Hacking the Game Boy cartridge protection
- added 27. 03. 2020
- In this video we hack the GameBoy cartridge protection by building our own GameBoy cartridge using an FPGA!
You can find the FPGA source-code on my Github here: github.com/ghidraninja/gamebo...
- ModernVintageGame on the CIC chips: • Secrets of the Nintend...
- The Gbdev wiki: gbdev.gg8.se/wiki/articles/Ma...
Equipment used in the video:
- FPGA Board: Digilent Arty 7
- Level shifters: TXS0108E
- A GameBoy...
Errata:
- I messed up the resolution - the logo is 48px by 8px, not 96px by 16px!
You can also find me on Twitter: / ghidraninja - Science & Technology
Amazing work and great video!
I was wondering why YouTube would recommend this channel to me, but it is because of you!
Thanks for crediting Stack Smashing in your recent video on the GB's bootloader, MVG - another cool hardware channel to add to my subs! :)
Stacksmashing, mvg, and live overflow. The gang is all here
I always get a kick out of seeing that my favorite YouTube channels watch each other lol
Couldn't agree more!!
That awkward pause at the end to reach the advertisable video length ;)
*coughs*
YouTube is weird. Why put a minimum advertisable length? It only encourages long and cringy videos while real gems like these are left behind.
No use, Nintendo will claim it / disable ads...
@HA7DN
*Knock! Knock!*
Who's there?
😈 *NINTENDO* 😈
There aren’t any ads on the vid
This is wonderful. Thank you for posting it.
I'm really stunned with how far FPGA boards have progressed. I hope you release the GB cartridge soon! My son has been fascinated since I showed him how we can use my oscilloscope to sniff the data lines of the SNES controller bus in real time. This led into a discussion of different pin types and how we could sniff other types and how you might glitch them. This is perfect because I can set up a breadboard to branch off from my Super Game Boy.
I actually wondered back then, why they didn't develop that bootup logo with variations or animation from the game or "presented by Pepsi cola" etc
You can technically animate the screen by not clearing VRAM and instead doing something else with the screen the moment the BIOS gives control. Several demos do this. However, this was most likely prohibited by Nintendo's cert requirements; they probably wouldn't want someone doing this with their trademarks.
@SuperSmashDolls You would also need version detection for Game Boy, Super Game Boy, and Game Boy Colour and up or it'll look bizarre.
Because you would still distribute the Nintendo logo illegally, even when its not shown on boot.
you could just add 2 extra screens that say "produce" "gameboys" - then it's no longer a trademark violation but a statement of fact
@finthegeek Nah, you still didn't have the right to recreate the logo
Gotta love it when you can't wait for a PCB to arrive, so you just go and make one... And then design the PCB anyway, and release it for others! Nice!
Whenever I receive a notification that you have uploaded a new video, I immediately stop whatever I was doing and sit to watch your video. What an awesome work. Keep up the good work! ✌❤
I am looking forward to more beginner Ghidra tutorials from you on your channel, they are very helpful!
Came here from the MVG video on the GB bootloader, this is awesome. I look forward to watching your other videos! :D
Quickly becoming one of my favorite youtube channels. This guy is going places!
Name dropping MVG? Instant subscribe. This was interesting too. I sort of knew this but didn't realize how simple it was.
I’ll be completely honest. I have no idea what any of this really means, but I’m just fascinated by the technical jargon and seeing how things work, and you actually have a pretty chill voice, too, so I’ve subscribed. ^_^
Every video I watch just blows my mind. It's like decades of thinking 'what if': what if I got into this stuff and was good at it, what would it look like...? Your videos are like painting the experience to my imagination. Very satisfying. To see all this stuff is just incredible. I notice all the places I would have probably got stuck (so many times) and it just blows my mind. Not to mention the quality of your editing. You are epic bro
You are just amazing... You make it so much easier to understand how games and their consoles work together. I've always had an interest in programming and hacking and with your knowledge and great explanations I'm able to move forward with my own projects. Thanks and awesome videos.
Clever license protection, for its time.
Aw man, your profile pic is freakin' cool
Almost want to steal it, but that would be uncool
It's from the Super NES game, Super Metroid. It IS the Super Metroid. So I don't own it either :)
@InsaneFirebat Yeah yeah, I know. But still, it's not cool if there's more than one with that pic.
It sounds clever.
But Sega tried more or less the same thing, it got to court, and was ruled unenforceable.
The legal judgement was something to the effect that because you HAD to include this trademarked logo to get any software running, you had no choice in the matter, and thus couldn't be prosecuted for it...
These kind of things seem pretty clever, but they rarely seem to work in the company's favour in court, because courts seem to favour allowing people to write their own software for a given hardware platform over protecting the platform owner...
@InsaneFirebat It's grown up Baby Metroid!
That was a clever way of copy protection! Really interesting video, well done!
They could've multiplexed the first 8 Address lines to behave as Data Lines sometimes, you'd only need an 8-bit latch to hold the address before a data read or write. That's how the old 8086 CPU worked, still a pretty cool workaround to having 8 extra pins.
I think the GBA did something like that. If I remember speaking to an engineer doing it at the time, he said the bus can auto-increment addresses too so you're not clocking in a new address every fetch.
You can multiplex all of them. A few different approaches exist here. They can also write through a section of the map which controls the address window.
I think they wanted to simplify and reduce costs for cartridges
N64 carts work in the same way. Once a high and low address is latched it just strobes the read pin and the ROM automatically adds 2 to the address for every edge (word aligned access)
Nintendo lawyers from the 90's enter chat. This is really fascinating haha, great vid!!
Sega sued Accolade for that exact thing and lost the court case. If the system requires the logo to be displayed, then there is no copyright infringement
accolade vs sega "Accolade's acts of reverse engineering Sega Genesis software to learn about its security systems and subsequent publishing of unlicensed Sega Genesis games are protected under the fair use doctrine of copyright law. Sega is held responsible for using its security system to place its trademark on Accolade's games."
It will be perfect for Game Boy re-shells that have "Game Girl" on them.
I always wondered why the logo was blank if you didn't insert a cartridge.
It's not integrated into the system itself, as you now know.
Remarkably simple. This is an excellent entry point for anyone looking to get into hardware hacking. Great video! 👍
Very interesting and informative video! Super cool how this kind of technology used to work
This guy has some serious engineer skills... I'm amazed!!!
That is pretty in-depth and awesome information. Great video!
Incredible, never knew they already made this technique inside the gameboy
That was very informative and a good presentation. Well done!
I dreamt about doing things like this since I was a kid. This fueled my interest and career significantly. Thanks, Game Boy.
This is very awesome, would love to see something similar for the game boy advance
Nice work there! I was watching this with pleasure, thanks for that!
Glad you enjoyed it :)
That is really interesting. I always enjoy learning new things about old tech!
Also when Ghidra ninja teaches us.
Love the vid awesome work. Just binge watching all your vids
I would happily watch a few ads to help encourage you to make more videos of this type. Your skills are insane 👍
Excellent content as usual!
Great content man. Keep it up! 👍🏻
You are an inspiration. I'm a small tech YouTuber doing some videos on the Pi, IT career tips etc. Love your content man.
amazing job! thanks for sharing your findings
Mistakes Were Made - How the Gameboy copy protection was defeated
I don't get the joke.
@bangerbangerbro Watch MVG
it's trademark protection, like Sega TMSS
"Mistakes were made." - Well, not for the time when it was invented. FPGAs were prohibitively expensive at the time, so were ASICs.
The breakout PCB looks useful, looking forward to the gerbers being released :)
With coronavirus floating around, you really want more things to be released into the public?
This was inspiring. This was fascinating.
Wow, that's really easy to extract a cartridge rom. Thought it would be more difficult than just a parallel read after seeing the Snes protection.
I want 1 video every day, I enjoy this more than all animes
Even though I wouldn’t take the time to do this, I love watching.
Nice Hackers reference with "Hack the planet" on the PCB at the end
Fantastic & inspiring video!
as always great video, thank you sir
This video is amazing! Good job!
Good channel, with great content. Keep up the great work.
Collaboration between two wonderful engineering channels, amazing. Shove a CodeBullet or CodeParade in there too!
This is the kind of content I crave.
glad to hear you bypass the nintendo logo !! ...
Such an amazing video! Instant subscribe.
Your Channel is just awesome!
Love these videos!
This was an amazing video!
Even if I don't understand too much about this, it's quite satisfying to watch these videos.
Super cool video, thank you!
This knowledge is awesome! Congratulations and thank you for the video! ;-)
Imagine bringing one of these back to the 1990s
You presented this very well and kept it simple, tidy and interesting. Great job :)
Awesome work, ninja, you rock!
Nice work. You could simplify the FPGA code slightly by just replacing the logo address range during the first read, and otherwise just always return the original ROM data. After all, the ROM already contains the correct logo.
Dude you have earned my subscription
Every single concept of this video is pure gold... Yes, even the comments.
Excellent work. You are genius.
So much effort in this video.
Nice Hackers reference on the breakout cart ;)
Congratulations! 👏👏👏
That is the coolest thing I've ever seen!
Great video. Thanks
Very well explained!
Analyzing the video, I came up with another idea that would have been possible with technology of the day.
Since you mentioned the presence of a 1 MHz clock signal, you could power a very small microcontroller that could just count cycles and, since the boot process always takes the same amount of time, swap the hacked logo bank and the original one based on said counter.
And it could be a very small additional ROM just mapped to the address.
For the level shifting, it may be a better idea IMO to use level shifting chips with external direction control like SN74LVC16T245 for the address and signal lines. Those chips need control signals, but these can be derived from the CS, RD and WR pins using some 74LVC1Gxx logic. This means the target board can be directly connected without the need of level shifters, and since those SN74LVCxxT245 chips contain line redrivers, you can even run longer wires with little ill effect. Also you can include an op amp like LMV321 to buffer the audio line, basically also a redriver.
Pretty great work! Thanks
awesome work
A lawsuit in the early 90's removed the legal underpinnings for this sort of usage of trademarks as a form of copy protection. lookup Sega vs. Accolade for more info. Accolade published unlicensed games that used Sega's copy-protection code including the part that displayed the Sega logo. A court eventually ruled that the code usage was fair use and Sega's act of requiring display of a trademark for a game work was an "improper use" of trademark because it served to limit competition which is the function of patents and not trademarks.
Wow, brilliant work, this is remarkable
You guys have a lot of spare time in your life
@ModernVintageGamer has a LOT of great videos on things. Watching his channel is undoubtedly why I was recommended yours (and subbed)
So the cartridge "protection" works just like in the Mega Drive? Interesting video by the way!
Li Cheng Industries-published Game Boy games have the Nintendo logo modified to read "Niutoude".
That doesn't use this exploit - AFAIK CGB just doesn't check the bottom half of the logo
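As an added illustration of the trick the video describes (serve one logo while the boot ROM copies it to the screen, the genuine one when it re-reads it to verify) and of the CGB behaviour mentioned in the reply above, here is a small Python model. This is example code written for this page, not the FPGA source from the video; the header offsets, the 48x8 logo encoding and the header-checksum formula follow the public cartridge-header documentation linked in the description, while the "read once for display, read again to verify" sequencing, the constructed ROM and the class and function names are simplifying assumptions.

```python
"""Model of the Game Boy boot ROM logo/header check and of a cartridge that
answers the first read of each logo byte with a different bitmap.
Hypothetical example code for this page; not the video's FPGA design."""

LOGO_START, LOGO_LEN = 0x104, 48       # header logo occupies 0x104-0x133
CGB_CHECKED_LEN = 24                   # CGB and later compare only the top half
CHECKSUM_RANGE = range(0x134, 0x14D)   # header checksum covers 0x134-0x14C
CHECKSUM_ADDR = 0x14D

# The 48 logo bytes every licensed cartridge carries at 0x104.
NINTENDO_LOGO = bytes.fromhex(
    "CEED6666CC0D000B03730083000C000D0008111F8889000EDCCC6EE6DDDDD999"
    "BBBB67636E0EECCCDDDC999FBBB9333E"
)


def decode_logo(logo: bytes) -> list[str]:
    """Render the 48x8 1-bpp logo as 8 rows of '#'/'.' characters.
    Bytes 0-23 hold pixel rows 0-3, bytes 24-47 rows 4-7.  Within a half,
    each pair of bytes is one 4x4 block (left to right) and each nibble is
    one 4-pixel row, high nibble first."""
    rows = [[] for _ in range(8)]
    for half in range(2):
        for block in range(12):
            b0, b1 = logo[half * 24 + block * 2: half * 24 + block * 2 + 2]
            for r, nib in enumerate((b0 >> 4, b0 & 0xF, b1 >> 4, b1 & 0xF)):
                rows[half * 4 + r].append(
                    f"{nib:04b}".replace("1", "#").replace("0", "."))
    return ["".join(r) for r in rows]


def header_checksum(read) -> int:
    """x = x - byte - 1 over 0x134..0x14C; the boot ROM keeps the low byte."""
    x = 0
    for addr in CHECKSUM_RANGE:
        x = (x - read(addr) - 1) & 0xFF
    return x


def make_rom(title: bytes, logo: bytes = NINTENDO_LOGO) -> bytearray:
    """Constructed minimal header (0x150 bytes) with a logo and valid checksum."""
    rom = bytearray(0x150)
    rom[LOGO_START:LOGO_START + LOGO_LEN] = logo
    rom[0x134:0x134 + min(len(title), 16)] = title[:16]
    rom[CHECKSUM_ADDR] = header_checksum(rom.__getitem__)
    return rom


class PlainCartridge:
    """A normal ROM: every read returns what is stored."""
    def __init__(self, rom: bytes):
        self.rom = rom

    def read(self, addr: int) -> int:
        return self.rom[addr]


class SpoofingCartridge(PlainCartridge):
    """Returns `shown` the first time each logo byte is read (the display
    pass) and the genuine ROM byte on every later read (the verify pass)."""
    def __init__(self, rom: bytes, shown: bytes):
        super().__init__(rom)
        self.shown = shown
        self.reads: dict[int, int] = {}

    def read(self, addr: int) -> int:
        if LOGO_START <= addr < LOGO_START + LOGO_LEN:
            n = self.reads.get(addr, 0)
            self.reads[addr] = n + 1
            if n == 0:
                return self.shown[addr - LOGO_START]
        return self.rom[addr]


def boot(cart, cgb: bool = False):
    """Simplified boot sequence: copy the logo out of the cartridge (what
    gets displayed), re-read and compare it with the internal copy, then
    verify the header checksum.  Returns (displayed rows, passed)."""
    shown = bytes(cart.read(LOGO_START + i) for i in range(LOGO_LEN))
    rows = decode_logo(shown)
    for i in range(CGB_CHECKED_LEN if cgb else LOGO_LEN):
        if cart.read(LOGO_START + i) != NINTENDO_LOGO[i]:
            return rows, False          # real hardware locks up here
    if header_checksum(cart.read) != cart.read(CHECKSUM_ADDR):
        return rows, False
    return rows, True


if __name__ == "__main__":
    rom = make_rom(b"HACKED")
    fake = bytes(b ^ 0xFF for b in NINTENDO_LOGO)   # constructed wrong logo
    rows, ok = boot(SpoofingCartridge(rom, fake))
    print("\n".join(rows))
    print("check passed:", ok)
```

Running it prints the inverted bitmap while `boot` still reports a pass, because the verify pass sees the genuine bytes. A plain cartridge carrying the wrong logo fails on both models, but one that changes only the bottom 24 bytes fails the DMG check and passes the CGB one, which is the behaviour the reply above attributes to the "Niutoude" carts.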
It's a little harder for the user and more expensive, but it's possible to load one game's Nintendo logo by inserting its cartridge, turning on the console, and swapping it with the hack game. This also makes it possible to boot into worn down games to see what actually happens there. I tested it myself by inserting 007 Nightfire, turning on my DS, and swapping it with MKSC. I know it's GBA but all 3 consoles in the Game Boy family have the same boot screen function, but the graphic and sound effect are different for each model (minus the GBA's backwards compatibility).
Should've replaced the "Hacked" text with "Hello World"
Reminds me of how the AIM protocol used to request a CRC of a random range of bytes from the official AOL client, making it very difficult for a third party client to use the protocol without bundling or referencing the copyrighted client exe.
It only took 31 years, but it has finally been done.
well, some bootleg cartridges did this back then
Interestingly, a similar hack was demonstrated by Argonaut Games to Nintendo. Normally this would've ended up in a lawsuit, but Ninty was reportedly so impressed by it that Argonaut became one of their partners, eventually culminating in _Star Fox_ for the SNES.
Nice video. Thank you
Nice!
making a mechanism to be able to sue people more easily instead of actual copy protection is one of the most nintendo things nintendo has ever done
I have a Mega Memory cartridge (onto which you can backup game saves) and unless used on a Game Boy Advance, it says "Megamem" instead of Nintendo but it still runs fine! There's also a Smartcom personal organizer cartridge that says Smartcom instead of Nintendo but still boots fine (although I've heard it's not compatible with the Game Boy Advance) and Rocket Games' unlicensed Game Boy Color games say ROCKET instead of Nintendo but again they still run fine!
Bro, you are a genius. You know that, right?
youtube out here guessing my interests again
knows I already watch, and like, liveoverflow and am interested in electronics
A project I may work on once I finish my senior design, would be to make a similar cartridge but build an FPGA onto it... may be a fun way to mess around with verilog and some game boy stuff.
Here from liveoverflow✌🏼
Very nice! subbed.
This was also leveraged by Sony on the PSOne, not the original Playstation that had the wobble track copy protection but the later version, the small one.
The original one displayed whatever logo the disc had, the PSOne checked against a ROM stored logo and if they didn't match, the console didn't boot the game.
I'm jealous of your knowledge, what is your academic background?
You can use an iCE40 FPGA or one of those Chinese $5 FPGAs for the cartridge. It's also possible to load the binaries of a game into the internal block RAM of the FPGA. Or if you're feeling adventurous, add a microSD card slot which you can read from the FPGA.
Yea the problem is getting an ICE40 board with enough IOs and enough RAM - I wanted to try it on one of my ECP5 boards though
Some days ago I bought the Game Boy cartridge breakout port and I want to build something similar to this. I am a newbie with this kind of project and I have a doubt about the forwarder: do you synchronize in some shape or form the FPGA clock and the GB one?
Thanks for these amazing videos!
Awesome video
Well done, awesome dude.
Keep hacking.