Rooting the KORG Kronos

Disclaimer: The following file is provided without any warranties. Backup all your settings before using it - maybe you'll need to ...


Samstag, 12. September 2015

Compiling a Linux kernel for the KORG Kronos

It is not a secret that the KORG Kronos is running Linux with RTAI extensions.

To understand how the Kronos software works and also for development of custom software, it would certainly be useful to be able to compile our own kernel that loads and runs KORG's proprietary modules and the Kronos software.

The Version Magic String of the kernel distributed with the Kronos is " SMP preempt mod_unload ATOM". Futhermore, /proc/version tells us that the kernel was compiled using GCC 4.5.0.

Let us have a look at the kernel log output related to RTAI:
RTAI[hal]: <3.8.1> mounted over IPIPE-NOTHREADS 2.6-03.
RTAI[hal]: compiled with gcc version 4.5.0 (GCC) .
RTAI[malloc]: global heap size = 2097152 bytes, <BSD>.
RTAI[sched]: IMMEDIATE, MP, USER/KERNEL SPACE: <with RTAI OWN KTASKs>, <uses LINUX SYSCALLs>, kstacks pool size = 524288 bytes.
RTAI[sched]: hard timer type/freq = APIC/10416873(Hz); default timing: periodic; linear timed lists.
RTAI[sched]: Linux timer freq = 1000 (Hz), TimeBase freq = 1666440000 hz.
RTAI[sched]: timer setup = 999 ns, resched latency = 2944 ns.

Since the kernel and RTAI are distributed under the GPL, KORG should deliver all sources necessary to build the kernel together with the compiled binary file (or include a written offer to send the sources on request).

In some documentation, it says that the sources for GPLed code would ship on "Accessory Disk 2". 

Since KORG is distributing the compiled Linux kernel online in the Kronos Firmware Update downloads, the Kernel sources should also be available online. I have not been able to find them, so this is probably a GPL violation.

Since I have bought a Kronos, I also own the Accessory Disks and - indeed - on Accessory Disk 2, there are the sources for the Linux kernel version and RTAI 3.8.1 together with two patches (scroll to the bottom of this post to see the patches in detail).

If you do not have the Accessory Disks, the sources are of course also available for download:

So, we should have everything to build our own kernel for the Kronos, right?

Unfortunately, we are still missing one crucial part of information: the kernel configuration. Usually, this configuration is compiled into the kernel and available under /proc/config.gz, but KORG has disabled that feature. So, we need to find the kernel configuration by trial and error. It is important to get this right if you want to load the proprietary modules from KORG. The rely on sizes of data structures that may differ if the kernel configuration differs. In that case, the system will behave strange and/or just crash.

Download the kernel configuration I have found by trial and error here. It is not perfect, but matches close enough.

Now, we can boot our own kernel on the synthesizer. But something is strange - the proprietary modules will not load. loadmod.ko which is supposed to mount the encrypted loop filesystems with the synthesizer software just errors out. I have already explained the reason for that behavior.

What KORG did here is a clear violation of the Linux kernel's software license - the GPL. All sources necessary to build the software must be made available with the distributed binary.

To remedy this problem (I really want my own kernel on my Kronos), I have developed a set of patches that imitate the behaviour of the kernel distributed by KORG close enough, so that loadmod.ko works:

This patch is taken directly and unmodified out of the RTAI archive (RTAI 3.8.1). It implements lots of changes and hooks that the RTAI modules need to integrate themselves into the kernel.

This patch exports two symbols (orig_mem_size and orig_mem_start). orig_mem_size is used by OA.ko (the actual synthesizer running in kernel mode) to determine how much memory is available on the system. This is important because OA.ko bypasses the kernel's dynamic memory management by ioremapping physical memory that is not used by the kernel.

This patch implements some cryptographic helpers that KORG hid inside the generic cdrom driver. Those functions are used by loadmod.ko to calculate the keys required to the security IC. If they are not implemented properly in the kernel, loadmod.ko cannot read the secret per-device key that is used to decrypt the authorization file (detailed explanation).

This patch exports do_generic_file_read() which is required by KORG's proprietary modules.

This patch enables FB_DEFERED_IO which is required by KORG's framebuffer driver (the Kronos' screen is actually a framebuffer which is sent to the OMAP via USB). Also it enables support for the legacy firewire driver which is used by KORG, but masked by BROKEN in the kernel.

This patch backports the XHCI driver from a later kernel version as the experimental driver in does not support isochronous transfers (which are required by the NKS4 board).
The patch is required only if you want to upgrade your synthesizer with a XHCI-only mainboard.

Eva (the userspace part of the Kronos firmware responsible for the UI) communicates with OA.ko (the kernel part of the Kronos firmware) via mmapped memory ranges. This patch removes the kernel's default limit on mmapped memory to accommodate Eva's requirements.

This patch replaces the stock .config (kernel configuration file) with the kernel config I researched for the Kronos. There are some small additions (USB debugging, XHCI support) that do not forfeit binary compatibility between Korg's proprietary kernel modules and the compiled kernel.

This patch is actually published by Korg on their rescue CD. Changes permissions for hardware sensor access.

This patch is actually published by Korg on their rescue CD. Patches module loading to trade memory usage for system startup time.

The latest set of patches (2016-04-02) is available here.

Using those patches, you can now compile your own bzImage for the Kronos and use it as a starting point for your own development. Have fun!

6 Kommentare:

  1. Dieser Kommentar wurde vom Autor entfernt.

  2. Dieser Kommentar wurde vom Autor entfernt.

  3. "This comment was removed by the author." Why? Where da kernel config at?

  4. The file has been deleted, can you kindly possible Reupload to another link. Thanks.

  5. From what I gather, the Kronos is now abandoned and no longer sold. We are left to make updates to it as we see fit.