The holidays are upon us, and that can mean many furrowed brows trying to figure out what token gift they can give out this year as stocking-stuffers. Something that’s a bit more interesting than a coupon book or a lotto scratcher, but also affordable enough that you can buy a few of them without having to take part in that other great holiday tradition: unnecessary credit debit.
Which is how I came to possess, at least temporarily, one of these cheap handheld multi-games that are all over Amazon and eBay. The one I ordered carries the brand name Weikin, but there are dozens of identical systems available, all being sold at around the same $20 USD price point. With the outward appearance of a squat Game Boy, these systems promise to provide precisely 168 games for your mobile enjoyment, and many even include a composite video out cable and external controller for the less ambulatory classic game aficionado.
At a glance, the average Hackaday reader will probably see right through this ploy. Invariably, these devices will be using some “NES on a Chip” solution to emulate a handful of legitimate classics mixed in with enough lazy ROM hacked versions of games you almost remember to hit that oddly specific number of 168 titles. It’s nearly a foregone conclusion that at the heart of this little bundle of faux-retro gaming lies a black epoxy blob, the bane of hardware tinkerers everywhere.
Of course, there’s only one way to find out. Let’s crack open one of these budget handhelds to see what cost reduction secrets are inside. Have the designers secured their place on the Nice List? Or have we been sold the proverbial lump of coal?
Put your hand under you chin as here comes a 6 months long jaw-dropping reverse engineering work: getting the data back from a (not so) broken SD card. As you can guess from the picture above, [Joshua]’s first step was to desolder the card’s Flash chip as the tear-down revealed that only the integrated SD-to-NAND Flash controller was damaged. The flash was then soldered on a breadboard so it could be connected to a Digilent Nexys-2 FPGA board. [Joshua] managed to find a similar Flash datasheet, checked that his wire-made bus was reliable and generated two 12GiB dump files on his computer.
In order to extract meaningful data from the dumps he first had to understand how SD-to-NAND controllers work. In his great write-up he provides us with a background of the Flash technology, so our readers can better understand the challenges we face with today’s chips. As flash memories integrate more storage space while keeping the same size, they become less reliable and have nifty problems that should be taken care of. Controllers therefore have to perform data whitening (so neighboring blocks of data don’t have similar content), spread data writes uniformly around the flash (so physical blocks have the same life expectancy) and finally support error correcting codes (so damaged bits can still be recovered). We’ll let our users imagine how complex reverse engineering the implementation of such techniques is when you don’t know anything about the controller. [Joshua] therefore had to do a lot of research, perform a lot of statistical analysis on the data he extracted and when nothing else was possible, use bruteforce…