A utility for reading and writing flash contents on Sinowealth 8051-based devices (keyboards and mice) since they all seem to have similar ISP bootloaders.
This is an experimental tool, so use it at your own risk.
<firmware_size-5> if it's not already present there. When this opcode is set, the bootloader considers the main firmware enabled and jumps to it when the device is powered on. This opcode should already be set on most devices and therefore the read operation should not cause any issues.
0x0001 - 0x0002 to <firmware_size-4> - <firmware_size-3>. Because of this, the produced payload will be different from how memory is actually laid out in the MCU flash.
# reads firmware excluding isp bootloader
sinowealth-kb-tool read -p nuphy-air60 foobar.hex
# reads only isp bootloader section
sinowealth-kb-tool read -p nuphy-air60 -b bootloader.hex
# full dump including firmware and bootloader
sinowealth-kb-tool read -p nuphy-air60 --full full.hex
# custom device
sinowealth-kb-tool read \
--firmware_size 61440 \
--bootloader_size 4096 \
--page_size 2048 \
--vendor_id 0x05ac \
--product_id 0x024f \
foobar.hex0x0001-0x0002 to <firmware_size-4> - <firmware_size-3>.
# overwrites firmware (does not touch the bootloader section)
sinowealth-kb-tool write -p nuphy-air60 foobar.hex
# custom device
sinowealth-kb-tool write \
--firmware_size 61440 \
--bootloader_size 4096 \
--page_size 2048 \
--vendor_id 0x05ac \
--product_id 0x024f \
foobar.hex| Keyboard | ISP MD5 | MCU | MCU Label | Tested Read | Tested Write |
|---|---|---|---|---|---|
| NuPhy Air60 | 3e0ebd0c440af5236d7ff8872343f85d | SH68F90A | BYK916 | ✅ | ✅ |
| NuPhy Air75 | 3e0ebd0c440af5236d7ff8872343f85d | SH68F90A | BYK916 | ✅ | ❓ |
| NuPhy Air96 | 3e0ebd0c440af5236d7ff8872343f85d | SH68F90A | BYK916 | ✅ | ❓ |
| NuPhy Halo65 | 3e0ebd0c440af5236d7ff8872343f85d | SH68F90A | BYK916 | ✅ | ❓ |
| Terport TR95 | 2d169670eae0d36eae8188562c1f66e8 | SH68F90A | BYK916 | ✅ | ❓ |
| Redragon K617 FIZZ 60% | 2d169670eae0d36eae8188562c1f66e8 | SH68F90A | BYK916 | ✅ | ❓ |
| Redragon K614 Anivia 60% | 2d169670eae0d36eae8188562c1f66e8 | SH68F90A | BYK916 | ✅ | ✅ |
| Xinmeng K916 | cfc8661da8c9d7e351b36c0a763426aa | SH68F90 | ❓ | ✅ | ✅ |
| Hykker X Range 2017 (RE-K70-BYK800) | 13df4ce2933f9654ffef80d6a3c27199 | SH68F881 | BYK801 | ✅ | ❓ |
To enable running this tool without superuser privileges add the following udev rule with xxxx and yyyy replaced with your device Vendor ID and Product ID respectively.
# /etc/udev/rules.d/plugdev.rule
SUBSYSTEMS=="usb", ATTRS{idVendor}=="xxxx", ATTRS{idProduct}=="yyyy", MODE="0660", GROUP="plugdev"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0603", ATTRS{idProduct}=="1020", MODE="0660", GROUP="plugdev"
Make sure your user is part of the plugdev group.
Thanks to @gashtaan for analyzing and explaining the inner workings of the ISP bootloaders. Without his help, this tool wouldn't be here!