Date: 2024-06-15

[endes0] has been hacking with USB HID recently, and a Logitech M185 mouse’s USB receiver has fallen into their hands. Unlike many Logitech mice, this one doesn’t include a Unifying receiver, though it’s capable of pairing to one. Instead, it comes with a pre-paired CU0019 receiver that, it turns out, is based on a fairly obscure TC32 chipset by Telink, the kind we’ve seen in cheap smart wristbands. If you’re dealing with a similarly obscure MCU, how do you even proceed?
In this case, GitHub had a good few tools developed by other hackers earlier — a Ghidra integration, and a tool for working with the MCU using a USB-UART and a single resistor. Unfortunately, dumping memory through the MCU’s interface was unreliable and frustrating. So it was time to celebrate when fuzzing the HID endpoints uncovered a memory dump exploit, with the memory dumper code helpfully shared in the blog post.
From a memory dump, the exploration truly began — [endes0] uncovered a fair bit of the dongle’s inner workings, including a guess as to which project it was based on, and even a command putting the dongle into a debug mode where a TC32-compatible debugger puts this dongle fully under your control.
Yet another hands-on course on Ghidra, and a wonderful primer on mouse dongle hacking – after all, if you treat your mouse’s dongle as a development platform, you can easily do things like controlling a small quadcopter, or pair the dongle with a SNES gamepad, or build a nifty wearable.
One thought on “Uncovering Secrets Of Logitech M185’s Dongle”
Some months ago, in an attempt to not have to spend $20 on another Unifying receiver, I tried to see if I could use an old, thumbdrive-sized dongle that came with a Logitech KBM set.
To my surprise it uses almost the same chip as the (early) unifying receivers (nrf24). However it’s the OTP variant, which means it has a limited number of permanent pairings and cannot have its firmware updated.
I got it to pair with my mouse, but unfortunately it uses a different USB ID, so the Logitech software wouldn’t work with it and there was no way to change that.
While looking up all this stuff I also found Logitech have used 2 different chips for their receivers, nrf24 (OTP & flash) and a TI chip. Both compatible with each other afaik. I wonder if this one is as well despite not being branded unifying.
