Alex-aut wrote on 2020-12-12, 09:08:

@mattw: I wonder, how did you do that great!!! job .... If such "job" will come once again, you should export your permutation-calculations to CUDA 😀

actually, in case of SC-88 there was no need of nVidia hundred-billion-transistors chip. just a cup or two of Pepsi to wake me up and couple of Sudoku-solving hours of fun - after all I did it manually and it took me just few hours. in fact almost everything necessary to be figured out in order to do it, I already posted previously here, but let me make a summary of the whole story and few additional notes.

So, in my opinion, most fatal mistake in such kind of protection is that they put the year and the date and and not only that, but it's one of the first thing they put in the data:

Re: About Roland Virtual Sound Canvas 3

that not only means first 6 bits (address lines 0 to 5) of the address line shuffling is easy to figure out ("11 11 11" bits gives 0x3F or first 64 bytes), even manually, but brute-force attack is possible, because you know there is year "199x" in those bytes (EDIT: also the algo below could be used). In fact that allows even in case data value bit-shuffling is not known (as in the above case), to figure it out with brute-force attack - after all it's only 8-bits.

After that you, basically do the algorithm I posted here (from here on I will use "algo" to refer to this algorithm):

Re: About Roland Virtual Sound Canvas 3

let me elaborate a little further:

the shuffling of the next 4 bits or address lines 6,7, 8, 9 ("11 11 11 11 11" or that's 0x3ff or block of 1024 bytes) using the above algo is ultra simple, because the data block consists mostly of "ff" and "00". So, it's even faster, because doing the algo for address line 6, actually gives idea for 7,8 and 9, even it doesn't give their exact order. In other words on this step in worst case you have (20 - 6)=14 tries to find out bit 7 and which are the possible options for bit 8, 9 and 10 and then to order those last 3 bits, only 6 additional tries are necessary in total at best. I would say in worst case up to this point you're at 25 tries at most, that' why at that point I made the comments here:

Re: About Roland Virtual Sound Canvas 3

Re: About Roland Virtual Sound Canvas 3

What I didn't realize until yesterday is that at this point it's practically cracked, because while on each next step of the algo the block to verify becomes 2 times larger (which at first glance makes it very hard to do manually), in reality you don't need to verify the whole block, but only if the "stitching" between the old block and the new block looks correct based on the structure of the data. Even I made note about that here:

Re: About Roland Virtual Sound Canvas 3

I didn't really realize at that point only the "stitching" between the old block and the new block is important to be verified and not the whole block. That means on StepX of the algo (X >=10, as previous is already done, see above), you need to just see if let's say last 16 bytes of data before address 2^X and first 16 bytes after that fit together. Let me give, example, with X=11, first 11 address lines define the block of first 2^11 -1 = 0x7ff bytes and then to make sure address line 12 is guessed it's enough to examine the "stitching" around address 0x7ff if the previously good block fits together to the next block based on the structure of the data.

It's really incredible, when get experience with doing manually the above algo how efficient it is. Honestly, I doubt I did more than 70 tries in total, which you can do without any effort, e.g. 10 tries per day, that takes like 10-15 minutes for 7 days. I also do not see a reason, why it won't work with any other ROM scrambled in such way - as far as the structure is the same, i.e. that they put the year and the date, then there is blocks mostly of "00" and "ff"that form the "header" and then they have block of those "exponents" up to address 0x7fff and then the "mantissa " data follows or even not exactly the same, but just any structured data with a known structure.

In conclusion, such protection is really weak, if the data are not random, but structured and that structure is known - In such case it allows even manual attack in very small number of steps, i.e. involving almost no time and effort.

@mattw: Thank you so much for this very great summary!!! It is a pleasure to read this stuff even several times. Most explanations are sounding, that "sharp eyes" for data structure is one of the most importend things, that is needed in this work. You said, that encryption was weak, that means, that you would have done this job @ at the beginning of 1990, with no I7 or Ryzen 5000 series. 😀
----
In the whole case i would like to argue in case of waveforms ownership some words:
If i buy a Piano, than i am buying the strings - they are making the sound - too. So i am the owner of the strings of my piano. If i am the owner of the strings (because i bought them within the piano), than i am allowed, to do everything i want with these strings. I can cut them out with a biting bliers and i can put them for example an a guitar or an ukulelle 😀
Therefore, if i buy a roland SC 88, the wave-data - they are creating the sound - should also be mine, not?
-----
2 weeks ago you meant, that romes ha ve 2 headers, and i do not have any explanation for this fact. So i would like to ask you to loose just one more sentence, why do they have 2 headers? Thank you once more for this great job an summary. A final summary should be done under the title "30 years old secret of sound lifted". 😀

Alex-aut wrote on 2020-12-12, 11:55:

You said, that encryption was weak, that means, that you would have done this job @ at the beginning of 1990, with no I7 or Ryzen 5000 series. 😀

I would say yes, I believe it was possible, because at least what I did, I did not use any modern CPU power to do it. in fact trying to use I7 processing power, doing "blindly" brute-force, failed me miserably as I mentioned here:

Re: About Roland Virtual Sound Canvas 3

because that totally ignores human-brain-power and its ability to see very fast patterns in structured data. Additionally, as far as they had oscilloscopes in the 90-ties (I am not sure if there were logic analyzers in the 90-ties) to do what @NewRisingSun and @kitrinx did with SC-55:

Re: About Roland Virtual Sound Canvas 3

it's even possible in an easier way. In fact I needed to do what I did with SC-88, because I have no SC-88 unit to do such measurements in hardware, only your ROM dumps. So, most likely, the main obstacle in the 90-ties was less people have access to such equipment like oscilloscopes, computers, etc because they were expensive. Nowadays, I can literally go to the nearest dumpster and find computer in the trash more powerful than anything in the 90-ties for free. Also, I think another factor is our ability to exchange information these days - I mean how many people in the 90-ties had Internet. I am sure there are many different view points on such question, we can only guess...

Alex-aut wrote on 2020-12-12, 11:55:

2 weeks ago you meant, that romes ha ve 2 headers, and i do not have any explanation for this fact. So i would like to ask you to loose just one more sentence, why do they have 2 headers?

at this point, my best guess is the Waveroms as data are just 8 x 1MB, they just store 2 of them in one 2MB ROM chip. I see no mystery about that- it could be even when they started to design the hardware there were physically 8 x 1MB ROM chips and then they switched to 2MB ROMs.

Alex-aut wrote on 2020-12-12, 11:55:

In the whole case i would like to argue in case of waveforms ownership some words:
If i buy a Piano, than i am buying the strings - they are making the sound - too. So i am the owner of the strings of my piano. If i am the owner of the strings (because i bought them within the piano), than i am allowed, to do everything i want with these strings. I can cut them out with a biting bliers and i can put them for example an a guitar or an ukulelle 😀
Therefore, if i buy a roland SC 88, the wave-data - they are creating the sound - should also be mine, not?

Unfortunately it doesn't work like that. Roland still owns the wave-data, even though any music you create with that data is not owned by them. This is because the wave data (and firmware) is part of the design of the SC55, all of which is copyrighted by Roland.
So theoretically they could go after you for violating their copyright, and, depending on the country you live in, you could also get into trouble with law enforcement for cracking the device's encryption (well, as far as it can be called "encryption"...). The US is particularly bad regarding the latter.
However, considering people have been and are selling sampled sounds and sound data from a variety of synthesizers on Ebay and elsewhere, it's unlikely they will. I can't say I've ever seen evidence of manufacturers suing people over that. Probably it's too much trouble, and usually the sample packs sold are for older synths that are not manufactured anymore.
I can imagine things would be different if someone were to crack the Integra7's waverom format and start selling that, because the Integra7 is a current product.

On the other hand, the electronic circuits in the SC55 themselves can be copied freely - thanks to a landmark US legal case that I honestly still don't understand how it could have happened in the first place... This is why there are many clones of popular synthesizers and drum machines available (e.g. TR707 clones).

mattw wrote on 2020-12-12, 12:35:

because that totally ignores human-brain-power and its ability to see very fast patterns in structured data. Additionally, as far as they had oscilloscopes in the 90-ties (I am not sure if there were logic analyzers in the 90-ties) to do what @NewRisingSun and @kitrinx did with SC-55:

Re: About Roland Virtual Sound Canvas 3

it's even possible in an easier way. In fact I needed to do what I did with SC-88, because I have no SC-88 unit to do such measurements in hardware, only your ROM dumps. So, most likely, the main obstacle in the 90-ties was less people have access to such equipment like oscilloscopes, computers, etc because they were expensive. Nowadays, I can literally go to the nearest dumpster and find computer in the trash more powerful than anything in the 90-ties for free. Also, I think another factor is our ability to exchange information these days - I mean how many people in the 90-ties had Internet. I am sure there are many different view points on such question, we can only guess...

Yeah, oscilloscopes were available in the 1990s (we had them at secondary school), but were quite expensive until the late 1990s. I don't think I ever saw logic analysers for sale at normal electronics suppliers until after 2000 though. Desktop computers also were effectively too slow for cracking encryption back then. At a certain point some smart cookies figured out they could use a cluster of hacked Sony PlayStations as a supercomputer for those kind of tasks because they were better suited for it than conventional PCs back then...

Alex-aut wrote on 2020-12-12, 11:55:

2 weeks ago you meant, that romes ha ve 2 headers, and i do not have any explanation for this fact. So i would like to ask you to loose just one more sentence, why do they have 2 headers?

at this point, my best guess is the Waveroms as data are just 8 x 1MB, they just store 2 of them in one 2MB ROM chip. I see no mystery about that- it could be even when they started to design the hardware there were physically 8 x 1MB ROM chips and then they switched to 2MB ROMs.

And that also explains how they later put that same Waverom in a single chip in newer modules. Anyway, congrats with your work, it was a bit too complex for me to follow, but fascinating nonetheless. 😀

yawetaG wrote on 2020-12-12, 18:54:

And that also explains how they later put that same Waverom in a single chip in newer modules.

yeah, and newer (or most likely the last) version of that Waverom is included in "SCCore.dll" from "Roland Sound Canvas VA VSTi Plugin", the date of it is "1994-12-08":

Re: About Roland Virtual Sound Canvas 3

Re: About Roland Virtual Sound Canvas 3

So, it's over 1 year after what's inside SC-88 Waverom, where the date is "1993-10-31".

I read in some list of ISA sound cards that is floating around Internet that:

-= ISA SOUNDCARD OVERVIEW =- wrote:

GMS931601+GMS931600 ROM 4MB sample set, GM/GS, based on 'illegally copied' and later 'licenced' Roland SoundCanvas samples.

and further more I read here:

Re: Sound cards - from best to worst

elianda wrote on 2010-01-25, 20:40:

The Naming of the Roland Licenced are 4 MB / 32 MBit ROM: GMS963200 (as on MaxiSound64) RAM: GSSBK320.94B […]
Show full quote

The Naming of the Roland Licenced are
4 MB / 32 MBit
ROM: GMS963200 (as on MaxiSound64)
RAM: GSSBK320.94B

Also, I read that SF2 has less settings (parameters) than 94B format and thus conversion from 94B to SF2 is not lossless. I cannot find anything about 94B format specifications and thus I can neither confirm or deny such claim. Anyone here knows anything about 94B file structure?

I got interested into the above, because previously I linked forensically Microsoft Roland licensed sounds:

Re: About Roland Virtual Sound Canvas 3

to the sounds inside VSC Soundbanks. So, I wonder how the sounds inside "GSSBK320.94B" match to that.

Another interesting question is : does 94B file structure have all necessary parameters for lossless conversation from SC-55/88 Waveroms to 94B or even from VSC Soundbank to 94B (here I assume main difference betweenSC-55/88 and VSC is the resolution as VSC Soundbank is 8-bit). That looks quite interesting option.

oh man, this is bottomless rabbit hole - after I guess few hours of research it seems 94B format is not public. Sure, it's possible to be reversed-engineered even I am not sure that I want to go that way, because I have no any knowledge how synth engines work in general.

So, for example, I see 94B has "LFO1 Amplitude" and "LFO2 Amplitude" as parameters. However, if SoundCanvas use 1 or 2 (or more) LFOs, etc, I have no idea.

Also, I see in 94B things like "Envelope Generator 2 Amplitude" and "Envelope Generator 3 Amplitude" - baffles me why there is no "Envelope Generator 1" though.

Anyway, if someone knowledgeable on the subject is able based on the above to at least say if 94B is more advanced than SF2 and how it compares to SoundCanvas synth parameters that would be great. It's good at least to know where 94B stands compared to SF2 and to what parameters SoundCanvas synth uses.

Sound Canvas has two LFOs.

yawetaG wrote on 2020-12-14, 16:37:

Sound Canvas has two LFOs.

That's good. So, at least as number of LFOs ,94B format is suitable. It will really be good if someone can compare SF2 vs. 94B in regards to suitability for SoundCanvas banks, because @NewRisingSun mentioned here:

Re: About Roland Virtual Sound Canvas 3

SF2 format is lacking a lot of necessary parameters. And as I mentioned 2 posts above - I read 94B to SF2 is not lossless conversion, because SF2 is lacking some settings that 94B has, which one more time I cannot confirm, because I am not familiar with SF2 in such details.

In any way, if someone can confirm 94B is better suitable I can take the task to reverse-engineer it. I've already looked a little into that. I understand 94B is much less popular than SF2, but probably almost everyone into retro computers owns at least one sound card that supports it.

it seems that comment made in "ISA SOUNDCARD OVERVIEW" list, that I quoted here:

Re: About Roland Virtual Sound Canvas 3

not only applies to the sounds, but 94B format and synth chips that support it, look pretty Roland-centric in general, at least, to me. For example, small part of what I looked from 94B format is that each instrument in it, has "Reverb" and "Chorus" definitions that are exactly as per what I can read in SC-55/SC-88 manuals:

1Reverb, 8 types:
2Room 1, Room 2,Room 3,Hall 1,Hall 2, Plate, Delay, Panning Delay 
3
4Reverb, 8 types:
5Chorus 1,Chorus 2,Chorus 3,Chorus 4, Feedback Chorus,  Flanger, Short Delay

Also, each instrument in 94B has the following parameters:

1Reverb Send Level
2Chorus Send Level
3
4Reverb Master Level
5Chorus Master Level

and those are explained in Roland PDFs as :

1Send Level: "Sets the level of the signal sent to chorus/reverb" 
2Master Level: "Adjusts the volume of the sound that has passed through chorus/reverb"

I mean it's even significant that I am reading Roland PDFs to understand parameters defined in 94B, it's just "Roland-centric" like that.

So, in 94B each instrument has On/Off for Reverb and Chorus and if they are set to On, then each of the above parameters are defined.

Anyway, 94B is totally possible to be reverse-engineered (no doubt it's a lot of work though). However, my main point is that the small portion I looked, it just starts to feel to me it's better suited to SoundCanvas and Roland, but that could be just wrong feeling - after all I pursued only the above parameters. However, they are identical to Roland GS specs. Maybe, SF2 has the same - I don't know. However, if SF2 doesn't have such parameters than at least regarding them 94B is better suited for SoundCanvas bank.

Reverb/chorus in the Sound Canvas applies to each part - i.e. you can change the instrument assigned to a part, but the reverb/chorus settings do not change.
The reverb/chorus send level (called "depth") and master level can even be set when the effect is off. "Off" actually means "bypass effect".

Level and panning also apply to the parts.
Part level is applied relative to the Sound Canvas' master level (i.e. the volume knob setting).
In the case of panning there is an additional setting besides the value that determines where the panning is in the range of left to right: random panning, which alternates the panning each time a note sounds. Roland actually uses an invalid value for the panning parameter to set this.

I am kind of reinventing the wheel, because others came to the same conclusion:

Re: Minimalist SC-55 setup - Naive dreams about reverse engineering the SC-55

that 94B and synth chips that support it are kind of "clones" of Roland synth engine. In any way, that is like double confirmation, that most likely pretty good results could be achieved with using 94B as container for SC Waveroms.

yawetaG wrote on 2020-12-14, 21:03:

master level can even be set when the effect is off

that could be the case with 94B, as well, i.e. I am not sure if Reverb/Chorus are turned to Off, the Master level is not applied.

So, it seems based on the above other forum posts, not "GSSBK32L.94B", but "GMSBK320.94B" is the one that sounds indistinguishably from real SC when run on "Dream SAM 9407". Now, we can expect the sounds, I really think there has to be something to it, because I also found this:

https://www.eetimes.com/atmel-and-crystal-sem … oland-corp-u-s/

However, I strongly believe that while initial sounds were cloned from SoundCanvas after the lawsuit, they probably received the same sounds like Microsoft, which are what's inside VSC soundbank:

Re: About Roland Virtual Sound Canvas 3

that have to explain why Dream Roland licensed ROMs do not sounds that good and close to real SoundCanvas.

mattw wrote on 2020-12-14, 21:46:

yawetaG wrote on 2020-12-14, 21:03:

master level can even be set when the effect is off

that could be the case with 94B, as well, i.e. I am not sure if Reverb/Chorus are turned to Off, the Master level is not applied.

I was a bit confusing. There is the master level of the effect (which is one of the two parameters you quoted earlier) and the master level of the synth itself (volume knob). With effects turned off, the effect master level is turned off too (but can be set). The synth master level is always applied.
Parts (1-16, once for each MIDI channel by default) have their own level, which is set relative to the synth master level. On top of that, various MIDI parameters can affect level, most obviously the expression controller.

With regards to the two envelopes on 94B, I think that might be because on the Sound Canvas there basically are two ways of controlling the synth: via MIDI controller numbers, and via sysex (system exclusive messages). Via sysex you get a different type of control than via the MIDI controllers. While you can set the AD(S)R envelope parameters separately via regular MIDI controllers, these only affect the amplitude envelope (TVA) or filter (TVF). When you use sysex to do the same thing, both amplitude and filter are affected at once (TVA and TVF). Hence two envelopes on 94B, one of which probably can only control either TVA or TVF, and the other probably does both.
It might also be that the unmentioned envelope 1 is the combined TVA/TVF envelope via sysex, and envelopes 2 and 3 are for TVA and TVF, respectively. But I'm not sure. Can 94B handle sysex?

yawetaG wrote on 2020-12-15, 07:31:

I was a bit confusing. ...
.... combined TVA/TVF envelope via sysex, and envelopes 2 and 3 are for TVA and TVF, respectively.

many thanks for those details, since I know nothing about how synth engine works in general, those details help me to imagine fast what could possibly be going on and understand more about 94B

yawetaG wrote on 2020-12-15, 07:31:

Can 94B handle sysex?

no, there are no sysex stored in 94B format per se, but the underlying chip/hardware that is reading/using the loaded 94B supports SysEx, including all Roland GS-specific SysEx. So, I think what is happening is that things like "Reverb Send Level" and all the rest parameters I listed stored in 94B are the default value for that particular instrument (they again are set with sending SysEx to the underlying synth chip to which 94B is loaded). So, those default values can be effectively overwritten with including the necessary SysEx additionally in the MIDI stream.

Anyway, on a fresh head today, I am thinking if there is so much to suggest that "GMSBK320.94B":

Re: About Roland Virtual Sound Canvas 3

is so close to SoundCanvas, but there are all kinds of speculations about the exact source of the sounds inside it and how they were obtained. What makes most sense is to assume all parameters in "GMSBK320.94B" are correct (no need to reverse-engineer that part of 94B, at least on this stage - just trust it blindly at least for the time being) and just replace all sounds in "GMSBK320.94B" with the corresponding ones from a known source, e.g. SoundCanvas Waveroms. That will result in 94B that is quite good, if not even perfect. I guess that means we need tool that is capable to take as input 94B bank and a sound and replace with it the corresponding sound in the 94B bank - have no idea if that is hard or easy, but that's another story.

@mattw: So let us pray, that resoldering will also be successful. As you can see, desoldered ROM's from SCC-1 + desoldered Control ROM. a 74 was comming within desoldering, 3 caps are exploded (3 x 100nF) but his will not bee a problem, standard 805 caps, fine to solder. Ok, now i am making proto pcb's to read them out.

yawetaG wrote on 2020-12-12, 18:54:

Anyway, congrats with your work, it was a bit too complex for me to follow, but fascinating nonetheless. 😀

Echoing all of these sentiments!

Alex-aut wrote on 2020-12-15, 10:39:

desoldered ROM's from SCC-1 + desoldered Control ROM

I think you did good work with the desoldering - I see no damaged traces, etc. So, let's hope you can successfully read them. I do believe soldering them back will be actually easier than desoldering. In any way, after you read them I can practice again, my algo on them:

Re: About Roland Virtual Sound Canvas 3

In fact I do believe there is good chance there will be no need to even apply the algo, because maybe they use the same scrambling as SC-55 or SC-88, who knows, we will see.

Pierre32 wrote on 2020-12-15, 11:18:

yawetaG wrote on 2020-12-12, 18:54:

Anyway, congrats with your work, it was a bit too complex for me to follow, but fascinating nonetheless. 😀

Echoing all of these sentiments!

yeah, you can skip those posts that are too much information - they serve as my notes, as well I am making them public in case someone else wants to follow and/or contribute some help or additional information.

NewRisingSun and I have also been working on this, I will post our code later today. I have mapped out the various bytes and their uses that I've found so far in this google spreadsheet:

https://docs.google.com/spreadsheets/d/13LyKT … dit?usp=sharing

Currently my code generates a respectable sounding soundfont from the sc-55 roms, either MKII or MKI.
My biggest problems right now are that the TVF and TVP are difficult to match well in a soundfont.

Here is the code:

https://github.com/Kitrinx/SC55_Soundfont

It's not very tidy yet, as it changes quickly and is mostly just experimentation, but it should serve as valuable documentation.

I have thought about using some of MUNT's code to pre-apply TVP and TVF as I do with TVA (that's why the resulting soundfont is so big) to make it work with SF2 format. Really a full emulator either original or forked from MUNT would be best. I think with not much more work a really reasonably good (but not perfect) soundfont can be made though.