The KORG Kronos software contains yet another GPL violation in the proprietary kernel module loadmod.ko that is delivered with the recovery images on the support page.
The module is statically linked with the gmplib that is distributed under GPL/LGPL dual licensing. KORG does not provide the source code for loadmod.ko as required by the GPL.
In newer firmware versions, gmplib is no longer included in loadmod.ko, but in a different module called STGGmp.ko. So it looks like KORG is aware of the licensing problem but does not fix their old binaries.
Update: The statically linked version of loadmod.ko was not present in firmware version 3.0.2. It was distributed again with firmware version 3.0.3. On 2015-12-25, firmware version 3.0.3 was replaced with a firmware that is internally branded as 3.0.3B; the only change between 3.0.3 and 3.0.3B was to replace the statically linked loadmod.ko with the dynamically linked version.
Friday, 29 May 2015
What does /sbin/loadoa do?
```
=== increment progress ===
fopen("/proc/progress")
fscanf("%d")
add 1
fprintf("%d")
fflush()
fclose()

=== load modules (1st batch) ===
/sbin/insmod /usr/realtime/modules/rtai_hal.ko
/sbin/insmod /usr/realtime/modules/rtai_smp.ko
/sbin/insmod /usr/realtime/modules/rtai_sem.ko
/sbin/insmod /usr/realtime/modules/rtai_ndbg.ko
/sbin/insmod /usr/realtime/modules/rtai_fifos.ko
/sbin/insmod /sbin/STGEnabler.ko
/sbin/insmod /sbin/STGGmp.ko

=== set smp affinity ===
search "ehci_hcd" in /proc/interrupts
write '4' to "/proc/irq/%d/smp_affinity"

=== load modules (2nd batch) ===
/sbin/insmod /sbin/OmapNKS4Module.ko
/sbin/insmod /sbin/OmapVideoModule.ko
/sbin/insmod /sbin/GetPubIdMod.ko
/sbin/insmod /sbin/loadmod.ko

=== check if STG modules are alive ===
open /tmp/stgStatus
check if value is '1'

=== mount crypto FS (1st batch) ===
/bin/mount -n -t ignoreType ignoreDev /korg/rw/PCM/WaveMotion > /dev/null
/bin/mount -n -t ignoreType ignoreDev /korg/Mod > /dev/null

=== load modules (3rd batch, from cryptoFS) ===
/sbin/insmod /korg/Mod/KorgUsbAudioDriver.ko
/sbin/insmod /sbin/USBMidiAccessory.ko

=== fork ===
fork() => child stays and will update /proc/progress
parent writes progress child PID to "/tmp/progress.pid":
  fopen("/tmp/progress.pid")
  fprintf("%d")
  fflush()
  fclose()

=== mount 2nd disk if present ===
call "Has2ndInternalDisk":
  ls /sys/block | grep sdb
  udevinfo -a -p /sys/block/sdb | grep DRIVERS | grep usb
mount -t ext3 -o commit=1,noatime /dev/sdb1 /korg/rw2
mv -f /korg/rw2/Options/* /korg/rw/Options
mount --bind /korg/rw/HD /korg/ftp/SSD1

=== load modules (4th batch, from cryptoFS) ===
/sbin/insmod /korg/Mod/OA.ko Has2ndInternalDisk=?

=== mount more stuff ===
/bin/umount -n /korg/Mod
/bin/mount -n -t ignoreType ignoreDev /korg/Eva > /dev/null
/bin/mount -n -t ignoreType ignoreDev /korg/rw/PCM/WaveMotion > /dev/null

=== run fanctrld ===
/bin/fanctrld > /dev/null

=== run Eva ===
/korg/Eva/Eva > /dev/null
```
Why do you need to "authorize" your Synthesizer?
When you "authorize" your Kronos (for example after recovery), the authorization file actually contains the crypto keys necessary to access proprietary kernel modules, the actual synthesizer software and some "WaveMotion" data.
The keys are not there in plain, but encrypted with another key that is stored in the Kronos' security chip. The encryption key is probably different for each device so that one authorization file is only valid for one synth.
To access the security chip, you need a different key (see authorization and encryption in the AT88's datasheet) which is calculated from the Public ID and some magic numbers in the driver module.
So, when you "authorize" your Kronos, you get the crypto keys to access the synthesizer software on it.
Thursday, 28 May 2015
Notes from inside the Kronos - Part II: The OMAP (NKS4)
The AM1806B is connected to the Kronos' PC as a USB 2.0 Device. It is used as an I/O helper for the PC with (at least) the following tasks:
- LCD Display Interface - the OMAP exports its display interface via USB to the PC, where one of KORG's proprietary drivers installs it as a framebuffer device. So the contents you see on the display are (except for the startup screen) rendered by the PC and sent to the OMAP via USB.
- Touch Screen Interface
- Audio Interface(s) and audio mixing / routing
- MIDI Interface(s)
- Interface to the PSOC which handles the mechanical user interface
- Interface to the Security IC
- USB Device Interface (The Kronos' USB Host Ports are provided by the Intel Mainboard)

Correction: an earlier version of this list included effects processing ("Probably the OMAP handles the IFX and MFX (to be confirmed...)"). There is no effect processing on the OMAP. All effect processing is done on the PC.

The OMAP is often referred to as "NKS4".
Wednesday, 27 May 2015
Warranty void
The Ethernet port on the Kronos' mainboard is actually functional. So it's possible to add an extra Ethernet port to the Kronos without using a USB<->Ethernet adapter.
Notes from inside the Kronos - Part I: The security IC
The AT88SC0204CA is used for at least the following purposes:
- It defines the Kronos' Public ID
- It holds (part of) the AES keys that are used to encrypt the synthesizer software
- It is used to authenticate EXs
Tuesday, 26 May 2015
About the Linux kernel used in KORG Kronos
It is well known that KORG's Kronos Synthesizer uses a (more or less) standard Intel Mainboard/CPU for a large part of its functionality. The Intel CPU runs the Application Software with the User Interface, handles Storage and USB Host / Network connections, generates the synthesizer voices and does all the effects. Inside the Kronos, there is also an OMAP CPU that connects most of the audio-related I/O Ports (Analog Audio, MIDI, USB Device). This OMAP CPU is connected to the PC as a USB device.
If we look at the software running on the Intel CPU, it becomes pretty clear that there is a Linux Kernel with RTAI realtime extensions. KORG provides the source code for the kernel and the RTAI extensions on the recovery discs as required by the GPL. However, if you try to replace the Linux Kernel with a kernel you compiled yourself, this will not work. To prevent people from modifying their Kronos, KORG made some subtle changes to the Linux kernel that make it impossible to load the driver modules for the OMAP CPU into a kernel that was not compiled by KORG.
The first problem we have to deal with when replacing the kernel is that KORG does not provide the kernel configuration file. It is also not included in the original kernel. This might be regarded as a violation of the GPL since the kernel configuration is clearly a source file required to build the kernel. Furthermore, KORG has modified specific functions (register_cdrom() and init_cdrom_command()) to provide some kind of Challenge/Response authentication mechanism. The driver modules call those modified functions and expect a certain behaviour that only the kernel compiled by KORG exposes.
This is a clear GPL violation since the modifications done to the kernel are not provided with the binary.
The register_cdrom()/init_cdrom_command() mechanism works like this:
1. Proprietary module calls register_cdrom() with a magic number in cdrom_device_info.for_data to identify itself to the kernel
2. register_cdrom() writes a pointer to a statically allocated struct cdrom_generic_command into cdrom_device_info.handle (actually, the pointer is obfuscated by some bitshifting and offset adding) and returns the (otherwise unused) errorcode -42
3. Proprietary module inserts another magic number into the *(struct cdrom_generic_command) retrieved in step 2 and calls init_cdrom_command() with that pointer as argument
4. init_cdrom_command() does a lot of obfuscation, looks up some magic values in static arrays and returns some values by writing them into the static struct cdrom_generic_command

This mechanism is used mainly by loadmod.ko, a proprietary module that is responsible for software update and software encryption. The module refuses to load if register_cdrom()/init_cdrom_command() are not implemented as described above. It also uses the scrambling done in init_cdrom_command() to deobfuscate the keys required to loop-mount Eva.img, Mod.img and WaveMotion.img after reading those keys from the security IC.
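
The four steps above as a user-space simulation, added here as an illustration and not KORG's or the author's code. The magic numbers, lookup table, shift/offset and the simplified struct and function names are hypothetical placeholders; only the -42 return value comes from the page. It shows why a module performing this check loads on the vendor kernel and refuses on an unmodified one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical placeholders: the page does not give the real magic values. */
#define MODULE_MAGIC   0x4B524F4Eu  /* step 1: module identifies itself */
#define REQUEST_MAGIC  0x5A5A0001u  /* step 3: module's second magic number */
#define EXPECTED_REPLY 0x78782265u  /* value the module expects back */
#define PTR_OFFSET     0x1000u
#define ERR_MAGIC      (-42)        /* from the page: otherwise unused errorcode */

/* Simplified stand-ins for cdrom_device_info / cdrom_generic_command. */
struct dev_info { uintptr_t for_data; uintptr_t handle; };
struct gen_cmd  { uint32_t request; uint32_t reply; };

static struct gen_cmd shared_cmd;   /* the statically allocated struct */
static const uint32_t lut[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };

/* Pointer hiding by shift plus offset; reversible because the struct is 4-byte aligned. */
static uintptr_t hide(struct gen_cmd *p) { return ((uintptr_t)p >> 2) + PTR_OFFSET; }
static struct gen_cmd *unhide(uintptr_t h) { return (struct gen_cmd *)((h - PTR_OFFSET) << 2); }

/* Vendor-modified kernel side (steps 2 and 4). */
static int vendor_register(struct dev_info *di) {
    if (di->for_data != MODULE_MAGIC) return 0;   /* ordinary caller: normal path */
    di->handle = hide(&shared_cmd);
    return ERR_MAGIC;
}
static void vendor_init_command(struct gen_cmd *c) {
    if (c == &shared_cmd && c->request == REQUEST_MAGIC)
        c->reply = (c->request ^ lut[c->request & 3]) + 0x42u;
    else
        memset(c, 0, sizeof *c);
}

/* Unmodified kernel side: no handshake, init just clears the command. */
static int stock_register(struct dev_info *di) { (void)di; return 0; }
static void stock_init_command(struct gen_cmd *c) { memset(c, 0, sizeof *c); }

/* Module side (steps 1 and 3): returns 0 to load, -1 to refuse. */
static int module_check(int (*reg)(struct dev_info *), void (*init)(struct gen_cmd *)) {
    struct dev_info di = { MODULE_MAGIC, 0 };
    if (reg(&di) != ERR_MAGIC || di.handle == 0) return -1;
    struct gen_cmd *c = unhide(di.handle);
    c->request = REQUEST_MAGIC;
    c->reply = 0;                   /* discard any stale reply before asking */
    init(c);
    return c->reply == EXPECTED_REPLY ? 0 : -1;
}

int main(void) {
    printf("vendor kernel: %d\n", module_check(vendor_register, vendor_init_command));
    printf("stock kernel:  %d\n", module_check(stock_register, stock_init_command));
    return 0;
}
```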
Thursday, 21 May 2015
NKS4 Startup Communication
Request | Response | Comment | Module |
---|---|---|---|
0x0000ee00 | 0x00006600 | Communication Check | OmapNKS4Module.ko |
0x0000f000 | 0x02647000 | Get OMAP/PSOC Versions | OmapNKS4Module.ko |
0x0000f101 | 0x00007101 | Read Port Configuration | OmapNKS4Module.ko |
0x003f9001 | | Set Number of Analog Inputs | OmapNKS4Module.ko |
0x2800b001 | | Set All Analog Input Filter | OmapNKS4Module.ko |
0x00037000 | | Set Number of LEDs | OmapNKS4Module.ko |
0x00c08101 | | Configure Rotary Encoders | OmapNKS4Module.ko |
0x00008301 | | Configure Rotary Encoders | OmapNKS4Module.ko |
0x00018201 | | Configure Rotary Encoders | OmapNKS4Module.ko |
0x00648000 | | Set Rotary Encoder Sample Speed | OmapNKS4Module.ko |
0x004e0000 | | | |
0x2800b001 | | | |
NKS4 USB Descriptor
```
ID 0944:1005 KORG, Inc.
Device Descriptor:
  bLength             18
  bDescriptorType     1
  bcdUSB              2.00
  bDeviceClass        239 Miscellaneous Device
  bDeviceSubClass     2 ?
  bDeviceProtocol     1 Interface Association
  bMaxPacketSize0     64
  idVendor            0x0944 KORG, Inc.
  idProduct           0x1005
  bcdDevice           1.00
  iManufacturer       1 KORG INC.
  iProduct            2 KRONOS
  iSerial             0
  bNumConfigurations  1
  Configuration Descriptor:
    bLength             9
    bDescriptorType     2
    wTotalLength        351
    bNumInterfaces      6
    bConfigurationValue 1
    iConfiguration      0
    bmAttributes        0x40
      (Missing must-be-set bit!)
      Self Powered
    MaxPower            0mA
    Interface Association:
      bLength             8
      bDescriptorType     11
      bFirstInterface     0
      bInterfaceCount     3
      bFunctionClass      1 Audio
      bFunctionSubClass   0
      bFunctionProtocol   0
      iFunction           0
    Interface Descriptor:
      bLength             9
      bDescriptorType     4
      bInterfaceNumber    0
      bAlternateSetting   0
      bNumEndpoints       0
      bInterfaceClass     1 Audio
      bInterfaceSubClass  1 Control Device
      bInterfaceProtocol  0
      iInterface          0
      AudioControl Interface Descriptor:
        bLength             10
        bDescriptorType     36
        bDescriptorSubtype  1 (HEADER)
        bcdADC              1.00
        wTotalLength        52
        bInCollection       2
        baInterfaceNr( 0)   1
        baInterfaceNr( 1)   2
      AudioControl Interface Descriptor:
        bLength             12
        bDescriptorType     36
        bDescriptorSubtype  2 (INPUT_TERMINAL)
        bTerminalID         1
        wTerminalType       0x0101 USB Streaming
        bAssocTerminal      0
        bNrChannels         6
        wChannelConfig      0x0003
          Left Front (L)
          Right Front (R)
        iChannelNames       0
        iTerminal           0
      AudioControl Interface Descriptor:
        bLength             9
        bDescriptorType     36
        bDescriptorSubtype  3 (OUTPUT_TERMINAL)
        bTerminalID         2
        wTerminalType       0x0302 Headphones
        bAssocTerminal      0
        bSourceID           1
        iTerminal           0
      AudioControl Interface Descriptor:
        bLength             12
        bDescriptorType     36
        bDescriptorSubtype  2 (INPUT_TERMINAL)
        bTerminalID         3
        wTerminalType       0x0713 Synthesizer
        bAssocTerminal      0
        bNrChannels         6
        wChannelConfig      0x0003
          Left Front (L)
          Right Front (R)
        iChannelNames       0
        iTerminal           0
      AudioControl Interface Descriptor:
        bLength             9
        bDescriptorType     36
        bDescriptorSubtype  3 (OUTPUT_TERMINAL)
        bTerminalID         4
        wTerminalType       0x0101 USB Streaming
        bAssocTerminal      0
        bSourceID           3
        iTerminal           0
    Interface Descriptor:
      bLength             9
      bDescriptorType     4
      bInterfaceNumber    1
      bAlternateSetting   0
      bNumEndpoints       0
      bInterfaceClass     1 Audio
      bInterfaceSubClass  2 Streaming
      bInterfaceProtocol  0
      iInterface          3 AUDIO OUT
    Interface Descriptor:
      bLength             9
      bDescriptorType     4
      bInterfaceNumber    1
      bAlternateSetting   1
      bNumEndpoints       2
      bInterfaceClass     1 Audio
      bInterfaceSubClass  2 Streaming
      bInterfaceProtocol  0
      iInterface          3 AUDIO OUT
      AudioStreaming Interface Descriptor:
        bLength             7
        bDescriptorType     36
        bDescriptorSubtype  1 (AS_GENERAL)
        bTerminalLink       1
        bDelay              0 frames
        wFormatTag          1 PCM
      AudioStreaming Interface Descriptor:
        bLength             11
        bDescriptorType     36
        bDescriptorSubtype  2 (FORMAT_TYPE)
        bFormatType         1 (FORMAT_TYPE_I)
        bNrChannels         6
        bSubframeSize       3
        bBitResolution      24
        bSamFreqType        1 Discrete
        tSamFreq[ 0]        48000
      Endpoint Descriptor:
        bLength             9
        bDescriptorType     5
        bEndpointAddress    0x01 EP 1 OUT
        bmAttributes        5
          Transfer Type       Isochronous
          Synch Type          Asynchronous
          Usage Type          Data
        wMaxPacketSize      0x0090 1x 144 bytes
        bInterval           1
        bRefresh            0
        bSynchAddress       129
        AudioControl Endpoint Descriptor:
          bLength             7
          bDescriptorType     37
          bDescriptorSubtype  1 (EP_GENERAL)
          bmAttributes        0x00
          bLockDelayUnits     0 Undefined
          wLockDelay          0 Undefined
      Endpoint Descriptor:
        bLength             9
        bDescriptorType     5
        bEndpointAddress    0x81 EP 1 IN
        bmAttributes        1
          Transfer Type       Isochronous
          Synch Type          None
          Usage Type          Data
        wMaxPacketSize      0x0003 1x 3 bytes
        bInterval           1
        bRefresh            6
        bSynchAddress       0
    Interface Descriptor:
      bLength             9
      bDescriptorType     4
      bInterfaceNumber    2
      bAlternateSetting   0
      bNumEndpoints       0
      bInterfaceClass     1 Audio
      bInterfaceSubClass  2 Streaming
      bInterfaceProtocol  0
      iInterface          4 AUDIO IN
    Interface Descriptor:
      bLength             9
      bDescriptorType     4
      bInterfaceNumber    2
      bAlternateSetting   1
      bNumEndpoints       1
      bInterfaceClass     1 Audio
      bInterfaceSubClass  2 Streaming
      bInterfaceProtocol  0
      iInterface          4 AUDIO IN
      AudioStreaming Interface Descriptor:
        bLength             7
        bDescriptorType     36
        bDescriptorSubtype  1 (AS_GENERAL)
        bTerminalLink       4
        bDelay              0 frames
        wFormatTag          1 PCM
      AudioStreaming Interface Descriptor:
        bLength             11
        bDescriptorType     36
        bDescriptorSubtype  2 (FORMAT_TYPE)
        bFormatType         1 (FORMAT_TYPE_I)
        bNrChannels         6
        bSubframeSize       3
        bBitResolution      24
        bSamFreqType        1 Discrete
        tSamFreq[ 0]        48000
      Endpoint Descriptor:
        bLength             9
        bDescriptorType     5
        bEndpointAddress    0x83 EP 3 IN
        bmAttributes        5
          Transfer Type       Isochronous
          Synch Type          Asynchronous
          Usage Type          Data
        wMaxPacketSize      0x0090 1x 144 bytes
        bInterval           1
        bRefresh            0
        bSynchAddress       0
        AudioControl Endpoint Descriptor:
          bLength             7
          bDescriptorType     37
          bDescriptorSubtype  1 (EP_GENERAL)
          bmAttributes        0x00
          bLockDelayUnits     0 Undefined
          wLockDelay          0 Undefined
    Interface Association:
      bLength             8
      bDescriptorType     11
      bFirstInterface     3
      bInterfaceCount     1
      bFunctionClass      255 Vendor Specific Class
      bFunctionSubClass   0
      bFunctionProtocol   0
      iFunction           0
    Interface Descriptor:
      bLength             9
      bDescriptorType     4
      bInterfaceNumber    3
      bAlternateSetting   0
      bNumEndpoints       2
      bInterfaceClass     255 Vendor Specific Class
      bInterfaceSubClass  255 Vendor Specific Subclass
      bInterfaceProtocol  0
      iInterface          5 NKS
      Endpoint Descriptor:
        bLength             7
        bDescriptorType     5
        bEndpointAddress    0x02 EP 2 OUT
        bmAttributes        2
          Transfer Type       Bulk
          Synch Type          None
          Usage Type          Data
        wMaxPacketSize      0x0200 1x 512 bytes
        bInterval           0
      Endpoint Descriptor:
        bLength             7
        bDescriptorType     5
        bEndpointAddress    0x82 EP 2 IN
        bmAttributes        3
          Transfer Type       Interrupt
          Synch Type          None
          Usage Type          Data
        wMaxPacketSize      0x0080 1x 128 bytes
        bInterval           4
    Interface Association:
      bLength             8
      bDescriptorType     11
      bFirstInterface     4
      bInterfaceCount     2
      bFunctionClass      1 Audio
      bFunctionSubClass   0
      bFunctionProtocol   0
      iFunction           0
    Interface Descriptor:
      bLength             9
      bDescriptorType     4
      bInterfaceNumber    4
      bAlternateSetting   0
      bNumEndpoints       0
      bInterfaceClass     1 Audio
      bInterfaceSubClass  1 Control Device
      bInterfaceProtocol  0
      iInterface          0
      AudioControl Interface Descriptor:
        bLength             9
        bDescriptorType     36
        bDescriptorSubtype  1 (HEADER)
        bcdADC              1.00
        wTotalLength        9
        bInCollection       1
        baInterfaceNr( 0)   5
    Interface Descriptor:
      bLength             9
      bDescriptorType     4
      bInterfaceNumber    5
      bAlternateSetting   0
      bNumEndpoints       3
      bInterfaceClass     1 Audio
      bInterfaceSubClass  3 MIDI Streaming
      bInterfaceProtocol  0
      iInterface          6 LEGACY MIDI
      MIDIStreaming Interface Descriptor:
        bLength             7
        bDescriptorType     36
        bDescriptorSubtype  1 (HEADER)
        bcdADC              1.00
        wTotalLength        52
      MIDIStreaming Interface Descriptor:
        bLength             6
        bDescriptorType     36
        bDescriptorSubtype  2 (MIDI_IN_JACK)
        bJackType           1 Embedded
        bJackID             16
        iJack               5 NKS
      MIDIStreaming Interface Descriptor:
        bLength             9
        bDescriptorType     36
        bDescriptorSubtype  3 (MIDI_OUT_JACK)
        bJackType           2 External
        bJackID             64
        bNrInputPins        1
        baSourceID( 0)      16
        BaSourcePin( 0)     1
        iJack               0
      MIDIStreaming Interface Descriptor:
        bLength             9
        bDescriptorType     36
        bDescriptorSubtype  3 (MIDI_OUT_JACK)
        bJackType           1 Embedded
        bJackID             48
        bNrInputPins        1
        baSourceID( 0)      32
        BaSourcePin( 0)     1
        iJack               6 LEGACY MIDI
      MIDIStreaming Interface Descriptor:
        bLength             6
        bDescriptorType     36
        bDescriptorSubtype  2 (MIDI_IN_JACK)
        bJackType           2 External
        bJackID             32
        iJack               0
      MIDIStreaming Interface Descriptor:
        bLength             6
        bDescriptorType     36
        bDescriptorSubtype  2 (MIDI_IN_JACK)
        bJackType           1 Embedded
        bJackID             17
        iJack               7 USB MIDI
      MIDIStreaming Interface Descriptor:
        bLength             9
        bDescriptorType     36
        bDescriptorSubtype  3 (MIDI_OUT_JACK)
        bJackType           2 External
        bJackID             65
        bNrInputPins        1
        baSourceID( 0)      17
        BaSourcePin( 0)     1
        iJack               0
      Endpoint Descriptor:
        bLength             9
        bDescriptorType     5
        bEndpointAddress    0x04 EP 4 OUT
        bmAttributes        2
          Transfer Type       Bulk
          Synch Type          None
          Usage Type          Data
        wMaxPacketSize      0x0040 1x 64 bytes
        bInterval           0
        bRefresh            0
        bSynchAddress       0
        MIDIStreaming Endpoint Descriptor:
          bLength             5
          bDescriptorType     37
          bDescriptorSubtype  1 (GENERAL)
          bNumEmbMIDIJack     1
          baAssocJackID( 0)   16
      Endpoint Descriptor:
        bLength             9
        bDescriptorType     5
        bEndpointAddress    0x84 EP 4 IN
        bmAttributes        2
          Transfer Type       Bulk
          Synch Type          None
          Usage Type          Data
        wMaxPacketSize      0x0040 1x 64 bytes
        bInterval           0
        bRefresh            0
        bSynchAddress       0
        MIDIStreaming Endpoint Descriptor:
          bLength             5
          bDescriptorType     37
          bDescriptorSubtype  1 (GENERAL)
          bNumEmbMIDIJack     1
          baAssocJackID( 0)   48
      Endpoint Descriptor:
        bLength             9
        bDescriptorType     5
        bEndpointAddress    0x03 EP 3 OUT
        bmAttributes        2
          Transfer Type       Bulk
          Synch Type          None
          Usage Type          Data
        wMaxPacketSize      0x0040 1x 64 bytes
        bInterval           0
        bRefresh            0
        bSynchAddress       0
        MIDIStreaming Endpoint Descriptor:
          bLength             5
          bDescriptorType     37
          bDescriptorSubtype  1 (GENERAL)
          bNumEmbMIDIJack     1
          baAssocJackID( 0)   17
Device Qualifier (for other device speed):
  bLength             10
  bDescriptorType     6
  bcdUSB              2.00
  bDeviceClass        239 Miscellaneous Device
  bDeviceSubClass     2 ?
  bDeviceProtocol     1 Interface Association
  bMaxPacketSize0     64
  bNumConfigurations  1
Device Status:     0x0001
  Self Powered
```