PalmOS on FisherPrice Pixter Toy

Posted by dmitrygr 4 days ago

Counter194Comment29OpenOriginal

Comments

Comment by emddudley 4 days ago

I was an intern at Fisher Price when they introduced the Pixter Color. I did QA on some of the games, the Dora one comes to mind. You can imagine the torture playing a level over and over.

The games were developed overseas (India I think?). I would send them bug reports in Mantis and overnight they would send a new build. Sometimes they would even fix the bugs. I would burn the builds on to EEPROMs and verify them the next day. The EEPROMS had a little round window so they could be erased in a UV box before programming.

Fisher Price used a video codec from Actimagine to fit video clips onto the game cartridges. That's how I learned about Virtualdub. I remember editing clips from a show called Winx.

The big competition was the Leapster LeapPad and they were trouncing us.

One fun thing the engineers did periodically was a toy teardown to see how competitors saved on cost. Cost was critical. They told me how Walmart basically dictates toy cost because they controlled the shelf space.

Comment by yjftsjthsd-h 4 days ago

> The EEPROMS had a little round window so they could be erased in a UV box before programming.

Nitpick: That'd be a EPROM ("erasable programmable read-only memory"), not EEPROM ("electrically erasable programmable read-only memory"), right?

(But also thanks for the insight; I did wonder a bit as I was reading dmitrygr's article what the other side was of building these)

Comment by dmitrygr 4 days ago

I have an upcoming article on Pixter itself which includes giving them a LOT of credit for cost cutting. There are some quite clever things there. I also worked out how to dump games (not easy with those damn melody chips, or what did you call them?) and will release an archive of all games and working emulators.

Comment by enoent 4 days ago

Nice work Dmitry, looking forward to read your next article.

The later model Pixter Multimedia had the full memory space accessible via JTAG, which is how some carts and even boot ROM got dumped a while ago [1], is it the same deal with Pixter Color?

That OpenOCD script was a bit flaky, and sometimes the boot ROM would be already unloaded before reading, maybe you have some insights in how to make it more robust.

btw, have you looked into the original Pixter? The cart connector seems to have a very narrow bus, so it doesn't look like those carts have code, and probably can only be dumped with a decap.

[1]: https://qufb.gitlab.io/writeups/pixter

Comment by dmitrygr 3 days ago

That only dumps the data. That’s the easy part. None of that dumps the melodies.

The pin outs that page links to are also not quite accurate. I need to finish editing my other article on this.

I have indeed looked into the original Pixter. Deeply: I have decoded the bus, documented the device, dumped games, and produced a working emulator.

The cartridges do contain memory. Most of them are about 1 MB in size, split between code (the maximum for which is 32 kB) and audio effects + images which occupy the rest of the space. If you are very, very curious and don’t want to wait for me to finish my editing, email me and I can explain how it works.

Comment by seg_lol 3 days ago

When are you going to teach a Masterclass? Reverse engineering hardware is how you get the best internship money can't buy.

Comment by dmitrygr 3 days ago

I do once every few months as articles on https://dmitry.gr

Comment by echelon_musk 3 days ago

> Virtualdub

There's a blast from the past.

I remember using it to remux and join 2CD XviD movies into a single avi. Making sure to identify any duplicated key frames and delete them.

I still have a YouTube video I encoded with virtual dub ~20yrs ago.

Comment by steve_adams_86 3 days ago

> I would send them bug reports in Mantis and overnight they would send a new build. Sometimes they would even fix the bugs.

Haha, this brought me back to working on a project with some people overseas. So much 'work' done, so little progress made.

Comment by oatmealcookie 4 days ago

> They told me how Walmart basically dictates toy cost because they controlled the shelf space.

I wonder if that is still true due to online shopping.

Comment by TheNewsIsHere 2 days ago

At least as of a few years ago, it was indeed still true.

Walmart is huge in online shopping as well. They use this position to essentially tell vendors what they can charge if they want the shelf space. If you don’t say “ok”, and they can reproduce your good, then they absolutely will if there’s enough demand to bother. This is one fantastic reason to hold a patent on your goods (if patentable).

Comment by 3 days ago

Comment by yjftsjthsd-h 4 days ago

Hats off; this kind of mad genius is the best of what I hope to read on Hacker™ News.

Comment by zubiaur 4 days ago

Dmitry is a mad genius. He has been doing stuff like this for 20 years, he was fixing palm’s issues for years. All his hardware projects are phenomenal, and so is his writing.

Comment by ACCount37 3 days ago

I aspire to be half the mad genius reverse engineer he is.

Comment by zubiaur 1 day ago

I've found myself reading a bit of the rePalm posts for the last few night. Funny thing is that I find myself to have read and re-read that stuff for hours now, a bit at a time, re-reading some of the most interesting bits, and doing cursory research on the (many) things that are over my head.

That is hours reading. D must have spent so much more time writing, and doing it so very clearly and in such an organized, and even entertaining way.

And then there is the time figuring this crap out and making it work. I just... D is on league of his own, he is like a one-man hardware company. Having that level of skill must be so gratifying. He is a virtuoso of his craft.

Dude casually mentions stuff like... (paraphrasing) Palm OS expect this and that behavior that most kernels don't implement. So I wrote my own.

Comment by dpedu 3 days ago

> when it came time to run my favourite PalmOS game - Warfare, Inc..

Also one of my favorite PalmOS games! It is worth noting that this game has been open sourced under a new name, Hostile Takeover.

https://github.com/spiffcode/hostile-takeover

Comment by dmitrygr 3 days ago

Noted. Thank you!

Comment by mwexler 3 days ago

It's fascinating to see the mergers of 2 dead tech. This isn't emulation or archiving; it's something that only a few hundred people can even experience. Yet it's a fascinating journey. I'm not quite sure why I like it. The excessive detail? The passion and drive? I didn't expect to enjoy it, and those kinds of surprises are nice to stumble on.

Comment by dmitrygr 3 days ago

The short of it is: I always wanted to have kids. I don’t. So I dump my excesses energy and enthusiasm into my projects.

Comment by dmitrygr 4 days ago

Possible user-space DoS on Linux when running on an ARM7 CPU in just two instructions. Would that be a record? If the kernel was configured to support OABI (exclusively or together with EABI), I think the following two-ARM-instr binary will simply crash the kernel if the core has alignment checking: SUB PC, PC, #2; SWI 0. I am not sure how common such configs are, but someone should maybe fix that? The fix would be only one extra instruction.

Comment by zozbot234 3 days ago

https://lkml.org/lkml/2024/12/4/503 states that OABI support is quite obscure these days and will probably be outright unbuildable at some time in the future, but what you've found still qualifies as a (likely minor) security issue that should be properly reported as such. The kernel page on security reporting is https://docs.kernel.org/process/security-bugs.html

Comment by dmitrygr 3 days ago

I can just imagine the report:

Hai there, kernel guys. Now... assuming you first rob a museum for a working ARM7TDMI-based board, then find a way to flash it with a kernel and a rootfs to boot it, and if your kernel has an obscure and not-used-anymore ABI enabled, and you then somehow give an untrusted party ability to run code on it, they could crash the kernel using this 8-byte userspace binary.

:)

It is academically cool, no more. Quite possibly some old industrial control stuff is still running on old ARM7 boards with OABI enabled, but (i hope) they are not exposed to third party code. I guess I could send in the one line patch, if i find the time. The fix is quite trivial, funnily enough. You simply mask off the bottom 2 bits instead of assuming that LR in ARM mode is 4-byte-aligned, since on ARM7 it might not be

Comment by zeta0134 4 days ago

6502 can do it in one. 12 opcodes are glitched in a way that permanently halts the CPU, by causing it to never reset the internal tick counter (...sortof) that starts the next instruction. Recovery is only possible with a power cycle.

Comment by dmitrygr 4 days ago

6502 doesn’t host Linux :)

Being able to crash a Linux kernel from unprivileged user code is more fun.

Comment by retrac 3 days ago

Very impressive hack. Looking at this I now think I may have overpaid for my Palm Pilot back in the day!

For the Pixter Color in 2003 I found a price of $80 US at release. The specs aren't directly comparable (less RAM and I bet less battery life too). But still! That's less than half the cost of a black-and-white Palm m105 around the same time.

I wonder how cheap PDAs might have been if mass market forces had been applied to them. Handheld computers didn't really get the cost reduce it like a mass market kid's toy treatment until the smartphone era.

Comment by dmitrygr 3 days ago

Do note that I had to add RAM to make Pixter color boot PalmOS. Pixter multimedia CAN do it standalone though.

Comment by wasmainiac 4 days ago

I love posts like this. Amazing work!

Comment by theblazehen 4 days ago

I love your work, it's always very fascinating. Been reading your posts for years

Comment by scottlu2 3 days ago

Very impressive. Nice work.

Comment by arschficknigger 3 days ago

[flagged]