PO hacks

@darenager The debug interface is serial, similar to I2C with a clock line and a shared I/O bus, but the voltage levels on those exposed pads appear to be all wrong for that. TE could be redefining the EFM32 pin functions for the debug interface right after power up, maybe to protect the firmware. They could have some magic key combo to bypass that, who knows. I will most likely need to look at the voltages on the pads using an oscilloscope, since the original function is guaranteed to be there for a few microseconds after a reset. I could also try to connect using all possible permutations, but I’m a bit afraid of causing a short.


@tsoon I was hopping we could somehow use Teensy sound library, but I suspect it only works on Cortex-M4.

I figured it out! The two pads with weird voltages are connected to the left channel in/out return signals. I guess they did that for factory testing purposes. These pads are also used by the debug interface, including the one connected to the Play LED. That means the debug interface is being disabled by the code and it won’t be possible to read the original firmware (unless some magic key combo that overrides this indeed exists). It should still be possible to flash a new firmware, but I have not tested it yet. I will publish the details once I confirm it works.

Now I need those pogo pins!

1 Like

Operator Ninja @punji

I figured it out! The two pads with weird voltages are connected to the left channel in/out return signals. I guess they did that for factory testing purposes.
I was thinking first that the pads are made for easing hacking, but I'm not quite sure anymore. You can easily solder audio in/out stuff directly to the 3.5mm plug. And if I was TE, I would put all protection over the software since that's the thing in these devices; after all they are just a PCB with processor, display and a DAC. Chinese could manufacture these under $10.. And without the LCD maybe cheaper? The LCD is just a funny and cool gimmick, but not absolutely necessary for operating these devices.

And because PO's are basically same HW (gfx not counted) they don't want people go flashing firmware across different PO's?

I would like to make first hack; I'm syncing my PO-12 and taking ofcourse the audio out and it's really clumsy with the plugs pointing out different directions. Any ideas how to make the PO-12 portable? Slim 3.5mm plugs?


@tsoon I agree with your assessment.


Regarding portability and cable clutter, one idea I had was to create a case/frame to mount all 3 units in a triangular prism and get the audio in/outs and battery power hardwired somehow. So, the contraption would look like this:


triangular_prism

Sure, that can’t be placed in a table top anymore, haha! :slight_smile:

My original plan was to mount them side by side and wire all the jacks to a bank of jacks to act as a kind of patchbay.

Resistance is futile!

image

Robot hospital.

^ You may wonder if it has flatlined, but rest assured, it still lives!

I was finally able to put together a pogo pin connector and attach the PO-16 to the EFM32 Starter Kit J-Link interface. As we already suspected, the MCU debug port is locked, meaning that the original firmware cannot be read… :frowning:


SEGGER J-Link Commander V4.80h (’?’ for help)
Compiled Feb 28 2014 21:56:56
DLL version V4.80h, compiled Feb 28 2014 21:56:51
Firmware: Energy Micro EFM32 compiled Mar 1 2013 14:08:50
Hardware: V7.00
S/N: 440027079
Feature(s): GDB
VTarget = 2.871V
Info: Found SWD-DP with ID 0x2BA01477

****** Error: Could not power up debug port: Control/Status register reads 2BA01477
Info: Found SWD-DP with ID 0x2BA01477
Info: Energy Micro AAP found: Chip is locked.

nicely done @punji now i wonder what it would take to convince TE to release a ‘dev version’ with no firmware and freely writable >.>

@KrisM Just to clarify, we may still unlock the POs to load a new firmware, but that will erase the original one.

It would be great if TE released an open source firmware with just the basic support to jump start us on creating a new flavor of PO, but it seems very unlikely, given that they ignored all my requests to provide some information about the exposed pads and the MCU connections…

Awesome work! @punji

^ Thanks. Btw, I’m keeping detailed technical notes here:


http://hackingthepo.weebly.com/

Instead of trying to flash the PO right away, which would prevent me from doing any further investigations on the original firmware, I have chosen to start developing on the EFM32 Starter Kit instead. For that, I have put together a small prototype board with the Cirrus DAC chip, a couple POTs, a few switches and a LED. That should be enough to validate the concept and, if successful, justify loosing the original firmware on my PO-16:
FullSizeRender
^ Thanks. Btw, I'm keeping detailed technical notes here:


http://hackingthepo.weebly.com/


@punji Man, you’re really taking the deep jump! That’s already awesome and consistent work, keep going on! Nice PCB!

I think TE should open up little bit since it’s quite clear that these units will be hacked, mostly because of punji’s work. I’m quite sure that quite shortly we see here a PO running custom firmware.

https://youtu.be/59fPX4CAQwk

At this point I’m far more excited for a custom unit than a hacked PO. Replicating the synths will undoubtedly be difficult. But the idea of unique sequencer and synth bleep machines has me far too excited! I envision getting really wierd- for instance run it from 9v and power analog ic effects on the same board. (Pt2399 delay/reverb; fuzz; ringmod 567, phaser etc; maybe make it semi modular! I had planned on getting really into teensy but now I think my time may be better spent learning about multiplexing(for the rows and columns of keys) and waiting for revelations about digital synthesis. What about CMOS synths as a tone generator?

Maybe a sid chip?

^ As I explained in the hacking site, the PO keys are not multiplexed, meaning that there are 23 GPIO pins assigned to them. These pins may be freely set as input or output, so the most obvious way of “extending” the PO hardware is to sacrifice some of the keys and implement a multiplexing logic to the remaining ones, e.g., split the 16 lines used for the sequencer keys into 8 lines for a 4x4 keyboard matrix plus 8 lines for some new hardware. Some of the logic lines may even be set to output analog levels using the internal 12-bit DACs, easing the integration. But, as you said, we need to first create a custom PO firmware…


I looked into the SID chip a while ago, but it was hard to buy them. I ended up buying a Votrex SC-01 voice synthesizer used in the Qbert machines, but have yet to use it somewhere…