Nintendo Switch Gets Making With Labo

Over the years, Nintendo has had little trouble printing money with their various gaming systems. While they’ve had the odd misstep here and there since the original Nintendo Entertainment System was released in 1983, overall business has been good. But even for the company that essentially brought home video games to the mainstream, this last year has been pretty huge. The release of the Nintendo Switch has rocketed the Japanese gaming giant back into the limelight in a way they haven’t enjoyed in a number of years, and now they’re looking to keep that momentum going into 2018 with a killer new gaming accessory: a cardboard box.

Some of the contraptions feature surprisingly complex internal mechanisms.

Well, it doesn’t have to be a box, necessarily. But no matter which way you fold it, it’s definitely a piece of cardboard. Maybe a few bits of string here and there. This is the world of “Nintendo Labo”, a recently announced program which promises to let Switch owners create physical objects which they can interact with via specially designed software for the console.

The Labo creations demonstrated in the bombastic announcement video make clever use of the very unique Switch hardware. The removable Joy-Con controllers are generally still used as input devices, albeit in less traditional ways. Twisting and tilting the cardboard creations, which take varied forms such as a fishing rod or motorcycle handlebars, relays input to the appropriate game thanks to the accelerometers and gyroscopes they contain.

Many of the more complex contraptions rely on a less-known feature of the controller: the IR depth camera. By pointing the controller’s camera inside of the devices, the motion of internal components, likely helped along by IR-reflective tape, can be tracked in three dimensions. In the video, the internal construction of some of the devices looks downright intimidating.

Which leads into the natural question: “Who exactly is this for?”

Clearly some of the gadgets, not to mention the folded cardboard construction, are aimed at children, an age group Nintendo has never been ashamed to appeal to. But some of the more advanced devices and overall concept seems like it would play better with creative teens and adults looking to push the Switch in new directions.

Will users be empowered to create their own hardware, and by extension, associated software? Will hackers and makers be able to 3D print new input devices for the Switch using this platform? This is definitely something we’ll be keeping a close eye on as it gets closer to release in April.

The popularity of the Switch has already given rise to a surprising amount of hacking given how new the console is. It will be interesting to see if the introduction of Labo has any effect on the impressive work already being done to bend the console to the owner’s will.

Reverse Engineering A Pirate Nintendo Arcade Board

The Nintendo VS. System was a coin-op arcade system based on the Nintendo Entertainment System (NES) hardware. By being so closely related to the home console, it made it easy to port games back and forth between the two. Being an arcade system, there was significant financial incentive to pirate the boards and games, and many years later such a pirate board landed on the desk of [kevtris], who decided to reverse engineer it for our viewing pleasure.

The board in question runs Super Mario Brothers, and rather than using actual Nintendo hardware it instead relies on a standard MOS 6502 to recreate all the functions of the original CPU. A Z80 is pressed into service to emulate the original audio hardware, too. With much of the functionality recreated in TTL logic chips, the board is power hungry, drawing a ridiculous 3 amps when powered up. We wonder as to the fire safety of such machines all crammed into a hot, sweaty arcade of yesteryear.

[kevtris] does a great job of reverse engineering the system, even providing a full PDF schematic for the bootleg board. An old SEGA controller is hand-wired into the board to provide both game controls and act as a coin switch to allow the game to be played.

We’d love to hear the story of how these machines actually came to be, and the design process involved, but for now that may remain one for the ages. Arcade piracy was something the big companies fought against for years, with varying success – and we’ve seen arcade DRM hacked before.

[Thanks to Jero32 for the tip!]

34C3: Hacking The Nintendo Switch

There’s a natural order to the world of game console hacking: every time a manufacturer releases a new game console they work in security measures that prevent the end user from running anything but commercially released games, and in turn every hacker worth his or her salt tries to break through. The end goal, despite what the manufacturers may have you believe, is not to run “bootleg” games, but rather to enable what is colloquially referred to as “homebrew”. That is to say, enabling the novel concept of actually running software of your choice on the hardware you paid for.

At 34C3, noted console hackers [Plutoo], [Derrek], and [Naehrwert] have demonstrated unsigned code running on Nintendo’s latest and greatest, and while they are keeping the actual exploit to themselves for now, they’ve promised that a platform for launching homebrew is coming shortly for those who are on firmware version 3.0.0. From the sound of it, after 9 months on the market, Switch owners will finally have complete access to the hardware they purchased.

The key to running the team’s own code was through a WebKit exploit that was already months old by the time the Switch was released. Loading up an arbitrary webpage was the tricky part, as the Switch generally uses its web browser for accessing official sources (like the online game store). But hidden away in the help menus of Tetris, the developers helpfully put a link to their website which the Switch will dutifully open if you select it. From there it’s just a matter of network redirection to get the Switch loading a webpage from your computer rather than the Internet.

It’s easier to ask for forgiveness than permission.

But as the more security-minded of our readers may have guessed already, that just gets you into the browser’s sandbox. The team now had to figure out a way to break out and get full control of the hardware. Through a series of clever hacks the team was able to learn more about the Switch’s internal layout and operating system, slowly working their way up the ladder.

A particularly interesting hack was used to get around a part of the Switch’s OS that is designed to check which services code is allowed to access. It turns out that if code doesn’t provide this function with its own process ID (PID), the system defaults to PID 0 because the variable is not initialized. In other words, if you don’t ask the operating system which functions you have access to, you will get access to them all. This is a classic programming mistake, and a developer at Nintendo HQ is likely getting a very stern talking to right about now.
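The uninitialized-PID default described above, as an added vulnerable-versus-hardened model (not code from the talk or from Nintendo’s firmware; the service table, the request struct and the `pid_set` flag are assumptions for illustration):

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical service-manager model (added example). Service bits a
 * process may request; table slot 0 is the privileged "everything" entry. */
enum { SVC_FS = 1, SVC_NET = 2, SVC_BOOT = 4, SVC_ALL = 7 };

struct request {
    bool pid_set;   /* did the caller explicitly fill in its PID? (assumed) */
    uint32_t pid;   /* reads as 0 if the caller never wrote it */
};

/* Per-process service masks; index 0 is the privileged entry. */
static const uint32_t svc_table[] = { SVC_ALL, SVC_FS, SVC_FS | SVC_NET };
#define NPROC (sizeof svc_table / sizeof svc_table[0])

/* Vulnerable: trusts whatever value sits in req->pid, so a request whose
 * PID field was never set (and so is 0) is looked up as the privileged slot. */
uint32_t services_vuln(const struct request *req) {
    uint32_t pid = req->pid;                 /* "not provided" is never checked */
    return pid < NPROC ? svc_table[pid] : 0;
}

/* Hardened: fail closed when the PID was not explicitly supplied, is the
 * privileged 0 slot, or is out of range. */
uint32_t services_fixed(const struct request *req) {
    if (!req->pid_set || req->pid == 0 || req->pid >= NPROC)
        return 0;                            /* deny every service */
    return svc_table[req->pid];
}

/* Caller that forgets to fill in its PID. memset models zeroed storage; real
 * uninitialized memory is undefined, but the observed effect is the same. */
uint32_t forgetful_caller(uint32_t (*check)(const struct request *)) {
    struct request req;
    memset(&req, 0, sizeof req);
    return check(&req);
}

/* Well-behaved caller that supplies its PID explicitly. */
uint32_t proper_caller(uint32_t (*check)(const struct request *), uint32_t pid) {
    struct request req = { .pid_set = true, .pid = pid };
    return check(&req);
}
```

The vulnerable lookup hands the forgetful caller `SVC_ALL`; the hardened one hands it nothing, while callers that state a valid PID get exactly their table entry.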

But not everything was so easy. When trying to get access to the boot loader, the team sniffed the eMMC bus and timed the commands to determine when it was checking the encryption keys. They were then able to assemble a “glitcher” which fiddled with the CPU’s power using FPGA-controlled MOSFETs during this critical time in an attempt to confuse the system.

The rabbit hole is pretty deep on this one, so we’d recommend you set aside an hour to watch the entire presentation to see the long road it took to go from a browser bug to running their first complete demo. It’s as much a testament to the skill of [Plutoo], [Derrek], and [Naehrwert] as it is to the lengths to which Nintendo went to keep people out.

We’ve seen other attempts at reverse engineering Nintendo’s hardware, but by the looks of it, the Switch has put up a much harder fight than previous console generations. Makes you wonder what tricks Nintendo will have up their sleeves for the next generation.

Reverse Engineering The Nintendo Wavebird

Readers who were firmly on Team Nintendo in the early 2000s or so can tell you that there was no accessory cooler for the Nintendo GameCube than the WaveBird. Previous attempts at wireless game controllers had generally either been sketchy third-party accessories or based around IR, and in both cases the end result was that the thing barely worked. The WaveBird on the other hand was not only an official product by Nintendo, but used 2.4 GHz to communicate with the system. Some concessions had to be made with the WaveBird; it lacked rumble, was a bit heavier than the stock controllers, and required a receiver “dongle”, but on the whole the WaveBird represented the shape of things to come for game controllers.

Finding the center frequency for the WaveBird

Given the immense popularity of the WaveBird, [Sam Edwards] was somewhat surprised to find very little information on how the controller actually worked. Looking for a project he could use his HackRF on, [Sam] decided to see if he could figure out how his beloved WaveBird communicated with the GameCube. This moment of curiosity on his part spawned an awesome 8 part series of guides that show the step by step process he used to unlock the wireless protocol of this venerable controller.

Even if you’ve never seen a GameCube or its somewhat pudgy wireless controller, you’re going to want to read through the incredible amount of information [Sam] has compiled in his GitHub repository for this project.

Starting with defining what a signal is to begin with, [Sam] walks the reader through Fourier transforms, the different types of modulations, decoding packets, and making sense of error correction. In the end, [Sam] presents a final summation of the wireless protocol, as well as a simple Python tool that lets the HackRF impersonate a WaveBird and send button presses and stick inputs to an unmodified GameCube.

This amount of work is usually reserved for those looking to create their own controllers from the ground up, so we appreciate the effort [Sam] has gone through to come up with something that can be used on stock hardware. His research could have very interesting applications in the world of “tool-assisted speedruns” or even automating mindless stat-grinding.

The King Of All Game Genies In An Arduino

While Nintendo is making a killing on nostalgic old consoles, there is a small but dedicated group of hackers still working with the original equipment. Since the original NES was rolled out in the 80s, though, there are a few shortcomings with the technology. Today we have Arduinos, cheap memory, and interesting toolchains. What can we do with this? Absolutely anything we want, like playing modern video games on this antiquated system. [uXe] added dual-port memory to his ancient NES console, opening up the door to using the NES as a sort of video terminal for an Arduino. Of course, this is now also the King of All Game Genies and an interesting weekend project to boot.

Most NES cartridges have two bits of memory, the PRG and CHR ROMs. [uXe] is breaking out the cartridge connector onto an exceptionally wide rainbow ribbon cable, and bringing it into a custom Arduino Mega shield loaded up with two 16K dual-port RAM chips. These RAM chips effectively replace the PRG and CHR ROMs. Since these are dual-port RAM chips, they can be written to by the Arduino and read by the NES simultaneously.

The NES sees one port of the RAM and can read and write from it while the Arduino still has access to make changes through the other port while that’s happening. A trick like this opens up a whole world of possibilities, most obviously with tiling and other graphics tricks that can push beyond the console’s original capabilities. [uXe] is currently playing Arduboy games on the NES — a really neat trick to pull off. Well done [uXe]!

Be sure to check out the video below of the NES running some games from the Arduboy system. It seems to integrate seamlessly into the hardware, so if you’ve always had a burning desire to fix crappy graphics on some of your favorite games, or run some special piece of software on an NES, now might just be your time to shine.

Homebrew SNES Mini Aims For Historical Accuracy

While “normies” are out fighting in the aisles of Walmart to snap up one of the official “Classic Mini” consoles that Nintendo lets slip out onto the market every once in a while, hackers have been perfecting their own miniature versions of these classic gaming systems. The “Classic Mini” line is admittedly a very cool way to capitalize on nostalgic masses who have now found themselves at the age where they have disposable income, but the value proposition is kind of weak. Rather than being stuck with the handful of generation-limited games that Nintendo packed into the official products, these homebrew consoles can play thousands of ROMs from systems that stretch across multiple generations and manufacturers.

But for those old enough to remember playing on one of these systems when they first came out, these modern reincarnations always lack a certain something. It never feels quite right. That vaguely uncomfortable feeling is exactly what [ElBartoME] is aiming to eliminate with his very slick miniature SNES build. His 3D printed case doesn’t just nail the aesthetics of the original (PAL) console, but the system also uses real SNES controllers in addition to NFC “cartridges” to load different ROMs.

The project’s page on Thingiverse has all the wiring diagrams and kernel configuration info to get the internal Raspberry Pi 3 to read an original SNES controller via the GPIO pins. He also gives a full rundown on the hardware and software required to get the NFC-enabled cartridges working with EmulationStation to launch the appropriate game when inserted. Though he does admit this is quite a bit trickier than the controller setup.

[ElBartoME] has put a video up on YouTube that shows him inserting his mock cartridges and navigating the menus with an original SNES controller. If it wasn’t for the fact that the console is the size of a smartphone and the on-screen display is generations beyond what the SNES could pull off, you’d think he was playing on the real thing.

We’ve seen some incredibly impressive emulation boxes based on the Raspberry Pi, and builds which tried to embrace original hardware components, but this particular project may represent the best of both worlds.

Reverse Engineering The Nintendo Switch Joy-Cons

The Switch is Nintendo’s latest effort in the console world. One of its unique features is the Joy-Cons, a pair of controllers that can either attach directly to the console’s screen or be removed and used individually. But how do they work? [dekuNukem] decided to find out.

The reverse engineering efforts begin with disassembly. Surprisingly, there is no silkscreen present on the board to highlight test points or part numbers. This is likely intended to stymie community efforts to work with the hardware, as different teams may create their own designations for components. Conversely, the chips inside still have their identifying markings present, which does ease identification somewhat.

There are some interesting choices made – the majority of the buttons are scanned in a matrix configuration by the on-board microcontroller, making it harder to spoof button presses. The controllers communicate over Bluetooth, switching to a physical serial connection when attached directly to the screen. This runs at a blistering 3,125,000 BPS after the initial handshake is completed.

Overall it’s a fairly comprehensive reverse engineering effort, and [dekuNukem] has provided excellent detail in the writeup for anyone else looking to get involved. There’s still some work left to do, like investigating the rumble messages, but it’s an excellent start.

Perhaps you’re more interested in older Nintendo hardware? Check out this comprehensive effort to figure out NES console-to-cartridge security methods.