_arp_d_product_top?ie=UTF8&th=1

It had been working perfectly since I installed it last year, but a few days ago it stopped.  I thought it must be something with the networking, so I followed the procedure in the manual to set it up as a new device in eHomeLife on my iPhone, but with no luck.  The manual says that if the WiFi LED blinks rapidly, the device has been correctly set up to access our home network.  But I have not been able to connect my app to the device.

Curious to see what was going on, I logged on to my AP router and could see that the device had been assigned a valid IP address (192.168.1.55), and I could even ping it.  That's all. I then ran nmap against the device to see what ports were open.  I could only see the following:

nmap -O -sO 192.168.1.55
WARNING: Disabling OS Scan (-O) as it is incompatible with the IPProto Scan (-sO)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-05 21:44 Pacific Daylight Time
Nmap scan report for 192.168.1.55
Host is up (0.021s latency).
Not shown: 252 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
6        open          tcp
17       open          udp
41       open|filtered ipv6
MAC Address: 48:E1:E9:51:07:50 (Chengdu Meross Technology)

Actually, if I press the WiFi button for more than 5 seconds to put it into configuration mode, then connect to the SSID of the device (it temporarily becomes an "AP" device) and open a browser to access it (at IP address 10.10.10.1, because my phone was assigned 10.10.10.2), I can see a basic web interface to set up WiFi as well as to upgrade the firmware.

Googling for "Meross" or "Refoss" firmware turned up nothing.  The company's website also doesn't give any link or information about firmware upgrades.  Also, what's the difference between "Meross" and "Refoss"? Is Refoss a knock-off of Meross?  Both are Chinese companies.

Honestly, I am now tempted to develop a similar device myself, probably using an ESP32 (a Raspberry Pi is too much for such a thing, not to mention more power-hungry).

Thursday, January 17, 2013

Reverse Engineer USB protocol of Canon 4200F (part 1)

So far, there is no Linux driver support available for the Canon 4200F scanner, even with the latest and greatest kernel.  Blame Canon, which doesn't want to support the Linux community.

In the spirit of hacking, I am now trying to reverse-engineer the driver (which is only available for Windows, and probably iOS) so that I can write a bare-minimum Linux driver. I will try to post progress here, so you will see "part x" in the title.

First, do this:


mount -t debugfs none_debugs /sys/kernel/debug
modprobe usbmon


Then run:

lsusb

On my system, it reveals (partially copied here):
..

Bus 001 Device 004: ID 056a:0017 Wacom Co., Ltd Bamboo Fun 4x5
Bus 001 Device 005: ID 046d:08d7 Logitech, Inc. QuickCam Communicate STX
Bus 001 Device 006: ID 04a9:221b Canon, Inc. CanoScan 4200F
Bus 001 Device 007: ID 046d:c52b Logitech, Inc. Unifying Receiver
...

Or, with the class hierarchy:


root@HP-m9000t:~# lsusb -t
1-3.4:1.0: No such file or directory
1-3.7.3:1.0: No such file or directory
/:  Bus 08.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 07.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 06.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 05.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 04.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 03.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ehci_hcd/8p, 480M
    |__ Port 4: Dev 2, If 0, Class=hub, Driver=hub/4p, 480M
        |__ Port 1: Dev 4, If 0, Class=vend., Driver=mceusb, 1.5M
        |__ Port 1: Dev 4, If 1, Class=HID, Driver=usbhid, 1.5M
        |__ Port 2: Dev 5, If 0, Class=stor., Driver=usb-storage, 480M
    |__ Port 8: Dev 3, If 0, Class=hub, Driver=hub/2p, 480M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci_hcd/4p, 480M
    |__ Port 3: Dev 2, If 0, Class=hub, Driver=hub/7p, 480M
        |__ Port 1: Dev 3, If 0, Class=hub, Driver=hub/2p, 12M
            |__ Port 1: Dev 9, If 0, Class=HID, Driver=usbhid, 12M
            |__ Port 1: Dev 9, If 1, Class=HID, Driver=usbhid, 12M
            |__ Port 2: Dev 10, If 0, Class=audio, Driver=snd-usb-audio, 12M
            |__ Port 2: Dev 10, If 1, Class=audio, Driver=snd-usb-audio, 12M
            |__ Port 2: Dev 10, If 2, Class=audio, Driver=snd-usb-audio, 12M
        |__ Port 2: Dev 4, If 0, Class=HID, Driver=wacom, 12M
        |__ Port 3: Dev 5, If 0, Class=vend., Driver=gspca_zc3xx, 12M
        |__ Port 3: Dev 5, If 1, Class=audio, Driver=snd-usb-audio, 12M
        |__ Port 3: Dev 5, If 2, Class=audio, Driver=snd-usb-audio, 12M
        |__ Port 4: Dev 6, If 0, Class=vend., Driver=, 480M
        |__ Port 6: Dev 7, If 0, Class=HID, Driver=usbhid, 12M
        |__ Port 6: Dev 7, If 1, Class=HID, Driver=usbhid, 12M
        |__ Port 6: Dev 7, If 2, Class=HID, Driver=usbhid, 12M
        |__ Port 7: Dev 8, If 0, Class=hub, Driver=hub/4p, 12M
            |__ Port 2: Dev 11, If 0, Class=stor., Driver=usb-storage, 12M
            |__ Port 3: Dev 12, If 0, Class=vend., Driver=, 12M
            |__ Port 3: Dev 12, If 1, Class=vend., Driver=ftdi_sio, 12M
root@HP-m9000t:~# 

As can be seen above, there is no driver available for the scanner: Dev 6 on Bus 01 shows an empty Driver= field.



Then open the file /sys/kernel/debug/usb/devices with a text editor.  Search for "Canon" (or search by the vendor and product ID found above).


T:  Bus=01 Lev=02 Prnt=02 Port=03 Cnt=04 Dev#=  6 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs=  1
P:  Vendor=04a9 ProdID=221b Rev= 2.00
S:  Manufacturer=Canon
S:  Product=CanoScan
C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr= 10mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=03(Int.) MxPS=   1 Ivl=16ms

From the information above, we can see that the scanner uses three endpoints:

  • One OUT bulk endpoint
  • One IN bulk endpoint
  • One IN interrupt endpoint

From this we can tell that the PC uses the OUT bulk endpoint to send general control and normal data to the scanner, the IN bulk endpoint to receive the scanned/preview image from the scanner, and the IN interrupt endpoint to receive other interrupts (e.g., when any of the scanner's buttons is pressed).

How to use usbmon?

The captured data is exposed in /sys/kernel/debug/usb/usbmon/<file>, where <file> is "0u" to capture packets on all buses, or <bus#>u for a specific bus.  Where do we find the bus number? In the contents of the devices file above: the first line says "Bus=01", which means that to capture packets to and from the scanner we just need to cat the file "1u" (the detailed documentation for usbmon can be read here: http://lxr.linux.no/linux+v2.6.28.8/Documentation/usb/usbmon.txt).
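As an added example (not part of the original post), the following Python sketch parses the devices file format shown above, lists a device's endpoints, reports whether any driver is bound, and derives the usbmon file to read from the Bus= field. The scanner entry is copied from the listing above; the hub entry with VID:PID 1234:5678 and the function names are made up for illustration.

```python
import re

# Scanner entry copied from the page; the hub entry before it is constructed for contrast.
SAMPLE = """\
T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#=  2 Spd=480  MxCh= 7
P:  Vendor=1234 ProdID=5678 Rev= 1.00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=01 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS=   1 Ivl=256ms

T:  Bus=01 Lev=02 Prnt=02 Port=03 Cnt=04 Dev#=  6 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs=  1
P:  Vendor=04a9 ProdID=221b Rev= 2.00
S:  Manufacturer=Canon
S:  Product=CanoScan
C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr= 10mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=03(Int.) MxPS=   1 Ivl=16ms
"""

EP_RE = re.compile(
    r"E:\s+Ad=([0-9a-f]{2})\((\w)\) Atr=[0-9a-f]{2}\((\w+)\.?\) MxPS=\s*(\d+) Ivl=(\S+)")

def parse_devices(text):
    """Split the devices file into one record per 'T:' (topology) line."""
    devices, cur = [], None
    for line in text.splitlines():
        if line.startswith("T:"):
            bus, dev = re.search(r"Bus=(\d+).*Dev#=\s*(\d+)", line).groups()
            cur = {"bus": int(bus), "dev": int(dev), "drivers": [], "endpoints": []}
            devices.append(cur)
        elif cur and line.startswith("P:"):
            vid, pid = re.search(r"Vendor=([0-9a-f]{4}) ProdID=([0-9a-f]{4})", line).groups()
            cur["vid"], cur["pid"] = int(vid, 16), int(pid, 16)
        elif cur and line.startswith("I:"):
            cur["drivers"].append(line.rsplit("Driver=", 1)[1].strip())
        elif cur and (m := EP_RE.match(line)):
            addr, direction, kind, mps, ivl = m.groups()
            cur["endpoints"].append({"addr": int(addr, 16), "type": kind, "mps": int(mps),
                                     "dir": "IN" if direction == "I" else "OUT", "ivl": ivl})
    return devices

def capture_target(text, vid, pid):
    """Return (usbmon file, endpoints, driver bound?) for one VID:PID, or None."""
    for d in parse_devices(text):
        if (d.get("vid"), d.get("pid")) == (vid, pid):
            bound = any(name != "(none)" for name in d["drivers"])
            return f"/sys/kernel/debug/usb/usbmon/{d['bus']}u", d["endpoints"], bound
    return None
```

On a live system, pass the contents of /sys/kernel/debug/usb/devices instead of SAMPLE.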

An easier way is to use Wireshark (as root, because we need access to the USB devices).  Start a capture, let it run for some time, and stop it.  Apply the filter "usb.idVendor == 0x4a9 && usb.idProduct == 0x221b" or "usb.device_address == 6 && usb.bus_id==1".  In my case, I know the scanner is at address 6 on bus 1.  Save the captured data to a file (select the "Wireshark/tcpdump" format).

To read it:

tshark -r pcapfile -T fields -V -e usb.capdata

or

tshark -r pcapfile -x

For example:

root@HP-m9000t:~# tshark -P -r ./usbscanner1.pcap -x -V -R "usb.bus_id==1 && usb.device_address==6"

tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Frame 528: 64 bytes on wire (512 bits), 64 bytes captured (512 bits)
    WTAP_ENCAP: 115
    Arrival Time: Jan 17, 2013 22:29:25.703289000 PST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1358490565.703289000 seconds
    [Time delta from previous captured frame: 0.000025000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 2.030187000 seconds]
    Frame Number: 528
    Frame Length: 64 bytes (512 bits)
    Capture Length: 64 bytes (512 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: usb]
USB URB
    URB id: 0xffff88013280d240
    URB type: URB_SUBMIT ('S')
    URB transfer type: URB_CONTROL (0x02)
    Endpoint: 0x80, Direction: IN
        1... .... = Direction: IN (1)
        .000 0000 = Endpoint value: 0
    Device: 6
    URB bus id: 1
    Device setup request: relevant (0)
    Data: not present ('<')
    URB sec: 1358490565
    URB usec: 703289
    URB status: Operation now in progress (-EINPROGRESS) (-115)
    URB length [bytes]: 40
    Data length [bytes]: 0
URB setup
    bmRequestType: 0x80
        1... .... = Direction: Device-to-host
        .00. .... = Type: Standard (0x00)
        ...0 0000 = Recipient: Device (0x00)
    bRequest: GET DESCRIPTOR (6)
    Descriptor Index: 0x00
    bDescriptorType: DEVICE (1)
    Language Id: no language specified (0x0000)
    wLength: 40

0000  40 d2 80 32 01 88 ff ff 53 02 80 06 01 00 00 3c   @..2....S......<
0010  c5 eb f8 50 00 00 00 00 39 bb 0a 00 8d ff ff ff   ...P....9.......
0020  28 00 00 00 00 00 00 00 80 06 00 01 00 00 28 00   (.............(.
0030  00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00   ................

Frame 529: 82 bytes on wire (656 bits), 82 bytes captured (656 bits)
    WTAP_ENCAP: 115
    Arrival Time: Jan 17, 2013 22:29:25.704138000 PST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1358490565.704138000 seconds
    [Time delta from previous captured frame: 0.000849000 seconds]
    [Time delta from previous displayed frame: 0.000849000 seconds]
    [Time since reference or first frame: 2.031036000 seconds]
    Frame Number: 529
    Frame Length: 82 bytes (656 bits)
    Capture Length: 82 bytes (656 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: usb]
USB URB
    URB id: 0xffff88013280d240
    URB type: URB_COMPLETE ('C')
    URB transfer type: URB_CONTROL (0x02)
    Endpoint: 0x80, Direction: IN
        1... .... = Direction: IN (1)
        .000 0000 = Endpoint value: 0
    Device: 6
    URB bus id: 1
    Device setup request: not relevant ('-')
    Data: present (0)
    URB sec: 1358490565
    URB usec: 704138
    URB status: Success (0)
    URB length [bytes]: 18
    Data length [bytes]: 18
    [Request in: 528]
    [Time from request: 0.000849000 seconds]
    [bInterfaceClass: Unknown (0xffff)]
DEVICE DESCRIPTOR
    bLength: 18
    bDescriptorType: DEVICE (1)
    bcdUSB: 0x0200
    bDeviceClass: VENDOR_SPECIFIC (0xff)
    bDeviceSubClass: 255
    bDeviceProtocol: 255
    bMaxPacketSize0: 64
    idVendor: 0x04a9
    idProduct: 0x221b
    bcdDevice: 0x0200
    iManufacturer: 3
    iProduct: 4
    iSerialNumber: 0
    bNumConfigurations: 1

0000  40 d2 80 32 01 88 ff ff 43 02 80 06 01 00 2d 00   @..2....C.....-.
0010  c5 eb f8 50 00 00 00 00 8a be 0a 00 00 00 00 00   ...P............
0020  12 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00   ................
0030  00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00   ................
0040  12 01 00 02 ff ff ff 40 a9 04 1b 22 00 02 03 04   .......@..."....
0050  00 01                            

usb.capdata is one of the fields.  There are many other fields we can display; see the Wireshark documentation at http://www.wireshark.org/docs/dfref/u/usb.html for more detail.
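The two frames in the dump can also be decoded by hand. The following added example (not from the original post) unpacks the 64-byte usbmon header that precedes each payload, decodes the setup packet and the device descriptor, and pairs the completion with its submission by URB id. The frame bytes are copied from the hex dump above; the function names are illustrative and little-endian byte order is assumed.

```python
import struct

# Frames 528 and 529 copied from the tshark -x dump above (usbmon header + payload).
FRAME_528 = bytes.fromhex(
    "40d280320188ffff530280060100003c" "c5ebf8500000000039bb0a008dffffff"
    "28000000000000008006000100002800" "00000000000000000002000000000000")
FRAME_529 = bytes.fromhex(
    "40d280320188ffff4302800601002d00" "c5ebf850000000008abe0a0000000000"
    "12000000120000000000000000000000" "00000000000000000002000000000000"
    "12010002ffffff40a9041b2200020304" "0001")
# struct mon_bin_hdr; little-endian is an assumption (host order of an x86 capture box).
HDR = struct.Struct("<QBBBBHBBqiiII8siiII")
XFER = {0: "ISO", 1: "INTERRUPT", 2: "CONTROL", 3: "BULK"}
DESC_FIELDS = ("bLength bDescriptorType bcdUSB bDeviceClass bDeviceSubClass "
               "bDeviceProtocol bMaxPacketSize0 idVendor idProduct bcdDevice "
               "iManufacturer iProduct iSerialNumber bNumConfigurations").split()

def parse_urb(frame):
    """Decode one usbmon frame into header fields, setup packet and payload."""
    if len(frame) < HDR.size:
        raise ValueError("frame shorter than the 64-byte usbmon header")
    (urb_id, typ, xfer, ep, dev, bus, flag_setup, _fd, sec, usec,
     status, length, len_cap, setup, *_) = HDR.unpack_from(frame)
    payload = frame[HDR.size:HDR.size + len_cap]
    if len(payload) != len_cap:
        raise ValueError("payload truncated")
    urb = {"id": urb_id, "type": chr(typ), "xfer": XFER.get(xfer, xfer),
           "ep": ep & 0x0F, "dir": "IN" if ep & 0x80 else "OUT", "dev": dev,
           "bus": bus, "status": status, "length": length, "payload": payload}
    if flag_setup == 0:  # 0 means the 8 setup bytes are valid
        keys = ("bmRequestType", "bRequest", "wValue", "wIndex", "wLength")
        urb["setup"] = dict(zip(keys, struct.unpack("<BBHHH", setup)))
    return urb

def parse_device_descriptor(data):
    """Decode the 18-byte standard USB device descriptor."""
    if len(data) < 18 or data[0] != 18 or data[1] != 1:
        raise ValueError("not a device descriptor")
    return dict(zip(DESC_FIELDS, struct.unpack_from("<BBHBBBBHHHBBBB", data)))

def pair_urbs(frames):
    """Match each completion ('C') to its submission ('S') by URB id."""
    pending, pairs = {}, []
    for urb in map(parse_urb, frames):
        if urb["type"] == "S":
            pending[urb["id"]] = urb
        elif urb["id"] in pending:
            pairs.append((pending.pop(urb["id"]), urb))
    return pairs
```

The same pairing by URB id applies to the vendor-specific bulk transfers once the Windows driver traffic is captured, which is where the request/response structure of the scanner protocol will show up.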

Because the data collected above still gives no clue (beyond showing that the host queried the scanner and the scanner responded), I will try again on Windows, where the original driver is installed.

(to be continued...)