As somebody who likes to reverse engineer and hack hardware of all descriptions, Aaron Christophel has lots of unusual devices lying around his workshop. Recently he has been digging into the operation of a cheap-yet-very-cool video walkie-talkie toy. This walkie-talkie naturally has a display, so it is easy to see where this is headed. That's right: Christophel got it to run Doom.
The walkie-talkie may be a toy, but under the plastic shell Christophel found some fairly capable hardware built around a mysterious multimedia chip called the TXW818. According to his reverse engineering work, the processor is roughly comparable to an ESP32 in capability, but uses a different 32-bit architecture more commonly found in ultra-cheap Chinese IoT products.
A look at the internal hardware (📷: Aaron Christophel)
Two hardware versions of the walkie-talkie were examined. The cheaper model came equipped with 2 MB of external SPI flash storage and a 650 mAh battery, while the upgraded variant doubled the flash memory to 4 MB and increased battery capacity to 800 mAh. Both versions also include a small LCD display, a camera, microphone, speaker, and custom wireless hardware for peer-to-peer communication over 2.4 GHz frequencies.
On the more advanced model, the manufacturer had physically laser-etched away identifying marks from the chips to make reverse engineering harder. The firmware also employed hardware-level scrambling on the SPI flash bus, causing extracted data dumps to appear as meaningless garbage unless decoded by the SoC in real time.
Christophel bypassed these protections with a combination of hardware probing, firmware analysis, and fault injection techniques. After locating hidden debug pads behind the LCD connector, he connected a custom programmer based on a cheap STM32 "Blue Pill" development board. The biggest problem at this point was the stock bootloader, which immediately disabled the debugging interface during startup.
To defeat that protection, Christophel deliberately corrupted the boot process by shorting the SPI flash lines with tweezers while powering on the device. The glitch prevented the firmware from executing correctly, leaving the processor stalled in a stable state with the debug interface still active. From there, he was able to flash his own custom firmware directly onto the device.
Running Doom on this constrained platform still took some work, however. The entire game and engine required roughly 1.4 MB of storage space, which barely fit on the cheaper hardware variant. Christophel solved the issue by compressing the game assets into a 500 KB bundle stored in flash memory, then decompressing everything into the chip's 4 MB of onboard PSRAM during boot.
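The compress-into-flash, inflate-into-PSRAM-at-boot scheme described above is a good place to see how a bundle loader should guard its buffers: the size recorded in flash is untrusted input, and a corrupted dump or a tampered header must not be allowed to write past the RAM arena. The following C program is an added illustration, not Christophel's code and not the real port's format; it uses a made-up bundle layout (a "DBND" header plus PackBits-style run-length coding, far simpler than a real asset packer) over a constructed sample asset, and the ASSET_LEN and ARENA_LEN sizes are stand-ins chosen for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical bundle layout (not the real port's format): 4-byte magic,
 * 4-byte little-endian uncompressed size, then PackBits-style runs:
 *   control 0..127   -> copy the next control+1 literal bytes
 *   control 129..255 -> repeat the next byte (257-control) times
 *   control 128      -> no-op */
#define BUNDLE_MAGIC "DBND"
#define BUNDLE_HDR   8
#define ASSET_LEN    1024   /* constructed sample asset size */
#define ARENA_LEN    2048   /* stand-in for the PSRAM region reserved for assets */

/* Build-time packer: returns bytes written to dst, or 0 if dst is too small. */
size_t bundle_pack(const uint8_t *src, size_t n, uint8_t *dst, size_t cap) {
    if (cap < BUNDLE_HDR) return 0;
    memcpy(dst, BUNDLE_MAGIC, 4);
    for (int k = 0; k < 4; k++) dst[4 + k] = (uint8_t)(n >> (8 * k));
    size_t out = BUNDLE_HDR, i = 0;
    while (i < n) {
        size_t run = 1;
        while (i + run < n && run < 128 && src[i + run] == src[i]) run++;
        if (run >= 2) {                       /* repeat run */
            if (out + 2 > cap) return 0;
            dst[out++] = (uint8_t)(257 - run);
            dst[out++] = src[i];
            i += run;
        } else {                              /* literal run up to the next repeat */
            size_t lit = 1;
            while (i + lit < n && lit < 128 &&
                   !(i + lit + 1 < n && src[i + lit] == src[i + lit + 1])) lit++;
            if (out + 1 + lit > cap) return 0;
            dst[out++] = (uint8_t)(lit - 1);
            memcpy(dst + out, src + i, lit);
            out += lit; i += lit;
        }
    }
    return out;
}

/* Boot-time loader: inflate a bundle from flash into a fixed RAM arena.
 * The header size is treated as untrusted; every read and write is checked
 * against the real buffer lengths, so a corrupt or tampered bundle is
 * rejected instead of overrunning PSRAM. Returns bytes produced, or -1. */
long bundle_load(const uint8_t *flash, size_t flash_len, uint8_t *ram, size_t ram_len) {
    if (flash_len < BUNDLE_HDR || memcmp(flash, BUNDLE_MAGIC, 4) != 0) return -1;
    uint32_t want = 0;
    for (int k = 0; k < 4; k++) want |= (uint32_t)flash[4 + k] << (8 * k);
    if (want > ram_len) return -1;            /* header claims more than the arena holds */
    size_t in = BUNDLE_HDR, out = 0;
    while (in < flash_len) {
        uint8_t c = flash[in++];
        if (c == 128) continue;
        if (c < 128) {
            size_t lit = (size_t)c + 1;
            if (in + lit > flash_len || out + lit > want) return -1;
            memcpy(ram + out, flash + in, lit);
            in += lit; out += lit;
        } else {
            size_t rep = 257 - (size_t)c;
            if (in >= flash_len || out + rep > want) return -1;
            memset(ram + out, flash[in++], rep);
            out += rep;
        }
    }
    return out == want ? (long)out : -1;      /* stream must fill exactly the declared size */
}

/* Constructed sample asset: long runs of one value (texture-like) plus a noisy stretch. */
static void make_asset(uint8_t *a, size_t n) {
    for (size_t i = 0; i < n; i++) a[i] = (uint8_t)(i / 64);
    for (size_t i = 100; i < 140; i++) a[i] = (uint8_t)(i * 7);
}

/* Round trip: packing must shrink the asset and loading must reproduce it exactly. */
int bundle_roundtrip_ok(void) {
    uint8_t asset[ASSET_LEN], flash[ASSET_LEN + BUNDLE_HDR], ram[ARENA_LEN];
    make_asset(asset, ASSET_LEN);
    size_t packed = bundle_pack(asset, ASSET_LEN, flash, sizeof flash);
    if (packed == 0 || packed >= ASSET_LEN) return 0;
    long got = bundle_load(flash, packed, ram, ARENA_LEN);
    return got == ASSET_LEN && memcmp(ram, asset, ASSET_LEN) == 0;
}

/* A header rewritten to claim far more output than the arena holds must be refused. */
int bundle_rejects_oversized_header(void) {
    uint8_t asset[ASSET_LEN], flash[ASSET_LEN + BUNDLE_HDR], ram[ARENA_LEN];
    make_asset(asset, ASSET_LEN);
    size_t packed = bundle_pack(asset, ASSET_LEN, flash, sizeof flash);
    flash[6] = 0x01;                          /* size field becomes 0x010400 = 66560 bytes */
    return packed != 0 && bundle_load(flash, packed, ram, ARENA_LEN) == -1;
}

/* A stream cut short (e.g. an incomplete flash dump) must also be refused. */
int bundle_rejects_truncated(void) {
    uint8_t asset[ASSET_LEN], flash[ASSET_LEN + BUNDLE_HDR], ram[ARENA_LEN];
    make_asset(asset, ASSET_LEN);
    size_t packed = bundle_pack(asset, ASSET_LEN, flash, sizeof flash);
    return packed > 1 && bundle_load(flash, packed - 1, ram, ARENA_LEN) == -1;
}

int main(void) {
    printf("round trip: %s\n", bundle_roundtrip_ok() ? "ok" : "FAIL");
    printf("oversized header rejected: %s\n", bundle_rejects_oversized_header() ? "ok" : "FAIL");
    printf("truncated stream rejected: %s\n", bundle_rejects_truncated() ? "ok" : "FAIL");
    return 0;
}
```

The point of the loader is that the three failure paths (wrong magic, a declared size larger than the arena, a stream that ends early or overruns its own declared size) all return -1 before any byte lands outside `ram`; on a device whose flash contents a hobbyist can rewrite at will, the boot-time inflater is exactly the code that must not trust what it reads.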
If you're going to hack something, you may as well go all out. Christophel certainly did by hacking the firmware to replace Doomguy's classic status-bar face with a live feed from the device's built-in camera. That means players can watch their own facial expressions while fighting demons on their toy walkie-talkie.