Dumping A N64 Development Cartridge Safely

Retro gaming enthusiasts have always had great interest in rarities outside the usual commercial titles. Whether they be early betas, review copies, or even near-complete versions of games that never made it to release, these finds can be inordinately valuable. [Modern Vintage Gamer] recently came across a pre-release version of Turok 3 for the Nintendo 64, and set about dumping and preserving the find.

With one-off cartridges like these, it’s important to take the utmost care in order to preserve the data onboard. Simply slapping it into a regular console might boot up the game, but carries with it a non-zero chance of damaging the cart. Instead, the first step taken was to dump the cart for archival purposes. When working with a prototype cart, commodity dumpers like the Retrode aren’t sufficient to do the job. [Modern Vintage Gamer] notes that a Doctor V64 or Gameshark with a parallel port could work, but elects to use a more modern solution in the form of the Ultrasave and 64drive.

With the cartridge backed up and duplicated onto the 64drive, the code can be run on a real console without risk of damage to the original. At first glance, the game appears similar to the final retail version. Analysis of the dump using a file comparison tool suggests that the only differences between the “80% Complete” ROM and the retail edition are headers, leading [Modern Vintage Gamer] to surmise that the game may have been rushed to release.

While in this case the dump didn’t net an amazing rare version of a retro game, [Modern Vintage Gamer] does a great job of explaining the how and why of preserving a vintage cartridge. We look forward to the next rare drop that shakes up the retro world; we’ve seen efforts on Capcom arcade boards net great results.


Snakes And Ladders: Game Boy Emulator In Python

If a Game Boy was a part of your childhood, you probably dreamed more than once of spending your entire school day with it. Well, that dream had to wait a few more years, but eventually in 2015, [Asger], [baekalfen], and [troelsy] made it a reality when they created a Game Boy emulator in Python for a university project. However, it didn’t stop there, and the emulator has since grown into a full-blown open source project, PyBoy, which just reached its version 1.0 release.

Since it started out as an academic project, the three of them had to do their research accordingly, so the background and theory about the Game Boy’s internal functionality and the emulator they wrote are summarized in a report published along with the source code. There is still some work to be done, and sadly there is no sound support implemented yet, but for the most part it’s fully functional and lets you play your own extracted cartridges, or any ROM file you happen to have in your possession.

Being an emulator, you can also inspect its inner life when run in debug mode, and watch the sprites, tiles, and data as you play, plus do cool things like play the emulation in reverse as shown in the clip below. Even more so, you can just load the instance in your own Python scripts, and start writing your own bots for your games, something we’ve seen in action for the NES before. And if you want to dive really deep into the world of the Game Boy, you should definitely watch the 33c3 talk about it.


Dumping Arcade ROMs The Hard Way

Nostalgia is a funny thing. That desire we all get to relive past memories can make you do things that in any other scenario would be out of the question. The effect seems even stronger when it comes to old video games. How else can you explain buying the same games over and over every time they get “remastered” for the next generation of consoles? But what if those remasters aren’t good enough?

If you have a burning desire to play a 100% accurate version of certain old arcade games, you might have your work cut out for you. Getting precise ROMs from some of these machines is exceptionally difficult, and as explained on the [CAPS0ff] blog, sometimes requires nearly superhuman feats of engineering.

As explained in the blog post, less invasive methods of getting inside the Taito C-Chip had already been examined and come up lacking. Despite best efforts, sending the unlock command to the chip didn’t yield the desired effect. If you can’t read the ROM the usual way, you need to get a little creative.

The process starts by milling down the case of the chip until the integrated circuit is just starting to become visible. Then acid is used to fully expose the traces. The traces are then tinned, and some very fine soldering is done to get the chip wired up to the reader. All told it takes about three hours from start to finish to pull a ROM using this method. But it’s all worth it in the end when you can play that 100% accurate version of Rainbow Islands. Or so we’ve been told.

If you couldn’t tell, this isn’t the first time a chip has been flayed open like this on the [CAPS0ff] blog.

Extracting A Vector Font From A Vintage Plotter

There is a huge variety of hardware out there with a font of some form or other baked into the ROM. If it’s got a display it needs a font, and invariably that font is stored as a raster. Finding these fonts is trivial – dump the ROM, render it as a bitmap, and voilà – there’s your font. However, what if you’re trying to dump the font from a vintage Apple 410 Color Plotter? It’s stored in a vector format, and your job just got a whole lot harder.

The problem with a vector font is that the letters aren’t stored as individual images, but as a series of instructions that, when parsed correctly, draw the character. This has many benefits for generating characters in all manner of different sizes, but makes the font itself much harder to find in a ROM dump. You’re looking for both the instructions that generate the characters, as well as the code used to draw them, if you want a full representation of the font.

The project begins by looking at what’s known about the plotter. The first part of any such job is always knowing where to look, of course. It’s quickly determined that the font is definitely stored in the main ROM, and that there is no other special vector drawing chip or ROMs on board. The article then steps through the search process, beginning with plaintext searches of the binary dump, before progressing to a full disassembly of the plotter firmware. After testing out various assumptions and working methodically, the vector data is found and eventually converted into a modern TrueType font.

In the end, the project is successful, and it’s a great guide on how to approach similar projects. The key is to lay out everything you know at the start, and use that to guide your search step by step, testing and discarding assumptions until you hit paydirt. We’ve seen similar works before, like this project to dump the voice from an ancient Chrysler Electronic Voice Alert.

Completely Owning The Dreamcast Add-on You Never Had

If you’ve got a SEGA Dreamcast kicking around in a closet somewhere, and you still have the underutilized add-on Visual Memory Unit (VMU), you’re in for a treat today. If not, but you enjoy incredibly detailed hacks into the depths of slightly aged silicon, you’ll be even more excited. Because [Dmitry Grinberg] has a VMU hack that will awe you with its completeness. With all the bits in place, the hacking tally is a new MAME emulator, an IDA plugin, a never-before ROM dump, and an emulator for an ARM chip that doesn’t exist, running Flappy Bird. All in a month’s work!

The VMU was a Dreamcast add-on that primarily stored game data in its flash memory, but it also had a small LCD display, a D-pad, and inter-VMU communications functions. It also had room for a standalone game which could interact with the main Dreamcast games in limited ways. [Dmitry] wanted to see what else he could do with it. Basically everything.

We can’t do this hack justice in a short write-up, but the outline is that he starts out with the datasheet for the VMU’s CPU, and goes looking for interesting instructions. Then he started reverse engineering the ROM that comes with the SDK, which was only trivially obfuscated. Along the way, he wrote his own IDA plugin for the chip. Discovery of two ROP gadgets allowed him to dump the ROM to flash, where it could be easily read out. Those of you in the VMU community will appreciate the first-ever ROM dump.

On to doing something useful with the device! [Dmitry]’s definition of useful is to have it emulate a modern CPU so that it’s a lot easier to program for. Of course, nobody writes an emulator for modern hardware directly on obsolete hardware — you emulate the obsolete hardware on your laptop to get a debug environment first. So [Dmitry] ported the emulator for the VMU’s CPU that he found in MAME from C++ to C (for reasons that we understand) and customized it for the VMU’s hardware.

Within the emulated VMU, [Dmitry] then wrote the ARM Cortex emulator that it would soon run. But which ARM Cortex to emulate? The Cortex-M0 would have been good enough, but it lacked some instructions that [Dmitry] liked, so he ended up writing an emulator of the not-available-in-silicon Cortex-M23, which had the features he wanted. Load up the Cortex emulator in the VMU, and you can write games for it in C. [Dmitry] provides two demos, naturally: a Mandelbrot set grapher, and Flappy Bird.

Amazed? Yeah, we were as well. But then this is the same guy who emulated an ARM chip on the AVR architecture, just to run Linux on an ATMega1284p.

Rebonding An IC To Save Tatakae! Big Fighter

Preserving old arcade games is a niche pastime that can involve some pretty serious hacking skills. If the story here were just that someone pulled the chip from a game, took it apart, and figured out the ROM contents, that’d be pretty good. But the real story is way stranger than that.

Apparently, a bunch of devices were sent to a lab to be reverse engineered and were somehow lost. Nearly ten years later, the devices reappeared, and another group has taken the initiative to recover their contents. The chip in question was part of a 1989 arcade game called Tatakae! Big Fighter, and it had been hacked. Literally hacked. Like with an ax or something worse.

You can read the story of how the contents were recovered. You shouldn’t try this at home without a vent hood and other safety gear. However, they did rebond wires to the device using a clever trick and no exotic equipment (assuming you have some fairly good optical microscopes and a microprobe on a lens positioner).


Glitching USB Firmware For Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted to get at the firmware: to reverse engineer it, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project. If you’re interested in chip power glitching attacks, and if you don’t suffer from a short attention span, watch it; it’s a phenomenal introduction.
