Touchpad, Keyboard, I2C oh my.
#1
As of the latest firmware update for the keyboard and touchpad that is miles better for the keyboard, users have been reporting a sort of input lag with the touchpad. With the right libinput tweaks, it is a little annoying but usable.

I too did some experimenting, but did not get very far.

The keyboard is driven by the SH68F83, which presents two interfaces over USB - one for keyboard and one for touchpad. The touchpad is connected to the SH68F83 over an i2c bus. An eeprom is also connected to the SH68F83 i2c bus and is used only for persisting the kill switches states. When the touchpad is touched, interrupts are fired alerting the SH68F83 to read registers and proxy data back to the OS over USB.


@xalius has been attempting to reverse the the firmware that runs on the SH68F83, a USB/keyboard MCU with an 8051 core.

How I suspect the keyboard and touchpad firmware update process works:
  1. A firmware fw_tp_update.hex is flashed to the SH68F83. This firmware appears to be named XW-TPUTOOL_TV3-US-H1-12-00.
  2. The touchpad update firmware receives tpfw.bin over USB and then flashes it to the touchpad IC (likely over i2c at 400KHz, but could be some OOB bitbang over the i2c bus)
  3. The fw_ansi.hex or fw_iso.hex are then flashed back to the SH68F83.
According to the SH68F83 datasheet, two flashing modes are described. ICP (JTAG) after an undocumented waveform is modulated - followed by the flash - the protocol also undocumented. Another mode, SSP (Self-Sector Programming) is described. This mode is performed by code running on the 8051 MCU, and would thus require said code to be part of the firmware image.
Dissassembly of the 8051 code in the available images has so far been fruitless. The SH68F83 has many application-specific SFRs that - while listed in the datasheet - do not appear in any of the dissassemblies I have tried (after modifying a disassembler to print their names).

If SSP mode is being used, then there should be code in the firmware images that more or less does the following:
  • Get a block of data from the USB transceiver. Using the TX* and RX* SFRs.
  • Fill XPAGE, IB_OFFSET, and IB_DATA SFRs with the flash sector, offset into the sector, and data to write.
  • Kick off a state "gate" by sequentially filling IB_CON1, IB_CON2, IB_CON3, IB_CON4, and IB_CON5 with a magic numbers.
Another theory is that there is perhaps an undocumented USB flashing mode and the updater tool (which I've been told was derived from a mysterious reverse-engineered? windows-based flash tool).

Access to the i2c bus is available on the touchpad. Can access the eeprom here too. I forgot to mark V33 (3.3V) is the pad next to D1.

[Image: yYI8392.jpg]

From the factory, the eeprom is erased (all 0xFF). What this tells us is the firmware running the SH68F83 is checking for 0xFF at address 0x00 of the eeprom and ensuring none of the kill switches are enabled.

The 3 LSBs of address 0x00 in the eeprom correspond to the state of the kill switches:
Pine+F10 = Bit 1
Pine+F11 = Bit 2
Pine+F12 = Bit 3

All other bits will be zero. Once a kill switch is pressed, the 3 LSBs will hold the state of each switch and the rest of the bits will remain zero forever. High = kill switch enabled, Low = disabled.

When the system boots, the SH68F83 firmware accesses the eeprom to read these 3 bits. This occurs regardless of what is happening with the SoC.

All I have is a Bus Pirate - and it's not fast enough to sniff even the 100KHz i2c. I was able to capture partial data from both the eeprom accesses and from the touchpad. However, the flash operation over i2c (or OOB something?) was either running at 400KHz or it's not i2c. The idea is to get a dump of what gets sent to the touchpad IC during step-2 of the firmware updater tool, as that is when i saw the largest burst of traffic over i2c.

Regarding the touchpad IC. The spec sheet from the pinebookpro wiki says the touchpad is using a PCT1336QN - for which a datasheet is available. It is a QFN48. Even though the pcb is the same model number, they're not using a PCT1336QN. It's a QFN40 part number HLK H2168. Searches for any information on this part have come up with nothing. No idea what it is. And without a $400 Saleae, I've exhausted my options.

Hoping somebody with more toys and experience can pick up from here? Here's what we're hoping for:
  • A proper dissassembly of the SH68F83's 8051 code from the firmware .hex files.
  • A dump of sniffed i2c traffic during a firmware update of the touchpad.
  • A dump of sniffed i2c traffic while using the touchpad, with correlation to what was happening on the touch pad (tapping, two fingers, scroll, pressing the buttons, etc.)
  • What the heck is the HLK H2168? Datasheets or any info anyone can find about this chip are greatly appreciated.

Additional note: I found the bCountryCode byte in both the ISO and ANSI firmwares in what I think is what the datasheet refers to as the "Information Block", which could be useful. Gave @xalius a link to my patched firmwares for testing. This could be helpful in terms of further updates - the flasher tool could detect the country code and thus eliminate the need to specify it when running the update.


Messages In This Thread
Touchpad, Keyboard, I2C oh my. - by resistanceisfutile - 01-15-2020, 05:17 PM
RE: Touchpad, Keyboard, I2C oh my. - by C_Elegans - 01-15-2020, 06:03 PM
RE: Touchpad, Keyboard, I2C oh my. - by C_Elegans - 01-15-2020, 06:33 PM
RE: Touchpad, Keyboard, I2C oh my. - by C_Elegans - 01-16-2020, 10:03 AM
RE: Touchpad, Keyboard, I2C oh my. - by C_Elegans - 01-16-2020, 12:01 PM
RE: Touchpad, Keyboard, I2C oh my. - by akirakyle - 04-05-2020, 08:13 PM

Possibly Related Threads…
Thread Author Replies Views Last Post
  Yet another new Pinebook keyboard problem MikoBob 3 381 09-11-2024, 07:05 AM
Last Post: MikoBob
  Pinebook Pro Revised Keyboard Firmware jackhumbert 73 145,686 09-13-2023, 03:43 AM
Last Post: k3dAR
  Separate ISO keyboard for PBP Besouro 0 998 06-04-2023, 02:51 PM
Last Post: Besouro
  Touchpad Issues - August 2022 Run SteveCaruso 5 3,636 12-14-2022, 11:00 PM
Last Post: doug
Information Keyboard Duplicate Keypress Fix RjraymondDuplicate 0 1,277 02-17-2022, 11:52 PM
Last Post: RjraymondDuplicate
  keyboard and usb ports not working User 24565 3 3,176 02-15-2022, 10:12 AM
Last Post: wdt
  Replacing the Keyboard gabb 6 7,378 01-11-2022, 07:39 AM
Last Post: Valenoern
  power on PBP if your keyboard is dead? stozi 0 1,525 11-29-2021, 01:55 PM
Last Post: stozi
  Replacement scissor switches (ANSI keyboard)? zackw 3 4,400 08-09-2021, 09:20 PM
Last Post: tllim
  Touchpad notchy on new 2021 pinebook pro Neilcob 21 22,457 07-28-2021, 09:14 AM
Last Post: dsimic

Forum Jump:


Users browsing this thread: 1 Guest(s)