Reverse Engineering A PokeWalker

The PokeWalker is part of Nintendo’s long quest to get children (and likely some adults) walking and exercising. There’s the PokeWalker, Pokemon Pikachu, PokeBall Plus, Pokemon Pikachu 2, Pokemon mini, and of course Pokemon Go. Despite being out a decade, there wasn’t a ROM dump for the device and there was minimal documentation on the communication protocol. [Dmitry Grinberg] took it upon himself to change all that and crack the PokeWalker open.

At its heart, the PokeWalker is just a pedometer with an IR port and a 96×64 grayscale screen. It came out in 2009 to accompany the new Pokemon release for the Nintendo DS. Cracking open the device revealed a 64KB EEPROM, a Renesas H8/38606R CPU, a Bosch BMA150 accelerometer, and a generic IR transceiver. The CPU is particularly interesting: in addition to being quite rare, it mixes 8, 16, and 32 bits with 24-bit pointers, which gives it a 64K address space. While the CPU is programmable, any attempt to do so erases the onboard flash. Each packet of the communication protocol begins with an 8-byte header containing a checksum, a command byte, four bytes of session id, and an unused byte. Curiously enough, every byte is XOR’d with 0xAA before being broadcast.

One command is an EEPROM write, which uses back-referencing compression. The data to be written is packaged into 128-byte chunks, though fewer than 128 bytes are likely sent thanks to the compression. The command can theoretically reference 4k bytes back, but in practice it can only reference 256 bytes back. It was this command that laid the foundation for the exploit. A carefully crafted command can overflow the decompression buffer and write into executable code. Only a few bytes can be overflowed, so the payload needs to be carefully crafted. This allowed for an exploit that reads the system ROM and broadcasts it out the IR port. Only 22k bytes can be dumped before the watchdog reboots the device, but by changing the starting address it was easy to do multiple passes.
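To make that failure mode concrete, here is an added example (not code from [Dmitry]’s writeup or the PokeWalker firmware) of a back-reference decompressor that carries the two bounds checks a decompressor writing into a fixed 128-byte chunk needs. The token format is constructed for illustration and is not the PokeWalker’s: tag 0x00 precedes a literal byte, tag 0x01 precedes a (distance−1, length) pair, and for simplicity references may only reach data already written into the current chunk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 128   /* EEPROM writes land in 128-byte chunks (per the page) */

/* Hypothetical token format (constructed for this example):
 *   0x00 <byte>             literal byte
 *   0x01 <dist-1> <length>  copy <length> bytes from <dist> (1..256) back
 * Decompresses into a fixed 128-byte chunk and returns the number of bytes
 * produced, or -1 for any token that would write past the end of the chunk
 * or read from before its start. Those two checks are exactly what an
 * overflowable decompressor lacks. */
int decompress_chunk(const uint8_t *in, size_t in_len, uint8_t out[CHUNK_SIZE])
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t tag = in[ip++];
        if (tag == 0x00) {
            if (ip >= in_len || op >= CHUNK_SIZE) return -1;
            out[op++] = in[ip++];
        } else if (tag == 0x01) {
            if (ip + 2 > in_len) return -1;
            size_t dist = (size_t)in[ip] + 1;      /* 1..256 bytes back */
            size_t len  = in[ip + 1];
            ip += 2;
            if (dist > op) return -1;              /* source before chunk start */
            if (len > CHUNK_SIZE - op) return -1;  /* destination past chunk end */
            for (size_t i = 0; i < len; i++)       /* byte-wise so overlap repeats */
                out[op + i] = out[op + i - dist];
            op += len;
        } else {
            return -1;                             /* unknown tag */
        }
    }
    return (int)op;
}

int main(void)
{
    /* constructed stream: "AB" then "copy 4 bytes from 2 back" -> "ABABAB" */
    const uint8_t good[] = { 0x00, 'A', 0x00, 'B', 0x01, 0x01, 0x04 };
    /* constructed stream: one literal, then a 200-byte copy that would overrun */
    const uint8_t bad[]  = { 0x00, 'A', 0x01, 0x00, 0xC8 };
    uint8_t out[CHUNK_SIZE];
    int n = decompress_chunk(good, sizeof good, out);
    printf("good: %d bytes: %.*s\n", n, n, out);
    printf("bad: %d (rejected)\n", decompress_chunk(bad, sizeof bad, out));
    return 0;
}
```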

After the ROM was stitched together from the different passes, the different IR commands were analyzed. In particular, a command was found that allows direct writes into RAM. This makes for a much easier exploit as you can write your exploit, then override a pointer in the event table, then have the exploit revert the event table once the system naturally jumps to your exploit.

[Dmitry] finishes off this amazing exploit by writing a PalmOS app to dump the ROM from a PokeWalker as well as modify the system state. PalmOS was chosen as it is an easy and cheap way to have a programmable IR transceiver. All in all, a gorgeous hack with a meticulous writeup. This isn’t the first video game accessory that’s been reverse engineered with a scrupulous writeup, and we’re sure it won’t be the last.


Exploring The New Super Mario Game & Watch

Nintendo has revived the classic Game & Watch, this time in glorious full-color and running the same Super Mario Bros that first graced the Nintendo Entertainment System (NES) back in 1985. Even though it’s only been on the market for a few days, [stacksmashing] has already made some impressive progress towards unlocking the full potential of this $50 retro handheld.

It will come as no surprise to the average Hackaday reader that what we’re looking at here is a pocket-sized NES emulator, but until [stacksmashing] cracked his open, nobody was quite sure what kind of hardware it was running on. Thankfully there wasn’t an epoxy blob in sight, and all of the chips were easily identifiable. Armed with the knowledge that the Game & Watch is running on a STM32H7B0 microcontroller with a nearby SPI flash chip holding the firmware, it was just a matter of figuring out how the software worked.

Connecting to the SWD header.

It didn’t take long to find that an unpopulated header on the board would give him access to the Serial Wire Debug (SWD) interface of the STM32, though unfortunately he found that the chip’s security mode was enabled and he couldn’t dump the firmware.

But he was able to dump the RAM through SWD, which allowed him to identify where the Super Mario Bros NES ROM lived. By connecting the SPI flash chip to a reader and comparing its contents with what the system had in RAM, [stacksmashing] was able to figure out the XOR encryption scheme and come up with a tool that will allow you to insert a modified ROM into an image that can be successfully flashed to the chip.

So does that mean you can put whatever NES ROM you want on the new Game & Watch? Unfortunately, we’re not quite there yet. The emulator running on the device has a few odd quirks, and it will take some additional coaxing before it’s ready to run Contra. But we’ve seen enough of these devices get hacked to know that it’s just a matter of time.


Dumping A N64 Development Cartridge Safely

Retro gaming enthusiasts have always had great interest in rarities outside the usual commercial titles. Whether they be early betas, review copies, or even near-complete versions of games that never made it to release, these finds can be inordinately valuable. [Modern Vintage Gamer] recently came across a pre-release version of Turok 3 for the Nintendo 64, and set about dumping and preserving the find. (Video, embedded below.)

With one-off cartridges like these, it’s important to take the utmost care in order to preserve the data onboard. Simply slapping it into a regular console might boot up the game, but carries with it a non-zero chance of damaging the cart. Instead, the first step taken was to dump the cart for archival purposes. When working with a prototype cart, commodity dumpers like the Retrode aren’t sufficient to do the job. [Modern Vintage Gamer] notes that a Doctor V64 or Gameshark with a parallel port could work, but elects to use a more modern solution in the form of the Ultrasave and 64drive.

With the cartridge backed up and duplicated onto the 64drive, the code can be run on a real console without risk of damage to the original. At first glance, the game appears similar to the final retail version. Analysis of the dump using a file comparison tool suggests that the only differences between the “80% Complete” ROM and the retail edition are headers, leading [Modern Vintage Gamer] to surmise that the game may have been rushed to release.

While in this case the dump didn’t net an amazing rare version of a retro game, [Modern Vintage Gamer] does a great job of explaining the how and why of the process of preserving a vintage cartridge. We look forward to the next rare drop that shakes up the retro world; we’ve seen efforts on Capcom arcade boards net great results. Video after the break.


N64 Power Adapter Works Around The World

Modern electronics such as phone and laptop chargers are pretty versatile no matter where you find yourself in the world. Capable of running off anything from 100-250V, all you need is a socket adaptor and you’re good to go. Video game consoles of the 1990s weren’t so flexible however. [MattKC] was tired of messing around with step down transformers to run his US market N64, and decided to rectify this, building a universal adapter to run the console instead.

It’s a proper hacked build, assembled out of a jumble of old parts. A broken N64 power adapter was harvested for its case and unique DC plug, which carries 12V and 3.3V to the console. Few compact power supplies exist delivering this pair of voltages, so [MattKC] got creative. An old router was sourced for its 12V 2A supply, which was combined with a 3.3V buck converter to supply both rails. With some creative bodging and plenty of mounting tape, the supplies were crammed inside the original case and wired up to the original jack and a figure-8 cable, allowing easy socket changes in different countries without the use of ugly adapters.

While few of us routinely travel with 25-year-old Nintendo consoles, for those that do, the convenience of a single universal supply can’t be overstated. Fitting a step-down transformer into carry-on luggage simply isn’t practical, after all. We’ve featured similar hacks as far back as 2006, and more recently a project seeking to build a new PSU for the venerable Amiga 500. Video after the break.


Cube64 Puts The Good Controllers On The GoldenEye Console

The Nintendo 64 was lauded for bringing quality 3D graphics and analog stick controls to the console realm, way back in 1996. Unfortunately, those analog sticks were never very good; if you’ve ever played four player Mario Kart 64, you know how it feels to be stuck with that controller. For a superior experience, consider building an adapter and upgrading to the GameCube controller instead.

Cube64 is a project that allows GameCube controllers to work with the original Nintendo 64 hardware. Using a PIC18F14K22 in its DIY version, or a PIC18F24Q10 in the SMD version, it’s the product of much work by [scanlime] and [darthcloud] to reverse engineer the N64 and GC controller protocols. The GameCube’s many buttons and sticks allow for easy mapping to the N64’s original button layout, and the hardware provides plenty of calibration options and maps to get things working exactly the way you like for the game you’re playing.

Given that original N64 controllers are getting hard to come by, a GameCube upgrade is a great way to go. They’ll likely be in production for years yet, thanks to the commercial influence of Super Smash Bros. Of course, the two consoles have been fine friends for years, as evidenced by this mashup console we featured back in the distant, peaceful past of 2013.

New Controllers On Old Nintendos With USB64

The Nintendo 64 made a big splash when it launched in 1996, not least of all for its innovative controller. Featuring a trident design never seen before or since, with an analog stick smack bang in the center, it changed what gamers expected from consoles from that day forward. Of course, those controllers are now much worse for wear, and technology has moved on somewhat. The latest development from [Ryzee119] aims to rectify this.

The result of that work is USB64, a tool designed to allow the use of USB controllers on the Nintendo 64. Using a Teensy 4.1, it builds upon earlier work to get the Xbox 360 controller working on the platform. However, the feature set has been greatly expanded, covering almost any use case imaginable. Mempacks are now efficiently emulated, and save files can be backed up to a PC via SD card. Additionally, the GameBoy Transferpak is emulated, meaning data can be transferred between GameBoy ROMs on an SD card and games on the N64. Even the N64 mouse is supported, and can be emulated with a regular USB mouse. Capable of doing all this for all four players, work is ongoing to increase the number of compatible aftermarket controllers for the utmost flexibility. [Ryzee119] also coded up a useful test ROM for the N64, which is invaluable when debugging controller hardware.

Console controllers take a lot of punishment, particularly from serious gamers, so we’re always eager to see projects that allow modern replacements to be used with old hardware. We’ve featured other great projects in this area before, too!

Orbital Tracking On The NES

It’s easy to dismiss the original Nintendo Entertainment System as just, well, an entertainment system. But in reality the 6502 based console wasn’t so far removed from early home computers like the Apple II and Commodore 64, and Nintendo even briefly flirted with creating software and accessories geared towards general purpose computing. Though in the end, Mario and friends obviously won out.

Still, we’re willing to bet that nobody at Nintendo ever imagined their plucky little game system would one day be used to track the course of a space station in low Earth orbit. But that’s precisely what [Vi Grey] has done with his latest project, which is part of his overall effort to demonstrate the unexpected capabilities of the iconic NES. While you’ll need a bit of extra hardware to run the program on a real console, there’s no fundamental trickery that would have kept some developer from doing this in 1985 if they’d wanted to.

Raspberry Pi Zero and TAStm32

If you want to see your own 8-bit view of the International Space Station, the easiest way is with an emulator. In that case, [Vi] explains how you can load up his Lua script in Mesen or FCEUX to provide the ROM with the necessary tracking data from the Internet.

To run it on a real NES you’ll not only need some type of flash cart to get the ROM loaded, but also a TAStm32 board that’s used for tool-assisted speedruns. This allows the computer to essentially “type” the orbital data into the NES by emulating rapid controller button presses. That might seem like a tall order, but it’s important to note that neither device requires you to modify the original console; the code itself runs on a 100% stock NES.

If tracking spacecraft isn’t your thing, perhaps you’d be more interested in some of the work [Vi] has previously done on the NES. We’re particularly fond of his polyglot ROM that is a ZIP file of its own source code.
