kopia lustrzana https://gitlab.com/sane-project/website
530 wiersze
16 KiB
HTML
530 wiersze
16 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
|
|
"http://www.w3.org/TR/REC-html40/loose.dtd">
|
|
<HTML>
|
|
<HEAD>
|
|
<TITLE>sane-devel: Re: HP Scanjet 3300 [also Re: HP 3400 scanner infor</TITLE>
|
|
<META NAME="Author" CONTENT="Adrian Perez Jorge (adrianpj@easynews.com)">
|
|
<META NAME="Subject" CONTENT="Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]">
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
|
|
<H1>Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]</H1>
|
|
<!-- received="Tue Jan 2 16:25:38 2001" -->
|
|
<!-- isoreceived="20010103002538" -->
|
|
<!-- sent="Tue, 2 Jan 2001 16:44:17 -0800" -->
|
|
<!-- isosent="20010103004417" -->
|
|
<!-- name="Adrian Perez Jorge" -->
|
|
<!-- email="adrianpj@easynews.com" -->
|
|
<!-- subject="Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]" -->
|
|
<!-- id="200101030044.QAA17058@mail13.bigmailbox.com" -->
|
|
<!-- inreplyto="HP Scanjet 3300 [also Re: HP 3400 scanner information]" -->
|
|
<STRONG>From:</STRONG> Adrian Perez Jorge (<A HREF="mailto:adrianpj@easynews.com?Subject=Re:%20HP%20Scanjet%203300%20[also%20Re:%20HP%203400%20scanner%20information]&In-Reply-To=<200101030044.QAA17058@mail13.bigmailbox.com>"><EM>adrianpj@easynews.com</EM></A>)<BR>
|
|
<STRONG>Date:</STRONG> Tue Jan 02 2001 - 16:44:17 PST
|
|
<P>
|
|
<!-- next="start" -->
|
|
<LI><STRONG>Next message:</STRONG> <A HREF="0014.html">Oliver Neukum: "Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]"</A>
|
|
<UL>
|
|
<LI><STRONG>Previous message:</STRONG> <A HREF="0012.html">Henning Meier-Geinitz: "Re: problem installing sane"</A>
|
|
<!-- nextthread="start" -->
|
|
<LI><STRONG>Next in thread:</STRONG> <A HREF="0014.html">Oliver Neukum: "Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]"</A>
|
|
<LI><STRONG>Reply:</STRONG> <A HREF="0014.html">Oliver Neukum: "Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]"</A>
|
|
<LI><STRONG>Reply:</STRONG> <A HREF="0038.html">Jay Higley: "Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]"</A>
|
|
<!-- reply="end" -->
|
|
<LI><STRONG>Messages sorted by:</STRONG>
|
|
<A HREF="date.html#13">[ date ]</A>
|
|
<A HREF="index.html#13">[ thread ]</A>
|
|
<A HREF="subject.html#13">[ subject ]</A>
|
|
<A HREF="author.html#13">[ author ]</A>
|
|
</UL>
|
|
<HR NOSHADE><P>
|
|
<!-- body="start" -->
|
|
('binary' encoding is not supported, stored as-is)
|
|
Hi Scott, Jay and all...
|
|
<BR>
|
|
<P> I've received an e-mail from Scott asking about SANE support for the
|
|
<BR>
|
|
hp4300. I asked him to run USB Snoopy and save a log file. I
|
|
<BR>
|
|
received the file one or two days ago, and I compared the log file and
|
|
<BR>
|
|
Jay's HP3300 log file. I must say I had no time to explore the whole
|
|
<BR>
|
|
file when Jay sent me the log (I asked for the file in October), but
|
|
<BR>
|
|
now in Christmas I have some time... so it was nice to inspect the
|
|
<BR>
|
|
protocol again.
|
|
<BR>
|
|
<P> I knew the hp4300 and hp3400 are more or less the same scanner, or
|
|
<BR>
|
|
at least it seems to be the same device driver in windoze. But those
|
|
<BR>
|
|
scanners and the hp3300 are more than friends! (maybe cousins or
|
|
<BR>
|
|
brothers ;)
|
|
<BR>
|
|
<P> There are too many common control commands, and that's what I have
|
|
<BR>
|
|
found...
|
|
<BR>
|
|
<P>I.- Little (and innacurate) introduction about URB control transfers in USB.
|
|
<BR>
|
|
----------------------------------------------------------------------------
|
|
<BR>
|
|
<P>The URB is a little packet made of bits, bytes and those stuff, that
|
|
<BR>
|
|
USB interfaces use to communicate. A (not so) special packet in made
|
|
<BR>
|
|
to send control commands to the device. Those URBs are labeled in the
|
|
<BR>
|
|
USB Snoopy log file with URB_FUNCTION_CONTROL_TRANSFER.
|
|
<BR>
|
|
<P>Other URB types than control transfers exists, but they are mainly for
|
|
<BR>
|
|
data transfers or USB configuration.
|
|
<BR>
|
|
<P>The most important information in an control URB is:
|
|
<BR>
|
|
<P>* Request: what is asked to the device to be done.
|
|
<BR>
|
|
* RequestTypeReserverBits: indicates that the operation is read (0x40) or
|
|
<BR>
|
|
write (0xc0) (This is a simplification)
|
|
<BR>
|
|
* Value: depends on the meaning of the command.
|
|
<BR>
|
|
* Index: also depends on the meaning of the command.
|
|
<BR>
|
|
* TransferBuffer contents: also this.
|
|
<BR>
|
|
<P>The control procotol --not the data-- is used to be handled in URB control
|
|
<BR>
|
|
transfers, and is defined by the values the above fields take during
|
|
<BR>
|
|
time.
|
|
<BR>
|
|
<P>If you look at the log files, you will find an example like this (line
|
|
<BR>
|
|
numbers and time removed):
|
|
<BR>
|
|
<P><EM>>>>>>>> URB 4 going down...
|
|
</EM><BR>
|
|
-- URB_FUNCTION_VENDOR_DEVICE:
|
|
<BR>
|
|
TransferFlags = 00000000 (USBD_TRANSFER_DIRECTION_OUT, ~USBD_SHORT_TRANSFER_OK)
|
|
<BR>
|
|
TransferBufferLength = 00000001
|
|
<BR>
|
|
TransferBuffer = ccaa7970
|
|
<BR>
|
|
TransferBufferMDL = 00000000
|
|
<BR>
|
|
|
|
<BR>
|
|
0000:
|
|
<BR>
|
|
a0
|
|
<BR>
|
|
UrbLink = 00000000
|
|
<BR>
|
|
RequestTypeReservedBits = 40
|
|
<BR>
|
|
Request = 0c
|
|
<BR>
|
|
Value = 0088
|
|
<BR>
|
|
Index = 0970
|
|
<BR>
|
|
|
|
<BR>
|
|
This packet was sent from the host computer to the scanner. All USB
|
|
<BR>
|
|
packets have (normaly) a reply. That is:
|
|
<BR>
|
|
<P><<<<<<< URB 4 coming back...
|
|
<BR>
|
|
-- URB_FUNCTION_CONTROL_TRANSFER:
|
|
<BR>
|
|
PipeHandle = ccd3812c
|
|
<BR>
|
|
TransferFlags = 00000002 (USBD_TRANSFER_DIRECTION_OUT, USBD_SHORT_TRANSFER_OK)
|
|
<BR>
|
|
TransferBufferLength = 00000001
|
|
<BR>
|
|
TransferBuffer = ccaa7970
|
|
<BR>
|
|
TransferBufferMDL = ccaa7980
|
|
<BR>
|
|
UrbLink = 00000000
|
|
<BR>
|
|
SetupPacket : 40 0c 88 00 70 09 01 00
|
|
<BR>
|
|
<P>This one is not very useful, except in case of a read operation. In
|
|
<BR>
|
|
such cases the buffer will be filled with info returned from the
|
|
<BR>
|
|
scanner, like in this case:
|
|
<BR>
|
|
<P><<<<<<< URB 48 coming back...
|
|
<BR>
|
|
-- URB_FUNCTION_CONTROL_TRANSFER:
|
|
<BR>
|
|
PipeHandle = ccd3812c
|
|
<BR>
|
|
TransferFlags = 00000003 (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK)
|
|
<BR>
|
|
TransferBufferLength = 00000001
|
|
<BR>
|
|
TransferBuffer = ccaa7940
|
|
<BR>
|
|
TransferBufferMDL = ccaa7980
|
|
<BR>
|
|
|
|
<BR>
|
|
0000:
|
|
<BR>
|
|
00
|
|
<BR>
|
|
UrbLink = 00000000
|
|
<BR>
|
|
SetupPacket : c0 0c 84 00 21 64 01 00
|
|
<BR>
|
|
<P><P>II.- Hacking the scanner.
|
|
<BR>
|
|
-------------------------
|
|
<BR>
|
|
<P> All my test were done using the hp4300 driver and its log file, but
|
|
<BR>
|
|
I have also contrasted this info with the hp3300 log file.
|
|
<BR>
|
|
<P> Firstly, I must say I have no idea about the values that the Index
|
|
<BR>
|
|
field gets during the scanning process. That's a mistery for me at
|
|
<BR>
|
|
the moment, until somebody give to me a second log file. Then I'll
|
|
<BR>
|
|
check if the field will get the same values.
|
|
<BR>
|
|
<P> But Value and Buffer contents seems to have some special patters.
|
|
<BR>
|
|
<P> When the computer wants to start talking to the scanner, it uses a
|
|
<BR>
|
|
special sequence. I have also found the piece of assembler code that
|
|
<BR>
|
|
generates that sequence, wich is:
|
|
<BR>
|
|
<P> Value Data
|
|
<BR>
|
|
===============
|
|
<BR>
|
|
0088 a0
|
|
<BR>
|
|
0088 a8
|
|
<BR>
|
|
0088 50
|
|
<BR>
|
|
0088 58
|
|
<BR>
|
|
0088 90
|
|
<BR>
|
|
0088 98
|
|
<BR>
|
|
0088 c0
|
|
<BR>
|
|
0088 c8
|
|
<BR>
|
|
0088 90
|
|
<BR>
|
|
0088 98
|
|
<BR>
|
|
0088 e0
|
|
<BR>
|
|
0088 e8
|
|
<BR>
|
|
<P>You can check those values in all log files, and you will see
|
|
<BR>
|
|
that (maybe) this sequence is repeated more than once during the log.
|
|
<BR>
|
|
The Value field 0x0088 is used only in the ``startup sequence''.
|
|
<BR>
|
|
<P>Here is the assembler code:
|
|
<BR>
|
|
<P>:067F4940 83EC08 sub esp, 00000008
|
|
<BR>
|
|
:067F4943 A130158006 mov eax, dword ptr [06801530]
|
|
<BR>
|
|
:067F4948 C744240000000000 mov [esp], 00000000
|
|
<BR>
|
|
:067F4950 83F801 cmp eax, 00000001
|
|
<BR>
|
|
:067F4953 C744240400000000 mov [esp+04], 00000000
|
|
<BR>
|
|
:067F495B 7579 jne 067F49D6
|
|
<BR>
|
|
:067F495D 68A0000000 push 000000A0
|
|
<BR>
|
|
:067F4962 E8394D0000 call 067F96A0
|
|
<BR>
|
|
:067F4967 68A8000000 push 000000A8
|
|
<BR>
|
|
:067F496C E82F4D0000 call 067F96A0
|
|
<BR>
|
|
:067F4971 6A50 push 00000050
|
|
<BR>
|
|
:067F4973 E8284D0000 call 067F96A0
|
|
<BR>
|
|
:067F4978 6A58 push 00000058
|
|
<BR>
|
|
:067F497A E8214D0000 call 067F96A0
|
|
<BR>
|
|
:067F497F 6890000000 push 00000090
|
|
<BR>
|
|
:067F4984 E8174D0000 call 067F96A0
|
|
<BR>
|
|
:067F4989 6898000000 push 00000098
|
|
<BR>
|
|
:067F498E E80D4D0000 call 067F96A0
|
|
<BR>
|
|
:067F4993 68C0000000 push 000000C0
|
|
<BR>
|
|
:067F4998 E8034D0000 call 067F96A0
|
|
<BR>
|
|
:067F499D 68C8000000 push 000000C8
|
|
<BR>
|
|
:067F49A2 E8F94C0000 call 067F96A0
|
|
<BR>
|
|
:067F49A7 6890000000 push 00000090
|
|
<BR>
|
|
:067F49AC E8EF4C0000 call 067F96A0
|
|
<BR>
|
|
:067F49B1 6898000000 push 00000098
|
|
<BR>
|
|
:067F49B6 E8E54C0000 call 067F96A0
|
|
<BR>
|
|
:067F49BB 68E0000000 push 000000E0
|
|
<BR>
|
|
:067F49C0 E8DB4C0000 call 067F96A0
|
|
<BR>
|
|
:067F49C5 68E8000000 push 000000E8
|
|
<BR>
|
|
:067F49CA E8D14C0000 call 067F96A0
|
|
<BR>
|
|
:067F49CF 83C430 add esp, 00000030
|
|
<BR>
|
|
:067F49D2 83C408 add esp, 00000008
|
|
<BR>
|
|
:067F49D5 C3 ret
|
|
<BR>
|
|
<P>[snip]
|
|
<BR>
|
|
<P>:067F96A0 8A442404 mov al, byte ptr [esp+04]
|
|
<BR>
|
|
:067F96A4 8D4C2404 lea ecx, dword ptr [esp+04]
|
|
<BR>
|
|
:067F96A8 51 push ecx
|
|
<BR>
|
|
:067F96A9 6A01 push 00000001 # buffer length
|
|
<BR>
|
|
:067F96AB 6888000000 push 00000088 # Value field
|
|
<BR>
|
|
:067F96B0 88442410 mov byte ptr [esp+10], al
|
|
<BR>
|
|
:067F96B4 E807000000 call 067F96C0
|
|
<BR>
|
|
:067F96B9 83C40C add esp, 0000000C
|
|
<BR>
|
|
:067F96BC C3 ret
|
|
<BR>
|
|
<P>q.e.d.
|
|
<BR>
|
|
<P>What other values the `Value' field can get? Inspecting the assembler
|
|
<BR>
|
|
code I could say... those:
|
|
<BR>
|
|
<P>Value length of the buffer direction
|
|
<BR>
|
|
===============================================
|
|
<BR>
|
|
0083 1 OUT (write)
|
|
<BR>
|
|
0084 1 IN (read)
|
|
<BR>
|
|
0085 1 OUT
|
|
<BR>
|
|
0087 1 OUT
|
|
<BR>
|
|
0088 1 OUT
|
|
<BR>
|
|
0082 8 OUT
|
|
<BR>
|
|
<P>What is the exact meaning of these command values? No idea yet, but
|
|
<BR>
|
|
we can try understand them by the way they are used.
|
|
<BR>
|
|
<P>There are some patterns that you will find frequently in the log
|
|
<BR>
|
|
file. Those are:
|
|
<BR>
|
|
<P> Type I
|
|
<BR>
|
|
<P> Value buffer contents
|
|
<BR>
|
|
===========================
|
|
<BR>
|
|
0087 14
|
|
<BR>
|
|
0083 (any byte)
|
|
<BR>
|
|
<P> Type II
|
|
<BR>
|
|
<P> Value buffer contents
|
|
<BR>
|
|
===========================
|
|
<BR>
|
|
0087 14
|
|
<BR>
|
|
0085 (any byte)
|
|
<BR>
|
|
<P> Type III
|
|
<BR>
|
|
<P> Value buffer contents
|
|
<BR>
|
|
===========================
|
|
<BR>
|
|
0087 14
|
|
<BR>
|
|
0087 34
|
|
<BR>
|
|
0084 (reads one byte)
|
|
<BR>
|
|
0087 14
|
|
<BR>
|
|
<P><P>Type II sequences are used to appear after Type I sequences.
|
|
<BR>
|
|
<P>The behaviour of Type III sequences is to read a (status) byte from
|
|
<BR>
|
|
the scanner/USB interface.
|
|
<BR>
|
|
<P>The byte values at Type I and II sequences are still an enigma.
|
|
<BR>
|
|
<P><P>The last one is the Type IV `sequence'. That's the more interesting.
|
|
<BR>
|
|
<P> Type IV
|
|
<BR>
|
|
<P> Value buffer contents
|
|
<BR>
|
|
===========================
|
|
<BR>
|
|
0082 (an 8-byte vector
|
|
<BR>
|
|
with a bulk tranfer
|
|
<BR>
|
|
length coded)
|
|
<BR>
|
|
[bulk transfer of data]
|
|
<BR>
|
|
<P><P>The 8-byte vectors I have found in the hp4300 log file are:
|
|
<BR>
|
|
<P> 01 01 00 00 60 00 00 00
|
|
<BR>
|
|
^ ^
|
|
<BR>
|
|
| +--- hi-byte (length)
|
|
<BR>
|
|
+------ lo-byte (length)
|
|
<BR>
|
|
<P> 00 00 00 00 2a 5d 00 00
|
|
<BR>
|
|
<P><P>This one is from the hp3300 log file:
|
|
<BR>
|
|
<P> 01 00 00 00 38 dc 00 00a
|
|
<BR>
|
|
<P>The length of the following bulk transfer is coded always in the same
|
|
<BR>
|
|
byte positions.
|
|
<BR>
|
|
<P>Some bulk transfers of Type IV sequences are sent _to_ the scanner
|
|
<BR>
|
|
(write) and others the data comes is sent _from_ the scanner (read).
|
|
<BR>
|
|
I could find the data that the computer sends to the scanner in the
|
|
<BR>
|
|
data segment of the dll, but the meaning of the data is also an
|
|
<BR>
|
|
enigma. I thought about gamma or calibration table values, but
|
|
<BR>
|
|
it doesn't seem to be the case.
|
|
<BR>
|
|
<P>III.- So... what now?
|
|
<BR>
|
|
---------------------
|
|
<BR>
|
|
<P> It will be nice to:
|
|
<BR>
|
|
<P><P>*) generate more log files, using the same scanning parameters and
|
|
<BR>
|
|
different ones to see what has changed and what not,
|
|
<BR>
|
|
<P>*) to know if there is a background program running that is checking
|
|
<BR>
|
|
the scanner/button status and produces interferences in the log file,
|
|
<BR>
|
|
<P>*) know if somebody (developers of SCSI, USB or pport SANE backends)
|
|
<BR>
|
|
can recognize the protocol,
|
|
<BR>
|
|
<P>*) find somebody who can use a windoze debugger and owns a hp4300,
|
|
<BR>
|
|
hp3400 or hp3300 scanner, to know when external events (scanner head
|
|
<BR>
|
|
moves, lamp on/off, etc) happens in what part of the log file, and
|
|
<BR>
|
|
maybe much more information,
|
|
<BR>
|
|
<P>*) excuse me for my english, copyright notices and publishing this in
|
|
<BR>
|
|
the SANE mailing list ;)
|
|
<BR>
|
|
<P>Cheers,
|
|
<BR>
|
|
<P><P><P>Adrian Perez Jorge
|
|
<BR>
|
|
<<A HREF="mailto:adrianpj@easynews.com?Subject=Re:%20HP%20Scanjet%203300%20[also%20Re:%20HP%203400%20scanner%20information]&In-Reply-To=<200101030044.QAA17058@mail13.bigmailbox.com>">adrianpj@easynews.com</A>>
|
|
<BR>
|
|
<P>------------------------------------------------------------
|
|
<BR>
|
|
Free Web space and web based email @EASYNEWS.COM
|
|
<BR>
|
|
<P><P><P><PRE>
|
|
--
|
|
Source code, list archive, and docs: <A HREF="http://www.mostang.com/sane/">http://www.mostang.com/sane/</A>
|
|
To unsubscribe: echo unsubscribe sane-devel | mail <A HREF="mailto:majordomo@mostang.com?Subject=Re:%20HP%20Scanjet%203300%20[also%20Re:%20HP%203400%20scanner%20information]&In-Reply-To=<200101030044.QAA17058@mail13.bigmailbox.com>">majordomo@mostang.com</A>
|
|
</PRE>
|
|
<P><!-- body="end" -->
|
|
<HR NOSHADE>
|
|
<UL>
|
|
<!-- next="start" -->
|
|
<LI><STRONG>Next message:</STRONG> <A HREF="0014.html">Oliver Neukum: "Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]"</A>
|
|
<LI><STRONG>Previous message:</STRONG> <A HREF="0012.html">Henning Meier-Geinitz: "Re: problem installing sane"</A>
|
|
<!-- nextthread="start" -->
|
|
<LI><STRONG>Next in thread:</STRONG> <A HREF="0014.html">Oliver Neukum: "Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]"</A>
|
|
<LI><STRONG>Reply:</STRONG> <A HREF="0014.html">Oliver Neukum: "Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]"</A>
|
|
<LI><STRONG>Reply:</STRONG> <A HREF="0038.html">Jay Higley: "Re: HP Scanjet 3300 [also Re: HP 3400 scanner information]"</A>
|
|
<!-- reply="end" -->
|
|
<LI><STRONG>Messages sorted by:</STRONG>
|
|
<A HREF="date.html#13">[ date ]</A>
|
|
<A HREF="index.html#13">[ thread ]</A>
|
|
<A HREF="subject.html#13">[ subject ]</A>
|
|
<A HREF="author.html#13">[ author ]</A>
|
|
</UL>
|
|
<!-- trailer="footer" -->
|
|
<HR NOSHADE>
|
|
<P>
|
|
<SMALL>
|
|
<EM>
|
|
This archive was generated by <A HREF="http://www.hypermail.org/">hypermail 2b29</A>
|
|
: <EM>Tue Jan 02 2001 - 16:27:26 PST</EM>
|
|
</EM>
|
|
</SMALL>
|
|
</BODY>
|
|
</HTML>
|