WinIO driver-level keyboard simulation programming


The day before yesterday I was bored and went through the folder where I keep my hobby projects, and found this one that I had put down long ago! It dates from my junior year. At the time I wanted to improve my key speed in Warcraft III and was using a piece of key-switching software that remapped the keyboard keys. It did help, but it was shareware and could not be used more than 40 times unless registered. So I wanted to write something similar myself; searching the Internet, I found that WinIO-based key simulation was the most reliable, and decided to go in that direction. Hey... my skills were not enough; I looked at the technical articles and code for a long time and understood only a little, and my MFC skills at the time were not good either, so I could not make anything usable... Later a friend said: disassemble it and crack it. So I tried again, and incredibly I really did crack it! I have been using it ever since, haha.

Enough reminiscing; to the point!

Driver-level simulation means reading and writing data directly to the hardware chip, just as a driver does! That's awesome!

1. First of all, what is this WinIO thing?

The WinIO library allows a 32-bit Windows application to access I/O ports and physical memory directly. It bypasses the protection mechanisms of the Windows system by using a kernel-mode device driver and several other low-level programming techniques.

Because the operating system protects certain memory addresses, an ordinary program cannot access hardware addresses directly or change the system's memory data at will; the port addresses of our keyboard lie within this protected range, so we cannot easily get at them!

But you can use the WinIO library! It helps a great deal! (It was written by a foreign expert; his homepage is http://www.internals.com/, though it seems not to have been updated for a long time.)

2. We have the tool, so how do we get started?

Don't rush; first look at the principle, patience is necessary! Start with the reference articles written by others!

PS/2 Keyboard Hardware Overview

For a driver, the most important keyboard-related hardware is two chips. One is the Intel 8042, located on the motherboard; the CPU communicates with this chip directly through I/O ports to obtain key scan codes or to send various keyboard commands. The other is the Intel 8048 or a compatible chip, located inside the keyboard; its main functions are to obtain the scan codes generated by the keyboard hardware when keys are pressed, to communicate with the i8042, and to control the keyboard itself.

When a key is pressed on the keyboard, the i8048 directly obtains the scan code generated by the keyboard hardware. The i8048 is also responsible for controlling the keyboard itself, such as lighting and extinguishing the LED indicators. The i8048 communicates with the i8042 through the PS/2 port and passes the scan codes it obtains to the i8042. Through port reads and writes, the CPU can read data from the i8042 directly into a CPU register, or write data from a CPU register to the i8042. The PS/2 port has 6 pins in total (you can unplug a PS/2 plug to see them): clock, data, power, ground, and 2 unused pins. Data transmission on the PS/2 port is serial, because only one pin carries it.

The following pictures show the inside of a keyboard; you can see the key matrix used to generate the scan codes, and the chip inside the keyboard (this one is not an i8048 but a compatible chip of another model).

Detailed Picture: HTTP://JIURL.NEASE.NET/DOCUMENT/KBDDRIVER/JIURLKBD 1.htm

Note that the i8042 does not necessarily appear as a separate chip on the motherboard; it may be integrated into another chip.

1.2 Scan code, make code, break code, typematic

When a key on the keyboard is pressed, released, or held down, the keyboard generates scan codes, which the i8048 obtains directly. There are two types of scan code: make code and break code. When a key is pressed or held down, a make code is generated; when a key is released, a break code is generated. Each key is assigned a unique make code and break code, so the host can tell from the scan code which key it is. Simply put: press a key and you get a make code; release the key and you get a break code.

Now the case of holding a key down. Open Notepad and hold the 'a' key; you will see that it keeps producing 'a' until you release it. This is because, when a key is held down without being released, typematic (automatic repeat) kicks in: after a certain time, the make code of the pressed key is generated automatically and repeatedly until the key is released. Typematic has two important parameters: the typematic delay, which determines how long the key must be held before typematic begins, and the typematic rate, which determines how many make codes are produced per second once typematic has begun. Open Notepad again, hold 'a', and look closely: the interval between the first 'a' and the second 'a' is noticeably longer than the others, after which the interval between consecutive 'a's is constant.

Now the case of several keys pressed at the same time. When a key is pressed, its make code is generated; while it is held (no break code yet), pressing another key generates that key's make code, even if the two keys were pressed simultaneously. When the two keys are released, each produces its own break code. The same holds for more keys. For example, pressing Ctrl and A counts as Ctrl+A in the following sequence: press Ctrl to generate Ctrl's make code, then press A to generate A's make code, then release each to produce its own break code.

Now the case of pressing one key and then another. Open Notepad, press the 'a' key and hold it, then press the 's' key and hold it too. You will see that once 's' is pressed, even though 'a' is still held down, no more 'a's appear; instead 's' starts to appear, and even after 's' is released, 'a' does not resume.

1.3 Scan Code Set

So far there are three scan code sets; the PS/2 keyboard uses the second set by default. However, the i8042 can be set to translate the scan codes it receives into scan code set 1, so that all scan codes the keyboard driver obtains from the i8042 belong to the first set (this is in fact how it is done). So we only discuss scan code set 1. Note that scan codes and ASCII codes are completely different things.

In scan code set 1, the make code and break code of most keys are one byte each. The top bit of the make code is 0, i.e. the make code does not exceed 0x7F. The break code is the make code ORed with 80h: the low 7 bits of the make code are unchanged and the highest bit is set to 1.

There are also some extended keys whose scan code is two bytes. The first byte is E0h, indicating an extended key; the second byte is like a single-byte scan code.

There is also one special key, Pause/Break: its make code is E1,1D,45 E1,9D,C5 (note that it begins with E1h), and it has no break code.

Below we list all scan codes in scan code set 1 in order of make code value.
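As an added example (not code from the original post and not part of WinIO), here is a small decoder that applies the rules just described to a byte stream in scan code set 1: single-byte make/break codes, the E0 prefix for extended keys, and the six-byte E1 sequence of the Pause key, which has no break code. The sample byte stream is constructed for the example, and the type and function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One decoded key event (example code; the names are the example's own). */
typedef struct {
    uint8_t code;      /* 7-bit make code of the key */
    int     extended;  /* 1 if the scan code carried the E0 prefix */
    int     pause;     /* 1 for the E1-prefixed Pause key, which has no break code */
    int     released;  /* 1 = break code (high bit set), 0 = make code */
} key_event_t;

/* Break code = make code with the high bit set, as the text states. */
uint8_t set1_break_code(uint8_t make) { return (uint8_t)(make | 0x80); }

/* Decode n bytes of scan code set 1 into events; returns the number of events
 * stored (at most max). A trailing lone E0 prefix is left undecoded. */
size_t decode_set1(const uint8_t *in, size_t n, key_event_t *out, size_t max) {
    size_t i = 0, count = 0;
    while (i < n && count < max) {
        uint8_t b = in[i];
        int ext = 0;
        if (b == 0xE1) {
            /* Pause: E1 1D 45 E1 9D C5 is the whole make sequence */
            if (i + 6 <= n && in[i+1] == 0x1D && in[i+2] == 0x45 &&
                in[i+3] == 0xE1 && in[i+4] == 0x9D && in[i+5] == 0xC5) {
                key_event_t ev = { 0x45, 0, 1, 0 };
                out[count++] = ev;
                i += 6;
            } else {
                i++;   /* malformed E1 sequence: drop the prefix and resync */
            }
            continue;
        }
        if (b == 0xE0) {
            if (i + 1 >= n) break;   /* prefix without its second byte */
            ext = 1;
            b = in[++i];
        }
        out[count].code     = (uint8_t)(b & 0x7F);
        out[count].extended = ext;
        out[count].pause    = 0;
        out[count].released = (b & 0x80) != 0;
        count++;
        i++;
    }
    return count;
}

/* Constructed sample: Ctrl+A press/release, Up Arrow press/release, Pause. */
static const uint8_t SAMPLE_STREAM[] = {
    0x1D, 0x1E, 0x9E, 0x9D,              /* L_CTRL down, A down, A up, L_CTRL up */
    0xE0, 0x48, 0xE0, 0xC8,              /* Up Arrow down, Up Arrow up */
    0xE1, 0x1D, 0x45, 0xE1, 0x9D, 0xC5   /* Pause */
};
#define SAMPLE_LEN (sizeof(SAMPLE_STREAM) / sizeof(SAMPLE_STREAM[0]))

static key_event_t g_events[16];

/* Decode the sample into g_events; returns the event count. */
size_t decode_sample(void) {
    return decode_set1(SAMPLE_STREAM, SAMPLE_LEN, g_events, 16);
}

/* Event i of the decoded sample, packed as code | extended<<8 | pause<<9 | released<<10. */
unsigned sample_event(size_t i) {
    const key_event_t *e = &g_events[i];
    return (unsigned)e->code | (unsigned)e->extended << 8 |
           (unsigned)e->pause << 9 | (unsigned)e->released << 10;
}

int main(void) {
    size_t n = decode_sample(), i;
    for (i = 0; i < n; i++)
        printf("%s code=%02X%s%s\n", g_events[i].released ? "break" : "make ",
               g_events[i].code, g_events[i].extended ? " (E0)" : "",
               g_events[i].pause ? " (Pause)" : "");
    return 0;
}
```

The decoder keeps the 7-bit code and the E0 flag separately, which is what a driver needs to tell, say, keypad Enter (E0,1C) from the main Enter key (1C).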

KEY        Make       Break
ESC        01         81
1          02         82
2          03         83
3          04         84
4          05         85
5          06         86
6          07         87
7          08         88
8          09         89
9          0A         8A
0          0B         8B
-          0C         8C
=          0D         8D
Bksp       0E         8E
TAB        0F         8F
Q          10         90
W          11         91
E          12         92
R          13         93
T          14         94
Y          15         95
U          16         96
I          17         97
O          18         98
P          19         99
[          1A         9A
]          1B         9B
ENTER      1C         9C
L_CTRL     1D         9D
A          1E         9E
S          1F         9F
D          20         A0
F          21         A1
G          22         A2
H          23         A3
J          24         A4
K          25         A5
L          26         A6
;          27         A7
'          28         A8
`          29         A9
L_SHFT     2A         AA
\          2B         AB
Z          2C         AC
X          2D         AD
C          2E         AE
V          2F         AF
B          30         B0
N          31         B1
M          32         B2
,          33         B3
.          34         B4
/          35         B5
R_SHFT     36         B6
KP *       37         B7
L_ALT      38         B8
SPACE      39         B9
CAPS       3A         BA
F1         3B         BB
F2         3C         BC
F3         3D         BD
F4         3E         BE
F5         3F         BF
F6         40         C0
F7         41         C1
F8         42         C2
F9         43         C3
F10        44         C4
NUM        45         C5
SCROLL     46         C6
KP 7       47         C7
KP 8       48         C8
KP 9       49         C9
KP -       4A         CA
KP 4       4B         CB
KP 5       4C         CC
KP 6       4D         CD
KP +       4E         CE
KP 1       4F         CF
KP 2       50         D0
KP 3       51         D1
KP 0       52         D2
KP .       53         D3
F11        57         D7
F12        58         D8
KP EN      E0,1C      E0,9C
R_CTRL     E0,1D      E0,9D
KP /       E0,35      E0,B5
R_ALT      E0,38      E0,B8
HOME       E0,47      E0,C7
UP ARROW   E0,48      E0,C8
PG UP      E0,49      E0,C9
L ARROW    E0,4B      E0,CB
R ARROW    E0,4D      E0,CD
END        E0,4F      E0,CF
D ARROW    E0,50      E0,D0
PG DN      E0,51      E0,D1
INSERT     E0,52      E0,D2
DELETE     E0,53      E0,D3
L GUI      E0,5B      E0,DB
R GUI      E0,5C      E0,DC
APPS       E0,5D      E0,DD
PRNT SCRN  E0,2A E0,37   E0,B7 E0,AA
PAUSE      E1,1D,45 E1,9D,C5   none

Here is a digression that does not help with the driver. If we look at the make codes in order and compare them with the layout of today's keyboard, we can roughly guess why the make code of the A key is 0x1E and why that of the H key is 0x23. Take a short run: a 1E, s 1F, d 20, f 21, g 22, h 23, and look at where a, s, d, f, g, h sit on the keyboard. You may get a feeling for it, or you may not; either way it is irrelevant to the driver. From scan code set 1 you may be able to guess what the earliest keyboard looked like, and some of the changes keyboards have gone through. We note that the make codes of F10 and F11, F12 are not contiguous; presumably the earlier keyboard had only 10 function keys rather than today's 12. Judging from the make codes, some keys may once have existed that no longer appear on the keyboard.

It is also worth noting that if a key had make code 0x60, its break code would be 0x60+0x80=0xE0, which would be confused with the 0xE0 prefix of extended keys. Fortunately no key has make code 0x60, so this confusion does not arise.

i8042 Keyboard Controller

The keyboard driver reads and writes the i8042 chip directly, and sends commands to the keyboard's i8048 indirectly through the i8042. So for the driver, the only chip it touches directly is the i8042; we therefore only introduce the i8042 and not the i8048.

Chips like the i8042 and i8048 are themselves small processors: each has its own internal processor, its own RAM, its own registers, and so on.

The i8042 has four 8-bit registers: the status register, the output buffer, the input buffer, and the control register. It uses two I/O ports, 60h and 64h.

Status register

The status register is an 8-bit read-only register that the CPU can read at any moment. Its bits are defined as follows:

Bit7: parity_even (P_E): parity error in data received from the keyboard

Bit6: rcv_tmout (R_T): receive timeout, set to 1

Bit5: trans_tmout (T_T): transmit timeout, set to 1

Bit4: kybd_inh (K_I): 1 means the keyboard is not inhibited; 0 means the keyboard is inhibited

Bit3: cmd_data (C_D): 1 means the input buffer holds a command; 0 means it holds data

Bit2: sys_flag (S_F): system flag; 0 at power-on, set to 1 after the self-test passes

Bit1: input_buf_full (I_B_F): set to 1 when the input buffer is full, cleared to 0 after the i8042 takes the byte

Bit0: out_buf_full (O_B_F): set to 1 when the output buffer is full, cleared to 0 after the CPU reads it

Output buffer

The output buffer is an 8-bit read-only register. The driver reads data from this register. The data includes scan codes, responses to i8042 commands, and (indirectly) responses to i8048 commands.

Input buffer

The input buffer is an 8-bit write-only register; it holds what the driver sends. This includes commands for the i8042, commands sent indirectly to the i8048 through the i8042, and data used as command parameters.

Control register

This is also called the Controller Command Byte. Its bits are defined as follows:

Bit7: reserved, should be 0

Bit6: translate scan code set 2 into set 1

Bit5: 1 = disable mouse

Bit4: set to 1 = disable keyboard

Bit3: set to 1 = ignore bit4 (keyboard inhibit) of the status register

Bit2: sets bit2 (system flag) of the status register

Bit1: set to 1 = enable mouse interrupt

Bit0: set to 1 = enable keyboard interrupt

Two ports: 0x60 and 0x64

0x60 is called the data port in the driver

0x64 is called the command port in the driver

1.5 Commands

The driver can send commands directly to the i8042, and can send commands to the i8048 indirectly through the i8042. This part comes directly from reference [1].

1.5.1 Commands to the i8042

The driver sends a command to the keyboard controller by writing port 64h. There are 12 commands in total:

20h

Prepare to read the command byte of the 8042. The current 8042 command byte is placed in the output register, and the next read from port 60h returns it.

60h

Prepare to write the command byte of the 8042. The next byte written to port 60h is placed in the command byte.

A4h

Test whether a keyboard password is set. The result is placed in the output register and can be read from port 60h. It has two possible values: FAh = a password is set; F1h = no password.

A5h

Set the keyboard password. The password bytes are then written one after another through port 60h into the input register; the end of the password is a null byte (value 0).

A6h

Enable the password. Before issuing this command, the password must first be set with the A5h command.

AAh

Self-test. The diagnostic result is placed in the output register and can be read from port 60h. 55h = OK.

ADh

Disable the keyboard interface. Bit 4 of the command byte is set. After this command is issued, the keyboard is prevented from sending data to the output register.

AEh

Enable the keyboard interface. Bit 4 of the command byte is cleared. After this command is issued, the keyboard is allowed to send data to the output register.

C0h

Prepare to read the input port. The contents of the input port are placed in the output register and can then be read from port 60h.

D0h

Prepare to read the output port. The result is placed in the output register and can then be read from port 60h.

D1h

Prepare to write the output port. The byte subsequently written through port 60h is placed in the output port.

D2h

Prepare to write data into the output register. The byte subsequently written to the input register through port 60h is placed in the output register, which simulates data sent by the keyboard. If interrupts are enabled, an interrupt is triggered.

1.5.2 Commands to the 8048

There are 10 commands:

EDh

Set the LEDs. After the keyboard receives this command, an LED-setting session begins. The keyboard first replies with an ACK (FAh), then waits for an LED-setting byte to be written through port 60h; when it receives one, it replies with another ACK and sets the LEDs according to that byte, then waits again... until a byte that is not an LED-setting byte (high bit set) arrives, which ends the LED-setting session.

EEh

Diagnostic echo. This command only checks whether the keyboard is working: if it is, the keyboard replies with an EEh byte when it receives this command.

F0h

Select scan code set. Three scan code sets are available to the keyboard system. When the keyboard receives this command, it replies with an ACK and then waits for a scan code set number from port 60h; the system must send the scan code set number after this command. When the keyboard receives it, it replies with an ACK again and switches to the requested scan code set.

F2h

Read the keyboard ID. Since the 8042 can be connected to devices other than a keyboard, this command reads the ID of the device attached to the 8042. The device ID is 2 bytes; the keyboard ID is 83ABh. When the keyboard receives this command, it replies with an ACK first and then returns the 2-byte keyboard ID one byte at a time.

F3h

Set typematic rate/delay. When the keyboard receives this command, it replies with an ACK and then waits for the setting byte from port 60h. Once received, it replies with an ACK and sets the keyboard's rate/delay to the corresponding value.

F4h

Clear the keyboard output buffer. When the keyboard receives this command, it clears its output buffer, replies with an ACK, and then continues to accept keystrokes.

F5h

Set the default state (with disable). When the keyboard receives this command, it is fully initialized to the default state: all previous settings are lost, the output buffer is emptied, and the typematic rate/delay is set to the default value. It then replies with an ACK and waits for the next command. Note that after this command is executed, keystroke acceptance is disabled; to make the keyboard accept keystrokes again, you must enable the keyboard.

F6h

Set the default state. The only difference from the F5 command is that after this command is executed, keystroke acceptance is enabled.

FEh

Resend. When the keyboard receives this command, it must resend the data it just sent to the 8042 output register. After the system detects an error in data from the keyboard, it can use this command to have the keyboard resend the byte just sent.

FFh

Reset keyboard. When the keyboard receives this command, it first replies with an ACK, then starts its reset routine and runs its basic assurance test (BAT). When this finishes, it returns a single-byte completion code to the system (AAh = success, FCh = failure) and sets the keyboard's scan code set to 2.

1.5.3 Data read from the keyboard

00h/FFh

When an error is detected while a key is pressed or released, this byte is appended to the output buffer; if the output buffer is full, the last byte of the output buffer is replaced by it. Scan code set 1 uses 00h; scan code sets 2 and 3 use FFh.

AAh

BAT completion code. If the keyboard self-test succeeds, this byte is sent to the 8042 output register.

EEh

Echo response. The keyboard replies with EEh to an echo request received from port 60h.

F0h

In scan code set 2 and scan code set 3, used as the prefix of break codes.

FAh

ACK. Whenever the keyboard receives a legitimate command or legitimate data from port 60h, it replies with FAh.

FCh

BAT failure code. If the keyboard self-test fails, this byte is sent to the 8042 output register.

FEh

Resend. Whenever the keyboard receives an illegal command or illegal data from port 60h, or detects a parity error in the data, it replies with FEh, asking the system to resend the command or data.

83ABh

When the keyboard receives an F2h command from port 60h, it replies with 83h and then ABh. 83AB is the keyboard ID.

Scan code

Apart from the special bytes above, everything else is scan code.

1.6 Port operation

First, port reads and writes: the driver reads with the function READ_PORT_UCHAR, which uses the CPU port-read instruction in; it writes with the function WRITE_PORT_UCHAR, which uses the CPU port-write instruction out.

1.6.1 Read the status register

Reading port 64h reads the status register.

1.6.2 Read data

The data that needs to be read includes: scan codes of keys that the i8042 obtained from the i8048, ACKs of i8042 commands, ACKs of i8048 commands that the i8042 obtained from the i8048, resend requests, and the results of commands that return results.

When there is data for the driver to read, the data is put into the output buffer and bit0 (output_buffer_full) of the status register is set to 1, which triggers the keyboard interrupt (the keyboard's IRQ is 1). The keyboard interrupt service routine provided by the keyboard driver is executed because of this interrupt, and in it the driver reads the data from the i8042. Once the data has been read, bit0 of the status register is cleared to 0.

The method to read data: first read the status register and check bit0; bit0 = 1 means the output buffer holds data. Once bit0 is confirmed to be 1, read port 60h to get the data.

A useful digression here: the IRQ mentioned above is the interrupt request line, a hardware line, and it is different from the interrupt vector. The interrupt vector is the index used to find the interrupt service routine in the Interrupt Descriptor Table (IDT). The keyboard's IRQ is 1, but the interrupt vector of the keyboard interrupt service routine is not 1. This is worth getting straight.

1.6.3 Commands to the i8042

When a command is sent to the i8042, it is placed into the input buffer, which sets bit1 of the status register to 1, indicating that the input buffer is full, and sets bit3 (cmd_data) of the status register to 1, indicating that what was written into the input buffer is a command.

The method to issue a command to the i8042: first read the status register and check bit1; bit1 = 0 means the input buffer is empty and can be written. Once bit1 is confirmed to be 0, write the command to port 64h.

1.6.4 Indirect commands to the i8048

These commands are sent to the i8042, which forwards them to the i8048. The command is placed into the input buffer, which sets bit1 of the status register to 1, indicating that the input buffer is full, and sets bit3 of the status register to 1, indicating that a command was written into the input buffer. Note that commands to the i8048 are written through port 60h, and the parameters that follow a command are also written through port 60h. How the i8042 tells whether the input buffer holds a command or a parameter is discussed under command parameters below.

The method to issue a command to the i8048: first read the status register and check bit1; bit1 = 0 means the input buffer is empty and can be written. Once bit1 is confirmed to be 0, write the command to port 60h. (Note this!)

1.6.5 Command parameters

Some commands take parameters. After sending the command, we send its parameters; each parameter is placed into the input buffer and sets bit1 of the status register to 1, indicating that the input buffer is full. Note again that commands to the i8048 are written through port 60h, and the command parameters are also written through port 60h. How does the i8042 decide whether the input buffer holds a command or a parameter? It checks bit3 of the status register: if bit3 is currently 1, a command was written before, so the byte now written into the input buffer through port 60h is treated as a parameter of that command, and bit3 is cleared to 0. If bit3 is currently 0, no command was written before, so the byte now written through port 60h is treated as an indirect command to the i8048, and bit3 is set to 1.

The method to send a parameter to the i8048: first read the status register and check bit1; bit1 = 0 means the input buffer is empty and can be written. Once bit1 is confirmed to be 0, write the parameter to port 60h. (As emphasized in red above.)
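As an added example (not the post's code and not part of WinIO), here is a small in-memory behavioural model of the i8042 built only from the register, command and status-bit descriptions above, together with driver-side routines that follow the read-status, check-bit, then-access procedure of sections 1.6.2 to 1.6.5 against it. Nothing touches real ports, so it runs anywhere. The structure, function names and the default command byte value 0x45 are the example's own assumptions, and the model implements only the commands the worked exchanges need (20h, 60h, AAh, ADh, AEh, D2h, and the i8048 commands EDh, F0h, F3h as the ones that take a parameter).

```c
#include <stdint.h>
#include <stdio.h>

/* Status register bits and ports as listed in the text. */
#define STAT_OBF   0x01   /* bit0: output buffer full */
#define STAT_IBF   0x02   /* bit1: input buffer full */
#define STAT_SYS   0x04   /* bit2: system flag */
#define STAT_CD    0x08   /* bit3: a command was written and its parameter is awaited */
#define PORT_DATA  0x60
#define PORT_CMD   0x64
#define CB_KBD_IRQ 0x01   /* command byte bit0: keyboard interrupt enable */
#define CB_KBD_DIS 0x10   /* command byte bit4: disable keyboard */

/* In-memory model of the controller (example assumption, not real hardware). */
typedef struct {
    uint8_t status, output_buffer, command_byte;
    uint8_t pending_ctrl_cmd;   /* 60h or D2h waiting for its parameter byte, else 0 */
    uint8_t kbd_cmd, kbd_param; /* last command forwarded to the i8048 and its parameter */
    int     irq_count;          /* keyboard interrupts the model would have raised */
} i8042_t;

void i8042_init(i8042_t *c) {
    c->status = STAT_SYS; c->output_buffer = 0;
    c->command_byte = 0x45;     /* assumed default: IRQ on, system flag, translate to set 1 */
    c->pending_ctrl_cmd = 0; c->kbd_cmd = 0; c->kbd_param = 0; c->irq_count = 0;
}

/* Data for the CPU: fill the output buffer, set bit0, raise IRQ1 if enabled (1.6.2). */
static void put_output(i8042_t *c, uint8_t v) {
    c->output_buffer = v;
    c->status |= STAT_OBF;
    if (c->command_byte & CB_KBD_IRQ) c->irq_count++;
}

/* i8048 commands that wait for one parameter byte (1.5.2). */
static int kbd_cmd_needs_param(uint8_t cmd) { return cmd == 0xED || cmd == 0xF0 || cmd == 0xF3; }

/* Write to port 64h: a controller command (1.6.3). */
static void write_cmd_port(i8042_t *c, uint8_t cmd) {
    c->status |= STAT_IBF | STAT_CD;
    switch (cmd) {
    case 0x20: put_output(c, c->command_byte);          break;  /* read command byte */
    case 0x60: case 0xD2: c->pending_ctrl_cmd = cmd;    break;  /* next 60h write is its parameter */
    case 0xAA: put_output(c, 0x55);                     break;  /* self-test OK */
    case 0xAD: c->command_byte |= CB_KBD_DIS;           break;  /* disable keyboard interface */
    case 0xAE: c->command_byte &= (uint8_t)~CB_KBD_DIS; break;  /* enable it */
    default: break;
    }
    if (!c->pending_ctrl_cmd) c->status &= (uint8_t)~STAT_CD;
    c->status &= (uint8_t)~STAT_IBF;    /* controller has taken the byte */
}

/* Write to port 60h: parameter of a pending controller command, parameter of the
 * previous i8048 command (bit3 set), or a new i8048 command (bit3 clear) (1.6.4, 1.6.5). */
static void write_data_port(i8042_t *c, uint8_t v) {
    c->status |= STAT_IBF;
    if (c->pending_ctrl_cmd == 0x60) {
        c->command_byte = v; c->pending_ctrl_cmd = 0; c->status &= (uint8_t)~STAT_CD;
    } else if (c->pending_ctrl_cmd == 0xD2) {   /* D2h: byte appears as if the keyboard sent it */
        put_output(c, v); c->pending_ctrl_cmd = 0; c->status &= (uint8_t)~STAT_CD;
    } else if (c->status & STAT_CD) {
        c->kbd_param = v; c->status &= (uint8_t)~STAT_CD; put_output(c, 0xFA);
    } else {
        c->kbd_cmd = v;
        if (kbd_cmd_needs_param(v)) c->status |= STAT_CD;
        put_output(c, v == 0xEE ? 0xEE : 0xFA);  /* echo answers EEh, other commands ACK */
    }
    c->status &= (uint8_t)~STAT_IBF;
}

/* Port access against the model; a real driver uses READ_PORT_UCHAR / WRITE_PORT_UCHAR. */
static uint8_t in_port(i8042_t *c, uint16_t port) {
    if (port == PORT_CMD) return c->status;      /* 1.6.1: reading 64h gives the status */
    c->status &= (uint8_t)~STAT_OBF;             /* the CPU read clears bit0 */
    return c->output_buffer;
}
static void out_port(i8042_t *c, uint16_t port, uint8_t v) {
    if (port == PORT_CMD) write_cmd_port(c, v); else write_data_port(c, v);
}

/* Driver side: check the status bit first, then touch the port, as the text prescribes. */
static void kbc_wait_ibe(i8042_t *c) { while (in_port(c, PORT_CMD) & STAT_IBF) { } }
void kbc_send_cmd(i8042_t *c, uint8_t cmd) { kbc_wait_ibe(c); out_port(c, PORT_CMD, cmd); }
void kbc_send_data(i8042_t *c, uint8_t v)  { kbc_wait_ibe(c); out_port(c, PORT_DATA, v); }
int  kbc_read_data(i8042_t *c, uint8_t *out) {
    if (!(in_port(c, PORT_CMD) & STAT_OBF)) return 0;   /* bit0 clear: nothing to read */
    *out = in_port(c, PORT_DATA);
    return 1;
}

/* Worked exchanges; each packs its result into one int. */
int demo_self_test(void) {            /* AAh -> 55h */
    i8042_t c; uint8_t v = 0; i8042_init(&c);
    kbc_send_cmd(&c, 0xAA); kbc_read_data(&c, &v);
    return v;
}
int demo_inject_make_code(void) {     /* D2h then 1Eh: make code of 'A' read back, one IRQ */
    i8042_t c; uint8_t v = 0; i8042_init(&c);
    kbc_send_cmd(&c, 0xD2); kbc_send_data(&c, 0x1E); kbc_read_data(&c, &v);
    return c.irq_count << 8 | v;      /* 0x011E */
}
int demo_set_leds(void) {             /* EDh, ACK, parameter (bit1 = Num Lock LED), ACK */
    i8042_t c; uint8_t a1 = 0, a2 = 0; i8042_init(&c);
    kbc_send_data(&c, 0xED); kbc_read_data(&c, &a1);
    kbc_send_data(&c, 0x02); kbc_read_data(&c, &a2);
    return a1 << 16 | a2 << 8 | c.kbd_param;   /* 0xFAFA02 */
}

int main(void) {
    printf("self-test %02X, inject %06X, leds %06X\n",
           demo_self_test(), demo_inject_make_code(), demo_set_leds());
    return 0;
}
```

The second exchange is the one the program at the end of the post performs on real hardware: the D2h command followed by a byte on port 60h makes the controller present that byte as keyboard data and raise the keyboard interrupt. In the model that shows up as the injected make code being readable from port 60h and irq_count going to 1, which is also what a host-side monitor would see if it compared injected keystrokes against the keyboard's own traffic.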

Section 1 (PS/2 keyboard hardware) mainly drew on the following references; for more on PS/2 keyboard hardware, please also consult them:

[1] http://pagoda-ooos.51.net/os_book/driver/driver-keyboard_2.htm (Chinese)

[2] http://panda.cs.ndsu.nodak.edu/~achapwes/PICmicro/PS2.pdf (Chinese)

[3] http://panda.cs.ndsu.nodak.edu/~achapwes/PICmicro/(English)

Here is my code; it simulates a Ctrl+A keystroke once every second.

// HDkey.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include "winio.h"   // the program must run with WinIo.dll and WinIo.sys (NT systems) or WinIo.dll and WinIo.vxd (Windows 98)
#include <time.h>

#define KEY_CMD 0x64   // keyboard controller command port
#define KEY_DAT 0x60   // keyboard controller data port

// Wait until the i8042 input buffer is empty
void KBCWait4IBE()
{
    DWORD ch = 0;
    // This loop never writes the command port itself, yet it cannot spin forever:
    // the keyboard interrupt handler reads the buffer in the meantime and the bit is cleared.
    do {
        GetPortVal(KEY_CMD, &ch, 1);   // read the status register through the command port into ch
    } while (ch & 0x2);                // bit1 == 1 means the input buffer is full: keep polling until it is empty
}

// Simulate a key press
void MakeKeyDown(DWORD virtualKey)
{
    DWORD kMakeCode = MapVirtualKey(virtualKey, 0);   // declared in winuser.h: virtual key -> scan code
    KBCWait4IBE();
    // D2h: the next byte written to port 60h is placed in the output register as if the keyboard
    // had sent it, and a keyboard interrupt is raised if interrupts are enabled (see the principle section)
    SetPortVal(KEY_CMD, 0xD2, 1);
    SetPortVal(KEY_DAT, kMakeCode, 1);
}

// Simulate a key release
void MakeKeyUp(DWORD virtualKey)
{
    DWORD kMakeCode  = MapVirtualKey(virtualKey, 0);   // scan code of the key
    DWORD kBreakCode = kMakeCode + 0x80;               // break code of the key
    KBCWait4IBE();
    SetPortVal(KEY_CMD, 0xD2, 1);                      // same D2h trick as above
    SetPortVal(KEY_DAT, kBreakCode, 1);
}

int main()
{
    bool initialized = InitializeWinIo();
    if (!initialized)
        return 1;   // driver not loaded: the port access below would fail
    while (1) {
        MakeKeyDown(VK_CONTROL);
        MakeKeyDown('A');
        MakeKeyUp('A');
        MakeKeyUp(VK_CONTROL);
        Sleep(1000);
    }
    ShutdownWinIo();
    return 0;
}

In fact it is quite simple; the hardest part is understanding how the keyboard produces a key message. Read patiently, and refer to other people's implementations!

This WinIO is really awesome! It should be great for writing game plug-ins!
