Security engineer solstICE, also known as Ice, has ported the password-cracking tool hashcat to the Game Boy Advance, turning a 2000s handheld into a deliberately terrible cracking box.
The project, published as gba-hashcat, runs on original Game Boy Advance hardware. According to Ice, the handheld manages 727 SHA-256 hashes per second. Ice said on X that this is about 30 million times slower than a contemporary GPU-accelerated cracking rig, and estimated that a full year of work on the handheld would equal roughly one second on modern cracking hardware.
That number is the point. Password cracking normally rewards parallelism, memory bandwidth, and high-end GPUs. The Game Boy Advance brings the opposite: an ARM7TDMI processor running at 16.78 MHz, a 32-bit RISC core tied to much of the system through 16-bit buses. The machine has 288 KB of RAM and 98 KB of VRAM. It is charming hardware. It is not a password recovery workstation.
A tiny cracker for a tiny machine
Hashcat is widely used for testing password hashes against candidate passwords. On a modern setup, that usually means feeding GPUs large batches of guesses and letting them chew through hashes at high speed. On the Game Boy Advance, gba-hashcat instead runs a much smaller exercise: test SHA-256 hashes against a local word list and show progress on the handheld screen.
The storage constraints shape the project as much as the CPU does. Password-cracking workflows can use precomputed data such as rainbow tables, but the Game Boy Advance cartridge limit cited for the project is 32 MB. Ice included the ignis-1M word list, a one-million-entry file that takes about 8 MB.
The software itself stays small by using Butano, a C++ engine for writing Game Boy Advance software. The interface is correspondingly plain. It shows an intro screen, progress information, and the password candidate currently being tried.
The joke has a working binary
Ice described gba-hashcat in a GitHub commit as their “dumbest app of all time.” That is a fair characterization in performance terms, though the port still demonstrates the usual engineering lesson buried inside novelty projects: constraints make the mechanism visible. On this machine, there is nowhere for the cost of hashing, memory limits, and input lists to hide.
Commenters on X responded by asking for networking support, with the apparent goal of linking multiple Game Boy Advance units into a cracking cluster. Ice has not presented that as a working feature in the material published so far.
For anyone trying to recover a serious password, gba-hashcat is more artifact than tool. For anyone trying to understand what password cracking actually asks hardware to do, a handheld producing 727 SHA-256 attempts per second is a blunt demonstration.
This story draws on original reporting from Tom's Hardware.