IBM LPFK reverse engineering
Michael B. Brutman
mbbrutman-cctalk at brutman.com
Sun Aug 17 10:56:38 CDT 2008
Philip Pemberton wrote:
> I've just been playing around with the LPFK again.
> In loopback mode, it seems to actively send data out of the 8051's
> serial port, then loop it back through. I've caught it sending data at
> 9600 Baud, apparently 8 bit data with a parity bit:
> Keys numbered left to right, top to bottom:
> Key Binary data
> #11 S_0101_0000_1
> #14 S_1011_0000_0
> Format: StartBit_D0-D3_D4-D7_Parity
> It appears that keys are numbered from zero, odd parity.
> Of course this doesn't really help with the "active" mode. I suspect the
> loopback switch is being used to toggle a GPIO, and redirect TXD to RXD.
> In "active" mode, sending a serial BREAK causes the LPFK to reset
> itself. Sending "SFFFFFFFF" followed by an LF causes the LEDs to blink
> once, then shut off.
> I don't think there's much that can be done with the LPFK without
> desoldering the 8051 chip and reading out the program. Catch is, the
> chip has probably had its encryption table programmed, and probably the
> lock bits as well...
I'm kind of glad that somebody else has replicated my frustration, but
now what? (I've spent many hours on this, but I don't know the 8051 at
all .. I've been debugging with a light box.)
Are we just missing the magic bytes to send to it to get it talking when
in 'active' mode?
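
Added example, not part of the original posts: a decoder for the loopback frames quoted above, which checks that both captures fit zero-based key codes with odd parity. It assumes the `StartBit_D0-D3_D4-D7_Parity` notation lists bits in wire order (D0, the least significant bit, first); the function names are hypothetical.

```python
"""Decode LPFK loopback frames written as StartBit_D0-D3_D4-D7_Parity."""

# Frames as quoted in the post above, keyed by the 1-based key number given there.
CAPTURED = {11: "S_0101_0000_1", 14: "S_1011_0000_0"}


def decode_frame(text):
    """Return (zero_based_code, parity_ok) for one captured frame string."""
    parts = text.strip().split("_")
    if len(parts) != 4 or parts[0] != "S":
        raise ValueError(f"not in S_dddd_dddd_p form: {text!r}")
    bits = parts[1] + parts[2]
    parity = parts[3]
    if len(bits) != 8 or len(parity) != 1 or set(bits + parity) - {"0", "1"}:
        raise ValueError(f"bad bit field in {text!r}")
    # Assumption: bits are listed in wire order, D0 (least significant) first.
    code = sum(1 << i for i, b in enumerate(bits) if b == "1")
    # Odd parity: data bits plus the parity bit hold an odd number of ones.
    parity_ok = (bits + parity).count("1") % 2 == 1
    return code, parity_ok


def encode_frame(code):
    """Build the frame string expected for a zero-based key code (0-255)."""
    if not 0 <= code <= 0xFF:
        raise ValueError("code must fit in 8 bits")
    bits = "".join("1" if (code >> i) & 1 else "0" for i in range(8))
    parity = "0" if bits.count("1") % 2 == 1 else "1"
    return f"S_{bits[:4]}_{bits[4:]}_{parity}"


if __name__ == "__main__":
    for key_number, frame in CAPTURED.items():
        code, ok = decode_frame(frame)
        print(f"key #{key_number}: code {code} (0x{code:02X}), "
              f"odd parity {'ok' if ok else 'BAD'}, "
              f"zero-based match: {code == key_number - 1}")
```
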