Bridging Emulation and

the Real World with the

Nintendo Game Boy

Or Pinchasof – BlueHat IL

6.2.2019

Link port

Research background

• Emulation – VisualBoyAdvance, no$gba, and others

• Specifications – GBATEK, CowBite

• Homebrew – devkitPro, XBOO, carts

Emulation

GBA specifications

Goals

1. Understand physical layer and be able to send and receive data

2. Reverse engineer the multiboot protocol

3. Run testing code on the Game Boy to characterize sending procedures in software

4. Implement link handling in the emulator

5. Trade!

Link port

http://www.mksmks.de/technical/gbmtocube.htm

Multiboot demo

Multiboot

SCSD

SOSI

1 1 1 1 SS

0x6202 0x7202

Layer 1 protocol – Master send

Master

Set SC, SD LOW

Send data(start, data, stop)

Set SO LOW

Slave

Wait SD LOW

Receive data

Receive SI LOW

Layer 1 protocol – Slave send

Master

Receive data

Wait for timeout

Set SC HIGH

Slave

Send data(start, data, stop)

Set SO HIGH

End transfer

Getting the multiboot protocol

Reversing

Sniffing

Arduino sniffer

Multiboot dump

Master Slave Master Slave Master Slave

6202 7202 0700 0202 65ed 4a46

6202 7202 0000 0102 7e4d 4a48

6202 7202 6202 0002 f147 4a4a

6102 7202 63f7 7202 75f4 4a4c

002e 6002 63f7 73b1 699f 4a4e

ea00 5f02 64c0 73b1 0065 4a50

ff24 5e02 1230 73fc 0065 0074

51ae 5d02 ffdf 00c0 0065 0074

9a69 5c02 0d15 00c2 0065 0075

21a2 5b02 f3d0 00c4 0066 0075

843d 5a02 1ecd 00c6 87e0 87e0

Reversing

IO registers map

Let’s read some assembly!

BIOS START

SWI table

BIOS MB

handler

Game MB

handler

Multiboot protocol

Master Slave

Probe 0x6202 Answer 0x7202

Send 0xc0 bytes of

headerAnswer write index

Ask encryption keyReturn encryption

key

Send main data Answer write index

Signal send end

0x0065Return 0x0075

Send CRC Send CRC

Execute

Multiboot dump explained

Master Slave Master Slave Master Slave

Init + Header Encryption Key + Main Data Finalization + Checksum Check

6202 7202 … …

6202 7202 0000 0102 75f4 4a4c

6102 7202 6202 0002 699f 4a4e

002e 6002 63f7 7202 0065 4a50

ea00 5f02 63f7 73b1 0065 0074

ff24 5e02 64c0 73b1 0065 0075

51ae 5d02 1230 73fc 0066 0075

9a69 5c02 ffdf 00c0 87e0 87e0

… … Checksum match!

Layer 1 adapter

• while True:• Get 2 bytes from serial

• Transfer with GBA

• Send 2 bytes on serial

setbit(PORTB, PIN2_SD);

clrbit(PORTB, PIN2_SD);

The original

NOPPP

PC Multiboot demo

Multiboot

Data GBA serialized

Back to emulation

Main code in VBA

GBA.cpp:

CPULoop(ticks)

CPU

Memory

IO registers

Timers

Sound

Video

Link code

CPULoop(ticks)

CPU

Memory

IO registers

Link initiation/status

Timers

Link update

Characterizing the hardware

• Using custom testing software:

• Compare emulator and Game Boy behavior

• Register state

• Send timings

Let’s try some games!

How latency worsens over time

• Arduino uses serial over USB for communication with the PC

• USB architecture, coupled with serial transfer rates, buffering, packaging, etc.

• Introduces a significant delay, which is in the order of several ms

• Real time communication with the Gameboy fails

• Parallel port used to work well!

Raspberry Pi

Implementation on Raspberry Pi

• Adapt Arduino code

• Implement multiboot testing code

• Integrate link code with the emulator

• Compile VBA

• Delay dropped to virtually non-existing!

More optimizations

• taskset

• Improved timing

• Frame skip

• Throttling

taskset 0x8 src/sdl/VisualBoyAdvance -T 110

~/Rayman.gba -b ../../GBA.BIOS -2 -s 6

Let’s trade!

Takeaways

• Wide view of an embedded system

• Low level hardware to software development

• Full communication stack

• Different problems at different times

Thank you!