Gameboy Genius

How to patch LSDj to use an inverted palette

This article was originally posted on September 19th, 2009 and has now been revised to use BGB instead no$gmb as a debugger. However, the things described here are mostly irrelevant now, because the standard method of installing a backlight these days is with a biversion, i.e. a hardware inversion. It may still be interesting for educational purposes.

Yesterday Three years ago axolotl asked on 8bc whether it is possible to invert the monochrome palette in LSDj, for use with backlit screens with an inverted polarizing foil. And it’s very much possible to do, and it’s even possible to modify an existing ROM image. So, I’ll show you how I did it using a copy of the LSDj ROM, BGB, and optionally a hex editor. I’m using XVI32, but any hex editor would do.

The palette value is change by a hardware register, which is a place in memory that a Gameboy program can be write to, to change things. So I look it up in the Pan Docs, which is a manual to the Gameboy hardware. Let’s look in the section LCD Monochrome Palettes. There we see that the address is $ff47 in hexadecimal and how the value is constructed.

For this tutorial, right click the BGB window and choose options (or press F11), go to system and choose the Gameboy option. This will run the ROM in DMG mode, which is needed to find where the palette change happens. Open the ROM image, press esc to go to the debugger and open Debug>Access breakpoints and enter FF47 and make sure “on write” is checked. This tells the BGB to track any writes to that address so we can find the place where the palette is initialized and change it.

Click ok and press F9 to begin execution. (Or reset the emulator)

BGB stops and show a bunch of machine instructions. The interesting part is the instructions at 019C and 019E. The instruction at 019C takes the hexadecimal value $E4, stores it in the CPU register A then writes it to the hardware register $FF47. This is the code we’re looking for. The value $E4 is the standard palette. Go back to pan docs and check again how the value is constructed.
Then let’s split the value into its individual colours.

$E4 = 11 10 01 00

11 is the lightest palette value and 00 is the darkest. Since want to invert the palette we’ll reverse the order.

      00 01 10 11 = $1B

Great. You may now right click the line at 019C, choose modify code and enter ld a,1B. The line that said ld a,E4 should now say ld a,1B. Choose run, reset to confirm that the palette is inverted and that LSDj doesn’t crash or anything. You may now go to file, save ROM as and save the file anywhere you want, preferably with a new file name.

Alternatively, you can use a hex editor to edit this value. This part of the tutorial was left unchanged from the first version, because no$gmb can’t save changes made to a ROM and thus needed a hex editor to modify the file.
Open the hex editor and replace the $E4 at position 019D with the value $1B. This address will vary depending on LSDj version.

Lastly, open the ROM in an emulator to confirm that the modification worked.

Posted in LSDj, gameboy | 11 Comments »

Korg monotribe Firmware 2.0 analysis

As has already been established, Korg monotribe is MIDI capable. Howver, it is still limited with regard to certain things, such as being able to use more than 8 seqeuncer steps for the synth part or using a filter envelope separately from and LFO. All things that should be very much technically possible on the microcontroller device in the unit. One thing I’ve considered is to modify or even rewrite the firmware of the ‘tribe. Apart from the obvious work of actually rewriting the firmware, you need a way of flashing it onto the device. And preferably a copy of the original firmware, so the ‘tribe won’t be a useless brick until development is done. The microcontroller in the monotribe does support JTAG, a protocol for reading and writing firmware data, among other things, but this function may be locked down for security reasons.

Korg recently announced the 2.0 firmware for the monotribe, which actually gives you 16 step, velocity control and a few other new features. More full information and download available on Korg’s homepage.

But what’s interesting about this upgrade is how you install it. You hold a secret key combo of three buttons on startup to go into upgrade mode, and then play a special audio file into the sync jack to perform the actual upgrade. This is potentially an easy way to hack the firmware of the monotribe (although with the same risk of bricking.)

Below, I’m posting the first step towards that goal, to extract the firmware image from the audio file. First, a big thanks to Th0mas for doing the initial groundwork of figuring out how the data is encoded. In fact, my code below below relies on having a transformed and cleaned up version of the audio data.
Read on…

Posted in Uncategorized | 6 Comments »

Untitled installation featuring Shitwave

An untitled collaboration between Simon Mattisson and Marcus Olsson. A Gameboy in a dark room is overclocked until it crashes. I’m almost getting Saw vibes from this. The Gameboy is modded by NeX and is actually being overclocked. The sound is produced by Shitwave.

Untitled from _-_- on Vimeo.

Posted in Uncategorized | No Comments »

Wireless monotribe MIDI

Made by a Japanese person using the name air_variable. He’s using an XBee for wireless serial communication. This just gives you a serial line, which can be interfaced over USB. This is not real MIDI, but you can use a serial to MIDI converter for this. For example, BlipBox MIDI serial or Spikenzie Labs Serial MIDI. Or why not Korg’s (!) PCIF-NT driver, as suggested in Lady Ada’s MIDI Zigbee tutorial. There are even more serial MIDI converters if you use Google.

Source: air_variable posts tagged monotribe (Japanese)

Posted in monotribe | No Comments »

500 infernal terror!

My webhost recently started moving their customers to their new generation of servers, running LiteSpeed. This has caused me some grief the last few hours. One of my sites consistently showed a “403 access denied” error, seemingly no matter what I tried to do to remedy the problem. With some hard trying, I managed to make it display a “404 not found” instead, still seemingly randomly.

It turns out there were two problems, both most likely caused by buggy interpretation of .htaccess files by LiteSpeed. The first problem came from these two lines:
Allow From All
Order Allow,Deny
As it turns out by experiment, LiteSpeed handles these statements differently from Apache. Apache will start off by making a list of all the applicable rules, and then evaluating them in the order specified in the Order statement. In this example, first all Allow rules will be evaluated, then all deny rules. If there are any matches, Deny will take precedence since it’s last in order. If there are no matches, Deny will also take precedence since it’s the second argument. Of course, in this case everyone will be allowed since there’s an Allow From All statement, unless there are matching Deny rules. This is well documented in the Apache manual and (hopefully) well understood by web developers.

LiteSpeed on the other hand is dependent on where statements are placed in the source code. In the above example, the Allow From all statement is ignored, or possibly overridden by some implicit form of Deny From all. Not really sure… Moving Allow From all to after the Order statement will make it work. Also, changing the Allow statement to something more specific, like Allow From 1.2.3.4 but still placing it before Order will suddenly make it trigger. Not sure what’s up with that. Perhaps the LiteSpeed authors are trying to make it work how they think people think it will work. Or maybe they’re trying to do some optimizations by trying to abort the evaluation of the file as early as possible. Or maybe they just don’t know how these rules are interpreted by Apache. In any case, fact of the matter is that it doesn’t work as it is supposed to.

The next problem is how LiteSpeed handles errors in .htaccess files. It seems like whatever you do, you can’t get a 500 internal error from LiteSpeed if your .htaccess rules are incorrect. Completely invalid rules will be ignored, whereas as they would give a 500 internal on Apache. Malformed rules will give you a 404 not found instead of a 500 internal error, making it difficult to pinpoint the exact error. I’m not sure if this is a “feature” of LiteSpeed so they can say that their server will never have internal errors, or if it’s a secondary error similar to the “Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request” errors that you sometimes see on badly configured Apache servers.

The culprit this time was the following rule:
RewriteRule ^(.*)$ wiki/index.php?title=$1 [PT,L,QSA,B]
LiteSpeed apparently doesn’t support the B modifier (escape characters like & when building the query string) which caused the server to barf. However, since what I got was a 404 error, and not a 500, I thought the rule somehow rewrote the URI to something that didn’t exist. It was not until I replaced the B with a bunch of random characters that I understood what was going on.

All in all, all of this may not seem like a very tough nut to crack, but there’s more. For some reason, an index.html file had its permission mask set to 400, or r——–, which in UNIX persmission terms means that the file will only be readable by its owner, and not by users in the same group, or “anyone”. This was a placeholder page that the web host had put their, but I’m not sure how it got that permission mask.

When the rule works as it should, the root URL http://packetsofknowledge.se/ should be rewritten to the MediaWiki index.php. However, when I tried simply deleting/renaming my .htaccess, I still got a 403 because of the permissions of the index.html. However, since I hadn’t noticed that, I assumed at that point that the issue maybe wasn’t .htaccess related.

To summarize, when you have different error sources, the number of ways something can fail increases exponentially.

Posted in Uncategorized | No Comments »