Hacking, Coding and Gaming | @[email protected]

I gave a talk at 0xcon and BSides Cape Town (with my friend Dale) on Hacking and Weaponizing the NES Classic Mini. Slides are available here.

Along with looking at the popular "Hakchi" mod and the ways it can be used to add WiFi functionality to the NES Classic Mini, we also discussed how to add custom binaries and how to hack the (emulated) NES games' memory using the "bash" and "dd" that "busybox" provides on the device. The scripts written for and described in the talk are listed below - use them at your own risk!

  • dump-heap.sh - dumps the memory of the running emulator process to a file (this is where all of the game state lives)

  • find-offset.sh - scans a set of dumped heap files for the memory addresses that change the most between them. Create a new dump every time the value you are looking for (e.g. the number of lives) changes, and name the file after that value (e.g. 03.bin for 3 lives). Note that the value stored in memory may be one more or one less than the value shown on screen (as is the case for lives in Super Mario Bros 1)

  • read-offset.sh - reads a byte from memory at the given offset (in hex), used by many of the other scripts

  • write-offset.sh - writes a byte to memory at the given offset (in hex), used by many of the other scripts

  • is-crt-mode.sh - returns true or false: the "CRT" video mode changes the emulator's memory layout, so this is used to decide which set of offsets to use

  • get-rom-offset.sh - attempts to locate the ROM's iNES header (the bytes "NES" followed by 0x1A) in memory and calculates offsets relative to it, since working from the ROM's position in memory gives more stable offsets than working from the start of the emulator's memory

  • get-mario-info.sh - extracts info from the active Super Mario Bros 1 game and prints it to the terminal

  • game-genie-offset.sh - converts the CPU address that a Game Genie code refers to into the corresponding offset in the emulator's memory, for memory patching

  • gamegenie.sh - uses HaseeB Mir's Game Genie Decoder to convert a Game Genie code into an address and the byte to write there, and patches memory accordingly

  • video-on-mushroom.sh - shows how normal execution can be interrupted and a video played (if/when you have a static ARMHF ffmpeg binary) during Super Mario Bros 1 whenever a mushroom or flower is collected
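The dump-and-diff workflow that dump-heap.sh, find-offset.sh, read-offset.sh and write-offset.sh implement, as an added example written for this page (my own code, not the scripts from the talk or from the hypn/nes-classic-scripts repository). It sticks to tools busybox provides (sh, grep, cut, dd, od, tr, cmp, sort, uniq, awk, sed) and to the NN.bin naming convention described above. dump_heap assumes the game state lives in the emulator's [heap] mapping and needs root on the console; everything else is exercised on constructed dump files, so it runs anywhere:

```shell
#!/bin/sh
# Added example, not code from the talk or from hypn/nes-classic-scripts.

# dump_heap PID OUTFILE: copy the [heap] mapping of PID out of /proc/PID/mem.
# The range comes from /proc/PID/maps; both ends are page aligned, so dd can
# skip and count in 4 KiB blocks instead of crawling byte by byte.
dump_heap() {
  pid=$1; out=$2
  range=$(grep '\[heap\]' "/proc/$pid/maps" | cut -d' ' -f1)
  [ -n "$range" ] || { echo "dump_heap: no [heap] mapping for pid $pid" >&2; return 1; }
  start=$((0x${range%-*})); end=$((0x${range#*-}))
  dd if="/proc/$pid/mem" of="$out" bs=4096 skip=$((start / 4096)) \
     count=$(((end - start) / 4096)) 2>/dev/null
}

# read_byte FILE HEXOFF -> the byte at HEXOFF as two hex digits.
read_byte() {
  dd if="$1" bs=1 skip=$((0x$2)) count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# write_byte FILE HEXOFF HEXVAL: patch one byte in place. conv=notrunc keeps dd
# from truncating FILE; with of=/proc/PID/mem the same call patches the live emulator.
write_byte() {
  printf "\\$(printf '%03o' $((0x$3)))" |
    dd of="$1" bs=1 seek=$((0x$2)) count=1 conv=notrunc 2>/dev/null
}

# find_offset DUMP1 DUMP2 [DUMP3 ...]: print "HEXOFF COUNT" lines, most volatile
# first, where COUNT is the number of consecutive dump pairs in which that byte
# changed (cmp -l reports 1-based byte numbers, hence the -1).
find_offset() {
  prev=$1; shift
  for cur in "$@"; do
    cmp -l "$prev" "$cur" | awk '{ printf "%x\n", $1 - 1 }'
    prev=$cur
  done | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# filter_by_name DUMP...: read find_offset's candidates on stdin and keep only the
# offsets whose byte in every dump equals the number in that dump's file name
# (NN.bin), allowing the off-by-one the text warns about (03.bin may hold 2 or 4).
filter_by_name() {
  while read -r off _; do
    ok=1
    for f in "$@"; do
      want=$(basename "$f" .bin | sed 's/^0*//'); want=${want:-0}
      got=$(read_byte "$f" "$off"); got=$((0x${got:-0}))
      d=$((got - want))
      [ "$d" -ge -1 ] && [ "$d" -le 1 ] || { ok=0; break; }
    done
    if [ "$ok" = 1 ]; then echo "$off"; fi
  done
}

# demo_find_lives: three constructed 64-byte "dumps" (not real NES Classic memory),
# named after the lives count they stand for, with the lives byte at 0x10, a
# constant byte at 0x2a and a byte at 0x20 that changes only once (a timer, say).
# Prints the offset that survives both filters.
demo_find_lives() {
  dir=$(mktemp -d)
  for n in 3 2 1; do
    f="$dir/0$n.bin"
    head -c 64 /dev/zero > "$f"
    write_byte "$f" 10 "$n"
    write_byte "$f" 2a 7
  done
  write_byte "$dir/01.bin" 20 5
  find_offset "$dir/03.bin" "$dir/02.bin" "$dir/01.bin" |
    filter_by_name "$dir/03.bin" "$dir/02.bin" "$dir/01.bin"
  rm -rf "$dir"
}
```

On the console the same flow is `dump_heap <emulator pid> 03.bin`, lose a life, `dump_heap <pid> 02.bin`, and so on, then `find_offset 03.bin 02.bin 01.bin | filter_by_name 03.bin 02.bin 01.bin`; the surviving offset is what `read_byte`/`write_byte` (or the page's read-offset.sh/write-offset.sh) take.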

Additionally, I hacked up a simple "slideshow" app, using some joystick event reading code, which listens for controller button presses and shows the corresponding video (using "ffmpeg" from the link above) or image (using "decodepng"). Videos are shown first, so you are better off having a video and an image with the same filename to avoid the video ending on a black screen. Left and right on the controller skip videos, making it easy to move back or forward through slides quickly, while the A and B buttons navigate and play videos. Pressing "select" twice on the controller exits the slideshow app (presumably back to the main menu). The slideshow code is available here: https://github.com/hypn/nes-classic-scripts/tree/master/slideshow.
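As an added example of what get-rom-offset.sh, game-genie-offset.sh and gamegenie.sh do together (my own code, not the scripts from the talk and not HaseeB Mir's decoder), the script below decodes a Game Genie code itself using the standard NES Game Genie bit layout, locates the iNES header in a heap dump and turns the code's CPU address into a patch position in that dump. It assumes the emulator keeps the plain iNES image in memory (which is what locating the header relies on) and a mapper-0 cartridge such as Super Mario Bros 1; the "dump" it is run on is constructed inline, with SXIOPO (the well-known Super Mario Bros 1 infinite lives code) as input:

```shell
#!/bin/sh
# Added example, not code from the talk or from hypn/nes-classic-scripts.
# POSIX sh plus busybox-style tools only (dd, od, tr, sed, awk, printf, head).

GG_ALPHABET=APZLGITYEOXUKSVN   # NES Game Genie letters; the index is the nibble value

# gg_nibble LETTER -> 0..15, or -1 if LETTER is not a Game Genie letter.
gg_nibble() {
  rest=${GG_ALPHABET#*$1}
  echo $(( ${#GG_ALPHABET} - ${#rest} - 1 ))
}

# gg_decode CODE -> "CPUADDR DATA" for 6 letters, "CPUADDR DATA COMPARE" for 8 (hex).
# n0..n7 are the letter nibbles; the bit shuffle is the documented NES Game Genie scheme.
gg_decode() {
  code=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  len=${#code}
  [ "$len" -eq 6 ] || [ "$len" -eq 8 ] || { echo "gg_decode: need 6 or 8 letters" >&2; return 1; }
  i=0
  for c in $(printf '%s' "$code" | sed 's/./& /g'); do
    case $c in [A-Z]) ;; *) echo "gg_decode: invalid character $c" >&2; return 1 ;; esac
    n=$(gg_nibble "$c")
    [ "$n" -ge 0 ] || { echo "gg_decode: invalid letter $c" >&2; return 1; }
    eval "n$i=$n"
    i=$((i + 1))
  done
  hi=$(( ((n3 & 7) << 12) | ((n5 & 7) << 8) | ((n4 & 8) << 8) ))
  lo=$(( ((n2 & 7) << 4) | ((n1 & 8) << 4) | (n4 & 7) | (n3 & 8) ))
  addr=$(( 0x8000 | hi | lo ))
  if [ "$len" -eq 6 ]; then
    data=$(( ((n1 & 7) << 4) | ((n0 & 8) << 4) | (n0 & 7) | (n5 & 8) ))
    printf '%04x %02x\n' "$addr" "$data"
  else
    data=$(( ((n1 & 7) << 4) | ((n0 & 8) << 4) | (n0 & 7) | (n7 & 8) ))
    cmpv=$(( ((n7 & 7) << 4) | ((n6 & 8) << 4) | (n6 & 7) | (n5 & 8) ))
    printf '%04x %02x %02x\n' "$addr" "$data" "$cmpv"
  fi
}

# byte_at FILE DECOFF -> the byte at decimal offset DECOFF as two hex digits.
byte_at() {
  dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# find_rom_header DUMP -> decimal offset of the first iNES magic ("NES" then 0x1A),
# or -1. The match is checked on a byte boundary so a misaligned nibble hit is skipped.
find_rom_header() {
  od -An -v -tx1 "$1" | tr -d ' \n' | awk '
    { s = $0; base = 0
      while ((p = index(s, "4e45531a")) > 0) {
        if ((base + p - 1) % 2 == 0) { print (base + p - 1) / 2; exit }
        s = substr(s, p + 1); base += p
      }
      print "-1" }'
}

# gg_heap_offset DUMP CODE -> "HEAPOFF DATA [COMPARE]" (hex): where inside DUMP the
# code's CPU address is backed. Mapper-0 assumption: PRG starts right after the 16-byte
# header (plus a 512-byte trainer if flags6 bit 2 is set) and a 16 KiB PRG mirrors at $C000.
gg_heap_offset() {
  dump=$1
  dec=$(gg_decode "$2") || return 1
  set -- $dec
  cpu=$((0x$1)); shift
  h=$(find_rom_header "$dump")
  [ "$h" -ge 0 ] || { echo "gg_heap_offset: no iNES header in $dump" >&2; return 1; }
  prg=$(( 0x$(byte_at "$dump" $((h + 4))) * 16384 ))
  [ "$prg" -gt 0 ] || { echo "gg_heap_offset: header reports no PRG ROM" >&2; return 1; }
  f6=$(( 0x$(byte_at "$dump" $((h + 6))) ))
  f7=$(( 0x$(byte_at "$dump" $((h + 7))) ))
  mapper=$(( (f7 & 0xf0) | (f6 >> 4) ))
  [ "$mapper" -eq 0 ] || echo "gg_heap_offset: mapper $mapper banks PRG; offset may be wrong" >&2
  base=$(( h + 16 + ((f6 & 4) ? 512 : 0) ))
  printf '%x %s\n' $(( base + (cpu - 0x8000) % prg )) "$*"
}

# demo_game_genie: constructed stand-in for a heap dump (64 filler bytes, an iNES header
# for a 32 KiB PRG / 8 KiB CHR mapper-0 cart, then an all-zero PRG). Locates the SXIOPO
# patch, applies it with dd exactly as a live /proc/PID/mem patch would be done, and
# prints "HEAPOFF DATA BYTE_NOW_AT_HEAPOFF".
demo_game_genie() {
  dump=$(mktemp)
  { head -c 64 /dev/zero | tr '\0' 'A'
    printf 'NES\032\002\001\000\000'
    head -c 8 /dev/zero
    head -c 32768 /dev/zero
  } > "$dump"
  res=$(gg_heap_offset "$dump" SXIOPO) || { rm -f "$dump"; return 1; }
  set -- $res
  printf "\\$(printf '%03o' $((0x$2)))" | dd of="$dump" bs=1 seek=$((0x$1)) count=1 conv=notrunc 2>/dev/null
  now=$(byte_at "$dump" $((0x$1)))
  rm -f "$dump"
  echo "$1 $2 $now"
}
```

Against a real dump the call is `gg_heap_offset heap.bin SXIOPO`; the printed offset is what write-offset.sh (or the dd line in demo_game_genie, pointed at /proc/PID/mem) patches. Mapper-0 games are the safe case: anything with bank switching needs the mapper's fixed/swappable bank rules, which this example only warns about.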