Close
0%
0%

Reversing The 8Bitdo Retro Receiver

A small study on the internals of 8Bitdo's Retro Receiver for SNES Classic. Tear Down and BOM

Public Chat
Similar projects worth following
The Retro Receiver uses I2C protocol to talk to the SNES Classic i in the same way (and with the same port) as a wiimote nunchuck talks to a wiimote. Its main function is to translate one of the many bluetooth wiimote compatible controllers (and PS3/PS4 controllers) to the I2C interface on the SNES Classic. It also functions as a PC receiver (via USB port), allowing compatible controllers to show up as an XBOX 360 Controller when paired.

What a great little piece of tech built with the GD32F103, a widely available and inexpensive SoC.

x-zip-compressed - 9.22 MB - 09/25/2018 at 08:29

Download

Adobe Portable Document Format - 1.26 MB - 09/25/2018 at 08:28

Preview
Download

x-zip-compressed - 959.95 kB - 09/25/2018 at 08:28

Download

x-zip-compressed - 407.74 kB - 09/25/2018 at 08:28

Download

x-zip-compressed - 405.62 kB - 09/25/2018 at 08:28

Download

View all 8 files

  • 1 × GB32F103 GB32F103CBT6 SOC
  • 1 × RDA5876

  • Poking around.

    zvodd09/25/2018 at 16:55 0 comments

    first look at firmware `.bin`s:

    • appears to be compressed or encrypted with >0.9 entropy almost all over in binwalk.
    • ~42KB each - are loaded into SRAM when flashing?
    • 42012 Jun  2  2017 8Bitdo_NesMini_RR_Firmware_V1.06.dat
      42012 Sep 30  2017 8Bitdo_NesMini_RR_Firmware_V1.07.dat
      42524 Dec  5  2017 8Bitdo_NesMini_RR_Firmware_V1.08.dat
      44572 Mar 15  2018 8Bitdo_NesMini_RR_Firmware_V1.11.dat
      42012 Mar  6  2017 8Bitdo_NesMini_RR_Firmware_V105_beta3.dat 

    Unsure of the format, should search around for a possible standard format before... 

    Radare2 into ~updatesTools~/MacOS/8Bitdo_Retro_Receiver_Tools_For_Update. ( literally first time running radare)

    • Symbols seem to be complete, fairly concise 200kb elf executable - seem like lower hanging fruit than 2mb win32 exe.
    • Interesting  symbols might shed light on format
    0x1000055d0 : sym._SendFirmwareHeader
    0x1000045c0 : sym._SendFirmwarePacket
    0x1000051d0 : sym._Send_FirmwareDataPacket
    0x1000054e0 : sym._Set_ApplicationEncodeID
    0x1000044b0 : sym._VerificationId
    0x100005290 : sym._WriteFlash_Packet
    0x1000049a0 : sym._WriteHid
    0x100006690 : sym.___hex_dump
    0x100000000 : sym.__mh_execute_header
    0x100007090 : sym._add_callback
    0x10001c1a0 : sym._app_key_index
    0x10001c34c : sym._cur_devVersion
    0x10001c340 : sym._data_status
    0x10001c350 : sym._firmware_type
    0x10001c354 : sym._g_firmware_update_state
    0x10001c190 : sym._gamepad_type
    0x100006940 : sym._getCurrentPath
    0x10001c1e8 : sym._help_text
    0x1000067a0 : sym._hex_dump_log
    0x100006670 : sym._input_callback
    0x10001c338 : sym._m_FilePathName
    0x10001c358 : sym._m_firmwareHeader
    0x10001c378 : sym._m_handleFirmeWare
     __hex_dump: takes a string, checks length? prints things? might just be for dev debuging (possibly for dumping hex :P ).
               | mov qword [local_8h], rdi                          |           
               | ; arg2                                             |           
               | mov qword [local_10h], rsi                         |           
               | ; arg3                                             |           
               | mov dword [local_14h], edx                         |           
               | mov dword [local_18h], 0                           |           
               | cmp qword [local_8h], 0                            |           
               | je 0x1000066d5;[ga]                                |           
               `----------------------------------------------------'           
                       | |                                                      
                       | '----------------------.                               
          .------------'                        |                               
          |                                     |                               
          |                                     |                               
      .--------------------------------.    .--------------------------------.  
      |  0x1000066b8 [ge]              |    |  0x1000066d5 [ga]              |  
      | ; 0x100012f0e                  |    | ; 0x100012f1b                  |  
      | ; "\n%s size=%d\n"             |    | ; "\nsize=%d\n"                |  
      | lea rdi, str.s_size__d         |    | lea rdi, str.size__d           |  
      | mov rsi, qword [local_8h]      |    | mov esi, dword [local_14h]     |  
      | mov edx, dword [local_14h]     |    | mov al, 0                      |  
      | mov al, 0                      |    | call sym.imp.printf;[gc]       |  
      | call sym.imp.printf;[gc]       |    | mov dword [local_20h], eax     |  
      | mov dword [local_1ch], eax     |    `--------------------------------'  
      | jmp 0x1000066e9;[gd]           |        |                               
      `--------------------------------'        |                               
          |                                     |                               
          '------------.                        |                               
                       | .----------------------'                               
                       | |                                                      
                       | |                                                      
                 .------------------------------------------------.             
                 |  0x1000066e9 [gd]                              |             
                 | ; CODE XREF from 0x1000066d0 (sym.___hex_dump) |             
                 | mov dword [local_18h], 0                       |             
                 `------------------------------------------------'             
    We should try and start with the start of the bin files in more relevant functions:  `_m_firmwareHeader` `_firmware_type` ...later.
    fw `.bin` headers:
    v105:
    0x00000000  6900 0000 0034 0008 00a4 0000 0000 0000  i....4..........
    0x00000010  0000 0000 0000 0000 0000 0000 4375 28d4  ............Cu(.
    
    v106:
    0x00000000  6a00 0000 0034 0008 00a4 0000 0000 0000  j....4..........
    0x00000010  0000 0000 0000 0000 0000 0000 a374 28d4  .............t(.
    
    v107:
    0x00000000  6b00 0000 0034 0008 00a4 0000 0000 0000  k....4..........
    0x00000010  0000 0000 0000 0000 0000 0000 a374 28d4  .............t(.
    
    v108:
    0x00000000  6c00 0000 0034 0008 00a6 0000 0000 0000  l....4..........
    0x00000010  0000 0000 0000 0000 0000 0000 ab74 28d4  .............t(.
    
    v111:
    0x00000000  6f00 0000 0034 0008 00ae 0000 0000 0000  o....4..........
    0x00000010  0000 0000 0000 0000 0000 0000 8b76 28d4  .............v(.

     Well i guess we know what the first byte is.

    Checks for a vendor ID for the Retro Receiver

    # sym._IOHIDDevice_GetVendorID (int arg1);
    # 0x100006908 ...
    Read more »

View project log

Enjoy this project?

Share

Discussions

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates