My Nintendo Game and Watch arrived a day early! Let’s tear it down and see how it works - and how easy it is to hack it!
My Nintendo Game and Watch arrived a day early! Let’s tear it down and see how it works - and how easy it is to hack it!
My Nintendo Game and Watch arrived a day early! Let’s tear it down and see how it works - and how easy it is to hack it!
For opening it up you unfortunately need some Y-style screwdrivers - let’s see what’s underneath!
Interesting, an STM32H7B0VBT6 is the main processor! Cortex-M7, 128 KBytes Flash, 1024 KBytes of RAM. Also some unpopulated headers close by that expose SWD (the Arm Cortex-M debug interface)!
Next to it is a Macronix 25U8035 8Mb flash - definitely a candidate to be dumped!
Found the SWD pinout! Will check later whether it's enabled or locked!
Let’s see whether SWD is enabled!
SWD is enabled, but the device is secure unfortunately, so we can't simply dump the firmware via SWD!
SWD is enabled, but the device is secure unfortunately, so we can't simply dump the firmware via SWD!
SWD is enabled, but the device is secure unfortunately, so we can't simply dump the firmware via SWD!
Thought I bricked it for a second, but removing the battery (the connector lifts UP!) fixed it *phew* - time to dump the flash!
Dumped the flash using a Minipro and a SOIC8 clip - works in system! (Though I had the battery unplugged)
Checksums for those playing along at home:
MD5: 1f5a35ca9b4e6439639c70a01a113620
SHA256: e3a59ee061cd730957b17a34cde5575e49ef24168188b602ca317e8e1f3403fe
Checking the entropy of the dump it seems like it might be encrypted or compressed - no strings, no knows compression headers. Have to keep digging!
I figure before I continue (and possibly break it!) I should try to play the actual game first! 😀
Soo.. Should I try to use a fault injection attack to gain access to SWD, which will risk bricking it?
In the meantime: Found that the frame-buffer is readable from memory via SWD!
Awesome, seems like it loads a Super Mario Bros. NES ROM into RAM (device RAM contents left, original Super Mario Bros. ROM right)
The desk is slowly getting messy - but definitely having fuh!😀
Tried some simple stuff such as AES ECB with every possible key from the RAM contents, but no luck yet!
Some somewhat good news: I flipped some bits in the flash image and the device still boots. So no strong flash validation!
SUCCESS!! YESSSSS
So, eventually managed to bypass the Game & Watch ROM encryption 1 day before the official release 😁 Will try to release a video on it in the next few days with details on how that works!
You can follow @ghidraninja.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
Those who think consciousness raising & movement building are disconnected, or even a distraction from electoral politics have not paid attention to the history of social change.In this thread, we
Read more
The 2020s will be known as the Remote Work decadeA few predictions of what is likely to emerge[ a thread ] Third Space: Office and Working from Home will
Read more
1/29: Have you ever had a concept explained to you that helps frame complex issues you’ve been wrestling with and opens your eyes to new possibilities? A concept that I
Read more
By continuing to use the site, you are consenting to the use of cookies as explained in our Cookie Policy to improve your experience.