Mon Jul 14 19:02:18 EDT 2014

WonderHax, part 2

Figured I might as well start dumping some information since it's pointless for me to just sorta hoard it for no reason. Probably useful for whenever I decide I'm tired of WS and don't even care to write anything more up.

Firstly, let me explain how the WonderWitch firmware files work. If you hold the B button while booting the WonderWitch, instead of proceeding to the launcher, you are dropped into what's known as Freya Monitor. This is a minimal bootstrapping program that is usable for recovery in case the main firmware is corrupted, and it is located in a section of the Flash ROM that the various flashing functions in the WonderWitch BIOS don't support writing to. This lockout is simple and intentional: if you set the destination page to the page where this program is located, the function simply aborts. If you additionally hold A, all on-screen text is forwarded through the serial port, and you can use your keyboard to control the Freya Monitor cursor.

From Freya Monitor you can download the firmware (System) currently on the cart, upload a System image, and download/upload a program (Soft). Soft actually runs in essentially the same context as Freya Monitor, and it runs instead of the main launcher. The only way to restore access to the actual launcher after uploading Soft is to upload System again, since the Soft upload procedure overwrites the main firmware and sets a few bytes differently to select which of the two runs.

Note, however, that neither the System nor the Soft image is stored in plaintext. They are encrypted, but the encryption is very, very simple and is nearly symmetrical -- switching from encryption to decryption and vice versa only requires swapping two operations. Here's a quick program written in C that can encrypt and decrypt these files (just compile the source file, no libraries necessary): http://daifukkat.su/blog/files/ww_codec.c, and here's pseudo-code for encrypting a binary (if you want to implement it yourself):

index = 0
last_byte = 0xFF
foreach byte in buffer {
	if index == 0, last_byte = 0xFF // reset the chain to 0xFF at the start of every 128-byte XMODEM sector

	byte ^= last_byte // \_Swap these two operations to decrypt instead
	buf = byte        // /  (buf holds the ciphertext byte in both directions)
	last_byte = buf   // the next byte is XORed with the previous ciphertext byte

	write(byte)

	index = (index + 1) & 0x7F
}
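To show the codec actually working on both directions and across a sector boundary, here is my own C implementation of the scheme described above. It is an added example, not the author's ww_codec.c, and the function names (ww_encrypt, ww_decrypt, ww_kat_ok, ww_selftest) and the command-line form of the front end are my choices; the 300-byte test buffer is constructed, not a real WonderWitch image.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WW_SECTOR 128   /* XMODEM sector size: the XOR chain restarts here */

/* Encrypt in place. Each output byte is the input byte XORed with the previous
 * output byte; the chain value is reset to 0xFF at the start of every sector. */
static void ww_encrypt(uint8_t *buf, size_t len)
{
    uint8_t last = 0xFF;
    for (size_t i = 0; i < len; i++) {
        if ((i & (WW_SECTOR - 1)) == 0)
            last = 0xFF;
        buf[i] ^= last;          /* XOR with the previous ciphertext byte */
        last = buf[i];           /* chain on the byte just produced */
    }
}

/* Decrypt in place. Same chain, but the value carried forward is the *input*
 * (ciphertext) byte, so it must be saved before the XOR overwrites it. */
static void ww_decrypt(uint8_t *buf, size_t len)
{
    uint8_t last = 0xFF;
    for (size_t i = 0; i < len; i++) {
        if ((i & (WW_SECTOR - 1)) == 0)
            last = 0xFF;
        uint8_t c = buf[i];      /* keep the ciphertext byte for the chain */
        buf[i] ^= last;
        last = c;
    }
}

/* Known-answer check worked by hand from the rule above: {0x12,0x34} -> {0xED,0xD9}. */
static int ww_kat_ok(void)
{
    uint8_t b[2] = {0x12, 0x34};
    ww_encrypt(b, 2);
    if (b[0] != 0xED || b[1] != 0xD9)
        return 0;
    ww_decrypt(b, 2);
    return b[0] == 0x12 && b[1] == 0x34;
}

/* Self-check on a constructed 300-byte buffer (not a real WonderWitch image):
 * crosses two sector boundaries and verifies the round trip. Returns 1 on success. */
static int ww_selftest(void)
{
    uint8_t plain[300], work[300];
    for (size_t i = 0; i < sizeof plain; i++)
        plain[i] = (uint8_t)(i * 7 + 3);
    memcpy(work, plain, sizeof plain);

    ww_encrypt(work, sizeof work);
    /* the first byte of every sector is XORed with the fixed 0xFF start value */
    for (size_t s = 0; s < sizeof work; s += WW_SECTOR)
        if (work[s] != (uint8_t)(plain[s] ^ 0xFF))
            return 0;
    /* within a sector, cipher[i] ^ cipher[i-1] gives plain[i] back with no key at all */
    for (size_t i = 1; i < sizeof work; i++)
        if ((i & (WW_SECTOR - 1)) != 0 && (uint8_t)(work[i] ^ work[i - 1]) != plain[i])
            return 0;

    ww_decrypt(work, sizeof work);
    return memcmp(work, plain, sizeof plain) == 0;
}

/* Minimal file front end (my own layout): ww_codec e|d <infile> <outfile> */
int main(int argc, char **argv)
{
    if (argc != 4 || (argv[1][0] != 'e' && argv[1][0] != 'd')) {
        fprintf(stderr, "usage: %s e|d <infile> <outfile>\n", argv[0]);
        return 1;
    }
    FILE *in = fopen(argv[2], "rb");
    if (!in) { perror(argv[2]); return 1; }
    fseek(in, 0, SEEK_END);
    long n = ftell(in);
    rewind(in);
    if (n < 0) { perror("ftell"); return 1; }
    uint8_t *data = malloc(n > 0 ? (size_t)n : 1);
    if (!data || (n > 0 && fread(data, 1, (size_t)n, in) != (size_t)n)) { perror("read"); return 1; }
    fclose(in);
    if (argv[1][0] == 'e') ww_encrypt(data, (size_t)n); else ww_decrypt(data, (size_t)n);
    FILE *out = fopen(argv[3], "wb");
    if (!out || fwrite(data, 1, (size_t)n, out) != (size_t)n) { perror(argv[3]); return 1; }
    fclose(out);
    free(data);
    return 0;
}
```

The self-test makes the practical consequence explicit: the start value is a constant and there is no key, so within a sector the XOR of two adjacent ciphertext bytes is the plaintext byte. This is obfuscation of the image format, not confidentiality; anyone holding a System or Soft dump can decode it, and the only real protection of the Freya Monitor region is the page lockout in the BIOS flashing functions described above.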

Hopefully someone finds this information useful. Right now I'm taking a bit of a break from WonderSwan, but soon I intend to bust open the protection on WonderSwan Color (and some interesting WonderSwan original) carts. I've also been working on a definitive WonderSwan hardware documentation, which I will probably start publicly uploading soon, since it's almost in a presentable state (though nowhere near finished).

See you space cowboy...


Posted by trap15 | File under: reverse_engineering, wonderswan