Super Nt Console review

[Tanooki]

An interesting prospect, but I don't know if they'd be really motivated to stop that. They don't care about other flash kit makers, but they would care if someone jailbroke it and it allowed them to sell 30% more units for those running roms as that's just more money in the bank. They get away free and clear as it's a jailbreak that someone else did not under their employ.

[Keatah]

Gotta say, I'm really impressed! Emulation is so good, it even knows when to artificially simulate the SNES's infamous slowdown!

Joking aside, the video output looks amazing. This is the first I'm hearing of the console. Everything looks top notch, right down to the packaging.

It's what happens when the game is played and synthesized entirely in the digital domain. No expensive & tedious middlemen converters, no analog losses or interference. And it's as accurate as Higan - the reference software emulator.

[Keatah]

About as bad as buying the SuperNT in price, but wouldn't an OSSC get you the similar output and some of the other little perks too?

Nope.

[Keatah]

My Analogue Super NT finally came after spending days in Osaka. Nice unboxing video for anyone interested.

https://www.youtube.com/watch?v=gF74hibBRfs&feature=youtu.be

Yes. Finally a real unboxing video that hasn't been staged or "pre-unboxed" prior to filming! Thanks for capturing the essence of the experience. I could almost smell the plastics.

[Kismet]

 

Although I do wonder... Maybe the Super NT's SD reader was setup to prevent the piracy for this very case?

 

 

Nah.

 

My speculative theory is that whoever did the JB disassembled the firmware, found the "Load from SD Card" menu and unlocked it, but the feature isn't complete, or parts of it are missing.

 

For games that are actually on the Super NT, that's basically "load from flash storage" so obviously the ability to play without a cart has to exist for that reason, but those menu items are simply fixed locations, and thus their save games are stored in a fixed location. Because there's obviously support for SD2SNES/ED style layouts, this means there's multiple locations where that save game can go, and if you recall the issue with the MSU-1 on the SD2SNES, is that you can't save to the SD card while the MSU-1 is enabled because it requires an exclusive lock to the SD-card.

 

So the same can be true here, is that when the game is loaded from the SD card, it might be exclusively locked, and the save game is only written when unlocked (eg changing games), and perhaps that unlock mechanism is not working as expected.

 

 

Like having that feature in the firmware was not required, so kevtris probably just no-oped it from the menu, the same way other debug menus are found in other products. He could just as easily removed it entirely if he compiled it from C, but if he did it in assembly, addresses move if you add/remove chunks of code, so it's often just faster/easier to change a JMP to a NOOP than it is to refactor the code to get rid of a feature.

[Andromeda Stardust]

Nah.

 

My speculative theory is that whoever did the JB disassembled the firmware, found the "Load from SD Card" menu and unlocked it, but the feature isn't complete, or parts of it are missing.

Interesting theory. I guess no less plausible than mine where an unnamed individual behind the current project just recompiled from source firmware and released it in secret.

 

One issue with your theory is one might have to recompile the firmware in order to make edits to it. This would require access to the source. Otherwise you simply flip a couple bits and the checksum fails. So I feel simply hacking it in the manner one would open a hex editor to make changes to a game ROM, without access to source code, may not work. After all, the firmware is basically like a program (hardware program not s software program) that runs on the fpga device.

 

So arguably, whomever cracked the firmware has the source code. Who has access, besides Kevtris or other Analogue employee?

[Andromeda Stardust]

I mean... It works with flash carts, but with the jailbreak firmware, it can essentially be its own flashcart. It kinda ruins the business for actual flashcarts as you could buy this for the cost of the SD2SNES and already have it built in. (I realize the current jailbreak is closer in terms of capability to the Super EverDrive though.)

 

An interesting prospect, but I don't know if they'd be really motivated to stop that. They don't care about other flash kit makers, but they would care if someone jailbroke it and it allowed them to sell 30% more units for those running roms as that's just more money in the bank. They get away free and clear as it's a jailbreak that someone else did not under their employ.

I don't think Analogue / Kevtris directly compete with Krikzz /Everdrive / SD2SNES. RetroUSB however manufactured both the AVS and the Powerpak. The AVS cannot load ROMs (nevermind the fpga isn't big enough to support ROM loading or cores) but runs RetroUSB Powerpak. So Brian Parker of RetroUSB had a financial incentive not to allow ROM loading. Kevtris / Analogue does not. Food for though.

[Andromeda Stardust]

Anybody try running Retrobit's custom GBA "core?" No jailbreak firmware required!

[Kismet]

So arguably, whomever cracked the firmware has the source code. Who has access, besides Kevtris or other Analogue employee?

 

You don't need the source code to RE anything. Just look at JB firmware for pretty much anything. There is a JTAG header on the PCB.

 

Edited February 22, 2018 by Kismet

[Flojomojo]

Anybody try running Retrobit's custom GBA "core?" No jailbreak firmware required!

 

Explain how!

Though I'd find you more credible if you could post your video right side up ....

[phoenixdownita]

 

Nah.

 

My speculative theory is that whoever did the JB disassembled the firmware, found the "Load from SD Card" menu and unlocked it, but the feature isn't complete, or parts of it are missing.

....

Not really.

I took a look at the binary and I didn't find much in common (euphemism) so this is not just a bit flip here and there.

 

Also I couldn't find any "string" and I would think that the menu options are ASCII text somewhere (it would not make sense to invent another encoding just for that, I took a look at Krikzz BIOS for N64,MD,PCE and they all have some ASCII in them). I suspect that the files are somewhat encrypted/obfuscated.

 

I don't have a SuperNt but if I did I'd try to change a couple of bytes here and there on the various firmwares and see if the unit refuses to flash, that would mean there's some checks and only the original author would have the tools to make a file that passes them (unless they are god trivial but....).

To be fair even the Nt Mini firmware contains no cleartext ASCII but then again I still think kevtris wouldn't want just anyone to hack into his creation so my money is on it being encrypted/mangled somewhat, as that would give the chinese cloners a head scratcher as even if they can repro the PCB and all components they would still miss something (decapping may reveal that part too if they are so motivated)

[Andromeda Stardust]

Explain how!

Though I'd find you more credible if you could post your video right side up ....

It's a GBA system-on-a-chip clone with it's own analog video output (trrs composite a/v cable). It only uses the SNES cart slot for power supply and controller input. Some snes clone systems, it can bypass the gpu to output analog video directly to the av output.

 

In the case of the Super NT, the hdmi frame blacks out as soon as it runs the cart, and the super Retro Advance sends the game video output immediately over composite. Audio in my recording is sourced from my stereo, split off from the hdmi port, and the audio portion of the av cable is disconnected. If I sourced audio from the analog av cable instead, you would not hear the boot sequence.

 

I turned my Nikon Coolpix sideways because how my displays are stacked. Unlike smart phones there's no gyro sensors in the camera so it couldn't auto-rotate the video.

[Kismet]

Not really.

I took a look at the binary and I didn't find much in common (euphemism) so this is not just a bit flip here and there.

 

Also I couldn't find any "string" and I would think that the menu options are ASCII text somewhere (it would not make sense to invent another encoding just for that, I took a look at Krikzz BIOS for N64,MD,PCE and they all have some ASCII in them). I suspect that the files are somewhat encrypted/obfuscated.

 

I don't have a SuperNt but if I did I'd try to change a couple of bytes here and there on the various firmwares and see if the unit refuses to flash, that would mean there's some checks and only the original author would have the tools to make a file that passes them (unless they are god trivial but....).

To be fair even the Nt Mini firmware contains no cleartext ASCII but then again I still think kevtris wouldn't want just anyone to hack into his creation so my money is on it being encrypted/mangled somewhat, as that would give the chinese cloners a head scratcher as even if they can repro the PCB and all components they would still miss something (decapping may reveal that part too if they are so motivated)

 

Please. Virtually every jailbreak ever that didn't involve finding an explotable game has involved accessing the JTAG on the board, dumping the firmware from the ram, and disassembling it from there. More to the point, one could probably dump the FPGA firmware directly from the cartridge slot if they were so inclined to do so.

 

If the firmware is encrypted or obfuscated, it doesn't take long for someone to dump the keys to it among people who routinely do this thing. We're talking about a device meant to play retro games here using off-the-shelf parts, not an iPhone with custom produced chips.

 

I'm not going to even suggest that kevtris passed it to smokemonster. It would be the easiest and obvious way to obtain it that way, but it would also be jeopardizing the project and any future project from Analogue. So as far as we are concerned smokemonster got it the same way he got everything else for the smokemonster packs. Someone handed it to him.

 

If you've noticed so far, there hasn't been any "fixed" JB firmware either, which just adds more credence to the fact that whoever RE'd the firmware can't actually fix things in the FPGA code and has to wait for the fixes to show up in the official firmware.

[phoenixdownita]

 

Please. Virtually every jailbreak ever that didn't involve finding an explotable game has involved accessing the JTAG on the board, dumping the firmware from the ram, and disassembling it from there. More to the point, one could probably dump the FPGA firmware directly from the cartridge slot if they were so inclined to do so.

 

If the firmware is encrypted or obfuscated, it doesn't take long for someone to dump the keys to it among people who routinely do this thing. We're talking about a device meant to play retro games here using off-the-shelf parts, not an iPhone with custom produced chips.

 

I'm not going to even suggest that kevtris passed it to smokemonster. It would be the easiest and obvious way to obtain it that way, but it would also be jeopardizing the project and any future project from Analogue. So as far as we are concerned smokemonster got it the same way he got everything else for the smokemonster packs. Someone handed it to him.

 

If you've noticed so far, there hasn't been any "fixed" JB firmware either, which just adds more credence to the fact that whoever RE'd the firmware can't actually fix things in the FPGA code and has to wait for the fixes to show up in the official firmware.

Assuming we are talking PKI encryption, even if you can descrypt you can't re-encrypt as you need both keys to complete the cycle and the second is never on the device (it can leak ... sure) ... maybe it is not encrypted at all when it is memory and kevtris used a symmetric key that as you say is "trivial" to recover for off-the-self component (that must be why the microcode update on Intel and AMD chips has not been yet cracked and afterall they have been doing it only for 20Y ... well the AMD "old" microcode itself was RE via decapping as reported in https://www.syssec.rub.de/media/emma/veroeffentlichungen/2017/08/16/usenix17-microcode.pdf but you probably already know all that )

 

Finally this "prince charming" what purpose does it have releasing JB FW for the SNt ... philanthropy? OK.

If it is that easy RE the whole cabbodle I expect SNt clones appearing anytime soon afterall ~20K unit sold/presold at 200US$ each is around a 4M$ business.

[Kismet]

Finally this "prince charming" what purpose does it have releasing JB FW for the SNt ... philanthropy? OK.

If it is that easy RE the whole cabbodle I expect SNt clones appearing anytime soon afterall ~20K unit sold/presold at 200US$ each is around a 4M$ business.

 

It's probably not "easy" to RE, it's just unlikely, given the timing, the brokenness, and the source. If I were kevtris, and I was under contract to provide firmware updates to Analogue, and not to make it possible to run games from the SD card, then I would take the bare minimum required to do that, while not making it painfully difficult to troubleshoot problems. You're not going to keep making parallel versions of firmware, no you simply change your build pipeline so things like extra cores aren't included, but that doesn't mean the firmware didn't have "run from sd card" in it already, just hidden. Which is easier to do? Maintain two versions of code, one with all this other stuff in it, or maintain one version of the code, and just have the optimizer or pre-processor "no-op" the functions out.

 

I don't actually know if someone could pull the compiled FPGA core out of the firmware and produce their own clone with it, that would require producing a clone of the hardware that is exactly the same as the Super Nt, and thus would cost about the same. Even if someone produced their own firmware and removed the cartridge slot to save a few pennies.

 

To that end, we're just going to keep speculating who, and why. Sure, it's entirely possible it could be kevtris, who slipped the source code on a usb drive under smokemonster's door anonoymously, and all he had to do was hit compile. But that's pretty stupid. It's more likely that the firmware was downloaded via the JTAG, and the decryption key/algorithm was pulled directly off the device. It's been done. http://www.zdnet.com/article/cryogenically-frozen-ram-bypasses-all-disk-encryption-methods/

 

It's also possible that someone just desoldered the RAM and the flash from the board and dumped it that way. We don't know, and that's an awful lot of effort. But someone who got an early release of the Super NT certainly could have done that. kevtris mentioned before that the Super NT won't allow the Mini NT's firmware to be flashed onto it, so there's clearly it does some kind of check, but it could also just allow arbitrary firmware blobs where it identifies itself as SuperNT firmware. In other hardware, they usually prevent you from downgrading. The Super NT doesn't. So the bootloader isn't dumb.

[phoenixdownita]

 

It's probably not "easy" to RE, it's just unlikely, given the timing, the brokenness, and the source. If I were kevtris, and I was under contract to provide firmware updates to Analogue, and not to make it possible to run games from the SD card, then I would take the bare minimum required to do that, while not making it painfully difficult to troubleshoot problems. You're not going to keep making parallel versions of firmware, no you simply change your build pipeline so things like extra cores aren't included, but that doesn't mean the firmware didn't have "run from sd card" in it already, just hidden. Which is easier to do? Maintain two versions of code, one with all this other stuff in it, or maintain one version of the code, and just have the optimizer or pre-processor "no-op" the functions out.

 

I don't actually know if someone could pull the compiled FPGA core out of the firmware and produce their own clone with it, that would require producing a clone of the hardware that is exactly the same as the Super Nt, and thus would cost about the same. Even if someone produced their own firmware and removed the cartridge slot to save a few pennies.

 

To that end, we're just going to keep speculating who, and why. Sure, it's entirely possible it could be kevtris, who slipped the source code on a usb drive under smokemonster's door anonoymously, and all he had to do was hit compile. But that's pretty stupid. It's more likely that the firmware was downloaded via the JTAG, and the decryption key/algorithm was pulled directly off the device. It's been done. http://www.zdnet.com/article/cryogenically-frozen-ram-bypasses-all-disk-encryption-methods/

 

It's also possible that someone just desoldered the RAM and the flash from the board and dumped it that way. We don't know, and that's an awful lot of effort. But someone who got an early release of the Super NT certainly could have done that. kevtris mentioned before that the Super NT won't allow the Mini NT's firmware to be flashed onto it, so there's clearly it does some kind of check, but it could also just allow arbitrary firmware blobs where it identifies itself as SuperNT firmware. In other hardware, they usually prevent you from downgrading. The Super NT doesn't. So the bootloader isn't dumb.

NOT running stuff from the SD card was never on the stars, it was always planned to allow to do it or how else would you justify the amount of memory (RAM) present in the SuperNt (and NtMini)?

There is really no need for all of that if you only want to run original carts.

 

Wrt the firmware no-one would RE and add checks about special chips and add a nice message telling you "not supported" .... that would entail adding a SHA/Header database unless it is already there

 

Wrt encrypt/decrypt extraction from physical hardware that is only true with symmetric encryption, with asymmetric the encryption key is kept secret at Analogue HQ while only the decryption key is on the device, as that is all that is needed to verify, validate and decrypt the firmware, so without the other half you could decrypt but not re-encrypt.

 

Granted we don't even know if encryption is used.

 

BTW there are multiple FW pieces here at play, there's the bitstream for the FPGA and whatever else for the PIC32 (the file is an odd size 8.34MB or whereabouts, the Nt Mini was 4.32 or something) maybe only the PIC32 had to be "patched" but then I would have been able to randomly find chunks of hex from one FW in the other (didn't do full search obviously just tried 15/20 6 bytes long hex sequence from random places in the files with 0 matches).

 

I personally cannot believe this was not there all along, who "leaked" it specifically is not important as my take is it was done with all the blessings needed.

[leods]

Is it this thread I use to shamelessly plug my Super NT review?

 

 

I also have a video on the video options with footage and a couple explanations:

 

 

The only thing worth mentioning for the people who don't want to go watch the videos is: The 1:1 option for screen size isn't pixel perfect, it scales the screen to a perfect square. Like 1200x1200 if you have 5x height selected for vertical.

[Andromeda Stardust]

I'm not going to even suggest that kevtris passed it to smokemonster. It would be the easiest and obvious way to obtain it that way, but it would also be jeopardizing the project and any future project from Analogue. So as far as we are concerned smokemonster got it the same way he got everything else for the smokemonster packs.

 

Someone handed it to him.

Someone handed it to him.

Someone handed it to him.

Someone handed it to him.

Someone handed it to him.

Someone handed it to him.

Someone handed it to him.

 

Yes.

 

"Someone handed it to him."

 

As you so eloquently put it. The original firmware author handed it to him. This person chose to remain anonymous due to NDA agreements, and cannot comment on "unofficial builds" due to this fact.

 

To that end, we're just going to keep speculating who, and why. Sure, it's entirely possible it could be kevtris, who slipped the source code on a usb drive under smokemonster's door anonoymously, and all he had to do was hit compile. But that's pretty stupid.

It's not stupid. It's genius. When Kevtris gets all the remaining bugs out and we start seeing new "cores" being added, and passed over to Smokemonster for distribution, please continue this charade that they were "hacked in" by an anonymous 3rd party.

 

And there's more than enough muscle inside the Super NT console to do it.

[Kismet]

Yes.

 

"Someone handed it to him."

 

As you so eloquently put it. The original firmware author handed it to him. This person chose to remain anonymous due to NDA agreements, and cannot comment on "unofficial builds" due to this fact.

 

It's not stupid. It's genius. When Kevtris gets all the remaining bugs out and we start seeing new "cores" being added, and passed over to Smokemonster for distribution, please continue this charade that they were "hacked in" by an anonymous 3rd party.

 

And there's more than enough muscle inside the Super NT console to do it.

 

You're not getting it.

 

If it was kevtris, that would likely put him in some breech of contract. NDA means NDA, and since the amount of people who know the design of the Super NT is exactly one, that would be a problem.

 

You're not going to see additional cores "hacked into" it, because they don't exist in the firmware. All the evidence needed to suggest someone else dumped the firmware is there. There is a JTAG port, there is a USB port, even the cartridge port. However given the time frame, it had to be someone with a review unit.

 

If kevtris actually was the one who handed it to smokemonster, I'm pretty darn sure he wouldn't hand a broken firmware to him. Broken features is the trademark of someone who hasn't actually tested it. Seeing as no "fixed' firmware came out, that also tells us that whoever released it, does not have the skill to fix it.

[Flojomojo]

That's circumstantial evidence, and a guess. You're smarter than that. :-)

 

I'll bet there will be an update to the Valentine's Day jailbreak before there's an update to the official firmware. This is a guess, too.

 

I hope we see other cores added, though I can wait for it. How long was the time gap before the "core store" came out for the last FPGA console?

[Andromeda Stardust]

That's circumstantial evidence, and a guess. You're smarter than that. :-)

 

I'll bet there will be an update to the Valentine's Day jailbreak before there's an update to the official firmware. This is a guess, too.

 

I hope we see other cores added, though I can wait for it. How long was the time gap before the "core store" came out for the last FPGA console?

Well version 4.3 is live on the website now. No updated JB firmware but that doesn't prove anything.

 

Current (initial Valentine's Day) JB release:

https://github.com/SmokeMonsterPacks/Super-NT-Jailbreak

 

Current official firmware release (4.3)

https://support.analogue.co/hc/en-us/articles/360000557452-Super-Nt-Firmware-Update-v4-3

 

I'm gonna upgrade to 4.3 and ditch the JB firmware in lieu of my Super Everdrive. Maybe when we start getting new cores in the JB firmware, things will get interesting.

[Flojomojo]

Yup. I've gone back to stock firmware and cartridges until the saving thing is resolved.

[cacophony]

If kevtris actually was the one who handed it to smokemonster, I'm pretty darn sure he wouldn't hand a broken firmware to him. Broken features is the trademark of someone who hasn't actually tested it.

Well it could have been rushed because of lots of competing priorities. Other than the two glaring bugs (save bug and settings persistence bug) it's actually quite polished.

 

Seeing as no "fixed' firmware came out, that also tells us that whoever released it, does not have the skill to fix it.

Or it's that whoever wrote it was waiting until the release of 4.3 so that the next jailbreak would get the benefit of the other official fixes as well. Plus it has given more time to fix some of the 22 different issues that currently exist on github.

Edited February 26, 2018 by cacophony

[Tanooki]

And here we still sit with the damn thing grayed out on the SNES and SFC style color choices It's nice to see good time put into improving it as this is not quite even two weeks out from that hacked firmware a nice new fix for the legit appears.

[cybercylon]

And here we still sit with the damn thing grayed out on the SNES and SFC style color choices It's nice to see good time put into improving it as this is not quite even two weeks out from that hacked firmware a nice new fix for the legit appears.

 

They are not grayed out now. Looks like the others are back in stock. Of course, this is after I placed an order for a black one. Only had a modest preference for the SNES style. I don't care for the transparent stuff.