endrift

Analogue Pocket: A Hate Story

December 13, 2021

My apologies to Christine Love, but the title was too perfect.

Back in late 2019, the FPGA-based hardware emulation company Analogue, known for their near-flawless clones of various retro video game consoles, announced an exciting new product. This time around, instead of plugging into your TV and playing the games of one system (per device), the product called the Analogue Pocket would be a handheld device that could play many, many different portable game systems, provided you had the right cartridge adapters; a tantalizing product for retro game enthusiasts to be sure, especially given their track record. But with that many systems and a not-too-distant (in theory) release date, it seemed like a lot of work for the small team they had. You can imagine my surprise and excitement when, in January 2020, someone from the company reached out to me to see if I’d be interested in working on some software for it.

Specifically, they wanted me to work on an open-source replacement of the Game Boy Advance’s built-in ROM code, which is traditionally (though erroneously) referred to as the “BIOS”. This small block of code has a few functions: most visibly, it runs before the game starts and does things like validate that there’s a game cartridge inserted and show the boot splash screen; further, it also contains a handful of functionality that games can (and do) use for some basic tasks. But despite being small, this block of code is subject to copyright restrictions and not present on the game cartridges themselves, so for a fully accurate GBA clone to work it needs a clone of the BIOS too. And since I’d worked on mGBA for nearly 7 years at this point I had a pretty intricate understanding of how it worked and what would be necessary to do to make an accurate clone of it. Sounds like I would be a perfect fit, right? Well, I would have been had they given me reasonable terms. But they didn’t.


USB-powered SNES

August 10, 2019

In mid-2017 I joined OpenAI to work on their Gym Retro project. It was a relatively small company, and like many small companies in the tech industry in San Francisco it had, tucked away in a corner of the office, a TV with some game systems plugged in. Usually companies have a modern system (or at least close to modern) like an Xbox 360 or a PS4. Instead, perhaps fittingly, I found plugged into this TV one of the AtGames Genesis clones and an original Super Nintendo Entertainment System. Those of you familiar with the AtGames clones will know that quality is not a word that anyone would use to describe them, so I mostly ignored that. But the SNES—well, it’s a SNES. I don’t think I’ll need to convince anyone reading this of how important and timeless the SNES is in its specific place in console history. This SNES had two controllers, a small handful of games including Donkey Kong Country and Legend of Zelda: A Link to the Past. It also didn’t turn on.

Well, it did turn on when I started there, but only a few months later, and for the following year and change, it didn’t turn on. No video, no sound, not even the power LED. Being the console tinkerer I was, I decided to bring in a gamebit screwdriver and open up the thing to see if I could figure out why it wouldn’t turn on. A few screws later I opened the console and…oh. Maybe that was why it wouldn’t turn on anymore.

A burnt out power circuit

Apparently the SNES had gotten left on for who-knows-how-long and the power brick had been outputting 14 V instead of the nominal 10 V. This burnt out the entire power circuit and left an acrid odor of burnt plastic and silicon. I decided I should try to replace the power circuit, but it took me some time to get around to it.


Z-Ring Phreaking

March 20, 2017

This article was originally published in PoC||GTFO issue 14.

At the end of last year (following their usual three-year cycle), Nintendo released a new generation of Pokémon games for their latest portable console, the Nintendo 3DS. This time, their new entry in the series spectacularly destroyed several sales records, becoming the most pre-ordered game in Nintendo’s history. And of course, along with a new Pokémon title, there are always several things that follow suit, such as a new season of the long running anime, a flood of cheapo toys, and datamining the latest games into oblivion. This article is not about the anime or the datamining; rather, it’s about one of the cheapo toys.

The two new games, Pokémon Sun and Pokémon Moon, focus on a series of four islands known as Alola in the middle of the ocean. Alola is totally not Hawaiʻi. (Yes it is.) The game opens with a cutscene of a mysterious girl holding a bag and running away from several other mysterious figures. Near the beginning of the game, the player character runs into this mystery girl, known as Lillie, as she runs up to a bridge, and a rare Pokémon named Nebby pops out of the bag and refuses to go back in. It shudders in fear on the bridge as it’s harried by a pack of birds—sorry, Flying type—Pokémon. The player character runs up to protect the Pokémon, but instead gets pecked at mercilessly.

Nebby responds by blowing up the bridge. The player and Nebby fall to their certain doom, only to be saved by the Guardian Pokémon of the island, Tapu Koko, who grabs them right before they hit the bottom of the ravine. Tapu Koko flies up to where Lillie is watching in awe, and delivers the pair along with an ugly stone that happens to have a well-defined Z shape on it. This sparkling stone is crafted by the kahuna of the island (Did I mention that we’re not in Hawaiʻi? I was lying.) into what is known as a Z-Ring. So obviously there’s a toy of this.

The closest thing the Z-Ring has to a manual

In the game, the Z-Ring is an ugly, bulky stone bracelet given to random 11-year-old children. You shove sparkling Z-Crystals onto it, and it lets you activate special Z-Powers on your Pokémon, unlocking super-special-ultimate Z-Moves to devastate an opponent. In real life, the Z-Ring is an ugly, bulky plastic bracelet given to random 11-year-old children. You shove plastic Z-Crystals onto it, and it plays super-compressed audio as lights flash, and the ring vibrates a bit. More importantly, when you activate a Z-Power in-game, it somehow signals the physical Z-Ring to play the associated sound, regardless of which cheap plastic polyhedron you have inserted into it at the time. How does it communicate? Some people speculated about whether the interface was Bluetooth LE or a custom wireless communication protocol, but I have not seen anyone else reverse it. I decided to dig in myself.


Game Boy Player Player

March 24, 2015

For quite some time, I’ve been interested in the concept of a tool-assisted speedrun. Some of you may remember the 11 minute speedrun of Super Mario Bros. 3 by Morimoto (もりもと) back over ten years ago. Recorded well before the gaming community at large was familiar with the concept, its unerring perfection left most people watching with a sense of awe. Not long after the spread of the video, the website NESVideos was founded. This site eventually became TASVideos.org, a pre-eminent website on creating such tool-assisted superplays. (Presumably “s” was changed from “speedrun” to “superplay” to show that some TASes can be used to show off feats other than speedruns.)

Something special that the TASVideos people cooked up in one of their superplays was what is now known as a Total Control play. Demonstrated with the famous Super Mario World and Pokémon Yellow plays, these Total Control plays actually exploit bugs within the games themselves to upload a new program onto the game console using only input from the controllers. As amazing a feat as this would be on its own, they took it a step further: they removed the emulator from the equation and substituted in a real console!

Referred to as “console verification”, a thread popped up on the TASVideos forums about replaying the controller input from TAS recordings back to physical hardware. Over the past few years, several people have put together console verifiers for a handful of platforms. Recently, these “TASBots” have been brought to Games Done Quick charity gaming events to be demonstrated between live speedruns. To me, the pièce de résistance of these TASBot runs involved not only gaining control over the game, Pokémon Red, but taking over the Super Game Boy shell that the game was running in as well. Although the means of breaking out of the Game Boy’s shell and into the Super Nintendo was well documented (and in fact, some commercial games did so), it got me wondering.

After the Super Nintendo and the Game Boy, which could interact using the Super Game Boy, Nintendo made the GameCube and the Game Boy Advance. One of the add-ons created for the GameCube was called the Game Boy Player, which could play Game Boy and Game Boy Advance games on a television by using the GameCube as video-out. But the Game Boy Player is not nearly as well documented as the Super Game Boy, so I looked into what it might take to get console verification working for the Game Boy Player.
