Free-for-all Filters And VPM – How The Hacktribe came to be

I really like my Electribe 2. I know, it gets a lot of hate from the EMX/ESX lovers, but the workflow really suits me, and, as you might know, I’ve got a heart for underdogs, especially when they are from Korg – don’t you think that even Korg’s blunders are more interesting than Roland’s successes?

A mutant Electribe

StableDiffusion 1.5 hallucinating the hell out of an Electribe with IMG2IMG and „Superman Drum Machine“ as prompt

Which doesn’t mean that Korg does everything right. As Electribe users know, you have to make up your mind: 

  • Do you want the (blue or grey) E2 synth („BlueTribe“), or
  • the (red or black) E2S sampler („RedTribe“)? 

The RedTribe sampler, gravitating a bit more towards hip-hop compared to the dancefloor-oriented BlueTribe, is generally more flexible – but you have to sacrifice the BlueTribe’s many additional filter types and synth oscillator models.

Which is a real shame considering that the hardware for BlueTribe and RedTribe is absolutely identical – apart from the colour scheme and the built-in samples. You can even crossgrade from BlueTribe to RedTribe and vice versa (involves a bit of hex editor manipulation and a sizeable risk of bricking the Electribe, but it’s doable – I did it once before settling on a black RedTribe for good).

So why doesn’t one just analyze the firmware, and copy&paste the BlueTribe goodness to the RedTribe ROM? It’s that kind of project you dream of for about 15 seconds until you realize how cumbersome this really is, and that it would be madness to commit yourself to that kind of ambitious hacking project.

Luckily, bangcorrupt has already done just that.

Behold: The Hacktribe!

In case you lived under a rock and haven’t heard of it: Hacker bangcorrupt has analyzed the Electribe’s bootloader, finding the requirements for installing modified firmware. And he modified Korg’s 2.02 Electribe Sampler firmware, adding the BlueTribe’s extra capabilities concerning filters and oscillators to it – and even more: VPM, Korg’s version of FM synthesis for people without a degree in acoustics.

It’s as simple as downloading the factory firmware, running a Python script that patches it, and updating your E2 to the Hacktribe firmware. If you want to keep running your existing RedTribe patterns, I created some small additional scripts for that – my tiny contribution to the project – and you will find soon find a step-by-step tutorial as a Python notebook that you can just click-and-run on Google Colab, saving you the intimidating Python installation business.

But for the moment, let’s geek out for a bit: I reached out to bangcorrupt, the hacker who did this, and asked him how he did the hack.

Hacktribing your RedTribe

We were communicating via mail – he answered my first set of questions – which were originally intended just to tell him what I wanted to know – in bulk. These are his answers; I’ve just added some links and notes in italics and square brackets where I felt like it. Everything else is bangcorrupt’s answers.

Q: How did you get the idea of doing it?

bangcorrupt: I got the idea from the firmware swap posted on korgforums years ago.
I wanted to create a hybrid based on the latest firmware version, with some added features and configuration options.

[With the first couple of firmware revisions, it was quite easy to swap the firmware of a RedTribe for a BlueTribe; with v2.02, Korg added checks to keep you from crossgrading, so you had to do a bit of hex editing and downgrading to do the swap. It was quite a feat and, honestly, not worth it, as you wouldn’t get the samples of the other machine – these seem to be stored in ROM, separate from the firmware. While it is quite easy to get someone with an E2S to perform an „Export All Samples“ for you, I have not seen the BlueTribe factory sample set in the wild yet.]

Q: Why didn’t you just stop when you realized how overwhelmingly complex the whole thing would become?

[Think about it.The Electribe is a complex machine – see this hardware breakdown in the Korg forums from 2015 which is one of the first things a prospective hacker might end up with. It hasn’t got just one microcontroller but three: The main processor is an ARM9 processor called AM1802 (datasheet), accompanied by a Blackfin 523 DSP from Analog Devices (datasheet) – a type of microprocessor optimized to process real-time data. There is also an additional feeble ARM Cortex M3 reading the front panel dials, which we may safely ignore if we’re lucky. Scanning the datasheets, you will find all sorts of scary words like „protecting code integrity“. There is obviously some kind of bootloader involved which you have to analyze to find out what it accepts as a firmware, and how it is loaded into memory. And once you mess things up, there is a considerable risk of bricking your Electribe for good – which did indeed happen, see below.]

bangcorrupt: Once I started seeing patterns and how they interrelate it was difficult to stop. I was really obsessed with it for a while; hopefully I can find the time to dedicate to taking it to the next level.

Q: Did you have a background in microcontroller development before?

bangcorrupt: I had a basic understanding of computer architecture and electronics, but most of what I know about microcontrollers and reverse engineering comes from working on Hacktribe.

[Which I, as a full-blown blunderer and tinkerer, find wonderfully serendipous and inspiring.]

Q: What were the challenges in doing it?

bangcorrupt: Everything. I’m learning how to do this as I go along, most of the tools and protocols are new to me. At one point I bricked my electribe and had to hack some other things to learn how to fix it.

Q: What kind of tools does one use for rewriting Electribe code?

bangcorrupt: A J-Link or a Raspberry Pi running OpenOCD will work as a JTAG debugger for the CPU.

[Let’s stop here for a moment and explain what a JTAG debugger actually is. Imagine you have some sort of program, and want to see what it does – especially if it doesn’t do what you want it to do. In that case, it would be handy to stop the code and look at registers and memory.

As long as the program is still running on your desktop computer, you can simulate and debug your program there, but once it has been transferred to the machine, you will have to use special hardware to do that.

When I did my first 8-bit development project some 30 to 40 years ago, we had to buy a murderously expensive type of hardware called a Z80 In-Circuit Emulator, a blue box that could act as a microcontroller in my machine but kept transmitting data on order to a PC. It has become much, much simpler these days, as all modern microcontrollers have a standard serial interface called JTAG. It takes orders and code, and transmits data if you want to talk to the processor, but you still have to have special hardware and software which does the talking.]

bangcorrupt: I couldn’t get the Raspberry Pi [running the OpenOCD JTAG debugger] working with the Blackfin DSP, but thanks to people sponsoring Hacktribe I was able to buy the official Analog Devices debug adapter.
Raspberry Pi will also work with the Cortex M3 on the panel board, but I want to try using Black Magic Probe [an open-source standalone JTAG debugger for ST Micro’s M3 hardware and others] on an STM32F103.
On the software side I’ve been using Ghidra for static analysis, with Rizin for patching and debugging.

[What is this for? The original programmers wrote high-level code in languages like C, and probably low-level Assembler code handling single processor instructions, before compiling and assembling their program code into the string of bytes in the SYSTEM.VSB file. Disassembler frameworks like Ghidra – by the NSA, for god’s sake! – and Rizin help you turn back these bytes into readable code, much like turning a meal back into a recipe – so you end up with code that your brain can process, and the JTAG debugger which helps you watch what it is actually doing. This gives you a good chance to understand what the code does, and how to expand it.]  

Q: How much of what your HackTribe code does was already in there, and what did you have to write from scratch?

bangcorrupt: This is hard to answer, it’s all interlinked. At the start I was hex editing the binary directly, changing pointers and conditional tests to run existing functions with new data. I’ve started reworking it into separate assembly code; the most new code I’ve written is probably for NRPN handling or FX editing. Even here I am using the existing functions as much as possible, just calling them in a different order with different arguments.

Q: And have you got a clue what the hell Korg thinks about all this?

bangcorrupt: I have nothing to do with Korg. I try to stay within the law and the license agreement, and as far as I know I have.

bangcorrupt’s answers are printed as they were given. All errors in the italics are mine.

Matrix-1000 Brain Surgery

Shot of opened Matrix-1000 with freshly socketed CPU, runningDremeling and ripping out the brain of a 25-year old vintage machine – I was so Frankenstein yesterday. Luckily, it worked, being the first step to a much improved Oberheim Matrix-1000 running with – at least – doubled system clock, and patched firmware. This takes up the work of Gligli who was the first to hack a faster CPU into the Matrix, and tries to take it one step further. 

Hacking a vintage instrument – my favourite guitar player calls this cruelty. Yet there are good reasons to do it: As I’ve mentioned before, the Matrix‘ CPU is actually too slow for what it tries to achieve, but the 8-bit 6809 chip could only be clocked to 2 MHz in its fastest version, and this is it.

So Gligli, a hacker from France known for his Prophet-600 firmware rewrite/retrofit, had the idea of using a 6309 CPU, a chip from the same era that, while maintaining drop-in compatibitily, offered faster instructions and could be overclocked to 4 MHz. So he replaced the CPU and the main oscillator, patched the firmware and – it worked.

Yet there are some issues with Gligli’s solution, in my humble opinion. The Matrix‘ peripheral chips are designed to work at 2 MHz; by doubling the CPU clock, they have only half the time to read or write data to the bus. Not all of the hardware is up to this; Gligli’s solution is simply writing everything twice, and that seems to work, but it’s not very trustworthy.

So I’m planning to install a CPU with a custom clock generator that is using asymmetrical cycles to give the peripherals more time to read and write. (I’ll have to build in new oscillator circuitry anyway, as I happened to buy 63C09E CPUs, which rely on external clock generation.) And there’s always the possibility to go even further and replace the CPU by a modern programmable logic chip, an FPGA, that can be loaded with a 6809-compatible core clocked even higher and has proper slowing-down logic to interface the old hardware. More on that later, suffice it to say that I simply want my Matrix’s CPU in a socket. And be it only to be able to revert to the original chip.

Weiterlesen

Next Project: Korg R3 Aftertouch Hack

Not there yet, but it’s in reach: An Aftertouch, e.g. channel pressure control, retrofit for the Korg R3 synth.

Korg R3 under press

 

I really like the Korg R3. No, there’s more: I bought it second-hand out of very rational considerations, and ‚ve come to love it deeply. There are people who don’t like it for its plastic housing, for the limitations in comparison with its more expensive sibling, the Korg Radias, others hate it simply for not being a first-generation Microkorg. In my experience, it’s an excellent virtual analog synth capable of doing massive bass as well as very unusual pads. It’s versatile, it’s compact, it’s cheap, and it sounds great. And unlike the Microkorg, it’s got a proper keyboard, albeit without aftertouch.

For some reason, the MIDI Thru jack in my R3 stopped working today, which is bothersome, but also a welcome excuse to open the R3’s housing and take a look inside. I had this idea of equipping it with an aftertouch sensor for even more variation and liveliness in playing. And now I’m confident it would work, although I won’t be able to do the mod for some time.  Weiterlesen

Tech Hack: Alesis IO Dock with USB Hub

Update, May 2014. I’ve put the unit on eBay. And I’ve summarised lessons learned from this hack here.

The Alesis IO Dock is a great product for iPad musicians – this small hack makes it even greater. It overcomes one limitation of the IO Dock: You can’t simply hook it to a USB hub. So I decided to build in an additional hub – which allows me to hook up additional class-compliant interfaces like my M-Audio Axiom master keyboard, and power them via the hub.

Yes, it works. No, it hasn’t been thoroughly tested yet. So try at your own risk.

The hacked IO Dock

The hack isn’t too sophisticated or demanding. Yet there are a couple of things we need to discuss before going to the step-by-step description. I’ve also tried to answer some questions that might arise in the FAQ.

What we’re doing:

We’re smuggling the USB hub into the connection between the iPad and the IO dock. (The video explains why.)

What you need:

  • A USB hub. Edit, 4-Jan-2012:  After giving it some more consideration I think that you might start with a normal hub rather than a powered one. (I used a powered hub Belkin F5U404.) This has certain limitations, though. Why? USB knows two basic types of port power – normal USB ports are supposed to deliver a 5V supply current of up to 100mA. That is enough to power simple interfaces and USB sticks. It is not enough to charge your phone, or to power a USB master keyboard.  So using a hub without power supply would normally mean that the iPad is not properly charged – but the way the iPad charges is actually hard-wired in the IO Dock’s iPad connector, so the iPad will charge even without a powered hub. (It is connected to the USB port’s input rather than to its output anyway).  IMPORTANT: As we will be using the IO Dock’s power supply, there are some limits to what we can drive with our hub. Please: See the FAQ. And I’ll have a more thorough look at the IO Dock’s power supply circuitry soon.
  • The hub’s connector cable. These cables have a flat A-type USB plug to go into your computer, and usually a micro-USB B-type plug like the ones for charging your phone (if you don’t have an iPhone, that is). We are going to cut up this cable and configure it to supply and interface the hub within the IO dock.
  • 2x 1.27mm 2mm grid pinstripe connectors – one 6-pin male, one 6-pin female. If you can, get connector strips with turned sockets; you can use them as plug and as female connector, like these ones. The original connector is like this one: [sample]
    EDIT, 19-Aug-13: Corrected the „these ones“ link to RS Components. Also see FAQ section.  EDIT, 10-Sep-14: Modelmakers may look in their boxes for JST PH connectors (thanks Wolfgang!)
  • A small 100uF/6.3V capacitor – or something along these lines – as a buffer for the hub’s power supply. If you haven’t already, see the FAQ.
  • Basic soldering tools and skills. 
  • A Dremel tool to cut out a hole for the additional USB ports in the IO Dock.
  • Glue to fix the hub within the housing – I used a run-of-the-mill hot glue gun.
  • A class-compliant USB device for testing. (What’s that? See the FAQ.)
  • Approximately 2 hours to do it.

Me with a surgical mask and a Dremel tool

Not really a project for the aspiring Evil Mad Scientist – there’s hardly any rocket science involved – but especially the Dremel brought out my inner Walter White.

So let’s get started!

Weiterlesen

Breaking: Kallt heißt jetzt Strala!

Nur nebenbei: Wer Lust hätte, sich einen Ikea-Moodstar zu basteln, jetzt wär‘ die Zeit!

(Okay, die Lampe heißt nicht mehr Kallt. An der Qualität des LED-Lichts ändert das m.E. nur wenig – eisig ist es. Kann mir nicht vorstellen, dass Ikea das Ding groß verkauft hat – außer an Typen wie mich. Was tun die Schweden? Haben einfach zwei Jahre gewartet, bis Gras über das Fiasko gewachsen war, und bringen dann das gleiche Produkt nochmal auf den Markt, unter neuem Namen. Und, ach ja: wenn ich mich richtig erinnere, ist die Lampe jetzt 5 Euro billiger. Die LED-Technik macht ständig erstaunliche Fortschritte.)

 

 

 

Leserversteher: Bild pusht Flip-Konkurrenten

Berlin (ots) – Für BILD.de optimierte Vado-Pocketcam von Creative ab 4. Dezember 2008 bei Lidl
Nach dem großen Erfolg der 1414-Leserreporter im Fotobereich erweitert BILD die Leserbeteiligung jetzt um bewegte Bilder. Die technischen Voraussetzungen dafür bietet eine preisgünstige und leicht zu bedienende Videokamera, die der Hersteller Creative in Kooperation mit BILD.de ab 4. Dezember 2008 in 3000 Lidl-Filialen anbietet. Das Besondere an der „BILD.de Leserreporter-Kamera“ für 69,99 Euro ist die Upload-Möglichkeit von Videos auf das Online-Portal von BILD.

Muss man das Gerätchen als Massenverdummungswaffe sehen – oder spricht da nicht eher jemand eine Einladung zum kreativen Basteln aus?

Halten wir fest: hinter dem Lidl/Bild-Angebot versteckt sich eine Creative Vado [Hersteller]. Die kostet sonst auf dem deutschen Markt rund 100 Euro, in den USA 100 Dollar – das Lidl-Angebot ist also ein Schnäppchen, auch wenn man dafür das Prekariatsbranding ertragen muss. Über die Bildqualität sind die Meinungen geteilt – während Gizmodo ein Urteil klar zugunsten der Flip fällte, sehen diese Rezensenten die Vado leicht vorn.

Und hier ein Video von einem, der mal beide Kameras nebeneinander gehalten hat – und die Vado ebenfalls nicht besonders bildstark findet.

Halten wir fest: ähnliche Geräteklasse, ähnliche Probleme. Auch die Vado hat ein Billigmikro und eine Einfachstoptik – und bei 70 Euro ist das finanzielle Risiko absehbar. Wird gekauft und geschleift – sie barmt ja geradezu danach, aus ihrem „Bild“-Gehäuse-Gefängnis befreit zu werden.

1984 zum kleinen Preis? Über die gesellschaftliche und mediale Seite der ganzen „Leserreporter“-Aktion kann man sich ja mit Recht Gedanken machen – der Bastler in mir ist pro.

Nachtrag: Wahre Worte von Mercedes Bunz (über medienlese.com):

Tatsächlich sind die eindringlichsten Bilder der letzten Ereignisse allesamt von Laien aufgenommen worden. Egal ob 09/11 oder der Tsunami 2004, egal ob Abu Ghraib oder die Hinrichtung Sadam [sic] Husseins, es waren private Aufnahmen, die Geschichte geschrieben haben. Und ja, diese Entwicklung muss man ernst nehmen. Das bedeutet nicht, dass man den Leser Bild-alike mit schlechtem Billigmaterial ausstatten muss.

Hacking the Flip for fun and profit

Die allseits beliebte Einknopfkamera Flip getestet und die ersten Codecstürme überstanden – Zeit für eine kurze Blogschau zum Thema „Aufbohren“: Überlegungen, wie man die Grenzen der Flip überschreitet.

Als da wären:

  • Die Flip ist viel zu leicht. Freihändig aufgenommene Szenen, zumal ruhige, wackeln wie der sprichwörtliche Kuhschwanz (vorausgesetzt, die Kuh ist auf Turkey und über das übliche Schlachtalter um Jahre hinaus). Was besonders schade ist, da sich die Einfach-Kamera besonders für ruhige, sonnendurchflutete Bilder anbietet.

Abhilfe: Eine „Steadicam“ – oder zumindest was in der Art. Richtige Steadicams® gleichen die Bewegungen des Körpers über eine Pendelmechanik und ein Gegengewicht aus – und halten die Kamera so wunderbar ruhig. (Eine der ersten Steadicam-Kinoszenen – und bis heute eine der eindrucksvollsten – ist in Kubricks „The Shining“ zu sehen: der Flug der Kamera hinter dem Dreirad des kleinen Danny. Schauder. – Gedreht hat sie Garrett Brown, der Erfinder der Steadicam [mehr], sein Bericht über die Dreharbeiten hier. Zitat: „I realized by the afternoon of the first day’s work that here was a whole new ball game, and that the word „reasonable“ was not in Kubrick’s lexicon.“ Aber ich schweife ab.)

Nun kostet ein SC-System über 3000 Dollar und sähe mit der Flip auch ziemlich doof aus. Aber es geht auch billiger:  Der Amerikaner Johnny Chung Lee hat das als erster in seiner „Poor Man’s Steadicam“ bewiesen. Und für den ganz kleinen Hausgebrauch tut’s ein hundsordinäres Mikrostativ mit Stahlgussfuß [Artikel bei Conrad] und dann noch ein filmisches Buch von einigem Gewicht: als besonders gut geeignet hat sich das Film-Standardwerk von James Monaco erwiesen. [Amazon]

Poorer Man's Steadicam: Standstativ mit Zusatzgewicht

Poorer Man's Steadicam: Standstativ mit Zusatzgewicht

Damit sind zwar lang noch keine Flüge möglich wie bei Kubrick – da fehlt wohl die zweite Hand – aber immerhin so was:

Und ansonsten mag’s die Flip gern solide – sie ist wie dafür gemacht, mit ein paar Gummi- oder Klebebändern an Fahrzeugen befestigt zu werden, siehe Test 1.– Problem gelöst, auf zum nächsten Punkt:

Eine Bolex mit Wechselobjektivteller

Eine Bolex mit Wechselobjektivteller

Abhilfe: Eine Lösung aus den 50ern feiert Auferstehung – das Wechselobjektiv. Mein Vater hatte so was – wenn ich mich richtig erinnere, eine Bolex, jedenfalls mechanisch für Normal 8, mit mechanischem Aufzug und eben einem Wechselteller mit drei Objektiven. Die einfache Variante hat  dieser Mountainbiker erkundet: Vorsatzobjektive.

Drittes Problem:

  • Mauer Sound. Als Kollege Kania mit der Flip auf der Clubnight war, kam am Ende nur Geknarze auf der Tonspur an – die Bässe waren für das arme Flip-Minimic zu viel. Bei anderen Gelegenheiten hätte man dem- oder derjenigen, die man vernimmt, gerne direkt ein Mikro unter die Nuschelnase gehalten, um überhaupt was zu verstehen.

Theoretisch kein Problem: wie man interne Mikros durch einen externen Eingang umgeht, kann man sich schön bei diesem Projekt anschauen, das einen Zoom-H2-Audiorekorder umbaut. Geht sicher auch bei der Flip.

Nun wird’s spannend: dafür muss man sie nämlich auseinander nehmen. Das Vorgängermodell F130W hat das schon hinter sich. Allerdings hatte diese Kamera noch Schrauben – beim Gehäuse der Flip geht’s nicht ohne Gewalt ab, und deshalb muss ich darauf verzichten, weil „meine“ Flip nur geliehen war. Aber gehen muss es! Next time.

Nachsatz: Leider habe ich trotz längerer Suche niemanden finden können, der eine Flip schon mal ganz auseinander gerissen hat. CNET, hilf!