Patch the MD firmware to fix the SDS lockup bug? #88
Comments
The first 1MB is the firmware code section.
Disassemble it -- when running as OS, the base address should be 0x10000000:
Note: better first find the entry point for the OS! The head of the firmware may be the bootloader!
Nice. I was looking at the binary over the weekend (trying to find Elvis). The bootloader text (hold function on power on) can be seen at 0x24E0.
There's also another possibility of manipulating MDRAM in realtime by sending a corrupt Kit. I'm guessing that the LFODest is not being range checked. So perhaps this is an entry point for manipulating certain memory addresses.
That sounds a little scary XD
There must be some kind of critical jump that switches from the bootloader to the OS.
@yatli you might find this interesting. This time last year I had a brief correspondence with the author of the skeleton driver. "Yes, about 4 years ago we merged the MESS project (which was applying the MAME core emulation to non-arcade machines) into MAME itself and we'd already been working on various synths and drum machines, e.g. https://www.youtube.com/watch?v=ulQo5SjNTaQ&frags=pl%2Cwn . Most recently we got ROMs for the Akai/Roger Linn MPC-3000, which for reasons we don't understand is also the sound section of the SNK Hyper NeoGeo-64 arcade system. With regard to the Elektron and Access gear, most of the initial reverse engineering (including dumping the ROMs and extracting clean ROM dumps from the factory firmware downloads) was actually done by some folks at a Norwegian synth repair shop. We do plan to continue the emulation, but we have limited resources in terms of people who can and want to work on emulating MIDI stuff. This is part of why we've been so busy recently converting MAME from a macro jungle to mostly standard C++14; not only does that make tooling more able to work with the code, hopefully it reduces some of the difficulty of learning what's going on."
FYI the instruction set manual:
pro gaming consoles.
I've got REDasm partially working with ColdFire. Need a few more days to bring up the full functionality.
@jmamma does that look like anything you know? I'm at least sure about one thing, it takes data from
I assume the DSP chips needed to be loaded up with code on boot.
Yep, done before the jump.
So you're trying to ascertain what all the code in the unpack routine is? The bottom half looks like it's detecting strings. *shrugs*
I'm trying to run this piece of code on the host machine and extract the actual OS.
With MAME I can run the code, but it doesn't have the correct address mapping, so no data is written.
Is it sample loading?
What do you mean by "doesn't have the correct address mapping, so no data written"?
Did you just answer your own question :D? How do you go about configuring the emulator to write to RAM?
Real OS image decode success. Size = 404766, checksum OK (0)
Adding the image to disassembly as an overlay, at 0x200000...
Excellent work. When you have some time, add to the documentation how you get the decompiler involved.
Sure :) Funny thing is, the code doesn't run well on x64.
Can you dump the extracted ROM here? Want to take a quick look.
YES!!!!
You've made history.
What happened??
Nobody has a photo of him. Until now.
This could be the greatest achievement of the decade 😂
When you first brought up the Elvis thing I thought 🤔 probably you're just joking... Just dug out the backstory, whoops!
I guess we have a new sprite to add to MCL 2.50
Is the DSP code unpacked? I wonder how easy it would be to disable 12-bit emulation. Samples are stored at 16 bit.
They deliberately cripple it down to 12 bit??
I haven't unpacked the DSP code. It's located somewhere else, and requires some register tampering.
We can have a quick sync later today, I'll help to set up the environment for you.
Thanks @yatli. It's late evening here. If you have time to document, I can async catch up tomorrow during the day.
Oh well. Lost some of my instincts --
Entering
0722986
Closing now.
This is really interesting, I'd been really curious about trying to decode the firmware, mostly just out of curiosity! Anywhere to follow for further updates on your work @yatli?
@yatli I would also like to be able to follow your project.
@tomduncalf @TronicLabs please understand that we are still communicating with Elektron to see if we can open more information wrt the firmware.
@yatli no worries, I totally understand that it is a sensitive subject! Really cool that you were able to figure it out!
@yatli
I admit this is ambitious, but I've been looking for relevant materials for a while.
Most significantly: https://github.com/mamedev/mame/blob/master/src/mame/drivers/elektronmono.cpp
... documents the specs and address space layout for the coldfire m68k processor.
https://edgeemu.net/details-39651.htm
... provides decoded binary image of the firmware.
Now, IF the bootloader is separated from the actual firmware, we can simply hack the firmware image, re-encode sysex, and burn it in without worrying about bricking the device (just be careful about I/O).
Tooling:
Emulation environment
./mame64 machdrum -debug
ColdFire internal modules mapping
How to interpret instructions like:
move.l D0, $300068.l
Search for $68 in the 5206e manual. It corresponds to an internal register, pretty much like the AVR PORTA / DDRA stuff.
UART stuff (excerpt of the 5206e UART register table, read column / write column; 1 and 2 are the manual's footnote marks):
DO NOT ACCESS (1)
DO NOT ACCESS (1) / Output Port Bit Set CMD (UOP1) (2)
DO NOT ACCESS (1) / Output Port Bit Reset CMD (UOP0) (2)
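To make the "search for $68 in the 5206e manual" step mechanical, here is an added example (my own helper, not code from this issue or from MAME): it scans a ColdFire disassembly listing, picks out absolute `$xxxxxx.l` operands that fall inside the MBAR-mapped internal module window, and annotates them with the MBAR-relative offset and the module block it lands in. The MBAR base 0x300000 is inferred from the issue's `move.l D0, $300068.l`; the window size and the block table are partial and recalled from the MCF5206e user manual, so treat them as assumptions to verify against the manual before relying on a label.

```python
import re

# Added example (not from the issue): annotate MBAR-relative internal
# register accesses in a ColdFire disassembly listing.
MBAR = 0x300000          # assumed from the issue's $300068 operand
MBAR_WINDOW = 0x400      # assumed size of the internal module address space

# (start offset, end offset inclusive, module block) -- partial table,
# recalled from the MCF5206e manual; verify offsets against the manual.
MODULE_BLOCKS = [
    (0x000, 0x063, "SIM (interrupt ctrl, reset, watchdog, DRAM ctrl)"),
    (0x064, 0x0C3, "Chip-select module (CSAR/CSMR/CSCR)"),
    (0x100, 0x11F, "Timer 1"),
    (0x120, 0x13F, "Timer 2"),
    (0x140, 0x17F, "UART 1"),
    (0x180, 0x1BF, "UART 2"),
]

# Matches absolute long operands as the disassembler prints them: $300068.l
ABS_OPERAND = re.compile(r"\$([0-9A-Fa-f]+)\.l")


def resolve_mbar_offset(addr):
    """Return the offset from MBAR, or None if addr is outside the window."""
    if MBAR <= addr < MBAR + MBAR_WINDOW:
        return addr - MBAR
    return None


def module_for_offset(off):
    """Name the module block an MBAR-relative offset belongs to."""
    for lo, hi, name in MODULE_BLOCKS:
        if lo <= off <= hi:
            return name
    return "unmapped/reserved"


def annotate_line(line):
    """Append a ';' comment naming the internal register block for MBAR hits."""
    notes = []
    for m in ABS_OPERAND.finditer(line):
        off = resolve_mbar_offset(int(m.group(1), 16))
        if off is not None:
            notes.append(f"MBAR+${off:03X} -> {module_for_offset(off)}")
    return line if not notes else f"{line:<32} ; " + "; ".join(notes)


def annotate_listing(text):
    return "\n".join(annotate_line(l) for l in text.splitlines())


if __name__ == "__main__":
    # Constructed sample listing; only the first line comes from the issue.
    sample = "move.l D0, $300068.l\nmove.b D1, $300178.l\nmove.l D2, $10000000.l"
    print(annotate_listing(sample))
```

Offsets outside the window (for example the OS base 0x10000000 mentioned above) are left untouched, so the helper can be run over the whole first-megabyte disassembly without producing noise.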