pok3r-custom / pok3r_re_firmware

Reverse engineering project for the POK3R and related keyboards.

Flash only bootloader? #37

Open ephb opened 2 years ago

ephb commented 2 years ago

Hey ChaoticEnigma,

I am currently trying to understand all the different parts of your project and want to thank you for making your findings public.

I would like to add support for the Tab90 because of its unique layout.

However, the firmware for the Tab90M ISO-DE is reported as 1.00.6 by the updater and this cannot be found anywhere online. I could probably start with and modify the US firmware that you have already added to this repository, but this means I could never go back to the original firmware.

I have cloned this project and started with documenting the keyboard, I have a debugger ready and soldered a header to cn2.

Do you know if there is any way to skip the mass erase step and just overwrite the bootloader directly? Alternatively, I could start on an ANSI layout Tab90 and work on that instead of risking the ISO Tab90 if I get stuck somewhere.

ChaoticEnigma commented 2 years ago

Unfortunately, I don't believe it is possible to modify the flash with a debugger while flash protection is enabled. The purpose of the mass erase is to clear the security bits in the last page of flash, which will disable the flash protection.

My method was to extract the firmware image from an updater exe, modify it to allow me to read from flash via the update protocol, use this to extract the bootloader code from flash, and then i could safely erase the flash and replace the bootloader.

The good news is that many firmware updaters are mostly not layout-specific. Some of them definitely contain multiple firmware images, seemingly for different layouts, but some seem to just contain a list of layouts. I think the Tab90 does the latter, where the firmware is the same for all layouts, and the layout is configured some other way. Possibly another value in flash, possibly the updater patches a specific part of the firmware image?

If you didn't see it, there is a script that scrapes firmware images out of a long list of updater exes. It looks like this script is also really out of date from what I have in my local repo... I will try and push that up this weekend.

For the Tab90 updater exe, here is the output I get. It looks like the one I have in this repo is 1.00.4.

updatepackage   INFO  - Layout: US Layout 0001 0080 0004
updatepackage   INFO  - Layout: EU Layout 0002 0080 0004
updatepackage   INFO  - Layout: JP Layout 0003 0080 0000
updatepackage   INFO  - Layout: US Layout 0001 0080 0000
updatepackage   INFO  - Layout: EU Layout 0002 0080 0000
updatepackage   INFO  - Layout: JP Layout 0003 0080 0000
updatepackage   INFO  - Layout: US Layout 0001 0080 0004
updatepackage   INFO  - Layout: EU Layout 0002 0080 0004
updatepackage   INFO  - Layout: US Layout 0001 0080 0000
updatepackage   INFO  - Layout: EU Layout 0002 0080 0000
updatepackage   INFO  - Description: Firmware Upgrade
updatepackage   INFO  - Company: IAP Version V1.0.0
updatepackage   INFO  - Product: Vortex
updatepackage   INFO  - Version: 20190426
updatepackage   INFO  - Signature: bytearray(b'.maaV105')
updatepackage   INFO  - 
updatepackage   INFO  - Section 0:
updatepackage   INFO  -   Description: 346
updatepackage   INFO  -   Version: V1.00.04
updatepackage   INFO  -   Layout: EU Layout
updatepackage   INFO  -   App VID/PID: 0000:0000
updatepackage   INFO  -   Boot VID/PID: 0000:0000
updatepackage   INFO  -   Firmware: 35084 bytes
updatepackage   INFO  -   Info - 180 bytes
updatepackage   INFO  -     1a000000560031002e00300030002e003000340000000000000000000000ffff
updatepackage   INFO  -     ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
updatepackage   INFO  -     ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
updatepackage   INFO  -     ffffffffffffffffffffffffffffffffffffffffffffffff0400800004000000
updatepackage   INFO  -     42010000ffffffef0100000000000000d9044603ffffffffffffffffffffffff
updatepackage   INFO  -     ffffffffffffffffffffffffffff1cffa55aff00
updatepackage   INFO  -   Version String: V1.00.04
updatepackage   INFO  -   a: 00800004
updatepackage   INFO  -   Version: 00000004
updatepackage   INFO  -   c: 00000142
updatepackage   INFO  -   d: efffffff
updatepackage   INFO  -   e: 00000001
updatepackage   INFO  -   f: 00000000
updatepackage   INFO  -   VID/PID: 04d9:0346
updatepackage   INFO  -   h: 00ff5aa5
updatepackage   INFO  - Firmware Out: tab90_v104.bin

Where this script scrapes out the "US Layout" and "EU Layout" strings from the updater exe, there are also those 6 bytes that may identify the layout. I will try and get some more coherent info together.

Out of curiosity, what are you trying to do? Do you want to patch changes directly into the Vortex firmware?
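
The 180-byte "Info" block in the scraper output above can be decoded by hand to see where the printed fields (Version String, a, Version, c, d, e, f, VID/PID, h) come from. The following is an added example, not the project's own updatepackage script: it parses that exact dump, with the field offsets inferred from this single dump (an assumption, since the layout is not documented on the page), and reports any byte that is neither a known field nor 0xff padding so that a differently laid out updater does not get misparsed silently. The reading of the first dword (0x1a) as the size of the version-string area is likewise an assumption.

```python
"""Decode the 180-byte IAP 'Info' block printed by the updater scraper.

Added example for this thread; offsets are inferred from the single dump
quoted above and are not a documented format.
"""
import struct
from dataclasses import dataclass

# Hex of the 180-byte Info block, copied from the scraper output above.
TAB90_V104_INFO_HEX = (
    "1a000000560031002e00300030002e003000340000000000000000000000ffff"
    "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
    "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
    "ffffffffffffffffffffffffffffffffffffffffffffffff0400800004000000"
    "42010000ffffffef0100000000000000d9044603ffffffffffffffffffffffff"
    "ffffffffffffffffffffffffffff1cffa55aff00"
)

INFO_LEN = 180

# (name, offset, struct format): offsets inferred from the dump (assumption),
# names follow the labels the scraper prints.
FIELDS = [
    ("a", 120, "<I"),
    ("version", 124, "<I"),
    ("c", 128, "<I"),
    ("d", 132, "<I"),
    ("e", 136, "<I"),
    ("f", 140, "<I"),
    ("vid", 144, "<H"),
    ("pid", 146, "<H"),
    ("h", 176, "<I"),
]


@dataclass
class InfoBlock:
    string_area_len: int
    version_string: str
    fields: dict      # name -> integer value, little-endian
    unknown: dict     # offset -> byte for bytes outside known fields that are not 0xff


def parse_info(blob: bytes) -> InfoBlock:
    if len(blob) != INFO_LEN:
        raise ValueError(f"expected {INFO_LEN} bytes, got {len(blob)}")

    # First dword is 0x1a = 26 here, exactly the number of bytes between it and
    # the first 0xff, so it is treated as the size of the UTF-16LE string area.
    (string_area_len,) = struct.unpack_from("<I", blob, 0)
    if string_area_len % 2 or 4 + string_area_len > FIELDS[0][1]:
        raise ValueError(f"implausible string area length {string_area_len:#x}")
    version_string = blob[4:4 + string_area_len].decode("utf-16-le").rstrip("\x00")

    covered = set(range(0, 4 + string_area_len))
    values = {}
    for name, off, fmt in FIELDS:
        (values[name],) = struct.unpack_from(fmt, blob, off)
        covered.update(range(off, off + struct.calcsize(fmt)))

    # Everything else should be erased-flash padding (0xff); anything that is
    # not gets reported rather than ignored.
    unknown = {i: b for i, b in enumerate(blob) if i not in covered and b != 0xFF}
    return InfoBlock(string_area_len, version_string, values, unknown)


def describe(info: InfoBlock) -> str:
    """Render the block in the same style as the scraper output."""
    lines = [f"Version String: {info.version_string}"]
    for name, _, fmt in FIELDS:
        width = struct.calcsize(fmt) * 2
        lines.append(f"{name}: {info.fields[name]:0{width}x}")
    lines.append(f"VID/PID: {info.fields['vid']:04x}:{info.fields['pid']:04x}")
    for off, b in sorted(info.unknown.items()):
        lines.append(f"unknown byte at offset {off}: {b:02x}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(parse_info(bytes.fromhex(TAB90_V104_INFO_HEX))))
```

On this dump the decoder reproduces the scraper's values (VID/PID 04d9:0346, h = 00ff5aa5, and so on) and flags a single unexplained byte, 0x1c at offset 174, just before the h field.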

ephb commented 2 years ago

Hello Charlie, thank you for getting back to me so quickly.

Out of curiosity, what are you trying to do? Do you want to patch changes directly into the Vortex firmware?

I want to follow your process for unlocking other Vortex keyboards on the Tab90m and try to port qmk_pok3r for it. Starting with the firmware patch to get the flash to be readable.

But as I am usually working in C# or JavaScript this is a steep learning curve for me, and I wanted to make sure I have a way to get the keyboard back to its original state if I fail. But the ISO-DE version comes with a firmware 1.00.06 that is not available anywhere. It makes sense that the security bits prevent tampering with flash.

Currently I am still at the stage of understanding how you create the firmware patch in the first place. You use your script to scrape/decrypt the bin from the updater, create the disassembly/symbols (with reassemble?), follow the instructions to see which bytes need to be patched, and flash it, correct?

I think the Tab90 does the latter, where the firmware is the same for all layouts, and the layout is configured some other way. Possibly another value in flash, possibly the updater patches a specific part of the firmware image?

That is why I am asking. I am not sure about this yet. And the fact that the updater states that it contains the US Layout with Version 1.00.04 had me hesitate.

The PCBs for both versions as well as the non-M Tab90 are definitely the same; they just get populated with switches in different positions. But while all the different pads for space work (it appears the PCB is also able to accommodate a split spacebar layout), the pads for ANSI Enter and for "| \" do not work. So I assumed there are some bits to configure the layout and enable the Bluetooth/battery daughterboard.

As far as I can tell from PCB markings in pictures this should be true for the Tab75 as well, I have not found any good pictures of the Tab60.

I have reached out to Vortex about the firmware 1.00.06 but have not heard back from them.