Reverse Engineering the Sony PocketStation

[Robson Couto] never actually owned a PlayStation in his youth, but that doesn’t mean he can’t have a later-in-life renaissance. In particular, a Japan-only accessory called the PocketStation caught his interest.

The item in question resided in the PlayStation’s memory card slot. Its purpose was to add functionality to games and, hopefully, sell itself, like the PokeWalker, Kinect, etc. It’s an age-old tactic, but the PocketStation had some interesting stuff going on (translated).

The biggest was its processor. Despite having a pathetic 32×32 mono screen, it hosted the same ARM7 core as the Game Boy Advance. Having acquired a card from an internet auction house, [Robson] wanted to load up some of the ROMs for this device and see what it was like.

It took quite a bit of work. Luckily there is a ton of documentation floating around the internet thanks to the emulation scene, and it wasn’t long before he had convinced a microcontroller to pretend to be the memory card slot. Now anyone with some skill and a small piece of gaming history can play around with the rare ROM dump for the PocketStation.

Glitching USB Firmware for Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted to play with the firmware: to reverse engineer it, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done, and making a very detailed video documenting the project (embedded below). Power glitching means dropping the chip’s supply voltage for a few nanoseconds at just the right moment so that an instruction misexecutes, which is how a protection check that refuses to hand over the firmware can be made to skip. If you’re interested in chip power-glitching attacks, and don’t suffer from a short attention span, watch it: it’s a phenomenal introduction.

Continue reading “Glitching USB Firmware for Fun”

Deaccelerating The Apple IIc Plus

The Apple IIc Plus is arguably (very arguably, from my experience) the best Apple II computer ever made. It’s portable, faster than the IIe, has a much higher-capacity built-in drive, and since the Plus could run at 4MHz, it was faster than the strange eight-or-sixteen-bit Apple IIGS. Recently, [Quinn] has been fascinated with the IIc Plus, and has gone so far as to build a custom gamepad and turn the IIc Plus into a laptop. Now she’s turned her attention to the few things Apple got wrong with the Apple IIc Plus: the startup beep, and defaulting to 4MHz on every boot instead of the standard 1MHz used by the Apple II, II Plus, IIe, and the non-Plus IIc.

The original Apple II is surprisingly primitive. Apart from writing a loop of NOPs and counting cycles, there’s no way to keep time: there is no clock, no timer, no tick counter, and no interrupts. If you’re writing a game for the Apple II that depends on precise timing, the best you can manage is a delay loop. This worked for a time, until the Apple IIc Plus was released with a default clock of 4MHz, at which point every delay loop calibrated for 1MHz ran four times too fast. It was a great idea for AppleWorks and other productivity apps, but [Quinn] is doing retrocomputing, and that means games. Booting the Apple IIc Plus into its 1MHz mode means turning it on and holding escape while resetting the computer, every single time. It’s very annoying, but a mod to make the IIc Plus run at 1MHz by default would turn her into one of the most accomplished currently active Apple II developers.

The process of booting into the IIc Plus’ 1MHz mode requires holding down escape while restarting the computer. This should tell you something: it’s not a hardware switch that changes speed. The decision is made in the ROM, and that means diving into the Technical Reference Manual, looking at the listings in the ROM monitor, and figuring out how everything works.

The IIc Plus ROM is incredibly complex: 32k of hand-assembled code with jump tables bouncing everywhere. After a ton of research, [Quinn] successfully reverse engineered the ‘slow down if the ESC key is pressed’ routine and inverted it, so the machine boots at 1MHz by default and runs at 4MHz only after a soft reset with the option key pressed. Everything works great, and [Quinn] has the video to prove it.

This isn’t [Quinn]’s first attempt at hacking the lowest levels of the Apple IIc Plus ROM. Because the IIc Plus ran at 4MHz by default, the cycle-timed startup beep came out far too high and short. She fixed that too, and with two very useful patches under her belt, she burned a few new chips with her ROM patches. In total, there are only a few dozen bytes of hers in the new 32k ROM, but that’s enough to make her one of the top current firmware developers for the Apple II platform.

The Trouble With Intel’s Management Engine

Something is rotten in the state of Intel. Over the last decade or so, Intel has dedicated enormous effort to the security of the microcontrollers on its platforms. For Intel, this is the only logical thing to do; you really, really want to know that the firmware running on a device is the firmware you intended to run on it. Anything else, and the device is wide open to balaclava-wearing hackers.

Intel’s first efforts toward cryptographically signed firmware began in the early 2000s with embedded security subsystems built around Trusted Platform Modules (TPM). These small crypto chips record measurements of the firmware as the BIOS boots, and together they form the root of trust for modern computers. If the TPM is secure and those measurements are checked, the rest of the computer can be secure, or so the theory goes.

The TPM model has been shown to be vulnerable to attack, though. Intel’s solution was to add another layer of security: the Intel Management Engine (ME). Extremely little is known about the ME beyond some of its capabilities. The ME has complete access to all of a computer’s memory, its network connections, and every peripheral connected to the computer. It keeps running while the computer is hibernating, and can intercept TCP/IP traffic. Own the ME and you own the computer.

There are no publicly known vulnerabilities in the ME to exploit right now: we’re all locked out of it. But that is security through obscurity. Once the ME falls, everything with an Intel chip falls with it. It is, by far, the scariest security threat today, and it’s one made even worse by our own ignorance of how the ME works.

Continue reading “The Trouble With Intel’s Management Engine”

Saving Old Voices by Dumping ROMs

Some people collect stamps. Others collect porcelain miniatures. [David Viens] collects voice synthesizers and their ROMs. In the video embedded below the break, he has just got his hands on the ultra-rare Electronic Voice Alert (EVA) from early 1980s Chrysler automobiles.

Back in the 1980s, speech synthesis was in its golden years following the development of TI’s linear-predictive-coding (LPC) speech chips. These are the bits of silicon that gave voice to the Speak & Spell, numerous video game machines, and the TI-99/4A computer’s speech module. And, apparently, some models of Chrysler cars.

We tracked down [David]’s website. He posted a brief entry describing his emulation and ROM-dumping setup, which he says he used for testing his software TMS5200 speech-synthesizer emulation.

The board appears to have a socket for a TMS-series voice synthesizer chip and another for the ROM. It looks like an FTDI FT2232 USB-to-serial converter is being used in bit-bang mode, with custom code driving everything and presumably sniffing the data passing between the two. We’d love to see a lot more detail.

The best part of the video, aside from the ROM-dumping goodness, comes at the end when [David] tosses the ROM’s contents into his own chipspeech emulator and starts playing “your engine oil pressure is critical” up and down the keyboard. Fantastic.

Continue reading “Saving Old Voices by Dumping ROMs”

Resurrecting Duckhunt

Bringing old things back to life holds a great sense of joy for most people. The never-ending pursuit of recapturing our youth leads us down roads we’ve long forgotten. Along the way, we tend to bump into forgotten memories which jostle other forgotten memories, allowing us to relive happy times we haven’t thought of in years, sometimes even decades. For some, the roar of a 351 small block sweeps them back to high school and the fast nights of cruising down main street with the FM radio cranked up as high as it would go. For those of us who were born in the 80’s and 90’s, video games can bring back such memories. Who among us can forget our first encounter with Link, the elegant theme music of Final Fantasy, or up-up-down-down-left-right-left-right-b-a-select-start?

Advances in processor technology have allowed us to relive our favorite games via emulators, programs that emulate the processors of older computers. The games are ‘dumped’ from the ROM chips where they are stored into files. These game files can then be loaded into the emulator program, which lets you play the game as if you were playing it on the original system.

Guts of NES Zapper

Technology is truly a beautiful thing. It allows us to move forward, to do today what was not possible yesterday. There are a few cases, however, where this does not hold true. One of these has to do with the Nintendo Entertainment System and its “Zapper” light gun controller. The NES was the most popular game console of its time, and rightfully so. From the minds of Nintendo’s engineers, programmers and audio experts came some of the best video games ever made. Unfortunately, some of these great games cannot be played on your favorite Raspberry Pi emulator because the Zapper does not work with modern digital displays. None of us can forget the fun that Duck Hunt brought. The game came as standard issue with all NES systems, so we’ve all played it. But its nostalgia is currently entombed by a technological quirk that has yet to be solved.

From one hacker to another: this can no longer be tolerated. First, we’re going to learn how the Zapper works and why it doesn’t work with digital displays. Then we’re going to fix it.

Continue reading “Resurrecting Duckhunt”

Dumping Old PROMs With New Hardware

[ijsf] recently came across a very old synthesizer from a defunct West German company. This was one of the first wavetable synths available, and it’s exceptionally rare. Being so rare, there isn’t much documentation on the machine. In an attempt at reverse engineering, [ijsf] decided to dump the EPROMs and take a peek at what made this synth work. There wasn’t an EPROM programmer around to dump the data, but [ijsf] did have a few ARM boards lying around. It turns out building a 27-series EPROM dumper is pretty easy, giving [ijsf] an easy way to dig into the code on this machine.

The old EPROMs in this machine use 5V logic, so [ijsf] needed a board with plenty of I/O and 5V-tolerant inputs. He found the LPC2148, whose USB peripheral can be programmed to present a serial port over which the contents of the EPROM are dumped. Interfacing the EPROM is as simple as connecting power and ground, the address lines, the data lines, and the control lines (chip enable and output enable). After that, it’s just a matter of stepping through every address, waiting out the access time the EPROM’s datasheet specifies, and reading a byte at each one. All the data went out over the serial interface, and in just a few seconds [ijsf] had 32768 bytes of ancient data that made this old synth tick.
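The read loop described above, as an added example that is not [ijsf]’s code: it drives a 27-series EPROM through a small bus abstraction, so the same routine can sit on top of real GPIO toggling on a board like the LPC2148 or, as here, on a simulated 27256 so that it runs on a PC. The struct, function and pin names are assumptions for illustration. Beyond the bare address-stepping loop, it does the two things a practitioner adds before trusting a dump: it reads the part twice and counts disagreements (a marginal socket contact shows up there), and it refuses an image in which every byte is identical, which is what a disconnected chip-enable line produces.

```c
/*
 * Added example, not from [ijsf]'s project: a 27-series EPROM read loop on
 * top of a bus abstraction. On real hardware the five callbacks would toggle
 * GPIO pins; here they drive a simulated 27256 so the code runs on a PC.
 * All names below are assumptions for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROM_SIZE 32768u            /* 27256: 32K x 8, address lines A0..A14 */

/* What the dumper needs from the hardware. 27-series control lines are
 * active low; set_ce(ctx, 1) means "drive /CE low". */
typedef struct {
    void    (*set_address)(void *ctx, uint16_t addr);
    void    (*set_ce)(void *ctx, int asserted);
    void    (*set_oe)(void *ctx, int asserted);
    uint8_t (*read_data)(void *ctx);          /* sample D0..D7 */
    void    (*delay_ns)(void *ctx, unsigned ns);
    void     *ctx;
} eprom_bus;

/* Simulated 27256 standing in for the real chip (constructed test data). */
typedef struct {
    uint8_t  cells[ROM_SIZE];
    uint16_t addr;
    int      ce, oe;
    int      ce_wire_broken;       /* fault injection: /CE never reaches the chip */
} sim_eprom;

static void sim_set_address(void *c, uint16_t a) { ((sim_eprom *)c)->addr = a & (ROM_SIZE - 1); }
static void sim_set_ce(void *c, int on) { sim_eprom *s = c; if (!s->ce_wire_broken) s->ce = on; }
static void sim_set_oe(void *c, int on) { ((sim_eprom *)c)->oe = on; }
static void sim_delay(void *c, unsigned ns) { (void)c; (void)ns; }
/* With /CE or /OE high the outputs are tri-stated; an MCU input with pull-ups
 * then reads 0xFF, which is exactly what a miswired dump looks like. */
static uint8_t sim_read_data(void *c) {
    const sim_eprom *s = c;
    return (s->ce && s->oe) ? s->cells[s->addr] : 0xFF;
}

eprom_bus sim_make_bus(sim_eprom *s) {
    eprom_bus b = { sim_set_address, sim_set_ce, sim_set_oe, sim_read_data, sim_delay, s };
    return b;
}

/* Fill the simulated part with a pattern that is neither all-0x00 nor all-0xFF. */
void sim_fill(sim_eprom *s) {
    memset(s, 0, sizeof *s);
    for (size_t i = 0; i < ROM_SIZE; i++)
        s->cells[i] = (uint8_t)((i * 7) ^ (i >> 8));
}

/* One 27-series read cycle: address valid, /CE and /OE low, wait out the
 * access time (tACC is 150..450 ns depending on speed grade; waiting longer
 * never hurts a read), sample D0..D7, release /OE. */
uint8_t eprom_read_byte(const eprom_bus *b, uint16_t addr) {
    b->set_address(b->ctx, addr);
    b->set_ce(b->ctx, 1);
    b->set_oe(b->ctx, 1);
    b->delay_ns(b->ctx, 500);
    uint8_t v = b->read_data(b->ctx);
    b->set_oe(b->ctx, 0);
    return v;
}

/* Dump the device twice and compare the passes. A marginal contact or a
 * too-short tACC shows up as bytes that differ between reads, so the return
 * value is the number of disagreeing addresses; 0 means the passes match.
 * out[] keeps the first pass. */
size_t eprom_dump(const eprom_bus *b, uint8_t *out, size_t len) {
    size_t mismatches = 0;
    for (size_t a = 0; a < len; a++)
        out[a] = eprom_read_byte(b, (uint16_t)a);
    for (size_t a = 0; a < len; a++)
        if (eprom_read_byte(b, (uint16_t)a) != out[a])
            mismatches++;
    return mismatches;
}

/* An image where every byte is the same value (all 0xFF: erased part, or /CE
 * and /OE not reaching the chip; all 0x00: data lines stuck low) is a wiring
 * problem, not firmware. Returns 1 if the image has any variation at all. */
int eprom_dump_looks_valid(const uint8_t *img, size_t len) {
    for (size_t i = 1; i < len; i++)
        if (img[i] != img[0]) return 1;
    return 0;
}

/* 16-bit additive checksum, cheap enough to print at the end of the serial
 * dump so the host side can confirm nothing was lost in transit. */
uint16_t checksum16(const uint8_t *img, size_t len) {
    uint16_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = (uint16_t)(sum + img[i]);
    return sum;
}

int main(void) {
    static sim_eprom chip;
    static uint8_t image[ROM_SIZE];
    sim_fill(&chip);
    eprom_bus bus = sim_make_bus(&chip);

    size_t bad = eprom_dump(&bus, image, ROM_SIZE);
    printf("dumped %u bytes, %zu mismatches between passes, valid=%d, checksum=%04x\n",
           ROM_SIZE, bad, eprom_dump_looks_valid(image, ROM_SIZE), checksum16(image, ROM_SIZE));

    /* Same dump with /CE disconnected: every byte comes back 0xFF. */
    chip.ce_wire_broken = 1;
    chip.ce = 0;
    eprom_dump(&bus, image, ROM_SIZE);
    printf("with /CE disconnected: valid=%d, first byte=%02x\n",
           eprom_dump_looks_valid(image, ROM_SIZE), image[0]);
    return 0;
}
```

On the real board, the five callbacks become GPIO writes and reads, the delay becomes a short busy-wait, and `eprom_dump` is followed by writing `image[]` and the checksum out over the USB serial port; the double read and the all-same-byte check are what tell you whether the 32768 bytes you received are the chip’s contents or an artefact of the wiring.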