If you’ve got a SEGA Dreamcast kicking around in a closet somewhere, and you still have the underutilized add-on Visual Memory Unit (VMU), you’re in for a treat today. If not, but you enjoy incredibly detailed hacks into the depths of slightly aged silicon, you’ll be even more excited. Because [Dmitry Grinberg] has a VMU hack that will awe you with its completeness. With all the bits in place, the hacking tally is a new MAME emulator, an IDA plugin, a first-ever ROM dump, and an emulator for an ARM chip that doesn’t exist, running Flappy Bird. All in a month’s work!
The VMU was a Dreamcast add-on that primarily stored game data in its flash memory, but it also had a small LCD display, a D-pad, and inter-VMU communications functions. It also had room for a standalone game which could interact with the main Dreamcast games in limited ways. [Dmitry] wanted to see what else he could do with it. Basically everything.
We can’t do this hack justice in a short write-up, but the outline is that he starts out with the datasheet for the VMU’s CPU, and goes looking for interesting instructions. Then he starts reverse engineering the ROM that comes with the SDK, which was only trivially obfuscated. Along the way, he writes his own IDA plugin for the chip. Discovery of two ROP gadgets allows him to dump the ROM to flash, where it can be easily read out. Those of you in the VMU community will appreciate the first-ever ROM dump.
On to doing something useful with the device! [Dmitry]’s definition of useful is to have it emulate a modern CPU so that it’s a lot easier to program for. Of course, nobody writes an emulator for modern hardware directly on obsolete hardware — you emulate the obsolete hardware on your laptop to get a debug environment first. So [Dmitry] ported the emulator for the VMU’s CPU that he found in MAME from C++ to C (for reasons that we understand) and customized it for the VMU’s hardware.
Within the emulated VMU, [Dmitry] then wrote the ARM Cortex emulator that it would soon run. But what ARM Cortex to emulate? The Cortex-M0 would have been good enough, but it lacked some instructions that [Dmitry] liked, so he ended up writing an emulator of the not-available-in-silicon Cortex-M23, which had the features he wanted. Load up the Cortex emulator in the VMU, and you can write games for it in C. [Dmitry] provides two demos, naturally: a Mandelbrot set grapher, and Flappy Bird.
Amazed? Yeah, we were as well. But then this is the same guy who emulated an ARM chip on the AVR architecture, just to run Linux on an ATMega1284p.
Emulation:==turtles all the way down.
Yes, amazed :0
Amazing work, I have a few VMUs lying around after buying into the Dreamcast. The whole set is collecting dust now. Time to fire it up, worst case scenario I spend a week playing Skies of Arcadia.
INB4 just play the NGC version on Dolphin.
Man, I LOVED Skies of Arcadia. Always felt it was tragic that the game never got a true prequel or sequel like it deserved.
First thought, looks like a Tamagotchi.
Second thought, timing is right. I’m going to guess that is what Sega intended to do with it. A Tamagotchi that when you are home interacts with a console game.
Yeah, that’s sort of it.
Certain games had add-on games that could be played on the VMU, for example, the Chao raising in the Sonic Adventure games (which worked very much like Tamagotchi…). Your progress raising the Chao could then be loaded back into the game. There were other games as well but I can’t remember them. The connector was designed such that you could plug in one VMU to another and play multiplayer.
But there were several problems with the VMU:
– It was small – even for my small hands it was difficult to use
– Used CR2032 batteries, which aren’t cheap
– Was late 90s tech, so it ate those CR2032s very quickly
– Not many games made use of it, and those that did weren’t that entertaining
It was still neat tech to have for its day.
I still have quite a few VMUs myself.
I only had two Dreamcast games that could load up minigames into the VMU (Mainly Soulcalibur, but I think Seaman could do so too), but did have many more games that used the thing as an in-controller display similar in style to an early low-res WiiU type of system.
But for most of my friends the killer feature was sharing game saves when connecting two VMUs together.
I think most of us (myself certainly) had quite a few of the cheaper normal flash versions to store our saves at home, but we always copied our interesting ones to a VMU before heading to whomever’s house for a gaming weekend almost entirely to swap saves without tying up a Dreamcast to do it.
I still believe Sega was too ahead of its time with the Dreamcast.
PowerVR was ahead of its time.
The battery issue was bad, especially because the VMU had an RTC inside and so it would eat batteries while “off”. Nobody ever replaced them. They would beep when plugged in and starting the Dreamcast if the batteries were bad… quite noisy with 4x controllers, 2x slots each!
Skies of Arcadia had a fairly decent mini-RPG game for the VMU where you could get things in the VMU that would carry over into your game on the Dreamcast
Being late 90s you would expect it to be efficient. CR2032s aren’t that expensive if you get them in packs but if you are always replacing them then I suppose it would add up and they are not rechargeable either unfortunately. At least it used 2032s instead of one of the others that nothing uses.
Although it is not really in the lines you are speaking of, one of my favorite things the VMU did was actually giving you privacy when choosing plays in football games. I am not a big sports person, but that alone was pretty cool because it gave your buddy no clue what formation or play you were choosing :)
Excellent! I purchased one of these at my local music/game resale store last summer meaning to do something to this same effect but it went the way of most of my projects: into the “later” box. This will give me motivation to crack mine open and do a little work of my own!
Dmitry is amazing as always :) Great work-you are a genius.
Here’s to hoping that the new Seaman will actually be released this time :)
What’cha running in that thing? A potato chip? :P
For those confused, the internal name for the CPU in the VMU was a custom version of the Sanyo LC8670, codename “Potato”
http://www.ign.com/boards/threads/sega-dreamcasts-vmu-ran-on-potato.454369126/
Dmitry could we have a DNA test please? I think you might not be human.
“You know what my days used to be like? I just tested. Nobody murdered me. Or put me in a potato. Or fed me to birds. I had a pretty good life.”
The most impressive thing to me is the STM32 maple implementation. The rest isn’t much beyond what we had in 2003-2004 timeframe. Several of us had dumped the VMU ROMs but chose to not speak of it for fear of litigation by SEGA.
Almost entirely certain you did not have a Cortex-M23 emulator ;)
I’m glad the emulation scene is becoming more open.
Cool beans!
I have a VMU that I’ve been meaning to replace the guts of with an ESP32 running an NES emulator http://hackaday.com/2016/10/10/porting-nes-to-the-esp32/
Can’t find it for $3 on ebay, more like $10
I owe you $7.
Not sure what your reply means. Just to explain: Dmitry’s original article mentioned a $3 eBay price. When searching now, the lowest-priced new VMU is $12 and you can get used, scratched ones for a bit less. I did not mean it as a complaint, I was just interested whether anyone else had perhaps found a better offer. While this is indeed a very cool project, for $3 it would be really super cool. For $12 it is still very cool, but a ton of other stuff to repurpose can be had for that price, so it is not an instant buy anymore.
Pulling Dreamcast out of closet now.
Why was ROP necessary? Doesn’t the VMU run unsigned code by design?
What is up with the title? Everyone who has a Dreamcast surely has a VM. It’s the normal memory card and the controllers are designed around it. It’s not some obscure accessory like the Pocketstation. Practically every piece of DC software at least shows a splash screen on the VMs whilst they are inserted. Also, people have been VMU programming for almost two decades, have they not? Considering there are emulators I’m sure ROM dumps have been done before. It does sound like this guy must have spent quite a lot of time though, what with porting the emulator and writing an emulator for a modern ARM for it that still has enough memory left to have that emulator run actual proper programs.
If you were to read the article, you’d see that the leaked SDK has an early-version Japanese ROM for the VMU. The released American one had never been published/dumped as far as I know.