Paper ROM


This low-resolution memory device packs in just a few bytes of data. But it’s enough to spell out [Michael Kohn's] name. He’s been experimenting with using paper discs for data storage.

His technique becomes immediately clear when you view the demo video below. The disc spins multiple times with the sensor arm reading one track. This gives the system the chance to measure the black band in order to get the data timing figured out. Once the outer track has been read the servo controlling the read head swings it to the next until all of the data is captured.

An Arduino is monitoring the QTR-1RC reflectance sensor which makes up the reading head. It uses the black band width in order to establish the size of an individual byte. Interestingly enough, the white parts of the disc do not contain data. Digital 0 is a black area 1/4 the width of the large black strip, and digital 1 is half as wide.

[Michael's] set up the generator which makes the discs so that he can easily increase the resolution. The limiting factor is what the reading hardware is able to detect.

[Read more...]

Tamagotchi ROM dump and reverse engineering

tamagotchi-rom-dump-and-reverse engineering

Often the true key to success is persistence and that holds true for this project which dumped the ROM from the current generation of Tamagotchi toys. If you’re a fan of learning the secrets built into consumer electronics — and you know we are — you’ll want to go back and watch the 24-minute lecture on Tamagotchi hacking which [Natalie Silvanovich] gave a 29C3 last year. She had made quite a bit of headway hacking the playable pods, but wasn’t able to get her hands on a full ROM dump from the General Plus chip on board processor. This update heralds her success and shares the details of how it was done.

As we learned form the video lecture it was a huge chore just to figure out what processor this uses. It turned out to be a 6502 core with a few other things built in. After prowling the manufacturer’s website she found example code for writing to Port A. She was then able to execute her own code which was designed to dump one byte of ROM at a time using the SPI protocol.

[Natalie] posted her code dump if you’re interested in digging through it. But as usual we think the journey is the most interesting part.

[Thanks Itay]

Reading Game Boy carts with I2C


After seeing a Game Boy emulator for the first time, [Thijs] was amazed. A small box with just a handful of electronics that turns a Game Boy cartridge into a file able to be run on an emulator is simply magical. [Thijs] has learned a lot about GB and GBC cartridges in the mean time, but still thinks the only way to really learn something is to roll up your sleeves and get your hands dirty. Thus was born [Thijs]‘ Game Boy cartridge dumper, powered by a pair of I2C port expanders and a Raspberry Pi.

Inspired by a build to dump ROMs off Super Nintendo games with the help of a Raspberry Pi, [Thijs] grabbed all the hardware necessary to create his own GB cart dumper. A DS Lite cartridge adapter provided the physical connection and a pair of MCP23017 I/O expanders – one soldered to a Slice of PI/O board – provided the electrical connections.

In the end, [Thijs] managed to dump the ROMs off the Japanese editions of Pokemon Yellow and Gold in about 13 minutes. This is a much slower transfer rate of 26 minutes per SNES cart in the post that gave [Thijs] the inspiration for this build. Still, [Thijs] will probably be the first to say he’s learned a lot from this build, especially after some problems with dumping the right banks from the cartridge.

Finding 1s and 0s with a microscope and computer vision


One day, [Adam] was asked if he would like to take part in a little project. A mad scientist come engineer at [Adam]‘s job had just removed the plastic casing from a IC, and wanted a little help decoding the information on a masked ROM. These ROMs are basically just data etched directly into silicon, so the only way to actually read the data is with some nitric acid and a microscope. [Adam] was more than up for the challenge, but not wanting to count out thousands of 1s and 0s etched into a chip, he figured out a way to let a computer do it with some clever programming and computer vision.

[Adam] has used OpenCV before, but the macro image of the masked ROM had a lot of extraneous information; there were gaps in the columns of bits, and letting a computer do all the work would result in crap data. His solution was to semi-automate the process of counting 1s and 0s by selecting a grid by hand and letting image processing software do the rest of the work.

This work resulted in rompar, a tool to decode the data on de-packaged ROMs. It works very well – [Adam] was able to successfully decode the ROM and netted the machine codes for the object of his reverse engineering.

Web-based TI graphing calculator emulator


You can leave the TI graphing calculator at home thanks to this web-based TI-83 and TI-84 emulator. As with pretty much all emulators, this depends on a ROM image from the actual hardware to work. But if you have one of the supported calculators (TI-83+, TI-83+ SE, TI-84+, or TI-84+SE) you can dump the image yourself and this should work like a charm.

[Christopher Mitchell] calls the project jsTIfied because he wrote it in JavaScript and HTML5 (that’s where the js comes from) and it’s based on the Texas Instruments line of hardware (hence the capital TI). After agreeing that you’re not getting any ROMs from his site you can choose the file to load on your browser. The image of the calculator has working buttons and will show the boot screen just like the real thing. You can use it like normal but you can load load up programs for the environment. See this demonstrated after the break.

We’ve seen some arguments online about the price of the TI line over the years. Prices haven’t dropped much over the decades even though they’re making pretty much the same hardware. It’s cool to see someone figure out how to emulate the hardware — and on a web interface to boot! But we’re left wondering why TI isn’t selling an equivalent app for iOS and Android or at least leveraging what must be millions in each production run for a lower retail price?

[Read more...]

Programming a Game Boy while playing Pokemon

We hope our readers are familiar with the vast number of ROM hacks for the original 1st-gen Pokemon games. With certain sequences of button presses, it’s possible to duplicate items in the player’s inventory, get infinite money, or even catch a glimpse of the elusive MissingNo. [bortreb] is familiar with all these hacks, but his efforts to program a Game Boy from inside Pokemon is by far the greatest Pokemon glitch ever created.

This ‘total control’ ROM hack was inspired by [p4wn3r]‘s extremely impressive 1 minute and 36 second long speed run for Pokemon Yellow. The technique used in [p4wn3r]‘s run relies on the fact the warp points in Pokemon Yellow are right after the item list in the Game Boy’s memory. By corrupting the item list, [p4wn3r] figured out how to make the front door of his house warp directly to the end of the game resulting in the fastest Pokemon speed run ever.

Realizing this ROM hack is able to control the CPU with only the player’s inventory, [bortreb] wanted to see how far he could push this hack. He ended up writing a bootstrapping program by depositing and discarding items from the in-game PC, and was then able to reprogram the Game Boy with a number of button presses on the D-pad, select, start, A and B buttons.

The resulting hack means [bortreb] can actually make Pong, Pacman, a MIDI player, or even a copy of Pokemon Blue. In the video after the break, you can see all of [bortreb]‘s speed run along with the finale of playing a MIDI file of the My Little Pony theme song. [bortreb] has a really amazing hack on his hands here that really pushes the definition of what can be done by tinkering around with a Pokemon ROM.

[Read more...]

Storing user data on your FPGA

We’ve seen FPGAs used to recreate everything from classic arcade games to ancient computers, but with each of these builds a common problem arises. Once you’ve got the hardware emulated on an FPGA, you’ve also got to get the ROMs into the project as well. In a very interesting hack, [Mike] figured out that the serial Flash chip that stores the FPGA settings has a lot of space free, so why not store user data there?

[Mike] got the idea from seeing a recreation of the classic BombJack arcade game we featured last month. In that build, [Alex] needed to store 112Kb of game data stored in 16 ROM chips. Unfortunately, [Alex]‘s FPGA only had space for 40Kb of data. After realizing his FPGA had a 512Kb SRAM chip, [Alex] decided to put all the sprites, sounds, and levels of BombJack in the SRAM.

Impressed with [Alex]‘s build, [Mike] set to work generalizing the hack to work with other projects. [Mike] notes that only a few FPGA boards are capable of storing user data next to the  configuration bitstream; the hack is impossible on the Digilent Basys2 board, but it works wonderfully on a Papilio One 250K.

As a very cool build that makes FPGA-related builds even easier, we’ve got to tip our hat to [Mike] for writing up a great tutorial.


Get every new post delivered to your Inbox.

Join 94,027 other followers