How To Add More Games to the NES Classic

The hype around the NES Classic in 2016 was huge, and as expected, units are already selling for excessively high prices on eBay. The console shipped with 30 games pre-installed, primarily first-party releases from Nintendo. But worry not — there’s now a way to add more games to your NES Classic!

Like many a good hack, this one spawned from a forum community. [madmonkey] posted on about their attempts to load extra games into the console. The first step is using the FEL subroutine of the Allwinner SOC’s boot ROM to dump the unit’s flash memory. From there, it’s a matter of using custom tools to inject extra game ROMs before reburning the modified image to the console. The original tool used, named hakchi, requires a Super Mario savegame placed into a particular slot to work properly, though new versions have already surfaced eliminating this requirement.

While this is only a software modification, it does come with several risks. In addition to bricking your console, virus scanners are reporting the tools as potentially dangerous. There is confusion in the community as to whether these are false positives or not. As with anything you find lurking on a forum, your mileage may vary. But if you just have to beat Battletoads for the umpteenth time, load up a VM for the install process and have at it. This Reddit thread (an expansion from the original pastebin instructions) acts as a good starting point for the brave.

Only months after release, the NES Classic is already a fertile breeding ground for hacks — last year we reported on this controller mod and how to install Linux. Video of this ROM injection hack after the break.

Continue reading “How To Add More Games to the NES Classic”

BASIC Interpreter Hidden in ESP32 Silicon

We’ve been keeping up with the ongoing software developed for the ESP32 WiFi chip, and that means a lot of flashing, hooking up random wires, and rebooting. Along the way, we stumbled on an Easter egg: the ESP32 processor has a built-in BASIC interpreter to fall back on.

That’s a cool little hack to find, but we couldn’t find some crucial functions that would have made it a lot more useful. Still, it’s great fun to play around in real-time with the chip. And you’ll absolutely get an LED blinking faster in ESP32 BASIC than you will on an Arduino!

Continue reading “BASIC Interpreter Hidden in ESP32 Silicon”

SNES EPROM Programmer with Arduino

Most video game manufacturers aren’t too keen on homebrew games, or people trying to get more utility out of a video game system than it was designed to have. While some effort is made to keep people from slapping a modchip on an Xbox or from running an emulator for a Playstation, it’s almost completely impossible to stop some of the hardware hacking that is common on older cartridge-based games. The only limit is usually the cost of an EPROM programmer, but [Robson] has that covered now with his Arduino-based SNES EPROM programmer.

Normally this type of hack involves finding any cartridge for the SNES at the lowest possible value, burning an EPROM with the game that you really want, and then swapping the new programmed memory with the one in the worthless cartridge. Even though most programmers are pricey, it’s actually not that difficult to write bits to this type of memory. [Robson] runs us through all of the steps to get an Arduino set up to program these types of memory, and then puts it all together into a Super Nintendo where it looks exactly like the real thing.

If you don’t have an SNES lying around, it’s possible to perform a similar end-around on a Sega Genesis as well. And, if you’re more youthful than those of us that grew up in the 16-bit era, there’s a pretty decent homebrew community that has sprung up around the Nintendo DS and 3DS, too.

Thanks to [Rafael] for the tip!

Reverse Engineering the Sony PocketStation

[Robson Couto] never actually owned a PlayStation in his youth, but that doesn’t mean he can’t have a later in life renaissance. In particular a Japan only accessory called the PocketStation caught his interest.

The item in question resided in the PlayStation’s memory card slot. It’s purpose was to add additional functionality to games and hopefully sell itself. Like the PokeWalker, Kinect, etc. It’s an age old tactic but the PocketStation had some interesting stuff going on (translated).

The biggest was its processor. Despite having a pathetic 32×32 mono screen, it hosted the same processor as the GameBoy Advance. Having acquired a card from an internet auction house [Robson] wanted to load up some of the ROMs for this device and see what it was like.

It took quite a bit of work. Luckily there is a ton of documentation floating around the internet thanks to the emulation scene and it wasn’t long before he convinced a microcontroller to pretend to be the memory card slot. Now anyone with some skill and a small piece of gaming history can play around with the rare ROM dump for the PocketStation.

Glitching USB Firmware for Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted with the firmware — to reverse engineer, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from short attention span, watch it, it’s a phenomenal introduction.

Continue reading “Glitching USB Firmware for Fun”

Deaccelerating The Apple IIc Plus

The Apple IIc Plus is arguably – very arguably from my experience – the best Apple II computer ever made. It’s portable, faster than the IIe, had a much higher capacity built-in drive, and since the Plus could run at 4MHz, it was faster than the strange eight or sixteen bit Apple IIGS. Recently, [Quinn] has been fascinated with the IIc Plus, and has gone so far as to build a custom gamepad and turn the IIc Plus into a laptop. Now, she’s turned her attention to the few things Apple got wrong with the Apple IIc Plus – the startup beep and defaulting to 4MHz on every boot instead of Apple II’s standard 1MHz that’s used in the Apple II, II Plus, IIe, and IIc non-Plus.

The original Apple II is surprisingly primitive. Apart from writing a loop of NOPs and counting cycles, there’s no way to keep time. There is no clock, no timer, no tick counters, and no interrupts. If you’re writing a game for the Apple II that depends on precise timing, the best you’ll be able to manage is a delay loop. This worked for a time, until the Apple IIc Plus was released with a default clock of 4MHz. It was a great idea for AppleWorks and other productivity apps, but [Quinn] is doing retrocomputing, and that means games. Booting the Apple IIc Plus into its 1MHz mode means turning it on and holding escape while resetting the computer every time. It’s very annoying, but a mod to make the IIc Plus run at 1MHz by default would turn her into one of the most accomplished currently active Apple II developers.

The process of booting into the IIc Plus’ 1MHz mode requires holding down escape while restarting the computer. This should tell you something: it’s not a hardware switch that changes speed. It’s in the ROM, and that means diving into the Technical Reference Manual, looking at the listings in the ROM monitor, and figuring out how everything works.

The IIc Plus ROM is incredibly complex – it’s 32k of hand assembled code with jump tables bouncing everywhere. After a ton of research, [Quinn] successfully reverse engineered the ‘slow down if the ESC key is pressed’ routine, allowing her to boot the machine at 1MHz by default, and 4MHz if there’s a soft reset with the option key pressed. Everything works great, and [Quinn] has the video to prove it

This isn’t [Quinn]’s first attempt at hacking the lowest levels of the Apple IIc Plus ROM. Because the IIc Plus ran at 4MHz by default, the startup beep was so very wrong. She fixed that, and with two very useful patches under her belt, she burned a few new chips with her ROM patches. In total, there’s only a few dozen bytes of hers in the new 32k ROM, but that’s enough to make her one of the top current firmware developers for the Apple II platform.

The Trouble With Intel’s Management Engine

Something is rotten in the state of Intel. Over the last decade or so, Intel has dedicated enormous efforts to the security of their microcontrollers. For Intel, this is the only logical thing to do; you really, really want to know if the firmware running on a device is the firmware you want to run on a device. Anything else, and the device is wide open to balaclava-wearing hackers.

Intel’s first efforts toward cryptographically signed firmware began in the early 2000s with embedded security subsystems using Trusted Platform Modules (TPM). These small crypto chips, along with the BIOS, form the root of trust for modern computers. If the TPM is secure, the rest of the computer can be secure, or so the theory goes.

The TPM model has been shown to be vulnerable to attack, though. Intel’s solution was to add another layer of security: the (Intel) Management Engine (ME). Extremely little is known about the ME, except for some of its capabilities. The ME has complete access to all of a computer’s memory, its network connections, and every peripheral connected to a computer. It runs when the computer is hibernating, and can intercept TCP/IP traffic. Own the ME and you own the computer.

There are no known vulnerabilities in the ME to exploit right now: we’re all locked out of the ME. But that is security through obscurity. Once the ME falls, everything with an Intel chip will fall. It is, by far, the scariest security threat today, and it’s one that’s made even worse by our own ignorance of how the ME works.

Continue reading “The Trouble With Intel’s Management Engine”