Pump It Up NX?

eissug

New member
Joined
Oct 31, 2016
Messages
27
Reaction score
2
Location
Anchorage, Alaska
I got a lead on a Pump It Up machine around 12AM, and like any good husband stayed up until 7AM trying to figure it out for the little lady. Korean dance machine for a Korean lady, sounds like something to soften the blow on buying my first arcade machine, a PC-10.

I was hoping it would have older stuff on it like Lee Junghyun finger mic. Without seeing it, it probably only has the 200 songs listed for a standard machine and that disappointed me... How are these things upgraded/new songs added? The upgrade is a $2k box? I really like the older kpop more than the newer stuff anyway. I think my kids can see a Baby VOX or even old 2ne1, but not the new CL, Big Bang, or Hyuna stuff...etc. I saw some teaser for PIU Prime 2 that had Black Pink. They aren't too bad yet. :)

Does anyone have any leads on an upgrade kit that might take us to 2009-2013 without spending 2x the whole cost of the game???? : )

Her Korean friends all have a new fancy import cars and I make her drive a good old 2004 trusty Dodge Grand Caravan with AWD. I told her the her car gets around town (ice) better than their BMW and Mercedes, but apparently American Yankee and Korea Big City Girls don't have the same understanding. Maybe if she has a dance machine she'll have something to show her friends to demonstrate I'm not so mean and hateful. ;) That minivan is so she comes back in one piece, not eat a semi bumper!

A really cool feature that seems to be in later versions is choosing the localization language? I'd love to be able to make the thing 100% Korean as far as the UI goes. 아직 조금 한글 아라요...

Thanks! 감사합니다람취!
 
I got a lead on a Pump It Up machine around 12AM, and like any good husband stayed up until 7AM trying to figure it out for the little lady. Korean dance machine for a Korean lady, sounds like something to soften the blow on buying my first arcade machine, a PC-10.

I was hoping it would have older stuff on it like Lee Junghyun finger mic. Without seeing it, it probably only has the 200 songs listed for a standard machine and that disappointed me... How are these things upgraded/new songs added? The upgrade is a $2k box? I really like the older kpop more than the newer stuff anyway. I think my kids can see a Baby VOX or even old 2ne1, but not the new CL, Big Bang, or Hyuna stuff...etc. I saw some teaser for PIU Prime 2 that had Black Pink. They aren't too bad yet. :)

Does anyone have any leads on an upgrade kit that might take us to 2009-2013 without spending 2x the whole cost of the game???? : )

Her Korean friends all have a new fancy import cars and I make her drive a good old 2004 trusty Dodge Grand Caravan with AWD. I told her the her car gets around town (ice) better than their BMW and Mercedes, but apparently American Yankee and Korea Big City Girls don't have the same understanding. Maybe if she has a dance machine she'll have something to show her friends to demonstrate I'm not so mean and hateful. ;) That minivan is so she comes back in one piece, not eat a semi bumper!

A really cool feature that seems to be in later versions is choosing the localization language? I'd love to be able to make the thing 100% Korean as far as the UI goes. 아직 조금 한글 아라요...

Thanks! 감사합니다람취!

Hello,

I have a Pump it Up Deluxe (DX) at home that I picked up dead and really cheap. I put it back together (sorta), and the kids love it.... I have done a few upgrades over the years as well. What version of the software is the machine you are looking at currently running? The reason I ask is that the main board for the system is a basic computer. In the older systems (like mine) there is a pseudo computer running a CD-ROM drive. The software is controlled by the CD and a security dongle. These old versions pop up from time to time on ebay and go for cheap <$100 (software only).

There are multiple series of main boards (designated with a MK-#) and accompanying software. The newer boards have larger numbers. I believe the current version is an MK-9. Depending on which version of the main board you have will determine which version of the software you can use.

My original system came with an MK-3 board and had the O.B.G. software with it. It had CD-Rom and security dongle. I later upgraded the software to Prex 2 I believe. Still running on the MK-3 and CD/security dongle.

From here I wanted to upgrade to something newer. I came across a Fiesta EX (2011) release on eBay for around $200 for the HD and security dongle. This system required an MK-6 hardware. I basically built a computer that had similar parts specs, bought a USB import board (from a game reseller) and tossed the Fiesta EX harddrive on it without issue. Most software seems to be about 3 years old before the price drops to something reasonable. A new upgrade kit (board and software) usually runs $1500-$2000.

My Fiesta EX is a Brazilian language pack that I can't change.

Thanks
Brian
 
Last edited:
I finally brought the thing home. I wanted to backup the NX hard drive and it appears that the software image is locked to the hard drive serial number as well as requiring the USB security key. Not for long! I think I'm close to figuring it out. I'm not trying to break their security key, just use a SSD since I've had too many hard drives fail to let this giant arcade become a brick if the drive dies!
 
So far I've noticed this:

Code:
 Sector 1 (Parent: L:/PIU NX - As received - SAMSUNG SP0842NBH900-51.dsk Record: 1)

      200:  50 75 6D 70 20 49 74 20 - 55 70 3A 20 4E 58 00 00  Pump It Up: NX..
      210:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      220:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      230:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      240:  26 38 05 75 F6 80 CD 80 - F7 D9 89 0E 42 24 B9 01  &8.uö.Í.÷Ù‰.B$¹.
      250:  00 D3 E3 83 C3 08 83 E3 - F8 89 1E 46 24 8C DA 2B  .ÓãƒÃ.ƒãø‰.F$ŒÚ+
      260:  EA 8B 3E B4 28 81 FF 00 - 02 73 07 BF 00 02 89 3E  ê‹>´(.ÿ..s.¿..‰>
      270:  B4 28 81 C7 D6 29 72 28 - 03 3E 56 28 72 22 B1 04  ´(.ÇÖ)r(.>V(r"±.
      280:  D3 EF 47 3B EF 72 19 83 - 3E B4 28 00 74 07 83 3E  ÓïG;ïr.ƒ>´(.t.ƒ>
      290:  56 28 00 75 0E BF 00 10 - 3B EF 77 07 8B FD EB 03  V(.u.¿..;ïw.‹ýë.
      2A0:  E9 E3 01 8B DF 03 DA 89 - 1E 58 24 89 1E 5C 24 A1  éã.‹ß.Ú‰.X$‰.\$¡
      2B0:  48 24 2B D8 8E C0 B4 4A - 57 CD 21 5F D3 E7 FA 8E  H$+ØŽÀ´JWÍ!_ÓçúŽ
      2C0:  D2 8B E7 FB 33 C0 2E 8E - 06 9B 02 BF 92 29 B9 D6  Ò‹çû3À.Ž.›.¿')¹Ö
      2D0:  29 2B CF FC F3 AA 83 3E - 2C 28 14 76 47 80 3E 4A  )+Ïüóªƒ>,(.vG.>J
      2E0:  24 03 72 40 77 07 80 3E - 4B 24 1E 72 37 B8 01 58  $.r@w..>K$.r7¸.X
      2F0:  BB 02 00 CD 21 72 2A B4 - 67 8B 1E 2C 28 CD 21 72  »..Í!r*´g‹.,(Í!r
      300:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
      310:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
      320:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
      330:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
      340:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      350:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      360:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      370:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      380:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      390:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      3A0:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      3B0:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      3C0:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      3D0:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      3E0:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
      3F0:  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................

What! The hard drive serial number!?!
 
Code:
 Sector 21 (Parent: L:/PIU NX - As received - SAMSUNG SP0842NBH900-51.dsk Record: 21)

     2AE0:  3B 21 35 4D 32 3C 10 48 - 46 5D 29 52 41 4D 00 54  ;!5M2<.HF])RAM.T
     2AF0:  45 52 4D 49 4E 41 54 49 - 4F 4E 2D 2A 20 20 20 20  ERMINATION-*    
     2B00:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     2B10:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     2B20:  55 4E 8B 0C 9F 7C 30 38 - 34 32 4E 20 20 20 20 20  UN‹.Ÿ|0842N     
     2B30:  20 20 20 20 30 20 20 20 - 20 20 20 20 20 20 20 20      0           
     2B40:  53 30 44 59 4A 31 09 1B - 1B 3D 3E 30 71 7E 64 61  S0DYJ1...=>0q~da
     2B50:  6D 69 72 6F 62 18 70 65 - 10 65 71 75 73 03 22 3C  mirob.pe.equs."<
     2B60:  21                                                 !

Again?
 
Code:
 Sector 22 (Parent: L:/PIU NX - As received - SAMSUNG SP0842NBH900-51.dsk Record: 22)

     2C00:  37 59 2A 3E 64 1F 68 5D - 3F 30 7B 7B 1E 10 77 41  7Y*>d.h]?0{{..wA
     2C10:  49 54 00 41 62 25 56 5D - 55 43 41 1F 7D 6F 40 59  IT.Ab%V]UCA.}o@Y
     2C20:  55 6B 24 20 76 33 30 1D - 58 56 6E 42 59 54 45 53  Uk$ v30.XVnBYTES
     2C30:  00 2D 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20  .-              
     2C40:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     2C50:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     2C60:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     2C70:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     2C80:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     2C90:  20 20 20 20 42 48 39 10 - 10 0D 15 11 73 61 6D 73      BH9.....sams
     2CA0:  74 6F 66 01 72 70 10 18 - 14 12 6E 00 00 00 00 00  tof.rp....n.....
     2CB0:  00 00 00 00 00 00 00 21 - 60 60 60 60 60 60 60 60  .......!````````
     2CC0:  13 70 04 19 0A 71 06 52 - 37 32 36 32 32 32 22 22  .p...q.R726222""
     2CD0:  22 60 60 60 02 08 79 70 - 24 39 21 25 47 55 49 57  "```..yp$9!%GUIW
     2CE0:  51 4A 43 24 57 54 34 3C - 30 36 4A 24 24 24 24 24  QJC$WT4<06J$$$$$
     2CF0:  24 24 60 60 60 60 60 60 - 38 38 38 38 38 38 28 28  $$``````888888((
     2D00:  5B 38 4C 51 42 39 4E 58 - 3D 38 3C 38 38 38 28 28  [8LQB9NX=8<888((
     2D10:  28 28 60 60 02 08 19 30 - 30 2D 35 31 53 41 4D 53  ((``...00-51SAMS
     2D20:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     2D30:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     2D40:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     2D50:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     2D60:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     2D70:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     2D80:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     2D90:  20 20 20 20 42 48 39 30 - 3E 27 3B 3B 5D 4B 4D 53      BH90>';;]KMS
     2DA0:  5C 4C 47 20 53 50 30 38 - 34 32 4E 20 BE 09 20 20  \LG SP0842N ¾.  
     2DB0:  2A 22 21 20 20 20 20 20 - 20 20 20 20 8E 09 20 20  *"!         Ž.  
     2DC0:  51 32 46 59 4A 31 46 50 - 35 30 34 30 8E 19 20 20  Q2FYJ1FP5040Ž.  
     2DD0:  63 22 23 20 42 48 39 30 - 30 2D 35 31 9D 68 4D 53  c"# BH900-51.hMS
     2DE0:  17 4C 43 20 53 50 30 38 - 34 32 4E 20 FE 09 20 20  .LC SP0842N þ.  
     2DF0:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  

 Sector 23 (Parent: L:/PIU NX - As received - SAMSUNG SP0842NBH900-51.dsk Record: 23)

     2E00:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     2E10:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     2E20:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     2E30:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     2E40:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     2E50:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     2E60:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     2E70:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     2E80:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     2E90:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     2EA0:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     2EB0:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     2EC0:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     2ED0:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 59 53      BH900-51SAYS
     2EE0:  54 2E 45 40 51 30 34 98 - 36 92 4E 20 20 20 20 20  [email protected]'N     
     2EF0:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     2F00:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 23 22 22  S0DYJ1FP50400#""
     2F10:  24 25 26 28 4A 40 2D 25 - 35 3E 3B 27 56 50 4F 4D  $%&(J@-%5>;'VPOM
     2F20:  7C 62 6F 08 7B 78 18 11 - 18 1A 66 08 25 25 09 37  |bo.{x....f.%%.7
     2F30:  37 2E 2E 2E 2E 2E 2E 2E - 2E 2E 2E 2E 2E 2E 2F 0C  7............./.
     2F40:  70 32 68 56 60 19 6E 78 - 26 2B 28 32 32 35 2F 22  p2hV`.nx&+(225/"
     2F50:  37 08 0A 33 68 46 37 3E - 3E 23 3B 3F 70 4F 51 7B  7..3hF7>>#;?pOQ{
     2F60:  42 6D 62 33 7B 50 30 28 - 1C 5C 3B 4C 4C 09 20 20  Bmb3{P0(.\;LL.  
     2F70:  34 34 21 34 35 34 34 34 - 34 22 20 34 23 24 34 29  44!454444" 4#$4)
     2F80:  56 35 41 5C 4F 34 43 55 - 30 24 20 24 24 24 34 34  V5A\O4CU0$ $$$44
     2F90:  34 34 34 34 4D 5F 36 38 - 24 39 21 36 47 57 59 47  4444M_68$9!6GWYG
     2FA0:  41 5A 53 34 47 44 24 35 - 20 26 5A 34 34 34 34 34  AZS4GD$5 &Z44444
     2FB0:  34 34 30 2A 2F 2F 2F 28 - 2A 34 34 26 34 32 2B 2E  440*///(*44&42+.
     2FC0:  47 24 55 4D 46 25 52 5D - 21 24 20 24 24 24 34 20  G$UMF%R]!$ $$$4 
     2FD0:  21 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53  !   BH900-51SAMS
     2FE0:  55 4F 47 63 1C 1D 60 79 - 65 32 3E 52 49 4E 54 00  UOGc..`ye2>RINT.
     2FF0:  53 43 41 4E 46 00 1A 00 - 46 4C 4F 41 54 49 4E 47  SCANF...FLOATING

 Sector 24 (Parent: L:/PIU NX - As received - SAMSUNG SP0842NBH900-51.dsk Record: 24)

     3000:  73 40 2B 30 24 45 66 36 - 5A 42 59 51 44 43 00 4E  s@+0$Ef6ZBYQDC.N
     3010:  4F 54 00 4C 2B 26 52 55 - 54 20 3F 31 01 48 4D 53  OT.L+&RUT ?1.HMS
     3020:  55 4E 47 20 53 50 30 38 - 34 32 4A 38 29 38 29 38  UNG SP0842J8)8)8
     3030:  29 38 20 22 B3 2D 20 20 - 20 30 BF 36 20 20 20 30  )8 "³-   0¿6   0
     3040:  6D 28 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  m(DYJ1FP504000  
     3050:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     3060:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     3070:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     3080:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     3090:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     30A0:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     30B0:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     30C0:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     30D0:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     30E0:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     30F0:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     3100:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     3110:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     3120:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     3130:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     3140:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     3150:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     3160:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     3170:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     3180:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     3190:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     31A0:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     31B0:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20                  
     31C0:  53 30 44 59 4A 31 46 50 - 35 30 34 30 30 30 20 20  S0DYJ1FP504000  
     31D0:  20 20 20 20 42 48 39 30 - 30 2D 35 31 53 41 4D 53      BH900-51SAMS
     31E0:  55 4E 47 20 53 50 30 38 - 34 32 4E 20 20 20 20 20  UNG SP0842N     
     31F0:  20 20 20 20 20 20 20 20 - 20 20 20 20 20 20 20 20
Oh no... :( And it keeps going for a long time...Too long for a post. :)
 
As far as I can tell the hard drive that came with my NX had Windows installed on it before the pump stuff was put on. If I scan the entire drive and run recovery software on it there are pieces of Windows scattered all over. On the old? Brazil pump website other people have recognized this too. Later versions had cleaner hard drives. I think some people have recovered development environment files from the mangled windows/dos partitions.

The partition table looks like this:
Code:
$ fdisk nx_f*

Welcome to fdisk (util-linux 2.25.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): p
nx_full.dsk: 74.5 GiB, 80025280000 bytes, 156299375 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x4549bb7c

Device                                              Boot    Start      End  Sectors   Size Id Type
nx_full.dsk1       1590435 30909059 29318625    14G 83 Linux
nx_full.dsk2      32113935 34089929  1975995 964.9M 83 Linux

Only two filesystems on the drive. The 14G one has the audio, bgm, etc. The 1G one has a few kb of game save data. I bet the 14G one is never mounted read...considering the shutdown procedure!
 
Last edited:
I saved the first 350MB of the drive into a file called nx.img. It is my belief that I will be able to get the hidden CRAMFS image and maybe even find their kernel. I've never done anything like this, but I
ve got a lot of linux programming and embedded system experience...we'll see... I've already been searching the image with R-Studio and see some interesting things to support my previous statement.

$ file nx.img
nx.img: MS-MBR,DOS 2, disk signature 0x4549bb7c; partition 1 : ID=0x83, start-CHS (0x63,0,1), end-CHS (0x3ff,254,63), startsector 1590435, 29318625 sectors; partition 2 : ID=0x83, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 32113935, 1975995 sectors

They have a special bootloader. It boots silent and doesn't seem to respond to keystrokes.
 
Code:
$ binwalk nx.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
81364         0x13DD4         gzip compressed data, maximum compression, from Unix, last modified: Wed Dec 21 19:57:12 2005
1199104       0x124C00        CramFS filesystem, little endian size 12804096 version #2 sorted_dirs CRC 0xbcb243a3, edition 0, 7230 blocks, 338 files
14004310      0xD5B056        Zlib compressed data, best compression, uncompressed size >= 4096
14005672      0xD5B5A8        Zlib compressed data, best compression, uncompressed size >= 4096
14008001      0xD5BEC1        Zlib compressed data, best compression, uncompressed size >= 4096
14009932      0xD5C64C        Zlib compressed data, best compression, uncompressed size >= 4096

Hmmm... : )
 
My hope is that all this can help someone else some day. :)

The reason I saved the first 350MB of the hard drive was because of where I saw in the hard drive the CRAMFS could be located, and that the maximum CRAMFS filesystem is around 270MB.

Based on our earlier binwalk output:
$ dd if=nx.img bs=1 skip=1199104 of=nx_cramfs.img
365802496+0 records in
365802496+0 records out
365802496 bytes (366 MB) copied, 669.997 s, 546 kB/s
$ file nx_c*
nx_cramfs.img: Linux Compressed ROM File System data, little endian size 12804096 version #2 sorted_dirs CRC 0xbcb243a3, edition 0, 7230 blocks, 338 files
$ sudo mount -t cramfs -o loop nx_cramfs.img /mnt/nx

Code:
$ tree
.
├── bin
│   ├── ash -> busybox
│   ├── bash -> busybox
│   ├── busybox
│   ├── cat -> busybox
│   ├── chgrp -> busybox
│   ├── chmod -> busybox
│   ├── chown -> busybox
│   ├── cp -> busybox
│   ├── date -> busybox
│   ├── dd -> busybox
│   ├── devfsd
│   ├── df -> busybox
│   ├── dmesg -> busybox
│   ├── echo -> busybox
│   ├── false -> busybox
│   ├── grep -> busybox
│   ├── gunzip -> busybox
│   ├── gzip -> busybox
│   ├── halt -> busybox
│   ├── init -> busybox
│   ├── insmod -> busybox
│   ├── kill -> busybox
│   ├── klogd -> busybox
│   ├── ldconfig
│   ├── ln -> busybox
│   ├── losetup -> busybox
│   ├── ls -> busybox
│   ├── lsmod -> busybox
│   ├── mkdir -> busybox
│   ├── mknod -> busybox
│   ├── mkswap -> busybox
│   ├── modprobe -> busybox
│   ├── more -> busybox
│   ├── mount -> busybox
│   ├── mv -> busybox
│   ├── pidof -> busybox
│   ├── ping -> busybox
│   ├── pivot_root
│   ├── poweroff
│   ├── ps -> busybox
│   ├── pwd -> busybox
│   ├── reboot
│   ├── rm -> busybox
│   ├── rmdir -> busybox
│   ├── rmmod
│   ├── sed -> busybox
│   ├── sh -> busybox
│   ├── sleep -> busybox
│   ├── swapoff
│   ├── swapon
│   ├── sync -> busybox
│   ├── syslogd
│   ├── tar -> busybox
│   ├── touch -> busybox
│   ├── true -> busybox
│   ├── umount -> busybox
│   ├── uname -> busybox
│   ├── usleep -> busybox
│   └── zcat -> busybox
├── boot
├── dev
├── etc
│   ├── devfsd.conf
│   ├── init.d
│   │   ├── once
│   │   ├── rcS
│   │   └── run
│   ├── inittab
│   ├── ld.so.cache -> [Error reading symbolic link information]
│   ├── ld.so.cache_
│   ├── ld.so.conf
│   ├── modules.conf
│   ├── modules.devfs
│   └── X11
│       └── XF86Config
├── lib
│   ├── ld-2.3.2.so
│   ├── ld-linux.so.1 -> [Error reading symbolic link information]
│   ├── ld-linux.so.1.9.11
│   ├── ld-linux.so.2 -> [Error reading symbolic link information]
│   ├── ld.so
│   ├── ld.so.1.9.11
│   ├── libc-2.3.2.so
│   ├── libc.so.6 -> [Error reading symbolic link information]
│   ├── libdl-2.3.2.so
│   ├── libdl.so.1 -> [Error reading symbolic link information]
│   ├── libdl.so.1.9.11
│   ├── libdl.so.2 -> [Error reading symbolic link information]
│   ├── libgcc_s.so.1
│   ├── libm-2.3.2.so
│   ├── libm.so.6 -> [Error reading symbolic link information]
│   ├── libpthread-0.10.so
│   ├── libpthread.so.0 -> [Error reading symbolic link information]
│   ├── librt-2.3.2.so
│   ├── librt.so.1 -> [Error reading symbolic link information]
│   ├── libusb-0.1.so.4 -> [Error reading symbolic link information]
│   ├── libusb-0.1.so.4.4.0
│   └── modules
│       └── 2.4.27
│           ├── build -> [Error reading symbolic link information]
│           ├── kernel
│           │   ├── drivers
│           │   │   └── video
│           │   │       └── nvidia.o
│           │   └── sound
│           │       ├── acore
│           │       │   ├── oss
│           │       │   │   ├── snd-mixer-oss.o
│           │       │   │   └── snd-pcm-oss.o
│           │       │   ├── seq
│           │       │   │   ├── instr
│           │       │   │   │   ├── snd-ainstr-fm.o
│           │       │   │   │   ├── snd-ainstr-gf1.o
│           │       │   │   │   ├── snd-ainstr-iw.o
│           │       │   │   │   └── snd-ainstr-simple.o
│           │       │   │   ├── oss
│           │       │   │   │   └── snd-seq-oss.o
│           │       │   │   ├── snd-seq-device.o
│           │       │   │   ├── snd-seq-dummy.o
│           │       │   │   ├── snd-seq-instr.o
│           │       │   │   ├── snd-seq-midi-emul.o
│           │       │   │   ├── snd-seq-midi-event.o
│           │       │   │   ├── snd-seq-midi.o
│           │       │   │   ├── snd-seq.o
│           │       │   │   └── snd-seq-virmidi.o
│           │       │   ├── snd-hwdep.o
│           │       │   ├── snd.o
│           │       │   ├── snd-page-alloc.o
│           │       │   ├── snd-pcm.o
│           │       │   ├── snd-rawmidi.o
│           │       │   └── snd-timer.o
│           │       ├── drivers
│           │       │   ├── mpu401
│           │       │   │   ├── snd-mpu401.o
│           │       │   │   └── snd-mpu401-uart.o
│           │       │   ├── opl3
│           │       │   │   ├── snd-opl3-lib.o
│           │       │   │   └── snd-opl3-synth.o
│           │       │   ├── opl4
│           │       │   │   ├── snd-opl4-lib.o
│           │       │   │   └── snd-opl4-synth.o
│           │       │   ├── snd-aloop.o
│           │       │   ├── snd-dummy.o
│           │       │   ├── snd-mtpav.o
│           │       │   ├── snd-serialmidi.o
│           │       │   ├── snd-serial-u16550.o
│           │       │   ├── snd-virmidi.o
│           │       │   └── vx
│           │       │       └── snd-vx-lib.o
│           │       └── pci
│           │           ├── ac97
│           │           │   └── snd-ac97-codec.o
│           │           ├── snd-intel8x0.o
│           │           └── snd-maestro3.o
│           ├── modules.dep
│           ├── modules.generic_string
│           ├── modules.ieee1394map
│           ├── modules.isapnpmap
│           ├── modules.parportmap
│           ├── modules.pcimap
│           ├── modules.pnpbiosmap
│           └── modules.usbmap
├── linuxrc -> [Error reading symbolic link information]
├── mnt
│   ├── cdrom
│   └── hd
├── piu
├── proc
├── root
├── sbin
│   ├── devfsd
│   ├── halt -> [Error reading symbolic link information]
│   ├── init -> [Error reading symbolic link information]
│   ├── insmod -> [Error reading symbolic link information]
│   ├── klogd -> [Error reading symbolic link information]
│   ├── ldconfig
│   ├── losetup -> [Error reading symbolic link information]
│   ├── lsmod -> [Error reading symbolic link information]
│   ├── mkswap -> [Error reading symbolic link information]
│   ├── modprobe -> [Error reading symbolic link information]
│   ├── pivot_root -> [Error reading symbolic link information]
│   ├── poweroff -> [Error reading symbolic link information]
│   ├── reboot -> [Error reading symbolic link information]
│   ├── rmmod -> [Error reading symbolic link information]
│   ├── swapoff -> [Error reading symbolic link information]
│   ├── swapon -> [Error reading symbolic link information]
│   └── syslogd -> [Error reading symbolic link information]
├── SCRIPT
│   ├── SETUP_COMMON.LUA
│   ├── SETUP_EN.LUA
│   ├── SETUP_KR.LUA
│   ├── SETUP_T.LUA
│   ├── SFX_GLOBAL.LUA
│   └── UI
│       ├── DANCEGRADE.LUA
│       ├── SFX_DANCEGRADE.LUA
│       ├── SFX_NAMEINPUT.LUA
│       ├── SFX_NEXTSTAGE.LUA
│       ├── SFX_SELECT.LUA
│       ├── SFX_TITLE.LUA
│       └── WORLDGRADE.LUA
├── SETTINGS
├── tmp -> [Error reading symbolic link information]
├── usbdog.o
...
...
57 directories, 279 files

I can read the LUA file, but I'm not sure whey I am getting errors on almost every other file.

dmesg says:

Code:
[ 4557.031130] cramfs: bad compressed blocksize 2708089942
[ 4557.031562] cramfs: bad compressed blocksize 1850448048
[ 4581.427975] cramfs: bad compressed blocksize 2708089942
[ 4581.427988] cramfs: bad compressed blocksize 2708089942
[ 4581.428014] cramfs: bad compressed blocksize 1850448048
...
[ 4971.195328] cramfs: Error -3 while decompressing!
[ 4971.195329] cramfs: ffffffffc045ff82(2903)->ffff88005d4c4000(4096)
[ 4971.195330] cramfs: Error -3 while decompressing!
[ 4971.195330] cramfs: ffffffffc0460ad9(2679)->ffff88005e713000(4096)
[ 4971.195331] cramfs: Error -3 while decompressing!
[ 4971.195332] cramfs: ffffffffc0461550(2815)->ffff88005e712000(4096)
[ 4971.195367] cramfs: Error -3 while decompressing!
[ 4971.195368] cramfs: ffffffffc045ee84(2938)->ffff88005e670000(4096)
 
At this point I'm feeling like they munched on the kernel so that it would read/write a corrupted (or incorrectly formatted) cramfs. Just to cover my bases I'm installing Debian 3 in VMware which has the same kernel version, 2.4.27. Who knows?

I also couldn't ungz what I thought was the kernel. It gives me an error, but gunzip -c gave me something to look at. It looks like a kernel to me! I might try booting that kernel just for fun even though there may be an error at the end. binwalk found what it thought was 13k of a compressed file at the end. I may have a complete kernel.

Next step might be to boot NX in vmware and create a memory snapshot to look through. : )

Technically they should give everyone any modified GPL source. I doubt they would ever!

I am learning how to make an embedded system hard to break into!

Just so no one asks...I have tried a second monitor and tried common baud rates to look for a console. :) I may hook a scope up to the serial port and look for anything.
 
I wrote a post about giving up, but it is so hard to give up with this drive laughing in my face... : (

The partition table indicates:
1. Starting at 512bytes and 776.58MB long - Empty Space
2. Starting at 776.58MB and 13.98GB long - Ext2
3. Starting at 14.74GB and 588.32MB long - Empty Space
4. Starting at 15,31GB and 964.84MB long - Ext2
5. Starting at 16.26GB and 58.27GB long - Empty Space

Remains of partitions are detected:
1. Old EXT2 Starting at 31.5KB and 776.55MB long
2. Old FAT16 Starting at 113KB and 303.5MB long
3. Old FAT32 Starting at 156.24MB and 1GB long

My bet is that everything I should be looking for is in the first section of empty space. The problem is that they overwrote a 303MB FAT16 and 1GB FAT32GB partition so that I have to sift through hundreds of remains of Windows files.

I think the next thing I should do is zero out 5 and see if the game still works. Then zero out 3 and see if it works. Then, zero out 1 starting at the end 100MB at a time. When the thing stops working I will know I have overwritten something important...

The other idea I have is to boot the system in VMWare and take a snapshot of ram. If it is in fact running on a ram file system, I might be able to get the whole file system. I have no idea what I'm doing.

It is completely wrong to have to hack this much on something that has a USB security key. Like I said, I don't want to eliminate the key (even though that would be much easier!), but I'm not going to let a 5400RPM spinning death trap threaten a $1k investment!!!! Not to mention they are legally required to release source code for anything they have modified which was under GPL. I think their bootloader includes GPL code and the kernel been modified.

It is at this point I would normally feel compelled to say bad things about the country of manufacture...but Korea is my adopted motherland. :( The drive image is pretty sloppily made...which I hope was on purpose to make what I'm doing hard. If so, good job! :)
 
Wiped (nearly the same thing Hillary did) the 58.27GB chunk, still works!
Wiped the 588.32MB chunk, still works!
Wiped 756.58MB of the first chunk, still works!

There is only the two EXT2 partitions left and 14MB at the beginning of the drive. 1.5MB or so is supposed to be the kernel. There is some weird trickery going on... The data doesn't seem to be "corrupted", it is all zlib and decrypts just fine but it is not in order at all! I hate their bootloader.

I am going to give up for a week or so. I have an adapter coming in the mail that might help me. I'll try to boot it in a virtual machine and then take a snapshot of ram.
 
Still no good progress. I thought maybe the cramfs was a decoy and that they might have hid the files in unused space on the EXT2 partition. So I wiped the last 2MB of what I thought was the 12MB main file system. The game didn't boot anymore. Restored the 12MB of mushed data and it boots again now... I really hate giving up. I have one more idea and some toys from Amazon might help. :)
 
Back
Top Bottom