Hardware WODE CFW?

gudenau

Largely ignored
Member
GBAtemp Patron
Joined
Jul 7, 2010
Messages
3,738
Trophies
0
Location
/dev/random
Website
www.gudenau.net
XP
3,436
Country
United States
Wasn't the Wode open source? I could have sworn it was.
The code that ran on the Wii was, but as far as I remember (and could dig up) the GCN portion, custom ARM stuff and FPGA sources where never released.

I did find a DFU blob for it, so it might be possible to use that to "get my foot in the door".
 
  • Like
Reactions: The Real Jdbye
Joined
Mar 17, 2010
Messages
21,095
Trophies
0
Location
Alola
XP
11,914
Country
Norway
The code that ran on the Wii was, but as far as I remember (and could dig up) the GCN portion, custom ARM stuff and FPGA sources where never released.

I did find a DFU blob for it, so it might be possible to use that to "get my foot in the door".
Since the official forum seems to be gone and I don't remember the URL to check it on Wayback Machine, I can't be 100% sure, but I'm pretty sure there were talks about open source and that people could write their own functionality for it. Maybe they just never went through with that.

IIRC, it runs Linux, so if you can manage to get shell access through a debugging port, root should also be possible (given that it likely uses an ancient Linux kernel I'm assuming there are exploits)
I'm guessing they would have had to have some sort of debugging port to use during testing, especially when testing new firmware updates before release, but there might not be test pads left for it on the board, and it's possible the firmware released to the public has debugging disabled.
If you could somehow have a look at the rootfs it might go a long way in figuring out how to interface with the FPGA. Either through shell access or by decrypting/decompressing the firmware update blob.
 

gudenau

Largely ignored
Member
GBAtemp Patron
Joined
Jul 7, 2010
Messages
3,738
Trophies
0
Location
/dev/random
Website
www.gudenau.net
XP
3,436
Country
United States
Since the official forum seems to be gone and I don't remember the URL to check it on Wayback Machine, I can't be 100% sure, but I'm pretty sure there were talks about open source and that people could write their own functionality for it. Maybe they just never went through with that.

IIRC, it runs Linux, so if you can manage to get shell access through a debugging port, root should also be possible (given that it likely uses an ancient Linux kernel I'm assuming there are exploits)
I'm guessing they would have had to have some sort of debugging port to use during testing, especially when testing new firmware updates before release, but there might not be test pads left for it on the board, and it's possible the firmware released to the public has debugging disabled.
If you could somehow have a look at the rootfs it might go a long way in figuring out how to interface with the FPGA. Either through shell access or by decrypting/decompressing the firmware update blob.
The updates don't immediately look like anything so I'm pretty sure they are encrypted. And according to the DFU documents they snuck the debugging port into a ribbon cable so that's not really practical.

I'm thinking figuring out the DFU blob and disassembling that is the best bet. The NXP software used to flash it has to be able to read it somehow.

Here's the DFU thing, turns out I missed the open WODE thing. Too bad it's not archived.https://web.archive.org/web/*/http://www.wodejukebox.com/download/openwode.rar
 
Joined
Mar 17, 2010
Messages
21,095
Trophies
0
Location
Alola
XP
11,914
Country
Norway
The updates don't immediately look like anything so I'm pretty sure they are encrypted. And according to the DFU documents they snuck the debugging port into a ribbon cable so that's not really practical.

I'm thinking figuring out the DFU blob and disassembling that is the best bet. The NXP software used to flash it has to be able to read it somehow.

Here's the DFU thing, turns out I missed the open WODE thing. Too bad it's not archived.
Might be fiddly but soldering to the pins on the ZIF socket should at least be doable.

Currently running a scan, already found something.
Code:
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
917084        0xDFE5C         ARM instructions, function prologue
3217793       0x311981        ARMEB instructions, function prologue
3585371       0x36B55B        ARMEB instructions, function prologue
6423409       0x620371        ARM instructions, function prologue


Scan Time:     2020-08-18 16:57:06
Target File:   /mnt/d/Temp/wode/wode.dfu
MD5 Checksum:  50919a3e8c2a603c4939a6ec3e499806
The .bin files look like they might be an entirely custom format, and I'm guessing the .dfu just contains the code to flash install.bin and bootstrap it judging by how small it is. Might have to reverse engineer that code to get any further.
 
Last edited by The Real Jdbye,

gudenau

Largely ignored
Member
GBAtemp Patron
Joined
Jul 7, 2010
Messages
3,738
Trophies
0
Location
/dev/random
Website
www.gudenau.net
XP
3,436
Country
United States
Might be fiddly but soldering to the pins on the ZIF socket should at least be doable.

Currently running a scan, already found something.
Code:
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
917084        0xDFE5C         ARM instructions, function prologue
3217793       0x311981        ARMEB instructions, function prologue
3585371       0x36B55B        ARMEB instructions, function prologue
6423409       0x620371        ARM instructions, function prologue


Scan Time:     2020-08-18 16:57:06
Target File:   /mnt/d/Temp/wode/wode.dfu
MD5 Checksum:  50919a3e8c2a603c4939a6ec3e499806
The .bin files look like they might be an entirely custom format, and I'm guessing the .dfu just contains the code to flash install.bin and bootstrap it judging by how small it is. Might have to reverse engineer that code to get any further.

I did look at the file in a hex editor and it looks almost like there's an exception table at the beginning, but I've got no idea. I'm sure I'll be able to find the NXP documentation for the format when I look.
 
Joined
Mar 17, 2010
Messages
21,095
Trophies
0
Location
Alola
XP
11,914
Country
Norway
I did look at the file in a hex editor and it looks almost like there's an exception table at the beginning, but I've got no idea. I'm sure I'll be able to find the NXP documentation for the format when I look.
I got a lot of this
Code:
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2174          0x87E           Raw deflate compression stream
2192          0x890           Raw deflate compression stream
2684          0xA7C           Raw deflate compression stream
2996          0xBB4           Raw deflate compression stream
3001          0xBB9           Raw deflate compression stream
3031          0xBD7           Raw deflate compression stream
3033          0xBD9           Raw deflate compression stream
3093          0xC15           Raw deflate compression stream
And it just keeps going on. It's taking a very long time to scan though. Using binwalk.
All of this is still in wode.dfu. And it's extracting/decompressing the data as it goes.
Takes a very long time to scan through the entire file though. So far it's just looking like garbage data.
 
Last edited by The Real Jdbye,

gudenau

Largely ignored
Member
GBAtemp Patron
Joined
Jul 7, 2010
Messages
3,738
Trophies
0
Location
/dev/random
Website
www.gudenau.net
XP
3,436
Country
United States
I got a lot of this
Code:
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2174          0x87E           Raw deflate compression stream
2192          0x890           Raw deflate compression stream
2684          0xA7C           Raw deflate compression stream
2996          0xBB4           Raw deflate compression stream
3001          0xBB9           Raw deflate compression stream
3031          0xBD7           Raw deflate compression stream
3033          0xBD9           Raw deflate compression stream
3093          0xC15           Raw deflate compression stream
And it just keeps going on. It's taking a very long time to scan though. Using binwalk.
All of this is still in wode.dfu. And it's extracting/decompressing the data as it goes.
Takes a very long time to scan through the entire file though. So far it's just looking like garbage data.
I think I am on to something, and if I am reading this right they key to decrypt the code is just 91EC6C69EACEE0D06972503AF69228BF.

upload_2020-8-18_20-35-5.png
 

Site & Scene News

General chit-chat
Help Users
  • RichardTheKing @ RichardTheKing:
    I played LoZ: Oracle of Ages and Seasons not too long ago; does that count?
    +1
  • kenenthk @ kenenthk:
    I don't see why anyone on gbatemp would like gba games
    +1
  • KimKong @ KimKong:
    Want to test out my GBColor game?
  • Costello @ Costello:
    creating a game boy homebrew at this day and age sounds incredible. Props to you!
    +2
  • CPG @ CPG:
  • RichardTheKing @ RichardTheKing:
    What key is "Select" hooked to?
  • RichardTheKing @ RichardTheKing:
    Or, y'know, B?
  • kenenthk @ kenenthk:
    lol I see no blue mods on the staff page guessing it's getting updated
  • tsao @ tsao:
    did they remove the option for custom profile banner for non-patrons or am i being too stupid to find it?
  • KimKong @ KimKong:
    Oh sorry, I should write up some key explanations
    huh?
  • KimKong @ KimKong:
    Select is "HIFT"
  • KimKong @ KimKong:
    Start is "ENTER"
  • KimKong @ KimKong:
    B is "Z"
    A is "X"
  • KimKong @ KimKong:
    Thanks for the props @Costello
  • kenenthk @ kenenthk:
    I think theirs a section in the forum for gba home few games could share it their
  • kenenthk @ kenenthk:
    Homebrew*
  • kenenthk @ kenenthk:
    Oh looks like you have already
  • KimKong @ KimKong:
    Yup! Now that I think about - I'm n
    ot sure if it's in the right section tho...?
  • kenenthk @ kenenthk:
    Eh they'll just tell you or move it no biggie
    +1
  • banjo2 @ banjo2:
    @CPG SO true
  • Costello @ Costello:
    @kenenthk : there are no longer blue mods. They're all global mods now :)
  • kenenthk @ kenenthk:
    Can't always know where to park
  • kenenthk @ kenenthk:
    @ Costello thinking of adding a new generation I noticed most are green
  • Xzi @ Xzi:
    Well-executed concept in your game, @KimKong . Music's pretty great too!
    Xzi @ Xzi: Well-executed concept in your game, @KimKong . Music's pretty great too!