├── Captures
    ├── flashing
    │   ├── ISPForce.pcap
    │   ├── nkro.pcap
    │   └── original.pcap
    ├── getfwversion(S1946V15).pcap
    └── typing1.pcap
├── DeckFirmwareFiles
    ├── L1983V36.bin
    ├── L2086V34.bin
    ├── L2226V28.bin
    └── L2227V35.bin
├── DuckyZeroFirmwareFiles
    ├── A2463V14.bin
    ├── L1886V25.bin
    ├── L1943V18.bin
    ├── L1986V15.bin
    ├── L2042V14.bin
    ├── L2056V11.bin
    ├── L2561V20.bin
    ├── L2568V13.bin
    ├── L2569V19.bin
    ├── L2569V20.bin
    └── L2572V15.bin
├── KBCFirmwareFiles
    ├── POKER II Time delay layer programming..bin
    ├── Poker II NKRO in USB mode.bin
    ├── Poker II custom dip v0.5.bin
    ├── Poker II original firmware.bin
    ├── ldrom
    │   └── B1946V10.bin
    └── poker II breathe-light.bin
├── KBCTool
    ├── ikbc-USB Updates.c
    └── ikbc-USB Updates.exe
├── PureProFirmwareFiles
    └── L1911V21.bin
└── README.md

/Captures/flashing/ISPForce.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/Captures/flashing/ISPForce.pcap
--------------------------------------------------------------------------------
/Captures/flashing/nkro.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/Captures/flashing/nkro.pcap
--------------------------------------------------------------------------------
/Captures/flashing/original.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/Captures/flashing/original.pcap
--------------------------------------------------------------------------------
/Captures/getfwversion(S1946V15).pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/Captures/getfwversion(S1946V15).pcap
--------------------------------------------------------------------------------
/Captures/typing1.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/Captures/typing1.pcap
--------------------------------------------------------------------------------
/DeckFirmwareFiles/L1983V36.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DeckFirmwareFiles/L1983V36.bin
--------------------------------------------------------------------------------
/DeckFirmwareFiles/L2086V34.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DeckFirmwareFiles/L2086V34.bin
--------------------------------------------------------------------------------
/DeckFirmwareFiles/L2226V28.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DeckFirmwareFiles/L2226V28.bin
--------------------------------------------------------------------------------
/DeckFirmwareFiles/L2227V35.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DeckFirmwareFiles/L2227V35.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/A2463V14.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/A2463V14.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/L1886V25.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/L1886V25.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/L1943V18.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/L1943V18.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/L1986V15.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/L1986V15.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/L2042V14.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/L2042V14.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/L2056V11.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/L2056V11.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/L2561V20.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/L2561V20.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/L2568V13.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/L2568V13.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/L2569V19.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/L2569V19.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/L2569V20.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/L2569V20.bin
--------------------------------------------------------------------------------
/DuckyZeroFirmwareFiles/L2572V15.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/DuckyZeroFirmwareFiles/L2572V15.bin
--------------------------------------------------------------------------------
/KBCFirmwareFiles/POKER II Time delay layer programming..bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/KBCFirmwareFiles/POKER II Time delay layer programming..bin
--------------------------------------------------------------------------------
/KBCFirmwareFiles/Poker II NKRO in USB mode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/KBCFirmwareFiles/Poker II NKRO in USB mode.bin
--------------------------------------------------------------------------------
/KBCFirmwareFiles/Poker II custom dip v0.5.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/KBCFirmwareFiles/Poker II custom dip v0.5.bin
--------------------------------------------------------------------------------
/KBCFirmwareFiles/Poker II original firmware.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/KBCFirmwareFiles/Poker II original firmware.bin
--------------------------------------------------------------------------------
/KBCFirmwareFiles/ldrom/B1946V10.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/KBCFirmwareFiles/ldrom/B1946V10.bin
--------------------------------------------------------------------------------
/KBCFirmwareFiles/poker II breathe-light.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/KBCFirmwareFiles/poker II breathe-light.bin
--------------------------------------------------------------------------------
/KBCTool/ikbc-USB Updates.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/KBCTool/ikbc-USB Updates.c
--------------------------------------------------------------------------------
/KBCTool/ikbc-USB Updates.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/KBCTool/ikbc-USB Updates.exe
--------------------------------------------------------------------------------
/PureProFirmwareFiles/L1911V21.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/erichkeane/poker2firmwarehacking/114a86366b11e0810647a4d7fdc9ebe44e0db6f2/PureProFirmwareFiles/L1911V21.bin
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
poker2firmwarehacking
=====================
KBC/Vortex Poker 2 Mechanical Keyboard Firmware hacking

Flash tool and firmware files can be found attached to this post: https://geekhack.org/index.php?topic=50245.0

Brief debugging/firmware file decoding has been done here:

http://reverseengineering.stackexchange.com/questions/5945/finding-the-actual-thumb-code-in-firmware

Seemingly doing this decodes the firmware:
rotate left 4 bits and invert:
c = (((c & 0x0f) << 4) | ((c & 0xf0) >> 4)) ^ 0xff

Processor is an ARM Cortex-M0 in a NUC122SC1AN:

http://www.nuvoton.com/hq/products/microcontrollers/arm-cortex-m0-mcus/nuc120-122-123-220-usb-series/nuc122sc1an/?__locale=en

"Valid" code seems to begin at 0x120. Header is potentially everything before that, Footer is the last 16 bytes. Last 4 bytes look to be some sort of checksum.

1/30/15 update:
I've since picked up a Nu-Link-Pro programmer that should allow me to both see what is on the chip, and program it directly. The hope is that I can decode the firmware format from Vortex using that.

TODO:
=====
1- Solder leads to my poker (Done!)

2- Use the Vortex tool to flash a known firmware file (Done)

3- Dump said firmware using the Nu-Link-Pro, compare the two firmware files to check for compatibility. :: Apparently the Processor has a 'flash-lock' in place that prevents the tool from downloading firmware. I'm going to try a USB Sniffer to see what actually gets written to the device.

4- If possible and necessary, write a tool to convert the 'dumped' to the Vortex tool format. This would allow for programming WITHOUT the NU-Link, since the version on the chip would be in the 'programmed' state.

5- Begin custom firmware development!

5a- Start with getting ISP mode to work as closely to the Vortex version as possible, since hopefully this would allow us to reuse their tool to program the boards

5b- Attempt identification of keys on board and dip-switches

5c- Write base version for key functionality

5d- LEDs? (difficult, since my board doesn't have LEDs installed, might have to solder them on).

5e- NKRO?

5f- More firmware functionality? Programmability? Layers? etc?
--------------------------------------------------------------------------------
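
The decoding rule and tentative file layout from the README above, as an added Python sketch (not code from this repository). It assumes the whole file is encoded; `transform`, `split_image`, `count_bx_lr` and the sample image are constructed here for illustration, and the `bx lr` count is only a plausibility check that decoding yields Thumb code.

```python
# Added example: the formula and offsets come from the README; the rest is assumed.
HEADER_END = 0x120    # "valid" code seems to begin here
FOOTER_LEN = 16       # footer is the last 16 bytes
CHECKSUM_LEN = 4      # last 4 bytes look like some sort of checksum

def decode_byte(c: int) -> int:
    """Swap the two nibbles of a byte, then invert it (the README's formula)."""
    return (((c & 0x0F) << 4) | ((c & 0xF0) >> 4)) ^ 0xFF

# 256-entry lookup table so a whole image is transformed in one pass.
_TABLE = bytes(decode_byte(c) for c in range(256))

def transform(data: bytes) -> bytes:
    """Decode an image; the mapping is its own inverse, so this also encodes."""
    return data.translate(_TABLE)

def split_image(raw: bytes) -> dict:
    """Decode a .bin and cut it at the README's tentative boundaries."""
    if len(raw) < HEADER_END + FOOTER_LEN:
        raise ValueError(f"image too short: {len(raw)} bytes")
    plain = transform(raw)  # assumption: header and footer are encoded too
    return {
        "header": plain[:HEADER_END],
        "code": plain[HEADER_END:-FOOTER_LEN],
        "footer": plain[-FOOTER_LEN:],
        "checksum": plain[-CHECKSUM_LEN:],
    }

def count_bx_lr(code: bytes) -> int:
    """Count halfword-aligned Thumb `bx lr` (0x4770, stored as 70 47)."""
    return sum(code[i:i + 2] == b"\x70\x47" for i in range(0, len(code) - 1, 2))

def make_sample() -> bytes:
    """Constructed sample image, not a real Poker II firmware file."""
    # push {r4, lr}; movs r0, #0; pop {r4, pc}; bx lr
    func = bytes.fromhex("10b5002010bd7047")
    plain = bytes([0xAA]) * HEADER_END + func * 4 + bytes(range(FOOTER_LEN))
    return transform(plain)  # encode it the way the .bin files appear to be

if __name__ == "__main__":
    raw = make_sample()
    parts = split_image(raw)
    print("bx lr before decoding:", count_bx_lr(raw[HEADER_END:-FOOTER_LEN]))
    print("bx lr after decoding: ", count_bx_lr(parts["code"]))
    print("trailing 4 bytes:     ", parts["checksum"].hex())
```

Because swapping nibbles and inverting is its own inverse, the same `transform` covers the byte-level part of the conversion in TODO item 4; the header and checksum formats remain undecoded on this page.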