Remote code execution via MIDI messages
84 comments
·January 5, 2025moosedev
brian-armstrong
Many industrial applications as well. Mitsubishi used it in the ECU of some of its cars, including the Lancer Evolution.
publicmail
Early (2003 for sure) 350z had it as well.
purplesyringa
This is such a ludicrous premise, I'm amazed you pulled it off.
You mention "another packing optimization". I'm wondering, how are you transferring frames? The dot matrix is eight 7x5 characters, i.e. 280 bits in total, which amounts to 40 7-bit groups per frame. You seem to be using twice that space in transmission, is it wasted on some control data or is the transmission just slightly suboptimal?
portasynthinca3
Thanks!
The dot matrix is actually eight 5x8 characters, or 320 bits in total. I'm packing those 320 bits into the the 4 bits per byte that are available to us in this shell protocol. Plus, another 9 bytes for the packet header and footer. Looks like I wrote 92 in the article, I must have miscalculated that.
I'm not using the full 7 bits because figuring out a way to do so turned out to be way too hard for me, so I opted for a solution that is negligibly worse than the optimal one, in comparison to the original one.
If you're wondering about the exact algorithm, consider checking these files out, but please keep in mind that I haven't cleaned the code up yet: https://github.com/portasynthinca3/swl01u/blob/master/fun/bi..., https://github.com/portasynthinca3/swl01u/blob/master/fun/ba...
phkahler
Another option might be to modify the baud rate of the MIDI interface. MIDI is terribly slow at 1M/32 bps, and most UARTs can go at least 115200. That would also mean changing the baud rate on your PC software at that point in transmission, and would not allow a standard MIDI file to be used.
lambda
This was being done over USB midi, which is already faster than standard DIN midi AFAIK. Trying to change the baud rate of DIN midi on both ends of the communication seems like a lot of work.
lqstuart
> I’m very unexperienced when it comes to reverse engineering
Lol… where does that leave the rest of us in comparison
Cthulhu_
Knowing a lot but being aware you know nothing is like level 4 of experience, where level 1 is being new and eager but knowing you know nothing yet, level 2 is the "I am a god" stage, and level 3 is "I'm an idiot".
pottspotts
Yeah this is oft-repeated by particularly good "lay" engineers.
SideQuark
> World’s First MIDI Shellcode
There's been MIDI shell code for well over 20 years on pretty much all major platforms: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=midi
LegionMammal978
Plenty of buffer overflows. But has anyone actually written a shellcode for those?
SideQuark
Metasploit added automated shellcode generators into midi files at least a dozen years ago, likely earlier. https://www.exploit-db.com/exploits/18426
So to test this, surely they tried it once, and presumably Metasploit users generated tons of them .
And from having worked in this space a long time ago, such CVEs would trigger a host of malicious midi files looking for holes, especially since people embedded them in webpages around early 2000s.
Around that time I'd routinely take a MS update, diff the DLLs, reverse interesting location changes, and craft shellcode attacks during training to show people how it's not very hard. And there were tons of people across the spectrum able to do similarly. CVE disclosures made them much easier to develop.
lucasluitjes
That is amazing research! Reminds me a bit of the 2017 research of RCE on a DNA sequencing machine by synthesizing shellcode in actual DNA/RNA molecules [0]. I was gonna say "next up: OSC" but I guess MIDI is still dominant.
[0] https://www.usenix.org/conference/usenixsecurity17/technical...
liotier
Of course it is SysEx. SysEx is to standard MIDI what inline assembler is to Python. A world of undocumented proprietary stuff lurks within just about every MIDI device !
dhosek
I wish it was somehow possible to perform a piece of music that would cause remote code execution. It’d be so cool to plug in a MIDI keyboard, play an Am6,9/G# and have it open a terminal window with root access.
127
That doesn't make much sense as note on and note off messages are very simple and you can't insert arbitrary bytes with them, unless maybe you use some very particular run mode.
bluGill
Note on/off are just messages. We by convention map them to notes, but note 69 is A-440 on most keyboards, but you could see note 69 and play a C instead (this is somewhat common - have the computer transpose so you can play with others who play the music in a different key - better players can do this in their head but it is not a universal skill even with great players)
There is no reason you can't take a sequence of notes and do something else - pop up a root window for example. It isn't normally done because it would confuse everyone for no reason. (IIRC The original MIDI spec from the 1980s didn't have conventions of nearly as much and some midi devices did really weird things from note commands)
dhosek
I also wish I had a pony. Wishes don’t need to make much sense.
liotier
> I wish it was somehow possible to perform a piece of music that would cause remote code execution
Cue Frankie Goes to Hollywood's "Relax" triggering Derek Zoolander to kill the Malaysian leader during fashion week
null
Asooka
Oh there definitely is some MIDI device out there that will get a buffer overrun from a particular set of just regular note inputs. Maybe 11 notes at once due to the programmer thinking "humans have only 10 fingers, a static array of 10 elements is enough to hold all notes currently playing".
b3orn
More notes or voices playing than the player has fingers is quite common, a note doesn't stop just because you let go of the key. Sometimes you want it to ring out so most synthesizers handle that case. Some even let you configure the behaviour, for example you could reallocate the longest playing note or the closest note.
Perenti
I'm reminded of how in GEB by Hoffstaeder (sp?) the tortoise creates a recording that destroys any device you play it on.
odiroot
SysEx is awesome. I'm quite sad modern synths seem to use it less and less (Roland!!!).
Though Behringer is still quite good with it. E.g. their Deepmind can be pretty much 100% programmed with it, on top of already good MIDI CC scope.
liotier
Roland using less SysEx ? Here is a 26 pages PDF full of unofficial TB-3 SysEx documented by Dope Robot: https://www.doperobot.com/TB-3%20Sysex%20Implementation%20v1... - Roland's official documentation just scratches the surface.
helpfulContrib
[dead]
jamal-kumar
Wow, this is a whole thing I had no idea about. Was recently looking into what it would take to fuzz MIDI and while I found some resources to generate a .mid file to this end it wasn't exactly what I was hunting for. This is maybe something I should consider exploring instead, thanks!
portasynthinca3
> SysEx is to standard MIDI what inline assembler is to Python
I really like this comparison!
helpfulContrib
[dead]
1oooqooq
can't wait to see what sysEx hacks google will cram on chrome midi support they are building for the last couple years.
p0w3n3d
2030, browsers are TPMd DRMd and JAILed, one cannot simply access web with Firefox anymore:
so we have jailbroken the Chrome using MIDI protocol to install extension that blocks adsjeroenhd
WebMIDI already has SysEx support: https://developer.mozilla.org/en-US/docs/Web/API/Web_MIDI_AP...
1oooqooq
did you read the article?
of course webmidi must support sysEx, it's essential to work with midi2 at all. but mostly because you must parse the weird sized packet to properly ignore it.
what might show up are chrome specific sysEx messages which then leads to exploits as the article.
prashnts
I tried to make a bidirectional channel from a webpage to a python script over MIDI. I'd just found that with sysex you can pack any arbitrary data that you want, that python can create virtual MIDI devices, and that Chrome can then connect to such devices.
I'm sure I'd more code than what's in my 8yo repo, but the premise is simply https://github.com/prashnts/midipacks/blob/master/midipacks/...
fer
Yeah, same thinking here. No standard, manufacturer-defined, everything-goes kind of messages.
Terr_
While I suggest reading the whole thing, the money-quotes:
> So yeah, these [keyboard manufacturer] madlads made a shell that runs on top of MIDI SysEx messages on top of USB.
> [T]he most interesting commands that we have are arbitrary memory read/write commands. So, if we really wanted to, we could just peek and poke the memory of the synth via MIDI.
> If we wanted to, we could write these messages to a MIDI file and play it on the synth like any other MIDI file. Hey, that gives me an idea.....
> From the countless sleepless nights of digging around in the firmware I’ve discovered a function that sends arbitrary data to the LCD controller.
Terr_
P.S.: Now the real question is whether you can change the running-code on the keyboard so that it tries to infect other keyboards (of the same model) that might receive MIDI data originating from-it.
In a way, this is a peek at the nightmare of Internet of Things (IoT, where the S stands for Security.) Almost any device might have a backdoor in it, and it might even be a stupid backdoor, like #0000.
dylan604
> If we wanted to, we could write these messages to a MIDI file and play it on the synth like any other MIDI file. Hey, that gives me an idea.....
I'm imagining dubstep would be the result
odiroot
> > [T]he most interesting commands that we have are arbitrary memory read/write commands. So, if we really wanted to, we could just peek and poke the memory of the synth via MIDI.
This sounds easy but with SysEx having no delivery guarantees, and no sense of connection/session it can be frustrating. Totally normal to get "packet loss".
saagarjha
Curious if you can intersperse the Bad Apple commands with MIDI music so it plays the audio itself ;)
notpushkin
On the off chance any of the HN crowd is in Armenia: Porta will be giving a talk about this on January 10th at the Hacker Embassy. You should definitely come: https://t.me/hackerembassy/17
serverlessmania
Awesome, I'm trying to do this with Elektron machines, the Digitakt.
trelbutate
So, the repo's README claims the repo contains the image dumps, but they're not actually there. Is this correct?
portasynthinca3
My bad! I added *.bin to .gitignore last minute to exclude assembled code snippets, but looks like the dumps were excluded as well. I'm going to upload them in the next few hours
perching_aix
Seems to be. Probably a good shout considering those dumps would be protected by Yamaha's copyright.
the_plus_one
As someone who's reversed some basic MIDI stuff in an old video game and has always wanted to get into hardware hacking, I really enjoyed reading this article. Great work!
Great project, write-up, and sense of humor in the videos!
> Using that part number I wasn’t able to find any information about the chip online apart from an article that claimed it was based around a “SuperH” CPU core – an ISA that I’ve encountered for the first time ever in that article.
Also found in Sega 32x, Sega Saturn, and Sega Dreamcast! And some early Pocket PCs (turn-of-the-century handhelds running Windows CE) like the HP Jornada series, although most Pocket PCs were ARM-based.