this post was submitted on 05 Jan 2025
43 points (95.7% liked)
[–] Imgonnatrythis@sh.itjust.works 6 points 3 weeks ago (1 children)

No f'n clue what the hell is going on here but I love it.

[–] tal@lemmy.today 24 points 3 weeks ago* (last edited 3 weeks ago)

The thing the guy is poking at is a synthesizer, a device that lets you compose music and synthesizes the audio.

He got a service manual that showed some technical information about a similar synthesizer that indicated that some of the pins on one of the chips were used for a standard interface used to diagnose problems on devices, called JTAG. He guessed correctly that his similar synthesizer also used the same pins for this.

He made some guesses about what functionality was present, and was able to identify the microprocessor and download the device firmware using this port.

He then went looking for interesting bits of text in the firmware. What he ran across was something that appeared to be a diagnostic shell (i.e. you enter commands and can see a response) as well as the password to access it.

He didn't know how one reached the shell. He went digging in the firmware further and discovered that the device -- which acted as a MIDI device over USB to a host computer -- took in special MIDI commands that would go to this shell.

Now he had a way to access the shell any time he had one of these synths plugged into his computer via USB -- he didn't need to physically connect to the diagnostic pins on the chip.

One feature of the shell permitted modifying RAM on the synthesizer. It wasn't intended to let one upload executable code, but he uploaded it into some unused memory and then overwrote the frame pointer on the stack used by the shell program to point to that code (which a processor uses to know where to continue executing after running a subroutine) and then returned into his code, which let him get to the point where he could not just upload code to the microprocessor but also run it.

He wrote his own transfer program for high-speed data transfer over USB and modified the in-RAM code that displayed video.

This then let him upload video to part of the display and display it at a relatively high frame rate, which is the anime video shown in the last section. I believe that the laptop in the foreground is showing the original frames.

My understanding from two articles recently posted here is that it is a fad for hardware hackers to play this "bad apple" anime video on all sorts of old and low end devices.
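As an added example (not code from the post or from the linked project), here is a small Python monitor that pulls SysEx messages out of a raw MIDI byte stream and flags those whose data is printable text, the kind of check a defender could run over a MIDI capture to notice a vendor diagnostic shell being driven over USB-MIDI as tal describes. The manufacturer ID 0x7D (the reserved non-commercial ID) and the sample bytes are constructed; the real synth's message layout is not on the page and is not reproduced.

```python
# Constructed example: extract SysEx (F0 ... F7) messages from a MIDI byte
# stream and flag payloads that look like ASCII commands. Framing follows
# MIDI 1.0: data bytes are < 0x80, real-time bytes (F8-FF) may interleave,
# any other status byte aborts the message. The device's real protocol is
# not shown on the page; the heuristic below is a generic text check.
SYSEX_START, SYSEX_END = 0xF0, 0xF7


def extract_sysex(stream: bytes) -> list:
    """Return the data bytes of every complete SysEx message in the stream."""
    msgs, cur = [], None
    for b in stream:
        if b == SYSEX_START:
            cur = bytearray()           # begin a new message
        elif cur is None:
            continue                    # outside SysEx: ignore channel messages
        elif b == SYSEX_END:
            msgs.append(bytes(cur))
            cur = None
        elif b >= 0xF8:
            continue                    # system real-time, allowed inside SysEx
        elif b >= 0x80:
            cur = None                  # unexpected status byte: message aborted
        else:
            cur.append(b)
    return msgs


def looks_like_text_command(payload: bytes, min_len: int = 4) -> bool:
    """Heuristic: after the manufacturer ID (1 byte, or 3 bytes when the first
    byte is 0x00) the body is printable ASCII and contains a letter."""
    if not payload:
        return False
    body = payload[3:] if payload[0] == 0x00 else payload[1:]
    if len(body) < min_len:
        return False
    return all(0x20 <= c < 0x7F for c in body) and any(chr(c).isalpha() for c in body)


def flag_suspicious(stream: bytes) -> list:
    """Payloads worth a closer look: SysEx data that reads as text."""
    return [p for p in extract_sysex(stream) if looks_like_text_command(p)]


# Constructed sample: a note-on, a GM System On message, then a SysEx whose
# body is the word "help" under the placeholder manufacturer ID 0x7D.
SAMPLE = (bytes([0x90, 0x3C, 0x40])
          + bytes([0xF0, 0x7E, 0x7F, 0x09, 0x01, 0xF7])
          + bytes([0xF0, 0x7D]) + b"help" + bytes([0xF7]))

if __name__ == "__main__":
    for p in flag_suspicious(SAMPLE):
        print("text-like SysEx payload:", p)
```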

[–] sevon@lemmy.kde.social 5 points 3 weeks ago (1 children)

Nice. I wonder how many synths out there have a shell accessible through MIDI, I should get one.

[–] mesamunefire@lemmy.world 3 points 3 weeks ago (1 children)

It's definitely interesting. Never would have thought of using MIDI for that haha.

[–] sevon@lemmy.kde.social 3 points 3 weeks ago

Well since one can pack anything in custom sysex messages, might as well try posting to lemmy through midi.

[–] tibi@lemmy.world 3 points 3 weeks ago (1 children)

I own a Yamaha PSR E403. This series is a lower end class of synthesizer/arranger keyboards targeted towards novice players. Mine also has an identical UI to the one presented here. I wonder if the hack would work on it as well, being a similar model.

My better keyboard is a Yamaha CP88 which is a lot more modern and has updatable firmware. I poked a bit with the update package using binwalk and as far as I could tell it's not encrypted, and runs some version of QNX. My hacking skills aren't as good, but I wonder if that one has similar exploits.

[–] sevon@lemmy.kde.social 1 points 2 weeks ago

Looks like yours is a 6 years older version of the same thing, so I think there's a decent chance the same thing will work. The tools are on the author's GitHub: https://github.com/portasynthinca3/swl01u/blob/bf50f89b1d28701791a4866ef97944513e8c6a1c/shell.py