Adventures in creative engineering.

Monday, May 31, 2010

Further exploration

Unfortunately, in disassembling the GBA side of the cable as seen in the previous post, I inadvertently knocked two of the tiny (I think they are 603's) capacitors off the board. I'm working on fixing these. Looks like one is just a loading capacitor for the crystal oscillator, not sure what the other is for.

But today I'm going to detail some of my findings from yesterday with the USB sniffing software. According to some documentation found here, every GBA ROM contains a sequence of bytes containing the Nintendo logo. I searched through the USB dump to find these bytes and this is the first match:



00000000  2e 00 00 ea 24 ff ae 51  69 9a a2 21 3d 84 82 0a  |....$..Qi..!=...|
00000010  84 e4 09 ad 11 24 8b 98  c0 81 7f 21 a3 52 be 19  |.....$.....!.R..|
00000020  93 09 ce 20 10 46 4a 4a  f8 27 31 ec 58 c7 e8 33  |... .FJJ.'1.X..3|
00000030  82 e3 ce bf 85 f4 df 94  ce 4b 09 c1 94 56 8a c0  |.........K...V..|
00000040  13 72 a7 fc 9f 84 4d 73  a3 ca 9a 61 58 97 a3 27  |.r....Ms...aX..'|
00000050  fc 03 98 76 23 1d c7 61  03 04 ae 56 bf 38 84 00  |...v#..a...V.8..|
00000060  40 a7 0e fd ff 52 fe 03  6f 95 30 f1 97 fb c0 85  |@....R..o.0.....|
00000070  60 d6 80 25 a9 63 be 03  01 4e 38 e2 f9 a2 34 ff  |`..%.c...N8...4.|
00000080  bb 3e 03 44 78 00 90 cb  88 11 3a 94 65 c0 7c 63  |.>.Dx.....:.e.|c|
00000090  87 f0 3c af d6 25 e4 8b  38 0a ac 72 a5 d4 f8 07  |..<..%..8..r....|
000000a0  45 5a 46 41 30 30 33 00  00 00 00 00 00 00 00 00  |EZFA003.........|
000000b0  30 31 96 00 80 00 04 00  00 e0 01 00 00 d2 00 00  |01..............|



This is 192 bytes, which would make it the same length as a GBA ROM header. The next packet is received from the device and contains the following:


00000000  31 00 57 00 00 74 8a 75  ff 24 84 45 59 96 50 41  |1.W..t.u.$.EY.PA|
00000010  21 bc b5 90 27 21 19 d1  24 88 84 fe 81 03 98 7d  |!...'!..$......}|
00000020  4a c5 04 73 90 c9 52 52  62 08 37 8c e4 1f cc 17  |J..s..RRb.7.....|
00000030  e3 1a fd 73 c7 41 29 fb  2f a1 83 90 d2 73 03 51  |...s.A)./....s.Q|
00000040  31 00 6a 29 3f e5 4e c8  ce b2 21 f9 86 59 53 c5  |1.j)?.N...!..YS.|
00000050  e4 c5 e9 1a 6e 19 c0 3f  86 e3 b8 c4 6a 75 20 c0  |....n..?....ju .|
00000060  00 21 1c fd bf 70 e5 02  c0 7f 4a ff 8f 0c a9 f6  |.!...p....J.....|
00000070  a1 03 df e9 a4 01 6b 06  c0 7d c6 95 47 1c 72 80  |......k..}..G.r.|
00000080  31 00 ff 2c 45 9f 22 c0  7c dd d3 09 00 1e 29 5c  |1..,E.".|.....)\|
00000090  88 11 c6 3e 03 a6 96 4e  86 b2 ce 6e 04 f6 f6 22  |...>...N...n..."|
000000a0  04 74 9e a6 d6 76 76 f6  d2 04 22 ca 00 e6 00 00  |.t...vv...".....|
000000b0  00 d2 a2 ac b2 42 00 69  8c 0c f0 12 83 00 00 00  |.....B.i........|
000000c0  31 60 07 10 00 00 62 00                           |1`....b.|


This is 200 bytes of data. I'm not sure if this is object code or something else. I'm working on getting an ARM disassembler to see what comes out of this.

Beginning

Hello! I'm setting up this blog to chronicle my experiences in reverse engineering. I'm an electrical engineering student and I love video games, so I'm attempting to reverse engineer a Flash ROM cartridge and loader cable for my Gameboy Advance. This isn't state of the art stuff but nonetheless it's a learning exercise for my own benefit.


This is my Gameboy Advance SP, Classic NES Edition. Next to it is my EZ Flash Advance 256Mb flash card (the sticker fell off long ago). With this you can load arbitrary code and run it on the GBA. Code is loaded into the card using a USB cable that connects to the GBA's link port. Simple enough, right?

The main problems with this arrangement are:
  1. the loader software only runs in Windows
  2. the driver doesn't seem to work on post-XP operating systems (Vista/7)
  3. the loader software is extremely unreliable and touchy, often freezing during transfers.

So the goal is to figure out how the various components of the system function, then to write software and build hardware to try to rectify the three problems above.

What I Already Know

  • the loader cable contains at the very least an FTDI USB->Serial bridge. This is obvious from inspecting the driver package included with the software. The actual PCB inside the cable has two IC's, but the markings have been filed off both. I am assuming that the second IC is a microcontroller of some kind. I could possibly go to the trouble of desoldering these chips and trying to read code off of them, but chances are if you are filing off chip markings, you are probably setting code protection flags. 
  • Other than the two ICs, the PCB has a 6 MHz crystal, a couple diodes, resistors and capacitors. It's a two-sided board, the FTDI chip is a TQFP32 and the assumed microcontroller is a TQFP48.
  • This microcontroller is probably responsible for translating the TTL serial data from the FTDI chip and converting it to whatever the GBA expects to see. Possibly also does some checksumming or other functions.
  • The loader operates by starting the GBA in "multiboot" mode, which allows it to receive an executable of up to 256Kb over the link port and run from RAM. This loader executable receives further data/commands over the link port to write to the flash cartridge. I'm trying to find details on how multiboot operates (SPI, or a modification thereof?).
Possible routes of exploration:

  • Disassembly of the loader .exe file. I already determined that the .exe was compressed with ASPack 2.12, so I unpacked it and loaded it into a disassembler. I'm not yet quite familiar with x86 assembly or the inner workings of the Win32 environment, so I'm not sure how much luck I'll have here. I was hoping to at least find the multiboot executable but I haven't had luck yet.
  • USB analyzer. I have tried Snoopy Pro and SniffUSB to log various transactions with the cable. Some interesting data was collected, this will be shared in a later post. May need to pull some FTDI documentation to see if some more details on how their chips communicate on the bus are available.
  • Logic analyzer. I don't own one of these, but I might be able to build a rudimentary one. Maybe something like a Bus Pirate would be more appropriate. This would be used either on the serial pins going into the GBA directly, or the data stream from the FTDI chip to the microcontroller. Both may be interesting to determine what the microcontroller is doing.