The New Nintendo Game & Watch Is Certainly Some Hardware We'll Be Keeping a Watchful Eye On!
Hacking the Nintendo Game & Watch — the day before release? @ghidraninja has done just that!
You have to hand it to Nintendo, they know their market.
I mean, look at the competition. Sony and Microsoft both seem set on squeezing the latest silicon into their offerings — with the size of games consoles this year looking to overshadow the Christmas trees they might sit under... Indeed, the Microsoft Marketing Meme Team have even capitalized on that fact to great effect!
Next-gen consoles with eye-watering performance, graphics, and indeed price tags, have stolen much of the spotlight when it comes to the marketing that makes it onto many of our screens — or at least in my case, where I was only just the other week made aware of the new, but oh so familiar looking fun from Nintendo: the Game & Watch: Super Mario Bros.
While I'm not quite young enough to understand what a TikTok is, I'm also not quite old enough to have experienced the Game & Watch in its original incarnation.
Originally released in 1980, the Game & Watch was the brainchild of Gunpei Yokoi — the legendary Nintendo employee, often credited with the creation of the iconic Game Boy.
Preceding the Game Boy by many years, the original Game & Watch devices were a far simpler affair, usually containing a single game that could be played by users, and a secondary function — as the name implies — of a clock. With a monochrome LCD display, a four-bit Sharp SM5xx CPU, a small amount of ROM/RAM and an LCD driver, there really wasn't much to these devices.
Despite the simplicity, they were phenomenally popular, with customer demand soon sparking subsequent releases of different game titles and even hardware formats — a total of 59 consumer-available variants, with an ultra-rare 60th version of the hardware released to a fortunate few.
Fast forward 35 years, and Nintendo has decided that the G&W could do with a lick of paint, amongst other goodies, and have released a limited run of the G&W, featuring the full NES versions of Super Mario Bros. (1 & 2)!
This modern day Mario Bros. hardware release has a few more tricks up its sleeve than a fancy new coat of paint — and in this part of town, you can be sure that a few people have already made some considerable efforts towards cataloging the new circuitry contained within this red and gold clamshell casing.
The most prominent efforts seen so far on my radar have come from Thomas Roth (stacksmashing / @ghidraninja), who managed the impressive feat of injecting custom ROM content into the device, the day before it was released for general sale!
To get a feel for what the implications of this are — and the potential possibilities it might allow — we can follow along with his Twitter thread, where he gives us a great insight into just what has gone into the new system.
Removing the rear half of the case quickly reveals the entirety of the console circuitry — there aren't any parts hidden away on the underside of the PCB — so what you see here is what you get. What, then, can we see?
First and foremost, our eyes are drawn to the largest IC present on the PCB, an STM32H7B0 32-bit Cortex-M7 from STMicroelectronics. It's no surprise to see ST here — we've previously seen three separate ST MCUs in the Switch console, so there's obviously a strong partnership here!
This looks like a solid choice for any application with a display in the design spec — with a maximum clock speed of 240 MHz, and more memory (and types thereof) than you can shake a stick at, there's more than enough resource available to make the most of the integrated TFT LCD controller.
"The STM32H7B0 Value line provides 128 Kbytes of Flash memory, 1.4 Mbytes of SRAM with a scattered architecture: 192 Kbytes of TCM RAM (including 64 Kbytes of ITCM RAM and 128 Kbytes of DTCM RAM for time-critical routines and data), 1.18 Mbytes of user SRAM, and 4 Kbytes of SRAM."
Whereas the on-chip memory capacity of the STM32 might already seem sufficient for running some SNES emulation, the actual content of the game ROM is stored elsewhere...
A good candidate for that is the SOICW-8 device situated next door to the MCU, with package markings that identify it as a Macronix 25U8035 32 Mbit SPI flash device.
While the STM32H7 has more than enough space to store the original contents of the game ROM data, keeping things on an external memory not only can simplify programming in some cases, but also means there is a real possibility that we might see some other titles released, based on the same hardware we see here.
With a dump of the flash in hand, Roth is able to conclude that while this is a good candidate for the ROM data, it appears to be encrypted or compressed in some fashion.
Encryption might seem like a dead end for enthusiasts looking to explore the possibility of running custom code on the device. However, Roth was able to overcome this potential showstopper with an observation of how the system managed its code execution.
Getting some SWD
Cortex-M MCUs will generally have some form of programming and debug interface exposed on the PCB, and this is increasingly commonly implemented as the SWD (Serial Wire Debug) interface. With the same functionality as JTAG, but fewer pins, it offers all the features one might want when poking around inside a device.
While designers can choose to implement levels of device protection, and can lock out certain functions — as Nintendo has done — to prevent dumping of the internal flash, the level of protection set on the Game & Watch's STM32 still enables Roth to dump out the RAM of the device once it has booted.
With a dump of the system RAM, Roth tests a hunch, searching the data for known strings contained within the original Super Mario Bros. ROM to check for any matches.
Bingo. Further probing of the RAM data led to the discovery of both versions of the SMB ROMs located at specific offsets in memory, and some suggestively patterned data that Roth suggests resembles image data.
With a little bit of Python scripting, he is able to parse the RAM dump taken, and from that, decode and reconstruct the framebuffer currently being drawn!
While this is more of a demonstration of the sort of data you can glean from such an interface, having access to the system RAM can give you access to the unencrypted data that has been read in from the external flash. You can see where this is going...
Having tested that changing a few bytes within the flash doesn't stop the system from booting, he concludes that there isn't much going on in the way of validation of the flash image: the contents may be encrypted, but their integrity is not being checked.
Armed with this knowledge, a few more iterations of byte substitution in various locations show signs of a deterministic relationship between the bytes changed in flash and the affected data in RAM.
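As an added illustration of the two RAM-dump checks described above (this is not Roth's own script): search a dump for a byte pattern known from the original ROM, then diff a baseline dump against one taken after a small flash modification to see where, and how locally, the change lands. The dump contents, offsets and marker string are all constructed placeholders, not the real Game & Watch memory layout.

```python
"""Added example, not Roth's code: RAM-dump marker search and before/after diff.
Every value below is constructed; nothing reflects real Game & Watch offsets."""
import re

# Constructed stand-in for a byte string known to exist in the original ROM.
KNOWN_ROM_MARKER = b"KNOWN-ROM-MARKER"
DUMP_SIZE = 0x4000  # constructed; far smaller than the STM32H7B0's real SRAM


def find_markers(dump: bytes, markers: dict) -> dict:
    """Return, per marker name, every offset at which that byte pattern occurs."""
    return {
        name: [m.start() for m in re.finditer(re.escape(pat), dump)]
        for name, pat in markers.items()
    }


def diff_dumps(before: bytes, after: bytes) -> list:
    """Offsets at which two same-length RAM dumps differ."""
    if len(before) != len(after):
        raise ValueError("dumps must be the same length to compare byte-for-byte")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def changed_regions(offsets: list) -> list:
    """Collapse ascending offsets into [start, end) ranges.

    If a single-byte flash change always lands in one small RAM region rather
    than scattering across the image, the flash-to-RAM transform is
    deterministic and position-dependent; that the modified image was loaded
    at all is what tells you no integrity check rejected it.
    """
    regions = []
    for off in offsets:
        if regions and off == regions[-1][1]:
            regions[-1] = (regions[-1][0], off + 1)
        else:
            regions.append((off, off + 1))
    return regions


# Constructed sample dumps: a "normal boot" baseline and one taken after a
# pretend one-byte change in flash that shows up as a 16-byte change in RAM.
_base = bytearray(DUMP_SIZE)
_base[0x1000:0x1000 + len(KNOWN_ROM_MARKER)] = KNOWN_ROM_MARKER
BASELINE_DUMP = bytes(_base)
_mod = bytearray(BASELINE_DUMP)
_mod[0x2000:0x2010] = bytes(range(1, 17))
MODIFIED_DUMP = bytes(_mod)

if __name__ == "__main__":
    print(find_markers(BASELINE_DUMP, {"smb_marker": KNOWN_ROM_MARKER}))
    print(changed_regions(diff_dumps(BASELINE_DUMP, MODIFIED_DUMP)))
```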
Roth does a great job of explaining how he was able to discern the encryption used to protect the contents of the flash, but more importantly, demonstrates that he is able to use this knowledge to encrypt his own custom ROM data, such that it is successfully loaded by the STM32 and run without issue!
Hacked! But what about the rest of the hardware?
Well, there's not actually too much to harp on about with the rest of the Game & Watch hardware. It's true to its heritage as an affordable platform, and even this modern day implementation keeps it simple.
The USB-C connector, which looks like it can take a bit of abuse, is a power-only affair — it's not connected to the STM32, but I'm sure that is probably just a matter of time...
Speaking of power, it's just about possible to make out a Texas Instruments BQ2407x Lithium-ion charger, which is a self-managed device — again, keeping the design as simple as possible. With built-in power path functionality, it means that it can supply system power while simultaneously charging the battery.
To the right of the above shot, we can pick out what is likely a buck/boost DC-DC converter just underneath the curve of the battery wiring, potentially paired with what looks like an external FET switch, to the right of that block. To the bottom right of that image, we've got what looks like an LDO, probably somewhere down in the 1.8V range.
These, like the DSBGA-packaged speaker amplifier found on the right hand side of the PCBA, are all pretty hard parts to ID, so that's where we'll leave the overview. Hopefully we'll see some more fun hardware hacks coming over the holiday season!