Results 1 to 18 of 18

Thread: GoldenEye (N64) Spectrum Emulation Unlocked

  1. #1
    Foot Soldier
    Zoinkity's Avatar

    Join Date
    Feb 2012
    Posts
    286

    Logo Nintendo66 GoldenEye (N64) Spectrum Emulation Unlocked

    GoldenEye Spectrum Emulation Unlocked

    Little benownst to the world all this time, GoldenEye (N64) has a fully-functional ZX Spectrum 48x emulator built into it. By feeding it a proper Spectrum monitor program and calling menu 25 to load a snapshot, any Spectrum 48x program can be run.

    The emulator started life as a side project to see if Spectrum emulation was possible on N64 and was hooked into GE, the current game in development. It was supposed to be removed before release but was only made inaccessible and inoperable. All the registers, dependancies, and script required to run the emulator still reside in retail GoldenEye carts.

    The original list of games were previous Rare titles, then known as Ultimate Play the Game. The embedded filelist is, in order:
    em/data/sabre.seg.rz Sabre Wulf
    em/data/atic.seg.rz Atic Atac
    em/data/jetpac.seg.rz Jetpac
    em/data/jetman.seg.rz Lunar Jetman
    em/data/alien8.seg.rz Alien 8
    em/data/gunfright.seg.rz Gun Fright
    em/data/under.seg.rz Underwurlde
    em/data/knightlore.seg.rz Knight Lore
    em/data/pssst.seg.rz Pssst
    em/data/cookie.seg.rz Cookie
    em/data/spec_rom.seg.rz Spectrum 16k monitor program
    In actual fact, the emulator was supposed to run without the aid of the monitor program. Critical subroutines were copied out or hardcoded. In its current state, however, the monitor is required.

    Originally, the emulator was run much the same way that stages are run. Unlike stages which run by switching to menu 11, the emulator runs by switching to menu 25. When initialized, it reads what buttons are held on controller 3. Depending on the button held is which game would be loaded. From there, the monitor program and selected snapshot file are loaded from ROM, and if necessary these files are decompressed.
    Only controller 1 is detected. This is mapped as a Kempston joystick on port 31. Necessary buttons to start each game (usually keyboard '0') and any additional keys to play the game are mapped to the keyboard port 254 halfwords. These are set on a per-game basis, but general controls are A/B to start a game, Z for the 'action' button, and L to unload the emulator and return to gameplay.
    Each emulation cycle lasts 69888 Spectrum cycles. Each opcode consumes a certain amount of this cycle count. At the end, the screen is drawn to the Spectrum screen buffer, and this is displayed like an image using usual N64 microcode. Emulation continues as long as menu 25 is called.

    +_+

    Why a Patch Is Required

    In its pre-patched state the emulator has some peculiar issues, probably due to the different versions of included files used to compile the retail game.
    For instance, the ten games listed above were not all selectable. The initializer only has button masks for eight games, defaulting to SabreWulf. The snapshot loader restricts this list to only the first five. The controller mapping function, however, redirects buttons for all ten titles.

    Interestingly, the ROM file table leaves only ten spaces for the ten different snapshot files blank. These are completely blank, without any data or indicies until the final file placeholder. As previously mentioned, the monitor was not supposed to be included but is requested by the snapshot loader. Otherwise, the list would require eleven spaces.

    The 'unloader' does not, in fact, work properly. It copies NULLs over the program manager. This, obviously, will cause any number of fatal errors to the current game and make it impossible to return to normal gameplay. Also, there is no capacity to reset the screen registers to default.

    +_+

    The Patch

    The patch will reactivate full emulation support in GoldenEye.
    The patch should be applied only to an uneditted, unbyteswapped (big-endian) North American GoldenEye ROM (NGEE). The GoldenEye Setup Editor can apply and byteswap the ROM for you, as well as recalculate the checksum. (Yes, that was a shameless plug.) It should run properly on hardware. Probably ;*)

    You can download the patch via mediafire:
    http://www.mediafire.com/download.php?6bnashajw41n5p5

    Don't pirate ROMs! In most countries you can legally make a backup copy of a cartridge and apply the patch to that. No direct links to ROMs of any kind, patched or otherwise. Respect the Fuzz!

    Emulation can be triggered from the folder select screen after the Eye and title screens by pressing L+R on controller 3. To access each game, hold the button noted below on controller 3 as you press L+R. If no buttons are held or an invalid combination is used it will default to Cookie. For best results, hold the button for the game you want as you press L+R.
    c left Sabre Wulf
    c right Atic Atac
    c up Jetpac
    c down Luna Jetman
    + left Alien 8
    + right Gun Fright
    + up Underwurlde
    + down Knight Lore
    A button Pssst
    (default) Cookie

    To end emulation at any time, simply press L on controller 1. It should return you to the folder select screen and allow you to continue to play normally. This also conveniently allows you to select another Spectrum game if you wish.
    Here's a link to a video of the thing in action. Please keep in mind Nemu's running with some pretty shotty plugins to get the recording rate fairly high.
    http://www.youtube.com/watch?v=ONJtqf2lIIM


    Briefly, here's the basics to playing each game.

    Sabre Wulf L+R, c left
    Cut a swath through the jungle collecting loot in search of a legendary treasure.
    The game's title screen will clear automatically after a couple seconds.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons
    • Sabre: Z button

    Atic Atac
    L+R, c right
    Seek out the golden key and escape the castle!
    Collect food to regain health. Keys and other items can be collected with A/B and while carried offer some bonus effect. Keys matching the color of barred doors let you walk through them, items like the whiskey bottle let you walk through certain features like kegs, bookcases, clocks, skeletons, etc., and other items allow you to kill or scare certain kinds of enemies.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons
    • Attack: Z button
    • Collect: A or B button
    • Character Select on Main Menu:
      • + left Knight: passes through clocks
      • + down Wizard: passes through bookcases
      • + right Serf: has momentum and passes through kegs

    Jetpac
    L+R, c up
    Rebuild your rocket and refuel it while pillaging each planet. Touch each rocket segment or block of fuel to carry it back to the rocket. When the rocket is entirely purple touch it to take off to the next planet.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons; fly by pressing up, A, or B
    • Fire: Z button

    Lunar Jetman
    L+R, c down
    Drop the bomb on the alien bases before they launch their missiles to destroy your rover.
    Press B when in the middle of the rover to enter it. Inside the rover you are immune to the aliens outside. Press B again to exit. You can move the rover with left and right but can not move over craters in the ground. B also uses the teleporter.
    You fly by pressing up or automatically if you walk over a crater in the ground. This consumes fuel in the meter at the top of the screen. To refuel, stand in the middle of your rover.
    Pick up an item by moving over it and pressing A. You drop the item by pressing A again. You can also drop an item on the flat part of your rover to drive it to a location. Teleporting while holding an item also transports the item.
    You can repair craters. Stand in the middle of the rover and pressing A to pick up a piece of bridging. Drop the bridging while hovering over the crater by pressing A again. There is an infinite supply of bridges.
    To destroy an alien base carry a bomb and drop it from above onto the main building. Dropping a bomb anywhere else simply leaves a crater. Bombs always appear next to the rover and there is an infinite supply of them.
    When time is out the aliens fire two missiles, one of which is a dummy. The other will bee-line for the rover and destroy it. If it does the game is over. You can destroy the missile by firing at it or colliding with it. The time bar is at the top of the screen.
    In the upper left of the screen is an indicator for what direction your rover is in. The upper right indicates what direction the alien base will be.
    Press start to advance past the title screen.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons; fly by pressing up
    • Fire: Z button
    • Collect: A button
    • Enter/Exit: B button

    Alien 8
    L+R, + left
    Find and collect the power cores and return them to the cryo units to revive the crew.
    Start Game: Start, A, or B buttons
    • Controls
    • Forward: up on control stick, + pad, c buttons
    • Turn: left/right on control stick, + pad, c buttons
    • Collect: A or B button
    • Jump: Z button

    Gun Fright
    L+R, + right
    Track down each varmit and plug 'em full of lead to collect the bounty on their head.
    In the bonus and gunfight modes move the crosshairs and press Z to fire at the bags of money or the criminal.
    In town, avoid touching any of the townsfolk. Some of the townsfolk will be hopping up and down pointing in the general direction of the criminal. When you see a criminal, fire your gun with Z to start a gunfight with them.
    • Controls
    • Movement: control stick, + pad, c buttons
    • Fire: Z button

    Underwurlde
    L+R, + up
    Defeat the dark lord within the depths of the Underwurlde.
    Enemies do not kill you in Underwurlde. You only die if you fall too far to the ground. Collecting gems temporarily makes you blue and immune to death.
    You will not be able to attack enemies until you have collected a weapon. You should start with one just to your left. Move over it and press B to collect it. You may carry up to three items.
    Guardians are stationary monsters that can only be defeated using a particular item.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons
    • Jump: up on control stick, + pad, c buttons or press the A button
    • Collect: B button
    • Fire: Z button

    Knight Lore
    L+R, + down
    Feed the charms hidden within the castle to the cauldron to produce a potion to cure your lycanthropy.
    The day/night counter in the lower right indicates how long it will be before you transform. When you transform you'll be immobile and vulnerable for a few seconds. You should only enter the cauldron room as a human, but otherwise there is no actual difference between the human and wolf.
    • Controls
    • Start Game: Start, A, or B buttons
    • Forward: up on control stick, + pad, c buttons
    • Turn: left/right on control stick, + pad, c buttons
    • Collect: A or B button
    • Jump: Z button

    Pssst
    L+R, A
    Spray the blasted pests before they eat your prized Thyrgodian Megga Chrisanthodil.
    Each type of spray kills a different kind of pest. If you use the wrong one the pest stops for a second and then continues. If two or more pests latch onto the flower it will begin to wit and die.
    To grab an item or spraycan press against it. To drop off an item, press it into one of the nooks on the side of the screen.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons
    • Fire: Z button

    Cookie
    L+R
    Whap the ingredients into the pot with a well-timed blast of flour. Smack everything else into the wastebaskets.
    The flour will fire in the last direction you pressed.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons
    • Fire: Z button
    +_+

    For those interested in how much code the patch affected, here's a brief summary.
    1. To hook the emulator in, eight lines were added into menu 5's interface to test for controller three. Room was allocated by condensing the usual control stick tests.
    2. A 2-byte fix was used to allow access to ROM filelist entry 0x2DF. This bug was only present in NGEE and corrected in later versions.
    3. ROM filelist entries were added for each snapshot and the program monitor. Since the monitor is necessary in this iteration of the emulator but is commandeering a snapshot entry, the unused text file LwaxJ has been overwritten with cookie.seg.rz. All other entries fill blank, unused placeholders.
    4. As previously mentioned, the file loader was limitted to the first five titles. This test was changed into a simple invalidity test. Changes were made in-place (crudely) and affect a total of five lines.
    5. Menu 25's initializer, used to determine which of the games should be loaded by testing the held buttons on controller 3, has been completely rewritten. Games are no longer had-coded to masks but use a table. A final NULL entry indicates the end of the list and simultaneously the index of the default snapshot. The masks used are identical to those used by Rare, with the exception of the default entry being overridden with the unregistered game Cookie. One line was also added to stop the main menu music.
    6. Within the controller mappings, L's assigned function no longer nullifies the program manager. It now calls the title object, returning to the previously-loaded menu 05 (folder select). This consists of four lines, replacing a loop and shortening the code generally.
    7. Although unneccessary, the Start button was mapped to mirror the A/B start game option for all titles.
    Everything else is untouched, including all aspects of actual emulation. You are playing Rare's actual embedded Spectrum emulator and nothing else.

    +_+

    As always, disassemblies and disertations are always available. Comments, queries, and quirks can be reported either by email or at the Shooters Forever forums: http://www.shootersforever.com/forums_message_boards

    -Zoinkity

  2. #2
    Enlightenment ASSEMbler Soldier
    Druid II's Avatar

    Join Date
    Jun 2006
    Posts
    3,038
    I'd believe this if it wasn't posted 3 days from april 1st.

    1HCg6o6zJkxtjNfyzGHtwZbXgCC7Kdf231

  3. #3
    Foot Soldier
    Zoinkity's Avatar

    Join Date
    Feb 2012
    Posts
    286
    I was really tempted to post it April Fool's just to be a total jerk.

  4. #4
    Combat Soldier
    DarthCloud's Avatar

    Join Date
    Dec 2007
    Location
    Montréal, QC
    Posts
    873
    I was going to call this BS since 1st april is soon but since I'm curious I tried anyway with my 64drive and it work :O

    Awesome stuff!

    Tried with my real golden eye but it don't work, so that mean their is no way at all to access it without the patch???
    Last edited by DarthCloud; 03-28-2012 at 12:25 AM.

  5. #5
    Combat Soldier
    DarthCloud's Avatar

    Join Date
    Dec 2007
    Location
    Montréal, QC
    Posts
    873
    Did you made any research on Donkey Kong 64, is it the same version of that emulator that is use for jetpac???

    Maybe DK64 hold more game than only jetpac???
    Last edited by DarthCloud; 03-28-2012 at 12:27 AM.

  6. #6
    Adult Orientated Mahjong Connoisseur ASSEMbler Extreme
    Never Logs Out
    Jamtex's Avatar

    Join Date
    Feb 2007
    Location
    Stockholm, Sweden
    Posts
    5,458
    How come there is not sound? The Spectrum was not the most complicated of machines when it came to sound, you has a small speaker which you could turn on and off in a 1bit DAC...
    Like anyone reads the rubbish in the signature.

  7. #7
    Enlightenment ASSEMbler Soldier
    Druid II's Avatar

    Join Date
    Jun 2006
    Posts
    3,038
    Quote Originally Posted by DarthCloud View Post
    I was going to call this BS since 1st april is soon but since I'm curious I tried anyway with my 64drive and it work :O

    Awesome stuff!

    Tried with my real golden eye but it don't work, so that mean their is no way at all to access it without the patch???
    The patch could contain the entire emulator for all we know...

    1HCg6o6zJkxtjNfyzGHtwZbXgCC7Kdf231

  8. #8
    Combat Soldier
    Mystical's Avatar

    Join Date
    May 2011
    Posts
    882
    Quote Originally Posted by Druid II View Post
    The patch could contain the entire emulator for all we know...
    I agree, very cool even if it is an april fools

  9. #9
    Saturn > PS1+N64
    Tribuni Angusticlavii
    7Force's Avatar

    Join Date
    Mar 2009
    Posts
    4,073
    Blog Entries
    2
    Quote Originally Posted by Druid II View Post
    The patch could contain the entire emulator for all we know...
    Over 200 kilobytes? That is one pretty big patch...

  10. #10
    Foot Soldier
    Zoinkity's Avatar

    Join Date
    Feb 2012
    Posts
    286
    As far as anyone can tell DK64 used a compiled version of the game without emulation. Sub and I can't find any emulation code whatsoever. We were searching a completely decompressed copy of the game's files and at no point is there the bytecode string used to read controls. Concidering the same string tested positive in both snapshots and tape records of the game, it should have been found if it was being emulated.


    That patch size is small compared to the patches used to insert levels, characters, etc. A good chunk of that is the main compressed file at 21990-33590. Then all the stupid memory shifting to stick the blasted manager in there without breaking images. Also, had to hack all the games so joystick was selected. There wasn't a capacity to select it on each menu, so you'd be stuck without controls. The horror!

    The ASM in GE spans from 107410 - 117878, mapped to 7F0D28E0 - 7F0E2D48 ingame. There are dependancies within the file compressed at 21990 as well. Attached a partial disassembly. I was going to go through later and fully annotate it for the heck of it. Really only touched on some of the things needing tracing.

    So you know, basic register assignments within the actual emulation portion of this:
    S0 A
    S1 flags
    C, Z, P/V, N, H
    S2 B
    S3 C
    S4 D
    S5 E
    S6 H
    S7 L
    SP+28C cycle counter
    SP+298 PC

    Keyboard halfwords are mapped to 8004EC34, erroneously extending one too many bytes. The joystick is immediately after that.

    Crazy though. I was honestly really surprised to find it in there when going through memory allocations. I mean, sure, the game names were listed in a table at runtime but nobody really thought anything of it. Rare doesn't believe keyboards should have delete keys, so it was assumed to be just one more crazy thing rolled in from a previous title, like the Killer Instinct speed cheat names.

    Emulation credit goes to Steve Ellis. Amazing work!

    There's all sorts of crazy crap embedded in GE. For instance, a full 64DD initialization routine. Tests for it, if found tests that it's ready, has what looks like some drive IO maybe. Didn't make a whole lot of headway with it due to a complete lack of 64DD register reference. Sets up a thread for random testing and all, but doesn't seem to use it past that. I can post that stuff up some time if you like.
    Attached Files Attached Files
    Last edited by Zoinkity; 03-28-2012 at 08:52 AM.

  11. #11
    Hmm would it work for the nes emulator of Animal Crossing?

    Anyway fantastic work :)

  12. #12
    Foot Soldier
    Zoinkity's Avatar

    Join Date
    Feb 2012
    Posts
    286
    What do you mean? The NES/FDS emu in Animal Forest works fine on hardware but is unsupported in emulators. (or at least most of them)

    Actually, did a bunch of work with AF as part of a translation project. It is much, much pickier about the ROMs it accepts. Although it can load virtually anything it only allocates enough memory for PRG0 to work properly, and even then it can be hit or miss.

    The Famicom emulator is a funny one. The code for it and the GB emulation was apparently available on Warioworld (or whatever it was called at the time) but few projects ever touched it. Concidering that one 64DD feature never implemented was downloading old NES/GB games it isn't hard to reason out these could have started their life there.
    Strange, isn't it, how many N64 emulators use L to quit out?
    Last edited by Zoinkity; 03-28-2012 at 11:03 AM.

  13. #13
    Site Supporter 2013 Foot Soldier
    AleffCorrea's Avatar

    Join Date
    Aug 2011
    Location
    North Korea
    Posts
    494
    Please don't be an april's fool prank. Please...

  14. #14

    Tribuni Angusticlavii
    MottZilla's Avatar

    Join Date
    Feb 2006
    Location
    USA
    Posts
    4,464
    It's on RomHacking.net, I'm guessing it is real as I assume they would test the patch out before approving it.

  15. #15
    Site Supporter 2013
    Combat Soldier
    sonik's Avatar

    Join Date
    Mar 2004
    Location
    Brazil
    Posts
    547
    Blog Entries
    2
    Amazing!
    And I just figured out that Gun Fright is a game from Rare. I played it a lot on the MSX.

  16. #16
    Foot Soldier
    Zoinkity's Avatar

    Join Date
    Feb 2012
    Posts
    286
    Steve Ellis, who originally created the emulator, sent an email to clarify how the original Spectrum ROM was set up. Since it wasn't included and the copyright was lifted by Amstrad I've included the complete one with the patch.
    Here's the letter though, and be certain to check out Crash Lab. Really!
    Quote Originally Posted by Steve Ellis
    Hi,

    I see various posts about this on the web now. I thought I'd clarify the point about spec_rom.seg.rz - the contents of this file fill the bottom 16kb of the Spectrum's memory. On the original Spectrum, the bottom 16kb would have included the whole operating system (the BASIC programming language, functions for loading from and saving to cassettes, etc.). Since the ROM is copyrighted we weren't able to use it. However, some of the games that we were emulating wanted to call one or two Spectrum ROM functions. The solution to this was to create an empty ROM (99.9% filled with NOP's), but with newly-created (copyright-free) replacements for the few short functions that the games needed to call. The games should run with this minimal replacement ROM.

    BTW, if you'd like to send any people in the direction of @CrashLab or facebook.com/CrashLab, I'd be grateful. We're going to release something later this year that hopefully should appeal to fans of "old-school" games.

    Regards
    --
    Steve Ellis
    Crash Lab

    www.crashlab.co.uk
    www.facebook.com/CrashLab
    www.twitter.com/CrashLab
    +_+

    Here's confirmation that DK64 isn't running Jetpac under emulation.
    Grabbed a copy of ram via GameShark from the North American DK64 retail release. That's NDOE internally. Jetpac was run from the Bonus menu, and the ram dump was taken in-game.
    Firstly, there isn't Spectrum code or any semblance of a Speccy ROM. Even string conventions are wrong. In the Speccy:
    JETPAC GAME SELECTIOÎ1 1 PLAYER GAMÅ2 2 PLAYER GAMÅ3 KEYBOARÄ4 KEMPSTON JOYSTICË5 START GAMÅ
    Note the 0x80 END marker on each string. This is the comparable block within DK at 8002E9D0:
    1UP.%d!.2UP.HI..%06d....%06d....%06d....JETPAC GAME SELECTION...1@@@1@PLAYER@GAME...2@@@2@PLAYER@GAME. ..3@@@KEYBOARD....4@@@KEMPSTON@JOYSTICK...5 START GAME..%c1983 A.C.G. ALL RIGHTS RESERVED...RETURN..DELETE@HISCORE..EXIT@@JETPAC... .RAREWARE COIN COLLECTED.GAME OVER PLAYER %d
    The @ symbols really are @ symbols, by the way. This is used exclusively in ASM for normal string display.
    NDOE @ 80024478:
    //80024478:
    3C058003 LUI A1,8003
    AFA20010 SW V0,0010 (SP)
    00601025 OR V0,V1,R0
    24A5E9D0 ADDIU A1,A1,E9D0 ;A1=8002E9D0: b"1UP"
    02C02025 OR A0,S6,R0
    24060038 ADDIU A2,R0,0038
    24070018 ADDIU A3,R0,0018
    AFA30050 SW V1,0050 (SP)
    0C00ABBF JAL 80002AEF ;print string A1 at (A2,A3) in DL A0
    AFA3004C SW V1,004C (SP)
    //800244A0:
    3C118003 LUI S1,8003
    3C138003 LUI S3,8003
    2631EC4C ADDIU S1,S1,EC4C ;S1=8002EC4C: scores, high, 2pl, 1pl or something like that
    2673E9D4 ADDIU S3,S3,E9D4 ;S3=8002E9D4: b"%d!"
    00008025 OR S0,R0,R0
    27B50060 ADDIU S5,SP,0060
    24140002 ADDIU S4,R0,0002
    8E260008 LW A2,S1,0008 ;A2=1UP score
    02A02025 OR A0,S5,R0
    02602825 OR A1,S3,R0
    etc.
    Point here being that the scores and menus are all printed via N64 ASM and not under Spectrum emulation. For that matter, at no point will the input read routine from Jetpac be found.
    In the Spectrum version you'd have this:
    @6204
    3A.F35C LD A,(0x5CF3)
    57 LD D,A
    3E.F7 LD A,0xF7
    D3.FD OUT 0xFD,A
    DB.FE IN A,(0xFE)
    2F CPL
    CB47 BIT 0,A
    28.02 JR Z,+2
    CB82 RES 0,D
    Simple. Reads input and tests masks for pressed number keys, changing entries accordingly. At no point is this present in a DK64 snapshot.

    No emulation. They recompiled it as N64 code, for good reason. No reason for a whole emulator when you only need to run one game.
    Last edited by Zoinkity; 03-30-2012 at 10:32 AM. Reason: DK Debunkery

  17. #17
    Combat Soldier
    DarthCloud's Avatar

    Join Date
    Dec 2007
    Location
    Montréal, QC
    Posts
    873
    Thank for the info regarding DK64!!

  18. #18
    I post here on the toilet sometimes. ASSEMbler Soldier
    XxHennersXx's Avatar

    Join Date
    Mar 2007
    Location
    Washington
    Posts
    3,985
    The ORIGINAL on-disc DLC

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •