DOOM working on Nintendo Game & Watch


Today the new Nintendo Game & Watch can play DOOM. Of course, there are caveats: this is a watered-down version due to the constraints of the hardware itself. But the important thing is that it shows the hardware has been fully owned. This is code written to replace the firmware that shipped on the STM32, turning it into a wonderful little hardware platform that's completely open to homebrew hacking.

Honestly, you had to assume this was going to happen quickly given the effort being put into it. We first reported on Tuesday that the EEPROM storing the ROMs on the Game & Watch had been decoded. Shortly after that was published, [stacksmashing] and [Konrad Beckmann] were showing test patterns on the screen and mentioning that audio was working as well. It turns out they were able to dump the original firmware despite the chip's security lock.

We'll have to wait for more details on exactly how the firmware was dumped, but [stacksmashing] drops enough hints in the video to confirm the obvious. A common approach to dumping code from a locked microcontroller is to find a vulnerability that allows custom code execution. Being able to run a few lines of your own code is enough to set up something as simple as walking through all of the internal flash memory addresses and dumping their contents out over a few GPIO pins. In this case, our two heroes discovered that ARM code was being loaded from the EEPROM onto the STM32 and managed to inject their own instructions to perform the dump. They promise full details soon.

What we have today is a tricky enough hack: not only loading code, but getting DOOM to work on meager hardware specs, notably 128 KB of SRAM and 1.3 MB of external RAM. There is also a bottleneck in the 1.1 MB of flash available for storing game files. The textures have been removed and the memory allocation rewritten, but the proof of concept is there and the game works. Homebrew, here we are!

[Thanks @arturo182]
