EEVblog Electronics Community Forum

Electronics => Beginners => Topic started by: mogue on November 01, 2019, 09:49:57 pm

Title: "Jumping" NOR Flash via another identical board
Post by: mogue on November 01, 2019, 09:49:57 pm
I'm working with the main PCB ("DM board") of a Yamaha Motif XS8. Due to my own error, the NOR Flash has been overwritten with incorrect data. This has rendered the onboard update functionality inaccessible; I'm unable to boot into the update mode in order to write the correct data. I've reached out to several authorized Yamaha repair centers as well as Yamaha themselves, and the situation is that Yamaha offers no solution to this issue: their recommendation is to replace the entire DM board (nominally $1,030 but actually unavailable).

Unwilling to give up without exhausting every conceivable solution, I am looking into any available method for rewriting the NOR Flash directly (for example via SPI). I have access to Yamaha's service manual which includes detailed circuit diagrams and part information. The specific NOR Flash chip is the Spansion S29GL512N10TFI020, part of their "S29GL-P MirrorBit Flash Family", and I have found its datasheet (https://www.digchip.com/datasheets/parts/datasheet/1073/S29GL512N10TFI020-pdf.php). My general plan is to get a hold of another Yamaha Motif XS, dump its flash, then write the contents directly to the "broken" flash. Afterward I would sell the second Motif to recoup some of the expense.

I am wondering, however, whether it might be feasible to "jump" a connection between the problem flash and a working board, in order to use the working board's update mode and a standard Yamaha update file in order to write to the problem flash on the other board. Given the working board would first have to boot into update mode via its own NOR Flash, I am uncertain whether the connection could be "switched" after boot and prior to executing the update. If possible, this would skip the step of dumping the data from the working flash or working directly with SPI at all.

Any thoughts on whether I'm totally barking up the wrong tree would be greatly appreciated.
Title: Re: "Jumping" NOR Flash via another identical board
Post by: MosherIV on November 01, 2019, 10:48:43 pm
Hi
Welcome to the forum.
You may be better off (safer) using something like a bus pirate to read the data out of a working Motif XS8, save that as a raw binary data file on the host pc driving the bus pirate.
Then use the bus pirate again to write back to the erased flash.

Edit:
Scratch that idea. The bus pirate can only do serial buses like spi and i2c. You mentioned spi but looking at the close up of the flash part on the schematic, it is a 16bit device with a full address bus and 16 bit data bus. You would need something that can read the flash device in circuit, you may have to force the host processor to stop accessing the flash by holding it in reset.
Title: Re: "Jumping" NOR Flash via another identical board
Post by: thm_w on November 01, 2019, 11:54:34 pm
Could be possible, but you'd need to clip on to both flash chips, and maybe desolder/disconnect pins temporarily.

It looks like you can get a clip to make life easier, then add a flash reader and it should be possible to read out the data without desoldering the chip.

https://www.aliexpress.com/item/32556890251.html
http://www.360-clip.com/ (just for example photos)
Title: Re: "Jumping" NOR Flash via another identical board
Post by: amyk on November 02, 2019, 02:34:50 am
Alternatively, download the official firmware which appears to be at https://usa.yamaha.com/support/updates/21001_en.html , and figure out how to get a NOR flash image from it. No need to buy, possibly damage, and then try to sell another unit, although you will need a programmer.

Here's a recent example of someone trying to do this with a different piece of equipment: https://www.eevblog.com/forum/repair/worn-out-flash-memory-chip/
Title: Re: "Jumping" NOR Flash via another identical board
Post by: mogue on November 02, 2019, 02:53:09 am
> Alternatively, download the official firmware which appears to be at https://usa.yamaha.com/support/updates/21001_en.html , and figure out how to get a NOR flash image from it. No need to buy, possibly damage, and then try to sell another unit, although you will need a programmer.
>
> Here's a recent example of someone trying to do this with a different piece of equipment: https://www.eevblog.com/forum/repair/worn-out-flash-memory-chip/

This is actually where I started and what led to my error in rendering the NOR flash unbootable; I've been trying to lay the groundwork for modifying the OS (MontaVista Linux). Unfortunately the update files are inscrutable. Binwalk gives nothing but false positives. The only structure I've been able to discern is that the same format is used for the Motif XF and the S90XS: comparing hex dumps of the update files for those two keyboards as well as two different versions of the Motif XS update reveals several consistently identical blocks of data across the four files. Working from this information (http://www.devttys0.com/2013/06/differentiate-encryption-from-compression-using-math/), signs point strongly toward the files being encrypted (chi square distribution ranges from 225.8 to 263.91, and pi approximation error ranges from 0.00 to 0.01%). My next steps would be an attempt to pull the decryption key from the Motif XS, but that's stalled now that the thing is presently bricked.

MosherIV and thm_w, thanks also for your input. That 360-clip looks very promising.
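
Added example, not part of mogue's post and not code from the linked article: the two statistics quoted in the post above (chi-square of the byte histogram and the Monte Carlo pi error) computed in Python, so the reported ranges can be compared against known inputs. The 6-byte grouping for the pi estimate, the SHA-256 counter stream standing in for ciphertext, and the word-list plaintext are assumptions constructed for this example.

```python
import hashlib
import math
import zlib

def chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against a uniform distribution."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)

def pi_error_percent(data: bytes) -> float:
    """Percent error of a Monte Carlo pi estimate built from the data."""
    # Assumption: 6-byte groups, 3 bytes per coordinate, quarter-circle test.
    limit = (256 ** 3 - 1) ** 2
    inside = total = 0
    for i in range(0, len(data) - 5, 6):
        x = int.from_bytes(data[i:i + 3], "big")
        y = int.from_bytes(data[i + 3:i + 6], "big")
        inside += (x * x + y * y <= limit)
        total += 1
    if total == 0:
        raise ValueError("need at least 6 bytes")
    return abs(4 * inside / total - math.pi) / math.pi * 100

def keystream(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def sample_text(n: int) -> bytes:
    """Constructed plaintext: words picked by a small deterministic LCG."""
    words = [b"flash", b"update", b"kernel", b"samba", b"boot", b"wave", b"rom"]
    out, state = bytearray(), 1
    while len(out) < n:
        state = (state * 1103515245 + 12345) % 2 ** 31
        out += words[(state >> 16) % len(words)] + b" "
    return bytes(out[:n])

if __name__ == "__main__":
    text = sample_text(1 << 20)
    samples = {"plaintext": text, "zlib-compressed": zlib.compress(text),
               "keystream": keystream(1 << 20)}
    for name, buf in samples.items():
        print(f"{name:16} n={len(buf):8} chi2={chi_square(buf):12.2f} "
              f"pi_err={pi_error_percent(buf):.3f}%")
```

Both statistics depend on sample size, so compare buffers of similar length; a short file gives a noisy pi estimate regardless of its contents.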

Title: Re: "Jumping" NOR Flash via another identical board
Post by: I wanted a rude username on November 02, 2019, 04:34:43 am
There is an ancient hack that may work for you, if the flash chip is socketed.

Boot the working board into its update mode, and just before initiating the update, hot swap the flash chip for your corrupted one. Then run the update.

I was told of this many years ago, and there's absolutely no guarantee it'll work on a modern device. But ... who knows?
Title: Re: "Jumping" NOR Flash via another identical board
Post by: BrianHG on November 02, 2019, 05:53:10 am
> > Alternatively, download the official firmware which appears to be at https://usa.yamaha.com/support/updates/21001_en.html , and figure out how to get a NOR flash image from it. No need to buy, possibly damage, and then try to sell another unit, although you will need a programmer.
> >
> > Here's a recent example of someone trying to do this with a different piece of equipment: https://www.eevblog.com/forum/repair/worn-out-flash-memory-chip/
>
> This is actually where I started and what led to my error in rendering the NOR flash unbootable; I've been trying to lay the groundwork for modifying the OS (MontaVista Linux). Unfortunately the update files are inscrutable. Binwalk gives nothing but false positives. The only structure I've been able to discern is that the same format is used for the Motif XF and the S90XS: comparing hex dumps of the update files for those two keyboards as well as two different versions of the Motif XS update reveals several consistently identical blocks of data across the four files. Working from this information (http://www.devttys0.com/2013/06/differentiate-encryption-from-compression-using-math/), signs point strongly toward the files being encrypted (chi square distribution ranges from 225.8 to 263.91, and pi approximation error ranges from 0.00 to 0.01%). My next steps would be an attempt to pull the decryption key from the Motif XS, but that's stalled now that the thing is presently bricked.
>
> MosherIV and thm_w, thanks also for your input. That 360-clip looks very promising.

That '8E54OS_.PGM' file is 4 times larger than the Flash NOR boot prom you have illustrated in the schematic.  Could there be 4 of those flash IC in the design?  Are you sure that that file isn't for the bootprom, but for the Wav-roms?  No software, just audio samples?


Title: Re: "Jumping" NOR Flash via another identical board
Post by: mogue on November 02, 2019, 06:10:30 am
> That '8E54OS_.PGM' is 4 times larger than the Flash NOR boot prom you have illustrated in the schematic.  Could there be 4 of those flash IC in the design?  Are you sure that that file isn't for the bootprom, but for the Wav-roms?  No software, just audio samples?

That particular "PGM" file, version 1.60 of the Motif XS OS, is 4 times larger than any other PGM file I have: v1.12 (http://www.motifator.com/index.php/support/view/motif_xs_os_updater_v1122) of the Motif XS, v1.06 (https://usa.yamaha.com/support/updates/21002_en.html) of the S90XS, and v1.50 (https://usa.yamaha.com/support/updates/61410_en.html) of the Motif XF (a newer but largely similar keyboard to the XS architecturally). I haven't a clue what accounts for this difference. To my memory, no update ever added new audio to the wave rom. I suppose it's possible that Yamaha replaced the wave rom in order to fix some sort of problem with the existing data, but never publicized the problem or solution?

There are two additional 64MB flash ICs on the board, each dedicated to wave rom. There is also a small 1MB NOR flash which is dedicated to the Firewire interface, but given that the Firewire firmware update (https://usa.yamaha.com/support/updates/52019_en.html) is delivered in a separate file and installed from a computer connected via firewire cable (totally different method from the PGM installation), I don't think this particular bit is touched by the PGM file.

I can be certain that the S90XS v1.06 PGM file contains an update for its bootloader; this file successfully loaded into the Motif XS and got far enough to break it (see attached photo), whereas the Motif XF file gave an error regarding a missing "update.sh" file after unpacking the PGM but before starting the actual update process. Yes, I got extremely foolhardy with investigating the behavior of these files...

In any case, even if that file contains more than just OS data, I am certain that the OS data is in there as well given the features that it and the bundled 1.56 update provide. I additionally identified that the onboard Samba server was updated from version 3.0.10 to 3.0.24 between versions 1.12 and 1.60 of the XS. So, there's definitely a Samba server somewhere in that particular '8E54OS_.PGM' file. I can't be certain that it includes the data for the bootloader.

If the analysis regarding encryption is correct, then at least some of the data in the file is both encrypted and compressed because the boot sequence described in the service manual includes a step labeled "Decompress Linux kernel on NOR flash to DDR SDRAM."
Title: Re: "Jumping" NOR Flash via another identical board
Post by: ArthurDent on November 02, 2019, 02:43:50 pm
I guess this isn't much help but the name is close...   8)

https://www.youtube.com/watch?v=XCMrXC8D05Q
Title: Re: "Jumping" NOR Flash via another identical board
Post by: amyk on November 02, 2019, 07:47:49 pm
> I can be certain that the S90XS v1.06 PGM file contains an update for its bootloader; this file successfully loaded into the Motif XS and got far enough to break it (see attached photo)

That looks suspiciously like the symptoms of the board in the other thread; also indicative of a bad flash IC?
Title: Re: "Jumping" NOR Flash via another identical board
Post by: mogue on November 02, 2019, 08:36:22 pm
> > I can be certain that the S90XS v1.06 PGM file contains an update for its bootloader; this file successfully loaded into the Motif XS and got far enough to break it (see attached photo)
>
> That looks suspiciously like the symptoms of the board in the other thread; also indicative of a bad flash IC?

Well, I had just recently flashed back and forth between Motif XS version 1.12 and 1.60 a few times while investigating the Samba server (trying to use documented exploits to get a root shell on the Motif) and had no issues.

I wouldn't think it makes too much sense to infer anything about hardware failure based on flashing the firmware for a different device. The S90XS also ran MontaVista Linux but from a user-facing perspective it had a much more reduced interface and fewer capabilities than the Motif XS. I don't have access to the service manual for the S90XS, so I don't know exactly how they differ on the PCB level. To me it seems likely that the flash ICs differ enough between the two models that this firmware update script just attempted to erase something that didn't exist, threw an error, and quit.
Title: Re: "Jumping" NOR Flash via another identical board
Post by: mogue on November 12, 2019, 05:49:57 pm
> The specific NOR Flash chip is the Spansion S29GL512N10TFI020, part of their "S29GL-P MirrorBit Flash Family", and I have found its datasheet (https://www.digchip.com/datasheets/parts/datasheet/1073/S29GL512N10TFI020-pdf.php).

Just dropping a correction here: that page is incorrect. While it claims to contain the datasheet for my flash chip, it actually links to the wrong one. The chip I'm working with is instead part of the "S29GL-N MirrorBit Flash Family" and this is the correct datasheet (https://www.mikrocontroller.net/attachment/73521/S29GL512N.pdf).

It appears that some(?) PS3 consoles have a chip from the same family (https://www.psdevwiki.com/ps3/Talk:Hardware_flashing#NOR). I'm hoping that this means I will be able to "treat the Motif like a PS3" and use existing software as-is for the reading and writing process.

I have a 360-clip and a Teensy++ 2.0 on the way.