USB emulator/hijack

1. #include <linux/init.h>
2. #include <linux/kernel.h>
3. #include <linux/module.h>
4. #include <linux/usb.h>
5. #include <linux/uaccess.h>
6. #include <linux/slab.h>
7. #include <linux/mutex.h>
8.  
9. #define VENDOR_ID 0x058f /* Alcor Micro Corp. */
10. #define PRODUCT_ID 0x6387 /* Flash Drive */
11. #define USB_CLASS 8 /* Mass Storage */
12. #define SUBCLASS 6 /* SCSI */
13. #define PROTOCOL 80 /* Bulk-Only */
14.  
15. #define BULK_OUT_ENDP 0x01
16. #define BULK_IN_ENDP 0x82
17. #define PACKET_SIZE 512
18. #define TIMEOUT_MS 5000 /* Timeout in milliseconds */
19.  
20. static struct usb_device_id tala_table[] = {
21. {USB_DEVICE(VENDOR_ID, PRODUCT_ID)},
22. {USB_DEVICE_INFO(USB_CLASS, SUBCLASS, PROTOCOL)},
23. {} /* Terminating entry */
24. };
25.  
26. MODULE_DEVICE_TABLE(usb, tala_table);
27.  
28. static struct usb_device *device;
29. static unsigned char *bulk_buf;
30. static DEFINE_MUTEX(device_mutex);
31.  
32. static int tala_open(struct inode *i, struct file *f) {
33. if (!mutex_trylock(&device_mutex)) {
34. pr_err("tala: Device is busy.\n");
35. return -EBUSY;
36. }
37. pr_info("tala: Device opened.\n");
38. return 0;
39. }
40.  
41. static int tala_close(struct inode *i, struct file *f) {
42. mutex_unlock(&device_mutex);
43. pr_info("tala: Device closed.\n");
44. return 0;
45. }
46.  
47. static ssize_t tala_read(struct file *f, char __user *buf, size_t count, loff_t *off) {
48. int ret, actual_length;
49.  
50. if (count > PACKET_SIZE) {
51. pr_err("tala_read: Requested read size exceeds buffer limit.\n");
52. return -EINVAL;
53. }
54.  
55. /* Read data from the bulk IN endpoint */
56. ret = usb_bulk_msg(device, usb_rcvbulkpipe(device, BULK_IN_ENDP), bulk_buf,
57. count, &actual_length, TIMEOUT_MS);
58.  
59. if (ret) {
60. pr_err("tala_read: usb_bulk_msg failed (error %d).\n", ret);
61. return ret;
62. }
63.  
64. if (copy_to_user(buf, bulk_buf, actual_length)) {
65. pr_err("tala_read: Failed to copy data to user space.\n");
66. return -EFAULT;
67. }
68.  
69. pr_info("tala_read: Read %d bytes successfully.\n", actual_length);
70. return actual_length;
71. }
72.  
73. static ssize_t tala_write(struct file *f, const char __user *buf, size_t count, loff_t *off) {
74. int ret, actual_length;
75.  
76. if (count > PACKET_SIZE) {
77. pr_err("tala_write: Requested write size exceeds buffer limit.\n");
78. return -EINVAL;
79. }
80.  
81. if (copy_from_user(bulk_buf, buf, count)) {
82. pr_err("tala_write: Failed to copy data from user space.\n");
83. return -EFAULT;
84. }
85.  
86. /* Write data to the bulk OUT endpoint */
87. ret = usb_bulk_msg(device, usb_sndbulkpipe(device, BULK_OUT_ENDP), bulk_buf,
88. count, &actual_length, TIMEOUT_MS);
89.  
90. if (ret) {
91. pr_err("tala_write: usb_bulk_msg failed (error %d).\n", ret);
92. return ret;
93. }
94.  
95. pr_info("tala_write: Wrote %d bytes successfully.\n", actual_length);
96. return actual_length;
97. }
98.  
99. static struct file_operations tala_fops = {
100. .owner = THIS_MODULE,
101. .open = tala_open,
102. .release = tala_close,
103. .read = tala_read,
104. .write = tala_write,
105. };
106.  
107. static struct usb_class_driver tala_class = {
108. .name = "usb/skel%d",
109. .fops = &tala_fops,
110. .mode = 0660, /* Allow owner and group to read/write */
111. };
112.  
113. static int tala_probe(struct usb_interface *interface, const struct usb_device_id *id) {
114. int ret;
115.  
116. pr_info("tala: Device plugged in.\n");
117.  
118. device = interface_to_usbdev(interface);
119. bulk_buf = kzalloc(PACKET_SIZE, GFP_KERNEL);
120. if (!bulk_buf) {
121. pr_err("tala_probe: Failed to allocate memory for bulk buffer.\n");
122. return -ENOMEM;
123. }
124.  
125. ret = usb_register_dev(interface, &tala_class);
126. if (ret) {
127. pr_err("tala_probe: Failed to register device (error %d).\n", ret);
128. kfree(bulk_buf);
129. bulk_buf = NULL;
130. } else {
131. pr_info("tala: Device registered successfully (minor %d).\n", interface->minor);
132. }
133.  
134. return ret;
135. }
136.  
137. static void tala_disconnect(struct usb_interface *interface) {
138. usb_deregister_dev(interface, &tala_class);
139.  
140. if (bulk_buf) {
141. memset(bulk_buf, 0, PACKET_SIZE); /* Clear sensitive data */
142. kfree(bulk_buf);
143. bulk_buf = NULL;
144. }
145.  
146. pr_info("tala: Device disconnected.\n");
147. }
148.  
149. static struct usb_driver tala_driver = {
150. .name = "tala",
151. .id_table = tala_table,
152. .probe = tala_probe,
153. .disconnect = tala_disconnect,
154. };
155.  
156. static int __init tala_init(void) {
157. int ret;
158.  
159. pr_info("tala: Initializing driver.\n");
160. ret = usb_register(&tala_driver);
161. if (ret) {
162. pr_err("tala_init: usb_register failed (error %d).\n", ret);
163. }
164.  
165. return ret;
166. }
167.  
168. static void __exit tala_exit(void) {
169. pr_info("tala: Exiting driver.\n");
170. usb_deregister(&tala_driver);
171. }
172.  
173. module_init(tala_init);
174. module_exit(tala_exit);
175.  
176. /////////////
177. #include <linux/init.h>
178. #include <linux/kernel.h>
179. #include <linux/module.h>
180. #include <linux/usb.h>
181. #include <linux/uaccess.h>
182. #include <linux/slab.h>
183. #include <linux/usb/composite.h>
184. #include <linux/mutex.h>
185.  
186. #define VENDOR_ID 0x058f /* Alcor Micro Corp. */
187. #define PRODUCT_ID 0x6387 /* Flash Drive */
188. #define USB_CLASS 8 /* Mass Storage */
189. #define SUBCLASS 6 /* SCSI */
190. #define PROTOCOL 80 /* Bulk-Only */
191.  
192. #define BULK_OUT_ENDP 0x01
193. #define BULK_IN_ENDP 0x82
194. #define PACKET_SIZE 512
195. #define TIMEOUT_MS 5000 /* Timeout in milliseconds */
196.  
197. MODULE_LICENSE("GPL");
198. MODULE_AUTHOR("Mujtaba Asim, Improved by Assistant");
199. MODULE_DESCRIPTION("Secure USB driver with g_mass_storage support.");
200. MODULE_VERSION("0.0.4");
201.  
202. static struct usb_device_id tala_table[] = {
203. {USB_DEVICE(VENDOR_ID, PRODUCT_ID)},
204. {USB_DEVICE_INFO(USB_CLASS, SUBCLASS, PROTOCOL)},
205. {} /* Terminating entry */
206. };
207.  
208. MODULE_DEVICE_TABLE(usb, tala_table);
209.  
210. static struct usb_device *device;
211. static unsigned char *bulk_buf;
212. static DEFINE_MUTEX(device_mutex);
213.  
214. static struct usb_gadget *gadget;
215.  
216. static struct usb_composite_driver composite_driver;
217.  
218. static struct usb_configuration config;
219.  
220. static struct usb_gadget_driver gadget_driver = {
221. .function = "gadget_mass_storage",
222. .driver = {
223. .name = "usb_mass_storage_emulator",
224. .owner = THIS_MODULE,
225. },
226. };
227.  
228. // Mass storage device memory buffer
229. static unsigned char *storage_buffer;
230. #define STORAGE_SIZE 1024 * 1024 /* 1MB for example */
231.  
232. /* Read data from the storage buffer */
233. static ssize_t tala_read(struct file *f, char __user *buf, size_t count, loff_t *off)
234. {
235. int ret;
236.  
237. if (count > STORAGE_SIZE) {
238. pr_err("tala_read: Requested size exceeds storage limit.\n");
239. return -EINVAL;
240. }
241.  
242. if (copy_to_user(buf, storage_buffer, count)) {
243. pr_err("tala_read: Failed to copy data to user space.\n");
244. return -EFAULT;
245. }
246.  
247. pr_info("tala_read: Read %ld bytes from storage.\n", count);
248. return count;
249. }
250.  
251. /* Write data to the storage buffer */
252. static ssize_t tala_write(struct file *f, const char __user *buf, size_t count, loff_t *off)
253. {
254. if (count > STORAGE_SIZE) {
255. pr_err("tala_write: Requested size exceeds storage limit.\n");
256. return -EINVAL;
257. }
258.  
259. if (copy_from_user(storage_buffer, buf, count)) {
260. pr_err("tala_write: Failed to copy data from user space.\n");
261. return -EFAULT;
262. }
263.  
264. pr_info("tala_write: Wrote %ld bytes to storage.\n", count);
265. return count;
266. }
267.  
268. /* Open the device */
269. static int tala_open(struct inode *i, struct file *f) {
270. if (!mutex_trylock(&device_mutex)) {
271. pr_err("tala: Device is busy.\n");
272. return -EBUSY;
273. }
274. pr_info("tala: Device opened.\n");
275. return 0;
276. }
277.  
278. /* Close the device */
279. static int tala_close(struct inode *i, struct file *f) {
280. mutex_unlock(&device_mutex);
281. pr_info("tala: Device closed.\n");
282. return 0;
283. }
284.  
285. static struct file_operations tala_fops = {
286. .owner = THIS_MODULE,
287. .open = tala_open,
288. .release = tala_close,
289. .read = tala_read,
290. .write = tala_write,
291. };
292.  
293. /* Define mass storage endpoints and configuration */
294. static struct usb_endpoint_descriptor bulk_in_desc = {
295. .bEndpointAddress = BULK_IN_ENDP,
296. .bmAttributes = USB_ENDPOINT_XFER_BULK,
297. .wMaxPacketSize = cpu_to_le16(PACKET_SIZE),
298. };
299.  
300. static struct usb_endpoint_descriptor bulk_out_desc = {
301. .bEndpointAddress = BULK_OUT_ENDP,
302. .bmAttributes = USB_ENDPOINT_XFER_BULK,
303. .wMaxPacketSize = cpu_to_le16(PACKET_SIZE),
304. };
305.  
306. static struct usb_interface_descriptor interface_desc = {
307. .bNumEndpoints = 2,
308. .bInterfaceClass = USB_CLASS_MASS_STORAGE,
309. .bInterfaceSubClass = SUBCLASS,
310. .bInterfaceProtocol = PROTOCOL,
311. .endpoint = (struct usb_endpoint_descriptor[]) {
312. bulk_in_desc,
313. bulk_out_desc,
314. },
315. };
316.  
317. /* Mass Storage Driver Setup */
318. static int __init tala_init(void)
319. {
320. int ret;
321.  
322. pr_info("tala: Initializing USB gadget with g_mass_storage.\n");
323.  
324. storage_buffer = kmalloc(STORAGE_SIZE, GFP_KERNEL);
325. if (!storage_buffer) {
326. pr_err("tala_init: Failed to allocate memory for storage buffer.\n");
327. return -ENOMEM;
328. }
329.  
330. /* Initialize gadget driver */
331. ret = usb_gadget_register_driver(&gadget_driver);
332. if (ret) {
333. pr_err("tala_init: usb_gadget_register_driver failed (error %d).\n", ret);
334. kfree(storage_buffer);
335. return ret;
336. }
337.  
338. pr_info("tala: USB gadget initialized.\n");
339.  
340. return 0;
341. }
342.  
343. static void __exit tala_exit(void)
344. {
345. pr_info("tala: Exiting USB gadget driver.\n");
346.  
347. usb_gadget_unregister_driver(&gadget_driver);
348. kfree(storage_buffer);
349.  
350. pr_info("tala: Exiting driver.\n");
351. }
352.  
353. module_init(tala_init);
354. module_exit(tala_exit);
355.