My Nintendo Game and Watch arrived a day early! Let’s tear it down and see how it works - and how easy it is to hack it!
For opening it up you unfortunately need some Y-style screwdrivers - let’s see what’s underneath!
Interesting, an STM32H7B0VBT6 is the main processor! Cortex-M7, 128 KBytes Flash, 1024 KBytes of RAM. Also some unpopulated headers close by that expose SWD (the Arm Cortex-M debug interface)!
Next to it is a Macronix 25U8035 8Mb flash - definitely a candidate to be dumped!
Found the SWD pinout! Will check later whether it's enabled or locked!
Let’s see whether SWD is enabled!
SWD is enabled, but the device is secure unfortunately, so we can't simply dump the firmware via SWD!
Thought I bricked it for a second, but removing the battery (the connector lifts UP!) fixed it *phew* - time to dump the flash!
Dumped the flash using a Minipro and a SOIC8 clip - works in system! (Though I had the battery unplugged)
Checksums for those playing along at home:
MD5: 1f5a35ca9b4e6439639c70a01a113620
SHA256: e3a59ee061cd730957b17a34cde5575e49ef24168188b602ca317e8e1f3403fe
Checking the entropy of the dump, it seems like it might be encrypted or compressed - no strings, no known compression headers. Have to keep digging!
I figure before I continue (and possibly break it!) I should try to play the actual game first! 😀
Soo.. Should I try to use a fault injection attack to gain access to SWD, which will risk bricking it?
In the meantime: Found that the frame-buffer is readable from memory via SWD!
Awesome, seems like it loads a Super Mario Bros. NES ROM into RAM (device RAM contents left, original Super Mario Bros. ROM right)
The desk is slowly getting messy - but definitely having fun!😀
Tried some simple stuff such as AES ECB with every possible key from the RAM contents, but no luck yet!
Some somewhat good news: I flipped some bits in the flash image and the device still boots. So no strong flash validation!
SUCCESS!! YESSSSS
So, eventually managed to bypass the Game & Watch ROM encryption 1 day before the official release 😁 Will try to release a video on it in the next few days with details on how that works!
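The triage steps mentioned above (checksums of the dump, entropy of the image, a look for known compression headers) as an added Python example; this is not the thread author's tooling, and the "dump" it scans is constructed in-code so it runs offline: a plaintext-like region with a planted gzip header, a pseudo-random region standing in for ciphertext, and an erased 0xFF region. The entropy thresholds used to label windows are rules of thumb assumed here, not values from the thread.

```python
"""Triage of a raw SPI-flash dump: checksums, sliding-window Shannon entropy
and a scan for well-known compression magic.

Added example, not the thread author's code. SAMPLE_DUMP is constructed below;
for a real image use open(path, "rb").read() instead.
"""
import hashlib
import math
from collections import Counter

# Magic bytes of common compression containers (assumption: illustrative list).
# Only magics of 3+ bytes are included: zlib's 2-byte 78 9c matches by chance
# roughly once per 64 KiB of random data and would flood an encrypted image
# with false positives.
COMPRESSION_MAGIC = {
    "gzip": b"\x1f\x8b\x08",
    "xz": b"\xfd7zXZ\x00",
    "bzip2": b"BZh",
    "lz4 frame": b"\x04\x22\x4d\x18",
    "zstd": b"\x28\xb5\x2f\xfd",
}


def checksums(data: bytes) -> dict:
    """MD5 and SHA-256 of the whole image, for comparing dumps between runs."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform distribution."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, window: int = 4096):
    """(offset, entropy) for each non-overlapping window of the image."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def classify(entropy: float) -> str:
    """Rule-of-thumb labels (assumption); 7.9+ is what ciphertext looks like."""
    if entropy < 0.5:
        return "constant/erased"
    if entropy < 6.5:
        return "code/data (plaintext-like)"
    if entropy < 7.9:
        return "compressed?"
    return "encrypted/random"


def find_compression_magic(data: bytes):
    """All (offset, container) hits for the magics above, sorted by offset."""
    hits = []
    for name, magic in COMPRESSION_MAGIC.items():
        idx = data.find(magic)
        while idx != -1:
            hits.append((idx, name))
            idx = data.find(magic, idx + 1)
    return sorted(hits)


def _prng_bytes(n: int, seed: bytes = b"game-and-watch-demo") -> bytes:
    """Deterministic pseudo-random filler (SHA-256 in counter mode) standing in
    for ciphertext in the constructed sample."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return bytes(out[:n])


def build_sample_dump() -> bytes:
    """Constructed 24 KiB image: 1 plaintext window (with a planted gzip header
    at 0x800), 4 random windows, 1 erased window."""
    text = b"Game & Watch flash triage sample text. "
    plain = bytearray((text * 200)[:4096])
    plain[0x800:0x804] = b"\x1f\x8b\x08\x00"
    return bytes(plain) + _prng_bytes(4 * 4096) + b"\xff" * 4096


SAMPLE_DUMP = build_sample_dump()


def summarize(data: bytes, window: int = 4096):
    """(offset, entropy, label) per window; the view you want before deciding
    whether an image is encrypted, compressed or just oddly packed."""
    return [(off, ent, classify(ent)) for off, ent in entropy_profile(data, window)]


if __name__ == "__main__":
    print(checksums(SAMPLE_DUMP))
    for off, ent, label in summarize(SAMPLE_DUMP):
        print(f"0x{off:06x}  {ent:5.2f} bits/byte  {label}")
    print("compression magic:", find_compression_magic(SAMPLE_DUMP))
```

Windows that read as "encrypted/random" with no strings and no magic hit anywhere are the signature the thread describes; a "compressed?" window next to a magic hit is the case where the image is merely packed. Plant a second known header in the random region and you will see why short magics are excluded: a real container is confirmed by parsing its header, not by a byte match alone.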