Note: This is a post from my old dev blog. External links have been updated, but the text is otherwise reposted verbatim.
So, that tweet went a little viral. It's the classic Game Boy Advance boot-up screen, with the text changed to the oh-so-relatable "I'm Gay". I could have made this as an animation, but instead I'd spent a few days reading documentation and disassembly to actually modify the sprites in the system's BIOS file. I thought it might be interesting to share the technical details about that.
For all of my testing I was using the VisualBoyAdvance emulator. It's got some very nice debug views to visualise the state of the VRAM, a memory viewer, and very helpfully the disassembly of the active program code, along with the ability to step through instructions one by one.
My first assumption was that the graphics data would exist in an obvious format in the BIOS, and that I'd be able to spot it just by dumping out the BIOS as an image, mapping each byte to a pixel. I've used this technique on other reverse-engineering projects and it's usually very useful. In this case, however, I turned up just entropy – no obvious patterned data at all.
I tried zeroing out various parts of the BIOS file, seeing if I could deduce the location of the sprite data. This didn't work very well – I managed to break the audio chime and later managed to crash the BIOS completely, so I scrapped that idea pretty quickly.
I came to the conclusion that the data must be compressed in some form, and started looking around for resources about GBA data compression techniques. I came across a project called dsdecmp, which contained code for compression and decompression with various algorithms used by the GBA and DS systems, and thought it might be useful.
I tried running dsdecmp's LZ77 decompressor on the BIOS, starting at each point in the BIOS that could plausibly match the LZ77 data header, in the hope that I could find the compressed sprite data by sheer brute force, but this also turned out to be a dead end.
Eventually I realised I was going to have to get my hands dirty, and by stepping through the BIOS code one instruction at a time using VBA's disassembler, I was able to identify the following data flow:
- Copy $370 bytes from $0000332C to $03000564
- Decompress $370 bytes from $03000564 into $3C0 bytes at $03001564
- Decompress $3C0 bytes from $03001564 into $800 bytes at $03000564
- Expand $800 bytes of 2bit graphics data from $03000564 into $2000 bytes of 8bit graphics data at $06000040
A quick note about the GBA memory layout. The BIOS is mapped at address range $00000000-$00003FFF, there's some general-purpose RAM starting at $03000000, and VRAM starts at $06000000. There are other parts of addressable memory but they're not relevant here. (source: GBATEK)
So it's copying some compressed data from the BIOS into IRAM, decompressing it twice in IRAM, and then expanding it while copying into VRAM. After a bit of reading the GBATEK documentation and comparing against the compressed data, I was able to identify from the header bytes that the first compression pass is Huffman and the second pass is LZ77. So I think the BIOS is actually performing the following steps using the BIOS decompression functions:
```
MemCopy($0000332C, $03000564, $370); // likely using CpuSet or CpuFastSet
HuffUnCompReadNormal($03000564, $03001564);
LZ77UnCompReadNormalWrite8bit($03001564, $03000564);
BitUnPack($03000564, $06000040, );
```
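The LZ77 and BitUnPack stages of that pipeline, as an added Python example (not the author's C# tooling and not BIOS code), following the stream formats GBATEK documents; the Huffman stage is left out. The sample stream is constructed, and the `offset` parameter stands in for the BitUnPack argument the post does not give.

```python
import struct

def parse_header(blob):
    """Split the 32-bit header that precedes BIOS-compressed data."""
    (word,) = struct.unpack_from("<I", blob, 0)
    kind = (word >> 4) & 0xF            # 1 = LZ77, 2 = Huffman
    size = word >> 8                    # decompressed size in bytes
    return kind, size

def lz77_decompress(blob):
    kind, size = parse_header(blob)
    if kind != 1:
        raise ValueError("not an LZ77 stream")
    out, pos = bytearray(), 4
    while len(out) < size:
        flags = blob[pos]
        pos += 1
        for bit in range(7, -1, -1):    # flag bits are consumed MSB first
            if len(out) >= size:
                break
            if flags & (1 << bit):      # back-reference, two bytes
                b0, b1 = blob[pos], blob[pos + 1]
                pos += 2
                length = (b0 >> 4) + 3
                disp = (((b0 & 0xF) << 8) | b1) + 1
                if disp > len(out):
                    raise ValueError("back-reference before start of output")
                for _ in range(length): # byte-wise, so overlapping runs repeat
                    out.append(out[-disp])
            else:                       # literal byte
                out.append(blob[pos])
                pos += 1
    return bytes(out[:size])

def bit_unpack_2to8(data, offset=0):
    """Expand each 2-bit unit (low bits first) to a byte; offset is added to non-zero units."""
    units = ((b >> s) & 3 for b in data for s in (0, 2, 4, 6))
    return bytes(u + offset if u else 0 for u in units)

# Constructed sample (not BIOS data): one literal 0x1B, then a 7-byte run copied from 1 byte back.
SAMPLE = bytes.fromhex("10080000401b4000")

if __name__ == "__main__":
    packed = lz77_decompress(SAMPLE)
    print(packed.hex(), bit_unpack_2to8(packed).hex())
```

A truncated stream surfaces as an `IndexError`, which is the behaviour you want when probing candidate offsets in a dump rather than silently returning short output.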
I was able to bodge together some C# code to extract the sprite data and dump it out to an image file. I then bodged together some more code to read the image file, cut it down to 2 bits per pixel, and compress the data in the way the BIOS expects. I could then simply change the image file, run the code, and I'd get a modified BIOS file with the new sprites.
This doesn't work all the time though. If the sprites have too much entropy, the compression won't be able to keep the data under $370 bytes, and I think the halfway-stage compressed data has an upper size limit too. Luckily I managed to get the data I wanted under the size limit, but I did have a number of failed attempts while experimenting.
While I'm sure many of you want my tooling for this, I won't be releasing it. It's a hacky and buggy mess I'm not especially proud of, and I don't really feel like cleaning it up or fielding support requests. This should have given you enough information to build a similar tool yourself if you're really determined though ;) Oh, and there was a bonus GDPR joke tweet that blew up a bit too, made with the same techniques.