Support 06cb:0081

[msterna]

Hi!
I am impressed with your work! I wanted to ask if your package allows you to build drivers for other Synaptics devices? I have a Lenovo Yoga with Synaptics 06cb:0081. I tried to replace the source in the download_driver.sh file with mine: https://download.lenovo.com/consumer/mobiles/f7ye02af.exe Unfortunately, the files look completely different. I tried with your package and overwriting my files, but of course it doesn't work.
I understand that your package is not universal and only supports 06cb:00BE?
Can you help me somehow or is it too much work for you?
I'm not a programmer. I only write tiny programs in Python, so it's too difficult for me.
I hope I wrote understandably because I use Google Translator.

[Popax21]

Hi! I am impressed with your work! I wanted to ask if your package allows you to build drivers for other Synaptics devices? I have a Lenovo Yoga with Synaptics 06cb:0081. I tried to replace the source in the download_driver.sh file with mine: https://download.lenovo.com/consumer/mobiles/f7ye02af.exe Unfortunately, the files look completely different. I tried with your package and overwriting my files, but of course it doesn't work. I understand that your package is not universal and only supports 06cb:00BE? Can you help me somehow or is it too much work for you? I'm not a programmer. I only write tiny programs in Python, so it's too difficult for me. I hope I wrote understandably because I use Google Translator.

At the moment, only 06cb:00be is supported. If you want to add support for 06cb:0081 yourself you are free to do so (I would merge it upstream if it works), however I am fairly busy at the moment + I can't really assist with the intricacies of hardware I do not have access to. You might want to take a look at #20 as a starting point.

[msterna]

I don't understand much, but I'll try. Maybe something will work out :) Thank you for your answer and of course I understand that you don't have the time or opportunity. It's different for me too. Best regards and thank you for your suggestion!

[msterna]

Hello!
I was able to modify and build it. However, in the logs I have something like this:

`paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [INF] Activated sandbox
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [INF] Received init message - USB device 1-3
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [INF] Initialized libcrypto
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [INF] Initialized libusb
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [WRN] PE file contains unsupported resource data directory!
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [WRN] PE file contains unsupported exception data directory!
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [WRN] Data directory 4 has invalid bounds! [end 0x36c60 > image end 0x36000]
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [INF] Loaded driver DLL 'synaAdvAdapter.dll' [224352 bytes]
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [WRN] PE file contains unsupported resource data directory!
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [WRN] PE file contains unsupported exception data directory!
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [INF] Loaded driver DLL 'synaWudfBioUsb.dll' [2337376 bytes]
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [INF] Initializing driver DLL 'synaAdvAdapter.dll'...
paź 13 17:10:33 archlinux tudor_host_launcher[42337]: [ERR] Unresolved import called!
paź 13 17:10:34 archlinux systemd[1]: Started Process Core Dump (PID 42342/UID 0).
paź 13 17:10:34 archlinux systemd-coredump[42343]: [🡕] Process 42337 (tudor_host) of user 3333 dumped core.

                                                Stack trace of thread 42337:
                                                #0  0x00007fcde64ac83c n/a (libc.so.6 + 0x8e83c)
                                                #1  0x00007fcde645c668 raise (libc.so.6 + 0x3e668)
                                                #2  0x00007fcde64444b8 abort (libc.so.6 + 0x264b8)
                                                #3  0x00007fcde6c0e630 unresolved_stub (libtudor.so + 0xe630)
                                                #4  0x00007fcde6fef2ca n/a (n/a + 0x0)
                                                #5  0x00005574ede45493 main (tudor_host + 0x3493)
                                                #6  0x00007fcde6445cd0 n/a (libc.so.6 + 0x27cd0)
                                                #7  0x00007fcde6445d8a __libc_start_main (libc.so.6 + 0x27d8a)
                                                #8  0x00005574ede445b5 _start (tudor_host + 0x25b5)
                                                
                                                Stack trace of thread 42341:
                                                #0  0x00007fcde6520f6f __poll (libc.so.6 + 0x102f6f)
                                                #1  0x00007fcde6fd46e5 n/a (libusb-1.0.so.0 + 0x106e5)
                                                #2  0x00007fcde6fd6468 libusb_handle_events_timeout_completed (libusb-1.0.so.0 + 0x12468)
                                                #3  0x00007fcde6fd64bf libusb_handle_events (libusb-1.0.so.0 + 0x124bf)
                                                #4  0x00005574ede446a7 usb_thread_func (tudor_host + 0x26a7)
                                                #5  0x00007fcde64aa9eb n/a (libc.so.6 + 0x8c9eb)
                                                #6  0x00007fcde652e654 __clone (libc.so.6 + 0x110654)
                                                ELF object binary architecture: AMD x86-64

paź 13 17:10:34 archlinux fprintd[42330]: Tudor host process died! Exit Code 134
`
I understand this is a driver error. For some reason it doesn't load. Do I think right? Can you suggest something?

CLI:
`

WARNING
Even though the CLI employs sandboxing, its security is in no way comparable to the one found in the libfprint integration.
A malicious driver could take over your local user account!
This CLI is only intended to be used for debugging and/or small scale tests.
Press 'y' to continue, any key to exit: y
[INF] Initializing libcrypto...
[INF] Initializing libusb...
[INF] Found sensor USB device [bus 1 addr 3 vid 0x06cb pid 0x0081]
[INF] Opening sensor USB device...
[INF] Dropping root privileges... [new uid=1000 new gid=984]
[INF] Initializing tudor driver...
[WRN] PE file contains unsupported resource data directory!
[WRN] PE file contains unsupported exception data directory!
[WRN] Data directory 4 has invalid bounds! [end 0x36c60 > image end 0x36000]
[DBG] DLL synaAdvAdapter.dll: PE+ image
[DBG] -> machine: 8664
[DBG] -> image size: 00036000
[DBG] -> entry point: 0000b338
[DBG] -> num data dirs: 16
[DBG] -> num sections: 6
[DBG] -> num relocations: 835
[DBG] Copied image memory to mapping at 0x7f9106772000 - 0x7f91067a8000
[DBG] Applied 835 relocations
[DBG] Applying memory protections to image
[DBG] -> section .text | 0x7f9106773000 - 0x7f91067941fb | r-x
[DBG] -> section .rdata | 0x7f9106795000 - 0x7f910679f6a8 | r--
[DBG] -> section .data | 0x7f91067a0000 - 0x7f91067a3e98 | rw-
[DBG] -> section .pdata | 0x7f91067a4000 - 0x7f91067a5e0c | r--
[DBG] -> section .rsrc | 0x7f91067a6000 - 0x7f91067a66c0 | r--
[DBG] -> section .reloc | 0x7f91067a7000 - 0x7f91067a76e0 | r--
[INF] Loaded driver DLL 'synaAdvAdapter.dll' [224352 bytes]
[WRN] PE file contains unsupported resource data directory!
[WRN] PE file contains unsupported exception data directory!
[DBG] DLL synaWudfBioUsb.dll: PE+ image
[DBG] -> machine: 8664
[DBG] -> image size: 0023b000
[DBG] -> entry point: 000fadd8
[DBG] -> num data dirs: 16
[DBG] -> num sections: 6
[DBG] -> num relocations: 1945
[DBG] Copied image memory to mapping at 0x7f91049e1000 - 0x7f9104c1c000
[DBG] Applied 1945 relocations
[DBG] Applying memory protections to image
[DBG] -> section .text | 0x7f91049e2000 - 0x7f9104af531c | r-x
[DBG] -> section .rdata | 0x7f9104af6000 - 0x7f9104b9bd80 | r--
[DBG] -> section .data | 0x7f9104b9c000 - 0x7f9104c10cc8 | rw-
[DBG] -> section .pdata | 0x7f9104c11000 - 0x7f9104c1832c | r--
[DBG] -> section .rsrc | 0x7f9104c19000 - 0x7f9104c199e8 | r--
[DBG] -> section .reloc | 0x7f9104c1a000 - 0x7f9104c1b0ac | r--
[INF] Loaded driver DLL 'synaWudfBioUsb.dll' [2337376 bytes]
[INF] Initializing driver DLL 'synaAdvAdapter.dll'...
[ERR] Unresolved import called!
Przerwane
`

[Popax21]

The driver tried to invoke a function which currently hasn't been implemented yet. You'll want to use the DBGIMPORT meson option to figure out which one it is, then you would probably have to implement it yourself.

[MagneFire]

I've done some testing with the mentioned driver and https://download.lenovo.com/consumer/mobiles/im7f04af07wp.exe (which seems slightly different).

The reason for the unresolved call is because the driver needs EncodePointer.

Other places where segfaults were observed was in GetProcAddress as it needs a handle to print some information.

I've solved some of these issues and implemented more stub functions. But it does not appear to be enough to get the driver the load.

Here's my work for reference: https://github.com/MagneFire/synaTudor/tree/f/0081. I've decided to base it on the work by @vixalien as it implements some more functions that the driver may require.

At the moment I'm not sure how to debug this any further as the gdb backtrace doesn't reveal much:

(gdb) bt
#0  0x00007ffff7f9ebf8 in ?? ()
#1  0x00007ffff7f9ebbc in ?? ()
#2  0x000055555555bd98 in ?? ()
#3  0x000055555558b2e0 in ?? ()
#4  0x0000555555581e50 in ?? ()
#5  0x00007ffff7f999d5 in ?? ()
#6  0x00007ffff7c43ce8 in _DYNAMIC () from /home/darrel/Downloads/fprint/synaTudor/build/cli/../libtudor/libtudor.so
#7  0x00007ffff7f98e8a in ?? ()
#8  0x0000000000000000 in ?? ()

tudo_cli output: tudor_cli.log

The backtrace appears to look the same regardless of the newly implemented (stub) functions.

[MagneFire]

The previously mentioned issue has been solved! It no longer segfaults.
Debugging previously was rather difficult with gdb as it just hung when attempting to step through the instructions. Using lldb has solved this issue for me.

The usage of lldb was of huge help in fixing the segfault as it became clear that it was trying to check if the beginning of the memory region contained the value 0x5A4D (This appears to be a Windows PE signature).
This issue was solved by allowing PROT_READ access to every part of the allocated memory (MagneFire@c9fbbcb).

Driver entry

The next issue lies in the way the driver is initialized. It uses the Windows API DriverEntry for this (https://learn.microsoft.com/en-us/windows-hardware/drivers/wdf/driverentry-for-kmdf-drivers). synaTudor tries to call this by calling:

synaTudor/libtudor/src/tudor/driver.c

Line 113 in 1d08e98

if((status = ((api_FxDriverEntryUm) find_dll_export(&tudor_driver_dll->image, "FxDriverEntryUm"))(&wdf_loader, NULL, &umdf_driver, &reg_path)) != 0) {

However, this function is not exported by the 06cb:0081 driver.
If we compare the one used in the current relink:

$ winedump -j export synaWudfBioUsb104.dll
Contents of synaWudfBioUsb104.dll: 1567712 bytes


  Name:            synaWudfBioUsb104.dll
  Characteristics: 00000000
  TimeDateStamp:   FFFFFFFF Sun Feb  7 07:28:15 2106
  Version:         0.00
  Ordinal base:    1
  # of functions:  2
  # of Names:      2
  Functions RVA:   00159318
  Ordinals RVA:    00159328
  Names RVA:       00159320

  Entry Pt  Ordn  Name
  00036540     1  FxDriverEntryUm
  0015B000     2  Microsoft_WDF_UMDF_Version

Done dumping synaWudfBioUsb104.dll

Now compared to the driver we're trying to use:

$ winedump -j export synaWudfBioUsb.dll
Contents of synaWudfBioUsb.dll: 2345480 bytes


  Name:            synaWudfBioUsb.DLL
  Characteristics: 00000000
  TimeDateStamp:   5B356890 Fri Jun 29 01:00:32 2018
  Version:         0.00
  Ordinal base:    1
  # of functions:  2
  # of Names:      2
  Functions RVA:   001CCB88
  Ordinals RVA:    001CCB98
  Names RVA:       001CCB90

  Entry Pt  Ordn  Name
  00017698     1  DllGetClassObject
  001CF008     2  Microsoft_WDF_UMDF_Version

Done dumping synaWudfBioUsb.dll

Notice that the FxDriverEntryUm entrypoint doesn't exist, instead DllGetClassObject exist. This appears be a generic method to obtain an object.

I've already tried to just use the synaWudfBioUsb104.dll in combination with synaAdvAdapter.dll (00cb:00c8 interface (?) with the 00cb:0081 biometric driver), but this results in another segfault:

(lldb) bt
* thread #1, name = 'tudor_cli', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x50)
  * frame #0: 0x000074edef6b49e9
    frame #1: 0x000063a80c021da0

I'll try to continue figure this issue out, but at this point I'm not even sure if mixing these DLLs is even supposed to work...

[Popax21]

Seems like this might be an UMDF1 driver instead of an UMDF2 driver. UMDF2 drivers use the DriverEntry functions to initialize, while UMDF1 drivers use the IDriverEntry COM interface. It seems like you want to find the driver's CLSID (it's probably in one of the driver's INI files somewhere), then obtain a reference to that interface using DllGetClassObject, then use the interface's methods to invoke the various initialization functions. Mixing the DLLs is not something which I would assume is supported, and will probably not work.

[MagneFire]

Thanks for that hint! I'll definitely look into this with some more detail.

For reference the CLSID seems to indeed be in the ini file:

DriverCLSID = "{96710705-B080-4B29-A3EC-B16935AE663A}"

This file also confirms that's it's indeed UMDF1:

UmdfLibraryVersion=1.11.0