13 August 2015
Thanks to Saleae's generous student discount, I was finally able to purchase a Logic 4 logic analyzer and start probing at the Surface Touch Cover. I hooked it up to my previous breakout board and recorded the signals on the pins at power-on and while pressing various keys.
After some analysis, it turns out my hypothesis about the protocol in my previous post was off the mark. Instead of HID over I2C, the keyboard uses duplex serial communication, and thankfully so, as serial is much easier to analyze and implement than the HID over I2C spec.
The serial configuration used is a bit strange:
I took a capture of the board at power-on and parsed some of the data into a spreadsheet. You can find it here or embedded down below. The cells are color-coded to make some of the patterns more apparent.
0, and the other begins at 0x1E4. These correspond to different header values, and are color-coded as yellow/orange or green/navy based on channel.
0 packets are transactions initiated by the computer, and 0x1E4 packets are initiated by the keyboard.
0x1FF, 0x1FF, so it's not likely to be something fancy like a CRC. Rows 7 and 13 have the same header and prologue, so it may be that identical headers imply identical prologues.
I'm hoping to boil this information down to the minimum required to communicate with the Surface and replay enough packets to press a key.
Feel free to drop me a line if you discover something interesting or want the original capture data.