Nintendo’s reborn tiny handheld game has certainly attracted the attention of hardware hackers, and we’ve been treated to a succession of exploits as its secrets have been one by one unlocked. With relatively straightforward hardware it conceals potential far beyond a simple Mario game or two, and it’s now at the stage of having a path to dumping both its SPI Flash and internal Flash, unlocking its processor, and running arbitrary code. The process of unlocking it is now atraightforward enough to warrant a HOWTO video, to which [stacksmashing] has treated us. It’s early days and this is still touted as for developers rather than gamers, but it serves to show where work on this console is going.
The console’s STM32 architecture means that programming hardware is straightforward enough to find, though we’re cautioned against using the cheap AliExpress type we might use with a Blue Pill or similar. Instead the snap-off programmer that comes with an STM Nucleo board is a safer choice that many people are likely to have already.
The relative simplicity of the process as seen in the video below must conceal an immense amount of work from multiple people. It’s a succession of scripts to sequentially unlock and back up the various firmwares with STM payloads for each step. Finally the STM32 itself is unlocked, and the backed-up Nintendo firmware can be returned to the device or instead a custom firmware can be created. Aside from the DOOM we’ve already seen there are work-in-progress NES and Game Boy emulators, and fascinatingly also work on bare-metal games.
Given the lack of custom chips in this console it is easily possible that its hardware could be directly cloned and that Nintendo might have unintentionally created a new general purpose hacker’s handheld gaming platform. There are a few hardware works-in-progress such as increasing the SPI Flash size and finding the unconnected USB pins, so we look forward to more exciting news from this quarter.
Today the newly-released Nintendo Game & Watch can play DOOM. Sure, there are caveats…this is a watered down version due to the restraints of the hardware itself. But the important thing is that this shows the hardware has been fully owned. This is code written to replace the firmware that ships on the STM32 within, and that makes this a gorgeous little hardware platform that is completely open to homebrew hacking.
We’ll have to wait for more details on exactly how to dump firmware, but [stacksmashing] drops enough of a mention in the video below to confirm the obvious. A common approach to dumping code from a locked microcontroller is to find a vulnerability that grants execution of custom code. Being able to run just a few lines of your own code is enough set up something as simple as looping through all internal flash memory addresses and dumping them over a few GPIO pins. In this case our two heroes discovered some ARM code was being loaded from the EEPROM onto the STM32, and managed to inject their own directives to perform the dump. They have promised full details soon.
What we have today is a pretty tricky hack not just to load code, but to get DOOM to run on meager hardware specs. Notably, 128 k of SRAM and 1.3 MB of external RAM. There’s also a bottleneck with the 1.1 MB of FLASH for storing game files. The textures were stripped down, and memory allocation was rewritten, but the proof of concept is there and the game runs. Homebrew, here we come!
It will come as no surprise to the average Hackaday reader that what we’re looking at here is a pocket-sized NES emulator, but until [stacksmashing] cracked his open, nobody was quite sure what kind of hardware is was running on. Thankfully there wasn’t an epoxy blob in sight, and all of the chips were easily identifiable. Armed with the knowledge that the Game & Watch is running on a STM32H7B0 microcontroller with a nearby SPI flash chip holding the firmware, it was just a matter of figuring out how the software worked.
But he was able to dump the RAM through SWD, which allowed him to identify where the Super Mario Bros NES ROM lived. By connecting the SPI flash chip to a reader and comparing its contents with what the system had in RAM, [stacksmashing] was able to figure out the XOR encryption scheme and come up with a tool that will allow you to insert a modified ROM into an image that can be successfully flashed to the chip.
So does that mean you can put whatever NES ROM you want on the new Game & Watch? Unfortunately, we’re not quite there yet. The emulator running on the device has a few odd quirks, and it will take some additional coaxing before its ready to run Contra. But we’ve seen enough of these devices get hacked to know that it’s just a matter of time.
Today we’re used to handheld game consoles like the Nintendo Switch, that let you roam around in 3D worlds which include not only 3D players but more terrain than many people walk around in real life in a week. But back in the early 1980s Nintendo’s handheld offering was the Game & Watch, which used a segmented LCD display. An entire segment could be used to represent the player, with player segments spread throughout the display. To move the player, the previous player segment would be turned off while another adjacent one would be on. That also meant that a console could play only one game. Despite these limitations they were very popular for their time.
[Thomas Tilley] decided to improve on the old Game & Watch in a different way, by making it bigger, much bigger. So big in fact that even many teenage players can’t reach both the button to move left and the button to move right in time, turning it into a highly co-operative two-player game. Judging by the video below, that made playing it double the fun. The game he chose to tackle is the Game & Watch Octopus, or Mysteries of the Sea and Mysteries of the Deep in the UK.
One of the earliest Nintendo products to gain popularity was the Game and Watch product line. Produced by Nintendo between 1980 and 1991, they are a source of nostalgia for many an 80s or 90s kid. These were those electronic handheld games that had pre-drawn monochrome images that would light up to make very basic animations. [Andrew] loved his old “Vermin” game as a kid, but eventually he sold it off. Wanting to re-live those childhood memories, he decided to build his own Game and Watch emulator.
The heart of [Andrew’s] build is a PIC18F4550 USB demo board he found on eBay. The board allows you to upload HEX files directly via USB using some simple front end software. [Andrew] wrote the code for his game in C using MPLAB. His device uses a Nokia 5110 LCD screen and is powered from a small lithium ion battery.
For the housing, [Andrew] started from another old handheld game that was about the right size. He gutted all of the old parts and stuck the new ones in their place. He also gave the housing a sort of brushed metal look using spray paint. The end result is a pretty good approximation of the original thing as evidenced by the video below. Continue reading “Give In To Nostalgia With A Retro Game And Watch”→