DOOM Running On The Nintendo Game & Watch

Today the newly-released Nintendo Game & Watch can play DOOM. Sure, there are caveats: this is a watered-down version, forced by the constraints of the hardware itself. But the important thing is that it shows the hardware has been fully owned. This is code written to replace the firmware that ships on the STM32 within, and that makes this a gorgeous little hardware platform that is completely open to homebrew hacking.

Honestly, you had to assume this was going to happen pretty quickly considering the effort being thrown at it. We first reported on Tuesday that the external SPI flash which stores the ROMs on the Game & Watch had been decoded. Shortly after that was published, [stacksmashing] and [Konrad Beckmann] were showing test patterns on the display and mentioning that audio was working as well. It turns out they were also able to dump the stock firmware despite the microcontroller's readout protection being enabled.

We’ll have to wait for more details on exactly how the firmware was dumped, but [stacksmashing] drops enough of a mention in the video below to confirm the obvious. A common approach to dumping code from a locked microcontroller is to find a way to execute your own code on it: readout protection stops a debugger from reading internal flash over SWD, but it does not stop code the chip itself runs after a normal boot from reading that same flash. Being able to run just a few lines of your own code is enough to set up something as simple as looping through every internal flash address and clocking the bytes out over a few GPIO pins. In this case our two heroes discovered that some ARM code was being loaded from the unprotected external SPI flash into the STM32, and managed to inject their own instructions to perform the dump. They have promised full details soon.
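The shape of such a dump primitive, as an added example written for this page and not [stacksmashing] and [Konrad Beckmann]'s code (they have not published theirs yet): dump_region() walks a memory range and bit-bangs every byte out of a single pin as 8N1 serial, followed by a running checksum so the receiver can tell a clean dump from a garbled one. The pin_writer hook is an assumption standing in for a GPIO write plus a bit delay on the target; here it points at a capture routine so the receiving side (decode_8n1) can be exercised on a host against a constructed 64-byte "flash image".

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical pin hook: on the target this would set one GPIO output bit and
   wait one bit period; on a host it points at capture_pin() below. */
typedef void (*pin_writer)(int level);

/* 8N1 framing on one pin: start bit low, 8 data bits LSB first, stop bit high. */
static void emit_byte_8n1(uint8_t b, pin_writer pin) {
    pin(0);
    for (int i = 0; i < 8; i++) pin((b >> i) & 1);
    pin(1);
}

/* Walk [base, base + len) and clock every byte out, then a 4-byte little-endian
   running checksum. Reads go through a volatile pointer because on the target
   this is memory-mapped flash, not a C array. Returns the checksum. */
uint32_t dump_region(const volatile uint8_t *base, size_t len, pin_writer pin) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = base[i];
        sum = sum * 31u + b;           /* cheap checksum, deliberately not a CRC */
        emit_byte_8n1(b, pin);
    }
    for (int i = 0; i < 4; i++) emit_byte_8n1((uint8_t)(sum >> (8 * i)), pin);
    return sum;
}

/* Receiver side: turn sampled levels back into bytes, rejecting any frame whose
   start or stop bit is wrong. Returns bytes decoded, or -1 on a framing error. */
long decode_8n1(const int *levels, size_t n, uint8_t *out, size_t out_max) {
    size_t nb = 0;
    for (size_t i = 0; i + 10 <= n; i += 10) {
        if (levels[i] != 0 || levels[i + 9] != 1) return -1;
        uint8_t b = 0;
        for (int k = 0; k < 8; k++) b |= (uint8_t)((levels[i + 1 + k] & 1) << k);
        if (nb >= out_max) return -1;
        out[nb++] = b;
    }
    return (long)nb;
}

/* Host-side stand-in for the GPIO: records the levels instead of driving a pin. */
#define CAP_MAX 4096
static int captured[CAP_MAX];
static size_t captured_n;
static void capture_pin(int level) {
    if (captured_n < CAP_MAX) captured[captured_n++] = level;
}

/* Round trip over a constructed 64-byte "flash image" (not real firmware).
   Returns 1 if the receiver recovered every byte and the checksum matched. */
int self_test(void) {
    uint8_t flash[64];
    for (size_t i = 0; i < sizeof flash; i++) flash[i] = (uint8_t)(i * 7 + 3);
    captured_n = 0;
    uint32_t sum = dump_region(flash, sizeof flash, capture_pin);
    uint8_t out[128];
    long n = decode_8n1(captured, captured_n, out, sizeof out);
    if (n != (long)(sizeof flash + 4) || memcmp(out, flash, sizeof flash) != 0) return 0;
    uint32_t got = 0;
    for (int i = 0; i < 4; i++) got |= (uint32_t)out[sizeof flash + i] << (8 * i);
    return got == sum;
}

/* The receiver refusing a frame whose stop bit never arrived. Returns -1. */
long framing_error_demo(void) {
    int bad[10] = {0, 1, 0, 1, 0, 1, 0, 1, 0, 0};
    uint8_t out[1];
    return decode_8n1(bad, 10, out, sizeof out);
}
```

On a real target the loop body is all that matters: a volatile read, a handful of pin writes and a delay, which is why a code-execution foothold of only a few instructions is enough. The checksum is what tells you whether a logic-analyzer capture of the pin is worth trusting before you start disassembling it.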

What we have today is a pretty tricky hack, not just to load code, but to get DOOM to run on meager hardware. The STM32H7B0 has only 128 KB of internal flash and a little over 1 MB of RAM, and the roughly 1 MB of external SPI flash that holds the game files is a bottleneck as well. The textures were stripped down and memory allocation was rewritten, but the proof of concept is there and the game runs. Homebrew, here we come!


Reverse Engineering A PokeWalker

The PokeWalker is part of Nintendo’s long quest to get children (and likely some adults) walking and exercising. There’s the PokeWalker, Pokemon Pikachu, PokeBall Plus, Pokemon Pikachu 2, Pokemon mini, and of course Pokemon Go. Despite the device having been out for a decade, there was no ROM dump for it and minimal documentation of its communication protocol. [Dmitry Grinberg] took it upon himself to change all that and crack the PokeWalker open.

At its heart, the PokeWalker is just a pedometer with an IR port and a 96×64 grayscale screen. It came out in 2009 to accompany the new Pokemon release for the Nintendo DS. Cracking open the device revealed a 64 KB EEPROM, a Renesas H8/38606R CPU, a Bosch BMA150 accelerometer, and a generic IR transceiver. The CPU is particularly interesting: in addition to being quite rare, it mixes 8-, 16- and 32-bit operations and nominally uses 24-bit pointers, yet on this part only a 64 KB address space is reachable. While the CPU is reprogrammable, any attempt to do so erases the on-board flash, which rules out using the programming interface to read the stock ROM. Each packet of the communication protocol starts with an 8-byte header carrying a checksum, a command byte, four bytes of session ID, and an unused byte. Curiously, every byte is XOR’d with 0xAA before being transmitted.

One command is an EEPROM write, which uses back-reference compression. Data to be written is delivered in 128-byte chunks, although fewer than 128 bytes are usually sent thanks to the compression. A back-reference can in theory point up to 4 KB back, but in practice only 256 bytes back. It was this command that laid the foundation for the exploit: a carefully crafted command makes the decompressor write past the end of its buffer and into executable code. Only a few bytes can be overflowed, so the payload has to be crafted with care. The resulting exploit reads the system ROM and broadcasts it out of the IR port. Only 22 KB can be dumped before the watchdog reboots the device, but by changing the starting address it was easy to do multiple passes.
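The bug class behind the dump, as an added example that is not [Dmitry]'s code and does not reproduce the PokeWalker's real token format: a small LZ-style decompressor whose token layout is an assumption made for this example (a control byte below 0x80 introduces that many plus one literal bytes; 0x80 and above copies up to 130 bytes from a one-byte distance of at most 256 back, mirroring the 256-byte reach described above). The unchecked version trusts the stream to stay inside its 128-byte chunk, so a crafted stream of four bytes writes three bytes past it, exactly the "few bytes" of overflow the writeup describes; the checked version bounds every write and every back-reference.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHUNK 128   /* size of one EEPROM write chunk, per the writeup */

/* The vulnerable shape: the stream is trusted to stay within the chunk. */
size_t decompress_unchecked(const uint8_t *in, size_t in_len, uint8_t *out) {
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t c = in[ip++];
        if (c < 0x80) {
            size_t n = (size_t)c + 1;
            while (n-- && ip < in_len) out[op++] = in[ip++];
        } else {
            size_t n = (size_t)(c & 0x7F) + 3;
            if (ip >= in_len) break;
            size_t dist = (size_t)in[ip++] + 1;
            while (n--) { out[op] = out[op - dist]; op++; }  /* no bound on op, none on dist */
        }
    }
    return op;
}

/* Hardened: every write is bounded by the chunk, every back-reference must point
   inside what has already been produced, and truncated input is an error.
   Returns bytes produced, or -1. */
long decompress_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t c = in[ip++];
        if (c < 0x80) {
            size_t n = (size_t)c + 1;
            if (ip + n > in_len || op + n > out_cap) return -1;
            memcpy(out + op, in + ip, n);
            ip += n; op += n;
        } else {
            size_t n = (size_t)(c & 0x7F) + 3;
            if (ip >= in_len) return -1;
            size_t dist = (size_t)in[ip++] + 1;
            if (dist > op || op + n > out_cap) return -1;
            for (size_t i = 0; i < n; i++) out[op + i] = out[op + i - dist];
            op += n;
        }
    }
    return (long)op;
}

/* Constructed stream: one literal 'A', then "copy 130 bytes from 1 back",
   which expands to 131 bytes for a 128-byte chunk. */
static const uint8_t crafted[] = { 0x00, 'A', 0xFF, 0x00 };

/* Models the chunk plus a few bytes of whatever follows it in RAM. Returns how
   many bytes landed past the chunk (3), or 0 if the model is wrong. */
size_t overflow_demo(void) {
    uint8_t ram[CHUNK + 8];
    memset(ram, 0, sizeof ram);
    size_t n = decompress_unchecked(crafted, sizeof crafted, ram);
    if (n <= CHUNK || n > sizeof ram) return 0;
    for (size_t i = CHUNK; i < n; i++) if (ram[i] != 'A') return 0;
    return n - CHUNK;
}

/* The same stream against the checked decoder is refused. Returns -1. */
long hardened_demo(void) {
    uint8_t ram[CHUNK + 8];
    return decompress_checked(crafted, sizeof crafted, ram, CHUNK);
}

/* A back-reference that reaches before the start of the output is refused too. */
long bad_reference_demo(void) {
    static const uint8_t bad[] = { 0x80, 0x05 };   /* copy 3 bytes from 6 back, with nothing produced yet */
    uint8_t ram[CHUNK];
    return decompress_checked(bad, sizeof bad, ram, CHUNK);
}

/* A well-formed stream: "abc" then copy 4 bytes from 3 back gives "abcabca". Returns 1 on success. */
int valid_demo(void) {
    static const uint8_t ok[] = { 0x02, 'a', 'b', 'c', 0x81, 0x02 };
    uint8_t ram[CHUNK];
    long n = decompress_checked(ok, sizeof ok, ram, CHUNK);
    return n == 7 && memcmp(ram, "abcabca", 7) == 0;
}
```

The overflow is small because the longest copy a single token can express is only a little larger than the chunk; that is the constraint that makes the payload fiddly to craft, and it is also why the later RAM-write command was such a relief.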

After the ROM was stitched together from the different passes, the various IR commands were analyzed. In particular, a command was found that allows direct writes into RAM. That makes for a much easier exploit: write your payload into RAM, overwrite a pointer in the event table so that the next time the system dispatches that event it jumps to your code, and have the payload restore the event table afterwards.

[Dmitry] finishes off this amazing exploit by writing a PalmOS app to dump the ROM from a PokeWalker as well as modify the system state. PalmOS was chosen as it is an easy and cheap way to get a programmable IR transceiver. All in all, a gorgeous hack with a meticulous writeup. This isn’t the first video game accessory that’s been reverse engineered with a scrupulous writeup, and we’re sure it won’t be the last.


Exploring The New Super Mario Game & Watch

Nintendo has revived the classic Game & Watch, this time in glorious full-color and running the same Super Mario Bros that first graced the Nintendo Entertainment System (NES) back in 1985. Even though it’s only been on the market for a few days, [stacksmashing] has already made some impressive progress towards unlocking the full potential of this $50 retro handheld.

It will come as no surprise to the average Hackaday reader that what we’re looking at here is a pocket-sized NES emulator, but until [stacksmashing] cracked his open, nobody was quite sure what kind of hardware it was running on. Thankfully there wasn’t an epoxy blob in sight, and all of the chips were easily identifiable. Armed with the knowledge that the Game & Watch is running on a STM32H7B0 microcontroller with a nearby SPI flash chip holding the firmware, it was just a matter of figuring out how the software worked.

Connecting to the SWD header.

It didn’t take long to find that an unpopulated header on the board gives access to the Serial Wire Debug (SWD) interface of the STM32, though unfortunately the chip’s readout protection was enabled, so he couldn’t dump the internal flash over it.

But he was able to dump the RAM through SWD, which let him find where the Super Mario Bros NES ROM lived. By reading the SPI flash chip in an external programmer and comparing its contents with the copy the system had in RAM, [stacksmashing] was able to figure out the XOR encryption scheme; since XORing known plaintext with its ciphertext hands back the key material, that was enough to build a tool that inserts a modified ROM into an image which can be successfully flashed to the chip.
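The known-plaintext step in code, as an added example rather than [stacksmashing]'s tool: the SPI flash contents play the ciphertext, the RAM dump plays the plaintext, and one XOR recovers the keystream for that region, which then encrypts a replacement ROM just as well as it decrypted the original. The keystream generator here is a constructed stand-in (an LCG) used only to fabricate test data; in the real attack the keystream is recovered, never generated. The length check is the caveat that matters: keystream is only known for the bytes where plaintext was known, so the replacement must fit inside that region.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ct ^ pt = keystream: with XOR, one known plaintext/ciphertext pair hands over
   the keystream for exactly that range of the flash. */
void recover_keystream(const uint8_t *flash_ct, const uint8_t *ram_pt, size_t len, uint8_t *ks) {
    for (size_t i = 0; i < len; i++) ks[i] = flash_ct[i] ^ ram_pt[i];
}

/* Re-encrypt a replacement ROM with the recovered keystream. Returns 0 if the
   replacement would run past the region we hold keystream for: bytes beyond it
   cannot be encrypted correctly, so the image must fit. */
int encrypt_replacement(const uint8_t *rom, size_t rom_len, const uint8_t *ks, size_t ks_len, uint8_t *out) {
    if (rom_len > ks_len) return 0;
    for (size_t i = 0; i < rom_len; i++) out[i] = rom[i] ^ ks[i];
    return 1;
}

/* Constructed stand-in for whatever keystream the device applies, used only to
   fabricate the "flash" contents for this demo. */
static void fake_keystream(uint8_t *ks, size_t len) {
    uint32_t x = 0x2545F491u;
    for (size_t i = 0; i < len; i++) {
        x = x * 1664525u + 1013904223u;
        ks[i] = (uint8_t)(x >> 24);
    }
}

#define REGION 256

/* The whole flow on constructed data: "flash" holds the stock ROM XORed with
   the keystream, "RAM" holds the stock ROM in the clear. Returns 1 if the
   replacement, once encrypted with the recovered keystream, decrypts back to
   itself and an over-long replacement is refused. */
int replace_rom_demo(void) {
    uint8_t ks_real[REGION], stock[REGION], flash[REGION], ks[REGION];
    uint8_t custom[REGION], img[REGION], check[REGION];
    fake_keystream(ks_real, REGION);
    for (size_t i = 0; i < REGION; i++) {
        stock[i] = (uint8_t)(i * 13 + 1);          /* constructed "stock ROM" bytes */
        flash[i] = stock[i] ^ ks_real[i];          /* what the SPI flash would hold */
        custom[i] = (uint8_t)(255 - i);            /* constructed replacement ROM */
    }

    recover_keystream(flash, stock, REGION, ks);
    if (memcmp(ks, ks_real, REGION) != 0) return 0;
    if (!encrypt_replacement(custom, REGION, ks, REGION, img)) return 0;
    for (size_t i = 0; i < REGION; i++) check[i] = img[i] ^ ks_real[i];   /* what the device would decrypt */
    if (memcmp(check, custom, REGION) != 0) return 0;

    uint8_t too_long[REGION + 1] = {0};
    uint8_t big[REGION + 1];
    return encrypt_replacement(too_long, sizeof too_long, ks, REGION, big) == 0;
}
```

None of this depends on knowing the cipher or the key: any scheme that reduces to XOR with a keystream that is fixed for a given flash offset falls to a single known plaintext, which is why a RAM dump plus a flash dump was all it took.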

So does that mean you can put whatever NES ROM you want on the new Game & Watch? Unfortunately, we’re not quite there yet. The emulator running on the device has a few odd quirks, and it will take some additional coaxing before it’s ready to run Contra. But we’ve seen enough of these devices get hacked to know that it’s just a matter of time.


Tiny Mario Clone On A Tiny Processor

We’ve become used to seeing retro games running on commodity microcontrollers where once they would have required the bleeding-edge console hardware of their day. [Duncan]’s Mario clone takes the genre a little further, using not a processor with plenty of pins for peripherals, but instead the humble ATtiny85. Its eight pins drive two OLED displays, and accept input from the buttons of a cheap Nintendo-like controller.

The write-up is split between software and hardware sections, with all the software available from a GitHub repository. He’s bit-banging I²C for the displays at an impressive speed, and the ATtiny’s shortage of pins is addressed by a clever resistor ladder that presents a different voltage for each button pressed. With a truth table of voltages he’s even able to detect multiple simultaneous button presses. Music is squeezed out of the chip’s limited resources by storing the sounds in EEPROM, and the part is clocked at 16 MHz for smooth gameplay.
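How a resistor ladder makes simultaneous presses distinguishable, as an added example that is not [Duncan]'s code and assumes a topology of its own: a 10k pull-up from the ADC pin to VCC, and each button pulling the pin to ground through its own resistor (values chosen for the demo), so pressing several buttons puts their resistors in parallel. The truth table is computed rather than typed in, and min_separation() is the check a practitioner wants before trusting the ladder: the smallest gap in ADC counts between any two combinations, half of which is the noise margin.

```c
#include <stdint.h>
#include <stdlib.h>

#define NBTN 4
#define ADC_MAX 1023          /* ATtiny85 ADC is 10-bit */

/* Assumed ladder (not [Duncan]'s schematic): pull-up to VCC and one resistor per button to ground. */
static const double R_TOP = 10000.0;
static const double R_BTN[NBTN] = { 1000.0, 2200.0, 4700.0, 10000.0 };

/* Expected ADC code for a set of pressed buttons (bit i = button i). */
int expected_code(unsigned mask) {
    double conductance = 0.0;
    for (int i = 0; i < NBTN; i++)
        if (mask & (1u << i)) conductance += 1.0 / R_BTN[i];
    if (conductance == 0.0) return ADC_MAX;             /* nothing pressed: pin sits at VCC */
    double r_par = 1.0 / conductance;                   /* pressed resistors in parallel */
    return (int)(r_par / (R_TOP + r_par) * ADC_MAX + 0.5);
}

/* Nearest-entry lookup over all 2^NBTN combinations: the truth table, computed. */
unsigned decode_buttons(int adc) {
    unsigned best = 0;
    int best_d = ADC_MAX + 1;
    for (unsigned m = 0; m < (1u << NBTN); m++) {
        int d = abs(expected_code(m) - adc);
        if (d < best_d) { best_d = d; best = m; }
    }
    return best;
}

/* Smallest gap between any two combinations' codes; half of it is the noise budget. */
int min_separation(void) {
    int min = ADC_MAX;
    for (unsigned a = 0; a < (1u << NBTN); a++)
        for (unsigned b = a + 1; b < (1u << NBTN); b++) {
            int d = abs(expected_code(a) - expected_code(b));
            if (d < min) min = d;
        }
    return min;
}

/* Every combination, with one count of simulated noise either way, decodes back
   to itself. Returns 1 on success. */
int roundtrip_all(void) {
    for (unsigned m = 0; m < (1u << NBTN); m++)
        for (int noise = -1; noise <= 1; noise++)
            if (decode_buttons(expected_code(m) + noise) != m) return 0;
    return 1;
}
```

With these values the three-and-four-button combinations crowd together in the low fifties to nineties of a 1023-count range, so the minimum separation is only three counts; that is the sort of number that tells you to spread the resistor values further apart (or accept that only some chords are reliable) before committing to a PCB.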

The whole thing is mounted inside the shell of the controller, with its USB guts removed and replaced by a smart custom PCB. An unexpected problem with the ground plane fill caused a temporary roadblock in reading the buttons, but the finished product is a very Nintendo-like experience. We like it.

Orbital Tracking On The NES

It’s easy to dismiss the original Nintendo Entertainment System as just, well, an entertainment system. But in reality the 6502-based console wasn’t so far removed from early home computers like the Apple II and Commodore 64, and Nintendo even briefly flirted with creating software and accessories geared towards general purpose computing. Though in the end, Mario and friends obviously won out.

Still, we’re willing to bet that nobody at Nintendo ever imagined their plucky little game system would one day be used to track the course of a space station in low Earth orbit. But that’s precisely what [Vi Grey] has done with his latest project, which is part of his overall effort to demonstrate the unexpected capabilities of the iconic NES. While you’ll need a bit of extra hardware to run the program on a real console, there’s no fundamental trickery that would have kept some developer from doing this in 1985 if they’d wanted to.

Raspberry Pi Zero and TAStm32

If you want to see your own 8-bit view of the International Space Station, the easiest way is with an emulator. In that case, [Vi] explains how you can load up his Lua script in Mesen or FCEUX to provide the ROM with the necessary tracking data from the Internet.

To run it on a real NES you’ll not only need some type of flash cart to get the ROM loaded, but also a TAStm32 board that’s used for tool-assisted speedruns. This allows the computer to essentially “type” the orbital data into the NES by emulating rapid controller button presses. That might seem like a tall order, but it’s important to note that neither device requires you to modify the original console; the code itself runs on a 100% stock NES.

If tracking spacecraft isn’t your thing, perhaps you’d be more interested in some of the work [Vi] has previously done on the NES. We’re particularly fond of his polyglot ROM that is a ZIP file of its own source code.


Nintendo Headquarters Plaques

3D Print A Piece Of Nintendo History Before The Real One Is Gone

Nintendo wasn’t always in the videogames business. Long before Mario, the company was one of the foremost producers of Hanafuda playing cards in Japan. From 1930 until 1959, Nintendo ran its printing business from a four-story art deco style building that featured distinctive plaques at the front entrance. We now have a chance to print those former Nintendo HQ plaques at home thanks to [Mr. Talida] who shared some 3D models on Twitter. Talida, a self-described “retro video game archivist”, recreated the plaques via photogrammetry from a number of reference photos he took from a visit to the Kyoto site late last year.

These 3D models come at a crucial time as the old Nintendo HQ building, which sat dormant for years, is set to be turned into a boutique hotel next year. According to JPC, the hotel will feature twenty rooms, a restaurant, and a gym and is expected to be completed by summer 2021 (although that estimate was from the “before” times). The renovation is expected to retain as much of the original exterior’s appearance as possible, but the Nintendo plaques almost assuredly will not be included. For a first-person tour of the former Nintendo headquarters building, there is a video from the world2529 YouTube channel provided below.

It is encouraging to see examples of this DIY-style of historical preservation. Many companies have proven themselves to be less-than-stellar stewards of their own history. Though if his Twitter timeline is any indication, [Mr. Talida] is up to something further with this photogrammetry project. A video export exhibiting a fully textured 3D model of the old Nintendo headquarters’ entrance was published recently along with the words, “What have I done.”


Game Boy Plays Forever

For those of us old enough to experience it first hand, the original Game Boy was pretty incredible, but it did have one major downside: battery consumption. In the 90s rechargeable batteries weren’t common, which led to most of us playing our handhelds beside power outlets. Some modern takes on the classic Game Boy address this with modern hardware, but a group from the Delft University of Technology and Northwestern has created a Game Boy clone that needs no batteries at all, yet can keep playing indefinitely.

This build was a proof-of-concept for something called “intermittent computing”, which allows a computer to remain in a state of processing limbo until it has harvested enough energy to perform the next computation. The Game Boy clone, compatible with original Game Boy hardware, is equipped with an array of tiny solar panels that harvest energy, and it can halt itself and store its state in nonvolatile memory when it detects that there isn’t enough energy available to continue. This means that Super Mario Land isn’t exactly playable, but other games that aren’t as action-packed can be enjoyed with very little impact on gameplay.
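The save-state-before-the-lights-go-out mechanism, as an added example that is not the researchers' code and models the console's state with a few fields instead of an emulator's registers and RAM: two checkpoint slots in simulated nonvolatile memory, a sequence number so the newest survivor wins, and a CRC so a record cut short by the power dying mid-write is rejected rather than restored. The torn-write scenario at the end is constructed to show why a single slot is not enough.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the state worth keeping across a power loss. */
typedef struct { uint32_t pc; uint32_t frame; uint8_t ram[64]; } machine_state;

/* One checkpoint record: sequence number, payload, CRC over both. */
typedef struct { uint32_t seq; machine_state st; uint32_t crc; } checkpoint;

/* Simulated nonvolatile memory with two slots: writes alternate between them,
   so a power loss mid-write never destroys the last good record. */
typedef struct { checkpoint slot[2]; } nvm;

static uint32_t crc32_bits(const void *p, size_t n) {
    const uint8_t *b = p;
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= b[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1)));
    }
    return ~c;
}

static int record_valid(const checkpoint *r) {
    return r->seq != 0 && r->crc == crc32_bits(r, offsetof(checkpoint, crc));
}

/* Index of the newest valid record, or -1 if neither slot holds one. */
static int newest_slot(const nvm *m) {
    int best = -1;
    uint32_t best_seq = 0;
    for (int i = 0; i < 2; i++)
        if (record_valid(&m->slot[i]) && m->slot[i].seq > best_seq) { best = i; best_seq = m->slot[i].seq; }
    return best;
}

/* Called when the harvester reports energy is about to run out. */
void checkpoint_save(nvm *m, const machine_state *st) {
    int cur = newest_slot(m);
    int target = cur < 0 ? 0 : 1 - cur;                 /* never overwrite the good record */
    checkpoint r;
    memset(&r, 0, sizeof r);
    r.seq = cur < 0 ? 1 : m->slot[cur].seq + 1;
    r.st = *st;
    r.crc = crc32_bits(&r, offsetof(checkpoint, crc));
    m->slot[target] = r;
}

/* Called on power-up. Returns 1 and fills st if a checkpoint was restored. */
int checkpoint_restore(const nvm *m, machine_state *st) {
    int i = newest_slot(m);
    if (i < 0) return 0;
    *st = m->slot[i].st;
    return 1;
}

/* Fresh memory holds nothing to restore. Returns 0. */
int fresh_boot_demo(void) {
    nvm m;
    machine_state st;
    memset(&m, 0, sizeof m);
    return checkpoint_restore(&m, &st);
}

/* Constructed scenario: two good checkpoints, then power dies partway through
   writing a third. Returns the frame counter restore() comes back with, which
   must be the second checkpoint's (20), never the torn one's (30). */
uint32_t torn_write_demo(void) {
    nvm m;
    machine_state st, back;
    memset(&m, 0, sizeof m);
    memset(&st, 0, sizeof st);
    st.frame = 10; checkpoint_save(&m, &st);            /* lands in slot 0, seq 1 */
    st.frame = 20; checkpoint_save(&m, &st);            /* lands in slot 1, seq 2 */
    st.frame = 30;                                      /* third save would target slot 0 */
    checkpoint torn;
    memset(&torn, 0, sizeof torn);
    torn.seq = 3; torn.st = st;
    torn.crc = crc32_bits(&torn, offsetof(checkpoint, crc));
    memcpy(&m.slot[0], &torn, 16);                      /* only seq, pc, frame and 4 bytes of ram reached NVM */
    return checkpoint_restore(&m, &back) ? back.frame : 0xFFFFFFFFu;
}
```

The same two-slot-plus-CRC pattern is what lets a device like this resume without ever trusting a half-written record; the cost is one extra copy of the state in nonvolatile memory, which is cheap compared with replaying a game from the start.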

The researchers note that it’ll be a long time before their energy-aware platform becomes commonplace in devices and replaces batteries, but they do think that internet-connected devices that don’t need to be constantly running or powered up would be a good start. There are already some low-powered options available that can keep their displays active when everything else is off, so hopefully we will see even more energy-efficient options in the near future.

Thanks to [Sascho] for the tip!
