Changes

===DFU Routine===
The DFU routine compares incoming bytes to decide whether to enter DFU over MIDI. The firmware checks for a series of bytes sent from a different machine; these are user operations, not part of the diagnostic branch. (''Probable'') '''''DFU mode trigger (multi-byte pattern): AE E8 6A F7'''''
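As an added example (not code from this wiki page or from the device vendor), a monitor that scans a captured MIDI byte stream for the probable DFU trigger sequence quoted above. It keeps match state across chunk boundaries, so a sequence split over two USB packets or UART reads is still flagged, and it uses a KMP failure table so it also works for patterns with repeated prefixes; the sample stream is constructed.

```python
# Added example: watch a MIDI byte stream for the (probable) DFU trigger
# pattern AE E8 6A F7 quoted on the page. Bytes arrive in arbitrary chunks,
# so the matcher carries its partial-match state from one chunk to the next.

DFU_TRIGGER = bytes.fromhex("AEE86AF7")  # pattern noted on the page


def _failure_table(pattern: bytes) -> list:
    """KMP failure table: longest proper prefix of pattern[:i+1] that is a suffix."""
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail


class TriggerMonitor:
    """Streaming matcher reporting the absolute offset of every trigger occurrence."""

    def __init__(self, pattern: bytes = DFU_TRIGGER) -> None:
        self.pattern = pattern
        self.fail = _failure_table(pattern)
        self.matched = 0   # number of leading pattern bytes currently matched
        self.offset = 0    # absolute stream offset of the next byte to process
        self.hits = []     # start offsets of complete matches seen so far

    def feed(self, chunk: bytes) -> list:
        """Consume one chunk; return start offsets of matches completed in it."""
        new_hits = []
        for b in chunk:
            while self.matched and b != self.pattern[self.matched]:
                self.matched = self.fail[self.matched - 1]  # shift, keep prefix
            if b == self.pattern[self.matched]:
                self.matched += 1
            self.offset += 1
            if self.matched == len(self.pattern):
                new_hits.append(self.offset - len(self.pattern))
                self.matched = self.fail[-1]  # allow overlapping matches
        self.hits.extend(new_hits)
        return new_hits


def find_triggers(stream: bytes, chunk_size: int, pattern: bytes = DFU_TRIGGER) -> list:
    """Replay a captured stream through the monitor in fixed-size chunks."""
    mon = TriggerMonitor(pattern)
    for i in range(0, len(stream), chunk_size):
        mon.feed(stream[i:i + chunk_size])
    return mon.hits


# Constructed sample: note on/off traffic, then the trigger, more traffic, trigger again.
SAMPLE_STREAM = bytes.fromhex("903C40803C40") + DFU_TRIGGER + bytes.fromhex("903C40") + DFU_TRIGGER
```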
===Show Version Routine===
==Stealing the firmware==
I've been thinking: "how would I get the firmware off the flash, with no access to a programmer or firmware files?"
 
There is only a bootloader (no JTAG or SWD), the chip is fixed in boot mode by its pins, and there is no firmware stored on the CPU itself. It would have to be: take control of the bus and write the firmware out a byte at a time with an MCU (Pi Pico, Arduino, Teensy).
 
If the device is sent into Show Version mode, it accesses flash to read the version string and then sends it over UART to an external device.
 
After this the device must be powered off and rebooted to return to normal boot mode; '''''i.e.''''' it stays in an idle or wait/sleep loop.
 
I'm sure that it's not accessing flash after the version string is collected (though this could easily be checked with a scope).
 
This is probably the ideal time to use the 50-pin header and send a manual BREQ bus request, thus taking control of flash access from the bus arbitrator (the Alesis IC). This holds as long as WE# and CE# are also low (they should be if bus access is granted, though they could also be held low in case something woke up). Again, this could easily be determined by entering the Show Version routine and looking at the pin activity. Sure, it's possible.
==Roland RBUS==