Thursday, January 17, 2013

Reverse Engineer USB protocol of Canon 4200F (part 1)

So far, there is no Linux driver support available for the Canon 4200F scanner, even with the latest and greatest kernel. Blame Canon, who doesn't want to support the Linux community.

In the spirit of hacking, I am now trying to reverse-engineer the driver (which is only available for Windows, and probably iOS) so that I can write a bare-minimum Linux driver for it. I will try to post progress here, so you will see "part x" in the title.

First, do this:


mount -t debugfs none_debugs /sys/kernel/debug
modprobe usbmon


Then run:

lsusb

On my system, it reveals (partially copied here):
...

Bus 001 Device 004: ID 056a:0017 Wacom Co., Ltd Bamboo Fun 4x5
Bus 001 Device 005: ID 046d:08d7 Logitech, Inc. QuickCam Communicate STX
Bus 001 Device 006: ID 04a9:221b Canon, Inc. CanoScan 4200F
Bus 001 Device 007: ID 046d:c52b Logitech, Inc. Unifying Receiver
...

Or, with the class hierarchy:


root@HP-m9000t:~# lsusb -t
1-3.4:1.0: No such file or directory
1-3.7.3:1.0: No such file or directory
/:  Bus 08.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 07.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 06.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 05.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 04.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 03.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ehci_hcd/8p, 480M
    |__ Port 4: Dev 2, If 0, Class=hub, Driver=hub/4p, 480M
        |__ Port 1: Dev 4, If 0, Class=vend., Driver=mceusb, 1.5M
        |__ Port 1: Dev 4, If 1, Class=HID, Driver=usbhid, 1.5M
        |__ Port 2: Dev 5, If 0, Class=stor., Driver=usb-storage, 480M
    |__ Port 8: Dev 3, If 0, Class=hub, Driver=hub/2p, 480M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci_hcd/4p, 480M
    |__ Port 3: Dev 2, If 0, Class=hub, Driver=hub/7p, 480M
        |__ Port 1: Dev 3, If 0, Class=hub, Driver=hub/2p, 12M
            |__ Port 1: Dev 9, If 0, Class=HID, Driver=usbhid, 12M
            |__ Port 1: Dev 9, If 1, Class=HID, Driver=usbhid, 12M
            |__ Port 2: Dev 10, If 0, Class=audio, Driver=snd-usb-audio, 12M
            |__ Port 2: Dev 10, If 1, Class=audio, Driver=snd-usb-audio, 12M
            |__ Port 2: Dev 10, If 2, Class=audio, Driver=snd-usb-audio, 12M
        |__ Port 2: Dev 4, If 0, Class=HID, Driver=wacom, 12M
        |__ Port 3: Dev 5, If 0, Class=vend., Driver=gspca_zc3xx, 12M
        |__ Port 3: Dev 5, If 1, Class=audio, Driver=snd-usb-audio, 12M
        |__ Port 3: Dev 5, If 2, Class=audio, Driver=snd-usb-audio, 12M
        |__ Port 4: Dev 6, If 0, Class=vend., Driver=, 480M
        |__ Port 6: Dev 7, If 0, Class=HID, Driver=usbhid, 12M
        |__ Port 6: Dev 7, If 1, Class=HID, Driver=usbhid, 12M
        |__ Port 6: Dev 7, If 2, Class=HID, Driver=usbhid, 12M
        |__ Port 7: Dev 8, If 0, Class=hub, Driver=hub/4p, 12M
            |__ Port 2: Dev 11, If 0, Class=stor., Driver=usb-storage, 12M
            |__ Port 3: Dev 12, If 0, Class=vend., Driver=, 12M
            |__ Port 3: Dev 12, If 1, Class=vend., Driver=ftdi_sio, 12M
root@HP-m9000t:~# 

As can be seen above (Bus 01, Port 4: Dev 6, Class=vend., with an empty Driver= field), there is no driver available for the scanner.



Then open the file /sys/kernel/debug/usb/devices in a text editor and search for "Canon" (or search by the vendor and product ID found above).


T:  Bus=01 Lev=02 Prnt=02 Port=03 Cnt=04 Dev#=  6 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs=  1
P:  Vendor=04a9 ProdID=221b Rev= 2.00
S:  Manufacturer=Canon
S:  Product=CanoScan
C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr= 10mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=03(Int.) MxPS=   1 Ivl=16ms

From the information above, we can see that the scanner uses three endpoints:

  • One OUT bulk endpoint
  • One IN bulk endpoint
  • One IN interrupt endpoint
We can then tell that the PC uses the OUT bulk endpoint to send general control and normal data to the scanner, the IN bulk endpoint to receive scanned/preview images from the scanner, and the IN interrupt endpoint to receive other interrupts (e.g., when any of the scanner's buttons is pressed).

How to use usbmon?

The captured data are stored in /sys/kernel/debug/usb/usbmon/<file>, where <file> is "0u" to capture packets on all buses, or <bus#>u for a specific bus. Where can we find the bus number? See the contents of the devices file above. The first line says "Bus=01", which means that to capture packets to/from the scanner we just need to cat the file "1u" (the detailed documentation for usbmon can be read here: http://lxr.linux.no/linux+v2.6.28.8/Documentation/usb/usbmon.txt).
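The lookup described above can be scripted. The following is an added example, not code from the original post: it finds a device record by vendor and product ID in the devices listing and returns the bus number, the matching usbmon file and the endpoint roles. The function name find_device is hypothetical, and the first record in the sample is a shortened, constructed one; the second is the scanner's record as shown above.

```python
import re

# The scanner's record exactly as shown above, preceded by a shortened,
# constructed record for another device so the lookup has something to skip.
DEVICES = """\
T:  Bus=01 Lev=02 Prnt=02 Port=01 Cnt=02 Dev#=  4 Spd=12   MxCh= 0
P:  Vendor=056a ProdID=0017 Rev= 1.00
E:  Ad=81(I) Atr=03(Int.) MxPS=   8 Ivl=4ms

T:  Bus=01 Lev=02 Prnt=02 Port=03 Cnt=04 Dev#=  6 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs=  1
P:  Vendor=04a9 ProdID=221b Rev= 2.00
S:  Manufacturer=Canon
S:  Product=CanoScan
C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr= 10mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=03(Int.) MxPS=   1 Ivl=16ms
"""

EP_RE = re.compile(
    r"^E:\s+Ad=([0-9a-f]{2})\([IO]\) Atr=\w{2}\((\w+)\.?\) MxPS=\s*(\d+)", re.M)

def find_device(text, vendor, product):
    """Return bus, device number, usbmon file and endpoints, or None."""
    # Every device record starts with a "T:" (topology) line.
    for record in re.findall(r"(?ms)^T:.*?(?=^T:|\Z)", text):
        ids = re.search(r"^P:\s+Vendor=(\w{4}) ProdID=(\w{4})", record, re.M)
        if not ids or (int(ids[1], 16), int(ids[2], 16)) != (vendor, product):
            continue
        topo = re.search(r"^T:\s+Bus=(\d+).*?Dev#=\s*(\d+)", record, re.M)
        bus, dev = int(topo[1]), int(topo[2])
        endpoints = []
        for addr, kind, mxps in EP_RE.findall(record):
            address = int(addr, 16)
            # Bit 7 of the endpoint address is the direction (1 = IN).
            endpoints.append({"address": address,
                              "dir": "IN" if address & 0x80 else "OUT",
                              "type": kind, "max_packet": int(mxps)})
        return {"bus": bus, "dev": dev, "endpoints": endpoints,
                "usbmon": f"/sys/kernel/debug/usb/usbmon/{bus}u"}
    return None

if __name__ == "__main__":
    print(find_device(DEVICES, 0x04A9, 0x221B))
```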

An easier way is to use Wireshark (as root, because we need access to the USB devices). Start a capture, let it run for some time, and stop it. Apply the filter "usb.idVendor == 0x4a9 && usb.idProduct == 0x221b" or "usb.device_address == 6 && usb.bus_id==1". In my case, I know the scanner is address 6 and bus=1. Save the captured data to a file (select the "Wireshark/tcpdump" format).

To read it:

tshark -r pcapfile -T fields -V -e usb.capdata

or

tshark -r pcapfile -x

For example:

root@HP-m9000t:~# tshark -P -r ./usbscanner1.pcap -x -V -R "usb.bus_id==1 && usb.device_address==6"

tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Frame 528: 64 bytes on wire (512 bits), 64 bytes captured (512 bits)
    WTAP_ENCAP: 115
    Arrival Time: Jan 17, 2013 22:29:25.703289000 PST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1358490565.703289000 seconds
    [Time delta from previous captured frame: 0.000025000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 2.030187000 seconds]
    Frame Number: 528
    Frame Length: 64 bytes (512 bits)
    Capture Length: 64 bytes (512 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: usb]
USB URB
    URB id: 0xffff88013280d240
    URB type: URB_SUBMIT ('S')
    URB transfer type: URB_CONTROL (0x02)
    Endpoint: 0x80, Direction: IN
        1... .... = Direction: IN (1)
        .000 0000 = Endpoint value: 0
    Device: 6
    URB bus id: 1
    Device setup request: relevant (0)
    Data: not present ('<')
    URB sec: 1358490565
    URB usec: 703289
    URB status: Operation now in progress (-EINPROGRESS) (-115)
    URB length [bytes]: 40
    Data length [bytes]: 0
URB setup
    bmRequestType: 0x80
        1... .... = Direction: Device-to-host
        .00. .... = Type: Standard (0x00)
        ...0 0000 = Recipient: Device (0x00)
    bRequest: GET DESCRIPTOR (6)
    Descriptor Index: 0x00
    bDescriptorType: DEVICE (1)
    Language Id: no language specified (0x0000)
    wLength: 40

0000  40 d2 80 32 01 88 ff ff 53 02 80 06 01 00 00 3c   @..2....S......<
0010  c5 eb f8 50 00 00 00 00 39 bb 0a 00 8d ff ff ff   ...P....9.......
0020  28 00 00 00 00 00 00 00 80 06 00 01 00 00 28 00   (.............(.
0030  00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00   ................

Frame 529: 82 bytes on wire (656 bits), 82 bytes captured (656 bits)
    WTAP_ENCAP: 115
    Arrival Time: Jan 17, 2013 22:29:25.704138000 PST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1358490565.704138000 seconds
    [Time delta from previous captured frame: 0.000849000 seconds]
    [Time delta from previous displayed frame: 0.000849000 seconds]
    [Time since reference or first frame: 2.031036000 seconds]
    Frame Number: 529
    Frame Length: 82 bytes (656 bits)
    Capture Length: 82 bytes (656 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: usb]
USB URB
    URB id: 0xffff88013280d240
    URB type: URB_COMPLETE ('C')
    URB transfer type: URB_CONTROL (0x02)
    Endpoint: 0x80, Direction: IN
        1... .... = Direction: IN (1)
        .000 0000 = Endpoint value: 0
    Device: 6
    URB bus id: 1
    Device setup request: not relevant ('-')
    Data: present (0)
    URB sec: 1358490565
    URB usec: 704138
    URB status: Success (0)
    URB length [bytes]: 18
    Data length [bytes]: 18
    [Request in: 528]
    [Time from request: 0.000849000 seconds]
    [bInterfaceClass: Unknown (0xffff)]
DEVICE DESCRIPTOR
    bLength: 18
    bDescriptorType: DEVICE (1)
    bcdUSB: 0x0200
    bDeviceClass: VENDOR_SPECIFIC (0xff)
    bDeviceSubClass: 255
    bDeviceProtocol: 255
    bMaxPacketSize0: 64
    idVendor: 0x04a9
    idProduct: 0x221b
    bcdDevice: 0x0200
    iManufacturer: 3
    iProduct: 4
    iSerialNumber: 0
    bNumConfigurations: 1

0000  40 d2 80 32 01 88 ff ff 43 02 80 06 01 00 2d 00   @..2....C.....-.
0010  c5 eb f8 50 00 00 00 00 8a be 0a 00 00 00 00 00   ...P............
0020  12 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00   ................
0030  00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00   ................
0040  12 01 00 02 ff ff ff 40 a9 04 1b 22 00 02 03 04   .......@..."....
0050  00 01                            

usb.capdata is one of the fields. There are many other fields we can display. Check the Wireshark documentation at http://www.wireshark.org/docs/dfref/u/usb.html for more detail.

Because the data collected above still gives no clue (beyond showing that the host queried the scanner and the scanner responded), I will try again on Windows, where the original driver has been installed.
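The hex dumps of frames 528 and 529 above can also be decoded by hand, which is useful once the vendor-specific bulk traffic has to be read without a dissector. The following is an added example, not code from the original post: it unpacks the 64-byte Linux usbmon binary header that precedes each captured URB and then the 18-byte device descriptor carried by frame 529. The function names parse_urb and parse_device_descriptor are hypothetical.

```python
import struct

# Frames 528 and 529, copied from the tshark hex dumps above.
FRAME_528 = bytes.fromhex(
    "40 d2 80 32 01 88 ff ff 53 02 80 06 01 00 00 3c"
    "c5 eb f8 50 00 00 00 00 39 bb 0a 00 8d ff ff ff"
    "28 00 00 00 00 00 00 00 80 06 00 01 00 00 28 00"
    "00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00")
FRAME_529 = bytes.fromhex(
    "40 d2 80 32 01 88 ff ff 43 02 80 06 01 00 2d 00"
    "c5 eb f8 50 00 00 00 00 8a be 0a 00 00 00 00 00"
    "12 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00"
    "12 01 00 02 ff ff ff 40 a9 04 1b 22 00 02 03 04"
    "00 01")

# 64-byte little-endian usbmon header: id, type, xfer_type, epnum, devnum,
# busnum, flag_setup, flag_data, ts_sec, ts_usec, status, length, len_cap,
# setup[8], interval, start_frame, xfer_flags, ndesc.
HDR = struct.Struct("<Q4BH2cqiiII8s2i2I")
XFER = {0: "ISO", 1: "INTERRUPT", 2: "CONTROL", 3: "BULK"}
SETUP_FIELDS = ("bmRequestType", "bRequest", "wValue", "wIndex", "wLength")
DEV_DESC = struct.Struct("<BBHBBBBHHHBBBB")  # 18-byte standard device descriptor
DEV_FIELDS = ("bLength", "bDescriptorType", "bcdUSB", "bDeviceClass",
              "bDeviceSubClass", "bDeviceProtocol", "bMaxPacketSize0",
              "idVendor", "idProduct", "bcdDevice", "iManufacturer",
              "iProduct", "iSerialNumber", "bNumConfigurations")

def parse_urb(frame):
    """Decode the usbmon header; the payload is whatever follows it."""
    if len(frame) < HDR.size:
        raise ValueError("frame shorter than the 64-byte usbmon header")
    (urb_id, event, xfer, ep, dev, bus, f_setup, _f_data, sec, usec, status,
     length, len_cap, setup, *_rest) = HDR.unpack_from(frame)
    urb = {"id": urb_id, "event": chr(event), "xfer": XFER.get(xfer, xfer),
           "ep": ep & 0x0F, "dir": "IN" if ep & 0x80 else "OUT", "dev": dev,
           "bus": bus, "ts": (sec, usec), "status": status, "length": length,
           "payload": frame[HDR.size:HDR.size + len_cap]}
    if f_setup == b"\x00":  # 0 means the setup packet field is valid
        urb["setup"] = dict(zip(SETUP_FIELDS, struct.unpack("<BBHHH", setup)))
    return urb

def parse_device_descriptor(data):
    """Decode a standard device descriptor (bDescriptorType 1)."""
    if len(data) < DEV_DESC.size or data[1] != 1:
        raise ValueError("not a complete device descriptor")
    return dict(zip(DEV_FIELDS, DEV_DESC.unpack_from(data)))
```

A submit ('S') and its completion ('C') share the same URB id, which is how frame 529 is matched to the request in frame 528.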

(to be continued...)



2 comments:

  1. Can you help me with my Canon LiDE 120???? Best of luck, way to go..

  2. Sorry, I don't have the equipment so I cannot test.
