This is the short story of the Shark MX Game cart
Introduced in 2000, the Shark MX Email device by Interact allowed the 8-bit Game Boy Classic, Pocket and Color to connect to the outside world and send/receive email. At the time, only the most advanced smart phones and PDAs could communicate via email, so this was a huge step towards online gaming on a mobile device. Why hadn't I heard of the Shark MX before now, 14 years too late!?
My brother told me of a Shark MX for sale on eBay. For under $10 I could have one of the coolest devices to own, way back in 2000. After a quick Google, it turns out there is not much on this device. I did find an image of the internals, which shows off a stand-alone 2400 bps modem IC, a 256 kb Flash EEPROM IC and a custom Memory Bank Controller that swaps banks to give access to more memory than the Game Boy's address bus was designed for. This alone was enough for me to Buy It Now!
With hopes of converting it to a reprogrammable flash cart (again, something I would have loved 15 years ago), I downloaded the ROM to see what it could do in its current form. During my search, my brother showed me a link to a forum post saying that an Electronic Serial Number (ESN) was needed to enable the cart. Combined with the fact that Interact went under many years ago, and that the modem was only released in the USA/Canada, this meant there was no way to get an ESN, and even if I managed to get hold of one, there would be no way to connect to a non-existent server...
So I reverse engineered the software to generate my own ESN
After a few hours of disassembling the many routines, I found how the software parses the user-entered key, verifies its authenticity and extracts the user account number. Considering this encryption had to be secure enough to prevent unauthorised users from accessing email accounts other than their own, as well as the not-so-cheap 'credits', it was quite rewarding generating a working ESN.
The algorithm uses a series of coding techniques: crypt lookup tables, rotates and shifts, checksumming, bit stuffing, bit splitting, non-linear formulas and a clever little byte-jumbling routine. The crypt tables are generated when the routine is called and are not stored directly in Flash, which makes it tricky to catch them in memory before the limited resources are reallocated.
And the result? This program generates a random 24-digit number, generates and applies a valid checksum, jumbles the 24 digits in a preset pattern, assembles the digits into groups, packs, shifts and splits the groups, and passes the result through a crypt table, producing a key drawn from a limited 16-character ASCII set. Easy!
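To make the shape of that pipeline concrete, here is an added Python model written for this page; it is not the author's program, and none of its constants are the ones recovered from the cart. The 16-symbol alphabet, the fixed jumble permutation, the weighted mod-10 check digit, the 3-digits-into-10-bits packing and the 8-digit account field are all hypothetical stand-ins chosen so the encode/decode round trip runs offline. It also implements the verifier direction (what the cart's firmware does: parse, verify, extract the account number), which makes the security point visible: once both directions live in the ROM, the scheme is an encoding plus a checksum, and anyone who can read the firmware can mint valid keys.

```python
"""Hypothetical model of a 24-digit -> 16-symbol key pipeline.

Stages follow the write-up above (random digits, check digit, fixed
jumble, grouping, bit packing, 16-symbol crypt table). Every constant
here is a stand-in, NOT a value recovered from the Shark MX ROM.
"""
import secrets
from typing import Optional

ALPHABET = "23456789ABCDEFGH"              # hypothetical 16-symbol output set
PERM = [(7 * i) % 24 for i in range(24)]   # hypothetical fixed jumble (7 is coprime to 24)
ACCOUNT_DIGITS = 8                         # hypothetical: account number = first 8 digits
GROUPS, GROUP_BITS = 8, 10                 # 8 groups of 3 digits; 000-999 fits in 10 bits
KEY_LEN = GROUPS * GROUP_BITS // 4         # 80 bits -> 20 nibbles -> 20 symbols


def check_digit(payload: str) -> str:
    """Weighted mod-10 check over 23 digits (stand-in for the real checksum)."""
    if len(payload) != 23 or not payload.isdigit():
        raise ValueError("payload must be 23 decimal digits")
    s = sum((i + 1) * int(d) for i, d in enumerate(payload))
    return str((-s) % 10)


def verify_digits(digits: str) -> bool:
    """True when the 24th digit is the correct check digit for the first 23."""
    return len(digits) == 24 and digits.isdigit() and check_digit(digits[:23]) == digits[23]


def build_digits(account: int, padding: Optional[str] = None) -> str:
    """Account number, random filler, then the check digit: 24 digits total."""
    acct = str(account).zfill(ACCOUNT_DIGITS)
    if len(acct) != ACCOUNT_DIGITS:
        raise ValueError("account number too long")
    if padding is None:
        padding = "".join(secrets.choice("0123456789") for _ in range(23 - ACCOUNT_DIGITS))
    payload = acct + padding
    return payload + check_digit(payload)


def encode_key(digits: str) -> str:
    """Digits -> jumble -> 3-digit groups -> pack 10 bits each -> nibbles -> alphabet."""
    jumbled = "".join(digits[PERM[i]] for i in range(24))
    packed = 0
    for g in range(GROUPS):
        packed = (packed << GROUP_BITS) | int(jumbled[3 * g:3 * g + 3])
    # Split the 80-bit value into 4-bit nibbles, most significant first.
    key = "".join(ALPHABET[(packed >> (4 * k)) & 0xF] for k in reversed(range(KEY_LEN)))
    return "-".join(key[i:i + 5] for i in range(0, KEY_LEN, 5))


def decode_key(key: str) -> str:
    """Inverse of encode_key; raises ValueError on anything a verifier would reject."""
    raw = key.replace("-", "").upper()
    if len(raw) != KEY_LEN or any(c not in ALPHABET for c in raw):
        raise ValueError("bad length or character outside the 16-symbol set")
    packed = 0
    for c in raw:
        packed = (packed << 4) | ALPHABET.index(c)
    groups = []
    for g in reversed(range(GROUPS)):          # most significant group first
        v = (packed >> (GROUP_BITS * g)) & ((1 << GROUP_BITS) - 1)
        if v > 999:
            raise ValueError("10-bit group out of decimal range")
        groups.append(f"{v:03d}")
    jumbled = "".join(groups)
    digits = [""] * 24
    for i in range(24):                        # undo the fixed jumble
        digits[PERM[i]] = jumbled[i]
    digits = "".join(digits)
    if not verify_digits(digits):
        raise ValueError("check digit mismatch")
    return digits


def generate_esn(account: int, padding: Optional[str] = None) -> str:
    """Keygen direction: account number -> formatted key."""
    return encode_key(build_digits(account, padding))


def account_from_esn(key: str) -> int:
    """Verifier direction: key -> account number, or ValueError if the key is invalid."""
    return int(decode_key(key)[:ACCOUNT_DIGITS])


if __name__ == "__main__":
    esn = generate_esn(12345678)
    print(esn, "->", account_from_esn(esn))
```

Run it and the printed key decodes back to the account it was built from; feed `decode_key` a string with an out-of-alphabet character, or one whose 10-bit groups exceed 999, and it is rejected before the check digit is even looked at, mirroring the layered checks a firmware parser of this kind performs.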
Interested in how it was reverse engineered? Click here