!!Con West 2020 - Lito Nicolai: ba-ding!

Mar 20, 2020 18:51 · 1838 words · 9 minute read

Well, hello! You all hear me all right? Okay. This is ba-ding! I am Lito. I go by litonico_ on Twitter, I work for Destroy All Software. I help run a conference called Deconstruct. If you like !!Con, you might like that one. So hope to see you all in Seattle. This is a story on what happens when you turn on a Game Boy.

00:49 - So this involves a clever and litigious company, trademark law, a microscope, nitric acid, and a very dedicated materials science student. This is a Game Boy. Have you all seen one of these before? They’re a good time. Right? You can play Pokemon Red on them, and also Pokemon Blue, and also probably some other games. And when you turn a Game Boy on, this happens. I think we have audio, I think? We might. The Nintendo logo scrolls down the screen and when it hits the middle, it goes ba-ding. That’s what this talk is about. So what is going on here? Like how does this process work? All of that happens in the boot ROM. Drawing the Nintendo logo on the screen, the scroll – all of that happens in the bootrom which is read-only memory that lives inside the Game Boy’s CPU. CPU does other things, like calculations, and that’s what your game programs to run. So that thing up in the middle, the large chip, it says CPU on it. It’s the CPU.

01:51 - Inside that, there is some read-only memory that is running when you turn on the game. The weird thing is the bootrom has a copy of the Nintendo logo and doesn’t use it. Instead, it reads from the game. It issues a read to the game to get a copy of the Nintendo logo that it then draws on screen and scrolls down. So why is it like that? Well… Turns out this Nintendo logo is a registered trademark. You can tell, because it has a little R in the circle in the corner.

02:24 - And once the Nintendo logo hits the middle of the screen, the bootrom compares: Did you draw the correct Nintendo logo on the screen? So if you did not – it doesn’t even stop or halt using the correct instruction. It’ll just loop forever. If you did draw the correct logo, your Game Boy will go on to play Pokemon Red after it’s compared every pixel in that logo correctly. The reason you do that is so you have a copy of the Nintendo logo in your game, so if they didn’t like your game they could sue you for trademark infringement. Which is a really really clever form of copy protection. They didn’t need to give you a secret key or something.

03:01 - They say: Put the Nintendo logo in your game and if we hate this, we won’t let you release the game. So that’s clever and kind of icky, in a way. That’s the kind of solution you come up with if you have a legal department. But… that’s neat. But that’s not the thing I would like to tell you about. The actual thing I would like to tell you about is: How did someone figure out what the bootrom was? Games are meant to be read from.

03:33 - You can take the game out of the Game Boy and put it in a thing that has the correct pins and issue some reads and it will tell you, all right, that’s a 1, that’s a 0, and you can get the whole Game Boy’s ROM. But the bootrom exists inside the CPU. The CPU’s inputs and outputs are not the bootrom’s inputs and outputs. So what is going on there? In general, not too many people cared. By 2005, this was a minor mystery. If you’re writing an emulator, you’re fine with the whole situation because you write your bootrom to jump right into the game. You don’t need to scroll the Nintendo logo.

04:08 - Besides, it makes it less likely for you to get sued. The Game Boy by 2005 had become the Game Boy Color and then the Game Boy Advance and Game Boy Advance SP and Nintendo DS, and no one was paying attention until someone who goes online by the name neviksti, who was a materials science student at the University of Illinois, Urbana-Champaign, got access in his materials science lab to a scanning electron microscope. He immediately thought: I know what I want to do with this. I want to look at video games. It’s a great thought process. He first started with Super Nintendo chips and he needed to get the resin off the CPU because the silicon was encased in resin. He was going at it with a file, which he quickly learned destroys the whole thing, not just the resin.

05:01 - So he asked a friend in the chemistry department: Could I get some acid? Some strong acid? In fact, he asked: Could I get some hydrofluoric acid to dissolve the chip in? Hydrofluoric acid is a thing that is so corrosive that if you get it on your skin, it will dissolve your bones. His friend told him… No, sorry, absolutely not. In fact, the friend probably used stronger language than that, because chemists know to respect fluorinated compounds. But the chemist friend did give him nitric acid. Nitric acid is not great either. If you get it on your lab gloves as you’re working, your gloves will catch on fire. So people tend to work without gloves.

05:45 - neviksti just took a sample vial of nitric acid out onto the university lawn on a sunny day in May, put it in a pot of boiling water, I guess just on a burner, and dropped in a Game Boy chip, a Game Boy CPU, that someone had sent him. And the nitric acid reacts with the resin and makes a horrible smoke. Probably smelled awful. But he got a beautiful chip decapsulation out of that. This is the actual picture. It’s still up online. This is a Game Boy CPU. neviksti helpfully labeled it with many question marks. The green things are logic units, processors, the red is SRAM, the yellow are question marks, and the blue, the blue is what we’re interested in looking at. Which is the Game Boy’s boot ROM itself. This is masked ROM.

06:39 - Masked ROM is, you start out with a grid of dots of solder, all of which represent 1s and you burn off the places you want to be 0s for the bits. You can make this quickly because you can make a mask of what you want to keep, so it was used in early electronics, often. It looks like this. And you can count out the bits by eye, if you happen to have a scanning electron microscope. So you can see you read it bottom to top, left to right. You can see the first bit at the very bottom is an empty space. That’s a zero. And above that is a one. And it keeps going. I find this really hard to see. This one does not look like a one.

07:19 - It’s like a shadow on the dot of solder that prevents you from seeing it. So neviksti did that by eye, carefully error checking, carefully going through, bead of solder by bead of solder, to read out all of the data on this chip. First of all, that’s not a Z80 instruction. Game Boy Z80 CPU. Or, it’s not a sensical one. It’s a load from a register that isn’t initialized yet to another register that isn’t initialized yet. So something is going on here. I was trying to figure out what the code was running.

07:49 - I was in fact trying to read this whole thing by eye. And you get out a bunch of garbage. It probably means that data is interleaved in some way. I spent a solid couple of days trying to figure out… Is it every other one? Every other row? Eventually I gave up and wrote to someone online: Luna, lunaSorcery on Twitter. Go follow her for good tweets about computers. And she figured it out within an hour. Wow. Good job. Stan Luna. Here’s what Luna figured out.

08:20 - So we read this all – the entire chip – from bottom to top, left to right. And I’ll just show you the data. Each block after each block. You can kind of see across the top there delineations there, which is one block of data. This whole thing is 256 bytes. Here’s the first block. And Luna discovered that you read the top right bit of every other block, and then for the next byte, you take the ones that you didn’t read the last time, and moving left from there. So we’ll read it out. Here’s a zero on the top right. Then skip a block. A zero. Skip a block. One. One. Zero. Zero. Zero. One. Skip one. And that is a Z80 instruction. That’s hexadecimal 31, which is ‘load the stack pointer’, to a 2-byte value, which is exactly what you want to be doing when you start a computer. You want a stack to work with. And neviksti figured this out just by looking at pictures that look like this. Looking through a microscope. It looks like this.

09:26 - Now, there’s a section in the Game Boy emulator developer’s wiki about this. And the impact section starts: “Apart from amazement…” I love that. I hope someday I do something so neat that in the end, the impact section of Wikipedia goes… Well, first, it was cool. And then goes on to say: That feature is now included in several emulators. Unfortunately, doing this is probably too hard now. Devices no longer use masked ROM, because it’s very big. People use NAND ROM, which… You could look at it, but it would take a really long time, and ROM is much larger now. But the moral of the story is you can learn a lot from a computer by looking at it. And there are still researchers who take this approach! There are still security researchers who are able to read data from chips by looking at them under a microscope. It’s a very invasive form of penetration testing. You need to take the computer apart. But people still take this approach.

10:30 - Also, if you’re interested, the original Cherry ROMs thread about this is extremely funny, because it’s a mix of people who really know what they were doing and really don’t know what they’re doing at the same time in the same person. People correctly identifying… Man, we could get this if we had a scanning electron microscope. Do you think we could buy one from eBay? Thank you! That’s all I got. I’m Lito.