geekhack
geekhack Projects => Making Stuff Together! => Topic started by: thefreshmanwit on Thu, 04 December 2014, 18:24:25
-
Hi All-
I've recently joined the world of mechanical keyboards, and most recently purchased a Poker 2 (though I have an infinity on order).
I discovered that after I purchased it, the 'normal' mode is not reprogrammable. I saw this link: https://geekhack.org/index.php?topic=50245.0 with the factory updated firmware, but this still wouldn't make the firmware fixable. However, I also note that the fact that there IS a programmer is promising, since this means the factory firmware supports flashing!
I also found this stack overflow question: http://reverseengineering.stackexchange.com/questions/5945/finding-the-actual-thumb-code-in-firmware where someone was beginning the process of figuring this out, and the question itself lead to what looks like the machine code inside the firmware files!
I had a few questions:
1- The original author (Firefly?) seems to have given up on the project of reverse engineering the firmware, but has anyone else taken it beyond this stack overflow post since?
2- If not, would there be any interest in starting? I'm a developer by trade, and hopefully I'd be able to at least make SOME headway with some help. Anyone interested in helping? Is this a good place to organize this sort of effort?
-
Vortex released some firmware for you to flash but that's about it.
-
Had a quick look.
From photos, it appears that the controller is a Nuvoton NUC122SC1AN. Cortex-M0 core, 32K flash, 4K SRAM, 4K Data flash, 4K ISP, etc, details here : http://www2.nuvoton.com/hq/enu/ProductAndSales/ProductLines/MicrocontrollerApplicationIC/ARMMicrocontroller/ARMCortexTMM0/Pages/default.aspx
Data sheet here : http://download.nuvoton.com/NuvotonMOSS/DownloadService/Member/DocumentsInfo.aspx?tp_GUID=DA00-NUC122
Application notes and example code here : http://www2.nuvoton.com/hq/enu/ProductAndSales/ProductLines/MicrocontrollerApplicationIC/ARMMicrocontroller/ARMCortexTMM0/Pages/ApplicationNotes.aspx
BSP here : http://download.nuvoton.com/NuvotonMOSS/DownloadService/Member/DocumentsInfo.aspx?tp_GUID=SW0720110512142523
Working from that lot, you should be able to work out what the original, 6KRO poker firmware is doing. Bear in mind that 99% of it is likely to be a cut & paste job from the example code.
That's where I'd start, anyway.
-
Had a quick look.
From photos, it appears that the controller is a Nuvoton NUC122SC1AN. Cortex-M0 core, 32K flash, 4K SRAM, 4K Data flash, 4K ISP, etc, details here : http://www2.nuvoton.com/hq/enu/ProductAndSales/ProductLines/MicrocontrollerApplicationIC/ARMMicrocontroller/ARMCortexTMM0/Pages/default.aspx
Data sheet here : http://download.nuvoton.com/NuvotonMOSS/DownloadService/Member/DocumentsInfo.aspx?tp_GUID=DA00-NUC122
Application notes and example code here : http://www2.nuvoton.com/hq/enu/ProductAndSales/ProductLines/MicrocontrollerApplicationIC/ARMMicrocontroller/ARMCortexTMM0/Pages/ApplicationNotes.aspx
BSP here : http://download.nuvoton.com/NuvotonMOSS/DownloadService/Member/DocumentsInfo.aspx?tp_GUID=SW0720110512142523
Working from that lot, you should be able to work out what the original, 6KRO poker firmware is doing. Bear in mind that 99% of it is likely to be a cut & paste job from the example code.
That's where I'd start, anyway.
I'm sure you're right, though I'm hoping to push the custom firmware using the same flasher that vortex generated. I believe the right 'first step' is going to be to try to determine the .bin file format (since based on the stack exchange post it is a little strange).
-
I wouldn't bet any of my own money on Vortex having developed their own flashing tools and firmware. I'd say it's 99% likely (or more) that the "Vortex" flash file format and flashing tool are documented somewhere in the links I posted earlier.
-
I wouldn't bet any of my own money on Vortex having developed their own flashing tools and firmware. I'd say it's 99% likely (or more) that the "Vortex" flash file format and flashing tool are documented somewhere in the links I posted earlier.
That makes a lot of sense, I could definitely see all of their stuff being slightly modified versions of Nuvoton's stuff. I found on this page: http://www2.nuvoton.com/NuvotonMOSS/Community/ProductInfo.aspx?tp_GUID=4b47b09d-b116-4ccd-aa85-31e261a87d30 an example of their "ISP Programming Tool". When the Poker2 goes into 'flashable mode' it calls itself a "ISP Device", so this might be what they based their programmer on.
Based on the application images however, it seems they customized it by removing a lot of things, though I don't see where the source to this code is. The included .bin files don't look very similar to what the Vortex stuff does, so I have a suspicion that the 'bin encoding' is Vortex's thing. I'm still looking into it, I'll keep this thread updated. Additionally, I've put up a github that'll hold at least a Readme of what I'm doing for those who hit this in the future and wish to continue whereever I leave off.
https://github.com/erichkeane/poker2firmwarehacking