Pro M RGB Support

[hansemro]

HW info:

• Holtek HT32F1654 (Cortex-M3)
• GigaDevice 25Q40CT 4Mbit SPI Flash
• 3x Macroblock MBIA043GP (1 per channel)

CN2 header:

pin 1: 3v3
pin 2: SWDIO
pin 3: SWCLK
pin 4: nRST
pin 5: GND

SEL1 header:

pin 1: BOOT0
pin 2: GND

SEL2 header: short to enter ISP

pin 1: GND
pin 2: BOOT1

Tasks:

• [ ] Add photos
• [ ] Add schematic
• [ ] Write firmware patch
  • [x] Find FW offset: 0x3400
• [x] Patch pok3rtool: https://github.com/hansemro/pok3rtool/commits/cooler-master-dev
  • [x] Add Pro M RGB VID/PID/IPID
    • [x] firmware mode : 2516:004d
    • [x] bootloader mode : 2516:004e
    • [x] CYKB protocol
• [ ] Working firmware patch
• [x] Dump firmware (V1.03.01): https://github.com/hansemro/pok3r_re_firmware/tree/cmpromrgb/disassemble/cmpromrgb/v131
  • [ ] Annotate FW
• [x] Dump bootloader @ 0x0: https://github.com/hansemro/pok3r_re_firmware/tree/cmpromrgb/disassemble/cmpromrgb/builtin
  • [ ] Annotate
• [ ] Dump SPI flash
• [x] QMK port: https://github.com/hansemro/qmk_firmware/commits/promrgb_dev
  • [x] working key matrix
  • [x] nKey Rollover
  • [x] working USB
  • [x] Hold Esc while plugging in usb to reboot to bootloader
  • [x] FN+Esc to reboot to bootloader
  • [x] MBIA043 RGB matrix driver
    • [x] init
    • [x] LED matrix
    • [x] LED indicators for Caps Lock, Scroll Lock, Num Lock
  • [x] SPI flash driver (requires https://github.com/hansemro/ChibiOS-Contrib/commits/ht32-spi-tx-wc-fix)

[hansemro]

$ ht32-dfu-tool info
Claimed interface
Getting device info...
Model: HT32F1654
Version: v100
Page size: 1024 B
Flash size: 64512 B
Flash security: true
Option byte protection: true
Page protection: 0xfffff000 0xffffffff 0xffffffff 0xffffffff

[hansemro]

Finally managed to port QMK for Pro M White + RGB! These two were very hard to get my hands on, especially the RGB variant.

[hansemro]

The primary things holding me back from upstreaming my ports:

1. Fixing intermittent LED flickering on some keyboards (dedicated LED indicators on Pro M and Pok3r RGB)
2. Writing a generic MBI driver that supports various configurations
   • driver development branch: https://github.com/hansemro/qmk_firmware/tree/mbi_driver_dev
   • ~Need to look into ROW/COL iterator~ Handled.
   • Software timer fallback for PWM and timer routine?
   • ~Need to better understand how PWM and timer frequency relate to frame.~ Timer counter frequency = Frame Rate Timer period (in ticks) Number of LED GPIO pins
3. Writing an open source bootloader replacement with dfu-util compatibility
   • (An incomplete demo exists in ChibiOS-Contrib demos)
   • One that avoids jumping to an empty region of flash and halting would be nice.
   • ISP is always available to update bootloader or return to stock
     • Investigate how to boot to ISP
   • Should allow firmware to reboot to DFU mode similar to IAP.
4. Upstreamed SPI write collision fix: https://github.com/hansemro/ChibiOS-Contrib/commits/ht32-spi-tx-wc-fix
   • ~If this gets upstreamed, I would be fine enabling SPI driver by default.~ Merged

[hansemro]

https://github.com/hansemro/ht32_usb_dfu partially accomplishes 3 but does not currently avoid jumping to empty regions of flash. If the device does manage to get locked up, just short BOOT0 to ground and reset to reach DFU mode.

[hansemro]

Resolved flickering (1) for POK3R RGB by leveraging double buffering in https://github.com/hansemro/qmk_firmware/commit/06a38cd54c2c9ea3d95eee83a7f3e33ef9c509a2, where back buffer is used by rendering tasks and the front buffer is used for flushing completed color data to MBI buffers.

Update: flickering fixed for Pro M RGB in https://github.com/hansemro/qmk_firmware/commit/0764c102f298654a10ea5f0ebc6943b58a0c66e3

[Plecra]

Hi there! I have a stock Pro M RGB. Before I start tinkering with anything, are there any dumps that would be useful for the RE work? I see there's a TODO on dumping the spi flash.

[Plecra]

I've been having a look at the install instructions - is there no way to install the custom FW with the stock update mechanism? I'm not looking forward to ripping the feet off my keyboard :P

Edit: another question - have you dumped firmware from any of the pro m rgb update binaries? Getting junk from them so far, and I can't find V1.04 referenced in updatepackage

[hansemro]

are there any dumps that would be useful for the RE work? I see there's a TODO on dumping the spi flash.

SPI flash dumps are not particularly important unless you want to fully RE the stock firmware and make sense of the data written/read from external flash. It may also be useful for restoring from backup.

Most of the pending RE work was found to not be necessary after RE'ing Pro S RGB and Pro L White models.

have you dumped firmware from any of the pro m rgb update binaries?

Yes, the trick here is to extract FWUpdate.exe from masterkeys_pro_m_vX.XX.exe/bin/Setup/File/FWUpdate/. You can use 7z to extract this file. Afterwards, you should be able to use pok3rtool to pull the application firmware binary from FWUpdate.exe.

is there no way to install the custom FW with the stock update mechanism? I'm not looking forward to ripping the feet off my keyboard :P

Unfortunately, no other way has been found to avoid opening the keyboard and unlocking the processor. It may be worth investigating what triggers a hard fault when it boots into QMK or any other custom FW. The challenge here is that flash security also disables SWD debugging and booting from SRAM.

For that particular disassembly step, you only need to partially lift the left side of the rubber feet (with a tweezer) to expose the screw. For Pro M RGB, you only need to do this for the two upper pads (furthest away from you).