IBM LPFK reverse engineering

Philip Pemberton classiccmp at
Sun Aug 17 02:15:26 CDT 2008

I've just been playing around with the LPFK again.

In loopback mode, it seems to actively send data out of the 8051's serial 
port, then loop it back through. I've caught it sending data at 9600 Baud, 
apparently 8 bit data with a parity bit:

Keys numbered left to right, top to bottom:
   Key	Binary data
   #11	S_0101_0000_1
   #14	S_1011_0000_0

Format: StartBit_D0-D3_D4-D7_Parity

It appears that keys are numbered from zero, odd parity.

Of course this doesn't really help with the "active" mode. I suspect the 
loopback switch is being used to toggle a GPIO, and redirect TXD to RXD somewhere.

In "active" mode, sending a serial BREAK causes the LPFK to reset itself. 
Sending "SFFFFFFFF" followed by an LF causes the LEDs to blink once, then shut 

I don't think there's much that can be done with the LPFK without desoldering 
the 8051 chip and reading out the program. Catch is, the chip has probably had 
its encryption table programmed, and probably the lock bits as well...

classiccmp at

More information about the cctech mailing list