Possible Pandora’s Box 6 New Revision?

While talking to someone on the Facebook group for the Pandora’s Box 6, I noticed someone posted an image of their settings menu, reproduced below:

At the bottom, there is an added “PS1 GAME TIME” option which decides how much time a player gets to play a PS1 game for with each coin inserted. Try as I might, I can’t make this option appear on my PB6.

It is currently unknown if there are any other changes to this version of the software at this time.

If you have this on your Pandora’s Box 6, please contact me as I would like to get a backup of your SD card, please!

EDIT: I received an image from someone and it does indeed look like a slightly changed version of the Pandora’s Box 6 software. Looking at the disc image, the partition number matches the old one, however the last modified date of the emulotar file is now October 20th, 2018. A quick glance at it shows that there are a lot of differences in the binary but what they are exactly, I couldn’t say. I’m going to write this image to an SD card and see if it works in my Pandora’s Box 6.

EDIT 2: It appears that the software is locked to the newest hardware revision of the PB6 box. When I wrote the disc image to my SD card, it did exactly what it did when I attempted to use a hacked sd card image – played the PB6 splash screen and went to a black screen. The red light inside the PB6 box started flashing and it never progressed. So it’s my theory that it is checking for something in the hardware and refusing to boot because mine is an older revision.

EDIT 3: There is indeed a new revision of the board and this SD card image is likely locked to newer revisions of the card. The older original board that I have shows the following info:

Original: 3RX_V22b REV 2018.06.30 K5860 – works with first SD card version.
New: 3RX_V23 REV 2018.08.15 K5900 – works with this new SD card version.

So why would they do this sort of thing? Perhaps to not allow people to just swap SD cards to get updated features, much like they did with the Pandora’s Box 5 so they can’t use Pandora’s Box 6 SD cards. It’s also very possible that there’s a difference in the hardware that makes the original software somehow unusable.

Until we are able to crack open the box’s encryption, we won’t be able to tell for sure so all of this is conjecture at this point.

EDIT 4: The PS TIME OPTION allows to select from 1 to 10 minutes of time.
EDIT 5: Looks like the number goes from 1-60, actually. Maybe it’s just the arcade version that has that range, however.

Pandora’s Box – Discord Chat

I just opened up a Discord server for discussion about the Pandora’s Boxes and similar devices that anyone can join. Just started so not much going on yet but if you read this blog, I think it may be helpful for you. I’m hoping that it can be a central place for people to get help if they need it, talk about games they’ve added to their PB6 and talk about what we might like in the future, that sort of thing.

Feel free to join up: https://discord.gg/ZM2b2zd

Pandora’s Box 6 – Deep Dive, Part 3

Okay, when we last left off, we found what looked to be our emulator frontend, /usr/emu/emulotar. It appeared to be the program that the Pandora’s Box 6 wanted to keep running at all costs and it looked like some scripting set up the use of the Linux framebuffer for the QT graphical toolkit for embedded Linux. Let’s try to verify our assumptions by taking a look at emulotar with a hexeditor.

Personally, I am using HxD, a freeware hexeditor for Windows that should work fine for most cases, including this one.

Do We Know What We Think We Know?

Let’s start off by verifying a few of our previous assumptions. We’re going to rip open /usr/emu/emulotar and take a look at what we might find inside. When looking at a file with HxD, we will see the hexidecimal representation of the file on the left and a translation to ASCII on the right. This helps us visually look for strings of text within the file easily. So, let’s open ‘er up.

Lots of ELFs around this time of year.

The very first thing we see when opening up the file is “.ELF”. This is a tell-tale sign that we’re looking at an .ELF file, which is an executable built for ARM processors. This is exactly what we’re expecting to see as the Pandora’s Box is built on the ARM architecture.

I know what you’re probably thinking right now.

“Jay, that’s… not very interesting.”

And you’d be right. However, there actually IS a lot in this file that IS actually interesting. Starting at offset 0x00005C40, we have what appears to be a block of strings. These appear to be commands that the emulator frontend is running which will give us some insight into what’s going on.

A small sample of what we can find here.

Instead of just giving you screenshots, I’m going to list what I find here and explain what they mean/do and take a guess at how things are working. Here are my little notes on what I think I’m looking at and I’ll take a final guess as to what is going on afterwards. This is a little information-dense, so feel free to skip this.

  • /dev/spidev1.0 – I believe this is a device file for the SPI bus and it’s likely that controls are accessed by reading GPIO pins through the SPI bus. I would have expected a /dev/spidev0.0 rather than a 1.0, but who knows…
  • /dev/mem – The normal device file that all the RAM is mapped to, normal in Linux land.
  • /dev/fb0 – The framebuffer device. Also to be expected in Linux.
  • echo volume – A command that would write “volume” to the screen. Odd.
  • %d – Usually used as a token for another variable. Impossible to tell what this is here for alone. The 00’s show that this isn’t just a part of the next line as they would be spaces (20) instead but they aren’t.
  • 1 > /tmp/mfile & – This appears to be a fragment of a command. The intent appears to be to write the contents or output of a file into /tmp/mfile. The “&” here tells Linux to do this in the background. It appears that the file being copied to /tmp/mfile is a video file, likely the Pandora’s Box 6 intro video that you see on bootup.
  • /bin/vp -slave -input file=/tmp/mfile -quiet -volume – This appears to be our video player application. A quick look at vp using our hexeditor shows that it appears to be a version of mplayer, the popular Linux video player. So it looks like vp is mplayer in disguise and is told to play the file found at /tmp/mfile.
  • /bin/vp -slave -input file=/tmp/mfile -quiet -zoom -x 384 -y 226 -volume – Exactly the same as above except we can see that it appears to be playing at a small resolution. This is likely the command used when the Pandora’s Box 6 is used through a JAMMA connection to a low resolution arcade machine.
  • /tmp/libboot.so & – This tells Linux to run the file as an executable in the background. This is slightly odd as usually any file that ends in .so is a shared object, similar to Windows DLLs… but in Linux, you can name anything whatever you want so it’s not a hard and fast rule. This appears to be common on the pirate versions of the Pandora’s Box at least.
  • rb – Unsure. Too small to speculate. See wb below.
  • /dev/mmcblk0 – This is the device file for the first SD card that Linux finds. This would be where the Pandora’s Box would find the SD card it uses to boot from.
  • app1, app2, app3, app4, app5, app6, app7, app8 – I believe that – much like the previous boot1, boot2 files we found previously – this is potentially the emulator application set up for different languages/resolutions.
  • wb – When seeing wb and rb somewhat close together, it is possible that this is a flag for opening files as writable (wb) or read-only (rb). Until we can dig into everything ourselves, this is just a guess.
  • /tmp/app – Later on, it appears that this is the path to the main emulator executable used by the Pandora’s Box 6. I believe it is a combination of MAME, FBA and PCSX Reloaded in a single executable but this is currently unknown.
  • We now have what looks like 4 different sets of mplayer executables copied to /tmp/vdt as well as 4 different sets of .so files:
  • cp /bin/mplayer /tmp/vdt – Copies /bin/mplayer to /tmp/vdt. Also has the following files listed: /tmp/libboot.so, libbootc.so, /tmp/liblogo.so, liblogoc.so. libbootf.so, liblogof.so, libboote.so, liblogoe.so. Very likely that the files that end in c are Chinese, those ending in e are English. Very possible that these are the logos shown on the screen during boot up before the video is played and when a game is launched.
  • But we also have cp /bin/mplayer1 /tmp/vdt with the following files: libbootc1.so, liblogoc1.so, libbootf1.so, liblogof1.so, libboote1.so, liblogoe1.so
  • Same cp and files mentioned for numbers 2 and 3 as well. Very likely meant for different resolutions. On closer inspection, the mplayer3 version does not appear to have any files ending in f as the others do. Perhaps this is the one for the JAMMA version?
  • Much like the repeating blocks of files and commands for 4 different versions of mplayer, we have something similar with libcfg.so files, but also the Pandora’s Box 6 allows players to change the background of the menus by copying a file on the Udisk. If the number scheme holds up, it appears that we’ve figured out what the numbers mean. No number = 1280×720, 1 = 1024×768, 2 = 640×480, 3 = 384×224.
To give you a better idea, I’ve separated them by line, cropped to fit here.
You get the idea.
  • tar -xf /tmp/libcfg.so -C /tmp – This extracts the files from within /tmp/libcfg.so directly into /tmp. Most likely what happens here is that the version of libcfg.so taken from above is copied to /tmp/libcfg.so before being decompressed. So I think this is going to be a set of configuration files for MAME that is setup for the different resolutions.
  • rm /tmp/libcfg.so – Delete the /tmp/libcfg.so file after decompression.
  • cp /tmp/config/xmame/nvram/* /tmp/ – Almost 100% certain that these are premade NVRAM files for different games with preselected settings. Likely something like this also with save states for the PlayStation games allowing them to skip all the intros and loading at the start. So this means that they have an archive of NVRAM files dumped into /tmp. This is where we would need to put in a fixed joust.nv so that Joust would be playable.
  • We appear to have a list of filetypes that this emulator frontend supports showing – bin, cue, img, mdf, pbp, toc and cbn for the PlayStation emulator and zip for MAME/FBA.
  • /tmp/imagesc.so – Unknown, perhaps Chinese only due to this being the only version of the file mentioned? Haven’t found references to this elsewhere yet.
  • /tmp/mfile, mkfifo /tmp/mfile – It looks like the /tmp/mfile that is used for playing a video through mplayer is a named pipe. Basically, the video file is piped through /tmp/mfile for mplayer to play it. It’s okay to not know what that means, just think /tmp/mfile = start up video and you’re good.
  • mkdir /tmp/udisk, mount -a, mdev -s, /dev/sda1, mount -t vfat /dev/sda /tmp/udisk – It looks like we have the emulator frontend setting up the mounting of the udisk, which we expected to find in /etc/fstab but didn’t. What is very interesting about this here is that it doesn’t look like the udisk is mounted as read only, so it’s very possible that maybe we can output some logs or something out to the udisk for analysing.
  • killall -9 vp – Forcably kill the video player when everything’s mounted and ready?
  • rm /tmp/libboot.so – Delete /tmp/libboot.so when done with it.
  • 4 calls of mplayer0 playing /tmp/liblogo.so in all four resolutions the PB6 supports… except that the horizontal resolution is 2 pixels wider for… whatever reason. So 1280×722 instead of 1280×720, for instance. Odd that they only use mplayer0 for this and not mplayer1/2/3 as we see elsewhere.
  • /tmp/udisk/roms_fba, /tmp/udisk/roms_mame, /tmp/udisk/roms_playstation – These are the three different folders that users can drop their ROMs into to get added to the PB6 and their mount points.
  • killall -9 mplayer0 – Kill the video player when we’re done loading up user roms?
  • rm /tmp/liblogo.so – Delete the logo when we’re done?
  • /tmp – Seems to be where most of the work is being done here, the temporary RAM disk.
  • chmod 777 app – Set the permissions to allow read/write and execute on app. I believe this app program is our actual emulator.
  • /app -qws 54 54 20, /app -qws 54 52 20, /app -qws 52 54 20, /app -qws 52 52 20, /app -qws 54 54 30, /app -qws 54 52 30 – Pretty sure that this runs our emulator at different resolutions. Likely that qws has to do with the QT toolkit.
  • rm app – Delete the emulator when we’re done? Why?
  • /app tankfrce, /app btime, /app 54, /app 52 – I believe this is how the emulator to run for each ROM is selected as it mirrors something I remember seeing in a pirate Pandora’s Box. As far as I remember, while tankfrce (Tank Force) and btime (Burger Time) are legit MAME roms, I believe the emulator looks specifically for these games being called to know to switch to either the FBA or MAME emulators. It’s… an odd way of doing things, that’s for sure.
  • Just a few more device file names, and some error text after that, nothing special.
  • /dev/dsp – Likely the device file for audio output.

That’s about all the interesting text we’ve got here, so let’s take a look at everything we’ve got so far and take a guess at how this whole thing is functioning.

It’s getting late though and I’m tired. So I’ll write up a full guess into how the Pandora’s Box 6 boots up and runs, how it does things and when. I’ll also mention a few potential attack vectors for breaking into the box.

Pandora’s Box 6 – Deep Dive, Part 2

Now that we have a general idea of what we’re looking at on the Pandora’s Box 6 file systems, it’s time to start poking around. As this is a Linux-based single board computer, some Linux knowledge is useful. I’ll do my best to explain things as I see them so that those of you who are less technically inclined can follow along and understand a bit about how the box functions.

Start Me Up

Since the Pandora’s Box 6 is built to basically be a simple appliance that turns on and does one thing, we should start our journey into it by taking a look at how it would go through starting up. Generally speaking, a bootloader would be the first thing that would run and would then load up a Linux kernel and mount a file system. Once that is done, control is normally handed off to the Linux kernel and it finishes the boot up process by mounting the other file systems needed, running various daemons (or services in the Windows world) on start up before finally handing control over to the user. Well, in our case, we have a bit of a problem here as there is no obvious Linux kernel anywhere on either the EXT3 or FAT16 file systems.

Educated guess time: I think the various boot1 through boot9 files in the FAT16 file systems are encrypted/compressed archives that likely contain either the Linux kernel itself and additional files needed or it is somehow loaded up from elsewhere. The one thing that we can easily throw out is that the Linux kernel being loaded is from the UDisk as you are very capable of booting up the Pandora’s Box 6 without it and getting a completely empty game list. (This may be something to remember in the future as it might mean that all ROMs are read from the file system and not just those in the three folders meant for users to add games to. Perhaps something we can exploit here?)

Let’s continue onward with the Linux bootup process. Linux has what it calls runlevels. Basically these runlevels are numbered from 0 to 6 and represent different states. Most Linux boxes will set runlevel to 5 which represents network up and running, graphical interface running, everything ready for users. Runlevel 6 is usually the reboot state and Runlevel 0 is when the system is halted and can be safely shutdown. There are scripts that can be run automatically when certain runlevels are hit, so let’s take a look and see if we’ve got something like that happening here.

A Simplified Look at Our EXT3 File System

Just before we start poking around, let’s take a quick tour of our EXT3 file system so you can get an idea of what you’re looking at.

This is a fairly typical file system for most embedded Linux systems here.

Starting from the top, here’s what we’ve got:

  • /bin – Binaries that are common for the system and available for most to use.
  • /dev – Files representing all the machine’s devices are stored here. (Linux treats all devices as if they were virtual files which allows for some interesting ways of doing things.)
  • /etc – Configuration files used by the system, some applications and daemons (services).
  • /home – This is where your own user files are stored, much like My Documents on Windows but more tightly controlled and secured.
  • /lib – Where you will normally find Linux kernel modules and libraries (much like Windows DLLs).
  • /lost+found – A directory where Linux will attempt to place any files it recovers upon checking the system at startup.
  • /proc – A virtual filesystem that contains information about the running system, no actual files exist here.
  • /sbin – Binaries that are needed for running the Linux system and maintaining it.
  • /sys – Similar to /proc, it is a virtual filesystem containing information about the running system.
  • /tmp – A temporary filesystem that is created in RAM and can be used by processes for temporarily storing data. Disappears when system reboots.
  • /usr – Contains binaries meant for users to run and use as well as libraries and additional files needed by those binaries.
  • We will ignore the linuxrc symlink (or shortcut) for the moment.

We’re going to take a quick look at the /etc directory to see what we can find there. Typically, it is where you would find scripts that would run when runlevel hits 5 as well as other information such as filesystems to mount on boot.

As spartan as you’ll almost ever find an /etc directory.

Poking Around Some More

So what do we have here?

  • /etc/init.d/ – A directory that normally holds scripts to run on startup.
  • /etc/fstab – A file used by Linux for mounting filesystems.
  • /etc/hostname – A filename that tells Linux what hostname the machine should use.
  • /etc/profile – A default profile for all users on the machine.

Okay, so taking a look at profile shows absolutely nothing of interest, just something for setting the default terminal prompt, which we cannot see anyways. The hostname file just tells the machine to set the hostname to “hhh”, nothing too exciting here.

Now fstab is very interesting for us as it is where you would normally find filesystems getting mounted. We would expect to find our udisk listed here among the filesystems and…

…we don’t.

Instead, what we see here are the various virtual filesystems that are needed soon after booting. /proc and /sys are created during boot up and /tmp and /dev are created soon after. Well, that would normally be the case except none of the file systems are marked “auto”, so they need to be mounted manually, likely from a script. The use of tmpfs means “this filesystem exists only in RAM”, essentially. Alrighty, so a swing and a miss. Let’s move on to the init.d directory, where we find a file called rcS that I have good feelings about. Let’s open it up, shall we?

And here’s where we start seeing something.

This small shell script is run on bootup. It tells the machine to set the hostname using the “hhh” value found in /etc/hostname. It then sets the default directories that Linux will use as its PATH variable, searching the directories listed for any executables the user will attempt to type into the console. Nothing unusual about either command here at all. But what do we have here? A command attempting to run /usr/myinit which definitely isn’t something you would find on a normal Linux box. Let’s check that out.

Finally, a little meat to chew on.

Okay, so the first two lines here set up the PATH for Linux to look for executables and the PATH to load libraries (like Windows DLLs) from. Both of these are 100% standard for Linux, so nothing odd there. But the next line… that’s… that’s something new to me. A quick Google search for QWS_DISPLAY shows that it is a variable used by QT for Embedded Linux, which is a graphical toolkit. So it is more than likely that our emulator frontend uses the QT toolkit for all its graphics.

Google is endlessly helpful when it comes to things like this.

After reading that and looking at the line in our /usr/myinit file, we can see now that it is setting a variable to tell a QT application to use the Linux framebuffer device for writing graphics to the screen using the /dev/fb0 device.

Remember when I mentioned how it was odd that /etc/fstab showed filesystems but none of them were flagged as “auto” and therefore wouldn’t be automatically mounted at boot time? Well, the reason for that appears to be that they would rather have this script do it instead. The use of “mount -a” tells Linux to mount all the filesystems listed in /etc/fstab right now, so it is at this point that those virutal file systems are mounted and active. “mdev -s” is responsible for creating all the virtual files for each of your devices in /dev. This is where, for example, the /dev/fb0 framebuffer device will be created.

Finally, we see a while loop that will loop infinitely running what looks like our frontend executable. This is exactly the kind of thing you do when you want a program to always be running because if it terminates at any point, this loop will start it back up again automatically. This is a great stopping point for now.

Summary

So, let’s take a look at what we now know about our Pandora’s Box 6 so far.

  • The udisk is formatted FAT16 and contains all of our default games and directories for adding more games.
  • The boot SD card is split into two partitions, a FAT partition that contains what looks like different archives depending on what settings you use and an EXT3 file system that houses the rest of the system.
  • The emulators used by the Pandora’s Box are MAME 0.106, Final Burn Alpha
    0.2.97.36 and an unknown PlayStation emulator (likely PCSX ReARMed, but haven’t found evidence yet).
  • The emulator frontend appears to load games up on-the-fly.
  • The emulator frontend appears to use the QT graphical toolkit for embedded Linux devices.
  • The boot sequence once we are past loading the Linux Kernel is /etc/init.d/rcS -> /usr/myinit -> /usr/emu/emulotar
  • We learned a bit about how the Linux filesystem looks and what the structure means.
  • We learned that sometimes, looking up stuff on Google can bring us some knowledge that we would have needed otherwise.
  • The Linux kernel isn’t on the UDisk as the PB6 can be booted up without it attached just fine.

In the next blog post, we will continue to pull on the thread to see what falls out as we examine the emulator frontend application itself and see what else we can find to help us.

Hope that you’ve learned something from this post. If you have questions, feel free to ask in the comments below.

Pandora’s Box 6 – Deep Dive, Part 1

This is going to be a series of posts taking a deeper look at how the Pandora’s Box 6 works and investigating what may help us break it open and get past some of the limitations we currently have with it. I don’t know how much time I have to devote to this task and I’m not sure how deep I’ll be able to get into it, but let’s poke around to see what we can find out.

Just so that you are aware, I am no hardcore hacker but I’ll be doing the best that I can while showing you what I’ve found and how, so this may be interesting to some regardless.

Superficial Looks

Before we attempt our deep dive, let’s attempt to get some information about what we’ve got the simplest way possible – just looking at the disk drives and seeing what we can find out. Let’s first take a look at the udisk – the external USB drive that comes with the Pandora’s Box 6 that you will need to copy the games onto and where you will add games of your own.

The UDisk

The udisk is a 16GB external USB drive that is formatted in FAT32 and looks like this:

Root directory of the Pandora’s Box 6 udisk. Pretty straightforward.

There’s not really all that much here for us. The movies and roms directories are where you will be copying the arcade ROMs and their accompanying videos when you receive the download links from 3A (as they will no longer give you preloaded games anymore). The romsp folder is for holding the default PS1 games that come with the unit (and pushed as if they were the original arcade versions). Inside, you’ll find a few games in .bin/.cue form, most of which are actually missing their soundtracks. You’ll find two identical copies of the PlayStation SCPH-1001 BIOS, both under the name bios.bin and scph1001.bin. A folder called mv contains movies that will play in the front end for these games specifically.

The list of PlayStation games included on the UDisk. Nothing too exciting.

Back in the root directory, we’ve got three more subdirectories which the Pandora’s Box 6 uses to check for games the user has added.

  • roms_fba – ROMs for the Final Burn Alpha emulator, version 0.2.97.36.
  • roms_mame – ROMs for the MAME emulator, version 0.106.
  • roms_playstation – ROMs for the currently unknown PlayStation emulator.

You’ll also find files that list what games the FBA and MAME emulators support… which isn’t entirely truthful as far as I can tell. The Final Burn Alpha game list shows all the various console emulators it normally supports as well as the standard arcade games, but so far, I’ve been unable to get any of the console games to load beyond just showing up in the Pandora’s Box 6 menu. There are also README files in both English and Chinese. That’s all that appears on the UDisk, so let’s create an image of the boot SD card and see what we’ve got there.

The Boot SD Card

I’m going to take the disk image I made of the SD card and I’m going to open it up in ISOBuster which is my tool of choice for poking around these backup image files.

First, we see that the SD card consists of two partitions, a partition containing a FAT16 partition and a partition containing a Linux EXT3 file system. This is pretty common for just about any sort of single board computer, like the Raspberry Pi, but unlike the Pi, it looks like the Fat16 partition does not contain the files you would normally expect to see that are required for booting up the board, such as a kernel. Instead, we see 9 files called boot and are numbered from 1 through 9.

Notice something odd here?

Each file appears to contain data that we can’t easily read, perhaps even some encrypted archives. Unfortunately, there are no magic bytes that match these so there’s no easy way to tell what this data is. I’ve got a slightly educated guess after seeing some of the similar partitions on other Pandora’s Box 4 clones. Looking at the file sizes of them, we see a pattern emerge. Boot1, boot4 and boot7 all are the same size. And if we look at the other files, we do see the same pattern (boot2, boot5, boot8 and finally boot3, boot6 and boot9). I am guessing here that these groupings are based upon the three different resolutions that the Pandora’s Box 6 can boot up in, which matches up to what I’ve seen on other clones. It also appears that the Pandora’s Box 6 supports three different languages – English, Traditional Chinese and Simplified Chinese. So here’s what I think these files are for:

  • boot1, boot4 and boot7 – likely files supporting booting in 1280×720 in English, Simplified Chinese and Traditional Chinese.
  • boot2, boot5 and boot8 – likely files supporting booting in 1024×768 in English, Simplified Chinese and Traditional Chinese.
  • boot3, boot6 and boot9 – likely files supporting booting in 640×480 in English, Simplified Chinese and Traditional Chinese.

When comparing files with the same size, they actually did have a lot of differences between them, so it’s not just 3 copies of the same file, which supports our language theory. If we take a look at the Pandora’s Box 5’s FAT partition, we see just two files present – boot1 and boot2, both of which have the same file size as the 1280×720 boot files. The Pandora’s Box 5 only supports 1280×720, however, and I’m not sure why there are two files here and not just one, but so far, I feel like we’re going down the right path here.

Taking a quick look at our EXT3 partition, we see what looks like a standard but stripped down version of the folder structure you would normally see on the main partition for any embedded Linux system.

Pretty standard set of files on the main Linux file system.

One thing that I would like to point out is the Linux partition’s name which appears to show the UUID partition label as well as where it was mounted to during development, which reveals that the main person responsible for creating these SD card images at 3A is likely named Zhang.

The Pandora’s Box 6 main partition UUID, apparently made by “zhang”.
The mysterious zhang appears again on the Pandora’s Box 5’s main partition name.

Just for funsies, let’s take a look at the same system partition on a Pandora’s Box 4s 1299 game clone and…

Uh… Mr. John Smith?

…and clearly, the bootleggers are taking the piss, so to speak.

In The Next Episode…

Now that we have taken a bird’s eye view of the Pandora’s Box 6 file systems, we’re going to start diving down into it to see what we can discover about how it works, the boot process and what fun scripts we might be able to find. Hope that you’re enjoying this so far and I’m looking to put out the next post within a week.

Pandora’s Box 9 – Feature Comparison against PB5 and PB6

So, the Pandora’s Box 9 clone is getting more widely sold and as such, there is more information about it than we had when we previously discovered it a few months ago. For those of you wondering if you should take the plunge on a Pandora’s Box 9, I’ve recreated a table of information that is found on some Chinese AliExpress pages and adding more detail and a better translation.

Feature Set3A Official Pandora’s Box 53A Official Pandora’s Box 6Clone Pandora’s Box 9
Game Quantity960 games1300 games + 3000 custom added1500 games
3D Game SupportNoYESNo
Game CustomizationNoCan add your own gamesNo
Screen Resolution1280×7201280×720
1024×768
640×480
1280×720
1024×768
640×480
Game Pause FuntionYES, during free playYES, during coin or free playYES, during free play
Game Sorting FunctionNoYESNo
Autofire FunctionNoYES, for games classified as shooting games.No

Hopefully, this will help anyone looking to decide on which Pandora’s Box to pick up.

Pandora’s Box 6 – (Unverified) Workaround for PlayStation Crashes

We’ve previously noted here on the blog that there were several PlayStation games that didn’t function properly and would crash when run through the Pandora’s Box 6. At the time, I didn’t think too much of it but I kept a log of where crashes seemed to be occuring. It looks like someone else – whose name I’ve forgotten – has figured out the issue as well as a workaround.

Rumble in the Jungle

Looking at the list of games that crashed consistently (linked above), someone appears to have noticed a pattern. It seems like the crashes are apparently caused by games using the controller rumble support. When we look at the list, we see a crash caused by the first jump in Tony Hawk’s Pro Skater 2, a crash caused by hitting the first jump in Hydro Thunder… these are both instances where you would expect a rumble in the controller to happen. But because the Pandora’s Box does not support controller rumble whatsoever, it appears to just crash the emulator entirely when a rumble is triggered.

So it looks like the real solution is to enter the game’s settings/options screens and disabling rumble support. Once rumble has been disabled, games no longer crash according to some people in the community. Unfortunately, disabling rumble usually doesn’t get saved so players will have to remember to kill rumble each time they play.

I’m going to be going back to the games in my compatibility list to see if disabling rumble gets them to stop crashing. Once I’ve verified that this fix is legitimate, I’ll go back to my compatibility pages and update the list with my findings.

Pandora’s Box 6 – Removing Junk, Compatibility Lists…

So, one of the annoyances caused by getting these all-in-one arcade boards is that it often seems like the people making them don’t know enough about the games being added to realize that there are some games that have problems. Perhaps there are duplicates that are unneeded, perhaps there are issues with controller set up that make games unplayable, etc…

I’m creating several lists to help people when they first pick up a Pandora’s Box 6 to very quickly get set up and have as many unique, known working games as possible.

  • Default Games to Remove
  • Compatible Added MAME ROMs
  • Compatible Added FBA ROMs
  • Compatible Added PlayStation disc images

I’ve only just started working on these lists now so it is a work-in-progress but you can find the start of this over here or by selecting the compatibility lists from the Pandora’s Box 6 menu at the top.

Feel free to leave a comment on that page with some changes you’ve made or games you’d added!

Stupid Pandora Tricks – Running NES games on your Pandora’s Box 6

I’m sure some of you are seeing the title of this post and are wondering the same thing – Why? The obvious answer is, of course, because you can. You might be thinking that we’re talking about running NES games through something like the Vs. or PlayChoice 10 systems. Well…

Thanks, XSplit, for the downgrade to 30fps and somehow making the audio so quiet.

…It Might Be Dynamic Recompilation

One of the best things about the Pandora’s Box 6 is that it includes PlayStation support. Obviously, it was one of the ways that the original creators of the box used to cover gaps in the Pandora’s Box’s MAME playing abilities. Too weak to play Tekken 3? Include the PlayStation version!

I am not 100% sure as I haven’t been able to look at the files on the Pandora’s Box 6 SD card too deeply yet, but I am almost certain that the ability to play PlayStation games on PB6 is down to the use of PCSX-ReARMed. PCSX-R is a port of the PlayStation emulator that uses dynamic recompilation to achieve high performance emulation of the PlayStation 1. This is why Raspberry Pis are able to play PlayStation games so well and the same goes for the hardware in the Pandora’s Box. So I’m pretty sure you see how we’re going to do this now.

…It Might Be NES

I decided to experiment with a NES emulator that was made to run on the original PlayStation itself called IMBNES. Back in the day, I remembered burning a CD-R that had a bunch of NES games on it along with the software and was able to boot it up with one of the hardware mods that you would plug into the serial port on the back of the original PlayStation. In those days, NES emulation wasn’t so far along and the emulator had its own faults but it was playable enough so I was quite happy.

So the end goal here is to create a disc image that contains both the emulator executable as well as all the games you wish to play. Once done, you would transfer the .ISO over to the Pandora’s Box and you should be able to play it!

…It Might Be Guide

Okay, so here’s a little step-by-step guide for getting this all up and running without too much trouble.

Step 1: Download IMBNES and Extract It

First, you will need to download the latest version of IMBNES from the website. I’ve mirrored the latest version below just in case the original site goes away.

Extract it anywhere on your hard drive, it shouldn’t matter where.

Step 2: Create PS1 Disc Image with rombank.exe
  1. From the extracted imbnes folder, run rombank.exe.
  2. Click on one of the two Add ROMs buttons at the top left and find the NES ROMs you wish to add to your disc image.
  3. Use the Tag removal button to remove unneeded parts of file names as we only have a certain amount of characters per filename seen in the NES emulator anyways.
  4. Click on the unsupported mapper removal button to remove ROMs that use mappers unsupported by the emulator.
  5. Adjust other options as you choose.
  6. Click on Build IMBNES ISO button to build and output a proper PS1 disc image with the emulator and ROMs selected. (If any file name conflicts come up, adjust them so that they won’t conflict and try again.)
Just about ready to create our IMBNES PS1 Disc Image with ROM Bank.
Step 3: Copy IMBNES Disc Image to Pandora’s Box 6 Flash Drive
  1. Remove U-Disk from Pandora’s Box 6 and insert it into your PC.
  2. Copy your newly created *.cue and *.bin files to the roms_playstation directory found at the root of your Pandora’s Box 6 U-Disk.
  3. If you decide to rename the *.bin and *.cue files, make sure to also edit the *.cue file to point to your new *.bin file name, otherwise the emulator will not start up properly.

Limitations to Know About

So, there are a few things you will need to remember when using this emulator. Not everything’s perfect:

  • It will screen tear like crazy on any game that has a lot of scrolling such as Super Mario Bros. 3, but will always be playable.
  • This emulator is very old and as such there are some strange emulation issues with some games such as occasionally scrambled graphics (the earned stars in Mike Tyson’s Punch-Out!!), audio not quite sounding right, that sort of thing. Most games should still be very playable.
  • Because the Pandora’s Box 6 does not have writable partitions, just like with the arcade games on it, you are unable to save your game in NES games. This includes anything like save states (which I don’t think the emulator supports anyways). So don’t bother playing any long RPGs unless you intend on completing them in one sitting.
  • I have not found a way to return to the menu to select another NES game other than using the Pause button to return to the Pandora’s Box 6 main game menu again and loading up the emulator. Small but annoying price to pay, I suppose.
  • Aspect ratio is incorrect and there does not appear to be a way to adjust it without adjusting the resolution of the Pandora’s Box itself.

Have fun!

The Pandora’s Box of Copyright

There’s been a really recent new development in the world of Chinese Pandora’s Box maker 3A Game. If you’ve made any attempt to purchase a Pandora’s Box 5 or 6 recently – say, in the last 2-3 months – you may have noticed something unexpected.

NOTE:Dear friends, due to the copyright reasons of the game, from now on, our Pandora Box 5 and Pandora Box 6 Arcade Version and Family Version (including console) series of U-disks no longer contain game files. If you purchased it and found no game files, You can contact the customer service staff to help you.
We feel sorry for any inconvenience caused to you. Thank you!

-3A Game Store ad on their Aliexpress store page.

This is… kind of odd and unexpected. China’s basically seen in the West as a lawless place where copyright is laughed at openly. Indeed, one of the biggest reasons why Pandora’s Box and their clones have been popular is because of it being a complete plug-and-play experience. There’s no need to dick around with not being sure if you have the proper version of ROMs when they are all provided by the company on it’s “U-Disk” USB sticks. Odder still is that all the Chinese companies creating clones and fakes don’t seem to be having any trouble and are throwing ROMs around with impunity, as you might expect.

It appears that 3A Game believes it can avoid any sort of legal liability by simply not putting the ROMs on the USB stick, but by sending customers a link to Google Drive that contains all the ROMs needed. Indeed, even their official YouTube channel features the above quote along with the link to the ROMs on Google Drive *directly* after it. I don’t know how they think that this is any better for them from a legal standpoint but at least it’s not *that* much more painful for the customers, I suppose.

The copyright warning as seen on 3A Game’s Aliexpress store page.

A Personal Theory

I’m going to preface this by saying that I know absolutely nothing at all about Chinese copyright law so this is a complete shot in the dark here.

I think that this is happening now partially because of the Chinese finally¬† lifting the ban on video game home consoles in 2015. I would not be shocked or surprised at all if 3A Game’s sudden change of heart was caused by those game companies now coming into the Chinese marketplace in the last few years and starting to exercise their newfound legal muscle. Why would anyone want to pay top dollar for the true original console and games when they can get them far cheaper on the black market? With Nintendo being the most traditionally litigious, I can easily see them arriving into the Chinese market with the WiiU or Switch and then going after these companies for including Vs. Super Mario Bros and Donkey Kong on all their pirated multi-game arcade PCBs and game consoles.

It just seems odd to start doing it during Summer 2018.