Nintendo Is Making Copyright Claims on Videos of Game & Watch Hacking

Despite its retro charms, for $50 the Nintendo Game & Watch: Super Mario Bros. handheld felt like it could benefit from a few more games: an upgrade some talented hackers made possible before the device was even released. But Nintendo doesn’t like consumers messing with its hardware, and today it appears it started using copyright claims to take down G&W YouTube hacking videos.

Twitter user ‘stacksmashing’ was one of the first to start experimenting with the Nintendo Game & Watch hardware, cracking open the device to see how customizable its hardware and software were. Not surprisingly, given how simple the device is (there’s no expandable memory, the USB-C port is for power only, and it can’t connect to the internet), it didn’t take long for stacksmashing to find a way to swap the included Super Mario Bros. ROM file with other games, including The Legend of Zelda and the original Game Boy Pokémon games.

Work on hacking and customizing the new Nintendo Game & Watch has progressed quite a bit since mid-November, but this morning ‘stacksmashing’ woke up to a notice from YouTube that Nintendo had made copyright claims on two of his G&W hacking videos and as a result, they were no longer viewable on YouTube:


According to ‘stacksmashing’ who spoke with Gizmodo this morning, one of the videos features only in-game footage of the version of Super Mario Bros. included with the new Nintendo Game & Watch—footage that countless YouTube reviewers have also included in their reviews and hands-ons of the device—as well as a video featuring the handheld modified to play the NES version of The Legend of Zelda. Prior to these claims, Nintendo hadn’t reached out to ‘stacksmashing’ in any way about their YouTube videos or the G&W hacking content they share via their Twitter account.

In response to the claims, ‘stacksmashing’ has edited both of the videos in question and is filing disputes in an attempt to have them allowed back on YouTube again. Gizmodo has reached out to Nintendo for comment on why copyright claims were made for these two specific videos when the gameplay footage they both include has also been featured on countless other gaming-focused channels on the site. One of the videos taken down does include instructions on how users can back up the G&W’s included firmware (allowing them to revert back to it at any time), including guides to using a couple of scripts, but no ROM files are shared. The copyright claims made by Nintendo specifically refer to the use of the game footage featured in both videos.

Nintendo has long taken a strong stance against hacking its hardware and consoles to circumvent security features and facilitate game piracy (or accessing games that have been region-locked) but it’s not like the new Game & Watch has the processing power to allow gamers to enjoy the latest and greatest Switch titles. And in these videos ‘stacksmashing’ is in no way advocating that anyone interested in hacking the G&W and expanding its capabilities should also download ROM files for titles they don’t already own. Hacking the new Nintendo Game & Watch also doesn’t in any way hinder sales of the hardware. If anything, more people will be encouraged to buy it knowing it could potentially play more than a disappointing roster of just three included games.

Combining Mario Kart Live With Lego Super Mario Creates the Ultimate IRL Video Game Experience

Assuming everyone was getting tired of spending every waking hour playing video games while socially distancing at home, Nintendo released two IRL video game experiences last year that, it turns out, can be unofficially combined to create an even better real-life Mario experience.


Although a little pricy ($100 for one car, plus the cost of a Nintendo Switch console for each vehicle) we found Mario Kart Live, which turns your home into a real-life Mario Kart track, to be almost as satisfying and enjoyable to play as the popular racing game, while Lego Super Mario was a great alternative for those wanting the Mario experience but lacking the hand-eye coordination to master a controller.


Both experiences rely on image recognition to bring their respective games to life, with Mario Kart Live using an on-car camera to recognize track markers like corners and starting gates while Lego Super Mario features a scanner to read special bar codes printed on other characters and obstacles. Both have been reverse-engineered allowing anyone to create their own track markers (using Lego bricks in this case) and bar codes (using a regular household printer) which is what allowed the folks behind the YouTube channel Playfool to create this mashup which works so well you’d be tempted to believe that Nintendo planned it this way.

To allow the Lego Super Mario figure to ride along with the RC Mario Kart you’ll need to print and fold a custom paper saddle Playfool created (the template can be downloaded here) which has the figure hanging off the back of the vehicle so that the scanner underneath it can read any barcodes it drives over. The most complicated part might be adding a piece of tape so that the saddle doesn’t come undone during a particularly exciting lap.

You’ll also need to incorporate the special Lego Super Mario barcode elements into your Mario Kart Live race track, including start and finish markers that activate the timer on the Lego Mario figure, power-ups, and even bad guys to drive over. But that’s also just as easy as downloading, printing, and cutting out a collection of course elements that Playfool has already gone to the trouble of creating, and laying them out on your track.


Just keep in mind that the score-keeping and achievements you can collect and unlock in Mario Kart Live and Lego Super Mario remain completely separate; the Lego Mario figure still can’t connect to your Nintendo Switch and influence your race scores, and vice-versa. The hack doesn’t do much to enhance the Mario Kart Live experience, but if you’ve gotten bored of manually guiding Lego Super Mario around a Lego version of the Mushroom Kingdom you’ve built, this mashup should breathe some life back into that toy.

An Exposed Username and Password Leaves Over 100,000 Zyxel Firewalls and VPN Gateways Open to Severe Attacks


Photo: Nicolas Asfouri / AFP (Getty Images)

A critical vulnerability discovered by a Dutch security specialist at EYE allows hackers to “completely compromise the confidentiality, integrity and availability” of more than 100,000 Zyxel firewalls, VPN gateways, and access point controllers.


Spotted by ZDNet, the underreported vulnerability was created by an exposed username and password with administrator privileges, which is essentially a hardcoded backdoor to the devices. The backdoor allows hackers to gain root access to, or complete control of, the devices through both SSH and the web administration interface, the outlet reported. Affected firewalls, which are running firmware ZLD V4.60, include the ATP series, USG series, USG FLEX series, and VPN series. The NXC2500 and NXC5500 AP controllers have also been compromised.


A full list of affected devices and their patches is available here.

Niels Teusink, the senior cybersecurity specialist at EYE who discovered the exposed username and password, said that the vulnerability could be devastating to small and medium-sized businesses when combined with others. The specialist explained that the plaintext password was visible in one of the binaries on the system.

“An attacker could completely compromise the confidentiality, integrity and availability of the device,” Teusink wrote in a report about the vulnerability. “Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device.”

Teusink highlighted that Zyxel, which provides network products to a variety of clients, from personal to enterprise, is a popular firewall brand for small and medium-sized businesses. Given that a lot of people are working from home, VPN-capable devices, such as Zyxel’s USG product line, which is often used as a firewall or VPN gateway, have been selling well lately, he said.


Zyxel said that the exposed account was designed to deliver automatic firmware updates to connected access points through FTP. In an advisory about the incident, the company affirmed that it urged users to install the applicable updates.

EYE reported the backdoor to Zyxel at the end of November and said the company responded promptly and proceeded to address the issue. Zyxel published its advisory about the incident in late December and has issued patches for some, but not all, of the affected devices. The patch for some of its AP controllers, for instance, will be released in April.


Vulnerabilities like these have become increasingly common in recent years. In the case of VPNs, the Cybersecurity and Infrastructure Security Agency warns that since they run 24/7, organizations are less likely to keep them updated with the latest security updates and patches. This was echoed by Teusink, who stated that in EYE’s experience, most users of the affected devices do not update the firmware very often.


We already have enough to worry about without thinking about getting hacked, so do your best to avoid it.

Amateur Batman Builds His Own Wrist Mounted Grappling Gun

A childhood spent obsessing over Batman’s wonderful toys eventually transitions to a disappointing adulthood where you realize those gadgets just can’t exist in real life, even with a billion-dollar budget. That hasn’t stopped many from trying, and JT from YouTube’s Built IRL has come closer than most at recreating Batman’s grappling gun.


The project actually started over a year ago while JT was interning on another popular YouTube channel known for its impressive builds of fictional superhero gadgets: Hacksmith Industries. Building a working grappling gun isn’t easy, and it’s made all the harder when it’s supposed to perform the same way Batman’s does with enough torque and power to physically lift a fully grown person off the ground as the cable attached to the hook is slowly retracted. It’s such a demanding creation that JT has actually dedicated five entire videos over the past year to the build and all the unique challenges and problems that had to be overcome with clever engineering.

The results might not be as pretty or as sleek as what Batman carries on his utility belt, but it definitely works as you can see in this final test video.

Starting with a custom aluminum chassis JT added a powerful electric motor designed for electric skateboards that’s used to reel in 46 feet of paracord with a 550 lb. breaking point, a custom grappling hook launcher that’s powered by 12-gram CO2 cartridges, almost 50 volts of rechargeable lithium polymer batteries, an analog throttle wheel to control his ascent and descent, and even a custom-design PCB controller that controls everything, wired up with heavily shielded cables since the electric motor produces a lot of electromagnetic interference.


Do the successful tests mean JT can finally spend his nights fighting crime? Probably not. In its current form, the grappling hook isn’t the most reliable getaway tool, and while the paracord it uses is strong, it can still be easily severed if wrapped around an object—like a metal beam—with sharp edges. But maybe five more videos from now the Dark Knight will finally have some real-life competition.

The World’s Smallest Portable Nintendo 64 Is Barely Larger Than a Cartridge

There’s a niche arms race among hardware hackers to create ultra compact versions of video game consoles, and YouTube’s GmanModz appears to have successfully miniaturized an entire Nintendo 64 into a portable that’s not much bigger than an N64 game cart—making it possibly the world’s smallest to date.


The last time we featured one of GmanModz’ creations they had turned an N64 into a super-sized GBA SP complete with a folding screen, but as impressive as it was, the hacked console was still a bit on the chunky side as far as portable gaming systems go. Trying to squeeze it into a pocket would have been an uncomfortable endeavor.


If you’re asking yourself, “what’s the big deal? you can now just buy tiny handheld emulators that can play most N64 games,” you’re missing the point of GmanModz’ accomplishment. The world’s smallest portable N64 actually features the original guts of a stock Nintendo 64 console that’s been expertly trimmed down, re-organized, re-wired, and re-soldered. (Yes, a lot of N64s have to die for this pursuit.) The resulting miniaturized console doesn’t rely on emulation or ROMs to play N64 games; the goal is to play these titles right off the original carts.

Not every part of the world’s smallest Nintendo 64 portable uses parts from the original console, however. A battery’s been added, as well as a 3.5-inch 320×240 screen, a speaker and a custom PCB to drive it, and a new cartridge slot that allows games to be securely held in place without a locking mechanism. The housing is a custom 3D-printed creation using heat-resistant plastics that won’t melt and warp as the hardware inside gets warm during gameplay, and instead of cannibalizing an original N64 controller, this portable features custom buttons and a pair of Switch Joy-Con joysticks that have a much smaller footprint.

Is the tiny N64 ideal for playing on the go? Not really. The battery life tops out at around an hour and a half, the ergonomics are far from optimized, and both the N64’s D-pad and left shoulder button have been replaced with custom button and joystick combinations to replicate their behaviours. (In reality, very few N64 games used the D-pad or the left shoulder button, so it’s a minor sacrifice.) There’s a good reason Nintendo didn’t prioritize pocket-ability with the Switch, but that doesn’t make GmanModz’ accomplishment here any less impressive.

I Desperately Need This Lego Machine That Measures Presents and Perfectly Cuts Wrapping Paper to Size


As enjoyable as the holidays are, there are parts that you’re happy to be done with—like wrapping presents. It’s a process that seems overly complicated, especially when your hard work is going to just be torn to shreds, which is why I desperately want this giant Lego machine as my gift-wrapping assistant.


This machine measures in at around 45 inches long, which makes it large enough to hold a standard sized roll of wrapping paper. Even more noteworthy, this thing is almost entirely built from Lego pieces, including gears, pulleys, electric motors, various sensors, and a Lego Mindstorms EV3 programming brick that controls it all. The only things not made from Lego are the cutting head, some of the cabling (there’s a lot of wires on this one), and the custom software it runs on, which was coded in Python.

Presents—at least those inside a box—are placed on a separate area, also made from Lego, where two optical sensors analyze and calculate its dimensions. From there the custom code calculates the total volume of the box, and then the amount of wrapping paper needed to completely cover it with enough slack on the ends to make some fancy decorative folds.


The machine then automatically unravels a roll of wrapping paper to the desired length, where a cutting head on a sliding track makes a series of slices to remove any excess length. A perfectly proportioned piece of parchment then rolls out of the machine ready to be wrapped around your gift. Unfortunately, at least in its current form, the machine isn’t able to do all the wrapping for you. That’s an upgrade we’ll hopefully see arrive in 2021. In 2022, maybe it will even handle all your online holiday shopping, too.

Baby Yoda Robot Uses AI to Follow You Around Like a Creepy Toddler

If there’s one thing stores are now well stocked with, it’s Baby Yoda toys. And while you can shell out hundreds of dollars for a startlingly lifelike replica of Grogu, this DIY does what all the others can’t: automatically follow you everywhere you go like a curious 50-year-old toddler.


Creator Manuel Ahumada wanted his Baby Yoda replica to be smarter than all the rest, so he designed and 3D-printed a custom robotic frame with moving arms, a head that inquisitively looks up and down, and a set of wheels so his Grogu could get around faster than the tiny-legged character in The Mandalorian could. The creation was stuffed inside a gutted off-the-shelf Baby Yoda toy, while electronics, including a Raspberry Pi, servos, and electric motors were added to bring the recreation to life.

Like many of the toy versions of Baby Yoda, Ahumada’s version can be controlled remotely using a PlayStation 4 controller talking to the onboard Raspberry Pi over Bluetooth, but for more autonomy, a series of movements can also be performed, recorded, and played back making Grogu appear more lifelike all on his own.


Things get even more interesting when the Child is given his own smartphone that he holds in front of him. It may look like he’s checking social media, but the smartphone is actually running Intel’s OpenBot app, which uses machine learning models to process a live feed from the device’s camera. In this case, the app scans the video for the presence of a human, identifies them, tracks their location and movements, and then automatically controls Baby Yoda’s wheeled platform to follow the person wherever they go.

It’s impressive to see just how quickly a surprisingly capable robot can be thrown together today using off-the-shelf parts like a Raspberry Pi and a smartphone. Earlier this year, Mattel released its own robotic Baby Yoda toy that follows you around like a needy dependent, but it also requires you to carry around a remote control. It’s cuter than Ahumada’s creation which, we’ll be the first to admit, is kind of creepy, but kudos to him for totally one-upping all the big toy companies.

Computer Memory Can Be Made to Speak in Wifi, Researcher Discovers


Photo: KIRILL KUDRYAVTSEV / Staff (Getty Images)

A new theoretical exploit called Air-Fi can turn a secure, air-gapped computer into a wifi transmitter that can help a hacker exfiltrate secure data.


An air-gapped computer is a computer that is completely disconnected from any network. Many air-gapped machines have every possible network feature removed, from wifi to Bluetooth, but this exploit shows that hackers can use DDR SDRAM buses “to generate electromagnetic emissions in the 2.4 GHz Wi-Fi bands and encode binary data on top of it,” according to the researcher Mordechai Guri of the Ben-Gurion University of the Negev, Israel.

“This technique required high levels of skills from the attacker, in both design and implementation,” said Guri in an email. “However, there are simpler covert exfiltration channels for conventional IT environments in the wild. This one is focusing on leaking data from air-gapped computers where the traditional network-based covert channels fail.”


“Using the Wi-Fi medium in such a non-conventional way is something that I’ve been examining during the last year,” he said.

The transmissions are invisible to other devices, and only the hacker can pick them up with specially prepared software and hardware.

He writes:

As a part of the exfiltration phase, the attacker might collect data from the compromised computers. The data can be documents, key logging, credentials, encryption keys, etc. Once the data is collected, the malware initiates the AIR-FI covert channel. It encodes the data and transmits it to the air (in the Wi-Fi band at 2.4 GHz) using the electromagnetic emissions generated from the DDR SDRAM buses.

Guri is well-known in security circles for figuring out how to attack air-gapped machines. In 2019 he used screen brightness and power lines to transmit data from secure computers and in 2018 he was also able to transmit data via ultrasonic audio files using a simple computer speaker.


In this exploit, Guri was able to force the DDR SDRAM buses to transmit to compromised wifi-capable devices like laptops and smartphones. He hacked four workstations with the exploit, each outfitted with similar 4GB DIMM DDR4 or DDR3 RAM sticks. The rest of the hardware was bog-standard and ran the Ubuntu operating system.

The exploit does require the hacker to have access to the computer’s operating system, which means you’d have to infect the machine before you could start sending out data. Further, once the computer is transmitting via its memory bus, the hacker must have a receiver no more than a few feet away from the machine to capture the wifi signals, thereby making this exploit more interesting than dangerous.


“Interestingly, in the past, we have successfully demonstrated exfiltration via covert FM radio signals generated from the monitor, then we introduced how attackers can produce cellular frequencies from the computer to leak data. It was natural that the next candidate will be Wi-Fi. This one was also the most challenging one,” said Guri.

Superhuman Hack Brings Real-Time 3D Ray Tracing to the SNES

With the help of an extra graphics processing chip inside the cartridge, Star Fox did the impossible by bringing 3D graphics to the 16-bit Super Nintendo. The decision to engineer the SNES’ hardware to allow for this upgrade was a clever one on Nintendo’s part, and 29 years after its debut, Ben Carter has used a similar trick to bring real-time ray tracing to the now antiquated console.


The Super FX chip, as it was known, wasn’t just a term cooked up by Nintendo’s marketing team to sell hardware like Sega’s claimed “blast processing” was. The chip, included in cartridges like Star Fox and lesser known games like Dirt Racer, was a coprocessor designed to boost the Super Nintendo’s rendering capabilities. The console would essentially provide a description of what was happening in a given frame, and the Super FX chip would render the visuals and pass them back to the console to display on a TV. That’s a gross simplification of the process, but unlike games like Donkey Kong Country that faked a 3D effect with pre-rendered sprites, Star Fox was the real deal.

As impressive as seeing 3D polygonal graphics in the era of 16-bit gaming was, looking back, Star Fox isn’t exactly easy on the eyes. The textures used on the 3D models were essentially solid colors, shadows were minimal, lighting effects were non-existent, and models didn’t visually interact with each other through reflections. These are all tricks modern 3D games use to look so hyper-realistic, but even the Super FX chip wasn’t capable of all that.


This is why Ben Carter, a “freelance game developer/software engineer based in Japan,” wondered if he could take inspiration from the Super FX and design his own graphics co-processing chip that worked alongside the Super Nintendo’s own hardware to create realtime 3D graphics with an advanced effect known as ray tracing. In the real world, as light particles bounce around a room and off objects they create shadows, reflections, and other visual interactions. Place your hand next to a red ball in a bright room and you’ll notice your hand looks a bit red too. Ray tracing can recreate this effect by tracing the path of light in a given scene and calculating the effects it has as it interacts with, and bounces off, simulated objects.

It’s a very processor-intensive process, which is why even older 3D consoles like the Sony PlayStation and Nintendo 64 lacked the feature, and why their graphics look so dated. Getting it to happen at all on the Super Nintendo sounds like an impossible task, but Carter managed to get it to work.

The demo he shared on YouTube can’t even begin to compare to the visuals of a game like Cyberpunk 2077 running on a PC with an Nvidia RTX 3080 under the hood. The graphics run at a resolution of 200 x 160 (slightly below the SNES’ native resolution of 256 x 224) and the ray tracing effects are limited to single-bounce reflections and directional light shadows, but compared to Star Fox, the 3D animations look like they’re running on a completely different console.

To pull it off Carter had to crack open a Super Famicom console (the Japanese version of the Super Nintendo) and sacrifice a bad Pachinko game cartridge. The game’s ROM hardware was removed and the cartridge was wired into a DE10-Nano FPGA dev board that was paired with a Cyclone V FPGA. If you’ve heard that term before it’s probably because the Cyclone V can also be found in the upcoming Analogue Pocket handheld.

Carter has shared photos of the wiring needed to pull this off on his website, and needless to say, it’s a rat’s nest that will scare away all but the most determined of hardware hackers. In its current form the real-time ray tracing demos only run at around 20 frames per second, but Carter’s optimistic this can be improved, although for what purpose exactly isn’t known. Even if they were able to upgrade the graphics on a game like Star Fox, Carter would be the only one able to enjoy it unless he found a way to create a mod chip for the original game carts—another herculean undertaking. But as it stands, and as console upgrades go, this is an impressive trick taught to a very old dog.


Feds Still Trying to Determine How Screwed They Are After Massive SolarWinds Hack

The DHS building in Washington, DC in July 2019.

Photo: Alastair Pike/AFP (Getty Images)


A cyberattack that began by targeting an IT firm used by numerous federal government agencies, Fortune 500 companies, and other high-value targets is shaping up to be a historic event.

The U.S. government is still reeling after the detection of a massive foreign intrusion into federal computer systems at agencies including—at a minimum—the Department of Homeland Security, the Treasury, and the Commerce Department. As one employee at the DHS’s Cybersecurity and Infrastructure Security Agency, the primary cybersecurity agency of the federal government, told Politico, many government agencies “don’t know how on fire they are yet.” Another U.S. government official told the site this was “going to be one of the most consequential cyberattacks in U.S. history,” and the feds suspect “the news is going to get worse.”


The extent of the breach is still unclear—beyond that malware may have been spreading on affected systems for months. It also comes shortly after Donald Trump fired the chief of CISA, Chris Krebs, in mid-November for questioning the White House’s hoax claims of voter fraud during the 2020 elections.

This couldn’t have come at a worse time, as CISA’s resources are under strain and the government official quoted by Politico said there is “massive frustration with CISA on a sluggish response to agency breaches” and the agency appears to be “overwhelmed.” The good news, according to that source, is that investigators have yet to see “any evidence that any classified systems have been compromised.” Some members of Congress have already proposed granting additional resources to CISA, though it may come too late to aid in this situation.

Every indication so far is that the hackers involved have the backing of a nation-state, with the White House viewing the most obvious suspect as Russian intelligence agencies. Those responsible built a backdoor into Orion, an IT management software produced by SolarWinds, possibly by breaking into Microsoft email accounts and other systems, according to the Wall Street Journal. They then used it to contaminate software updates provided by the company with malware in March and June 2020. In addition to U.S. government agencies, the attackers also hit security firm FireEye; senior vice president and chief technical officer, Charles Carmakal, told Bloomberg the firm was subsequently able to trace the intrusion back to SolarWinds before it notified authorities.

SolarWinds filed documents with the Securities and Exchange Commission on Monday stating the Orion product is used by 33,000 entities, about 18,000 of which may have installed infected versions 2019.4 through 2020.2.1 from March to June 2020. Once inside the targeted systems, the hackers could then gain a foothold from which to install other malware, which can’t be removed simply by disconnecting Orion. Politico reported that the attackers may also have compromised Microsoft email servers used by institutions that downloaded the infected updates in order to steal authentication tokens that gave them broader access.
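For teams checking their own exposure, here is that version range applied to an Orion install history (an added example, not code from SolarWinds or from the original article). The host names, CSV layout and sample rows are constructed, and the range is the one quoted above, compared on the release number only so that hotfix labels never clear a host. Every version a host has ever run is checked, because an upgrade after the fact does not remove whatever was installed through the foothold.

```python
import csv
import io
import re

# Range as quoted in the article ("2019.4 through 2020.2.1"), not taken from
# a vendor advisory. Compared on the first three release components only.
FIRST_AFFECTED = (2019, 4, 0)
LAST_AFFECTED = (2020, 2, 1)

# Year-style release number such as "2019.4" or "2020.2.1", anywhere in a string.
_RELEASE_RE = re.compile(r"\b(20\d{2}(?:\.\d+){1,3})\b")

# Constructed sample: one row per version ever observed on a host.
SAMPLE_INVENTORY = """\
host,version,observed
mon-01,2019.2 HF 3,2019-11-02
mon-01,2020.2.1,2020-06-20
mon-02,2019.4 HF 5,2020-03-30
mon-02,2020.2.4,2021-01-05
mon-03,2018.4,2019-01-15
mon-04,,2020-05-01
"""


def parse_release(text):
    """Return (year, minor, patch) from a version string, or None.

    Hotfix labels and build numbers after the third component are ignored,
    so the comparison errs on the side of flagging a host.
    """
    match = _RELEASE_RE.search(text or "")
    if match is None:
        return None
    parts = [int(p) for p in match.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def triage(inventory_csv):
    """Map each host to a status and the version strings that caused it.

    investigate  : some version ever installed falls inside the range
    unknown      : nothing in range, but a version could not be parsed
    out_of_range : every recorded version parsed and none is in the range
    """
    seen = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        entry = seen.setdefault(row["host"], {"affected": [], "unparsed": []})
        release = parse_release(row["version"])
        if release is None:
            entry["unparsed"].append(row["version"])
        elif FIRST_AFFECTED <= release <= LAST_AFFECTED:
            entry["affected"].append(row["version"])

    result = {}
    for host, entry in seen.items():
        if entry["affected"]:
            result[host] = {"status": "investigate", "evidence": entry["affected"]}
        elif entry["unparsed"]:
            result[host] = {"status": "unknown", "evidence": entry["unparsed"]}
        else:
            result[host] = {"status": "out_of_range", "evidence": []}
    return result


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, verdict["status"], verdict["evidence"])
```

A host marked `investigate` needs a review of the machine itself and of the credentials it held, not just an Orion upgrade.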


Two people “familiar with the wave of corporate cybersecurity investigations being launched Monday morning” told Reuters that the hackers appeared to have been selective about which compromised systems they actually broke into, indicating they had specific intelligence targets in mind when they launched the attack.

“They could have just compromised SolarWinds, but they did more,” Vincent Liu, the CEO of cybersecurity firm Bishop Fox, told the Journal. “They turned that one compromise into who knows how many other compromises that we’re going to be learning about for weeks. We may never know the full impact.”


“A supply chain attack like this is an incredibly expensive operation—the more you make use of it, the higher the likelihood you get caught or burned,” FireEye threat director John Hultquist told the New York Times. “They had the opportunity to hit a massive quantity of targets, but they also knew that if they reached too far, they would lose their incredible access.”

Another U.S. official who spoke with Politico blamed Cozy Bear, a hacking group the U.S. government believes is associated with or run by Russia’s Foreign Intelligence Service. This assessment was backed by sources that spoke with the Washington Post. Cozy Bear, along with a different unit called Fancy Bear, were among the suspected Russian intelligence assets security firm CrowdStrike determined gained access to Democratic National Committee servers during the 2016 elections.


According to the Verge, SolarWinds appears to have removed a client list from its website, “including more than 425 of the companies listed on the Fortune 500 as well as the top 10 telecom operators in the United States.” SolarWinds clients also include Los Alamos National Laboratory and defense contractor Boeing, per the Times.