--- In bc2000@yahoogroups.com, "Dan Gendreau" <gendreau@...> wrote:
>
> Just a quick note about custom firmware efforts.
> I have been making some small steps toward decoding it.
>
> The firmware flash memory is 512kb in size, split into 2 banks of
> 256kb. When you update the firmware via sysex, it writes to the bank
> that is currently not in use and switches banks on reboot.
>
> The good news is that the current BC2000 firmware only uses 68-72kb of
> the 256kb available for a firmware, so there is quite a lot of room
> for custom code in there.
>
> There seems to be a boot-loader in the first 4kb of each bank that
> never changes. Based on their FAQ, I suspect that this boot-loader is
> capable of accepting a sysex firmware update via the MIDI-In port even
> if the main firmware and USB code is corrupted. This means it should
> be possible to experiment with writing a custom firmware without
> completely bricking your BC2000.
>
> My first short term goal is to decompile the 4kb boot-loader and
> figure out how it decodes midi firmware update packets.

As you may have noticed, BC Manager 1.0 includes a routine that upgrades the BCF/BCR's firmware by means of the syx-firmware files published by Behringer.

A firmware syx-file for the BCR defines 16 sections of 16 SysEx messages, each message encrypting 256 bytes of actual firmware. So all in all exactly 64 kB is upgraded. For the BCF there are 17 sections, i.e. 68 kB.

An upgrade operation causes the display of the BCF/BCR to flash each section's internal address while their 16 SysEx messages are being received (or HAVE been received? I forget which). In any case, the first address shown is indeed "2". So there's a strong suggestion that the area before section 2 is "fixed" and contains among other things the decrypting algorithm.

I also intended to include firmware syx-file decrypting/encrypting routines in BC Manager 1.0. To that end I managed to crack several stages of the BCF/BCR's firmware encryption method. Unfortunately I haven't been able to crack it completely, but it would help enormously if I could see the actual firmware lifted from the ROM chip. Maybe I haven't looked well, but I haven't seen any of this data in the files section of the Yahoo group, so could someone send this to me?

By the way, it would also help if someone could send me firmware syx-files for versions other than 1.07 and 1.10. (Were any other versions ever available from the Behringer website?)

Mark.
Re: Firmware decoding
2008-03-02 by Mark van den Berg
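The structure Mark describes (16 SysEx messages per section, 256 firmware bytes per message, 16 sections for the BCR and 17 for the BCF) can be checked mechanically before a file is ever sent to the unit. The Python below is an added example written for this page; it is not code from the thread, from BC Manager or from Behringer. It assumes only standard MIDI SysEx framing (a message runs from F0 to F7 and every byte in between is 7-bit), so it validates the container, not the encrypted payload, whose header and encoding the thread does not describe. The sample file is constructed here, using the MIDI non-commercial manufacturer ID 0x7D as a placeholder header, and is not a real firmware image.

```python
"""Split a MIDI .syx dump into SysEx frames and check it against the section
layout described in the post. Payload contents are opaque here: only framing,
7-bit cleanliness, message count and uniform message length are checked."""
from __future__ import annotations

from dataclasses import dataclass

SYSEX_START = 0xF0
SYSEX_END = 0xF7
MSGS_PER_SECTION = 16      # from the post: 16 SysEx messages per section
FW_BYTES_PER_MSG = 256     # from the post: each message carries 256 firmware bytes
PLACEHOLDER_HEADER = b"\x7D"  # MIDI non-commercial ID; stands in for the real header


@dataclass
class SysExMessage:
    offset: int      # byte offset of the F0 in the file
    payload: bytes   # bytes strictly between F0 and F7


def split_sysex(data: bytes) -> list[SysExMessage]:
    """Cut a byte stream into F0 ... F7 frames.

    Raises ValueError on anything a truncated or corrupted dump would show:
    data outside a frame, a status byte (>= 0x80) inside a frame, or a frame
    that never reaches its F7.
    """
    msgs: list[SysExMessage] = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != SYSEX_START:
            raise ValueError(f"expected F0 at offset {i}, got {data[i]:02X}")
        start = i
        i += 1
        while i < n and data[i] != SYSEX_END:
            if data[i] & 0x80:
                raise ValueError(f"status byte {data[i]:02X} inside SysEx at offset {i}")
            i += 1
        if i >= n:
            raise ValueError(f"unterminated SysEx starting at offset {start}")
        msgs.append(SysExMessage(start, bytes(data[start + 1:i])))
        i += 1  # step past the F7
    return msgs


def describe_firmware_file(data: bytes) -> dict:
    """Summarise a .syx firmware file in the terms the post uses.

    Requires a whole number of 16-message sections and identical payload
    lengths across messages; either failing is a reason not to flash.
    """
    msgs = split_sysex(data)
    if not msgs or len(msgs) % MSGS_PER_SECTION:
        raise ValueError(
            f"{len(msgs)} messages is not a whole number of {MSGS_PER_SECTION}-message sections")
    lengths = {len(m.payload) for m in msgs}
    if len(lengths) != 1:
        raise ValueError(f"messages have differing payload lengths: {sorted(lengths)}")
    sections = len(msgs) // MSGS_PER_SECTION
    return {
        "messages": len(msgs),
        "sections": sections,
        "payload_len": lengths.pop(),
        "firmware_kb": sections * MSGS_PER_SECTION * FW_BYTES_PER_MSG // 1024,
    }


def build_sample_file(sections: int) -> bytes:
    """Constructed test input: `sections` x 16 frames, each a placeholder
    header plus an 8-byte 7-bit body. Not a real Behringer firmware file."""
    out = bytearray()
    for s in range(sections):
        for m in range(MSGS_PER_SECTION):
            body = bytes((s * MSGS_PER_SECTION + m + k) & 0x7F for k in range(8))
            out += bytes([SYSEX_START]) + PLACEHOLDER_HEADER + body + bytes([SYSEX_END])
    return bytes(out)


if __name__ == "__main__":
    for name, secs in (("BCR-shaped sample", 16), ("BCF-shaped sample", 17)):
        print(name, describe_firmware_file(build_sample_file(secs)))
    try:
        describe_firmware_file(build_sample_file(16)[:-1])  # drop the final F7
    except ValueError as exc:
        print("truncated file rejected:", exc)
```

Run against a real file, the check that matters is the count: 256 frames of equal length for a BCR file and 272 for a BCF file, matching the 64 kB and 68 kB Mark computes. A file that splits into a different number of frames, or whose frames differ in length, has been truncated or damaged in transit and should not be sent to the bootloader, however tolerant that bootloader turns out to be.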