Korg Forums

maranite · Posted: Thu Oct 09, 2014 5:08 pm Post subject: Reverse engineering the firmware

The kronos commmunity has a couple of enthusiasts who've figured out how to hack Kronos.

I would dearly like to make some minor mods to the Krome - like making the sequencer easier to use (more screen real estate), making RPPR more usable, etc. Not interrested in causimg Korg any losses, but insteaf want to improve existing features where Krog appeared to loose the plot.

Is there anyone on the forums who knows how to reverse engineer ARM firmware? Or does anyone know if its possible to enter an NDA with Korg to facilitate contributions? I've tried several times to make contact with Richard Formadoni (Krome product manager) with no success.

Any suggestions welcome!

sqz · Joined: 24 Mar 2013 Posts: 30

There are several tools to reverse engineer ARM firmware.
Tools like binwalk are usually used for scrambled firmwares (which korg rarely does).
Try to figure out the exact ARM chipset, and check http://onlinedisassembler.com or the linux radare tools.

Reverse engineering is timeconsuming (and legal when you purchased the product itself).
_________________
Korg Electribe SX Upgrade v3:
https://www.youtube.com/watch?v=iYAPfE6z0MI
A naysayer sees the difficulty in every opportunity, an artist sees the opportunity in every difficulty

michelkeijzers · Posted: Fri Oct 10, 2014 9:43 am Post subject:

Note that it is illegal to go in this kind of road.

I'm afraid the only reasonable ways except trying to get a job at Korg, is to notify it as 'wish' and hope Korg themselves will pick it up.
_________________

Developer of the free PCG file managing application for most Korg workstations: PCG Tools, see https://www.kronoshaven.com/pcgtools/

maranite · Posted: Sun Oct 12, 2014 6:16 pm Post subject:

Duly noted Michael.

Binwalk and onlinedisassembler both comeup empty handed.
The firmware appears to contain "nth byte" obfustication... I.e in a hex editor you'll see the word "KOR.G"... or "progr.am"

Arm diassemblers rapdily start reporting invalid instructions.... so the file format definately has some sort of structure or encoding to it (I.e. not vanilla executable). The tail of the file contains many similar repeated blocks... which I'm assuming are either the bitmaps used to represrnt instruments, or (perhaps more likely) the DSP code that gets downloaded into the korg edsx engine.

...long road ahead.

maranite · Posted: Sun Nov 02, 2014 5:25 pm Post subject:

For what it's worth....

The Krome has a BOOT.CMP file (the bootloader), and MAINAPP.CMP which is the main application that "runs" the synth.

MAINAPP.CMP has a large Lempel-Ziv compressed section starting at offset 1992315... the compressed data comes in 9-part blocks, where the first byte is indicates which of the remaining 8 parts are 1-byte literals (indicated by a 1) or 2-byte dictionary lookups, where the last 4 bits are the "length -3" of the decompressed phrase, and the upper 12 bits are the dictionary index.

I'm coming unstuck with the header (first 1.9 MB) of the file - it appears to contain uncompressed data, but it doesn't look like ARM based instructions.

Does anybody know what sort of CPU architecture the Krome has?
From error messages seen on it's predecessor (the M50) I assumed it was an ARM cpu, but that doesn't tie up to what I'm seeing in the firmware.

Anybody know what CPU the Krome has?

maranite · Posted: Sun Nov 02, 2014 5:29 pm Post subject:

... as an interesting aside, the word "KARMA" appears twice in the firmware, yet it doesn't feature on the synth.

Share code-base / disabled feature?

maranite · Posted: Tue Nov 04, 2014 3:51 pm Post subject:

I've managed to decode the compressed parts of the firmware file now.

Some interesting / amusing facts:

* Firmware is written in C++ (no surprises there) and appears to share a common code-base with the M3 and M50. The literal strings include:

"Hello there! How are you?No updating was required at this time.
The M50 already has the latest version of the system files.
USB Hub power exceeded
Please disconnect USB device
Sampling Play from HDD
Buffer overrun error occurred
Sampling to HDD"

... so sample management / playback appears to have been deliberately crippled on the Krome.

Elsewhere.... string that indicate the existence of hidden admin menus:
"Check out discriptions.
1. MIDI 2. USB 3. Boot Sys. 4. Normal Sys. 5. Backup ROM 6. EEPROM 7. TG 8. FPGA 9. Key Scanner 10. SD-Card"

* It looks as though the Krome uses FAT12 as it's internal file-system.
* The names and indices for the "ROM" (SD-Card) samples are indeed stored in the firmware.
* The names (and possibly DSP code) for the effects are stored in firmware - so it's probable that new effects could be introduced with firmware updates.

... Still a L-O-N-G road to walk before I'll be able to make any improvements (like turning off the flashing tempo LED except during record) - but I'll persevere. If anyone wants to get involved, give me a shout!

Kromeheaven · Posted: Wed Nov 05, 2014 6:33 pm Post subject:

Great job

Interested...really Smile

_________________
Korg MicroX / Korg Monotron / Korg Nautilus / Korg X3 / Korg Krome / Alesis QS

http://www.korgnautilus.com
http://www.kromeheaven.com

maranite · Posted: Fri Nov 07, 2014 8:45 pm Post subject:

Hi Cyph.

Knew I could count on you Very Happy

For the past few days I've been spinning my wheels trying to figure out where the compressed data starts.... but thats purely out of wanting to know how to reconstruct an "authentic" firmware file.

I'm all too happy to share my code with you (c#, not java... sorry!) that decompresses the firmware. At the very least you will be able to study the data blocks and text of the firmware already. I'm eager to get the executable code (the first 1.9mb) into IDA Pro to see what's going on there. It looks like it could be an ELF format executable.... if this proves true then its very likely that the Krome is runnong either *nix OS, or at least uses a *nix family bootloader.

Let me know how I can help you get involved!

yank · Junior Member Joined: 03 Feb 2013 Posts: 72

Hello friends , this sounds very interesting.
Get the luck with this !

Bald Eagle · Posted: Sat Nov 08, 2014 3:40 am Post subject:

A while back someone went all out rev eng the Kronos. Korg did not approve as it violates the license agreements. If you get to deep you could run into problems.

I understand their concern but they could also open up select components. It just helps make their products better.

Kromeheaven · Posted: Sat Nov 08, 2014 9:37 am Post subject:

maranite · Posted: Sun Nov 09, 2014 5:05 am Post subject:

Yes, same sentiment here. I really dont want any harm to come to Korg - and I believe that if the user community is able to address their niggles with the Krome without any development cost for Korg, then this will be mutually beneficial.

In terms of legalities, it very much depends on what we do.... it is lawfuly in most countries to study (reverse engineer) any product you own, and as long as you dont produce derived works that compete with or undermine the proprietor, then no law has been broken... no matter what any "licensing agreement" (which none of us have signed) says.

It does, however, blow my mind that Korg don't listen to their customers requests for simple improvements (like turning off the tempo light), and that they havent released an open source synth. They could be selling so many more units with far lower development costs... the mind boggles!

Bald Eagle · Posted: Mon Nov 10, 2014 12:59 am Post subject:

Korg doesn't really listen .. You get what you buy. If you want a company that listens go to Moog. I suggested a feature for the Sub 37 and was pleasently surprised with a test OS upgrade the same day.

castorex · Full Member Joined: 06 Jun 2014 Posts: 134