Yamaha Synthesizer: Hidden MIDI Code Execution Found

Anna Antonenko, a developer who works on embedded systems and operating systems in their spare time, recently shared the results of their reverse engineering project on the Yamaha PSR-E433 musical synthesizer. While exploring the synthesizer, they discovered a hidden shell interface that allows code execution at the firmware level. The shell can be reached by sending MIDI packets containing SysEx messages while the synthesizer is connected over USB. Detailed information about the chip, firmware, code examples, and debug dumps can be found in Anna’s GitHub repository.

Anna’s interest in reverse engineering was piqued a few years ago when they decided to clean the synthesizer and explore its internal components. They came across the Yamaha SWL01U chip, for which detailed information was scarce online. After finding a guide on a similar model that included a diagram of the chip, Anna delved deeper into the device, making use of the JTAG and UART port connections on the board.

Using the OpenOCD debugger, Anna was able to connect to the JTAG interface and extract the firmware contents stored in the ROM and flash memory. The firmware images were then analyzed with the Ghidra reverse engineering package.
