HT32 Unlocking

Charlie Waters edited this page Mar 14, 2017 · 2 revisions

The Holtek HT32 variants (1654, 1655, 1755) that are used in a number of popular keyboards (Vortex, Cooler Master, KBP) ship with the flash security bits enabled, which prevents the flash from being read or modified with a JTAG tool. In order to debug or repair the firmware on these keyboards, the use of a JTAG tool is essential.

Once the firmware and bootloader have been extracted from a particular keyboard by other means, we are able to disable these security bits. This is done by mass-erasing the internal flash, then re-writing the bootloader. Once the bootloader is in place, the USB update protocol can be used to flash the main firmware.

With a hardware debugger supporting SWD connected to the 5-pin debug header on the keyboard (see the wiki page for your keyboard), OpenOCD patched with HT32 flash support can be used to erase and write flash.

In the OpenOCD telnet prompt, type:

> ht32f165x mass_erase 0
ht32f165x probe: 64 pages, 0x400 bytes, 0x10000 total
ht32f165x mass erase complete

> flash write_image ../disassemble/pok3r_rgb/builtin_rgb/firmware_builtin_rgb.bin 0
ht32f165x probe: 64 pages, 0x400 bytes, 0x10000 total
wrote 8848 bytes from file ../disassemble/pok3r_rgb/builtin_rgb/firmware_builtin_rgb.bin in 118.387001s (0.073 KiB/s)

Make sure you use the correct bootloader file for your keyboard. Now, the keyboard will boot to the bootloader, and pok3rtool can be used to upload the main firmware.
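
A pre-flight check to run on the image file before `flash write_image`, added here as an example; it is not part of the original wiki, OpenOCD or pok3rtool. The flash geometry is taken from the probe output above. It assumes the image is written at address 0 and starts with a Cortex-M vector table, and the function name `preflight` is hypothetical.

```python
import struct

# Geometry from the probe output above: 64 pages * 0x400 bytes = 0x10000.
PAGE_SIZE = 0x400
FLASH_SIZE = 64 * PAGE_SIZE
# Assumption: ARMv7-M architectural SRAM region, where the initial stack must live.
SRAM_START, SRAM_END = 0x20000000, 0x40000000


def preflight(image: bytes) -> dict:
    """Sanity-check an image destined for flash offset 0; raise ValueError if implausible."""
    if len(image) < 8:
        raise ValueError("too short to contain a vector table")
    if len(image) > FLASH_SIZE:
        raise ValueError(f"{len(image)} bytes does not fit in {FLASH_SIZE:#x} bytes of flash")
    # Assumption: the image starts with a Cortex-M vector table
    # (word 0 = initial stack pointer, word 1 = reset handler), little-endian.
    initial_sp, reset = struct.unpack_from("<II", image, 0)
    if not (SRAM_START <= initial_sp < SRAM_END) or initial_sp % 4:
        raise ValueError(f"initial SP {initial_sp:#010x} is not an aligned SRAM address")
    if not reset & 1:
        raise ValueError(f"reset vector {reset:#010x} lacks the Thumb bit")
    handler = reset & ~1
    # Flash is mapped at 0, so the handler address is also its offset in the image.
    if not 8 <= handler < len(image):
        raise ValueError(f"reset handler {handler:#010x} lies outside the image")
    pages = -(-len(image) // PAGE_SIZE)  # ceiling division
    return {"pages": pages, "initial_sp": initial_sp, "reset_handler": handler}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # Constructed sample, not a real bootloader: plausible vectors padded
        # to the 8848-byte size seen in the transcript.
        data = struct.pack("<II", 0x20004000, 0x00000101).ljust(8848, b"\x00")
    print(preflight(data))
```

Passing this check only shows that the file is shaped like a bootable image for this flash size; it does not confirm that it is the bootloader for your particular keyboard.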
