Dumping Arcade ROMs the Hard Way

Nostalgia is a funny thing. That desire we all get to relive past memories can make you do things that in any other scenario would be out of the question. The effect seems even stronger when it comes to old video games. How else can you explain buying the same games over and over every time they get “remastered” for the next generation of consoles? But what if those remasters aren’t good enough?

If you have a burning desire to play a 100% accurate version of certain old arcade games, you might have your work cut out for you. Getting precise ROMs from some of these machines is exceptionally difficult, and as explained on the [CAPS0ff] blog, sometimes requires nearly superhuman feats of engineering.

As explained in the blog post, less invasive methods of getting inside the Taito C-Chip had already been examined and come up lacking. Despite best efforts, sending the unlock command to the chip didn’t yield the desired effect. If you can’t read the ROM the usual way, you need to get a little creative.

The process starts by milling down the case of the chip until the integrated circuit is just starting to become visible. Then acid is used to fully expose the traces. The traces are then tinned, and some very fine soldering is done to get the chip wired up to the reader. All told it takes about three hours from start to finish to pull a ROM using this method. But it’s all worth it in the end when you can play that 100% accurate version of Rainbow Islands. Or so we’ve been told.

If you couldn’t tell, this isn’t the first time a chip has been flayed open like this on the [CAPS0ff] blog.

Extracting A Vector Font From A Vintage Plotter

There is a huge variety of hardware out there with a font of some form or other baked into the ROM. If it’s got a display it needs a font, and invariably that font is stored as a raster. Finding these fonts is trivial – dump the ROM, render it as a bitmap, and voilà – there’s your font. However, what if you’re trying to dump the font from a vintage Apple 410 Color Plotter? It’s stored in a vector format, and your job just got a whole lot harder.
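The raster case described above, as an added example that is not code from the article: a Python script that renders 8-byte cells of a ROM image as 8x8 bitmaps and scans every byte alignment for runs of glyph-like cells. The glyph format (8x8, one byte per row, MSB leftmost), the heuristic thresholds and the sample ROM are all assumptions constructed here; real fonts vary in height and packing, so the format constants are the first thing to adjust on a real dump.

```python
"""Find and render 1bpp raster glyphs in a ROM dump (added example, not from the article)."""
from typing import List, Tuple

GLYPH_HEIGHT = 8  # assumed format: 8x8 glyphs, one byte per row, MSB is the leftmost pixel


def render_glyph(rom: bytes, offset: int, height: int = GLYPH_HEIGHT) -> List[str]:
    """Render `height` row bytes starting at `offset` as ASCII art, one string per row."""
    rows = rom[offset:offset + height]
    return ["".join("#" if (b >> (7 - x)) & 1 else "." for x in range(8)) for b in rows]


def looks_like_glyph(cell: bytes) -> bool:
    """Cheap heuristic: does this 8-byte cell plausibly hold one character?"""
    if len(cell) != GLYPH_HEIGHT or 0xFF in cell:
        return False                      # solid rows are fill or erased flash, not type
    inked = sum(1 for b in cell if b)
    if not 3 <= inked <= GLYPH_HEIGHT - 1:
        return False                      # letters have ink plus at least one padding row
    if len(set(cell)) < 3:
        return False                      # repeated bytes look like tables, not letters
    pixels = sum(bin(b).count("1") for b in cell)
    return 6 <= pixels <= 40


def find_font_runs(rom: bytes, min_glyphs: int = 3) -> List[Tuple[int, int]]:
    """Return (offset, glyph_count) for runs of consecutive glyph-like cells, longest first.

    Every byte alignment is tried because a font table can start at any offset, and a
    single cell passing the heuristic means little: code and data tables pass it all
    the time, a run of consecutive cells rarely does.
    """
    runs: List[Tuple[int, int]] = []
    for phase in range(GLYPH_HEIGHT):
        offsets = range(phase, len(rom) - GLYPH_HEIGHT + 1, GLYPH_HEIGHT)
        start = None
        for off in list(offsets) + [None]:   # trailing None flushes a run at the end
            hit = off is not None and looks_like_glyph(rom[off:off + GLYPH_HEIGHT])
            if hit and start is None:
                start = off
            elif not hit and start is not None:
                end = off if off is not None else offsets[-1] + GLYPH_HEIGHT
                count = (end - start) // GLYPH_HEIGHT
                if count >= min_glyphs:
                    runs.append((start, count))
                start = None
    return sorted(runs, key=lambda r: (-r[1], r[0]))


def dump_run(rom: bytes, offset: int, count: int) -> str:
    """Render `count` consecutive glyphs side by side for eyeballing."""
    glyphs = [render_glyph(rom, offset + i * GLYPH_HEIGHT) for i in range(count)]
    return "\n".join("  ".join(g[row] for g in glyphs) for row in range(GLYPH_HEIGHT))


# Constructed sample ROM (not a real dump): erased-flash fill, three 8x8 glyphs (A, B, C),
# more fill, then code-like bytes that pass the cell heuristic but never form a long run.
GLYPH_A = bytes([0x18, 0x24, 0x42, 0x7E, 0x42, 0x42, 0x42, 0x00])
GLYPH_B = bytes([0x7C, 0x42, 0x42, 0x7C, 0x42, 0x42, 0x7C, 0x00])
GLYPH_C = bytes([0x3C, 0x42, 0x40, 0x40, 0x40, 0x42, 0x3C, 0x00])
CODE_LIKE = bytes([0xEA, 0x00, 0x80, 0xA9, 0x01, 0x8D, 0x00, 0x20])
SAMPLE_ROM = b"\xff" * 32 + GLYPH_A + GLYPH_B + GLYPH_C + b"\xff" * 16 + CODE_LIKE * 2

if __name__ == "__main__":
    for offset, count in find_font_runs(SAMPLE_ROM):
        print(f"candidate font at 0x{offset:04x}: {count} glyphs")
        print(dump_run(SAMPLE_ROM, offset, count))
```

On a real image the run-length threshold does most of the work: an ASCII font is dozens of consecutive cells, while the code-like bytes in the sample pass the per-cell test yet never chain together.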

The problem with a vector font is that the letters aren’t stored as individual images, but as a series of instructions that, when parsed correctly, draw the character. This has many benefits for generating characters in all manner of different sizes, but makes the font itself much harder to find in a ROM dump. You’re looking for both the instructions that generate the characters, as well as the code used to draw them, if you want a full representation of the font.

The project begins by looking at what’s known about the plotter. The first part of any such job is always knowing where to look, of course. It’s quickly determined that the font is definitely stored in the main ROM, and that there is no other special vector drawing chip or ROMs on board. The article then steps through the search process, beginning with plaintext searches of the binary dump, before progressing to a full disassembly of the plotter firmware. After testing out various assumptions and working methodically, the vector data is found and eventually converted into a modern TrueType font.
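An added example of the vector half of the problem, a table-driven stroke font, which is not code from the article or from the plotter's actual firmware. The stroke encoding, opcode values, pointer-table layout and the sample ROM are all invented here for illustration; the Apple 410's real format is precisely what the article's disassembly had to recover, and a decoder like this is what you write once you have it.

```python
"""Decode a table-driven stroke font from a ROM image (added example; the encoding is invented)."""
import struct
from typing import List, Tuple

Point = Tuple[int, int]
Segment = Tuple[Point, Point]

# Invented stroke encoding, NOT the Apple 410's: a glyph is a byte stream of
#   0x01 xy   pen up, move to (x, y)
#   0x02 xy   pen down, draw from the current position to (x, y)
#   0x00      end of glyph
# where xy packs x into the high nibble and y into the low nibble (y grows upward).
OP_END, OP_MOVE, OP_DRAW = 0x00, 0x01, 0x02


def decode_strokes(rom: bytes, offset: int) -> List[Segment]:
    """Walk one glyph's stroke list and return the line segments it draws."""
    segments: List[Segment] = []
    pen: Point = (0, 0)
    i = offset
    while True:
        if i >= len(rom):
            raise ValueError(f"stroke list at 0x{offset:04x} runs off the end of the ROM")
        op = rom[i]
        if op == OP_END:
            return segments
        if op not in (OP_MOVE, OP_DRAW) or i + 1 >= len(rom):
            raise ValueError(f"bad opcode 0x{op:02x} at 0x{i:04x}")
        xy = rom[i + 1]
        target = (xy >> 4, xy & 0x0F)
        if op == OP_DRAW:
            segments.append((pen, target))
        pen = target
        i += 2


def glyph_offset(rom: bytes, table: int, code: int, first: int) -> int:
    """Look up a glyph's stroke-list offset in a table of 16-bit little-endian pointers,
    one entry per character code starting at `first` (a layout assumed for this example)."""
    if code < first:
        raise KeyError(f"character {code:#x} precedes the table")
    return struct.unpack_from("<H", rom, table + 2 * (code - first))[0]


def decode_glyph(rom: bytes, table: int, ch: str, first: str = "L") -> List[Segment]:
    return decode_strokes(rom, glyph_offset(rom, table, ord(ch), ord(first)))


def scale(segments: List[Segment], factor: int) -> List[Segment]:
    """The payoff of a vector font: the same strokes at any size, with no resampling."""
    return [((ax * factor, ay * factor), (bx * factor, by * factor))
            for (ax, ay), (bx, by) in segments]


def to_svg_path(segments: List[Segment]) -> str:
    return " ".join(f"M{ax} {ay} L{bx} {by}" for (ax, ay), (bx, by) in segments)


# Constructed ROM image: a two-entry pointer table for 'L' and 'M' followed by their strokes.
STROKES_L = bytes([OP_MOVE, 0x07, OP_DRAW, 0x00, OP_DRAW, 0x40, OP_END])
STROKES_M = bytes([OP_MOVE, 0x00, OP_DRAW, 0x07, OP_DRAW, 0x24,
                   OP_DRAW, 0x47, OP_DRAW, 0x40, OP_END])
TABLE_BASE = 0
SAMPLE_ROM = struct.pack("<HH", 4, 4 + len(STROKES_L)) + STROKES_L + STROKES_M

if __name__ == "__main__":
    for ch in "LM":
        segs = decode_glyph(SAMPLE_ROM, TABLE_BASE, ch)
        print(ch, to_svg_path(scale(segs, 10)))
```

The pointer table is the thing to hunt for in a dump: a run of same-width values that all land inside one nearby region is a strong tell, and a candidate decoding is confirmed when every entry's stroke list terminates cleanly on the same end marker rather than running into the next one.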

In the end, the project is successful, and it’s a great guide on how to approach similar projects. The key is to lay out everything you know at the start, and use that to guide your search step by step, testing and discarding assumptions until you hit paydirt. We’ve seen similar works before, like this project to dump the voice from an ancient Chrysler Electronic Voice Alert.

Completely Owning the Dreamcast Add-on You Never Had

If you’ve got a SEGA Dreamcast kicking around in a closet somewhere, and you still have the underutilized add-on Visual Memory Unit (VMU), you’re in for a treat today. If not, but you enjoy incredibly detailed hacks into the depths of slightly aged silicon, you’ll be even more excited. Because [Dmitry Grinberg] has a VMU hack that will awe you with its completeness. With all the bits in place, the hacking tally is a new MAME emulator, an IDA plugin, a never-before-seen ROM dump, and an emulator for an ARM chip that doesn’t exist, running Flappy Bird. All in a month’s work!

The VMU was a Dreamcast add-on that primarily stored game data in its flash memory, but it also had a small LCD display, a D-pad, and inter-VMU communications functions. It also had room for a standalone game which could interact with the main Dreamcast games in limited ways. [Dmitry] wanted to see what else he could do with it. Basically everything.

We can’t do this hack justice in a short write-up, but the outline is that he starts out with the datasheet for the VMU’s CPU, and goes looking for interesting instructions. Then he started reverse engineering the ROM that comes with the SDK, which was only trivially obfuscated. Along the way, he wrote his own IDA plugin for the chip. Discovery of two ROP gadgets allowed him to dump the ROM to flash, where it could be easily read out. Those of you in the VMU community will appreciate the first-ever ROM dump.

On to doing something useful with the device! [Dmitry]’s definition of useful is to have it emulate a modern CPU so that it’s a lot easier to program for. Of course, nobody writes an emulator for modern hardware directly on obsolete hardware — you emulate the obsolete hardware on your laptop to get a debug environment first. So [Dmitry] ported the emulator for the VMU’s CPU that he found in MAME from C++ to C (for reasons that we understand) and customized it for the VMU’s hardware.

Within the emulated VMU, [Dmitry] then wrote the ARM Cortex emulator that it would soon run. But what ARM Cortex to emulate? The Cortex-M0 would have been good enough, but it lacked some instructions that [Dmitry] liked, so he ended up writing an emulator of the not-available-in-silicon Cortex-M23, which had the features he wanted. Load up the Cortex emulator in the VMU, and you can write games for it in C. [Dmitry] provides two demos, naturally: a Mandelbrot set grapher, and Flappy Bird.

Amazed? Yeah, we were as well. But then this is the same guy who emulated an ARM chip on the AVR architecture, just to run Linux on an ATMega1284p.

Rebonding an IC to Save Tatakae! Big Fighter

Preserving old arcade games is a niche pastime that can involve some pretty serious hacking skills. If the story here were just that someone pulled the chip from a game, took it apart, and figured out the ROM contents, that’d be pretty good. But the real story is way stranger than that.

Apparently, a bunch of devices were sent to a lab to be reverse engineered and were somehow lost. Nearly ten years later, the devices reappeared, and another group has taken the initiative to recover their contents. The chip in question was part of a 1989 arcade game called Tatakae! Big Fighter, and it had been hacked. Literally hacked. Like with an ax or something worse.

You can read the story of how the contents were recovered. You shouldn’t try this at home without a vent hood and other safety gear. However, they did rebond wires to the device using a clever trick and no exotic equipment (assuming you have some fairly good optical microscopes and a microprobe on a lens positioner).


Glitching USB Firmware for Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted to get at the firmware: to reverse engineer it, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from a short attention span, watch it; it’s a phenomenal introduction.
