Gameboy Color Boot ROM Dumped After 10 Years

An anonymous reader writes "Costis was able to dump the elusive boot ROM from the Gameboy Color by using various voltage and clock glitching tricks. The boot ROM is what initializes the Gameboy hardware, displays the 'GAMEBOY' logo and animation, and makes the trademarked 'cling!' sound effect. Even decapping the CPU had failed previously, but now the boot image and specifics on how it was dumped (along with many photos) are available for download."

Re:Cool

[Xeon3D]

I really love reading about the lengths enthusiasts go to when trying to do this kind of thing. For some reason I had assumed that this had been done already since there is already emulation for gameboy color, right? Can someone explain the significance of this development?

The gameboy bios was also "emulated" before, so this makes the emulation more "realistic". It happens the same with the GBA. While you can emulate games for the GBA without the need for a BIOS file, if you have one, they'll run better \ more accurately (or in some cases, they run instead of not running).

What the ROM does

[BadAnalogyGuy]

So I took a stroll through the binary and here is what it does in a nutshell.

- Catch the wake interrupt
- Resent the CPU
- Power on the LED
- Power on the LCD
- Power on the audio codec
- Copy the Nintendo graphic to VRAM
- Play the Clang WAV
- Initialize the buttons
- Copy game binary to memory
- Jump to game image

Re:Cool

[noidentity]

This allows Game Boy Color emulators to display an authentic intro before running the game, including the palette selection available when running a non-color game. There's otherwise no benefit that I can see. This includes initial register values, since those could already be determined via software. Some of the other initial state, like sound registers set by the boot ROM, is more difficult to determine, so this helped there.

When reverse-engineering hardware, it's nice to figure out every detail, and this was one of the much harder ones to figure out. Decapping usually reveals all, but even that failed here.

Re:Smells Like Primer...

[mpoulton]

Why a few seconds, why not an exact time?

Because that's the degree of precision necessary when working with analog electronics that aren't intended to function as timing devices. Anything more precise would be unnecessary, anything less would be insufficient.

Re:Very short summary of how ROM was dumped

[tangent3]

I believe he also had to short the 3.3V rail to ground during the time the clock is stopped, to randomize the registers values.

Original GB Boot ROM

[NorQue]

Great, been waiting for that for ages. So now we might finally get those original GBC colors for GB games in emulators (and especially the coloring for Metroid 2!). For reference, if anyone is interested, here's the story how the original GB ROM got dumped by decapping the chip holding it and reading out the values with a Microscope: http://www.cherryroms.com/forums/copier-and-hardware-forum/manually-extracting-rom.html?page=2 [cherryroms.com] (two thirds down the pge, the post by nevikisti from Wed, 05/18/2005 - 10:26). Thread itself deals with how they tried to dump the SNES DSP1 chip, but ultimately failed to do so. Currently there's some effort underway by the creator of bsnes to do the same thing: http://byuu.org/ [byuu.org]

Re:Why can you not just read the rom??

[eclectro]

I am not familiar with the specifics of gameboy hardware. But increasingly (like with cellphones) the rom is melded with the cpu and has no external bus exposed. This method worked with the gameboy because it read an external cartridge at some point. Nonetheless, it certainly is an interesting method that certainly would have use elsewhere. He should get some kind of award.

Re:Why can you not just read the rom??

[noidentity]

Why can't you just take the rom chip out of the gameboy, put it in a socket on a computer and just read the rom 1 byte at a time?

Because the boot ROM is built into the custom CPU. The data bus to this ROM isn't exposed on any of the pins; when enabled, it bypasses whatever is being sent to the external data bus pins on the CPU, so that its contents are never seen by the outside world.

A close comparison is the L1 cache inside a modern CPU. When the CPU is reading from it, you can't know what is in it, since the data isn't output to the bus.

Re:I smell double standards

[daid303]

Copyright lasts 70 years, not 10. And you don't need to add a copyright notice to get copyright. If you made it it's yours, under your copyright. If something has no notice/license at all, then it's copyrighted. And then you shouldn't go and copy it.

http://inventors.about.com/od/copyrights101basicsfaq/f/secure_copyrigh.htm [about.com]

Re:What the ROM does

[Dwedit]

NO! There is no "Copy game binary to memory" Stage! These are ROM cartridges which code is executed directly off of, it's not a RAM system which loads games like the NDS.

Re:Why can you not just read the rom??

[Nobo]

The ROM is not on a chip, it's burned into the CPU die itself. There are no memory access lines which reach it. It's only able to be read from within the CPU itself, and there is a CPU register which permanently disables that data path, once that specific register is written to. The last instruction in the boot ROM writes to that register, the boot ROM eats the poison pill, and the next instruction is the start instruction of your cartridge ROM.

The ROM was read out by beating the hell out of the processor electrically, during the exact clock cycle that the poison pill register is written, such that the write gets lost or scrambled, therefore the boot ROM remains accessible for readout.

Next time, RTFA before you ask stupid questions. "+4, Interesting"? Give me a break. Lazy idiot.

Re:Smells Like Primer...

[marcansoft]

Basically, costis attempted the precise method (clock glitching during ROM disable), which didn't work. So he pulled out the sledgehammer (massive clock and power glitching to randomize CPU state). You don't need much accuracy with a sledgehammer.

Re:What the ROM does

[Goaway]

I like how this is modded +5 Informative when it is entirely made up.

Re:I smell double standards

[Mr Z]

I assume you refer to the United States. The US was actually late to the party. The Berne Convention [wikipedia.org] got the ridiculous-copyright-term ball rolling... Disney just gave it an extra push. In particular:

The Berne Convention states that all works except photographic and cinematographic shall be copyrighted for at least 50 years after the author's death

The Berne Convention is also what gives us the rule that daid303 stated, that you don't need to add a copyright notice to get copyright:

Under the Convention, copyrights for creative works are automatically in force upon their creation without being asserted or declared. An author need not "register" or "apply for" a copyright in countries adhering to the Convention. As soon as a work is "fixed", that is, written or recorded on some physical medium, its author is automatically entitled to all copyrights in the work and to any derivative works, unless and until the author explicitly disclaims them or until the copyright expires. Foreign authors are given the same rights and privileges to copyrighted material as domestic authors in any country that signed the Convention.

The US didn't sign on to Berne until 1988. The EU's been on board for awhile, as have many, many other countries. [wikipedia.org] So, yes, you're technically correct that there are some people that are unaffected by the US's copyright protections (or in the case of Nintendo's IP, Japan's). But, a great many places have similar restrictions.

Re:I smell double standards

[JSBiff]

This article is a classic example of why you shouldn't take legal advice from slashdot posts.

Note, I am not a lawyer, but that doesn't mean I can't find credible sources/links which show this guys doesn't know jack nor shit about what he's talking about.

First, yes, as someone pointed out, copyright laws vary somewhat from country to country. However, thanks to treaties, like the Berne Convention [wikipedia.org], which has been signed by most of the world's countries (although, not all the countries necessarily enforce it vigorously) they have become fairly standardized.

For the following statements, I've referenced wikipedia articles (which, I suppose might be wrong, but I have a fair amount of confidence in the accuracy), as well as the US Copyright Office website:

• 
       
• Japanese Copyright [wikipedia.org]
       
• European Copyright [wikipedia.org]
       
• US Copyright [copyright.gov]

1) Copyright is longer than 10 years in most countries, and particularly, in the US, Europe and Japan (50 years for Japan, 70 years for US and Europe). So there is no way this is public domain (note: I am, personally of the opinion that copyright on software *should* be about 10 years, maybe renewable for another 10, but want you or I want, and what is law, are two separate things, and you'd do well to remember that).

2) You don't have to bother to copyright something. In all Berne Convention copyright regimes, copyright is *automatic* at the moment a work is put in a fixed form. So,

"But technically, is it even copyrighted if he didn't submit it to the Copyright Office, or is it just a banner he put there to scare people?"

Yes, to the extent that something he claims copyright on is actually his original work, it *is* copyrighted. Whether he'll enforce the copyright or not, is a different question, which I cannot answer.

Re:Cool

[DuoDreamer]

The gameboy color decapping attempts in 2005 (after the mono was successfully decapped) was a failure because the decapping was done by a student with little experience. I sacrificed a couple gbc units for that effort and one unit for a professional decap/bit stain which cost too much so it never happened. This glitching hack was discussed for many years before someone got the right idea.
This RE effort has rewarded us with info about hidden hardware registers that only the boot ROM uses.

Re:Super Gameboy Support and Emulators.

[DuoDreamer]

There is a hashtable of GameBoy Mono games which are recognized by the GameBoy Color, and it applies a preset color scheme that Nintendo chose to make the game stand out better. Metroid II is a perfect example of this coloring. All of these GBC colored B&W games are run in plain B&W mode, even if they have Super GameBoy features, as the GBC is not a Super GameBoy and doesn't have the same features. There is a disassembled source file to the GBC Boot ROM linked on the dumper's website, with most of it commented and disassembled. (Except the game recognition hashing part, which is still being analyzed)

Re:I smell double standards

[bushing]

There's no well-defined line of what software is expressive (and eligible for copyright) and what software is merely functional. I would argue that this software is merely functional -- there's not all that much code, and there are only a few ways you can write code that performs the same function. It's largely mechanical.

On the other hand, the Nintendo logo is actually contained in the ROM, as part of the protection mechanism. This was probably done as a "copyright/trademark trick" -- the logo is certainly expressive (and eligible for copyright), so in order to make a clone cartridge, you would have to copy this logo.

Unfortunately for Nintendo, Sega tried this trick in court and lost [sonicretro.org] a couple of years later. That court case actually established the precedent I'm alluding to above... a few choice quotes from the decision [digital-law-online.info]:

In some circumstances, even the exact set of commands used by the programmer is deemed functional rather than creative for purposes of copyright. "[W]hen specific instructions, even though previously copyrighted, are the only and essential means of accomplishing a given task, their later use by another will not amount to infringement."

[...]

Sega's trademark security system (TMSS) initialization code not only enables video game programs to operate on the Genesis III console, but also prompts a screen display of the SEGA trademark and message. As a result, Accolade's inclusion of the TMSS initialization code in its video game programs has an effect ultimately beneficial neither to Sega nor to Accolade. A Genesis III owner who purchases a video game made by Accolade sees Sega's trademark associated with Accolade's product each time he inserts the game cartridge into the console. Sega claims that Accolade's inclusion of the TMSS initialization code in its games constitutes trademark infringement and false designation of origin in violation of [...] the Lanham Trademark Act. Accolade counterclaims that Sega's use of the TMSS to prompt a screen display of its trademark constitutes false designation of origin under Lanham Act section 43(a), 15 U.S.C. Section 1125(a). Because the TMSS has the effect of regulating access to the Genesis III console, and because there is no indication in the record of any public or industry awareness of any feasible alternate method of gaining access to the Genesis III, we hold that Sega is primarily responsible for any resultant confusion. Thus, it has not demonstrated a likelihood of success on the merits of its Lanham Act claims.

This legal issue was later revisited in a slightly different form (with mixed results) in Lexmark V. Static Control Components [eff.org] -- however, in that case, there was a lot more code involved than the boot ROM we're talking about here, so much more room for claims of expressive code.