Fringe of Emulation: Glucoboy
Fringe of Emulation: Glucoboy
. . . . . . . . . . .
A Poor Prognosis
The Recreation Boy handheld platform served as many issues over time, due to a wide selection of equipment. It was a digicam. It was a printer. It was a sonar. It was a barcode reader. It was a music participant. It was a film participant. It linked to cellphones, videophones, stitching machines, TV remotes, PC modems, toys, and racetracks. Recreation Boys had been seemingly able to doing every little thing and something conceivable, particularly when accounting for unlicensed third-party {hardware}. Nonetheless, there was one space that it by no means actually explored: the medical area. Some could level out the PediSedate because the earliest instance of a Recreation Boy medical gadget, nonetheless, it has been sensationalized over time on numerous blogs and articles. In actuality, there was nothing Recreation Boy-specific concerning the PediSedate in any respect, and it was marketed as working with something with a 3.5mm jack, together with CD gamers.
The primary true medical gadget for the Recreation Boy did not seem till very late within the GBA’s lifetime. On November 14, 2007, an Australian firm known as Steering Interactive launched the Glucoboy. This specialised recreation cartridge doubled as a glucose meter. By inserting testing strips on the prime, its {hardware} would analyze the blood pattern and report the outcomes to the person. The Glucoboy was meant to help diabetic kids, utilizing video video games as an incentive to recurrently check themselves and hold their glucose inside wholesome limits. Paul Wessel invented the Glucoboy after observing his personal diabetic son, noting how he at all times carried round his Recreation Boy. From there, Wessel got here up with the concept of integrating a glucose meter right into a cartridge and utilizing software program to reward children when taking part in video games. After designing and patenting his work, the Glucoboy was born.
Effectively, nearly born. Wessel tried for years to get Nintendo’s approval and make it an formally licensed product. The Japanese firm initially balked. A part of the explanation could have been Nintendo’s unwillingness to open themselves as much as any potential liabilities if the Glucoboy didn’t work or had been misused. They could have additionally been delicate to the optics of a malfunctioning Glucoboy resulting in somebody’s harm or sickness. Compounding all of this was the truth that juevenile diabetes could be very uncommon in Japan, making a type of cultural barrier. Ultimately although, Wessel lastly managed to persuade Nintendo to provide their blessings to the mission. The delay was fairly excessive. Information of the Glucoboy’s plans date again to late 2004, nearly 3 full years earlier than it hit the market! By that point, the Nintendo DS was already dominating cell gaming, and the GBA was on its means out.
When it launched, the Glucoboy was unique to Australia. In response to Wessel, some 70,000 items had been bought. The German pharmaceutical large Bayer took be aware of what was occurring and sought to purchase Steering Interactive. Their aim was to convey a more moderen worldwide model of the Glucoboy to the DS. They did simply that and launched the Bayer Digit in April 2009. Sadly, Bayer seized and destroyed any unsold inventory for the Glucoboy. It was a tragic mistake by way of online game preservation, however a logical captialistic manuever for the corporate. They doubtless did not need the older Glucoboy to remove from any future gross sales of the Bayer Digit. Additionally they in all probability needed to keep away from any shopper “confusion” about two comparable units.
Because of its restricted launch in Australia and the next annihilation of some copies, the Glucoboy turned an extremely uncommon Recreation Boy accent. Over the course of a decade-plus, the {hardware} proved extraordinarily elusive. Nobody appeared to have any photographs of it. Nobody appeared to even have come throughout any present or previous auctions. The ROM had by no means been dumped, so far as the web at massive was involved. Proof of the Glucoboy’s existence turned so onerous to come back by that a number of recreation collectors thought it had by no means hit retail cabinets in any respect. It was successfully deemed “misplaced media” by the group, as any data associated to the {hardware} was wrapped in pure thriller. It wasn’t till 2018 that recreation historian Kelsey Lewin managed to contact Wessel and acquire gameplay footage for a quick documentary on the Glucoboy. Even so, the sport and cartridge remained inaccessible. For a time, it seemed as if this distinctive a part of the Recreation Boy’s historical past would by no means be recovered…
A Panacea Arrives
The Glucoboy’s scenario introduced a reasonably difficult dilemma. My final aim is to emulate each formally licensed piece of {hardware} for the Recreation Boy platforms. The query right here is how does one emulate one thing nobody appears in a position to get their fingers on? It is one factor to solely have entry to the ROM. The software program alone sometimes acts like a blueprint for the way the {hardware} ought to operate. For instance, LIJI32, creator of the SameBoy Recreation Boy emulator managed to assist the unreleased WorkBoy, regardless of not gaining access to precise {hardware}. All that was vital was a peek on the ROM right here and there. Nonetheless, with the Glucoboy, not even that a lot could possibly be performed. As talked about above, at this level, the Glucoboy’s ROM merely wasn’t accessible to anybody. Simply gaining access to that knowledge would have been sufficient for me to determine how the {hardware} works. I even said this explicitly on Reddit some years ago:
If I may get my fingers on it, it would be emulated, I assure it. … Theoretically, I would not even have to bodily have the Glucoboy. Quite a bit could possibly be reverse-engineered if we simply had a ROM dump of the cart and an image of the within elements.
I used to be adamant about holding my phrase. Give me the ROM and the Glucoboy was nearly as good as emulated, easy as that. However, I did not get that probability, at the very least not immediately. Slowly over time, small bits of information on the Glucoboy started to emerge. After Lewin’s video, a streamer often known as TheKBLife played some of the Glucoboy’s games as a part of the Further Life 2018 charity occasion. Evidently, that they had labored on the recreation studio chargeable for creating the software program, so it made sense that that they had entry to the ROM. Sadly that knowledge wasn’t extensively shared or leaked. In early 2022, I acquired a number of high-resolution photographs from somebody acquainted with Lewin that confirmed the Glucoboy’s PCB. Apparently the Video Recreation Historical past Basis (VGHF) had contacted somebody with an precise Glucoboy. They’d tracked down this particular person and had been within the lengthy strategy of verifying issues. Right here was absolute proof that the {hardware} did exist; opposite to what some believed, folks had their fingers on items Bayer had not eradicated.
I assumed the VGHF would launch the outcomes of their work when it was prepared, so for many of 2022 I targeted on dealing with {hardware} I at the moment had entry to: the Advance Film Adapter, the GBA Jukebox, the Magical Watch, and another odds and ends. As 2023 rolled round, I used to be starting to get a bit nervous, nonetheless. My notorious Triforce of Terror was mainly all that was left when it got here to emulating every little thing on the GBA. Each the Play-Yan and the Campho Advance had been being reverse-engineered and documented fairly completely. The Glucoboy remained the one one left behind by way of analysis, since I had nothing to work with. Reality be informed, the Glucoboy was one of many hardest chapters to jot down in my ebook, Peripheral Imaginative and prescient, given the relative lack of supplies. I began to marvel if we might ever see any significant progress on digitally preserving one of many oddest Recreation Boy cartridges ever made.
Fortunately, proper on the finish of Could that 12 months, the VGHF shared the fruits of their labor. As I perceive it, that they had an analysis unit of the Glucoboy of their possession, they usually needed to find out whether or not or not it was the identical as what was bought in shops. That’s to say, every little thing needed to be checked out and authenticated. Actual preservation work requires some quantity of investigation, in spite of everything. Whereas the wait was a bit worrisome on my finish, I do admire being thorough and meticulous. At any charge, in the end, a totally purposeful ROM for the Glucoboy was accessible. Somebody had helpfully uploaded it to the Web Archive for all to entry, and now I may hold my promise and get this factor emulated.
Earlier than moving into the method of dissecting and analyzing the ROM, I would wish to take a second to speak a couple of critical topic regarding online game preservation. For each single Fringe of Emulation article thus far, I’ve at all times had the required supplies available. Regardless of how uncommon or unique, I managed to seize a replica myself, and in some instances I have been in a position to depend on cooperation from others on-line. The Glucoboy was a completely completely different case. Procuring it for any type of testing was doubtless past me, so I could not simply go on and make my very own dump. I would must depend on *gasp* downloading a ROM from the web. Now, personally, I do not discover something morally flawed about doing that. It isn’t like I am attempting to promote a bundle of ROMs on some low-cost Android TV stick or one thing to make a fast buck. There is a legitimate instructional and tutorial function right here: to doc how the Glucoboy works and guarantee emulators can protect that have lengthy after the {hardware} disappears.
Sadly, copyright and mental property legal guidelines (at the very least within the U.S.) are fairly rigid on the matter. Whereas it appears clear to these of us concerned with online game preservation that individuals ought to have entry to older works for analysis, downloading ROMs in such instances has not been confirmed Honest Use in any courtroom over right here. Ideally, we might have one thing like a digital library the place validated customers are granted entry to preserved recreation knowledge. After I was in faculty, I keep in mind getting blanket authorization to tons of pay-walled papers and databases just by being a college pupil, so I see no purpose why one thing comparable should not exist for different revealed media. Why even cease at video video games too? Let films and music in there as properly.
In fact, that is not the world we reside in. Far too many corporations are preoccupied with wringing each final (largely imaginary) greenback and cent out of their stock, even when their stuff was revealed 10, 25, or 50 years in the past. The very considered dropping any “potential revenue” sends each bean-counting swimsuit with an MBA into a chilly sweat, in all probability. It is an industry-wide perspective that favors most cash above all else, even frequent sense. There is not any indication that giving researchers entry to older video video games would imply corporations would see a sudden drop in income. Most of those video games can be found secondhand, that means no cash would get transferred to Big Media Corps anyway. And within the case {that a} recreation is uncommon and costly on the used market, researchers have been in a position to flip to “unauthorized copies” of video games since, properly, perpetually. Even so, teams just like the Digital Software program Affiliation have fought against DMCA exemptions for remote access to archived games.
With the Glucoboy, we have now a scenario the place somebody is attempting to review the {hardware} and software program to maintain its historical past alive. There is not any means I would be capable of get my fingers on this factor any time quickly, so distant entry, resembling getting a replica by means of the Web Archive or another repository, could be a good way to realize this. Regrettably, the legislation would not enable for that, and a few of us with the ESA suppose that may result in undue piracy (ignoring the truth that undue piracy occurs elsewhere on a regular basis). It will be nice to have a legit technique of probing the Glucoboy, however copyright, notably the DMCA, is inflexible over right here, and firms at all times acquired cash on their thoughts. However, I am merely not keen to let the Glucoboy fade away into obscurity, so for me there was just one factor to do. I am certain everybody can guess what that was.
A Routine Proceedure
Shifting on, with the Glucoboy software program available, I began digging into the mysteries contained inside. The primary order of enterprise was to simply see what occurred when my emulator tried to run it. A lot to my aid, the Glucoboy booted with no points. There’s at all times the prospect that such units could require emulation of huge parts of the {hardware} so as to show any graphical output. The Advance Film Adapter was maybe probably the most infamous instance of that type of conduct. Fortunately, that was not the case this time. Finally after a number of firm logos, the Glucoboy got here to a display screen ready for person enter. Upon urgent the Begin button, the Glucoboy tried to retrieve one thing known as Glucose Reward Factors or extra merely often known as GRPs. These factors got to kids once they recurrently examined their glucose ranges and stayed inside acceptable ranges. GRPs acted as a type of in-game forex that would solely be gained by means of a wholesome way of life.
By some unknown means, the Glucoboy was attempting to entry some type of knowledge. At this stage of the reverse-engineering course of, I had no thought what it was doing. At any charge, the Glucoboy returned an error after a number of moments, as nothing was correctly emulated. Even so, the software program let me entry the principle menu the place I may create a personality and begin exploring the precise recreation. Gamers would discover themselves in a bed room with an arcade machine, a recreation console, and a poster of a clown. These contained 5 video games in all. Misplaced Star Saga was a full-fledged sci-fi RPG, whereas Knock’em Downs was a top-down carnival-themed motion recreation; these 2 comprised the majority of the Glucoboy’s leisure. The opposite 3 had been shorter minigames. Photo voltaic Wing was a horizontal shooter, Plexus was much like Breakout, and Raccoon Rancher was a puzzle the place gamers needed to separate raccoons with a controllable fence. Yeah, that final one is… it is undoubtedly completely different, and surprisingly difficult.
When beginning a contemporary new recreation, solely Knock’em Downs was initially unlocked. The opposite 4 required gamers to build up and spend GRPs. Sadly, GRPs weren’t instantly accessible with out emulating the {hardware}. At first look, it could look like these video games are misplaced to us until we all know how the Glucoboy actually works. Nonetheless, the save knowledge in EEPROM can simply be hacked to provide gamers free GRPs. Moreover, modifying values in RAM through cheat codes can obtain an analogous impact. Final however not least, there’s a legit technique to earn GRPs with out emulating the Glucoboy or utilizing hacks. From time to time, if the participant idles within the bed room for some time, a quick 3-choice quiz will pop up. These are at all times associated to diabetes, resembling greatest practices for sustaining good glucose ranges to trivia resembling which pop stars and film celebs (circa 2007 anyway) had been diabetic. Every quiz nets the person a small quantity of factors. Utilizing an emulator’s turbo/unlocked pace mode and save states, anybody can collect factors in an affordable timeframe.
Given all of that, the Glucoboy’s video games had been readily accessible. Nonetheless, emulating the Glucoboy would be sure that nobody wanted to resort to such measures. It was time to take a more in-depth have a look at how the software program interfaced with the {hardware} to acquire GRPs. Going again to the display screen the place the Glucoboy tried to learn GRPs, I used my emulator, GBE+, to scan for any suspicious addresses learn from or written to. There solely appeared to be one positioned at 0xE000000
. At first it wrote the worth 0x00 to this location, maybe as a way of resetting a few of the Glucoboy’s {hardware}. Then it wrote the worth 0x20 and… did completely nothing else. This sort of set off a number of alarms in my head. Some type of I/O was being written, however nothing was being learn. The Glucoboy could not get any GRPs if it wasn’t studying something. My fast speculation was that the Glucoboy was ready for one thing, some type of sign, perhaps an interrupt… generated by the cartridge…
At first I did not wish to consider it. This was the work of my most feared enemy: the Recreation Pak Interrupt. As I defined beforehand in my final article concerning the Play-Yan, Recreation Pak interrupts mainly give the cartridge free license to do all types of issues. The situations for triggering that interrupt could possibly be something. The cartridge may anticipate numerous bits of information earlier than or after a Recreation Pak interrupt fires. It is only one large headache should you’re attempting to determine how a chunk of {hardware} works, particularly when there’s zero documentation available. I manually confirmed that the Glucoboy used Recreation Pak interrupts by taking a look at what interrupts the software program had enabled, and certain sufficient there it was. To say the least, I used to be ready for a protracted, onerous combat.
Luckily, that combat by no means got here! The Glucoboy makes use of Recreation Pak interrupts in a quite simple means. Basically, any time the software program reads or write to 0xE000000
, it waits for a Recreation Pak interrupt. The interrupt itself appears to alert the sport code when the cartridge is able to ship or obtain knowledge. It is utterly completely different from the Play-Yan, and it is about as primary as you may make one thing like this. I used to be in a position to breathe a sigh of aid and reclaim a small fraction of my remaining sanity.
With the Recreation Pak interrupt out of the best way, I shortly hacked collectively some code in GBE+ that may enable it to course of these IRQs at any time when. After this, I let the Glucoboy run by itself to see what sorts of reads and writes it made. Altogether, the software program accessed 0xE000000
over 120 instances, however no different reminiscence location was ever touched. It appeared that each one knowledge getting into or popping out of the Glucoboy was restricted to a single I/O register. Usually I might have anticipated extra, however typically it is simply simpler to design and develop {hardware} like this. In any case, it vastly simplfied emulation as properly. I made a decision to call this register GLUCO_CNT, brief for Glucoboy Management.
There was an instantaneous and apparent sample to the reads/writes to GLUCO_CNT. The Glucoboy would at all times write an 8-bit quantity, then it might learn both 4 instances or simply as soon as. These 8-bit numbers appeared to be some type of index, a price that the Glucoboy would obtain when it was speculated to lookup particular knowledge. For instance, if the software program needed to learn again the participant’s present GRPs, it might use one index. Different knowledge, such because the participant’s present streak of days with wholesome glucose stage, would use a special index. The info saved in every index was evidently both 32-bit or 8-bit, which defined why the Glucoboy did 4 reads or 1 learn. In any case of those reads and writes, the principle recreation by no means touched GLUCO_CNT in any respect. No matter knowledge the Glucoboy needed, it was grabbed shortly after boot. The query now was what did every index signify?
Medical Trial and Error
It was time to interrupt out considered one of my favourite instruments when working with software program: the outdated spray and pray methodology! The thought right here was to alter values randomly and see how that affected the sport. For this operation, I solely needed to deal with every index. When the Glucoboy requested an index’s knowledge, I returned no matter quantity I may smash on a keyboard, then noticed how that modified something when working the software program. The primary 3 indices I attempted manipulating did not appear to do something in any respect, it doesn’t matter what I modified them to learn. Unusually, I tracked the place these values had been saved in RAM, and the Glucoboy appeared to disregard them solely. They weren’t used or referenced in any capability.
This was fairly curious conduct, however I reasoned that it was in all probability studying knowledge from the Glucoboy that wasn’t related to any precise gameplay. It was probably studying knowledge just like the real-time clock, which the Glucoboy solely used internally to verify blood testing was performed continuously. The sport itself solely wanted to know if GRPs had been rewarded, and if that’s the case how a lot. There was additionally the chance that it was studying outdated debug info that was vital throughout improvement, however for a retail launch it was non-essential knowledge. In any case, I had no thought what these mysterious indices did as a result of that they had no seen affect on the software program.
Luckily, the subsequent collection of indices had been utilized by the sport. Altogether, there have been solely 4 indices that the Glucoboy actually cared about. Every day GRPs Earned represented the quantity of GRPs earned for a given day after the participant had examined themselves. Bonus GRPs Earned was an additional quantity of GRPs earned for consecutive days of sustaining good glucose ranges. Present Variety of Good Days was the variety of days the participant had maintained this good streak. Variety of Good Days Till Bonus Rewarded was the remaining days gamers wanted to keep up a streak till they acquired a bonus. These values may all be checked in-game when the participant moved to a piggy financial institution of their digital bed room. When testing numerous values, this characteristic made it clear which indices managed which properties.
All of those indices had been 32-bit, so they might comprise some pretty massive numbers. The Glucoboy’s software program handled them as signed values, and it solely registered optimistic values. The utmost allowed for every class was 2147483647. Think about taking part in with the Glucoboy for therefore lengthy that you just managed to keep up a streak of… 5.8 million years of wholesome glucose ranges! Cannot wait to see somebody do a “Let’s Play” of that! These 8-bit indices, nonetheless, appeared to have a totally completely different function. So far as I may inform, they acted as binary flags. Any non-zero worth triggered the Glucoboy to freeze when studying GLUCO_CNT and ultimately return an error after timing out. No matter they had been, these indices needed to maintain a price of zero, in any other case it might abort studying GRPs altogether.
The final index was additionally a little bit of a puzzle. Not like the others, the Glucoboy truly wrote knowledge to it as a substitute of studying from it. The Glucoboy wrote 6 bytes each time, and all in all, it accessed this index 10 instances. I had no clue what the Glucoboy would want with all of that enter. However, the Glucoboy by no means truly learn knowledge from that index, so it mainly had no impact on the software program. It felt as if half of the Glucoboy’s indices weren’t getting used in any respect. I questioned simply how a lot knowledge actually wasn’t helpful for the principle recreation, or how a lot debug info had been dropped. I could not do a lot about it as I did not have the {hardware} in entrance of me.
Nonetheless, I had lastly found precisely how the Glucoboy learn and used GRPs. This was a very powerful info, in spite of everything. With that, an emulator may artificially generate as many GRPs because the participant needs. It may dole out factors like sweet and immediately unlock each recreation in a single fell swoop. With 2 billion GRPs available, gamers may additionally purchase as many in-game gadgets as they needed. Now, all of this seems to be like dishonest (and, properly, it’s), however it’s additionally breaking down boundaries so folks can simply expertise the Glucoboy’s video games. The important thing factor right here is that the glucose testing {hardware} is not required, so present and future avid gamers can perceive what it was like taking part in masterpieces like Raccoon Rancher. For preservationists and online game historians, the Glucoboy turns into way more accessible to review, analyze, and touch upon. And final however not least, everybody features a bit extra perception on the {hardware} itself.
Realizing how the GRPs labored, I shortly applied a means for GBE+ to insert its personal values from the person. By studying knowledge from its .ini configuration file, GBE+ may put any worth it needed within the 4 indices talked about above. In doing so, the Glucoboy was now technically emulated! Gamers had full management of their GRPs and will discover every little thing the Glucoboy needed to supply. General, the entire course of was extremely simple so far as reverse-engineering goes. There weren’t many surprises. It solely took me a few hours over the course of three days to get every little thing in GBE+ setup. It was one of many best and quickest tasks I would labored on. Even so, it was type of enormous aid. Cartridges with particular {hardware} can usually be absolute nightmares. I anticipated a protracted, onerous battle with the Glucoboy, however every little thing went very properly. To see one of many final undocumented GBA cartridges fall so shortly and easily felt nice. Generally you simply do not wish to take care of overly difficult units and take a pleasant, fulfilling win.
Remission and Relapse
Regardless that the fundamentals of the Glucoboy had been now emulated, I nonetheless could not assist however really feel there ought to have been extra to its story. For one thing that had proved so elusive, I figured it might at the very least have some extra secrets and techniques left inside. As one of many notorious members of the Triforce of Terror, I anticipated a bit extra intrigue. It was fairly anticlimatic, actually. There simply needed to be one thing extra…
In fact, there have been loads of unknown indices. Their function remained obscure and inscrutable. The Glucoboy’s software program handled them as in the event that they did not exist in any respect after accessing them. Not figuring out what they had been speculated to do bothered me. It meant that, although the peripheral labored through emulation, there have been nonetheless parts of its {hardware} that we merely did not perceive, particulars which may disappear if all of the world’s Glucoboys ever stopped working. To me, it had been as if the job was solely half-finished. However how precisely would I be capable of probe these unknown indices with out having a Glucoboy myself? The software program was my solely information, and it revealed nothing, or so it appeared at first.
Some months after I had added assist for the Glucoboy in GBE+, I returned to my analysis and determined to take a peek on the ROM. Out of curiosity, I ran the strings
Linux command on the Glucoboy’s ROM. This command pulled each identifiable ASCII string from the file; I redirected its output to a textual content file for additional evaluation. Trying by means of a binary file’s strings is usually a great way at piecing collectively a bunch of clues concerning the software program which may in any other case stay hidden. On many occassions, strings can be labels for textual content and menus, and even messages used for debugging. It may expose a number of inside naming schemes which will go unused or unnoticed when truly working the sport. When searching for tips on how sure software program capabilities, its an excellent first step.
Now, pulling ASCII strings is not excellent. The method would not distinguish what’s an actual phrase versus random bytes that occur to map out to readable ASCII characters. So whereas it may discover strings like “GLUCOBOY”, it additionally finds rubbish knowledge like “Mhyhp(y(phzhq(z(qi{ir({(r”. All the strings require guide evaluation to find out what’s nonsense and what’s truly noteworthy. There is not any assure that something helpful will flip up, however until that knowledge is checked, nobody will ever know. I began skimming over dozens and dozens of traces within the textual content file holding the strings. Most of it was ineffective noise, however I quickly discovered one thing that basically captured my eye.
There was a gaggle of readable strings with values resembling “CLEAR REG”, “WRITE REG”, and “READ REG”. I assumed they had been all in reference to memory-mapped registers or one thing alongside these traces. It appeared to trace at some type of {hardware} conduct, and by the seems to be of all of the printf sort fields like %d
, %s
, and %x
, I guessed these strings had been used for debugging. Extra importantly, nonetheless, I stumbled upon the next record:
DATE
FLAGS
SERIAL
DAILY POINT
BONUS POINT
GOOD DAYS
DAYS LEFT
LD THRESH
GAME STATS
Now, those like “DAILY POINT” and “BONUS POINT” referenced the identical indices I had beforehand studied, those the Glucoboy used to learn GRPs, bonuses, and calculate when to reward bonuses. The remainder of the stuff, nonetheless, I had no thought what they had been. My first ideas had been that they corresponded with the unused indices from the Glucoboy’s boot course of. These identical strings appeared collectively once more within the Glucoboy’s ROM, additional reinforcing this concept.
System Date
{Hardware} Flags
Serial Quantity
Every day Factors
Bonus Factors
Good Days
Days Left
LD Threshold
Recreation Stats
So, it appeared that these different indices had been reserved for info such because the Glucoboy’s RTC, some flags indicating the standing of varied bits of the Glucoboy’s {hardware}, a serial quantity, some type of threshold, and one thing else associated to gameplay statistics. Whereas it was good to have some labels to connect to those beforehand unnamed indices, there was no info on what these values did or what kind of format they had been anticipated to have. For instance, the System Date was a easy 32-bit quantity, however how did that translate into an precise measurement of time? Was it a Unix timestamp, or one thing else solely? What was the legitimate vary of years (2000 to 2099, or 2000 to 3000, or 2000 to 2030)? Did it take only a calendar date, or did it additionally embody particulars like hours, minutes, and seconds? And which bits affected which classes?
As soon as once more, most of these questions could be readily answered by probing the {hardware} itself. Since that is not an choice, the software program has to behave as a blueprint. Nonetheless, it wasn’t clear that the software program made use of those indices in any capability. With the presence of those strings although, I suspected that there needed to be some debugging code left behind by the builders. It was doable that the strings merely hadn’t been deleted however the precise code was lengthy eliminated. The one technique to know for certain was to dive into the ROM and have a look at the place the strings had been positioned.
Because of Ghidra, a device able to selecting aside all method of binary blobs and analyzing their programming, I used to be in a position to observe down the precise spot the place the strings occurred in addition to the code that used them. After briefly skimming by means of a number of directions, I noticed that my assumptions had been appropriate. The code right here was used for debugging! This a part of the Glucoboy’s ROM would write to GLUCO_CNT to entry a selected index, then learn/show the 32-bit contents of that index. For an index just like the System Date, it appeared to deal with changing that worth right into a calendar date as properly.
This progress proved most welcome, as I now technically had all the data concerning how every index was used. Even so, I needed to go even additional. The debug menu appeared utterly intact contained in the Glucoboy’s ROM. Sadly, there did not seem like any simple technique to entry it. If I may attain the debug menu, I would have a technique to truly check and confirm these indices as soon as emulated in GBE+. It will keep away from the awkward scenario of attempting to implement one thing however having no means to make sure its correctness. Plus, as a fan of internet sites like The Cutting Room Floor, I’ve at all times needed to uncover one thing buried away in a recreation.
Though the debug menu did not look accessible underneath regular situations, there needed to be a technique to trick or pressure the ROM to begin executing its code. For this job, Ghidra offered a number of assist. Step one was to search out out if the debug menu was utterly remoted or if it was linked to different sections of code. If the previous case had been true, that meant that the debug menu had mainly been stripped from the principle program and it was simply hanging out in ROM by itself. Accessing the menu could be fairly troublesome then, as all of the variables it wanted to run must be hacked into place one way or the other. If the latter case had been true, I simply needed to discover some current codepath that ultimately executed the debug menu, and hopefully the remainder of the Glucoboy’s code would deal with any variables as anticipated.
Fortunately, the debug menu was linked to a different operate inside the Glucoboy. Higher but, this operate was linked to a different one, and one other one, and one other one. I adopted this chain till I reached an space of code that the Glucoboy ran periodically, as soon as per body. So, the debug menu was reachable underneath the fitting situations. The subsequent step was determining the way to go from the Glucoboy’s major loop all the best way all the way down to the debug menu. As soon as once more, Ghidra made this work possible, because it allowed me to leap throughout sections of code with a single click on. I had hoped that I would want solely change a single variable at startup to allow the debug menu, however I could not discover such a mechanism. As a substitute, it seemed like I needed to alter a complete of 4 variables someday after boot. So long as they held the proper values, the debug menu ought to have popped up. Under is a chart of the reminiscence places in RAM together with the anticipated 8-bit knowledge:
0x200015E = 0x09
0x200015F = 0x04
0x2000160 = 0x02
0x2000161 = 0x01
GBE+ has a built-in debugger that enables the person to arbitrarily change any worth in reminiscence. After a little bit of fidgeting with that, I managed to make some textual content seem on-screen. The remainder of the Glucoboy froze, however there it was undoubtedly displaying at the very least the primary bits of the debug menu. I attempted altering these 4 variables at completely different instances through the startup course of. In the event that they had been modified too quickly, the Glucoboy solely confirmed a black display screen. In the event that they had been modified too late, typically fragments of textual content would seem, and typically nothing in any respect would present up. In all instances, the Glucoboy appeared to come back to a halt. There was just one state of affairs the place issues truly labored: the temporary interval the place the Glucoboy accessed GLUCO_CNT to learn GRPs. Setting the 4 variables at that second lastly triggered the debug menu to disclose itself, and this time nothing froze.
As I had hoped, the menu had the strings I had positioned earlier. Maybe probably the most hanging factor concerning the debug menu was that it referred to GLUCO_CNT as one thing else, MAGIC PORT. This was almost definitely the interior identify utilized by the event group. The language is smart, in {that a} single MMIO register is mainly the place all of the “magic” occurs on the Glucoboy. Though this tidbit had no actual bearing on something technical, it did supply some beforehand misplaced perception into the Glucoboy’s historical past. Nonetheless, the true treasure trove was the debug menu itself.
Sadly, the menu was not instantly usable. It was designed to learn/write sure indices, however it acquired caught in an infinite loop when attempting to do both. As a result of I had bascially compelled the menu to look as a substitute of taking its correct codepath, some issues did not fairly act proper. The problem right here was associated to one of many GBA’s timer interrupts. After studying or writing to GLUCO_CNT, the Glucoboy was programmed to delay very briefly earlier than transferring on. This delay was measured exactly by the GBA’s {hardware} timers. Interrupts from the timer alerted the CPU when a specific amount of cycles had handed. Nonetheless, when executing my hack, all interrupts for the GBA’s timers had been disabled. When the Glucoboy ran code for the debug menu, it saved ready for an occasion that by no means got here.
Quite than allow interrupts, I truly patched the ROM to keep away from all timer-related code. Solely a dozen 16-bit THUMB directions had to get replaced. GBE+’s debugger can edit ROM values as properly, so the patch was performed in real-time. After eliminating timers from the debug menu, I gained full entry to the Glucoboy’s indices. Consequently, I quickly examined every one to determine how they labored.
Medical Mysteries
There have been a number of unknowns to analyze. I started on the prime and made my means down. First was the System Date. This index was by no means utilized by the Glucoboy in-game, however the GBA may nonetheless learn its worth. The debug menu lets customers decide a date, then it writes the equal 32-bit worth to GLUCO_CNT. By taking part in round with some dates, I used to be in a position to see the minimal/most ranges for days, months, and years, and I may see which bits of the index had been affected when altering the time. Because it seems, the Glucoboy handles minutes, hours, days, months, and years, however it doesn’t present an interface to learn seconds. That is much like the HuC-3 cartridge on the DMG/GBC. That stage of granularity simply is not helpful, I suppose.
Subsequent, I took a have a look at “{Hardware} Flags”. This index used solely a single byte’s value of information, regardless of being 32-bit in measurement. The debug menu displayed a complete of seven distinctive flags, all of which presumably held the standing of varied elements inside the Glucoboy. {Hardware} Flags introduced a few of the most fascinating and vital particulars concerning the Glucoboy, displaying a aspect of the gadget that may have in any other case gone unnoticed. Every bit represented a special standing utilizing a 0
or a 1
. The record of flags was as follows:
BIT 0 :: GMEM FAULT
BIT 1 :: PMEM FAULT
BIT 2 :: INCENTIVE
BIT 3 :: PNEW STATS
BIT 4 :: MEASUREMENT
BIT 5 :: GMETER FAULT
BIT 6 :: PMETER FAULT
Most of it seems to be fairly obscure till one considers what kind of duties a glucose meter wants so as to do its job. GMEM FAULT and PMEM FAULT appeared to be flags about some type of reminiscence error. In response to revealed articles when the Glucoboy was launched, the cartridge was in a position to save someplace between 400 to 500 blood testing outcomes (the precise quantity varies based mostly on the supply). It is smart that the Glucoboy would have the power to examine on it, because it looks like a reasonably large error. However what do the “G” and “P” stand for? Almost certainly, they consult with reminiscence used to save lots of common glucose and postprandial glucose outcomes. The latter are glucose outcomes taken after a meal.
The INCENTIVE flag appeared to reference the Glucoboy’s proprietary technique of figuring out the way to greatest reward and encourage gamers to reside as healthily as doable and hold their glucose ranges in examine. Paul Wessel did a number of work tuning the Glucoboy’s algorithms for handing out GRPs. Whereas that precise formulation just isn’t discovered wherever within the ROM, so far as I may inform, this flag appeared to point whether or not or not the participant was fulfilling the Glucoboy’s expectations. This flag would in all probability have modified relying on when gamers examined themselves.
PNEW STATS conceivably marked any time new postpandrial check outcomes had occurred, thereby signaling to the Glucoboy to replace any statistics regarding the person’s efficiency by way of wholesome glucose ranges. Mainly, this flag in all probability informed the Glucoboy to examine to verify the person was on observe when new knowledge was accessible. MEASUREMENT appeared way more simple; it merely informed the Glucoboy whether or not or not a brand new measurement for blood glucose had been made, or one thing to that impact. GMETER FAULT and PMETER FAULT indicated whether or not or not there was some type of error with the precise testing meters.
Apparently sufficient, though a lot of the System Flags concerned critical {hardware} failures, the Glucoboy fortunately ignores them. Whether or not or not these flags are set, the Glucoboy goes in-game with out a lot as a warning to the person. As I discussed earlier, the System Flags are solely used within the debug menu. Whereas a few of the flags are under no circumstances related for gamers to know, it looks like an oversight to not inform them about points which may make the Glucoboy unusable. In any case, a lot of the interpretations of the System Flags are at greatest an informed guess. Regardless of being susceptible to diabetes myself resulting from heredity, I am not precisely knowledgable concerning the illness and positively not an skilled on glucose meters. I could possibly be utterly off-target, however at the very least we have now some new clues about what is going on on contained in the Glucoboy.
As soon as completed with the System Flags, I turned to the “Serial Quantity” index. This seemed simple sufficient to understand. Each Glucoboy could have had its personal identifiable serial quantity. It is onerous to say precisely what the serial quantity seemed like or the way it was made. Maybe it labored just like the Recreation Boy Digital camera, which had 8-digit IDs randomly generated and saved to SRAM. Maybe it was one way or the other hardcoded right into a small element, much like the 128-bit IDs utilized in SmartMedia playing cards. With out figuring out extra about how the Glucoboy was made, I can not present a definitive reply. Given the debug menu’s potential to jot down a brand new serial quantity, I would say it is in all probability nearer to the primary state of affairs. What I did discover out, nonetheless, was that the serial quantity was written in Base 10 as a substitute of hexadecimal and had a spread of 00000000
by means of 99999999
. Apparently sufficient, the Glucoboy the VGHF obtained was an analysis unit, and on the again it has a serial quantity that is additionally 8-digits lengthy.
“LD Threshold” was more difficult to parse. Just like the Serial Quantity, this index labored on Base 10 numbers and had the identical minimal/most vary for values. Its function was puzzling. As greatest as I may inform, one doable studying was “Low-Knowledge Threshold”, a quantity that represents the smallest quantity of information that is helpful for a given device/system/course of. It is like a cutoff worth at which level the information is simply too small to be useful and signifies it ought to in all probability be ignored. That is used continuously in areas like sampling. Now, the Glucoboy may get correct check outcomes from a surprisingly low quantity of blood, however even it had limits. It stands to purpose that LD Threshold was that type of worth.
Lastly, there was “Recreation Stats”, which clearly stood for… Recreation Statistics. However what did that basically imply? When accessing the Glucoboy’s debug menu, choosing Recreation Stats introduced up a listing with numerous values displayed. Not like the opposite indices within the debug menu, Recreation Stats may solely be learn, not written. Listed here are the gadgets it displayed:
VCSECS
VCHIGH
KDSECS
KDHIGH
SWSECS
SWHIGH
PLSECS
PLHIGH
RRSECS
RRHIGH
As soon as once more, it is all very obscure at first look. Nonetheless, taking a second to actually have a look at the record, break it down, and suppose a bit of about it actually makes issues clearer. Contemplate that the primary two characters of every string within the record is a reference to the Glucoboy’s video games. “KD” refers to Okaynock’em Downs, “RR” refers to Raccoon Rancher, “PL” refers to Plexus, and “SW” refers to Solar Wing. The one odd one is “VC” which appears to don’t have any relation to Misplaced Star Saga. My wager is that VC is perhaps the initials of the sport’s earlier working title that acquired modified sooner or later in improvement, or maybe it was an inside codename.
At any charge, the values appear fairly self-explanatory. Every recreation has a excessive rating and tracks the play time in seconds. This is identical index that I noticed being written 10 instances when the Glucoboy booted. Unsurprisingly, there are 10 items of information the index can retrieve. As greatest as I may inform, the sport information this info as a part of a save knowledge file, saved on the cartridge’s EEPROM. It is up to date because the participant progresses by means of their video games. When turning on the Glucoboy, it grabs knowledge from EEPROM and sends it again to the Glucoboy. Basically, a replica of the latest Recreation Stats is transferred to the Glucoboy each time it begins up. Precisely why the Glucoboy wants Recreation Stats in any respect is not sure. It may have very properly been used as enter knowledge for the Glucoboy when calculating what number of GRPs to rewards gamers.
Every entry in Recreation Stats was simply an unsigned 32-bit quantity. For no matter purpose, when writing to this index, a particular 16-bit quantity must be despatched first earlier than 32-bit contents. There is not any proof of what that 16-bit quantity does, however it was a relentless worth of 0x3000
. Maybe a special quantity would have an effect on another operation? Moreover, it appeared that studying and writing had been performed sequentially. That’s to say, to alter the worth of RRSECS
, the opposite earlier 8 entries needed to be written first. Unusually, the debug menu not solely would not write to Recreation Stats, it simply reads the present values from EEPROM.
That just about covers every little thing I managed to study from the debug menu. The final helpful info I gleaned was that technically studying knowledge used one set of indices, whereas writing used a totally completely different. For instance, when the Glucoboy needed to learn the System Date, it used the 8-bit index 0x20
. When the Glucoboy needed to jot down the System Date, it might use the index 0x60
as a substitute. All in all, the debug menu offered a glimpse into the Glucoboy that nobody (except for the unique builders) beforehand had earlier than. Thanks to some bytes of code and a pile of strings, we had been in a position to unmask a lot of its innermost secrets and techniques.
Highway to Restoration
General, I discovered my time with the Glucoboy each thrilling and satisfying. Regardless that it was simple to emulate at first, I used to be truly fairly blissful to search out on the market was extra to the gadget. With its debug menu, I used to be in a position to emulate elements of the Glucoboy few had ever recognized about. GBE+, for instance, makes use of the host PC’s clock when studying the System Date. These do not have an effect on the precise gaming aspect of the Glucoboy, however it’s very good for the sake of completeness. I used to be additionally thrilled that lastly, after many, many lengthy years, the Glucoboy had been digitally preserved. It at all times appeared like such a monumental job, given how scarce the {hardware} was. Now, nonetheless, the job is completed.
The Glucoboy was a really intriguing chapter for Nintendo. It formally marked the final time any Recreation Boy acquired specialty {hardware} licensed or authorised by the corporate. No extra loopy cartridges, no extra freaky peripherals, and no extra unique equipment. By late 2007, the DS was dominating the cell online game market. Builders had been turning their consideration to this platform, and in doing in order that they started making model new merchandise. Pianos, guitars, wi-fi keyboards, pedometers, movement controls, video cameras, TV tuners, rumble paks, card scanners, and way more. Whereas the Glucoboy was the top of the Recreation Boy’s spectacular 18 years of innovation, that very same spirit persevered, extending into the subsequent era of handhelds. What began in 1989 with the unique DMG-01 and its humble Hyperlink Cable continued properly into 2010 and past.
So far as I am involved, that is case-closed for the Glucoboy. Possibly in the future we’ll be capable of emulate your entire gadget on a low-level and require precise blood samples from the person! For now, I feel it is properly sufficient to generate the GRPs through high-level emulation. We additionally got here away with some fairly stable {hardware} documentation, which is at all times nice. One other foe from the Triforce of Terror has fallen. The Play-Yan is usually a performed deal, with solely audio/video output wanted. Its cousin, the Nintendo MP3 Participant, is slowly however absolutely cracking as properly. The Glucoboy, presumably probably the most evasive of the trio, has been vanquished. Just one villain but stays undispatched: the conniving Campho Advance. With a seemingly undumpable ROM, a particularly uncommon cartridge, and a posh structure able to video transmissions over landlines, the Campho Advance poses some of the difficult obstacles to totally preserving your entire Recreation Boy Advance library. Will the heroes succeed of their mission, or will the Campho Advance show an excessive amount of for them? Discover out within the subsequent episode of Fringe of Emulation!