chinkinthearmor 35 minutes ago [-]
If I were an alien and saw this, I would run. Terrifying.
My brain hurts any time I hear about a completed hardware hack, but this write-up just takes the cake. My experience with hardware RE is limited to a class project hacking a cheap router, and there even after 3 weeks I couldn't make sense of the can of worms that is interfacing with JTAG using OpenOCD. It's like looking at bats and then shouting into the dark and somehow you get the right words for echolocation. Then you do it for 10 animals in a row. I will check out Wrongbaud's guide.
So my question is: how do you learn to speak the dozens of languages for hardware? Every step in this project, from soldering custom modules to figuring out correct JTAG settings to inferring flash layout to reversing checksums, seems like it would take me a lifetime. What was the path to be able to do this in one lifetime?
supertroop 35 minutes ago [-]
It is so easy to use signature verification and even encrypted XIP with MCUboot; it just blows my mind that companies don’t.
Also the level of reverse engineering here is kinda bananas. I almost don’t believe he was able to find the transfer functions for the dsp bias equations w/o some source guidance. I mean that’s just bad ass if he did it without help.
shermantanktop 7 hours ago [-]
I’m always very impressed by this type of hardware/firmware reverse engineering. So many places to get completely stuck and fizzle out.
I assume that happens a lot, but few people would write a blog about their inability to break a protocol or decipher a memory layout.
jkingsman 5 hours ago [-]
Wow, that is a deep level of commitment and learning/exploring; I love it. While I'm sure this is informed by deep preexisting knowledge (to a point -- it's still badass in its own right), I can't help but admire these skills and feel a little inferior about my own.
What a badass level of deep dive.
tyfighter 7 hours ago [-]
Nice :) I did this for my Axe-Fx II and III a long time ago, but I never published any of it for fear of being sued. Really, I just wanted to learn about DSP techniques and that was enough for me.
alexjplant 7 hours ago [-]
Sorry WHAT?! I was under the impression this whole time that this wasn't feasible due to asymmetric key encryption with the private keys baked deep into the hardware. Perhaps I'm misremembering but Cliff (the founder) is very big on protecting trade secrets so I'm rather surprised you were able to. Or do you mean you were able to flash new firmware, not reverse-engineer the existing one?
Either way I don't blame you for not writing it up. The same guy just recently accused another industry player of "infringing on [his] idea" with a product because he "filed a preliminary patent". I've been using Fractals since long before they were cool but based on the guy's forum posts I think he's having a hard time navigating the modern internet cultural landscape (the tenuous nature of his legal argument notwithstanding). It's a real shame as he's clearly super talented but I think trolls have gotten to him.
tyfighter 6 hours ago [-]
I never encountered any encryption/protection of any kind on the II (it had 3 bootloaders: a simple memory loader -> a Huffman tree decompressor -> another simple memory loader), and even though I got pretty far on the III, I could see there being some kind of key embedded in the firmware somewhere. I was able to disassemble any .syx firmware release that came out. I wrote my own IDA Pro modules for the TigerSHARC (II) and TI C66x (III). The II took a while, but I learned a lot. When the III came out I started over. I spent a lot of time reverse engineering the amp block code, but stopped about 8 years ago. Back then he wasn't even compressing the firmware yet, so it was easy.
webprofusion 4 hours ago [-]
This is awesome; couldn't the firmware just be extracted from the updater, though?
mforney 25 minutes ago [-]
Unfortunately there were no firmware updates for the THR10c, so the only way to get the firmware is to dump it from the device.
webprofusion 4 hours ago [-]
Would love to see this done for the Spark amp as well, this level of hardware hacking is beyond my skill set.
I recently built my own Multi FX app/plugin (https://guitar.soundshed.com) and am looking for ways to squeeze it (or a version of its signal chain) into commodity hardware as a replacement DSP signal chain.
SoleilAbsolu 7 hours ago [-]
Love it! I have the THR10 non-"C" version of this amp and often wondered if it's hackable.
platevoltage 6 hours ago [-]
Man I love this stuff. I'm not big on digital guitar amps, but digital synths are another story.