Mistel Boroco MD600 Support/Unbricking

[ghost]

Hi,
Long story short, my USB port got disconnected while updating which left the kb unusable for a year.
After opening it up, I found that it has the same MCU and SPI flash as the Pok3r RGB, so I went ahead, used OpenOCD on rpi and flashed pok3r rgb bootloader, and now pok3r tool recognize it.
Flashing pok3r rgb firmware works, but of coarse layout messed, no rgb leds on, second split isn't working so the next step was to extract the firmware from the original updater (which i failed to find where vid/pid is stored before flashing p3rrgb bootloader).
I modified the pok3r-rgb installer checsum in the decoder function of pok3rtool, and was able to decode succesfully(?)

When I flash it, I get Checksum Error:

I'm not very experienced or knowledgeable, so I tried trimming the bin exactly as the pok3r-rgb size (both had a difference of ~50 bytes only) just to see if it's sizing issue but the issue remained, I'm completely lost now.

Thank you for your effort on this project.

[ChaoticEnigma]

Ah, so now I have the firmware for another keyboard. Goood...

So, that all looks good, just about what I'd expect. It looks like the updater package uses the same format as the Pok3r RGB, and they all use the same XOR key (lol).

Here's the snag you hit: most of the different bootloaders check for a specific word in the downloaded firmware, and the CRC routine returns 0 when it isn't there. The Pok3r RGB bootloader expects:

00000403 01000034 04000200

And the MD600 firmware has:

C0200403 01000034 04000200

This is located at 0x3bf8 in flash, which is offset 0x7f8 in the .bin file pok3rtool decode spits out. The easiest thing to do would be to just change that word in the firmware file (not the bootloader), and the bootloader should be happy.

Don't mess with the size of the firmware file, the CRC will always be wrong. The flash in these chips is also spotty, so if the CRC fails the first time you try to write it, try a few more times.

Out of curiosity, did you figure this out from the HT32 Unlocking wiki page? Did you use openocd-ht32? You got pretty far on your own!

[ghost]

Thanks a lot! It worked and now the keyboard is alive again! You saved me a hefty ~200 USD as Mistel refused to fix it.
Yes I used your openocd fork with RPi GPIO interface configuration and SWD on the headers in the following picture (CN2 with SEL2 shorted before powering up):

Unfortunately I could not dump the existing bootloader, I blame myself for not referencing this issue early here as I could have kept the bootloader intact and help others use this tool without reflashing bootloader, however I'm willing to dump the second keyboard part if it helps (left side) although it has different PID.
Here are some reference pics:


I'm not sure how to contribute (help adding support) without having a confirmation from other MD600 users that the Pok3r tool with pid modification (pok3r-rgbb) works ok, mine didn't even enter bootloader(IAP) mode after brick.
Some info:
PID after bootloader: 0143
PID before bootloader (mistel stock): 1143

For some reason, the mini USB port on my left side split does not work and thus I can't confirm that it works on the left split a swell.
Now to change the SPI flash as its the main reason why I updated the firmware before I tested the defective SPI flash for memory retention. Keyboard settings are not persistent, its a common issue with this keyboard as it seems to rewrite the entire block on every small setting change, or the flash is a lemon.
I'm willing to help as much as I can.
Edit1: Settings are now persistent after replacing the SPI flash from a $1.1 ESP-01 ESp8266 board that happens to have the same SPI flash family and package (*1Mb version) as its difficult to source discrete chips from where I live (not worth the shipping):


Edit2: *Turns out the replacement is 1MB as opposed to advertised 4MB, but it seems to work completely fine(32Mbit compared to original 4Mbit). I've been sold the wrong ESP-01s!

[ChaoticEnigma]

That's great, glad you got it working. Cool you were able to replace the SPI flash too. I'm not very familiar with split keyboards, are you supposed to be able to connect the host to the mini USB on either half? But that doesn't work on your left half? You said the PID is different on the left half, do you know what it is? That's odd, because there's only firmware for the right half (PID 0143) in the updater.

I expect what happened with your keyboard is the main firmware image was corrupted, but for some reason the updater enabled the firmware anyway (it writes a header before the image, the bootloader won't boot without it). The bootloader is dumb, it will happily jump into corrupted firmware if the header is present. This sucks because it will never enter IAP mode again, and the keyboard is effectively bricked.

Don't worry about the bootloader, I don't think there was any way to get it. My bootloader exploit requires cracked firmware to be downloaded by the bootloader, so it doesn't work on a bricked board. (Which is why I have a KBP V80 using a KBP V60 bootloader. Sound familiar?)

Also, fun fact: turns out the Vortex Numpad / Switch Tester I've been trying to crack forever is actually just an MD200 in a different case. So now I have the firmware for it! Thanks for pointing me towards Mistel.

[ghost]

Unfortunately I did not note the PID on the left side before bricking, it seems that the left side has the exact MCU as the right, without SPI flash, its probably slave only as it behaved very basic as master (Left side behavior connection results in a basic keyboard without backlight, no macro nothing) but even that does not seem to work for some reason after this fix, not sure if its the bootloader, maybe right side starts at different flash location address when the left side powers up and work as master? Either way I'm not sure why mistel even bothered adding that port considering that all functions do not work (nor backlight)
Left side does not work independently without connection to the right side.
Left side never got an update.
I do not have an oscilloscope (yet) to analyze the communication between.

That makes a lot of sense about the bricked firmware behavior.

Haha glad it worked out for you!

Interesting fact about the MD200, glad I helped in someway :)

Quote from updated manual:

The right side is the « master » side, this one must be plugged to both your
computer and the left side if you want to access the programming features
on both halves. The left side of the keyboard can be used alone (connected
to your computer but not to the right side of the keyboard) but this
conguration doesn’t allow you to use the programming features.
Note that you cannot use the entire keyboard if the left side is directly
connected to your computer. If the left side is connected to the right side and
the left side connected to your computer, only the left side will work.

[ChaoticEnigma]

Skimming through the documentation, it looks like you're right about the left side, which is disappointing. But looking at some pictures in this review, it looks like there is a SPI flash IC on the left side? Maybe they planned for a dual-master setup, and couldn't get it working in firmware?

Just as a tip, you don't need an oscilloscope to analyze digital signals, for that you'd usually use a logic analyzer, which you can get for <$100. In this case, we have the master firmware, so I'd probably go about disassembling that first.

I've added support for the MD200 and MD600 to pok3rtool, and your keyboard seems to be up and running, so I'll close this issue. Cheers!

[ghost]

I think you meant the left side? (As I mentioned that it doesn't have one) Yes there is not any, maybe early version? Mine has the pads though. I'm surprised the review has one.

Thanks for the help, glad its supported now :)
Edit1: Just realized the review is recent, very odd. I'm not sure what the flash would be serving anyways,

[ChaoticEnigma]

Yes, I meant left side. Okay, so yours is depopulated. Makes sense if they didn't use it.

[ghost]

Left Side USB description: (only works when the bridging cable is disconnected, probably different bootloader caused this)

Connection Status        : 0x01 (Device is connected)
Port Chain               : 1-3-3
Properties               : 0x01
 IsUserConnectable       : yes
 PortIsDebugCapable      : no
 PortHasMultiCompanions  : no
 PortConnectorIsTypeC    : no
ConnectionIndex          : 3
CompanionIndex           : 0
 CompanionHubSymLnk      : U
 CompanionPortNumber     : 3

      ======================== USB Device ========================

        +++++++++++++++++ Device Information ++++++++++++++++++
Device Description       : USB Composite Device
Device Path              : \\?\usb#vid_04d9&pid_014a#6&d90a1a8&0&3#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Device ID                : USB\VID_04D9&PID_014A\6&D90A1A8&0&3
Hardware IDs             : USB\VID_04D9&PID_014A&REV_1101 USB\VID_04D9&PID_014A
Driver KeyName           : {36fc9e60-c465-11cf-8056-444553540000}\0046 (GUID_DEVCLASS_USB)
Driver                   : \SystemRoot\System32\drivers\usbccgp.sys (Version: 10.0.17134.1  Date: 2018-04-12)
Driver Inf               : C:\WINDOWS\inf\usb.inf
Legacy BusType           : PNPBus
Class                    : USB
Class GUID               : {36fc9e60-c465-11cf-8056-444553540000} (GUID_DEVCLASS_USB)
Interface GUID           : {a5dcbf10-6530-11d2-901f-00c04fb951ed} (GUID_DEVINTERFACE_USB_DEVICE)
Service                  : usbccgp
Enumerator               : USB
Location Info            : Port_#0003.Hub_#0003
Location IDs             : PCIROOT(0)#PCI(1400)#USBROOT(0)#USB(3)#USB(3), ACPI(_SB_)#ACPI(PCI0)#ACPI(XHC_)#ACPI(RHUB)#ACPI(HS03)#USB(3)
Container ID             : {0dccfa13-de21-11e8-b74d-0050b68360a3}
Manufacturer Info        : (Standard USB Host Controller)
Capabilities             : 0x84 (Removable, SurpriseRemovalOK)
Status                   : 0x0180400A (DN_DRIVER_LOADED, DN_STARTED, DN_REMOVABLE, DN_NT_ENUMERATOR, DN_NT_DRIVER)
Problem Code             : 0
Address                  : 3
Power State              : D0 (supported: D0, D1, D2, D3, wake from D0, wake from D1, wake from D2)
 Child Device 1          : USB Input Device
  Device ID              : USB\VID_04D9&PID_014A&MI_02\7&9D9337C&0&0002
  Class                  : HIDClass
   Child Device 1        : HID-compliant consumer control device
    Device ID            : HID\VID_04D9&PID_014A&MI_02&COL02\8&2D64B668&0&0001
    Class                : HIDClass
   Child Device 2        : HID-compliant system controller
    Device ID            : HID\VID_04D9&PID_014A&MI_02&COL01\8&2D64B668&0&0000
    Class                : HIDClass
 Child Device 2          : USB Input Device
  Device ID              : USB\VID_04D9&PID_014A&MI_01\7&9D9337C&0&0001
  Class                  : HIDClass
   Child Device 1        : HID-compliant vendor-defined device
    Device ID            : HID\VID_04D9&PID_014A&MI_01\8&1A349A2A&0&0000
    Class                : HIDClass
 Child Device 3          : USB Input Device
  Device ID              : USB\VID_04D9&PID_014A&MI_00\7&9D9337C&0&0000
  Class                  : HIDClass
   Child Device 1        : HID Keyboard Device
  DevicePath           : \
    Device ID            : HID\VID_04D9&PID_014A&MI_00\8&7047DEC&0&0000
    Class                : Keyboard

        ---------------- Connection Information ---------------
Connection Index         : 0x03 (3)
Connection Status        : 0x01 (DeviceConnected)
Current Config Value     : 0x01
Device Address           : 0x34 (52)
Is Hub                   : 0x00 (no)
Number Of Open Pipes     : 0x04 (4)
Device Bus Speed         : 0x01 (Full-Speed)
Pipe0ScheduleOffset      : 0x00 (0)
Pipe1ScheduleOffset      : 0x00 (0)
Pipe2ScheduleOffset      : 0x00 (0)
Pipe3ScheduleOffset      : 0x00 (0)
Data (HexDump)           : 03 00 00 00 12 01 10 01 00 00 00 40 D9 04 4A 01   ...........@..J.
                           01 11 00 01 00 01 01 01 00 34 00 04 00 00 00 01   .........4......
                           00 00 00 07 05 81 03 08 00 01 00 00 00 00 07 05   ................
                           83 03 40 00 01 00 00 00 00 07 05 04 03 40 00 01   ..@..........@..
                           00 00 00 00 07 05 82 03 40 00 01 00 00 00 00      ........@......

        --------------- Connection Information V2 -------------
Connection Index         : 0x03 (3)
Length                   : 0x10 (16 bytes)
SupportedUsbProtocols    : 0x03
 Usb110                  : 1 (yes)
 Usb200                  : 1 (yes)
 Usb300                  : 0 (no)
 ReservedMBZ             : 0x00
Flags                    : 0x00
 DevIsOpAtSsOrHigher     : 0 (Is not operating at SuperSpeed or higher)
 DevIsSsCapOrHigher      : 0 (Is not SuperSpeed capable or higher)
 DevIsOpAtSsPlusOrHigher : 0 (Is not operating at SuperSpeedPlus or higher)
 DevIsSsPlusCapOrHigher  : 0 (Is not SuperSpeedPlus capable or higher)
 ReservedMBZ             : 0x00
Data (HexDump)           : 03 00 00 00 10 00 00 00 03 00 00 00 00 00 00 00   ................

    ---------------------- Device Descriptor ----------------------
bLength                  : 0x12 (18 bytes)
bDescriptorType          : 0x01 (Device Descriptor)
bcdUSB                   : 0x110 (USB Version 1.10)
bDeviceClass             : 0x00 (defined by the interface descriptors)
bDeviceSubClass          : 0x00
bDeviceProtocol          : 0x00
bMaxPacketSize0          : 0x40 (64 bytes)
idVendor                 : 0x04D9 (Holtek Semiconductor, Inc.)
idProduct                : 0x014A
bcdDevice                : 0x1101
iManufacturer            : 0x00 (No String Descriptor)
iProduct                 : 0x01 (String Descriptor 1)
 Language 0x0409         : "USB-HID Keyboard"
iSerialNumber            : 0x00 (No String Descriptor)
bNumConfigurations       : 0x01 (1 Configuration)
Data (HexDump)           : 12 01 10 01 00 00 00 40 D9 04 4A 01 01 11 00 01   .......@..J.....
                           00 01                                             ..

    ------------------ Configuration Descriptor -------------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x02 (Configuration Descriptor)
wTotalLength             : 0x005B (91 bytes)
bNumInterfaces           : 0x03 (3 Interfaces)
bConfigurationValue      : 0x01 (Configuration 1)
iConfiguration           : 0x00 (No String Descriptor)
bmAttributes             : 0xA0
 D7: Reserved, set 1     : 0x01
 D6: Self Powered        : 0x00 (no)
 D5: Remote Wakeup       : 0x01 (yes)
 D4..0: Reserved, set 0  : 0x00
MaxPower                 : 0x32 (100 mA)
Data (HexDump)           : 09 02 5B 00 03 01 00 A0 32 09 04 00 00 01 03 01   ..[.....2.......
                           01 00 09 21 11 01 00 01 22 40 00 07 05 81 03 08   ...!...."@......
                           00 01 09 04 01 00 02 03 00 00 00 09 21 11 01 00   ............!...
                           01 22 22 00 07 05 83 03 40 00 01 07 05 04 03 40   ."".....@......@
                           00 01 09 04 02 00 01 03 00 00 00 09 21 11 01 00   ............!...
                           01 22 65 00 07 05 82 03 40 00 01                  ."e.....@..

        ---------------- Interface Descriptor -----------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x04 (Interface Descriptor)
bInterfaceNumber         : 0x00
bAlternateSetting        : 0x00
bNumEndpoints            : 0x01 (1 Endpoint)
bInterfaceClass          : 0x03 (HID - Human Interface Device)
bInterfaceSubClass       : 0x01 (Boot Interface)
bInterfaceProtocol       : 0x01 (Keyboard)
iInterface               : 0x00 (No String Descriptor)
Data (HexDump)           : 09 04 00 00 01 03 01 01 00                        .........

        ------------------- HID Descriptor --------------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x21 (HID Descriptor)
bcdHID                   : 0x0111 (HID Version 1.11)
bCountryCode             : 0x00 (00 = not localized)
bNumDescriptors          : 0x01
Data (HexDump)           : 09 21 11 01 00 01 22 40 00                        .!...."@.
Descriptor 1:
bDescriptorType          : 0x22 (Class=Report)
wDescriptorLength        : 0x0040 (64 bytes)
Error reading descriptor : ERROR_INVALID_PARAMETER

        ----------------- Endpoint Descriptor -----------------
bLength                  : 0x07 (7 bytes)
bDescriptorType          : 0x05 (Endpoint Descriptor)
bEndpointAddress         : 0x81 (Direction=IN EndpointID=1)
bmAttributes             : 0x03 (TransferType=Interrupt)
wMaxPacketSize           : 0x0008 (8 bytes)
bInterval                : 0x01 (1 ms)
Data (HexDump)           : 07 05 81 03 08 00 01                              .......

        ---------------- Interface Descriptor -----------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x04 (Interface Descriptor)
bInterfaceNumber         : 0x01
bAlternateSetting        : 0x00
bNumEndpoints            : 0x02 (2 Endpoints)
bInterfaceClass          : 0x03 (HID - Human Interface Device)
bInterfaceSubClass       : 0x00 (None)
bInterfaceProtocol       : 0x00 (None)
iInterface               : 0x00 (No String Descriptor)
Data (HexDump)           : 09 04 01 00 02 03 00 00 00                        .........

        ------------------- HID Descriptor --------------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x21 (HID Descriptor)
bcdHID                   : 0x0111 (HID Version 1.11)
bCountryCode             : 0x00 (00 = not localized)
bNumDescriptors          : 0x01
Data (HexDump)           : 09 21 11 01 00 01 22 22 00                        .!...."".
Descriptor 1:
bDescriptorType          : 0x22 (Class=Report)
wDescriptorLength        : 0x0022 (34 bytes)
Error reading descriptor : ERROR_INVALID_PARAMETER

        ----------------- Endpoint Descriptor -----------------
bLength                  : 0x07 (7 bytes)
bDescriptorType          : 0x05 (Endpoint Descriptor)
bEndpointAddress         : 0x83 (Direction=IN EndpointID=3)
bmAttributes             : 0x03 (TransferType=Interrupt)
wMaxPacketSize           : 0x0040 (64 bytes)
bInterval                : 0x01 (1 ms)
Data (HexDump)           : 07 05 83 03 40 00 01                              ....@..

        ----------------- Endpoint Descriptor -----------------
bLength                  : 0x07 (7 bytes)
bDescriptorType          : 0x05 (Endpoint Descriptor)
bEndpointAddress         : 0x04 (Direction=OUT EndpointID=4)
bmAttributes             : 0x03 (TransferType=Interrupt)
wMaxPacketSize           : 0x0040 (64 bytes)
bInterval                : 0x01 (1 ms)
Data (HexDump)           : 07 05 04 03 40 00 01                              ....@..

        ---------------- Interface Descriptor -----------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x04 (Interface Descriptor)
bInterfaceNumber         : 0x02
bAlternateSetting        : 0x00
bNumEndpoints            : 0x01 (1 Endpoint)
bInterfaceClass          : 0x03 (HID - Human Interface Device)
bInterfaceSubClass       : 0x00 (None)
bInterfaceProtocol       : 0x00 (None)
iInterface               : 0x00 (No String Descriptor)
Data (HexDump)           : 09 04 02 00 01 03 00 00 00                        .........

        ------------------- HID Descriptor --------------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x21 (HID Descriptor)
bcdHID                   : 0x0111 (HID Version 1.11)
bCountryCode             : 0x00 (00 = not localized)
bNumDescriptors          : 0x01
Data (HexDump)           : 09 21 11 01 00 01 22 65 00                        .!...."e.
Descriptor 1:
bDescriptorType          : 0x22 (Class=Report)
wDescriptorLength        : 0x0065 (101 bytes)
Error reading descriptor : ERROR_INVALID_PARAMETER

        ----------------- Endpoint Descriptor -----------------
bLength                  : 0x07 (7 bytes)
bDescriptorType          : 0x05 (Endpoint Descriptor)
bEndpointAddress         : 0x82 (Direction=IN EndpointID=2)
bmAttributes             : 0x03 (TransferType=Interrupt)
wMaxPacketSize           : 0x0040 (64 bytes)
bInterval                : 0x01 (1 ms)
Data (HexDump)           : 07 05 82 03 40 00 01                              ....@..

      -------------------- String Descriptors -------------------
             ------ String Descriptor 0 ------
bLength                  : 0x04 (4 bytes)
bDescriptorType          : 0x03 (String Descriptor)
Language ID[0]           : 0x0409 (English - United States)
Data (HexDump)           : 04 03 09 04                                       ....
             ------ String Descriptor 1 ------
bLength                  : 0x22 (34 bytes)
bDescriptorType          : 0x03 (String Descriptor)
Language 0x0409          : "USB-HID Keyboard"
Data (HexDump)           : 22 03 55 00 53 00 42 00 2D 00 48 00 49 00 44 00   ".U.S.B.-.H.I.D.
                           20 00 4B 00 65 00 79 00 62 00 6F 00 61 00 72 00    .K.e.y.b.o.a.r.
                           64 00                                             d.

Right side USB desc:

Connection Status        : 0x01 (Device is connected)
Port Chain               : 1-3-3
Properties               : 0x01
 IsUserConnectable       : yes
 PortIsDebugCapable      : no
 PortHasMultiCompanions  : no
 PortConnectorIsTypeC    : no
ConnectionIndex          : 3
CompanionIndex           : 0
 CompanionHubSymLnk      : U
 CompanionPortNumber     : 3

      ======================== USB Device ========================

        +++++++++++++++++ Device Information ++++++++++++++++++
Device Description       : USB Composite Device
Device Path              : \\?\usb#vid_04d9&pid_0143#6&d90a1a8&0&3#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Device ID                : USB\VID_04D9&PID_0143\6&D90A1A8&0&3
Hardware IDs             : USB\VID_04D9&PID_0143&REV_1104 USB\VID_04D9&PID_0143
Driver KeyName           : {36fc9e60-c465-11cf-8056-444553540000}\0042 (GUID_DEVCLASS_USB)
Driver                   : \SystemRoot\System32\drivers\usbccgp.sys (Version: 10.0.17134.1  Date: 2018-04-12)
Driver Inf               : C:\WINDOWS\inf\usb.inf
Legacy BusType           : PNPBus
Class                    : USB
Class GUID               : {36fc9e60-c465-11cf-8056-444553540000} (GUID_DEVCLASS_USB)
Interface GUID           : {a5dcbf10-6530-11d2-901f-00c04fb951ed} (GUID_DEVINTERFACE_USB_DEVICE)
Service                  : usbccgp
Enumerator               : USB
Location Info            : Port_#0003.Hub_#0003
Location IDs             : PCIROOT(0)#PCI(1400)#USBROOT(0)#USB(3)#USB(3), ACPI(_SB_)#ACPI(PCI0)#ACPI(XHC_)#ACPI(RHUB)#ACPI(HS03)#USB(3)
Container ID             : {9f75932c-d6f0-11e8-b746-0050b68360a3}
Manufacturer Info        : (Standard USB Host Controller)
Capabilities             : 0x84 (Removable, SurpriseRemovalOK)
Status                   : 0x0180600A (DN_DRIVER_LOADED, DN_STARTED, DN_DISABLEABLE, DN_REMOVABLE, DN_NT_ENUMERATOR, DN_NT_DRIVER)
Problem Code             : 0
Address                  : 3
Power State              : D0 (supported: D0, D1, D2, D3, wake from D0, wake from D1, wake from D2)
 Child Device 1          : USB Input Device
  DevicePath           : \
  Device ID              : USB\VID_04D9&PID_0143&MI_00\7&2DAC373&0&0000
  Class                  : HIDClass
   Child Device 1        : HID Keyboard Device
  DevicePath           : \
    Device ID            : HID\VID_04D9&PID_0143&MI_00\8&31CE37B2&0&0000
    Class                : Keyboard
 Child Device 2          : USB Input Device
  DevicePath           : \
  Device ID              : USB\VID_04D9&PID_0143&MI_01\7&2DAC373&0&0001
  Class                  : HIDClass
   Child Device 1        : HID-compliant vendor-defined device
  DevicePath           : \
    Device ID            : HID\VID_04D9&PID_0143&MI_01\8&1E9E1B74&0&0000
    Class                : HIDClass
 Child Device 3          : USB Input Device
  DevicePath           : \
  Device ID              : USB\VID_04D9&PID_0143&MI_02\7&2DAC373&0&0002
  Class                  : HIDClass
   Child Device 1        : HID-compliant system controller
  DevicePath           : \
    Device ID            : HID\VID_04D9&PID_0143&MI_02&COL01\8&B6DFF36&0&0000
    Class                : HIDClass
   Child Device 2        : HID-compliant consumer control device
  DevicePath           : \
    Device ID            : HID\VID_04D9&PID_0143&MI_02&COL02\8&B6DFF36&0&0001
    Class                : HIDClass
   Child Device 3        : HID Keyboard Device
  DevicePath           : \
    Device ID            : HID\VID_04D9&PID_0143&MI_02&COL03\8&B6DFF36&0&0002
    Class                : Keyboard

        ---------------- Connection Information ---------------
Connection Index         : 0x03 (3)
Connection Status        : 0x01 (DeviceConnected)
Current Config Value     : 0x01
Device Address           : 0x35 (53)
Is Hub                   : 0x00 (no)
Number Of Open Pipes     : 0x04 (4)
Device Bus Speed         : 0x01 (Full-Speed)
Pipe0ScheduleOffset      : 0x00 (0)
Pipe1ScheduleOffset      : 0x00 (0)
Pipe2ScheduleOffset      : 0x00 (0)
Pipe3ScheduleOffset      : 0x00 (0)
Data (HexDump)           : 03 00 00 00 12 01 10 01 00 00 00 40 D9 04 43 01   ...........@..C.
                           04 11 01 02 00 01 01 01 00 35 00 04 00 00 00 01   .........5......
                           00 00 00 07 05 81 03 08 00 01 00 00 00 00 07 05   ................
                           83 03 40 00 01 00 00 00 00 07 05 04 03 40 00 01   ..@..........@..
                           00 00 00 00 07 05 82 03 40 00 01 00 00 00 00      ........@......

        --------------- Connection Information V2 -------------
Connection Index         : 0x03 (3)
Length                   : 0x10 (16 bytes)
SupportedUsbProtocols    : 0x03
 Usb110                  : 1 (yes)
 Usb200                  : 1 (yes)
 Usb300                  : 0 (no)
 ReservedMBZ             : 0x00
Flags                    : 0x00
 DevIsOpAtSsOrHigher     : 0 (Is not operating at SuperSpeed or higher)
 DevIsSsCapOrHigher      : 0 (Is not SuperSpeed capable or higher)
 DevIsOpAtSsPlusOrHigher : 0 (Is not operating at SuperSpeedPlus or higher)
 DevIsSsPlusCapOrHigher  : 0 (Is not SuperSpeedPlus capable or higher)
 ReservedMBZ             : 0x00
Data (HexDump)           : 03 00 00 00 10 00 00 00 03 00 00 00 00 00 00 00   ................

    ---------------------- Device Descriptor ----------------------
bLength                  : 0x12 (18 bytes)
bDescriptorType          : 0x01 (Device Descriptor)
bcdUSB                   : 0x110 (USB Version 1.10)
bDeviceClass             : 0x00 (defined by the interface descriptors)
bDeviceSubClass          : 0x00
bDeviceProtocol          : 0x00
bMaxPacketSize0          : 0x40 (64 bytes)
idVendor                 : 0x04D9 (Holtek Semiconductor, Inc.)
idProduct                : 0x0143
bcdDevice                : 0x1104
iManufacturer            : 0x01 (String Descriptor 1)
 Language 0x0409         : "Mistel"
iProduct                 : 0x02 (String Descriptor 2)
 Language 0x0409         : "MD600 RGB"
iSerialNumber            : 0x00 (No String Descriptor)
bNumConfigurations       : 0x01 (1 Configuration)
Data (HexDump)           : 12 01 10 01 00 00 00 40 D9 04 43 01 04 11 01 02   .......@..C.....
                           00 01                                             ..

    ------------------ Configuration Descriptor -------------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x02 (Configuration Descriptor)
wTotalLength             : 0x005B (91 bytes)
bNumInterfaces           : 0x03 (3 Interfaces)
bConfigurationValue      : 0x01 (Configuration 1)
iConfiguration           : 0x00 (No String Descriptor)
bmAttributes             : 0xA0
 D7: Reserved, set 1     : 0x01
 D6: Self Powered        : 0x00 (no)
 D5: Remote Wakeup       : 0x01 (yes)
 D4..0: Reserved, set 0  : 0x00
MaxPower                 : 0x32 (100 mA)
Data (HexDump)           : 09 02 5B 00 03 01 00 A0 32 09 04 00 00 01 03 01   ..[.....2.......
                           01 00 09 21 11 01 00 01 22 40 00 07 05 81 03 08   ...!...."@......
                           00 01 09 04 01 00 02 03 00 00 00 09 21 11 01 00   ............!...
                           01 22 22 00 07 05 83 03 40 00 01 07 05 04 03 40   ."".....@......@
                           00 01 09 04 02 00 01 03 00 00 00 09 21 11 01 00   ............!...
                           01 22 86 00 07 05 82 03 40 00 01                  ."......@..

        ---------------- Interface Descriptor -----------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x04 (Interface Descriptor)
bInterfaceNumber         : 0x00
bAlternateSetting        : 0x00
bNumEndpoints            : 0x01 (1 Endpoint)
bInterfaceClass          : 0x03 (HID - Human Interface Device)
bInterfaceSubClass       : 0x01 (Boot Interface)
bInterfaceProtocol       : 0x01 (Keyboard)
iInterface               : 0x00 (No String Descriptor)
Data (HexDump)           : 09 04 00 00 01 03 01 01 00                        .........

        ------------------- HID Descriptor --------------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x21 (HID Descriptor)
bcdHID                   : 0x0111 (HID Version 1.11)
bCountryCode             : 0x00 (00 = not localized)
bNumDescriptors          : 0x01
Data (HexDump)           : 09 21 11 01 00 01 22 40 00                        .!...."@.
Descriptor 1:
bDescriptorType          : 0x22 (Class=Report)
wDescriptorLength        : 0x0040 (64 bytes)
Error reading descriptor : ERROR_INVALID_PARAMETER

        ----------------- Endpoint Descriptor -----------------
bLength                  : 0x07 (7 bytes)
bDescriptorType          : 0x05 (Endpoint Descriptor)
bEndpointAddress         : 0x81 (Direction=IN EndpointID=1)
bmAttributes             : 0x03 (TransferType=Interrupt)
wMaxPacketSize           : 0x0008 (8 bytes)
bInterval                : 0x01 (1 ms)
Data (HexDump)           : 07 05 81 03 08 00 01                              .......

        ---------------- Interface Descriptor -----------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x04 (Interface Descriptor)
bInterfaceNumber         : 0x01
bAlternateSetting        : 0x00
bNumEndpoints            : 0x02 (2 Endpoints)
bInterfaceClass          : 0x03 (HID - Human Interface Device)
bInterfaceSubClass       : 0x00 (None)
bInterfaceProtocol       : 0x00 (None)
iInterface               : 0x00 (No String Descriptor)
Data (HexDump)           : 09 04 01 00 02 03 00 00 00                        .........

        ------------------- HID Descriptor --------------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x21 (HID Descriptor)
bcdHID                   : 0x0111 (HID Version 1.11)
bCountryCode             : 0x00 (00 = not localized)
bNumDescriptors          : 0x01
Data (HexDump)           : 09 21 11 01 00 01 22 22 00                        .!...."".
Descriptor 1:
bDescriptorType          : 0x22 (Class=Report)
wDescriptorLength        : 0x0022 (34 bytes)
Error reading descriptor : ERROR_INVALID_PARAMETER

        ----------------- Endpoint Descriptor -----------------
bLength                  : 0x07 (7 bytes)
bDescriptorType          : 0x05 (Endpoint Descriptor)
bEndpointAddress         : 0x83 (Direction=IN EndpointID=3)
bmAttributes             : 0x03 (TransferType=Interrupt)
wMaxPacketSize           : 0x0040 (64 bytes)
bInterval                : 0x01 (1 ms)
Data (HexDump)           : 07 05 83 03 40 00 01                              ....@..

        ----------------- Endpoint Descriptor -----------------
bLength                  : 0x07 (7 bytes)
bDescriptorType          : 0x05 (Endpoint Descriptor)
bEndpointAddress         : 0x04 (Direction=OUT EndpointID=4)
bmAttributes             : 0x03 (TransferType=Interrupt)
wMaxPacketSize           : 0x0040 (64 bytes)
bInterval                : 0x01 (1 ms)
Data (HexDump)           : 07 05 04 03 40 00 01                              ....@..

        ---------------- Interface Descriptor -----------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x04 (Interface Descriptor)
bInterfaceNumber         : 0x02
bAlternateSetting        : 0x00
bNumEndpoints            : 0x01 (1 Endpoint)
bInterfaceClass          : 0x03 (HID - Human Interface Device)
bInterfaceSubClass       : 0x00 (None)
bInterfaceProtocol       : 0x00 (None)
iInterface               : 0x00 (No String Descriptor)
Data (HexDump)           : 09 04 02 00 01 03 00 00 00                        .........

        ------------------- HID Descriptor --------------------
bLength                  : 0x09 (9 bytes)
bDescriptorType          : 0x21 (HID Descriptor)
bcdHID                   : 0x0111 (HID Version 1.11)
bCountryCode             : 0x00 (00 = not localized)
bNumDescriptors          : 0x01
Data (HexDump)           : 09 21 11 01 00 01 22 86 00                        .!...."..
Descriptor 1:
bDescriptorType          : 0x22 (Class=Report)
wDescriptorLength        : 0x0086 (134 bytes)
Error reading descriptor : ERROR_INVALID_PARAMETER

        ----------------- Endpoint Descriptor -----------------
bLength                  : 0x07 (7 bytes)
bDescriptorType          : 0x05 (Endpoint Descriptor)
bEndpointAddress         : 0x82 (Direction=IN EndpointID=2)
bmAttributes             : 0x03 (TransferType=Interrupt)
wMaxPacketSize           : 0x0040 (64 bytes)
bInterval                : 0x01 (1 ms)
Data (HexDump)           : 07 05 82 03 40 00 01                              ....@..

      -------------------- String Descriptors -------------------
             ------ String Descriptor 0 ------
bLength                  : 0x04 (4 bytes)
bDescriptorType          : 0x03 (String Descriptor)
Language ID[0]           : 0x0409 (English - United States)
Data (HexDump)           : 04 03 09 04                                       ....
             ------ String Descriptor 1 ------
bLength                  : 0x0E (14 bytes)
bDescriptorType          : 0x03 (String Descriptor)
Language 0x0409          : "Mistel"
Data (HexDump)           : 0E 03 4D 00 69 00 73 00 74 00 65 00 6C 00         ..M.i.s.t.e.l.
             ------ String Descriptor 2 ------
bLength                  : 0x14 (20 bytes)
bDescriptorType          : 0x03 (String Descriptor)
Language 0x0409          : "MD600 RGB"
Data (HexDump)           : 14 03 4D 00 44 00 36 00 30 00 30 00 20 00 52 00   ..M.D.6.0.0. .R.
                           47 00 42 00                                       G.B.

[zuavra]

Has there been any further progress on support for MD600, or is no progress expected?