[Enddrift] had a real problem trying to run a classic game, Hello Kitty Collection: Miracle Fashion Maker, into a GBA (Gameboy Advance) emulator. During startup, the game would hit an endless loop waiting for a read from a non-existent memory location and thus wouldn’t start under the emulator. The problem is, the game works on real hardware even though that memory doesn’t exist there, either.
To further complicate things, a similar bug exists when loading a saved game under Sonic Pinball Party. Then a hack for Pokemon Emerald surfaced that helped break the case. The story is pretty interesting.
You can read the details in the original post, but the upshot was that reading an invalid address on a GBA just reads the open bus because the device doesn’t have a memory management unit to throw a page fault — known in that world as a data abort. Turns out, you’d expect an open bus to read the last value you’d read or written — either some data or the last instruction fetch. But it is more complicated than that.
The code was reading ghost values not from the last CPU memory read and write, but from the last DMA cycle! The workaround is clever, too, since it compares the expected end of the DMA time with the current instruction and forces it to read the right value.
A great piece of detective work. We aren’t sure we are lining up to play Hello Kitty, but it is nice to know that we could. Especially if we had an emulator inside our real device. If your hacking desires run more to real hardware, we would suggest this FPGA project.
This is just beautiful!
Now we know where Mel went after Royal McBee.
And do you think it’s any wonder nobody ever found a bug in Hello Kitty Collection: Miracle Fashion Maker before?
Reminds me of old Apple memory ghosting on a fast reboot.
Typo on name. endrift not enddrift.
You might be surprised by the amount of bugs found in all code, past and present, which are never caught, since it works most of the time.
At first glance I’d say in the real hardware case: the memory access aliased to an existing memory location, supported the function, and was later used by the firmware without impact. And emulator wouldn’t succeed in the same case.