Done so far,
I've used http://benoit.papillault.free.fr/usbsnoop/
in Windows to snoop the traffic during initialization.
Then I used parser.pl and usbreplay.c from here,
http://linuxtv.org/hg/~mrechberger/v4l-dvb?mf=166769593...em2880/;style=gitweb
to replay the traffic in Linux.
Then I found this link, look here for more details,
http://www.linuxtv.org/v4lwiki/index.php/USBVideo#USB_replay
Using a slightly modified log2bin.pl
(if($_=~/-- URB_FUNCTION_VENDOR_DEVICE:/i){ instead of if($_=~/-- URB_FUNCTION_ISOCH_TRANSFER:/i){)
I've ended up with some binary files and am trying to
knit it all together; below are hexdumps of the binary files.
Head of file
Snooped data
0000000 0101 1502 c28a 00b7 0000 b6d2 0000 d200
0000010 00b7 0000 0222 220a 1a12 e504 240d 60fa
0000020 140e 0660 0724 f370 22d3 f5e4 d30d e422
0000030 0df5 22d3 0232 4600 0100 0202 0303 0404
0000040 0505 22d3 0232 0011 d853 32ef 0232 700d
Guessed from Windows driver
000a7c0 6568 6c6c 776f 726f 646c 0000 2000 0000
000a7d0 1502 c28a 00b7 0000 b6d2 0000 d200 00b7 <--- first firmware line ?
000a7e0 0000 0222 220a 1a12 e504 240d 60fa 140e
000a7f0 0660 0724 f370 22d3 f5e4 d30d e422 0df5
000a800 22d3 0232 4600 0100 0202 0303 0404 0505
000a810 22d3 0232 0011 d853 32ef 0232 700d 22d3
Original Linux firmware
0000000 0010 0000 1402 c230 00b7 0000 b6d2 0000
0000010 d200 00b7 1000 0010 0000 2200 0f02 1226
0000020 ee18 0de5 fa24 0e60 0014 2010 0000 0660
0000030 0724 f370 22d3 f5e4 d30d e422 0df5 1000
0000040 0030 d300 3222 0002 0046 0201 0302 0403
------------------------------------------------
Tail of file
Snooped data, guessed end.
0001d70 18f5 22d3 f5e4 d20d d2e9 22af 22d3 22d3
0001d80 22d3 3232 3232 3232 3232 3232 3232 3232
0001d90 3232 3232 3232 3232 3232 3232 3232 3232
0001da0 3232 aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0001db0 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa <--- this is probably the last firmware line.
*
0002000 aaaa 0000 0106 894b 0044 0046 7900 8964
0002010 78d0 8964 7960 bad0 1021 3858 f72f 8041
Guessed Windows driver end of firmware.
000c530 22d3 e690 e0ba 19f5 22d3 e690 e0ba 18f5
000c540 22d3 f5e4 d20d d2e9 22af 22d3 22d3 22d3
000c550 3232 3232 3232 3232 3232 3232 3232 3232
*
000c570 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
*
000c7d0 4cc4 e564 17a1 4eed 90bd fd74 d6a1 2354
*
000c7f0 f6d6 0000 0013 0000 ced6 0000 0002 0000
Original Linux firmware
0002590 0032 a010 001c 3232 3232 3232 3232 3232
00025a0 aaaa aaaa aaaa 1000 1cb0 aa00 aaaa aaaa
00025b0 aaaa aaaa aaaa aaaa aaaa 00aa c010 001c
and quite a few similar lines like it until
00029f0 aaaa aaaa aaaa aaaa aaaa aaaa aaaa 00aa
0002a00
Current problems,
Start of firmware: does the Linux driver add anything to the firmware?
A usbmon trace of the original firmware being loaded, or a usbsnoop trace from the old driver, would be helpful; I will try usbsnooping
with the old driver (with the original Linux firmware).
End of file.
The size of the original firmware is 11K, my estimate is 8K; why less code for more hardware versions?
Note that the hexdumps above are byte-reversed: 02 15 is shown as 15 02.
I've replayed the sniffed transactions and the stick goes "green".
The offset to extract from the Windows sys file is 42960 and the size 8192.
I've tried both with and without the additional 01 01 that precedes and follows the firmware in the transaction log.
Currently I'm stuck =(
to be continued....
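The carving steps the post walks through (the byte-swapped word dumps, the 01 01 framing around the snooped transfer, locating the blob inside the .sys image and the 0xaa padding run that ends it), as an added example that is not part of the original post nor of usbsnoop, log2bin.pl or the v4l-dvb tree. The dump parser assumes hexdump(1) default output, which is what the 7-digit hex offsets, little-endian words and `*` repeat markers above look like; the driver image it searches is a constructed stand-in assembled from the dumped lines, so the offset and size it returns are those of the stand-in, not the 42960/8192 of the real file.

```python
"""
Carving helpers for the em2880 firmware hunt described above.

Added example, not the poster's code.  Assumptions not taken from the post:
hexdump(1) default output format for the dumps, and a constructed stand-in
for the Windows .sys image (the real file is not available here).
"""
import re

# hexdump default: 7-digit hex offset, then up to eight 16-bit LE words
_DUMP_LINE = re.compile(r"^([0-9a-fA-F]{7})((?:\s+[0-9a-fA-F]{4})*)\s*$")


def od_words_to_bytes(dump):
    """Turn hexdump-style word output back into raw bytes.

    Each word is shown little-endian (the post's "02 15 is 15 02"), so it is
    swapped back here.  A `*` line means "previous line repeats" until the
    next offset; a trailing offset-only line (e.g. 0002a00) marks the end.
    Feed one dump at a time: different dumps have different base offsets.
    """
    out = bytearray()
    base = None
    prev_line = b""
    repeating = False
    for raw in dump.splitlines():
        line = raw.split("<---")[0].strip()   # drop inline annotations
        if not line:
            continue
        if line == "*":
            repeating = True
            continue
        m = _DUMP_LINE.match(line)
        if not m:
            continue                           # prose between dump blocks
        offset = int(m.group(1), 16)
        if base is None:
            base = offset
        if repeating:
            # fill the gap up to this offset with copies of the previous line
            while prev_line and base + len(out) < offset:
                out += prev_line
            repeating = False
        words = m.group(2).split()
        prev_line = b"".join(int(w, 16).to_bytes(2, "little") for w in words)
        out += prev_line
    return bytes(out)


def strip_framing(data, marker=b"\x01\x01"):
    """Remove the 01 01 the transaction log shows before/after the firmware."""
    if data.startswith(marker):
        data = data[len(marker):]
    if data.endswith(marker):
        data = data[:-len(marker)]
    return data


def find_firmware(image, head, pad=b"\xaa", min_pad=16):
    """Locate a blob in `image`: it starts where `head` (the first bytes seen
    on the wire) appears and runs through the 0xaa padding that follows the
    code.  Returns (offset, size) or None."""
    start = image.find(head)
    if start < 0:
        return None
    run = image.find(pad * min_pad, start + len(head))
    if run < 0:
        return None
    end = run
    while end < len(image) and image[end:end + 1] == pad:
        end += 1
    return start, end - start


# First two lines of the snooped dump, copied from the post.
SNOOPED_HEAD = """\
0000000 0101 1502 c28a 00b7 0000 b6d2 0000 d200
0000010 00b7 0000 0222 220a 1a12 e504 240d 60fa
"""


def demo():
    """Carve the blob out of a constructed stand-in for the .sys image."""
    head = strip_framing(od_words_to_bytes(SNOOPED_HEAD))
    # Constructed image: filler, the "helloworld" string the dump shows just
    # before the blob, the snooped head, some 8051-looking filler, 0xaa
    # padding, and a non-padding trailer.  Not the real driver layout.
    image = (b"\x00" * 256
             + b"helloworld\x00\x00\x00\x20\x00\x00"
             + head + b"\x22\xd3" * 40
             + b"\xaa" * 48
             + b"\xf6\xd6\x00\x00")
    return find_firmware(image, head)


if __name__ == "__main__":
    print("offset, size =", demo())
```

Against the real .sys file the same search is what the post did by eye: look for the 02 15 8a c2 b7 00 head that follows "helloworld", then extend to the end of the aa-aa run. Whether the 0xaa region is part of the image the device needs, or just padding the Windows driver never sends, is one of the open questions the post raises, so treat the returned size as an upper bound rather than an answer.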