SK108 - gloryhzw/qmk_tool GitHub Wiki

Spec

  • MCU: STM32L562RE 512 KB flash + 256 KB SRAM (according to the pcb designer, only some L5 batches since too pricey now)
  • LED
    • 108 keys: IS31FL3741A x1 I2C
    • 18 underglows: MCU-controlled WS2812B 3+3+6*2 = 18

Actually, the keyboard is a SK108 MAX according the IAP PID. The original got STM32F411 mcu.

SWD Pads

Method Status
High boot0 pin NG. RDP lv 2.
SWD attach at reset NG. RDP lv 2. No SWD.
Analyze GD firmware update protocol Done. The GDS is protected by .NET reactor 6.x. By de4dot it, the IAP protocol is clear. A simple loop for writing 128KB FW in 64-byte packets.
Decrypt stock firmware Ongoing. The decryption is in the keeb side. Only a 16-byte decrypt clue in the GDS for FW version, VID/PID, CHECKSUM. 4+8+4 = 16.

Note 1.

  • there is a way to enter IAP (In-Application Programming): press A+S+D+F before plugin

21 bytes command packet OUT to EP 3, and 21 bytes IN (0x83 ep)

Encryption (XOR byte by byte)

Normal mode (report id 4, 20B packet) VID 0x31D6 PID 0x0078

  • Write [142, 150, 206, 106, 242, 114, 153, 72, 88, 97, 39, 88, 232, 154, 127, 1, 149, 238, 237, 47]
  • Read [106, 109, 100, 102, 63, 46, 240, 67, 10, 65, 234, 143, 43, 252, 224, 231, 213, 82, 123, 165]

IAP mode (report id 0, 64B packet) VID 0x31D6 PID 0x0079

  • Write NA
  • Read XOR key, but not used (protocol keeb no response)
  public enum MASTER_CMD
  {
    DRIVER_INIT = 0,
    SLAVE_INIT = 1,
    DEV = 2,
    KEY = 3,
    KEY_SEQ = 4,
    MB = 5,
    MB_EQ = 6,
    MA = 7,
    MT = 8,
    ME = 9,
    ME_SEQ = 10, // 0x0000000A
    MC = 11, // 0x0000000B
    KEY_LAYER = 12, // 0x0000000C
    INDICATOR = 13, // 0x0000000D
    BAT = 177, // 0x000000B1
    KEY_M1_CRC = 193, // 0x000000C1
    KEY_M2_CRC = 194, // 0x000000C2
    ME_CRC = 197, // 0x000000C5
    FACTORY_RESET = 204, // 0x000000CC
    IAP_MODE = 221, // 0x000000DD   // send report 4. packet 8, 221, xxx to keeb (before encrypt)
    HOOK_OP = 225, // 0x000000E1
    HOOK_ED = 226, // 0x000000E2
    DRIVER_OP = 241, // 0x000000F1
    DRIVER_ED = 242, // 0x000000F2
    FN_OP = 243, // 0x000000F3
    FN_ED = 244, // 0x000000F4
    PLAY_NEXT = 245, // 0x000000F5
    PLAY_PREVIOUS = 246, // 0x000000F6
    PLAY_PAUSE = 247, // 0x000000F7
    SAVE_END = 254, // 0x000000FE
  }

			array[114, 0] = "vid_31d6";
			array[114, 1] = "pid_0078"; // Normal mode PID
			array[114, 2] = "mi_02";
			array[114, 3] = "4"; // Normal mode report id = 4
			array[115, 0] = "vid_31d6";
			array[115, 1] = "pid_0079"; // IAP mode PID
			array[115, 2] = "";
			array[115, 3] = "0"; // IAP report id = 0

References

SK108 L5 IS31FL3741A PCB