Elvis Cartridge has been hacked (updated: Article is on the way)

361 posts / 0 new
Last post
sevik
sevik's picture

check fat type and cluster size on original and new cartridge

RetroPlayer
RetroPlayer's picture

I have a raw byte-for-byte image of the original cartridge, yes. I made sure of that before touching anything on the cart.

I am positive that it is just noise issues. Access was really really slow when I had it, and now it is not working on my modified card reader. I am going to have to seriously shorten my wires, add some caps at the sockets, etc..

But, I need to do it under a microscope. That's my biggest problem of working on this. The pins are so tiny and my eyes aren't as good as they used to be. My wires are way too long and are splattered all over the board right now.

So, I am going to bring the reader and the modded cartridge with me to work. Once I know for sure that an xD card will work in the Elvis, I will do my animation decoding and then write up an article using the xD to smart media adapter. Unless people have some really good tools, the xD in the cart mod is just going to be way too difficult to do at home.

RetroPlayer
RetroPlayer's picture

Sevik,

I got the logic analyzer software setup for 19 bits of address, 8 bits data, and clocking on CE. I have one clock/qualifier left over and 5 more acquisition lines.

I'll have my cartridge and reader fixed by tomorrow morning and will start mapping out the rest of CPU. Then, I will grab some captures by the end of the weekend. The other nice thing about this logic analyzer is that it has a 40 pin header which matches an IDE cable, so I could use a HDD ribbon cable and just install a couple of headers permanently on the target board and plug them in as needed. But, I need to finish mapping out the CPU first and separating the signals into groups. I was planning to do this anyway to figure out the motor control, as well, with the goal of eventually replacing the CPU.

RetroPlayer
RetroPlayer's picture

Oh, I should point out that the WP switch on the card reader should be connected to a physical switch. I think I corrupted my other cartridge today when I was testing it.

I just ordered a tsop48 ZIF socket to put on the frankenstein board so that I can pull and insert the main flash as needed during experimentation. I do not recommend installing and removing this IC more than a couple of times or the pads will start ripping up. Hopefully we discover a way to program it in-circuit so it doesn't need to be removed by anyone after I am done.

sevik
sevik's picture

Heh, seems a busy weekend coming :))

I have put a new robopanda related thread for first real cartridge ideas http://www.robocommunity.com/forum/thread/13817/Script-writer-for-RoboPa...

Will see what come out of it too :))

RetroPlayer
RetroPlayer's picture

Sevik,

I have finished redoing the cartridge. The wires are as short as I can possibly make them, they are laying flat and parallel to each other, with only a few crossing out of neccessity. I have connected all VCC and GND lines as close to the capacitors as possible and will install another capacitor across the socket.

Hopefully, this will be enough to get the cartridge going. I am going to have a hard time recommending this to anyone. I did it under a 20x microscope with 32 ga. wire and it still took nearly an hour to get it as tight as possible with no shorts.

If I didn't have so much other stuff I want to do with Elvis, I would create the custom Eagle layout parts to make a cartridge PCB. That would be much easier to handle for most. Later, perhaps. I will end up recommending putting the xD to smartmedia adapter in the Elvis directly. It actually fits pretty nicely where the old cart slot is and only sticks out about as much as a cartridge does. And it can be epoxied very easily into the slot. But, there will be noise issues again to deal with, I am sure.

RetroPlayer
RetroPlayer's picture

Sevik,

Also, I do have the robopanda as well to mess with when I am done with Elvis. My vote is on Teddy from Speilberg's A.I. as well. No time to do the actual recordings and such myself though. If you get no takers, go rent the movie and just snag some audio clips from there.

sevik
sevik's picture

For LA setup - data lines from flash is not needed really - elvis not going to write data to flash so you always known which data it gets from cartridge image.

So we can use 8 more lines for full NAND logging

RetroPlayer
RetroPlayer's picture

So, the idea you have in mind is to monitor the cartridge port and the main flash addresses, hopefully to determine if the code on the flash tries to find something on the cart? And if so, where there instruction is on the flash?

Is that the general idea?

RetroPlayer
RetroPlayer's picture

Sevik, do you have chat and time to chat this weekend when I go to set this all up, maybe Sunday morning? It is 7:10am my time right now.

I think I could learn alot from what you have done with the robopanda. This is my first "real" reverse engineering project. Usually, I build the stuff from scratch or repair it.

PM me if you will be able to.

sevik
sevik's picture

general idea - to get all possible info on interaction of main programm with flash and cartridge :))

The first interesting thing - is just a speed of access to flash. If it's in MHz range - it's native code with big probability, if it in repeated kHz range - it's possible byte code, if it's rare accesses - it's table based :))

Based on this we can take further steps :))

And correlating flash and NAND access we can do some other guesses. But this is further step - it si very depended on flash content nature.

About chat - we can chat in ICQ, PMs or just in this thread to attract some and distract some other people :))

sevik
sevik's picture

I'm relatively free now, so we can talk.

It's 14:50 localtime now, so we have at least 9 hours to play :))

RetroPlayer
RetroPlayer's picture

Well, right this minute, I am still trying to get the cartridge working. It is definitely noise issues. The card reader is very intermittent and keeps resetting like I just put a card in. When it seemed relatively stable, I tried to burn the original cartridge image back to the stock cartridge. It got hung up half way through, but finished. Before, Elvis wouldn't recognize it. Now he does, but the audio and animation files are all screwed up and he acts all crazy in the middle of a song.

sevik
sevik's picture

With robopanda cartridge I have put small capacitors on serial in line to get stable working. So in your case slight delay on CS line can help too...

May be there is need for some pull ups (this problem has milw with it's custom robopanda cartridge)...

RetroPlayer
RetroPlayer's picture

I considered that. Hmm.. It is actually reading very quickly now in my modified reader, but the original cartridge isn't even recognized anymore.

RetroPlayer
RetroPlayer's picture

I am noticing some differences in file format, too, though. I changed the serial number of the xD to match the original cartridge. I am copying files over again and am going to make an image of the xD card to compare.

RetroPlayer
RetroPlayer's picture

xD modified cartridge in the modified card reader (I installed the cartridge slot on it) I am getting about 2.5MB/s average write speed.

RetroPlayer
RetroPlayer's picture

SUCCESS!!! Changing the serial number was it

RetroPlayer
RetroPlayer's picture

I may add that capacitor to the CE line, but for now, it is working and I am not messing with the hardware until I get through the animation scripts.

sevik
sevik's picture

So you have working custom xD-card based cartridge?

Heh, it's a really big step forward

sevik
sevik's picture

If you get all working without caps - they are not needed

RetroPlayer
RetroPlayer's picture

Yes, custom xD cartridge is working. Only has original files on it right now. All modes work, all files are playing.

sevik
sevik's picture

hehe :)) for animation scripts I think simple script like:

00000000 00 00 61 00 40 00 31 00
00000010 01 00 61 00 41 00 31 00
00000018 02 00 61 00 42 00 31 00
00000020 03 00 61 00 43 00 31 00
00000021 04 00 61 00 44 00 31 00
...

must work and move 1 motor

RetroPlayer
RetroPlayer's picture

Your code moved his eyes down. Very subtly. I am going to try changing 31 to 38

sevik
sevik's picture

some stats for existing animations:

first value - motor number
other values: existing values

====================== Values =======================

61: 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61
62: 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61
63: 49 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61
64: 49 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61
65: 51
66: 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61
67: 51
68: 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61
69: 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61
6A: 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61
6B: 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61
6C: 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61
====================== Speeds =======================

61: 31 32
62: 32
63: 34
64: 34
65: 32 33
66: 30 33 34
67: 30
68: 33 35
69: 30 32 33 34 35 36 38
6A: 30 35 38 39
6B: 33 34 35 38
6C: 33 36 38

sevik
sevik's picture

65 and 67 motor looks strange...

RetroPlayer
RetroPlayer's picture

Looks like our theory was correct, at least so far.

RetroPlayer
RetroPlayer's picture

65 and 67 are probably the mouth... I'll try them

sevik
sevik's picture

better change sequence 40-41-... to 40-48-50-58-60 :)) this must be much more visible :))

RetroPlayer
RetroPlayer's picture

65 and 67 did nothing with the range of values given in your list

Pages