pok3r-custom / pok3r_re_firmware

Reverse engineering project for the POK3R and related keyboards.

Feature Request - include the Vortex Race 3 #8

Closed floodedcodeboy closed 6 years ago

floodedcodeboy commented 6 years ago

I believe it uses the same base as the core and pok3r - this would be great, programming this board is a PITA

ChaoticEnigma commented 6 years ago

I don't have access to a Vortex Race 3, and I'm not sure my usual avenue of attack for cracking the firmware is available (yet). You may be able to help me out with that if you could find the USB VID (vendor ID) and PID (product ID) of the Race3. It should be a quick google for your platform.

TsFreddie commented 6 years ago

I just checked for you. VID_04D9, PID_0192. It would be nice if OP can confirm.

ChaoticEnigma commented 6 years ago

That is good news. In that case, I already have the firmware for the Race 3. On Vortex's website, they added a firmware updater for the "New 75", which I suspected might be the Race 3. I'll add it to the firmware disassembly in this repository.

TsFreddie commented 6 years ago

I can confirm that IS the race 3. It is really confusing how they are marketing/naming their devices.

floodedcodeboy commented 6 years ago

So what's the action from that? Is there anything owners of a Race 3 could do to help? :D

H-SG commented 6 years ago

I'd also be interested in helping, I recently received a Race 3 and it inherited some annoying quirks from the pok3r

ChaoticEnigma commented 6 years ago

The Race 3 seems to have near identical hardware and firmware to other vortex keyboards, so it will be supported by the firmware I am writing for all the vortex boards. (ChaoticConundrum/tmk_pok3r). It will just require a different key and LED matrix mapping.

drewcassidy commented 6 years ago

I'm looking at getting the Race 3 and would love to be able to remap some keys (without having to keep it in a different layer with that LED on all the time). I've had some experience with ARM chips and might be able to help, since I do have an SWD programmer.

I was just doing a half-assed attempt at finding the key codes in the firmware updater, but I don't know what's Windows executable and what's the firmware itself.

ChaoticEnigma commented 6 years ago

I can help with the firmware. Don't bother with the updater executables: (a) it is mostly Windows junk, and (b) the firmware is encrypted anyway. pok3rtool has a handy decode command for getting the firmware out of the executables. Like so: pok3rtool decode vendor/vortex/RACE_V124.exe race_v124.bin

I also have a tool that makes disassembling firmware for reverse engineering much quicker (ChaoticConundrum/reassemble). Here's the extracted, disassembled firmware: race_v124.zip With the files in that zip, you can do reassemble -O -a 0x3400 -s symbols.sym -d data.sym race_v124.bin race_v124.s (obviously fix paths and such), which will write the disassembly to race_v124.s.

If you'd like to help, one thing I need for the Race3 is a copy of the bootloader. Basically, a patch needs to be made for the firmware that will allow pok3rtool to read the bootloader out of the flash. See the pok3r_rgb and vortex_core patched firmware in the disassemble directory. If you can find the same function in the race firmware, and apply a similar patch, pok3rtool can read out the bootloader with pok3rtool dump.

I know that's a lot of information, but I've been doing this a while. Let me know if you have any questions at all.

barrar commented 6 years ago

I just received a Race 3. I already disassembled the hardware and started looking into how to install custom firmware. I have worked with QMK on ChibiOS before, using a Teensy LC ARM. I'll try to grab the bootloader.

barrar commented 6 years ago

Some pictures of the Vortex Race 3; couldn't find any good ones online: https://imgur.com/a/ydyg3

ChaoticEnigma commented 6 years ago

Nice pictures, looks a lot like the Core. I fiddled with the Race3 firmware a bit, and I think I've written a correct patch. Here's the source (search for PATCH) and the binary: v124.zip.

The first thing to do is test if the Race3 uses the same protocol, so first try pok3rtool version -t race3. If that gives you a version (like V1.02.04), then you can try the next step.

There is a small risk of bricking the keyboard here if something is wrong/different than I expect. I think at worst, the keyboard wouldn't be able to be updated again (we're changing the update code).

The binary above should be loaded onto the Race3 with pok3rtool flash -t race3 "V124" race_v124.bin (if it fails once, you can try a second time. The pok3r rgb can be finicky here for some reason).

If that goes well, try:

pok3rtool version -t race3 (should show V124)
pok3rtool dump -t race3 race3_dump.bin (should print a bunch of hex)

And if anything doesn't go well (or it does), post the log files here. If you get through all those commands, post race3_dump.bin.

Good luck!

barrar commented 6 years ago

I'm using VMWare, so I have to reconnect it every time the USB loses connection. I know it's not the best but it works... It looks like a command fails at "[00:00:08:840] E open error". It still reads back "[00:00:00:012] N Version: V124".


jeremiah@ubuntu:~/Desktop/pok3r_re_firmware/pok3rtool$ sudo ./pok3rtool flash -t race3 "V124" race_v124.s.bin 
[00:00:00:000] E WARNING: THIS TOOL IS RELATIVELY UNTESTED, AND HAS A VERY REAL RISK OF CORRUPTING YOUR KEYBOARD, MAKING IT UNUSABLE WITHOUT EXPENSIVE DEVELOPMENT TOOLS. PROCEED AT YOUR OWN RISK.
[00:00:00:001] E Type "OK" to continue:
OK
[00:00:01:853] N Proceeding...
[00:00:01:859] N Opened Vortex Race 3 (bootloader)
[00:00:01:859] N Update Firmware: race_v124.s.bin
[00:00:01:865] N Current Version: CLEARED
[00:00:01:910] N Firmware CRC: 7b9a2770
[00:00:01:975] N Current CRC: 1fcc5ad9
[00:00:01:975] N Erase...
[00:00:04:571] N Write...
[00:00:06:759] N New CRC: 7b9a2770
[00:00:06:796] N Write Version...
[00:00:06:835] N New Version: V124
[00:00:06:836] N Reset to Firmware
[00:00:08:840] E open error
[00:00:08:841] N false
jeremiah@ubuntu:~/Desktop/pok3r_re_firmware/pok3rtool$ sudo ./pok3rtool version -t race3
[00:00:00:005] N Opened Vortex Race 3
[00:00:00:012] N Version: V124
jeremiah@ubuntu:~/Desktop/pok3r_re_firmware/pok3rtool$

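A small parser for the pok3rtool session above, added here as an example (it is not part of pok3rtool or this repository): it pulls out the CRCs and version the tool reports and separates the expected post-reset "open error" (the bootloader and main firmware enumerate with different PIDs, as noted in the reply) from any other failure, so a flash log can be checked before moving on to the dump. The "[HH:MM:SS:mmm] <level> <message>" line format is assumed from the pasted output.

```python
import re

# pok3rtool log lines look like "[HH:MM:SS:mmm] <level> <message>"; format assumed from the session above.
LOG_RE = re.compile(r"^\[(\d{2}):(\d{2}):(\d{2}):(\d{3})\]\s+([NE])\s+(.*)$")

# Sample input: the flash session copied from the comment above (prompt and typed "OK" included).
SAMPLE_LOG = """\
jeremiah@ubuntu:~/pok3rtool$ sudo ./pok3rtool flash -t race3 "V124" race_v124.s.bin
[00:00:00:000] E WARNING: THIS TOOL IS RELATIVELY UNTESTED, AND HAS A VERY REAL RISK OF CORRUPTING YOUR KEYBOARD, MAKING IT UNUSABLE WITHOUT EXPENSIVE DEVELOPMENT TOOLS. PROCEED AT YOUR OWN RISK.
[00:00:00:001] E Type "OK" to continue:
OK
[00:00:01:853] N Proceeding...
[00:00:01:859] N Opened Vortex Race 3 (bootloader)
[00:00:01:859] N Update Firmware: race_v124.s.bin
[00:00:01:865] N Current Version: CLEARED
[00:00:01:910] N Firmware CRC: 7b9a2770
[00:00:01:975] N Current CRC: 1fcc5ad9
[00:00:01:975] N Erase...
[00:00:04:571] N Write...
[00:00:06:759] N New CRC: 7b9a2770
[00:00:06:796] N Write Version...
[00:00:06:835] N New Version: V124
[00:00:06:836] N Reset to Firmware
[00:00:08:840] E open error
[00:00:08:841] N false
"""

def parse_pok3rtool_log(text):
    """Return (t_ms, level, msg) tuples; shell prompts and typed input carry no timestamp and are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            h, mi, s, ms = (int(x) for x in m.groups()[:4])
            out.append((((h * 60 + mi) * 60 + s) * 1000 + ms, m.group(5), m.group(6)))
    return out

def summarize_flash(records):
    """Collect what to check after a flash: the image CRC must equal the CRC read back,
    a version must have been written, and the only error should be the re-open after
    reset (expected, since the bootloader and main firmware use different USB PIDs)."""
    def field(prefix):
        return next((msg[len(prefix):].strip() for _, _, msg in records if msg.startswith(prefix)), None)
    errors = [msg for _, lvl, msg in records
              if lvl == "E" and not msg.startswith(("WARNING", "Type "))]
    fw, new = field("Firmware CRC:"), field("New CRC:")
    return {"firmware_crc": fw, "new_crc": new, "crc_match": fw is not None and fw == new,
            "new_version": field("New Version:"), "errors": errors,
            "only_reopen_error": errors == ["open error"],
            "elapsed_ms": records[-1][0] - records[0][0] if records else 0}
```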
ChaoticEnigma commented 6 years ago

Yes, the USB PID is different in the bootloader and the main firmware, so you need two separate rules in VMWare. But that output looks very good, you can try the dump.

barrar commented 6 years ago

Here is the dump and disassembled code Desktop.zip

ChaoticEnigma commented 6 years ago

OK, I've looked it over a bit and added some disassembly under disassemble/race3/bootloader. It looks perfect, so I can check that off the list. The purpose of this whole exercise is to be able to disable the flash protection so a debugger can be used, by mass erasing the microcontroller, without losing the bootloader.

barrar commented 6 years ago

Any advice on editing the key map? Should I buy a JTAG device or a raspberry pi?

ChaoticEnigma commented 6 years ago

Well, I am working on porting ChibiOS/TMK, but I do not know how long it will take to test a new USB stack.

I have focused most of my disassembly effort on USB and update protocol, so I do not know much about the key mapping. I think the rows/columns are mapped by a list of GPIO registers/port bitmasks. I expect there is a default keymap somewhere, which is copied to the external flash. Probably, after the flash is initialized, the keymap is read from the flash.

If you want to work on disassembly, I identified some functions for reading/writing flash in the POK3R V117 firmware. You could start from there, and work backwards.