Archive for June, 2009

Commercial ROM ‘on the fly’ patching

Wednesday, June 24th, 2009

This morning on my train trip to work, I finally got the ‘on the fly’ patching of a commercial ROM working. The ROM I’m using is the original Street Fighter II game. What I do is define a breakpoint at 0x00812f and output a register dump with BSnes. Here are the 2 log files.

Internal BSnes log file:

devkit::power() : On
Patcher::power() On
Patcher::isBreakpoint() On
Patcher::isBreakpoint() PC Backup : 00812F
Patcher::isLifePatchingDone() addr : 81BE baseAddr : 812F size : 008E
Patcher::isLifePatchingDone() New addr : 812F
Patcher::isBreakpoint() Reset lifePatchingDisableOnce
Patcher::isBreakpoint() On
Patcher::isBreakpoint() PC Backup : 00812F
Patcher::isLifePatchingDone() addr : 81BE baseAddr : 812F size : 008E
Patcher::isLifePatchingDone() New addr : 812F
Patcher::isBreakpoint() Reset lifePatchingDisableOnce
Patcher::isBreakpoint() On
Patcher::isBreakpoint() PC Backup : 00812F
Patcher::isLifePatchingDone() addr : 81BE baseAddr : 812F size : 008E
Patcher::isLifePatchingDone() New addr : 812F
Patcher::isBreakpoint() Reset lifePatchingDisableOnce
Patcher::isBreakpoint() On
Patcher::isBreakpoint() PC Backup : 00812F
Patcher::isLifePatchingDone() addr : 81BE baseAddr : 812F size : 008E
Patcher::isLifePatchingDone() New addr : 812F
Patcher::isBreakpoint() Reset lifePatchingDisableOnc

External log with the register dumps:

Debug Command : 0x01

*************************
*** Register Dump. ******
*************************
A : 0x0000
X : 0x0001
Y : 0x000E
Direct Page      : 0x0000
Data Bank        : 0x31
Processor Status : 0x07
*************************

Debug Command : 0x01

*************************
*** Register Dump. ******
*************************
A : 0x20C2
X : 0x3101
Y : 0x20C2
Direct Page      : 0x0000
Data Bank        : 0x31
Processor Status : 0x07
*************************

Debug Command : 0x01

*************************
*** Register Dump. ******
*************************
A : 0x101F
X : 0xB101
Y : 0x101F
Direct Page      : 0x0000
Data Bank        : 0x31
Processor Status : 0x07
*************************

Debug Command : 0x01

*************************
*** Register Dump. ******
*************************
A : 0x0416
X : 0x3101
Y : 0x2016
Direct Page      : 0x0000
Data Bank        : 0x31
Processor Status : 0x07
*************************

I stopped BSnes at the main screen of Street Fighter II. That means that address 0x00812f was executed 4 times.

Next step is … ‘Step by Step’ debugging. I would like to get an interactive console to set/remove breakpoints, dump the registers with a command and execute the next instruction. The problem is that I don’t know how to implement that within BSnes. If someone has any ideas, just post a comment with them. I would really rather avoid building a GUI for that inside BSnes. The ideal solution would be an external program that can send data to BSnes with the instructions encoded in a binary format.

See ya, lint

Website discovery : usb reader for snes game carts

Monday, June 22nd, 2009

My good friend Icekiller just pasted me this link yesterday:

http://hackaday.com/2009/06/19/usb-reader-for-snes-game-carts/

A very nice project; the author has since opened a dedicated website: http://www.snega2usb.com/wordpress/

See ya, lint

VRAM Dumping and ‘on the fly’ ROM patching

Tuesday, June 16th, 2009

This morning I finished the code to dump the whole VRAM. I had been working on it for a few days. One of the issues I ran into is that the NMI got triggered in the middle of the transfer and was fucking up the VRAM registers of the SNES, so when I came back from the NMI the transfer wasn’t done properly anymore.

That’s why I implemented the ‘on the fly’ ROM patching functionality. This allows me to redirect the NMI handler to a place where the NMI does nothing while I’m transferring the VRAM. Here is a little log of what happens when I patch the ROM.

debugDump launched.
NMI Handler ...
NMI Handler ...
ROM PATCH :: Set Offset 0 : 0xEA
ROM PATCH :: Set Offset 1 : 0xFF
ROM PATCH :: Set Offset 2 : 0x00
ROM PATCH :: Read ROM [0000FFEA] => 0xEA
ROM PATCH :: Write ROM [0000FFEA] => 0x04
ROM PATCH :: Set Offset 0 : 0xEB
ROM PATCH :: Set Offset 1 : 0xFF
ROM PATCH :: Set Offset 2 : 0x00
ROM PATCH :: Read ROM [0000FFEB] => 0x85
ROM PATCH :: Write ROM [0000FFEB] => 0x86
Patched NMI Handler ...
Patched NMI Handler ...
Patched NMI Handler ...
Patched NMI Handler ...
Patched NMI Handler ...

The code to make this happen on the SNES side is:

// Patch one ROM byte through the devkit's memory-mapped patch registers:
// latch the 24-bit address, read back the current byte, then write the new one.
// Returns the old byte so the patch can be undone later.
byte _1UP_ROMPatch(dword offset, byte data) {
    byte oldValue;

    // Set address to patch (low, middle, high byte)
    *(byte*) REG(_1UP_ROM_PATCH_ADDR0) = (byte) offset;
    *(byte*) REG(_1UP_ROM_PATCH_ADDR1) = (byte) (offset>>8);
    *(byte*) REG(_1UP_ROM_PATCH_ADDR2) = (byte) (offset>>16);

    // Read actual value
    oldValue = *(byte*) REG(_1UP_ROM_PATCH_DATA);

    // Write new value
    *(byte*) REG(_1UP_ROM_PATCH_DATA) = (byte) data;

    return oldValue;
}

// Redirect the native-mode NMI vector ($00FFEA/$00FFEB, little-endian) to
// emptyNMI, keeping the old vector bytes in oldNMI[] so it can be restored
// once the VRAM transfer is finished. (Declarations assumed from the calls.)
word offset;
byte oldNMI[2];

offset = (word) &emptyNMI;
oldNMI[0] = _1UP_ROMPatch((dword) 0x0000FFEA, (byte) offset);
oldNMI[1] = _1UP_ROMPatch((dword) 0x0000FFEB, (byte) (offset>>8));
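To show what the emulator side of this protocol has to do, here is an added example (not the post's code, not bsnes code, and not the devkit's real register map): a constructed model of the four patch registers, the SNES-side `_1UP_ROMPatch` sequence against it, and the NMI-vector redirect the log above shows (vector bytes going from EA 85 to 04 86). The emulator-side model also bounds-checks the latched address against the ROM image, a check the post's log does not show but that any patcher writing into emulator memory needs.

```c
#include <stdint.h>

/* Constructed model of the emulator-side ROM-patch registers; not bsnes code and
 * not the devkit's real register map. The SNES side latches a 24-bit ROM address
 * one byte at a time (ADDR0 low, ADDR1 middle, ADDR2 high, the "Set Offset 0/1/2"
 * log lines); reading DATA returns the byte at that address, writing replaces it. */
#define ROM_SIZE 0x10000u   /* constructed: one 64 KiB bank, $00:0000-$00:FFFF */
typedef struct {
    uint8_t rom[ROM_SIZE];
    uint8_t addr[3];        /* address latch, little-endian bytes */
} patcher_t;
enum { REG_ADDR0, REG_ADDR1, REG_ADDR2, REG_DATA };

static uint32_t latched_addr(const patcher_t *p) {
    return (uint32_t)p->addr[0] | ((uint32_t)p->addr[1] << 8) | ((uint32_t)p->addr[2] << 16);
}

/* Emulator side: a write to one of the four memory-mapped registers. */
int patcher_write(patcher_t *p, int reg, uint8_t v) {
    if (reg >= REG_ADDR0 && reg <= REG_ADDR2) { p->addr[reg] = v; return 0; }
    uint32_t a = latched_addr(p);
    if (a >= ROM_SIZE) return -1;   /* never patch outside the ROM image */
    p->rom[a] = v;
    return 0;
}
/* Emulator side: a read of DATA. */
int patcher_read(const patcher_t *p, uint8_t *out) {
    uint32_t a = latched_addr(p);
    if (a >= ROM_SIZE) return -1;
    *out = p->rom[a];
    return 0;
}
/* SNES side, mirroring _1UP_ROMPatch: latch the address, read old, write new. */
int rom_patch(patcher_t *p, uint32_t offset, uint8_t data, uint8_t *old) {
    patcher_write(p, REG_ADDR0, (uint8_t)offset);
    patcher_write(p, REG_ADDR1, (uint8_t)(offset >> 8));
    patcher_write(p, REG_ADDR2, (uint8_t)(offset >> 16));
    if (patcher_read(p, old) < 0) return -1;
    return patcher_write(p, REG_DATA, data);
}

/* Point the 65816 native-mode NMI vector ($FFEA/$FFEB, little-endian) at a new
 * handler, as the post does with emptyNMI; returns the old vector for restoring. */
uint16_t redirect_nmi(patcher_t *p, uint16_t new_handler) {
    uint8_t lo = 0, hi = 0;
    rom_patch(p, 0x0000FFEA, (uint8_t)new_handler, &lo);
    rom_patch(p, 0x0000FFEB, (uint8_t)(new_handler >> 8), &hi);
    return (uint16_t)(lo | (hi << 8));
}
```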

I still use a patched version of BSnes to emulate the future hardware that is being developed by Scott.

Next stuff is OAM Dump (sprite tables) …

See ya, Lint

I would like to win a G2 HTC Magic

Friday, June 12th, 2009

You can help me getting that smartphone by clicking here :

http://www.androidparty.be/lint

Thanks in advance, ++ Lint

PS: Message for spam bots … please be welcome to follow this link :p

SDCardReader : file read and seek done.

Monday, June 8th, 2009

I just finished porting the functions to actually read a file and seek into it. Next step is to make a function that allows me to read the ROM information.

Scott seems to be ready to work on the hardware part again. I hope everything will be OK when moving to the actual hardware.

See ya, Lint