
Thread: USB drivers for Win 7 on 8th generation Intel chipset

  1. #1

    USB drivers for Win 7 on 8th generation Intel chipset

    Hi...have not done much reversing as of late, especially since RCE closed down. Taking an interest in tracing the usbxhci.sys driver for W10 to see if I can adapt it for use on Win 7 on an 8th generation Intel chipset.

    The chipset is an Intel B360 and it seems Intel no longer makes drivers for their own chipsets, having deferred to Micro$oft.

    Bit of history, then questions. I have loaded Win 10 on an Asus B360M-C mobo which uses an i5 - 8200 8th generation processor. I wanted to load an installed win 7 OS which I had on a hard drive. Surprisingly, it booted straight to the logon screen, graphics and all, using stock SP1 drivers. I had to rig USB to PS/2 adapters to get my mouse and keyboard working (another USB keyboard in a USB port to get past the boot screen) but after that I could log in and got straight to the desktop.

    Most of the stock W7 drivers seemed to be working fine....all but the USB drivers which require a USB 3/3.1 driver. Of course, m$oft has crippled W7 by not supplying the USB drivers. They claim to be protecting W7 users due to a lack of updates, but if that's the case, why are they detecting W7 on 7th and 8th gen chipsets and blocking those users from updates? And why do generic drivers work on this mobo for W10 and not W7?

    Questions:

    1) What is currently the best disassembler/debugger? I have never learned Olly and did get started on Windbg. IDA, of course, is still there and I notice Ilfak has released a free version of IDA 7.

    2) If I start Olly what is the best platform? Does it work on win 7 and 10? The original seems pretty dated but Olly 2 does not seem to be popular for some reason.

    3) If kayaker is still out there, how's the paddling? Fixed ice yet to run on W7?

    4) If blabberer is still out there I could use your help getting going on windbg....again!!!

  2. #2
    Hi Waxford, it's been a very long time. Yeah, I am still here.

    Shoot the bangs, let me see if I can dot them.

  3. #3
    Quote Originally Posted by blabberer View Post
    Hi Waxford its been a very long time yeah i am still here shoot the bangs let me see if i can dot them
    Yeah...I have missed you guys. I regard you and kayaker as old friends, not to mention Woody and some of the other guys. I just saw 'disavowed' mentioned in another thread and believe it or not, a piece from +gthorne. Saw Delta's nym as well.

    Hope you are doing well.

    I have actually made some ground since I made the post a few days ago. Windbg does not seem as intimidating as I last remembered it.

    I am working on finding a way to d/l symbols. Apparently msoft has changed the way it used to allow bulk downloads.

    I am also wondering about the best platform. I have W10 running on an 8th generation board but it won't allow W7 to load USB drivers. I am looking into that as well, primarily to see if it's due to the hardware requirement or whether msoft has just gotten ornery and is forcing people to upgrade to W10.

    I have just been advised by a local supplier that he can get me a really good USB - serial interface. I was hoping I might be able to connect my laptop to windbg on my desktop via the interface and use remote debugging.

    I am running VMWare player ver 15 on W10 but right now I am running version 12 on Win7 with both softice and windbg loaded.

    I was able to run Windbg on the VM (with an XP Pro VM I had available), as far as loading an app and setting a BP to break on Winmain. Then the menu bar disappeared and I had to quit. That's my fault. There is an error window displayed between start of code and winmain and I guess something got out of whack. It's claiming the OS is wrong...no kidding...but I am just trying to get it to dump its files so I can check to see what drivers it has.

    I am trying to remember our previous discussion on Windbg. Did you claim it was possible to trace right through ring 0 code?

    Also, we had discussion with kayaker about contexts as applied to softice. You have to ensure you are in the proper context before setting a BP.

    Does that apply to windbg as well? Can I simply set a BP at Kernel!_baseprocessstart, after loading an app, as in softice, and break in k32 near the code entry point? Then trace from there?

    In many ways, it seems that windbg may be quite similar to softice in that respect only far more sophisticated.

  4. #4
    Kayaker
    Hey Waxford, great to see you around!

    Sorry, no modern Softice port yet, I'm still trying to figure out how to get it to display in a large enough readable size font in an XP image in VMWare Player on a 4K monitor on Win10. Funny enough it's not High DPI aware, imagine that. I'm keeping my old Win 7 box for that kind of emergency old school reversing

    Just a couple of comments for background, I had a quick look at the Asus site for that B360 MB and there's a comment in the FAQ about usb drivers and Win7, something about setting XHCI Hand-off to Enabled in the BIOS, perhaps you're aware of that or it's already set. You're right it seems, searching for "B360" at the Intel driver site doesn't pick up any updated usb drivers, is there any possibility that the Intel® Driver & Support Assistant might detect any updates for your system?

    Oh, I started writing this before reading your last reply. I was going to mention that I'm interested in how you set things up to trace the driver and if you might use VMWare and remote debugging. I was also wondering if you can get USB 3 support with your Win7 image on VMWare Player itself running on that MB. I seem to remember having to get VMWare to update for that when I set it up on my new Win10 system.

    I used to use VirtualKD for remote Windbg debugging, would that be useful? It seems to still be actively developed.

    http://virtualkd.sysprogs.org/


    As a side note, the reason I'm interested in this is that I was just starting to think about researching/reversing to find out which driver(s) trigger the "USB Disconnect" sound you get when you unplug a usb device. For the past few months I've been getting that sound randomly when nothing is happening, sometimes several times a day, sometimes never. I've tried setting up a logging action with EventGhost but that didn't give enough information. I've also tried Procmon to trigger when the .wav file (that I changed to a custom sound file) is accessed. That only showed that Explorer opened the file and played it internally with winmm/PlaySoundW, but not what triggered Explorer to even open.

    It could be a lot of things causing it, but one possibility is an intermittent usb disconnect/reconnect, perhaps related to a wake-on device setting, something related to that was actually a Win7 hotfix at one point. I could simply ignore it or disable the sound, but what's the fun in that?


    Yeah, I was just commenting to blabberer and the others a short time ago about missing all the great discussions we had here. But hey, that doesn't mean we can't still have them! Cheers.

  5. #5
    Quote Originally Posted by Kayaker View Post
    Hey Waxford, great to see you around!
    Yeah...great to hear from you and I hope you are keeping well. I have visited the site a few times but did not see much in the way of posts.

    Quote Originally Posted by Kayaker View Post
    Sorry, no modern Softice port yet, I'm still trying to figure out how to get it to display in a large enough readable size font in an XP image in VMWare Player on a 4K monitor on Win10. Funny enough it's not High DPI aware, imagine that. I'm keeping my old Win 7 box for that kind of emergency old school reversing
    I changed width to 160 and lines to 100. I am working on a 22" monitor and I could have gone to 120 lines. Even at that I have to squint a bit.

    I have done considerable tracing tonight, however, and with my face close enough to the screen it has not been difficult to see. Had to get some rust out re table command and addr but got an app to break no problem at _baseprocessstart. It's running through ring 0 like nobody's business and very stable.

    Just noticed that my nms files are badly outdated. Go figure, I'm using the XP kernel, etc., and I don't recall msoft updating XP.

    Quote Originally Posted by Kayaker View Post
    Just a couple of comments for background, I had a quick look at the Asus site for that B360 MB and there's a comment in the FAQ about usb drivers and Win7, something about setting XHCI Hand-off to Enabled in the BIOS, perhaps you're aware of that or it's already set. You're right it seems, searching for "B360" at the Intel driver site doesn't pick up any updated usb drivers, is there any possibility that the Intel® Driver & Support Assistant might detect any updates for your system?
    I'm pretty sure I have XHCI handoff enabled. Tonight I learned how to turn off Secure Boot in the AMI BIOS and in the boot menu area, an F8 takes you to the Safe Mode menu where there is an item at bottom of list to disable driver certification. Apparently you can turn it off permanently using 'bcdedit.exe /set nointegritychecks on'. I can direct you to a page on that if you like as well as one about certifying your own drivers (Linux-based but from what I've read it could likely be easy to do in Windows).

    Tried the Intel driver support app but no go. I am not claiming Intel is in cahoots with msoft because they were good enough to release W7 drivers for early 300 series chipsets (generation 8 and some 9). However, they have announced that as of Nov 2018 they are no longer issuing driver updates. They are handing off to msoft. I understand they have stopped making mobos as well.

    I tried to load the drivers they supplied for 300 series but mine must be too new. I don't see why they would not work on W7, even with the newer chipset. I have a peripheral card from Vantec, model UGT-PC341 working fine for W7 in a PCIe slot.

    Quote Originally Posted by Kayaker View Post
    I was going to mention that I'm interested in how you set things up to trace the driver and if you might use VMWare and remote debugging. I was also wondering if you can get USB 3 support with your Win7 image on VMWare Player itself running on that MB. I seem to remember having to get VMWare to update for that when I set it up on my new Win10 system.
    Have not tried tracing the driver yet on Win 10. I have been trying to exhaust some driver loading issues first. As I said in my reply, I am onto a USB-Serial Port adapter that may work for remote debugging between my laptop and the desktop. Also, I have been setting up Windbg with symbols, etc.

    The thing that makes me suspicious is that I had W7 loaded on its own drive. When I plugged it into a SATA port on my new mobo, it fired up fine to the logon screen. Of course, I had no keyboard or mouse since they are both USB. Got past that because luckily my new mobo has PS/2 ports which worked fine for logging on. However, to get there I had to get past a boot screen to select W7. I could have disabled it but I had another USB keyboard which I plugged into the new mobo's USB port. It worked fine during boot, then the PS/2 setup, using two USB-PS/2 adapters got me the rest of the way.

    In Device Manager, there were hardly any drivers flagged. The video was working on a stock VGA driver which was already loaded and I got 1920 x 1080 resolution no problem. I did change a few drivers but the only outstanding drivers are the USB drivers, which were all missing. They would not simply disappear on their own, somebody had to remove them. I think we know who that someone might be.

    Msoft simply does not want anyone running W7 on newer mobos and processor. The reason seems apparent, W7 is equal to or better than W10 for performance, especially on a newer mobo with a 6 core processor.

    Quote Originally Posted by Kayaker View Post
    I used to use VirtualKD for remote Windbg debugging, would that be useful? It seems to still be actively developed.

    http://virtualkd.sysprogs.org/
    Worth checking out, thanks for link. Was that known as LiveKD as well?


    Quote Originally Posted by Kayaker View Post
    As a side note, the reason I'm interested in this is that I was just starting to think about researching/reversing to find out which driver(s) trigger the "USB Disconnect" sound you get when you unplug a usb device.
    Possible solution:
    https://www.maketecheasier.com/stop-random-usb-connect-noises-windows/

    Quote Originally Posted by Kayaker View Post
    Yeah, I was just commenting to blabberer and the others a short time ago about missing all the great discussions we had here. But hey, that doesn't mean we can't still have them! Cheers.
    I agree.

  6. #6

    re XHCI

    Quote Originally Posted by Kayaker View Post
    I was also wondering if you can get USB 3 support with your Win7 image on VMWare Player itself running on that MB. I seem to remember having to get VMWare to update for that when I set it up on my new Win10 system.
    Sorry, kayaker, I meant to comment on this.

    That's an interesting question but first about another question regarding XHCI Handoff. I am looking at it now in BIOS (AMI Aptio [2018] Version 2.19.1269) and it is enabled, along with legacy USB support. Also, CSM is enabled, which deals with legacy devices.

    One thing concerning me is that BIOS also lists:

    USB Controllers: 2 XHCI

    USB Devices: 2 keyboards, 1 Mouse, 3 Hubs.

    I have 2 x XHCI controllers, one for the peripheral card and one I loaded somehow through device installation. However, the only hub showing in Device Manager is for the peripheral USB 3 device.

    I'll have to dig through the registry and sort this out before I go further. I may have a conflict. Also, I am not so sure that two USB hubs can exist together let alone three.

    With regard to VMWare Player, it did not occur to me they may be using their own W7 USB3 drivers. I'll look into that, thanks.

  7. #7
    Kayaker
    Actually I was going to thank you Waxford. I had seen that article you listed, I think, but somehow missed the Nirsoft USBDeview app they recommended. Instead I was using Nirsoft USBLogView which wasn't as useful. I believe that USBDeview gave me the clue I needed. None of the other usb monitoring I tried with EventGhost or USBLogView picked up that intermittent disconnect, but I think USBDeview did. The usb port it pointed to that might be giving me the problem is a downstream usb connection on the back of my monitor that I've got a cheap 4-port usb hub attached to. With more testing I might be able to figure out if the monitor usb port is at fault or hopefully just the cheap 4-port usb hub attached to it.

    Just for fun you could try USBDeview to see if it gives more information on your ports than Device Manager.

  8. #8
    Quote Originally Posted by Kayaker View Post
    Just for fun you could try USBDeview to see if it gives more information on your ports than Device Manager.
    I was past the Nirsoft site only a few days ago and d/l'd some very interesting stuff. Have not had the chance to look it over yet. Maybe the USB app is in what I d/l'd.

    There is a half decent USB app in the Microsoft Debugging Tools for Windows directory. It's in the same directory as Windbg. I think it used to be part of the Sysinternals package. Here's a link to the app and the source code:

    https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/usbview

  9. #9
    Quote Originally Posted by Kayaker View Post
    The usb port it pointed to that might be giving me the problem is a downstream usb connection on the back of my monitor that I've got a cheap 4-port usb hub attached to. With more testing I might be able to figure out if the monitor usb port is at fault or hopefully just the cheap 4-port usb hub attached to it.
    Not quite following. Do you mean you are feeding a USB hub from your motherboard USB connector then feeding the monitor from the hub?

    If so, it could be a power issue. The USB hubs on the mobo can typically supply 500 milliamps to peripheral devices. However, some peripheral hubs draw power from one USB port and distribute it to their outputs. If you have low current devices like a mouse or a unifying receiver attached, they won't draw much current but something like a monitor might.

    I have a USB hub but it has its own power supply. It can deliver 500 ma from each of its ports. The other day, I had the power bar feeding the USB hub its power turned off and even the unifying receiver for the mouse was acting crazy. When I turned on the power bar, the device started working normally.

    Speaking of that, I think I know where my 3rd hub is coming from as reported by my BIOS. It's the peripheral USB hub. I have the onboard peripheral hub, the external hub just mentioned, and the hub built into my mobo. However, my mobo hub shows no drivers in Device manager.

    Looks like I am....like it or not....going to have to investigate USB down to the driver level. Working in the dark does not work well, as you know.

    One problem is Intel. They have always supplied excellent technical manuals for their mobos and chipsets. I can't find anything on my current B360 Intel chipset.

    Also, as you know, there have been excellent books put out on the Windows subsystem but I don't recall mention of USB drivers and how USB interacts with the mobo. I am sure it has parallels with the serial port.

    There have been several recent protocols issued for USB recently. Prior to XHCI there was OHCI, UHCI, and EHCI. They are all backward compatible so a USB2 device, for example, can run off a USB 3 or 3.1 device.

    The only real difference between 3.0 and 3.1 is the speed, where 3.1 has double the speed of 3.0. (5 Gbps compared to 10 Gbps). So, I don't see why W7 is not capable of running 3.0 or 3.1 provided it has the proper drivers.

    My peripheral USB 3.0 card runs on W7 fine but they use a VIA VL 805 or VL 800 chip onboard to run the USB 3.0 from my mobo's PCIe bus. On W10, all the mobo's native USB 3 ports work as well as the peripheral card's USB 3 ports.

    In essence, this is the problem. What is the difference between the W7 OS and the W8 and 10 OS's? You have far more experience with drivers than me, what do you think? Could it be as simple as a driver or is there maybe something in modules like K32, Win32, NTOSKRNL, or maybe HAL that has changed?

  10. #10
    Kayaker
    My Dell monitor has an auxiliary usb port (4 of them actually) on the back. I simply have a non-powered Orico usb hub plugged into one of them to make it more convenient to plug in external hard drives, printers etc. It's the connection to the Orico that seems to drop occasionally. You're right, it's quite possible the fact that the hub is non-powered could be the issue.

    I think you said that you tried an 8th gen usb3 driver for a C300 chipset, but that didn't work with your newer C360, is that right? Do you think that driver might be the one you would start reversing to try to modify to work with your system, seems like it might be the closest "fit" you have.

    As for trying to glean more information on usb internals, I noticed that some usb drivers like USBHUB3.sys and USBXHCI.sys import WppRecorder.sys. I started looking into that and found out that you can capture usb debug traces. I'm still working on the procedure, but I was able to get a trace of sorts on usbhub3.sys. Not that the results make much sense to me, but the procedure seems to work for getting at least some internal information. There are some examples of TraceView output that might give you an indication of whether the info would be of any use to you.

    https://channel9.msdn.com/Blogs/WinHEC/Video-Accessing-Driver-Logs-without-a-Debugger
    https://blogs.msdn.microsoft.com/usbcoreblog/2014/09/02/capturing-usb-debug-traces/
    https://techcommunity.microsoft.com/t5/Microsoft-USB-Blog/How-to-include-and-view-WPP-trace-messages-in-a-driver-8217-s/ba-p/270778

    I started with the steps in the first link to get an .etl file for usbhub3 and viewed that with an old copy of TraceView. I need to get the new version from the WDK as some of the log output didn't seem to be fully interpreted. That procedure seemed to give more of a "static" WPP output. I think the other links are geared towards a live tracing which might be of more use.

  11. #11
    Quote Originally Posted by Kayaker View Post
    You're right, it's quite possible the fact that the hub is non-powered could be the issue.
    Personally, I would not try to run a hard drive through an unpowered USB hub. Could be your problem.

    Quote Originally Posted by Kayaker View Post
    I think you said that you tried an 8th gen usb3 driver for a C300 chipset, but that didn't work with your newer C360, is that right? Do you think that driver might be the one you would start reversing to try to modify to work with your system, seems like it might be the closest "fit" you have.
    As of yet, I am still confused about the meanings of the 8th generation labels. I don't think my B360 chipset is listed as C2xx, it is a C3xx if anything.

    However, here's a link to the Intel driver release for the C220/C610 series chipsets which Intel lists as 7th, 8th, and 9th generation. I plan to compare those drivers first in IDA with the W10 drivers for HUB and XHCI. I could send you a copy of my W10 drivers for comparison, if you're curious. Don't know if PM still works.

    https://downloadcenter.intel.com/download/22824

    Quote Originally Posted by Kayaker View Post
    As for trying to glean more information on usb internals, I noticed that some usb drivers like USBHUB3.sys and USBXHCI.sys import WppRecorder.sys.
    Thanks for heads up. At this stage, my head is a bit scrambled as to which way to go. I've been having fun with my VM version of ice tracing through an installer setup file to see if it will dump some stock files. Obviously, I need to get Windbg going with a remote monitor on Win 10. Or maybe run it from W7 and observe W10.

    At the moment, W7 is running USB 3 fine with the peripheral card. As you said, it's more fun peeking under the hood, spelunking as Matt Pietrek called it.

  12. #12
    Kayaker
    Just an update on using TraceView to log internal messages put out by usbhub3.sys when connecting a usb stick as an example.

    Code:
    HUBHTX_Get20PortChangeEvent: PORT_STATUS_ERROR / HubHwVerifierPortDeviceDisconnected event: PortConnectChange & CCS=0; portNum 1, prevPS 0x0101, curPS 0x0100, curPC 0x0001
    HUBHTX_Get20PortChangeEvent: Called HubHwVerifierPortDeviceDisconnected
    Device Context 0xFFFFD00E5F713110 - USB\VID_0951&PID_1646&REV_0100 - Port Path 1:4:1:0:0:0
    DeviceHackFlags:0x8

    Nothing earth shattering, but it does at least lead to a function in usbhub3.sys code in IDA when you also load the PDB from MS:

    Code:
    .text:00000001C0004218                   HUBHTX_Get20PortChangeEvent proc near   ; CODE XREF: HUBPSM20_EnablingInterruptsAndGettingPortEvent+14
    .text:00000001C0004218                                                           ; HUBPSM20_GettingPortChangeEventInSuspended+B
    .text:00000001C0004218
    ....
    .text:00000001C0004218 4C 8B DC                          mov     r11, rsp
    .text:00000001C000421B 49 89 5B 08                       mov     [r11+8], rbx

    I'm using TraceView from an older WDK version but it seems to work OK. If you don't have it and don't want to install the full WDK, you can extract it from the iso (620MB) from here - GRMWDK_EN_7600_1\WDK\tracingtool_x64fre_cab001.cab

    https://www.microsoft.com/en-ca/download/details.aspx?id=11800


    ...

    I was going to ask you about the C220/C610 driver and wondered how it differed from the one you had. What defines "chipset support" when the general function of these drivers must be fairly similar?
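The TraceView lines in the post above can be decoded field by field. The following is an added example, not part of the original post or of Microsoft's tooling: it parses those lines and names the set bits using the USB 2.0 hub `wPortStatus` / `wPortChange` layout. Reading `prevPS`, `curPS` and `curPC` as previous status, current status and current change is an assumption, consistent with the message's own "PortConnectChange & CCS=0".

```python
import re

# Bit positions of wPortStatus / wPortChange as returned by a USB 2.0 hub's
# GetPortStatus request (USB 2.0 specification, hub class).
PORT_STATUS_BITS = {
    0: "PORT_CONNECTION", 1: "PORT_ENABLE", 2: "PORT_SUSPEND",
    3: "PORT_OVER_CURRENT", 4: "PORT_RESET", 8: "PORT_POWER",
    9: "PORT_LOW_SPEED", 10: "PORT_HIGH_SPEED", 11: "PORT_TEST",
    12: "PORT_INDICATOR",
}
PORT_CHANGE_BITS = {
    0: "C_PORT_CONNECTION", 1: "C_PORT_ENABLE", 2: "C_PORT_SUSPEND",
    3: "C_PORT_OVER_CURRENT", 4: "C_PORT_RESET",
}

# Lines copied from the TraceView output quoted in the post.
TRACE = [
    r"HUBHTX_Get20PortChangeEvent: PORT_STATUS_ERROR / HubHwVerifierPortDeviceDisconnected event: PortConnectChange & CCS=0; portNum 1, prevPS 0x0101, curPS 0x0100, curPC 0x0001",
    r"HUBHTX_Get20PortChangeEvent: Called HubHwVerifierPortDeviceDisconnected",
    r"Device Context 0xFFFFD00E5F713110 - USB\VID_0951&PID_1646&REV_0100 - Port Path 1:4:1:0:0:0",
]

EVENT_RE = re.compile(
    r"portNum (\d+), prevPS (0x[0-9A-Fa-f]+), "
    r"curPS (0x[0-9A-Fa-f]+), curPC (0x[0-9A-Fa-f]+)")
DEVICE_RE = re.compile(
    r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})&REV_([0-9A-Fa-f]{4})")


def decode_bits(value, table):
    """Return the names of all set bits in a 16-bit status word."""
    return [table.get(bit, "reserved_bit_%d" % bit)
            for bit in range(16) if value & (1 << bit)]


def parse_port_event(line):
    """Extract the port number and the three status words, or None."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return {"portNum": int(m.group(1)), "prevPS": int(m.group(2), 16),
            "curPS": int(m.group(3), 16), "curPC": int(m.group(4), 16)}


def classify(event):
    """A connect-change with the connection bit clear is a disconnect."""
    if not event["curPC"] & 0x0001:
        return "no-connect-change"
    return "connect" if event["curPS"] & 0x0001 else "disconnect"


def parse_device_id(line):
    """Return (VID, PID, REV) from a USB hardware ID in the line, or None."""
    m = DEVICE_RE.search(line)
    return m.groups() if m else None


def report(lines):
    """Build one readable summary row per recognised trace line."""
    rows = []
    for line in lines:
        ev = parse_port_event(line)
        if ev:
            rows.append("port %d: %s (was %s, now %s, change %s)" % (
                ev["portNum"], classify(ev),
                decode_bits(ev["prevPS"], PORT_STATUS_BITS),
                decode_bits(ev["curPS"], PORT_STATUS_BITS),
                decode_bits(ev["curPC"], PORT_CHANGE_BITS)))
        dev = parse_device_id(line)
        if dev:
            rows.append("device VID=%s PID=%s REV=%s" % dev)
    return rows


if __name__ == "__main__":
    for row in report(TRACE):
        print(row)
```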

  13. #13

    _baseprocessstart

    Kayaker...there are times when I break on _baseprocessstart then take a couple of steps and I'm into the start of code for my app. Other times, I can't get there. I have to go through countless steps of code in the system and never seem to come out the other end.

    Is that maybe because another proc is using _bpss? Have you found a way out of the code, maybe a BP further along the way, like GetProcessAddress or GetModuleHandle?

    Or is it maybe the VM?

  14. #14
    Quote Originally Posted by Kayaker View Post
    I was going to ask you about the C220/C610 driver and wondered how it differed from the one you had. What defines "chipset support" when the general function of these drivers must be fairly similar?
    Thanks for info on tracer. I will check it out.

    That's got me too, about the chipsets supported. I managed to download an Intel INF install for the B360 and it installed a lot of drivers for the chipset on W7. All but the USB drivers.

    I just noticed a log file from an earlier attempt to load the USB 3 driver for which I supplied a link above. It claims there are sections in its own INF that are missing. And the Dev_numbers listed do not include my device, which is DEV_A36D. It lists up till DEV_A2AF.

    Here's a typical error message from the install for Iusb3hub.inf:
    "Section <PackageInfo> Key <Sequence> not found in INF."

    It gives a ClassGUID, which is for the general class 'Universal Serial Bus Controller' then immediately below it tells you the Package.info.Name = iusb3hub, as in the title of the INF file. Then it gives PackageInfo.Sequence = 0. Then it says: "Error locating a device section, Skipping inf."

    That's why my hub is not getting loaded.

    Sorry to burden with all this, just thinking out loud.
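Whether an INF lists a given device can be checked mechanically instead of reading the installer log. The following is an added example, not code from the post or from Intel's package: it walks `[Manufacturer]` to the models sections and compares their hardware IDs, case-insensitively, with the IDs a device reports. The sample INF is constructed; only `DEV_A2AF` and `DEV_A36D` come from the post, while the `PCI\VEN_8086` prefix and the section names are assumptions.

```python
# Constructed, simplified INF. Real packages carry many more sections.
SAMPLE_INF = r"""
[Version]
Signature="$WINDOWS NT$"
Class=USB
Provider=%Vendor%

[Manufacturer]
%Vendor%=Models,NTamd64

[Models.NTamd64]
%Ctrl.Desc%=Ctrl_Install, PCI\VEN_8086&DEV_A2AF   ; last ID the post mentions
%Ctrl.Desc%=Ctrl_Install, PCI\VEN_8086&DEV_1111   ; constructed placeholder

[Ctrl_Install]
CopyFiles=Ctrl_CopyFiles
"""


def parse_inf(text):
    """Return {section_name_lower: [(key, value), ...]} for an INF file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            key, sep, value = line.partition("=")
            sections[current].append((key.strip(), value.strip() if sep else ""))
    return sections


def model_sections(inf):
    """Names of the models sections referenced from [Manufacturer].

    '%Mfg%=Models,NTamd64' refers to [Models] and [Models.NTamd64].
    """
    names = []
    for _, value in inf.get("manufacturer", []):
        parts = [p.strip().lower() for p in value.split(",") if p.strip()]
        if not parts:
            continue
        names.append(parts[0])
        names.extend("%s.%s" % (parts[0], deco) for deco in parts[1:])
    return names


def hardware_ids(inf):
    """Map each listed hardware/compatible ID (upper case) to its install section."""
    found = {}
    for name in model_sections(inf):
        for _, value in inf.get(name, []):
            fields = [f.strip() for f in value.split(",")]
            for hwid in fields[1:]:                  # fields[0] is the install section
                if hwid:
                    found.setdefault(hwid.upper(), fields[0])
    return found


def covers(inf, device_ids):
    """Return (matched_id, install_section) for the first device ID the INF
    lists, or None. Pass device IDs most specific first."""
    table = hardware_ids(inf)
    for dev_id in device_ids:
        if dev_id.upper() in table:
            return dev_id.upper(), table[dev_id.upper()]
    return None


if __name__ == "__main__":
    inf = parse_inf(SAMPLE_INF)
    for dev in (r"PCI\VEN_8086&DEV_A2AF", r"PCI\VEN_8086&DEV_A36D"):
        print(dev, "->", covers(inf, [dev]))
```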

  15. #15
    Kayaker
    Quote Originally Posted by WaxfordSqueers View Post
    Kayaker...there are times when I break on _baseprocessstart then take a couple of steps and I'm into the start of code for my app. Other times, I can't get there. I have to go through countless steps of code in the system and never seem to come out the other end.

    Is that maybe because another proc is using _bpss? Have you found a way out of the code, maybe a BP further along the way, like GetProcessAddress or GetModuleHandle?

    Or is it maybe the VM?
    I recall that sort of thing happening when tracing in VMWare, F8 through an API call and it may give control back to the VM thread dispatcher. Setting a safety BP on GetProcAddress for example with a conditional IF PID=<your process> should help if you're trying to make the step from K32 to the beginning of your code.
