Elvis Cartridge has been hacked (updated: Article is on the way)

sevik

I think the flash really is mapped in the main CPU address space at 0x30000, so without too much messing with the index we can get the main firmware streamed to the MP3 decoder :))

RetroPlayer

Not easily. I have to rip Elvis apart and he is big and makes a lot of noise moving him around. He is on a stand so that he is level with my desk (when I start posting videos, you'll see my setup in bedroom and workshop, I'm sure.) I would also have to solder a couple of look wires, which means fumbling in my workshop. No soldering iron in my bedroom. I will be doing the captures in here, though. Workshop is too uncomfortable for extensive computer work.

The main person I am worried about waking up should be getting up soon.

What would we gain from the CS alone?

RetroPlayer

Did you install a keylogger on my comp when I FTP'd? :) How'd you know I was writing to ask that?

But, could you explain that better?

RetroPlayer

And their alarm is going off... they will be up soon and I can start making noise.

RetroPlayer

You know, it would be interesting to find out if there are actually remote codes directly for the motors. I bet there are. :)

sevik

:)))) I'm not a windows hacker :)))

CS as is just gives us a general pattern of access to flash (frequency of bursts and burst size).

And for different content we will get very different patterns:

for native code (some routines called from main code) we will have a repeated pattern of relatively long reads

for bytecodes we will have short reads repeated at similar intervals

for tables we will get very short and infrequent reads

sevik

For the main firmware, we can make an index entry with start 0x000 and end 0x10000, for example, for some known mp3. And when this mp3 plays, the main CPU will send bytes from this region to the mp3 decoder, where they can be logged by the LA (you can log the interface between the CPU and the mp3 codec chip).

You said that you found datasheets for mp3 decoder...

sevik

But in any case the interface between the CPU and the decoder must not be too hard to hack :)) We can log playback of a known mp3 for which we know the exact byte sequence and find this sequence in the CPU<->decoder interactions.

RetroPlayer

Do you have something to view CSV files? I'd like to send you the captures once I have them.

RetroPlayer

Good point. I hadn't thought of that. Sounds easy enough, if the MP3 decoder doesn't choke and throw a non-maskable interrupt to the CPU (doubtful).

sevik

Yes, I have :)) CSV really is just text with values separated by commas :))

So it is very simple to parse and process :))

RetroPlayer

BTW, the MP3 decoder is connected with SPI interface.

RetroPlayer

I know, that was another reason I liked this LA. I can export to CSV and then write a program to convert it to assembly (assuming that I know the opcodes and mnemonics).

RetroPlayer

My problem is that when writing programs for an OS, it takes me a week to do what you can do in a few minutes. :)

sevik

And you have a decoder in the LA :)) So it must be simple enough :))

Of course there can be problems, but it is worth trying in any case :))

sevik

Learn Python :)) it's really simple and powerful :))
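sevik's access-pattern heuristic from earlier in the thread (repeated long reads for native code, short reads at regular intervals for bytecode, very short infrequent reads for tables), applied to a logic-analyzer CSV export of the flash chip-select line, as an added Python example; this is not code from the thread or from either poster. The column names, the active-low CS assumption, the classification thresholds and the sample capture are all constructed for the example.

```python
import csv
import io
import statistics

# Constructed sample of a logic-analyzer CSV export (not a real Elvis capture):
# first column is time in seconds, second is the level of the flash chip-select
# line, assumed active low. It contains three long reads, four short regular
# reads, and two isolated very short reads.
SAMPLE_CSV = """Time [s],CS
0.000000,1
0.000100,0
0.000900,1
0.001000,0
0.001800,1
0.002000,0
0.002900,1
0.010000,0
0.010010,1
0.010200,0
0.010210,1
0.010400,0
0.010410,1
0.010600,0
0.010610,1
0.050000,0
0.050002,1
0.120000,0
0.120002,1
"""

# Thresholds are assumptions chosen for the sample; tune them to a real capture.
LONG_READ_S = 500e-6   # a burst at least this long looks like a native-code fetch
SHORT_READ_S = 50e-6   # an isolated burst no longer than this looks like a table lookup
REGULAR_CV = 0.25      # max coefficient of variation of gaps to call them "regular"
IDLE_GAP_S = 5e-3      # quiet time on CS that separates two activity windows


def parse_bursts(csv_text, cs_column="CS", active_level="0"):
    """Return (start_time, duration) for every interval in which CS is active."""
    reader = csv.DictReader(io.StringIO(csv_text))
    time_column = reader.fieldnames[0]
    bursts = []
    start = None
    for row in reader:
        t = float(row[time_column])
        active = row[cs_column].strip() == active_level
        if active and start is None:
            start = t                          # falling edge: burst begins
        elif not active and start is not None:
            bursts.append((start, t - start))  # rising edge: burst ends
            start = None
    return bursts


def segment_bursts(bursts, idle_gap=IDLE_GAP_S):
    """Group consecutive bursts into windows separated by idle gaps on CS."""
    windows, current, last_end = [], [], None
    for start, duration in bursts:
        if last_end is not None and start - last_end > idle_gap:
            windows.append(current)
            current = []
        current.append((start, duration))
        last_end = start + duration
    if current:
        windows.append(current)
    return windows


def classify_window(window):
    """Label a window of bursts using the long/regular/infrequent heuristic."""
    mean_duration = statistics.fmean([duration for _, duration in window])
    if mean_duration >= LONG_READ_S:
        return "native code"
    if len(window) >= 3:
        starts = [start for start, _ in window]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean_gap = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        if cv <= REGULAR_CV:
            return "bytecode"
    if mean_duration <= SHORT_READ_S:
        return "table"
    return "unknown"


def analyze(csv_text):
    """Return (window_start, burst_count, label) for each activity window."""
    windows = segment_bursts(parse_bursts(csv_text))
    return [(w[0][0], len(w), classify_window(w)) for w in windows]


if __name__ == "__main__":
    for start, count, label in analyze(SAMPLE_CSV):
        print(f"t={start:.6f}s  bursts={count:<2d} -> {label}")
```

On the constructed sample this yields one "native code" window, one "bytecode" window and two "table" windows. On a real export, the thresholds would have to be set from the capture's own burst histogram, and the labels remain a hint about what a flash region holds rather than a proof.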

RetroPlayer

I agree, and I wouldn't have thought to try it!

RetroPlayer

I am installing and registering ICQ so we can take the chat off the forum. No need to burn through another page in the next couple of hours...

RetroPlayer

Arghh... I have two monitors, but I need 4! :)

Nocturnal

RetroPlayer said:
HxD appears to have all the features required for a hex editor; it opens drives, RAM, and of course files. It also has a "wipe securely" feature which might work on the card.
There is, of course, the DOS format utility with the /U switch for unconditional formatting.
Any Linux or Mac users should pipe in with equivalent tools for their OS, so that I can list them as well.

cat /dev/zero > /dev/??? would zero out the drive under Linux.
Not sure on the suitable switches for mkfs to recreate the FAT filesystem though.

sevik said:
seems that prefix codes exhausted and roboquad and elvis share the same prefix...
heh :)) and all device prefixes start with 0 :))

All device prefixes start with 0 because they are going in order; if you look at this page, you will note that the prefixes are going in order of release. Several of the devices will also respond to their codes prefixed with 0xF. The RoboReptile's remote, for instance, actually has a jumper that can be used to trigger it to use the 0xF prefix (nobody has figured out how to get the RoboReptile to respond to the 0xF prefix though).

WowWee has in the past used remotes from previous models during the development of a new model; this could be a holdover from that. Elvis also doesn't really need a huge chunk of IR codes all to itself, so reusing an unused part of an existing address space makes sense.

The address space is not yet exhausted.

sevik said:
This can be checked by someone with universal roboremote and elvis or roboquad.
They can check using roboquad codes on elvis or reverse...

I suggest asking GWJax as he has an Elvis, a RoboQuad and a RoboRemote.

RetroPlayer

Where we are at:

Attempts to probe the Elvis mainboard with the Logic Analyzer were not very successful this weekend. We could see accesses into the animations and MP3s, but the whole data was suspect. I believe this is due to the fact that it required some very unstable wiring, and the need to work in cramped spaces inside the Elvis head. In fact, the look-wires that I attached had pulled up a trace from the stress and it had to be repaired.

I will rectify this by finishing the pinout of the CPU as much as possible and then building a "bed of nails" in the base where the battery box is. This will gently connect all pins from the CPU while remaining inside the Elvis. The space inside the battery box will be used to house the logic analyzer and any other electronics that I might add. More details on this when I get to it.
==========================================================================

While I am modifying the base, I will also attempt to put in the xD to smartmedia adapter where the cartridge port would go.
===========================================================================

I took apart the remote and will be putting it into a different enclosure. Partly because if it isn't going to be Elvis anymore, then a mic for a remote looks kinda silly. Secondly because I am attempting to discover any secret remote codes (or modes.) GWJax is going to be helping out with this as well.
============================================================================

Now, mostly the easy stuff is done. Creating custom animations with a hex editor is not going to be very realistic, so I am trying to work out a program to create them.

And of course, I am also working on the article....

sevik

A real animation script editor (for Elvis and for RoboPanda too :)) ) would have to be some OpenGL/DirectX visual app...

This is a lot of work and good enough 3D models of the robots will be needed for this...

In the case of RoboPanda, inverse kinematics and some physical modelling (for center of mass and balance) will be needed too. (It's going to be a 3D game with some "save as script" buttons :)) )

RetroPlayer

Three articles have been submitted. The first is just an introduction to what we are doing and some general information. Second is the construction of the custom xD cartridge. The third article details the animation script format.

I have at least three more articles lined up regarding the dumping of the original contents of the cartridge, the remote codes, and modifying the files on the main flash to hack the autonomous mode.

There will also be an article about adding the smartmedia converter socket instead of the custom cartridge. I have to finish some other tasks before I can get to that project.

RetroPlayer

Hopefully, several more articles leading up to realtime computer control and software to create the animations.

Rudolph

Congrats, you're on Hack-a-day!

RetroPlayer

Exciting! :) I will have to work quicker to get the "bed of nails" going. Those guys over there are hardcore and will eat me alive if I don't get to it first. :)

RetroPlayer

I ordered more pogo pins (I only have 40 ATM) and guide pins to do it and am working on the template right now to drill in acrylic and insert the pins.

roschler

Did anyone ever get either the Alive Chimp or the Elvis face motors to be controllable from a PC or microcontroller? I can't find the thread, but I remember someone announcing here that they were working on the Chimp, but they never published any successful results (that I know of); they even had bust-out pictures of the face and internal wiring. I just picked up an Elvis bust last week. I had one friend who is an engineer tear apart the Chimp, and he said that WowWee integrated the circuitry so deeply that it just wasn't reasonable to expect to control it that way.

Nocturnal

The Chimp was hacked. A guy worked on replacing the brain; I think he used Stamps to do it. Unfortunately all the important posts and images seem to have disappeared off the Parallax forum.

I think I have located the original author, I've contacted him to see if he still has the details.

roschler

Thanks Nocturnal. I wonder why the stuff was taken down?
