04-05-2020, 08:13 PM
(01-15-2020, 05:17 PM)resistanceisfutile Wrote: How I suspect the keyboard and touchpad firmware update process works:
According to the SH68F83 datasheet, two flashing modes are described. ICP (JTAG) after an undocumented waveform is modulated - followed by the flash - the protocol also undocumented. Another mode, SSP (Self-Sector Programming) is described. This mode is performed by code running on the 8051 MCU, and would thus require said code to be part of the firmware image.
- A firmware fw_tp_update.hex is flashed to the SH68F83. This firmware appears to be named XW-TPUTOOL_TV3-US-H1-12-00.
- The touchpad update firmware receives tpfw.bin over USB and then flashes it to the touchpad IC (likely over i2c at 400KHz, but could be some OOB bitbang over the i2c bus)
- The fw_ansi.hex or fw_iso.hex are then flashed back to the SH68F83.
Disassembly of the 8051 code in the available images has so far been fruitless. The SH68F83 has many application-specific SFRs that - while listed in the datasheet - do not appear in any of the disassemblies I have tried (after modifying a disassembler to print their names).
If SSP mode is being used, then there should be code in the firmware images that more or less does the following:
- Get a block of data from the USB transceiver, using the TX* and RX* SFRs.
- Fill the XPAGE, IB_OFFSET, and IB_DATA SFRs with the flash sector, offset into the sector, and data to write.
- Kick off a state "gate" by sequentially filling IB_CON1, IB_CON2, IB_CON3, IB_CON4, and IB_CON5 with magic numbers.
Another theory is that there is perhaps an undocumented USB flashing mode and the updater tool (which I've been told was derived from a mysterious reverse-engineered? windows-based flash tool).
I've been attempting to understand the disassembled firmware and have made some progress in understanding the update mechanism. I'm documenting in detail what I've done in my fork of Jack Humbert's fork of the keyboard updater utility where he started doing some disassembly and reverse engineering mostly to understand the keycodes and generate custom mappings.
I've determined that 0x3000 - 0x4000 in the keyboard firmware is responsible for handling the firmware updates and specifically the function at 0x3D3C starts the SSP mode, going through all the IB_CON steps. I'm trying to get a better idea of the whole update procedure before I go on trying to understand the touchpad communication since the update mechanism will determine how risky updating the firmware with custom code will be. Having access to the ICP documentation would definitely make this less necessary but right now I feel this is the only way to determine how easily we can test new firmware that touches actual logic (as opposed to just the mostly data patches made so far by Jack Humbert) without bricking the keyboard and touchpad.
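As an added example (not code from this thread, the updater utility, or its forks): a small Python helper that parses an Intel HEX image, verifies record checksums, and scans the 0x3000-0x4000 region for runs of consecutive 8051 `MOV direct,#imm` (opcode 0x75) writes into SFR space, the footprint the sequential IB_CON1..IB_CON5 fill would leave. The hex records and the SFR addresses in them are constructed placeholders, not the SH68F83's real register map.

```python
from typing import Dict, List, Tuple

# Constructed Intel HEX fragment (not the real fw_tp_update.hex): eight 8051
# "MOV direct,#imm" (opcode 0x75) instructions at 0x3D3C followed by RET;
# SFR addresses 0x90-0x92 and 0xA1-0xA5 are placeholders, not the SH68F83 map.
SAMPLE_HEX = """\
:03010000020050AA
:103D3C007590307591007592AA75A10175A20275E6
:093D4C00A30375A40475A505226A
:00000001FF
"""

def parse_ihex(text: str) -> Dict[int, int]:
    """Parse I8HEX records (type 00 data, 01 EOF) into {address: byte}."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(":"):
            continue
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:  # every byte incl. checksum must sum to 0 mod 256
            raise ValueError(f"bad checksum in record {line}")
        length, addr, rtype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        if len(raw) != length + 5:
            raise ValueError(f"bad length in record {line}")
        if rtype == 0x01:
            break
        if rtype == 0x00:
            for i, b in enumerate(raw[4:4 + length]):
                mem[addr + i] = b
    return mem

def find_sfr_write_runs(mem: Dict[int, int], start: int, end: int,
                        min_run: int = 5) -> List[List[Tuple[int, int, int]]]:
    """Linear scan for runs of 0x75 <direct> <imm> with direct in SFR space
    (0x80-0xFF). Heuristic, not a disassembly: a 0x75 inside another
    instruction's operands can fake a run, so confirm hits in the disassembler."""
    runs, run, a = [], [], start
    while a < end:
        direct, imm = mem.get(a + 1, 0), mem.get(a + 2)
        if mem.get(a) == 0x75 and direct >= 0x80 and imm is not None:
            run.append((a, direct, imm))  # (code address, SFR address, value)
            a += 3
            continue
        if len(run) >= min_run:
            runs.append(run)
        run, a = [], a + 1
    if len(run) >= min_run:
        runs.append(run)
    return runs
```

On the constructed image this reports one run of eight SFR writes starting at 0x3D3C; on a real dump the same scan gives candidate addresses to check in the disassembler for the XPAGE/IB_OFFSET/IB_DATA fill and the IB_CON sequence.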