Elvis Cartridge has been hacked (updated: Article is on the way)

RetroPlayer

Sevik,

Of course. I don't know what I was thinking. It would be used with the ALE and CLE, not just data to be stored. I was forgetting about the multiplexed bus for some reason.

Awesome document, BTW. Thanks!

Any thoughts on which finished flash reader mod article you guys would like to see? I know most of you discussing this with me on this thread could probably just do it on their own already, but I am thinking for everyone else.

RetroPlayer

I just ordered a second bust from Newegg. For one, I don't know how much longer these will be on the market. And second, it would be nice to have a second head to keep together to test things out, while having the other one hooked up on my workbench.

BTW, newegg.com has the busts for $69 with free 2-day shipping (in the US) and this is the cheapest price I have seen.
http://www.newegg.com/Product/Product.aspx?Item=N82E16882639003

If you are going to get one, that's probably the lowest it will go and prices like that probably mean it has reached the end of its market life. I paid $300 for the first one that was a Christmas gift for my mother and mine was $99+$20 shipping in March.

Eh, who knows, maybe the retailers will start dropping them in the bargain bins even cheaper, but $70 is good enough for me.

RetroPlayer

If you want to make your life easier, grab one of these:

http://www.epboard.com/eproducts/memadapter.htm#xD-PictureCardtoDIPAdapter

EXD-0015: xD Picture Card to DIP18 adapter w/connector

The SmartMedia pins are bigger, but they alternate, making it confusing when wiring everything up. The xD pins are almost straight through, but they are very tiny.

30 gauge wirewrap wire just ends up snapping off. I was able to wire up an xD socket using 24 gauge stranded wire, but let me tell you; it isn't pretty and not exactly stable.

$35 + Shipping for the adapter, but if I had known up-front that I was going to find a FAT formatted volume on the cartridge, I would have bought only one reader and one of these. You get the benefit of the research! :)

Anyway, I got the xD socket hooked up to the main board, copied over the files from the cartridge, modified them a bit strategically... and then realized that I have absolutely no idea where the remote is. And since the remote is required to enter Song or Monologue mode, I am not going to be able to test him out yet. I should get my second Elvis bust either tomorrow or Wednesday and will use that remote. The TSOP48 adapter for my programmer probably won't be here until next week. This will hopefully give me enough time to play with modifying the animation scripts and having them decoded by this weekend.

In case you think I am making this all up :) I put a picture in the gallery.

Currahee

What does it do?

RetroPlayer

What does what do, Currahee? The adapter in the link?

It has the xD card socket on a board that brings out the pins so they are easier to solder to. I have an expensive soldering station, and it is still very difficult to solder wires onto the tiny contacts. I would like to come up with something to make this more doable for the average hacker.

========================================================
epBoards just refunded my money and said they do not have them in stock at the moment... darn it...

But, I did get the tsop48 adapter and the xD reader today... I made myself promise not to pull the flash until I finish decoding the animation scripts. That is all that is left to finish up that level of mod. Modifying the cartridge to make Elvis move and talk as another character is probably enough for most people.

The rest of the hacks after that will be much more advanced and fewer people will want or have the capability to do them. Well, unless I can come up with some easier ways. It depends on what I discover from reading the flash and pinning out the CPU board completely.

RetroPlayer

I know most people are waiting for me to complete this, but for anyone planning to follow in my tracks right now; give me until this weekend before you do anything. The pinouts and such that have been listed work, but not without some twisting things around.

I will get everything synchronized so that it is clearly understandable and can be followed. Hopefully by this weekend, I will also have the animation scripts sorted out. I'll then write something up so that you know what you need to get and what you need to do. Let me make the mistakes, so you don't have to! :)

So, hang in there. Hooking things up wrong might cook your Elvis.

I have been thinking about what the most convenient and universal hack would be for most people and I think hacking the cartridge or making a new cartridge would be the simplest and most convenient. I have lost a lot of parts to my first Elvis including the cartridge housing. But, when I get the new Elvis bust, I will be modifying the cartridge and putting an xD socket on that. I was originally thinking of cutting out a slot in the base to install the socket somewhere, but for those people that don't want to open their Elvis, but just want to do the custom behavior, this would probably be best. Then they only need to tear apart an xD reader for the socket and the original cartridge. The only downside is that they will not have the original cartridge contents if they want them... unless they also wire it up like I did originally to the remainder of the reader to get them before doing the mod. I will not be posting the files anywhere. If I do, it will draw negative attention to what we are doing and probably put an end to our efforts. At the very least, I am sure that the MP3s are licensed. It wouldn't be any different than me ripping a music CD and sharing it with everyone. If you want to keep the original contents, that will have to be your responsibility. I will show you how to extract them in the article.

When I get the new Elvis, I will be documenting the mod (including videos) with step by step instructions from the beginning as someone following along would. This new bust will only get the finished mods and the old one will become Frankenstein, the guinea pig, to test everything out. That way if I break something, I only have to repair one.

Heh... maybe I should redo that head literally as a Frankenstein monster!

Currahee

thanks Retro Player

RetroPlayer

Looks like the new Elvis will be arriving today. I won't be able to work on him much as I have to meet with a client. I have 'reset' myself a little bit. I have been working too many angles at once and I am going to end up being too far to document the mod clearly. So, one thing at a time now...

When I get the new Elvis, I need to document pulling the existing data off the cartridge for those that want to back up their cart.

I will take apart the cartridge and install an xD socket. I found a better way based on an article I found on modding the Mattel Juicebox, but had to order a part, so by the time I get the article up, it will show the easier, better way of doing it. I really think soldering directly to an xD socket is going to stop a lot of people from wanting to do this project.

OK, after making my new cart, I will begin decoding the animation scripts, try out different MP3s and try to determine if one of them is used to halt playback. Also, I need to determine if the songs and monologues play in order. Basically, everything I can find out about the behavior of the cartridge. This will help us optimize its usefulness. I think a great complementary project would be to decode the remote signals and find out how to emulate them from a PC. At that point, we should have an acceptable level of control over the Elvis before beginning the next level of modifications. And most people would actually be fine with stopping there. It would be useful at that point for pre-recorded displays such as a Halloween prop. And with enough recorded animations, you might even be able to offer some level of interactivity with assistance (human or computer control.) If the animations could be called at random, that would be golden. But I don't see how that would be possible. We'll probably be lucky if they even play sequentially instead of randomly.

RetroPlayer

Added some new pictures to the gallery. I only had a few minutes to mess with this today, so what you see is as far as I have gotten. I have the measurements and fitting all figured out, and will hopefully be able to get it put together tomorrow morning after work. Then, finally, I can properly test out Elvis and work on decoding the animation scripts.

RetroPlayer

I played with his stock functions and here's what I found:
The songs and monologues are played in order. But... he goes into his little quips in between songs or monologues. Usually too fast to jump to the next clip.

Maybe this has to do with the files that end in FF or not? I'll add this to my list of things to check. Hopefully there is some correlation and it is not random, because this really messes up the illusion of putting him into a different character.

With no cartridge in him, there are 14 autonomous clips.
His mouth doesn't open during sing-through mode, he just bops to the music. Occasionally he sneers.

There are different random clips in the different modes other than autonomous, as well as clips interacting with mode changes. I think I caught 5 random clips in the various modes.

For the 14 clips in autonomous mode and without the cartridge, they play in sequence from start up, but then they are random after that.

I do notice his eyebrows moving either individually or together. I didn't notice his upper lip moving on both sides at the same time.

More later (tomorrow)

RetroPlayer

Since it seems that everybody has abandoned this thread... I'll talk about something else while I am waiting to finish this.

My "for pay" project coming up will be to design a helicopter cockpit that will be part of a traveling Coast Guard Rescue exhibit. It is designed for children, so it isn't meant to be realistic. But will have lots of buttons, dials, switches, audio clips, noises, blinky lights, and LCD screens all made interactive. Also lots of little secret combinations and "easter eggs" for them to discover. Maybe a moving part here and there, but we want to keep that to a minimum.

I believe it will be going national (not 100% sure - I work indirectly for the customer), so watch for it in your town. Everything electronic in there will be my work. :)

Now, off to my real job.

sevik

:)) It's not abandoned :)) Be sure many people read this thread...

But writing something and doing real work are completely different things :))

Now you are in the research stage and there is not much room to help you :)) When something twists and blinks and there is an easy way to follow your work, many more people will be actively doing something :))

I have stats about the Robopanda hacks thread: each day approx. 10 people read it :)) But only milw really writes something :))

RetroPlayer

Thanks, Sevik, I was feeling a little lonely in here. :) Things have been incredibly slow. I wish I had a decent electronics distributor nearby, so I didn't have to order anything, but there just aren't that many people interested in electronics around here. Even the RadioShack in town (major national retailer) stopped carrying parts long before the rest of the country did. There was a pretty cool surplus electronics place in town about 12 years ago, but they went the way of the dodo bird.

I usually order at least 5x whatever quantity I need of a part for this reason. Chances are that if I needed it once, I will need it again. I have literally hundreds of thousands of parts, but of course, every project there will be something I didn't think of or use before.

============================================================================
Right now, I am pretty concerned about the usefulness of this hack on its own. When he is first powered on, before accepting any commands from the remote he will say "Hello ladies and gentlemen," "Hello, darling" (after looking off to the side and winking). These actions are not on the cartridge, but built in. And then there is the fact that he mixes in random actions in between monologues and songs, seemingly without any chance to stop him. It looks like to be really effective, his main flash is going to need to be modified. Maybe all of his random quips could be moved off to the cartridge.

Anyway, this is where I am going to need lots of help (4mem8, you listening?) Once we get the mods in place, there will need to be a lot of testing to determine the limits of what we can do at this level of modification. There may be ways around them (except the startup actions.) Also, the remote is really going to need to be decoded. I can sample all of the IR codes and figure out what they are, and hopefully I can write some code and make some hardware to test out all possible combinations to see if there are any hidden commands.

Before leaving for work tonight, I took the jacket off the new Elvis (I hate the jacket) and removed the rubber cap on the power jack (I hate that too.) Then I tried to remove the IR sensors from the jacket. Man, they are glued on big time!! I think it is just lots of fabric hot glue, so maybe my heat gun will help get them out. Either that or I will just cut the wires and make a new circuit. I think I have all the parts.

Finally, I think that the modified cartridge is going to turn out looking pretty good. The cartridge hangs out of the back about 9mm which means that when I cut the top off the cartridge to fit the xD socket in, there should be plenty of room. There should also be plenty of room for the "other" way I found to do this that will be easier for people to do that do not have the equipment that I have. And I found my other cartridge housing, so I can do a tut on that method, too. But, I won't be getting the part until Friday.

Stay tuned! Sorry, it's taking so long.

sevik

When you have the firmware image on hand, there may be some firmware upgrade/bootloader mode like in Canon cams, where the presence of a file with some magic filename triggers loading of that file instead of the main firmware.

See http://chdk.wikia.com/wiki/FAQ

It's not directly applicable of course, but some likely possibilities may exist. Something like replacing the main script, default WAVs, etc.

RetroPlayer

Hopefully by this weekend, Sevik. I didn't want to paint myself into a corner by messing with something like that before I finished decoding the animation scripts. I have already had to undo some stuff I have done because I was getting ahead of myself.

I suppose now that I have two busts, I can probably pull the flash off the older one. I might talk myself into doing it today while I am preparing the cartridge mod. Especially seeing that the usefulness of the cartridge hack alone is pretty limited without modifying the main flash.

It would be great if there was a bootloader in there. Keep in mind that there is no guarantee that there is firmware code on that flash. All of the Sunplus MCUs that I can find the datasheets for have built-in flash and RAM. And there is no RAM on the main board, so at least we know the internal RAM is being used. Also, it is only a 4MB flash and two of the address lines don't appear to be connected, so it is using even less than that. So, I am really only expecting to find audio and animation scripts in that flash.

I hope there's more, but I am not going to get my hopes up too high.

Maybe, just maybe, they put a bootloader in the built-in flash and the main program in the external flash.

There is a serial eeprom on the board, but I bet that is configuration code for the MP3 decoder. I'll read that off, too. My time is becoming a little more limited, but hopefully I can get all this done by the end of the weekend. I should have everything I need now.

RetroPlayer

Added pictures of the modified cartridge and the process of doing it. I have not soldered it up yet. I have to settle my nerves a little before attempting that. I did put the capacitors back on, though. You can't see them in the pictures.

I think I am going to go pull the flash off the older main board and attempt to dump it. I can use my hot air iron for that. :) Not that most people have one of these, but it is awesome for removing parts. Too awesome sometimes. If you ever get to use one, mask off the part you want to remove with tin foil surrounding it to make a heat sink. Otherwise you will end up with little resistors and caps flying all over the place.

RetroPlayer

I had the two jumpers (J79 and J80) wrong. They are going to NC on the 29LV400. They are meant for accommodating bigger flash chips (these would be address lines in a bigger chip.) So, the full 512KB of flash is available to the CPU.

Added some more pictures to the gallery. Some of these will be used for reference in later mods.

RetroPlayer

Well, I have dumped the main board flash. I can see the MP3s and animation scripts in there. They look the same as those files on the cartridge.

Oddly, I extracted the first MP3 and it is a Japanese voice saying "play." That's it... I'll continue extracting the files and documenting their offsets and lengths. That's going to be tedious. But at least it's not encrypted.

I haven't stumbled across anything that looks like code yet, but I just started digging.

RetroPlayer

OK, found some code. The first 64K is filled with MP3s and animation scripts (actually, not filled, there is a lot of zero space; I extracted the first 6 files and they were all small clips with what sounds like a Japanese or Chinese accent.)

Some code starts at 65536 (0x10000). The flash used in this has 64K sectors, so that makes sense to put things right on the boundaries.

RetroPlayer

Looks like everything is on nice, clean 64K boundaries. This should make extracting all the pieces much easier. The second 64K sector has what looks like two pieces of code and some type of data table. I can see the strings for the file name prefixes to look for on the cartridges.

sevik

It looks suspicious that the code is located on the second block... is it possible that the address lines of the flash are traced on the PCB not according to the pinout but in some other order?...

but the contents of the first block and blocks 3-7 look similar: MP3s first, animations second, zeroes last...

RetroPlayer

Hmm, lots of hidden MP3s on here. The first 64K is all several Japanese words and then some test tones, one for each stereo channel and then one for both channels.

There are some jokes on here and some poor quality recordings that probably didn't get used because they didn't sound right.

There's the "Is that a peanut butter and banana sandwich" quip that I have never heard, and it sounds like the voice actor is laughing while saying it.

sevik

MP3s are placed on 8-byte boundaries; given the 0x7FFFF flash size, that is a good match for a 16-bit CPU...

RetroPlayer

I was worried about that, but I doubt it. The MP3s play back fine when extracted. If you just change the filename to .mp3, you can listen to all of the mp3s in the flash.

RetroPlayer

There are lots of MP3 files without any ID3 tag or TAG headers. I can see the frames, but I don't know enough about the MP3 format internals to know how to separate them. The headerless ones look like the main ones that we want to modify.

RetroPlayer

It does look like the only code in the flash (if it is actually code) is in that second 64K sector only. Sevik, if you look at it, you can see the song, cosong, mono, and songna strings in plain ASCII. These are all the file prefixes from the cartridge. The data table must be offsets to the MP3s and animation scripts. And the Asian words and test tones indicate that there must be a way to activate a test or debug mode.

I changed that to "Asian" because I only know a little Japanese and I don't recognize any of the words. The accent sounds Japanese to me, but this was developed in China from what I understand. If anyone knows Chinese or Japanese well, PM me.

sevik

Yes, I see filename prefixes.

But I can't find index for mp3s and animations... Seeking...

sevik

There is an animations index at 0x1A47A with start_address/2.

RetroPlayer

Sevik,

Are you sure about that offset? It drops me in the middle of data with similar stuff around it. If so, how in the heck did you figure out that was an index? It's right in the middle of everything else.

RetroPlayer

This is what I see:

0001A440 0600 D8F7 0600 69F8 ......i.
0001A448 0600 69F8 0600 5AF9 ..i...Z.
0001A450 0600 5AF9 0600 7BFA ..Z...{.
0001A458 0600 7BFA 0600 6CFB ..{...l.
0001A460 0600 6CFB 0600 BDFC ..l.....
0001A468 0600 BDFC 0600 0EFE ........
0001A470 0600 8D4A 0300 AE4B ...J...K
0001A478 0300 AE4B 0300 8F4D ...K...M
0001A480 0300 C150 0300 A255 ...P...U
0001A488 0300 A255 0300 835A ...U...Z
0001A490 0300 835A 0300 645F ...Z..d_
0001A498 0300 645F 0300 4564 ..d_..Ed
0001A4A0 0300 4564 0300 2669 ..Ed..&i
0001A4A8 0300 2669 0300 076E ..&i...n
0001A4B0 0300 076E 0300 E872 ...n...r
0001A4B8 0300 5C4A 0300 8D4A ..\J...J
0001A4C0 0300 0EFE 0600 47FE ......G.
0001A4C8 0600 E872 0300 A973 ...r...s
0001A4D0 0300 DA73 0300 0B74 ...s...t
0001A4D8 0300 A973 0300 DA73 ...s...s
0001A4E0 0300 0B74 0300 3C74 ...t..
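An added sanity check for the index claim above (this is not code from the thread or from any of its participants): it parses hex-dump rows in the format posted, reads each entry from 0x1A47A as a 32-bit little-endian value (an assumption; the dump only shows 16-bit groups), undoes the start_address/2 that sevik reported, and flags entries whose resulting byte address cannot lie inside the 512 KB 29LV400 (top address 0x7FFFF). The sample input is a slice of the posted dump embedded as constructed test data; the 4-byte stride and the dict-based memory image are choices of this example.

```python
import re
import struct

# Constructed sample input: rows copied from the dump posted above, starting a
# little before the reported index offset so the first entry lands on 0x1A47A.
FLASH_DUMP = r"""
0001A470 0600 8D4A 0300 AE4B ...J...K
0001A478 0300 AE4B 0300 8F4D ...K...M
0001A480 0300 C150 0300 A255 ...P...U
0001A488 0300 A255 0300 835A ...U...Z
0001A490 0300 835A 0300 645F ...Z..d_
0001A498 0300 645F 0300 4564 ..d_..Ed
0001A4A0 0300 4564 0300 2669 ..Ed..&i
0001A4A8 0300 2669 0300 076E ..&i...n
0001A4B0 0300 076E 0300 E872 ...n...r
0001A4B8 0300 5C4A 0300 8D4A ..\J...J
0001A4C0 0300 0EFE 0600 47FE ......G.
"""

FLASH_SIZE = 0x80000    # 29LV400 = 512 KB, so 0x7FFFF is the last byte address
INDEX_OFFSET = 0x1A47A  # animation index offset reported in the thread
ENTRY_SIZE = 4          # ASSUMPTION: one 32-bit little-endian value per entry

# offset, then 1..4 groups of four hex digits; the ASCII column is ignored
ROW_RE = re.compile(r"^([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{4}){1,4})")


def parse_dump(text):
    """Turn hex-dump rows into a {byte_offset: byte_value} memory image."""
    mem = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, b in enumerate(bytes.fromhex(m.group(2).replace(" ", ""))):
            mem[base + i] = b
    return mem


def decode_index(mem, start=INDEX_OFFSET):
    """Walk entries from `start` until the dump runs out, undoing the /2."""
    entries, off = [], start
    while all(off + i in mem for i in range(ENTRY_SIZE)):
        raw = struct.unpack("<I", bytes(mem[off + i] for i in range(ENTRY_SIZE)))[0]
        byte_addr = raw * 2  # stored value is start_address/2 per the thread
        entries.append({"entry_offset": off, "raw": raw,
                        "byte_address": byte_addr,
                        "in_flash": byte_addr < FLASH_SIZE})
        off += ENTRY_SIZE
    return entries


def summarize(entries):
    """Return (entries inside the 512 KB flash, entries pointing past 0x7FFFF)."""
    inside = sum(1 for e in entries if e["in_flash"])
    return inside, len(entries) - inside


if __name__ == "__main__":
    table = decode_index(parse_dump(FLASH_DUMP))
    for e in table:
        flag = "" if e["in_flash"] else "  <-- past 0x7FFFF, not this chip"
        print(f"{e['entry_offset']:06X}: 0x{e['raw']:06X}*2 = 0x{e['byte_address']:06X}{flag}")
    print("inside/outside flash:", summarize(table))
```

Entries whose high word is 0x0006 double to addresses above 0x7FFFF, so under this reading they cannot point into the dumped chip; that is the kind of discrepancy worth settling before trusting the table as an offset index.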
