EvilZone

Reverse engineering Arm (Korg) firmware
maranite October 09, 2014, 08:23:38 PM
I've been puzzled for weeks now by the firmware for the Korg Krome keyboard, and need some help with reversing the file.

Korg's firmware update contains a file called mainapp.cmp

I can't find any resources online that suggest what a cmp file is (in an ARM context) and haven't found any magic keys in the file that give it away.

I don't have access to the bootloader, so hacking any deobfuscation code is out of the question too.


How do I go about this task? It looks as though it's extremely unlikely to succeed when:
1. The firmware is not nix based
2. The updates don't include the full firmware.
3. The bootloader is locked inside a SoC (which appears to have JTAG disabled)

Is there an approach for this sort of thing, or am I at a dead end?
Re: Reverse engineering Arm (Korg) firmware
Stackprotector October 09, 2014, 08:53:47 PM
Can you share some of the files on here? Might be a cool challenge for some.
Re: Reverse engineering Arm (Korg) firmware
HTH October 10, 2014, 01:35:46 AM
I too am curious. I could probably shed some light on it, as could many others here.

Side question: Have you looked at HOW JTAG is disabled? I know that they've been disabled in many ways, from removing a jumper, to in the software, to just straight up making the pins hard to find. That may help you, finding and re-enabling it, I mean.
Re: Reverse engineering Arm (Korg) firmware
0E 800 October 10, 2014, 01:43:52 AM
This seems to be the best bet:

OP thread on another forum:
http://www.korgforums.com/forum/phpBB2/viewtopic.php?t=92884

There are several tools to reverse engineer ARM firmware.
Tools like binwalk are usually used for scrambled firmwares (which Korg rarely does).
Try to figure out the exact ARM chipset, and check http://onlinedisassembler.com or the Linux radare tools.

Reverse engineering is time-consuming (and legal when you purchased the product itself).
Re: Reverse engineering Arm (Korg) firmware
maranite October 12, 2014, 08:21:48 PM
That thread on korgforums was started by me.

Binwalk and onlinedisassembler both come up empty-handed.
The firmware appears to contain "nth byte" obfuscation... i.e. in a hex editor you'll see the word "KOR.G"... or "progr.am". I don't know for a fact that the CPU is ARM based, it's an assumption given that the predecessor (the M50, which has a nearly identical GUI and features) is ARM based.

But.. running the hex into ARM disassemblers rapidly starts reporting invalid instructions.... so the file format definitely has some sort of structure or encoding to it (i.e. not a vanilla executable). The tail of the file contains many similar repeated blocks... which I'm assuming are either the bitmaps used to represent instruments, or (perhaps more likely) the DSP code that gets downloaded into the Korg edsx engine.

The actual firmware can be downloaded at http://i.korg.com/uploads/Download/USA_KROME_V103_E1.zip
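Added example, not code from the poster, Korg or any of the tools named above: a Python script that tests the "nth byte" hypothesis the way an analyst would before reaching for a disassembler, on a blob constructed here (it is not mainapp.cmp, whose layout the thread never establishes). It looks for one low-entropy byte lane at a fixed stride, and then checks which (stride, phase) lane, once dropped, makes a known string such as "KORG" contiguous most often.

```python
import math
from collections import Counter

# Constructed sample, not from mainapp.cmp: plaintext with a 0xFF tag byte
# inserted after every third byte, so a hex editor shows "KOR.G K.ROM.E ..."
PLAIN = b"KORG KROME program data " * 8
SAMPLE = b"".join(PLAIN[i:i + 3] + b"\xff" for i in range(0, len(PLAIN), 3))


def ascii_view(blob: bytes) -> str:
    """Right-hand column of a hex editor: printable bytes, '.' otherwise."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in blob)


def lane_entropy(blob: bytes, stride: int) -> list:
    """Shannon entropy (bits/byte) of each lane blob[phase::stride].
    One lane far below the others suggests every stride-th byte is
    padding, a tag or a checksum rather than code or text."""
    result = []
    for phase in range(stride):
        lane = blob[phase::stride]
        n = len(lane)
        result.append(-sum(c / n * math.log2(c / n)
                           for c in Counter(lane).values()))
    return result


def drop_lane(blob: bytes, stride: int, phase: int) -> bytes:
    """Remove every byte whose index is congruent to phase (mod stride)."""
    return bytes(b for i, b in enumerate(blob) if i % stride != phase)


def best_gap_lane(blob: bytes, needle: bytes, max_stride: int = 8):
    """Return the (stride, phase) whose removal makes `needle` contiguous
    most often, or None if no lane beats the raw blob. Counting matters:
    a short needle like b"KORG" lines up by chance for some wrong
    (stride, phase) at least once, but only the right one recovers them all."""
    best, best_count = None, blob.count(needle)   # baseline: raw blob
    for stride in range(2, max_stride + 1):
        for phase in range(stride):
            count = drop_lane(blob, stride, phase).count(needle)
            if count > best_count:
                best, best_count = (stride, phase), count
    return best


if __name__ == "__main__":
    print(ascii_view(SAMPLE[:24]))                     # KOR.G K.ROM.E p.rog.ram .
    print([round(e, 2) for e in lane_entropy(SAMPLE, 4)])
    print(best_gap_lane(SAMPLE, b"KORG"), best_gap_lane(SAMPLE, b"program"))
```

On a real image you would run `lane_entropy` for strides 2 through 16 on the whole file and feed `best_gap_lane` a string you can already read in the hex editor; the recovered (stride, phase) gives you a `drop_lane` output worth handing to binwalk or a disassembler.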