Something is rotten in the state of Intel. Over the last decade or so, Intel has dedicated enormous efforts to the security of their microcontrollers. For Intel, this is the only logical thing to do; you really, really want to know if the firmware running on a device is the firmware you want to run on a device. Anything else, and the device is wide open to balaclava-wearing hackers.
Intel’s first efforts toward cryptographically signed firmware began in the early 2000s with embedded security subsystems using Trusted Platform Modules (TPM). These small crypto chips, along with the BIOS, form the root of trust for modern computers. If the TPM is secure, the rest of the computer can be secure, or so the theory goes.
The TPM model has been shown to be vulnerable to attack, though. Intel’s solution was to add another layer of security: the (Intel) Management Engine (ME). Extremely little is known about the ME, except for some of its capabilities. The ME has complete access to all of a computer’s memory, its network connections, and every peripheral connected to a computer. It runs when the computer is hibernating, and can intercept TCP/IP traffic. Own the ME and you own the computer.
There are no known vulnerabilities in the ME to exploit right now: we’re all locked out of the ME. But that is security through obscurity. Once the ME falls, everything with an Intel chip will fall. It is, by far, the scariest security threat today, and it’s one that’s made even worse by our own ignorance of how the ME works.
Some people collect stamps. Others collect porcelain miniatures. [David Viens] collects voice synthesizers and their ROMs. In this video, he just got his hands on the ultra-rare Electronic Voice Alert (EVA) from early 1980s Chrysler automobiles (video embedded below the break).
Back in the 1980s, speech synthesis was in its golden years following the development of TI’s linear-predictive coding speech chips. These are the bits of silicon that gave voice to the Speak and Spell, numerous video game machines, and the TI 99/4A computer’s speech module. And, apparently, some models of Chrysler cars.
The board appears to have a socket for a TMS-series voice synthesizer chip and another slot for the ROM. It looks like an FTDI 2232 USB-serial converter is being used in bit-bang mode with some custom code driving everything, and presumably sniffing data in the middle. We’d love to see a bunch more detail.
The best part of the video, aside from the ROM-dumping goodness, comes at the end when [David] tosses the ROM’s contents into his own chipspeech emulator and starts playing “your engine oil pressure is critical” up and down the keyboard. Fantastic.
Bringing old things back to life holds a great sense of joy for most people. The never ending pursuit of recapturing our youth leads us down roads we’ve long forgotten. Along the way, we tend to bump into forgotten memories which jostle other forgotten memories which allows us to relive happy times we haven’t thought of in years, sometimes even decades. For some, the roar of a 351 small block sweeps them back to high school and the fast nights of cruising down main street with the FM radio cranked up as high as it would go. For those of us who were born in the 80’s and 90’s, video games can bring back such memories. Who among us can forget our first encounter with Link, the elegant theme music of Final Fantasy or up-up-down-down-left-right-left-right-b-a-select-start?
Advances in processor technology has allowed us to relive our favorite games via emulators – programs that emulate processors of older computers. The games are ‘dumped’ from the ROM chips (where they are stored) into files. These game files can then be loaded into the emulator program, which allows you to play the game as if you were playing it on the original system.
Technology is truly a beautiful thing. It allows us to move forward, allows us to do today that which was not possible yesterday. There are a few cases, however, where this paradigm does not hold true. One of these has to do with the Nintendo Entertainment System and its “Zapper” gun controller. The NES was the most popular game console of its time, and rightfully so. From the minds of Nintendo engineers, programmers and audio experts came some of the best video games ever made. Unfortunately, some of these great games cannot be played on your Raspberry Pi favorite emulator due to the incompatibility of the Zapper gun and modern digital monitors. None of us can forget the fun that Duckhunt brought. The game came as standard issue with all NES systems, so we’ve all played it. But its nostalgia is currently entombed by a technological quirk that has yet to be solved.
From one hacker to another – this can no longer be tolerated. First, we’re going to learn how the Zapper works and why it doesn’t work with digital displays. Then we’re going to fix it.
[ijsf] recently came across a very old synthesizer from a defunct West German company. This was one of the first wavetable synths available, and it’s exceptionally rare. Being so rare, there isn’t much documentation on the machine. In an attempt at reverse engineering, [ijsf] decided to dump the EPROMs and take a peek at what made this synth work. There wasn’t an EPROM programmer around to dump the data, but [ijsf] did have a few ARM boards around. It turns out building a 27-series PROM dumper is pretty easy, giving [ijsf] an easy way to dig into the code on this machine.
The old EPROMs in this machine have 5v logic, so [ijsf] needed to find a board that had a ton of IOs and 5v tolerant inputs. He found the LPC2148, which has a nice USB system that can be programmed to dump the contents of a PROM over serial. Interfacing the PROM is as simple as connecting the power and ground, the address lines, data, and the signal lines. After that, it’s just a matter of stepping through every address according to the timing requirements of the PROM. All the data was dumped over a serial interface, and in just a few seconds, [ijsf] had 32768 bytes of ancient data that made this old synth tick.
For one reason or another, [Dragao] has an old Sonic The Hedgehog cartridge that throws an illegal instruction somewhere in the Marble Zone stage. While the cause of this illegal instruction is probably cosmic rays, how to repair this cartridge isn’t quite as clear. It can be done, though, using BIOS chips from an old computer.
[Dragao] got the idea of repairing this cartridge from Game Boy flash carts. These cartridges use chips that are a simple parallel interface to the address and data lines of the Game Boy’s CPU, and Sega Genesis / Mega Drive flash cart would work the same way. The problem was finding old DIP flash chips that would work. He eventually found some 8-bit wide chips on the motherboard of an old computer, and by stacking the chips, he had a 16-bit wide Flash chip.
To program the chips, [Dragao] wired everything up to an Arduino Mega, put a ROM on the chip, and wired it up to the old Sega cartridge. Surprisingly or unsurprisingly, everything worked, and now [Dragao] has a fully functioning copy of Sonic The Hedgehog.
The Macintosh Classic – a small all-in-one computer with a 9″ monochrome screen – was one of the more interesting machines ever released by Apple. It was the company’s first venture into a cost-reduced computer, and the first Macintosh to sell for less than $1000. Released in 1990, its list of features were nearly identical to the Macintosh Plus, released four years earlier. The Classic also had an interesting feature not found in any other Mac. It could boot a full OS, in this case System 6.0.3, by holding down a series of keys during boot. This made it an exceptional diskless workstation. It was cheap, and all you really needed was a word processor or spreadsheet program on a 1.44 MB floppy to do real work.
[Steve] over at Big Mess O’ Wires had the same idea as the Apple engineers back in the late 80s. Take a Macintosh Plus, give it a bit more ROM, and put an OS in there. [Steve] is going a bit farther than those Apple engineers could have dreamed. He’s built a rewritable ROM disk for the Mac Plus, turning this ancient computer into a completely configurable diskless workstation.
The build replaces the two stock ROM chips with an adapter board filled with 29F040B Flash chips. They’re exactly what you would expect – huge, old PDIPs loaded up with Flash instead of the slightly more difficult to reprogram EEPROM. Because of the additional space, two additional wires needed to connected to the CPU. The result is a full Megabyte of Flash available to the Macintosh at boot, in a computer where the normal removable disk drive capacity was only 800kB.
The hardware adapter for stuffing these flash chips inside a Mac Plus was made by [Rob Braun], while the software part of this build came from [Rob] and [Doug Brown]. They studied how the Macintosh Classic’s ROM disk driver worked, and [Rob Braun] developed a stand-alone ROM disk driver with a new pirate-themed startup icon. [Steve] then dug in and created an old-school Mac app in Metrowerks Codewarrior to write new values to the ROM. Anything from Shufflepuck to Glider, to a copy of System 7.1 can be placed on this ROM disk.
This isn’t the first time we’ve seen ROM boot disks for old Macs. There was a lot of spare address space floating around in the old Mac II-series computers, and [Doug Brown] found a good use for it. Some of these old computers had optional ROM SIMM. You can put up to 8 Megabytes in the address space reserved for the ROM, and using a similar ROM disk driver, [Doug] can put an entire system in ROM, or make the startup chime exceptionally long.
[nitro2k01] got his hands on a Game Fighter, a clone of the original Game Boy. While there’s a ton of information about the boot ROM and operation of the original Game Boy, not much is known about these clones. [nitro2k01] wanted to learn more, so he used a clock-glitching technique to dump the device’s ROM and made some interesting discoveries about its copyright protection and boot process along the way.
Reading the contents of the Game Boy ROM is a bit challenging. The ROM is readable while booting, but afterwards the address space of the ROM is remapped for interrupt vectors and other uses. There are a couple of methods to get around this, but the simplest method involves glitching the crystal by grounding one of its leads. This causes the CPU to jump to random locations in memory. Eventually the CPU will jump to a location where the boot ROM is accessible (if you’re lucky!).
Although [nitro2k01]’s clone can run the same games as the Game Boy, it has a different boot ROM and also has some significant hardware differences. [nitro2k01] managed to use a modified version of the crystal-grounding technique to glitch his clock and dump the clone’s boot ROM. He found that the clone uses an unusual variation on the Game Boy’s copyright-checking technique, along with some other oddities. [nitro2k01] also posted a disassembly of the boot ROM, which he explains in detail.