A Straightforward Guide To Unlocking The Nintendo Game And Watch

Nintendo’s reborn tiny handheld game has certainly attracted the attention of hardware hackers, and we’ve been treated to a succession of exploits as its secrets have been unlocked one by one. With relatively straightforward hardware it conceals potential far beyond a simple Mario game or two, and it’s now at the stage of having a path to dumping both its SPI Flash and internal Flash, unlocking its processor, and running arbitrary code. The process of unlocking it is now straightforward enough to warrant a HOWTO video, to which [stacksmashing] has treated us. It’s early days and this is still touted as for developers rather than gamers, but it serves to show where work on this console is going.

The console’s STM32 architecture means that programming hardware is straightforward enough to find, though we’re cautioned against using the cheap AliExpress type we might use with a Blue Pill or similar. Instead, the snap-off ST-LINK programmer that comes with an STM Nucleo board is a safer choice, and one that many people are likely to have already.

The relative simplicity of the process as seen in the video below must conceal an immense amount of work from multiple people. It’s a succession of scripts that sequentially unlock and back up the various firmwares, with an STM32 payload for each step. Finally the STM32 itself is unlocked, and the backed-up Nintendo firmware can be returned to the device, or a custom firmware can be created instead. Aside from the DOOM port we’ve already seen, there are work-in-progress NES and Game Boy emulators, and fascinatingly also work on bare-metal games.

Given the lack of custom chips in this console it is easily possible that its hardware could be directly cloned and that Nintendo might have unintentionally created a new general purpose hacker’s handheld gaming platform. There are a few hardware works-in-progress such as increasing the SPI Flash size and finding the unconnected USB pins, so we look forward to more exciting news from this quarter.

15 thoughts on “A Straightforward Guide To Unlocking The Nintendo Game And Watch”

  1. I was curious that he cautioned against using the AliExpress ST-Link gadgets, since I have been using them daily for many months. But he does give concrete reasons. One is that they don’t properly control the reset line (something I have never wished for) and the other that they don’t self-adjust to different power levels. Again, something that I don’t expect or need.

    So I can sleep at night once again. And on a bit more thought, I only connect 4 wires (3.3, gnd, SWD, SWC). My unit has a RST pin, or has one labeled as such. I wonder what ails it.

    1. The 3.3V pin in the $2 ST-Link clone is just a power output instead of input from target I/O rail. So you don’t even need to connect the 3.3V unless you want it to power your uC. Internally, the /Reset target signal is present as they are using the same firmware anyway.

      There are other Chinese JTAG/SWD clones that handle it correctly.

  2. I get that it’s fun to hack devices to do things they weren’t meant to, but if you just want a device that does *the thing*, how about something intended to do that? How about something from a company that doesn’t have a history of abusing their customers?

    How about spending $32 on a https://www.hardkernel.com/shop/odroid-go/ and getting some nice hardware that’s completely open source and from a company that doesn’t persecute their users?

    Is that not beefy enough? How about $59 for a much more powerful system: https://www.hardkernel.com/shop/odroid-go-advance-black-edition/

    1. I agree with willmore. Of course, this is Hackaday, so people should hack whatever hardware makes them happy :-)

      But with that said, Nintendo have been so hostile to homebrew for so long I can’t bring myself to put in the time to get familiar with their universe, because you’re just a “cease and desist” away from having all the fun toys taken away.

      Those Odroid boxes seem pretty neat. I had a GPX32 ten years ago which was great fun. Being able to play games from a bunch of different platforms was really good. Sega, Nintendo, Amiga… Although the lack of keyboard was tricky for some Amiga games.

      If you really must have a “nintendo” look and feel, the Pi-Boy looks awesome. Nice screen, lots of buttons, and inside that gameboy inspired case is a Raspberry Pi, whichever Pi you want! (I’m not affiliated with these guys, but when I have some spare cash, this is what I’ll probably buy!) https://www.experimentalpi.com/PiBoy-DMG–Full-Kit_p_18.html

  3. The STM32 microcontroller series has a bunch of firmware protection and encryption features, soooo Nintendo just decided to ignore them? Heck, they didn’t even bother to grind the part number off the top of the processor. It’s like they WANTED this thing to be hacked! But why? To let other people write games for free so Nintendo can sell more over-priced hardware? Nah, that can’t be it. The hardware is so generic that $20 Chinese clones will start popping up on Alibaba/AliExpress any day now. This is weird. It’s looking like the engineers at Nintendo are just plain incompetent. Do the Japanese have an equivalent to the U.S. H-1B visa? If yes, that might explain it.

      1. @Maave said: “…User hacks are inconsequential because Nintendo isn’t selling additional games.”

        User hacks certainly are consequential. They kill the product commercially for Nintendo. Allow me to clarify:

        1. The unprotected firmware now lives in the wild and third-party games and even emulators are being run on it today.

        2. The generic hardware is trivial to reverse engineer (schematics are already in the wild) and all the components are of gumball variety, cheap and readily available.

        These two things make the appearance of Chinese clones inevitable at a fraction (2/5-1/2) of Nintendo’s $50 street price. Once that happens, as far as Nintendo is concerned the product is essentially dead to them. And all this happened since the product release on 24-Nov-2020, just 10 days ago. None of this would have happened if Nintendo’s Engineers would have taken a few extra minutes to enable the on-chip firmware protection in the STM32H7B0VBT6 processor. The more I think about this it seems there are just two possibilities inside Nintendo: (a) Incompetence, or (b) Sabotage.

    1. @Drone, I think Nintendo _did_ try to lock down the firmware, but the community has spent the last few weeks laboriously hacking away until they have been able to unlock the whole thing. From the article: “It’s a succession of scripts to sequentially unlock and back up the various firmwares with STM payloads for each step. Finally the STM32 itself is unlocked…”

      I mentioned in an earlier post that I have no time for Nintendo, but the achievement of unlocking this device is still a beautiful example of a huge community effort, and the amount of work and dead ends they must have encountered along the way shouldn’t be underestimated :-)

  4. I was thinking and scrolling the internet a bit.
    I see that the flash can be upgraded, but can the CPU also be upgraded?

    On:
    https://www.st.com/en/microcontrollers-microprocessors/stm32h7-series.html

    “The STM32H7 single-core and value lines are pin-to-pin compatible with the STM32F7 series of very high-performance MCUs and STM32F4 series of high-performance MCUs for the most common packages”

    So is this possible, but is it also helpful?

    STM32H7B3RI

    Or:

    STM32H7B0 replaced by STM32H750 is still 200 MHz faster ;-)
