Internal console in some Yamaha keyboards, thru midi USB and Python script

Started by Lionel N, Jan 25, 2025, 09:45 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Lionel N

Jan 25, 2025, 09:45 AM Last Edit: Jan 25, 2025, 05:51 PM by overover
Hello,

Some days ago, I discovered that someone could use successfully the JTAG of a PSS-A50 :
Guets are not allowed to view links. In order to access the links, please Register or Login

Catherine/@whitequark could connect to the JTAG using her own "glasgow" HW (kind of "Bus Pirate") :
Guets are not allowed to view links. In order to access the links, please Register or Login

By the way, she confirmed what I also suspected : the YMW830 is powered by an Armv7 core.
Unfortunately, on my side, I did not get the JTAG to communicate for now with usual diy tools (FT232 JTAG or BlackMagicProbe).

Catherine could extract the QSPI firmware, which is not the main outstanding thing from my current situation, since I did it months or years ago with a QSPI flash reader, but she could also extract the 48k Internal "ROM" from the YMW830 SWLL, and that's really awesome.

There's a mega.nz/file link in the discussion flow.

PSS-A50, PSS-F30, PSS-E30, SHS-300, PSR-F50, PSR-F51, PSR-F52, PSR-E253/YPT-255, PSR-E263/YPT-260, PSR-E273/YPT-270, PSR-E283/YPT-280 are all based on this YMW830 SWLL.

Then, also, some days ago, someone made a great discovery : It is possible to access to an internal console of some Yamaha keyboards, using the USB connection and a Python script :
Guets are not allowed to view links. In order to access the links, please Register or Login

How awesome is that ?!

Porta/portasynthinca3 was able to extract the firmwares from her PSR-E433, using a FT232R-based JTAG dongle / OpenOCD (internal ROM of the SOC and external Flash), and performed a partial retro-engineering of her PSR-E433 firmware!

Porta discovered that Yamaha made a shell that runs on top of MIDI SysEx messages, on the USB. She wrote a Python script in order to be able to access to the console.

Some commands are available to read/write any address, means RAM, ROM or Flash or even registers.

And that was not enough : she even was able to add/write her own arm code inside the ram, just by using the console. And the result is here : Guets are not allowed to view links. In order to access the links, please Register or Login


Back to PSS-A50 / PSS-E30 / PSS-F30

PSS-A50 has USB, but PSS-E30 and PSS-F30 do not have any! But since on the PCB, the Rx/Tx of the YMW830-V is easily reachable, I could connect a cheap USB<->midi DIN (I had to modify it in order to extract the Rx/Tx at 3.3V levels - using a cheap level converter 5V<->3.3V).

Now I can confirm that the internal 48k ROM of the YMW830 is the same for the PSS-A50, PSS-F30, PSS-E30 I own.

The thing is that only the PSS-A50 has a dynamic touch response, while PSS-E30 and PSS-F30 are not managing dynamic touch in the SW, despite the fact the keyboards are the same from a HW point of view (dual switch per key - except some diodes shall be added on the PSS-E30/F30 PCB - PCB is the same for both pss-A50, PSS-F30, PSS-E30). PSS-A50 had an additional chip to manage the MIDI USB connection.

Dynamic touch response is possible on PSS-E30/F30 ? That is a point I would like to investigate for a hack.
Preliminary analysis shows that some code is present in both of firmwares, but some not. Curiously, for example, the three TouchSensitivity tables are present.
  •  

overover

#1
Jan 25, 2025, 05:57 PM
Hi  @Lionel N,

Thank you for this detailed information! I hope that some of our forum members, who have relevant expertise, can make use of your discoveries.


Best regards,
Chris
● Everyone kept saying "That won't work!" - Then someone came along who didn't know that, and - just did it.
● Never put the Manual too far away: There's more in it than you think! ;-)
  •  

Lionel N

#2
Today at 04:25 PM
Quote from: Lionel N on Jan 25, 2025, 09:45 AM...
Then, also, some days ago, someone made a great discovery : It is possible to access to an internal console of some Yamaha keyboards, using the USB connection and a Python script :
Guets are not allowed to view links. In order to access the links, please Register or Login

How awesome is that ?!

Porta/portasynthinca3 was able to extract the firmwares from her PSR-E433, using a FT232R-based JTAG dongle / OpenOCD (internal ROM of the SOC and external Flash), and performed a partial retro-engineering of her PSR-E433 firmware!

Porta discovered that Yamaha made a shell that runs on top of MIDI SysEx messages, on the USB. She wrote a Python script in order to be able to access to the console.

Some commands are available to read/write any address, means RAM, ROM or Flash or even registers.

And that was not enough : she even was able to add/write her own arm code inside the ram, just by using the console. And the result is here : Guets are not allowed to view links. In order to access the links, please Register or Login
...

This might interest @pjd
  •  
Print
Go Up Pages1
User actions