Thursday, December 20, 2012

Hacking the Fretlight, part 1: Reverse engineering

Today, I dug out the Fretlight Guitar I bought two years ago. It had been a while since I last played guitar, and I decided to give it a second chance.

Kick-out Guitar Pro

I checked my emails for the Guitar Pro 6 Fretlight Ready™ Linux download link. Of course, it was dead.
I went to the Fretlight website, but the Linux edition was no longer available. Google told me the new location of GuitarProFretlight-TRIAL.deb.

I installed it, and got an error. Don't ask me why, but it bundles an ancient zlib library. So I deleted that annoying /opt/Guitarpro/zlib***.so.

After realizing how dead the Linux edition's support was, and how soon it would break on newer distros, I finally got Guitar Pro running.

But the experience turned out to be really painful: all you get is a blinking neck. Your fingers will never be smart enough to learn from the lights.

So I decided I could do better than that. But it required getting full control over the Fretlight.

Reverse-engineering fun

This is the exciting hacker stuff. You've got a light-up guitar, chained by USB to your computer, on which some obscure software is running. Of course, you have no idea what's going on inside. But we'll see how to find out.

The KGB agent: usbmon

First thing we need is a spy. There are some atomic weapon recipes we need to discover in the USB communications. Pretty cool: the Linux kernel comes with a handy option for debugging USB. It's called usbmon.

So, before playing, you should modprobe usbmon.
Then list your devices: cat /sys/kernel/debug/usb/devices

Here it is, on bus 03:
T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 60 Spd=1.5 MxCh= 0
D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
P: Vendor=0925 ProdID=2000 Rev= 0.01
S: Manufacturer=OPTEK Music Systems, Inc.
S: Product=OPTEK Fretlight Guitar

C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=450mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=03(HID ) Sub=00 Prot=00 Driver=(none)
E: Ad=81(I) Atr=03(Int.) MxPS= 1 Ivl=50ms
E: Ad=02(O) Atr=03(Int.) MxPS= 7 Ivl=10ms

For the real geek, you can get a lot of raw dump from cat /sys/kernel/debug/usb/usbmon/3 (remember bus 03?).

f3c16600 3524174352 S Ii:3:060:1 -115:32 1 <
f3c16600 3524202258 C Ii:3:060:1 0:32 1 = 03
f48456c0 3524202455 S Io:3:060:2 -115:8 7 = 2aa3139a 32ce01
f48456c0 3524206253 C Io:3:060:2 0:8 7 >
f48456c0 3524206373 S Ii:3:060:1 -115:32 1 <
f48456c0 3524266272 C Ii:3:060:1 0:32 1 = 03
f3c16600 3524266489 S Io:3:060:2 -115:8 7 = a5fb4731 237602
f3c16600 3524270255 C Io:3:060:2 0:8 7 >
f3c16600 3524270378 S Ii:3:060:1 -115:32 1 <
f3c16600 3524298264 C Ii:3:060:1 0:32 1 = 03
f3c16600 3524298433 S Io:3:060:2 -115:8 7 = e2b75463 4e5b03
f3c16600 3524302259 C Io:3:060:2 0:8 7 >

Nice, ain't it?

But since only a few people can read through the Matrix, you most likely want some help.

Wireshark, the stripping goggles.

This is a tool I used some years ago, mostly for stealing MSN passwords, unencrypted over the network.

Once your kernel has usbmon loaded, Wireshark becomes interesting for our USB-related projects:
Then select that bus, start recording, plug in your Fretlight, and start Guitar Pro.

You get the same dump as before, but in a more human-readable format:


So you can see what kind of messages are exchanged.

Master the rules

Here, we have some "settings" transactions, and then a lot of URB_INTERRUPT packets, both in and out.

Those interrupts contain data (see "Leftover Capture Data" in the screenshot above).
When sending out (Guitar Pro to Fretlight), we get 7 bytes of data.
When receiving in (Fretlight to Guitar Pro), we get 1 byte of data.

It's easy to guess that "out" is the lights and "in" is the pedal switches.

There are 3 patterns of "out":
XX XX XX XX XX XX 01
XX XX XX XX XX XX 02 and
XX XX XX XX XX XX 03

And when changing the song Guitar Pro is playing, those XX are replaced by other hexadecimal values, depending on which lights are on.

"in" is much easier:
There are 4 possible values: 00: none, 01: switch A, 02: switch B, 03: both (1+2)
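As an added example (not code from the post), here is a small Python decoder that applies the "in"/"out" rules just worked out to the usbmon lines above: it keeps only the interrupt URBs that carry data for device 60, splits each 7-byte out report into its six light bytes and the trailing pattern number, and maps each 1-byte in report to the pedal state. The field layout in the regex follows usbmon's text format; the sample lines are taken from the dump above.

```python
import re
from dataclasses import dataclass

# One usbmon 'u'-format line: tag, timestamp, event (S/C/E), address (type+dir:bus:dev:ep),
# status[:interval], data length, data tag (<, > or =) and the data words.
USBMON_RE = re.compile(
    r"^(?P<tag>[0-9a-f]+)\s+(?P<ts>\d+)\s+(?P<event>[SCE])\s+"
    r"(?P<type>[CBIZ])(?P<dir>[io]):(?P<bus>\d+):(?P<dev>\d+):(?P<ep>\d+)\s+"
    r"(?P<status>-?\d+(?::\d+)*)\s+(?P<len>\d+)\s*(?P<dtag>[<>=])?\s*(?P<data>[0-9a-f ]*)$"
)
PEDAL_NAMES = {0: "none", 1: "switch A", 2: "switch B", 3: "both"}

@dataclass
class LightFrame:          # Guitar Pro -> Fretlight, endpoint 02, 7 bytes
    ts: int
    pattern: int           # trailing byte 01, 02 or 03: which of the three "out" patterns
    lights: bytes          # the six XX bytes that change with what is lit

@dataclass
class PedalEvent:          # Fretlight -> Guitar Pro, endpoint 81, 1 byte
    ts: int
    state: int             # bit 0 = switch A, bit 1 = switch B
    name: str

def decode_fretlight(text, dev=60):
    """Yield decoded Fretlight reports from a usbmon text dump, ignoring other devices."""
    for line in text.splitlines():
        m = USBMON_RE.match(line.strip())
        # Only interrupt URBs that actually carry data ('='): S for out, C for in.
        if not m or m["type"] != "I" or m["dtag"] != "=" or int(m["dev"]) != dev:
            continue
        payload = bytes.fromhex(m["data"].replace(" ", ""))
        ts = int(m["ts"])
        if m["dir"] == "o":
            if len(payload) != 7 or payload[6] not in (1, 2, 3):
                raise ValueError(f"unexpected out report at {ts}: {payload.hex()}")
            yield LightFrame(ts, payload[6], payload[:6])
        else:
            if len(payload) != 1 or payload[0] > 3:
                raise ValueError(f"unexpected in report at {ts}: {payload.hex()}")
            yield PedalEvent(ts, payload[0], PEDAL_NAMES[payload[0]])

# Sample input: six lines copied from the usbmon dump above (bus 3, device 60).
SAMPLE_DUMP = """\
f3c16600 3524174352 S Ii:3:060:1 -115:32 1 <
f3c16600 3524202258 C Ii:3:060:1 0:32 1 = 03
f48456c0 3524202455 S Io:3:060:2 -115:8 7 = 2aa3139a 32ce01
f48456c0 3524206253 C Io:3:060:2 0:8 7 >
f3c16600 3524266489 S Io:3:060:2 -115:8 7 = a5fb4731 237602
f3c16600 3524298433 S Io:3:060:2 -115:8 7 = e2b75463 4e5b03
"""
```

Run `list(decode_fretlight(SAMPLE_DUMP))` to get one PedalEvent ("both") followed by the three light frames with patterns 1, 2 and 3.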

So we have enough clues. It's time to start experimenting.

Taking control

To be continued...