Author Topic: Poker 2 Firmware Hacking? (Read 2587 times)

thefreshmanwit · « **on:** Thu, 04 December 2014, 18:24:25 »

Hi All-
I've recently joined the world of mechanical keyboards, and most recently purchased a Poker 2 (though I have an infinity on order).

I discovered that after I purchased it, the 'normal' mode is not reprogrammable. I saw this link: https://geekhack.org/index.php?topic=50245.0 with the factory updated firmware, but this still wouldn't make the firmware fixable. However, I also note that the fact that there IS a programmer is promising, since this means the factory firmware supports flashing!

I also found this stack overflow question: http://reverseengineering.stackexchange.com/questions/5945/finding-the-actual-thumb-code-in-firmware where someone was beginning the process of figuring this out, and the question itself lead to what looks like the machine code inside the firmware files!

I had a few questions:
1- The original author (Firefly?) seems to have given up on the project of reverse engineering the firmware, but has anyone else taken it beyond this stack overflow post since?
2- If not, would there be any interest in starting? I'm a developer by trade, and hopefully I'd be able to at least make SOME headway with some help. Anyone interested in helping? Is this a good place to organize this sort of effort?

frosty · « **Reply #1 on:** Thu, 04 December 2014, 23:24:43 »

Vortex released some firmware for you to flash but that's about it.

tufty · « **Reply #2 on:** Fri, 05 December 2014, 03:50:27 »

Had a quick look.

From photos, it appears that the controller is a Nuvoton NUC122SC1AN. Cortex-M0 core, 32K flash, 4K SRAM, 4K Data flash, 4K ISP, etc, details here : http://www2.nuvoton.com/hq/enu/ProductAndSales/ProductLines/MicrocontrollerApplicationIC/ARMMicrocontroller/ARMCortexTMM0/Pages/default.aspx

Data sheet here : http://download.nuvoton.com/NuvotonMOSS/DownloadService/Member/DocumentsInfo.aspx?tp_GUID=DA00-NUC122

Application notes and example code here : http://www2.nuvoton.com/hq/enu/ProductAndSales/ProductLines/MicrocontrollerApplicationIC/ARMMicrocontroller/ARMCortexTMM0/Pages/ApplicationNotes.aspx

BSP here : http://download.nuvoton.com/NuvotonMOSS/DownloadService/Member/DocumentsInfo.aspx?tp_GUID=SW0720110512142523

Working from that lot, you should be able to work out what the original, 6KRO poker firmware is doing. Bear in mind that 99% of it is likely to be a cut & paste job from the example code.

That's where I'd start, anyway.

thefreshmanwit · « **Reply #3 on:** Fri, 05 December 2014, 10:31:48 »

Quote from: tufty on Fri, 05 December 2014, 03:50:27

Had a quick look.

From photos, it appears that the controller is a Nuvoton NUC122SC1AN. Cortex-M0 core, 32K flash, 4K SRAM, 4K Data flash, 4K ISP, etc, details here : http://www2.nuvoton.com/hq/enu/ProductAndSales/ProductLines/MicrocontrollerApplicationIC/ARMMicrocontroller/ARMCortexTMM0/Pages/default.aspx

Data sheet here : http://download.nuvoton.com/NuvotonMOSS/DownloadService/Member/DocumentsInfo.aspx?tp_GUID=DA00-NUC122

Application notes and example code here : http://www2.nuvoton.com/hq/enu/ProductAndSales/ProductLines/MicrocontrollerApplicationIC/ARMMicrocontroller/ARMCortexTMM0/Pages/ApplicationNotes.aspx

BSP here : http://download.nuvoton.com/NuvotonMOSS/DownloadService/Member/DocumentsInfo.aspx?tp_GUID=SW0720110512142523

Working from that lot, you should be able to work out what the original, 6KRO poker firmware is doing. Bear in mind that 99% of it is likely to be a cut & paste job from the example code.

That's where I'd start, anyway.

I'm sure you're right, though I'm hoping to push the custom firmware using the same flasher that vortex generated. I believe the right 'first step' is going to be to try to determine the .bin file format (since based on the stack exchange post it is a little strange).

tufty · « **Reply #4 on:** Fri, 05 December 2014, 14:06:40 »

I wouldn't bet any of my own money on Vortex having developed their own flashing tools and firmware. I'd say it's 99% likely (or more) that the "Vortex" flash file format and flashing tool are documented somewhere in the links I posted earlier.

thefreshmanwit · « **Reply #5 on:** Fri, 05 December 2014, 16:31:39 »

Quote from: tufty on Fri, 05 December 2014, 14:06:40

I wouldn't bet any of my own money on Vortex having developed their own flashing tools and firmware. I'd say it's 99% likely (or more) that the "Vortex" flash file format and flashing tool are documented somewhere in the links I posted earlier.

That makes a lot of sense, I could definitely see all of their stuff being slightly modified versions of Nuvoton's stuff. I found on this page: http://www2.nuvoton.com/NuvotonMOSS/Community/ProductInfo.aspx?tp_GUID=4b47b09d-b116-4ccd-aa85-31e261a87d30 an example of their "ISP Programming Tool". When the Poker2 goes into 'flashable mode' it calls itself a "ISP Device", so this might be what they based their programmer on.

Based on the application images however, it seems they customized it by removing a lot of things, though I don't see where the source to this code is. The included .bin files don't look very similar to what the Vortex stuff does, so I have a suspicion that the 'bin encoding' is Vortex's thing. I'm still looking into it, I'll keep this thread updated. Additionally, I've put up a github that'll hold at least a Readme of what I'm doing for those who hit this in the future and wish to continue whereever I leave off.

https://github.com/erichkeane/poker2firmwarehacking

News:

Author Topic: Poker 2 Firmware Hacking? (Read 2587 times)

thefreshmanwit

Poker 2 Firmware Hacking?

frosty

Re: Poker 2 Firmware Hacking?

tufty

Re: Poker 2 Firmware Hacking?

thefreshmanwit

Re: Poker 2 Firmware Hacking?

tufty

Re: Poker 2 Firmware Hacking?

thefreshmanwit

Re: Poker 2 Firmware Hacking?