Logitech Hack by piotr_go

PT5529B, or similar.

=========== A little logitech hacking update. ============
Some time ago, when I figured out the keyboard pairing, I released the k400. The keyboard cannot be paired. I think to myself, well, my fault.
Today I was tempted to bury more with her. It turned out that the fault was not mine, but logitech's.
Pairing data is stored in OTP (one-time programming) memory. The memory was quite small, so during the experiments it ran out quickly.
Planned aging of the product by logitech.

Nihil novi sub sole. One can try to "revive" the memory for an indefinite period of time with a thermal shock. Logitech also uses a different practice, noticeable in the USB receivers of the H600 and H800 headphones. After exceeding a certain limit, each subsequent pairing takes correspondingly longer. The receiver is not much cheaper than headphones, so the customer will buy another product.
I have the impression that the short period of memory life is also used by Sony in its portable audio products from the srs series with an integrated battery, where the charging process and of course pairing and sound adjustment are controlled by a microprocessor. At some point, the product pretends to start the charging process, signaling it with the indicator, but the actual charge controller itself is not controlled by the microcontroller. After charging the battery without the use of the processor, the product of course works perfectly fine until the battery is discharged The same applies to pairing via NFC, where after some time of use the device sends "wrong tag" but the manual connection via bluetooth still works Another thing is the lack of control of the class d amplifier, as if everything is working and the microcontroller is suddenly offended and does not send anything to the amplifier driver These, of course, are only unprovable theories, such as the long-standing case of Philips monitors.

Sas_AS wrote:

One can try to "revive" the memory for an indefinite period of time with a thermal shock.

It won't work, the memory is full, you would have to delete it, and that's only UV after exposing the structure.

Sas_AS wrote:

like the old case of philips monitors.

Some time ago I was reminded of it and I was looking for info in google but as you can see for money you can whiten.

Hello everyone,

I noticed that you guys were talking about Logitech keyboards and receivers in this thread. I have a Logitech k220 keyboard, the USB receiver does not exist anymore, but I want something else. Namely, I would like to turn it into a bluetooth keyboard. The K220 transmitter is based on the system
NRF 31504E, pictures of this circuit are on the 1st page of this thread. I would like to add that I have a bluetooth module based on bc417 - i.e. such an Arduin standard. Do any of you have an idea how to do it? Well, does anyone know how to get the output pinout of the NRF 31504E chip?

greetings
Wojtek

el_wojtaso wrote:

Well, does anyone know how to get the output pinout of the NRF 31504E chip?

I suspect that it is the same as nrf24LE1, but the OTP version programmed specifically for Logitech.
You will not reprogram it, even if you change it to flash version, the radio has nothing to do with BT except transmission band.

So there is nothing to dream about "catching" RX / TX signals from the keyboard board? Because in the intention, a separate module would be responsible for broadcasting BT.

el_wojtaso wrote:

So there is nothing to dream about "catching" RX / TX signals from the keyboard board?

Nothing of that. Even if the radio is in a separate chip, the data is encrypted.

@piotr_go I am thinking about a project in which I would like to use a Logitech K270 keyboard plate to convert another keyboard (wired) to a wireless one.
I see that the layout of the matrix for multiplexing keys is completely different than in the K270, so I thought that maybe I could reprogram the NRF31504E to the K270 (or at least change the matrix notation in the binary image).
From your experience - do you see any serious blockers of this task (apart from the lack of source code)?
Do you have any more NRF31504E documentation or other materials that could help me upload an image, modify it and burn it again?
Thanks for your help and congratulations on a very interesting research

The NRF31504E is probably the ROM version of some SoC Nordic, programmed at the factory.
It cannot be reprogrammed, and you will not find the program anywhere (rom versions do not have updates).
It remains for you to design your transmitter from scratch.