@RandomInsano
Created February 16, 2025 16:47
Hacking a Logitech MX 5000 keyboard via Bluetooth HID

What follows is independent research as a fun thing to do on a Saturday night for $8. There’s a ready to use library here: https://github.com/jwrdegoede/mx5000tools The NEWS file is nearly 20 years old!!! 2006! 😃

Wireshark will pick up on more information if the keyboard is powered on cold while it's running. The keyboard's features all operate over HID commands, which is great! The special features operate using DATA (0xa) and mostly 0x10 for their "Protocol Code". Setting the user name display is protocol code 0x11. Multimedia keys are also over protocol code 0x10, which I assume lets the Key Point software intercept them and re-map them to the commands the user sets.

Protocol codes:

  • 0x01: Keyboard
  • 0x10: Unknown (Media keys and settings)
  • 0x11: Unknown (Setting username)
  • 0x12: Unknown (Sending text)

Data pre-HID fun:

Quick Keys

These mostly conform to the "Application Launch Buttons" from the HID Usage Tables

  10 00 03 00 00 00 00

That 0x03 cleared at some point...

Last eight bytes are the advanced keys (digital media library, music, etc.). It seems that it can track two presses at the same time. The mapping for the top eight:

  • b8 01: Video (AL Movie Browser)
  • b7 01: Music (AL Audio Browser)
  • b6 91: Pictures (AL Image Browser)
  • 04 10: Bluetooth sync
  • 8a 01: E-Mail (AL Email Reader)
  • bc 01: Messenger (AL Instant Messaging)
  • 06 01: Status (Security Enable)
  • 07 10: Webcam (???)
  • 00 00: The LCD screen buttons (all four of them)

30 02: Volume percent?

Ah, these conform to a spec:

  • https://source.android.com/docs/core/interaction/input/keyboard-devices
  • https://www.usb.org/sites/default/files/hut1_22.pdf

Display Update

Payload: 0xa1 10 00 0b 02 00 00 00

So, it seems the four buttons on the LCD all report back as no buttons pressed. When a menu item is picked though, a message is sent.

The pair of messages from the keyboard:

To computer:
  10 00 0b 02 00 00 00 (ask for data?)
  10 00 03 00 00 00 00 (key release?)
From computer:
  10 00 80 a1 01 00 00
To computer:
  10 00 80 a1 00 00 00 (8 bytes)
From computer:
  12 00 90 00 <text message> (47 bytes, message starts at the 14th byte)
  12 00 91 01 <text message>
  12 00 91 02 <text message>
  12 00 91 03 00 00 00 ...
...
  12 00 91 0a 00 00 00 ...
  12 00 91 0b 00 00 00 ...
  12 00 93 0c 00 00 00 ...

I have a feeling that some of this is Bluetooth's L2CAP stuff since all I have from Wireshark is "Dynamically Allocated Channel" data.

The commands that are sent when selecting items under "Smart Keys" are the following. No other commands are sent other than the "no keys pressed".

  10 00 0b 03 00 00 00 - Bluetooth
  10 00 0b 04 00 00 00 - Home
  10 00 0b 05 00 00 00 - Control panel
  10 00 0b 06 00 00 00 - Set point

  10 00 0b 01 00 00 00 - Playlist
  10 00 0b 01 00 00 00 - Radio
  10 00 03 00 00 00 d1 - Help

When selecting "back", it seems like it just sends the same message as before? It's a lot of data to sift through.

Setting user name

The keyboard can display the currently logged in user. It seems to be with the following command:

From computer:
  11 00 82 34 <len> 01 <ascii bytes> 00 <padding>
To computer:
  10 00 82 34 00 00 00

If the name is too long it's truncated in the software and a period placed at the end. It seems that a name can only be 12 ASCII characters long. After it's sent, the keyboard responds back.

Enabling Beep on Caps and touch sensitive controls

When changing this checkbox in the control software, commands are sent to the keyboard immediately without OK or Apply buttons (I guess for live checking?). Two commands are sent. Not sure which command is for which feature.

When enabling:

From computer:
  10 00 81 01 00 00 00
To computer:
  10 00 81 01 14 00 01
From computer:
  10 00 80 01 14 00 00
To computer:
  10 00 80 01 00 00 00  

When disabling:

From computer:
  10 00 81 01 00 00 00
To computer:
  10 00 81 01 14 00 00
From computer:
  10 00 80 01 14 00 01
To computer:
  10 00 80 01 00 00 00  

Enabling Touch Sensitive Controls

I think the last byte is a status flag...

  • 03 = Both touch sensitive control and beep off
  • 02 = Beep on, touch off
  • 01 = Beep off, touch on

So, the flags are actually disabling it and the UI is showing the opposite.

When enabling:

From computer:
  10 00 81 01 00 00 00
To computer:
  10 00 81 01 14 00 02
From computer:
  10 00 80 01 14 00 00
To computer:
  10 00 80 01 00 00 00

When disabling:

From computer:
  10 00 81 01 00 00 00
To computer:
  10 00 81 01 14 00 01
From computer:
  10 00 80 01 14 00 03
To computer:
  10 00 80 01 00 00 00

Temperature setting

Fahrenheit:

From computer:
  10 00 81 30 00 00 00
To computer:
  10 00 81 30 01 00 00
From computer:
  10 00 80 30 01 00 01
To computer:
  10 00 80 30 00 00 00

Celsius:

From computer:
  10 00 81 30 00 00 00
To computer:
  10 00 81 30 01 00 01
From computer:
  10 00 80 30 01 00 00
To computer:
  10 00 80 30 00 00 00

Caps, num, and scroll lock states

The state of the various classic toggle keys comes in the form of an OR'd status byte.

From computer:
  01 <state>

Where <state> bits are:

  • 04 = scroll lock
  • 02 = caps lock
  • 01 = num lock

This is data being sent from the computer when a second keyboard toggles the state of caps lock.

Sending Beeps

The Set Point software has a "Test sound" button for when new e-mails come in. This makes two beeps, a high pitch then a low.

High:

From computer:
  10 00 81 50 00 00 00
To computer:
  10 00 81 50 00 00 00

Low:

From computer:
  10 00 81 50 02 00 00
To computer:
  10 00 81 50 00 00 00

Temperature reporting?

This is just a guess but it shows up occasionally in the commands

From computer:
  10 ff 00 1c 00 00 00
To computer:
  10 00 8f 1c 01 00 00

The above was when showing 21°C
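
To make a capture easier to read, the byte layouts recorded in these notes can be turned into a small payload annotator. This is an added example, not code from the gist or from mx5000tools; the reading of 0x81 as "read" and 0x80 as "write", and of unit byte 01 as Fahrenheit, are assumptions inferred from the captures above.

```python
# Added example: annotate MX 5000 HID payloads using the layouts in these notes.
SMART_KEYS = {0x03: "Bluetooth", 0x04: "Home", 0x05: "Control panel", 0x06: "Set point"}
LOCK_BITS = {0x01: "num lock", 0x02: "caps lock", 0x04: "scroll lock"}
# Assumption inferred from the captures: 0x81 reads a setting, 0x80 writes it.
OPS = {0x80: "write", 0x81: "read"}


def lock_state(state):
    """Names of the lock keys set in the OR'd <state> byte of a 0x01 payload."""
    return [name for bit, name in LOCK_BITS.items() if state & bit]


def feature_flags(flag):
    """The flag bits disable features: bit 0 = beep off, bit 1 = touch off."""
    return {"beep": not flag & 0x01, "touch": not flag & 0x02}


def annotate(hex_payload):
    """Describe one payload given as a hex string such as '10 00 0b 04 00 00 00'."""
    f = bytes.fromhex(hex_payload)
    if len(f) < 2:
        raise ValueError("payload too short")
    if f[0] == 0x01:
        return "lock state: " + (", ".join(lock_state(f[1])) or "none")
    if f[0] == 0x11 and f[2:4] == b"\x82\x34" and len(f) > 6:
        # Name starts after <len> and the 01 byte and runs to the first NUL.
        name = f[6:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return f"set username: {name}"
    if f[0] == 0x10 and len(f) == 7:
        if f[2] == 0x0B and f[3] in SMART_KEYS:
            return "smart key: " + SMART_KEYS[f[3]]
        if f[2] in OPS and f[3] == 0x01 and f[4] == 0x14:
            s = feature_flags(f[6])
            return f"{OPS[f[2]]} features: beep={s['beep']} touch={s['touch']}"
        if f[2] in OPS and f[3] == 0x30 and f[4] == 0x01:
            unit = "Fahrenheit" if f[6] else "Celsius"  # assumption: 01 = Fahrenheit
            return f"{OPS[f[2]]} temperature unit: {unit}"
    return f"unrecognised (protocol code 0x{f[0]:02x})"


# Payloads from the captures above, plus two constructed ones: "01 03" and the
# username frame (its <len> byte is a placeholder the decoder does not rely on).
SAMPLES = ["01 03", "10 00 0b 04 00 00 00", "10 00 81 01 14 00 02",
           "10 00 80 01 14 00 03", "10 00 80 30 01 00 01",
           "11 00 82 34 05 01 61 6c 69 63 65 00 00 00", "10 00 81 50 02 00 00"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:<42} {annotate(sample)}")
```

Payloads the notes have not decoded, such as the beep command, fall through to the "unrecognised" line so they stand out in a longer capture.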
