If hacking on consumer hardware is about figuring out what it can do, and pushing it in directions that the manufacturer never dared to dream, then this is a very fine hack indeed. [Portasynthinca3] takes on the Yamaha PSR-E433, a cheap beginner keyboard, discovers a shell baked into it, and takes it from there.
[Portasynthinca3] reverse engineered the firmware, wrote shellcode for the device, embedded the escape in a MIDI note stream, and even ended up writing some simple LCD driver software with a totally decent refresh rate on the dot-matrix display, all to support the lofty goal of displaying arbitrary graphics on the keyboard’s dot-matrix character display.
Now, we want you to be prepared for a low-res video extravaganza here. You might have to squint a bit to make out what’s going on in the video, but keep in mind that it’s being sent over a music data protocol from the 1980s, running at 31.25 kbps, displayed in the custom character RAM of an LCD.
As always, the hack starts with research. Identifying the microcontroller CPU led to JTAG and OpenOCD. (We love the technique of watching the draw on a bench power meter to tell whether the chip is actually responding to halt commands.) Dumping the code and tossing it into Ghidra led to the unexpected discovery that Yamaha had left a live shell in the device that communicates over MIDI, presumably for testing and development purposes. This shell has PEEK and POKE, which meant that OpenOCD could go sit back on the shelf: for anyone with access to the MIDI port, those two commands amount to unauthenticated arbitrary memory read and write. Poking “Hello World” into some free RAM over MIDI sysex was the first proof of concept.
The final hack to get video up and running was to dig deep into the custom character-generation RAM, write some code to disable the normal character display, and then fool the CPU into calling this code instead of the shell, in order to increase the update rate. All of this for a thin slice of Bad Apple over MIDI, but more importantly, for the glory. And this hack is glorious! Go check it out in full.
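Two practical details behind the paragraphs above are worth seeing in code: sysex data bytes must have bit 7 clear, so pushing arbitrary 8-bit values (shellcode, addresses) through the shell needs an 8-to-7 packing step, and the 31.25 kbps link caps how many display updates per second are even possible. The example below is added here for this page; it is not [Portasynthinca3]’s code and does not reproduce Yamaha’s shell framing. The 8-character × 8-row CGRAM size, the 0x7D manufacturer ID (the MIDI non-commercial ID) and the test bitmap are assumptions chosen for the worked budget.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* MIDI 1.0 is 31,250 baud, 8N1: 10 bit-times per byte, so 3125 bytes/s. */
#define MIDI_BAUD          31250
#define MIDI_BYTES_PER_SEC (MIDI_BAUD / 10)

/* Assumption: an HD44780-style CGRAM of 8 user characters x 8 row bytes.
 * The keyboard's real display layout is not documented on the page. */
#define CGRAM_CHARS 8
#define CGRAM_ROWS  8
#define CGRAM_BYTES (CGRAM_CHARS * CGRAM_ROWS)

/* Sysex data bytes must have bit 7 clear. Each group of up to 7 input bytes
 * becomes one byte carrying the 7 stripped MSBs followed by the 7 low-7-bit
 * bytes. Returns the packed length, or 0 if `out` is too small. */
size_t pack7(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i += 7) {
        size_t g = (n - i < 7) ? n - i : 7;
        if (o + 1 + g > cap)
            return 0;
        uint8_t msbs = 0;
        for (size_t k = 0; k < g; k++)
            msbs |= (uint8_t)((in[i + k] >> 7) << k);
        out[o++] = msbs;
        for (size_t k = 0; k < g; k++)
            out[o++] = in[i + k] & 0x7F;
    }
    return o;
}

/* Inverse of pack7. Rejects any byte with bit 7 set (a status byte leaked
 * into the payload) and refuses to write past `cap`. Returns 0 on error. */
size_t unpack7(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0, i = 0;
    while (i < n) {
        uint8_t msbs = in[i++];
        if (msbs & 0x80)
            return 0;
        for (size_t k = 0; k < 7 && i < n; k++, i++) {
            if ((in[i] & 0x80) || o >= cap)
                return 0;
            out[o++] = (uint8_t)(in[i] | (((msbs >> k) & 1) << 7));
        }
    }
    return o;
}

/* Packed length of n raw bytes: 8 wire bytes per full group of 7. */
size_t packed_len(size_t n)
{
    return (n / 7) * 8 + ((n % 7) ? (n % 7) + 1 : 0);
}

/* Wire bytes for one frame: F0, a one-byte manufacturer ID (0x7D assumed as
 * a stand-in), the 7-bit payload, F7. */
size_t sysex_frame_len(size_t payload7)
{
    return 1 + 1 + payload7 + 1;
}

/* Upper bound on full-CGRAM frames per second, ignoring device-side latency. */
double max_fps(size_t frame_len)
{
    return (double)MIDI_BYTES_PER_SEC / (double)frame_len;
}

/* Constructed demo: a 64-byte bitmap with bit 7 set everywhere, round-tripped. */
int demo_roundtrip(void)
{
    uint8_t bitmap[CGRAM_BYTES], packed[80], back[CGRAM_BYTES];
    for (size_t i = 0; i < CGRAM_BYTES; i++)
        bitmap[i] = (uint8_t)(0xA5 ^ i);      /* constructed test pattern */
    size_t p = pack7(bitmap, CGRAM_BYTES, packed, sizeof packed);
    if (p != packed_len(CGRAM_BYTES))
        return 0;
    size_t u = unpack7(packed, p, back, sizeof back);
    return u == CGRAM_BYTES && memcmp(bitmap, back, CGRAM_BYTES) == 0;
}

int main(void)
{
    size_t p = packed_len(CGRAM_BYTES);
    printf("round trip ok: %d\n", demo_roundtrip());
    printf("packed 8-bit CGRAM frame: %zu bytes, max %.1f fps\n",
           sysex_frame_len(p), max_fps(sysex_frame_len(p)));
    /* 5-dot-wide character rows fit in 7 bits, so they need no packing: */
    printf("raw row frame: %zu bytes, max %.1f fps\n",
           sysex_frame_len(CGRAM_BYTES), max_fps(sysex_frame_len(CGRAM_BYTES)));
    return 0;
}
```

The budget is the point: a full 64-byte CGRAM rewrite costs 77 wire bytes packed (about 40 frames/s at best) or 67 bytes if the 5-dot rows are sent as bare 7-bit values, before any command bytes or device-side processing. That is why the hack has to replace the shell's own handler to get the refresh rate up, rather than just poking faster.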
MIDI is entirely hacker friendly, and it’s likely you can hack together a musical controller that would wow your audience just with stuff in your junk box. If you’re at all into music, and you’ve never built your own MIDI devices, you have your weekend project.
Thanks [James] for the gonzo tip!
Sysex messages are a bit of a nightmare to implement, because vendors have to design them from scratch.
7-bit JSON over MIDI 2.0 at least gives a vendor the option to grab a rock-solid parser written by someone who knows what they are doing. Parsers are where many of these overflow exploits occur.
Once you start using JSON in your ecosystem, you start to process strings properly, because handling strings for the keys and values is like 90% of the work. And hopefully you start using a library to do the heavy lifting, hopefully avoiding some more overflow exploits.
Versus most embedded projects, where developers think every string is just an array of characters, a FIXED-sized array of characters, because that’s “safer” in the minds of an embedded developer.
It’s going to take a while before MIDI 2.0 catches on, in part because 2.0 supports 1.0 so well, but also because the 1.0 serial interface isn’t compatible with 2.0. So 1.0, being the lowest common denominator and usually good enough for the job, is going to win most of the time.
What excites me is a move to use Ethernet for 2.0. And if I had a music hardware company, I’d want to figure out a way to use Power-over-Ethernet and MIDI 2.0 over Ethernet. It would make studios very easy to wire, with an Ethernet switch to tie it all together, and enough power on every jack for a synthesizer. I wonder how well VLANs would play with it; it might blow musicians’ heads to add that to the mix, but being able to pull equipment in from any room without getting up is quite a boon for audio engineers. Add AoE (Audio over Ethernet) to the mix, and now you’ve reduced the need for gobs of snake cables.
What’s exciting for me is that all this stuff is simple enough and off-the-shelf that I could prototype something on a Raspberry Pi or even an ESP32 with basically what I already have in my closet.
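The fixed-array sysex handler the comment above warns about, next to a bounded version, as an added example for this page. It is a constructed illustration of the bug class, not firmware from any keyboard; the 16-byte buffer, the 0x7D manufacturer ID and the sample streams are arbitrary choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SYSEX_MAX 16   /* deliberately small so the oversize case is easy to hit */

struct sysex_buf {
    uint8_t data[SYSEX_MAX];
    size_t  len;
};

/* "A string is just a fixed array of chars": copies until EOX (F7) with no
 * check against the array size. A message longer than SYSEX_MAX, or one that
 * never ends, writes past `data`. Only call it with well-formed input. */
int sysex_collect_unsafe(const uint8_t *stream, size_t n, struct sysex_buf *b)
{
    size_t i = 0;
    b->len = 0;
    while (i < n && stream[i] != 0xF0)
        i++;
    if (i == n)
        return -1;
    for (i++; i < n && stream[i] != 0xF7; i++)
        b->data[b->len++] = stream[i];     /* BUG: no bound on b->len */
    return (int)b->len;
}

enum { SYSEX_NO_START = -1, SYSEX_BAD_STATUS = -2,
       SYSEX_TOO_LONG = -3, SYSEX_TRUNCATED = -4 };

/* Hardened: bounded copy, skips interleaved MIDI real-time bytes (F8-FF,
 * which are legal inside a sysex message), aborts on any other status byte,
 * and only reports success once EOX has actually arrived. */
int sysex_collect(const uint8_t *stream, size_t n, struct sysex_buf *b)
{
    size_t i = 0;
    b->len = 0;
    while (i < n && stream[i] != 0xF0)
        i++;
    if (i == n)
        return SYSEX_NO_START;
    for (i++; i < n; i++) {
        uint8_t c = stream[i];
        if (c == 0xF7)
            return (int)b->len;            /* complete message */
        if (c >= 0xF8)
            continue;                      /* real-time byte, not payload */
        if (c & 0x80)
            return SYSEX_BAD_STATUS;       /* new status byte: message aborted */
        if (b->len >= sizeof b->data)
            return SYSEX_TOO_LONG;         /* would overflow: drop the message */
        b->data[b->len++] = c;
    }
    return SYSEX_TRUNCATED;                /* input ended before EOX */
}

/* Constructed streams exercising each case. */
static const uint8_t ok_msg[]      = { 0x90, 0x3C, 0x7F,       /* a note-on, then: */
                                       0xF0, 0x7D, 0x01, 0xF8, 0x02, 0x03, 0xF7 };
static const uint8_t too_long[]    = { 0xF0, 0x7D, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
                                       11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 0xF7 };
static const uint8_t no_eox[]      = { 0xF0, 0x7D, 0x01, 0x02 };
static const uint8_t interrupted[] = { 0xF0, 0x7D, 0x01, 0x90, 0x3C, 0x7F };

int demo_ok(void)          { struct sysex_buf b; return sysex_collect(ok_msg, sizeof ok_msg, &b); }
int demo_unsafe_ok(void)   { struct sysex_buf b; return sysex_collect_unsafe(ok_msg, sizeof ok_msg, &b); }
int demo_too_long(void)    { struct sysex_buf b; return sysex_collect(too_long, sizeof too_long, &b); }
int demo_no_eox(void)      { struct sysex_buf b; return sysex_collect(no_eox, sizeof no_eox, &b); }
int demo_interrupted(void) { struct sysex_buf b; return sysex_collect(interrupted, sizeof interrupted, &b); }

int main(void)
{
    printf("ok: %d (unsafe parser keeps the F8 byte: %d)\n", demo_ok(), demo_unsafe_ok());
    printf("too long: %d, no EOX: %d, interrupted: %d\n",
           demo_too_long(), demo_no_eox(), demo_interrupted());
    return 0;
}
```

The unsafe version is never fed `too_long` here because that would be a real stack overflow; the point is that the hardened collector turns the same input into an error code and a dropped message instead.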
Interesting idea about modernizing audio using MIDI over Ethernet + Power over Ethernet + Audio over Ethernet. I had never heard of AoE; I just read about it now on Wikipedia. It’s cool to see that various solutions exist.
Interesting idea, but I think there are a few reasons that this hasn’t happened yet and might never happen. For one, recording studios have been on the decline for a couple of decades and are certainly a much smaller market than they were back when MIDI was invented. Meanwhile, for many of those that are still going, hardware has been gently eased out.
That’s not to say big traditional studios with tons of gear don’t exist anymore, but in those there’s always going to be a need to plug in an 808 or a Prophet or whatever else that long precedes the new standard. Of course, that can easily be fixed with a box to handle the ADC, but then you’re asking studios to find space, and buy a bunch of boxes and cables, and throw away functioning patch bays and snakes and so on, just so they can introduce some more (low, but not insignificant) latency in their signal path and push an already ADC+DAC’d signal into their desk/pre-amp.
Then there’s a question of fidelity – to my knowledge AoE has been built to be plenty ‘good enough’ for broadcast, usually up to 48kHz/24 bit, but telling the studios that are running at 192kHz or whatever that this lower sample rate box will simplify their cabling probably isn’t going to persuade many.
It’s definitely a cool idea which would have strong appeal in lower end project and home studios, but I can’t really see it becoming an industry standard.
Other PSR keyboards also have this shell. You can see the commands in the downloadable firmware files, which are not obfuscated. Being blind, I would really like to use this hack to read from the display over MIDI and make a screen reader for them. I know that would be something many people would love, but I’ll probably never get round to it.
Hopefully someone will find this interesting enough to do some more useful PSR keyboard hacks in the future. That seems like a good project for university students or a hacker club.
Keyboards last and are repaired for much longer than almost all home computers. 1.0 needs no changes and has no incompatibility problems. Looks like more dongles and lag to interface all the classics sometime soon.
I can see lag being a problem in all sorts of LAN wiring in a studio; it all has to be faster than the speed of sound for musicians to play with. Using the 1 foot per millisecond reference, the best musicians want to play together on a small stage, not spread out past the acoustic delay of 10-15 milliseconds. This is why so many have to use in-ear monitoring now on giant stages. The music doesn’t sound live as a result.
With one keyboard, lag needs to be even less; the acoustic delay is zero, right here. Then all the delays add up. I’m curious to know the delay of a grand piano action at a fast touch, key touch to hammer strike.