Trying to reverse engineer the DK63 keyboard from Dierya / Kemove

DK63 Firmware Reverse Engineering

This project aims to reverse engineer the Kemove / DIERYA DK63 to get QMK running on it. Use this information at your own risk. I'm not liable if you break something.

Keyboard

Tasks

  • Identify MCU VS11K09A-1 / Sonix SN32F248BF
  • Find data sheet VS11K09A-1 / Sonix SN32F248B
  • Find SDK and dev tools
  • Get SWD working
  • Ability to flash firmware
  • Get original firmware
  • Enable SWD in current firmware
  • Port ChibiOS to Sonix SN32F248BF (porting guide)
    • Get compiler to work with SN32F248BF Keil packs
    • USB LLD
    • GPIO LLD
    • UART LLD
    • Timers LLD
    • SPI LLD
    • I2C LLD
  • Get QMK firmware working
  • Dump original bootloader

Chips

Evision VS11K09A-1 Debug Recovery Mode / SWD

  1. Hook up SWCLK, SWDIO, and ground using the test points outlined in the connections below.
    • Note: These pins are being used by the MCU to control functionality. I'm trying to enable SWD in the default firmware to debug without Debug Recovery Mode.
  2. Hook up the other ends of the wires to your debugger. I used a Raspberry Pi 3 and the ST-Link V2.
  3. Using the ground point, hold the boot pin to ground while turning on the power.

LEDs

They seem to be driven by GPIO and transistors.

  • Figure out pin map and matrix
  • Caps lock LED

Bluetooth

Appears to be another ARM Cortex-M0 MCU with UART and GPIO.

  • SWD debugging
  • Pin map to main MCU

Extract default dk63 firmware.hex

  1. Download Resource Hacker (not sure of a Mac or Linux variant).
  2. Download the Firmware Update tool.
  3. Extract the firmware .rar and open the .exe in Resource Hacker.
  4. Look for RCData 4000:0; this is the firmware hex file.
  5. Right-click on 4000:0 and choose Save Resource to BIN file.
  6. Save the firmware so it can be examined or uploaded.
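Once the RCData resource is saved, it is worth confirming that it is a well-formed Intel HEX image and that it starts with a plausible Cortex-M0 vector table before examining or flashing it. The following is an added example, not code from this repository: the HEX records are constructed stand-ins (not the real DK63 firmware), and the SRAM window used for the stack-pointer check is an assumption.

```python
import struct

# Constructed sample standing in for the extracted firmware.hex (NOT the real
# DK63 image): a Cortex-M0 vector table at 0x0 with initial SP 0x20002000,
# reset handler 0x000000C1 (Thumb bit set) and NMI handler 0x000000D1.
SAMPLE_HEX = """\
:020000040000FA
:0800000000200020C1000000F7
:04000800D100000023
:00000001FF
"""

def parse_intel_hex(text):
    """Parse Intel HEX records into {absolute_address: byte}.
    Raises ValueError on a bad checksum or a malformed record."""
    mem = {}
    upper = 0  # extended linear/segment address from record types 04/02
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: missing ':' start code")
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF != 0:  # all bytes incl. checksum sum to 0 mod 256
            raise ValueError(f"line {lineno}: checksum mismatch")
        count, offset, rtype = raw[0], struct.unpack(">H", raw[1:3])[0], raw[3]
        data = raw[4:4 + count]
        if len(data) != count:
            raise ValueError(f"line {lineno}: byte count mismatch")
        if rtype == 0x00:
            for i, b in enumerate(data):
                mem[upper + offset + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x04:
            upper = struct.unpack(">H", data)[0] << 16
        elif rtype == 0x02:
            upper = struct.unpack(">H", data)[0] << 4
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return mem

def flatten(mem, fill=0xFF):
    """Flat image from the lowest address up; gaps filled with erased-flash 0xFF."""
    base = min(mem)
    return base, bytes(mem.get(a, fill) for a in range(base, max(mem) + 1))

def vector_table(image):
    """Sanity-check the first two words as a Cortex-M0 vector table."""
    sp, reset = struct.unpack("<II", image[:8])
    return {"initial_sp": sp, "reset_vector": reset,
            "reset_is_thumb": bool(reset & 1),          # Thumb handlers are odd
            "sp_in_sram": 0x20000000 <= sp < 0x20100000}  # assumed SRAM window
```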

Firmware Flash

  1. Download the USB MCU ISP tool.
  2. Open the program and click Load File.
  3. Select SN32F4xB and then the firmware file.
  4. The VID should already be 0C45; enter 766B for the PID.
  5. Click Start.
  6. Profit!

ST-Link V2

  • I was not able to get this to work with the st-link software on windows.
  • I did manage to get it to work with openocd using this config
  • Working on the SN32F24X config here

Firmware Dump

GDB Recovery Mode

  1. set $pc=0x1FFF0301
  2. cont

Docker

Tools

Links

Firmware Updater Executable Analysis https://www.hybrid-analysis.com/sample/21cf79c4f5982e0d73e8269c03a043f16898292920074491d5452eea5155e1eb?environmentId=100

VS11K09A-1 VS 32-Bit Cortex-M0 Micro-Controller http://evision.net.cn/include/upload/kind/file/20190413/20190413174647_5965.pdf

DEF CON 26 IoT VILLAGE - Dennis Giese - How to modify ARM Cortex M based firmware A step by step app https://www.youtube.com/watch?v=Qvxa6o2oNS0

BalCCon2k16 - Travis Goodspeed - Nifty Tricks for ARM Firmware Reverse Engineering https://www.youtube.com/watch?v=GX8-K4TssjY

Getting STLink V2 Serial Number https://armprojects.wordpress.com/2016/08/21/debugging-multiple-stm32-in-eclipse-with-st-link-v2-and-openocd/

SUE 2017 - Reverse Engineering Embedded ARM Devices - by pancake https://www.youtube.com/watch?v=oXSx0Qo2Upk

Analyzing Keyboard Firmware https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-2 https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-3

Hacking the fx-CP400 https://the6p4c.github.io/2018/01/15/hacking-the-gc-part-1.html

Raspberry PI OpenOCD SWD / JTAG https://iosoft.blog/2019/01/28/raspberry-pi-openocd/

OpenOcd Creating Flash Drivers https://github.com/doctek/COOCDFlash/wiki/Creating-and-using-flash-drivers

Stack Exchange ARM Firmware Reverse Engineering Walkthrough https://reverseengineering.stackexchange.com/questions/15311/running-a-binary-identified-as-an-arm-excutable-by-binwalk-disasm/15317 https://reverseengineering.stackexchange.com/questions/15006/approach-to-extract-useful-information-from-binary-file

QMK Nuvoton Port PR [qmk/ChibiOS-Contrib#10]
