Hacking the NuPhy Air60 keyboard: part 1

Not too long ago, I got a NuPhy Air60 keyboard. I got it because I think it looks great! It has a mostly aluminum body, low profile switches along with low profile keycaps, switch sockets so that they can be removed without soldering, 2.4G wireless alongside Bluetooth, and RGB backlighting (yay?). Great right? I think so.

keyboard

What's not great about it is its software and its firmware. NuPhy has a Windows-only tool to configure the keyboard and from what I can tell it's very limited in what sort of key combinations it can support... For a long time, I've been using a GH60 with QMK until it broke on me and since then I've been mostly using Apple keyboards.

So I opened up the keyboard and when I was greeted with an IC that was labeled only with a "BYK916" I knew that this won't be easy... There was barely any information about chips like this. Seemingly Chinese companies would use this sort of labeling to hide away hardware implementation details or make their own custom packages, but I can't tell for sure.

BYK916

I tried looking for any info online and on my first try I found nothing... A little bit of time passed and I tried again - this time there was a reddit post mentioning that a package like this was found in another keyboard and is actually a relabeled Sinowealth SH68F90. Interesting! But it's still a dead end for me since I don't have any tools to program these chips. On my third try, I was lucky enough to find gashtaans sinowealth-8051-dumper which supported my MCU. I didn't own any Arduinos by this point, so I set out to buy a Nano, and along the way I also learned about the existence of the ATmega328P clone LogicGreen LGT8F328P, but I digress...

I set up my Arduino with the dumper firmware and was able to semi-successfully read firmware. Nice!

flash dumping setup

After a bit of rummaging through datasheets, buying a Sinolink programmer off of Taobao, and consulting others interested in this hardware I eventually figured out that I could use the already built-in ISP mode to upload my own firmware via USB, with no additional hardware needed. After a bit of sniffing and analyzing NuPhy's firmware update utility, I started building my own tool and...

I present you the sinowealth-kb-tool!

The tool is not only capable of replacing the existing device firmware but also reading it completely verbatim. Also, while working on the tool I became familiar with different variations of this bootloader in other keyboards out there in the wild and I hope to add support for more of them in the future!

Many thanks to @gashtaan for the dumper and @swiftgeek for his documentation efforts!

Now on to writing some firmware... See you in the next part!


Comments