Enter BSL with fn + F1 + F4

Compile a small C function for checking pressed keys and entering BSL
(Bootloader) mode and add the code to the end of the original binary. Call the
function from the code checking fn + F* keys.

Makefile

@@ -31,9 +31,14 @@ main.o: section_data_patch.bin section_isr.bin
 	--change-section-address .vectors=0xff80 \
 	--set-start 0x8000 section_data_patch.bin $@
 
+build/enter_bsl.o: shellcode/enter_bsl.c
+	@echo "Compiling shellcode..."
+	$(QUIET)msp430-gcc -Os -mmcu=msp430f5510 -c $< -o $@
+
 # The main.o is an relocatable elf which we convert to an actual elf
-# for IDA to like it
-main.elf: main.o
+# for IDA to like it. Also link in our own objects
+main.elf: build/main.o enter_bsl.o
+	@echo "Create main.elf..."
 	$(QUIET)msp430-gcc -O0 -mmcu=msp430f5510 \
 	-Wl,--section-start=.text=0x8000 \
 	-Wl,--entry=0x9ca6 \

patch.py

@@ -1,3 +1,7 @@
+#
+# Script for patching Novatouch TKL firmware. Will switch the caps
+# lock key to ctrl and change places of backspace and \.
+#
 import md5
 import argparse
 
@@ -61,7 +65,7 @@ scancode_table2 = [0x00, 0x35, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23,
 key_id_ctrl = 17
 key_id_caps = 20
 key_id_backspace = 112
-key_id_backslash = 108
+key_id_backslash = 117
 
 # Hex offsets to scancode tables in the raw original fw. These tables
 # will be overwritten by our modified tables above
@@ -94,6 +98,16 @@ def original_fw_valid(path):
         m.update(orig.read())
         return m.hexdigest() == orig_fw_md5
 
+def write_jump_to_bsl():
+    '''Make fn + F1 + F4 jump to BSL (firmware update mode)'''
+    # Replace mov instruction with a call to our own code for checking
+    # which F keys are currently pressed. If fn + F1 + F4 is pressed
+    # jump to 0x1000 (BSL entry addr).
+
+    # bytecode for asm 'call 0xa780; nop'
+    dest.seek(0x83a)
+    dest.write('b01280a70343'.decode('hex'))
+
 if __name__ == '__main__':
     # Remap caps to ctrl
     scancode_table1[key_id_caps] = scancode_table1[key_id_ctrl]
@@ -126,3 +140,5 @@ if __name__ == '__main__':
             dest.seek(string_table_offset)
             for text in usb_hid_strings:
                 write_usb_string(dest, text)
+
+            write_jump_to_bsl()

shellcode/enter_bsl.c

@@ -0,0 +1,26 @@
+#include <intrinsics.h>
+#include <msp430f5510.h>
+
+// Declare pointers to variables we access in Novatouch fw
+unsigned char* const repeat_flags = (unsigned char*)0x2404;
+unsigned char* const repeat_rate = (unsigned char*)0x252f;
+unsigned char* const num_for_7x_c1 = (unsigned char*)0x2530;
+
+void check_bsl_enter() {
+    // We just replaced this copy to get here, perform it here instead
+    // (although it seems to be redundant because it is never actually
+    // read)
+    *num_for_7x_c1 = *repeat_rate;
+
+    // Enter BSL if fn + f1 + f4 is pressed
+    if (*repeat_flags & 0x9) {
+        __dint();
+        // Maybe need to slow down clock to 8 MHz also, not sure what
+        // is configured by Novatouch fw
+        USBKEYPID = 0x9628;
+        USBCNF &= ~PUR_EN;
+        USBPWRCTL &= ~VBOFFIE;
+        USBKEYPID = 0x9600;
+        ((void (*)())0x1000)();
+    }
+}