For people interested in the technology behind the great sound - use the attached script on a .KUF file.
Read those:
http://documentation.renesas.com/doc/pr ... sh7705.pdf
http://documentation.renesas.com/doc/pr ... sh_3sm.pdf
The bootloader (KBTL) gets loaded by a smaller bootloader (which I call BOOT0) to address 0xCD00000 and executed there.
BOOT0 and KBTL are located in 512 KBytes of NOR-Flash, but only BOOT0 is XIP.
The application and objects are stored in a bigger NAND-Flash.
If you want debug messages, you need to solder a UART onto your mainboard. The correct part is a SC16C550. And of you need a level shifter (or just use a USB<->Serial adapter with 3.3V levels).
Have fun!
kufextract.py:
#!/usr/bin/python
import sys, struct
def LZ77readEncValue(data):
result = 0
rpos = 0
while True:
value = ord(data[rpos])
rpos += 1;
result <<= 7
result |= value & 0x7F
if not value & 0x80:
break;
return (rpos, result)
def LZ77unpack(data):
marker = data[0]
dout = ""
rpos = 1
print "Marker Byte: 0x%02X" % (ord(marker))
while rpos < len(data):
if data[rpos] == marker:
startpos = rpos
rpos += 1
(rcount, count) = LZ77readEncValue(data[rpos:])
rpos += rcount
if count == 0:
dout+=marker
continue
(rcount, back) = LZ77readEncValue(data[rpos:])
rpos += rcount
assert back <= len(dout)
startpos = len(dout) - back
dout += dout[startpos:startpos+count]
else:
dout+=data[rpos]
rpos += 1
return dout
offsets = ((0x58, 0x78), (0x78, 0x98), (0x98, 0xB8), (0xB8, 0xD8), (0xD8, 0xF8))
for file in sys.argv[1:]:
data = open(file, 'r').read()
print file
for offset in offsets:
(fourcc, pc3k, major, minor, nullA, offset, nullB, nullC) = struct.unpack('>4s4sLLLLLL', data[offset[0]:offset[1]])
if pc3k == "PC3K":
print "%s:%s V%i.%02i 0x%08X" % (pc3k, fourcc, major, minor, offset)
blockfmt = '>4sLLLLLLLLLL'
blocksz = struct.calcsize(blockfmt)
(fourccX, nullA, sizeX, nullB, nullC, nullD, nullE, nullF, nullG, nullH, nullI) = struct.unpack(blockfmt, data[offset:offset+blocksz])
print " %s %i %i %i %i %i %i" % (fourccX, nullA, sizeX, nullB, nullC, nullD, nullE)
print " NewOffset: 0x%08X" % (offset + blocksz + sizeX)
offset += blocksz
(fourccY, nullA, sizeY, nullB, nullC, nullD, nullE, nullF, nullG, nullH, nullI) = struct.unpack(blockfmt, data[offset:offset+blocksz])
print " %s %i %i %i %i %i %i" % (fourccY, nullA, sizeY, nullB, nullC, nullD, nullE)
print " NewOffset: 0x%08X" % (offset + blocksz + sizeY)
offset += blocksz
print " Data: ", ' '.join(["%02X" % (ord(byte)) for byte in data[offset:offset+16]])
f = open(file + "." + fourccX + "." + fourccY, 'w')
f.write(data[offset:offset+sizeY])
f.close()
if fourccY == "LZ77":
unpacked = LZ77unpack(data[offset:offset+sizeY])
f = open(file + "." + fourccX, 'w')
f.write(unpacked)
f.close()
Hahah. Touche, Fran. 
Will my "Hello Kurzweil!" binary count as an application?
(Just kidding - I am not located in the U.S. and already have a day job...)
Just noticed that this board is run by a Kurzweil software engineer...ooops...
But hey, this is kind of interesting: I would be interested to know what Kurzweil's policy regarding "Hackers" is. To be clear: it is not my intention to pirate anything (which is more or less impossible anyway because of the custom MARA DSPs).
It would be really cool if Kurzweil would even support (just a little) hacking their hardware... and it would set you apart from other big Ks who try to fix their broken wannabe security on their linux based synths with their lawyers...
Well, there isn't a public hacking policy from the company as far as I know... maybe in some legal stuff that I'm unaware.
As a software engineer, personally, I'm always curious, and most of the times amazed, to see what people can do
Regards,
Fran
Well, there isn't a public hacking policy from the company as far as I know... maybe in some legal stuff that I'm unaware.
As a software engineer, personally, I'm always curious, and most of the times amazed, to see what people can do
Assignment #1 for Darkstar.
Maybe he could develop a way to utilize the empty expansion slot for all of us that didn't buy the Kore64 seeing Kurzweil doesn't think that's possible. I would pay for that custom upgrade.
Hi Fran, I have a PC2X and PC3K6..... now I read Kurzweil uses Renesas uController for its keyboards.
I am an hardware/firmware engineer working with Renesas SH7032 and SH7086 uControllers and I would like to know (if possible) which uControllers are used in PC2X and PC3K (not for hacking, just for my knowledge).
Thanks
Kurzweil PC3K6 Kurzweil PC2X Kawai MP5 Korg M50 ("B" team: GEM S2; Yamaha CP-30 - Ex: Yamaha PSR8000, Korg DS8, Korg DW6000, Roland D50, Roland Jupiter-4) - http://jcsbinasco.wordpress.com/la-band/
@ioannes: SH7705 in PC3K
Hi,
Currently we use a variety of Renesas processors of the SH family, as you can see if you open any of the keyboards. Depending on the product you could see a different flavor of the processor.
Regards,
Fran
