Custom Firmware on the OP-1

Ah yes. I did on that screenshot. I’ve since taken your advice and changed each layer manually. Still, no dice. I’ve given up, alas!

I wanted to have Rick and Morty playing the synth :frowning:

1 Like

Have you compared the SVG to the original in an HTML editor?
I used Dreamweaver to compare the code, that can reveal differences that may not be visually apparent in Illustrator.

1 Like

Has anyone started poking around with the OP-1 field firmware?
It’s 57mb compared to the OG firmware being ~12mb so it’s way bigger.
I ran binwalk on the FW and got this but I’m not sure if it’s accurate:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2519731       0x2672B3        PARity archive data
25335672      0x1829778       MySQL MISAM compressed data file Version 4
43732036      0x29B4C44       MySQL MISAM index file Version 5

Since they increased the protections on the OG OP-1 firmware since we started messing with it I suspect it’s highly likely for the new firmware to be quite locked down and encrypted, unfortunately.

1 Like

Yes, I have. I think I might have the potential to run custom firmware on the OP-1 Field in a similar way that you and TabascoEye discovered. I won’t know for sure until I get my OP-1 Field though.

2 Likes

Feel free to share your findings :wink:

I’m not really sure what all the header information is in the firmware, but the encrypted blob begins at offset 0x380. Once I actually get the device, I think I’ll be able to share more.

1 Like
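An added example, not written by anyone in the thread: a Python entropy check for the two questions raised above, whether the binwalk hits are accurate and whether the data past the header is encrypted. Only the 0x380 offset comes from the thread; the window size, threshold and sample image are constructed assumptions.

```python
import hashlib
import math
import struct

BLOB_START = 0x380   # from the thread: where the encrypted blob is said to begin
WINDOW = 4096        # assumption: analysis window chosen for this example
THRESHOLD = 7.9      # assumption: bits/byte above which data looks random

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def hit_is_plausible(image: bytes, offset: int) -> bool:
    """False when a signature hit sits in the middle of random-looking data.

    Short magic numbers match by chance inside encrypted or compressed
    regions, so a hit surrounded by near-8.0 entropy is probably spurious.
    Entropy alone cannot tell encryption from compression.
    """
    lo = max(0, offset - WINDOW // 2)
    return shannon_entropy(image[lo:lo + WINDOW]) < THRESHOLD

def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(b"constructed" + struct.pack(">I", i)).digest()
    return bytes(out[:n])

def build_sample() -> bytes:
    """Constructed image: sparse header, random body, then plain text."""
    header = (b"CONSTRUCTED-HDR" + struct.pack("<II", 1, 0x10000)).ljust(BLOB_START, b"\0")
    text = b"plain text region, constructed for this example\n" * 200
    return header + pseudo_random(0x10000) + text

if __name__ == "__main__":
    img = build_sample()
    print(f"header  0x0-0x{BLOB_START:x}: {shannon_entropy(img[:BLOB_START]):.2f} bits/byte")
    for hit in (BLOB_START + 0x8000, BLOB_START + 0x10000 + WINDOW):
        verdict = "plausible" if hit_is_plausible(img, hit) else "likely false positive"
        print(f"hit at 0x{hit:x}: {verdict}")
```

On a real image, read the file into `img` and pass the DECIMAL offsets from the binwalk table to `hit_is_plausible`; `binwalk -E` plots the same entropy picture.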

Hello!
I’d like to see custom firmware for OP-1 made by the community. I created this subreddit https://www.reddit.com/r/op1hackers/ as an attempt to get more people interested in OP-1 hacking. I’m fairly new to this (please be kind), so I’d like to invite people active in this community to be moderators of this subreddit ^^.
I’d also like to ask a few questions so I can speed up.

  • Are current firmware builds encrypted?
  • What checks have TE created to verify firmware? Are they signing releases?
  • Is it possible to create a custom bootloader to run custom code?
  • Has the firmware been successfully de-compiled? I read that there were issues with compressed blocks.
  • From a hardware perspective, is it possible to make extra engines, fx and sequencers? How much room for improvement do we have?

I would also like to thank everyone for all the hard work they have put in so far, you have already done so much. And the tools you’ve made are incredible!

4 Likes

Welcome! :slight_smile: Always good to see more people getting involved in this.

Are current firmware builds encrypted?

As far as I remember/understand yes they are.

What checks have TE created to verify firmware? Are they signing releases?

Can’t remember if they have some checks in place.

Is it possible to create a custom bootloader to run custom code?

It is possible to modify the bootloader binary, but to add custom code it would need to be disassembled, modified and recompiled, which hasn’t been done yet.

Has the firmware been successfully de-compiled? I read that there were issues with compressed blocks.

Not fully, yes there are some issues with that. I haven’t personally worked on the decompilation so can’t say much about it.

From a hardware perspective, is it possible to make extra engines, fx and sequencers? How much room for improvement do we have?

From a hardware perspective yes, but in practice this is very tricky to do due to the decompilation and recompilation issues. The resources (cpu, ram, storage) of the OG OP-1 are also quite limited so there’s not too much room for adding new stuff.

3 Likes

These answers will likely be on the SoC vendor’s website, and in here

2 Likes

Most of my work has been with the OP-Z, in this respect, but I’ve been able to load “custom” firmware onto the OP-Z, so it appears that the firmware provided doesn’t have to be signed, at least for the OP-Z.

2 Likes

Thanks for the reply.

Looking at the document made by @tabascoeye, it’s clear how complex and challenging this is. I’ll admit, this is out of my comfort zone, but I’m going to jump into it and try to work things out.

I think the key to this is to try to get our hands on a developer board. (This will be nearly impossible, it’s not like TE is a huge company (I don’t think we’ll have the opportunity to “Xbox Underground” it)).

I’m curious to see if it is possible to unlock the hidden developer menu of the stock board. (Not sure how this works, I’ll have to look into BlackFins.)

@tabascoeye, is that IDA virtual machine still there, and is it possible to get a copy?
thanks

2 Likes

This Thread is almost 4 years old now. What a ride! :wink: :wink:

I suspect the OP-1f uses a different (newer) BlackFin, but very very likely still a BlackFin because otherwise they would have to rewrite everything from scratch and it would no longer be an OP-1.

Also, I don’t think TE started the whole “signed firmwares” thing. It is annoying to get it right and secure enough (trust me, I know from work).

I don’t believe I still have the IDA files from old OP-1 disassembly tries, but the fact was that we were always missing the part where some Blocks of the main FW are XTEA encrypted in flash and either the IDA loader plugin for the LDR files would need to decrypt those blocks so the disassembly and analysis works better, or IDA would need to “run” the code and get the correct OTP value of the encryption key fed at the right time/place.
These days, this would be easier… see below…

The info is all there. I helped someone here revive their OP-1 with a new, off-the-shelf CPU which would not work because of the missing secrets on the OTP memory, so he wrote a customized Boot loader which would spit out the OTP contents to the display and I had that running on my working OP-1 while recording the screen with my phone.

So if I had the time on my hands I would probably:

To finally hopefully get a nice, analyzed and logical disassembled firmware.

BUT: To do any meaningful modifications, you would need to reverse the whole process.
The full memory would need to go back into Blocks to become an LDR file again.
Not sure if the XTEA encryption is needed or if the OP-1 would also accept one where those blocks are plain…
If you finally have a modified, repacked .ldr file, you can pack it into the usual .op1 “zip” and try to upgrade to it on your OP-1.

Like I said all those years ago: It might be easier to get DOOM running on it than to modify the TE firmware in any significant way because you need to use the Toolchain half-way backwards and then forwards again, which isn’t intended use at all :wink:

Would still love to see anyone do it!
Ghidra is free btw…

4 Likes

Well, I’m not so sure about the Blackfin. If they didn’t write like assembly stuff for the OG, I expect fixed-point algorithms can be ported to any architecture quite easily. It’s pretty difficult the other way around tho :joy::joy: The newest Blackfins are the 7xx series, also found in the OP-Z, but I’m kind of hesitant about it because they are still somewhat limited in performance compared to other alternatives that simply weren’t here before. NXP has M7 + M4 ARM chips that clock around 1GHz now; it surely is tempting to use the M4 for UI and other housekeeping jobs and the M7 for DSP. I also think it might be possible to switch to a SHARC. I’m quite interested in which chip is being used, tbh. Sure hope someone disassembles a unit or asks a developer (beta testers?)

1 Like

Well, I was wrong, it looks like they have a Blackfin 7xx in there

3 Likes

Bruh. I’ve been working in embedded for 15 years. Just trust me :wink:
Seriously though, they have coded everything against the VDK Kernel from Analog devices and are using those toolchains for both OG OP-1 and the OP-Z.
It just doesn’t make sense for a small team to change CPU architecture without some very serious reasons.
(my team did and it was necessary but also a multi-year effort)

6 Likes

First time poster, quick question, anyone think it’s possible to upload the OP-1F graphics into the OP-1? I like the new colour scheme and some of the updated artwork. I’m sure there’s UI changes that wouldn’t port over exactly but the background art should be able to get swapped right?

1 Like

@TabascoEye hey, can we create a new repo for OP-1 field firmware? I suggest github.com/op1hacks/op1-field-fw-archive

If you don’t want to maintain it, I can also help with that. Just invite @fjl to the org on GitHub.

That GitHub Org belongs to @wavi so I don’t think I can invite anyone

1 Like

I have downloaded the currently available OP-1 Field firmwares and will try to make a repo for them at some point. I’d love to know more about how the new firmware is built but haven’t had time to investigate yet :confused:

1 Like