Elvis Cartridge has been hacked (updated: Article is on the way)

RetroPlayer

Nope... serial number was not the problem.

RetroPlayer

Must have had a corrupted format or something. I zeroed the entire card and then reformatted it, just before I changed the serial.

sevik

it can assume fully defragged disk - so it can ignore FAT...

RetroPlayer

It was probably because I was messing with it in the modified card reader. As I mentioned, it corrupted my original cartridge. I haven't been able to restore it fully, yet.

sevik

or it can compare copies of FAT or something else...

But if it works with reformatted card and copied over files - it's ok :))

sevik

YES, I THINK WE HAVE MORE INTERESTING THINGS TO DO :)))

RetroPlayer

Oh, and BTW, kids... it appears that xD doesn't like being removed "hot"; you have to eject it first.

I guess that makes sense. All pins are the same length. Usually flash cards have the ground pins longer than the rest to ensure the signals are stable.

RetroPlayer

Well, actually, I need to get to sleep. I have been awake since 8pm yesterday.

RetroPlayer

And I have to work tonight, unfortunately.

sevik

buuuu :))

Ok, I will wait :))

RetroPlayer

I will work on the article tonight to get everyone up to speed, and then the logic analyzer captures in the morning. There is quite a bit of work for me to do to prepare for the captures.

sevik

I have spent almost a month on cartridge emulator really :))

So it's expected, np :))

RetroPlayer

I added a picture of the wiring inside my working xD cartridge. I added a capacitor across VCC and ground at the connector pins after taking this picture, other than that, it is complete. I will probably "pot" the board in plastic (that I can remove with solvent if needed) so nothing moves or breaks off inside. I doubt that I will document this process, since it requires tools and materials that few hobbyists keep around, lots of setup steps, and it has nothing specific to do with the Elvis animatronic. It's mostly my paranoia. I don't want to have to mess with this again. :) If people REALLY want to see it, let me know before I do it so that I can take pictures; probably by next weekend.

Here's the recipe that led to success:

The way I have the cart on the board, the pins line up almost 1:1. The VCC, GND, and WP* pin on the xD socket were the only oddballs. I connected those first. I made them as short as possible by scraping the solder mask off the cartridge close to the top and near the capacitors. This, I think, helped to reduce noise issues as well as giving me a little more room at the card edge to solder.

I used Kapton tape, which is heat-resistant tape used in electronics, to mask off the part of the card edge that was going to be in the socket. The cartridge socket is meant to be tight and solder bumps would wear it down over time. There is about 2mm of contact at the top that is inside the cartridge housing itself. So, I just slapped on the Kapton tape on the bottom of the contacts to prevent solder from flowing down the contact.

I ended up using the wire from an 80pin IDE hard drive cable. This is about 32ga wire, I believe, and is a little more flexible than wire-wrap wire. The red striped wire came in handy to mark all the VCC points.

After soldering the third wire, I discovered a neat trick with this type of wire:

The insulation is very stretchy and loose. So, I would start with a full length piece of the wire and strip just one end a little longer than I wanted and solder that to the xD connector. Then I would arrange the wire how I wanted it and pulled it tight over the cart edge connector that I am going to solder to and cut it to length with an X-Acto knife. Then with my tweezers, I simply slid the insulation up snug with the xD pin and the other end of the wire exposed itself. Then I just soldered that to the card edge pin. In most cases, the insulation then stretched back out and all that was left exposed was the solder joints. I didn't get it right every time as you'll see in the pics, but man, did that make my job that much easier. It still took me almost an hour under a 20x microscope. That included creating a little jig to hold the board, masking off the card edge with Kapton tape where I didn't want solder to flow, etc... You can still see a piece of thin masking tape under the wires that I used to hold the board down. I just trimmed it instead of risking breaking a wire by trying to remove it. I made the jig out of wooden cotton swab handles that we use at work. They were just the right thickness to keep the board level so it didn't rock while soldering.

Oh, the other nice thing about the 80pin IDE wire is that you can carefully pinch the insulation and it will lay flat against the board.

Personally, I don't think I will do it this way again. Too much trouble. It does look nice, is convenient, and doesn't require opening your Elvis, but there is a lot of room for errors, things shorting out, etc... I am keeping the pictures in the gallery anyway in case anyone wants to attempt it themselves. This xD cart will be my main method, but if I ever do another head, I won't be building another one, I don't think. My Frankenstein head is going to get the xD to SmartMedia adapter mod and that is what I will end up putting in an article.

RetroPlayer

I need some help finding some freeware utilities:

1. Something to zero out the xD card before formatting (or in the case of a corruption.) Simple reformatting didn't work in my case. It wasn't until I zeroed the entire drive in a hex editor that I was able to format it and get it to work.
2. MP3 encoder and tag editor
3. Sound editor (trimming and cutting the audio clips is probably the most important)
4. Freeware hex editor (Actually, HxD is pretty good)
5. Any other freeware tools that would be helpful or essential to this project.

I have tried to find freeware tools throughout this entire process, even when I already had some commercial tools to do the job or knew how to do it manually.

Also, someone willing to code up an animation utility would be really helpful. I am going to attempt to create a barebones app in VB, but my programming skills are such that it might be months before it is done. I have started sketching out what is needed.

RetroPlayer

DOH, forgot about this great open-source sound utility:

Audacity: http://audacity.sourceforge.net/
You will want to grab the Lame MP3 plugins as well

RetroPlayer

HxD appears to have all the features required for a hex editor; it opens drives, RAM, and of course files. It also has a "wipe securely" feature which might work on the card.

There is, of course, the DOS format utility with the /U switch for unconditional formatting.

Any Linux or Mac users should pipe in with equivalent tools for their OS, so that I can list them as well.

RetroPlayer

Knowing that we are going to want the remote codes, I hooked up my logic analyzer and captured the remote commands. Basing the general timing on the robosapien and other wowwee products, here's what I have:

===================================================
Button      || Binary         || Hex
Mode        || 0110 1000 0000 || $680
Prev        || 0110 1000 0001 || $681
Next        || 0110 1000 0010 || $682
Voice       || 0110 1000 0011 || $683

Volume Down || 0110 0001 0000 || $610
Mic Up      || 0110 0001 0011 || $613
Volume Up   || 0110 0001 0101 || $615
Mic Down    || 0110 0001 0111 || $617

Alive       || 0110 0101 0010 || $652
Play/Pause  || 0110 1001 0000 || $690

First nibble always 0110
Second nibble looks like a command group, maybe?
Third nibble unique for every command, so likely just "the command"
===================================================

From what I understand, the robosapien only uses 8 bit codes, and this one has 12. The most significant nibble is always the same, though. I grouped the commands by what I see as a "command" group, meaning the second nibble is the same. Some of them have gaps in them, as you can see, and Play/Pause and Alive don't fit in a group, so I am not sure if this is a correct assumption or not.

If someone has the equipment and software for the robosapien, this should be enough information to try all different combinations to find any secret modes. I don't have anything built to mess around with this right now, so some help would be greatly appreciated.
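
Added example, not part of the original post: a short Python script that takes the table above as posted, checks the hex column against the binary, splits each code into nibbles, and lists which third-nibble values are unseen inside each second-nibble group. The function names and the `lsb_first` option (the same captured bits read in reverse order) are assumptions of this example; nothing here comes from WowWee documentation.

```python
# Constructed sample: the posted table as (bits as read off the analyzer, posted hex).
CAPTURED = {
    "Mode":        ("0110 1000 0000", 0x680),
    "Prev":        ("0110 1000 0001", 0x681),
    "Next":        ("0110 1000 0010", 0x682),
    "Voice":       ("0110 1000 0011", 0x683),
    "Volume Down": ("0110 0001 0000", 0x610),
    "Mic Up":      ("0110 0001 0011", 0x613),
    "Volume Up":   ("0110 0001 0101", 0x615),
    "Mic Down":    ("0110 0001 0111", 0x617),
    "Alive":       ("0110 0101 0010", 0x652),
    "Play/Pause":  ("0110 1001 0000", 0x690),
}

def to_value(bits, lsb_first=False):
    """Turn a spaced 12-bit string into an integer, optionally reversing bit order."""
    raw = bits.replace(" ", "")
    if len(raw) != 12 or set(raw) - {"0", "1"}:
        raise ValueError(f"expected 12 binary digits, got {bits!r}")
    return int(raw[::-1] if lsb_first else raw, 2)

def nibbles(value):
    """Split a 12-bit value into (first, second, third) nibbles."""
    return (value >> 8) & 0xF, (value >> 4) & 0xF, value & 0xF

def hex_mismatches(table=CAPTURED):
    """Buttons whose posted hex does not match the posted binary."""
    return [b for b, (bits, hx) in table.items() if to_value(bits) != hx]

def groups(table=CAPTURED, lsb_first=False):
    """Map (first, second) nibble -> {third nibble: button}."""
    out = {}
    for button, (bits, _) in table.items():
        first, second, third = nibbles(to_value(bits, lsb_first))
        out.setdefault((first, second), {})[third] = button
    return out

def gaps(grouped):
    """Third-nibble values not seen between the lowest and highest in each group."""
    return {k: [c for c in range(min(v), max(v) + 1) if c not in v]
            for k, v in grouped.items()}

def first_nibbles(table=CAPTURED, lsb_first=False):
    """Set of leading nibbles across all buttons under the chosen bit order."""
    return {nibbles(to_value(bits, lsb_first))[0] for bits, _ in table.values()}

if __name__ == "__main__":
    print(gaps(groups()))
    print(first_nibbles(), first_nibbles(lsb_first=True))
```

Because 0110 reads the same in both directions, reversing the bit order moves the constant nibble from the front of every code to the end rather than removing it.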

RetroPlayer

The tracking IR system is separate from the remote sensor. On each front side of the jacket, in the pockets, there is an IR LED, an IR phototransistor, and an IR receiver (under the button snap.) The plate these are mounted to is glued to the fabric inside the pocket with high-temp hot glue. I ended up cutting the jacket up to get them out because there was just too much glue. The clips for the actual parts, though, pop out with some effort.

sevik

good (slightly early) morning :))

first nibble is device distinguisher may be.

It's compatible with robosapien since it has just "1" as device :)) all other devices must have "0..." codes.

sevik

http://www.aibohack.com/robosap/ir_codes_quad.htm
http://www.aibohack.com/robosap/ir_codes_v2.htm

seems that prefix codes exhausted and roboquad and elvis share the same prefix...

heh :)) and all device prefixes start with 0 :))

RetroPlayer

You think so? Wouldn't the number of bits mess it all up? The actual timing conditions are accurate as far as what I have read about the robosapien codes. I have not messed with the robosapien, so I am out of the loop on this aspect.

I put the unmodified binary in there, in case I am getting the endians wrong. These are exactly how it appears on the logic analyzer.

RetroPlayer

Ahh...RSV2 and the newer stuff is 12bit codes, Ok...

RetroPlayer

I added a screenshot of the logic analyzer output, just in case I am tired and screwing up the bit order.

RetroPlayer

Seems odd that Elvis would share a device code with something else. But, then the commands maybe are so different that there is no conflict?

sevik

Seems elvis and roboquad targeted to different user-groups :))

Codes clearly conflict with roboquad RED level codes

sevik

This can be checked by someone with universal roboremote and elvis or roboquad.

They can check using roboquad codes on elvis or reverse...

RetroPlayer

Well, that cuts me out. I have the Elvis, Chimp, Robopanda, and original Robosapien. That's it.

RetroPlayer

Sevik,
I am waiting for people to start waking up before I start fumbling around in my workshop making noise to build the risers and connect all the look wires for the logic analyzer. So, I am here on the thread early, but not quite ready for that yet. I am going to be pinning out the CPU while I wait.

sevik

Can you check just CS line of flash?

sevik

Posted question to roboremote topic, will see :))

http://www.robocommunity.com/forum/thread/13606/RoboRemote-Review-or...-...
