[HN Gopher] Remote code execution via MIDI messages
___________________________________________________________________
Remote code execution via MIDI messages
Author : portasynthinca3
Score : 102 points
Date : 2025-01-05 07:40 UTC (15 hours ago)
(HTM) web link (psi3.ru)
(TXT) w3m dump (psi3.ru)
| purplesyringa wrote:
| This is such a ludicrous premise, I'm amazed you pulled it off.
|
| You mention "another packing optimization". I'm wondering, how
| are you transferring frames? The dot matrix is eight 7x5
| characters, i.e. 280 bits in total, which amounts to 40 7-bit
| groups per frame. You seem to be using twice that space in
| transmission, is it wasted on some control data or is the
| transmission just slightly suboptimal?
| portasynthinca3 wrote:
| Thanks!
|
| The dot matrix is actually eight 5x8 characters, or 320 bits in
| total. I'm packing those 320 bits into the 4 bits per byte
| that are available to us in this shell protocol. Plus, another
| 9 bytes for the packet header and footer. Looks like I wrote 92
| in the article, I must have miscalculated that.
|
| I'm not using the full 7 bits because figuring out a way to do
| so turned out to be way too hard for me, so I opted for a
| solution that is negligibly worse than the optimal one, in
| comparison to the original one.
|
| If you're wondering about the exact algorithm, consider
| checking these files out, but please keep in mind that I
| haven't cleaned the code up yet:
| https://github.com/portasynthinca3/swl01u/blob/master/fun/bi...,
| https://github.com/portasynthinca3/swl01u/blob/master/fun/ba...
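Added worked example (editor's code, not from the article or the swl01u repository): the exchange above is about how many SysEx data bytes one 320-bit dot-matrix frame costs when the shell protocol only lets you use 4 payload bits per byte, versus the 7 bits a SysEx data byte can legally carry (every data byte between F0 and F7 must be below 0x80). The script below packs a constructed frame of eight 5x8 glyphs both ways, round-trips it, and adds the 9 bytes of header/footer overhead the author mentions. The glyph, the row-major bit order and the MSB-first packing are assumptions for illustration; the contents of the 9 overhead bytes are not given on the page, so they are only counted, not emitted.

```python
"""Size of a dot-matrix frame as SysEx payload: 4 bits/byte vs 7 bits/byte.

Constructed example; the glyph, bit ordering and packing are assumptions,
the frame geometry (8 chars of 5x8) and the 9-byte overhead come from the thread.
"""
import math
from typing import List

CHARS, GLYPH_COLS, GLYPH_ROWS = 8, 5, 8
FRAME_BITS = CHARS * GLYPH_COLS * GLYPH_ROWS   # 320 bits per frame
OVERHEAD_BYTES = 9                             # header + footer, as stated in the thread

# Constructed 5x8 glyph ('#' = lit pixel); not the synth's real font.
GLYPH_A = [".###.", "#...#", "#...#", "#####", "#...#", "#...#", "#...#", "....."]
GLYPH_BLANK = ["....."] * GLYPH_ROWS


def frame_to_bits(frame: List[List[str]]) -> List[int]:
    """Flatten eight glyphs row-major into 320 bits (1 = pixel on)."""
    if len(frame) != CHARS:
        raise ValueError("a frame holds exactly 8 glyphs")
    bits: List[int] = []
    for glyph in frame:
        if len(glyph) != GLYPH_ROWS or any(len(r) != GLYPH_COLS for r in glyph):
            raise ValueError("each glyph must be 5 columns x 8 rows")
        for row in glyph:
            bits.extend(1 if px == "#" else 0 for px in row)
    return bits


def pack_bits(bits: List[int], bits_per_byte: int) -> bytes:
    """Pack bits MSB-first into bytes carrying `bits_per_byte` payload bits each.

    Only 1..7 bits per byte are legal: a SysEx data byte with bit 7 set is not
    data but a status byte, so 8-bit packing would corrupt the message.
    """
    if not 1 <= bits_per_byte <= 7:
        raise ValueError("SysEx data bytes carry at most 7 payload bits")
    out = bytearray()
    for i in range(0, len(bits), bits_per_byte):
        chunk = bits[i:i + bits_per_byte]
        chunk = chunk + [0] * (bits_per_byte - len(chunk))   # zero-pad the last byte
        value = 0
        for b in chunk:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def unpack_bits(data: bytes, bits_per_byte: int, nbits: int) -> List[int]:
    """Inverse of pack_bits; drops the padding bits past `nbits`."""
    bits: List[int] = []
    for byte in data:
        for shift in range(bits_per_byte - 1, -1, -1):
            bits.append((byte >> shift) & 1)
    return bits[:nbits]


def sysex_wrap(payload: bytes) -> bytes:
    """Wrap a payload in F0 .. F7, refusing any byte that would break framing."""
    if any(b & 0x80 for b in payload):
        raise ValueError("data byte >= 0x80 is a status byte, not SysEx data")
    return b"\xF0" + payload + b"\xF7"


def message_size(bits_per_byte: int, frame_bits: int = FRAME_BITS) -> int:
    """Payload bytes for one frame plus the 9-byte header/footer overhead."""
    return math.ceil(frame_bits / bits_per_byte) + OVERHEAD_BYTES


if __name__ == "__main__":
    frame = [GLYPH_A, GLYPH_BLANK] * 4            # constructed test frame
    bits = frame_to_bits(frame)
    for bpb in (4, 7):
        packed = pack_bits(bits, bpb)
        assert unpack_bits(packed, bpb, FRAME_BITS) == bits
        msg = sysex_wrap(packed)
        print(f"{bpb} bits/byte: {len(packed)} payload bytes, "
              f"{message_size(bpb)} with header/footer, SysEx length {len(msg)}")
```

Running it reproduces the arithmetic in the thread: 4 bits per byte gives 80 payload bytes (89 with overhead), full 7-bit packing would give 46 (55 with overhead), and 8-bit packing is rejected because it would emit bytes that a MIDI parser treats as status bytes.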
| beardyw wrote:
| Thanks, a great read.
| Terr_ wrote:
| While I suggest reading the whole thing, the money-quotes:
|
| > So yeah, these [keyboard manufacturer] madlads made a shell
| that runs on top of MIDI SysEx messages on top of USB.
|
| > [T]he most interesting commands that we have are arbitrary
| memory read/write commands. So, if we really wanted to, we could
| just peek and poke the memory of the synth via MIDI.
|
| > If we wanted to, we could write these messages to a MIDI file
| and play it on the synth like any other MIDI file. Hey, that
| gives me an idea.....
|
| > From the countless sleepless nights of digging around in the
| firmware I've discovered a function that sends arbitrary data to
| the LCD controller.
| liotier wrote:
| Of course it is SysEx. SysEx is to standard MIDI what inline
| assembler is to Python. A world of undocumented proprietary stuff
| lurks within just about every MIDI device!
| fer wrote:
| Yeah, same thinking here. No standard, manufacturer-defined,
| everything-goes kind of messages.
| cluckindan wrote:
| Any mirrors not in Russia? My ISP blocks access.
| jeroenhd wrote:
| https://archive.is/N5t7a
| codetrotter wrote:
| Snapshot: https://archive.is/FVUHe
|
| There's an embedded YouTube video in the article as well, that
| appears twice. First at the top and then again further down.
|
| https://www.youtube.com/watch?v=u6sukVMijBg
|
| There are also several videos in the article that are hosted on
| the same site as the original article (so on the .ru site).
| Those are not included in the snapshot unfortunately. You'll
| see placeholders and the associated text that describes them
| but you can't view those via the snapshot.
|
| It also contains a link to a GitHub repo at the end.
|
| https://github.com/portasynthinca3/swl01u
| perching_aix wrote:
| > Now, we have to get a little philosophical here. In my eyes, RE
| is like a game of minesweeper. You start with an empty field not
| knowing the state of any of the cells, i.e. not knowing whether
| each individual cell contains a landmine or not. When you
| discover the state of a cell, you have the context to deduce the
| state of its neighbor cells. In minesweeper, you don't have a
| particular direction in which you progress. You never say "In
| this game of minesweeper, I want to go up no matter what", you
| just let the numbers nudge you in the direction that is the
| easiest to go in at the moment. I assert that this is also true
| for RE. Once you find out what a function or a variable does, you
| suddenly understand a little more about functions and variables
| that depend on the ones whose meaning you've just inferred. It
| may be beneficial not to set any particular goal with an RE
| project, and instead letting the complex network of intertwined
| functions and variables guide you towards understanding the
| system as a whole.
|
| That's such a nice way to think about it. Maybe I should try
| giving RE a go again.
| moosedev wrote:
| Great project, write-up, and sense of humor in the videos!
|
| > Using that part number I wasn't able to find any information
| about the chip online apart from an article that claimed it was
| based around a "SuperH" CPU core - an ISA that I've encountered
| for the first time ever in that article.
|
| Also found in Sega 32x, Sega Saturn, and Sega Dreamcast! And some
| early Pocket PCs (turn-of-the-century handhelds running Windows
| CE) like the HP Jornada series, although most Pocket PCs were
| ARM-based.
| trelbutate wrote:
| So, the repo's README claims the repo contains the image dumps,
| but they're not actually there. Is this correct?
___________________________________________________________________
(page generated 2025-01-05 23:00 UTC)