It is based on the wor on DK63 from smp4488.

VID 0x05AC

PID 0x024F

VID 0C45 is not used for this keyboard therefore for uploading the firmware via USB interface, it is needes to update the VIC and PID to the above.

For default flashing: Bus 001 Device 006: ID 0c45:7044 Microdia.

or Bus 001 Device 011: ID 0c45:7040 Microdia

For keyboard: Bus 001 Device 009: ID 05ac:024f Apple, Inc.

This project is to reverse engineer the Kmove / DIERYA DK63 to get QMK running on it. Use this information at your own risk. I'm not liable if you break something.

• Vendor Page
• Firmware Download
• User Manual
• Reddit Post
• BlitzWolf KB1 Downloads
• BlitzWolf Suppourt

• Identify MCU VS11K09A-1 / Sonix SN32F248BF
• Find data sheet VS11K09A-1 / Sonix SN32F248B
• Find SDK and dev tools
• Get SWD working
• Ability to flash firmware
• Get origional firmware
• Enable SWD in current firmware
• Port Chibios to Sonix SN32F248BF porting guide
  • Get compiler to work with SN32F248BF Keil packs
  • USB LLD
  • GPIO LLD
  • UART LLD
  • Timers LLD
  • SPI LLD
  • I2C LLD
• Get QMK firmware working
  • Basic keyboard functionality Build Tools
  • RGB Leds and animations VSPW01 RGB Matrix
  • Bluetooth PAR2801QN-GHVC docs
• Dump origional bootloader

• Download this flashing software for windows: SONiX_USB_MCU_ISP_Tool_V2.3.1.7-.zip

• Put your keyboard in boot/recovery/flash mode via connecting boot pin to ground before connecting the keyboard via USB.

• Then flash the binary via the software after setting the following configuration:

• Main MCU - EVision VS11K09A-1, Seems to be based on the Sonix SN32F248BF
• Bluetooth - !TON PXI Pixart PAR2801QN-GHVC
  • FCC Doc
  • PAR2801QN-GHVC
• LED driver Charging Chip - EVision VSPW01

1. Hookup SWCLK, SWDIO, and Ground using the testpoints outlined below
   • Note: These pins are being use by the MCU to control functionality. Im tyring to enable SWD in the default firmware to debug without Debug Recovery Mode.
2. Hookup the other ends of the wires to your debugger. I used a Raspberry PI 3 and the ST-Link V2.
3. Using the ground point hold the boot pin to ground while turning on the power.

Keyboard Layout www.keyboard-layout-editor.com

They seem to be driven by GPIO and transistors.

• Figure out pin map and matrix
• Caps lock LED

Appears to be an another ARM Cortex M0 MCU with UART and GPIO.

• SWD debugging
• Pin map to main MCU

1. Download Resource Hacker (Not sure of a mac or linux variant)
2. Download Firmware Update tool
3. Extract the firmware .rar and open the .exe in RH
4. Look for RCData 4000:0, this is the hex file of the firmware
5. Right click on 4000:0 and choose Save Resource to BIN file
6. Save the firmware so it can be examined or uplodaded.

1. Download the USB MCU ISP tool
2. Open the program and click load file.
3. Select SN32F4xB and then the firmware file.
4. The VID should alread be 0C45 and enter 766B for the PID.
5. Click Start
6. Profit!

• I was not able to get this to work with the st-link software on windows.
• I did manage to get it to work with openocd using this config
• Working on the SN32F24X config here

• Coretex M0 Exploit
• Keil ROM Self-Test Checksum

1. set $pc=0x1FFF0301
2. cont

• Docker Machine on OS X

• Ghidra
• SVD-Loader for Ghidra automates the entire generation of peripheral structs and memory maps for over 650 different microcontrollers
• Binary Ninja
• Cutter
• radare2
  • Disassembling arm binary using radare2
• Wireshark USB caprture
• Firmware patch framework nexmon
• ARM Assembly Tutorial

Firmware Updater Executable Analysis https://www.hybrid-analysis.com/sample/21cf79c4f5982e0d73e8269c03a043f16898292920074491d5452eea5155e1eb?environmentId=100

VS11K09A-1 VS 32-Bit Cortex-M0 Micro-Controller http://evision.net.cn/include/upload/kind/file/20190413/20190413174647_5965.pdf

DEF CON 26 IoT VILLAGE - Dennis Giese - How to modify ARM Cortex M based firmware A step by step app https://www.youtube.com/watch?v=Qvxa6o2oNS0

BalCCon2k16 - Travis Goodspeed - Nifty Tricks for ARM Firmware Reverse Engineering https://www.youtube.com/watch?v=GX8-K4TssjY

Getting STLink V2 Serial Number https://armprojects.wordpress.com/2016/08/21/debugging-multiple-stm32-in-eclipse-with-st-link-v2-and-openocd/

SUE 2017 - Reverse Engineering Embedded ARM Devices - by pancake https://www.youtube.com/watch?v=oXSx0Qo2Upk

Analyzing Keyboard Firmware https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-2 https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-3

Hacking the fx-CP400 https://the6p4c.github.io/2018/01/15/hacking-the-gc-part-1.html

Raspberry PI OpenOCD SWD / JTAG https://iosoft.blog/2019/01/28/raspberry-pi-openocd/

OpenOcd Creating Flash Drivers https://github.com/doctek/COOCDFlash/wiki/Creating-and-using-flash-drivers

Stack Exchange ARM Firmware Reverse Engineering Walkthrough https://reverseengineering.stackexchange.com/questions/15311/running-a-binary-identified-as-an-arm-excutable-by-binwalk-disasm/15317 https://reverseengineering.stackexchange.com/questions/15006/approach-to-extract-useful-information-from-binary-file

QMK Nuvoton Port PR [qmk/ChibiOS-Contrib#10]

• https://docs.qmk.fm/
• https://github.com/qmk/qmk_firmware/blob/ee700b2e831067bdb7584425569b61bc6329247b/tmk_core/protocol/chibios/README.md
• http://wiki.chibios.org/dokuwiki/doku.php?id=chibios:guides:port_guide
• https://github.com/ChibiOS/ChibiOS/tree/14f274991fc85b70dd4294c482f6d4ce79e72339/os/hal/boards/OLIMEX_MSP430_P1611
• http://www.sonix.com.tw/article-en-998-21393
• https://ydiaeresis.wordpress.com/2018/04/23/i-dont-steal-bikes-part-2/
• https://interrupt.memfault.com/blog/cortex-m-fault-debug#registers-prior-to-exception
• https://github.com/bnahill/PyCortexMDebug
• http://zuendmasse.de/blog/2018/01/21/gdb-+-svd/
• https://mcuoneclipse.com/2018/01/27/converting-a-raw-binary-file-into-an-elf-dwarf-file-for-loading-and-debugging/
• https://mcuoneclipse.com/2019/05/26/reverse-engineering-of-a-not-so-secure-iot-device/