erichkeane / poker2firmwarehacking

KBC/Vortex Poker 2 Mechanical Keyboard Firmware hacking

Some suggestions #2

Open wfdewith opened 9 years ago

wfdewith commented 9 years ago

I am really interested in this project. I am willing to write a Linux flashing tool when I get my Poker which would behave exactly the same as the Windows version, so that you can flash your keyboard without having to use Windows.

I also think NKRO is a bit tricky, because the official USB standard only supports 6KRO, and getting NKRO to work is quite hard, and the keyboard will most likely not function properly in some OSes and the BIOS.

Because I am still waiting for my Poker, there is not much I can do right now, but if you have a working firmware dump, I am also interested in writing the actual new firmware from scratch.

erichkeane commented 9 years ago

Alright, great! I was hoping we could write a flashing tool that works on both operating systems. I tried to work with the current flashing tool, but was unable to figure out what it was doing! If you can find the sys-calls being made, that would be helpful!

I'm going to get my board soldered today so I can pull the firmware, so hopefully I'll have that checked in soon. I also wish to have a firmware written from scratch (I don't have much hope in modifying the current firmware, since decompiling doesn't sound like fun), I'm doing the dump more to see if we can use existing firmware flashing mechanisms to flash our custom ones.

As far as NKRO, I noticed a few others do it, but I didn't realize it might not work on other OSes. (It actually explains a lot about something!) The Teensy accomplished it and apparently Vortex did too, so I'm hopeful we could at least make it a compiler flag.

I'm glad you're interested, I hope we can get some solid work done on this to make the Poker 2 ACTUALLY fully programmable.

wfdewith commented 9 years ago

> Alright, great! I was hoping we could write a flashing tool that works on both operating systems. I tried to work with the current flashing tool, but was unable to figure out what it was doing! If you can find the sys-calls being made, that would be helpful!

I ordered my Poker II from Massdrop, and it is shipped to an aunt of a friend of mine in the USA, but I live in Europe, so that friend will bring the keyboard when he will visit his aunt. The only problem is: the next time this happens is in August. I did this to dodge import duties and taxes, which would have made the keyboard cost at least 50% more. If this is going to be a serious project, I might order another Poker II just for this, but I am not sure if my budget allows this. It will also depend on your planning.

I think the best way to find out what the flashing tool does is flashing the keyboard with a USB sniffer like USBPcap to see what happens. To me it seems easier than trying to decompile the current tool.

> As far as NKRO, I noticed a few others do it, but I didn't realize it might not work on other OSes. (It actually explains a lot about something!) The Teensy accomplished it and apparently Vortex did too, so I'm hopeful we could at least make it a compiler flag.

I am not sure (I still need to look into this) but I believe this is usually done by identifying the keyboard as multiple keyboards. It's a bit of a dirty hack, but if we manage to #ifdef shield it, it should indeed be possible.

> I'm glad you're interested, I hope we can get some solid work done on this to make the Poker 2 ACTUALLY fully programmable.

There are some rumors about POK3R firmware being open source and all that, and that it uses the same controller and PCB as the Poker II. Even if this is true, I still think this is a great project if only for the experience.

I look forward to working on this.
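Added example (not code from this repository or from either commenter): the boot-protocol 6KRO report beside the bitmap NKRO report that the "compiler flag" idea above would switch between. The struct layouts, the `NKRO_ENABLE` flag and the 168-bit bitmap size are assumptions for illustration, not the Poker 2's actual descriptor.

```c
#include <stdint.h>
#include <string.h>

/* Boot-protocol (6KRO) report: modifier bits, reserved byte, six keycode slots.
   The host rejects nothing here; the limit is the six slots themselves. */
typedef struct { uint8_t mods; uint8_t reserved; uint8_t keys[6]; } boot_report_t;

/* NKRO report (assumed layout): modifier bits, then one bit per HID usage
   code 0x00..0xA7, so 21 bytes of bitmap. Needs its own report descriptor. */
#define NKRO_BYTES 21
typedef struct { uint8_t mods; uint8_t bits[NKRO_BYTES]; } nkro_report_t;

#define HID_ERR_ROLLOVER 0x01   /* usage code the spec reserves for "too many keys" */

/* Modifiers are usage codes 0xE0..0xE7 and map to bits 0..7 of the modifier byte. */
static int is_modifier(uint8_t k) { return k >= 0xE0 && k <= 0xE7; }

/* Build a 6KRO report from the currently pressed usage codes.
   Returns 1 if more than six non-modifier keys were pressed (ErrorRollOver). */
int build_boot_report(const uint8_t *pressed, int n, boot_report_t *r) {
    int slots = 0, overflow = 0;
    memset(r, 0, sizeof *r);
    for (int i = 0; i < n; i++) {
        uint8_t k = pressed[i];
        if (is_modifier(k)) { r->mods |= (uint8_t)(1u << (k - 0xE0)); continue; }
        if (slots < 6) r->keys[slots++] = k; else overflow = 1;
    }
    if (overflow) memset(r->keys, HID_ERR_ROLLOVER, sizeof r->keys); /* all six slots */
    return overflow;
}

/* Build an NKRO bitmap report. Returns the number of non-modifier keys set. */
int build_nkro_report(const uint8_t *pressed, int n, nkro_report_t *r) {
    int count = 0;
    memset(r, 0, sizeof *r);
    for (int i = 0; i < n; i++) {
        uint8_t k = pressed[i];
        if (is_modifier(k)) { r->mods |= (uint8_t)(1u << (k - 0xE0)); continue; }
        if (k < NKRO_BYTES * 8) { r->bits[k >> 3] |= (uint8_t)(1u << (k & 7)); count++; }
    }
    return count;
}

/* The compile-time switch discussed above (NKRO_ENABLE is an assumed flag name). */
#ifdef NKRO_ENABLE
typedef nkro_report_t kbd_report_t;
#define build_report build_nkro_report
#else
typedef boot_report_t kbd_report_t;
#define build_report build_boot_report
#endif
```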

erichkeane commented 9 years ago

I set up the flashing tool yesterday (I had a friend solder some leads for me), and unfortunately there is a 'flash lock' bit that prevents the tool from reading the data. It seems that I would be able to do a complete clear of the device, however that would require anyone wanting to USE my firmware to have a flashing tool.

I haven't completely given up on this, but I would still love the ability for others to upgrade to a custom firmware without having to go through the flashing tool.

wfdewith commented 9 years ago

Doesn't this just prevent dumping the current firmware, not necessarily flashing something else? Flashing cannot be locked since Vortex released a firmware updater.

erichkeane commented 9 years ago

That is correct, it looks like it would permit me to clear the firmware currently on the chip, but since it is my only Poker 2, I don't want to give up the current ISP mode, in case we can come up with a way to program it over the standard method.

I feel that this reprogramming method would be fairly useless to people if a $50 programmer and fine-soldering tools were a requirement.

wfdewith commented 9 years ago

So we need to figure out whether the Vortex updater decrypts the bin files, or the Poker II itself. If it's the first case, we can figure it out by analyzing the USB packets, but if it's the second case, it's going to be a lot harder.

And you're right that buying a $50 programmer would be a bit useless for most people.

erichkeane commented 9 years ago

Yep, exactly! I've uploaded a few USB dumps to the repo that should be useful (and open-able in the latest Wireshark), however I'm not terribly sure what is going on. That should at least tell us where it was decrypted.

Additionally, the .bin file encryption (according to a stack overflow post on topic, see Readme for link) is likely just a shift/mask. If we can create our own flashing tool based on the USB output (and not have to figure out the rest of the format), it would likely be possible to make a converter of our own firmware files fairly trivially.

This would allow us to reuse the ISP mode of the Poker 2, bootstrapping our custom firmware.

wfdewith commented 9 years ago

We might be able to use the command that is sent to the Poker II to read the firmware version number to read the firmware section.

erichkeane commented 9 years ago

I suspect that we'd have to read the firmware while it isn't being actively run, so I'd imagine the read would happen in ISP mode.

I was able to force my device INTO ISP mode, but the stock Nuvoton tool didn't seem to be able to detect it. I imagine there is a possibility that KBC wrote a slightly customized one, so the tool won't work.

If you wanted something that would be really helpful, my HID/USB skills aren't great. So looking into the dump files to see if you can figure out what is going on would likely be extremely helpful!

wfdewith commented 9 years ago

I will look into it. I don't have much experience with USB HID either, but I do know something about embedded systems and interrupt-based programming.

If we aren't able to figure this out, we might want to look into Nuvoton's programmer, since that one might work. The only problem with this project is the risk of bricking your Poker II, so we should be careful.

erichkeane commented 9 years ago

Thanks! I'm sadly without HID experience either, so I'll be looking into it as well.