OP-Z Firmware Updates.


#66

The headphone output got extremely loud on my op-z after the update. It’s pretty much too loud the moment you turn it on and it’s very difficult to dial in a low volume. You have maybe one mm from silence to way too loud. Is that happening to anyone else?
the speaker seems to be normal…


#67

Me too.


#68

What about the copy all tracks functionality? Everything else that guy got right the day before how come this is not in there? This is the main thing I was excited about… I wonder if it is in there and they forgot to put it in the notes? We need a way to copy tracks to other patterns, this seems like what I wanted but it’s not listed in the update.


#69

Is that what “copy step now works on all tracks” means?


#70

Downloaded new firmware. Still a bit buggy but enjoying the Z. Yesterday tempo change and plug change on the motion track wouldn’t work. Quick off and on fixed it. Can’t be happening live tho :neutral_face:


#71

both speaker and (akgK99) headphone volume range feel spot on for me. I never did the last update.


#72

it was spot on until the new firmware.


#73

For me it was like you described with the older firmware and now it got better. Strange…


#76

this is not new


#77

My step length of 10 isn’t working anymore? Is that happening to you guys?


#78

Are you talking about track+shift+0? This has not changed, it was the same with the old firmwares. It is said to be some unannounced “advance by external trigger” thing, someone from TE posted that in the facebook group.


#79

Yeah that was it.


#80

What does the 9 to 16 step length mean?


#81

Previously with track+shift+9 you’d have the playback speed at a ninth of the regular speed, just like with the rest of the numbers except 0. Now track+shift+9 sets the playback speed to a sixteenth of the regular speed which makes a lot more sense musically. One of the biggest advantages of that would probably be long chord progressions on the master track transpose.


#82

for me this change (9-16) destroyed a project… is there a way to get a track play back at the old timing again on the new firmware?


#83

reinstall the old one, probably


#84

Or rerecord with step multiplier 16 and last step set to 9.


#85

Hey @TabascoEye, did you get anywhere else with this? I’ve been looking at it myself and confirmed the firmwares are encrypted. This is what I’ve found so far (apologies if someone else has brought this up, I’m new to the OP-Z scene):

  • Offset 0x04 has the value 0xFF, which is referred to as the “key index.” As far as I can tell, the OP-Z interprets this as a single byte value.
  • At offset 0x70: this is actually not a 20-byte value, but a 16-byte value which specifies the IV used in the encryption process. Not sure of the algorithm used, but it’s most likely AES. Not sure of the mode either, but CBC or CTR are reasonable expectations according to the BF703 datasheet.
  • At offset 0x80 is a 4-byte value which specifies the “length.” I’m still trying to determine what this means exactly, as the 1.1.27 firmware has the value 0x0CB94A (833,866 bytes), yet the firmware file is 834,896 bytes.
  • I’ve also found that once the file is decrypted, a zip file should be produced called firmware_bin_only_with_bootloader.zip, at least with the 1.1.27 firmware.

Has anyone else been looking at this? I’m wondering if the key is included with the firmware file or if it’s hard coded into the OP-Z itself.

EDITS: I’ve put a similar post on the /r/OPZUser subreddit which I’ve been keeping more up-to-date than here since I’ve gotten more feedback there. I wanted to give an update here though. I’ve confirmed that CBC mode is being used to encrypt portions of the firmware file. When the OP-Z is connected to a computer and put into upgrade mode, a USB serial device is added to the computer. This can be used to view a debug console of sorts. Using this console and making modifications to the firmware file, I was able to use a padding oracle attack. From 0x300, the first few ciphertext blocks here are where the string firmware_bin_only_with_bootloader.zip is stored. The serial console suggests the firmware file from 0x300 to 0x3FF is a standalone encrypted section, but I haven’t confirmed this yet.
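
An added example, not part of the original post or the linked wiki: a Python reader for the three header fields listed in post #85, relating the "length" field to the file size. Little-endian byte order for the 4-byte length, the function names and the sample blob are assumptions; the blob is constructed, not real firmware.

```python
import struct

# Offsets as reported in post #85. Byte order is an ASSUMPTION (little-endian).
KEY_INDEX_OFF = 0x04        # 1 byte, the "key index"
IV_OFF, IV_LEN = 0x70, 16   # 16-byte IV
LENGTH_OFF = 0x80           # 4-byte "length"
HEADER_MIN = LENGTH_OFF + 4
BLOCK = 16                  # block size if the cipher is AES, as the post suspects


def parse_header(blob: bytes) -> dict:
    """Read the header fields and compare the declared length with the file size."""
    if len(blob) < HEADER_MIN:
        raise ValueError(f"need at least {HEADER_MIN} bytes, got {len(blob)}")
    (length,) = struct.unpack_from("<I", blob, LENGTH_OFF)
    iv = blob[IV_OFF:IV_OFF + IV_LEN]
    return {
        "key_index": blob[KEY_INDEX_OFF],
        "iv": iv.hex(),
        "iv_constant": len(set(iv)) == 1,      # a single repeated byte is a red flag
        "length": length,
        "file_size": len(blob),
        "unaccounted": len(blob) - length,     # bytes the length field does not cover
        "truncated": length > len(blob),       # declared length exceeds the file
        "length_block_aligned": length % BLOCK == 0,
    }


def make_sample(total: int = 2048, length: int = 1018) -> bytes:
    """Constructed blob with the reported layout and the same 1030-byte gap
    the post describes for 1.1.27 (834,896 - 833,866)."""
    blob = bytearray(total)
    blob[KEY_INDEX_OFF] = 0xFF
    blob[IV_OFF:IV_OFF + IV_LEN] = bytes(range(IV_LEN))
    struct.pack_into("<I", blob, LENGTH_OFF, length)
    return bytes(blob)


if __name__ == "__main__":
    for field, value in parse_header(make_sample()).items():
        print(f"{field:>22}: {value}")
```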


#86

I’ve made a few more discoveries, but it’s probably better to put this all on a wiki instead of continuing to update the thread. This will also allow others to contribute. You can find the firmware page at https://github.com/billymeter/rez/wiki/Firmware. Thanks!


#87

keep up the good work dude! @_bt