21Aug/187

INTERLINK – Reverse-Engineering the Protocol

I've recently been playing with INTERLINK. Firstly, it was between two real machines, but then I managed to get DOSbox to talk to another DOSbox instance and a real physical PC. From here, there was a thought... why need DOSbox to host the INTERLINK server when I could possibly emulate the conversation and then create an app that'd work on all versions of Windows (or other OSes) and allow easier serial transfers to older equipment?

This post will be a work in progress for quite a while. I'll be updating it as I find time to work through the 'conversation' between the hosts... I might also spend a little time on reversing the actual source of INTERLINK itself.

Snooping in on the Conversation

As per the previous post, I created a quick .NET app to listen in to the serial conversation. This was done with the help of Eltima's Virtual Serial Port Driver. A pair of virtual ports was created and DOSbox was hooked onto one side. From here, I hooked my app onto the other side of the virtual pair and then into the real physical port. A real computer was then hooked onto the end of that port. You could also use two DOSbox instances here, along with two pairs of virtual ports.

[Image: dosbox-to-real]

You can download the source of my serial snooping app here.

The Conversation

This is where it now gets a LOT harder. The capture below shows the client (green/left) talking to the DOSbox server (blue/right). From the conversation, the client works out what drives are shared: A: and C: to D: and E:.

A: and C: A:, C: and D:
0xAA
Hello?
Hi!
0x00
0x55
0xFF
0x5A
0x11
0x80
0x7B
0x02 0x00 0x00 0x5D 0x03
0x80
0x81
0x7A
0x22 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x01 0x00 0x00 0x01 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xD9 0x73 0x50 0x42 0xAA 0x8D 0x75 0x72 0x1F 0x12
0x81
0x02
0xFD
0x02
0x04 0x82
0x79
0x21 0x00 0x00 0x00 0x00 0x00 0x00 0x0A 0x01 0x01 0x00 0x01 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xF7 0x0C 0x71 0xEA 0xB0 0x04
0x82
0x03
0x83
0x78
0x24 0x01 0x01 0x00 0x16 0x06 0x03 0x03 0xFF 0xFF 0xFF 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0x95 0x6E
0x83
0x00
0x80
0x7B
0x57 0x01 0x0A 0x16 0x06 0x06 0xFF 0xFF 0xFF 0x00 0x02 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xC2 0x08 0xC2 0x08 0xC2 0x08 0x42 0x28 0x42 0x28 0x42 0x28 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xF2 0x73
0x80
0x01
0x81
0x7A
0x02 0x1C 0x00 0x1B 0x1D
0x81
0x02
0x82
0x79
0x17 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xD5 0x2F
0x82
0x03
0x83
0x78
0x02 0x1C 0x02 0x3B 0x5F
0x83
0x00
0x80
0x7B
0x17 0x28 0x32 0x36 0x38 0x4D 0x62 0x29 0x00 0x00 0x00 0x4D 0x53 0x2D 0x44 0x4F 0x53 0x5F 0x36 0x00 0x00 0x00 0x00 0x00 0xCA 0xC7
0x80
0x01

Other side receives drive D:\

0xFC
Ping
Pong
0xFC
0xFC
Ping
Pong
0xFC
0xFC
Ping
Pong
0xFC
0xAA
Hello?
Hi!
0x00
0x55
0xFF
0x5A
0x11
0x80
0x7B
0x02 0x00 0x00 0x5D 0x03
0x80
0x81
0x7A
0x22 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x01 0x00 0x00 0x01 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xD9 0x73 0x50 0x42 0xAA 0x8D 0x75 0x72 0x1F 0x12
0x81
0x02
0xFD
0x02
0x04 0x82
0x79
0x21 0x00 0x00 0x00 0x00 0x00 0x00 0x0A 0x01 0x01 0x00 0x01 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xD9 0x73 0x50 0x42 0xAA 0x8D 0x75 0x72 0x28 0xD6
0x82
0x03
0x83
0x78
0x24 0x01 0x01 0x00 0x16 0x06 0x03 0x03 0xFF 0xFF 0xFF 0x00 0x02 0x03 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0x77 0xE9
0x83
0x00
0x80
0x7B
0x57 0x01 0x0A 0x16 0x06 0x07 0xFF 0xFF 0xFF 0x00 0x02 0x03 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xFE 0xC2 0x08 0xC2 0x08 0xC2 0x08 0xC2 0x08 0x42 0x28 0x42 0x28 0x42 0x28 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xF4 0x61
0x80
0x01
0x81
0x7A
0x02 0x1C 0x00 0x1B 0x1D
0x81
0x02
0x82
0x79
0x17 0x00 0x35 0x33 0x36 0x4D 0x62 0x29 0x00 0x00 0x00 0x00 0x53 0x2D 0x44 0x4F 0x53 0x5F 0x36 0x00 0x00 0x00 0x00 0x00 0x00 0x23
0x82
0x03
0x83
0x78
0x02 0x1C 0x02 0x3B 0x5F
0x83
0x00
0x80
0x7B
0x17 0x28 0x32 0x36 0x38 0x4D 0x62 0x29 0x00 0x00 0x00 0x4D 0x53 0x2D 0x44 0x4F 0x53 0x5F 0x36 0x00 0x00 0x00 0x00 0x00 0xCA 0xC7
0x80
0x01
0x81
0x7A
0x02 0x1C 0x03 0x2B 0x7E
0x81
0x02
0x82
0x79
0x17 0x28 0x35 0x33 0x36 0x4D 0x62 0x29 0x00 0x00 0x00 0x00 0x53 0x2D 0x44 0x4F 0x53 0x5F 0x36 0x00 0x00 0x00 0x00 0x00 0x78 0xF4
0x82
0x03
0xFE
Ping
Pong
0xFE
0xFE
Ping
Pong
0xFE
0xFE
Ping
Pong
0xFE

The grey boxes are my annotations for what I believe is occurring. More will be added as I work it all out.
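
Added example (not from the original post or from INTERLINK's own code): the multi-byte lines in the capture above fit a layout of one length byte, that many payload bytes and a two-byte trailer, and for the frames below the trailer equals a CRC-16 (polynomial 0x1021, initial value 0xFFFF, final XOR 0xFFFF) over the length byte plus payload. That layout is an inference from these captured bytes only, and the function and field names are hypothetical.

```python
# Added example: frame layout inferred from the capture on this page (an assumption,
# not documented INTERLINK behaviour). All names below are hypothetical.
CAPTURED = [  # multi-byte lines copied from the first capture above
    "02 00 00 5D 03",
    "02 1C 00 1B 1D",
    "02 1C 02 3B 5F",
    "17 28 32 36 38 4D 62 29 00 00 00 4D 53 2D 44 4F 53 5F 36 00 00 00 00 00 CA C7",
]


def crc16(data, poly=0x1021, init=0xFFFF, xorout=0xFFFF):
    """MSB-first CRC-16; these parameters reproduce the trailers in CAPTURED."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc ^ xorout


def ascii_runs(payload, min_len=4):
    """Return printable-ASCII runs of at least min_len bytes found in a payload."""
    runs, cur = [], bytearray()
    for b in payload + b"\x00":          # sentinel byte flushes a trailing run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur.clear()
    return runs


def parse_frame(raw):
    """Split [length][payload][crc_hi][crc_lo]; reject frames whose size disagrees."""
    if len(raw) < 3 or len(raw) != raw[0] + 3:
        raise ValueError("length byte does not match frame size")
    body, trailer = raw[:-2], raw[-2:]
    return {
        "payload": body[1:],
        "crc_ok": crc16(body) == int.from_bytes(trailer, "big"),
        "text": ascii_runs(body[1:]),
    }


def check_capture():
    """Parse every frame in CAPTURED and return the decoded results."""
    return [parse_frame(bytes.fromhex(line)) for line in CAPTURED]


if __name__ == "__main__":
    for frame in check_capture():
        print(frame["crc_ok"], frame["payload"].hex(" "), frame["text"])
```

An emulated server that checks the length byte and trailer this way can drop a damaged serial frame instead of acting on it.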

Comments (7)
  1. I can see an Arduino based Interlink server on the horizon if you could somehow emulate the data packets. Keep up with this interesting project!

    • That’s an awesome idea. I think it’d be easier searching for the source code tho! Disassembling/snooping traffic will take way too long.

      • Yeah, I agree. Have you tried snooping output from the command for “INTERSVR.EXE /RCOPY”?
        This uses some kind of serial comms to copy the INTERSVR.EXE and INTERLNK.EXE through a NULL modem cable to another computer. The receiving computer needs the command “MODE COM1:2400,N,8,1,P” to receive these files. I’m not too skilled at reverse engineering 16-bit DOS executables and your efforts, so far, are the only low level info I have found on the net for the interlink programs.

  2. Any progress in reversing so far?

