Okay, here's the scoop on the URB frames... Captured a bunch of stuff with Wireshark; in this instance the software is sending commands for a 'device reset'. Thankfully some components of the app are written in .NET so I can run 'em through ILSpy, which gives me a great starting point in Ghidra.

Starting with ILSpy I can look at the external references to the DisplayPadSDK.dll and see how they're being called and what parameters are being passed. This is useful to me because it tells me how the DLL is being used and what kind of data the .dll is working with.

After some digging in Ghidra I narrowed down a couple of consistent functions such as the fun_CRCMessage? that appears to validate/format the message that gets sent to the device. When I saw the CONCAT14(byBrightness,0x312) I got the idea that this might be visible in the pcap and wow! There it is!

So I spent the next hour or so digging into various functions in the DLL and notating which headers are what and ended up with some nicely commented frames in Wireshark. Next step is to try and emulate some of these via Python in Linux...
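
Added example (not from the original posts, and not the vendor's code): how a Ghidra CONCAT14(byBrightness,0x312) expression maps to bytes on the wire, and a scan of captured payloads for that pattern. It assumes the value is stored little-endian, as on x86; the sample payloads are constructed, not taken from the capture.

```python
def ghidra_concat(hi: int, hi_size: int, lo: int, lo_size: int) -> bytes:
    """Bytes of Ghidra's CONCAT<hi_size><lo_size>(hi, lo), stored little-endian.

    CONCATxy(a, b) places the x-byte value a above the y-byte value b, so
    in little-endian memory b's bytes come first, followed by a's.
    """
    if not 0 <= hi < 1 << (8 * hi_size):
        raise ValueError("high operand does not fit its declared size")
    if not 0 <= lo < 1 << (8 * lo_size):
        raise ValueError("low operand does not fit its declared size")
    value = (hi << (8 * lo_size)) | lo
    return value.to_bytes(hi_size + lo_size, "little")


def find_brightness_frames(payloads, lo_const=0x312):
    """Return (payload_index, offset, brightness) for every match.

    A match is the 4-byte little-endian constant followed by one more
    byte, which is where CONCAT14 puts byBrightness. A 4-byte marker can
    occur by chance, so treat hits as candidates to confirm by hand.
    """
    marker = lo_const.to_bytes(4, "little")
    hits = []
    for index, data in enumerate(payloads):
        offset = data.find(marker)
        while offset != -1:
            if offset + 4 < len(data):  # the brightness byte must exist
                hits.append((index, offset, data[offset + 4]))
            offset = data.find(marker, offset + 1)
    return hits


# Constructed sample payloads (hypothetical layout, for illustration only).
SAMPLE_PAYLOADS = [
    bytes(8),                                          # unrelated frame
    ghidra_concat(0x50, 1, 0x312, 4) + bytes(3),       # brightness 0x50
    b"\xff" + ghidra_concat(0x19, 1, 0x312, 4),        # brightness 0x19
]

if __name__ == "__main__":
    print(ghidra_concat(0x64, 1, 0x312, 4).hex(" "))
    for hit in find_brightness_frames(SAMPLE_PAYLOADS):
        print("payload %d, offset %d, brightness 0x%02x" % hit)
```
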