Patching my guitar amp's firmware


Patching my guitar amp's firmware - mforney.org

I’m having a lot of fun with reverse engineering lately, so when I was looking over the service manual for my guitar amp, a Yamaha THR10c, and saw references to a UART header in the schematic, I got excited. I wondered if anything cool was hiding in there. Next to it was a JTAG header. I knew next to nothing about JTAG, but had heard the name before associated with hardware hacking, so maybe that would be useful as well.

Yamaha THR10c

UART and JTAG headers in schematic

I had a few ideas of some changes I wanted to make to the firmware, so my main goal with this project was to find a way to dump the firmware and reflash the amp with a modified firmware.

One initial idea I had in mind was to add a way to toggle the guitar speaker simulation on and off so I could hook it up to real guitar speakers (either through a modification to add speaker out jacks, or hooking it up to a TPA3118 power amp module). While not officially supported, you can do this in the stock firmware by using a computer or phone to send a special MIDI SysEx command over USB. However, the speaker simulation reverts back to normal when you change the amp model, and the volume is raised considerably as a side-effect.

Another thing I wanted was a mode where the internal speaker would play even when the headphone port was connected (for instance, to additional speakers or a mixer).

Hardware

I opened up the amp as described in the service manual and located CB3 and CB4 on the main PCB.

Unpopulated UART and JTAG ports

Identifying and soldering the connectors

It seemed easy enough to solder on connectors to these headers, I just needed to identify which connectors to use. I measured the pin pitch of CB4 at 2mm, and CB3 at 1mm. The UART connector was pretty easy to identify as from the JST PH series (B4B-PH-K).

The JTAG connector wasn’t so obvious to me. Was it two staggered rows of 2mm pitch or one row of 1mm pitch with staggered contacts? I searched through online connector identifiers, as well as DigiKey and Mouser product indexes, but I didn’t find anything that seemed to match. I eventually noticed a similar footprint on another part of the board that used a flat flexible cable (FFC). This is why I hadn’t found it before; I didn’t think to look through FFC connectors. I saw a JST marking on that one, and I believe it is from the FMN series. Mouser didn’t have the 8-pin reverse version in stock (08FMN-BMTTR-A-TB), so I went with the compatible Molex 52808-0870.

CB3 and CB4 connectors

Once I received the new connectors in the mail, I removed the main PCB from the case and then cleared the CB4 through-holes with a solder pump. This was a bit tricky for the ground pin, which conducts heat to the ground plane very easily, but with some patience I eventually got it all clean. I then soldered on the new connectors. I don’t have much experience with SMD soldering, so CB3 gave me some trouble, but I’m happy with how it turned out.

CB3 and CB4 connectors soldered on main PCB

I fed cables for the two new connectors through slots at the back of the amp so I could close it up and still use it while working on this project.

Testing the UART

Now that I had connectors in place I hooked it up to my computer using a USB-UART cable and powered on the amp. Unfortunately, nothing was printed at all. I tried a bunch of different common baud rates and still nothing. I confirmed with an oscilloscope that there was no activity on TX.

Well, that’s a bummer. Maybe I’ll have better luck with JTAG.

JTAG

After reading more about JTAG and what it’s used for, it seemed quite promising. JTAG is a serial interface designed for hardware testing, and is commonly used for debugging embedded processors. It has four main pins, TCK, TMS, TDI, and TDO, which are used to interact with a state machine called a TAP controller. TCK, TMS, and TDI are all outputs from your JTAG adapter; TMS is used to navigate the state machine, TDI provides data input, and TCK is a clock which samples the inputs and advances to the next state. TDO is an output from the TAP controller and provides data output. Optionally, there is also a TRST pin used to reset the controller.

There are lots of diagrams showing the TAP state machine available online, and I think having a basic mental model was helpful for getting started.
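To make that mental model concrete, here is an added example (my own illustration, not code from the original post) that models the 16-state TAP controller: each TCK edge samples TMS and moves to the next state, and a small search finds the TMS sequence an adapter would clock out to reach a given state. State names are the standard IEEE 1149.1 ones; TDI/TDO shifting is not modelled.

```python
# Added example: the JTAG TAP controller state machine, driven by TMS on each TCK.
from collections import deque

# Next state for each current state, indexed by the sampled TMS bit: (TMS=0, TMS=1)
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN": ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR": ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN": ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR": ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}

def clock(state, tms):
    # One TCK edge with the given TMS value; TDI/TDO are not modelled here.
    return TAP_NEXT[state][tms]

def walk(state, tms_bits):
    # States visited, one per TCK, starting from `state`.
    states = [state]
    for tms in tms_bits:
        state = clock(state, tms)
        states.append(state)
    return states

def path_to(start, goal):
    # Shortest TMS bit sequence that moves the TAP from `start` to `goal` (BFS).
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, tms_bits = queue.popleft()
        if state == goal:
            return tms_bits
        for tms in (0, 1):
            nxt = clock(state, tms)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, tms_bits + [tms]))
    return None

# Five TCKs with TMS held high reach Test-Logic-Reset from any state, which is
# why adapters clock this out first when the TAP's current state is unknown.
RESET_TMS = [1] * 5
```

`path_to("RUN_TEST_IDLE", "SHIFT_DR")` yields the familiar 1,0,0 pattern, and `walk(s, RESET_TMS)` ends in Test-Logic-Reset for every state s.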

One of the best resources I found was a post by wrongbaud, which walked through the whole process of using JTAG with a device you know nothing about.

It seems that the most popular and well supported JTAG adapters are the FTDI FT2232H-based ones. One benefit of this chip is it has two multi-purpose channels, so I can use JTAG on one and UART on the other (assuming I could get it working). There are lots of options available here, but most of the links to these products from the UrJTAG and OpenOCD documentation were dead. I went with the FTDI FT2232H Mini Module.

FTDI FT2232H Mini Module

The JTAG header (CB3) on my...
