Reverse engineering the firmware

[maranite]

The kronos commmunity has a couple of enthusiasts who've figured out how to hack Kronos.

I would dearly like to make some minor mods to the Krome - like making the sequencer easier to use (more screen real estate), making RPPR more usable, etc. Not interrested in causimg Korg any losses, but insteaf want to improve existing features where Krog appeared to loose the plot.

Is there anyone on the forums who knows how to reverse engineer ARM firmware? Or does anyone know if its possible to enter an NDA with Korg to facilitate contributions? I've tried several times to make contact with Richard Formadoni (Krome product manager) with no success.

Any suggestions welcome!

[sqz]

There are several tools to reverse engineer ARM firmware.
Tools like binwalk are usually used for scrambled firmwares (which korg rarely does).
Try to figure out the exact ARM chipset, and check http://onlinedisassembler.com or the linux radare tools.

Reverse engineering is timeconsuming (and legal when you purchased the product itself).

[michelkeijzers]

Note that it is illegal to go in this kind of road.

I'm afraid the only reasonable ways except trying to get a job at Korg, is to notify it as 'wish' and hope Korg themselves will pick it up.

[maranite]

Duly noted Michael.

Binwalk and onlinedisassembler both comeup empty handed.
The firmware appears to contain "nth byte" obfustication... I.e in a hex editor you'll see the word "KOR.G"... or "progr.am"

Arm diassemblers rapdily start reporting invalid instructions.... so the file format definately has some sort of structure or encoding to it (I.e. not vanilla executable). The tail of the file contains many similar repeated blocks... which I'm assuming are either the bitmaps used to represrnt instruments, or (perhaps more likely) the DSP code that gets downloaded into the korg edsx engine.

...long road ahead.

[maranite]

For what it's worth....

The Krome has a BOOT.CMP file (the bootloader), and MAINAPP.CMP which is the main application that "runs" the synth.

MAINAPP.CMP has a large Lempel-Ziv compressed section starting at offset 1992315... the compressed data comes in 9-part blocks, where the first byte is indicates which of the remaining 8 parts are 1-byte literals (indicated by a 1) or 2-byte dictionary lookups, where the last 4 bits are the "length -3" of the decompressed phrase, and the upper 12 bits are the dictionary index.

I'm coming unstuck with the header (first 1.9 MB) of the file - it appears to contain uncompressed data, but it doesn't look like ARM based instructions.

Does anybody know what sort of CPU architecture the Krome has?
From error messages seen on it's predecessor (the M50) I assumed it was an ARM cpu, but that doesn't tie up to what I'm seeing in the firmware.

Anybody know what CPU the Krome has?

[maranite]

... as an interesting aside, the word "KARMA" appears twice in the firmware, yet it doesn't feature on the synth.

Share code-base / disabled feature?

[maranite]

I've managed to decode the compressed parts of the firmware file now.

Some interesting / amusing facts:

* Firmware is written in C++ (no surprises there) and appears to share a common code-base with the M3 and M50. The literal strings include:

"Hello there! How are you?No updating was required at this time.
The M50 already has the latest version of the system files.
USB Hub power exceeded
Please disconnect USB device
Sampling Play from HDD
Buffer overrun error occurred
Sampling to HDD"

... so sample management / playback appears to have been deliberately crippled on the Krome.

Elsewhere.... string that indicate the existence of hidden admin menus:
"Check out discriptions.
1. MIDI 2. USB 3. Boot Sys. 4. Normal Sys. 5. Backup ROM 6. EEPROM 7. TG 8. FPGA 9. Key Scanner 10. SD-Card"


* It looks as though the Krome uses FAT12 as it's internal file-system.
* The names and indices for the "ROM" (SD-Card) samples are indeed stored in the firmware.
* The names (and possibly DSP code) for the effects are stored in firmware - so it's probable that new effects could be introduced with firmware updates.



... Still a L-O-N-G road to walk before I'll be able to make any improvements (like turning off the flashing tempo LED except during record) - but I'll persevere. If anyone wants to get involved, give me a shout!

[Kromeheaven]

Great job
Interested...really

[maranite]

Hi Cyph.

Knew I could count on you

For the past few days I've been spinning my wheels trying to figure out where the compressed data starts.... but thats purely out of wanting to know how to reconstruct an "authentic" firmware file.

I'm all too happy to share my code with you (c#, not java... sorry!) that decompresses the firmware. At the very least you will be able to study the data blocks and text of the firmware already. I'm eager to get the executable code (the first 1.9mb) into IDA Pro to see what's going on there. It looks like it could be an ELF format executable.... if this proves true then its very likely that the Krome is runnong either *nix OS, or at least uses a *nix family bootloader.

Let me know how I can help you get involved!

[yank]

Hello friends , this sounds very interesting.
Get the luck with this !

[Bald Eagle]

A while back someone went all out rev eng the Kronos. Korg did not approve as it violates the license agreements. If you get to deep you could run into problems.

I understand their concern but they could also open up select components. It just helps make their products better.

[Kromeheaven]

A while back someone went all out rev eng the Kronos. Korg did not approve as it violates the license agreements. If you get to deep you could run into problems.

I understand their concern but they could also open up select components. It just helps make their products better.

Yes, we all know that it's bad to discover the true

In fact, (and I only speak for myself), it is just some kind of challenge for this good product, the krome.

The goal is absolutly not to harm Korg...and if we feel that someone could use our work in a bad way, we just have to stop what we do...(for example, I've not released kromatool, because many people wanted it only to sell samples...piracy is not what I want)

If one day, Korg releases an open source synth...they will win the jackpot...for sure. It's just about martketing : people love to fully exploit their product.

Do not worry, for me it's under control.

[maranite]

Yes, same sentiment here. I really dont want any harm to come to Korg - and I believe that if the user community is able to address their niggles with the Krome without any development cost for Korg, then this will be mutually beneficial.

In terms of legalities, it very much depends on what we do.... it is lawfuly in most countries to study (reverse engineer) any product you own, and as long as you dont produce derived works that compete with or undermine the proprietor, then no law has been broken... no matter what any "licensing agreement" (which none of us have signed) says.

It does, however, blow my mind that Korg don't listen to their customers requests for simple improvements (like turning off the tempo light), and that they havent released an open source synth. They could be selling so many more units with far lower development costs... the mind boggles!

[Bald Eagle]

Korg doesn't really listen .. You get what you buy. If you want a company that listens go to Moog. I suggested a feature for the Sub 37 and was pleasently surprised with a test OS upgrade the same day.

[castorex]

and if we feel that someone could use our work in a bad way, we just have to stop what we do...(for example, I've not released kromatool, because many people wanted it only to sell samples...piracy is not what I want)

I am surprised to read a new explanation, the first one was about a man that hacked your tool to propose a fake... for the buzz. And you said that you will not release other Krome/Kross tool until this situation exists.
I have seen the facebook page of this man, and that's ridiculous... and I did not understand your strange reaction at time. Your work was serious, his fake and unusable copy was a joke.
Now I read your brand new explanations and i am very confused.
I don't see the relation between selling sample banks and piracy ???
If some people sell some copyright samples... they will have some problems for sure.
Perhaps many people would be happy to buy or create by themselves new samples for their instrument.
But this is your work, you can decide what you want and give explanations you want... naturally. I propose you write this explanation in your Kromeheaven site which gives the previous one... and I am afraid that your fans will continue to wait for a long time