[endes0] has been hacking with USB HID recently, and a Logitech M185 mouse’s USB receiver has fallen into their hands. Unlike many Logitech mice, this one doesn’t include a Unifying receiver, though it’s capable of pairing to one. Instead, it comes with a pre-paired CU0019 receiver that, it turns out, is based on a fairly obscure TC32 chipset by Telink, the kind we’ve seen in cheap smart wristbands. If you’re dealing with a similarly obscure MCU, how do you even proceed?
In this case, GitHub had a good few tools developed by other hackers earlier — a Ghidra integration, and a tool for working with the MCU using a USB-UART and a single resistor. Unfortunately, dumping memory through the MCU’s interface was unreliable and frustrating. So it was time to celebrate when fuzzing the HID endpoints uncovered a memory dump exploit, with the memory dumper code helpfully shared in the blog post.
From a memory dump, the exploration truly began — [endes0] uncovers a fair bit of the dongle’s inner workings, including a guess at which project it was based on, and even a command that puts the dongle into a debug mode where a TC32-compatible debugger puts this dongle fully under your control.
Yet another hands-on course on Ghidra, and a wonderful primer on mouse dongle hacking – after all, if you treat your mouse’s dongle as a development platform, you can easily do things like controlling a small quadcopter, pairing the dongle with a SNES gamepad, or building a nifty wearable.
We thank [adistuder] for sharing this with us!
Some months ago in an attempt to not have to spend $20 on another unifying receiver, I tried to see if I can use an old, thumbdrive sized dongle that came with a Logitech KBM set.
To my surprise it uses almost the same chip as the (early) unifying receivers (nrf24). However it’s the OTP variant, which means it has a limited number of permanent pairings and cannot have its firmware updated.
I got it to pair with my mouse, unfortunately it uses a different USB ID so the Logitech software wouldn’t work with it and there was no way to change that.
While looking up all this stuff I also found Logitech have used 2 different chips for their receivers, nrf24 (OTP & flash) and a TI chip. Both compatible with each other afaik. I wonder if this one is as well despite not being branded unifying.
There is a modded unifier there, https://github.com/treeder/logitech_unifier/issues/4
not sure if it’s related to your issue. THT
oh hell yeah I just successfully used that to pair a spare M185 of mine to my Unifying receiver! now I have an extra mouse! thank you so much!
maybe you could buy the same chip on digikey/lcsc/aliexpress and replace the chip on the mouse’s PCB? and, well doneeeeee!
Been working on/with that chipset one for quite some years now, best example is the Xiaomi Mi Thermometer Custom firmware :)
Pretty nice and powerful overall
https://hackaday.com/2020/11/17/custom-firmware-for-cheap-bluetooth-thermometers/
of course you would ^_^ well doneeeee!~
Huh — I’ve been working on the TC32 this week! It’s fascinating, basically a Cortex M0 with a couple of different bits in each opcode…
Also, I was unable to make TlsrTools work. And ended up writing my own Pico-based debugger bridge. It’s faster (I think), cross-platform, and doesn’t need the resistor; there’s just a single connection from the Pico to the SWS pin. https://github.com/davidgiven/telinkdebugger
ooooo good work! this is a joy to see!
And yet the picture is of m235.
wait what it looks exactly like my M185, how can you tell?
I don’t believe that’s correct. The M235 has side grip panels that are concave and the top panel comes to more of a point at the rear of the mouse, whereas the shiny grey plastic surround on the M185 has a more “constant width” look from the top, as shown in the pic here.
Source: have junked far too many M185s with their non-pairable receivers for my liking (also Google image search, lol). I’m excited to see the progress made in this project!
you can pair them to unifying receivers btw 😭
No, that’s a m185. The m235’s sides are scooped in near the bottom.
I fucking love how that comment promptly attracted two people who know exactly what different Logitech mice look like