This is going to be a series of posts taking a deeper look at how the Pandora’s Box 6 works and investigating what may help us break it open and get past some of the limitations we currently have with it. I don’t know how much time I have to devote to this task and I’m not sure how deep I’ll be able to get into it, but let’s poke around to see what we can find out.
Just so that you are aware, I am no hardcore hacker but I’ll be doing the best that I can while showing you what I’ve found and how, so this may be interesting to some regardless.
Before we attempt our deep dive, let’s attempt to get some information about what we’ve got the simplest way possible – just looking at the disk drives and seeing what we can find out. Let’s first take a look at the udisk – the external USB drive that comes with the Pandora’s Box 6 that you will need to copy the games onto and where you will add games of your own.
The udisk is a 16GB external USB drive that is formatted in FAT32 and looks like this:
There’s not really all that much here for us. The movies and roms directories are where you will be copying the arcade ROMs and their accompanying videos when you receive the download links from 3A (as they will no longer give you preloaded games anymore). The romsp folder is for holding the default PS1 games that come with the unit (and pushed as if they were the original arcade versions). Inside, you’ll find a few games in .bin/.cue form, most of which are actually missing their soundtracks. You’ll find two identical copies of the PlayStation SCPH-1001 BIOS, both under the name bios.bin and scph1001.bin. A folder called mv contains movies that will play in the front end for these games specifically.
Back in the root directory, we’ve got three more subdirectories which the Pandora’s Box 6 uses to check for games the user has added.
- roms_fba – ROMs for the Final Burn Alpha emulator, version 0.2.97.36.
- roms_mame – ROMs for the MAME emulator, version 0.106.
- roms_playstation – ROMs for the currently unknown PlayStation emulator.
You’ll also find files that list what games the FBA and MAME emulators support… which isn’t entirely truthful as far as I can tell. The Final Burn Alpha game list shows all the various console emulators it normally supports as well as the standard arcade games, but so far, I’ve been unable to get any of the console games to load beyond just showing up in the Pandora’s Box 6 menu. There are also README files in both English and Chinese. That’s all that appears on the UDisk, so let’s create an image of the boot SD card and see what we’ve got there.
The Boot SD Card
I’m going to take the disk image I made of the SD card and I’m going to open it up in ISOBuster which is my tool of choice for poking around these backup image files.
First, we see that the SD card consists of two partitions, a partition containing a FAT16 partition and a partition containing a Linux EXT3 file system. This is pretty common for just about any sort of single board computer, like the Raspberry Pi, but unlike the Pi, it looks like the Fat16 partition does not contain the files you would normally expect to see that are required for booting up the board, such as a kernel. Instead, we see 9 files called boot and are numbered from 1 through 9.
Each file appears to contain data that we can’t easily read, perhaps even some encrypted archives. Unfortunately, there are no magic bytes that match these so there’s no easy way to tell what this data is. I’ve got a slightly educated guess after seeing some of the similar partitions on other Pandora’s Box 4 clones. Looking at the file sizes of them, we see a pattern emerge. Boot1, boot4 and boot7 all are the same size. And if we look at the other files, we do see the same pattern (boot2, boot5, boot8 and finally boot3, boot6 and boot9). I am guessing here that these groupings are based upon the three different resolutions that the Pandora’s Box 6 can boot up in, which matches up to what I’ve seen on other clones. It also appears that the Pandora’s Box 6 supports three different languages – English, Traditional Chinese and Simplified Chinese. So here’s what I think these files are for:
- boot1, boot4 and boot7 – likely files supporting booting in 1280×720 in English, Simplified Chinese and Traditional Chinese.
- boot2, boot5 and boot8 – likely files supporting booting in 1024×768 in English, Simplified Chinese and Traditional Chinese.
- boot3, boot6 and boot9 – likely files supporting booting in 640×480 in English, Simplified Chinese and Traditional Chinese.
When comparing files with the same size, they actually did have a lot of differences between them, so it’s not just 3 copies of the same file, which supports our language theory. If we take a look at the Pandora’s Box 5’s FAT partition, we see just two files present – boot1 and boot2, both of which have the same file size as the 1280×720 boot files. The Pandora’s Box 5 only supports 1280×720, however, and I’m not sure why there are two files here and not just one, but so far, I feel like we’re going down the right path here.
Taking a quick look at our EXT3 partition, we see what looks like a standard but stripped down version of the folder structure you would normally see on the main partition for any embedded Linux system.
One thing that I would like to point out is the Linux partition’s name which appears to show the UUID partition label as well as where it was mounted to during development, which reveals that the main person responsible for creating these SD card images at 3A is likely named Zhang.
Just for funsies, let’s take a look at the same system partition on a Pandora’s Box 4s 1299 game clone and…
…and clearly, the bootleggers are taking the piss, so to speak.
In The Next Episode…
Now that we have taken a bird’s eye view of the Pandora’s Box 6 file systems, we’re going to start diving down into it to see what we can discover about how it works, the boot process and what fun scripts we might be able to find. Hope that you’re enjoying this so far and I’m looking to put out the next post within a week.