From silicon to Darude – Sandstorm: breaking famous synthesizer DSPs [video]

Original link: https://media.ccc.de/v/39c3-from-silicon-to-darude-sand-storm-breaking-famous-synthesizer-dsps

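## Reverse engineering the Roland JP-8000's "SuperSaw"

This talk details the remarkable process of reverse engineering the custom DSP chips inside the Roland JP-8000 synthesizer. The synthesizer is famous for its signature "SuperSaw" oscillator, a cornerstone of trance music. The Usual Suspects team succeeded in creating a bit-accurate, real-time emulator of the JP-8000, a feat previously considered impossible because of the chips' undocumented instruction set.

Their approach combined several advanced techniques: automated silicon reverse engineering using microscopy and computer vision to identify chip components, directly probing the chip with an Arduino to discover register functions, statistical opcode analysis, and fuzzing. This builds on earlier work that reverse engineered an older chip by manual silicon tracing.

The team's success highlights advances in automated reverse engineering and the use of on-chip test modes to reveal a chip's inner workings. Ultimately, they deciphered the architecture of the ESP chip and the algorithm behind the SuperSaw, providing valuable insight into DSP design and demonstrating the feasibility of open-source hardware emulation.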

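## Summary of synthesizer DSP hacking and reverse engineering

A recent talk by "The Usual Suspects" (and related earlier work) details the reverse engineering of the digital signal processors (DSPs) in classic synthesizers. Initially focused on emulating the Motorola 56K chip, used in synthesizers such as the Access Virus and Nord Lead, they have now moved on to the undocumented Toshiba DSP in the Roland JP-8000. The work involves significant technical challenges, including understanding complex code and replicating anti-aliasing techniques. Their work has produced accurate emulators, potentially extending the life of hardware that depends on these now-discontinued chips.

The discussion sparked interest in related projects such as **Zynthian** and **Monome** (open-source synthesizer platforms) and the **FundamentalFrequency LMN-3** (a DIY synthesizer). Resources such as **CDM (create digital music)** and **matrixsynth** were also recommended for keeping up with the latest in synthesizer hacking. The talk highlights the dedication of enthusiasts to preserving and expanding access to vintage synthesizer sounds.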

Original text
From Silicon to Darude Sand-storm: breaking famous synthesizer DSPs - media.ccc.de

giulioz

Have you ever wondered how the chips and algorithms that made all those electronic music hits work? Us too!

At The Usual Suspects we create open source emulations of famous music hardware, synthesizers and effect units. After releasing some emulations of devices around the Motorola 563xx DSP chip, we made further steps into reverse engineering custom silicon chips to achieve what no one has done before: a real low-level emulation of the JP-8000. This famous synthesizer featured a special "SuperSaw" oscillator algorithm, which defined an entire generation of electronic and trance music. The main obstacle was emulating the 4 custom DSP chips the device used, which ran software written with a completely undocumented instruction set. In this talk I will go through the story of how we overcame that obstacle, using a mixture of automated silicon reverse engineering, probing the chip with an Arduino, statistical analysis of the opcodes and fuzzing. Finally, I will talk about how we made the emulator run in real-time using JIT, and what we found by looking at the SuperSaw code.

This talk is a sequel to my last year's talk "Proprietary silicon ICs and dubious marketing claims? Let's fight those with a microscope!", where I showed how I reverse engineered a pretty old device (1986) by looking at microscope silicon pics alone, with manual tracing and some custom tools. Back then I claimed that taking a look at a more modern device would be way more challenging, due to the increased complexity.

This time, in fact, I've reverse engineered a much more modern chip: the custom Roland/Toshiba TC170C140 ESP chip (1995). Completing this task required a different approach, as doing it manually would have required too much time. We used a guided automated approach that combines clever microscopy with computer vision to automatically classify standard cells in the chip, saving us most of the manual work.
The biggest win though came from directly probing the chip: by exploiting test routines and sending random data to the chip we figured out how the internal registers worked, slowly giving us insights about the encoding of the chip ISA. By combining those two approaches we managed to create a bit-accurate emulator that is also able to run in real-time using JIT.

In this talk I want to cover the following topics:
- What I learned since my previous talk by looking at more complicated chips
- Towards automating the silicon reverse engineering process
- How to find and exploit test modes to understand how stuff works
- How we tricked the chips into spilling their own secrets
- How the ESP chip works, compared to existing DSP chips
- How the SuperSaw oscillator turned out to work

Licensed to the public under http://creativecommons.org/licenses/by/4.0
