Swapping The ROMs In Mini Arcade Cabinets

You’ve probably seen a few of these miniature arcade games online or in big box retailers: for $20 USD or so you get scaled-down version of a classic arcade cabinet, perfect for a desk toy or to throw up on a shelf as part of your gaming collection. Like any good Hackaday reader, you were probably curious about what makes them tick. Thanks to [wrongbaud], we don’t have to wonder anymore.

Over the course of several blog posts, [wrongbaud] walks readers through the hardware and software used in a few of these miniature games. For example, the Rampage cabinet is using a so-called “NES on a Chip” along with a SPI flash chip to hold the ROM, while Mortal Kombat is using a Genesis emulation solution and parallel flash. It wouldn’t be interesting if they didn’t throw you a few curves now and again, right?

But these are more than simple teardowns. Once [wrongbaud] gives an overview of the hardware, the next step is reading the respective flash storage and trying to make sense of the dumped data. These sort of games generally reuse the hardware among a number of titles, so by isolating where the game ROM is and replacing it, they can be made to play other games without hardware modification. Here, this capability is demonstrated by replacing the ROM data for Rampage with Yoshi’s Cookie. Naturally it’s one of those things that’s easier said than done, but it’s an interesting proof of concept.

The Mortal Kombat cabinet is a newer addition to the collection, so [wrongbaud] hasn’t progressed quite as far with that one. The parallel flash chip has been dumped with the help of an ESP32 and a MCP23017 I/O expander, and some Genesis ROM headers are identifiable in the data, but there’s still some sifting to be done before the firmware structure can be fully understood.

Even if you’re not in the market for a diminutive arcade experience, the information that [wrongbaud] has collected here is really phenomenal. From understanding protocols such as I2C and SPI to navigating firmware dumps with a hex editor, these posts are an invaluable resource for anyone looking to get started with reverse engineering.

Why Buy Toys When You Can Build Them Instead?

Like many creative individuals who suddenly find themselves parents, [Marta] wanted to make something special for his children to play with. Anybody can just purchase an off-the-shelf electronic toy, but if you’ve got the ability to design one on your own terms, why not do it? But even compared to the fairly high standards set by hacker parents, we have to admit that the amount of time, thought, and effort that was put into the “Marta Musik Maschine” is absolutely phenomenal.

[Marta] was inspired by the various commercial offerings which use RFID and other technologies to identify which characters the child is playing with and respond accordingly. But since he didn’t want to get locked into one particular company’s ecosystem and tinkering with the toys seemed frowned upon by their creators, he decided to just come up with his own version.

Over the course of many posts on the Musik Maschine’s dedicated website, [Marta] explains his thought process for every design consideration of the toy in absolutely exquisite detail. Each of the writeups, which have helpfully been broken down for each sub-system of the final toy, are arguably detailed and complete enough to stand as their own individual projects. Even if you’re not looking to get into the world of DIY electronic toys, there’s almost certainly an individual post here which you’ll find fascinating. From the finer points of interfacing your Python code with arcade buttons to tips for designing 3D printed enclosures, there’s really something for everyone here.

The children of hackers are often the envy of the neighborhood thanks to the one-of-a-kind playthings provided by their parents, and considering the level of commitment [Marta] has put into a toddler toy, we can’t wait to see what he comes up with next.

Continue reading “Why Buy Toys When You Can Build Them Instead?”

Reverse Engineering A Two-Wire Intercom

There was a time when an intercom was simply a pair of boxes with speakers joined by a couple of wires, with an audio amplifier somewhere in the mix. But intercoms have like everything else joined the digital age, so those two wires now carry a load of other functionality as digital signalling. [Aaron Christophel] installs these devices for a living, and has posted a fascinating reverse engineering video that we’ve also placed below the break.

Power for the system is present as a constant 24V DC, and the audio is still an old-fashioned analogue signal that we’ll all be familiar with. On that 24V DC though are imposed a series of pulse trains to trigger the different alarms and other functions, and he describes extracting these with an oscilloscope before showing us the circuitry he’s used to send and receive pulses with an Arduino. The bulk of the video is then devoted to the software on the Arduino, which you can also find in a GitHub repository.

The result is an interesting primer for anyone who fancies a bit of serial detective work, even if they don’t have a intercom to hand.

Continue reading “Reverse Engineering A Two-Wire Intercom”

Reverse-Engineering Xiaomi IoT Firmware

IoT devices rarely ever just do what they’re advertised. They’ll almost always take up more space than they need to – on top of that, their processor and memory alone should be enough to run a multitude of other tasks while not necessarily compromising the task they were built to do.

That’s partially the motivation for rooting any device, but for Xiaomi devices, it’s a bit more fun – that is to say, it’s a little bit harder when you’re reverse engineering its firmware from scratch.

Similar to his other DEF CON 26 talk on modifying ARM Cortex-M firmware, [Dennis Giese] returns with a walkthrough of how to reverse-engineer Xiaomi IoT devices. He starts off talking about the Xiaomi ecosystem and the drawbacks of reusing firmware across all the different devices connected to the same cloud network before jumping into the walkthrough for accessing the devices.

Continue reading “Reverse-Engineering Xiaomi IoT Firmware”

Reverse Engineering Liberates Dash Cam Video

If you’ve purchased a piece of consumer electronics in the last few years, there’s an excellent chance that you were forced to use some proprietary application (likely on a mobile device) to unlock its full functionality. It’s a depressing reality of modern technology, and unless you’re willing to roll your own hardware, it can be difficult to avoid. But [krishnan793] decided to take another route, and reverse engineered his DDPAI dash camera so he could get a live video stream from it without using the companion smartphone application.

Like many modern gadgets, the DDPAI camera creates its own WiFi access point that you need to connect to for configuration. By putting his computer’s wireless card into Monitor mode and running Wireshark, [krishnan793] was able to see that the smartphone was communicating with the camera using some type of REST API. After watching the clear-text exchanges for awhile, he not only discovered a few default usernames and passwords, but the commands necessary to configure the camera and start the video stream.

After hitting it with the proper REST messages, an nmap scan confirmed that several new services had started up on the device. Unfortunately, he didn’t get any video when he pointed VLC to the likely port numbers. At this point [krishnan793] checked the datasheet for the camera’s Hi3516E SoC and saw that it supported H.264 encoding. By manually specifying that as the video codec when invoking VLC, it was able to play a video stream from port 6200. A little later, he discovered that port 6100 was serving up the live audio.

Technically that’s all he wanted to do in the first place, as he was looking to feed the video into OpenCV for other projects. But while he was in the area, [krishnan793] also decided to find the download URL for the camera’s firmware, and ran it through binwalk to see what he could find out. Not surprisingly the security turned out to be fairly lax through the entire device, so he was able to glean some information that could be useful for future projects.

Of course, if you’d rather go with the first option and build your own custom dash camera so you don’t have to jump through so many hoops just to get a usable video stream, we’ve got some good news for you.

Dealing With Missing Pin Allocations

Blindsided by missing pin allocations? Perhaps you’re working on a piece of hardware and you notice that the documentation is entirely wrong. How can you get your device to work?

[Dani Eichhorn]’s troubles began when running an IoT workshop using a camera module. Prior to the work, no one had through to check if all of the camera modules ordered for the participants were the same. As it turns out, the TTGO T-CAM module had a number of revisions, with some even receiving a temperature/pressure sensor fixed on top of the normal board.

While the boards may have looked the same, their pin allocations were completely different.Changing the pin numbers wouldn’t have been difficult if they were simply numbered differently, but because the configurations were different, errors started to abound: Could not initialize the camera

As it turns out, even the LillyGo engineers – the manufacturers of the board – may have gotten a bit lost while working on the pin allocations, as [Eichhorn] was able to find some of the pins printed right onto the PCB, hidden behind the camera component.

To find information not printed on the board, a little more digging was required. To find the addresses of the devices connected to the I2C bus, running a program to find peripherals listening on the bus did the trick. This was able to print out the addresses of the SSD1306 OLED display driver and the microphone for the board at hand.

To find the pins of peripherals not printed on the PCB or hidden on the silkscreen, a GPIO scanner did the trick. This in particular worked for finding the PIR (passive infrared) motion sensor.

We picked up a few tips and tricks from this endeavor, but also learned that reverse-engineering anything is hard, and that there isn’t any one method for finding pin allocations when the documentation’s missing.

Hackaday Links: September 8, 2019

We start this week with very sad news indeed. You may have heard about the horrific fire on the dive boat Conception off Santa Cruz Island last week, which claimed 33 lives. Sadly, we lost one of our own in the tragedy: Dan Garcia, author of the wildly popular FastLED library. Dan, 46, was an Apple engineer who lived in Berkley; his partner Yulia Krashennaya died with him. Our community owes Dan a lot for the work he put into FastLED over the last seven years, as many an addressable LED is being driven by his code today. Maybe this would be a good chance to build a project that uses FastLED and add a little light to the world, courtesy of Dan.

In happier news, the biggest party of the hardware hacking year is rapidly approaching. That’s right, the 2019 Hackaday Superconference will be upon us before you know it. Rumor has it that there aren’t that many tickets left, and we haven’t even announced the slate of talks yet. That’s likely to clean out the remaining stock pretty darn quickly. Are you seriously prepared to miss this? It seems like a big mistake to us, so why don’t you hop over and secure your spot before you’re crying into your Club-Mate and wondering what all the cool kids will be doing in November.

Of course one of the highlights of Superconference is the announcement of the Hackaday Prize winner. And while we naturally think our Prize is the best contest, that doesn’t mean there aren’t others worth entering. MyMiniFactory, the online 3D-printing community, is currently running a “Design with Arduino” competition that should be right up the alley of Hackaday readers. The goal is simple: submit a 3D-printed design that incorporates Arduino or other electronics. That’s it! Entries are accepted through September 16, so you’ve still got plenty of time.

Sometimes you see something that just floors you. Check out this tiny ESP32 board. It doesn’t just plug into a USB port – it fits completely inside a standard USB Type A jack. The four-layer board sports an ESP32, FTDI chip, voltage regulator, an LED and a ceramic antenna for WiFi and Bluetooth. Why would you want such a thing? Why wouldn’t you! The board is coming soon on CrowdSupply, so we hope to see projects using this start showing up in the tipline soon.

Here’s a “why didn’t I think of that?” bench tip that just struck us as brilliant. Ever had to probe a board to trace signal paths? It’s a common enough task for reverse engineering and repairs, but with increasingly dense boards, probing a massive number of traces is just too much of a chore. Hackaday superfriend Mike Harrison from “mikeselectricstuff” makes the chore easier with a brush made from fine stainless wires crimped into a ring terminal. Attached to one probe of a multimeter, the brush covers much more of the board at a time, finding the general area where your trace of interest ends up. Once you’re in the neighborhood you can drop back to probing one pad at a time. Genius! We’d imagine a decent brush could also be made from a bit of coax braid too.

Another shop tip to wrap up this week, this one for woodworkers and metalworkers alike. Raw materials are expensive, and getting the most bang for your buck is often a matter of carefully laying out parts on sheet goods to minimize waste. Doing this manually can be a real test of your spatial relations skills, so why not automate it with this cut list optimizer? The app will overlay parts onto user-defined rectangles and snuggle them together to minimize waste. The program takes any units, can account for material lost to kerfs, and will even respect grain direction if needed. It’s built for wood, but it should prove useful for sheet metal on a plasma cutter, acrylic on a laser, or even PCBs on a panel.