
Changes

→‎Cutter -: adat links added
Cutter was much more useful for what I wanted. Lots of functions were discovered and named with the help of LLMs (as such, we can't take them as absolutely true, though they are likely to be mostly correct). I was digging around in it for a long time, super interesting - I discovered:
== Discovered Routines - ==
===Diagnostic Mode Routine -===
Firmware checks for input (button push) in early boot. This branches into and launches diagnostic (Monitor) mode. After looking at it more, I think that the device will start the tests automatically when it enters diagnostic mode, and that the strings are an output flag. I don't think the tests are commanded with byte input. It seems the firmware is checking for a hardware flag and, depending on the value, reports NG or OK. I have to check this when I have the device on the bench.
|
|}
 
== Firmware Updating / Appropriating - ==
===Firmware Update Files -===
I have not yet performed a diff of my firmware and the MIDI updates. I would have to reconstruct them first into a full image. I think my firmware is not corrupted though at this point. I will try to send the DFU command and the payload using a Python script instead (see below).

The MIDI files are 4x33kb. Minus headers etc., that is 32kb of actual payload x 4 = 128kb of firmware. A 512kb NOR flash is generous space for this (4x bigger), though remember it's banked for DFU (when the update is written and verified, it will switch the active bank flag). It also seems to be remapped to different addresses in runtime operation. There are plenty of 0xFF regions though, so not everything is written with instructions (though some of these are unmapped memory regions for SRAM etc. at the moment).
===DFU Python Script===
</syntaxhighlight>
===Misappropriate Firmware -===
I've been thinking: "how would I get the firmware off the flash, with no access to a programmer or firmware files?"
There is only a boot-loader (no JTAG or SWD) and the chip is fixed in boot mode with pins, and also, there is no firmware stored on the CPU! The attack vector would have to be: take control of the bus, and write the firmware out a byte at a time with an MCU (Pi Pico, Arduino, Teensy).

If the device was sent into Show Version Mode, it accesses flash to read the version and then sends it over UART to an external device.
'''''ie''''' - stays in an idle or wait / sleep loop.
I'm sure that it's not accessing flash after the version string is collected (though this could easily be checked with a scope or LA). This is probably the ideal time to use the 50 pin header for an attack. Send a manual BREQ bus request (pull BREQ low), thus taking control of the flash access from the Bus Arbitrator (Alesis IC). As long as WE# and CE# are low (they should be if bus access is granted, though they could also be held low in case something woke up). Again this could easily be determined by entering the Show Ver. routine and looking at the pin activity. Sure it's possible.

== Digital Audio Formats - ==
===Roland RBUS-===
From the VS2480 service manual we can see this schematic about the RBUS connector - it is a bi-directional transfer (audio in and audio out) so it crosses over (like a null modem cable)
===Tascam T-DIF-===
However this is only between TDIF and ADAT.
=== Alesis ADAT - ===
* https://www.vintagedigital.com.au/alesis-adat/
* https://www.gearnews.com/the-history-of-adat-how-alesis-changed-digital-recording/

Nice write-ups here with lots of details. I use optical ADAT. There is no pinout to mention. It uses TORX connectors, which are now obsolete. The connectors have been modernised with a spring door to keep out dust. The original has removable dust caps which are invariably lost over time.
==Repairs -==