| author | Judah Fuller <[email protected]> | 2023-04-27 18:20:44 +0100 |
|---|---|---|
| committer | Judah Fuller <[email protected]> | 2023-04-27 18:20:44 +0100 |
| commit | 169dcd734c13db096b2b848e3f8ac34ba876e074 (patch) | |
| tree | 1c37c96082adb8ee9cb17a14dac191bfba19060b /docs | |
| parent | ecd10d80bf47c48c7706baf085005f9a135a83c7 (diff) | |
| download | OpenCortex-169dcd734c13db096b2b848e3f8ac34ba876e074.tar.gz OpenCortex-169dcd734c13db096b2b848e3f8ac34ba876e074.zip | |
Add Content to Developer Docs
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/dev/Captures.md | 19 |
|---|---|---|
| -rw-r--r-- | docs/dev/Control.md | 0 |
| -rw-r--r-- | docs/dev/Crypto.md | 0 |
| -rw-r--r-- | docs/dev/README.md | 47 |
| -rw-r--r-- | docs/dev/Updates.md | 21 |
| -rw-r--r-- | docs/dev/dsp.md | 48 |
6 files changed, 128 insertions, 7 deletions
diff --git a/docs/dev/Captures.md b/docs/dev/Captures.md new file mode 100644 index 0000000..095ba74 --- /dev/null +++ b/docs/dev/Captures.md @@ -0,0 +1,19 @@ +# Captures + +[Back to developer documentaion main page](README.md) + +[Captures can now be decryped here](https://vaniseghemthomas.github.io/OpenCortex/File-decryption/webapp/) + +Infomation about how Captures on the QCs works. + +## How it works (Needs updating) + +Captures are encrypted protobufs, with local encryption use the serial number, global does not. + +After cracking the encryption to the Neural Captures, and writing some code to decode the captures to JSON format. I was shocked to see that there is very little "Neural" about it. Recently it was discovered that the training process involves some kind of genetic algorithm and until now we haven't found a conrete reference to any neural network training. Looking at one of the captures you can see that the network consists of a 13 parameter network. + +## Links + +- [Capture Demo](http://research.spa.aalto.fi/publications/papers/smc19-black-box/) +- [Patent](https://patentimages.storage.googleapis.com/0e/b9/35/293f5bf8c3340a/EP3828878A1.pdf) +- [Capture Article](https://www.smc2019.uma.es/articles/S5/S5_02_SMC2019_paper.pdf) diff --git a/docs/dev/Control.md b/docs/dev/Control.md deleted file mode 100644 index e69de29..0000000 --- a/docs/dev/Control.md +++ /dev/null diff --git a/docs/dev/Crypto.md b/docs/dev/Crypto.md deleted file mode 100644 index e69de29..0000000 --- a/docs/dev/Crypto.md +++ /dev/null diff --git a/docs/dev/README.md b/docs/dev/README.md index 42edede..8c1c6f6 100644 --- a/docs/dev/README.md +++ b/docs/dev/README.md 
@@ -1,17 +1,50 @@ # Documentation of all the discoveries about Quad Cortex -## Known Topics +## Table of Contents -- [Decrypt Captures](Crypto.md#Captures) - -## Research In Progress +[Back to Main README](../../README.md) +- [Decrypt Captures](Captures.md) - [Custom DSP](DSP.md) - -## Planned Research - - [Live Update Patchers](Updates.md) ## General Info +### UI + +Lots of stuff is a png and there are no vectors being used, its built on swapping pictures, And the setup is just a slideshow. +/usr/lib/libzenhal.so seems to be their library for interacting with things like footswitches/expression inputs/midi/encoder/touch screen/leds/etc. + ## Misc Info + +## Tools + +Languages for the Project: + +- Python - for simple Scripting +- Golang - for compiled binaries (like dsp) + - Idealy Rust would be used, but it has a steep learning curve + +Ghidra - a very powerful piece of kit brought to us by the NSA of all places. +use the string window to look for interesting stuff, click it, brings you to a function + +[webSSH](https://github.com/billchurch/webssh2) our webpage could connect to ssh and just fetch the files by itself + +## Hardware + +The QC uses the Cortex-A5 + +That the QC uses [this for it's usb audio](https://www.thesycon.de/eng/u-hear-st.shtml) + +## Files + +Presents are unencrypted protobufs. +There are 16 different protobuf message types that we have the protobuf spec files for + +Thomy - In the end it would be fun as a PoC if we were to make our own amp for the QC. "The OpenCortex Beast" +evilsocket - if we manage to understand how the dsp works, we can just rewrite ZenUI from scratch +Thomy — Lol you're crazy +evilsocket — yes +evilsocket — most of the logic is just to handle graphics and settings, the "core" logic is not that complex, and it's all in those LDR files +Thomy — Instead of "ZenUI" we call it "RelaxUI" +evilsocket — RaphaelUI diff --git a/docs/dev/Updates.md b/docs/dev/Updates.md index e69de29..8a733b8 100644 --- a/docs/dev/Updates.md 
+++ b/docs/dev/Updates.md @@ -0,0 +1,21 @@ +# Updates + +[Back to developer documentaion main page](README.md) + +Infomation about the QCs update process, and how we can use it should be placed here. + +## How it works + +the update process first talks to an API to see if there's anything available and then downloads the update archive right + +## Man In The Middle updates + +SSL checks are disabled everywhere (in ZenUI too, not just the updater) ... this means that with some work we would have command execution on the unit without even opening it. +In the middle, we can literally patch (from any laptop on the same wifi) the update archive as it arrives, using t a transparent http proxy that gives you a scripting engine to modify buffers on the fly. + +we could do something simple ... download the original update file, apply our changes to it, [bindiff](https://www.daemonology.net/bsdiff/) the two archives and just apply the binpatch on the https buffers + +## Root Password + +Root password hash: root:$1$ExCeUIRg$umMdl8bKzRutUtKGFhUg10:10933:0:99999:7::: +It is salted, and has not been cracked yet. diff --git a/docs/dev/dsp.md b/docs/dev/dsp.md index e69de29..ef0d230 100644 --- a/docs/dev/dsp.md +++ b/docs/dev/dsp.md 
@@ -0,0 +1,48 @@ +# DSP + +[Back to developer documentaion main page](README.md) + +Infomation about how the dsp on the QCs works, and how we can develop code for it. + +## How it works + +### LDR Files & DSP Loading + +A LDR is basically a sequence of 4 unsigned longs blocks where each is: + +```c +printf("block code: 0x%08x\n", bh[block_code_idx]); +printf("target address: 0x%08x\n", bh[target_address_idx]); +printf("byte count: 0x%08x\n", bh[byte_count_idx]); +printf("argument: 0x%08x\n", bh[argument_idx]); +``` + +It's not an executable format, but it tells the DSP to literally "load this code at this address" +The original code should be recoverable from these files + +the dsp loading process works via /dev/mem + +[Sharc Runtime Loader](https://github.com/analogdevicesinc/runtime-sharc-loaderGitHubGitHub) +[U-Boot LDR Files](https://www.analog.com/media/en/technical-documentation/application-notes/EE407v01.pdf) + +### Architecture + +A single binary is splitted into different chunks and each is executed by a specific core +core0 gets the actual arm code and the models are handled (maybe passed from the code in core0 to core1) by core1 and core2 + +#### MEMORY LAYOUT + +```c +0x001609a8 DATA | <0 bytes> +0x001609a8 CODE | 0xab9c8000 +0x001609a8 CODE | 0xab9c8000 +0x00161320 CODE | 0xab9c8000 +``` + +all the opcodes are the same (addeq sb, r0, fp, lsr #25) +they just increment the pointer to the data, meaning, the actual logic is in the data section +All the data sections are sized as a multiple of 4, this would suggest these are arm instructions as well + +## Links + +- [SDK Examples](https://github.com/analogdevicesinc/runtime-sharc-loader/blob/master/SharcLoader/loader.c#L228GitHubruntime-sharc-loader/loader.c) |
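Review bot: In docs/dev/Captures.md the one-line description of the encryption ("local encryption use the serial number, global does not") is too vague to be actionable: it names neither the cipher and mode nor how the serial number becomes a key, nor what "global" captures are keyed with, and the only file that could have held that (Crypto.md) is deleted in this same commit. Suggest writing the scheme down here or at least pointing at the decryption webapp's source as the reference. Typos to fix in the same hunk: "documentaion" -> "documentation", "decryped" -> "decrypted", "Infomation" -> "Information", "conrete" -> "concrete"; "After cracking the encryption ... to JSON format. I was shocked" is a fragment that should be joined to the following sentence, and "a 13 parameter network" should be "a network with 13 parameters".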
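Review bot: The deletions of docs/dev/Control.md and docs/dev/Crypto.md remove empty files (index e69de29 is the empty blob), so no content is lost, but the old README entry "[Decrypt Captures](Crypto.md#Captures)" shows Crypto.md was linked from elsewhere; the README hunk repoints it to Captures.md, so just confirm nothing outside docs/ still links to Crypto.md or Control.md.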
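Review bot: In docs/dev/README.md the "Custom DSP" entry links to DSP.md, but the file this commit adds is docs/dev/dsp.md (lowercase); that works on a case-insensitive filesystem and 404s on Linux and on GitHub, so change it to `- [Custom DSP](dsp.md)`. Under "Files", "Presents are unencrypted protobufs" presumably means "Presets"; since this is the statement that presets, unlike captures, carry no confidentiality protection, the noun should be right. The Thomy/evilsocket exchange at the end is pasted chat rather than documentation; either condense it to a bullet (the core logic is in the LDR files and is simpler than the UI/settings code) or put it in a blockquote with attribution. Minor: "Idealy" -> "Ideally", "its built" -> "it's built", "it's usb audio" -> "its USB audio", and the "## Misc Info" heading has no body.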
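Review bot: In docs/dev/Updates.md the "Root Password" section commits a complete root shadow entry to the repository. The `$1$` prefix means md5crypt, which is cheap to attack offline, so publishing the value in a public doc lowers the bar for anyone who can reach the unit over the network; keep the hash out of the repo (describe it as "md5crypt, salted, not yet cracked" and keep the value somewhere access-controlled). In "Man In The Middle updates" the disabled SSL checks are the central finding, but the text never says whether the downloaded archive is signed or checksummed before it is applied; that decides whether a proxy-modified archive would actually be installed, so state what has been checked rather than "with some work we would have command execution". The link text "bindiff" points at bsdiff (daemonology.net/bsdiff), so call it "bsdiff/bspatch". Also "downloads the update archive right" is cut off mid-sentence, "using t a transparent http proxy" has a stray "t", and "documentaion"/"Infomation" need fixing here too.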
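Review bot: In docs/dev/dsp.md the C block under "LDR Files & DSP Loading" does not match its prose: the text says each block is four unsigned longs, yet the printfs use "0x%08x", which expects unsigned int and is wrong for unsigned long on an LP64 host; declare the header as `uint32_t bh[4]`, print with `PRIx32` from <inttypes.h>, and define the four `*_idx` constants (or show the struct) so the snippet stands on its own. Both Analog Devices links have "GitHub" pasted into the URL ("runtime-sharc-loaderGitHubGitHub" and "loader.c#L228GitHubruntime-sharc-loader/loader.c") and will not resolve; strip the suffixes. The "MEMORY LAYOUT" block is a table, not C, so fence it as plain text. The closing inference "All the data sections are sized as a multiple of 4, this would suggest these are arm instructions as well" is weak: any word-aligned data has that property and Thumb code is 2-byte aligned, so mark it as a hypothesis. Also "A LDR" -> "An LDR" and "splitted" -> "split".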