Hack stuff with your Game Boy!
🎮 GBA Drive is a tool which runs on a Raspberry Pi Zero W connected to a Game Boy Advance.
Different wireless transceivers are connected to it in order to play with wireless protocols 🎮
The beauty of the Game Boy Advance is that the console lets you upload and run any code sent over the link cable (the BIOS "multiboot" feature). You can send a mini-game or multiplayer data as intended, but you can also send any code the GBA can execute. This feature lets us upload a small program that streams the Raspberry Pi screen to the GBA screen and sends the button presses back.
Now we use the Raspberry Pi Zero together with the GBA screen and gamepad to play with wireless protocols, just like a handmade Flipper Zero!
::: warn The GBA Drive project is a gathering of many super cool projects. I did not produce much work myself, mainly configuration and tweaking. See below for the different projects I borrowed from.
The code developed for the GBA Drive project is a clean interface whose purpose is to automate these different projects and make them work together =)
:::
The main goal is to gather the following wireless features.
- WiFi - 2.4 GHz
  - WiFi capture
  - WiFi deauth and handshake capture
  - WiFi password sniffer
  - WiFi hotspot
  - WiFi connect to a default AP
- Bluetooth - 2.4 GHz
  - Bluetooth gamepad driven by the GBA buttons
  - Bluetooth classic and Low Energy recon
  - Bluetooth capture
  - Bluetooth hotspot
- Radio - 1-868 MHz
  - Radio capture & replay (433 / 868 MHz)
  - Radio FM hijack (1-250 MHz)
  - Radio traffic announcement hijack (107.7 MHz)
- Infrared - 38 kHz
  - IR capture and replay
  - Shutdown TVs
- RFID - 13.56 MHz
  - RFID scan
  - RFID capture and replay
- Stealth mode
- Load multiboot GBA games
- Make a friend, Kitty
  - Always here when you need it
  - Levels up while exploring the wireless world
- SSH into GBA Drive via multiple networks:
  - Connected to a WiFi AP
  - Generating a WiFi hotspot
  - Generating a Bluetooth hotspot
- SMB file share for exchanging music files to broadcast over radio, captures, etc.
- No authentication at all, except for SSH
- By default (at startup), WiFi [wlan0] is running
::: info Currently, the code is written in bash and streams its output to the GBA.
I hope one day to develop the same software as a GBA ROM that sends commands to the Raspberry Pi over the link cable, instead of streaming the screen.
:::
Here is the hardware used for GBA Drive.
I chose to use independent modules, but it could be a good idea to "replace" most of them with a Nooelec SDR.
Item | Link | Cost |
---|---|---|
Raspberry Pi Zero W v1.1 | see here | 5 € |
USB WiFi dongle (and cables) | see here | 10 € |
Radio 433 MHz transmitter | see here | 10 € |
Radio 868 MHz transmitter | see here | 15 € |
Infrared 38 kHz transmitter | see here | 5 € |
RFID / NFC 13.56 MHz module | see here | 5 € |
PiSugar battery kit | see here | 40 € |
Total cost | N/A | 90 € |
A plain Game Boy Advance with a GBC link cable is all that is needed, but I wanted an ultimate Game Boy Advance for my project! So I built one with the following hardware:
Item | Link | Cost |
---|---|---|
Game Boy Advance, black | N/A | 50 € |
Link cable | see here | 10 € |
IPS screen v2 with brightness levels | see here | 50 € |
RetroSix CleanAmp Pro | see here | 20 € |
RetroSix 1 W speaker | see here | 10 € |
RetroSix dehum-dehiss kit (clean voltage) | see here | 20 € |
RetroSix clicky triggers | see here | 5 € |
Button and pad replacements (green) | see here | 15 € |
Mineral glass replacement | see here | 15 € |
Cosmetic parts (stickers, battery cover, etc.) | see here | 5 € |
RetroSix CleanJuice battery kit | see here | 30 € |
GBA sleeve for attaching the Raspberry Pi | see here | 8 € |
Total cost | N/A | 238 € |
Installation of a new IPS screen with 3 wires soldered to the L, R and SELECT buttons. Pressing those buttons decreases or increases the screen brightness.
Soldering of a new amp and a new speaker.
Fitting of new pads and buttons. New clicky triggers (L and R) have also been soldered for better clicks.
Soldering of a dehum-dehiss kit (made of 2 main capacitors) to clean the noise and the voltage of the motherboard.
Finally, fixing the Raspberry Pi to a piece of wood stuck on a GBA sleeve. The link cable and the 1-250 MHz antenna are soldered to the GPIO header.
Further steps:
- the cartridge slot will hold the 433 and 868 MHz transmitters;
- the space left on the piece of wood will hold the RFID and IR modules;
- the WiFi dongle will be fixed on the sleeve.
How to set up GBA Drive?
[Work in progress] Get the GBA Drive image here.
SSH User: pi
SSH Password: gbadrive
Change this default password before putting the device on any network: SSH is the only authenticated service, the SMB share has no authentication, and wlan0 comes up at boot.
- Get yourself a Game Boy Advance;
- Tweak your ultimate GBA as you want. You can take ideas from the kit list above;
- Solder a Game Boy Color link cable to the Raspberry Pi SPI pins as described here;
- Get yourself a headless Raspberry Pi Zero W with an external WiFi adapter;
- Set up everything yourself on the Raspberry Pi by following the instructions in the INSTALL.md file.
GBA Drive uses different files:
- gbatools.sh: the entry point; displays the menu on the GBA;
- assets: the directory for assets like configuration files, ASCII art or radio frequency lists;
- share: the directory copied into $HOME for SMB access; stores the default media (pictures, music, etc.) and the network captures;
- INSTALL.md: the process for installing the GBA Drive project on a Raspberry Pi + Game Boy Advance;
- README.md: seriously?
Here are the different tasks to do in the next steps of the project.
The main roadmap is:
- Design the menu with dialog
- Define and document the network access use case
  - Network configuration
  - Documentation of the setup workflow
- Develop WiFi features
  - WiFi deauth
  - WiFi capture
  - WiFi password sniffer
  - WiFi hotspot
  - WiFi connect
- [WIP] Develop Bluetooth features
  - Bluetooth gamepad
  - Bluetooth capture
  - Bluetooth recon
  - BLE recon
  - Bluetooth hotspot
- Develop FM radio features
  - Radio listening: impossible without additional hardware
  - Radio hijack of a single frequency
  - Radio hijack of the Traffic Announcement
  - Radio hijack of multiple frequencies
- Develop 400-900 MHz features
  - Radio capture and replay 433 MHz
  - Radio capture and replay 868 MHz
- [WIP] Develop infrared features
  - Capture and replay
  - Shutdown TVs: not trivial (must adapt the codes written in C for the ESP32)
- Develop RFID features
  - Simple scan
  - Capture and replay
- Develop stealth mode
- Load a GBA ROM via multiboot upload
- Funny Kitty menu and a little Kitty on screen as a tamagotchi
- Help menu
- Level up your Kitty
Short-term tasks to complete:
- See how to display a fun wave animation while running captures or hijacks
- Display codes / strings received by radio
With QJoyPad, we can use the Game Boy buttons via /dev/input/js0 and the following layout. The numbers after "key" are X11 keycodes: in the standard evdev keymap 111 is Up and 116 is Down, so check the UP/DOWN lines against your own X server with xev before relying on them.
```
# QJoyPad 4.3 Layout File
# For GBA Drive
Joystick 1 {
Button 1: key 65 # --> B = Space
Button 2: key 36 # --> A = Return
Button 5: key 37 # --> L = Ctrl
Button 6: key 54 # --> R = C
Button 9: key 23 # --> SELECT = Tab
Button 10: key 36 # --> START = Return
Button 11: Key 111 # --> DOWN = Arrow down
Button 12: Key 116 # --> UP = Arrow up
Button 13: Key 113 # --> LEFT = Arrow left
Button 14: Key 114 # --> RIGHT = Arrow right
}
```
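QJoyPad numbers buttons from 1 while the kernel joystick API numbers them from 0, and /dev/input/js0 hands out raw 8-byte `struct js_event` records rather than key names. The following is an added example, not GBA Drive's own code: it parses the layout file above to recover the button-to-GBA-name mapping, decodes a buffer of joystick events (a constructed sample, not a real capture) and reports which GBA button was pressed or released. The layout text is copied from the file above; the sample events and the function names are assumptions for illustration.

```python
"""Decode /dev/input/js0 events and name them with the QJoyPad layout.

Added example for the GBA Drive README; not project code. It assumes the
GBA pad shows up as a Linux joystick whose button numbers match the
"Button N" lines of the QJoyPad layout (N is 1-based, the kernel is 0-based).
"""
import re
import struct

# Copied from the QJoyPad layout above.
LAYOUT_TEXT = """\
# QJoyPad 4.3 Layout File
Joystick 1 {
Button 1: key 65 # --> B = Space
Button 2: key 36 # --> A = Return
Button 5: key 37 # --> L = Ctrl
Button 6: key 54 # --> R = C
Button 9: key 23 # --> SELECT = Tab
Button 10: key 36 # --> START = Return
Button 11: Key 111 # --> DOWN = Arrow down
Button 12: Key 116 # --> UP = Arrow up
Button 13: Key 113 # --> LEFT = Arrow left
Button 14: Key 114 # --> RIGHT = Arrow right
}
"""

# "Button N: key K # --> NAME = ..."; QJoyPad writes both "key" and "Key".
LAYOUT_RE = re.compile(
    r"^\s*Button\s+(\d+):\s*key\s+(\d+)\s*#\s*-->\s*(\w+)",
    re.IGNORECASE | re.MULTILINE,
)

# struct js_event from <linux/joystick.h>:
#   __u32 time (ms), __s16 value, __u8 type, __u8 number
JS_EVENT = struct.Struct("<IhBB")
JS_EVENT_BUTTON = 0x01
JS_EVENT_AXIS = 0x02
JS_EVENT_INIT = 0x80   # OR-ed into type for the state dump sent on open


def parse_layout(text):
    """Return {kernel_button_index: (x11_keycode, gba_name)} from a layout."""
    mapping = {}
    for match in LAYOUT_RE.finditer(text):
        qjoypad_number, keycode, name = match.groups()
        # QJoyPad counts from 1, the joystick API from 0.
        mapping[int(qjoypad_number) - 1] = (int(keycode), name)
    return mapping


def decode_events(raw, mapping):
    """Return [(gba_name, pressed, keycode), ...] for real button events.

    Init-state events and axis events are ignored; a button that has no
    line in the layout is reported as BUTTON<n> with keycode None.
    """
    usable = raw[: len(raw) - len(raw) % JS_EVENT.size]  # drop a partial tail
    events = []
    for _time_ms, value, etype, number in JS_EVENT.iter_unpack(usable):
        if etype & JS_EVENT_INIT:          # synthetic, not a user action
            continue
        if not etype & JS_EVENT_BUTTON:    # axis event
            continue
        keycode, name = mapping.get(number, (None, "BUTTON%d" % (number + 1)))
        events.append((name, value != 0, keycode))
    return events


# Constructed sample: an init record, B down/up, START down, an axis
# event and a button that is not in the layout.  Not a real capture.
SAMPLE_EVENTS = b"".join(JS_EVENT.pack(*e) for e in [
    (0, 0, JS_EVENT_BUTTON | JS_EVENT_INIT, 0),
    (1000, 1, JS_EVENT_BUTTON, 0),
    (1100, 0, JS_EVENT_BUTTON, 0),
    (1200, 1, JS_EVENT_BUTTON, 9),
    (1300, 32767, JS_EVENT_AXIS, 0),
    (1400, 1, JS_EVENT_BUTTON, 6),
])


def watch(device="/dev/input/js0"):
    """Print GBA button presses from the real device until interrupted."""
    mapping = parse_layout(LAYOUT_TEXT)
    with open(device, "rb", buffering=0) as js:
        while True:
            record = js.read(JS_EVENT.size)
            if len(record) < JS_EVENT.size:
                break
            for name, pressed, keycode in decode_events(record, mapping):
                print("%s %s (X keycode %s)" % (name, "down" if pressed else "up", keycode))


if __name__ == "__main__":
    for event in decode_events(SAMPLE_EVENTS, parse_layout(LAYOUT_TEXT)):
        print(event)
```

`watch()` reads the device one record at a time, which is how QJoyPad itself consumes /dev/input/js0; run it on the Pi to confirm which kernel button number each physical GBA button produces before trusting the UP/DOWN lines of the layout.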
::: info This project is mainly a gathering of different fabulous works, including the following.
:::
🎨 Main inspiring projects:
💻 Useful links for development:
- Linux dialog
- Raspberry Pi documentation
- Capture Bluetooth with tcpdump
- Use bluetoothctl with classic and BLE devices
- Raspberry Pi as a Bluetooth HID
- Play with 433 MHz radio signals
- Play with 868 MHz LoRa signals
- List of single-pak (multiboot) GBA games
🔧 Temporary links to test content:
- https://github.com/quangthanh010290/keyboard_mouse_emulate_on_raspberry
- https://gist.github.com/ukBaz/a47e71e7b87fbc851b27cde7d1c0fcf0
- https://github.com/007durgesh219/BTGamepad
- https://bbs.archlinux.org/viewtopic.php?id=201672
- https://github.com/gh4ck3r/hid2bt
- https://learn.adafruit.com/tv-b-gone-kit/design-notes