Elvis Cartridge has been hacked (updated: Article is on the way)

RetroPlayer

Or, did you mean all of this:
0001A11C 0400 A01A 0400 A01A ........
0001A124 0400 8C34 0400 8C34 ...4...4
0001A12C 0400 CC4B 0400 CC4B ...K...K
0001A134 0400 986A 0400 986A ...j...j
0001A13C 0400 587A 0400 587A ..Xz..Xz
0001A144 0400 D09B 0400 D09B ........
0001A14C 0400 18B7 0400 18B7 ........
0001A154 0400 54C3 0400 54C3 ..T...T.
0001A15C 0400 94E0 0400 94E0 ........
0001A164 0400 6CEA 0400 6CEA ..l...l.
0001A16C 0400 A0F8 0400 A0F8 ........
0001A174 0400 D010 0500 D010 ........
0001A17C 0500 8C2A 0500 8C2A ...*...*
0001A184 0500 6047 0500 6047 ..`G..`G
0001A18C 0500 2855 0500 2855 ..(U..(U
0001A194 0500 B060 0500 B060 ...`...`
0001A19C 0500 8C7B 0500 8C7B ...{...{
0001A1A4 0500 6884 0500 6884 ..h...h.
0001A1AC 0500 6C8C 0500 6C8C ..l...l.
0001A1B4 0500 8C96 0500 8C96 ........
0001A1BC 0500 709D 0500 709D ..p...p.
0001A1C4 0500 58A3 0500 58A3 ..X...X.
0001A1CC 0500 CCAA 0500 CCAA ........
0001A1D4 0500 74B7 0500 74B7 ..t...t.
0001A1DC 0500 FCCB 0500 FCCB ........
0001A1E4 0500 20D5 0500 20D5 .. ... .
0001A1EC 0500 50DB 0500 50DB ..P...P.
0001A1F4 0500 54EC 0500 54EC ..T...T.
0001A1FC 0500 C8F3 0500 C8F3 ........
0001A204 0500 240A 0600 240A ..$...$.
0001A20C 0600 9C19 0600 9C19 ........
0001A214 0600 9C22 0600 9C22 ..."..."
0001A21C 0600 3829 0600 3829 ..8)..8)
0001A224 0600 4030 0600 4030 ..@0..@0
0001A22C 0600 083E 0600 083E ...>...>
0001A234 0600 1045 0600 1045 ...E...E
0001A23C 0600 8C4A 0600 8C4A ...J...J
0001A244 0600 5050 0600 5050 ..PP..PP
0001A24C 0600 9859 0600 9859 ...Y...Y
0001A254 0600 3C5E 0600 3C5E ..<^..<^
0001A25C 0600 1C6C 0600 1C6C ...l...l
0001A264 0600 FC73 0600 FC73 ...s...s
0001A26C 0600 747A 0600 747A ..tz..tz
0001A274 0600 C082 0600 C082 ........
0001A27C 0600 C08B 0600 C08B ........
0001A284 0600 1894 0600 1894 ........
0001A28C 0600 CCA0 0600 0000 ........
0001A294 0300 9003 0300 9003 ........
0001A29C 0300 6C06 0300 6C06 ..l...l.
0001A2A4 0300 FC09 0300 FC09 ........
0001A2AC 0300 680D 0300 680D ..h...h.
0001A2B4 0300 D410 0300 D410 ........
0001A2BC 0300 6414 0300 6414 ..d...d.
0001A2C4 0300 1C17 0300 1C17 ........
0001A2CC 0300 B019 0300 B019 ........
0001A2D4 0300 681C 0300 681C ..h...h.
0001A2DC 0300 D41F 0300 D41F ........
0001A2E4 0300 8C22 0300 8C22 ..."..."
0001A2EC 0300 F02B 0300 F02B ...+...+
0001A2F4 0300 1436 0300 1436 ...6...6
0001A2FC 0300 3840 0300 3840 ..8@..8@
0001A304 0300 5C4A 0300 CCA0 ..\J....
0001A30C 0600 EDA4 0600 EDA4 ........
0001A314 0600 CEA8 0600 CEA8 ........
0001A31C 0600 47AC 0600 47AC ..G...G.
0001A324 0600 D0B0 0600 D0B0 ........
0001A32C 0600 41B3 0600 41B3 ..A...A.
0001A334 0600 82B8 0600 82B8 ........
0001A33C 0600 A3BC 0600 A3BC ........
0001A344 0600 84BE 0600 84BE ........
0001A34C 0600 05C3 0600 05C3 ........
0001A354 0600 86C4 0600 86C4 ........
0001A35C 0600 C7C6 0600 C7C6 ........
0001A364 0600 88CA 0600 88CA ........
0001A36C 0600 79CE 0600 79CE ..y...y.
0001A374 0600 FAD2 0600 FAD2 ........
0001A37C 0600 0BD5 0600 0BD5 ........
0001A384 0600 BCD6 0600 BCD6 ........
0001A38C 0600 A5DA 0600 A5DA ........
0001A394 0600 F6DB 0600 F6DB ........
0001A39C 0600 17DD 0600 17DD ........
0001A3A4 0600 98DE 0600 98DE ........
0001A3AC 0600 B9DF 0600 B9DF ........
0001A3B4 0600 7AE0 0600 7AE0 ..z...z.
0001A3BC 0600 9BE1 0600 9BE1 ........
0001A3C4 0600 2CE3 0600 2CE3 ..,...,.
0001A3CC 0600 5DE6 0600 5DE6 ..]...].
0001A3D4 0600 AEE7 0600 AEE7 ........
0001A3DC 0600 9FE8 0600 9FE8 ........
0001A3E4 0600 40EB 0600 40EB ..@...@.
0001A3EC 0600 61EC 0600 61EC ..a...a.
0001A3F4 0600 F2EF 0600 F2EF ........
0001A3FC 0600 63F2 0600 63F2 ..c...c.
0001A404 0600 B4F3 0600 47FE ......G.
0001A40C 0600 38FF 0600 8F4D ..8....M
0001A414 0300 B04E 0300 B04E ...N...N
0001A41C 0300 C150 0300 B4F3 ...P....
0001A424 0600 D5F4 0600 D5F4 ........
0001A42C 0600 96F5 0600 96F5 ........
0001A434 0600 87F6 0600 87F6 ........
0001A43C 0600 D8F7 0600 D8F7 ........
0001A444 0600 69F8 0600 69F8 ..i...i.
0001A44C 0600 5AF9 0600 5AF9 ..Z...Z.
0001A454 0600 7BFA 0600 7BFA ..{...{.
0001A45C 0600 6CFB 0600 6CFB ..l...l.
0001A464 0600 BDFC 0600 BDFC ........
0001A46C 0600 0EFE 0600 8D4A .......J
0001A474 0300 AE4B 0300 AE4B ...K...K
0001A47C 0300 8F4D 0300 C150 ...M...P
0001A484 0300 A255 0300 A255 ...U...U
0001A48C 0300 835A 0300 835A ...Z...Z
0001A494 0300 645F 0300 645F ..d_..d_
0001A49C 0300 4564 0300 4564 ..Ed..Ed
0001A4A4 0300 2669 0300 2669 ..&i..&i
0001A4AC 0300 076E 0300 076E ...n...n
0001A4B4 0300 E872 0300 5C4A ...r..\J
0001A4BC 0300 8D4A 0300 0EFE ...J....
0001A4C4 0600 47FE 0600 E872 ..G....r
0001A4CC 0300 A973 0300 DA73 ...s...s
0001A4D4 0300 0B74 0300 A973 ...t...s
0001A4DC 0300 DA73 0300 0B74 ...s...t
0001A4E4 0300 3C74 0300 88DA ..<t....
0001A4EC 080B 0100 ....

sevik

It's the middle of the index :))

But around it there are many records in the format XX XX 03 00 and XX XX 06 00

03 00 - these are animations
06 00 - something else

I searched for the animation start addresses and they're /2, /4, /8 ... :))

sevik

Yes, all this data seems to be a directory of stuff in flash

RetroPlayer

Good job. There are also 05s and 04s. MP3s for some? Maybe some indicate the unused stuff? One for the test stuff?

We have:
Used Animations
Used MP3s
Test audio clips (and possibly animations)
Unused Animations
Unused MP3s

I am going to extract all of the files individually and prepare them to put on a cartridge so I can see what the animations do. When I do that, I will shoot some video so people can hear the hidden stuff.

sevik

If you have a logic analyzer.... :))

Then we can take the approach used with Robopanda - trace the CPU's accesses to this data - and we will have dependencies and index regions very quickly :))

RetroPlayer

Alright, I hate to leave everyone hanging, but if I don't get to sleep, it's going to be a very long night at work.

RetroPlayer

I do. Good point.

Not sure what you mean by "dependencies" though. If you can explain what you're thinking, I will attempt it after finishing with the cartridge and decoding the animation scripts.

sevik

06 00 seems to be animations for the 0x60000 block

start_address = 0x60000 + value * 2

sevik

When you see that the CPU reads from address 0x1000 with value 0x4562 and after this reads from 0xAAC4 (0x4562*2+0x2000) - then probably the later address is calculated from the first :))

This is the approach used in the Robopanda cartridge hacking :)) It was mainly based on SPI traces of the CPU reading the SPI ROM on the cartridge.

sevik

I'm going home too :))

RetroPlayer

Last thing:

The datasheet for this flash chip, which lists the sector boundaries, is MX29LV400CBTC-70G. That will probably be helpful to figure out where data starts and stops. The flashfs code will likely make use of these boundaries.

I really think we are dealing with the real code being in the microcontroller, though. At this point, I am hoping that there is some secret to dropping it into some low level debug mode.

sevik

In Robopanda the real code is in the MCU, but in the cartridge there is bytecode with full access to all peripherals, which is interpreted by the MCU firmware.

RetroPlayer

Just a thought here...
The audio input jack on the front of the Elvis looks unusually complex. One of the inputs actually goes through the ADC chip. I am beginning to wonder if a controller pendant is plugged in here, perhaps.

The line going into the ADC is labeled RA (I'll double check this) which maybe, could mean Resistor Array, which is a similar method of control to the controls on your steering wheel in your car. Basically, a string of resistors in series with switches at each resistor to pull the line to ground. Different switches create a different voltage. This is measured by an ADC and the computer translates that into a command.

Or... it could just be a one wire interface. There IS a switch in the audio jack that is sensed to put Elvis in song mode or "iPod" mode, but I think this switch is going to a different line. I am going to have to pull that jack out and take a look at it. If it is a 4 conductor jack, then I might be onto something.

RetroPlayer

Hmm, looks like the "switch" in the jack is connected to pins shared by the three conductors. Probably only used to sense whether a mono or stereo jack is plugged in. A mono jack would ground one of the channels (left, I believe). By using the ADC chip, they are isolating the CPU.

Now, there is a small J77 jumper on the board that is connected together. It is one input to an AND gate and is pulled high. The jumper is connecting one IO pin of the CPU to one input on the AND gate. The output of the AND gate is connected to another CPU IO pin. Maybe cutting this trace would yield a different function in the CPU? It might be checking this line at power up.

I really need to build a riser for the Elvis bust so I can work on the main board with everything attached. Anyway, I will try this out tomorrow morning while I am finishing up the cartridge.

The other thing I would like to try is to run him without the flash installed. Since it looks like there are only audio clips and animation scripts, as well as some indexes and tables (it doesn't really look like code to me), maybe that is enough to prevent him from running Elvis clips.

There are so many possibilities, including the function of the cartridge pins changing if some type of trainer mode is activated. Remember there is a connector not used which has the cartridge CE pin on it. There must be a reason for that. It's going to take a bit of trial and error to figure this out, but I think we'll find something.

RetroPlayer

Alright, I just had to try it before I leave. With the J77 jumper cut, Elvis does not start up as normal, doesn't respond to the cartridge, and there is no response to the remote. At least visually.

This means that the condition of the J77 jumper is checked at startup. And that jumper is there for a reason. I will have to investigate this further. A compare of logic analyzer captures with and without this jumper would probably help. Just gotta figure out where to hook it up and what to look for.

sevik

The best - capture the address lines and CS of the 29LV400 and the cartridge slot pins.
In this case you can see all activity, but you need a lot of channels in the logic analyzer. So if you have fewer - capture only the 29lv CS + address (from top to bottom) and the cartridge CS. So you will have a trace of the 29lv with a resolution of several bytes and an indication of NAND activity.

I think the first 100-200ms will be enough for code and index detection.

For a start - just check the access patterns on the CS lines of the 29LV and NAND - to estimate the amount of activity and the timing of the startup sequence.

sevik

The index at 0x1A11A seems to be just an index of start offsets without file types.

First column - what was considered the file type but is really just the top half of the address; second - address (in 16-bit words); third - address*2 (offset in bytes); after "|" - dump of the first bytes.

Seems:
03 - 0x00000
04 - 0x20000
05 - 0x40000
06 - 0x60000

[seva@sevasoft][/home/seva/src/elvis] ./a.py | sort|uniq
0003 0000 00000 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 0390 00720 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 066C 00CD8 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 09FC 013F8 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 0D68 01AD0 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 10D4 021A8 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 1464 028C8 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 171C 02E38 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 19B0 03360 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 1C68 038D0 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 1FD4 03FA8 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 228C 04518 | FF E2 43 44 B2 4E 00 11 90 ED 48 7F A0 BC 00 04
0003 2BF0 057E0 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 3614 06C28 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 4038 08070 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0003 4A5C 094B8 | 00 00 6A 00 49 00 32 00 00 00 6B 00 51 00 32 00
0003 4A8D 0951A | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0003 4BAE 0975C | 00 00 61 00 52 00 31 00 00 00 62 00 51 00 32 00
0003 4D8F 09B1E | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0003 4EB0 09D60 | 00 00 61 00 51 00 31 00 00 00 62 00 50 00 32 00
0003 50C1 0A182 | 00 00 61 00 54 00 31 00 00 00 62 00 54 00 32 00
0003 55A2 0AB44 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0003 5A83 0B506 | 00 00 61 00 54 00 31 00 00 00 62 00 51 00 32 00
0003 5F64 0BEC8 | 00 00 61 00 54 00 31 00 00 00 62 00 54 00 32 00
0003 6445 0C88A | 00 00 61 00 54 00 31 00 00 00 62 00 46 00 32 00
0003 6926 0D24C | 00 00 61 00 54 00 31 00 00 00 62 00 54 00 32 00
0003 6E07 0DC0E | 00 00 61 00 54 00 31 00 00 00 62 00 46 00 32 00
0003 72E8 0E5D0 | 00 00 61 00 61 00 31 00 00 00 62 00 51 00 32 00
0003 73A9 0E752 | 00 00 6A 00 49 00 34 00 00 00 6B 00 51 00 39 00
0003 73DA 0E7B4 | 00 00 6A 00 49 00 34 00 00 00 6B 00 41 00 39 00
0003 740B 0E816 | 00 00 6A 00 49 00 34 00 00 00 6B 00 61 00 39 00
0003 743C 0E878 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0004 0000 20000 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0004 1AA0 23540 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0004 348C 26918 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0004 4BCC 29798 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 20
0004 6A98 2D530 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 4A
0004 7A58 2F4B0 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 D2
0004 9BD0 337A0 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 F8
0004 B718 36E30 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 06
0004 C354 386A8 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 D4
0004 E094 3C128 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 0E
0004 EA6C 3D4D8 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 99
0004 F8A0 3F140 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 20
0005 10D0 421A0 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 07
0005 2A8C 45518 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 5A
0005 4760 48EC0 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 87
0005 5528 4AA50 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 0D
0005 60B0 4C160 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 09
0005 7B8C 4F718 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 4A
0005 8468 508D0 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 0A
0005 8C6C 518D8 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 1B
0005 968C 52D18 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 0A
0005 9D70 53AE0 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 4E
0005 A358 546B0 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 06
0005 AACC 55598 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 08
0005 B774 56EE8 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 2A
0005 CBFC 597F8 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 11
0005 D520 5AA40 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 AE
0005 DB50 5B6A0 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 79
0005 EC54 5D8A8 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 4A
0005 F3C8 5E790 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 06
0006 0A24 61448 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 07
0006 199C 63338 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 44
0006 229C 64538 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 01
0006 2938 65270 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 04
0006 3040 66080 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 D1
0006 3E08 67C10 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 8D
0006 4510 68A20 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 52
0006 4A8C 69518 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 26
0006 5050 6A0A0 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 20
0006 5998 6B330 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 09
0006 5E3C 6BC78 | 49 44 33 03 00 00 00 00 1F 76 50 52 49 56 00 00
0006 6C1C 6D838 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 25
0006 73FC 6E7F8 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 4E
0006 7A74 6F4E8 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 04
0006 82C0 70580 | FF F2 34 C0 2D 7D 00 00 00 02 5C 00 00 00 00 00
0006 8BC0 71780 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0006 9418 72830 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00
0006 A0CC 74198 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 A4ED 749DA | 00 00 61 00 51 00 31 00 00 00 62 00 52 00 32 00
0006 A8CE 7519C | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 AC47 7588E | 00 00 61 00 51 00 31 00 00 00 62 00 52 00 32 00
0006 B0D0 761A0 | 00 00 61 00 4F 00 31 00 00 00 62 00 51 00 32 00
0006 B341 76682 | 00 00 61 00 51 00 31 00 00 00 62 00 50 00 32 00
0006 B882 77104 | 00 00 61 00 51 00 31 00 00 00 62 00 5B 00 32 00
0006 BCA3 77946 | 00 00 61 00 55 00 31 00 00 00 62 00 4B 00 32 00
0006 BE84 77D08 | 00 00 61 00 51 00 31 00 00 00 62 00 61 00 32 00
0006 C305 7860A | 00 00 61 00 51 00 31 00 00 00 62 00 55 00 32 00
0006 C486 7890C | 00 00 61 00 51 00 31 00 00 00 62 00 52 00 32 00
0006 C6C7 78D8E | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 CA88 79510 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 CE79 79CF2 | 00 00 61 00 51 00 31 00 00 00 62 00 47 00 32 00
0006 D2FA 7A5F4 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 D50B 7AA16 | 00 00 61 00 52 00 31 00 00 00 62 00 41 00 32 00
0006 D6BC 7AD78 | 00 00 61 00 51 00 31 00 00 00 62 00 52 00 32 00
0006 DAA5 7B54A | 00 00 61 00 55 00 31 00 00 00 62 00 51 00 32 00
0006 DBF6 7B7EC | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 DD17 7BA2E | 00 00 61 00 4F 00 31 00 00 00 62 00 61 00 32 00
0006 DE98 7BD30 | 00 00 61 00 41 00 31 00 00 00 62 00 61 00 32 00
0006 DFB9 7BF72 | 00 00 61 00 51 00 31 00 00 00 62 00 50 00 32 00
0006 E07A 7C0F4 | 00 00 61 00 51 00 31 00 00 00 62 00 41 00 32 00
0006 E19B 7C336 | 00 00 61 00 61 00 31 00 00 00 62 00 47 00 32 00
0006 E32C 7C658 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 E65D 7CCBA | 00 00 61 00 51 00 31 00 00 00 62 00 53 00 32 00
0006 E7AE 7CF5C | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 E89F 7D13E | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 EB40 7D680 | 00 00 61 00 53 00 31 00 00 00 62 00 50 00 32 00
0006 EC61 7D8C2 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 EFF2 7DFE4 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 F263 7E4C6 | 00 00 61 00 52 00 31 00 00 00 62 00 50 00 32 00
0006 F3B4 7E768 | 00 00 61 00 61 00 31 00 00 00 62 00 52 00 32 00
0006 F4D5 7E9AA | 00 00 61 00 53 00 31 00 00 00 62 00 53 00 32 00
0006 F596 7EB2C | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 F687 7ED0E | 00 00 61 00 52 00 31 00 00 00 62 00 51 00 32 00
0006 F7D8 7EFB0 | 00 00 61 00 51 00 31 00 00 00 62 00 59 00 32 00
0006 F869 7F0D2 | 00 00 61 00 52 00 31 00 00 00 62 00 59 00 32 00
0006 F95A 7F2B4 | 00 00 61 00 51 00 31 00 00 00 62 00 52 00 32 00
0006 FA7B 7F4F6 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00
0006 FB6C 7F6D8 | 00 00 61 00 53 00 31 00 00 00 62 00 41 00 32 00
0006 FCBD 7F97A | 00 00 61 00 52 00 31 00 00 00 62 00 61 00 32 00
0006 FE0E 7FC1C | 00 00 6A 00 51 00 32 00 00 00 6B 00 51 00 32 00
0006 FE47 7FC8E | 00 00 61 00 5C 00 31 00 00 00 62 00 5C 00 32 00
0006 FF38 7FE70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Used code (let's start learning Python :)) )

[seva@sevasoft][/home/seva/src/elvis] cat a.py 
#!/usr/bin/env python3
# Python 3 version of the index walker (the original was Python 2).
import struct

img = open('main_flash.bin', 'rb').read()
offset = 0x1A11A                         # start of the index

while True:
    # each 4-byte entry: low word a, then bank word b (3..6)
    a, b = struct.unpack("<HH", img[offset:offset + 4])
    addr = (b - 3) * 0x20000 + a * 2     # byte offset into the flash image
    dump = " ".join("%02X" % v for v in img[addr:addr + 16])

    print("%04X %04X %05X | %s" % (b, a, addr, dump))
    offset += 4
    if offset > 0x1A4E9:                 # end of the index
        break

RetroPlayer

I am at work, so I won't be responding often. Just wanted to say that I am glad you are helping. I might not have ever figured out the indexes.

I'll do some captures on my LA using your suggestions. I have 34 channels at 200MHz synchronous mode, 500MHz asynchronous.

This is what I have: http://www.pctestinstruments.com/

sevik

Heh, almost every address is encountered 2 times:

00000 00720 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 94
00720 005B8 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 95 96
00CD8 00720 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 97 98
013F8 006D8 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 99 100
01AD0 006D8 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 101 102
021A8 00720 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 103 104
028C8 00570 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 105 106
02E38 00528 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 107 108
03360 00570 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 109 110
038D0 006D8 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 111 112
03FA8 00570 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 113 114
04518 012C8 | FF E2 43 44 B2 4E 00 11 90 ED 48 7F A0 BC 00 04 | 115 116
057E0 01448 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 117 118
06C28 01448 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 119 120
08070 01448 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 121 122
094B8 00062 | 00 00 6A 00 49 00 32 00 00 00 6B 00 51 00 32 00 | 123 232
0951A 00242 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00 | 214 233
0975C 003C2 | 00 00 61 00 52 00 31 00 00 00 62 00 51 00 32 00 | 215 216
09B1E 00242 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00 | 190 217
09D60 00422 | 00 00 61 00 51 00 31 00 00 00 62 00 50 00 32 00 | 191 192
0A182 009C2 | 00 00 61 00 54 00 31 00 00 00 62 00 54 00 32 00 | 193 218
0AB44 009C2 | 00 00 61 00 51 00 31 00 00 00 62 00 51 00 32 00 | 219 220
0B506 009C2 | 00 00 61 00 54 00 31 00 00 00 62 00 51 00 32 00 | 221 222
0BEC8 009C2 | 00 00 61 00 54 00 31 00 00 00 62 00 54 00 32 00 | 223 224
0C88A 009C2 | 00 00 61 00 54 00 31 00 00 00 62 00 46 00 32 00 | 225 226
0D24C 009C2 | 00 00 61 00 54 00 31 00 00 00 62 00 54 00 32 00 | 227 228
0DC0E 009C2 | 00 00 61 00 54 00 31 00 00 00 62 00 46 00 32 00 | 229 230
0E5D0 00182 | 00 00 61 00 61 00 31 00 00 00 62 00 51 00 32 00 | 231 236
0E752 00062 | 00 00 6A 00 49 00 34 00 00 00 6B 00 51 00 39 00 | 237 240
0E7B4 00062 | 00 00 6A 00 49 00 34 00 00 00 6B 00 41 00 39 00 | 238 241
0E816 00062 | 00 00 6A 00 49 00 34 00 00 00 6B 00 61 00 39 00 | 239 242
0E878 11788 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 243
20000 03540 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 0
23540 033D8 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 1 2
26918 02E80 | 49 44 33 03 00 00 00 00 01 76 50 52 49 56 00 00 | 3 4
....

So it seems it's the start and end address of each chunk

#!/usr/bin/env python3
# Python 3 version (the original was Python 2): count how many index entries
# refer to each decoded address, then print the distance to the next address.
import struct

img = open('main_flash.bin', 'rb').read()
offset = 0x1A11A

xrefs = {}          # decoded byte address -> list of index entry numbers

n = 0
while True:
    a, b = struct.unpack("<HH", img[offset:offset + 4])
    addr = (b - 3) * 0x20000 + a * 2
    if addr not in xrefs:
        xrefs[addr] = []

    xrefs[addr].append(n)

    offset += 4
    n += 1
    if offset > 0x1A4E9:
        break

addrs = sorted(xrefs)

addrs.append(0x80000)   # end of the 512 KiB flash, so the last chunk gets a length
for i in range(len(addrs) - 1):
    addr = addrs[i]
    length = addrs[i + 1] - addr
    dump = " ".join("%02X" % v for v in img[addr:addr + 16])
    xrf = " ".join("%d" % a for a in xrefs[addr])

    print("%05X %05X | %s | %s" % (addr, length, dump, xrf))

sevik

Heh, awesome device...

sevik

Split the image according to the index

files available at [you-know-where]/split

122 files total:
0-61 - mp3s
62-121 - scripts

#!/usr/bin/env python3
# Python 3 version (the original was Python 2): split the image into files
# using the (start, end) entry pairs of the index.
import struct

img = open('main_flash.bin', 'rb').read()
offset = 0x1A11A

n = 0
while True:
    # two entries per file: (a, b) = start, (c, d) = end
    a, b, c, d = struct.unpack("<HHHH", img[offset:offset + 8])
    addr = (b - 3) * 0x20000 + a * 2
    addr2 = (d - 3) * 0x20000 + c * 2
    length = addr2 - addr
    dump = " ".join("%02X" % v for v in img[addr:addr + 16])
    print("%03d %05X %05X | %s " % (n, addr, length, dump))

    with open("%03d.dat" % n, "wb") as f:
        f.write(img[addr:addr2])

    offset += 8
    n += 1
    if offset > 0x1A4E9:
        break
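
A Python 3 parser for the index layout worked out in the posts above (an added example, not code from the thread or from the Elvis firmware): it decodes (low word, bank word) entries with (bank - 3) * 0x20000 + low * 2, walks the index as (start, end) pairs, bounds-checks every decoded address before slicing so a corrupt or hand-edited index cannot read outside the image, classifies chunks by the signatures seen in the dumps (ID3 header, MPEG frame sync, the 00 00 61 00 ... script records), and includes the inverse mapping a "cooker" would need to rebuild the index. The 512 KiB image, its three files and the index position are constructed for the demonstration; the chunk type names and output file naming are assumptions of mine.

```python
import struct
from pathlib import Path

# Index layout as worked out in the thread: each 4-byte entry is a little-endian
# (low word, bank word) pair.  Bank 3 -> 0x00000, 4 -> 0x20000, 5 -> 0x40000,
# 6 -> 0x60000; the low word counts 16-bit words, so the byte offset is
# (bank - 3) * 0x20000 + low * 2.  Entries come in (start, end) pairs per file.
BANK_SIZE = 0x20000
FIRST_BANK, LAST_BANK = 3, 6
IMAGE_SIZE = 0x80000  # 4 Mbit MX29LV400 = 512 KiB


def entry_to_offset(low_word, bank_word):
    """Decode one index entry to a byte offset; reject bank words the index never uses."""
    if not FIRST_BANK <= bank_word <= LAST_BANK:
        raise ValueError("bank word %#06x outside %d..%d" % (bank_word, FIRST_BANK, LAST_BANK))
    return (bank_word - FIRST_BANK) * BANK_SIZE + low_word * 2


def offset_to_entry(offset):
    """Inverse of entry_to_offset, for rebuilding ("cooking") an index after edits."""
    if offset % 2 or not 0 <= offset < IMAGE_SIZE:
        raise ValueError("offset %#x is odd or outside the image" % offset)
    return (offset % BANK_SIZE) // 2, offset // BANK_SIZE + FIRST_BANK


def classify(head):
    """Guess a chunk's type from its first bytes, using the signatures seen in the dumps."""
    if head[:3] == b"ID3":
        return "mp3-id3"        # MP3 with an ID3v2 header (49 44 33 03 ...)
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3-frame"      # bare MPEG audio frame sync, 11 set bits (FF F2 / FF E2 ...)
    if not any(head):
        return "padding"        # all zeros
    return "script"             # the 00 00 61 00 51 00 31 00 ... records (assumed name)


def parse_index(img, index_start, index_end):
    """Walk the index as (start, end) pairs, bounds-checking every decoded address."""
    chunks = []
    offset = index_start
    while offset + 8 <= index_end:
        a, b, c, d = struct.unpack_from("<HHHH", img, offset)
        start, end = entry_to_offset(a, b), entry_to_offset(c, d)
        # A corrupt or hand-edited index must never make us slice outside the image.
        if not 0 <= start < end <= len(img):
            raise ValueError("bad chunk %#x..%#x at index offset %#x" % (start, end, offset))
        chunks.append({"n": len(chunks), "start": start, "length": end - start,
                       "kind": classify(img[start:start + 16]), "data": img[start:end]})
        offset += 8
    return chunks


def extract(img, index_start, index_end, out_dir):
    """Write each chunk as <n>_<offset>.<kind>, so names carry index position and offset."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    chunks = parse_index(img, index_start, index_end)
    for c in chunks:
        (out / ("%03d_%05X.%s" % (c["n"], c["start"], c["kind"]))).write_bytes(c["data"])
    return chunks


def build_sample_image():
    """Constructed 512 KiB image with a three-file index at 0x1A11A (not a real dump)."""
    img = bytearray(IMAGE_SIZE)
    bounds = [0x20000, 0x23540, 0x26918, 0x28000]                    # three files, back to back
    img[0x20000:0x20004] = b"ID3\x03"                                 # ID3-tagged MP3
    img[0x23540:0x23544] = bytes([0xFF, 0xF2, 0x34, 0xC0])            # raw MPEG frame
    img[0x26918:0x26920] = bytes([0, 0, 0x61, 0, 0x51, 0, 0x31, 0])  # script record
    index_start = 0x1A11A
    offset = index_start
    for start, end in zip(bounds, bounds[1:]):
        struct.pack_into("<HHHH", img, offset, *offset_to_entry(start), *offset_to_entry(end))
        offset += 8
    return bytes(img), index_start, offset


if __name__ == "__main__":
    img, s, e = build_sample_image()
    for c in parse_index(img, s, e):
        print("%03d %05X %05X %s" % (c["n"], c["start"], c["length"], c["kind"]))
```

To run it on a real dump, pass the image bytes with index_start=0x1A11A and the index end the thread uses (0x1A4E9 rounded to a whole entry) instead of the constructed image.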

sevik

Heh, all extracted MP3s play OK :))

I think the 0x10000 chunk is really some code, but I will wait until you hook up the LA :))

It will be much simpler then :))

It does not look like Robopanda bytecode :)) Too many 0xF040 and too few 0x2DXX :))

But unlike Robopanda, this code is directly accessible by the CPU - so this can be the native instruction set of the Sunplus CPU.

RetroPlayer

Heh, you beat me to it, Sevik. I was coming back to the PC to beg you to write an extractor. We are going to need that and a "cooker" to compile a modified ROM image with index.

I am planning to map the ROM as is to see if there is any correlation to the order that these play and the order that they are in the index.

Also, we should be able to replace the flash with up to 2MB as long as the two jumpers (J79 and J80) are bridged. I am pretty sure that I have some 2MB or 4MB flash chips that I could try out once we are able to cook these. Not extremely important, but it would be good to do it and document it for completeness.

If you could (if you didn't already) also have your program extract the index and the unknown chunks (and maybe even make the filenames after their offset) then I think we can tackle this even more quickly. I need to finish the cartridge mod and animation script decoding before I get myself too far sidetracked with this. This part is the most interesting to me, but I think the cart mod is what most people are really waiting for. Then I can play to my heart's content with the rest of the hardware. I am going to start planning the riser and the rest of the jigs I am going to need to dig into the hardware easier. If the top of the bust is not plugged in, Elvis doesn't start up. So, I need to keep everything connected while I work on reverse engineering.

Awesome work (and speed), Sevik.

I'll have to grab those files in the morning, I cannot access them from work.

sevik

:))

Yes, I have extracted the files but named them according to their position in the index.
I think replacing existing files and rebuilding the index, leaving all other content of the 0x10000 block as is, will work, but it's not very interesting :))

OK :)) I'll wait for the LA hookup :))

I have other work to do with making bucks and Robopanda :))

RetroPlayer

Sevik,

True. We will need to see how much space is usable in that sector to grow an index. I definitely agree with you that the rest of the info at 0x10000 must be figured out. The good bits are probably in there.

I am glad to hear that you think it looks like code, that's promising. I know I will get impatient to mess with the hardware, so my goal is to have the cart finished, animation scripts decoded, and article up by this weekend. And then, as I said, I will be free to play with the rest of the hardware. Already what we have discovered makes it possible to fully convert him to another character. But real-time PC control and the ability to add more hardware is my ultimate goal.

If I thought I could handle writing the program to do all of this (FAT handling, flashfs, motors, sensors, MP3 streaming, etc...) I would probably just scrap the CPU at this point and just build a replacement with a more hobbyist friendly controller. There should be enough information about the hardware already to do this. It's clear how the hardware is connected to the CPU from the available datasheets for the parts. With a full CPU board pinout, we just need to slap a new micro in place and write our own code. I just don't know if I am a good enough programmer to write all new custom code from scratch. But, hey, maybe by providing the hardware information, someone will step up that can run with it, or I'll figure it all out in the next two years :)

In the end, I am sure that I will decide to do this. If we cannot figure out how to get the real program out of the CPU, it will be necessary for puppet control. Eh, I'm getting ahead of myself. Maybe there is enough in the 0x10000 section to get over this stump. The LA captures will certainly help determine that.

RetroPlayer

Well, first attempt at the xD cartridge is a failure. I don't see any shorts, and I double and triple checked the pinouts, but he just says I need to plug a cartridge in. Hopefully (and this would seem silly to me) they didn't lock it to a particular chip ID. My wires are a little longer than I'd like, so there could just be a lot of noise issues.

I am going to bring it to work with me tonight and rework it under the scopes during break to be sure. I am going to quadruple-check my pinouts, as well.

I am putting a picture in the gallery of what I intend to be the "better way."

sevik

Reading of the chip ID can be seen on the traces too...

I'm not forcing you into anything.... :)))

RetroPlayer

Sevik,

I probably will have no choice. I just plugged my custom cartridge into my modded smartmedia reader and everything is fine. It was a little slow being recognized, but up popped the drive with all the files on it.

So, my custom cartridge works fine. But why doesn't Elvis see it?

sevik

Maybe it's slow because of noise/errors really...

Try reading files from it or running elvis.exe several times and comparing checksums

Remove and reinsert the cartridge between runs so it will really read data from the cartridge and not from the file cache

Or run elvis.exe on a backed-up version of the data and compare with the cartridge run

sevik

Have you written a raw image of the cartridge to the cart, or just copied files to previously formatted media?

Possibly Elvis has some restrictions on filesystem parameters...

or has some hidden data on cartridge...
