carlossless / sinowealth-kb-tool Goto Github PK

A utility for reading and writing flash contents on Sinowealth 8051-based HID devices through the commonly found ISP bootloader

License: MIT License

Rust 85.95% Nix 4.86% Shell 9.19%

8051 isp sinowealth gaming-kb nuphy redragon royal-kludge sh68f881 sh68f90 genesis

sinowealth-kb-tool's Introduction

sinowealth-kb-tool

A utility for reading and writing flash contents on Sinowealth 8051-based devices (keyboards and mice) since they all seem to have similar ISP bootloaders.

Disclaimer

This is an experimental tool, so use it at your own risk.

Usage

Reading

⚠️ A read operation will set an LJMP (0x02) opcode at address <firmware_size-5> if it's not already present there. When this opcode is set, the bootloader considers the main firmware enabled and jumps to it when the device is powered on. This opcode should already be set on most devices and therefore the read operation should not cause any issues.

⚠️ During reading the ISP bootloader will redirect values in 0x0001 - 0x0002 to <firmware_size-4> - <firmware_size-3>. Because of this, the produced payload will be different from how memory is actually laid out in the MCU flash.

# reads firmware excluding isp bootloader 
sinowealth-kb-tool read -p nuphy-air60 foobar.hex

# reads only isp bootloader section
sinowealth-kb-tool read -p nuphy-air60 -b bootloader.hex

# full dump including firmware and bootloader
sinowealth-kb-tool read -p nuphy-air60 --full full.hex

# custom device
sinowealth-kb-tool read \
    --vendor_id 0x05ac \
    --product_id 0x024f \
    --firmware_size 61440 \
    --bootloader_size 4096 \ # optional
    --page_size 2048 \ # optional
    --isp_iface_num 1 \ # optional
    --isp_usage_page 0xff00 \ # optional
    --isp_usage 0x0001 \ # optional
    --isp_index 0 \ # optional
    --reboot false \ # optional
    foobar.hex

Writing

⚠️ Same as the read operation, the ISP bootloader will write values meant for addresses 0x0001-0x0002 to <firmware_size-4> - <firmware_size-3>.

# overwrites firmware (does not touch the bootloader section)
sinowealth-kb-tool write -p nuphy-air60 foobar.hex

# custom device
sinowealth-kb-tool write \
    --vendor_id 0x05ac \
    --product_id 0x024f \
    --firmware_size 61440 \
    --bootloader_size 4096 \ # optional
    --page_size 2048 \ # optional
    --isp_iface_num 1 \ # optional
    --isp_usage_page 0xff00 \ # optional
    --isp_usage 0x0001 \ # optional
    --isp_index 0 \ # optional
    --reboot false \ # optional
    foobar.hex

Supported Hardware

Keyboards

Model	ISP MD5	MCU	MCU Label	Tested Read	Tested Write
Digital Alliance Meca Warrior X	2d169670eae0d36eae8188562c1f66e8	SH68F90	SH68F90S	✅	✅
E-Yooso Z11	3e0ebd0c440af5236d7ff8872343f85d	SH68F90?	BYK901	✅	✅
Genesis Thor 300 RGB	2d169670eae0d36eae8188562c1f66e8	SH68F90	SH68F90S	✅	✅
Genesis Thor 300	e57490acebcaabfcff84a0ff013955d9	SH68F881	SH68F881W	✅	✅
Hykker X Range 2017 (RE-K70-BYK800)	13df4ce2933f9654ffef80d6a3c27199	SH68F881	BYK801	✅	❓
Machenike K500-B61	2d169670eae0d36eae8188562c1f66e8	SH68F90?	BYK916	✅	✅
NuPhy Air60	3e0ebd0c440af5236d7ff8872343f85d	SH68F90A	BYK916	✅	✅
NuPhy Air75	3e0ebd0c440af5236d7ff8872343f85d	SH68F90A	BYK916	✅	✅
NuPhy Air96	3e0ebd0c440af5236d7ff8872343f85d	SH68F90A	BYK916	✅	✅
NuPhy Halo65	3e0ebd0c440af5236d7ff8872343f85d	SH68F90A	BYK916	✅	✅
Redragon K530 Draconic PRO	cfc8661da8c9d7e351b36c0a763426aa	SH68F90A	BYK916	✅	✅
Redragon K614 Anivia 60%	2d169670eae0d36eae8188562c1f66e8	SH68F90A	BYK916	✅	✅
Redragon K617 FIZZ 60%	2d169670eae0d36eae8188562c1f66e8	SH68F90A	BYK916	✅	✅
Redragon K641 SHACO PRO	3e0ebd0c440af5236d7ff8872343f85d	SH68F90A	BYK916	✅	✅
Redragon K658 PRO SE	3e0ebd0c440af5236d7ff8872343f85d	SH68F90A	BYK916	✅	✅
Royal Kludge RK100	cfc8661da8c9d7e351b36c0a763426aa	SH68F90?	BYK916	✅	✅
Royal Kludge RK61	3e0ebd0c440af5236d7ff8872343f85d	SH68F90?	BYK916	✅	✅
Royal Kludge RK68 BT Dual	cfc8661da8c9d7e351b36c0a763426aa	SH68F90?	BYK901	✅	✅
Royal Kludge RK68 ISO Return	❓	SH68F90?	BYK916	✅	❓
Royal Kludge RK71	cfc8661da8c9d7e351b36c0a763426aa	SH68F90?	❓	✅	✅
Royal Kludge RK84	cfc8661da8c9d7e351b36c0a763426aa	SH68F90?	BYK916	✅	✅
Terport TR95	2d169670eae0d36eae8188562c1f66e8	SH68F90A	BYK916	✅	✅
Weikav Sugar65	2d169670eae0d36eae8188562c1f66e8	SH68F90	SH68F90S	✅	✅
Xinmeng K916	cfc8661da8c9d7e351b36c0a763426aa	SH68F90	❓	✅	✅
Xinmeng XM-RF68	2d169670eae0d36eae8188562c1f66e8	SH68F90	SH68F90U	✅	✅

Mice

Model	ISP MD5	MCU	MCU Label	Tested Read	Tested Write
Glorious Model O	46459c31e58194fa076b8ce8fb1f3eaa	❓	BY8948	✅	❓
Trust GXT 960	620f0b67a91f7f74151bc5be745b7110	❓	BY8801	✅	❓

Bootloader Support

Platforms

ISP MD5	Windows	macOS	Linux
13df4ce2933f9654ffef80d6a3c27199	?	?	ok
2d169670eae0d36eae8188562c1f66e8	ok	?	ok
3e0ebd0c440af5236d7ff8872343f85d	ok	ok	ok
46459c31e58194fa076b8ce8fb1f3eaa	?	?	ok
620f0b67a91f7f74151bc5be745b7110	?	fail¹	ok
cfc8661da8c9d7e351b36c0a763426aa	ok	fail¹	ok
e57490acebcaabfcff84a0ff013955d9	ok	?	?

Prerequisites

Linux

To enable running this tool without superuser privileges add the following udev rule with xxxx and yyyy replaced with your device Vendor ID and Product ID respectively.

# /etc/udev/rules.d/plugdev.rule
SUBSYSTEMS=="usb", ATTRS{idVendor}=="xxxx", ATTRS{idProduct}=="yyyy", MODE="0660", GROUP="plugdev"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0603", ATTRS{idProduct}=="1020", MODE="0660", GROUP="plugdev"

Make sure your user is part of the plugdev group.

macOS

If you encounter errors like:

hid_open_path: failed to open IOHIDDevice from mach entry...

Ensure that your terminal application has access to input monitoring.

Acknowledgments

Thanks to @gashtaan for analyzing and explaining the inner workings of the ISP bootloaders. Without his help, this tool wouldn't be here!

macOS does not recognize the composite device as an HID device ↩ ↩²

sinowealth-kb-tool's People

Contributors

Stargazers

Watchers

Forkers

swiftgeek donn sangnpq cloudenum gauravmanmode xieyt usr44 luro02 a-rint-a

sinowealth-kb-tool's Issues

[device-report] Weikav Sugar65

The Weikav Sugar65 is using a SinoWealth SH68F90S and use the same vendor_id and product_id as nuphy-air60

I got these md5s:

.\sinowealth-kb-tool-0.0.5.exe read -p nuphy-air60
         MD5: ba3592aa17b5549f2bf72a06d902a764
-b       MD5: 2d169670eae0d36eae8188562c1f66e8
--full   MD5: e19cdb907ac25f825a7caf8f0f88a9f9

The 0.0.6 version didn't work for me on windows so I tried the 0.0.5 version which worked

0.0.6:

INFO  [sinowealth_kb_tool::isp] Looking for vId:0x05ac pId:0x024f
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 2/10

0.0.5:

INFO  [sinowealth_kb_tool::isp] Looking for vId:0x05ac pId:0x024f
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Waiting for ISP device...
INFO  [sinowealth_kb_tool::isp] Connected!

[device-report] TERPORT TR95

TERPORT TR95 uses BYK916 chip, the ids are different from nuphy-air60
Bootloader MD5: 2d169670eae0d36eae8188562c1f66e8
I haven't tried writing the firmware

pub const PART_TERPORT_TR95: Part = Part {
flash_size: 61440, // 61440 until bootloader
bootloader_size: 4096,
page_size: 2048,
vendor_id: 0x258a,
product_id: 0x0049,
};

[device-report] NuPhy Halo65

Thank you very much for your work. This is not a real issue, rather I just want to pass on to you the information that the utility works with Halo 65. Compiled and was able to dump the firmware using the nuphy-air60 part.

[device-report] maybe Dareu EK681

Device Info

Sinowealth Device: SH68F90A_
IC Label: Sinowealth SH68F90A

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x0049

Operations Tested

Read
Write

Platforms Tested

[X ] linux
macos
windows

Need the other same vid and pid keyboard hex

I have a keyboard with some special reason that use the chip with ek861's chip, but the keyboard model is ek871. The keyboard can be used well except the left key replace with fn key. So I want to flash the same vid and pid keyboard's hex files to make the key recovery normal. 
Does anyone can help me? Please send me the hex file  to my email [email protected]. Thx a lot!
I think the most fit keyboard is reddragon k641, the rk71 is the same layout,but the pid is not the same. I dont know may it will make bricked . Or someone can help me to compile a 71key layout with smk? When I try to make a smk. I meet the error.
![screenshot](https://github.com/carlossless/sinowealth-kb-tool/assets/26353584/f111f8d9-57fa-4477-bbfb-bac610512334) 
I cant deal with it.
I also have the ek861's hex.If someone need it , can call me.

[device-report] RK68 ISO Return

Sorry if this is useless information

I think it can't go into isp mode for whatever reason.
Since I'm not really into all the stuff you did I have no idea what can be done😥

(I saw a few people wanting qmk on their rk keyboards with the BYK916 - including me - and I didn't find a way to do it so I thought your project is the closest there is to it, yet I'm stuck again)
I just want to have layers on my keyboard without needing any software☹️

pub const PART_RK_68_ISO_RETURN: Part = Part {
flash_size: ?,
bootloader_size: ?,
page_size: ?,
vendor_id: 0x258a,
product_id: 0x00a9,
};

[device-report] E-Yooso Z-11 with yellow LEDs

Device Info

Sinowealth Device: SH68F90?
IC Label: _example BYK901
Product Page: https://www.aliexpress.com/item/1005005775806125.html

Part Info

firmware_size: 168972
vendor_id: 0x258a
product_id: 0x002a
bootloader_size: 11276

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: 3e0ebd0c440af5236d7ff8872343f85d
Stock Firmware MD5: 03205dbb8dc26354fe04786d0d7f7625

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output

sudo usbhid-dump --entity=all --model=258a
003:021:001:DESCRIPTOR         1712708430.881304
 05 01 09 80 A1 01 85 01 19 81 29 83 15 00 25 01
 75 01 95 03 81 02 95 05 81 01 C0 05 0C 09 01 A1
 01 85 02 19 00 2A 3C 02 15 00 26 3C 02 95 01 75
 10 81 00 C0 06 00 FF 09 01 A1 01 85 05 15 00 26
 FF 00 19 01 29 02 75 08 95 05 B1 02 C0 05 01 09
 06 A1 01 85 06 05 07 19 04 29 70 15 00 25 01 75
 01 95 78 81 02 C0 06 00 FF 09 01 A1 01 85 09 15
 00 26 FF 00 09 00 75 08 96 F8 01 B1 02 C0 06 00
 FF 09 01 A1 01 85 0A 15 00 26 FF 00 09 00 75 08
 95 29 B1 02 C0 06 00 FF 09 01 A1 01 85 0B 15 00
 26 FF 00 09 00 75 08 95 7E B1 02 C0 05 01 09 02
 A1 01 85 0D 09 01 A1 00 05 09 15 00 25 01 19 01
 29 05 75 01 95 05 81 02 95 03 81 01 05 01 16 00
 80 26 FF 7F 09 30 09 31 75 10 95 02 81 06 15 81
 25 7F 09 38 75 08 95 01 81 06 05 0C 0A 38 02 95
 01 81 06 C0 C0 06 00 FF 09 01 A1 01 85 0C 15 00
 26 FF 00 09 00 75 08 96 80 07 B1 02 C0

003:021:000:DESCRIPTOR         1712708430.882968
 05 01 09 06 A1 01 05 07 19 E0 29 E7 15 00 25 01
 95 08 75 01 81 02 95 01 75 08 81 03 95 06 75 08
 15 00 26 FF 00 05 07 19 00 2A FF 00 81 00 25 01
 95 05 75 01 05 08 19 01 29 05 91 02 95 01 75 03
 91 03 C0

Other Outputs

Dmesg Output

[339005.632758] usb 3-3: new full-speed USB device number 22 using xhci_hcd
[339005.775552] usb 3-3: New USB device found, idVendor=258a, idProduct=002a, bcdDevice=12.10
[339005.775566] usb 3-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[339005.775571] usb 3-3: Product: Gaming KB
[339005.775574] usb 3-3: Manufacturer: SINO WEALTH
[339005.778909] input: SINO WEALTH Gaming KB  as /devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.0/0003:258A:002A.002C/input/input103
[339005.833222] hid-generic 0003:258A:002A.002C: input,hidraw0: USB HID v1.11 Keyboard [SINO WEALTH Gaming KB ] on usb-0000:00:14.0-3/input0
[339005.838636] input: SINO WEALTH Gaming KB  System Control as /devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.1/0003:258A:002A.002D/input/input104
[339005.893098] input: SINO WEALTH Gaming KB  Consumer Control as /devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.1/0003:258A:002A.002D/input/input105
[339005.893395] input: SINO WEALTH Gaming KB  Keyboard as /devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.1/0003:258A:002A.002D/input/input106
[339005.893683] input: SINO WEALTH Gaming KB  Mouse as /devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.1/0003:258A:002A.002D/input/input107
[339005.894348] hid-generic 0003:258A:002A.002D: input,hiddev96,hidraw1: USB HID v1.11 Keyboard [SINO WEALTH Gaming KB ] on usb-0000:00:14.0-3/input1

sinowealth-kb-tool read -p xinmeng-xm-rf68 z11.hex Output

INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x002a
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 2/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x002a
INFO  [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Connected!
INFO  [sinowealth_kb_tool::isp] Enabling firmware...
INFO  [sinowealth_kb_tool::isp] Reading...
INFO  [sinowealth_kb_tool::isp] Rebooting...
INFO  [sinowealth_kb_tool] MD5: 03205dbb8dc26354fe04786d0d7f7625

sinowealth-kb-tool read -p xinmeng-xm-rf68 -b z11-boot.hex Output

INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x002a
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 2/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x002a
INFO  [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Connected!
INFO  [sinowealth_kb_tool::isp] Enabling firmware...
INFO  [sinowealth_kb_tool::isp] Reading...
INFO  [sinowealth_kb_tool::isp] Rebooting...
INFO  [sinowealth_kb_tool] MD5: 3e0ebd0c440af5236d7ff8872343f85d

[device-report] Trust GXT 960

Device Info

Sinowealth Device: unknown
IC Label: BY8801
Product Page: https://www.trust.com/de/product/23758-gxt-960-graphin-ultra-lightweight-gaming-mouse

Part Info

firmware_size: 61440
vendor_id: 0x145f
product_id: 0x02b6
bootloader_size: 4096 # necessary if not default
page_size: 2048 # necessary if not default
isp_usage_page: 0xff00 # necessary if not default
isp_usage: 0x0001 # necessary if not default
isp_index: 0 # necessary if not default

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: 620f0b67a91f7f74151bc5be745b7110
Stock Firmware MD5: 95fe8060ab83c8bf9eee6d5cbc86652d

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output


003:011:001:DESCRIPTOR         1711043111.675525
 05 01 09 06 A1 01 85 01 05 07 19 E0 29 E7 15 00
 25 01 75 01 95 08 81 02 95 06 75 08 15 00 26 FF
 00 05 07 19 00 2A FF 00 81 00 C0 06 0C 00 09 01
 A1 01 85 02 25 01 15 00 75 01 0A B5 00 0A B6 00
 0A B7 00 0A CD 00 0A E2 00 0A A2 00 0A E9 00 0A
 EA 00 95 08 81 03 0A 83 01 0A 94 01 0A 86 01 0A
 88 01 0A 8A 01 0A 92 01 0A A8 02 0A 84 01 95 08
 81 03 0A 21 02 0A 23 02 0A 24 02 0A 25 02 0A 26
 02 0A 27 02 0A 2A 02 0A B1 02 95 08 81 03 C0 06
 00 FF 09 01 A1 01 85 04 15 00 26 FF 00 09 00 75
 08 96 07 02 B1 02 C0 06 00 FF 09 01 A1 01 85 07
 15 00 26 FF 00 09 00 75 08 95 07 81 00 C0 06 00
 FF 09 01 A1 01 85 05 15 00 26 FF 00 09 00 95 05
 75 08 B1 02 C0

003:011:000:DESCRIPTOR         1711043111.678519
 05 01 09 02 A1 01 09 01 A1 00 05 09 19 01 29 05
 15 00 25 01 75 01 95 05 81 02 95 03 81 01 05 01
 09 30 09 31 16 00 80 26 FF 7F 75 10 95 02 81 06
 09 38 15 80 25 7F 75 08 95 01 81 06 05 0C 0A 38
 02 95 01 81 06 C0 C0

I ran

sudo ./sinowealth-kb-tool read \
                 --vendor_id 0x145f \
                 --product_id 0x02b6 \
                 --firmware_size 61440 \
                 --bootloader_size 4096 \
                 --page_size 2048 \
                 --isp_iface_num 1 \
                 --isp_usage_page 0xff00 \
                 --isp_usage 0x0001 \
                 --isp_index 0 \
                 --reboot false \
                 foobar.hex

[device-report] royal kludge rk84 iso layout (ger)

Device Info

Sinowealth Device: example SH68F90A
IC Label: example BYK916
Product Page: https://rkgamingstore.com/products/rk84-75-percent-keyboard?variant=43341644857565

Part Info

firmware_size: 61440
vendor_id: 0x258A
product_id: 0xF4
bootloader_size: 4096 # necessary if not default
page_size: 2048 # necessary if not default
isp_usage_page: 0xff00 # necessary if not default
isp_usage: 0x0001 # necessary if not default
isp_index: 0 # necessary if not default

Operations Tested

Is firmware R/W ment? if so, no.

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: beefcafebeefcafebeefcafebeefcafe
Stock Firmware MD5: deadbeefdeadbeefdeadbeefdeadbeef

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output

# RK84 ISO Layout using win-hid-dump

258A:00F4: SINO WEALTH - RK Bluetooth Keyboard
PATH:\\?\hid#vid_258a&pid_00f4&mi_01&col03#9&1c1eb664&0&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}
DESCRIPTOR:
  06  00  FF  09  01  A1  01  85  05  15  00  25  01  35  00  45
  01  65  00  55  00  75  01  95  28  B1  03  C1  00
  (29 bytes)
258A:00F4: SINO WEALTH - RK Bluetooth Keyboard
PATH:\\?\hid#vid_258a&pid_00f4&mi_01&col05#9&1c1eb664&0&0004#{4d1e55b2-f16f-11cf-88cb-001111000030}
DESCRIPTOR:
  06  00  FF  09  01  A1  01  85  0A  09  00  15  00  25  FF  35
  00  45  00  65  00  55  00  75  08  95  40  B1  02  C1  00
  (31 bytes)
258A:00F4: SINO WEALTH - RK Bluetooth Keyboard
PATH:\\?\hid#vid_258a&pid_00f4&mi_01&col04#9&1c1eb664&0&0003#{4d1e55b2-f16f-11cf-88cb-001111000030}\kbd
DESCRIPTOR:
  05  01  09  06  A1  01  85  06  05  07  19  04  29  70  15  00
  25  01  35  00  45  01  65  00  55  00  75  01  95  6D  81  02
  95  0B  81  03  C1  00
  (38 bytes)
258A:00F4: SINO WEALTH - RK Bluetooth Keyboard
PATH:\\?\hid#vid_258a&pid_00f4&mi_00#9&8ee9a26&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}\kbd
DESCRIPTOR:
  05  01  09  06  A1  01  05  07  19  E0  29  E7  15  00  25  01
  35  00  45  01  65  00  55  00  75  01  95  08  81  02  95  38
  81  03  05  08  19  01  29  05  95  05  91  02  95  03  91  03
  C1  00
  (50 bytes)
258A:00F4: SINO WEALTH - RK Bluetooth Keyboard
PATH:\\?\hid#vid_258a&pid_00f4&mi_01&col02#9&1c1eb664&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}
DESCRIPTOR:
  05  0C  09  01  A1  01  85  02  15  00  25  01  35  00  45  01
  65  00  55  00  75  01  95  10  81  03  C1  00
  (28 bytes)
258A:00F4: SINO WEALTH - RK Bluetooth Keyboard
PATH:\\?\hid#vid_258a&pid_00f4&mi_01&col01#9&1c1eb664&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
DESCRIPTOR:
  05  01  09  80  A1  01  85  01  19  81  29  83  15  00  25  01
  35  00  45  01  65  00  55  00  75  01  95  03  81  02  95  05
  81  03  C1  00
  (36 bytes)

[device-report] Xinmeng M71 v2 (same with Yunzii AL71)

Device Info

Sinowealth Device: SH6890A
IC Label: Sinowealth SH6890AS
PCB label: BYK926
Product Page:
https://mechkeys.com/products/xinmeng-m71-aluminum-mechanical-keyboard?variant=45043999867103
Variant:
https://www.yunzii.com/en-ca/products/yunzii-al71-mechanical-keyboard
They are almost the same (Yunzii has a version M71B I don't know what it is, but M71 and AL71 are the same), AL71 is rebrand name of M71. They use the same software (in AL71 software has a folder name M71) and since AL71 is flexcut, it's equal to M71v2 (v1 is 1.6mm non flex-cut). Reference
https://www.reddit.com/r/keyboards/comments/175pvtn/110_keyboard/

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x010c
isp_index: 1

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: Unknown (eg beefcafebeefcafebeefcafebeefcafe)
Stock Firmware MD5: 189f254a5715fba9ccd610890f5b90fc (with bootloader flag)
c6b1be8743ec87eb0c3aa630939c6e41 ( with full dump flag)

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output

# Xinmeng M71 using win-hid-dump
...
WinHIDdump:
...
258A:010C: BY Tech - Gaming Keyboard
PATH:\\?\hid#vid_258a&pid_010c&mi_00#a&9f2aaa&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}\kbd
DESCRIPTOR:
  05  01  09  06  A1  01  05  07  19  E0  29  E7  15  00  25  01
  35  00  45  01  65  00  55  00  75  01  95  08  81  02  95  38
  81  03  05  08  19  01  29  05  95  05  91  02  95  03  91  03
  C1  00
  (50 bytes)
...
258A:010C: BY Tech - Gaming Keyboard
PATH:\\?\hid#vid_258a&pid_010c&mi_01&col05#a&2476686c&0&0004#{4d1e55b2-f16f-11cf-88cb-001111000030}
DESCRIPTOR:
  06  00  FF  09  01  A1  01  85  05  15  00  25  01  35  00  45
  01  65  00  55  00  75  01  95  28  B1  03  C1  00
  (29 bytes)

Edit: Update winhiddump with direct cable plugged to mainboard.

[device-report] Redragon Fizz K617-RGB

The config is same as TERPORT_TR95 including VID and PID.
Even the Bootloader hash is also same.

pub const PART_FIZZ_K617: Part = Part {
    flash_size: 61440, // 61440 until bootloader
    bootloader_size: 4096,
    page_size: 2048,
    vendor_id: 0x258a,
    product_id: 0x0049,
};

Bootloader MD5: 2d169670eae0d36eae8188562c1f66e8

I haven't tried write operations on the keyboard.

Doesn't work on Windows (tested with Air96)

2023-08-13T21:16:57.963Z INFO  [sinowealth_kb_tool::isp] Found Device. Entering ISP mode...
2023-08-13T21:16:57.965Z INFO  [sinowealth_kb_tool::isp] Waiting for bootloader device...
2023-08-13T21:16:58.993Z INFO  [sinowealth_kb_tool::isp] Device didn't come up...
2023-08-13T21:16:58.993Z INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 2/10
2023-08-13T21:16:59.016Z INFO  [sinowealth_kb_tool::isp] Found Device. Entering ISP mode...
2023-08-13T21:16:59.016Z INFO  [sinowealth_kb_tool::isp] Waiting for bootloader device...
2023-08-13T21:17:00.035Z INFO  [sinowealth_kb_tool::isp] Device didn't come up...
2023-08-13T21:17:00.035Z INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 3/10
[and so on...]

When I use my tool to set it to ISP mode:

2023-08-13T21:17:33.342Z INFO  [sinowealth_kb_tool::isp] No KB found. Trying bootloader directly...
2023-08-13T21:17:33.389Z INFO  [sinowealth_kb_tool::isp] Connected!
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: InvalidParam', src/isp.rs:169:55
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

This is a Python version of the system from Nudelta to find the "channels" to communicate with the keyboard, in this case configured to set the device into ISP mode: https://gist.github.com/WinkelCode/e4e16dfed3ce6f146b5dcfad2943ff72

Original sources here: https://github.com/donn/nudelta/blob/main/lib/nuphy.cpp#L169

Observed ISP bootloader behavior

I've opened up this issue to temporarily log various observed behavior that the ISP bootloader seems to exhibit. This mostly concerns ISP bootloader 3e0ebd0c440af5236d7ff8872343f85d found on SH68F90A (BYK916))

Exhibit 1 - no LJMP at 0xEFFB

When the device has firmware preloaded with no LJMP instruction at 0xEFFB, the first read cycle (magic_sauce) made through the ISP bootloader will cause it to add an LJMP 0x0000 at 0xEFFB. This will only be visible through a separate programming device (as a sinolink) since reading firmware through ISP will blank out regions 0xEFFB - 0xEFFD.

Writing the resulting dump from the read operation back without modification will cause the bootloader to overwrite the LJMP at 0x0000 and most likely brick the device.

Interestingly the bootloader does seem to detect that an LJMP 0x0000 is not valid and replaces that address to point back to itself - 0xF000. Unfortunately, this still causes the device to brick itself, because the bootloader code doesn't seem to have the necessary init routines. I have not verified this yet, but I assume it does not initialize the HRCLK/SYSCLK which should be necessary for USB peripheral operation.

[device-report] Magebee K61

Doesn't enumerate as ISP in dmesg. From HID descriptor it should work with usage_page == 0xff00 && usage == 0x0001.

Device Info

Sinowealth Device: ?
IC Label: BYK903
PCB Label: BYK901
Product Page: https://pl.aliexpress.com/item/1005004869547787.html

Part Info

firmware_size: ?
vendor_id: 0x258a
product_id: 0x013b
bootloader_size: ? # necessary if not default, otherwise remove this line
page_size: ? # necessary if not default, otherwise remove this line
isp_usage_page: ? # necessary if not default, otherwise remove this line
isp_usage: ? # necessary if not default, otherwise remove this line
isp_index: ? # necessary if not default, otherwise remove this line

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: beefcafebeefcafebeefcafebeefcafe
Stock Firmware MD5: deadbeefdeadbeefdeadbeefdeadbeef

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output

001:099:001:DESCRIPTOR         1712737273.934683
 05 01 09 80 A1 01 85 01 19 81 29 83 15 00 25 01
 75 01 95 03 81 02 95 05 81 01 C0 05 0C 09 01 A1
 01 85 02 19 00 2A 3C 02 15 00 26 3C 02 95 01 75
 10 81 00 C0 06 00 FF 09 01 A1 01 85 05 15 00 26
 FF 00 19 01 29 02 75 08 95 05 B1 02 C0 05 01 09
 06 A1 01 85 06 05 07 19 04 29 70 15 00 25 01 75
 01 95 78 81 02 C0 06 00 FF 09 01 A1 01 85 09 15
 00 26 FF 00 09 00 75 08 96 F8 01 B1 02 C0 06 00
 FF 09 01 A1 01 85 0A 15 00 26 FF 00 09 00 75 08
 95 29 B1 02 C0 06 00 FF 09 01 A1 01 85 0B 15 00
 26 FF 00 09 00 75 08 95 7E B1 02 C0 05 01 09 02
 A1 01 85 0D 09 01 A1 00 05 09 15 00 25 01 19 01
 29 05 75 01 95 05 81 02 95 03 81 01 05 01 16 00
 80 26 FF 7F 09 30 09 31 75 10 95 02 81 06 15 81
 25 7F 09 38 75 08 95 01 81 06 05 0C 0A 38 02 95
 01 81 06 C0 C0 06 00 FF 09 01 A1 01 85 0C 15 00
 26 FF 00 09 00 75 08 96 80 07 B1 02 C0

001:099:000:DESCRIPTOR         1712737273.936511
 05 01 09 06 A1 01 05 07 19 E0 29 E7 15 00 25 01
 95 08 75 01 81 02 95 01 75 08 81 03 95 06 75 08
 15 00 26 FF 00 05 07 19 00 2A FF 00 81 00 25 01
 95 05 75 01 05 08 19 01 29 05 91 02 95 01 75 03
 91 03 C0

[device-report] Redragon Shaco Pro (k641 pro)

Device Info

Sinowealth Device: SH68F90A
IC Label: BYK916
Product Page: https://redragonshop.com/products/shaco-k641-aluminum-wireless-keyboard

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x0049
bootloader_size: 4096 # necessary if not default
page_size: 2048 # necessary if not default
isp_usage_page: 0xff00 # necessary if not default
isp_usage: 0x0001 # necessary if not default
isp_index: 0 # necessary if not default

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: 3e0ebd0c440af5236d7ff8872343f85d
Stock Firmware MD5: c506173c042656d078dbaf54906ac44b

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output

# Redragon Shaco Pro using hid-dump
❯ sudo usbhid-dump -m 258a:0049
001:035:001:DESCRIPTOR         1710647674.196170
 06 01 00 09 80 A1 01 85 01 19 81 29 83 15 00 25
 01 95 03 75 01 81 02 95 01 75 05 81 01 C0 05 0C
 09 01 A1 01 85 02 19 00 2A FF 02 15 00 26 FF 7F
 95 01 75 10 81 00 C0 06 00 FF 09 01 A1 01 85 03
 15 00 26 FF 00 09 2F 75 08 95 03 81 02 C0 05 01
 09 06 A1 01 85 04 05 07 19 04 29 70 15 00 25 01
 75 01 95 78 81 02 C0 06 00 FF 09 01 A1 01 85 05
 15 00 26 FF 00 19 01 29 02 75 08 95 05 B1 02 C0
 06 00 FF 09 01 A1 01 85 06 15 00 26 FF 00 19 01
 29 02 75 08 96 07 04 B1 02 C0 05 01 09 02 A1 01
 85 07 09 01 A1 00 05 09 15 00 25 01 19 01 29 05
 75 01 95 05 81 02 95 03 81 01 05 01 16 00 80 26
 FF 7F 09 30 09 31 75 10 95 02 81 06 15 81 25 7F
 09 38 75 08 95 01 81 06 05 0C 0A 38 02 95 01 81
 06 C0 C0 06 00 FF 09 01 A1 01 85 08 15 00 26 FF
 00 09 00 75 08 96 7D 01 B1 02 C0

001:035:000:DESCRIPTOR         1710647674.199069
 05 01 09 06 A1 01 05 07 19 E0 29 E7 15 00 25 01
 95 08 75 01 81 02 95 01 75 08 81 03 95 06 75 08
 15 00 26 FF 00 05 07 19 00 2A FF 00 81 00 25 01
 95 05 75 01 05 08 19 01 29 05 91 02 95 01 75 03
 91 03 C0

Hi. I'm trying to read the stock firmware and bootloader of this keyboard with

sinowealth-kb-tool-bin read --full \
    --vendor_id 0x258a \
    --product_id 0x0049 \
    --firmware_size 61440 \
    --bootloader_size 4096 \
    --page_size 2048 \
    --reboot false \
    StockFW.hex

Most of the times it will give this error and leaves the keyboard in the bootloader mode with random rgb lights:

Error log

INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x0049
INFO  [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 2/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x0049
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 3/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x0049
thread 'main' panicked at src/isp.rs:242:64:
called `Result::unwrap()` on an `Err` value: HidApiError { message: "hid_error is not implemented yet" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

The keyboard won't work until re plugged.

But sometimes it will work just fine.

Successful read log

INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x0049
INFO  [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 2/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x0049
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 3/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x0049
INFO  [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 4/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x0049
INFO  [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Connected!
INFO  [sinowealth_kb_tool::isp] Enabling firmware...
INFO  [sinowealth_kb_tool::isp] Reading...
INFO  [sinowealth_kb_tool] MD5: f885cbb3a33602ae52bae90d491e1303

[device-report] Xinmeng XM-RF68

Device Info

Model: Xinmeng XM-RF68
Sinowealth Device: SH68F90
IC Label: SH68F90U (K901+K3632 printed in manual)
Product Page: http://www.szxinmeng.com.cn/product/details/95 (non-working)

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x002a

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Hello,
I have two of these keyboards. One working and one semi-working. I believe the MCUs to be similar/identical to the Royal Kludge RK61 and RK100. In fact, the reason that one of my keyboards is "semi-working" is that I managed to "successfully" flash firmware from the RK100 onto my XM-RF68 using Royal Kludge's Windows customization/upgrade tool. Surprisingly the damage was only to about 5 keys which no longer function as expected.

I was hoping that I would be able to use your program to dump the firmware from the working XM-RF68 and write it to the "semi-working" one (currently with RK100 firmware).

The keyboards show up as "258a:002a SINO WEALTH Gaming KB" when plugged in.

Unfortunately the devices cannot be read using the following command:

# sinowealth-kb-tool read --vendor_id 0x258a --product_id 0x002a --firmware_size 61440 XM-RF68.hex

INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x002a
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 2/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x002a
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 10/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x002a
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
ERROR [sinowealth_kb_tool] Device not found

Thanks, Ivan.

[device-report] Machenike K500-B61

Device Info

Sinowealth Device: example SH68F90A
IC Label: BYK916
Product Page: https://global.machenike.com/products/k500-b61

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x0049

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: 2d169670eae0d36eae8188562c1f66e8
Stock Firmware MD5: 5a02eda2240f5532d2493c81a928c861

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output

# K500-B61 using usbhid-dump
...
001:008:001:DESCRIPTOR         1711664651.046945
 06 01 00 09 80 A1 01 85 01 19 81 29 83 15 00 25
 01 95 03 75 01 81 02 95 01 75 05 81 01 C0 05 0C
 09 01 A1 01 85 02 19 00 2A FF 02 15 00 26 FF 7F
 95 01 75 10 81 00 C0 06 00 FF 09 01 A1 01 85 03
 15 00 26 FF 00 09 2F 75 08 95 03 81 02 C0 05 01
 09 06 A1 01 85 04 05 07 19 04 29 70 15 00 25 01
 75 01 95 78 81 02 C0 06 00 FF 09 01 A1 01 85 05
 15 00 26 FF 00 19 01 29 02 75 08 95 05 B1 02 C0
 06 00 FF 09 01 A1 01 85 06 15 00 26 FF 00 19 01
 29 02 75 08 96 07 04 B1 02 C0 05 01 09 02 A1 01
 85 07 09 01 A1 00 05 09 15 00 25 01 19 01 29 05
 75 01 95 05 81 02 95 03 81 01 05 01 16 00 80 26
 FF 7F 09 30 09 31 75 10 95 02 81 06 15 81 25 7F
 09 38 75 08 95 01 81 06 05 0C 0A 38 02 95 01 81
 06 C0 C0

001:008:000:DESCRIPTOR         1711664651.049886
 05 01 09 06 A1 01 05 07 19 E0 29 E7 15 00 25 01
 95 08 75 01 81 02 95 01 75 08 81 03 95 06 75 08
 15 00 26 FF 00 05 07 19 00 2A FF 00 81 00 25 01
 95 05 75 01 05 08 19 01 29 05 91 02 95 01 75 03
 91 03 C0
...

[device-report] Royal Kludge RK 61 rgb wired 2022

Device Info

Sinowealth Device: SH68F90?
IC Label: BYK916
Product Page: can't find the official product page for this version (wired rgb), here is the amazon page where I bought it https://www.amazon.com/RK-ROYAL-KLUDGE-Ultra-Compact-Switch-White/dp/B0832CZNS5/ . The pcb is labeled "130-81802-10 US 2022/08/16". There seem to be at least 2 HW versions of this keyboard using the same product name: there is also a 2019 edition that uses rebranded SN32F248BF MCU (https://github.com/euwbah/rk61-rgb-sonixqmk-firmware).

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x00c7
bootloader_size: 4096 # necessary if not default
page_size: 2048 # necessary if not default
isp_usage_page and other isp options were not used

Operations Tested

[ X] Read
[ X] Write

Platforms Tested

[ X] linux

Checksums

Bootloader MD5: 3e0ebd0c440af5236d7ff8872343f85d
Stock Firmware MD5: 0e2019195dac58e1463bf9c458db913a

HID Dump

A dump from usbhid-dump --model=0x258a

HID Tool Output


001:025:001:DESCRIPTOR         1704352530.015456
 05 01 09 80 A1 01 85 01 19 81 29 83 15 00 25 01
 75 01 95 03 81 02 95 05 81 01 C0 05 0C 09 01 A1
 01 85 02 19 00 2A 3C 02 15 00 26 3C 02 75 10 95
 01 81 02 C0 06 00 FF 09 01 A1 01 85 05 19 01 29
 02 15 00 26 FF 00 75 08 95 05 81 02 C0 05 01 09
 06 A1 01 85 06 05 07 19 04 29 70 15 00 25 01 75
 01 95 78 81 02 C0

001:025:000:DESCRIPTOR         1704352530.026447
 05 01 09 06 A1 01 05 07 19 E0 29 E7 15 00 25 01
 75 01 95 08 81 02 75 08 95 01 81 01 05 07 19 00
 29 FF 15 00 26 FF 00 75 08 95 06 81 00 05 08 19
 01 29 05 15 00 25 01 75 01 95 05 91 02 75 03 95
 01 91 01 C0

[device-report] Digital Alliance Meca Warrior X

Hello,

I've forked this project to add my own keyboard which is a Digitial Alliance Meca Warrior X. It uses SH68F90S MCU as indicated in the chip marking below.

What I did is added this PART configuration

pub const PART_DA_WARRIOR_X: Part = Part {
    flash_size: 61440, // 61440 until bootloader
    bootloader_size: 4096,
    page_size: 2048,
    vendor_id: 0x258a,
    product_id: 0x0090,
};

I got the Vendor ID and Product ID from Windows Device Manager, but I don't know about the flash_size, bootloader_size and page_size.

Anyway here's the log:

2023-11-14T16:52:41.155Z INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x0090
2023-11-14T16:52:41.155Z DEBUG [sinowealth_kb_tool::isp] Opening: "\\\\?\\HID#VID_258A&PID_0090&MI_01&Col05#8&2c5f1391&0&0004#{4d1e55b2-f16f-11cf-88cb-001111000030}"
2023-11-14T16:52:41.168Z INFO  [sinowealth_kb_tool::isp] Found Regular device. Entering ISP mode...
2023-11-14T16:52:41.169Z INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
2023-11-14T16:52:41.861Z INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 2/10

I have little experience with embedded programming (mostly arduino).

If you able to assist me, I would love to help and get this tool working on this keyboard and hopefully able to flash QMK Firmware.

[bug] Machinike K550 B61

Hi, @carlossless, just to add a note about report #58, yesterday I was testing sinowealth using the -p machenike-k500-b61 and the read operation was successful but the write was returning a mismatch firewall error, previous I was using the flag -p redragon-k617-fizz and both operation succeed without problems.
Another detail, I verified another Machenike keyboard K500 B94, and it uses the same mcu (BYK916) and also has the idVendor and idProduct as 0x258a and 0x0049, but I couldn't test sinowealth-kb-tool in them (keyboard isn't mine).

[device-report] NuPhy Air96

Once again, bootloader MD5 as reported by the program is 3e0ebd0c440af5236d7ff8872343f85d

Side note: MD5s for the rest of the FW is different between BT/USB mode.

[question] What do I need to watch out when flashing?

I was wondering if someone could give me insights on what I should be watching out when flashing. I have a RK84 RGB ISO Return Keyboard and dumped both the isp and bootloader. I would like to try and flash smk onto it but worry something could go wrong. Does smk also change the bootloader? and if it doesnt and I still mess up is it then possible to enter bootloader and flash back the original firmware with this tool? or do I need to physically open the device and short the reset pins or something like that?

Royal Kludge RK61 rgb wired: write verification error?

Hello,

The tool can read and write the original firmware without reporting errors. But it reports an error on verification when writing a custom smk firmware:

> make flash
sinowealth-kb-tool write -p royalkludge-rk61-rgb-wired bin/main.hex
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x00c7
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 2/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x00c7
INFO  [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Connected!
INFO  [sinowealth_kb_tool::isp] Erasing...
INFO  [sinowealth_kb_tool::isp] Writing...
INFO  [sinowealth_kb_tool::isp] Reading...
INFO  [sinowealth_kb_tool::isp] Verifying...
ERROR [sinowealth_kb_tool] Firmware Mismatch @ 0xeffb --- 0x02 != 0x00
make: *** [Makefile:59: flash] Error 1

If then I use the tool to read the flashed smk firmware from the keyboard and write it again then this verification error is not reported anymore... Anyway this doesn't seem to affect the programming, the smk custom firmware has been running happy. Let me know if you need more information about this or if this can be considered an expected no harmful behavior.

Thank you!

[device-report] Royal kludge RK G68

Device Info

Sinowealth Device: SH68F90A
IC Label: BYK916
Product Page: http://en.rkgaming.com/product/13/

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x0049
bootloader_size: 4096 # necessary if not default, otherwise remove this line
page_size: 2048 # necessary if not default, otherwise remove this line
isp_usage_page: 0xff00 # necessary if not default, otherwise remove this line
isp_usage: 0x0001 # necessary if not default, otherwise remove this line
isp_index: 0 # necessary if not default, otherwise remove this line

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: cfc8661da8c9d7e351b36c0a763426aa
Stock Firmware MD5: 9dc83b7be7eefd21418c20a129525e3e without ISP

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output

# Royal Kludge RK G68 using win-hid-dump
...
258A:0049: SINO WEALTH -
PATH:\\?\hid#vid_258a&pid_0049&mi_01&col03#8&269fe19f&0&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}
DESCRIPTOR:
  06  00  FF  09  01  A1  01  85  05  15  00  25  01  35  00  45
  01  65  00  55  00  75  01  95  28  B1  03  C1  00
  (29 bytes)
258A:0049: SINO WEALTH - RK Bluetooth Keyboard
PATH:\\?\hid#vid_258a&pid_0049&mi_01&col05#8&269fe19f&0&0004#{4d1e55b2-f16f-11cf-88cb-001111000030}
DESCRIPTOR:
  06  00  FF  09  01  A1  01  85  0A  09  00  15  00  25  FF  35
  00  45  00  65  00  55  00  75  08  95  40  B1  02  C1  00
  (31 bytes)
...

Questions

@carlossless, I have been able to read without problems, now I want to flash the VIA firmware, there is one called rkg68_via.hex here: https://www.caniusevia.com/docs/download_firmware, I can use sinowealth-kb-tool to write this firmware? Do you think I can leave it like a brick? I would like to be able to use the entire VIA or QMK environment. But seeing that there are so many variants of Royal Kludge (68) I don't know if the firmware offered on the VIA website is suitable for my keyboard. Mine is RGB, ANSI layout with Bluetooth, 2.4Ghz and USB-C, in addition to having 2 USB ports. There is another version of this keyboard, the RK68 that does not have those 2 extra USB ports.

[Question] Redragon Shaco Pro (k641 pro)

Device Info

Sinowealth Device: SH68F90A
IC Label: BYK916
Product Page: https://redragonshop.com/products/shaco-k641-aluminum-wireless-keyboard

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x0049
bootloader_size: 4096 # necessary if not default
page_size: 2048 # necessary if not default
isp_usage_page: 0xff00 # necessary if not default
isp_usage: 0x0001 # necessary if not default
isp_index: 0 # necessary if not default

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: 3e0ebd0c440af5236d7ff8872343f85d
Stock Firmware MD5: idonthave

HID Dump

I don't have, But I have wireshark capture of changing the modes from the software before it bricked.

Hello. This is not an issue, I just have a question. Sorry if it is stupid. I have a redragon shaco pro (k641 pro) keyboard and while I was trying to reverse engineer the rgb protocol, I have bricked its firmware and it is not detected by linux or windows anymore. It says
device descriptor read/64, error -71.
I don't have any backups. Is there any way to put it into ISP Mode and flash smk on it with this tool? I tried using this tool
https://github.com/gashtaan/sinowealth-fw-disabler
But nothing happened. I tried to manually flash smk with arduino and jtag on it by modifying https://github.com/gashtaan/sinowealth-8051-bl-updater data and address but after I flashed it when I plugged it in, the leds just blinked for a moment and descriptor read error came. I got a dump with https://github.com/gashtaan/sinowealth-8051-dumper and it shows all zeros after 0x0fff until the last 4096 bytes which is the bootloader. My manual flash file and dump after flashing it are attached. It looked like that 0xeffd also was flashed wrong but when I tried to reflash that byte I somehow made it worse. Now the entire 0xeff0 - 0xefff looks like this
8093BA0108955D983AE03A97F1F700C0
But the bootloader is intact.

BTW, Thanks very much for the nice tool and nice firmware, I'm sure they are very useful.

[device-report] Redragon DRACONIC K530 PRO

Device Info

Sinowealth Device: SH68F90A
IC Label: BYK916
Product Page: https://redragonshop.com/collections/redragon-mechanical-keyboard/products/mini-wireless-keyboard-draconic-k530

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x0049

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: cfc8661da8c9d7e351b36c0a763426aa
Stock Firmware MD5: ec9caa25d6979e18919725ba449b81a4

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output

# Redragon DRACONIC K530 PRO using linux usbhid-dump
...
❯ sudo usbhid-dump -m 258a:0049
001:035:001:DESCRIPTOR         1712170898.477694
 05 01 09 80 A1 01 85 01 19 81 29 83 15 00 25 01
 75 01 95 03 81 02 95 05 81 01 C0 05 0C 09 01 A1
 01 85 02 19 00 2A 3C 02 15 00 26 3C 02 95 01 75
 10 81 00 C0 06 00 FF 09 01 A1 01 85 05 15 00 26
 FF 00 19 01 29 02 75 08 95 05 B1 02 C0 05 01 09
 06 A1 01 85 06 05 07 19 04 29 70 15 00 25 01 75
 01 95 78 81 02 C0 06 00 FF 09 01 A1 01 85 09 15
 00 26 FF 00 09 00 75 08 96 F8 01 B1 02 C0 06 00
 FF 09 01 A1 01 85 0A 15 00 26 FF 00 09 00 75 08
 95 29 B1 02 C0 06 00 FF 09 01 A1 01 85 0B 15 00
 26 FF 00 09 00 75 08 96 7A 01 B1 02 C0 05 01 09
 02 A1 01 85 0D 09 01 A1 00 05 09 15 00 25 01 19
 01 29 05 75 01 95 05 81 02 95 03 81 01 05 01 16
 00 80 26 FF 7F 09 30 09 31 75 10 95 02 81 06 15
 81 25 7F 09 38 75 08 95 01 81 06 05 0C 0A 38 02
 95 01 81 06 C0 C0 06 00 FF 09 01 A1 01 85 0C 15
 00 26 FF 00 09 00 75 08 96 80 07 B1 02 C0

001:035:000:DESCRIPTOR         1712170898.478814
 05 01 09 06 A1 01 05 07 19 E0 29 E7 15 00 25 01
 95 08 75 01 81 02 95 01 75 08 81 03 95 06 75 08
 15 00 26 FF 00 05 07 19 00 2A FF 00 81 00 25 01
 95 05 75 01 05 08 19 01 29 05 91 02 95 01 75 03
 91 03 C0

Hi, I have got a bricked k530 and fixed it using my method that I used for my k641. This is the report of this tool. If you need any more info please let me know quickly because I have to return it in three days. Thx so much for the great tool.

[device-report] Glorious Model O

Device Info

Sinowealth Device: unknown
IC Label: BY8948-00006
Product Page: https://web.archive.org/web/20220609205659mp_/https://www.gloriousgaming.com/products/glorious-model-o-black

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x0036
bootloader_size: 4096 # necessary if not default
page_size: 2048 # necessary if not default
isp_usage_page: 0xff00 # necessary if not default
isp_usage: 0x0001 # necessary if not default
isp_index: 0 # necessary if not default

Operations Tested

Read
Write

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: 46459c31e58194fa076b8ce8fb1f3eaa
Stock Firmware MD5: a16ac7d66d970b0c574870eaf7ba8302

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output

003:012:001:DESCRIPTOR         1711043772.918294
 05 01 09 06 A1 01 85 01 05 07 19 E0 29 E7 15 00
 25 01 75 01 95 08 81 02 95 06 75 08 15 00 26 FF
 00 05 07 19 00 2A FF 00 81 00 C0 06 0C 00 09 01
 A1 01 85 02 25 01 15 00 75 01 0A B5 00 0A B6 00
 0A B7 00 0A CD 00 0A E2 00 0A A2 00 0A E9 00 0A
 EA 00 95 08 81 03 0A 83 01 0A 94 01 0A 86 01 0A
 88 01 0A 8A 01 0A 92 01 0A A8 02 0A 84 01 95 08
 81 03 0A 21 02 0A 23 02 0A 24 02 0A 25 02 0A 26
 02 0A 27 02 0A 2A 02 0A B1 02 95 08 81 03 C0 06
 00 FF 09 01 A1 01 85 04 15 00 26 FF 00 09 00 75
 08 96 07 02 B1 02 C0 06 00 FF 09 01 A1 01 85 07
 15 00 26 FF 00 09 00 75 08 95 07 81 00 C0 06 00
 FF 09 01 A1 01 85 05 15 00 26 FF 00 09 00 95 05
 75 08 B1 02 C0

003:012:000:DESCRIPTOR         1711043772.921288
 05 01 09 02 A1 01 09 01 A1 00 05 09 19 01 29 05
 15 00 25 01 75 01 95 05 81 02 95 03 81 01 05 01
 09 30 09 31 16 00 80 26 FF 7F 75 10 95 02 81 06
 09 38 15 80 25 7F 75 08 95 01 81 06 05 0C 0A 38
 02 95 01 81 06 C0 C0

Device seems to enter bootloader mode but fails to find device after. The mouse will enumerate as
0603:1021 Novatek Microelectronics Corp.

I ran

sudo ./sinowealth-kb-tool read \
                 --vendor_id 0x258A \
                 --product_id 0x0036 \
                 --firmware_size 61440 \
                 --bootloader_size 4096 \
                 --page_size 2048 \
                 --isp_iface_num 1 \
                 --isp_usage_page 0xff00 \
                 --isp_usage 0x0001 \
                 --isp_index 0 \
                 --reboot false \
                 ModelO.hex

with --isp_index 0, 1 or 2 same result.

[device-report] Redragon IRELIA K658 PRO

Device Info

Sinowealth Device: SH68F90A
IC Label: BYK916
Product Page: https://redragonshop.com/products/irelia-k658-pro-90-full-transparent-keyboard

Part Info

firmware_size: 61440
vendor_id: 0x258a
product_id: 0x0049

Operations Tested

Read
Write (Linux Mint only)

Platforms Tested

linux
macos
windows

Checksums

Bootloader MD5: 3e0ebd0c440af5236d7ff8872343f85d
Stock Firmware MD5: da07d2bde42817f2c8ac51fdbe49c3d2

HID Dump

A dump from usbhid-dump, win-hid-dump or mac-hid-dump

HID Tool Output

# Redragon K658 Irelia Pro using usbhid-dump
...
001:010:001:DESCRIPTOR 1713041695.200599
06 01 00 09 80 A1 01 85 01 19 81 29 83 15 00 25
01 95 03 75 01 81 02 95 01 75 05 81 01 C0 05 0C
09 01 A1 01 85 02 19 00 2A FF 02 15 00 26 FF 7F
95 01 75 10 81 00 C0 06 00 FF 09 01 A1 01 85 03
15 00 26 FF 00 09 2F 75 08 95 03 81 02 C0 05 01
09 06 A1 01 85 04 05 07 19 04 29 70 15 00 25 01
75 01 95 78 81 02 C0 06 00 FF 09 01 A1 01 85 05
15 00 26 FF 00 19 01 29 02 75 08 95 05 B1 02 C0
06 00 FF 09 01 A1 01 85 06 15 00 26 FF 00 19 01
29 02 75 08 96 07 04 B1 02 C0 05 01 09 02 A1 01
85 07 09 01 A1 00 05 09 15 00 25 01 19 01 29 05
75 01 95 05 81 02 95 03 81 01 05 01 16 00 80 26
FF 7F 09 30 09 31 75 10 95 02 81 06 15 81 25 7F
09 38 75 08 95 01 81 06 05 0C 0A 38 02 95 01 81
06 C0 C0 06 00 FF 09 01 A1 01 85 08 15 00 26 FF
00 09 00 75 08 96 7D 01 B1 02 C0

001:010:000:DESCRIPTOR 1713041695.202649
05 01 09 06 A1 01 05 07 19 E0 29 E7 15 00 25 01
95 08 75 01 81 02 95 01 75 08 81 03 95 06 75 08
15 00 26 FF 00 05 07 19 00 2A FF 00 81 00 25 01
95 05 75 01 05 08 19 01 29 05 91 02 95 01 75 03
91 03 C0
...

[bug] Custom vendor read mode - Device Not Found

Hello. I tried to read firmware from Redragon CASTOR PRO (K631RGB-PRO-BRW) and I got this error:

As you can see, my device was displayed in the "list" command, but when I tried to read it, it failed. I tried to use the "firmware-size" argument instead of the "part" argument, but it also failed. Can you give me advice on why it completed unsuccessfully and what the "firmware-size" argument means? Where can I get this value? Thanks.

[device report] Royal Kludge RK100

pub const PART_ROYALKLUDGE_RK100: Part = Part {
    firmware_size: 61440, // 61440 until bootloader
    bootloader_size: 4096,
    page_size: 2048,
    vendor_id: 0x258a,
    product_id: 0x0056,
};

INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x0056
INFO  [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Retrying... Attempt 2/10
INFO  [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x0056
INFO  [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO  [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO  [sinowealth_kb_tool::isp] Connected!
INFO  [sinowealth_kb_tool::isp] Enabling firmware...
INFO  [sinowealth_kb_tool::isp] Reading...
INFO  [sinowealth_kb_tool] MD5: cfc8661da8c9d7e351b36c0a763426aa

Product URL: http://en.rkgaming.com/product/14/
This is the RGB variant of the product, but I suspect that the backlit and the Pro variants of the product are using the same mcu. (I'd have to check their firmware updaters to be sure)

I note that the bootloader md5 is the same as the Xinmeng K916, but I don't remember the precise label on the mcu at this time.

Side note: Couldn't put the keyboard into ISP mode while within Windows, the 05 75 ... report would never get sent. USB captures in Wireshark seem to corroborate this. (The vendor's firmware updater binary wouldn't detect either)

Possibly similar issue to #15

[device-report] Royal Kludge RK71

INFO [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x00ea
INFO [sinowealth_kb_tool::isp] Found regular device. Entering ISP mode...
INFO [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO [sinowealth_kb_tool::isp] Retrying... Attempt 2/10
INFO [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x00ea
INFO [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO [sinowealth_kb_tool::isp] Retrying... Attempt 3/10
INFO [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x00ea
INFO [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO [sinowealth_kb_tool::isp] Retrying... Attempt 4/10
INFO [sinowealth_kb_tool::isp] Looking for vId:0x258a pId:0x00ea
INFO [sinowealth_kb_tool::isp] Regular device didn't come up...
INFO [sinowealth_kb_tool::isp] Regular device not found. Trying ISP device...
INFO [sinowealth_kb_tool::isp] Connected!
INFO [sinowealth_kb_tool::isp] Enabling firmware...
INFO [sinowealth_kb_tool::isp] Reading...
INFO [sinowealth_kb_tool] MD5: e5277ac8658db28e33b3542aa06e4136

not tested writing

carlossless / sinowealth-kb-tool Goto Github PK

sinowealth-kb-tool's Introduction

sinowealth-kb-tool

Disclaimer

Usage

Reading

Writing

Supported Hardware

Keyboards

Mice

Bootloader Support

Platforms

Prerequisites

Linux

macOS

Acknowledgments

Footnotes

sinowealth-kb-tool's People

Contributors

Stargazers

Watchers

Forkers

sinowealth-kb-tool's Issues

Device Info

Part Info

Operations Tested

Platforms Tested

Device Info

Part Info

Operations Tested

Platforms Tested

Checksums

HID Dump

Other Outputs

Device Info

Part Info

Operations Tested

Platforms Tested

Checksums

HID Dump

Device Info

Part Info

Operations Tested

Platforms Tested

Checksums

HID Dump

Device Info

Part Info

Operations Tested

Platforms Tested

Checksums

HID Dump

Exhibit 1 - no LJMP at 0xEFFB

Device Info

Part Info

Operations Tested

Platforms Tested

Checksums

HID Dump

Device Info

Part Info

Operations Tested

Platforms Tested

Checksums

HID Dump

Device Info

Part Info

Operations Tested

Platforms Tested

Device Info

Part Info

Operations Tested

Platforms Tested

Checksums

HID Dump

Device Info

Part Info

Operations Tested

Platforms Tested

Checksums