So someone wanted to know about how the interactive Super Mario Lego figure worked, so... they gave me the money to buy one!
He's got brick and color recognition, music and sound, and many fun reactions.
You just put some batteries in and put a few pieces together.
I know it requires a smart app but I definitely don't like this idea of putting the instructions in the app, not the manual.
Lego has been around a long while and hopefully will be around for a long while more, but what if they go away?
And here's the mario! With batteries, but not put together otherwise.
He's got eyes that blink, a mouth, and a red belly.
Blinky
He has a very bright ass.
So let's put him together.
His pants have a hole in the bottom so his ass-light can shine out.
So he can show things based on which colors you put him on. Like if you put him on this green block, you see some donut-plains style graphics.
On a blue block, you get underwater
And on a red block he burns up
Then there's some special labeled blocks that trigger other reactions.
Like a coin.
Presumably this will do more if you sync him up to your smartphone/tablet.
But why play with it when you could TAKE IT APART?
Skinless Mario wants to hug you
Most of the front is one piece, which just comes off together.
Annoyingly this is mostly glued together so this teardown is not terribly reversible
And here's the big trick for how it works: Instead of 3 small LCDs/OLEDs, they just use one big one!
It looks slightly weird when you power it on in this state
Here's that LCD.
I don't know why this is but every time I have a fucking LCD like this, there's a lot of numbers on it which give you NOTHING when googled.
LM1819A01-1D
WCA220052641G30165
GPM1819A0
2050AKH-K
Here's the main PCB.
We've got a big CPU in the middle, a tiny chip next to it, an eeprom/flash looking chip above, and a big speaker on the right.
(The metal bits on the left are buttons)
So the big question: What chip is that?
Well, it's a CC2642R. That's a TI SimpleLink, a 32-bit ARM chip with built-in Bluetooth.
It runs at 48 MHz, it's got 352 kilobytes of programmable flash memory, plus 88 kilobytes of on-chip RAM.
This chip over here is a Winbond 25Q64JVS1Q.
It's an 8 megabyte SPI Flash chip. So this probably contains all the pictures and sound effects.
I'm not sure what this is.
It's an SE 015? I may need to get out my microscope to read that 2D barcode.
This is a J13, and... it's got Conway's Game of Life on it?
huh.
Here's the other side.
It's got two buttons, the connector for the LED/camera bit, and a copyright! 2019. (though I think this thing only came out this year)
PCB 10049281K
SCH 10049282J
That looks like it might be a JTAG or something similar
Another chip that's FUCKING TINY and I'm gonna need to get out my microscope to have any chance of reading it
also I apparently broke the speaker cable when opening it. Shame!
Here's the LED/camera assembly. Two LEDs and some kind of optical sensor in the middle. I suspect it's only a few pixels, it doesn't need to be many for what it does.
The back of the camera PCB has a sticker saying c01821 203kap, but naturally there's no results for that.
Here's an example of one of the labels that mario's ass can sense.
SO now the next question is:
how do we attack it and make it do things Lego/Nintendo didn't intend?
There's a few possibilities:
1. Hack the app to send different bluetooth commands at it. Maybe it has a remote firmware update? maybe we can just bluetooth some new code to it.
2. Read the SPI flash chip, get the data off there.
It may be just images & sounds, or may contain code.
if it contains code, we could write our own code back over it.
3. Reprogram the flash memory inside the CPU itself.
Presumably there's some code in there? maybe that JTAG-looking breakout is an in-circuit programming header, and we can just reflash it.
Hacking the app and using bluetooth probably makes the most sense, because then you'd be able to do it to other ones without tearing them apart.
So let's grab the app.
Oh look, it's written in Unity.
The code for the app has the interesting name embedded in it of "lego. dk.legodevicesdk".
I want a lego SDK!
It looks like all the meat of the bluetooth handling is done inside unity. wow.
there must really be a lego SDK because this is pulling up all kinds of lego stuff that clearly isn't used with this toy
I'm not seeing any specific mario-related stuff in the various files here, so maybe part of the app is just downloaded at runtime?
ahh, no, it's mentioned in global-metadata.dat, because they used il2cpp to compile the .net bytecode to native arm code.
now where's that tablet I set up for bluetooth logging...
BTW it looks like someone else has already decoded the bluetooth protocol, and used it to turn this into an input device: https://twitter.com/r1ckp/status/1301074026975162368
sadly it doesn't seem they've released the protocol or code
Connected!
what? it needs an update? I just downloaded it!
oh wait, it doesn't mean Lego Mario the app, it means Lego Mario the device!
It's doing a firmware update!
Awesome. That sounds exploitable to me.
huh. it can tell how much battery I have left. Fancy.
wow. the "for grown-ups" section has an age gate. Leisure Suit Larry this ain't.
it turns out the downloaded-later file (700mb of it) is called "main.6519.com.lego.supermario.obb" and it's actually a zip file.
ehh, partially a zip file.
when extracted it only makes up like 88mb, it seems the rest is raw data or something.
and now I'm back in the nightmare where I'm trying to pull a bluetooth log.
this is a samsung device, and they moved it to a different location, because they hate you
hopefully it's not in /data/log/bt/ because I'm not allowed to see what's in there on my own device
oh, I think I remember what it is. you need to trigger a bug report, and that'll generate and download a zip file of stuff, including a btsnoop_hci.log somewhere inside that zip
yep!
adb bugreport foobar,
then check foobar.zip under FS\data\log\bt\ and surprise, there's a btsnoop_hci.log file.
and Wireshark can load up the log file
ok I found the message "LPF2-Boot" in the bluetooth logs.
google that, and this comes up:
https://lego.github.io/lego-ble-wireless-protocol-docs/
so like someone suggested before, it looks like this is built on top of the existing documented lego BLE wireless protocol, which is used by other lego systems.
but yeah, that'll help get some of the protocol info here.
it seems it's shortly afterwards sending over a full firmware update, which is (don't ask how I know this) about 250k.
So it nicely fits into that internal flash memory.
I should be able to extract that out of the BLE
although an easier route might be to get it out of the app.
presumably it's located here somewhere... unless it gets downloaded at runtime? I may have to sniff the network, too.
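Since the logs show the LPF2 / LEGO Wireless Protocol framing, here's an added example (mine, not from the thread or from LEGO) that splits a captured frame into the common header the published docs describe and pulls the port/value out of a Port Value (Single) message. The sample frames are constructed, not captured from a Mario, and the message-type names are the subset of the documented table I needed.

```python
# Message type codes from the published LEGO Wireless Protocol 3.0 docs
# (lego.github.io/lego-ble-wireless-protocol-docs); only a subset is listed.
MESSAGE_TYPES = {
    0x01: "Hub Properties",
    0x02: "Hub Actions",
    0x04: "Hub Attached I/O",
    0x05: "Generic Error Messages",
    0x10: "F/W Update - Go Into Boot Mode",
    0x45: "Port Value (Single)",
    0x81: "Port Output Command",
    0x82: "Port Output Command Feedback",
}


def parse_lwp3(frame: bytes) -> dict:
    """Split one LWP3 frame into its common header fields and payload.

    Header layout: message length (1 byte, or 2 bytes when bit 7 of the
    first byte is set), hub ID (1 byte, always 0x00), message type (1 byte).
    The length field counts the whole frame, header included.
    """
    if len(frame) < 3:
        raise ValueError("frame too short for an LWP3 header")
    if frame[0] & 0x80:
        # Extended length: low 7 bits of byte 0, byte 1 supplies the high bits.
        length = (frame[0] & 0x7F) | (frame[1] << 7)
        hdr_len = 4
    else:
        length = frame[0]
        hdr_len = 3
    if length != len(frame):
        raise ValueError(f"length field {length} != frame size {len(frame)}")
    hub_id, msg_type = frame[hdr_len - 2], frame[hdr_len - 1]
    return {
        "length": length,
        "hub_id": hub_id,
        "type": msg_type,
        "type_name": MESSAGE_TYPES.get(msg_type, f"unknown (0x{msg_type:02x})"),
        "payload": bytes(frame[hdr_len:]),
    }


def port_value_single(frame: bytes) -> tuple:
    """For a Port Value (Single) message, return (port id, raw value bytes)."""
    msg = parse_lwp3(frame)
    if msg["type"] != 0x45:
        raise ValueError("not a Port Value (Single) message")
    return msg["payload"][0], msg["payload"][1:]


# Constructed sample: length 6, hub 0, Port Value (Single), port 1, value 05 00.
SAMPLE_PORT_VALUE = bytes([0x06, 0x00, 0x45, 0x01, 0x05, 0x00])
```

The raw value bytes are left undecoded on purpose: the per-port format (barcode number, pants code, etc.) is what still has to be worked out from the logs.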
I'm downloading the SDK for the TI chip now, but first I had to promise to TI that I wasn't gonna use it for building nukes for iran
oh hey, I was able to talk to it with some questionably-run python.
F8:8A:5E:FA:66:92: LEGO Mario_k_b
interesting name. I wonder what _k_b means?
there's an existing library for doing python scripts that talk to the other bluetooth-based lego devices, hopefully it can be convinced to talk to the Mario device with some minor changes: https://github.com/virantha/bricknil
Mario has 5 ports, and one of them is PANTS
There's also some info on how the barcodes are decoded.
Apparently each one decodes to a single number:
this also explains the 6 buttons.
These are pants sensors:
and the reason those exist is that you can buy add-ons for the game, which come in the form of NEW PANTS.
Mario can detect which pants you've put on him, and he gets new abilities based on the pants
All the existing decoding seems to be about what Mario can send to the device. I'm not seeing anything going back the other way.
also I do like the idea that mario can detect if he is nude
"brr, putsa pants on me!"
maybe I'll make a keyboard of barcodes, one for each letter, then to press enter you pull Mario's pants down?
blarg. my favorite thing is finding a new library with nice docs, nice API, nice examples, and then the examples don't work and there's zero results for the errors you get.
oh it's because the examples are for an unreleased version (the github version), and I can't just easily switch to the github version because it depends on a native component that has a whole section in the docs explaining how to build it, which are, and I quote, "TBD"
COMPUTERS ARE STUPID