[fprint] Advice on reversing and supporting a new fingerprint reader

Jaša Bartelj jasa.bartelj at gmail.com
Sun Aug 17 21:48:27 PDT 2014 

Hi!

I'm working on a student project where we are using SBCs (think
Raspberry Pi) with various devices. My assignment are fingerprint
readers and one of those is an Anviz U-Bio, formerly apparently also
known as OA99 (http://former.anviz.com/en/products/view.html?id=15).

The unit is a desktop device with a USB interface. The optical sensor
within is called AFOS307, judging by their website it is also used in
many other of their devices. The SOC inside is STM32F105 R8T6
(http://www.st.com/web/catalog/mmc/FM141/SC1169/SS1031/LN1564/PF221021).

Here's the Linux kernel messages at attachment:
[415414.469030] usb 6-1: new full-speed USB device number 6 using uhci_hcd
[415414.843056] usb 6-1: New USB device found, idVendor=0483, idProduct=5720
[415414.843062] usb 6-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[415414.843066] usb 6-1: Product: Mass Storage in FS Mode
[415414.843069] usb 6-1: Manufacturer: STMicroelectronics
[415414.843072] usb 6-1: SerialNumber: 00000000001B
[415414.852106] usb-storage 6-1:1.0: USB Mass Storage device detected
[415414.852407] scsi16 : usb-storage 6-1:1.0
[415415.859110] scsi 16:0:0:0: CD-ROM            ANVIZ    Smart
    1.00 PQ: 0 ANSI: 0 CCS
[415415.864082] sr1: scsi3-mmc drive: 0x/0x caddy
[415415.864577] sr 16:0:0:0: Attached scsi CD-ROM sr1
[415415.864819] sr 16:0:0:0: Attached scsi generic sg5 type 5

At first I had quite a bit of problems getting the reader to work with
their software but in the end found a Windows desktop application
which displayed an image. With USB capture I identified that the
device:
* class is 0x08 (USB Mass Storage),
* subclass is 0x06 (SCSI transparent command set) and
* the protocol is 0x50 (Bulk-Only Transport (BBB))
The SCSI INQUIRY returns a SCSI Device Type 0x05. This is common for
CD-ROM Devices, and these use SCSI MMC commands.

Here's the SCSI command reading loop that returns an image (numbers in hex):
86000000000800020000    # 1) host sends SCSI CDB 0x86 Access Control In
    f6002400000125f6    #    SCSI Payload (8 B Request Data for CDB 0x86)
                        #    device returns SCSI Status Good 0x00 for
SCSI CDB 0x86
85000000000800020000    # 2) host sends SCSI CDB 0x85
    f6002494005eeef6    #    SCSI Payload (8 B Response Data for CDB 0x85)
                        #    device returns SCSI Status Good 0x00 for
SCSI CDB 0x86
85000000940100020000    # 3) host sends SCSI CDB 0x85
    [ 37889 B ]         #    SCSI Payload (37889 B Response Data for CDB 0x85)
                        #    device returns SCSI Status Good 0x00 for
SCSI CDB 0x86
85000000940200020000    # 4) host sends SCSI CDB 0x85
    [ 37890 B ]         #    SCSI Payload (37890 B Response Data for CDB 0x85)
                        #    device returns SCSI Status Good 0x00 for
SCSI CDB 0x86

The returned payload always has the first byte set to 0xF6, the rest
is image data, a 256x296 matrix of uint8.

Here are my questions:
1) Do you have any advice on how to figure out the meaning of the
neaning of the SCSI Payload of the first command? I have tried
analyzing the library the desktop app uses for access in IDA Pro Free
but I haven't gotten far yet.
2) My prototype reader script uses sg3_utils. For adding support to
libfprint I would ideally need a SCSI library to communicate with the
device. The only suitable seems to be the abandoned libusal
(http://web.archive.org/web/20140714024716/http://www.cdrkit.org/). Is
it possible to add a dependency to libfprint or should I support the
device with only libsusb?

Thanks for your response, other advice is also welcome!

Jaša

More information about the fprint mailing list