Transcript of: Bridging Emulation and the Real World with the Nintendo Game Boy

Post on 18-Oct-2020

Bridging Emulation and the Real World with the Nintendo Game Boy

Or Pinchasof – BlueHat IL

6.2.2019

Link port

Research background

• Emulation – VisualBoyAdvance, no$gba, and others

• Specifications – GBATEK, CowBite

• Homebrew – devkitPro, XBOO, carts

Emulation

GBA specifications

Goals

1. Understand physical layer and be able to send and receive data

2. Reverse engineer the multiboot protocol

3. Run testing code on the Game Boy to characterize sending procedures in software

4. Implement link handling in the emulator

5. Trade!

Link port

http://www.mksmks.de/technical/gbmtocube.htm

Multiboot demo

Multiboot

(Diagram: the link cable lines SC/SD and SO/SI, with the probe word 0x6202 answered by 0x7202)

Layer 1 protocol – Master send

Master:                            Slave:
  Set SC, SD LOW                     Wait SD LOW
  Send data (start, data, stop)      Receive data
  Set SO LOW                         Receive SI LOW

Layer 1 protocol – Slave send

Master:                Slave:
  Receive data           Send data (start, data, stop)
  Wait for timeout       Set SO HIGH
  Set SC HIGH            End transfer

Getting the multiboot protocol

Reversing

Sniffing

Arduino sniffer

Multiboot dump

Master  Slave   | Master  Slave   | Master  Slave
6202    7202    | 0700    0202    | 65ed    4a46
6202    7202    | 0000    0102    | 7e4d    4a48
6202    7202    | 6202    0002    | f147    4a4a
6102    7202    | 63f7    7202    | 75f4    4a4c
002e    6002    | 63f7    73b1    | 699f    4a4e
ea00    5f02    | 64c0    73b1    | 0065    4a50
ff24    5e02    | 1230    73fc    | 0065    0074
51ae    5d02    | ffdf    00c0    | 0065    0074
9a69    5c02    | 0d15    00c2    | 0065    0075
21a2    5b02    | f3d0    00c4    | 0066    0075
843d    5a02    | 1ecd    00c6    | 87e0    87e0

Reversing

IO registers map

Let’s read some assembly!

(Diagram: BIOS START, SWI table, BIOS MB handler, Game MB handler)

Multiboot protocol

Master                          Slave
Probe 0x6202                    Answer 0x7202
Send 0xc0 bytes of header       Answer write index
Ask encryption key              Return encryption key
Send main data                  Answer write index
Signal send end 0x0065          Return 0x0075
Send CRC                        Send CRC
Execute

Multiboot dump explained

Init + Header     | Encryption Key + Main Data | Finalization + Checksum Check
Master  Slave     | Master  Slave              | Master  Slave
6202    7202      | …       …                  |
6202    7202      | 0000    0102               | 75f4    4a4c
6102    7202      | 6202    0002               | 699f    4a4e
002e    6002      | 63f7    7202               | 0065    4a50
ea00    5f02      | 63f7    73b1               | 0065    0074
ff24    5e02      | 64c0    73b1               | 0065    0075
51ae    5d02      | 1230    73fc               | 0066    0075
9a69    5c02      | ffdf    00c0               | 87e0    87e0
…       …         | …       …                  | Checksum match!
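The phase labels on the slide above can be turned into a small analysis tool. The following is an added example, not code from the talk: a heuristic decoder that takes the sniffed (master, slave) word pairs and classifies each transfer as init, header, key exchange, main data, finalization or checksum, using only the patterns visible in the dump (probe 0x6202/0x6102 answered by 0x7202, the header write index counting down from 0x60, even write indices advancing by 2, the 0x0065 end signal acknowledged by 0x0075, and the final CRC exchange). The dump is constructed from the slide, and treating 0x00c0 as the first main-data write index is my assumption.

```python
# Added example: heuristic phase decoder for a sniffed GBA multiboot session.
# Rules are inferred from the dump on the slide; treating the first main-data
# write index as the header length (0xc0) is my assumption, not documented.
from collections import Counter

HEADER_BYTES = 0xC0                  # header length stated in the talk
HEADER_WORDS = HEADER_BYTES // 2     # 0x60 16-bit transfers

# Constructed from the slide "Multiboot dump explained", columns read in order;
# rows the slide elides with "..." are simply absent here.
DUMP = [(0x6202, 0x7202), (0x6202, 0x7202), (0x6102, 0x7202),
        (0x002E, 0x6002), (0xEA00, 0x5F02), (0xFF24, 0x5E02),
        (0x51AE, 0x5D02), (0x9A69, 0x5C02),
        (0x0000, 0x0102), (0x6202, 0x0002), (0x63F7, 0x7202),
        (0x63F7, 0x73B1), (0x64C0, 0x73B1), (0x1230, 0x73FC), (0xFFDF, 0x00C0),
        (0x75F4, 0x4A4C), (0x699F, 0x4A4E), (0x0065, 0x4A50),
        (0x0065, 0x0074), (0x0065, 0x0075), (0x0066, 0x0075), (0x87E0, 0x87E0)]

def classify(pairs):
    """Label each (master, slave) transfer with the phase it belongs to."""
    out, header_idx = [], 0
    for i, (m, s) in enumerate(pairs):
        last = i == len(pairs) - 1
        if m in (0x6202, 0x6102) and s == 0x7202:
            out.append(("init", "probe 0x%04x / answer 0x7202" % m))
        # header: slave reports the remaining word count in its high byte (0x60 down)
        elif header_idx < HEADER_WORDS and s == (((HEADER_WORDS - header_idx) << 8) | 0x02):
            out.append(("header", "word %d, write index 0x%02x" % (header_idx, s >> 8)))
            header_idx += 1
        elif m == 0x0065:   # master signals send end until the slave returns 0x0075
            out.append(("finalize", "acked 0x0075" if s == 0x0075 else "awaiting 0x0075"))
        elif m == 0x0066:
            out.append(("finalize", "ready for CRC" if s == 0x0075 else "unexpected 0x%04x" % s))
        elif last:          # both sides send their CRC in the final transfer
            out.append(("checksum", "match" if m == s else "MISMATCH 0x%04x vs 0x%04x" % (m, s)))
        # main data: slave echoes a byte write index that advances by 2 per word
        elif s % 2 == 0 and (s == HEADER_BYTES
                             or (i > 0 and s == pairs[i - 1][1] + 2)
                             or s + 2 == pairs[i + 1][1]):
            out.append(("main", "write index 0x%04x" % s))
        else:
            out.append(("key/other", "0x%04x -> 0x%04x" % (m, s)))
    return out

def summary(pairs):
    """Transfer count per phase and whether the final CRC exchange matched."""
    labels = classify(pairs)
    return dict(Counter(p for p, _ in labels)), labels[-1] == ("checksum", "match")
```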

Layer 1 adapter

• while True:
  • Get 2 bytes from serial
  • Transfer with GBA
  • Send 2 bytes on serial

setbit(PORTB, PIN2_SD);   /* drive the SD line HIGH */
clrbit(PORTB, PIN2_SD);   /* drive the SD line LOW */

The original: NOPPP

PC Multiboot demo

(Diagram: multiboot data serialized from the PC to the GBA)

Back to emulation

Main code in VBA

GBA.cpp: CPULoop(ticks) → CPU, Memory, IO registers, Timers, Sound, Video

Link code

CPULoop(ticks) → CPU, Memory, IO registers, Link initiation/status, Timers, Link update

Characterizing the hardware

• Using custom testing software:
  • Compare emulator and Game Boy behavior
  • Register state
  • Send timings

Let’s try some games!

How latency worsens over time

• Arduino uses serial over USB for communication with the PC

• USB architecture, coupled with serial transfer rates, buffering, packaging, etc.

• Introduces a significant delay, on the order of several ms

• Real-time communication with the Game Boy fails

• Parallel port used to work well!

Raspberry Pi

Implementation on Raspberry Pi

• Adapt Arduino code

• Implement multiboot testing code

• Integrate link code with the emulator

• Compile VBA

• Delay dropped to virtually non-existing!

More optimizations

• taskset

• Improved timing

• Frame skip

• Throttling

taskset 0x8 src/sdl/VisualBoyAdvance -T 110 ~/Rayman.gba -b ../../GBA.BIOS -2 -s 6

Let’s trade!

Takeaways

• Wide view of an embedded system

• Low level hardware to software development

• Full communication stack

• Different problems at different times

Thank you!