December 6th, 2014

Next Meetup

• Mid-End of January
• Usual Saturday @ 1 PM
• Massdrop will host @ new HQ

​

• If anyone is in SJ, I’m happy to drink and talk keyboards :D
• Though I’m basically gone for the rest of Dec.

Agenda

• Infinity Keyboard
• KLL - Keyboard Layout Language
• Kiibohd Firmware Status
• Keyboard Protocol Conversion

Infinity Keyboard

• Shipping soon! Likely after Christmas.
• Signature plastics is being annoying as usual
• Bent metal case�has been difficult�to scale production

Infinity Keyboard - Configurator

• A basic version will be ready at ship time
• A GUI utility will be provided to flash the keyboard on Windows/Mac (Linux it’s easier just to command line)
• Eventually a full featured configurator will be available with all of KLLs features
• Currently you need to compile your own firmware to take full advantage
• Compiling on Mac/Linux is the easiest
• Windows is doable, but tedious to setup

KLL - Keyboard Layout Language

• Updated the spec to allow compile time configuration
• This allows control over the macro storage size
• 8, 16 and 32 bit
• It’s a trade-off of max length of a macro and how much flash memory is left on the microcontroller
• https://www.writelatex.com/read/zzqbdwqjfwwf
• I’m working adding new features to KLL though they aren’t ready to announce yet :P

Kiibohd Firmware Status

• McHCK and Teensy 2.0++/3.0/3.1 support
• Teensy 2.0 doesn’t have enough RAM for KLL though technically it will still compile :P
• Looking at supporting even larger Freescale chips
• NKRO tested working Windows/Linux/Mac
• Support for protocol conversion and matrix scanning
• With DPH, supports capsense for Model F kebyoards
• KLL

Too much text...

Need a break

​

​

​

​

​

Unisys T27-K5 3753 0482

https://www.flickr.com/photos/triplehaata/sets/72157649026523137/

Kiibohd Firmware - Planned Features

• RAM optimizations
• LED triggers
• Trigger on release
• On-the-fly macros /w export
• Backlighting
• Split keyboard support
• And some secret stuff :P
• The more I get bugged about features the sooner I’ll implement them

Keyboard Protocols

Reverse Engineering Basics

Protocol Basics

• Two types of protocols
• Parallel & Serial
• Clocking
• Clock speed is the fundamental increment of time
• Alternating value between 0 and 1
• Used to increment to the next step
• The faster the clock, the more problems there are
• Data encoding (e.g. ASCII)

http://en.wikipedia.org/wiki/Parallel_communication#mediaviewer/File:Parallel_and_Serial_Transmission.gif

​

Parallel Bus

• Uses more than 1 pin for data
• 1 pin for clocking
• Rest of the pins for data
• Pros
• Simple
• Faster than serial (in theory)
• Cons
• More pins means expensive cables

Serial Bus

• Bits are sent sequentially
• Incremented by the clock
• At minimum only 1 pin is needed
• More pins can be used to help the protocol
• Pros
• Fewer pins, cheaper cables
• Cons
• More complicated protocol

http://www.eeherald.com/section/design-guide/esmod7.html

​

​

http://www.eeherald.com/section/design-guide/esmod7.html

​

​

Keyboard Protocol Basics

• Data transmission
• Press/Hold/Release/Off
• Input (e.g. hold, LEDs)
• Key Rollover
• USB HID - Universal Serial Bus Human Interface Device
• Press/Release Model
• LED state handled by OS
• Layout handled by OS

Circuits

• Vcc/Vdd - Positive DC voltage
• Vee/Vss - Negative DC voltage (usually Gnd)
• Don’t mix these up
• Magic smoke doesn’t go back :P
• PE - Physical Earth
• Used to isolate signals, not always the same as Gnd

Circuits

• Electricity is dangerous!
• 5 V is basically harmless
• But be careful, your heart will thank me...
• Ground circuits before testing
• Ground loops are dangerous
• Always plug all test equipment and computer into the same circuit

This...looks complicated.

Pull-up / Pull-down Resistors

• http://en.wikipedia.org/wiki/Pull-up_resistor
• No voltage/floating is not the same as Gnd
• Rule of thumb
• If an output/input line doesn’t do anything
• Add a pull-up/pull-down resistor
• If the line is low, use a pull-up
• If the line is high, use a pull-down

When the protocol sucks...

• Press only, ASCII out and 1 KRO
• Give up :P
• While sort’ve workable, not worth it
• Likely only two modifiers
• Ctrl and Shift
• Cannot move them or add more
• Controller replacement is recommended

Something tells me this protocol’s gonna suck...

When the protocol sucks...

• Press, hold and NKRO, no release
• Release can be inferred! Very doable to convert.
• Press, release for modifiers, hold for others
• If the modifiers are in a good position and you don’t need more, it’s worth it to convert
• Otherwise, just replace the controller
• Press, release
• It doesn’t suck! Easy conversion

Basic Reverse Engineering Steps

• Dismantle/Clean keyboard
• Nobody wants to look at 30 year old cheetos :P
• Take pictures
• Specifically of all the microchips and the pcb traces
• If you want help from someone on the internet, you’ll need to at least have these
• Attempt to find datasheets for microchips
• Not always possible, but will make things much easier

Basic Reverse Engineering Steps

Pictures like this are useful

Basic Reverse Engineering Steps

• Find Vcc and Gnd
• Easiest is to trace back from the datasheets
• Will often tell you a voltage/voltage range
• Not always +5V
• There are other ways to determine Vcc and Gnd
• Look for connections to the case (likely Gnd)
• Often there are more Gnd pins on the connector
• Vcc usually has fewer pins than Gnd

Basic Reverse Engineering Steps

• Draw pinout diagram of connector
• http://www.kbdbabel.org/conn/index.html
• Note down Vcc and Gnd on pinout
• Attempt to power on the keyboard!
• The keyboard “might” be working
• You don’t really know
• If the keyboard has leds try pressing those keys
• It might turn on :D

Basic Reverse Engineering Steps

• Attempt to probe the pins that are unknown
• Press keys and see if anything on the scope changes
• If nothing changes
• Add pull-up/pull-down resistor (100k Ohms is good)
• Try the next pin :P
• Maybe it’s an input pin
• You’ll need to trace the pin all the way to the microcontroller to know for certain

Basic Reverse Engineering Steps

• Sometimes I don’t get past this part
• Some chip or component is bad (debugging is hard)
• External clock is required on an input pin
• Initialization sequence might be needed
• Probe original computer
• Or learn assemble and dump the ROM
• Note down whether a pin is an input or output
• If there are a lot of pins, likely parallel

Basic Reverse Engineering Steps

So many pins...

Basic Reverse Engineering Steps

• Connect the output pins to the logic analyzer
• Start recording and press some keys
• For each key press you should get an event
• This event usually generates a unique number
• The goal is to figure out what this number is
• Then apply that rule to another keypress and see if it makes sense
• Press/Release generate slightly different numbers

Basic Reverse Engineering Steps

• If serial, determine the baud/clock rate
• Good logic analyzers can give you a measurement
• Doesn’t have to be exact, but try to be close
• Look at KBD Babel for hints
• http://www.kbdbabel.org/signaling/index.html
• Once the protocol is figured out
• Time to code!
• Or figure out how to do a controller replacement...

Programming Hints

• Try to use microcontroller hardware
• UART, SPI
• Sometimes you have to “bit-bang” GPIO pins
• Be careful of interrupts
• They can screw up protocol timing requirements
• But they can simplify coding if you use them correctly

Good luck!

Now for a couple of demos :D