Experiences in the GBA BIOGRAPHIES

Keep in mind: This is a post from my old dev blog. External web links have been updated, yet the text is otherwise reposted verbatim.

So, that tweet went a bit viral. Its the traditional Video game Kid Breakthrough boot-up display, with the text altered to the oh-so-relatable Im Gay . I can have produced this as a computer animation, but instead Id invested a number of days poring over documentation and disassembly to actually change the sprites in the systems BIOS data. I thought it could be interesting to share the technological details regarding that.At site bios gba download from Our Articles

For all of my screening I was utilizing the VisualBoyAdvance emulator. Its got some really great debug views to think of the state of the VRAM, a memory customer, and really helpfully the disassembly of the active program code, along with the capacity to step guidelines one-by-one.

My preliminary assumption was that the graphics data would certainly exist in an evident format in the BIOS, which Id be able to detect it just by discarding out the biography as a photo, mapping each byte to a pixel. Ive used this strategy on other reverse-engineering projects and its usually very handy. In this instance, nevertheless, I turned up nothing but degeneration – no noticeable formed information whatsoever.

I attempted zeroing out different parts of the BIOS information, seeing if I could deduce the area of the sprite information. This didnt work effectively – I took care of to break the audio chime and later managed to collapse the biography totally, so I ditched that concept pretty promptly.

I got to the conclusion that the information should be compressed in some form, and started browsing for resources regarding GBA information compression techniques. I came across a job called dsdecmp which consisted of code for compression and decompression with different algorithms used by the GBA and DS systems, and thought it might be helpful.

I attempted running dsdecmps LZ77 decompressor on the biographies, beginning at each factor in the biographies that could feasibly match the LZ77 data header, in the hopes that I could find the compressed sprite data by large brute force, yet this also turned up a dead end.

Eventually I realised I was mosting likely to have to get my hands filthy, and by tipping via the BIOS code one direction at once using VBAs disassembler, I had the ability to identify the following data circulation:

• Copy $ 370 bytes from $ 0000332C to $ 03000564
• Unwind $ 370 bytes from $ 03000564 right into $ 3C0 bytes at $ 03001564
• Decompress $ 3C0 bytes from $ 03001564 into $ 800 bytes at $ 03000564
• Increase $ 800 bytes of 2bit graphics data from $ 03000564 into $ 2000 bytes of 8bit graphics information at $ 06000040

A fast note regarding the GBA memory design. The biography is mapped at address range $ 00000000-$ 00003FFF, theres some general-purpose RAM beginning at $ 03000000, and VRAM starts at $ 06000000. There are various other parts of addressable memory yet theyre not relevant right here. ( source: GBATEK)

So its duplicating some compressed data from the biography into IRAM, decompressing it two times in IRAM, and then expanding it while replicating right into VRAM. After a bit checking out the GBATEK paperwork and comparing versus the compressed information, I had the ability to establish from the header bytes that the first compression pass is Huffman and the second pass is LZ77. So I assume the BIOS is actually carrying out the following steps using the biography decompression features:

MemCopy($ 0000332C, $03000564, $370);// most likely making use of CpuSet or CpuFastSet
HuffUnCompReadNormal($ 03000564, $03001564);.
LZ77UnCompReadNormalWrite8bit($ 03001564, $03000564);.
BitUnPack($ 03000564, $06000040, );.

I had the ability to bodge with each other some C# code to draw out the sprite data and discard it out to an image file. I after that bodged with each other some more code to check out the image data, cut it down to 2 little bits per pixel, and compress the information in the way the BIOS expects. I could after that just modify the photo file, run the code, and Id obtain a customized biography documents with the brand-new sprites.

This does not function constantly though. If the sprites have excessive entropy, the compression wont be able to maintain the information under $ 370 bytes, and I think the halfway-stage compressed information has an upper dimension limit as well. Luckily I managed to get the data I desired under the dimension restriction, however I did have a number of failed attempts while exploring.

While Im certain plenty of you want my tooling for this, I wont be launching it. Its a hacky and buggy mess Im not especially proud of, and I do not actually feel like cleaning it up or fielding assistance demands. This should have provided you enough information to construct a similar device on your own if youre really figured out though;-RRB- Oh, and there was a benefit GDPR joke tweet that exploded a little bit as well, made with the very same strategies.