鍵盤型號是 Miya68 Pro,PCB 型號是 Miya69-V2.2 (A)。MCU 上的文字是 HSAK3201 ARM。經過一翻努力追蹤,確定 MCU 是 Holtek 出的 HT32F1654。flash 內容是鎖住的,使用 eLink32Pro.exe 對 flash 執行 mass erase 操作後,就可以讀出晶片的資訊了。
在 PCB 上焊一個 4pin 的小接頭,pin 腳的間距是 1.24mm,所以要在原來的兩個孔之間再鑽一個小洞。只接了三條線,e-Link32 lite 和鍵盤各自用自己的電源。
使用 OpenOCD 讀取晶片的資訊。
設定檔 dap-tst.cfg 如下。因為使用 Ubuntu 的 openocd 套件,沒有HT32F1654 的資訊,先用 stm32f1x 的設定來讀資料。若要寫入資料,則需加入 HT32F1654 的資訊。
# openocd -f /app/dap-tst.cfg
adapter driver cmsis-dap
adapter speed 1000
transport select swd
source [find target/stm32f1x.cfg]
執行 openocd 的訊息如下。
# openocd -f /app/dap-tst.cfg
Open On-Chip Debugger 0.11.0
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : CMSIS-DAP: SWD Supported
Info : CMSIS-DAP: FW Version = 1.0.35
Info : CMSIS-DAP: Interface Initialised (SWD)
Info : SWCLK/TCK = 0 SWDIO/TMS = 1 TDI = 0 TDO = 0 nTRST = 0 nRESET = 1
Info : CMSIS-DAP: Interface ready
Info : clock speed 1000 kHz
Info : SWD DPIDR 0x2ba01477
Info : stm32f1x.cpu: hardware has 6 breakpoints, 4 watchpoints
Info : starting gdb server for stm32f1x.cpu on 3333
Info : Listening on port 3333 for gdb connections
使用 telnet 連上 port 4444,執行 dap info 得到的資訊如下。假如還沒解鎖,執行 dap info 會回報錯誤。
/# telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> dap info
AP ID register 0x24770011
Type is MEM-AP AHB3
MEM-AP BASE 0xe00ff003
Valid ROM table present
Component base address 0xe00ff000
Peripheral ID 0x0000000000
Designer ASCII code 0x00, <unknown>
Part is 0x0, Unrecognized
Component class is 0x1, ROM table
MEMTYPE system memory present on bus
ROMTABLE[0x0] = 0xfff0f003
Component base address 0xe000e000
Peripheral ID 0x04002bb000
Designer is 0x4bb, ARM Ltd
Part is 0x0, Cortex-M3 SCS (System Control Space)
Component class is 0xe, Generic IP component
ROMTABLE[0x4] = 0xfff02003
Component base address 0xe0001000
Peripheral ID 0x04002bb002
Designer is 0x4bb, ARM Ltd
Part is 0x2, Cortex-M3 DWT (Data Watchpoint and Trace)
Component class is 0xe, Generic IP component
ROMTABLE[0x8] = 0xfff03003
Component base address 0xe0002000
Peripheral ID 0x04002bb003
Designer is 0x4bb, ARM Ltd
Part is 0x3, Cortex-M3 FPB (Flash Patch and Breakpoint)
Component class is 0xe, Generic IP component
ROMTABLE[0xc] = 0xfff01003
Component base address 0xe0000000
Peripheral ID 0x04002bb001
Designer is 0x4bb, ARM Ltd
Part is 0x1, Cortex-M3 ITM (Instrumentation Trace Module)
Component class is 0xe, Generic IP component
ROMTABLE[0x10] = 0xfff41003
Component base address 0xe0040000
Peripheral ID 0x04002bb923
Designer is 0x4bb, ARM Ltd
Part is 0x923, Cortex-M3 TPIU (Trace Port Interface Unit)
Component class is 0x9, CoreSight component
Type is 0x11, Trace Sink, Port
ROMTABLE[0x14] = 0xfff42002
Component not present
ROMTABLE[0x18] = 0x0
End of ROM table
由以上的訊息確定 MCU 的核心是 Cortex-M3。
使用 eLink32Pro.exe 寫入 pok3r-custom/pok3r_re_firmware 的 disassemble/pok3r/builtin/firmware_builtin.bin,連上電腦,顯示的裝置是
Bus 001 Device 024: ID 04d9:1141 Holtek Semiconductor, Inc. USB-HID Keyboard
到此為止,成功解鎖以及寫入下載的 firmware,接下來就是要建立自己的 QMK 鍵盤,以及加上小紅點 (Trackpoint)。
沒有留言:
張貼留言