SK108 - gloryhzw/qmk_tool GitHub Wiki
Spec
- MCU: STM32L562RE, 512 KB flash + 256 KB SRAM (according to the PCB designer, only some batches use the L5, since it is too pricey now)
- LED
- 108 keys: IS31FL3741A x1 I2C
- 18 underglows: MCU-controlled WS2812B 3+3+6*2 = 18
Actually, the keyboard is an SK108 MAX according to the IAP PID. The original SK108 has an STM32F411 MCU.
Method | Status
---|---
High BOOT0 pin | NG. RDP level 2.
SWD attach at reset | NG. RDP level 2. No SWD.
Analyze GD firmware update protocol | Done. The GDS is protected by .NET Reactor 6.x. After running it through de4dot, the IAP protocol is clear: a simple loop that writes the 128 KB firmware in 64-byte packets.
Decrypt stock firmware | Ongoing. Decryption happens on the keyboard side. The only clue in the GDS is a 16-byte decrypted block holding FW version, VID/PID and checksum (4+8+4 = 16).
Note 1.
- There is a way to enter IAP (In-Application Programming): hold A+S+D+F before plugging in.
- 21-byte command packets go OUT to EP 3, and 21-byte replies come IN on EP 0x83.
Encryption (XOR byte by byte)
Normal mode (report id 4, 20B packet) VID 0x31D6 PID 0x0078
- Write [142, 150, 206, 106, 242, 114, 153, 72, 88, 97, 39, 88, 232, 154, 127, 1, 149, 238, 237, 47]
- Read [106, 109, 100, 102, 63, 46, 240, 67, 10, 65, 234, 143, 43, 252, 224, 231, 213, 82, 123, 165]
IAP mode (report id 0, 64B packet) VID 0x31D6 PID 0x0079
- Write: N/A
- Read: an XOR key exists but is not used (the keyboard does not respond on this protocol)
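An added example (not from the wiki or the vendor driver) that implements the XOR layer described above with the two 20-byte keys. It assumes the 21-byte HID report is one report-id byte followed by the 20-byte payload, and shows why a fixed byte-wise XOR key gives no confidentiality: a single known plaintext, or even zero padding, reveals the key.

```python
"""XOR packet layer of the SK108 normal-mode HID protocol (report id 4, 20-byte payload)."""

# 20-byte XOR keys copied from the wiki notes above.
WRITE_KEY = bytes([142, 150, 206, 106, 242, 114, 153, 72, 88, 97,
                   39, 88, 232, 154, 127, 1, 149, 238, 237, 47])
READ_KEY = bytes([106, 109, 100, 102, 63, 46, 240, 67, 10, 65,
                  234, 143, 43, 252, 224, 231, 213, 82, 123, 165])
NORMAL_REPORT_ID = 4   # from the notes
PAYLOAD_LEN = 20       # from the notes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key byte by byte; the same function encrypts and decrypts."""
    if len(data) != len(key):
        raise ValueError(f"expected {len(key)} bytes, got {len(data)}")
    return bytes(d ^ k for d, k in zip(data, key))


def encrypt_out(payload: bytes) -> bytes:
    """Host -> keyboard payload, as the driver sends it."""
    return xor_bytes(payload, WRITE_KEY)


def decrypt_in(payload: bytes) -> bytes:
    """Keyboard -> host payload, as the driver reads it."""
    return xor_bytes(payload, READ_KEY)


def parse_out_report(raw: bytes) -> tuple[int, bytes]:
    """Split a 21-byte OUT report into (report id, decrypted payload).

    Assumption (not stated on the page): byte 0 is the HID report id and the
    remaining 20 bytes are the XOR-encrypted payload.
    """
    if len(raw) != 1 + PAYLOAD_LEN:
        raise ValueError("OUT report must be 21 bytes")
    report_id, body = raw[0], raw[1:]
    if report_id != NORMAL_REPORT_ID:
        raise ValueError(f"unexpected report id {report_id}")
    return report_id, encrypt_out(body)  # XOR is its own inverse


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """A fixed XOR key leaks completely from one known plaintext/ciphertext pair.

    Zero padding is the degenerate case: every 0x00 plaintext byte emits the
    key byte verbatim, which is why this layer offers no confidentiality.
    """
    return xor_bytes(plaintext, ciphertext)
```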
Command enum recovered from the deobfuscated GDS driver:

```csharp
public enum MASTER_CMD
{
    DRIVER_INIT = 0,
    SLAVE_INIT = 1,
    DEV = 2,
    KEY = 3,
    KEY_SEQ = 4,
    MB = 5,
    MB_EQ = 6,
    MA = 7,
    MT = 8,
    ME = 9,
    ME_SEQ = 10,        // 0x0000000A
    MC = 11,            // 0x0000000B
    KEY_LAYER = 12,     // 0x0000000C
    INDICATOR = 13,     // 0x0000000D
    BAT = 177,          // 0x000000B1
    KEY_M1_CRC = 193,   // 0x000000C1
    KEY_M2_CRC = 194,   // 0x000000C2
    ME_CRC = 197,       // 0x000000C5
    FACTORY_RESET = 204, // 0x000000CC
    IAP_MODE = 221,     // 0x000000DD // send report 4, packet 8, 221, xxx to keeb (before encrypt)
    HOOK_OP = 225,      // 0x000000E1
    HOOK_ED = 226,      // 0x000000E2
    DRIVER_OP = 241,    // 0x000000F1
    DRIVER_ED = 242,    // 0x000000F2
    FN_OP = 243,        // 0x000000F3
    FN_ED = 244,        // 0x000000F4
    PLAY_NEXT = 245,    // 0x000000F5
    PLAY_PREVIOUS = 246, // 0x000000F6
    PLAY_PAUSE = 247,   // 0x000000F7
    SAVE_END = 254,     // 0x000000FE
}
```
Device table entries for this keyboard in the same driver:

```csharp
array[114, 0] = "vid_31d6";
array[114, 1] = "pid_0078"; // Normal mode PID
array[114, 2] = "mi_02";
array[114, 3] = "4";        // Normal mode report id = 4
array[115, 0] = "vid_31d6";
array[115, 1] = "pid_0079"; // IAP mode PID
array[115, 2] = "";
array[115, 3] = "0";        // IAP report id = 0
```
References
- https://www.bilibili.com/video/BV1sT4y177EL
- .NET deobfuscator: https://github.com/NotPrab/.NET-Deobfuscator
- de4dot all versions: https://github.com/ipwnosx/de4dot-All-Version-2021
- AES SCA: https://gethypoxic.com/blogs/technical/a-practical-guide-for-cracking-aes-128-encrypted-firmware-updates