rC3 Talk: Hacking the Game & Watch


Comments • 180

  • @richardhead8264
    @richardhead8264 3 years ago +165

    _It just makes sense that a device with such a nice screen and powerful processor should be able to play more than a couple factory-installed games._ 🤔

  • @nicco1690
    @nicco1690 3 years ago +135

    I'm glad that people like you make these things and hack these seemingly unhackable things. Without people like you, we wouldn't have all these things that we use today pretty regularly. Thank you!

    • @DrEmmettBr0wn
      @DrEmmettBr0wn 3 years ago +4

      Hacking is easy. Explaining and making a video is the hard part.

    • @nicco1690
      @nicco1690 3 years ago

      @@DrEmmettBr0wn Yes, but I'm just some random dude on the internet who knows a little HTML and CSS. Although I will admit, the video editing is very good here. I can say for certain this content is a lot better than something I could put out right now.

  • @ty2k
    @ty2k 3 years ago +63

    I can't believe how well the community has pulled together to extend this awesome device. Thanks for all your hard work!

    • @Lilly24244
      @Lilly24244 3 years ago +1

      I can't believe how hands off Nintendo has been 🤣

    • @Lar_ry
      @Lar_ry 3 years ago

      @@Lilly24244 This ain't anything new; communities come together all the time for this stuff. Think iPhone jailbreak devs, or even gaming communities. The 3DS was blown wide open to the point you could download any game from the Nintendo eShop server and they could not stop you. Still works to this day. The PS1 Classic was done pretty quickly, along with the SNES/NES Minis and even the Mini Sega.

    • @mikejosh4563
      @mikejosh4563 3 years ago

      @@Lilly24244 Well, if you still need help I recommend Rackzhack on Instagram; he got all my devices fixed.

    • @fiswis2
      @fiswis2 3 years ago

      @@Lar_ry what's your point Larry?

  • @abysJaq
    @abysJaq 3 years ago +23

    I have followed your progress since day one on Twitter and YouTube, and watched the live rC3 with a great intro! Great talk, fun and informative!

  • @dewbiedew
    @dewbiedew 3 years ago +7

    Loved the intro! I am not that technical, but I found this video to be very informative and well paced. Glad that you put this video together! Appreciate all the work on this even if it is more of a curiosity for me than anything else.

  • @Dogelition
    @Dogelition 3 years ago +8

    Great talk!
    There's a small mistake around 17:11:
    When you have a ciphertext encrypted with AES-CBC and you flip n bits in one of the encrypted blocks, only the corresponding plaintext block + the bits at the same indices in the next plaintext block will be corrupt. The following blocks will decrypt normally. So if you set n bytes to zero (assuming they all belong to the same block), you'd get 16 + n corrupted bytes in the plaintext.

  • @afox4254
    @afox4254 3 years ago +28

    Despite the fact that I have the technical knowledge of a potato, I found this video very interesting and informative. Thank you!

  • @Evercade_Effect
    @Evercade_Effect 3 years ago +18

    I'm impressed this project has come a long way. It's only a matter of time before hacked ones show up on eBay.

  • @dccelly1615
    @dccelly1615 3 years ago +4

    It has been said but, great intro! Thank you for all the hard work you’ve put in for this. No way I can duplicate the process to try this myself.

  • @PexySancakes
    @PexySancakes 3 years ago +20

    People like you survive the apocalypse. Good job.

  • @nsp6590
    @nsp6590 3 years ago +3

    I wish I could give this video a thousand likes. Absolutely amazing mate! Great video! And what a community you have built around this little device. I can't wait to see more.

  • @itsworkinprogress
    @itsworkinprogress 3 years ago +3

    Thank you for this very informative video. I've never looked into hardware hacking before, but you are a very good, easy-to-listen-to teacher.

  • @TheAppelsiini123
    @TheAppelsiini123 3 years ago +17

    This must be the best console reverse-engineering talk ever! The Game & Watch turns out to be a great fit in terms of complexity for hardware hacking and homebrew!

    • @Lar_ry
      @Lar_ry 3 years ago

      It's not a bad talk. But there are some really good ones that really break it down more. But no doubt he did a wonderful job.

  • @sucotronic
    @sucotronic 3 years ago +3

    That was a great presentation and summary of a lot of time and hard work invested in the Game and Watch. Thanks for sharing it with us and opening everything ;)

  • @pitust
    @pitust 3 years ago +6

    This talk was awesome (I watched it during rC3).

  • @0xbenedikt
    @0xbenedikt 3 years ago +1

    Hands down the best CCC talk this year!

  • @eleuthi813
    @eleuthi813 3 years ago +1

    This just popped up in my recommended, and I gotta say... This is REALLY cool!

  • @mathlxiv1525
    @mathlxiv1525 3 years ago

    Man, your videos are great, your projects are great, YOU are great! Seriously, this is really entertaining but also really instructive; your explanations are clear and understandable by what I would assume to be everybody, and that's really cool! Good job man, you have a lot of talent!

  • @alantrotter6762
    @alantrotter6762 3 years ago +1

    Awesome video! Very well explained and entertaining!

  • @TensorWave
    @TensorWave 1 year ago

    8:17 I love how you moved your whole setup to make the view clear for the right side.

  • @scottybrown7741
    @scottybrown7741 3 years ago

    So awesome - the content but the delivery/deck too! Thanks!

  • @wheelotimexqwepoiqwe1082
    @wheelotimexqwepoiqwe1082 3 years ago +1

    Wonderful video with very detailed information, thanks.

  • @DacoTaco
    @DacoTaco 3 years ago +1

    And no picture of your costume in the Q&A?
    That was hilarious! xD
    Good job though, I enjoyed the talk.

  • @jengelenm
    @jengelenm 3 years ago +1

    Great summary! Thanks!

  • @valshaped
    @valshaped 3 years ago +1

    You've inspired me to get a G&W of my own. Super excited to unlock it and use it for Nefarious Purposes, like super-low-quality DOOM

  • @henryatkinson1479
    @henryatkinson1479 3 years ago +1

    Love the intro!

  • @christophhelms4905
    @christophhelms4905 3 years ago +1

    Great presentation my man!

  • @threethej_rock
    @threethej_rock 3 years ago

    Super helpful and informative video, thank you.

  • @Mr._Sandman
    @Mr._Sandman 3 years ago +10

    I can't wait to see what else comes from this! My hope is to turn mine into a classic Mario Nintendo/G&W item.

  • @santasl
    @santasl 3 years ago +2

    Great talk. Thank you!

  • @edgeeffect
    @edgeeffect 3 years ago

    Thanks for the NOP slide... that's the best thing I've learned in months!

  • @rashidz97100
    @rashidz97100 3 years ago +2

    Something worth watching!

  • @kargaroc386
    @kargaroc386 3 years ago

    This is insanely well written and understandable for beginners.

  • @1TimTheEnchanter1
    @1TimTheEnchanter1 3 years ago

    Absolutely fantastic!

  • @jarod10100
    @jarod10100 3 years ago +1

    Great job, great video.
    Thank you.

  • @yeffrisalazar9721
    @yeffrisalazar9721 3 years ago

    I'll say it in Spanish because it's easier: this is the best thing I've seen about hardware hacking, you're my idol.

  • @hyperteknoman6602
    @hyperteknoman6602 3 years ago +1

    Very explanatory 👍

  • @Howard2k79
    @Howard2k79 3 years ago

    This Intro man! Love it!

  • @chadwolf3840
    @chadwolf3840 3 years ago

    Amazing video and explanation.

  • @philrod1
    @philrod1 3 years ago

    Great talk and amazing work! I bought one of these for my son for Christmas and had to buy myself one after seeing this unfold. I'm very much looking forward to hacking this. I'll be happy with emulation but would love to have a go at writing a homebrew game for it. As for the USB ... you just need to shrink the MiniPRO down until it fits inside the case :D

  • @stantheman1998
    @stantheman1998 3 years ago +1

    Amazing video!

  • @slipperstree
    @slipperstree 2 years ago

    Great work! You taught me a lot!

  • @-zer122
    @-zer122 3 years ago

    Good presentation! Thanks

  • @tejonBiker
    @tejonBiker 3 years ago

    Nice summary of your work, the GBSMB is now selling in Mexico, I think I have a nice idea for a gift to myself :D

  • @TheKluxi1
    @TheKluxi1 3 years ago +16

    best TED talk of 2020 in my opinion

    • @canaDavid1
      @canaDavid1 3 years ago

      This isn't a ted talk?

    • @TheKluxi1
      @TheKluxi1 3 years ago +1

      @@canaDavid1 yeah I know, it's just a little joke ;)

  • @Stonehead94
    @Stonehead94 3 years ago

    Hey, I just wanted to say thank you! Unfortunately I can't contribute anything to the community other than carrying out the hacks by following the instructions, but I'm so grateful for people like you who make this possible AND explain how you get to the result! Definitely insane, and it has sparked my interest in doing a bit of hacking myself.

  • @antonminyailo5976
    @antonminyailo5976 3 years ago

    Awesome talk, thanks.

  • @FirstLast-jg3um
    @FirstLast-jg3um 3 years ago +2

    Nice,
    I'd like to see more about IoT devices, thanks.

  • @at29c040a
    @at29c040a 3 years ago +1

    Thanks for the great talk! Is there a way to wire the USB data lines to the MCU?

  • @1e1001
    @1e1001 3 years ago +1

    This is art

  • @hdofu
    @hdofu 1 year ago

    That is quite the intro overview.

  • @TigerVent
    @TigerVent 3 years ago +24

    HAHA intro was hilarious

  • @belaidmabrouk1631
    @belaidmabrouk1631 3 years ago +1

    I can just say,
    you are amazing

  • @arlwiss5110
    @arlwiss5110 1 year ago

    mindblowing stuff

  • @reaper84
    @reaper84 3 years ago

    Great Work

  • @ReavoEnd
    @ReavoEnd 3 years ago

    Just got my G&W! I look forward to snagging a debugger and start poking around.

  • @tuorectors7102
    @tuorectors7102 2 years ago

    This channel is so underrated :(

  • @Lar_ry
    @Lar_ry 3 years ago

    It's surprising how many times this method works on so many different platforms. I used to have a job hacking keyless entry systems, and we broke encryption and did dumps in almost the same way.

  • @hidden7soul
    @hidden7soul 3 years ago +1

    0:18 that was epic 🤣

  • @retrogame5807
    @retrogame5807 3 years ago

    very amazing

  • @jackmaginnes7497
    @jackmaginnes7497 3 years ago +8

    Hell yes I am so hyped on this. Working on moving into some hardware hacking, and who doesn't love pissing off Nintendo

  • @e4James
    @e4James 3 years ago +2

    I was trying to find the guide to upgrade the storage to 60MB and the discord but no luck.

  • @taskanawa9604
    @taskanawa9604 3 years ago +1

    awesome

  • @mistermark8755
    @mistermark8755 3 years ago

    Great video. It'd be nice if we had step-by-step videos on how to flash and set it up, and the tools to use; that would be ace for learners like myself.

  • @afx7696
    @afx7696 3 years ago

    You are Awesome 👏

  • @fredrikjaensson7350
    @fredrikjaensson7350 3 years ago +1

    Awesome. I'd love to get Zelda from the NES onto my Game & Watch😁👍

    • @fredrikjaensson7350
      @fredrikjaensson7350 3 years ago

      How can I get Zelda?

    • @Spelter
      @Spelter 3 years ago

      The problem would be the save states. If I understood him right, this is just a readable ROM that cannot save data, because it's loaded into RAM and when you switch it off, it's gone.

  • @TN_AU
    @TN_AU 3 years ago +11

    All the dislikes are from the security team over at Nintendo.
    Nintendo: Great job team, it's secure, they'll never hack this.
    stacksmashing: Hold my bowl of cereal.

    • @orchishgrunt7888
      @orchishgrunt7888 3 years ago +1

      Honestly, I feel like it's more that they wanted to crank out a fun portable device on the cheap. They weren't defeated; rather, people figured out a hundred other ways to have fun :)

    • @johnnymartini1072
      @johnnymartini1072 3 years ago +1

      Doesn't seem that they put much effort into securing it, to be honest.

  • @colt5189
    @colt5189 3 years ago +6

    I wasn't planning on getting this, as it doesn't have all of those original Game & Watch games on it. But I will probably get one to have when there is a way for the regular person to be able to easily put on those MAME Game & Watch recreated games on it. Thanks.

  • @traida111
    @traida111 3 years ago +1

    I'd love to see the developers' reaction to your video. I'm sure at some point there would be a "DAMN IT". haha

  • @bgw_thule
    @bgw_thule 3 years ago

    Plenty of geek points for you. Quite amazing what you are able to do "because you can".

  • @tijuanatacotoker
    @tijuanatacotoker 3 years ago

    I bought this hoping I'd be able to soft-mod it. Welp, so much for that! It's still gonna be cool pulling this from the inside pocket of my Mario Levi denim jacket :)

  • @alexandrohdez3982
    @alexandrohdez3982 3 years ago

    Great job... too many hours spent on this project... but you worked it out!

  • @Spyd77
    @Spyd77 3 years ago

    I was thinking that to use the USB plug for data purposes, the only thing needed was to wire the two data pins from the microcontroller to the USB connector, but I just read the datasheet for that microcontroller, and while it has USB 2.0 OTG capabilities, there are no pins for it in the 100-pin package version Nintendo used for the Game and Watch.
    What a pity.

  • @WhatsOnMyShelf
    @WhatsOnMyShelf 8 months ago

    What are those probes you connected to the through-hole points of the debug port?

  • @nathangitz2674
    @nathangitz2674 3 years ago

    Would love to see how people will preserve Super Mario Maker for the Wii U (yes, the Wii U) and Super Mario 35 (the eShop download)'s online functionality after March.

  • @dubernauta
    @dubernauta 3 years ago

    👏👏👏👏👏

  • @WilliamLDeRieuxIV
    @WilliamLDeRieuxIV 3 years ago

    I'm just going to take a stab in the dark, but....
    How difficult would it be to fix the USB data lines so that they work?
    (e.g. soldering the data lines to the proper pins on the CPU, etc., and modifying the firmware to allow communication)

  • @thetankie007
    @thetankie007 2 years ago

    Hi, I am trying to follow along and use this video as a guide to replicate how the encryption was broken. I am a little stuck at comparing the RAM vs ROM. I have downloaded the RAM at memory addresses 0x20000000, 0x240000000 and 0x30000000, but where did you find the original (unencrypted) ROM in memory? I have an original ROM and I cannot find this anywhere when comparing against the RAM snapshot. I have used your bitmap extraction program and I can see the frame buffer and get a nice picture of the video, but I can't find the unencrypted ROM. You seem to have one RAM file as well instead of 3? Did you just combine the 3 RAM addresses into one file? But mine still seem a lot smaller in size even when combined, compared to yours. (Although I am using the Zelda version Game and Watch.)

  • @Saghetti
    @Saghetti 3 years ago +1

    Nice thumbnail, NOP slide

  • @angeles2425
    @angeles2425 3 years ago

    Sander Van Der Wel Game & Watch backplate needs a pull-out stand.

  • @MizuhoChan
    @MizuhoChan 3 years ago

    Can you use a USBasp or USB Blaster for this?

  • @KSITREVS
    @KSITREVS 3 years ago

    You mentioned you were a trainer towards the beginning of the video. Could I get you to provide me with a little more information about this? Kind regards,

  • @Caolan114
    @Caolan114 3 years ago +4

    Got my Game and Watch for Christmas and yeah, it is limited as it is, but it's a nice size and I love playing Mario with infinite lives and being able to turn it on and continue any time,
    but Game Boy on this thing would be amazing!!

  • @TechMalaya
    @TechMalaya 3 years ago +1

    I thought that Nintendo already gave strikes to videos that promote Nintendo hacking.

  • @Pesthuf
    @Pesthuf 3 years ago +1

    I had no idea you could get the encryption key if you know both ciphertext and part of the clear text. Does this only apply to AES-CTR? Do you think it would have been possible to hack this if Nintendo had used authenticated encryption?

    • @stacksmashing
      @stacksmashing 3 years ago

      You can't get the encryption key, you can only get the XOR-stream that was generated by AES-CTR - hence the need to have a unique nonce.

    • @Pesthuf
      @Pesthuf 3 years ago

      I see. Does that mean that you could only replace the bytes that make up the ROMs (the cleartext that you know) in the flash? The streams differ in each block due to the counter, no?
      Did you later find the encryption key in the firmware dump?
      I also don't quite understand how this relates to IV reuse - did they not encrypt the entire flash in one go, but the ROMs independently, both times with the same key and IV and the counter reset to 0?
      I think I have some serious reading to do on encryption.

    • @RWL2012
      @RWL2012 3 years ago

      @@Pesthuf yes you do :P

    • @Pesthuf
      @Pesthuf 3 years ago

      @@RWL2012 Are the things I concluded wrong? If so, why?
      AES-CTR uses a different XOR stream for every block (128 bits) due to the counter being increased. And since he didn't have the encryption key, there should be no way for him to get the XOR streams for blocks outside of the plain texts he knows (the ROMs).
      And IV reuse can only be a problem if you encrypt two different messages with the same IV. I don't see how that applies here - the Flash is one single thing to encrypt. Or did they actually have a filesystem on there and encrypt every file with the same Key & IV?

    • @big0bad0brad
      @big0bad0brad 3 years ago

      @@Pesthuf All he needed was the plaintext he knew from RAM dumping - this allowed him to change the data in those areas, and one was enough to get control of code execution. But sometimes there are further attacks where you can brute-force specific areas, etc., so if you know something is running AES-CTR, you have the ability to flip individual bits if you know where you need to be trying to flip them. You can just flip a section until you get the right combination via some further effect, though it might take many attempts.
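The two encryption points raised in this thread, the CBC bit-flip propagation @Dogelition describes above and the CTR keystream recovery (keystream, not key; hence the need for a unique nonce) that @stacksmashing and @Pesthuf discuss above, as an added example that is not part of the talk or of any commenter's code. It assumes a toy 16-byte SHA-256 Feistel block cipher standing in for AES (only the mode arithmetic matters for these attacks, and that is the real CBC/CTR arithmetic), plus a made-up key, IV, nonce, flash layout and "ROM" bytes:

```python
"""Added example: CBC malleability and CTR keystream recovery (not from the talk).

The block cipher is a toy 16-byte Feistel permutation built on SHA-256, used only
so the file runs with the standard library. It stands in for AES and is NOT secure;
the CBC and CTR arithmetic around it is exactly what AES-CBC / AES-CTR do, which is
all these attacks rely on. Key, IV, nonce, offsets and "ROM" bytes are made up.
"""
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher (assumption: any keyed PRF works here).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, pt: bytes) -> bytes:
    l, r = pt[:8], pt[8:]
    for rnd in range(8):                      # 8-round balanced Feistel network
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, ct: bytes) -> bytes:
    l, r = ct[:8], ct[8:]
    for rnd in reversed(range(8)):            # same rounds, run backwards
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))   # P_i = D(C_i) XOR C_{i-1}
        prev = c
    return b"".join(out)


def cbc_tamper(key: bytes, iv: bytes, pt: bytes, block_idx: int, mask: bytes) -> list:
    """XOR `mask` into ciphertext block `block_idx`; return the changed plaintext indices.
    Block `block_idx` decrypts to garbage, block `block_idx + 1` changes by exactly
    `mask` at the masked positions, and every later block is untouched."""
    ct = bytearray(cbc_encrypt(key, iv, pt))
    s = block_idx * BLOCK
    ct[s:s + len(mask)] = xor(ct[s:s + len(mask)], mask)
    pt2 = cbc_decrypt(key, iv, bytes(ct))
    return [i for i in range(len(pt)) if pt[i] != pt2[i]]


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block j = E(nonce || j); encrypt and decrypt are the same XOR."""
    ks = b"".join(block_encrypt(key, nonce + j.to_bytes(4, "big"))
                  for j in range(-(-len(data) // BLOCK)))
    return xor(data, ks)


def recover_keystream(ct: bytes, known_pt: bytes, offset: int) -> bytes:
    """Known plaintext (e.g. a ROM dumped from RAM) at a known offset of the encrypted
    image yields the keystream there: ks = ct XOR pt. Never the key, and only over that span."""
    return xor(ct[offset:offset + len(known_pt)], known_pt)


def forge(ct: bytes, offset: int, new_pt: bytes, ks: bytes) -> bytes:
    """Re-encrypt chosen bytes under the recovered keystream (only inside the known span)."""
    if len(new_pt) > len(ks):
        raise ValueError("no keystream known beyond the recovered span")
    out = bytearray(ct)
    out[offset:offset + len(new_pt)] = xor(new_pt, ks[:len(new_pt)])
    return bytes(out)


KEY, IV, NONCE = b"K" * 16, b"I" * 16, b"N" * 12                # made-up constants
FIRMWARE, ROM = bytes([0xAA]) * 32, bytes(range(0x10, 0x30))    # made-up flash layout


def demo():
    changed = cbc_tamper(KEY, IV, bytes(range(64)), 1, bytes([0x80, 0x80, 0x80]))
    image = ctr_crypt(KEY, NONCE, FIRMWARE + ROM)   # "encrypted flash", ROM at offset 32
    ks = recover_keystream(image, ROM, 32)
    patched = forge(image, 32, b"PATCHED!", ks)
    # Nonce reuse: the same keystream strips a second image made with the same key/nonce.
    other = ctr_crypt(KEY, NONCE, b"Z" * 64)
    return changed, ctr_crypt(KEY, NONCE, patched)[32:40], xor(other[32:64], ks)


if __name__ == "__main__":
    changed, plain, leaked = demo()
    print("CBC plaintext bytes changed:", changed)
    print("CTR forged bytes decrypt to:", plain, "| nonce-reuse leak:", leaked)
```

The CBC part reports at most 16 + n changed bytes for an n-byte edit, as the correction above states; the CTR part shows why the keystream alone is enough to patch the span you hold plaintext for, and why it is useless one byte past it.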

  • @davegsm82
    @davegsm82 3 years ago

    @stacksmashing - do you know if anyone has considered swapping the SPI flash for a Micro-SD card? The SPI protocol is the same as basic SD-card I/O. Fairly sure you could make a removable storage solution like this to store multiple games.

    • @stacksmashing
      @stacksmashing 3 years ago +1

      Couple of issues with that:
      - SDIO is 3.3V, so it would need level shifters
      - A lot of microSD cards do not support that protocol anymore
      - The memory-mapped mode only works with SPI flash :)

    • @davegsm82
      @davegsm82 3 years ago

      @@stacksmashing interesting, every

    • @0xbenedikt
      @0xbenedikt 3 years ago +1

      @@davegsm82 He didn't mean that the voltage levels of the G&W could damage the micro SD card, but rather they are too low to be properly registered by the micro SD card's input circuitry.

  • @RobinLegacy
    @RobinLegacy 3 years ago

    Can we have some links to the hardware required to hack it?

  • @nonplayercharacter596
    @nonplayercharacter596 3 years ago

    Brevity is the soul of wit

  • @Some-guy-on-the-internet

    Would it be possible to add a headphone jack to the Game & Watch?

  • @jeremyfortunethe1st
    @jeremyfortunethe1st 3 years ago

    It must kill someone to see their code ripped open and molested like this! Great work

  • @PowerPandaMods
    @PowerPandaMods 3 years ago

    The Mario romhacking community is one of the oldest and the largest, with a ton of hacks on SMB1. So, my question is, is it possible to run these without loading an emulator? For example, could you load a Mario Romhack on top of Ball? I personally want to load "Super Mario Bros Special for NES", an NES conversion of Hudsonsoft's SMB Special.

  • @tenchuu007
    @tenchuu007 3 years ago

    I can't wait until the RAM change is pretty much all you need to do to get it running emulators. Really the device just needs to emulate all NES and Game and Watch games and it's perfect.

  • @z0rrer0
    @z0rrer0 3 years ago

    Can you play MAME games on this machine?

  • @przemysawchwaszcz2318
    @przemysawchwaszcz2318 3 years ago

    Where can I buy a 16MB chip to replace the 1MB one? Any website?

  • @retrodoodmanx7161
    @retrodoodmanx7161 3 years ago

    Take your time, man. Make it a better system.

  • @renakunisaki
    @renakunisaki 3 years ago +1

    Plot twist: Ninty's putting out these cheap retro consoles to evaluate the security flaws in their designs before using them in future devices.

  • @benecosi2021
    @benecosi2021 3 years ago +9

    What are u doing? WHAT?
    Never. EVER. Blow in the cartridge.

  • @ZipplyZane
    @ZipplyZane 3 years ago

    Why do you think Nintendo went with RDP protection level 1 instead of 2? They seem to have gone to more rep how this time to try and prevent hacks, so why not lock it down completely?

    • @0xbenedikt
      @0xbenedikt 3 years ago

      I'm not entirely sure if RDP level 2 completely disables the debug port or just additionally locks RAM, but if it disables the port, leaving it at level 1 might help them to either fix bugs in unsold stock by allowing its reflashing (very unlikely), or allows them to debug issues with the product in the field to mitigate them in a later batch (more likely).
      They were probably not very concerned with this device getting hacked, as it does not contain much IP that was not already shared everywhere on the internet. And also since there are no new games to buy for it, as well as no internet connection, it getting hacked would neither affect sales nor their infrastructure so wouldn't be any concern to them.
      Encrypting the flash was most likely just to make it not too easy to just dump the ROM, but not to affect the performance and requirements on the CPU too much.

    • @ZipplyZane
      @ZipplyZane 3 years ago

      @@0xbenedikt I understand the idea of leaving themselves a way to debug. However, if they don't care about it being hacked, then it would make sense to me to not bother with RDP at all (leaving it at 0), so it would be easier to debug. It seems they thought putting it on 1 would deter hackers in some way. I suspect they just underestimated programmer abilities, like they did back on the Wii U, thinking indie games wouldn't sell.

  • @KYBlueJedi
    @KYBlueJedi 3 years ago +1

    0:17 NNNNNOOOOOOOOOOOOOOO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  • @alejandroalzatesanchez

    Why the blur? NINTENDO, DON'T EVEN THINK ABOUT IT!