From: Stefan `Sec` Zehl
To: Maksim Yevmenkin
Cc: freebsd-bluetooth@freebsd.org
Date: Mon, 14 May 2007 19:25:12 +0200
Subject: Mediapad HID dump (was Re: send something TO a hid device)
Message-ID: <20070514172512.GC24803@ice.42.org>
References: <20070513140148.GA24803@ice.42.org>

Hi,

On Sun, May 13, 2007 at 16:14 -0700, Maksim Yevmenkin wrote:
> also
> would be nice to have hid descriptor dump (i assume hid reports are
> used to send information to the pad).

I have now completed my rudimentary HID report descriptor parser, and
can now present the parsed HID:

As far as I can see, it is a basic Keyboard-Style HID, with two
different "Reports", one for the normal keys, one for the "Media Keys"
using the "Consumer Control" page.
Sending to the device is only described as two different-length
"Vendor-defined" statements.

The "Security Code Character Entered" are (I assume) what Windows uses
to display "*"s when entering the PIN during the pairing process.

This dump also confirms my suspicion of an error inside the FreeBSD hid
parser. The report ID 0x03 specifies 16-bit keypresses, which are parsed
incorrectly. -- I will dig into that, and try to produce a patch for it
tomorrow.

05 01   | Usage Page(Generic desktop controls)
09 06   | Usage(Keyboard)
a1 01   | Collection(Application (mouse,keyboard))
05 07   | Usage Page(Key Codes)
85 01   | Report ID(0x01)
19 e0   | Usage Minimum(0xe0:Keyboard LeftControl)
29 e7   | Usage Maximum(0xe7:Keyboard Right GUI)
15 00   | Logical Minimum(0)
25 01   | Logical Maximum(1)
75 01   | Report Size(1)
95 08   | Report Count(8)
81 02   | --- Input(Data,Variable)
95 01   | Report Count(1)
75 08   | Report Size(8)
81 01   | --- Input(Constant)
95 05   | Report Count(5)
75 01   | Report Size(1)
05 08   | Usage Page(LEDs)
19 01   | Usage Minimum(0x01:Num Lock)
29 05   | Usage Maximum(0x05:Kana)
91 02   | --- Output(Data,Variable)
95 01   | Report Count(1)
75 03   | Report Size(3)
91 01   | --- Output(Constant)
95 06   | Report Count(6)
75 08   | Report Size(8)
15 00   | Logical Minimum(0)
26 a4 00| Logical Maximum(164)
05 07   | Usage Page(Key Codes)
19 00   | Usage Minimum(0x00:Reserved (no event indicated))
29 a4   | Usage Maximum(0xa4:Keyboard ExSel)
81 00   | --- Input(Data)
c0      | End Collection
05 0c   | Usage Page(Consumer)
09 01   | Usage(Consumer Control)
a1 01   | Collection(Application (mouse,keyboard))
85 03   | Report ID(0x03)
75 10   | Report Size(16)
95 02   | Report Count(2)
15 01   | Logical Minimum(1)
26 8c 02| Logical Maximum(652)
19 01   | Usage Minimum(0x01:Consumer Control)
2a 8c 02| Usage Maximum(0x028c:Not in Definition List: 652)
81 60   | --- Input(Data,NoPreferred,NullState)
c0      | End Collection
06 00 ff| Usage Page(Vendor-Defined)
09 01   | Usage(1)
a1 01   | Collection(Application (mouse,keyboard))
85 10   | Report ID(0x10)
75 08   | Report Size(8)
95 06   | Report Count(6)
15 00   | Logical Minimum(0)
26 ff 00| Logical Maximum(255)
09 01   | Usage(1)
81 00   | --- Input(Data)
09 01   | Usage(1)
91 00   | --- Output(Data)
c0      | End Collection
06 00 ff| Usage Page(Vendor-Defined)
09 02   | Usage(2)
a1 01   | Collection(Application (mouse,keyboard))
85 11   | Report ID(0x11)
75 08   | Report Size(8)
95 13   | Report Count(19)
15 00   | Logical Minimum(0)
26 ff 00| Logical Maximum(255)
09 02   | Usage(2)
81 00   | --- Input(Data)
09 02   | Usage(2)
91 00   | --- Output(Data)
c0      | End Collection
05 06   | Usage Page(Generic device controls)
09 27   | Usage(Reserved(39))
a1 01   | Collection(Application (mouse,keyboard))
85 ff   | Report ID(0xff)
95 01   | Report Count(1)
75 02   | Report Size(2)
09 24   | Usage(Security Code Character Entered)
09 26   | Usage(Security Code Cleared)
81 02   | --- Input(Data,Variable)
75 06   | Report Size(6)
81 01   | --- Input(Constant)
c0      | End Collection

CU,
    Sec
-- 
I have seen things you people wouldn't believe. Attack ships on fire
off the shoulder of Orion. I watched C-beams glitter in the dark near
the Tannhauser Gate. All those moments will be lost in time, like tears
in rain. Time to die.
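
Added example, not part of the message above and not the FreeBSD parser's code: a small C walker for HID short items that takes the data length from the size code in each prefix byte, so the multi-byte items of report ID 0x03 (26 8c 02, 2a 8c 02) decode as 16-bit values. The names hid_summarize and struct hid_summary are hypothetical; the sample bytes are the Consumer Control collection copied from the dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Consumer Control collection (report ID 0x03), bytes copied from the dump. */
static const uint8_t consumer_desc[] = {
    0x05, 0x0c, 0x09, 0x01, 0xa1, 0x01, 0x85, 0x03, 0x75, 0x10,
    0x95, 0x02, 0x15, 0x01, 0x26, 0x8c, 0x02, 0x19, 0x01,
    0x2a, 0x8c, 0x02, 0x81, 0x60, 0xc0
};

struct hid_summary {            /* hypothetical result type */
    uint32_t usage_max, logical_max, input_bits;
    uint8_t report_id;
};

/* Walk short items; 0 on success, -1 on a truncated or long item (no sign extension). */
int hid_summarize(const uint8_t *d, size_t len, struct hid_summary *s)
{
    static const uint8_t size_of[4] = { 0, 1, 2, 4 }; /* size code -> data bytes */
    uint32_t report_size = 0, report_count = 0;
    size_t i = 0;
    *s = (struct hid_summary){ 0 };
    while (i < len) {
        uint8_t prefix = d[i++];
        uint8_t n = size_of[prefix & 0x03];
        uint32_t v = 0;
        if (prefix == 0xfe || n > len - i)
            return -1;          /* device-supplied data: never read past the buffer */
        for (uint8_t k = 0; k < n; k++)
            v |= (uint32_t)d[i + k] << (8 * k);   /* item data is little-endian */
        i += n;
        switch (prefix & 0xfc) {                   /* tag and type bits */
        case 0x74: report_size = v; break;         /* Report Size */
        case 0x94: report_count = v; break;        /* Report Count */
        case 0x84: s->report_id = (uint8_t)v; break;
        case 0x24: s->logical_max = v; break;      /* 25 xx and 26 xx xx alike */
        case 0x28: s->usage_max = v; break;        /* 29 xx and 2a xx xx alike */
        case 0x80: s->input_bits += report_size * report_count; break;
        }
    }
    return 0;
}

int main(void)
{
    struct hid_summary s;
    int rc = hid_summarize(consumer_desc, sizeof consumer_desc, &s);
    printf("id 0x%02x usage max 0x%04x input bits %u\n",
           s.report_id, (unsigned)s.usage_max, (unsigned)s.input_bits);
    return rc;
}
```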