I recently bought a Roland FA-08 music keyboard, it is interesting because it has two of what Roland call "Virtual SRX" slots. These work by downloading a .zip file from Roland's website (http://axial.roland.com/category/fa-06_fa-07_fa-08/ - EXP files, not BANK), placing the .bin file inside onto a usb thumb drive, and then you flash it to the keyboard from the drive, which provides you with a selection of new sounds that are on that expansion module. The keyboard is still on the market in different sizes as the FA-08/FA-07/FA-06.
My goal is to write a program or tool that will allow people to mix and match different sounds from different expansions and combine them into customized expansions, making more efficient use of the space, perhaps even paving the way for user-created completely custom instruments eventually. You can download a sample file at:
http://axial.roland.com/downloads/FA_EXP-07.zip
Expansion format
Inside the file is the header, which is always $20 bytes long and padded with spaces if it isn't.
Code: Select all
Roland SRX O°X§SRX-10 BgBrsEns Next at $40 offset is a $40/64 byte "key" or "description" of some sort
Code: Select all
1C D9 D9 1C D9 99 9C 5C 99 5C 5C D9 5C D9 D9 9C 99 9C 5C D9 5C D9 D9 9C D9 9C 9C 5C 9C 5C 5C D9 9D 5D 9D 9C 5D 9C 9C DD 9C 9D DD 9D 9D 9D 9D 1C 9C 9D DD 9D 5D 9D 9D 9C 9D 9C 9C DD 9C 5D D9 9DThen finally at the $C0 offset we have the data which appears to be encoded and possibly encrypted.
There is another gap of 00s and description block, then another data block. This pattern repeats. The description blocks are strange because they all look very similar, which doesn't make sense for all the instrument names.
In this expansion there are new sounds for the keyboard called "TromboneSect" and "DynaBrass" (SoundList_EXP-07_je01_W.pdf inside the zip file has the patch list) and these words are shown on the keyboard screen tone list after install, but they don't show up anywhere in the raw binary file. The file contains 100 tones (patches) and 261 waveforms so these are in there somehow.
The data isn't likely compressed because it is 32MB in size exactly, and as you can see in the header they are all based on Roland's original hardware SRX modules released, but reduced a little bit, presumably to fit into the 32MB RAM in each virtual slot in the device (original SRX modules were 64MB)
I couldn't figure out much more than this, signsrch turned up nothing probably due to the encryption. It's possible the device decrypts the bin at flash-time, leaving an unencrypted ROM on the device to use, OR it is using a very fast simple encoding format quick enough for the device to realtime decode the data with little overhead so it can be played on the device.
Firmware format
To figure out how to decrypt this, I wondered if perhaps the Firmware for the device itself contained the public key. Since roland recently released a firmware update we can also get the firmware for the device on the website here:
https://static.roland.com/assets/media/ ... s_v201.zip
This started off quite easy, inside the FA_UPA.bin firmware file was the ".ustar" keyword which made me realise this was a .tar file. Renaming it to FA_UPA.tar allowed me to extract the following files:
fantom_s_up.bin
fantom_e_up.bin
fantom_c_up.bin
fantom_c_up.bin appears to be a disk image or archive, but definitely compressed. You can see some fragments of filenames inside:
Code: Select all
3228C1: %1/sd/Rýo.Pd/FA/SÿCREEN SAÿVER/%04do.BIN
199308: /TEST_¿SD.BIN
fantom_s_up.bin is harder to decode. It has a linux style reference to BOOT_IMAGE at the end and perhaps a command to cd to the etc/ folder
Code: Select all
545D94: BOOT_IMAGE
02DA70: cdetc<eW\3Xp
This could indicate it is running an embedded *nix system of some kind and that the s and c bin files are in fact disk images.
For fantom_s_up.bin signsrch found the following:
Code: Select all
offset num description [bits.endian.size]
--------------------------------------------
001982cb 877 SHA256 Initial hash value H (0x6a09e667UL) [32.be.32&]
001982cb 1031 SHA256 [32.be.288&]
0019844a 1029 SHA224 [32.be.288&]
Could just be a coincidence, unless there are SHA256 codes to check the integrity in the firmware, which is possible.
The fantom_e_up.bin looked a lot different to the other files, so I wondered if this might be a low-level firmware for some hardware in the keyboard.
Thats as far as I got. I'm hoping maybe someone will help me figure this out, either with advice, tools, guidance or help so I can decompress/decrypt the expansion files and/or firmware files in an effort to help me make this program. Thanks for reading all this!
