Reverse Engineering A PokeWalker

The PokeWalker is part of Nintendo’s long quest to get children (and likely some adults) walking and exercising. There’s the PokeWalker, Pokemon Pikachu, PokeBall Plus, Pokemon Pikachu 2, Pokemon mini, and of course Pokemon Go. Despite being out a decade, there wasn’t a ROM dump for the device and there was minimal documentation on the communication protocol. [Dmitry Grinberg] took it upon himself to change all that and crack the PokeWalker open.

At its heart, the PokeWalker is just a pedometer with an IR port and a 96×64 grayscale screen. It came out in 2009 to accompany the new Pokemon release for the Nintendo DS. Cracking open the device revealed a 64KB EEPROM, a Renesas H8/38606R CPU, a Bosch BMA150 accelerometer, and a generic IR transceiver. The CPU is particularly interesting: in addition to being quite rare, it mixes 8-, 16-, and 32-bit operations with 24-bit pointers, yet it only has a 64K address space. While the CPU is programmable, any attempt to reprogram it erases the onboard flash. Each packet of the IR protocol starts with an 8-byte header carrying a checksum, a command byte, four bytes of session ID, and an unused byte. Curiously enough, every byte is XOR’d with 0xAA before being broadcast. That is obfuscation rather than encryption: anyone who captures the IR traffic can undo it by XORing with the same constant.

One command is an EEPROM write, which uses back-referencing compression. The data to be written is split into 128-byte chunks, though fewer than 128 bytes are usually sent over the air thanks to the compression. The format can theoretically reference 4K bytes back, but in practice it can only reference 256 bytes back. It was this command that laid the foundation for the exploit. By carefully crafting the compressed data, the decompressor can be made to write past the end of its buffer and into executable code. Only a few bytes can be overflowed, so the payload needs to be crafted carefully. This allowed for an exploit that reads the system ROM and broadcasts it out the IR port. Only 22K bytes can be dumped before the watchdog reboots the device, but by changing the starting address it was easy to do multiple passes.
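To show the class of bug the EEPROM-write command exposes, here is an added example. It is not [Dmitry]’s code and it does not use the PokeWalker’s real compression format: it is a toy back-referencing decompressor of the same general shape, writing into a 128-byte chunk buffer that sits directly in front of a two-byte pointer in a small model of RAM. The token format, the RAM layout, the pointer and the function names are all assumptions made for illustration. Run without a bounds check, the stream built by `build_overflow_stream()` fills the buffer with literals and then uses a back-reference to write past its end and clobber the pointer; with the check in place the same stream is rejected and the pointer is untouched.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed toy layout (not the PokeWalker's real one): one 128-byte
 * decompression buffer immediately followed by a 16-bit pointer that we
 * pretend the firmware later jumps through. */
#define CHUNK_SIZE 128
#define RAM_SIZE   (CHUNK_SIZE + 4)

/* Assumed toy token format.  t < 0x80: t+1 literal bytes follow.
 * t >= 0x80: copy (t & 0x7F) + 2 bytes from d+1 bytes back, where d is the
 * next input byte, so a reference can reach at most 256 bytes back.
 * Returns the number of bytes produced, or -1 on a malformed stream.
 * out_cap > 0 enforces the output bound; out_cap == 0 disables it and
 * models the vulnerable firmware path. */
static int decompress(const uint8_t *in, size_t in_len,
                      uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t t = in[ip++];
        if (t < 0x80) {
            size_t n = (size_t)t + 1;
            if (ip + n > in_len) return -1;              /* truncated literals */
            if (out_cap && op + n > out_cap) return -1;  /* the missing check */
            memcpy(out + op, in + ip, n);
            ip += n;
            op += n;
        } else {
            size_t n = (size_t)(t & 0x7F) + 2;
            if (ip >= in_len) return -1;                 /* no distance byte */
            size_t dist = (size_t)in[ip++] + 1;
            if (dist > op) return -1;                    /* reaches before start */
            if (out_cap && op + n > out_cap) return -1;  /* the missing check */
            for (size_t i = 0; i < n; i++, op++)         /* byte-wise: overlap ok */
                out[op] = out[op - dist];
        }
    }
    return (int)op;
}

/* Build the malicious stream: exactly 128 literal bytes, then a 4-byte
 * back-reference of distance 1 that lands on offsets 128..131, i.e. on the
 * bytes right after the buffer.  Returns the stream length. */
static size_t build_overflow_stream(uint8_t *buf, size_t cap)
{
    if (cap < 3 + CHUNK_SIZE) return 0;
    buf[0] = CHUNK_SIZE - 1;                 /* 0x7F: 128 literals follow */
    memset(buf + 1, 0x41, CHUNK_SIZE);
    buf[1 + CHUNK_SIZE] = 0x80 | (4 - 2);    /* copy 4 bytes ... */
    buf[2 + CHUNK_SIZE] = 0;                 /* ... from 1 byte back */
    return 3 + CHUNK_SIZE;
}

/* Feed the malicious stream to a fresh RAM image whose pointer is preset to
 * 0x1234.  Returns decompress()'s result; the image is left in ram. */
static int simulate_eeprom_write(uint8_t *ram, int with_bounds_check)
{
    uint8_t stream[CHUNK_SIZE + 8];
    size_t len = build_overflow_stream(stream, sizeof stream);
    memset(ram, 0, RAM_SIZE);
    ram[CHUNK_SIZE]     = 0x12;              /* hypothetical handler pointer */
    ram[CHUNK_SIZE + 1] = 0x34;
    return decompress(stream, len, ram, with_bounds_check ? CHUNK_SIZE : 0);
}

int main(void)
{
    uint8_t ram[RAM_SIZE];
    int n = simulate_eeprom_write(ram, 0);
    printf("unchecked: wrote %d bytes, pointer now %02x%02x\n",
           n, ram[CHUNK_SIZE], ram[CHUNK_SIZE + 1]);
    n = simulate_eeprom_write(ram, 1);
    printf("checked:   result %d, pointer still %02x%02x\n",
           n, ram[CHUNK_SIZE], ram[CHUNK_SIZE + 1]);
    return 0;
}
```

The unchecked run reports 132 bytes written and a pointer of 4141; the checked run returns -1 with the pointer still 1234. The point carries over to the real device regardless of its actual token format: a decompressor that trusts the length fields in attacker-supplied input to stay inside a fixed-size buffer is a write primitive, and the fix is to compare the output position against the buffer capacity before every literal copy and every back-reference.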

After the ROM was stitched together from the different passes, the IR commands were analyzed. In particular, a command was found that allows direct writes into RAM. This makes for a much easier exploit: write the payload into RAM, overwrite a pointer in the event table so that the system jumps to the payload in the course of normal operation, and have the payload restore the original pointer once it runs.

[Dmitry] finishes off this amazing exploit by writing a PalmOS app to dump the ROM from a PokeWalker as well as modify the system state. PalmOS was chosen as it is an easy and cheap way to get a programmable IR transceiver. All in all, a gorgeous hack with a meticulous writeup. This isn’t the first video game accessory that’s been reverse engineered with a scrupulous writeup, and we’re sure it won’t be the last.


Make Your Own Pet Fire Breathing Dragon

[Jorvon Moss] a.k.a. [Odd_Jayy] is known as a maker of “companion robots” which he carries perched on top of his shoulders. (We don’t know about you, but we’re getting some pretty strong Ash and Pikachu vibes.)

In one of his recent builds, he decided to give his companion bot a bit of sizzle. His Widget Dragon Companion Bot is an impressive 3D printed build, divided into a surprisingly few parts. The robot is controlled using an Adafruit Crickit, marketed specifically for robotics projects, and is easily programmed using the increasingly popular Microsoft MakeCode.

With a few servos, [Odd_Jayy] was able to animate his bot, giving it more of an “alive” feel. Finally, he added a vape pen to give the dragon its smoky fire-breathing effect.

This is just the kind of energy we love to see here at Hackaday. While you’re around, take a look at some of [Odd_Jayy’s] other robot projects and head over to his Instagram page to see more real-time project updates.

Pokemon Cries And How They Work

If you grew up watching the Pokémon TV series, you’d naturally be familiar with the cries of all your favourite Pocket Monsters. Most of the creatures in the anime tend to say their own name, over and over again. Pour one out for the legions of parents who, upon hearing a distant “PIKA PIKA!”,  still involuntarily twitch to this day.

However, the games differ heavily in this area. Generation I of Pokémon was released on the Game Boy, which simply didn’t have the sound capabilities to play back sampled audio. Instead, each Pokémon’s cry was synthesized from a handful of stored parameters. It’s quite a deep and involved system, but never fear – help is at hand via [Retro Game Mechanics Explained].

The video breaks down, at a bitwise level, how the parameters for each Pokémon’s cry are stored and how they are synthesized. It’s presented in easily understandable chunks, first explaining how the Game Boy’s sound hardware works, with the two pulse channels and the noise channel that the cries use, before expanding upon why some Pokémon have the same or similar cries.

It’s a tour de force in retro game reverse engineering, and expertly presented with high quality graphical guides as to what’s going on at the software level. There’s even an emulator you can use to explore the various cries from the original game, and generate your own, too.

Now that we’re up to speed with Pokémon, how about fixing bugs in a 37-year-old game? Video after the break.


Game-Ception: Pokemon Red Playable Inside Minecraft

If you’ve ever wanted to take a dive into and visualize a game’s code, this could be a seminal example in a literal sense. After twenty-one months of effort, the entire Pokemon Red game is now playable inside Minecraft.

[Mr. Squishy] is the mad genius behind this project, laboriously re-coding the game literally block by block. A texture pack is needed for the specific sprites, but otherwise it is playable without mods. It’s not immediately apparent when loading into the level, but chip your way through the floor of the stadium and you are confronted by something awe-inspiring: sprawling constructions, like great soaring cliffs, comprising approximately 357,000 command blocks — equating to the same in lines of code. Every animation, tracked stat, attack and their effects, the various pokemon and their properties, and so on are rendered in the game’s physical space for you to wander through.

Beneath that are levels of maps, positional data, properties of those areas, NPCs, and a clever glitch that [Mr. Squishy] used to keep everything loaded at once.


There’s A Mew Underneath The Truck Next To The SS Anne

Before we dig into this, I need to spend a paragraph or two conveying the knowledge of a twelve-year-old in 1996. Of course, most Hackaday readers were twelve at least once, but we’re just going to do this anyway. The payoff? This is an arbitrary-code-execution virus for Pokemon, and maybe the most amazing Game Boy hack of all time.

In the first generation of Pokemon games, there is a spectacularly rare Pokemon. Mew, the 151st Pokemon, could learn every TM and HM move in the game. It was a psychic type, which was overpowered in the first gen. You could not acquire a Mew except by taking your Game Boy to a special event (or to Toys R Us that one time). If someone on the playground had a Mew, they really only had a GameShark.

There was a mythos surrounding Mew. Legend said if you went to the SS Anne and used Strength to move a truck sprite that appeared nowhere else in the game, a Mew would appear. Due to the storyline of the game, you didn’t have the ability to get to this truck the first time you passed it. However, if you started a new game – thus losing all your progress and your entire roster of Pokemon – you could test this theory out. Don’t worry, you can just trade me all your good Pokemon. I’ll give them back once you have a Mew. Screw you, Dylan. Screw you.

Now the Mew truck trick is real. You can do it on a copy of Red or Blue on an original Game Boy. If this hack existed in 1998, kids would have lost their god damned minds.

The basis for this hack comes from [MrCheeze], who created a ‘virus’ of sorts for the first generation of Pokemon games. Basically, given the ability to manually edit a save file, it is possible to replicate this save file over a Game Link cable. The result is a glitchy mess, but each Pokemon game has the same save file when it’s done.

Combine this virus with arbitrary code execution, and you have something remarkable. [MrCheeze] created a save file that allows you to move the truck next to the SS Anne. When the truck is moved, a Mew appears. It’s exactly what everyone was talking about over the sound of their sister’s Backstreet Boys marathon.

The new ‘Mew Truck virus’ is not as glitchy as the first attempt at a self-replicating save file. In fact, except for the music glitching for a few seconds, nothing appears abnormal about this Pokemon virus. It’s only when the Mew truck trick is attempted that something seems weird, and it’s only weird because we know it shouldn’t happen. Combine that with the self-replicating nature of this virus, and you have something that would have drawn the attention of Big N. This is a masterpiece of Pokemon-based arbitrary code execution and a hack that may never be equaled.

You can check out the video below.


Hackaday Links: March 5, 2017

Statistically, more celebrities died in 2016 than would be expected. 2017 is turning out to be a little better, but we did recently lose the great [Bill Paxton]. Game over, man. Game over. A few years ago, [Benheck] built his own pinball machine. It’s Bill Paxton Pinball. A great build, and worth revisiting, just like another viewing of Aliens and Apollo 13.

Some of the most popular 3D-printable objects are [flowalistik]’s low-poly Pokemon series. They’re great models, even though he missed the most obvious Pokemon. Of [flowalistik]’s low-poly Pokemon models, the Bulbasaur is a crowd favorite. Because this model is constructed from flat planes joined at an angle, it’s possible to make a huge low-poly Bulbasaur on a laser cutter or a CNC router. Go home Bulbasaur, you’re drunk. We are eagerly awaiting details on how this grass and poison-type tank was made.

For the last few months, [Matthew Cremona] has been building a huge bandsaw mill in his backyard. It’s built for cutting logs into lumber, and this thing is massive. He’s been posting build log videos for the last few months, but this week he’s finally gotten to where we want him to be: he’s cutting gigantic logs. In the coming weeks, he’s going to be cutting a maple crotch that’s 60 inches (1.5 meters) across.

It’s still a bit early, but here are the details for the 2017 Open Hardware Summit. It’s October 5th in Downtown Denver. If you want to speak at OHS, here you go. If you want to sponsor OHS, here you go. Tickets are over on Eventbrite.

What happens when you give away a new Raspberry Pi Zero W to the fifth caller? This. In other news, Adafruit somehow acquired a real New York City payphone. I’ve heard they were replacing these with WiFi hotspots, which means there are a ton of payphones in a warehouse somewhere? Can anyone hook us up?

Pokémon Center Charging Station

If you watch Pokémon Go enthusiasts, you may have noticed something of a community spirit among gamers congregating at busy in-game locations. [Spencer Kern] wanted to encourage this, so produced what he describes as a water cooler for Pokémon Go players, a Pokémon-styled charging station with multiple USB ports.

His build centres on a Yeti 400 solar power pack and a large multi-port USB hub, for which he has built a detailed wooden housing in the style of a Pokémon Center from the earlier Nintendo games. The idea is that gamers will congregate and plug in their phones to charge, thus bringing together a real-world social aspect to the game. We can see the attraction to gamers, however we suspect most Hackaday readers would join us in not trusting a strange USB socket, and in charging only through a cable with no data conductors (or a USB data blocker), so that the port can deliver power but never talk to the phone.

Still, the housing has seen some careful design and attention to detail in its construction. He started with a 3D CAD model from which he created a set of 2D templates to print on paper and from which to cut the wood. As many of his dimensions as possible were taken from common wood stock to save machining time, and the structure was assembled using wood glue before being sanded and filled. Finally, the intricate parts such as the Pokémon logo were 3D printed and spray painted. The result is a pretty good real-world replica of the Pokémon Center that you’d recognise if you were a player of the original games, and he reports it was a hit with gamers in his local park.

We’ve covered quite a few Pokémon Go hacks recently, but many of them have had a less physical and more virtual basis. We did see a real-world Pokémon-catching Pokéball though, and of course there was also the automated Pokémon egg incubator.

Thanks [Genki] for the tip.