Remoticon 2021 // Jeroen Domburg [Sprite_tm] Hacks The Buddah Flower

Nobody likes opening up a hacking target and finding a black epoxy blob inside, but not all hope is lost. At least not if you’ve got the dedication and skills of [Jeroen Domburg], alias [Sprite_tm].

It all started when [Big Clive] ordered a chintzy Chinese musical meditation flower and found a black blob. But tantalizingly, the shiny plastic mess also included a 2 MB flash EEPROM. The question then is: can you replace its contents with your own music? Spoiler: yes, you can! [Sprite_tm] and a team of Buddha Chip Hackers distributed across the globe got to work. (Slides here.)

[Jeroen] started off with binwalk and got, well, not much. The data that [Big Clive] dumped had high enough entropy that it looked either random or encrypted, with the exception of a couple of tiny sections. Looking more closely at the data, though, there was some structure. [Jeroen] smelled shitty encryption. Now in principle, there are millions of bad encryption methods out there for every good one. But in practice, naive cryptographers tend to gravitate to a handful of bad patterns.

Bad pattern number one is XOR. Used correctly, XOR can be a force for good, but XOR your keystream with zeros and you get the keystream straight back as your ciphertext. And this data had a lot of zeros in it. That is why there were many long strings that started out the same: the zero-filled regions exposed the keystream itself, which then seemed to go on forever as if it were pseudo-random. Bad crypto pattern number two is using a linear-feedback shift register for your pseudo-random numbers, because the parameter space (the register’s seed and tap positions) is small enough that [Sprite_tm] could just brute-force it. At the end, he points out their third mistake: making the encryption so fun to hack on that it kept him motivated!
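To make the two bad patterns concrete, here is an added example (my code, not [Sprite_tm]’s tooling and not the flower’s real scheme): a toy image is XOR-encrypted with a 16-bit Fibonacci LFSR that restarts at every sector, the keystream is read back out of the zero-filled sectors, and the generator’s seed and taps are brute-forced. The sector size, the LFSR form and width, the candidate tap masks, the secret seed and the sample image are all assumptions. The keystream recovery is a slightly more general form of the “strings that start out the same” observation: it takes a majority vote across sectors at each offset instead of eyeballing repeats.

```python
"""Added example (not the flower's real scheme): XOR keystream leaked by zeros,
then brute force of the LFSR that generated it."""
from collections import Counter

WIDTH = 16                   # assumed LFSR width
MASK = (1 << WIDTH) - 1
SECTOR = 32                  # assumed: the generator restarts at every sector
PARITY = bytes(bin(i).count("1") & 1 for i in range(1 << WIDTH))  # parity lookup table

# Assumed Fibonacci (right-shifting) tap masks the attacker is willing to try.
TAP_CANDIDATES = (0x0003, 0x0011, 0x002D, 0x0039)


def lfsr_keystream(seed, taps, nbytes):
    """Emit bit 0, shift right, feed parity(state & taps) in at the top.
    Each keystream byte packs eight successive output bits, MSB first."""
    state, out = seed & MASK, bytearray()
    for _ in range(nbytes):
        b = 0
        for _ in range(8):
            b = (b << 1) | (state & 1)
            state = (state >> 1) | (PARITY[state & taps] << (WIDTH - 1))
        out.append(b)
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_image(plain, seed, taps):
    """The flaw: every sector is XORed with the same keystream because the LFSR
    is re-seeded at each sector boundary. XOR is its own inverse, so this also decrypts."""
    ks = lfsr_keystream(seed, taps, SECTOR)
    return b"".join(xor_bytes(plain[i:i + SECTOR], ks) for i in range(0, len(plain), SECTOR))


def recover_keystream(cipher):
    """Bad pattern 1: zeros XOR keystream == keystream. Free and padded space is
    mostly zero and the keystream repeats per sector, so the byte seen most often
    at each sector offset is the keystream byte. Returns (guess, votes per offset)."""
    sectors = [cipher[i:i + SECTOR] for i in range(0, len(cipher), SECTOR)]
    guess, votes = bytearray(), []
    for off in range(SECTOR):
        byte, n = Counter(s[off] for s in sectors).most_common(1)[0]
        guess.append(byte)
        votes.append(n)
    return bytes(guess), votes


def brute_force_lfsr(known, tap_candidates=TAP_CANDIDATES):
    """Bad pattern 2: a 16-bit seed times a few tap masks is a tiny space.
    Regenerate the keystream per candidate, aborting at the first wrong byte."""
    for taps in tap_candidates:
        for seed in range(1, 1 << WIDTH):       # seed 0 is the all-zero stuck state
            state, ok = seed, True
            for k in known:
                b = 0
                for _ in range(8):
                    b = (b << 1) | (state & 1)
                    state = (state >> 1) | (PARITY[state & taps] << (WIDTH - 1))
                if b != k:
                    ok = False
                    break
            if ok:
                return seed, taps
    return None


def build_sample_image():
    """Constructed 8-sector 'filesystem': three used sectors, five free (all zero)."""
    entries = [b"BUDDHAFS v1", b"track01.wma", b"track02.wma"]
    return b"".join([e.ljust(SECTOR, b"\x00") for e in entries] + [bytes(SECTOR)] * 5)


def run_attack(cipher):
    """Ciphertext only: recover keystream, brute-force the generator, decrypt."""
    ks, _votes = recover_keystream(cipher)
    found = brute_force_lfsr(ks)
    if found is None:
        return None
    seed, taps = found
    return seed, taps, encrypt_image(cipher, seed, taps)


SECRET_SEED, SECRET_TAPS = 0x3A7C, 0x002D   # assumed secrets, unknown to run_attack

if __name__ == "__main__":
    plain = build_sample_image()
    cipher = encrypt_image(plain, SECRET_SEED, SECRET_TAPS)
    seed, taps, recovered = run_attack(cipher)
    print(f"seed=0x{seed:04X} taps=0x{taps:04X} decrypted_ok={recovered == plain}")
```

The brute force checks all 32 recovered keystream bytes (256 bits) against each candidate, so a wrong seed/tap pair cannot slip through, and the early abort means almost every candidate dies after its first byte. Note a further weakness of this particular output convention: the first 16 bits shifted out are the seed itself (bytewise bit-reversed), so anyone who can read a zero-filled region learns the seed outright and only the taps are left to search.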

Decrypted, the EEPROM data was a filesystem, and the machine code in it turned out to be for an 8051. But there was still the issue of the code resident in the microcontroller’s ROM. So [Sprite_tm] bought one of these flowers and started probing around the black blob itself. He wrote a dumper program that output the internal ROM’s contents over SPI. Ghidra did a good job disassembling it, and that let him figure out how the memory was laid out and how the control flow worked. He also discovered a “secret” ROM area in the chip’s flash, which he found by calling some random functions and looking for side effects. The first hit turned out to be a memcpy. Sweet.

[Neil555]’s Rosetta Stone
Meanwhile, the Internet was still working on this device, and [Neil555] bought a flower too. But this one had a chip rather than a blob, and identifying the part led them to an SDK, which includes an audio suite that uses a derivative of WMA audio encoding. That was enough to get music loaded into the flower. (Cue a short rick-rolling.) Victory!

Well, victory if all you wanted to do was hack your own music onto the chip. As a final fillip, [Sprite_tm] mashed the reverse-engineered schematic of the Buddha Flower together with [Thomas Flummer]’s very nice DIY Remoticon badge, and uploaded our very own intro theme music into the device on the badge. Bonus points? He added LEDs that blink out the state of the LFSR responsible for the “encryption”. Sick burn!

Editor’s Note: This is the last of the Remoticon 2 videos we’ve got. Thanks to all who gave presentations, to all who attended and participated in the lively Discord back channel, and to all you out there who keep the hacking flame alive. We couldn’t do it without you, and we look forward to a return to “normal” Supercon sometime soon.

The Game Boy As You Have Never Seen It Before Is Newest From [Sprite_tm]

Explain a Game Boy to a child in 2021 and they’ll have little idea of how much impact that chunky grey brick had back in the day. Search for a YouTube video to demonstrate, and you might find the one we’ve put below the break. It starts with the classic Tetris on the Game Boy, then moves on to Super Mario World before treating us to Sonic the Hedgehog, and finally Doom. All seminal games of the Game Boy’s heyday, with one small problem. The last three were never Game Boy titles, and certainly wouldn’t have run on the device’s limited hardware. Most of you will by now not be surprised to find that the narrator is none other than [Sprite_tm], and his Game Boy has one of the nicest Raspberry Pi conversions we’ve ever seen.

Given his previous work we expected the cartridges to have an ESP32 on board that somehow mapped into Game Boy display memory, but in fact he’s swapped the original Nintendo motherboard for a replacement carrying an ICE40 FPGA on one side to handle the Nintendo hardware and a Pi Zero on the other to do the heavy lifting. Insert a Game Boy cartridge and it emulates the original to the point you’d never suspect it wasn’t the real thing, but insert one of the non-Game Boy cartridges and it passes an identifier to the Pi, which launches a script to run the appropriate Pi code. So the Mario and Sonic games are running in Pi-based emulators, and Doom is running natively on the Pi. It gives the appearance of a seamless gaming experience, wherein lies its charm.

This project certainly has the quality we’ve come to expect from Sprite, and a quick flick through these pages will show plenty of previous examples. One of the most recent was a miniature working DEC VT100 terminal containing an emulated PDP minicomputer.

Continue reading “The Game Boy As You Have Never Seen It Before Is Newest From [Sprite_tm]”

Machine Inside Of A Chip: How Sprite_TM Built The FPGA Game Boy Badge

Kids of the 1990s would call you a liar if you told them that within thirty years you’d go to a conference and be handed a Super Nintendo Entertainment System to wear around your neck. But that’s what happened with the badge Jeroen Domburg, aka [Sprite_TM], designed for the 2019 Hackaday Superconference. It’s built in the Game Boy form factor, complete with a cartridge slot, beautiful screen, and the familiar button layout. But there’s so much more here, like the HDMI port on the bottom and the ability to completely reconfigure the device by dropping a binary file onto it over USB.

Of course what makes this possible is the FPGA at the heart of the design. The story of how the badge was developed is shared in great detail during Sprite’s Supercon talk. The timeline, the hardware choices, and the oopses along the way make for a great story. But what you really don’t want to miss is how he built the machine inside of the FPGA — the collection of Verilog code known as “gateware” that brings together the System-on-a-Chip (SoC). From his delight at being able to spawn more processor cores by changing a single variable, to the fascinating SNES-inspired graphics subsystem, the inside story shared below is even more interesting than the physical device itself.

Continue reading “Machine Inside Of A Chip: How Sprite_TM Built The FPGA Game Boy Badge”

Sprite_TM’s Magic Paintbrush

When it comes to hackers we love, there’s no better example than Jeroen Domburg, a.k.a. Sprite_TM. Sprite’s now working for Espressif, makers of the fantastic ESP8266 and ESP32, where he created a miniature Game Boy and turned this PocketSprite into a real product. He’s installed Linux on a hard drive, and created a Matrix of virtualized Tamagotchis. In short, if you’re looking for someone who’s building the coolest, most technical thing of sometimes questionable utility, you need look no further than Sprite_tm.

Sprite was back at this year’s Superconference, and again he’s bringing out the big guns with awesome hardware hacks. This time, though, Sprite is tapping into his artistic side. Sprite is very accomplished in making PCB art and DaveCAD drawings, but actual art is something that’s been out of reach. No problem, because you can just buy an inkjet printer and make your own art. Sprite’s doing something different, and he’s turning his inkjet into a Magic Paintbrush.

Continue reading “Sprite_TM’s Magic Paintbrush”

Hack Chat: The Incredible Sprite_tm And The ESP32

This Friday at 5pm PST, [Sprite_tm] will be leading a Hack Chat talking about the ESP32.

[Sprite_tm] should require no introduction, but we’re going to do it anyway. He can install Linux on a hard drive. He can play video games on his keyboard. He built the world’s tiniest Game Boy, and gave the greatest talk I’ve ever seen. Right now, [Sprite] is in China working on the guts of the ESP32, the next great WiFi and Bluetooth uberchip.

[Sprite] recently packed his bags and headed over to Espressif, creators of the ESP32. He’s one of the main devs over there, and he’s up to his neck in the varied and weird peripherals contained in this chip. His job includes porting NES emulators to a WiFi-enabled microcontroller. If you want to learn about the latest and greatest microcontroller, this is the guy you want to talk to, and he’s taking all questions.

Note that we usually do these things earlier in the day but this week we start rolling at 5 PM Pacific Friday to help match up with [Sprite’s] timezone. You can figure out when this event will happen with this handy time and date converter.

Here’s How To Take Part:

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging. Log into hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

And Tindie Too

In addition to [Sprite]’s Hack Chat on Friday, we’re going to have a Tindie Chat in the Tindie Dog Park on Friday at noon, Pacific time. You can figure out when that’ll be in your local time by following this link.

In the Tindie Chat, we’re going to be talking about all the aspects of selling hardware on Tindie. This is a phenomenal community that keeps on growing, and right now there’s some really, really cool hardware being offered up from makers and creators around the world.

Upcoming Hack Chats

We have a few more Hack Chats on the books. On February 10th, we’ll be talking RF with [Jenny List]. Sparkfun will be around for a Hack Chat on February 17th. If stats are your thing, we’ll have a chat on the ins and outs of R in a few weeks.

[Sprite_tm] Gives Near Death VFD A Better Second Life

[Sprite_tm] picked up some used VFD displays for cheap, and wanted to make his own custom temperature and air-quality display. He did that, of course, but turned it into a colossal experiment in re-design to boot. What started out as a $6 used VFD becomes priceless with the addition of hours of high-powered hacking mojo.

You see, the phosphor screen had burnt-in spots where the old display had been left static for too long. A normal person would either live with it or buy new displays. [Sprite_tm] ripped out the old display driver and drives the row and column shift registers using the DMA module on a Raspberry Pi 2, coding up his own fast PWM/BCM hybrid scheme that can do greyscale.

He mapped out the individual pixels using a camera and post processing in The Gimp to establish the degradation of burnt-in pixels. He then re-wrote a previous custom driver project to compensate for the pixels’ inherent brightness in firmware. After all that work, he wrapped the whole thing up in a nice wooden frame.

There’s a lot to read, so just go hit up his website. High points include the shift-register-based driver transplant, the bit-angle modulation that was needed to get the necessary bit-depth for the grayscale, and the PHP script that does the photograph-based brightness correction.

Picking a favorite [Sprite_tm] hack is like picking a favorite ice-cream flavor: they’re all good. But his investigation into hard-drive controller chips still makes our head spin just a little bit. If you missed his talk about the Tamagotchi Singularity from the Hackaday SuperCon, drop what you’re doing and watch it now.

[Sprite_TM]’s Keyboard Plays Snake

Hackaday Prize judge, hacker extraordinaire, and generally awesome dude [Sprite_TM] spends a lot of time at his computer, and that means a lot of time typing on his keyboard. He recently picked up a board with the latest fad in the world of keyboards, individually addressable LEDs. He took this board to work and a colleague jokingly said, “You’ve had this keyboard for 24 hours now, and it has a bunch of LEDs and some arrow keys. I’m disappointed you haven’t got Snake running on it yet.” Thus began the quest to put the one game found on all Nokia phones on a keyboard.

The keyboard in question is a Coolermaster Quickfire Rapid-I, a board that’s marketed as having an ARM Cortex CPU. Pulling apart the board, [Sprite] found a bunch of MX Browns, some LEDs, and a 72MHz ARM Cortex-M3 with 127k of Flash and 32k of RAM. That’s an incredible amount of processing power for a keyboard, and after finding the SWD port, [Sprite] attempted to dump the Flash. The security (readout protection) bit was set, so the debug port wouldn’t give up the code. There was another way, however.

Coolermaster is actively working on the firmware, killing bugs, adding lighting modes, and putting all these updates on their website. The firmware updater is distributed as an executable in US and EU versions; the EU version has another key. Figuring the only difference between these versions would be the firmware itself, [Sprite] got hold of both versions, did a binary diff, and found that only one 16k block of data at the end of the file differed. There’s the firmware. It was XOR encrypted, but that’s obvious if you know what to look for: any zero-filled region XORed with the key hands you the key material straight back.
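As an added illustration of what “obvious if you know what to look for” means for a firmware blob (my code, not [Sprite]’s tooling; the 8-byte repeating key, the image layout and the STM32-style address ranges used for the sanity check are all assumptions, not the Cooler Master format): zero padding makes the key repeat verbatim in the ciphertext, so the autocorrelation of the blob peaks at multiples of the key length, the most frequent byte at each key position is the key byte, and a Cortex-M vector-table check confirms that the result is a real image rather than noise.

```python
"""Added example (assumed key, layout and address ranges; not the Cooler Master
format): spotting and stripping a repeating-key XOR on a firmware blob."""
import random
import struct

MAX_KEY_LEN = 32
SAMPLE_KEY = bytes.fromhex("5ac33ca50ff06996")   # assumed 8-byte key, unknown to the attack


def xor_repeating(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def lag_scores(cipher, max_lag=MAX_KEY_LEN):
    """Fraction of positions with cipher[i] == cipher[i + lag]. Firmware is full of
    zero padding, and zeros XOR key == key, so the ciphertext repeats with the key's
    period: lags that are multiples of the key length score far above ~1/256."""
    n = len(cipher)
    return {lag: sum(cipher[i] == cipher[i + lag] for i in range(n - lag)) / (n - lag)
            for lag in range(1, max_lag + 1)}


def guess_key_length(cipher, max_lag=MAX_KEY_LEN):
    """Smallest lag that scores within a factor of two of the best one
    (multiples of the true length score about as well as the length itself)."""
    scores = lag_scores(cipher, max_lag)
    best = max(scores.values())
    return min(lag for lag, s in scores.items() if s >= best / 2)


def recover_key(cipher, key_len):
    """At each key position the most frequent ciphertext byte is key[j] ^ 0x00."""
    key = bytearray()
    for j in range(key_len):
        column = cipher[j::key_len]
        key.append(max(set(column), key=column.count))
    return bytes(key)


def looks_like_cortex_m_image(blob):
    """Sanity check: a Cortex-M image starts with the initial stack pointer (in SRAM)
    and the reset handler (odd Thumb address in flash). Ranges assumed STM32-like."""
    sp, reset = struct.unpack_from("<II", blob, 0)
    return (0x20000000 <= sp < 0x20100000 and 0x08000000 <= reset < 0x08100000
            and reset & 1 == 1)


def strip_xor(cipher):
    """Ciphertext only: infer key length, recover key, decrypt."""
    key = recover_key(cipher, guess_key_length(cipher))
    return key, xor_repeating(cipher, key)


def build_sample_firmware(size=4096, code_len=1800, rng_seed=7):
    """Constructed image: 16-entry vector table, pseudo-random bytes standing in for
    Thumb code, and zero padding out to the image size."""
    vectors = [0x20008000, 0x08000101] + [0x08000141 + 8 * i for i in range(14)]
    rng = random.Random(rng_seed)
    code = bytes(rng.getrandbits(8) for _ in range(code_len))
    return (struct.pack("<16I", *vectors) + code).ljust(size, b"\x00")


if __name__ == "__main__":
    cipher = xor_repeating(build_sample_firmware(), SAMPLE_KEY)
    key, fw = strip_xor(cipher)
    print(f"key={key.hex()} plausible_image={looks_like_cortex_m_image(fw)}")
```

The same approach breaks down when the image has little padding or when the key is as long as the image (a true one-time pad); the lag scores then never rise above the random baseline, which is itself a useful negative result. On a real dump you would run the vector-table check before trusting the recovered key, because the most frequent byte per position can also be 0xFF where erased flash was captured rather than zero padding.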

The firmware wasn’t complete, though; there were jumps to places outside the code [Sprite] had, and a large block looked corrupted. There’s another thing you can do with an executable file: run it. With USBPcap capturing in the background while the firmware updater ran, [Sprite] could read exactly what was sent to the keyboard during an update. With a small executable that gets around the weirdness of the updater, [Sprite] had a backup copy of the keyboard’s firmware. Even if he bricked the keyboard, he could always bring it back to a stock state. It was time to program Snake.

The first part of writing new firmware was finding a place with some free Flash and RAM to hold the new code. This wasn’t hard; there was 64k of Flash free and 28k of unused RAM. To get the Snake routine called at all, existing calls in the original firmware were redirected to it. If, for example, the original firmware had a call to change the PWM, [Sprite] could point that call at the Snake routine instead.

Snake is fun, but with a big, powerful ARM in a device that people just plug into their computer, there’s a lot more you can do with a hacked keyboard. A keylogger or a BadUSB-style attack is entirely possible, especially with firmware that can be updated from the host. To counter that, [Sprite] added a physical-presence requirement for entering Flash mode: the firmware will now only accept an update for about 10 seconds after the fn+f key combination is pressed.

There’s more to playing Snake on a keyboard; Sprite has also written a new lighting mode, a fluid simulation thingy that will surely annoy anyone who can’t touch type. You can see the videos of that below.

Continue reading “[Sprite_TM]’s Keyboard Plays Snake”