If hacking on consumer hardware is about figuring out what it can do, and pushing it in directions that the manufacturer never dared to dream, then this is a very fine hack indeed. [Portasynthinca3] takes on the Yamaha PSR-E433, a cheap beginner keyboard, discovers a shell baked into it, and takes it from there.
[Portasynthinca3] reverse engineered the firmware, wrote shellcode for the device, embedded the escape in a MIDI note stream, and even ended up writing some simple LCD driver software to get a totally decent refresh rate on the dot-matrix display, all to support the lofty goal of displaying arbitrary graphics on the keyboard’s dot-matrix character display.
Now, we want you to be prepared for a low-res video extravaganza here. You might have to squint a bit to make out what’s going on in the video, but keep in mind that it’s being sent over a music data protocol from the 1980s, running at 31.25 kbps, displayed in the custom character RAM of an LCD.
As always, the hack starts with research. Identifying the microcontroller CPU led to JTAG and OpenOCD. (We love the technique of looking at the draw on a bench power meter to determine if the chip is responding to pause commands.) Dumping the code and tossing it into Ghidra led to the unexpected discovery that Yamaha had put a live shell in the device that communicates over MIDI, presumably for testing and development purposes. This shell had PEEK and POKE, which meant that OpenOCD could go sit back on the shelf. Poking “Hello World” into some free RAM space over MIDI sysex was the first proof-of-concept.
The final hack to get video up and running was to dig deep into the custom character-generation RAM, write some code to disable the normal character display, and then fool the CPU into calling this code instead of the shell, in order to increase the update rate. All of this for a thin slice of Bad Apple over MIDI, but more importantly, for the glory. And this hack is glorious! Go check it out in full.
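One detail worth making concrete is how any 8-bit payload (a string, a glyph bitmap, a block of code) crosses a MIDI link at all: MIDI data bytes must keep bit 7 clear, and 0xF0/0xF7 delimit a SysEx frame, so the payload has to be re-packed into 7-bit words on the way in and unpacked on the way out. The C below is an added example, not [Portasynthinca3]'s code and not Yamaha's (the article does not describe the keyboard's actual encoding); it assumes the common "7 payload bytes into 8 MIDI bytes" packing used by sample dumps and many vendor protocols, and uses manufacturer ID 0x7D, which the MIDI spec reserves for non-commercial use, as a placeholder.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 0x7D is the manufacturer ID reserved for non-commercial/educational use.
 * It is a placeholder here, not the PSR-E433's real ID. */
#define MFR_ID_EDU 0x7D

/* Pack 8-bit bytes into MIDI data bytes (bit 7 clear). Each group of up to
 * seven payload bytes becomes one byte holding the collected MSBs, followed
 * by the low seven bits of each payload byte. Returns bytes written, or 0
 * if `out` cannot hold the result. */
size_t pack7(const uint8_t *in, size_t len, uint8_t *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i += 7) {
        size_t n = (len - i < 7) ? (len - i) : 7;
        if (o + 1 + n > outcap)
            return 0;
        uint8_t hi = 0;
        for (size_t k = 0; k < n; k++)
            hi |= (uint8_t)((in[i + k] >> 7) << k);   /* collect the MSBs */
        out[o++] = hi;
        for (size_t k = 0; k < n; k++)
            out[o++] = in[i + k] & 0x7F;              /* low 7 bits */
    }
    return o;
}

/* Reverse of pack7. Rejects any byte with bit 7 set (never legal SysEx data)
 * and refuses to write past `outcap`. Returns bytes written, 0 on error
 * (or on empty input). */
size_t unpack7(const uint8_t *in, size_t len, uint8_t *out, size_t outcap)
{
    size_t o = 0, i = 0;
    while (i < len) {
        uint8_t hi = in[i++];
        if (hi & 0x80)
            return 0;
        for (size_t k = 0; k < 7 && i < len; k++) {
            if ((in[i] & 0x80) || o >= outcap)
                return 0;
            out[o++] = (uint8_t)(in[i++] | (((hi >> k) & 1u) << 7));
        }
    }
    return o;
}

/* Wrap packed data in a SysEx frame: F0, manufacturer ID, data..., F7.
 * Returns the frame length, or 0 if it does not fit. */
size_t build_sysex(const uint8_t *payload, size_t len, uint8_t *frame, size_t cap)
{
    if (cap < 3)
        return 0;
    frame[0] = 0xF0;
    frame[1] = MFR_ID_EDU;
    size_t n = pack7(payload, len, frame + 2, cap - 3);
    if (n == 0 && len > 0)
        return 0;
    frame[2 + n] = 0xF7;
    return 3 + n;
}

/* Returns 1 if `data` survives the frame round trip and every byte between
 * the delimiters is a legal 7-bit data byte, else 0. */
int roundtrip_ok(const uint8_t *data, size_t len)
{
    uint8_t frame[64], back[32];
    size_t fl = build_sysex(data, len, frame, sizeof frame);
    if (fl == 0)
        return 0;
    for (size_t i = 1; i + 1 < fl; i++)
        if (frame[i] & 0x80)
            return 0;
    size_t bl = unpack7(frame + 2, fl - 3, back, sizeof back);
    return bl == len && memcmp(back, data, len) == 0;
}

/* Convenience for inspection: the packed byte at `idx`, or -1 past the end. */
int packed_byte_at(const uint8_t *in, size_t len, size_t idx)
{
    uint8_t tmp[64];
    size_t n = pack7(in, len, tmp, sizeof tmp);
    return (idx < n) ? tmp[idx] : -1;
}

int main(void)
{
    const char *msg = "Hello World";              /* constructed sample payload */
    uint8_t frame[64];
    size_t fl = build_sysex((const uint8_t *)msg, strlen(msg), frame, sizeof frame);
    for (size_t i = 0; i < fl; i++)
        printf("%02X ", frame[i]);
    printf("\nround trip ok: %d\n", roundtrip_ok((const uint8_t *)msg, strlen(msg)));
    return 0;
}
```

The packing costs one extra byte per seven, which is why 31.25 kbps of MIDI goes even further than it sounds once you subtract framing; it also means a receiver can reject a frame the moment it sees a byte with bit 7 set in the data region.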
MIDI is entirely hacker friendly, and it’s likely you can hack together a musical controller that would wow your audience just with stuff in your junk box. If you’re at all into music, and you’ve never built your own MIDI devices, you have your weekend project.
Thanks [James] for the gonzo tip!
SysEx messages are a bit of a nightmare to implement, because vendors have to design them from scratch.
7-bit JSON over MIDI 2.0 at least gives a vendor the option to grab a rock solid parser written by someone who knows what they are doing. Parsers are where many of these overflow exploits occur.
Once you start using JSON in your ecosystem, you start to process strings properly, because handling strings for the keys and values is like 90% of the work. And hopefully you start using a library to do the heavy lifting, hopefully avoiding some more overflow exploits.
Versus most embedded projects where developers think every string is just an array of characters, a FIXED sized array of characters because that’s “safer” in the minds of an embedded developer.
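The receive-side bug the comment above describes, as an added C example that is not from the article and not from any keyboard firmware: a SysEx reassembler that collects data bytes into a fixed array, shown first without a length check (the overflow) and then hardened so oversized or truncated frames are dropped instead of written past the buffer. The buffer size and the byte streams are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SYSEX_MAX 16   /* constructed: tiny on purpose so the limit is easy to hit */

typedef struct {
    uint8_t buf[SYSEX_MAX];
    size_t  len;
    int     in_frame;
    int     overflowed;
} sysex_rx_t;

typedef enum { RX_NONE = 0, RX_FRAME_DONE = 1, RX_DROPPED = -1 } rx_result_t;

/* The "string is a fixed array of chars" pattern: nothing stops `len` from
 * walking past buf[], so a long SysEx overwrites `len` and `in_frame`
 * themselves, then whatever the linker placed after them.
 * Shown for contrast only; it is never called below. */
void rx_byte_unchecked(sysex_rx_t *rx, uint8_t b)
{
    if (b == 0xF0) { rx->len = 0; rx->in_frame = 1; return; }
    if (b == 0xF7) { rx->in_frame = 0; return; }
    if (rx->in_frame)
        rx->buf[rx->len++] = b;                 /* no bound on len: the overflow */
}

/* Hardened version: bounds the buffer, drops oversized or truncated frames,
 * and tolerates the real-time bytes (0xF8..0xFF) MIDI allows inside SysEx. */
rx_result_t rx_byte(sysex_rx_t *rx, uint8_t b)
{
    if (b >= 0xF8)
        return RX_NONE;                          /* clock, active sense, etc.: ignore */
    if (b == 0xF0) {                             /* start of frame resets all state */
        rx->len = 0; rx->in_frame = 1; rx->overflowed = 0;
        return RX_NONE;
    }
    if (!rx->in_frame)
        return RX_NONE;                          /* ordinary channel traffic */
    if (b == 0xF7) {                             /* end of frame */
        rx->in_frame = 0;
        return rx->overflowed ? RX_DROPPED : RX_FRAME_DONE;
    }
    if (b & 0x80) {                              /* another status byte: frame cut short */
        rx->in_frame = 0; rx->len = 0;
        return RX_DROPPED;
    }
    if (rx->overflowed)
        return RX_NONE;                          /* already poisoned: discard until 0xF7 */
    if (rx->len >= SYSEX_MAX) {                  /* the check the unchecked version lacks */
        rx->overflowed = 1; rx->len = 0;
        return RX_NONE;
    }
    rx->buf[rx->len++] = b;
    return RX_NONE;
}

/* Feed a whole byte stream; return the last frame-level result. */
rx_result_t feed(sysex_rx_t *rx, const uint8_t *s, size_t n)
{
    rx_result_t last = RX_NONE;
    for (size_t i = 0; i < n; i++) {
        rx_result_t r = rx_byte(rx, s[i]);
        if (r != RX_NONE)
            last = r;
    }
    return last;
}

/* Scenarios on constructed streams: delivered frame length on RX_FRAME_DONE,
 * or -1 when the frame was (correctly) dropped. */
int scenario_small_frame(void)
{
    static const uint8_t s[] = { 0xF0, 0x7D, 'H', 'i', 0xF7 };
    sysex_rx_t rx = { {0}, 0, 0, 0 };
    return feed(&rx, s, sizeof s) == RX_FRAME_DONE ? (int)rx.len : -1;
}

int scenario_oversized_frame(void)
{
    sysex_rx_t rx = { {0}, 0, 0, 0 };
    uint8_t s[SYSEX_MAX + 6];                    /* 20 data bytes > SYSEX_MAX */
    s[0] = 0xF0;
    for (size_t i = 1; i < sizeof s - 1; i++)
        s[i] = 0x41;
    s[sizeof s - 1] = 0xF7;
    return feed(&rx, s, sizeof s) == RX_FRAME_DONE ? (int)rx.len : -1;
}

int scenario_realtime_interleaved(void)
{
    static const uint8_t s[] = { 0xF0, 0x7D, 0x01, 0xF8, 0x02, 0xFE, 0x03, 0xF7 };
    sysex_rx_t rx = { {0}, 0, 0, 0 };
    return feed(&rx, s, sizeof s) == RX_FRAME_DONE ? (int)rx.len : -1;
}

int scenario_truncated_frame(void)
{
    /* A Note On (0x90) arrives before 0xF7: the SysEx was cut short. */
    static const uint8_t s[] = { 0xF0, 0x7D, 0x01, 0x90, 0x3C, 0x40 };
    sysex_rx_t rx = { {0}, 0, 0, 0 };
    return feed(&rx, s, sizeof s) == RX_FRAME_DONE ? (int)rx.len : -1;
}

int main(void)
{
    printf("small %d, oversized %d, realtime %d, truncated %d\n",
           scenario_small_frame(), scenario_oversized_frame(),
           scenario_realtime_interleaved(), scenario_truncated_frame());
    return 0;
}
```

The hardened reassembler keeps the fixed array the commenter objects to; what changes is that the array's size is enforced at the one place bytes enter it, and a frame that trips the limit is discarded as a unit rather than truncated, so a downstream command parser never sees a half frame it might misread.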
It’s going to take a while before MIDI 2.0 catches on. In part because 2.0 supports 1.0 so well, but also because the 1.0 serial interface isn’t compatible with 2.0. So 1.0, being the lowest common denominator and usually good enough for the job, is going to win most of the time.
What excites me is a move to use ethernet for 2.0. And if I had a music hardware company, I’d want to figure out a way to use power-over-ethernet and MIDI 2.0 over ethernet. It would make studios very easy to wire, with an ethernet switch to tie it all together, and enough power on every jack for a synthesizer. I wonder how well VLANs would play with it; it might blow musicians’ heads to add that to the mix, but being able to pull equipment in from any room without getting up would be quite a boon for audio engineers. Add AoE (Audio over Ethernet) to the mix, and now you’ve reduced the need for gobs of snake cables.
What’s exciting for me is that all this stuff is simple enough and off-the-shelf, so that I could prototype something on a Raspberry Pi or even an ESP32 with basically what I already have in my closet.