This is my Gameboy Advance SP, Classic NES Edition. Next to it is my EZ Flash Advance 256Mb flash card (the sticker fell off long ago). With this you can load arbitrary code and run it on the GBA. Code is loaded into the card using a USB cable that connects to the GBA's link port. Simple enough, right?
The main problems with this arrangement are:
- the loader software only runs in Windows
- the driver doesn't seem to work on post-XP operating systems (Vista/7)
- the loader software is extremely unreliable and touchy, often freezing during transfers.
So the goal is to figure out how the various components of the system function, then to write software and build hardware to try to rectify the three problems above.
What I Already Know
- the loader cable contains at the very least an FTDI USB->Serial bridge. This is obvious from inspecting the driver package included with the software. The actual PCB inside the cable has two IC's, but the markings have been filed off both. I am assuming that the second IC is a microcontroller of some kind. I could possibly go to the trouble of desoldering these chips and trying to read code off of them, but chances are if you are filing off chip markings, you are probably setting code protection flags.
- Other than the two ICs, the PCB has a 6 MHz crystal, a couple diodes, resistors and capacitors. It's a two-sided board, the FTDI chip is a TQFP32 and the assumed microcontroller is a TQFP48.
- This microcontroller is probably responsible for translating the TTL serial data from the FTDI chip and converting it to whatever the GBA expects to see. Possibly also does some checksumming or other functions.
- The loader operates by starting the GBA in "multiboot" mode, which allows it to receive an executable of up to 256Kb over the link port and run from RAM. This loader executable receives further data/commands over the link port to write to the flash cartridge. I'm trying to find details on how multiboot operates (SPI, or a modification thereof?).
Possible routes of exploration:
- Disassembly of the loader .exe file. I already determined that the .exe was compressed with ASPack 2.12, so I unpacked it and loaded it into a disassembler. I'm not yet quite familiar with x86 assembly or the inner workings of the Win32 environment, so I'm not sure how much luck I'll have here. I was hoping to at least find the multiboot executable but I haven't had luck yet.
- USB analyzer. I have tried Snoopy Pro and SniffUSB to log various transactions with the cable. Some interesting data was collected, this will be shared in a later post. May need to pull some FTDI documentation to see if some more details on how their chips communicate on the bus are available.
- Logic analyzer. I don't own one of these, but I might be able to build a rudimentary one. Maybe something like a Bus Pirate would be more appropriate. This would be used either on the serial pins going into the GBA directly, or the data stream from the FTDI chip to the microcontroller. Both may be interesting to determine what the microcontroller is doing.
No comments:
Post a Comment