Comparison to GadgetFS¶

Raw Gadget is similar to GadgetFS, but provides a more low-level anddirect access to the USB Gadget layer for the userspace. The keydifferences are:

1. Every USB request is passed to the userspace to get a response, whileGadgetFS responds to some USB requests internally based on the provideddescriptors. However note, that the UDC driver might respond to somerequests on its own and never forward them to the Gadget layer.
2. GadgetFS performs some sanity checks on the provided USB descriptors,while Raw Gadget allows you to provide arbitrary data as responses toUSB requests.
3. Raw Gadget provides a way to select a UDC device/driver to bind to,while GadgetFS currently binds to the first available UDC.
4. Raw Gadget explicitly exposes information about endpoints addresses andcapabilities allowing a user to write UDC-agnostic gadgets.
5. Raw Gadget has ioctl-based interface instead of a filesystem-based one.

Userspace interface¶

To create a Raw Gadget instance open /dev/raw-gadget. Multiple raw-gadgetinstances (bound to different UDCs) can be used at the same time. Theinteraction with the opened file happens through the ioctl() calls, seecomments in include/uapi/linux/usb/raw_gadget.h for details.

The typical usage of Raw Gadget looks like:

1. Open Raw Gadget instance via /dev/raw-gadget.
2. Initialize the instance via USB_RAW_IOCTL_INIT.
3. Launch the instance with USB_RAW_IOCTL_RUN.
4. In a loop issue USB_RAW_IOCTL_EVENT_FETCH calls to receive events fromRaw Gadget and react to those depending on what kind of USB deviceneeds to be emulated.

Note, that some UDC drivers have fixed addresses assigned to endpoints, andtherefore arbitrary endpoint addresses can’t be used in the descriptors.Nevertheles, Raw Gadget provides a UDC-agnostic way to write USB gadgets.Once a USB_RAW_EVENT_CONNECT event is received via USB_RAW_IOCTL_EVENT_FETCH,the USB_RAW_IOCTL_EPS_INFO ioctl can be used to find out information aboutendpoints that the UDC driver has. Based on that information, the user mustchose UDC endpoints that will be used for the gadget being emulated, andproperly assign addresses in endpoint descriptors.

You can find usage examples (along with a test suite) here:

https://github.com/xairy/raw-gadget

Internal details¶

Currently every endpoint read/write ioctl submits a USB request and waits untilits completion. This is the desired mode for coverage-guided fuzzing (as we’dlike all USB request processing happen during the lifetime of a syscall),and must be kept in the implementation. (This might be slow for real worldapplications, thus the O_NONBLOCK improvement suggestion below.)

Potential future improvements¶

• Report more events (suspend, resume, etc.) through USB_RAW_IOCTL_EVENT_FETCH.
• Support O_NONBLOCK I/O.
• Support USB 3 features (accept SS endpoint companion descriptor whenenabling endpoints; allow providing stream_id for bulk transfers).
• Support ISO transfer features (expose frame_number for completed requests).