blog.jmp.no

Electronics, coding and hacking. And ADD.

Three quick tips for improving your Arcade1UP

2019
7
March

I feel I've had my share of luck with the arcade lately, so I thought hey, why not push it a bit further? It's not over until the box is bricked and I'm all tears and regret. All of these tips require that you have root access on it already.

Boot faster!

The boot process is actually very fast, but the arcade has a few built-in splash screens, which not only takes time to play out, but is also followed by seconds of doing nothing - scripted delays. This happens in /etc/init.d/S99game, and can be removed by adding the # symbol to comment out the lines. By disabling the following lines you will shave a solid 13 seconds off the boot time:

#./mplayer -af volume=-19 -softvol -softvol-max 100 arcade1up.avi
#sleep 1
#cat /root/565/legal.565 > /dev/fb0
#sleep 5

..and the device now boots in less than 6 seconds - that's not too shabby!


Overclock it!

The Linux installation supports frequency scaling, and the current speed can be read with

# cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq

If your arcade is like mine, it should output 1008000. As you can see it's currently set to 1GHz, but the CPU is capable of so much more. I used a stick-on heat sink to assist the cooling a little bit.


Heatsink installed

You can list the supported frequencies with the following command:

# cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_frequencies

30000 48000 60000 72000 84000 96000 108000 120000 132000 144000
156000 168000 180000 192000 204000 216000 240000 264000 288000
300000 336000 360000 384000 408000 432000 480000 528000 576000
600000 648000 672000 696000 720000 744000 768000 816000 864000
912000 960000 1008000 1056000 1104000 1152000 1200000 1248000
1296000 1344000 1392000 1440000 1488000

..but that doesn't mean you can pick from the top shelf. I found that my arcade runs stable at 1.248 GHz. Any higher and it will crash immediately.

# echo 1248000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

Add this to one of the startup files if you want it permanently. For me, I'm still just playing around with it to see what it's capable of.

Low on disk space? Use a memory stick.

Some games are demanding in terms of disk space. If you added the USB port, you can use an USB stick for extra storage. You can mount it as

# mount /dev/uba1 /mnt/udisk

..provided that you have the same partition scheming as I do. You can symlink the games from /root/roms or reconfigure the roms directory in mame.ini.


Reassembled with USB hub and memory stick

As you can see, there's also no problem introducing a USB hub to the equation, in case you want the keyboard and the USB stick connected simultaneously.

Arcade1UP USB, buttons working

2019
4
March

Today I added the USB connector, as described on this Imgur gallery. I'm going to find a more elegant solution to some issues, but it does the job for now.

I used a female USB plug and soldered it to the PCB points using a four wires. They are currently unshielded, but that's not a problem for a low-speed device like a keyboard. Maybe I will find a more elegant solution in the future. The USB plug was then hotglued to the back of the case and will hopefully stay there for a while.


Once connected I could access the MAME menu by pressing the [TAB] key. The arcade buttons was accessible from there, and configurations automatically saved.

Below is the finished solution. That'll do for now. I removed the UART wires as they will be replaced by a BTLE wireless UART module later. The USB keyboard was left inside the arcade in case I need to reconfigure some keys on a later occasion.


Super Mario Bros works perfectly, and I'm looking forward to spending hours of fun with this arcade!

Exploring the Arcade1UP

2019
4
March

About two weeks ago our local Toys'R'Us had a final closing sale with 90% off on all items. Knowing they had a few arcades in the store, I showed up early to get Street Fighter, but since they were all sold out I bought the Asteroids edition instead.

Assembling the game


Beer can for scale

This is the one I bought. Unassembled, flat-packed, IKEA style. Unfortunately I did not take any pictures of the build process, but the manuals were easy to follow, and I spent about half an hour setting it up. Got a little help from my 8 year old daughter, too.


After powering up the device, a menu popped up with a list of four games: Asteroids, Tempest, Major Havoc, and Lunar Lander. All games from the vector era, i.e. graphics composed of just lines.

Not quite my cup of tea to be honest, but it was a calculated risk. If it was too boring, I could do a switcheroo with a Raspberry Pi, or maybe one of those 60-in-1 boards. Either way, I wanted to explore the insides, so last night I decided to pop the lid and see how hackable it is. Spoiler alert: Oh, it is. Very much so.

Finding a serial console

I removed the game PCB, which is located behind the LCD screen. The first thing that caught my eye were the ICs: their surfaces has been etched away to hide the model numbering. This made me question my naïve approach, but I kept going and blindly probed around with the oscilloscope. After foolishly looking for some interesting test points, I stumbled across something interesting: right next to the flat flex cable, where it says "CON4", there's a 4-pin port. The signals were easily identified as: 3V3, TX, RX and GND. Yes, we have a UART.


I soldered a pin header and started looking around for USB-UART modules. Of course, all were gone and the ones I've ordered had not arrived yet. I settled using an Arduino as a temporary substitute. I simply set up a SoftwareSerial and monitored the activity using putty. The UART runs at 115200,8,N,1 and keeping an eye on it at power up shows a long boot log, and reveals that this arcade is running BuildRoot Linux!


Logging in, looking around

After the boot I was dumped at a login prompt. A user named "default" has no password, and spawns a BusyBox shell. The baudrate of 115200 caused a lot of errors, but slowing it down to a baudrate of 19200 (by issuing a stty -F /dev/ttyS0 19200) fixed that. This would not be a problem with a proper UART-USB adapter.

After exploring the file system, the essentials boils down to:

  • The arcade runs MAME. Basically all the files required by the emulator are located in /root.
  • A directory called 565 contains all the menu graphics, which is dumped directly to the framebuffer on demand.
  • Despite the menu only listing four available games, there are a total of seven games installed. The extra game ROMs are Gravitar, Asteroid Deluxe and Street Fighter!
  • The /root directory contains a couple of scripts for mounting and unmounting external storage. I suspect there's a USB port on the board somewhere.
  • A script called "mameload.sh" executes /root/mame with parameters from a file in /tmp.
  • Without root privileges, the adventure appears to end here.
  • Getting root privileges

    I started looking for BuildRoot exploits but couldn't find any easily accessible. The password file /etc/shadow was not readable by me at this point, so I couldn't crack the root password either.

    But wait, hang on - look at that mameload.sh script again, and check out the file mode bits:

    -rwxrwxrwx 2 root root 72 Jan 1  00:01 mameload.sh

    This file belongs to root and all users have write privileges to it! The menu process is also run by root, could this be a loophole to gain root access? Another spoiler alert: Yes it is.

    I added a few commands to the script which took a copy of /etc/shadow in /tmp. Starting a game confirmed that this worked, I had a readable copy in /tmp! Instead of cracking the password, which would probably be trivial, I removed it entirely. I then modified the mameload.sh script once again, this time to take a copy of /tmp/shadow back to /etc.

    And now root no longer needs a password and we have full access!

    Street Fighter!

    "What, this ol' thing? Just my Asteroids arcade running Street Fighter, nothing special."


    Importing a new game

    Importing a game from the "outside" was a bit of a challenge through a serial connection. After some impatient finger drumming, I noticed that uudecode was a part of the BusyBox. This means I can transfer a file as 7-bit text over the serial terminal, and turn it back to 8-bit binary on the arcade side.

    And that worked too! Welcome to your new home, Mario.


    Plans ahead

    I have to admit there's one thing left, and that's configuring the buttons to the new games. I need to read up a little on MAME cfg files, but I think this should be a pretty painless.

    Also, while writing this blog entry, I found that someone has already found the USB port I was talking about earlier. I will attempt to solder a connector to it later today and see how it works out. This will make file transfer much easier.

    Patching the live Amiga ROM

    2019
    27
    February

    As I'm adressing the previous issue with the APECAT board, I'm trying my best to simultaneously plan ahead and clear the road for future obstacles.

    One of the issues I want out of the way is patching the Amiga system ROM, commonly known as the Kickstart.

    As implied, the Kickstart is stored in Read-Only Memory. Physically reprogramming it in situ is pretty much impossible, but thankfully the Amiga developers thought ahead and made a shadow copy of the address vector table in RAM. This table can easily be updated using the exec.library's SetFunction(), which is what I'll be attempting today.

    In the example below I'll be overloading the dos.library's Open() function. To prove it's doing its job, I'll be flashing the screen every time it's called, followed by jumping to the native, original Open() code afterwards.

    For those of you not fluent in 68k assembly, I've included some comments to outline the basics.

    ; exec.library:
    MEMF_PUBLIC=1
    _LVOAllocMem=-198
    _LVOForbid=-132
    _LVOPermit=-138
    _LVOOpenLibrary=-408
    _LVOCloseLibrary=-414
    _LVOSetFunction=-420
    
    ; dos.library:
    _LVOOpen=-30
    
    start:
    	*************************************************
    	* Open dos.library
    	*************************************************
    
    	move.l 4.w,a6
    	lea dosname(pc),a1
    	moveq #0,d0
    	jsr _LVOOpenLibrary(a6)
    
    	lea dosbase(pc),a0
    	move.l d0,(a0)
    
    	*************************************************
    	* Store original function address
    	*************************************************
    
    	move.l d0,a6
    	lea _LVOOpen(a6),a0
    	lea jump(pc),a1
    	move.l 2(a0),2(a1)
    
    	*************************************************
    	* Prohibit multitasking and allocate memory
    	*************************************************
    
    	move.l 4.w,a6
    	jsr _LVOForbid(a6)
    
    	moveq #new_open_function_length,d0
    	moveq #MEMF_PUBLIC,d1
    	jsr _LVOAllocMem(a6)
    	bne.b .memOK
    	moveq #2,d1
    	bra.b .closeDos
    
    .memOK:
    	*************************************************
    	* Copy code to allocated memory
    	*************************************************
    
    	move.l d0,a1
    	lea new_open_function(pc),a0
    	moveq #[new_open_function_length/2]-1,d1
    .copy:	move.w (a0)+,(a1)+
    	dbra d1,.copy
    
    	*************************************************
    	* SetFunction and permit multitasking
    	*************************************************
    
    	lea (_LVOOpen).w,a0
    	move.l 4.w,a6
    	move.l dosbase(pc),a1
    	jsr _LVOSetFunction(a6)
    	jsr _LVOPermit(a6)
    
    	*************************************************
    	* Close lib and exit
    	*************************************************
    
    .closeDos:
    	move.l dosbase(pc),a1
    	jsr _LVOCloseLibrary(a6)
    	moveq #0,d0
    	rts
    
    	*************************************************
    	* My fake custom function
    	*************************************************
    
    new_open_function:
    	move.l #5000,d0
    .s:	move.w d0,$dff180
    	dbra d0,.s
    jump:	jmp $0
    new_open_function_length=*-new_open_function
    
    dosbase:dc.l 0
    dosname:dc.b 'dos.library',0
    

    ...and that's it. We've successfully patched the ROM, and here it is in action to prove that it works. I'm running the program, and then loading a file, which consequentally triggers the Open() function in dos.library. As you can see, the screen flashes in many colors before loading the file.


    This is also an accidental step-by-step tutorial in case you want to write a virus for the Amiga. Just make it survive a reset and let Hell break loose. Or not. Please don't.

    But why do I want to patch the Kickstart in the first place? And why would I patch it before anything has been loaded or is running? Make a guess and wait for the next post. Bonus points if you get it right.

    Work in progress: APECAT

    2019
    30
    January

    Since I foolishly announced a minimum of one post per month, I'll do my best to keep my promise. This is why I'm lifting the curtains on my latest project: the APECAT.

    APECAT is short for Amiga Processor Expansion Card for Application Transfer, and yes, I totally made that acronym up. Apekatt in Norwegian, translated word-by-word, means ape and cat. But for some reason it means monkey, and monkeys are fun. That's basically as deep as it goes.

    This is work in progress as I'm still battling with a few minor bugs, but feel confident it will work eventually. I'll dig into the problems I'm experiencing further down this article.

    The APECAT is a small, minimalist board you sandwich between the Amiga's 68000 CPU and motherboard. Its purpose is to allow the user to send data from an external host, for example a PC or a Raspberry Pi, and have it uploaded directly into the Amiga's memory. It is in many ways similar to the C64FC, only for the Amiga 500.

    The goal is to be able to run software on an original Amiga, without using a floppy drive or hard drive at all. In fact, the Amiga I'm testing this on is just the motherboard. It doesn't even have a keyboard or a mouse attached.

    How will it run anything without any software in the first place?

    I have designed a hack for booting custom code from RAM, without the use of a floppy or hard drive. In short, it involves using the APECAT to stackbomb and interrupt the system ROM, followed by setting a reset-resident routine. This process takes less than a second. My custom code is then executed, which monitors the memory looking for flags set externally by the APECAT board. The basic principle has been tested and is confirmed working in the WinUAE Amiga emulator, but technical challenges has prevented me from running this on read hardware yet.

    So what's not working?

    The challenge is writing the data to RAM. I know this sounds like a deal breaker, but I strongly believe it's a minor issue and a consequence of not getting something right. I can freeze the CPU, point to a certain address in memory and write a value to it, but the value written is.. wrong. It seems almost random. I suspect this is due to one (or more) of these reasons:

    • The timing is wrong. My code is either too fast or too slow.
    • The order of write events are wrong. I'm doing things right, but not in the right order.
    • I've missed something, like toggling a line or gate. What have I overlooked?
    • The microcontroller I'm using is doing stuff I'm not aware of. Is the ICSP or something else disturbing things?
    • I'm lost in my own code. The code is quite complex and confusing at the moment.
    • I'm on a wild goose chase and this is whole project is impossible

    Have you ever done something similar? Have you experienced similar write bugs on the 68000, or another system? Any ideas what I might have left out, based on what you've read so far? Leave a comment, I'd love to hear from you if you have. Let's discuss this in detail and figure out what's wrong.

    I'm pretty close, though. As you can see from the image below, I'm bombarding the custom chipset at address $dff102, which is the horizontal scroll register. The addressing works, but the values written does not line up with what's expected. This obviously also works for other addresses, such as the background color, foreground color, bitplane pointers, etc. but this is the most convenient register to play with for visual confirmation.


    This is the state of the current board, as it almost works. Bodge wires to /BGACK and /AS was added, as they were left out in the design process. The damage on the board you see is the VCC trace from the CPU that has been cut, as it was redundant and caused problems.


    Wait, don't too carried away!

    This is no miracle device, it is nothing revolutionary. It cannot be used to real-time debug the Amiga. It cannot read anything from the CPU. It can upload shit to RAM, and at the time being, that's all it'll ever do.

    That doesn't make it any less exciting though, so stay tuned for updates. This will work soon, I know it.

    Add to Google