34C3: Hacking The Nintendo Switch

There’s a natural order to the world of game console hacking: every time a manufacturer releases a new game console they work in security measures that prevent the end user from running anything but commercially released games, and in turn every hacker worth his or her salt tries to break through. The end goal, despite what the manufacturers may have you believe, is not to run “bootleg” games, but rather to enable what is colloquially referred to as “homebrew”. That is to say, enabling the novel concept of actually running software of your choice on the hardware you paid for.

At 34C3, noted console hackers [Plutoo], [Derrek], and [Naehrwert] have demonstrated unsigned code running on Nintendo’s latest and greatest and while they are keeping the actual exploit to themselves for now, they’ve promised that a platform for launching homebrew is coming shortly for those who are on firmware version 3.0.0. From the sound of it, after 9 months on the market, Switch owners will finally have complete access to the hardware they purchased.

The key to running the team’s own code was through a WebKit exploit that was already months old by the time the Switch was released. Loading up an arbitrary webpage was the tricky part, as the Switch generally uses its web browser for accessing official sources (like the online game store). But hidden away in the help menus of Tetris, the developers helpfully put a link to their website which the Switch will dutifully open if you select it. From there it’s just a matter of network redirection to get the Switch loading a webpage from your computer rather than the Internet.

It’s easier to ask for forgiveness than permission.

But as the more security-minded of our readers may have guessed already, that just gets you into the browser’s sandbox. The team now had to figure out a way to break out and get full control of the hardware. Through a series of clever hacks the team was able to learn more about the Switch’s internal layout and operating system, slowly working their way up the ladder.

A particularly interesting hack was used to get around a part of the Switch’s OS that is designed to check which services code is allowed to access. It turns out that if code doesn’t provide this function with its own process ID (PID), the system defaults to PID 0 because the variable is not initialized. In other words, if you don’t ask the operating system which functions you have access to, you will get access to them all. This is a classic programming mistake, and a developer at Nintendo HQ is likely getting a very stern talking to right about now.
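The "missing PID defaults to 0" mistake described above, modelled as a constructed C example added here (not the Switch's actual service-manager code; the policy table, PIDs and service names are made up). PID 0 stands for the most privileged caller, so the vulnerable check treats a request that omits its PID as that caller, while the hardened check fails closed:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define KERNEL_PID 0   /* constructed: the privileged identity that may reach everything */

typedef struct {
    int pid;           /* caller PID, or -1 when the request omits it */
} access_request_t;

typedef struct {
    int pid;
    const char *allowed; /* space-separated service names, or "*" for all */
} policy_entry_t;

/* Constructed policy table: which services each PID may reach. */
static const policy_entry_t policy[] = {
    { KERNEL_PID, "*" },
    { 42,         "fs audio" },
    { 43,         "audio" },
};

/* Look the PID up in the table and test whether `service` is listed for it. */
static bool policy_allows(int pid, const char *service) {
    size_t n = strlen(service);
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (policy[i].pid != pid) continue;
        if (strcmp(policy[i].allowed, "*") == 0) return true;
        for (const char *p = policy[i].allowed; *p; ) {
            while (*p == ' ') p++;
            const char *start = p;
            while (*p && *p != ' ') p++;
            if ((size_t)(p - start) == n && strncmp(start, service, n) == 0) return true;
        }
        return false;
    }
    return false;   /* unknown PID: deny */
}

/* Vulnerable: the local that should hold the caller's PID starts out as 0
 * (modelling the uninitialized variable), so a request with no PID is
 * checked as if it came from KERNEL_PID and passes every check. */
bool check_access_vulnerable(const access_request_t *req, const char *service) {
    int pid = 0;
    if (req->pid >= 0) pid = req->pid;
    return policy_allows(pid, service);
}

/* Hardened: a missing PID is an error, never a default identity. */
bool check_access_fixed(const access_request_t *req, const char *service) {
    if (req->pid < 0) return false;   /* fail closed */
    return policy_allows(req->pid, service);
}
```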

But not everything was so easy. When trying to get access to the boot loader, the team sniffed the eMMC bus and timed the commands to determine when it was checking the encryption keys. They were then able to assemble a “glitcher” which fiddled with the CPU’s power using FPGA-controlled MOSFETs during this critical time in an attempt to confuse the system.

The rabbit hole is pretty deep on this one, so we’d recommend you set aside an hour to watch the entire presentation to see the long road it took to go from a browser bug to running their first complete demo. It’s as much a testament to the skill of [Plutoo], [Derrek], and [Naehrwert] as it is to the lengths to which Nintendo went to keep people out.

We’ve seen other attempts at reverse engineering Nintendo’s hardware, but by the looks of it, the Switch has put up a much harder fight than previous console generations. Makes you wonder what tricks Nintendo will have up their sleeves for the next generation.


Reverse Engineering The Nintendo Wavebird

Readers who were firmly on Team Nintendo in the early 2000’s or so can tell you that there was no accessory cooler for the Nintendo GameCube than the WaveBird. Previous attempts at wireless game controllers had generally either been sketchy third-party accessories or based around IR, and in both cases the end result was that the thing barely worked. The WaveBird on the other hand was not only an official product by Nintendo, but used 2.4 GHz to communicate with the system. Some concessions had to be made with the WaveBird; it lacked rumble, was a bit heavier than the stock controllers, and required a receiver “dongle”, but on the whole the WaveBird represented the shape of things to come for game controllers.

Finding the center frequency for the WaveBird

Given the immense popularity of the WaveBird, [Sam Edwards] was somewhat surprised to find very little information on how the controller actually worked. Looking for a project he could use his HackRF on, [Sam] decided to see if he could figure out how his beloved WaveBird communicated with the GameCube. This moment of curiosity on his part spawned an awesome 8 part series of guides that show the step by step process he used to unlock the wireless protocol of this venerable controller.

Even if you’ve never seen a GameCube or its somewhat pudgy wireless controller, you’re going to want to read through the incredible amount of information [Sam] has compiled in his GitHub repository for this project.

Starting with defining what a signal is to begin with, [Sam] walks the reader through Fourier transforms, the different types of modulation, decoding packets, and making sense of error correction. In the end, [Sam] presents a final summation of the wireless protocol, as well as a simple Python tool that lets the HackRF impersonate a WaveBird and send button presses and stick inputs to an unmodified GameCube.

This amount of work is usually reserved for those looking to create their own controllers from the ground up, so we appreciate the effort [Sam] has gone through to come up with something that can be used on stock hardware. His research could have very interesting applications in the world of “tool-assisted speedruns” or even automating mindless stat-grinding.

The King Of All Game Genies In An Arduino

While Nintendo is making a killing on nostalgic old consoles, there is a small but dedicated group of hackers still working with the original equipment. Since the original NES was rolled out in the 80s, though, there are a few shortcomings with the technology. Now, though, we have Arduinos, cheap memory, and interesting toolchains. What can we do with this? Absolutely anything we want, like playing modern video games on this antiquated system. [uXe] added dual-port memory to his ancient NES console, opening up the door to using the NES as a sort of video terminal for an Arduino. Of course, this is now also the King of All Game Genies and an interesting weekend project to boot.

Most NES cartridges have two bits of memory, the PRG and CHR ROMs. [uXe] is breaking out the cartridge connector onto an exceptionally wide rainbow ribbon cable, and bringing it into a custom Arduino Mega shield loaded up with two 16K dual-port RAM chips. These RAM chips effectively replace the PRG and CHR ROMs. Since these are dual-port RAM chips, they can be written to by the Arduino and read by the NES simultaneously.

The NES sees one port of the RAM and can read and write from it while the Arduino still has access to make changes through the other port while that’s happening. A trick like this opens up a whole world of possibilities, most obviously with tiling and other graphics tricks that can push beyond the console’s original capabilities. [uXe] is currently playing Arduboy games on the NES — a really neat trick to pull off. Well done [uXe]!

Be sure to check out the video below of the NES running some games from the Arduboy system. It seems to integrate seamlessly into the hardware, so if you’ve always had a burning desire to fix crappy graphics on some of your favorite games, or run some special piece of software on an NES, now might just be your time to shine.


Homebrew SNES Mini Aims For Historical Accuracy

While “normies” are out fighting in the aisles of Walmart to snap up one of the official “Classic Mini” consoles that Nintendo lets slip out onto the market every once in a while, hackers have been perfecting their own miniature versions of these classic gaming systems. The “Classic Mini” line is admittedly a very cool way to capitalize on nostalgic masses who have now found themselves at the age where they have disposable income, but the value proposition is kind of weak. Rather than being stuck with the handful of generation-limited games that Nintendo packed into the official products, these homebrew consoles can play thousands of ROMs from systems that stretch across multiple generations and manufacturers.

But for those old enough to remember playing on one of these systems when they first came out, these modern reincarnations always lack a certain something. It never feels quite right. That vaguely uncomfortable feeling is exactly what [ElBartoME] is aiming to eliminate with his very slick miniature SNES build. His 3D printed case doesn’t just nail the aesthetics of the original (PAL) console, but the system also uses real SNES controllers in addition to NFC “cartridges” to load different ROMs.

The project’s page on Thingiverse has all the wiring diagrams and kernel configuration info to get the internal Raspberry Pi 3 to read an original SNES controller via the GPIO pins. He also gives a full rundown on the hardware and software required to get the NFC-enabled cartridges working with EmulationStation to launch the appropriate game when inserted, though he does admit this is quite a bit trickier than the controller setup.

[ElBartoME] has put a video up on YouTube that shows him inserting his mock cartridges and navigating the menus with an original SNES controller. If it wasn’t for the fact that the console is the size of a smartphone and the on-screen display is generations beyond what the SNES could pull off, you’d think he was playing on the real thing.

We’ve seen some incredibly impressive emulation boxes based on the Raspberry Pi, and builds which tried to embrace original hardware components, but this particular project may represent the best of both worlds.


Reverse Engineering The Nintendo Switch Joy-Cons

The Switch is Nintendo’s latest effort in the console world. One of its unique features is the Joy-Cons, a pair of controllers that can either attach directly to the console’s screen or be removed and used individually. But how do they work? [dekuNukem] decided to find out.

The reverse engineering efforts begin with disassembly. Surprisingly, there is no silkscreen present on the board to highlight test points or part numbers. This is likely intended to stymie community efforts to work with the hardware, as different teams may create their own conflicting designations for components. However, the chips inside still have their identifying markings present, which does ease identification somewhat.

There are some interesting choices made – the majority of the buttons are scanned in a matrix configuration by the on-board microcontroller, making it harder to spoof button presses. The controllers communicate over Bluetooth, switching to a physical serial connection when attached directly to the screen. This runs at a blistering 3,125,000 BPS after the initial handshake is completed.

Overall it’s a fairly comprehensive reverse engineering effort, and [dekuNukem] has provided excellent detail in the writeup for anyone else looking to get involved. There’s still some work left to do, like investigating the rumble messages, but it’s an excellent start and very comprehensive.

Perhaps you’re more interested in older Nintendo hardware? Check out this comprehensive effort to figure out NES console-to-cartridge security methods.

Teensy Script Plays Nintendo Switch, Strikes Out

The most recent of the Zelda franchise, Breath of the Wild, is known for its many, many puzzles. One of the more frustrating ones involves bowling with a giant snowball at the top of a hillside. [Bertrand] did not like this, so he cheated the system, er, hacked the Nintendo Switch so that he “genuinely earned” a strike every time he played. He achieved this by writing a script for a Teensy module that got him those sweet rupees.

The Teensy houses an Atmel 90USB1286 microcontroller. When paired with LUFA software, it can emulate numerous USB devices including keyboards, joysticks, etc. It also handily has a Mini-B USB connector located on its rear, allowing it to communicate with the Switch with ease. After confirming the hardware was compatible, [Bertrand] looked towards the software side, noticing the similarity between what already existed and what he was attempting to accomplish. He happened upon this in a Splatoon 2 fork that allows players to draw posts.

In essence, it takes image files as input and emulates the controls and buttons to draw a 1-bit version of the image automatically. This takes care of syncing the hardware as well as how to simulate the button presses. But instead of reading an image file, it needed to take a custom script as the input. This required starting from scratch. The first logical step — of course — was to create a language similar to Logo, a name that surely brings back memories of the time of big hair and shoulder pads. He only needed a handful of simple commands to control Link:

typedef enum {
	UP,
	DOWN,
	LEFT,
	RIGHT,
	X,
	Y,
	A,
	B,
	L,
	R,
	THROW,
	NOTHING,
	TRIGGERS
} Buttons_t;


DIY Nintendo Switch May Be Better Than Real Thing

Nintendo’s latest Zelda-playing device, the Switch, is having no problems essentially printing money for the Japanese gaming juggernaut. Its novel design that bridges the gap between portable and home console by essentially being both at the same time has clearly struck a chord with the modern gamer, and even 8 months after its release, stores are still reporting issues getting enough of the machines to meet demand.

But for our money, we’d rather have the Raspberry Pi powered version that [Tim Lindquist] slaved over for his summer project. Every part of the finished device (which he refers to as the “NinTIMdo RP”) looks professional, from the incredible job he did designing and printing the case down to the small details like the 5 LED display on the top edge that displays volume and battery level. For those of you wondering, his version even allows you to connect it to a TV; mimicking the handheld to console conversion of the real thing.

[Tim] has posted a fascinating time-lapse video of building the NinTIMdo RP on YouTube that covers every step of the process. It starts with a look at the 3D model he created in Autodesk Inventor, and then goes right into the post-printing prep work where he cleans up the printed holes with a Dremel and installs brass threaded inserts for strength. The bulk of the video shows the insane amount of hardware he managed to pack inside the case, a true testament to how much thought was put into the design.

For the software side, the Raspberry Pi is running the ever popular RetroPie along with the very slick EmulationStation front-end. There’s also a Teensy microcontroller on board that handles the low-level functions such as controlling volume, updating the LED display, and mapping the physical buttons to a USB HID device the Raspberry Pi can understand.

The Teensy source code as well as the 3D models of the case have been put up on GitHub, but for a project like this that’s just the tip of the iceberg. [Tim] does mention that he’s currently working on creating a full build tutorial, though, so if Santa doesn’t leave a Switch under the tree for you this year, maybe he can at least give you a roll of filament and enough electronics to build your own.

While this isn’t the first time a Raspberry Pi has dressed up as a Nintendo console, it may represent the first time somebody has tried to replicate a current-generation gaming device with one.
