World’s First MIDI Shellcode

Submitted by
Style Pass
2025-01-05 08:00:02

I gained remote code execution via MIDI messages to trick my synth into playing Bad Apple on its LCD. This blog post is about my journey with this reverse engineering project.

I’ve had this Yamaha PSR-E433 synth for a very long time, and a couple of years ago I decided to open it up — partly because it was in need of cleaning, and partly because I was really curious about its internals. After removing some screws and digging down to the main circuit board (labeled “DMLCD”), I was quite amused to find two flash chips, one RAM chip and an absolute unit of a chip labeled “YAMAHA SWL01U”, which I guessed had to be the brains of the operation. Using that part number I wasn’t able to find any information about the chip online apart from an article that claimed it was based around a “SuperH” CPU core – an ISA I had never encountered before reading that article. So, after finishing the cleanup I just put the synth back together, which left me wondering what that mysterious chip really had under the hood.

Fast forward to a few months ago, when I took apart the poor synth again – this time purely out of curiosity. What sparked that curiosity was a service manual for a similar synth (the E443; I own an E433) that I found online, which among other things featured a pinout of that main chip with pin descriptions so enticing (“TESTN – Test Mode”, “PROTN – Determines if the product is a prototype”) that I just had to get a look at what was going on. There were also two bidirectional UART interfaces, and by looking at the schematic I could see that one of the two transmit pins wasn’t connected anywhere, suggesting that the chip might emit some kind of log via that pin. Oh, and it also had JTAG test points nicely broken out on the board: basically a 5-pin interface for various production line testing and debugging-adjacent tasks.
