BASIC Interpreter Hidden in ESP32 Silicon

We’ve been keeping up with the ongoing software developed for the ESP32 WiFi chip, and that means a lot of flashing, hooking up random wires, and rebooting. Along the way, we stumbled on an Easter egg: the ESP32 processor has a built-in BASIC interpreter to fall back on.

That’s a cool little hack to find, but we couldn’t find some crucial functions that would have made it a lot more useful. Still, it’s great fun to play around in real-time with the chip. And you’ll absolutely get an LED blinking faster in ESP32 BASIC than you will on an Arduino!

Continue reading “BASIC Interpreter Hidden in ESP32 Silicon”

SNES EPROM Programmer with Arduino

Most video game manufacturers aren’t too keen on homebrew games, or people trying to get more utility out of a video game system than it was designed to have. While some effort is made to keep people from slapping a modchip on an Xbox or from running an emulator for a Playstation, it’s almost completely impossible to stop some of the hardware hacking that is common on older cartridge-based games. The only limit is usually the cost of an EPROM programmer, but [Robson] has that covered now with his Arduino-based SNES EPROM programmer.

Normally this type of hack involves finding any cartridge for the SNES at the lowest possible value, burning an EPROM with the game that you really want, and then swapping the new programmed memory with the one in the worthless cartridge. Even though most programmers are pricey, it’s actually not that difficult to write bits to this type of memory. [Robson] runs us through all of the steps to get an Arduino set up to program these types of memory, and then puts it all together into a Super Nintendo where it looks exactly like the real thing.

If you don’t have an SNES lying around, it’s possible to perform a similar end-around on a Sega Genesis as well. And, if you’re more youthful than those of us that grew up in the 16-bit era, there’s a pretty decent homebrew community that has sprung up around the Nintendo DS and 3DS, too.

Thanks to [Rafael] for the tip!

Reverse Engineering the Sony PocketStation

[Robson Couto] never actually owned a PlayStation in his youth, but that doesn’t mean he can’t have a later in life renaissance. In particular a Japan only accessory called the PocketStation caught his interest.

The item in question resided in the PlayStation’s memory card slot. It’s purpose was to add additional functionality to games and hopefully sell itself. Like the PokeWalker, Kinect, etc. It’s an age old tactic but the PocketStation had some interesting stuff going on (translated).

The biggest was its processor. Despite having a pathetic 32×32 mono screen, it hosted the same processor as the GameBoy Advance. Having acquired a card from an internet auction house [Robson] wanted to load up some of the ROMs for this device and see what it was like.

It took quite a bit of work. Luckily there is a ton of documentation floating around the internet thanks to the emulation scene and it wasn’t long before he convinced a microcontroller to pretend to be the memory card slot. Now anyone with some skill and a small piece of gaming history can play around with the rare ROM dump for the PocketStation.

Glitching USB Firmware for Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted with the firmware — to reverse engineer, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from short attention span, watch it, it’s a phenomenal introduction.

Continue reading “Glitching USB Firmware for Fun”

Deaccelerating The Apple IIc Plus

The Apple IIc Plus is arguably – very arguably from my experience – the best Apple II computer ever made. It’s portable, faster than the IIe, had a much higher capacity built-in drive, and since the Plus could run at 4MHz, it was faster than the strange eight or sixteen bit Apple IIGS. Recently, [Quinn] has been fascinated with the IIc Plus, and has gone so far as to build a custom gamepad and turn the IIc Plus into a laptop. Now, she’s turned her attention to the few things Apple got wrong with the Apple IIc Plus – the startup beep and defaulting to 4MHz on every boot instead of Apple II’s standard 1MHz that’s used in the Apple II, II Plus, IIe, and IIc non-Plus.

The original Apple II is surprisingly primitive. Apart from writing a loop of NOPs and counting cycles, there’s no way to keep time. There is no clock, no timer, no tick counters, and no interrupts. If you’re writing a game for the Apple II that depends on precise timing, the best you’ll be able to manage is a delay loop. This worked for a time, until the Apple IIc Plus was released with a default clock of 4MHz. It was a great idea for AppleWorks and other productivity apps, but [Quinn] is doing retrocomputing, and that means games. Booting the Apple IIc Plus into its 1MHz mode means turning it on and holding escape while resetting the computer every time. It’s very annoying, but a mod to make the IIc Plus run at 1MHz by default would turn her into one of the most accomplished currently active Apple II developers.

The process of booting into the IIc Plus’ 1MHz mode requires holding down escape while restarting the computer. This should tell you something: it’s not a hardware switch that changes speed. It’s in the ROM, and that means diving into the Technical Reference Manual, looking at the listings in the ROM monitor, and figuring out how everything works.

The IIc Plus ROM is incredibly complex – it’s 32k of hand assembled code with jump tables bouncing everywhere. After a ton of research, [Quinn] successfully reverse engineered the ‘slow down if the ESC key is pressed’ routine, allowing her to boot the machine at 1MHz by default, and 4MHz if there’s a soft reset with the option key pressed. Everything works great, and [Quinn] has the video to prove it

This isn’t [Quinn]’s first attempt at hacking the lowest levels of the Apple IIc Plus ROM. Because the IIc Plus ran at 4MHz by default, the startup beep was so very wrong. She fixed that, and with two very useful patches under her belt, she burned a few new chips with her ROM patches. In total, there’s only a few dozen bytes of hers in the new 32k ROM, but that’s enough to make her one of the top current firmware developers for the Apple II platform.

The Trouble With Intel’s Management Engine

Something is rotten in the state of Intel. Over the last decade or so, Intel has dedicated enormous efforts to the security of their microcontrollers. For Intel, this is the only logical thing to do; you really, really want to know if the firmware running on a device is the firmware you want to run on a device. Anything else, and the device is wide open to balaclava-wearing hackers.

Intel’s first efforts toward cryptographically signed firmware began in the early 2000s with embedded security subsystems using Trusted Platform Modules (TPM). These small crypto chips, along with the BIOS, form the root of trust for modern computers. If the TPM is secure, the rest of the computer can be secure, or so the theory goes.

The TPM model has been shown to be vulnerable to attack, though. Intel’s solution was to add another layer of security: the (Intel) Management Engine (ME). Extremely little is known about the ME, except for some of its capabilities. The ME has complete access to all of a computer’s memory, its network connections, and every peripheral connected to a computer. It runs when the computer is hibernating, and can intercept TCP/IP traffic. Own the ME and you own the computer.

There are no known vulnerabilities in the ME to exploit right now: we’re all locked out of the ME. But that is security through obscurity. Once the ME falls, everything with an Intel chip will fall. It is, by far, the scariest security threat today, and it’s one that’s made even worse by our own ignorance of how the ME works.

Continue reading “The Trouble With Intel’s Management Engine”

Saving Old Voices by Dumping ROMs

Some people collect stamps. Others collect porcelain miniatures. [David Viens] collects voice synthesizers and their ROMs. In this video, he just got his hands on the ultra-rare Electronic Voice Alert (EVA) from early 1980s Chrysler automobiles (video embedded below the break).

Back in the 1980s, speech synthesis was in its golden years following the development of TI’s linear-predictive coding speech chips. These are the bits of silicon that gave voice to the Speak and Spell, numerous video game machines, and the TI 99/4A computer’s speech module. And, apparently, some models of Chrysler cars.

IMG_0695We tracked [David]’s website down. He posted a brief entry describing his emulation and ROM-dumping setup. He says he used it for testing out his (software) TMS5200 speech-synthesizer emulation.

The board appears to have a socket for a TMS-series voice synthesizer chip and another slot for the ROM. It looks like an FTDI 2232 USB-serial converter is being used in bit-bang mode with some custom code driving everything, and presumably sniffing data in the middle. We’d love to see a bunch more detail.

The best part of the video, aside from the ROM-dumping goodness, comes at the end when [David] tosses the ROM’s contents into his own chipspeech emulator and starts playing “your engine oil pressure is critical” up and down the keyboard. Fantastic.

Continue reading “Saving Old Voices by Dumping ROMs”