Patching my guitar amp's firmware

78 pointsposted 4 days ago
by birdculture
(mforney.org)

13 Comments

chinkinthearmor

an hour ago

If I were an alien and saw this, I would run. Terrifying.

My brain hurts any time I hear about a completed hardware hack, but this write-up just takes the cake. My experience with hardware RE is limited to a class project hacking a cheap router, and there even after 3 weeks I couldn't make sense of the can of worms that is interfacing with JTAG using OpenOCD. It's like looking at bats and then shouting into the dark and somehow you get the right words for echolocation. Then you do it for 10 animals in a row. I will check out Wrongbaud's guide.

So my question is: how do you learn to speak the dozens of languages for hardware? Every step in this project, from soldering custom modules to figuring out correct JTAG settings to inferring flash layout to reversing checksums, seems like it would take me a lifetime. What was the path to be able to do this in one lifetime?

supertroop

an hour ago

It is so easy to use signature verification and even encrypted XIP with Mcuboot it just blows my mind that companies don’t.

Also the level of reverse engineering here is kinda bananas. I almost don’t believe he was able to find the transfer functions for the dsp bias equations w/o some source guidance. I mean that’s just bad ass if he did it without help.

mforney

an hour ago

I followed the code path when you change the cabinet type, and saw it write some values to the DSP based on a 2D array of doubles, one for each cabinet, each with 41 values, and it was processing them 5 at a time. Looking at the values, they were all in the range -2 to 2, and were very reminiscent of biquad filters I had learned about in another project (https://mforney.org/blog/2025-06-06-babyface-midi-protocol.h...) which was still pretty fresh in my mind.

I tried plotting them, and I got something that looked right when I inverted the denominator coefficients. I guess this is fairly standard practice because then the difference equation is all positive sums and it can be implemented with a bunch of multiply-accumulates.

However there were still some discrepancies in overall gain between different types (most lined up, but a couple did not). I saw another array of integers indexed by the cabinet type that had negative values, most with -23 but a couple with -12, which I figured must be a decibel gain correction. It was only after accounting for that and seeing the final graph in the post where everything lined up and looked plausible that I was pretty sure I had it right.

So, mostly just general familiarity with digital EQ filters and a bit of luck.

jkingsman

6 hours ago

Wow, that is a deep level of commitment and learning/exploring; I love it. While I'm sure this is informed by deep preexisting knowledge (to a point -- it's still badass in its own right), I can't help but admire these skills and feel a little inferior about my own.

What a badass level of deep dive.

shermantanktop

7 hours ago

I’m always very impressed by this type of hardware/firmware reverse engineering. So many places to get completely stuck and fizzle out.

I assume that happens a lot, but few people would write a blog about their inability to break a protocol or decipher a memory layout.

SoleilAbsolu

8 hours ago

Love it! I have the THR10 non-"C" version of this amp and often wondered if it's hackable.

tyfighter

8 hours ago

Nice :) I did this for my Axe-Fx II and III a long time ago, but I never published any of it for fear of being sued. Really, I just wanted to learn about DSP techniques and that was enough for me.

alexjplant

7 hours ago

Sorry WHAT?! I was under the impression this whole time that this wasn't feasible due to asymmetric key encryption with the private keys baked deep into the hardware. Perhaps I'm misremembering but Cliff (the founder) is very big on protecting trade secrets so I'm rather surprised you were able to. Or do you mean you were able to flash new firmware, not reverse-engineer the existing one?

Either way I don't blame you for not writing it up. The same guy just recently accused another industry player of "infringing on [his] idea" with a product because he "filed a preliminary patent". I've been using Fractals since long before they were cool but based on the guy's forum posts I think he's having a hard time navigating the modern internet cultural landscape (the tenuous nature of his legal argument notwithstanding). It's a real shame as he's clearly super talented but I think trolls have gotten to him.

tyfighter

7 hours ago

I never encountered any encryption/protection of any kind on the II (had 3 bootloaders: a simple memory loader -> a huffman tree decompressor -> another simple memory loader) and even though I got pretty far on the III I could see there being some kind of key embedded in the firmware somewhere. I was able to disassemble any .syx firmware release that came out. I wrote my own IDA Pro modules for the TigerSHARC (II) and TI-C66x (III). II took a while but I learned a lot. When the III came out I started over. I spent a lot of time reverse engineering the amp block code, but stopped about 8 years ago. Back then he wasn't even compressing the firmware yet, so it was easy.

webprofusion

5 hours ago

This is awesome, couldn't the firmware just be extracted from the updater though?

mforney

an hour ago

Unfortunately there were no firmware updates for the THR10c, so the only way to get the firmware is to dump it from the device.

webprofusion

4 hours ago

Would love to see this done for the Spark amp as well, this level of hardware hacking is beyond my skill set.

I recently built my own Multi FX app/plugin (https://guitar.soundshed.com) and am looking for ways to squeeze it (or a version of it's signal chain) into commodity hardware as replacement DSP signal chain.

platevoltage

6 hours ago

Man I love this stuff. I'm not big on digital guitar amps, but digital synths are another story.