Data pipe

The data pipe is 0x1 for sending data, 0x81 for receiving it.

On this pipe we can see 802.11 frames.

Some other frames have an unknown meaning.

1 Sequences of frames

1.1 Starting sequence

Here are the frames exchanged on the data pipe, following the mgmt readback. Each one of those frames is actually preceded by a control frame on the 0xe pipe (dev pipe), see below for details.

This excerpt is from usbsnoopver3.log.

Known Structure

byte range            possible meaning
[0x00,0x03]           magic number indicating strange frame: 00 02 02 00
[0x04,0x0F]           length of the data from byte 0x10, δ1, little endian
[0x10,0x11]           unknown
[0x12,0x13]           some length δ2, little endian
[0x14,0x0B]           type indication: frame?
[0x4A+δ2,0x10+δ1[     padding to device frame
[0x10+δ1,end]         padding to USB frame

Table 1. Frame structure for sent frames

1.1.1 Unknown frame

Same on ver2.

[5539 ms]  >>>  URB 807 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000068
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 56 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 4a 00 00 00 00 00 03 00 00 00 00 14 0a 06
    00000020: 02 00 1f 00 ff 03 00 00 00 00 1f 00 ff 03 00 00
    00000030: 00 00 1f 00 ff 03 00 00 00 00 1f 00 ff 03 00 00
    00000040: 00 00 1f 00 ff 03 00 00 00 00 1f 00 ff 03 00 00
    00000050: 00 00 1f 00 ff 03 00 00 00 00 1f 00 ff 03 00 00
    00000060: 00 00 00 00 00 00 00 00
  UrbLink              = 00000000

Same family:

[7501 ms]  >>>  URB 1019 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 812c1760 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000068
  TransferBuffer       = 812e8008
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 56 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 4a 00 00 00 00 00 03 00 00 00 00 09 10 00
    00000020: 02 00 0f 00 ff 03 00 00 00 00 0f 00 ff 03 00 00
    00000030: 00 00 0f 00 ff 03 00 00 00 00 0f 00 ff 03 00 00
    00000040: 00 00 0f 00 ff 03 00 00 00 00 0f 00 ff 03 00 00
    00000050: 00 00 0f 00 ff 03 00 00 00 00 0f 00 ff 03 00 00
    00000060: 00 00 00 00 78 05 00 0c
  UrbLink              = 00000000

1.1.2 Unknown frame

I suspect this kind to be keepalive packets.

Same on ver2.

[5551 ms] UsbSnoop - MyDispatchInternalIOCTL(f6309e80) : fdo=813a3030, Irp=810c8868, IRQL=2
[5551 ms]  >>>  URB 809 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000024
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 14 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 08 00 00 00 00 00 0d 00 00 00 03 00 00 00
    00000020: 00 00 00 00
  UrbLink              = 00000000

1.1.3 Unknown frame

[5565 ms]  >>>  URB 811 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000044
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 34 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 28 00 00 00 00 00 00 00 00 00 00 00|00 0c
    00000020: 41 de 30 96|ff ff ff ff ff ff|00 bd 01 00 00 00
    00000030: 00 00 00 00 00 00 00 00 0c 48 02 00 10 06 03 00
    00000040: 00 00 42 f6

On ver2:

[5277 ms]  >>>  URB 816 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81306b00 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000044
  TransferBuffer       = 8130b888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 34 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 28 00 00 00 00 00 00 00 00 00 00 00 00 0c
    00000020: 41 de 30 96 ff ff ff ff ff ff 00 be 01 00 00 00
    00000030: 00 00 00 00 00 00 00 00 0c 48 02 00 10 06 03 00
    00000040: 00 00 42 f6
  UrbLink              = 00000000

On ver4:

[5373 ms]  >>>  URB 811 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 812fe900 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000044
  TransferBuffer       = 812f4008
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 34 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 28 00 00 00 00 00 00 00 00 00 00 00 00 0c
    00000020: 41 de 30 96 ff ff ff ff ff ff 00 be 01 00 00 00
    00000030: 00 00 00 00 00 00 00 00 0c 48 02 00 10 06 03 00
    00000040: 00 00 43 f6
  UrbLink              = 00000000

1.1.4 Unknown frame

[5581 ms]  >>>  URB 813 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000044
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 34 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 28 00 00 00 00 00 00 00 00 00 00 00|00 0c
    00000020: 41 de 30 96|ff ff ff ff ff ff|02 bd 00 00 00 00
    00000030: 08 06 04 01 00 00 00 00 0c 48 02 00 10 06 03 00
    00000040: 00 00 00 00
  UrbLink              = 00000000

On ver2:

– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81306b00 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000044
  TransferBuffer       = 8130b888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 34 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 28 00 00 00 00 00 00 00 00 00 00 00 00 0c
    00000020: 41 de 30 96 ff ff ff ff ff ff 02 be 00 00 00 00
    00000030: 08 06 04 01 00 00 00 00 0c 48 02 00 10 06 03 00
    00000040: 00 00 00 00
  UrbLink              = 00000000

On ver4: same as ver2.

1.1.5 Unknown frame

I suspect this kind to be keepalive packets.

[5583 ms]  >>>  URB 815 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000024
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 14 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 08 00 00 00 00 00 0d 00 00 00 03 00 01 00
    00000020: 00 00 f4 01

Same on ver2.

1.1.6 Unknown frame

Same on ver2.

Programming of the device frequency?

[5584 ms]  >>>  URB 817 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000088
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 78 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 6c 00 00 00 00 00 01 00 00 00 02 00 78 00
    00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000030: 00 00 00 00|6c 09|02 00 02 00 f8 03 01 01 08 38
    00000040: 38 38 2f 2c 4f 73 7d 8b 97 a3 af 00 47 38 5d 6b
    00000050: 77 83 8f 00 3f 0c 43 51 5d 69 75 00 33 de 23 31
    00000060: 3d 49 55 00 27 c1 07 15 21 2d 39 00 1b ae 00 00
    00000070: 07 13 1f 00 0f a2 00 00 00 00 06 00 00 98 00 00
    00000080: 00 00 00 00 00 00 00 00

1.1.7 Unknown frame

I suspect this kind to be keepalive packets.

Same on ver2.

[5585 ms]  >>>  URB 819 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000024
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 14 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 08 00 00 00 00 00 0d 00 00 00 03 00 00 00
    00000020: 00 00 00 00
  UrbLink              = 00000000

1.1.8 Unknown frame

Same as URB 813.

[5596 ms]  >>>  URB 821 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000044
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 34 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 28 00 00 00 00 00 00 00 00 00 00 00|00 0c
    00000020: 41 de 30 96|ff ff ff ff ff ff|02 bd 00 00 00 00
    00000030: 08 06 04 01 00 00 00 00 0c 48 02 00 10 06 03 00
    00000040: 00 00 00 00
  UrbLink              = 00000000

Same differences for ver2.

1.1.9 Return frame on usbver4

[5424 ms]  <<<  URB 749 coming back  <<< 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 812fe91c [endpoint 0x00000081]
  TransferFlags        = 00000003 (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000070
  TransferBuffer       = 8130f974
  TransferBufferMDL    = 8131b2c8
    00000000: 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000010: 4d 00 4c 00 6c 09 00 00 3a 00 00 bc e4 66 10 00
    00000020: 00 00 00 00 80 00 00 00 ff ff ff ff ff ff 00 09
    00000030: 5b c7 09 38 00 09 5b c7 09 38 a0 10 dc 71 5c 1a
    00000040: 00 00 00 00 64 00 21 04 00 06 63 6f 75 63 6f 75
    00000050: 01 04 82 84 8b 96 03 01 0b 2a 01 02 32 08 0c 12
    00000060: 18 24 30 48 60 6c 05 04 00 01 00 00 0d 61 0e 88
  UrbLink              = 00000000

1.1.10 Unknown frame

Would this one prepare for a frequency hop?

[5597 ms]  >>>  URB 823 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000024
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 14 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 08 00 00 00 00 00 0d 00 00 00 03 00 01 00
    00000020: 00 00 f4 01

Same on ver2.

1.1.11 Unknown frame

Exactly the same on ver2 and ver4.

[5612 ms]  >>>  URB 825 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000088
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 78 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 6c 00 00 00 00 00 01 00 00 00 02 00 78 00
    00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000030: 00 00 00 00|71 09|02 00 02 00 f8 03 01 01 08 48
    00000040: 3e 39 2f 2c 4f 73 7b 89 95 a1 ad 00 47 38 5c 6a
    00000050: 76 82 8e 00 3f 0c 42 50 5c 68 74 00 33 de 22 30
    00000060: 3c 48 54 00 27 c1 06 14 20 2c 38 00 1b ae 00 00
    00000070: 06 12 1e 00 0f a2 00 00 00 00 05 00 00 98 00 00
    00000080: 00 00 00 00 00 00 00 00
  UrbLink              = 00000000

This frame is followed by the one below, which looks like it reports problems/nothing on the channel:

Same on ver2.

Does this mean the frequency is jammed, or something similar?

[5729 ms]  <<<  URB 749 coming back  <<< 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cdc [endpoint 0x00000081]
  TransferFlags        = 00000003 (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000020
  TransferBuffer       = 812f40f4
  TransferBufferMDL    = 81182c68
    00000000: 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 04 00 00 00 00 00 02 00 00 00 00 00 71 09
  UrbLink              = 00000000

The last number, 71 09, is a unique ID found above at 0x34. Is it increased with each packet?

On ver4, another one is sent:

[5431 ms]  >>>  URB 828 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 812fe900 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000088
  TransferBuffer       = 812f4008
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 78 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 6c 00 00 00 00 00 01 00 00 00 02 00 78 00
    00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000030: 00 00 00 00 76 09 02 00 02 00 f8 03 00 01 08 48
    00000040: 3e 39 2f 2c 4f 72 7a 88 94 a0 ac 00 47 37 5b 69
    00000050: 75 81 8d 00 3f 0c 41 4f 5b 67 73 00 33 de 21 2f
    00000060: 3b 47 53 00 27 c1 05 13 1f 2b 37 00 1b ae 00 00
    00000070: 05 11 1d 00 0f a1 00 00 00 00 04 00 00 98 00 00
    00000080: 00 00 00 00 00 00 00 00
  UrbLink              = 00000000

Before being replied to? Nope, this is something else:

[5513 ms]  <<<  URB 822 coming back  <<< 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 812fe91c [endpoint 0x00000081]
  TransferFlags        = 00000003 (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000070
  TransferBuffer       = 811f7974
  TransferBufferMDL    = 8131b2c8
    00000000: 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000010: 4d 00 4c 00 76 09 00 00 41 00 00 1d e5 f6 11 00
    00000020: 00 00 00 00 80 00 00 00 ff ff ff ff ff ff 00 09
    00000030: 5b c7 09 38 00 09 5b c7 09 38 b0 10 dc 01 5e 1a
    00000040: 00 00 00 00 64 00 21 04 00 06 63 6f 75 63 6f 75
    00000050: 01 04 82 84 8b 96 03 01 0b 2a 01 02 32 08 0c 12
    00000060: 18 24 30 48 60 6c 05 04 00 01 00 00 1d bb 49 be
  UrbLink              = 00000000

2 Making sense of this : device protocol

2.1 General outgoing frame format

2.1.1 Description

The protocol sequence is:

  1. a first “signalling” frame on the 0xe pipe
  2. the data frame on 0x1

Those two frames can be sent asynchronously, i.e. there is no need to wait for the signalling frame to complete in order to send the data.

The data frames can be of several types.

2.1.2 Frames' Structure

Signalling frame

It seems to be always of the same type, meaning that some data is about to be sent on 0x1.

See also mgmt announcement.

  PipeHandle           = 812fe9fc [endpoint 0x0000000e]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 0000000a
  TransferBuffer       = 813a4c46
  TransferBufferMDL    = 00000000
    00000000: 0f 08 00 00 00 40 40 00 00 00
  UrbLink              = 00000000

p54u_dev_writel(netdev, ISL38XX_DEV_INT_REG, 0x40);

Data frame

Their meaning depends on the type of frame sent; see the frame instances for tables.

byte range            possible meaning
[0x00,0x03]           magic number indicating type
[0x04,0x0F]           length of the data from byte 0x10, δ1, little endian
[0x10,0x11]           subtype
[0x12,0x13]           device frame length δ2, little endian
[0x14,0x49]           depends
[0x10+δ1,end]         padding to USB frame

Table 2. Frame structure for 802.11 payload

2.2 Outgoing frame instances

2.2.1 outgoing “set mode” frame

By mode I don't really know what I mean, but there clearly is a “mode change” depending on the operations that need to be done.

Structure

Data on wire

I guess the data is something close to a bitmask of what can/can't be received.

Channel hopping/scanning?:

[5597 ms]  >>>  URB 823 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000024
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 14 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 08 00 00 00 00 00 0d 00 00 00 03 00 01 00
    00000020: 00 00 f4 01

Prepares sending of bizarre frames.

Usually followed by the sending of some frames:

00000000: 6c 07 02 00 5a 00 00 00 00 00 00 00 00 00 00 00

or 00 02 02 00 frames.

[5585 ms]  >>>  URB 819 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000024
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 14 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 08 00 00 00 00 00 0d 00 00 00 03 00 00 00
    00000020: 00 00 00 00
  UrbLink              = 00000000

Allows receiving of data when we're fixed on a frequency?

[7503 ms]  >>>  URB 1021 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 812c1760 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000024
  TransferBuffer       = 812e8008
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 14 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 08 00 00 00 00 00 0d 00 00 00 03 00 03 00
    00000020: 03 00 00 00
  UrbLink              = 00000000

This state allows sending of 6c 07 02 frames, and allows 00 02 02 frames too.

Shortly after, there is this:

Don't have a clue about this. Goes on receiving, then back to the previous, etc.; it alternates.

The transition from the previous one to this one is quick; the transition from this one to the previous is slow.

Quick meaning: one frame comes in, then one goes back. The incoming frame

[7529 ms]  >>>  URB 1026 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 812c1760 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000024
  TransferBuffer       = 812e8008
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 14 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 08 00 00 00 00 00 0d 00 00 00 03 00 01 00
    00000020: 01 00 00 00
  UrbLink              = 00000000

Allows sending? Or are they queued and not sent? (See around URB 1217 in usbsnoop1: the acknowledgement arrives only after a send of the previous frame.)

2.2.2 outgoing “set frequency” frame

Structure

byte range            possible meaning
[0x00,0x03]           magic number 00 02 02 00
[0x04,0x0F]           length of the data from byte 0x10, δ1, little endian
[0x10,0x11]           type 01 80
[0x12,0x13]           device frame length δ2, little endian
[0x14,0x0b]           type indication, always the same for this kind
[0x0c,0x0f]           frequency mode: 02 00 78 00 at “scanning”, 06 00 28 00 at default freq
[0xC,0xC+δ2]          frequency in MHz (highlighted in the dump below); uses data from the mgmt frame
[0xC+δ2,0x10+δ1[      padding to device frame
[0x10+δ1,end]         padding to USB frame

Table 3. Frame structure for setting frequencies

Most of the frame is now known. Only byte 0x3f remains to be understood. See frequency-filling code in patch.

Data on wire

[5584 ms]  >>>  URB 817 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cc0 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000088
  TransferBuffer       = 8130f888
  TransferBufferMDL    = 00000000
    00000000: 00 02 02 00 78 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 6c 00 00 00 00 00 01 00 00 00 02 00 78 00
    00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000030: 00 00 00 00|6c 09|02 00 02 00 f8 03 01 01|08|38|
    00000040: 38 38 2f 2c|4f 73 7d 8b 97 a3 af 00|47 38 5d 6b
    00000050: 77 83 8f 00|3f 0c 43 51 5d 69 75 00|33 de 23 31
    00000060: 3d 49 55 00|27 c1 07 15 21 2d 39 00|1b ae 00 00
    00000070: 07 13 1f 00|0f a2 00 00 00 00 06 00|00 98 00 00
    00000080: 00 00 00 00|00 00 00 00

2.2.3 outgoing 802.11 data frame

byte range            possible meaning
[0x00,0x03]           magic number indicating 802.11 frame: 6c 07 02 00
[0x04,0x0F]           length of the data from byte 0x10, δ1, little endian
[0x10,0x11]           unknown
[0x12,0x13]           device frame length δ2, little endian
[0x14,0x49]           unknown
[0x4A,0x4A+δ2[        802.11 frame, without FCS!
[0x4A+δ2,0x10+δ1[     padding to device frame
[0x10+δ1,end]         padding to USB frame

Table 4. Frame structure for 802.11 payload

Data on wire

PipeHandle = 812fe900 [endpoint 0x00000001] 
TransferFlags = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK) 
TransferBufferLength = 000001b4 
TransferBuffer = 812f4008 
TransferBufferMDL = 00000000 
00000000: 6c 07 02 00 a2 01 00 00 00 00 00 00 00 00 00 00 
00000010: 10 40 68 01 08 f0 30 81 01 00 07 07 28 27 26 24 
00000020: 11 11 10 10 00 00 00 00 00 00 00 00 00 00 00 00 
00000030: 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 
00000040: 00 00 02 7f 33 00 00 00 02 38|08 01|00 00|00 09 
00000050: 5b c7 09 38|00 0c 41 de 30 96|ff ff ff ff ff ff|
00000060: 00 00|aa aa 03 00 00 00|08 00 45 00 01 48 2a e4 
00000070: 00 00 80 11 0e c2 00 00 00 00 ff ff ff ff 00 44 
00000080: 00 43 01 34 55 fb 01 01 06 00 15 58 7d 1b 00 00 
00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000a0: 00 00 00 0c 41 de 30 96 00 00 00 00 00 00 00 00 
000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000170: 00 00 63 82 53 63 35 01 01 fb 01 01 3d 07 01 00 
00000180: 0c 41 de 30 96 0c 0f 6a 65 61 6e 2d 33 36 32 30 
00000190: 38 31 66 31 32 37 3c 08 4d 53 46 54 20 35 2e 30
000001a0: 37 0a 01 0f 03 06 2c 2e 2f 1f 21 2b ff 00 00 00 
000001b0: 00 00 00 00 
UrbLink = 00000000
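As an added example (not part of the original notes), here is a Python decoder for the outgoing layouts of Tables 2, 3 and 4: it checks δ1 and δ2 against the USB buffer length, reads the frequency word out of the URB 817 dump above, and wraps/unwraps an 802.11 frame in the 6c 07 02 00 layout. The absolute offsets used (frequency at 0x34, command dword at 0x18) are my reading of the dumps, and the unknown bytes 0x14–0x49 are zeroed by the builder; the sample 802.11 frame is constructed.

```python
"""Decoder/encoder for the outgoing data-pipe frames of Tables 2-4. Offsets
are absolute offsets into the USB buffer as read from the dumps on this page."""
import struct
from typing import NamedTuple

MAGIC_DEVICE = bytes.fromhex("00020200")  # device command ("strange") frames
MAGIC_80211 = bytes.fromhex("6c070200")   # frames carrying an 802.11 payload
PAYLOAD_OFF = 0x4A   # 802.11 frame starts here (Table 4)
FREQ_OFF = 0x34      # "6c 09" = 2412 MHz in the URB 817 dump above

def parse_hexdump(text: str) -> bytes:
    """usbsnoop-style dump (offset column, optional '|' markers) -> bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        _, _, hexpart = line.partition(":")
        out += bytes.fromhex(hexpart.replace("|", " "))
    return bytes(out)

class OutFrame(NamedTuple):
    magic: bytes
    delta1: int   # bytes following offset 0x10
    subtype: int  # word at 0x10; 01 80 on every command frame on this page
    delta2: int   # device frame length at 0x12
    command: int  # dword at 0x18: 01 in set-frequency, 0d in set-mode dumps

def parse_out_frame(buf: bytes) -> OutFrame:
    """Validate the header against the USB buffer length and split it up."""
    if len(buf) < 0x1C:
        raise ValueError("buffer shorter than the fixed header")
    magic = buf[:4]
    if magic not in (MAGIC_DEVICE, MAGIC_80211):
        raise ValueError(f"unknown magic {magic.hex()}")
    delta1 = int.from_bytes(buf[4:16], "little")
    if 0x10 + delta1 > len(buf):
        raise ValueError("delta1 points past the USB buffer")
    subtype, delta2 = struct.unpack_from("<HH", buf, 0x10)
    (command,) = struct.unpack_from("<I", buf, 0x18)
    return OutFrame(magic, delta1, subtype, delta2, command)

def set_frequency_mhz(buf: bytes) -> int:
    """Centre frequency carried by a set-frequency frame (Table 3)."""
    f = parse_out_frame(buf)
    if f.magic != MAGIC_DEVICE or f.subtype != 0x8001 or f.command != 1:
        raise ValueError("not a set-frequency frame")
    return struct.unpack_from("<H", buf, FREQ_OFF)[0]

def channel_2g4(mhz: int) -> int:
    """802.11b/g channel number of a 2.4 GHz centre frequency (2412 -> 1)."""
    if not 2412 <= mhz <= 2472 or (mhz - 2407) % 5:
        raise ValueError(f"{mhz} MHz is not a 2.4 GHz channel centre")
    return (mhz - 2407) // 5

def extract_80211(buf: bytes) -> bytes:
    """The FCS-less 802.11 frame inside a 6c 07 02 00 frame (Table 4)."""
    f = parse_out_frame(buf)
    if f.magic != MAGIC_80211:
        raise ValueError("not an 802.11 payload frame")
    if PAYLOAD_OFF + f.delta2 > 0x10 + f.delta1:
        raise ValueError("delta2 runs past the device frame")
    return buf[PAYLOAD_OFF:PAYLOAD_OFF + f.delta2]

def build_80211_tx_frame(frame: bytes) -> bytes:
    """Wrap an 802.11 frame in the Table 4 layout. Bytes 0x14-0x49, unknown on
    the page, are zeroed (assumption); the buffer is padded to a multiple of
    4 bytes like the 0x1b4-byte dump above."""
    delta1 = PAYLOAD_OFF + len(frame) - 0x10
    hdr = MAGIC_80211 + delta1.to_bytes(12, "little")
    hdr += struct.pack("<HH", 0x4010, len(frame)) + bytes(PAYLOAD_OFF - 0x14)
    body = hdr + frame
    return body + bytes(-len(body) % 4)

# Sample input copied from the URB 817 dump above (set frequency, 2412 MHz).
SET_FREQ_DUMP = """
00000000: 00 02 02 00 78 00 00 00 00 00 00 00 00 00 00 00
00000010: 01 80 6c 00 00 00 00 00 01 00 00 00 02 00 78 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00|6c 09|02 00 02 00 f8 03 01 01|08|38|
00000040: 38 38 2f 2c|4f 73 7d 8b 97 a3 af 00|47 38 5d 6b
00000050: 77 83 8f 00|3f 0c 43 51 5d 69 75 00|33 de 23 31
00000060: 3d 49 55 00|27 c1 07 15 21 2d 39 00|1b ae 00 00
00000070: 07 13 1f 00|0f a2 00 00 00 00 06 00|00 98 00 00
00000080: 00 00 00 00|00 00 00 00
"""

# Constructed sample: ToDS data frame, page's addresses, LLC/SNAP, 4-byte stub IP.
SAMPLE_80211 = bytes.fromhex(
    "0801" "0000" "00095bc70938" "000c41de3096" "ffffffffffff" "0000"
    "aaaa030000000800" "45000000")
```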

2.3 General Incoming frame format

2.3.1 Description

Data is directly received.

2.3.2 Frame's Structure

2.4 Incoming frame instances

2.4.1 “nothing on this frequency channel” frame

Data on wire

The last 2 bytes indicate the frequency. This frame comes in 150 ms after a channel hop when nothing has been received.

[5729 ms]  <<<  URB 749 coming back  <<< 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cdc [endpoint 0x00000081]
  TransferFlags        = 00000003 (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000020
  TransferBuffer       = 812f40f4
  TransferBufferMDL    = 81182c68
    00000000: 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 04 00 00 00 00 00 02 00 00 00 00 00 71 09
  UrbLink              = 00000000

2.4.2 802.11 management frame

Structure

byte range            possible meaning of the field
[0x00,0xF]            data length δ1 from 0x10, little endian
[0x10,0x11]           unknown: linked to frame type
[0x12,0x13]           device frame length δ2, little endian
[0x14,0x15]           identifier (found at other places): FREQUENCY!
[0x16,0x19]           reception power?
[0x1A,0x23]           timestamp, little endian
[0x24,0x24+δ2[        full 802.11 frame
[0x24+δ2,0x10+δ1[     padding to device frame

Table 5. Frame structure for incoming 802.11 management frames

This is an association request frame

Data on wire

PipeHandle = 812fe91c [endpoint 0x00000081] 
TransferFlags = 00000003 (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK) 
TransferBufferLength = 0000006c 
TransferBuffer = 8130f0f4 
TransferBufferMDL = 8131b2c8 
00000000: 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000010: 4d 00 47 00 9e 09 00 00 1c 00 00 1a 04 fd 78 00 
00000020: 00 00 00 00 80 00|00 00|ff ff ff ff ff ff|00 90 
00000030: 4b 62 20 1e|00 90 4b 62 20 1e|00 08 86 01 15 b0 
00000040: 70 01 00 00 64 00 11 00 00 0e 44 57 2d 42 2d 32 
00000050: 30 30 2d 31 34 62 33 33 01 04 82 84 0b 16 03 01
00000060: 0b 05 04 02 03 00 00 fd c2 97 b5 ff

2.4.3 802.11 data frame

Structure

byte range            possible meaning of the field
[0x00,0xF]            data length δ1 from 0x10, little endian
[0x10,0x11]           unknown: linked to frame type
[0x12,0x13]           device frame length δ2, little endian
[0x14,0x15]           identifier (found at other places): FREQUENCY!
[0x16,0x19]           reception power?
[0x1A,0x23]           timestamp, little endian
[0x24,0x24+δ2[        full 802.11 frame
[0x24+δ2,0x10+δ1[     padding to device frame

Table 6. Frame structure for incoming 802.11 data frames

[0x10,0x13]: seems to take 55 00 for unicast packets, 53 00 for broadcast packets.

Data on wire

PipeHandle = 812fe91c [endpoint 0x00000081] 
TransferFlags = 00000003 (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK) 
TransferBufferLength = 00000194 
TransferBuffer = 811f7974 
TransferBufferMDL = 8131b2c8 
00000000: 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000010: 53 00 70 01 9e 09 00 08 99 00 00 90 9f 6c 77 00 
00000020: 00 00 00 00 08 02 2c 00 00 0c 41 de 30 96 00 09 
00000030: 5b c7 09 38 00 09 5b c7 09 38 10 15 aa aa 03 00 
00000040: 00 00 08 00 45 10 01 4c 00 00 00 00 40 11 cf 51 
00000050: c0 a8 14 0d c0 a8 14 e2 00 43 00 44 01 38 2d 29 
00000060: 02 01 06 00 15 58 7d 1b 00 00 00 00 00 00 00 00 
00000070: c0 a8 14 e2 c0 a8 14 0d 00 00 00 00 00 0c 41 de 
00000080: 30 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000140: 00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63 
00000150: 35 01 02 36 04 c0 a8 14 0d 33 04 00 00 17 70 01 
00000160: 04 ff ff ff 00 0f 1c 6c 6f 63 61 6c 2e 67 78 61 
00000170: 61 66 6f 6f 74 2e 68 6f 6d 65 6c 69 6e 75 78 2e 
00000180: 6f 72 67 03 04 c0 a8 14 0d 06 04 c0 a8 12 0d ff 
00000190: 49 5a 27 b8 
UrbLink = 00000000

Ethereal sniffed data

Ethernet II frame; the common data starts at 0xC.


0000 00 0c 41 de 30 96 00 09 5b c7 09 38 08 00 45 10 ..A.0... [..8..E. 
0010 01 4c 00 00 00 00 40 11 cf 51 c0 a8 14 0d c0 a8 .L....@. .Q...... 
0020 14 e2 00 43 00 44 01 38 2d 29 02 01 06 00 15 58 ...C.D.8 -).....X 
0030 7d 1b 00 00 00 00 00 00 00 00 c0 a8 14 e2 c0 a8 }....... ........ 
0040 14 0d 00 00 00 00 00 0c 41 de 30 96 00 00 00 00 ........ A.0..... 
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
0110 00 00 00 00 00 00 63 82 53 63 35 01 02 36 04 c0 ......c. Sc5..6.. 
0120 a8 14 0d 33 04 00 00 17 70 01 04 ff ff ff 00 0f ...3.... p....... 
0130 1c 6c 6f 63 61 6c 2e 67 78 61 61 66 6f 6f 74 2e .local.g xaafoot. 
0140 68 6f 6d 65 6c 69 6e 75 78 2e 6f 72 67 03 04 c0 homelinu x.org... 
0150 a8 14 0d 06 04 c0 a8 12 0d ff
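As an added example (not part of the original notes), a Python decoder for the incoming layouts of Tables 5 and 6 and for the “nothing on this frequency channel” report of 2.4.1: it bounds-checks δ1/δ2 against the USB buffer, pulls out the frequency and timestamp fields, and rebuilds from the FromDS data frame of 2.4.3 the Ethernet II frame that the Ethereal dump above shows. That the trailing four bytes of a received frame are its FCS is an assumption; the sample inputs are copied from the dumps on this page.

```python
"""Decoder for incoming data-pipe frames (Tables 5 and 6) and for the
"nothing on this frequency channel" report of 2.4.1."""
import struct
import zlib
from typing import NamedTuple

# Word at 0x10 as the dumps on this page and the note under Table 6 read it.
KINDS = {0x4D: "management", 0x53: "broadcast data", 0x55: "unicast data"}

def parse_hexdump(text: str) -> bytes:
    out = bytearray()
    for line in text.strip().splitlines():
        _, _, hexpart = line.partition(":")
        out += bytes.fromhex(hexpart.replace("|", " "))
    return bytes(out)

class InFrame(NamedTuple):
    kind: int        # word at 0x10
    freq_mhz: int    # word at 0x14 (the identifier the tables call FREQUENCY)
    rx_power: bytes  # 0x16-0x19, meaning unknown on the page
    timestamp: int   # 0x1A-0x23, little endian
    frame: bytes     # full 802.11 frame, trailing 4-byte FCS included

def parse_in_frame(buf: bytes) -> InFrame:
    if len(buf) < 0x24:
        raise ValueError("buffer shorter than the fixed header")
    delta1 = int.from_bytes(buf[:16], "little")
    if 0x10 + delta1 > len(buf):
        raise ValueError("delta1 points past the USB buffer")
    kind, delta2, freq = struct.unpack_from("<HHH", buf, 0x10)
    if 0x24 + delta2 > 0x10 + delta1:
        raise ValueError("delta2 runs past the device frame")
    ts = int.from_bytes(buf[0x1A:0x24], "little")
    return InFrame(kind, freq, buf[0x16:0x1A], ts, buf[0x24:0x24 + delta2])

def empty_channel_freq(buf: bytes):
    """Frequency in a 'nothing on this channel' report (2.4.1), else None."""
    if (len(buf) != 0x20 or buf[:4] != b"\x10\x00\x00\x00"
            or buf[0x10:0x14] != bytes.fromhex("01800400")):
        return None
    return struct.unpack_from("<H", buf, 0x1E)[0]

def fcs_valid(frame: bytes) -> bool:
    """Assumes the last 4 bytes are the 802.11 FCS (CRC-32, little endian)."""
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")

def to_ethernet(frame: bytes) -> bytes:
    """Rebuild the Ethernet II frame Ethereal shows from a 3-address data frame."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x100), bool(fc & 0x200)
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames not handled")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    da = a3 if to_ds else a1
    sa = a3 if from_ds else a2
    body = frame[24:-4]  # drop the MAC header and the FCS
    if body[:6] != bytes.fromhex("aaaa03000000"):
        raise ValueError("no LLC/SNAP header in front of the payload")
    return da + sa + body[6:8] + body[8:]  # DA, SA, EtherType, payload

# Sample input copied from the URB dump under 2.4.3; the all-zero run inside
# the DHCP payload (0x82-0x14b) is written as bytes(...) instead of hex lines.
RX_DATA = parse_hexdump("""
00000000: 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000010: 53 00 70 01 9e 09 00 08 99 00 00 90 9f 6c 77 00
00000020: 00 00 00 00 08 02 2c 00 00 0c 41 de 30 96 00 09
00000030: 5b c7 09 38 00 09 5b c7 09 38 10 15 aa aa 03 00
00000040: 00 00 08 00 45 10 01 4c 00 00 00 00 40 11 cf 51
00000050: c0 a8 14 0d c0 a8 14 e2 00 43 00 44 01 38 2d 29
00000060: 02 01 06 00 15 58 7d 1b 00 00 00 00 00 00 00 00
00000070: c0 a8 14 e2 c0 a8 14 0d 00 00 00 00 00 0c 41 de
00000080: 30 96
""") + bytes(0x14C - 0x82) + parse_hexdump("""
0000014c: 63 82 53 63
00000150: 35 01 02 36 04 c0 a8 14 0d 33 04 00 00 17 70 01
00000160: 04 ff ff ff 00 0f 1c 6c 6f 63 61 6c 2e 67 78 61
00000170: 61 66 6f 6f 74 2e 68 6f 6d 65 6c 69 6e 75 78 2e
00000180: 6f 72 67 03 04 c0 a8 14 0d 06 04 c0 a8 12 0d ff
00000190: 49 5a 27 b8
""")

# Sample input copied from the URB 749 dump under 2.4.1 (2417 MHz, channel 2).
EMPTY_CH = parse_hexdump("""
00000000: 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000010: 01 80 04 00 00 00 00 00 02 00 00 00 00 00 71 09
""")
```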

2.4.4 incoming 802.11 unknown frame

This is of the same type as 1.1.2

[6865 ms]  <<<  URB 867 coming back  <<< 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 81193cdc [endpoint 0x00000081]
  TransferFlags        = 00000003 (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000024
  TransferBuffer       = 813270f4
  TransferBufferMDL    = 81182c68
    00000000: 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000010: 01 80 08 00 88 c8 30 81 08 00 07 07 00 01 88 00
    00000020: 10 00 00 00

2.5 Other exchanges

2.5.1 readback of some mgmt data

Asking frame

[12118 ms]  >>>  URB 1229 going down  >>> 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 812c1760 [endpoint 0x00000001]
  TransferFlags        = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000040
  TransferBuffer       = 812e8008
  TransferBufferMDL    = 00000000
    00000000: 6c 07 02 00 30 00 00 00 00 00 00 00 00 00 00 00
    00000010: 00 80 24 00 b0 e8 37 81 0a 00 00 00 00 00 00 00
    00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  UrbLink              = 00000000

Response frame

Structure:

b0 e8 37 81 0a: some address

af: number of packets received

1: don't know. Associated?

c: channel

e5 ee 89: bytes transferred? No. Time?

17: quality?

[12119 ms]  <<<  URB 1159 coming back  <<< 
– URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
  PipeHandle           = 812c17b4 [endpoint 0x00000082]
  TransferFlags        = 00000003 (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK)
  TransferBufferLength = 00000040
  TransferBuffer       = 8129a0f4
  TransferBufferMDL    = 812bce28
    00000000: 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000010: 00 80 24 00 b0 e8 37 81 0a 00 00 00 af 00 00 00
    00000020: 00 00 00 00 01 00 00 00 0c 00 00 00 00 00 00 00
    00000030: 00 00 00 00 e5 ee 89 00 b0 13 00 00 17 00 00 00
  UrbLink              = 00000000