[sane-devel] Microtek ScanMaker 3800 backend: help?

Damjan Jovanovic dj015@yahoo.com
Wed, 7 Apr 2004 12:47:49 -0700 (PDT)

Hello everyone

I am working (or rather, trying to work) on a SANE
backend for the Microtek ScanMaker 3800 scanner, and I
need some help.

Since there is no documentation provided on how the
scanner works (commands used, etc), I am trying to
figure that out. It isn't coming along too well,
though. USB Snoopy somehow interferes with
communication between the driver and the scanner to
the point where nothing works, and Snoopy Pro even
crashes Windows 98 (which doesn't surprise me :-). So
I've tried a different approach.

From what I've seen (by deleting all the files that
left the scanner working), the driver consists of
about 5 DLLs which send commands to MiiScan.SYS, a
kernel-mode driver that does the rest. By changing the
DLLs' import table, I've managed to capture the stuff
sent to MiiScan.SYS. Basically, the DLLs use
CreateFile() to open "\\.\MiiScan0", and then
ReadFile(), WriteFile(), and DeviceIoControl() to send
and receive stuff from the scanner.

Now the scanner uses USB, and has 1 bulk-in, 1
bulk-out, and 1 interrupt-in pipe. ReadFile() and
WriteFile() probably simply send data through the
bulk pipes, right? But for the life of me, I can't
figure out how DeviceIoControl() works - i.e. what the
different buffers and I/O codes do.

So here are my questions:

1. Are USB interrupt-in pipes ever used by scanners,
and if so, for what? The scanner has buttons on the
front - does the interrupt pipe maybe transfer button
presses to the driver?

2. The scanner has an unlabelled port on the back that
looks like this:
   . . . . . . . .  (8 holes)
    . . . . . . .   (7 holes)
Is this a SCSI port by any chance? If so, is it a sure
sign that the scanner uses SCSI-over-USB? If so, how
are SCSI codes encoded into USB, and over which
pipe(s) are they sent?

3. Those of you that have reverse-engineered other
Microtek drivers, do you know what the
DeviceIoControl() codes mean? In particular, with the
I/O code of 0x22000C, the buffer contents sent to the
kernel-mode driver look like this:

(each letter is 1 byte)

and as best I can tell:
BB = size of buffer CCCC (from 1 to 32 bytes)
CCCC = pointer to a buffer
F = 0x40 for "writing" (scanner doesn't send anything)
F = 0xC0 for "reading" (scanner sends something back)
G = F >> 7 (it ends up being 1 when F is 0xC0, and 0
when F is 0x40)
x = not set
What are AA, DD, and E, and how is a DeviceIoControl()
request handled? I am guessing by means of USB control
transfers, but what goes into the various USB control
packet fields?

4. Do any of you have, or know where to get, a good
Windows 98 DDK (Device Driver Kit) reference? Or at
least a good ddk/winddk.h header file (the one I got
from mingw32 is useless). If I can't find the
answer to question 3, the only thing left to do is
disassemble MiiScan.SYS...

5. Is anyone interested in helping? I am pretty sure
the driver would work with the ScanMaker 4800 too. I
can e-mail you the programs, logs, etc. I've used.

Thank you
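
An added example, not part of the original post: the I/O code 0x22000C from question 3 split into the fields that the DDK's CTL_CODE macro packs into it, and the F values 0x40 and 0xC0 split the way the USB specification lays out a control transfer's bmRequestType byte. Treating F as bmRequestType is an assumption that the post does not confirm; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
struct ioctl_fields {
    uint16_t device_type; /* bits 31..16; 0x22 is FILE_DEVICE_UNKNOWN        */
    uint8_t  access;      /* bits 15..14; 0 is FILE_ANY_ACCESS               */
    uint16_t function;    /* bits 13..2;  driver-defined function number     */
    uint8_t  method;      /* bits 1..0;   0 is METHOD_BUFFERED               */
};

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* USB bmRequestType layout (assumed here to be what byte F carries). */
struct request_type {
    uint8_t direction; /* bit 7:     0 = host-to-device, 1 = device-to-host  */
    uint8_t type;      /* bits 6..5: 0 = standard, 1 = class, 2 = vendor     */
    uint8_t recipient; /* bits 4..0: 0 = device, 1 = interface, 2 = endpoint */
};

struct request_type decode_request_type(uint8_t b)
{
    struct request_type r;
    r.direction = (uint8_t)(b >> 7);   /* the same shift the post calls G */
    r.type      = (uint8_t)((b >> 5) & 0x3);
    r.recipient = (uint8_t)(b & 0x1F);
    return r;
}

int main(void)
{
    const uint8_t f_values[2] = { 0x40, 0xC0 };   /* values quoted in the post */
    struct ioctl_fields io = decode_ioctl(0x22000CU);
    printf("ioctl 0x22000C: device=0x%X access=%u function=%u method=%u\n",
           (unsigned)io.device_type, (unsigned)io.access,
           (unsigned)io.function, (unsigned)io.method);
    for (int i = 0; i < 2; i++) {
        struct request_type r = decode_request_type(f_values[i]);
        printf("F=0x%02X: direction=%u type=%u recipient=%u\n",
               (unsigned)f_values[i], (unsigned)r.direction,
               (unsigned)r.type, (unsigned)r.recipient);
    }
    return 0;
}
```
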
