Hmm, hacking away. I thought the update process spewed out the number of the chip, I should have captured the output. The writes are done I think in usb_keyboard.c in a function called write_kb_fw(). So I gutted it to disable the write for testing.
But that disables too much, now when it runs I only see
Somewhere in there it reads some stuff from the flash and writes to the screen, maybe if I disable from "flash erase" to the end?
Well, no, it just shows a bunch of addresses. If there's a chip number it's not in the beginning of step 1. I thought I saw one somewhere in the process.
There's a step to unlock or whatever the USB, if you take that out the keyboard and touchpad are disabled. But I read it, and connected from a phone by ssh to do a screenshot and reboot.
Code:
int write_kb_fw(const unsigned char *data, int data_length) {
// dummy function
return 0;
}
int write_kb_fw0(const unsigned char *data, int data_length) // renamed
{
unsigned char hex_file[MAX_BINLEN];
unsigned char read_hex_file[MAX_BINLEN];
int hex_file_length;
int rc;
int try;
hex_file_length = read_hexdata(data, data_length, hex_file);
if (hex_file_length <= 0) {
printf(">>> Failed to read: %d\n", data_length);
return -1;
}
switch_to_boot_mode();
printf("
[*] Opening in boot mode\n");
for (try = 0; try < 20; try++) {
rc = open_boot_mode();
if (rc >= 0) {
break;
}
usleep(100*1000);
}
if (try == 20) {
printf(">>> Failed to open in boot mode\n");
goto finish;
}
unsigned char reportData[6] = {
0x5, 0x45, 0x45, 0x45, 0x45, 0x45
};
// flash erase
printf("
[*]Erasing flash\n");
rc = libusb_control_transfer(devh, 0x21, 0x09, 0x0305, 0,
reportData, sizeof(reportData), 100);
if (rc < 0) {
printf("failed to erase flash\n");
goto finish;
}
sleep(2);
printf("
[*]Writing firmware...\n");
// write FW
for (try = 0; try < 5; try++) {
rc = write_bulk(hex_file, hex_file_length);
if (rc == 0) {
break;
}
}
if (try == 5) {
printf("too many tries\n");
rc = -1;
goto finish;
}
printf("
[*]Reading back firmware...\n");
// read FW
for (try = 0; try < 5; try++) {
rc = read_bulk(read_hex_file, hex_file_length);
if (rc == 0) {
break;
}
}
if (try == 5) {
printf("too many tries\n");
rc = -1;
goto finish;
}
printf("
[*]Comparing firmwares...\n");
if (memcmp(hex_file, read_hex_file, 0x37fb)) {
printf("FATAL ERROR FW does differ\n");
for (int i = 0; i < hex_file_length; i++) {
if (hex_file[i] == read_hex_file[i]) {
continue;
}
printf(">>> 0x%04x] %02x != %02x\n", i, hex_file[i], read_hex_file[i]);
}
rc = -1;
goto finish;
}
#if 0
printf("
[*]Writing serial number...\n");
write_serial_number(1, 0x4100);
if (rc < 0) {
goto finish;
}
#endif
printf("
[*]Reseting device?\n");
reset_device();
printf("
[*]Finished succesfully!\n");
finish:
close_usb();
return rc;
}But that disables too much, now when it runs I only see
Code:
Running STEP-1...
[*]Flashing keyboard updater firmware...
[*]Please reboot now, and run `step-2`.Somewhere in there it reads some stuff from the flash and writes to the screen, maybe if I disable from "flash erase" to the end?
Well, no, it just shows a bunch of addresses. If there's a chip number it's not in the beginning of step 1. I thought I saw one somewhere in the process.
There's a step to unlock or whatever the USB, if you take that out the keyboard and touchpad are disabled. But I read it, and connected from a phone by ssh to do a screenshot and reboot.