Custom Firmware on the OP-1

Note what the error message says, sometimes it indicates a particular layer or stroke/object parameter that can give you a hint as to where the issue lies within the SVG. It can take some trial and error. From looking at your screenshot it kind of looks like you used a brushstroke on the heads, that may be part of the issue since the stock SVG always has a uniform stroke width (only the volume slider on the tape screen seems to allow for varied stroke weights in my experience).

1 Like

ah yes. I did on that screenshot. I since took your advice and changed each layer manually. Still, no dice. I’ve given up, alas!

I wanted to have Rick and Morty playing the synth :frowning:

1 Like

Have you compared the SVG to the original in an HTML editor?
I used Dreamweaver to compare the code, that can reveal differences that may not be visually apparent in Illustrator.

1 Like

Has anyone started poking around with the OP-1 field firmware?
It’s 57mb compared to the OG firmware being ~12mb so it’s way bigger.
I ran binwalk on the FW and got this but I’m not sure if it’s accurate:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2519731       0x2672B3        PARity archive data
25335672      0x1829778       MySQL MISAM compressed data file Version 4
43732036      0x29B4C44       MySQL MISAM index file Version 5

Since they increased the protections on the OG OP-1 firmware since we started messing with it I suspect it’s highly likely for the new firmware to be quite locked down and encrypted, unfortunately.

1 Like

Yes, I have. I think I might have the potential to run custom firmware on the OP-1 Field in a similar way that you and TabascoEye discovered. I won’t know for sure until I get my OP-1 Field though.

2 Likes

Feel free to share your findings :wink:

I’m not really sure what all the header information is in the firmware, but the encrypted blob begins at offset 0x380. Once I actually get the device, I think I’ll be able to share more.

1 Like
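
Added example (not part of any post in this thread): the binwalk hits quoted above and the observation that the encrypted blob begins at offset 0x380 can both be sanity-checked with a block-wise entropy scan, which also shows why short signatures match by accident inside ciphertext. The sample image, its `SAMPLEHDR` magic and all function names are constructed for illustration; only the 0x380 offset and the 57 MB file size come from the thread.

```python
import math
import random

def entropy_ratio(block: bytes) -> float:
    """Shannon entropy of `block` as a fraction of the ceiling for its size.

    n bytes hold at most min(n, 256) distinct values, so a 128-byte window
    cannot exceed 7 bits/byte; normalising keeps one threshold meaningful.
    """
    n = len(block)
    if n < 2:
        return 0.0
    counts = {}
    for b in block:
        counts[b] = counts.get(b, 0) + 1
    bits = -sum(c / n * math.log2(c / n) for c in counts.values())
    return bits / math.log2(min(n, 256))

def first_high_entropy_offset(data: bytes, block=128, threshold=0.85, run=4):
    """Offset where `run` consecutive blocks first reach `threshold`, else None."""
    streak = 0
    for off in range(0, len(data) - block + 1, block):
        if entropy_ratio(data[off:off + block]) >= threshold:
            streak += 1
            if streak == run:
                return off - (run - 1) * block
        else:
            streak = 0
    return None

def expected_chance_hits(size: int, magic_len: int) -> float:
    """Expected accidental matches of one magic_len-byte signature in random data."""
    return max(size - magic_len + 1, 0) / 256 ** magic_len

def build_sample_image() -> bytes:
    """Constructed sample, not real firmware: 0x380-byte header, random body."""
    header = (b"SAMPLEHDR\x00" + (0x2000).to_bytes(4, "little")).ljust(0x380, b"\x00")
    rng = random.Random(1)  # fixed seed so the run is repeatable
    body = bytes(rng.getrandbits(8) for _ in range(0x2000))  # stands in for ciphertext
    return header + body

if __name__ == "__main__":
    image = build_sample_image()
    print("high-entropy region starts at", hex(first_high_entropy_offset(image)))
    for k in (2, 3, 4):  # 57 MB is the file size quoted in the thread
        print(k, "byte magic:", round(expected_chance_hits(57_000_000, k), 3), "chance hits")
```

The scan resolves the boundary only to the block size, so choose a block length that divides the offsets of interest.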

Hello!
I’d like to see custom firmware for OP-1 made by the community. I created this subreddit https://www.reddit.com/r/op1hackers/ as an attempt to get more people interested in OP-1 hacking. I’m fairly new to this (please be kind), so I’d like to invite people active in this community to be moderators of this subreddit ^^.
I’d also like to ask a few questions so I can speed up.

  • Are current firmware builds encrypted?
  • What checks have TE created to verify firmware? Are they signing releases?
  • Is it possible to create a custom bootloader to run custom code?
  • Has the firmware been successfully de-compiled? I read that there were issues with compressed blocks.
  • From a hardware perspective, is it possible to make extra engines, fx and sequencers? How much room for improvement do we have?

I would also like to thank everyone for all the hard work they have put in so far, you have already done so much. And the tools you’ve made are incredible!

4 Likes

Welcome! :slight_smile: Always good to see more people getting involved in this.

Are current firmware builds encrypted?

As far as I remember/understand yes they are.

What checks have TE created to verify firmware? Are they signing releases?

Can’t remember if they have some checks in place.

Is it possible to create a custom bootloader to run custom code?

It is possible to modify the bootloader binary, but to add custom code it would need to be disassembled, modified and recompiled which hasn’t been done yet.

Has the firmware been successfully de-compiled? I read that there were issues with compressed blocks.

Not fully, yes there are some issues with that. I haven’t personally worked on the decompilation so can’t say much about it.

From a hardware perspective, is it possible to make extra engines, fx and sequencers? How much room for improvement do we have?

From a hardware perspective yes, but in practice this is very tricky to do due to the decompilation and recompilation issues. The resources (cpu, ram, storage) of the OG OP-1 are also quite limited so there’s not too much room for adding new stuff.

3 Likes

These answers will likely be on the SoC’s vendor’s website, and in here

2 Likes

Most of my work has been with the OP-Z, in this respect, but I’ve been able to load “custom” firmware onto the OP-Z, so it appears that the firmware provided doesn’t have to be signed, at least for the OP-Z.

2 Likes

Thanks for the reply.

Looking at the document made by @tabascoeye, it’s clear how complex and challenging this is. I’ll admit, this is out of my comfort zone, but I’m going to jump into it and try to work things out.

I think the key to this is to try to get our hands on a developer board. (This will be nearly impossible, it’s not like TE is a huge company (I don’t think we’ll have the opportunity to “Xbox Underground” it)).

I’m curious to see if it is possible to unlock the hidden developer menu of the stock board. (Not sure how this works, I’ll have to look into BlackFins.)

@tabascoeye, is that IDA virtual machine still there, and is it possible to get a copy?
thanks

2 Likes

This Thread is almost 4 years old now. What a ride! :wink: :wink:

I suspect the OP-1f uses a different (newer) BlackFin, but very very likely still a BlackFin because otherwise they would have to rewrite everything from scratch and it would no longer be an OP-1.

Also, I don’t think TE started the whole “signed firmwares” thing. It is annoying to get it right and secure enough (trust me, I know from work).

I don’t believe I still have the IDA files from old OP-1 disassembly tries, but the fact was that we were always missing the part where some Blocks of the main FW are XTEA encrypted in flash and either the IDA loader plugin for the LDR files would need to decrypt those blocks so the disassembly and analysis works better, or IDA would need to “run” the code and get the correct OTP value of the encryption key fed at the right time/place.
These days, this would be easier… see below…

The info is all there. I helped someone here revive their OP-1 with a new, off-the-shelf CPU which would not work because of the missing secrets on the OTP memory, so he wrote a customized Boot loader which would spit out the OTP contents to the display and I had that running on my working OP-1 while recording the screen with my phone.

So if I had the time on my hands I would probably:

To finally hopefully get a nice, analyzed and logical disassembled firmware.

BUT: To do any meaningful modifications, you would need to reverse the whole process.
The full memory would need to go back into Blocks to become an LDR file again.
Not sure if the XTEA encryption is needed or if the OP-1 would also accept one where those blocks are plain…
If you finally have a modified, repacked .ldr file, you can pack it into the usual .op1 “zip” and try to upgrade to it on your OP-1.

Like I said all those years ago: It might be easier to get DOOM running on it than to modify the TE firmware in any significant way because you need to use the Toolchain half-way backwards and then forwards again, which isn’t intended use at all :wink:

Would still love to see anyone do it!
Ghidra is free btw…

4 Likes

Well I’m not so sure about the Blackfin, if they didn’t write like assembly stuff for the OG, I expect fixed point algorithms can be ported to any architecture quite easily. It’s pretty difficult the other way around tho :joy::joy: the newest blackfins are 7xx series also found in the opz but I’m kind of hesitant about it because they are still somewhat limited on performance compared to other alternatives that simply weren’t here before. Nxp has m7 + m4 arm chips that clock around 1GHz now, it surely is tempting to use m4 for ui and other house keeping jobs and M7 for DSP. I also think it might be possible to switch to a SHARC. I’m quite interested in which chip is being used tbh. Sure hope someone disassembles a unit or asks a developer (beta testers ? )

1 Like

Well I was wrong, it looks like they have blackfin 7xx in there

3 Likes

bruh. I’ve been working in embedded for 15 years. Just trust me :wink:
Seriously though, they have coded everything against the VDK Kernel from Analog devices and are using those toolchains for both OG OP-1 and the OP-Z.
It just doesn’t make sense for a small team to change CPU architecture without some very serious reasons.
(my team did and it was necessary but also a multi-year effort)

6 Likes

First time poster, quick question, anyone think it’s possible to upload the OP-1F graphics into the OP-1? I like the new colour scheme and some of the updated artwork. I’m sure there’s UI changes that wouldn’t port over exactly but the background art should be able to get swapped right?

1 Like

@TabascoEye hey, can we create a new repo for OP-1 field firmware? I suggest github.com/op1hacks/op1-field-fw-archive

If you don’t want to maintain it, I can also help with that. Just invite @fjl to the org on GitHub.

That GitHub Org belongs to @wavi so I don’t think I can invite anyone

1 Like