PORTS Forum
Ports and Interfaces => USB => Topic started by: ulao on January 18, 2019, 09:40:24 pm
-
I'm sniffing a usb 2.0 device and I see endpoint 2 showing this. I though a pid0 was required but it is only sending pid1 data. Though I'm used to looking at control data, maybe this is different.
To catch this packet do I just watch on endpoint2 for interface | class
bmRequestType == 0x11?
for example
/* Handle HID Class specific requests */
if (USB_ControlRequest.bmRequestType == (REQDIR_DEVICETOHOST | REQTYPE_CLASS | REQREC_INTERFACE))
{
//do something
}
-
It's very rare that endpoint 2 is configured for control transfers because there is no advantage to having multiple control endpoints.
-
Sure but I can't really question what its doing and why, it just is.
From the best I can tell the default end point is not used (other then the report for the button data ). Endpoint 1 is in, and 2 is out. This is what enpoint 1 looks like (81) its an in.
Now this is a device for a game console so the rules may be different but it does also work on a PC (does not use either endpoints 1 or 2). So my mission here is to mimic the endpoint point out. I have cloned this controller 1:1 as far as the descriptors go but thus far I do not understand the endpoint method for 1 and 2. I'm wondering is they are even control data?
Connection Status Device connected
Current Configuration 1
Speed Full (12 Mbit/s)
Device Address 2
Number Of Open Pipes 2
Device Descriptor Bridge - Wii
Offset Field Size Value Description
0 bLength 1 12h
1 bDescriptorType 1 01h Device
2 bcdUSB 2 0110h USB Spec 1.1
4 bDeviceClass 1 00h Class info in Ifc Descriptors
5 bDeviceSubClass 1 00h
6 bDeviceProtocol 1 00h
7 bMaxPacketSize0 1 40h 64 bytes
8 idVendor 2 0F0Dh Hori Co., Ltd
10 idProduct 2 00C1h
12 bcdDevice 2 0572h 5.72
14 iManufacturer 1 01h "Bliss-Box"
15 iProduct 1 02h "Bridge - Wii"
16 iSerialNumber 1 00h
17 bNumConfigurations 1 01h
Configuration Descriptor 1 Bus Powered, 500 mA
Offset Field Size Value Description
0 bLength 1 09h
1 bDescriptorType 1 02h Configuration
2 wTotalLength 2 0029h
4 bNumInterfaces 1 01h
5 bConfigurationValue 1 01h
6 iConfiguration 1 00h
7 bmAttributes 1 80h Bus Powered
4..0: Reserved ...00000
5: Remote Wakeup ..0..... No
6: Self Powered .0...... No, Bus Powered
7: Reserved (set to one)
(bus-powered for 1.0) 1.......
8 bMaxPower 1 FAh 500 mA
Interface Descriptor 0/0 HID, 2 Endpoints
Offset Field Size Value Description
0 bLength 1 09h
1 bDescriptorType 1 04h Interface
2 bInterfaceNumber 1 00h
3 bAlternateSetting 1 00h
4 bNumEndpoints 1 02h
5 bInterfaceClass 1 03h HID
6 bInterfaceSubClass 1 00h
7 bInterfaceProtocol 1 00h
8 iInterface 1 00h
HID Descriptor
Offset Field Size Value Description
0 bLength 1 09h
1 bDescriptorType 1 21h HID
2 bcdHID 2 0111h 1.11
4 bCountryCode 1 00h
5 bNumDescriptors 1 01h
6 bDescriptorType 1 22h Report
7 wDescriptorLength 2 0050h 80 bytes
Endpoint Descriptor 02 2 Out, Interrupt, 5 ms
Offset Field Size Value Description
0 bLength 1 07h
1 bDescriptorType 1 05h Endpoint
2 bEndpointAddress 1 02h 2 Out
3 bmAttributes 1 03h Interrupt
1..0: Transfer Type ......11 Interrupt
7..2: Reserved 000000..
4 wMaxPacketSize 2 0040h 64 bytes
6 bInterval 1 05h 5 ms
Endpoint Descriptor 81 1 In, Interrupt, 5 ms
Offset Field Size Value Description
0 bLength 1 07h
1 bDescriptorType 1 05h Endpoint
2 bEndpointAddress 1 81h 1 In
3 bmAttributes 1 03h Interrupt
1..0: Transfer Type ......11 Interrupt
7..2: Reserved 000000..
4 wMaxPacketSize 2 0040h 64 bytes
6 bInterval 1 05h 5 ms
-
Endpoints 1 and 2 are interrupt endpoints.
-
But I'm still confused on these points? If you share the confusion let me know if not let me know where I fall short of understanding.
1) I though a pid0 was required
2) If all I see is pid1 can I even catch that in my device (bmRequestType == 0x11?)?
3) In most implementation of USB for the device you catch incoming data with the control in. In this case its endpoint 2 with an address of 3. Will I need to work some sorcery with LUFA to get this to work. Not sure how much (if any) experience you have with LUFA.
4) I don't even think the descriptor allows this?
Endpoint Descriptor 02 2 Out, Interrupt, 5 ms
...
2 bEndpointAddress 1 02h 2 Out
I tried to change the address to 3 #define JOYSTICK_OUT_EPADDR (ENDPOINT_DIR_OUT | 3) but the endpoint also goes to 3.
Endpoint Descriptor 03 2 Out, Interrupt, 5 ms
...
2 bEndpointAddress 1 03h 3 Out
So I'm not even sure how you do that.
Or am I misunderstanding how this works, does the host assign any address it wants to the enpoint?
-
In the descriptors you posted, it looks like endpoint 2 is an interrupt OUT endpoint and endpoint 1 is an interrrupt IN endpoint.
2 bEndpointAddress 1 02h 2 Out
3 bmAttributes 1 03h Interrupt
2 bEndpointAddress 1 81h 1 In
3 bmAttributes 1 03h Interrupt
The hardware usually manages the pids.
bmRequestType is only for control transfers.
-
Ah!, sorry very good then, I need to set up for interrupts transfers. Don't see how to do that with LUFA but I'll keep searching.