nintendo

362 Articles

A Look At How Nintendo Mastered Dual Screens

January 28, 2021 by 24 Comments

When it was first announced, many people were skeptical of the Nintendo DS. Rather than pushing raw power, the unique dual screen handheld was designed to explore new styles of play. Compared to the more traditional handhelds like the Game Boy Advance (GBA) or even Sony’s PlayStation Portable (PSP), the DS seemed like huge gamble for the Japanese gaming giant.

But it paid off. The Nintendo DS ended up being one of the most successful gaming platforms of all time, and as [Modern Vintage Gamer] explains in a recent video, at least part of that was due to its surprising graphical prowess. While it was technically inferior to the PSP in almost every way, Nintendo’s decades of experience in pushing the limits of 2D graphics allowed them to squeeze more out of the hardware than many would have thought possible.

On one level, the Nintendo DS could be seen as a upgraded GBA. Developers who were already used to the 2D capabilities of that system would feel right at home when they made the switch to the DS. As with previous 2D consoles, the DS had several screen modes complete with hardware-accelerated support for moving, scaling, rotating, and reflecting up to four background layers. This made it easy and computationally efficient to pull off pseudo-3D effects such as having multiple backdrop images scrolling by at different speeds to convey a sense of depth.

On top of its GBA-inherited tile and sprite 2D engine, the DS also featured a rudimentary GPU responsible for handling 3D geometry and rendering. Hardware accelerated 3D could only used on one screen at a time, which meant most games would keep the closeup view of the action on one display, and used the second panel to show 2D imagery such as an overhead map. But developers did have the option of flipping between the displays on each frame to render 3D on both panels at a reduced frame rate. The hardware can also handle shadows and included integrated support for cell shading, which was a particularly popular graphical effect at the time.

By combining the 2D and 3D hardware capabilities of the Nintendo DS onto a single screen, developers could produce complex graphical effects. [Modern Vintage Gamer] uses the example of New Super Mario Bros, which places a detailed 3D model of Mario over several layers of moving 2D bitmaps. Ultimately the 3D capabilities of the DS were hindered by the limited resolution of its 256 x 192 LCD panels; but considering most people were still using flip phones when the DS came out, it was impressive for the time.

Compared to the Game Boy Advance, or even the original “brick” Game Boy, it doesn’t seem like hackers have had much luck coming up with ways to exploiting the capabilities of the Nintendo DS. But perhaps with more detailed retrospectives like this, the community will be inspired to take another look at this unique entry in gaming history.

Continue reading “A Look At How Nintendo Mastered Dual Screens”

Game Boy Replica Built In Brass

January 21, 2021 by 17 Comments

Nintendo’s Game Boy is legendary for being the meat in the handheld gaming revolution, as well as being nigh-on indestructible whether in the custody of children or soldiers in the Gulf War. However, [Jiri] decided to see if he could whip up a tribute of his own, in brass instead of plastic.

The hardware is based on the Odroid GO emulator firmware for the ESP32, running on a 2.2″ color TFT screen. It’s a great base for a custom build, which avoids gutting any precious classic hardware. It’s then assembled behind front plate milled out of brass, with delicate point-to-point brass wires giving it an artistic circuit sculpture look. The brass did prove difficult to work with at times, acting as a heat sink which prevented easy soldering of the standoffs in place. To get around this, [Jiri] used a hotplate to heat the plate from below, keeping it warm enough so that a hand iron could do the job.

The final result is a fun Game Boy emulator in a stylish case – though one you shouldn’t throw in a back pack lest it short out the exposed conductors. It would make a great gift for any lifelong Nintendo fan. [Jiri] is no strange to circuit sculpture, as we well know – we’ve featured his tools and methods before. Video after the break.

Continue reading “Game Boy Replica Built In Brass”

A Straightforward Guide To Unlocking The Nintendo Game And Watch

December 2, 2020 by 15 Comments

Nintendo’s reborn tiny handheld game has certainly attracted the attention of hardware hackers, and we’ve been treated to a succession of exploits as its secrets have been one by one unlocked. With relatively straightforward hardware it conceals potential far beyond a simple Mario game or two, and it’s now at the stage of having a path to dumping both its SPI Flash and internal Flash, unlocking its processor, and running arbitrary code. The process of unlocking it is now atraightforward enough to warrant a HOWTO video, to which [stacksmashing] has treated us. It’s early days and this is still touted as for developers rather than gamers, but it serves to show where work on this console is going.

The console’s STM32 architecture means that programming hardware is straightforward enough to find, though we’re cautioned against using the cheap AliExpress type we might use with a Blue Pill or similar. Instead the snap-off programmer that comes with an STM Nucleo board is a safer choice that many people are likely to have already.

The relative simplicity of the process as seen in the video below must conceal an immense amount of work from multiple people. It’s a succession of scripts to sequentially unlock and back up the various firmwares with STM payloads for each step. Finally the STM32 itself is unlocked, and the backed-up Nintendo firmware can be returned to the device or instead a custom firmware can be created. Aside from the DOOM we’ve already seen there are work-in-progress NES and Game Boy emulators, and fascinatingly also work on bare-metal games.

Given the lack of custom chips in this console it is easily possible that its hardware could be directly cloned and that Nintendo might have unintentionally created a new general purpose hacker’s handheld gaming platform. There are a few hardware works-in-progress such as increasing the SPI Flash size and finding the unconnected USB pins, so we look forward to more exciting news from this quarter.

Continue reading “A Straightforward Guide To Unlocking The Nintendo Game And Watch”

Zelda II Redux CRT Header Image

Zelda II Redux ROM Hack Plays How You Remember The Original

December 1, 2020 by 10 Comments

Going back to classic games can be a difficult experience. The forward passage of time leaves technology to stagnate, while the memories attached to those old games can morph in mysterious ways. Therein lies the problem with how you remember a game playing versus the reality of how it actually does. Developer [Jorge] saw that situation arising around Zelda II: The Adventure of Link, and it inspired him to create the Zelda II Redux ROM hack.

Years in the making, Zelda II Redux takes a relatively light-handed approach to revising the original NES game. Graphical enhancements include: a reworked HUD complete with the series’ tradition of hearts, animated enemy icons in the over world, a new title screen, and giving Link the shield from the Famicom Disk System release’s box art. Text speed has been increased and a revised translation of the Japanese script has been incorporated. Under the hood, all sorts of boss battles have been re-balanced while casting magic spells doesn’t require multiple return trips to the pause menu. Though Zelda II Redux’s most important feature may be the inclusion of manual saving via “Up + A” on the pause menu. There are also a whole host of other changes Zelda II Redux incorporates in order to bring Link’s second adventure more inline with the rest of the Legend of Zelda series that can be found on the project’s change log.

To play Zelda II Redux requies an IPS patching program, like LunarIPS, along with a clean dumped image of Zelda II: The Adventure of Link. Dumping NES cartridges is easier than ever these days due to many cartridge dumper devices being plug-and-play over USB. A successfully patched ROM file can be played in an emulator or on actual NES hardware through a flash cart. A video of a tool-assisted speedrun has been included below, so there may be some new strategies to employ.
Continue reading “Zelda II Redux ROM Hack Plays How You Remember The Original”

DOOM Running On The Nintendo Game & Watch

November 22, 2020 by 14 Comments

Today the newly-released Nintendo Game & Watch can play DOOM. Sure, there are caveats…this is a watered down version due to the restraints of the hardware itself. But the important thing is that this shows the hardware has been fully owned. This is code written to replace the firmware that ships on the STM32 within, and that makes this a gorgeous little hardware platform that is completely open to homebrew hacking.

Honestly, you had to assume this was going to happen pretty quickly considering the effort being thrown into it. We first reported on Tuesday that the EEPROM memory which stores the ROMs on the Game and Watch had been decoded. Shortly after that was published, [stacksmashing] and [Konrad Beckmann] were showing test patterns on the display and mentioning the audio was working as well. Turns out they were able to dump the stock firmware despite the chip being security locked.

We’ll have to wait for more details on exactly how to dump firmware, but [stacksmashing] drops enough of a mention in the video below to confirm the obvious. A common approach to dumping code from a locked microcontroller is to find a vulnerability that grants execution of custom code. Being able to run just a few lines of your own code is enough set up something as simple as looping through all internal flash memory addresses and dumping them over a few GPIO pins. In this case our two heroes discovered some ARM code was being loaded from the EEPROM onto the STM32, and managed to inject their own directives to perform the dump. They have promised full details soon.

What we have today is a pretty tricky hack not just to load code, but to get DOOM to run on meager hardware specs. Notably, 128 k of SRAM and 1.3 MB of external RAM. There’s also a bottleneck with the 1.1 MB of FLASH for storing game files. The textures were stripped down, and memory allocation was rewritten, but the proof of concept is there and the game runs. Homebrew, here we come!

Continue reading “DOOM Running On The Nintendo Game & Watch”

Reverse Engineering A PokeWalker

November 21, 2020 by 16 Comments

The PokeWalker is part of Nintendo’s long quest to get children (and likely some adults) walking and exercising. There’s the PokeWalker, Pokemon Pikachu, PokeBall Plus, Pokemon Pikachu 2, Pokemon mini, and of course Pokemon Go. Despite being out a decade, there wasn’t a ROM dump for the device and there was minimal documentation on the communication protocol. [Dmitry Grinberg] took it upon himself to change all that and crack the PokeWalker open.

At its heart, the PokeWalker is just a pedometer with an IR port and a 96×64 grayscale screen. It came out in 2009 to accompany the new Pokemon release for the Nintendo DS. Cracking open the device revealed a 64KB EEPROM, a Renesas H8/38606R CPU, a Bosch BMA150 accelerometer, and a generic IR transceiver. The CPU is particularly interesting as in addition to being quite rare, it has a mix of 8, 16, and 32 bits with 24-bit pointers. This gives it a 64K address space. While the CPU is programmable, any attempt to do so erases the onboard flash. The communication protocol packets have an 8-bit header that precedes each packet. The header has a checksum, a command byte, and four bytes of session id, and an unused byte. Curiously enough, every byte is XOR’d with 0xAA before being broadcast.

One command is an EEPROM write, which uses back-referencing compression. Each chunk of data to be written is packaged into 128-byte chunks, though 128 bytes likely won’t be sent thanks to the compression. The command can theoretically reference 4k bytes back, but in practice, it can only reference 256 bytes back. It was this command that laid the foundation for the exploit. By carefully crafting the command to send, the command can overflow the decompression buffer and into executable code. Only a few bytes can be overflowed so the payload needs to be carefully crafted. This allowed for an exploit that reads the system ROM and broadcasts it out the IR port. Only 22k bytes can be dumped before the watchdog reboots the device. By changing the starting address, it was easy to do multiple passes.

After the ROM was stitched together from the different passes, the different IR commands were analyzed. In particular, a command was found that allows direct writes into RAM. This makes for a much easier exploit as you can write your exploit, then override a pointer in the event table, then have the exploit revert the event table once the system naturally jumps to your exploit.

[Dmitry] finishes off this amazing exploit by writing a PalmOS app to dump the ROM from a PokeWalker as well as modify the system state. PalmOS was chosen as it is an easy and cheap way to have a programmable IR transciever. All in all, a gorgeous hack with a meticulous writeup. This isn’t the first video game accessory that’s been reverse engineered with a scrupulous writeup, and we’re sure it won’t be the last.

Continue reading “Reverse Engineering A PokeWalker”

Exploring The New Super Mario Game & Watch

November 17, 2020 by 26 Comments

Nintendo has revived the classic Game & Watch, this time in glorious full-color and running the same Super Mario Bros that first graced the Nintendo Entertainment System (NES) back in 1985. Even though it’s only been on the market for a few days, [stacksmashing] has already made some impressive progress towards unlocking the full potential of this $50 retro handheld.

It will come as no surprise to the average Hackaday reader that what we’re looking at here is a pocket-sized NES emulator, but until [stacksmashing] cracked his open, nobody was quite sure what kind of hardware is was running on. Thankfully there wasn’t an epoxy blob in sight, and all of the chips were easily identifiable. Armed with the knowledge that the Game & Watch is running on a STM32H7B0 microcontroller with a nearby SPI flash chip holding the firmware, it was just a matter of figuring out how the software worked.

Connecting to the SWD header.

It didn’t take long to find that an unpopulated header on the board would give him access to the Serial Wire Debug (SWD) interface of the STM32, though unfortunately he found that the chip’s security mode was enabled and he couldn’t dump the firmware.

But he was able to dump the RAM through SWD, which allowed him to identify where the Super Mario Bros NES ROM lived. By connecting the SPI flash chip to a reader and comparing its contents with what the system had in RAM, [stacksmashing] was able to figure out the XOR encryption scheme and come up with a tool that will allow you to insert a modified ROM into an image that can be successfully flashed to the chip.

So does that mean you can put whatever NES ROM you want on the new Game & Watch? Unfortunately, we’re not quite there yet. The emulator running on the device has a few odd quirks, and it will take some additional coaxing before its ready to run Contra. But we’ve seen enough of these devices get hacked to know that it’s just a matter of time.

Continue reading “Exploring The New Super Mario Game & Watch”