We're using cookies to ensure you get the best experience on our website. More info
Understood
@danielpsRegistered November 20, 2014Active 4 years, 5 months ago
5 Replies made

An update on this.

I’ve added ESIL support for V810. ESIL is an intermediate language that can be easily generated, parsed and interpreted. There’s a more detailed explanation here but basically, it can decode instructions into a common language and then emulate them. For example, “add r2, r5” would be translated into “r1,r2,+=” and “movhi 0x701, r0, r1” would be “16,0×701,<<,r0,+,r1,=". The interesting part about this is that it can be used to emulate VB ROMs. It's not meant as a full-fledged emulator, but rather as a way to help with reverse engineering (it wont't do graphics, interrupts or system-specific stuff). It could also be used for code analysis and decompilation with stuff like radeco, although I haven’t gotten that to work.

Here’s a quick usage example. I’ve also recorded a demo here.

# Opens a ROM, maps it to 0x7000000, seeks to the end (in this case 0x71ffff0)
# and enables emulation
$> r2 -a v810 -F any -e asm.emu=true asm.emuwrite=true -m 0x7000000 -s 0x71ffff0 /path/to/rom.vb
# Allocates 0x10000 bytes and maps them to the VB RAM area (replace malloc... with
# /path/to/ramdump if you want to to work with a file)
[0x071ffff0]> o+ malloc://0x10000 0x5000000
[0x071ffff0]> af # Analyze and print the function
[0x071ffff0]> pdf
/ (fcn) fcn.071ffff0 16
|           0x071ffff0      20bc0007       movhi 0x700, r0, r1  ; r1=0x7000000 -> 0x501bc00
|           0x071ffff4      21a00000       movea 0x0, r1, r1    ; r1=0x7000000 -> 0x501bc00
|           0x071ffff8      0118           jmp [r1]             ; pc=0x7000000 -> 0x501bc00
|           0x071ffffa      0000           mov r0, r0           ; r0=0x0 
|           0x071ffffc      0000           mov r0, r0           ; r0=0x0 
\           0x071ffffe      0000           mov r0, r0           ; r0=0x0 
[0x071ffff0]> 3 aes # Steps 3 instructions
[0x07000000]> af
[0x07000000]> pdf
            ;-- r1:
/ (fcn) pc 168
|           0x07000000      60bc0105       movhi 0x501, r0, r3  ; r3=0x5010000 -> 0xffffff00
|           0x07000004      63a0c0ff       movea 0xffc0, r3, r3 ; r3=0x500ffc0 r3
|           0x07000008      80bc0105       movhi 0x501, r0, r4  ; r4=0x5010000 -> 0xffffff00
|           0x0700000c      84a00080       movea 0x8000, r4, r4 ; r4=0x5008000 r4
|           0x07000010      0570           ldsr PSW, r0
|           0x07000012      1870           ldsr CHCW, r0
|           0x07000014      c0a00020       movea 0x2000, r0, r6 ; r6=0x2000 -> 0xffffff00
|       .-> 0x07000018      df44           add -1, r6           ; r6=0x1fff -> 0xffffff00
|       `=< 0x0700001a      fe95           bne -2               ; pc=0x71ffff6 -> 0x18010000
|           0x0700001c      c0bc0607       movhi 0x706, r0, r6  ; r6=0x7060000 -> 0xffffff00
|           0x07000020      c6a0502d       movea 0x2d50, r6, r6 ; r6=0x7062d50 -> 0x2010000
# ...
[0x07000000]> aesu 0x700001c # Step until 0x700001c, right after the loop
ADDR BREAK
[0x07000000]> ar=
  r0 0x00000000      r1 0x07000000      r2 0x00000000      r3 0x0500ffc0
  r4 0x05008000      r5 0x00000000      r6 0x00000000      r7 0x00000000
  r8 0x00000000      r9 0x00000000     r10 0x00000000     r11 0x00000000
 r12 0x00000000     r13 0x00000000     r14 0x00000000     r15 0x00000000
 r16 0x00000000     r17 0x00000000     r18 0x00000000     r19 0x00000000
 r20 0x00000000     r21 0x00000000     r22 0x00000000     r23 0x00000000
 r24 0x00000000     r25 0x00000000     r26 0x00000000     r27 0x00000000
 r28 0x00000000     r29 0x00000000     r30 0x00000000     r31 0x00000000
  pc 0x0700001c     psw 0x00000000
[0x07000000]> V # Go into visual mode ('pp' to show the debug layout and 's' to step)

If anyone wants to give it a try, you’ll have to either build it from git or wait for the 0.10.1 stable release in about two weeks. If you find any issues, feel free to report them and I’ll try to fix them.

The pull request has been accepted, but it’s not yet on a stable release. You can either build it from source or wait for a nightly at bin.rada.re.
AFAIK it doesn’t use any special dependencies on linux and you just build it using some bash scripts at sys/. I haven’t tried on Windows but it seems to use MinGW, so it should be similar.

Anyway, I’m not by any means a radare wizard, but I’ll try to explain the basics:
To set the architecture you can pass the argument “-a v810”.
For example, if you want to disassemble an instruction:

$ rasm2 -a v810 -d 5f45

will disassemble 0x455f as “add -1, r10”
To disassemble a file (more in the screenshot below):

r2 -a v810 rom.vb

If you’re not too comfortable with having to learn cryptic commands, the visual mode is a great place to start. There’s an intro to that here.

Once you’ve annotated stuff, renamed functions or whatever, save it as a project with:

Ps prj_name

and the next time, you can open it with:

$ r2 -p prj_name

For more complex stuff you should read the book and watch radare.tv.

hildenbraugh wrote:
I was sent here from another VG Dev site. I’m curious if this can be used to rip the sound files from games and create a multitrack cart of all known VB sound files. Perhaps same for graphics library. Then we code it into a VB info cart with info on the games, BG’s, graphical assets, histories, etc.

I’m not into romhacking myself, but I think that it might work for your purpose, although with a lot of effort. It’s probably easier to use an emulator to dump sound memory or something, but I’m just guessing.

There are actually two emulators working right now.

One of them is mednafen’s libretro core. It runs at ~8 fps as you can see here.
I don’t think there’s anyone working on it for the 3DS specifically, but it works because someone ported RetroArch.

The one I’m working on runs at ~20 fps, but it’s limited to a few homebrew ROMs. I’m really busy with class, but as soon as I have some free time, I’ll rewrite some stuff to (hopefully) get it to run at a reasonable speed.

Well, if anyone’s interested, I got Red Dragon working on a 3DS emulator (I couldn’t test it on actual hardware yet) and it runs at about 1 or 0.5 fps. It should be much better on a real 3DS, although it will probably need some optimizing for it to be close to playable.

If anyone wants to test it, the code’s on GitHub: https://github.com/mrdanielps/r3Ddragon
And here are some screenshots: https://github.com/mrdanielps/r3Ddragon/wiki/Screenshots

Guy Perfect wrote:
I’ve put a great deal of thought into the best way to have a Virtual Boy emulator on 3DS/ARM. I’ve got concepts drafted up for both an interpreter core and a recompiler core, and have just short of made one on an earlier ARM system as a proof of concept.

Depending on how feasible 3DS homebrew is, I’ll be all over it. I’ll even buy a new system if it means being unable to update the firmware ever again. (-:

I had read your posts a while back and it looked really interesting. I don’t know how much I can help, but count me in.