[sane-devel] Progress on CanoScan D1250U2

norbert lataille nonal@freesurf.fr
18 May 2003 21:20:32 +0200


> I have 512Kb downstream, but depending on how much disk space we're
> talking about, that may be more of an issue. I've about 15GB free, with
> a 40GB disk currently sitting on the side if needed.

I believe it is time to explain how far I am. Currently, the
register_get/register_set/bulk_transfer functions of the USB protocol
are identified.

Based on the USB traces taken from Windows (produced by usbsnoopy), we
have perl/sed scripts transforming them into some kind of intermediate
format (which is changing quite often - as soon as I get clues).

There is libusb-based C code (somewhat ugly for now - it was not the
priority ;) playing those intermediate "scripts" at the scanner level.

One of these perl filters is getting rid of this useless code in the
script (which is polling the scanner button state):
 REG(9200 9700 a310 a13f 970a )
 REG1(8b)
 GET_LATCH()=5f
 REG1(8b)
 GET_LATCH()=5f
 REG1(97)
 SEND_CMD(85,0F,0f)
 REG(9260 )
 REG1(8b)
 GET_LATCH()=c3

Another one is transforming this "polling" sequence into the
WAIT_FOR_BIT2() opcode:
  REG1(8b)
  GET_LATCH()=xx
  REG1(8b)
  GET_LATCH()=xx
  ...
  REG1(8b)
  GET_LATCH()=bb

etc...

Now the script files are getting smaller and smaller, and the final
goal is to get more and more code in the C parser, and nothing (except
START_300dpi() opcode) in the script file :)

The C interpreter is right now doing 75 and 300 dpi color scanning using
these script files. However, this is still work in progress and I could
not give it away without documenting it, telling where the next
steps in opcode mangling are, etc... That's why I said this is the early
stages of development.

> My firewall is set up to allow through ssh, so I can set up to allow you to
> push logs if you want, or I can pull them.
> 
> What are you using for the disassembly? Is there much useful information
> left or are you stuck with the horror of manually inferring structure
> from the code directly?

I found IDA useful for documenting the disassembly (it may work under wine
easily I believe - I can give you the IDA database that I've got). I
would like to try hacking the DLL to add verbosity (there is already
some in c:\d1250fw.log), using a patcher or the Softice debugger.

There is not much left. We have WIN32 library functions, and DLL
exports, as usual. However, once get/set register functions are
identified, each DLL export (MoveCariage, SetLampOn, ...) is identified
as a list of get/set functions. However, the code is quite big!

Norbert
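
The polling-collapse step described in the message, as an added example (not part of Norbert's message and not his perl filters): a Python filter that replaces runs of REG1(8b)/GET_LATCH() reads with one WAIT_FOR_BIT2() line. The function name, the `min_reads` threshold and the sample trace are assumptions made for illustration.

```python
import re

# Constructed sample in the intermediate script format quoted in the message.
SAMPLE = """\
REG(9260 )
REG1(8b)
GET_LATCH()=5f
REG1(8b)
GET_LATCH()=5f
REG1(8b)
GET_LATCH()=c3
REG1(97)
SEND_CMD(85,0F,0f)
REG1(8b)
GET_LATCH()=5f
"""

POLL_SELECT = "REG1(8b)"  # register select that precedes every polled read
LATCH_RE = re.compile(r"GET_LATCH\(\)=[0-9a-fA-F]{2}$")


def collapse_polls(lines, min_reads=2):
    """Collapse runs of REG1(8b)/GET_LATCH() pairs into WAIT_FOR_BIT2().

    Assumption: a run counts as polling only when it has at least
    `min_reads` consecutive pairs; a single read is kept verbatim because
    it may be an ordinary status read rather than a wait loop.
    """
    ops = [line.strip() for line in lines if line.strip()]
    out = []
    i = 0
    while i < len(ops):
        j = i
        # Extend j over as many consecutive select/read pairs as possible.
        while (j + 1 < len(ops) and ops[j] == POLL_SELECT
               and LATCH_RE.match(ops[j + 1])):
            j += 2
        if (j - i) // 2 >= min_reads:
            out.append("WAIT_FOR_BIT2()")  # latch values seen while waiting are dropped
            i = j
        else:
            out.append(ops[i])
            i += 1
    return out


if __name__ == "__main__":
    print("\n".join(collapse_polls(SAMPLE.splitlines())))
```

The number of reads in a captured run depends on timing during the capture, so collapsing the run keeps that count out of the replayed script.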