Before home internet access was widespread, the Super Nintendo (SNES) had an online gaming community via the XBAND Video Game Modem. The author's goal was complete emulation support for XBAND.
The XBAND network was designed to send controller inputs between two connected clients over the modem link. The XBAND OS patched the game's ROM in memory, adding its own instructions to inject the remote player's controller inputs. The engineers who built these per-game implants had to reverse engineer each game in order to write its custom patch, which is pretty neat.
To emulate this accurately, the first hurdle is getting the XBAND OS to boot, which required setting up the memory mappings correctly. The Rockwell modem, which carries the packets over the phone line, is driven through memory-mapped I/O (MMIO), so its register reads and writes also had to be implemented faithfully. Working from the chip's specifications and old documentation, the author got this working in a few months.
The XBAND network protocol was built on the AppleTalk Data Stream Protocol (ADSP), chosen because it provides basic reliable sessions between two hosts. The XBAND received these packets through the modem, which de-framed them and pushed the data up to the XBAND OS. To exercise this path, the author built a way to inject arbitrary ADSP packets into the emulated network layer.
The XBAND network has two kinds of messages: ServerTalk, for server-to-client communication, and GameTalk, for client-to-client communication. For ServerTalk packets the XBAND OS uses a message-dispatch pattern: each message ID maps to an OS function that implements one piece of functionality.
While reverse engineering the dispatch codes, the author found one called msExecuteCode. What does it do? It runs arbitrary code delivered over the modem! To confirm this, the author used the packet-injection feature to send a packet with that message ID and verified that execution reached the corresponding handler in the game.
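The pipeline described above, from modem MMIO through de-framing to a message-ID dispatch table in which one handler treats its payload as code, as an added example in Python. This is not code from the post, the emulator, or the XBAND OS: the register map, the frame format (the real traffic is ADSP), the checksum, and every message ID except the name msExecuteCode are assumptions made for this example. The harness at the end does what the author's packet-injection feature makes possible: it pushes a marker payload under every message ID and reports which handlers treat the payload as code.

```python
import struct

# Assumed modem register map for this example (not the real Rockwell layout).
REG_STATUS = 0x00   # read: bit 0 set when an RX byte is waiting
REG_DATA = 0x01     # read: pops one byte from the RX FIFO
REG_CTRL = 0x02     # write: bit 0 resets the RX FIFO


class Modem:
    """MMIO-attached modem. The emulator must service these reads and
    writes for the XBAND OS to boot and to pull data off the line."""

    def __init__(self):
        self.rx = bytearray()   # bytes received from the phone line
        self.writes = []        # log of (reg, value) for inspection

    def push_line_bytes(self, data: bytes) -> None:
        """Bytes arriving from the line; this is the injection point."""
        self.rx += data

    def read(self, reg: int) -> int:
        if reg == REG_STATUS:
            return 0x01 if self.rx else 0x00
        if reg == REG_DATA:
            return self.rx.pop(0) if self.rx else 0x00
        return 0x00

    def write(self, reg: int, value: int) -> None:
        self.writes.append((reg, value & 0xFF))
        if reg == REG_CTRL and value & 0x01:
            self.rx.clear()


# Assumed ServerTalk frame: u8 msg_id | u16 LE length | payload | u8 xor checksum.
def xor_checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def build_frame(msg_id: int, payload: bytes) -> bytes:
    body = struct.pack("<BH", msg_id, len(payload)) + payload
    return body + bytes([xor_checksum(body)])


def read_frame(modem: Modem):
    """De-frame one message the way the OS would: poll status, pull bytes.
    Returns (msg_id, payload), or None on a short or corrupt frame."""
    def next_byte():
        if not modem.read(REG_STATUS):
            raise EOFError
        return modem.read(REG_DATA)
    try:
        hdr = bytes(next_byte() for _ in range(3))
        msg_id, length = struct.unpack("<BH", hdr)
        payload = bytes(next_byte() for _ in range(length))
        chk = next_byte()
    except EOFError:
        return None
    if chk != xor_checksum(hdr + payload):
        return None
    return msg_id, payload


# Assumed message IDs; only the handler name msExecuteCode comes from the post.
MS_PING = 0x01
MS_SET_NAME = 0x02
MS_EXECUTE_CODE = 0x10


class XbandOS:
    """Tiny stand-in for the OS dispatch loop over ServerTalk messages."""

    def __init__(self, modem: Modem):
        self.modem = modem
        self.name = ""
        self.executed = []   # payloads that reached the code-execution sink
        self.dispatch = {
            MS_PING: self.ms_ping,
            MS_SET_NAME: self.ms_set_name,
            MS_EXECUTE_CODE: self.ms_execute_code,
        }

    def ms_ping(self, payload: bytes) -> str:
        return "pong"

    def ms_set_name(self, payload: bytes) -> str:
        self.name = payload[:8].decode("ascii", "replace")
        return "name set"

    def ms_execute_code(self, payload: bytes) -> str:
        # Sink: the real OS would jump into this payload on the 65816.
        # Recording it is enough to prove the handler is reachable from the line.
        self.executed.append(payload)
        return "executed %d bytes" % len(payload)

    def pump(self) -> list:
        """Process every complete frame currently in the modem FIFO."""
        results = []
        while self.modem.read(REG_STATUS):
            frame = read_frame(self.modem)
            if frame is None:
                break
            msg_id, payload = frame
            handler = self.dispatch.get(msg_id)
            results.append(handler(payload) if handler else "unknown id 0x%02x" % msg_id)
        return results


def inject(os_: XbandOS, msg_id: int, payload: bytes) -> list:
    """Packet injection: put a crafted frame on the line and run the OS."""
    os_.modem.push_line_bytes(build_frame(msg_id, payload))
    return os_.pump()


def find_code_exec_sinks() -> list:
    """Send a marker payload under every message ID on a fresh OS and report
    the IDs whose handler treats the payload as code."""
    marker = b"\xea" * 4   # $EA is NOP on the 65816
    sinks = []
    for msg_id in range(256):
        os_ = XbandOS(Modem())
        inject(os_, msg_id, marker)
        if marker in os_.executed:
            sinks.append(msg_id)
    return sinks


if __name__ == "__main__":
    print(inject(XbandOS(Modem()), MS_PING, b""))
    print("code-execution sinks:", [hex(i) for i in find_code_exec_sinks()])
```

The same loop is the natural shape for a fuzzing pass over the real dispatch table once packet injection exists: one fresh machine state per message ID, a recognisable payload, and a check for where that payload ends up.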
From there, the author wrote a short, self-contained assembly snippet that resets the important registers to a known state and turns the screen green. The author even got it to run on real hardware by standing up the modem link and the SNES game locally.
The author went on to find a few other bugs. One allowed an out-of-bounds rewrite of char 244, and another was an unbounded write to SRAM for X-mail messages. Overall, this was an awesome post on emulation, 90s games and hacking. Thanks for writing this!