Author here, thank you for posting this! If anyone has any questions about the article, I'd be happy to answer them!
Amazing work. I briefly explored trying to RE a more modern piece of hardware, the Tascam Portastudio DP-24SD, in order to try to fix some well-known bugs and limitations. Your article inspired me to maybe give it another go.
Previously, I managed to decode a firmware update file for the unit, but quickly found out that it uses a special-purpose DSP chip, and I wasn't able to easily find public documentation for its instruction set. So I gave up. Do you have a gut feeling on if REing and hacking this firmware could be done by a dedicated amateur, or is this probably more like professional-level work and I should find something better to do?
The https://github.com/blackjetrock/ghidra-6303 repository your post links to (containing a SLEIGH spec for the HD6303) is no longer available, did you happen to save a local clone that could be re-uploaded somewhere?
Thank you very much for pointing this out! Fortunately I still have the code locally. I'll try to raise another PR to get 6303 support into Ghidra.
I found this: https://github.com/NationalSecurityAgency/ghidra/pull/6314
Interesting work, thank you. May I ask what you are going to do with it? Do you want to emulate it on a PC, or redesign it to make a VST plugin?
I just wanted to say thank you. This is a great read.
Thank you! I really appreciate it.
Very cool! I have a DX7IIFD with an EEPROM in it. It will be cool to see what I can do with this!
Seems like a good place to mention The Usual Suspects, a group that has built emulation of the Motorola DSP5630 and associated hardware to allow playable virtual instruments.
https://dsp56300.wordpress.com/
These guys do amazing work! I wish Korg hadn't beat them to the MicroKorg VST though. I've used the MicroKorg extensively in music over the years, and would have loved an accurate VST. Unfortunately the filter in Korg's VST doesn't quite match the original, and I can't recreate some of my patches. For understandable reasons these guys aren't going to step on Korg's toes and compete with an actual commercial product.
They've also been working on emulating the JP-8080, as per recent discord announcements.
The JP-8080 uses custom DSP chips designed by Roland, and Roland do not provide a Virtual Instrument (VST) for this much desired synth.
These guys are awesome .. their interaction with Kemper&co, about their amazing emulation work, not so much.
There's a hard lesson for hardware manufacturers to be learned in this drama.
If Kemper were supportive, they'd have a very clear road to a next-gen Virus TI (a "Proton"?) on the horizon .. but the word on the street has it that they're hostile to the effort of emulating the Motorola DSP ...
Oh wow didn’t know next gen virus is a thing
> All I had when I started was a copy of the firmware, a copy of the service manual, and a can-do attitude
This is how some of the best reverse engineers in the industry got started, especially when it comes to video game cheats.
Great work, ajxs, been following you for years.
I hope you get a chance to work on some other synths in the future .. would be fun to see you apply your skills to, for example, the UNO synths, or the Arturia *Freaks' .. would be hilarious to see custom firmwares for those modern synths, some day.
Thank you! I really appreciate your support!
Lately I've been working on the Casio CZ101. Hopefully in the next few weeks I'll publish a partially annotated disassembled firmware on my GitHub, along with an article too, talking about its interesting NEC μPD7810G CPU. Mostly because there's almost no other information about the CPU available online, despite featuring in some prominent 80s synths.
Following Pajen's awesome lead, I poked around inside the Korg Volcas, but I didn't accomplish enough to write about it. A 16KiB EPROM full of hand-crafted 8-bit assembly is a totally different animal to 256KiB of compiler optimised ARM! One modern synth whose firmware I loaded up in Ghidra is the Prophet X: After Espen Kraft's video complaining about it, I thought I'd have a peek inside it for myself. Sequential published the firmware without stripping out the debug symbols, so if anyone else is interested there's a real possibility of progress!
Oh this is relevant to my interests.
I've been doing quite a bit of work on the Juno 106 ROMs but haven't really got my head around Ghidra yet. I've just been working from the service manuals for various versions (including the HS-60, which is probably the most complete scan of a manual) and the programming reference for the μPD7810. I notice that all of my Juno boards leave out the EPROM socket and latch that would allow it to run from external ROM - I wonder if there was ever an "upgrade" from an early version?
https://github.com/ErroneousBosh/j106roms
Hey thanks for the shoutout! I loved your article here, it is a wonderful intro to this kind of work. I started the Volca RE work on IDAPro, but moved over to Ghidra later...
A disassembly of the operating system for the series II Fairlight CMI would be fascinating, I would think.
Your bio suggests that you live in Sydney, so it would be particularly appropriate for you to examine code that was written in Rushcutters Bay!
If someone could help me reverse engineer the Zoom ARQ96 firmware in order to fix the stupid LFO mod amount implementation (LFO is basically unusable), add velocity note control to the step sequencer, and why not, add basic USB MIDI Input recording support, and ideally, a chord mode, it would be great...
https://zoomcorp.com/en/us/digital-instruments/digital-instr...
For the LFO mod amounts I imagine the values are hardcoded somewhere, so it shouldn't be that hard. Adding a new UI for velocity levels or a chord mode would be more complex though. Even better if there was a Zoom engineer around here who could guide me a bit...
Did you read the section about what made the DX7 hardware a good target for this project?
https://ajxs.me/blog/Introduction_to_Reverse-Engineering_Vin...
The ARQ96 is an incredibly niche product all things considered, but especially compared to the DX7. It's also ~10 years old rather than ~40 years old. It's a completely different beast.
Zoom released few firmware updates, but v1.x to v2.x was a very significant change. Are you using the latest version?
(2024)