GoldenEye Spectrum Emulation Unlocked

[spoondiddly]

GoldenEye Spectrum Emulation Unlocked

Little benownst to the world all this time, GoldenEye (N64) has a fully-functional ZX Spectrum 48x emulator built into it. By feeding it a proper Spectrum monitor program and calling menu 25 to load a snapshot, any Spectrum 48x program can be run.

The emulator started life as a side project to see if Spectrum emulation was possible on N64 and was hooked into GE, the current game in development. It was supposed to be removed before release but was only made inaccessible and inoperable. All the registers, dependancies, and script required to run the emulator still reside in retail GoldenEye carts.

The original list of games were previous Rare titles, then known as Ultimate Play the Game. The embedded filelist is, in order:

Code:

em/data/sabre.seg.rz		Sabre Wulf
em/data/atic.seg.rz		Atic Atac
em/data/jetpac.seg.rz	Jetpac
em/data/jetman.seg.rz	Lunar Jetman
em/data/alien8.seg.rz	Alien 8
em/data/gunfright.seg.rz	Gun Fright
em/data/under.seg.rz		Underwurlde
em/data/knightlore.seg.rz	Knight Lore
em/data/pssst.seg.rz		Pssst
em/data/cookie.seg.rz	Cookie
em/data/spec_rom.seg.rz	Spectrum 16k monitor program

In actual fact, the emulator was supposed to run without the aid of the monitor program. Critical subroutines were copied out or hardcoded. In its current state, however, the monitor is required.

Originally, the emulator was run much the same way that stages are run. Unlike stages which run by switching to menu 11, the emulator runs by switching to menu 25. When initialized, it reads what buttons are held on controller 3. Depending on the button held is which game would be loaded. From there, the monitor program and selected snapshot file are loaded from ROM, and if necessary these files are decompressed.
Only controller 1 is detected. This is mapped as a Kempston joystick on port 31. Necessary buttons to start each game (usually keyboard '0') and any additional keys to play the game are mapped to the keyboard port 254 halfwords. These are set on a per-game basis, but general controls are A/B to start a game, Z for the 'action' button, and L to unload the emulator and return to gameplay.
Each emulation cycle lasts 69888 Spectrum cycles. Each opcode consumes a certain amount of this cycle count. At the end, the screen is drawn to the Spectrum screen buffer, and this is displayed like an image using usual N64 microcode. Emulation continues as long as menu 25 is called.

+_+

Why a Patch Is Required

In its pre-patched state the emulator has some peculiar issues, probably due to the different versions of included files used to compile the retail game.
For instance, the ten games listed above were not all selectable. The initializer only has button masks for eight games, defaulting to SabreWulf. The snapshot loader restricts this list to only the first five. The controller mapping function, however, redirects buttons for all ten titles.

Interestingly, the ROM file table leaves only ten spaces for the ten different snapshot files blank. These are completely blank, without any data or indicies until the final file placeholder. As previously mentioned, the monitor was not supposed to be included but is requested by the snapshot loader. Otherwise, the list would require eleven spaces.

The 'unloader' does not, in fact, work properly. It copies NULLs over the program manager. This, obviously, will cause any number of fatal errors to the current game and make it impossible to return to normal gameplay. Also, there is no capacity to reset the screen registers to default.

+_+

The Patch

The patch will reactivate full emulation support in GoldenEye.
The patch should be applied only to an uneditted, unbyteswapped (big-endian) North American GoldenEye ROM (NGEE). The GoldenEye Setup Editor can apply and byteswap the ROM for you, as well as recalculate the checksum. (Yes, that was a shameless plug.) It should run properly on hardware. Probably ;*)

You can download the patch via mediafire:
http://www.mediafire.com/download.php?6bnashajw41n5p5

Don't pirate ROMs! In most countries you can legally make a backup copy of a cartridge and apply the patch to that. No direct links to ROMs of any kind, patched or otherwise. Respect the Fuzz!

Emulation can be triggered from the folder select screen after the Eye and title screens by pressing L+R on controller 3. To access each game, hold the button noted below on controller 3 as you press L+R. If no buttons are held or an invalid combination is used it will default to Cookie. For best results, hold the button for the game you want as you press L+R.

Code:

c left		Sabre Wulf
c right	Atic Atac
c up		Jetpac
c down		Luna Jetman
+ left		Alien 8
+ right	Gun Fright
+ up		Underwurlde
+ down		Knight Lore
A button	Pssst
(default)	Cookie

To end emulation at any time, simply press L on controller 1. It should return you to the folder select screen and allow you to continue to play normally. This also conveniently allows you to select another Spectrum game if you wish.

Here's a link to a video of the thing in action. Please keep in mind Nemu's running with some pretty shotty plugins to get the recording rate fairly high.
http://www.youtube.com/watch?v=ONJtqf2lIIM

+_+

For those interested in how much code the patch affected, here's a brief summary.

1. To hook the emulator in, eight lines were added into menu 5's interface to test for controller three. Room was allocated by condensing the usual control stick tests.
2. A 2-byte fix was used to allow access to ROM filelist entry 0x2DF. This bug was only present in NGEE and corrected in later versions.
3. ROM filelist entries were added for each snapshot and the program monitor. Since the monitor is necessary in this iteration of the emulator but is commandeering a snapshot entry, the unused text file LwaxJ has been overwritten with cookie.seg.rz. All other entries fill blank, unused placeholders.
4. As previously mentioned, the file loader was limitted to the first five titles. This test was changed into a simple invalidity test. Changes were made in-place (crudely) and affect a total of five lines.
5. Menu 25's initializer, used to determine which of the games should be loaded by testing the held buttons on controller 3, has been completely rewritten. Games are no longer had-coded to masks but use a table. A final NULL entry indicates the end of the list and simultaneously the index of the default snapshot. The masks used are identical to those used by Rare, with the exception of the default entry being overridden with the unregistered game Cookie. One line was also added to stop the main menu music.
6. Within the controller mappings, L's assigned function no longer nullifies the program manager. It now calls the title object, returning to the previously-loaded menu 05 (folder select). This consists of four lines, replacing a loop and shortening the code generally.
7. Although unneccessary, the Start button was mapped to mirror the A/B start game option for all titles.

Everything else is untouched, including all aspects of actual emulation. You are playing Rare's actual embedded Spectrum emulator and nothing else.

+_+

As always, disassemblies and disertations are always available. Comments, queries, and quirks can be reported either by email or at the Shooters Forever forums: http://www.shootersforever.com/forums_message_boards

-Zoinkity

[Nayib]

This is brilliant.

/me applauds.

[hcs]

That's fantastic, thanks for uncovering this!

[Whyme123]

Amazing.. Still finding new stuff...

[Shimrod]

Awesome!!
Biggest thing since the discovery of Stop 'n Swop in Rare land!
Thanks for sharing. It works like a charm and now I can re-play Sabrewulf without crappy keyboard controls

I just have one (small) problem: no sound in the emulation. Just me? No biggie though, the sound was just beeps and peeps anyway. I wonder if they later made use of this for Jetpak in DK64?

[spoondiddly]

Sub and I tried to find any kind of emulation code in DK64 but it was a no-go. The big search was for a slice of bytecode used as the in-game controller routine within the game. It tested positive in both the snapshot and tape, so if they used the original game it should have turned positive.

We're guessing the game itself was compiled and dropped in. Makes sense though, with only one title full emulation would be a bit impractical. Granted, you could severely shorten-up GE's emu code (eats 0x10468 bytes before dependancies)

Emu doesn't have sound. To be perfectly honest, I'm not certain if the games originally had sound.
Emulation credit goes to Steve Ellis. Kudos!

[Zeek]

Saw this over on ASSEMbler.

If this isn't some April Fools, then, fantastic work!

[spoondiddly]

Yes! None can decide if this is an amazing piece of fraudulent code or an amazing piece of disassembly work. My work is complete!

[Nayib]

Considering I applied the patch and tried it myself... This isn't a prank.

Unless I'm stupid and am not understanding the joke.

[spoondiddly]

Steve Ellis, who originally created the emulator, sent an email to clarify how the original Spectrum ROM was set up. Since it wasn't included and the copyright was lifted by Amstrad I've included the complete one with the patch.
Here's the letter though, and be certain to check out Crash Lab. Really!

Quote:

Originally Posted by Steve Ellis

Hi,


I see various posts about this on the web now. I thought I'd clarify the point about spec_rom.seg.rz - the contents of this file fill the bottom 16kb of the Spectrum's memory. On the original Spectrum, the bottom 16kb would have included the whole operating system (the BASIC programming language, functions for loading from and saving to cassettes, etc.). Since the ROM is copyrighted we weren't able to use it. However, some of the games that we were emulating wanted to call one or two Spectrum ROM functions. The solution to this was to create an empty ROM (99.9% filled with NOP's), but with newly-created (copyright-free) replacements for the few short functions that the games needed to call. The games should run with this minimal replacement ROM.


BTW, if you'd like to send any people in the direction of @CrashLab or facebook.com/CrashLab, I'd be grateful. We're going to release something later this year that hopefully should appeal to fans of "old-school" games.


Regards

--
Steve Ellis
Crash Lab


www.crashlab.co.uk
www.facebook.com/CrashLab
www.twitter.com/CrashLab

[Shimrod]

Thanks for sharing this Spoondiddly!
Crash Lab - another ex-Rare games company to keep an eye on, I guess

[spoondiddly]

Here's confirmation that DK64 isn't running Jetpac under emulation.

Grabbed a copy of ram via GameShark from the North American DK64 retail release. That's NDOE internally. Jetpac was run from the Bonus menu, and the ram dump was taken in-game.
Firstly, there isn't Spectrum code or any semblance of a Speccy ROM. Even string conventions are wrong. In the Speccy:

Code:

JETPAC GAME SELECTIOÎ1   1 PLAYER GAMÅ2   2 PLAYER GAMÅ3   KEYBOARÄ4   KEMPSTON JOYSTICË5   START GAMÅ

Note the 0x80 END marker on each string. This is the comparable block within DK at 8002E9D0:

Code:

1UP.%d!.2UP.HI..%06d....%06d....%06d....JETPAC GAME SELECTION...1@@@1@PLAYER@GAME...2@@@2@PLAYER@GAME...3@@@KEYBOARD....4@@@KEMPSTON@JOYSTICK...5   START GAME..%c1983 A.C.G. ALL RIGHTS RESERVED...RETURN..DELETE@HISCORE..EXIT@@JETPAC....RAREWARE COIN COLLECTED.GAME OVER PLAYER %d

The @ symbols really are @ symbols, by the way. This is used exclusively in ASM for normal string display.

NDOE @ 80024478:

Code:

//80024478:
3C058003	LUI	A1,8003
AFA20010	SW	V0,0010 (SP)
00601025	OR	V0,V1,R0
24A5E9D0	ADDIU	A1,A1,E9D0	;A1=8002E9D0: b"1UP"
02C02025	OR	A0,S6,R0
24060038	ADDIU	A2,R0,0038
24070018	ADDIU	A3,R0,0018
AFA30050	SW	V1,0050 (SP)
0C00ABBF	JAL	80002AEF	;print string A1 at (A2,A3) in DL A0
AFA3004C	SW	V1,004C (SP)
//800244A0:
3C118003	LUI	S1,8003
3C138003	LUI	S3,8003
2631EC4C	ADDIU	S1,S1,EC4C	;S1=8002EC4C: scores, high, 2pl, 1pl or something like that
2673E9D4	ADDIU	S3,S3,E9D4	;S3=8002E9D4: b"%d!"
00008025	OR	S0,R0,R0
27B50060	ADDIU	S5,SP,0060
24140002	ADDIU	S4,R0,0002
8E260008	LW	A2,S1,0008	;A2=1UP score
02A02025	OR	A0,S5,R0
02602825	OR	A1,S3,R0
etc.

Point here being that the scores and menus are all printed via N64 ASM and not under Spectrum emulation. For that matter, at no point will the input read routine from Jetpac be found.
In the Spectrum version you'd have this:

Code:

@6204
3A.F35C	LD A,(0x5CF3)
57	LD D,A
3E.F7	LD A,0xF7
D3.FD	OUT 0xFD,A
DB.FE	IN A,(0xFE)
2F	CPL
CB47	BIT 0,A
28.02	JR Z,+2
CB82	RES 0,D

Simple. Reads input and tests masks for pressed number keys, changing entries accordingly. At no point is this present in a DK64 snapshot.

No emulation. They recompiled it as N64 code, for good reason. No reason for a whole emulator when you only need to run one game.

[BanjoPL]

AF 2012...

[Zeek]

You've been Kotaku'd.

[qwertykins76]

There are hundreds (more or less) of people viewing this thread, and our "most users ever online" record has been broken. Umm... Hi!