Step 1: Enter DFU Mode on Your GMMK Pro

To interact with the keyboard’s firmware, we need to put it into DFU (Device Firmware Upgrade) mode. To get out of this mode, simply power cycle the board. But make sure to NEVER power cycle a MCU while it is flashing. Otherwise you most likely will end up with a bricked device.

How to Enter DFU Mode:

1. Unplug your keyboard.
2. Hold down the Spacebar + B keys.
3. Plug the keyboard back in while continuing to hold the keys.
4. Your computer should recognize the keyboard as a STM32 BOOTLOADER device.

To confirm the device is in DFU mode, run:

lsusb | grep STM

Expected output:

Bus 002 Device 005: ID 0483:df11 STMicroelectronics STM32 BOOTLOADER

Step 2: Install dfu-util

We will use dfu-util to read and analyze the firmware stored on your GMMK Pro.

Mac (Homebrew):

brew install dfu-util

Linux (Debian/Ubuntu):

sudo apt update && sudo apt install dfu-util -y

Windows:

• Download dfu-util from the official dfu-util page.
• Extract the binaries and use dfu-util.exe from the command line.

After installation, verify it is installed by running:

dfu-util --version

Step 3: Read the Firmware from Memory

Now that dfu-util is installed, let’s extract the firmware to check its size.

Identify the DFU Device

sudo dfu-util -l

Example output:

Found DFU: [0483:df11] ver=2200, devnum=1, cfg=1, intf=0, path="0-1", alt=0, name="@Internal Flash /0x08000000/128*0002Kg", serial="205E36552033"

Dump the Firmware

Extract the firmware to a file for analysis:

sudo dfu-util -d 0483:df11 -a 0 -s 0x08000000:524288 -U gmmk_pro_firmware.bin

• -d 0483:df11: Specifies the device ID.
• -a 0: Selects the internal flash memory.
• -s 0x08000000:524288: Reads up to 512 KB from the microcontroller’s flash memory.
• -U gmmk_pro_firmware.bin: Saves the extracted firmware to a file.

Now, check the firmware size:

ls -lh gmmk_pro_firmware.bin

Expected output:

-rw-r--r--  1 user  staff   256K Jan 1 00:00 gmmk_pro_firmware.bin

Step 4: Determine Revision Based on Firmware Size

The firmware size tells us which revision your keyboard is:

• 256 KB (Rev1) → Uses the STM32F303 microcontroller.
• 512 KB (Rev2) → Uses the STM32F411 microcontroller.

Microcontroller Differences

Since Rev1 uses a smaller flash partition (256 KB), its firmware will never exceed that size. Rev2, on the other hand, requires larger firmware (closer to 512 KB).

Conclusion: Identifying Your GMMK Pro Revision

By following this guide, you can determine whether your GMMK Pro is Rev1 or Rev2 by:

1. Entering DFU mode.
2. Installing and using dfu-util.
3. Extracting the firmware and checking its size.

If your firmware size is 256 KB, you have Rev1. If it’s closer to 512 KB (over 256 KB), you have Rev2.

This method is non-intrusive and does not modify your keyboard’s firmware, ensuring a safe way to determine your revision.

openapi: 3.0.1
info:
  title: Spritpreisrechner
  description: Spritpreisrechner Beschreibung
  contact:
    name: E-Control
    url: http://www.e-control.at
    email: office@e-control.at
  version: "2.0"
servers:
- url: //www.spritpreisrechner.at/api
tags:
- name: ping
  description: Ping Rest Controller
- name: regions
  description: Regions Rest Controller
- name: search
  description: Search Rest Controller
paths:
  /ping:
    get:
      tags:
      - ping
      summary: Returns a welcome message and current time of the application
      operationId: pingUsingGET_3
      responses:
        200:
          description: OK
          content:
            text/plain:
              schema:
                type: string
      deprecated: false
  /regions:
    get:
      tags:
      - regions
      summary: Delivers all possible regions that can be used for the region search
      operationId: getRegionsUsingGET
      parameters:
      - name: includeCities
        in: query
        description: Include cities to regions
        allowEmptyValue: false
        schema:
          type: boolean
          default: false
        example: false
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Region'
      deprecated: false
  /regions/units:
    get:
      tags:
      - regions
      summary: Delivers all possible administrative units with coordinates
      operationId: getAdministrativeUnitsUsingGET
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/BundeslandDTO'
      deprecated: false
  /search/gas-stations/by-address:
    get:
      tags:
      - search
      summary: Searches for gas stations at the given location
      operationId: searchGasStationsByAddressUsingGET
      parameters:
      - name: fuelType
        in: query
        description: 'Fuel type, allowed values: DIE, SUP, GAS'
        required: true
        allowEmptyValue: false
        schema:
          type: string
          enum:
          - DIE
          - SUP
          - GAS
      - name: includeClosed
        in: query
        description: Include closed gas stations
        allowEmptyValue: false
        schema:
          type: boolean
          default: false
        example: false
      - name: latitude
        in: query
        description: Latitude
        required: true
        allowEmptyValue: false
        schema:
          type: number
          format: double
      - name: longitude
        in: query
        description: Longitude
        required: true
        allowEmptyValue: false
        schema:
          type: number
          format: double
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/GasStationPublic'
      deprecated: false
  /search/gas-stations/by-region:
    get:
      tags:
      - search
      summary: Searches for gas stations at the given region
      operationId: searchGasStationsByRegionUsingGET_1
      parameters:
      - name: code
        in: query
        description: Region code
        required: true
        allowEmptyValue: false
        schema:
          type: string
      - name: fuelType
        in: query
        description: 'Fuel type, allowed values: DIE, SUP, GAS'
        required: true
        allowEmptyValue: false
        schema:
          type: string
          enum:
          - DIE
          - SUP
          - GAS
      - name: includeClosed
        in: query
        description: Include closed gas stations
        allowEmptyValue: false
        schema:
          type: boolean
          default: false
        example: false
      - name: type
        in: query
        description: 'Region type, allowed values: BL, PB'
        required: true
        allowEmptyValue: false
        schema:
          type: string
          enum:
          - BL
          - PB
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/GasStationPublic'
      deprecated: false
components:
  schemas:
    BezirkDTO:
      title: BezirkDTO
      type: object
      properties:
        c:
          type: integer
          format: int64
        g:
          type: array
          items:
            $ref: '#/components/schemas/GemeindeDTO'
        n:
          type: string
    BundeslandDTO:
      title: BundeslandDTO
      type: object
      properties:
        b:
          type: array
          items:
            $ref: '#/components/schemas/BezirkDTO'
        c:
          type: integer
          format: int64
        n:
          type: string
    Contact:
      title: Contact
      type: object
      properties:
        fax:
          type: string
        mail:
          type: string
        telephone:
          type: string
        website:
          type: string
    GasStationPublic:
      title: GasStationPublic
      required:
      - name
      type: object
      properties:
        contact:
          $ref: '#/components/schemas/Contact'
        distance:
          type: number
          format: double
        id:
          type: integer
          format: int64
        location:
          $ref: '#/components/schemas/Location'
        name:
          type: string
        offerInformation:
          $ref: '#/components/schemas/OfferInformation'
        open:
          type: boolean
        openingHours:
          type: array
          items:
            $ref: '#/components/schemas/OpeningHour'
        otherServiceOffers:
          type: string
        paymentArrangements:
          $ref: '#/components/schemas/PaymentArrangements'
        paymentMethods:
          $ref: '#/components/schemas/PaymentMethods'
        position:
          type: integer
          format: int32
        prices:
          type: array
          items:
            $ref: '#/components/schemas/Price'
    GemeindeDTO:
      title: GemeindeDTO
      type: object
      properties:
        b:
          type: number
        l:
          type: number
        n:
          type: string
        p:
          type: string
    Location:
      title: Location
      type: object
      properties:
        address:
          type: string
        city:
          type: string
        latitude:
          type: number
          format: double
        longitude:
          type: number
          format: double
        postalCode:
          type: string
    OfferInformation:
      title: OfferInformation
      type: object
      properties:
        selfService:
          type: boolean
        service:
          type: boolean
        unattended:
          type: boolean
    OpeningHour:
      title: OpeningHour
      required:
      - day
      type: object
      properties:
        day:
          type: string
          enum:
          - MO
          - DI
          - MI
          - DO
          - FR
          - SA
          - SO
          - FE
        from:
          type: string
        to:
          type: string
    PaymentArrangements:
      title: PaymentArrangements
      type: object
      properties:
        accessMod:
          type: string
        clubCard:
          type: boolean
        clubCardText:
          type: string
        cooperative:
          type: boolean
    PaymentMethods:
      title: PaymentMethods
      type: object
      properties:
        cash:
          type: boolean
        creditCard:
          type: boolean
        debitCard:
          type: boolean
        others:
          type: string
    Price:
      title: Price
      required:
      - fuelType
      type: object
      properties:
        amount:
          type: number
        fuelType:
          type: string
        label:
          type: string
    Region:
      title: Region
      type: object
      properties:
        cities:
          type: array
          items:
            type: string
        code:
          type: integer
          format: int64
        name:
          type: string
        postalCodes:
          type: array
          items:
            type: string
        subRegions:
          type: array
          items:
            $ref: '#/components/schemas/Region'
        type:
          type: string
          enum:
          - PB
          - BL

• Dashy – https://dashy.to/docs/quick-start (custom dashboards)
• Metabase – https://www.metabase.com/start/oss/ (database introspection and graphing)
• Slimtool – https://github.com/slimtoolkit/slim (docker image shrinking)
• Portainer – https://docs.portainer.io/start/install-ce/server/docker/linux (docker host manager)
• Proxmox – https://www.proxmox.com/de/downloads (virtual machine manager)
• Nginx Proxy Manager – https://nginxproxymanager.com
• TrueNAS – https://www.truenas.com/download-truenas-core/
• Vaultwarden – https://hub.docker.com/r/vaultwarden/server (small footprint bitwarden implementation)
• Uptime Kuma – https://uptime.kuma.pet (monitoring)
• Crater – https://crater.financial/open-source (invoice creating tool)
• Homebox – https://hay-kot.github.io/homebox/ (inventory management)

This approach is a very cheap way to get proper time code into cameras. If your device – like my notebook – has a built in microphone you could for example do the same as tentacle sync e and record time code on one and micro input on the other stereo channel of your for example digital camera. Of course syncing devices via ntp isn’t as accurate as syncing explicitly and having extra hardware for time code generation but this way I can use existing hardware instead of buying devices for hundreds of euros that aren’t shippable for weeks or months, cost a fortune and I don’t use very often.

In the following my notes about how to use ltc-tools and jack for time code generation.

First you need to install the dependencies:

brew install jack
brew install ltc-tools

With these in place you first have to start the jack daemon:

jackd --realtime -dcoreaudio

Then connect the time code generator with your desired frame rate

jltcgen -f 25

This now sends time code to jack input. On my system this input is named genltc:ltc. You can display all ports usable in jack via

jack_lsp

On my machine this gives the following output:

system:capture_1
system:playback_1
system:playback_2
genltc:ltc

capture_1 is my mic, playback_1 the left and playback_2 the right speaker.

To connect the time code generator with my left speaker (and immediately disconnect it again because of the annoying sound) the commands are:

# output time code on left and mic on right channel
jack_connect genltc:ltc system:playback_1
jack_connect system:capture_1 system:playback_2

# disconnect it again
jack_disconnect genltc:ltc system:playback_1
jack_disconnect system:capture_1 system:playback_2

If you don’t disconnect it your device should make some weird sound which is the time code. In case you connect the mic like in my sample make sure to use headphones otherwise you will create a feedback loop.

Some sidenote to the Audient guys and all those who are thinking to buy one of their interfaces. Yes, the pre-amps are really great but it’s really very annoying that the audio level resets every single time the interfaces is reconnected. I’m always disconnecting my whole workplace from power at the end of the day which means the audio level for my headphones is reset to 0 every day and it happened quite some times that I was wondering why I can’t hear somebody in a call until I remembered about that setting I have to do every time. So from that perspective and in combo with a dbx s286s the Focusrite 2i2 is much more user friendly – I am not using the pre-amps nor the id software from Audient anyway.

The CVE can be found here. With a score of 10/10 this should be addressed as soon as possible.

The spring blog says that a fix has been made in version 2.15.0 which is available since December 10th – the same day as the issue received big publicity.

Apache posted an article to announce 2.16.0 on December 13th.

Update: Debian security mailing list just announced this:

It was found that the fix to address CVE-2021-44228 in Apache Log4j, a Logging
Framework for Java, was incomplete in certain non-default configurations. This
could allow attackers with control over Thread Context Map (MDC) input data
when the logging configuration uses a non-default Pattern Layout with either a
Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern
(%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern
resulting in a denial of service (DOS) attack.

For the oldstable distribution (buster), this problem has been fixed
in version 2.16.0-1~deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 2.16.0-1~deb11u1.

We recommend that you upgrade your apache-log4j2 packages.

So please make sure to update to 2.16.0 instead of 2.15.0.

Important Update

The log4j team already released 2.17.0 which is available for download. It fixes CVE-2021-45105.

Package        : apache-log4j2
CVE ID         : CVE-2021-45105
Debian Bug     : 1001891

It was found that Apache Log4j2, a Logging Framework for Java, did not protect
from uncontrolled recursion from self-referential lookups. When the logging
configuration uses a non-default Pattern Layout with a Context Lookup (for
example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC)
input data can craft malicious input data that contains a recursive lookup,
resulting in a denial of service.

For the oldstable distribution (buster), this problem has been fixed
in version 2.17.0-1~deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 2.17.0-1~deb11u1.

Update, 29.12.2021

Log4j has relased another version fixing CVE-2021-44832:

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

New version has already been release to public maven repos: https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core

Spring Boot

Taken from an announcement on the Spring blog Spring Boot with its logback logger isn’t affected if you didn’t switch to log4j on purpose.

Also logback has just closed a CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-42550). But here the attacker needs write access to the logging config. Here the jira issue for it: https://jira.qos.ch/browse/LOGBACK-1591. An update has also been added to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot.

Spring Boot 2.6.2 has updated to 2.17.0 and doesn’t include 2.17.1 yet.

Android

Android is using its own log system and switching to log4j is a quite tricky task from what I’ve read so far. So the default logger in Android applications isn’t affected by log4shell as well.

JEE – Wildfly

Wildfly is using jboss-logging package and never relied on log4j. So wildfly users are also not affected as long as you don’t ship the artifact yourself. For further details read the article on wildfly news.

Other Applications

log4j is very widely spread in the java open source community and the chance that it is deeply knit into your applications is very high.

Typical javascript applications or flutter apps aren’t based on Java and therefor shouldn’t be affected themselves. But their backends could be!

SLF4j

“The Simple Logging Facade for Java (SLF4J) serves as a simple facade or abstraction for various logging frameworks (e.g. java.util.logging, logback, log4j) allowing the end user to plug in the desired logging framework at deployment time.” [http://www.slf4j.org/]

So the question if your application that is using slf4j is vulnerable can’t be answered so easily because it depends on the implementation you chose behind the scenes. Typical libs you can find in applications that are using log4j as their logging implementation behind the slf4j facade are log4j-core, log4j-slf4j-impl, log4j-over-slf4j, slf4j-log4j12, … Also the existence of a log4j.properties or log4j.xml file in the root of your classpath is a very good hint that the app is using log4j.

Of course I don’t take over any responsibility that the information on this page is correct or that your app is safe. Please review yourself and check your apps.

apt-get install pepperflashplugin-nonfree