libusb_handle_events_completed causes segfault #2

Open
patryk4815 opened this issue May 1, 2022 · 2 comments

@patryk4815

Hi. Nice work!
I have some problems with running the proxy.

Is it possible to "mitm" the communication between the flash drive and my external computer?

"pendrive" <-> (USB <- raspberrypi -> USB OTG) <-> my external pc

My setup:
Raspberry Pi 4 B - 8gb ram
Kernel 5.15.34
libusb-1.0.25

I'm getting a segfault in libusb_handle_events_completed(NULL, NULL);
[Screenshot 2022-05-1 at 18 10 03]
stacktrace:
[Screenshot 2022-05-1 at 18 10 17]

After commenting out this line, libusb_handle_events_completed(NULL, NULL);, it looks like it is working better, but still failing?

Device is: fe980000.usb
Driver is: fe980000.usb
vendor_id is: 2316
product_id is: 4096
5 Devices in list
Target device not found
Device opened successfully
Setup USB config successfully
Start hotplug_monitor thread, thread id(3243)
Start for EP0, thread id(3241)
event: connect, length: 0
event: control, length: 8
  bRequestType: 0x80  (IN), bRequest: 0x06, wValue: 0x0100, wIndex: 0x0000, wLength: 18
  type = USB_TYPE_STANDARD
  req = USB_REQ_GET_DESCRIPTOR
  desc = USB_DT_DEVICE
Control transfer succeed
ep0: transferred 18 bytes (in)
event: control, length: 8
  bRequestType: 0x80  (IN), bRequest: 0x06, wValue: 0x0302, wIndex: 0x0409, wLength: 2
  type = USB_TYPE_STANDARD
  req = USB_REQ_GET_DESCRIPTOR
  desc = USB_DT_STRING
Control transfer succeed
ep0: transferred 2 bytes (in)
event: control, length: 8
  bRequestType: 0x80  (IN), bRequest: 0x06, wValue: 0x0302, wIndex: 0x0409, wLength: 18
  type = USB_TYPE_STANDARD
  req = USB_REQ_GET_DESCRIPTOR
  desc = USB_DT_STRING
Control transfer succeed
ep0: transferred 18 bytes (in)
event: control, length: 8
  bRequestType: 0x80  (IN), bRequest: 0x06, wValue: 0x0301, wIndex: 0x0409, wLength: 2
  type = USB_TYPE_STANDARD
  req = USB_REQ_GET_DESCRIPTOR
  desc = USB_DT_STRING
Control transfer succeed
ep0: transferred 2 bytes (in)
event: control, length: 8
  bRequestType: 0x80  (IN), bRequest: 0x06, wValue: 0x0301, wIndex: 0x0409, wLength: 32
  type = USB_TYPE_STANDARD
  req = USB_REQ_GET_DESCRIPTOR
  desc = USB_DT_STRING
Control transfer succeed
ep0: transferred 32 bytes (in)
event: control, length: 8
  bRequestType: 0x80  (IN), bRequest: 0x06, wValue: 0x0f00, wIndex: 0x0000, wLength: 5
  type = USB_TYPE_STANDARD
  req = USB_REQ_GET_DESCRIPTOR
  desc = USB_DT_BOS
Control transfer succeed
ep0: transferred 5 bytes (in)
event: control, length: 8
  bRequestType: 0x80  (IN), bRequest: 0x06, wValue: 0x0f00, wIndex: 0x0000, wLength: 22
  type = USB_TYPE_STANDARD
  req = USB_REQ_GET_DESCRIPTOR
  desc = USB_DT_BOS
Control transfer succeed
ep0: transferred 22 bytes (in)
event: control, length: 8
  bRequestType: 0x80  (IN), bRequest: 0x06, wValue: 0x0200, wIndex: 0x0000, wLength: 9
  type = USB_TYPE_STANDARD
  req = USB_REQ_GET_DESCRIPTOR
  desc = USB_DT_CONFIG
Control transfer succeed
ep0: transferred 9 bytes (in)
event: control, length: 8
  bRequestType: 0x80  (IN), bRequest: 0x06, wValue: 0x0200, wIndex: 0x0000, wLength: 44
  type = USB_TYPE_STANDARD
  req = USB_REQ_GET_DESCRIPTOR
  desc = USB_DT_CONFIG
Control transfer succeed
ep0: transferred 44 bytes (in)
event: control, length: 8
  bRequestType: 0x00 (OUT), bRequest: 0x09, wValue: 0x0001, wIndex: 0x0000, wLength: 0
  type = USB_TYPE_STANDARD
  req = USB_REQ_SET_CONFIGURATION
Found desired configuration at index: 0
ep #0:
  name: ep1in
  addr: 1
  type: iso blk int
  dir : in  ___
  maxpacket_limit: 1024
  max_streams: 0
ep #1:
  name: ep1out
  addr: 1
  type: iso blk int
  dir : ___ out
  maxpacket_limit: 1024
  max_streams: 0
ep #2:
  name: ep2in
  addr: 2
  type: iso blk int
  dir : in  ___
  maxpacket_limit: 1024
  max_streams: 0
ep #3:
  name: ep2out
  addr: 2
  type: iso blk int
  dir : ___ out
  maxpacket_limit: 1024
  max_streams: 0
ep #4:
  name: ep3in
  addr: 3
  type: iso blk int
  dir : in  ___
  maxpacket_limit: 1024
  max_streams: 0
ep #5:
  name: ep3out
  addr: 3
  type: iso blk int
  dir : ___ out
  maxpacket_limit: 1024
  max_streams: 0
ep #6:
  name: ep4in
  addr: 4
  type: iso blk int
  dir : in  ___
  maxpacket_limit: 1024
  max_streams: 0
ep #7:
  name: ep4out
  addr: 4
  type: iso blk int
  dir : ___ out
  maxpacket_limit: 1024
  max_streams: 0
ep #8:
  name: ep5in
  addr: 5
  type: iso blk int
  dir : in  ___
  maxpacket_limit: 1024
  max_streams: 0
ep #9:
  name: ep5out
  addr: 5
  type: iso blk int
  dir : ___ out
  maxpacket_limit: 1024
  max_streams: 0
ep #10:
  name: ep6in
  addr: 6
  type: iso blk int
  dir : in  ___
  maxpacket_limit: 1024
  max_streams: 0
ep #11:
  name: ep6out
  addr: 6
  type: iso blk int
  dir : ___ out
  maxpacket_limit: 1024
  max_streams: 0
ep #12:
  name: ep7in
  addr: 7
  type: iso blk int
  dir : in  ___
  maxpacket_limit: 1024
  max_streams: 0
ep #13:
  name: ep7out
  addr: 7
  type: iso blk int
  dir : ___ out
  maxpacket_limit: 1024
  max_streams: 0
bNumEndpoints is 2
bulk_out: addr = 1, ep = #1
Creating thread for EP01
Start reading thread for EP01, thread id(3244)
bulk_in: addr = 2, ep = #2
Creating thread for EP82
Start writing thread for EP01, thread id(3245)
Start reading thread for EP82, thread id(3246)
process_eps done
Start writing thread for EP82, thread id(3247)
event: control, length: 8
  bRequestType: 0xa1  (IN), bRequest: 0xfe, wValue: 0x0000, wIndex: 0x0000, wLength: 1
  type = USB_TYPE_CLASS
  req = unknown = 0xfe
Control transfer succeed
ep0: transferred 1 bytes (in)
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 36 bytes to queue
EP82(bulk_in): wrote 36 bytes to host
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 36 bytes to queue
EP82(bulk_in): wrote 36 bytes to host
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 13 bytes to host
event: control, length: 8
  bRequestType: 0x80  (IN), bRequest: 0x06, wValue: 0x0300, wIndex: 0x0000, wLength: 255
  type = USB_TYPE_STANDARD
  req = USB_REQ_GET_DESCRIPTOR
  desc = USB_DT_STRING
Control transfer succeed
ep0: transferred 4 bytes (in)
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 18 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 18 bytes to host
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 8 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 8 bytes to host
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 4 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 4 bytes to host
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 36 bytes to queue
EP82(bulk_in): wrote 36 bytes to host
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 512 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 512 bytes to host
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 512 bytes to queue
EP82(bulk_in): wrote 512 bytes to host
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 512 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 512 bytes to host
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 512 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 512 bytes to host
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 512 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 512 bytes to host
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 512 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
EP82(bulk_in): wrote 512 bytes to host
EP82(bulk_in): wrote 13 bytes to host
EP1(bulk_out): read 31 bytes from host
EP1(bulk_out): enqueued 31 bytes to queue
EP82(bulk_in): enqueued 1024 bytes to queue
EP82(bulk_in): enqueued 512 bytes to queue
EP82(bulk_in): enqueued 13 bytes to queue
ioctl(USB_RAW_IOCTL_EP_WRITE): Cannot send after transport endpoint shutdown
ioctl(USB_RAW_IOCTL_EP_READ): Cannot send after transport endpoint shutdown
@AristoChen
Owner

Hi,

Thank you for spending time on this project!

I am sorry, but I am busy preparing for coding interviews for my next job, so I won't be able to check what went wrong in the near future (probably a month). I will check this out when I get my next job.

@AristoChen
Owner

Hi @patryk4815,

I finally have some time to check this.

> Is it possible to "mitm" the communication between the flash drive and my external computer?

Yes, it is possible, but I haven't implemented it yet, so you might need to edit the code to modify the USB packet before sending it to the Host or Device.

> I'm getting a segfault in libusb_handle_events_completed(NULL, NULL);

Unfortunately, I have tried all the USB devices that I have and am still not able to reproduce the issue currently. I found that libusb_handle_events(NULL) is used to handle hotplug in the official libusb example. Could you try this when you have time? Thanks!
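
The 31-byte bulk-out reads and 13-byte bulk-in writes in the log above have the sizes of the USB Mass Storage Bulk-Only Transport command and status wrappers (CBW and CSW), so a proxy that inspects this traffic would start by decoding them. The following C parser is an added example, not code from this project; the struct and function names and the sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CBW_LEN 31
#define CSW_LEN 13
#define CBW_SIG 0x43425355u /* "USBC", little-endian on the wire */
#define CSW_SIG 0x53425355u /* "USBS" */

struct cbw { uint32_t tag, data_len; uint8_t dir_in, lun, cb_len, cb[16]; };
struct csw { uint32_t tag, residue; uint8_t status; };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 if buf is not a well-formed CBW. */
int parse_cbw(const uint8_t *buf, size_t len, struct cbw *out) {
    if (len != CBW_LEN || le32(buf) != CBW_SIG) return -1;
    out->tag = le32(buf + 4);
    out->data_len = le32(buf + 8);          /* expected data-phase length */
    out->dir_in = (buf[12] & 0x80) != 0;    /* 1 = device-to-host */
    out->lun = buf[13] & 0x0f;
    out->cb_len = buf[14] & 0x1f;
    if (out->cb_len < 1 || out->cb_len > 16) return -1;
    memset(out->cb, 0, sizeof out->cb);
    memcpy(out->cb, buf + 15, out->cb_len); /* SCSI command block */
    return 0;
}

/* Returns 0 on success, -1 if buf is not a well-formed CSW. */
int parse_csw(const uint8_t *buf, size_t len, struct csw *out) {
    if (len != CSW_LEN || le32(buf) != CSW_SIG) return -1;
    out->tag = le32(buf + 4);
    out->residue = le32(buf + 8);
    out->status = buf[12];                  /* 0 pass, 1 fail, 2 phase error */
    return out->status <= 2 ? 0 : -1;
}

/* SCSI opcode carried by a CBW, or -1 if the packet is malformed. */
int cbw_opcode(const uint8_t *buf, size_t len) {
    struct cbw c;
    return parse_cbw(buf, len, &c) ? -1 : c.cb[0];
}

/* 1 if the CSW answers this CBW (same tag) with status "passed". */
int exchange_ok(const uint8_t *cb, size_t cl, const uint8_t *sb, size_t sl) {
    struct cbw c; struct csw s;
    if (parse_cbw(cb, cl, &c) || parse_csw(sb, sl, &s)) return 0;
    return c.tag == s.tag && s.status == 0;
}

/* Constructed samples: INQUIRY (0x12) requesting 36 bytes IN, and its CSW. */
const uint8_t sample_cbw[CBW_LEN] = { 0x55,0x53,0x42,0x43, 1,0,0,0, 36,0,0,0,
                                      0x80, 0, 6, 0x12,0,0,0,36,0 };
const uint8_t sample_csw[CSW_LEN] = { 0x55,0x53,0x42,0x53, 1,0,0,0, 0,0,0,0, 0 };
```
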
