
Patch the MD firmware to fix the SDS lockup bug? #88

Closed
yatli opened this issue Nov 27, 2019 · 49 comments

Comments

@yatli
Collaborator

yatli commented Nov 27, 2019

I admit this is ambitious, but I've been looking for relevant materials for a while.
Most significantly: https://github.com/mamedev/mame/blob/master/src/mame/drivers/elektronmono.cpp

... documents the specs and address space layout for the coldfire m68k processor.

https://edgeemu.net/details-39651.htm

... provides decoded binary image of the firmware.

Now, IF the bootloader is separated from the actual firmware, we can simply hack the firmware image, re-encode sysex, and burn it in without worrying about bricking the device (just be careful about I/O).

Tooling:

Emulation environment

  • Get MAME: https://www.mamedev.org/
    • Unarchive it to, say: ~/mame/
  • Get MachineDrum firmware dump:
  • Open up a terminal. Navigate to ~/mame
  • ./mame64 machdrum -debug
  • Get the guts of MD running as if in an IDE. 🚀

ColdFire internal modules mapping

How to interpret instructions like: move.l D0, $300068.l
Search for $68 in the 5206e manual. It corresponds to an internal register, pretty much like the AVR PORTA DDRA stuff.

  • MBAR = 0x300000
  • MBAR + $64: CSAR0 (16-bit), Chip Select Address Register, Bank 0
  • MBAR + $68: CSMR0 (32-bit), Chip Select Mask Register, Bank 0
  • MBAR + $CA: PAR, Pin Assignment Register
  • MBAR + $6E: CSCR0 (16-bit), Chip Select Control Register, Bank 0
  • MBAR + $70: CSAR1 (16-bit), Chip Select Address Register, Bank 1
  • MBAR + $74: CSMR1 (32-bit), Chip Select Mask Register, Bank 1
  • MBAR + $7A: CSCR1 (16-bit), Chip Select Control Register, Bank 1
  • MBAR + $7C: CSAR2 (16-bit), Chip Select Address Register, Bank 2
  • MBAR + $80: CSMR2 (32-bit), Chip Select Mask Register, Bank 2
  • MBAR + $86: CSCR2 (16-bit), Chip Select Control Register, Bank 2
  • MBAR + $88: CSAR3 (16-bit), Chip Select Address Register, Bank 3
  • MBAR + $8C: CSMR3 (32-bit), Chip Select Mask Register, Bank 3
  • MBAR + $92: CSCR3 (16-bit), Chip Select Control Register, Bank 3
  • MBAR + $A0: CSAR5 (16-bit), Chip Select Address Register, Bank 5
  • MBAR + $A4: CSMR5 (32-bit), Chip Select Mask Register, Bank 5
  • MBAR + $AA: CSCR5 (16-bit), Chip Select Control Register, Bank 5
  • MBAR + $1C5: PPDDR (8-bit), Port A Data Direction Register
  • MBAR + $1C9: PPDAT (8-bit), Port A Data Register
  • MBAR + $C6: DMCR (16-bit), Default Memory Control Register

UART stuff

Columns: UART1 offset / UART2 offset: register seen on read; register written on write.

  • MBAR+$140 / MBAR+$180: Mode Register (UMR1, UMR2) on both read and write
  • MBAR+$144 / MBAR+$184: read Status Register (USR); write Clock-Select Register (UCSR)
  • MBAR+$148 / MBAR+$188: Command Register (UCR)
  • MBAR+$14C / MBAR+$18C: read Receiver Buffer (URB); write Transmitter Buffer (UTB)
  • MBAR+$150 / MBAR+$190: read Input Port Change Register (UIPCR); write Auxiliary Control Register (UACR)
  • MBAR+$154 / MBAR+$194: read Interrupt Status Register (UISR); write Interrupt Mask Register (UIMR)
  • MBAR+$158 / MBAR+$198: Baud Rate Generator Prescale MSB (UBG1) on both read and write
  • MBAR+$15C / MBAR+$19C: Baud Rate Generator Prescale LSB (UBG2) on both read and write
  • MBAR+$170 / MBAR+$1B0: Interrupt Vector Register (UIVR) on both read and write
  • MBAR+$174 / MBAR+$1B4: read Input Port Register (UIP); write: DO NOT ACCESS
  • MBAR+$178 / MBAR+$1B8: read: DO NOT ACCESS; write Output Port Bit Set CMD (UOP1)
  • MBAR+$17C / MBAR+$1BC: read: DO NOT ACCESS; write Output Port Bit Reset CMD (UOP0)
@yatli
Collaborator Author

yatli commented Nov 27, 2019

The first 1MB is the firmware code section.
Chop it out:

dd if=elektron_sps1-1uw_os1.63.bin of=os_code.bin bs=1024 count=1024

Disassemble it -- when running as OS, the base address should be 0x10000000:

m68k-linux-gnu-objdump --adjust-vma 0x10000000 -b binary -mm68k:5206e -D os_code.bin 

Note: better first find the entry point for the OS! The head of the firmware may be the bootloader!
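As an added example (not code from this thread or the project), a small Python annotator for the objdump listing produced by the command above: it parses each disassembly line, maps absolute operands that fall in the MBAR window to the register names from the first comment (a subset, keeping the UART read/write split), and flags accesses the manual marks DO NOT ACCESS. The objdump line shape, the `0x400` window size and the sample disassembly lines are assumptions, not taken from the real firmware dump.

```python
import re
MBAR = 0x300000
# Subset of the MBAR register map from the first comment: (name when read,
# name when written); None where that direction is marked DO NOT ACCESS.
REGS = {
    0x64: ("CSAR0", "CSAR0"), 0x68: ("CSMR0", "CSMR0"), 0x6E: ("CSCR0", "CSCR0"),
    0xC6: ("DMCR", "DMCR"), 0xCA: ("PAR", "PAR"), 0x1C5: ("PPDDR", "PPDDR"),
    0x1C9: ("PPDAT", "PPDAT"), 0x144: ("USR", "UCSR"), 0x14C: ("URB", "UTB"),
    0x154: ("UISR", "UIMR"), 0x174: ("UIP", None), 0x178: (None, "UOP1"),
    0x17C: (None, "UOP0"),
}
# Assumed objdump MIT-syntax line shape: "addr:\t<hex words>\tmnemonic operands"
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{4}\s)+\s*(\S+)\s*(.*)$")
ABS_RE = re.compile(r"0x([0-9a-f]+)")

def annotate_line(line):
    m = LINE_RE.match(line)
    if not m:
        return line.rstrip()  # section headers, blank lines, etc. pass through
    addr, mnem, ops = m.group(1), m.group(2), m.group(3).strip()
    # Comma split is enough for "%d0,0x300068"; nested "(8,%a0)" forms are not handled.
    operands = [o for o in ops.split(",") if o]
    notes = []
    for i, op in enumerate(operands):
        hit = ABS_RE.search(op)
        if not hit:
            continue
        off = int(hit.group(1), 16) - MBAR
        if not 0 <= off < 0x400:  # assumption: module window is MBAR..MBAR+$3FF
            continue
        # MIT syntax: in a two-operand instruction the last operand is the destination.
        is_write = len(operands) > 1 and i == len(operands) - 1
        dirn = "write" if is_write else "read"
        names = REGS.get(off)
        if names is None:
            notes.append("%s MBAR+$%X (unlisted)" % (dirn, off))
        elif names[int(is_write)] is None:
            notes.append("%s MBAR+$%X: DO NOT ACCESS" % (dirn, off))
        else:
            notes.append("%s %s" % (dirn, names[int(is_write)]))
    out = "%s: %s" % (addr, mnem) + (" " + ops if ops else "")
    return out + ("  ; " + ", ".join(notes) if notes else "")

# Constructed sample lines (not from the real firmware dump).
SAMPLE = ("10000abc:\t23c0 0030 0068 \tmovel %d0,0x300068\n"
          "10000ac2:\t2039 0030 0178 \tmovel 0x300178,%d0\n10000ac8:\t4e71      \tnop")

if __name__ == "__main__":
    print("\n".join(annotate_line(l) for l in SAMPLE.splitlines()))
```

Pipe a real listing through it with `annotate_line` over `sys.stdin` once you trust the line regex against your objdump version's output.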

@jmamma
Owner

jmamma commented Nov 28, 2019

Nice.

I was looking at the binary over the weekend (trying to find Elvis)

The bootloader text (hold function on power on) can be seen at 0x24E0

@jmamma
Owner

jmamma commented Nov 28, 2019

There's also another possibility of manipulating MDRAM in realtime by sending a corrupt Kit.

I'm guessing that the LFODest is not being range checked. So perhaps this is an entry point for manipulating certain memory addresses.

@yatli
Collaborator Author

yatli commented Nov 28, 2019

The bootloader text (hold function on power on) can be seen at 0x24E0

That sounds a little scary XD

@yatli
Collaborator Author

yatli commented Nov 28, 2019

There must be some kind of critical jump that switches from the bootloader to the OS.

@jmamma
Owner

jmamma commented Nov 28, 2019

@yatli you might find this interesting.

This time last year I had a brief correspondence with the author of the skeleton driver.

"Yes, about 4 years ago we merged the MESS project (which was applying the MAME core emulation to non-arcade machines) into MAME itself and we'd already been working on various synths and drum machines, e.g. https://www.youtube.com/watch?v=ulQo5SjNTaQ&frags=pl%2Cwn . Most recently we got ROMs for the Akai/Roger Linn MPC-3000, which for reasons we don't understand is also the sound section of the SNK Hyper NeoGeo-64 arcade system.

With regard to the Elektron and Access gear, most of the initial reverse engineering (including dumping the ROMs and extracting clean ROM dumps from the factory firmware downloads) was actually done by some folks at a Norwegian synth repair shop. We do plan to continue the emulation, but we have limited resources in terms of people who can and want to work on emulating MIDI stuff. This is part of why we've been so busy recently converting MAME from a macro jungle to mostly standard C++14; not only does that make tooling more able to work with the code, hopefully it reduces some of the difficulty of learning what's going on."

@yatli
Collaborator Author

yatli commented Nov 28, 2019

FYI the instruction set manual:

CFPRM.pdf

@yatli
Collaborator Author

yatli commented Nov 28, 2019

which for reasons we don't understand is also the sound section of the SNK Hyper NeoGeo-64 arcade system.

pro gaming consoles.

@yatli
Collaborator Author

yatli commented Nov 30, 2019

I've got REDasm partially working with coldfire. Need a few more days to bring up the full functionality.

@yatli
Collaborator Author

yatli commented Dec 2, 2019

@jmamma does that look like anything you know?

I'm at least sure about one thing, it takes data from src, and writes to dst.

@jmamma
Owner

jmamma commented Dec 2, 2019

I assume the DSP chips needed to be loaded up with code on boot.

@yatli
Collaborator Author

yatli commented Dec 2, 2019

Yep, done before the jump.

@jmamma
Owner

jmamma commented Dec 2, 2019

So you're trying to ascertain what all the code in the unpack routine is?

The bottom half looks like it's detecting strings. shrugs

@yatli
Collaborator Author

yatli commented Dec 2, 2019

I'm trying to run this piece of code on the host machine and extract the actual OS.

@yatli
Collaborator Author

yatli commented Dec 2, 2019

With MAME I can run the code, but it doesn't have the correct address mapping, so no data written

@jmamma
Owner

jmamma commented Dec 2, 2019

Is it sample loading?

@jmamma
Owner

jmamma commented Dec 2, 2019

What do you mean

doesn't have the correct address mapping, so no data written

?

@jmamma
Owner

jmamma commented Dec 2, 2019

Did you just answer your own question :D ?

How do you go about configuring the emulator to write to RAM?

@yatli
Collaborator Author

yatli commented Dec 2, 2019

Real OS image decode success. Size = 404766, checksum OK (0)

@yatli
Collaborator Author

yatli commented Dec 2, 2019

Adding the image to disassembly as an overlay, at 0x200000...

@jmamma
Owner

jmamma commented Dec 2, 2019

Excellent work.

When you have some time, add to the documentation how you get the decompiler involved.

@yatli
Collaborator Author

yatli commented Dec 2, 2019

Sure :)

Funny thing is, the code doesn't run well on x64.
Have to compile it as 32-bit x86 so that the bit chewing magic could work.

@jmamma
Owner

jmamma commented Dec 2, 2019

Can you dump the extracted ROM here? Want to take a quick look.

@jmamma
Owner

jmamma commented Dec 2, 2019

YES!!!!

@jmamma
Owner

jmamma commented Dec 2, 2019

You've made history.

@yatli
Collaborator Author

yatli commented Dec 2, 2019

what happened??

@jmamma
Owner

jmamma commented Dec 2, 2019

elvis

You uncovered Elvis.

@jmamma
Owner

jmamma commented Dec 2, 2019

nobody has a photo of him. until now.

@yatli
Collaborator Author

yatli commented Dec 2, 2019

!

@jmamma
Owner

jmamma commented Dec 2, 2019

this could be the greatest achievement of the decade 😂

@yatli
Collaborator Author

yatli commented Dec 2, 2019

When you first brought up the Elvis thing I thought 🤔 you were probably just joking...

Just dug out the backstory, whoops!

@jmamma
Owner

jmamma commented Dec 2, 2019

I guess we have a new sprite to add to MCL 2.50

@jmamma
Owner

jmamma commented Dec 2, 2019

elvis

@yatli
Collaborator Author

yatli commented Dec 2, 2019

#CASE_CLOSED 😎

@jmamma
Owner

jmamma commented Dec 2, 2019

Is the DSP code unpacked ?

I wonder how easy it would be to disable 12-bit emulation.

Samples are stored at 16-bit.

@yatli
Collaborator Author

yatli commented Dec 2, 2019

They deliberately cripple it down to 12-bit??

@yatli
Collaborator Author

yatli commented Dec 2, 2019

I haven't unpacked DSP code. It's located somewhere else, and requires some register tampering

@yatli
Collaborator Author

yatli commented Dec 2, 2019

We can have a quick sync later today, I'll help to set up the environment for you.

@jmamma
Owner

jmamma commented Dec 2, 2019

thanks @yatli

It's late evening here. If you have time to document I can async catch up tomorrow during the day.

@yatli
Collaborator Author

yatli commented Dec 2, 2019

Oh well. Lost some of my instincts -- fwrite should be used with mode "wb".
Problem fixed.

@yatli
Collaborator Author

yatli commented Dec 2, 2019

Entering MD_MAIN

@jmamma
Owner

jmamma commented Dec 2, 2019

0722986
😀

@yatli
Collaborator Author

yatli commented Dec 3, 2019

This MCL is O.K. Too

@yatli
Collaborator Author

yatli commented Jan 20, 2020

Closing now.

@yatli yatli closed this as completed Jan 20, 2020
@tomduncalf

This is really interesting, I'd been really curious about trying to decode the firmware, mostly just out of curiosity! Anywhere to follow for further updates on your work @yatli?

@TronicLabs

@yatli I would also like to be able to follow your project,
because I would like to learn, to know what tools you are using, and how to.
Thanks for this wonderful work to both of us.

@yatli
Collaborator Author

yatli commented Feb 17, 2020

@tomduncalf @TronicLabs please understand that we are still communicating with Elektron to see if we can open more information wrt the firmware.

@tomduncalf

@yatli no worries, I totally understand that it is a sensitive subject! Really cool that you were able to figure it out!

@TronicLabs

@yatli
no problem I understand, let's wait with confidence ...
