You are not logged in.
Lost Password?

All Posts (danielps)




#1
Re: radare2 Virtual Boy support
Posted on: 2016/2/16 19:41
Newbie
Joined 2014/11/20
Spain
6 Posts
Long Time User (4 Years)
An update on this.

I've added ESIL support for V810. ESIL is an intermediate language that can be easily generated, parsed and interpreted. There's a more detailed explanation here but basically, it can decode instructions into a common language and then emulate them. For example, "add r2, r5" would be translated into "r1,r2,+=" and "movhi 0x701, r0, r1" would be "16,0x701,<<,r0,+,r1,=".

The interesting part about this is that it can be used to emulate VB ROMs. It's not meant as a full-fledged emulator, but rather as a way to help with reverse engineering (it wont't do graphics, interrupts or system-specific stuff).
It could also be used for code analysis and decompilation with stuff like radeco, although I haven't gotten that to work.

Here's a quick usage example. I've also recorded a demo here.

# Opens a ROM, maps it to 0x7000000, seeks to the end (in this case 0x71ffff0)
# and enables emulation
$> r2 -a v810 -F any -e asm.emu=true asm.emuwrite=true -m 0x7000000 -s 0x71ffff0 /path/to/rom.vb
# Allocates 0x10000 bytes and maps them to the VB RAM area (replace malloc... with
# /path/to/ramdump if you want to to work with a file)
[0x071ffff0]> omalloc://0x10000 0x5000000
[0x071ffff0]> af # Analyze and print the function
[0x071ffff0]> pdf
/ (fcnfcn.071ffff0 16
|           0x071ffff0      20bc0007       movhi 0x700r0r1  r1=0x7000000 -> 0x501bc00
|           0x071ffff4      21a00000       movea 0x0r1r1    r1=0x7000000 -> 0x501bc00
|           0x071ffff8      0118           jmp [r1]             ; pc=0x7000000 -> 0x501bc00
|           0x071ffffa      0000           mov r0r0           r0=0x0 
|           0x071ffffc      0000           mov r0r0           r0=0x0 
           0x071ffffe      0000           mov r0
r0           r0=0x0 
[0x071ffff0]> 3 aes # Steps 3 instructions
[0x07000000]> af
[0x07000000]> pdf
            
;-- r1:
/ (
fcnpc 168
|           0x07000000      60bc0105       movhi 0x501r0r3  r3=0x5010000 -> 0xffffff00
|           0x07000004      63a0c0ff       movea 0xffc0r3r3 r3=0x500ffc0 r3
|           0x07000008      80bc0105       movhi 0x501r0r4  r4=0x5010000 -> 0xffffff00
|           0x0700000c      84a00080       movea 0x8000r4r4 r4=0x5008000 r4
|           0x07000010      0570           ldsr PSWr0
|           0x07000012      1870           ldsr CHCWr0
|           0x07000014      c0a00020       movea 0x2000r0r6 r6=0x2000 -> 0xffffff00
|       .-> 0x07000018      df44           add -1r6           r6=0x1fff -> 0xffffff00
|       `=< 0x0700001a      fe95           bne -2               ; pc=0x71ffff6 -> 0x18010000
|           0x0700001c      c0bc0607       movhi 0x706, r0, r6  ; r6=0x7060000 -> 0xffffff00
|           0x07000020      c6a0502d       movea 0x2d50, r6, r6 ; r6=0x7062d50 -> 0x2010000
# ...
[0x07000000]> aesu 0x700001c # Step until 0x700001c, right after the loop
ADDR BREAK
[0x07000000]> ar=
  r0 0x00000000      r1 0x07000000      r2 0x00000000      r3 0x0500ffc0
  r4 0x05008000      r5 0x00000000      r6 0x00000000      r7 0x00000000
  r8 0x00000000      r9 0x00000000     r10 0x00000000     r11 0x00000000
 r12 0x00000000     r13 0x00000000     r14 0x00000000     r15 0x00000000
 r16 0x00000000     r17 0x00000000     r18 0x00000000     r19 0x00000000
 r20 0x00000000     r21 0x00000000     r22 0x00000000     r23 0x00000000
 r24 0x00000000     r25 0x00000000     r26 0x00000000     r27 0x00000000
 r28 0x00000000     r29 0x00000000     r30 0x00000000     r31 0x00000000
  pc 0x0700001c     psw 0x00000000
[0x07000000]> V # Go into visual mode ('pp' to show the debug layout and 's' to step)


If anyone wants to give it a try, you'll have to either build it from git or wait for the 0.10.1 stable release in about two weeks. If you find any issues, feel free to report them and I'll try to fix them.
Top

Topic | Forum


#2
Re: radare2 Virtual Boy support
Posted on: 2015/7/10 22:33
Newbie
Joined 2014/11/20
Spain
6 Posts
Long Time User (4 Years)
The pull request has been accepted, but it's not yet on a stable release. You can either build it from source or wait for a nightly at bin.rada.re.
AFAIK it doesn't use any special dependencies on linux and you just build it using some bash scripts at sys/. I haven't tried on Windows but it seems to use MinGW, so it should be similar.

Anyway, I'm not by any means a radare wizard, but I'll try to explain the basics:
To set the architecture you can pass the argument "-a v810".
For example, if you want to disassemble an instruction:

rasm2 -a v810 -d 5f45
will disassemble 0x455f as "add -1, r10"
To disassemble a file (more in the screenshot below):

r2 
-a v810 rom.vb

If you're not too comfortable with having to learn cryptic commands, the visual mode is a great place to start. There's an intro to that here.

Once you've annotated stuff, renamed functions or whatever, save it as a project with:

Ps prj_name
and the next time, you can open it with:

r2 -p prj_name


For more complex stuff you should read the book and watch radare.tv.

Attach file:



png  snatcher_disasm.png (132.03 KB)
4404_55a0277825c03.png 812X758 px
Top

Topic | Forum


#3
Re: radare2 Virtual Boy support
Posted on: 2015/7/10 2:22
Newbie
Joined 2014/11/20
Spain
6 Posts
Long Time User (4 Years)
Quote:

hildenbraugh wrote:
I was sent here from another VG Dev site. I'm curious if this can be used to rip the sound files from games and create a multitrack cart of all known VB sound files. Perhaps same for graphics library. Then we code it into a VB info cart with info on the games, BG's, graphical assets, histories, etc.

I'm not into romhacking myself, but I think that it might work for your purpose, although with a lot of effort. It's probably easier to use an emulator to dump sound memory or something, but I'm just guessing.
Top

Topic | Forum


#4
radare2 Virtual Boy support
Posted on: 2015/7/9 0:19
Newbie
Joined 2014/11/20
Spain
6 Posts
Long Time User (4 Years)
For those of you who don't know, radare2 is a reverse engineering framework. It comes with a nice set of tools to help you visualize and document disassembled code. Read more about it here.

I recently implemented support for the V810 architecture, which means you can now use it to disassemble and analyse VB ROMs.
The assembler isn't implemented though, so the code patching capabilities aren't there. I could do it if there's enough interest, but I have no plans at the moment.

Anyway, I thought I'd mention it here because someone might find it useful.

Attach file:



png  vbradare2_1.png (30.96 KB)
4404_559d9cb5ddb01.png 821X488 px

png  vbradare2_2.png (101.29 KB)
4404_559d9cca16cf5.png 893X524 px

png  vbradare2_3.png (90.97 KB)
4404_559d9cd2bdea2.png 893X524 px
Top

Topic | Forum


#5
Re: No VB Emulator for 3DS yet
Posted on: 2015/4/13 22:38
Newbie
Joined 2014/11/20
Spain
6 Posts
Long Time User (4 Years)
There are actually two emulators working right now.

One of them is mednafen's libretro core. It runs at ~8 fps as you can see here.
I don't think there's anyone working on it for the 3DS specifically, but it works because someone ported RetroArch.

The one I'm working on runs at ~20 fps, but it's limited to a few homebrew ROMs. I'm really busy with class, but as soon as I have some free time, I'll rewrite some stuff to (hopefully) get it to run at a reasonable speed.
Top

Topic | Forum


#6
Re: Some exciting news for this community
Posted on: 2014/11/20 17:50
Newbie
Joined 2014/11/20
Spain
6 Posts
Long Time User (4 Years)
Well, if anyone's interested, I got Red Dragon working on a 3DS emulator (I couldn't test it on actual hardware yet) and it runs at about 1 or 0.5 fps. It should be much better on a real 3DS, although it will probably need some optimizing for it to be close to playable.

If anyone wants to test it, the code's on GitHub: https://github.com/mrdanielps/r3Ddragon
And here are some screenshots: https://github.com/mrdanielps/r3Ddragon/wiki/Screenshots

Quote:

Guy Perfect wrote:
I've put a great deal of thought into the best way to have a Virtual Boy emulator on 3DS/ARM. I've got concepts drafted up for both an interpreter core and a recompiler core, and have just short of made one on an earlier ARM system as a proof of concept.

Depending on how feasible 3DS homebrew is, I'll be all over it. I'll even buy a new system if it means being unable to update the firmware ever again. (-:


I had read your posts a while back and it looked really interesting. I don't know how much I can help, but count me in.
Top

Topic | Forum