GK64 ISP Boot ROM

[hansemro]

@wgwoods Are you able to dump the bootrom at the memory region [0x00400000:0x00401fff] with your modified firmware? I am interested in the RE effort to eventually write a more generic (and cross-platform) ISP programmer as I have recently done for Holtek HT32s. I am aware of the file dump/BBD8-bootrom.flash, but the filesize is greater than expected and I am not sure if that is what I am looking for.

Unfortunately, I don't think a vendor DFU tool was ever publicly released that actually uses ISP protocol in the bootrom, so there are no packet dumps to analyze and I think this is the only way to proceed without direct vendor support.

Tasks:

• Dump ISP bootrom
• Annotate bootrom enough to decode commands and the packet format
• Decode ISP commands:
  • TODO

[hansemro]

Building gcc with nds v3 support: https://gist.github.com/hansemro/279be7a2ec02f1a81830f526a1773514

[hansemro]

GK68XS can reset to ISP by sending b'\x03\x03' command to IAP/CDBOOT bootloader.

keyboard mode: 1ea7:0907 SHARKOON Technologies GmbH Keyboard
IAP/CDBOOT mode: 1ea7:0905 SHARKOON Technologies GmbH CDBoot
ISP mode: 040b:6821 Weltrend Semiconductor USB Device

[hansemro]

We'll need to eventually figure out if there are other ways to enter ISP without the use of a jtag interface or from IAP...

[hansemro]

ID 040b:6821 Weltrend Semiconductor USB Device
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x040b Weltrend Semiconductor
  idProduct          0x6821 
  bcdDevice            0.01
  iManufacturer           1 .
  iProduct                2 USB Device
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0020
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
Device Status:     0x0000
  (Bus Powered)