
I'm curious if anyone has any insight on how I can manipulate or mod the code for the built-in software of a digital piano (specifically the Kawai ES8 - or really any digital piano with a display screen). Like if I wanted to change the default chord progressions for the backing tracks, etc.

Note that I don't want to connect it to my computer and read the MIDI data (latency issues) - I want to be able to mod the built-in code directly on the digital piano. I'm getting no luck googling so wanted to see if anyone could point me in the right direction.

Much appreciated!

  • Does the manufacturer provide firmware updates? – Igor Skochinsky Apr 22 '20 at 21:00
  • @IgorSkochinsky yes they do - it is a SYS file but I'm not sure how to open it (and if it is encrypted). Opening with Notepad++ makes it look like gibberish – blondeonia Apr 22 '20 at 21:03
  • The software for my Kawai CA78 is contained in multiple SYS files. These are a combination of an (ARM) firmware blob, an ELF executable and an Android application. – Ian Cook Apr 22 '20 at 21:33
  • The Kawai ES8 firmware appears to be for the SuperH architecture and Renesas HI7000/4 realtime OS based. – Ian Cook Apr 22 '20 at 21:37
  • Thank you @IanCook - I'm curious as to how you have found this out. And do you know if it is encrypted? Do you have suggestions of resources I could look into to find out how to manipulate this code? – blondeonia Apr 22 '20 at 21:49
  • I looked at a hex/ascii dump. There's quite a lot of readable text, mostly UI messages, but also one that references the OS. So at least chunks of it aren't compressed. I'm not familiar enough with SH machine code though to tell if this part is in the clear or not. Looking at the PCB (either open the case and have a look or try to find an image online) should help confirm the exact CPU. Something like Ghidra might help you dig deeper. – Ian Cook Apr 22 '20 at 22:12
  • Thanks @IanCook did you try to do something similar? I'm curious as to how that went for you. I would appreciate it if you could reach out to me via email to the address listed on my profile. Many thanks for all the help so far. – blondeonia Apr 23 '20 at 21:50
  • No, I just wanted to know what was in mine and haven't tried to modify anything. I've posted a proper answer now with some suggestions on how you could progress. – Ian Cook Apr 25 '20 at 07:28
  • I really appreciate it @IanCook - you've got me from nothing to something. It has been really tough finding information on this so I'm very grateful that you've volunteered your time and effort to give these detailed answers – blondeonia Apr 27 '20 at 01:13


The first thing I'd do is look at a hexdump. The manufacturer provides firmware updates and specifically I've looked at the file ES08_040.SYS.

This clearly shows some very readable text scattered throughout the file. Here are some examples -

00010e10:   00 02 01 02 02 02 03 02 01 01 00 00 01 01 01 01 ................
00010e20:   01 00 00 00 20 20 20 4b 41 57 41 49 20 20 45 53 ....   KAWAI  ES
00010e30:   38 20 20 20 20 44 69 67 69 74 61 6c 20 50 69 61 8    Digital Pia
00010e40:   6e 6f 20 20 44 65 73 74 3a 20 56 65 72 23 20 3a no  Dest: Ver# :
00010e50:   20 43 53 20 00 00 00 00 20 20 20 20 20 20 20 20  CS ....        
00010e60:   20 20 20 20 20 20 20 20 00 00 00 00 ff ff ff ff         ........

000540f0:   30 00 00 00 00 00 00 00 52 49 46 46 00 00 00 00 0.......RIFF....
00054100:   57 41 56 45 66 6d 74 20 10 00 00 00 01 00 02 00 WAVEfmt ........
00054110:   44 ac 00 00 10 b1 02 00 04 00 10 00 64 61 74 61 D...........data
00054120:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

0006aca0:   31 20 54 6f 75 63 68 20 43 75 72 76 65 20 32 2d 1 Touch Curve 2-
0006acb0:   31 20 c0 af c1 b6 b0 cc de 20 20 20 20 20 32 2d 1 .......     2-
0006acc0:   32 20 56 6f 69 63 69 6e 67 20 20 20 20 20 32 2d 2 Voicing     2-

These strongly suggest that the firmware update file is not encrypted or compressed.

The most useful though is here -

00001530:   43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 Copyright (C) 20
00001540:   30 30 20 28 32 30 30 38 29 20 52 65 6e 65 73 61 00 (2008) Renesa
00001550:   73 20 54 65 63 68 6e 6f 6c 6f 67 79 20 43 6f 72 s Technology Cor
00001560:   70 2e 20 61 6e 64 20 52 65 6e 65 73 61 73 20 53 p. and Renesas S
00001570:   6f 6c 75 74 69 6f 6e 73 20 43 6f 72 70 2e 20 41 olutions Corp. A
00001580:   6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 ll rights reserv
00001590:   65 64 2e 48 49 37 30 30 30 2f 34 28 52 30 52 34 ed.HI7000/4(R0R4
000015a0:   30 37 30 30 54 78 57 30 32 78 29 56 2e 32 2e 30 0700TxW02x)V.2.0
000015b0:   32 2e 30 34 dd 0d 30 d1 60 62 20 f6 6f 03 d0 0c 2.04..0.`b .o...

Google suggests that this is an RTOS for SuperH cores.

To confirm the architecture, I tried disassembling the first part of the dump that looks like code (i.e. at offset 0x00000800). This produces very plausible code confirming SH.

00000800  7ffc  add #-4, r15
00000802  d60a  mov.l 0x0000082c, r6
00000804  d20a  mov.l 0x00000830, r2
00000806  3268  sub r6, r2
00000808  e500  mov #0, r5  
0000080A  a005  bra 0x00000818
0000080C  2f22  mov.l  r2, @r15
0000080E  6053  mov r5, r0
00000810  468b  mov.b r0, @r6+
00000812  61f2  mov.l @r15, r1
00000814  ...
00000824  000b  rts

Most interesting though is the instruction at offset 0x00000810. This is only a valid instruction in the SH-2A architecture. (For short sequences, there are online disassemblers that let you easily change architectures so you can see which work.)

Given we know that it's SH-2A, this page seems to indicate that the MCU is likely to be from one of the SH72xx families.

To dig further into the code, it helps to understand more about the MCU in terms of memory maps and embedded peripherals. In your case, as you have the hardware, opening it up and having a look at the PCB inside will probably give you the ids of the MCU and other key components.


If your key objective is changing data (e.g. chord progressions), this is, in theory, easier than anything other than trivial modifications to code.

You do however need to identify where in the firmware this info is stored. Understanding the code itself can help with this.

Another challenge you may face is how to persuade the firmware update process to accept your modified firmware. You will probably have to play with version numbers and may have to reverse engineer some form of integrity check (e.g. checksum).

This may be harder if the relevant validation code is in a bootloader, not in firmware. Again, reading the relevant MCU manuals may help. In addition, getting hold of the relevant Renesas SDK/Build Tools would help too.

You might want to try making a trivial modification to one of the early UI messages in the firmware (e.g. 1 character) and try uploading this. Whether this works or not will give you a good idea of the amount of effort you are getting yourself into.

Finally, it is possible to badly mess up firmware updates and 'brick' your device enough that it will need returning to the manufacturer for repair. Do this at your own risk.


There are tools that can help with much of this process, e.g. binwalk will find the RTOS name and binwalk -A will identify a few sequences of SuperH instructions.

Ian Cook
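As an added example of the triage the answer walks through (my own code, not from the post, from Kawai or from binwalk): the script scans an image for printable strings, parses any embedded RIFF/WAVE headers like the one at 0x540f8, and flags windows whose byte entropy is close to 8 bits/byte, the usual sign that a region is compressed or encrypted rather than plain SH code. SAMPLE is a constructed stand-in, not ES08_040.SYS.

```python
import math
import re
import struct
from collections import Counter

# Constructed stand-in image (NOT the real ES08_040.SYS): a Renesas-style banner,
# a RIFF/WAVE header like the one at 0x540f8, and a flat-histogram tail.
SAMPLE = (
    b"\x00" * 32
    + b"Copyright (C) 2000 (2008) Renesas Technology Corp.HI7000/4\x00"
    + b"\x00" * 16
    + b"RIFF" + struct.pack("<I", 44) + b"WAVE"
    + b"fmt " + struct.pack("<IHHIIHH", 16, 1, 2, 44100, 176400, 4, 16)
    + b"data" + struct.pack("<I", 8) + b"\x00" * 8
    + bytes(range(256)) * 4      # every byte value equally often: 8.0 bits/byte
)

def find_strings(data, min_len=8):
    """Offsets of printable-ASCII runs: the cheap 'is it plaintext?' check."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode()) for m in re.finditer(pat, data)]

def find_riff_wave(data):
    """Parse each 'RIFF....WAVEfmt ' header; fields are little-endian PCM."""
    hits = []
    for m in re.finditer(rb"RIFF....WAVEfmt ", data, re.DOTALL):
        off = m.start()
        if len(data) < off + 36:         # truncated header at end of image
            continue
        _size, tag, ch, rate, _brate, _align, bits = struct.unpack(
            "<IHHIIHH", data[off + 16:off + 36])
        hits.append({"offset": off, "format": tag, "channels": ch,
                     "sample_rate": rate, "bits": bits})
    return hits

def entropy(buf):
    """Shannon entropy in bits/byte: ~8.0 means packed/encrypted, code is lower."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def entropy_map(data, window=256):
    """Per-window entropy so plaintext, code and packed regions stand out."""
    return [(off, entropy(data[off:off + window])) for off in range(0, len(data), window)]

def triage(data, window=256, threshold=7.5):
    """Summary of a firmware blob: readable strings, embedded WAVEs, packed windows."""
    return {"strings": find_strings(data),
            "wave": find_riff_wave(data),
            "high_entropy_windows": [o for o, e in entropy_map(data, window) if e > threshold]}

if __name__ == "__main__":
    print(triage(SAMPLE))   # on the real update: triage(open("ES08_040.SYS", "rb").read())
```

An image whose strings list is long and whose high-entropy windows are few is consistent with the answer's conclusion that the update is neither encrypted nor compressed; a file where nearly every window sits near 8.0 would need the update tool or bootloader examined first.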