[fprint] Writing a driver for 138a:003c (VFS471)

Patrick Boettcher patrick.boettcher at posteo.de
Tue Oct 14 01:29:14 PDT 2014


Hi,

On Mon, 13 Oct 2014 22:21:27 +0300 Vasily Khoruzhick
<anarsoul at gmail.com> wrote:

> On Mon, Oct 13, 2014 at 9:31 PM, Jonathan Daniel
> <jonathandaniel at email.com> wrote:
> > Hello,
> 
> Hi Jonathan,
> 
> Firstly, please don't use HTML formatting in your messages to mail
> list.
> 
> > I have started the journey to write a driver for this device
> > (138a:003c), I own this device, it's
> > built in to the HP Elitebook 8560w. From what I've gathered I need
> > to sniff the USB data

I have exactly the same device.

> > from a working driver and send/receive the right data at the right
> > moment with libusb.
> >
> > So I'm currently dumping all the traffic, and when I scan a finger,
> > I get ~84059 bytes from
> > the device back to the host, sometimes twice or thrice. There is
> > more data sent and received,
> > but this is the biggest bulk, so I'm thinking this is the image
> > itself. Is that a solid assumption,
> > or could it be that the device sends something else this large? Also,
> > how can I check if it's true? Is there
> > a way to transform the bytes into an image just to see if it's
> > right? How can I make sure it's not encrypted,
> > and if it's encrypted, what are my options?
> 
> Take a look at those bytes, it's very likely that the sensor is 8bpp or
> even 4bpp, so image pixels should contain similar values (at least at
> the beginning and at the end of the image). If they look like random
> data, then it's very likely that the protocol is protected with encryption.
> 
> There could be 2 options: the whole protocol is encrypted or only the
> image payload is encrypted.

In 2012 I spent some days looking at USB frames sent from within a
VirtualBox using the Windows drivers, captured with usbmon.
Unfortunately I ran out of time and never finished anything.

> If the image is encrypted, you should analyze the traffic and figure out
> (with a lot of tries :)) which command enables encryption. Usually, I
> omit a single transfer and then just capture the traffic again to
> see if there are differences.

From what I saw:

1) There are clear messages to and from the device - config stuff I
assume.

2) I saw big chunks of data coming from the device (something around
64KB, maybe more (the 84059 Jonathan reports?)) which I assumed are the
actual fingerprint bitmaps. Looking (with Wireshark) at these bits, it
seems unencrypted in the beginning and encrypted later on, as it
changes to random bytes.

3) Astonishing to me is that the host is sending, from time to time,
big chunks (6K or 2K) of data to the device. Inside there are sections of
0xff sequences and random data.

Please keep the list informed about any progress, I'm willing to help
and test.

regards,
--
Patrick.
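The check Vasily describes (do the bytes of the big transfer look like neighbouring 8bpp pixels, or like random data?) and the "turn the bytes into an image" question from Jonathan can both be automated. The following is an added example written for this page, not code from the thread or from libfprint: it scores a captured payload by byte entropy and by how often adjacent bytes are close in value, scans the buffer window by window so a transfer that starts in the clear and turns random part-way through shows up, lists plausible image widths that divide the payload length, and emits a PGM for eyeballing. The thresholds, the window size and the two sample buffers are assumptions constructed here; no real VFS471 traffic is included.

```python
"""Triage of a captured USB bulk transfer: raw greyscale pixels or ciphertext?

A real 8bpp image is smooth, so adjacent bytes are usually close in value and
the byte histogram is far from flat.  Ciphertext is the opposite: near 8 bits
of entropy per byte and adjacent values that are unrelated.  (For a 4bpp
sensor, unpack the nibbles to one byte each before running these checks.)

The sample buffers at the bottom are constructed, not captured from a sensor.
"""
import math
import random
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0.  Encrypted or compressed data sits near 8.
    Note that short buffers (a few hundred bytes) deflate the estimate."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def neighbour_similarity(buf: bytes, max_delta: int = 16) -> float:
    """Fraction of adjacent byte pairs that differ by at most max_delta.
    High (> 0.6) for smooth image rows; for uniformly random bytes it is
    about (2*max_delta + 1) / 256, i.e. roughly 0.13."""
    if len(buf) < 2:
        return 0.0
    close = sum(1 for a, b in zip(buf, buf[1:]) if abs(a - b) <= max_delta)
    return close / (len(buf) - 1)


def classify(buf: bytes) -> str:
    """Coarse verdict for one buffer.  Thresholds are assumptions tuned for
    8bpp data; adjust them against your own captures."""
    ent, sim = shannon_entropy(buf), neighbour_similarity(buf)
    if ent > 7.8 and sim < 0.25:
        return "random/encrypted"
    if sim > 0.6:
        return "image-like"
    return "undetermined"


def windowed_verdicts(buf: bytes, window: int = 8192) -> list:
    """Classify window by window, to spot a transfer that is clear at the
    start and turns into random bytes later on."""
    return [classify(buf[i:i + window]) for i in range(0, len(buf), window)]


def candidate_widths(length: int, lo: int = 64, hi: int = 1024) -> list:
    """Divisors of the payload length inside a plausible sensor-width range.
    An empty list hints that a header or trailer is mixed in with the pixels,
    so try trimming a few bytes from either end before guessing again."""
    return [w for w in range(lo, hi + 1) if length % w == 0]


def pgm_bytes(buf: bytes, width: int) -> bytes:
    """Wrap the buffer as a binary PGM (P5) with the guessed width so it can
    be opened in any image viewer; trailing partial rows are dropped."""
    rows = len(buf) // width
    return b"P5\n%d %d\n255\n" % (width, rows) + buf[:rows * width]


# ---- constructed sample data (not real sensor traffic) --------------------
def make_fake_fingerprint(width: int = 128, height: int = 128) -> bytes:
    """Synthetic ridge pattern: slow sinusoidal stripes plus a little noise."""
    rng = random.Random(1)
    out = bytearray()
    for y in range(height):
        for x in range(width):
            v = 128 + 100 * math.sin((x + 0.3 * y) / 12.0)
            out.append(max(0, min(255, int(v) + rng.randint(-3, 3))))
    return bytes(out)


def make_fake_ciphertext(n: int = 128 * 128) -> bytes:
    """Stand-in for an encrypted payload: seeded uniform random bytes."""
    rng = random.Random(2)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    for name, buf in (("image ", make_fake_fingerprint()),
                      ("cipher", make_fake_ciphertext())):
        print(name, round(shannon_entropy(buf), 3),
              round(neighbour_similarity(buf), 3), classify(buf))
    mixed = make_fake_fingerprint() + make_fake_ciphertext()
    print("windowed:", windowed_verdicts(mixed))
    print("widths dividing 84059 bytes:", candidate_widths(84059))
    with open("capture_guess.pgm", "wb") as f:
        f.write(pgm_bytes(make_fake_fingerprint(), 128))
```

To use it on a real capture, feed the payload of one bulk-in transfer (exported from Wireshark or usbmon) to `windowed_verdicts` and `candidate_widths`, then write a PGM for each candidate width and look for the one where ridges line up instead of shearing. An `[]` from `candidate_widths` is itself informative: the pixel area then does not account for the whole transfer, so something else (a header, a status trailer) is packed alongside it.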


