Over in Russia there are a few people doing extremely in-depth technical teardowns, and the latest is one of the most ambitious ever seen. The PSXDEV team is tearing into the heart of the original PlayStation (Google translatrix), looking at 300,000 transistors, and re-implementing the entire console in a logic level simulator.
While the CPU in the PSX is unique to that specific piece of hardware, a lot of this custom silicon can be found in other places. The core – a RISC LSI LR33300 – is documented in a few rare tomes that are somehow available for free on the Internet. Other parts of this chip are a little stranger. There is a bizarre register that isn’t documented anywhere, a Bus Unit that handles the access between various devices and peripherals, and a motion picture decompressor.
The reverse engineering process begins by de-encapsulating the CPU, GPU, sound processing unit, and CD-ROM controller, taking very high magnification photos of the dies, and slowly mapping out the semiconductors and metals to figure out what cells do what function, how they’re connected, and what the big picture is. It’s a painstaking process that requires combing through gigabytes of die shots and, apparently, highlighting gates, wires, and busses with MS Paint.
The end result of all this squinting at a monitor is turning tracings of chips into logic elements with Logisim. From there, the function of the CPU can be understood, studied, and yes, eventually emulated down to the gate level. It’s an astonishing undertaking, really.
If this sort of thing sounds familiar, it should: the same team behind PSXDEV is also responsible for a similar effort focused on the Nintendo Entertainment System. There, the CPU inside the NES – the Ricoh 2A03 – was torn down, revealing the 6502 core, APU, DMA, and all the extra bits that made this a custom chip.
Thanks [Rasz] for the tip.
Why?
Why not?
Because there are so many other things that level of engineering effort could be applied to. Great learning exercise, but that could be done on 300 transistors.
It’s not about the learning experience; it’s about the prospect of 100% correct emulation of legacy hardware. Emulation enthusiasts are serious about their hobby.
It’s also about the ability to market shady clone consoles!
Still, I feel that if you have a passion for it, why not run with it? If I had more time and knowledge, I would love to work on something like this, as the PSOne was my first console and still one of my favorites. I could have spent a lot of my time and effort learning to become a chemical engineer, but I chose to become a biochemist because it is more fun to me.
For many people, a learning exercise for education’s sake feels like work. Reverse engineering secrets of one of the most revolutionary game consoles sounds like a rewarding challenge.
The tools and processes they engineer to succeed at this might enable them to take on more ambitious projects in the future. I can imagine someone using their BKMs to tear into consumer devices with DRM or other stuff to see how it works and enable fair use and new technologies… :D
@Rich
Do you live in a world where there are no hobbies or idle pastimes, where fun is an alien concept and everything must have practical purpose?
Yeah? Give some examples then! This is about recreating physical machines/hardware in software. Getting it to work, and work well, is a serious technical achievement. The PS1 is good as any other outlying console yet to be dominated by software wizardry. There’s still the Saturn, N64, Dreamcast, and Xbox. The best thing we got is either ePSXe or XEBRA and both are closed source, one is Japanese and highly experimental, and the other is severely neglected.
Why not?
Looks like Jon beat me to it…
Lol, my bad. I got lucky. Love the name by the way.
Because Sony isn’t going to help us make better PSX emulators.
Asking that question means you’re on the wrong site.
“Because it’s there”
Because contrary to people like you who assume that just because an emulator can run Super Mario World it’s inherently “perfect”, emulator developers are well aware that emulating a console at anything less than the most fine-grained level can never truly replicate the hardware.
byuu has a heck of an attitude problem, but as far as his cycle-accurate SNES emulator – BSNES – is concerned, the world finally has accurate preservation of the hardware going forward for historical purposes. While you or many other people might not give half a shit about things like Speedy Gonzalez having an unavoidable hang on any emulator other than BSNES due to inaccurate timing, the fact is that through BSNES the game will remain playable long after every last working SNES has bit-rotten into dust.
SNES emulation aside, the Playstation emulation scene is even more lacking in that it currently has no emulators on the order of BSNES’s accuracy. MESS strives for accuracy but lacks in certain areas. pSX strives for accuracy but some games still fail to work due to undocumented or unexpected hardware access patterns. Don’t even get me started on PCSX or ePSXe and their pages of game-specific hacks with names that explicitly state that they’re a suck-it-and-see “fix” for an overall broken core.
Moreover, the lack of any sort of hardware-accurate emulator means that certain home-brew titles or ROM hacks that purportedly work in an inaccurate emulator stand a very good chance of not actually working on real hardware. At that point you’re no longer developing a SNES or Playstation game, you’re developing some software for a VM that runs on PCs, nothing more. The N64 ROM hack scene suffers the most from the lack of any sort of hardware-accurate emulator; there are scads of Super Mario 64 hacks out there made with Toad’s Tool 64 – a ROM editing software for Super Mario 64 – that don’t stand a chance of running on real hardware, for reasons ranging from blowing out the texture cache budget to shoving way more polygons through the machine than the real hardware would have the remotest chance of processing in time for a frame.
So, why? Because a century from now when we’re old and buried, our grandchildren will still be able to experience the *full* library of games for these consoles. THAT’S why.
“byuu has a heck of an attitude problem”
It comes with the territory. Do you really expect someone that spends ten years emulating a single video game system, despite all the grief that comes with it, to be perfectly normal and polite? But without people like that, these emulators wouldn’t ever get made.
Yeah, I kinda do. If people are allowed to shit all over me for being critical of idiot newbies after having spent 15 years working on arcade emulation, I’m allowed to criticize byuu for being a wet blanket.
@Yarr
Yeah. I have mad respect for him for what he accomplished despite the endless grief he got from the peanut gallery–lord knows the internet has some nasty, toxic communities–but he also seems to have the kind of personality that’s so detail-obsessed it loses the forest for the trees. I’m thinking specifically of how he refused to allow bsnes to open roms with the extension *.smu. He made a whole bunch of legit points about not wanting to support messed-up headers, but then tried to play up that one letter difference like it was a huge deal by itself, like he was taking a stand on principle.
As PCDEV leader said:
“There two answers:
1. Not yet drink vodka.
2. Bookstores raised the price of collections of Japanese crosswords and we decided to find alternative methods for getting it.”
They want to upload brains later, so they have to start with something simple.
Thank you, this is what HaD should write about.
/me seconds
so basically byuu levels of emulation accuracy?
Yes, with the benefit that you could cram the whole thing in an FPGA if you wanted.
Far beyond that. However, none of these transistor-level simulations have ever advanced to actually running any real games. They usually end up placed into webpage Javascript apps that show you thousands of internal state flags as you watch it spend ten minutes simulating a single instruction. The information obtained is still very useful, though.
this is a complete lie. the MAME team has been decapping PCBs for 100% accurate emulation for a decade, at least. Get your facts straight before spouting nonsense.
http://members.iinet.net.au/~lantra9jp1/gurudumps/decap/index.html
Man. If you think those ‘transistor-level simulations’ are meant to run games, you are severely misguided. These guys are digital archaeologists. They go straight to the microscopic source to derive the circuitry itself that makes up the chip. They’re trying to simulate it as closely as possible, even if it means that it won’t ever run at real-time or even output sound or an image.
If you make an emulator, you’d basically be stuck with manufacturer documentation and other technical data. In reality, this kind of material is closer to a recipe than having the ingredients. When people designed these chips, they had blueprints, they had schematics down to the metal that would be used to mass produce the physical chips.
If all you had was a hardware specification PDF, you’d have a hard time trying to fabricate the chip from scratch. Inaccurate emulators exist because of non-existent documentation or lack of interest. Accurate emulators exist because people have documentation, and do huge amounts of hardware tests and experimentation (or also use die scans etc to understand more!).
If you have high resolution die scans, or these virtual simulations, you are already a step ahead of the people that only have documentation. The best way to preserve something is its original blueprint, but this is the next best thing.
Of course, nothing is perfect – even the original systems had flaws. When emulating physical hardware, it’s easy to forget that they are physical things and obey physical laws. A lot of factors can affect the operation of the machine – temperature, humidity, and there can be interference, propagation etc.
Even byuu doesn’t emulate at the gate level, he emulates at the per-clock-tick level. And a good thing, too – any emulator based on an actual gate-level simulation of the Playstation’s chipset is going to be orders of magnitude slower than real-time on any hardware for the foreseeable future now that Moore’s Law has ostensibly bit the dust.
Psst… Raspberry PI’s GPU.
Hahaha, that’s a lot of work to get at a locked-down driver.
…still… :}
First the Sidewinder and now the PlayStation, those Russians are amazing.
Not only these. They were studying and reapplying many more chips. I wonder if in the era of secret functions embedded in hardware (ex. Israeli missiles not obeying orders in Georgia a.d. 2008) such efforts aren’t limited to Russia alone, for obvious security reasons.
No one ever figured out how to do self-boot discs for the PSX, did they?
Yes they did.
http://baetzler.de/vidgames/psx_cd_faq.html
This is so cool.
If anyone is interested about how this is done professionally, take a look at Chipworks: They reverse engineer entire devices, including processors (if you pay them enough). Their public teardowns are worth reading:
http://www.chipworks.com/en/technical-competitive-analysis/resources/blog/inside-the-iphone-6-and-iphone-6-plus/
http://www.chipworks.com/en/technical-competitive-analysis/resources/blog/inside-the-a7/
http://www.chipworks.com/en/technical-competitive-analysis/reverse-engineering-services/ic-circuit-extraction/2-static-content/technical-competitive-analysis/137-icworks-browser
pretty cool stuff imo
You could claim it’s for educational purposes and you’d be right, but as pointed out, let’s be honest, this is mainly for the emulation. Have no problem with emulator if it’s not for profit and it’s to preserve legacy hardware/software for future generations
Either way nice work!
This is pretty awesome but the troll in me just wants to stand over the guy’s shoulder going “npn pnp 1,3,5,9” just to mess up the count nyuck nyuck. Best of luck to the team and keep on tinkerin’.