GoldenEye (N64) Spectrum Emulation Unlocked

Discussion in 'General Gaming' started by Zoinkity, Mar 27, 2012.

  1. Zoinkity

    Zoinkity Peppy Member

    Joined:
    Feb 18, 2012
    Messages:
    394
    Likes Received:
    11
    GoldenEye Spectrum Emulation Unlocked

    Little benownst to the world all this time, GoldenEye (N64) has a fully-functional ZX Spectrum 48x emulator built into it. By feeding it a proper Spectrum monitor program and calling menu 25 to load a snapshot, any Spectrum 48x program can be run.

    The emulator started life as a side project to see if Spectrum emulation was possible on N64 and was hooked into GE, the current game in development. It was supposed to be removed before release but was only made inaccessible and inoperable. All the registers, dependancies, and script required to run the emulator still reside in retail GoldenEye carts.

    The original list of games were previous Rare titles, then known as Ultimate Play the Game. The embedded filelist is, in order:
    em/data/sabre.seg.rz Sabre Wulf
    em/data/atic.seg.rz Atic Atac
    em/data/jetpac.seg.rz Jetpac
    em/data/jetman.seg.rz Lunar Jetman
    em/data/alien8.seg.rz Alien 8
    em/data/gunfright.seg.rz Gun Fright
    em/data/under.seg.rz Underwurlde
    em/data/knightlore.seg.rz Knight Lore
    em/data/pssst.seg.rz Pssst
    em/data/cookie.seg.rz Cookie
    em/data/spec_rom.seg.rz Spectrum 16k monitor program​
    In actual fact, the emulator was supposed to run without the aid of the monitor program. Critical subroutines were copied out or hardcoded. In its current state, however, the monitor is required.

    Originally, the emulator was run much the same way that stages are run. Unlike stages which run by switching to menu 11, the emulator runs by switching to menu 25. When initialized, it reads what buttons are held on controller 3. Depending on the button held is which game would be loaded. From there, the monitor program and selected snapshot file are loaded from ROM, and if necessary these files are decompressed.
    Only controller 1 is detected. This is mapped as a Kempston joystick on port 31. Necessary buttons to start each game (usually keyboard '0') and any additional keys to play the game are mapped to the keyboard port 254 halfwords. These are set on a per-game basis, but general controls are A/B to start a game, Z for the 'action' button, and L to unload the emulator and return to gameplay.
    Each emulation cycle lasts 69888 Spectrum cycles. Each opcode consumes a certain amount of this cycle count. At the end, the screen is drawn to the Spectrum screen buffer, and this is displayed like an image using usual N64 microcode. Emulation continues as long as menu 25 is called.

    +_+

    Why a Patch Is Required

    In its pre-patched state the emulator has some peculiar issues, probably due to the different versions of included files used to compile the retail game.
    For instance, the ten games listed above were not all selectable. The initializer only has button masks for eight games, defaulting to SabreWulf. The snapshot loader restricts this list to only the first five. The controller mapping function, however, redirects buttons for all ten titles.

    Interestingly, the ROM file table leaves only ten spaces for the ten different snapshot files blank. These are completely blank, without any data or indicies until the final file placeholder. As previously mentioned, the monitor was not supposed to be included but is requested by the snapshot loader. Otherwise, the list would require eleven spaces.

    The 'unloader' does not, in fact, work properly. It copies NULLs over the program manager. This, obviously, will cause any number of fatal errors to the current game and make it impossible to return to normal gameplay. Also, there is no capacity to reset the screen registers to default.

    +_+

    The Patch

    The patch will reactivate full emulation support in GoldenEye.
    The patch should be applied only to an uneditted, unbyteswapped (big-endian) North American GoldenEye ROM (NGEE). The GoldenEye Setup Editor can apply and byteswap the ROM for you, as well as recalculate the checksum. (Yes, that was a shameless plug.) It should run properly on hardware. Probably ;*)

    You can download the patch via mediafire:
    http://www.mediafire.com/download.php?6bnashajw41n5p5

    Don't pirate ROMs! In most countries you can legally make a backup copy of a cartridge and apply the patch to that. No direct links to ROMs of any kind, patched or otherwise. Respect the Fuzz!

    Emulation can be triggered from the folder select screen after the Eye and title screens by pressing L+R on controller 3. To access each game, hold the button noted below on controller 3 as you press L+R. If no buttons are held or an invalid combination is used it will default to Cookie. For best results, hold the button for the game you want as you press L+R.
    c left Sabre Wulf
    c right Atic Atac
    c up Jetpac
    c down Luna Jetman
    + left Alien 8
    + right Gun Fright
    + up Underwurlde
    + down Knight Lore
    A button Pssst
    (default) Cookie​

    To end emulation at any time, simply press L on controller 1. It should return you to the folder select screen and allow you to continue to play normally. This also conveniently allows you to select another Spectrum game if you wish.
    Here's a link to a video of the thing in action. Please keep in mind Nemu's running with some pretty shotty plugins to get the recording rate fairly high.
    http://www.youtube.com/watch?v=ONJtqf2lIIM


    Briefly, here's the basics to playing each game.

    Sabre Wulf L+R, c left
    Cut a swath through the jungle collecting loot in search of a legendary treasure.
    The game's title screen will clear automatically after a couple seconds.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons
    • Sabre: Z button

    Atic Atac
    L+R, c right
    Seek out the golden key and escape the castle!
    Collect food to regain health. Keys and other items can be collected with A/B and while carried offer some bonus effect. Keys matching the color of barred doors let you walk through them, items like the whiskey bottle let you walk through certain features like kegs, bookcases, clocks, skeletons, etc., and other items allow you to kill or scare certain kinds of enemies.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons
    • Attack: Z button
    • Collect: A or B button
    • Character Select on Main Menu:
      • + left Knight: passes through clocks
      • + down Wizard: passes through bookcases
      • + right Serf: has momentum and passes through kegs

    Jetpac
    L+R, c up
    Rebuild your rocket and refuel it while pillaging each planet. Touch each rocket segment or block of fuel to carry it back to the rocket. When the rocket is entirely purple touch it to take off to the next planet.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons; fly by pressing up, A, or B
    • Fire: Z button

    Lunar Jetman
    L+R, c down
    Drop the bomb on the alien bases before they launch their missiles to destroy your rover.
    Press B when in the middle of the rover to enter it. Inside the rover you are immune to the aliens outside. Press B again to exit. You can move the rover with left and right but can not move over craters in the ground. B also uses the teleporter.
    You fly by pressing up or automatically if you walk over a crater in the ground. This consumes fuel in the meter at the top of the screen. To refuel, stand in the middle of your rover.
    Pick up an item by moving over it and pressing A. You drop the item by pressing A again. You can also drop an item on the flat part of your rover to drive it to a location. Teleporting while holding an item also transports the item.
    You can repair craters. Stand in the middle of the rover and pressing A to pick up a piece of bridging. Drop the bridging while hovering over the crater by pressing A again. There is an infinite supply of bridges.
    To destroy an alien base carry a bomb and drop it from above onto the main building. Dropping a bomb anywhere else simply leaves a crater. Bombs always appear next to the rover and there is an infinite supply of them.
    When time is out the aliens fire two missiles, one of which is a dummy. The other will bee-line for the rover and destroy it. If it does the game is over. You can destroy the missile by firing at it or colliding with it. The time bar is at the top of the screen.
    In the upper left of the screen is an indicator for what direction your rover is in. The upper right indicates what direction the alien base will be.
    Press start to advance past the title screen.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons; fly by pressing up
    • Fire: Z button
    • Collect: A button
    • Enter/Exit: B button

    Alien 8
    L+R, + left
    Find and collect the power cores and return them to the cryo units to revive the crew.
    Start Game: Start, A, or B buttons
    • Controls
    • Forward: up on control stick, + pad, c buttons
    • Turn: left/right on control stick, + pad, c buttons
    • Collect: A or B button
    • Jump: Z button

    Gun Fright
    L+R, + right
    Track down each varmit and plug 'em full of lead to collect the bounty on their head.
    In the bonus and gunfight modes move the crosshairs and press Z to fire at the bags of money or the criminal.
    In town, avoid touching any of the townsfolk. Some of the townsfolk will be hopping up and down pointing in the general direction of the criminal. When you see a criminal, fire your gun with Z to start a gunfight with them.
    • Controls
    • Movement: control stick, + pad, c buttons
    • Fire: Z button

    Underwurlde
    L+R, + up
    Defeat the dark lord within the depths of the Underwurlde.
    Enemies do not kill you in Underwurlde. You only die if you fall too far to the ground. Collecting gems temporarily makes you blue and immune to death.
    You will not be able to attack enemies until you have collected a weapon. You should start with one just to your left. Move over it and press B to collect it. You may carry up to three items.
    Guardians are stationary monsters that can only be defeated using a particular item.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons
    • Jump: up on control stick, + pad, c buttons or press the A button
    • Collect: B button
    • Fire: Z button

    Knight Lore
    L+R, + down
    Feed the charms hidden within the castle to the cauldron to produce a potion to cure your lycanthropy.
    The day/night counter in the lower right indicates how long it will be before you transform. When you transform you'll be immobile and vulnerable for a few seconds. You should only enter the cauldron room as a human, but otherwise there is no actual difference between the human and wolf.
    • Controls
    • Start Game: Start, A, or B buttons
    • Forward: up on control stick, + pad, c buttons
    • Turn: left/right on control stick, + pad, c buttons
    • Collect: A or B button
    • Jump: Z button

    Pssst
    L+R, A
    Spray the blasted pests before they eat your prized Thyrgodian Megga Chrisanthodil.
    Each type of spray kills a different kind of pest. If you use the wrong one the pest stops for a second and then continues. If two or more pests latch onto the flower it will begin to wit and die.
    To grab an item or spraycan press against it. To drop off an item, press it into one of the nooks on the side of the screen.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons
    • Fire: Z button

    Cookie
    L+R
    Whap the ingredients into the pot with a well-timed blast of flour. Smack everything else into the wastebaskets.
    The flour will fire in the last direction you pressed.
    • Controls
    • Start Game: Start, A, or B buttons
    • Movement: control stick, + pad, c buttons
    • Fire: Z button
    +_+

    For those interested in how much code the patch affected, here's a brief summary.
    1. To hook the emulator in, eight lines were added into menu 5's interface to test for controller three. Room was allocated by condensing the usual control stick tests.
    2. A 2-byte fix was used to allow access to ROM filelist entry 0x2DF. This bug was only present in NGEE and corrected in later versions.
    3. ROM filelist entries were added for each snapshot and the program monitor. Since the monitor is necessary in this iteration of the emulator but is commandeering a snapshot entry, the unused text file LwaxJ has been overwritten with cookie.seg.rz. All other entries fill blank, unused placeholders.
    4. As previously mentioned, the file loader was limitted to the first five titles. This test was changed into a simple invalidity test. Changes were made in-place (crudely) and affect a total of five lines.
    5. Menu 25's initializer, used to determine which of the games should be loaded by testing the held buttons on controller 3, has been completely rewritten. Games are no longer had-coded to masks but use a table. A final NULL entry indicates the end of the list and simultaneously the index of the default snapshot. The masks used are identical to those used by Rare, with the exception of the default entry being overridden with the unregistered game Cookie. One line was also added to stop the main menu music.
    6. Within the controller mappings, L's assigned function no longer nullifies the program manager. It now calls the title object, returning to the previously-loaded menu 05 (folder select). This consists of four lines, replacing a loop and shortening the code generally.
    7. Although unneccessary, the Start button was mapped to mirror the A/B start game option for all titles.
    Everything else is untouched, including all aspects of actual emulation. You are playing Rare's actual embedded Spectrum emulator and nothing else.

    +_+

    As always, disassemblies and disertations are always available. Comments, queries, and quirks can be reported either by email or at the Shooters Forever forums: http://www.shootersforever.com/forums_message_boards

    -Zoinkity
     
    Last edited by a moderator: May 25, 2015
    DarthCloud likes this.
  2. Druid II

    Druid II Officer at Arms

    Joined:
    Jun 6, 2006
    Messages:
    3,322
    Likes Received:
    26
    I'd believe this if it wasn't posted 3 days from april 1st.
     
  3. Zoinkity

    Zoinkity Peppy Member

    Joined:
    Feb 18, 2012
    Messages:
    394
    Likes Received:
    11
    I was really tempted to post it April Fool's just to be a total jerk.
     
  4. DarthCloud

    DarthCloud Fiery Member

    Joined:
    Dec 26, 2007
    Messages:
    869
    Likes Received:
    7
    Location:
    Montréal, QC
    I was going to call this BS since 1st april is soon but since I'm curious I tried anyway with my 64drive and it work :O

    Awesome stuff!

    Tried with my real golden eye but it don't work, so that mean their is no way at all to access it without the patch???
     
    Last edited: Mar 28, 2012
  5. DarthCloud

    DarthCloud Fiery Member

    Joined:
    Dec 26, 2007
    Messages:
    869
    Likes Received:
    7
    Location:
    Montréal, QC
    Did you made any research on Donkey Kong 64, is it the same version of that emulator that is use for jetpac???

    Maybe DK64 hold more game than only jetpac???
     
    Last edited: Mar 28, 2012
  6. Jamtex

    Jamtex Adult Orientated Mahjong Connoisseur

    Joined:
    Feb 21, 2007
    Messages:
    5,454
    Likes Received:
    7
    Location:
    Stockholm, Sweden
    How come there is not sound? The Spectrum was not the most complicated of machines when it came to sound, you has a small speaker which you could turn on and off in a 1bit DAC...
     
  7. Druid II

    Druid II Officer at Arms

    Joined:
    Jun 6, 2006
    Messages:
    3,322
    Likes Received:
    26
    The patch could contain the entire emulator for all we know...
     
  8. Mystical

    Mystical Fiery Member

    Joined:
    May 3, 2011
    Messages:
    873
    Likes Received:
    10
    I agree, very cool even if it is an april fools
     
  9. 7Force

    7Force Saturn > PS1+N64

    Joined:
    Mar 6, 2009
    Messages:
    4,364
    Likes Received:
    29
    Over 200 kilobytes? That is one pretty big patch...
     
  10. Zoinkity

    Zoinkity Peppy Member

    Joined:
    Feb 18, 2012
    Messages:
    394
    Likes Received:
    11
    As far as anyone can tell DK64 used a compiled version of the game without emulation. Sub and I can't find any emulation code whatsoever. We were searching a completely decompressed copy of the game's files and at no point is there the bytecode string used to read controls. Concidering the same string tested positive in both snapshots and tape records of the game, it should have been found if it was being emulated.


    That patch size is small compared to the patches used to insert levels, characters, etc. A good chunk of that is the main compressed file at 21990-33590. Then all the stupid memory shifting to stick the blasted manager in there without breaking images. Also, had to hack all the games so joystick was selected. There wasn't a capacity to select it on each menu, so you'd be stuck without controls. The horror!

    The ASM in GE spans from 107410 - 117878, mapped to 7F0D28E0 - 7F0E2D48 ingame. There are dependancies within the file compressed at 21990 as well. Attached a partial disassembly. I was going to go through later and fully annotate it for the heck of it. Really only touched on some of the things needing tracing.

    So you know, basic register assignments within the actual emulation portion of this:
    S0 A
    S1 flags
    C, Z, P/V, N, H
    S2 B
    S3 C
    S4 D
    S5 E
    S6 H
    S7 L
    SP+28C cycle counter
    SP+298 PC

    Keyboard halfwords are mapped to 8004EC34, erroneously extending one too many bytes. The joystick is immediately after that.

    Crazy though. I was honestly really surprised to find it in there when going through memory allocations. I mean, sure, the game names were listed in a table at runtime but nobody really thought anything of it. Rare doesn't believe keyboards should have delete keys, so it was assumed to be just one more crazy thing rolled in from a previous title, like the Killer Instinct speed cheat names.

    Emulation credit goes to Steve Ellis. Amazing work!

    There's all sorts of crazy crap embedded in GE. For instance, a full 64DD initialization routine. Tests for it, if found tests that it's ready, has what looks like some drive IO maybe. Didn't make a whole lot of headway with it due to a complete lack of 64DD register reference. Sets up a thread for random testing and all, but doesn't seem to use it past that. I can post that stuff up some time if you like.
     

    Attached Files:

    Last edited: Mar 28, 2012
  11. olivieryuyu

    olivieryuyu Robust Member

    Joined:
    Apr 9, 2005
    Messages:
    230
    Likes Received:
    1
    Hmm would it work for the nes emulator of Animal Crossing?

    Anyway fantastic work :)
     
  12. Zoinkity

    Zoinkity Peppy Member

    Joined:
    Feb 18, 2012
    Messages:
    394
    Likes Received:
    11
    What do you mean? The NES/FDS emu in Animal Forest works fine on hardware but is unsupported in emulators. (or at least most of them)

    Actually, did a bunch of work with AF as part of a translation project. It is much, much pickier about the ROMs it accepts. Although it can load virtually anything it only allocates enough memory for PRG0 to work properly, and even then it can be hit or miss.

    The Famicom emulator is a funny one. The code for it and the GB emulation was apparently available on Warioworld (or whatever it was called at the time) but few projects ever touched it. Concidering that one 64DD feature never implemented was downloading old NES/GB games it isn't hard to reason out these could have started their life there.
    Strange, isn't it, how many N64 emulators use L to quit out?
     
    Last edited: Mar 28, 2012
  13. AleffCorrea

    AleffCorrea <B>Site Supporter 2013</B>

    Joined:
    Aug 21, 2011
    Messages:
    540
    Likes Received:
    4
    Location:
    조선민주주의인민공화국
    Please don't be an april's fool prank. Please...
     
  14. MottZilla

    MottZilla Guardian of the Forum

    Joined:
    Feb 1, 2006
    Messages:
    4,648
    Likes Received:
    14
    Location:
    USA
    It's on RomHacking.net, I'm guessing it is real as I assume they would test the patch out before approving it.
     
  15. sonik

    sonik <B>Site Supporter 2013</B><BR>

    Joined:
    Mar 15, 2004
    Messages:
    563
    Likes Received:
    1
    Location:
    Brazil
    Amazing!
    And I just figured out that Gun Fright is a game from Rare. I played it a lot on the MSX.
     
  16. Zoinkity

    Zoinkity Peppy Member

    Joined:
    Feb 18, 2012
    Messages:
    394
    Likes Received:
    11
    Steve Ellis, who originally created the emulator, sent an email to clarify how the original Spectrum ROM was set up. Since it wasn't included and the copyright was lifted by Amstrad I've included the complete one with the patch.
    Here's the letter though, and be certain to check out Crash Lab. Really!
    +_+

    Here's confirmation that DK64 isn't running Jetpac under emulation.
    Grabbed a copy of ram via GameShark from the North American DK64 retail release. That's NDOE internally. Jetpac was run from the Bonus menu, and the ram dump was taken in-game.
    Firstly, there isn't Spectrum code or any semblance of a Speccy ROM. Even string conventions are wrong. In the Speccy:
    JETPAC GAME SELECTIOÎ1 1 PLAYER GAMÅ2 2 PLAYER GAMÅ3 KEYBOARÄ4 KEMPSTON JOYSTICË5 START GAMÅ
    Note the 0x80 END marker on each string. This is the comparable block within DK at 8002E9D0:
    1UP.%d!.2UP.HI..%06d....%06d....%06d....JETPAC GAME SELECTION...1@@@1@PLAYER@GAME...2@@@2@PLAYER@GAME...3@@@KEYBOARD....4@@@KEMPSTON@JOYSTICK...5 START GAME..%c1983 A.C.G. ALL RIGHTS RESERVED...RETURN..DELETE@HISCORE..EXIT@@JETPAC....RAREWARE COIN COLLECTED.GAME OVER PLAYER %d
    The @ symbols really are @ symbols, by the way. This is used exclusively in ASM for normal string display.
    NDOE @ 80024478:
    //80024478:
    3C058003 LUI A1,8003
    AFA20010 SW V0,0010 (SP)
    00601025 OR V0,V1,R0
    24A5E9D0 ADDIU A1,A1,E9D0 ;A1=8002E9D0: b"1UP"
    02C02025 OR A0,S6,R0
    24060038 ADDIU A2,R0,0038
    24070018 ADDIU A3,R0,0018
    AFA30050 SW V1,0050 (SP)
    0C00ABBF JAL 80002AEF ;print string A1 at (A2,A3) in DL A0
    AFA3004C SW V1,004C (SP)
    //800244A0:
    3C118003 LUI S1,8003
    3C138003 LUI S3,8003
    2631EC4C ADDIU S1,S1,EC4C ;S1=8002EC4C: scores, high, 2pl, 1pl or something like that
    2673E9D4 ADDIU S3,S3,E9D4 ;S3=8002E9D4: b"%d!"
    00008025 OR S0,R0,R0
    27B50060 ADDIU S5,SP,0060
    24140002 ADDIU S4,R0,0002
    8E260008 LW A2,S1,0008 ;A2=1UP score
    02A02025 OR A0,S5,R0
    02602825 OR A1,S3,R0
    etc.
    Point here being that the scores and menus are all printed via N64 ASM and not under Spectrum emulation. For that matter, at no point will the input read routine from Jetpac be found.
    In the Spectrum version you'd have this:
    @6204
    3A.F35C LD A,(0x5CF3)
    57 LD D,A
    3E.F7 LD A,0xF7
    D3.FD OUT 0xFD,A
    DB.FE IN A,(0xFE)
    2F CPL
    CB47 BIT 0,A
    28.02 JR Z,+2
    CB82 RES 0,D
    Simple. Reads input and tests masks for pressed number keys, changing entries accordingly. At no point is this present in a DK64 snapshot.

    No emulation. They recompiled it as N64 code, for good reason. No reason for a whole emulator when you only need to run one game.
     
    Last edited: Mar 30, 2012
  17. DarthCloud

    DarthCloud Fiery Member

    Joined:
    Dec 26, 2007
    Messages:
    869
    Likes Received:
    7
    Location:
    Montréal, QC
    Thank for the info regarding DK64!!
     
  18. XxHennersXx

    XxHennersXx I post here on the toilet sometimes.

    Joined:
    Mar 12, 2007
    Messages:
    4,083
    Likes Received:
    13
    Location:
    Washington
    The ORIGINAL on-disc DLC
     

Share This Page