First post, by HwAoRrDk
I'm attempting to reverse-engineer, using Ghidra, version 6.30 of the Logitech MouseWare driver to find out what potential 'asterisk' commands it's capable of sending to Logitech serial mice. This all started because while some of these commands are documented (e.g. "*n", "*o", etc. for changing baud rates), there are others that still remain a mystery (either in purpose or expected response - e.g. "*#"), so I figured why not try and find out what the mouse driver actually does?
I've thrown the binary (MOUSE.COM, 55KB) into Ghidra and disassembled it as a 16-bit real-mode executable with a memory origin of 0x100. It's identified a whole bunch of functions. And I've managed to go through and identify a large number of strings - mostly messages (inc. the loading message with box-char borders), INI config file keys/values, and command line args. Some oddities: all are null-terminated strings, except the command-line args, which oddly are Pascal strings (i.e. length-prefix), and there are a hell of a lot of empty (i.e. only spaces) strings that seem as if they are 'blanking' strings for overwriting/substituting for other strings. All the null-terminated strings are arranged in 'blocks' followed by a table of pointers to each string in that block; the code only appears to reference the tables, not the strings directly. I even think I've identified the INT33h handler entry point (thanks to this blog post).
In order to try and get to the code that sends commands to the serial mouse, I thought a good place to start would be to identify where it sends data on the serial port, and work backwards. Firstly, it doesn't appear to use INT14h BIOS routines (there are zero instances of an INT 0x14 instruction anywhere, nor a CD 14 byte pair anywhere in the binary), so I assume it must talk to the UART hardware directly. Okay, so it'll be using 3F8/2F8 I/O port base addresses. So I search for all uses of an OUT instruction and come up with only 5 instances in the disassembled code. However, none of them appear to do anything with the UART! 😕
The first is in an apparently general-purpose function that appears to read an arbitrary I/O port register (with IN), bitwise-AND an argument value with the read value, and write it back (with OUT) to the register. The second is in a similar function to the first, but instead bitwise-ORs with the inverted argument value. The third is in a function that appears to read the PIT counter value (via 0x0043). The 4th and 5th are both in the same lengthy function, whose purpose is unclear to me, but appears to do something with reading/writing VGA registers. It sets the target IN/OUT address by reading from a table elsewhere, which appears to be populated with VGA port addresses (0x3C2, 0x3C4, 0x3CE, 0x3D4).
I'm totally mystified that there are no other I/O writes anywhere in the disassembled code! No instruction variants like OUTS, OUTSB, or OUTSW either.
I feel like I may be missing something because there's still a lot of 'junk' data that Ghidra has not disassembled that I suspect may be more code, but there's obviously no point blindly disassembling it without knowing it is: a) actually code, and b) called from somewhere/something (which it apparently isn't). Could there be more interrupt handlers? How do I figure that out?
So I'm kind of stuck. Does anyone have any advice?
