Richard Aplin (Game Genie Developer)

April 16th, 2009

Ace: I read your everything2.com message about making the GameBoy Game Genie, care to elaborate further on its creation?

Richard Aplin: Lots of wires!
(All the following relates to cartridge-based consoles from 1985-1996 or so, e.g. Gameboy, Genesis, NES, SNES, GameGear, etc)

We had no way to get any info on the hardware or software of the consoles (and we had a very litigious relationship w/Nintendo), so we did it "the hard way" by reverse-engineering them - by literally going to a store, buying a few systems, tearing them apart, and attaching a logic analyser to them.
A logic analyser is basically like a digital oscilloscope (shows you what high-speed signals are doing in real time) but typically has lots of separate channels (32-48). You connect each channel to signals/chip pins that look "interesting" inside your console, run the analyzer, then spend some time figuring out what all the signals are doing and what the hell is going on.

Once you've got the basic signals figured out (typically you want to figure out the pinout of the cartridge connector) - found the address and data bus of the CPU and the basic control lines (Read, Write, etc) then you've got to the point where you can typically build a 'dev board'.
We'd build a PCB (with suitable cartridge edge connector on it) that contained an EPROM, an FPGA, a bunch of SRAM, a high-speed parallel port, and typically for fun a 2-line LCD display and some lights. The EPROM contained whatever boot code was required to get the console booted, then it entered a monitor program where you could remotely view/change the console memory using the parallel port on the board.
The parallel port always used the ubiquitous "PDS" style interface (PDS = Programmers Development System, at the time a very widely used - and very fast - PC-based cross-assembling system by Andrew Glaister and others) so everything was fairly standard.

-- Cartridge protection systems
To get a dev board going typically you have to discover and bypass any "rights enforcement" mechanisms on the console - for the NES and SNES this was the famous 'lock chip' (we just used a passthru or modified the console to disable the lock chip), on the Gameboy it was an interesting trademark-based protection (in theory you couldn't write a Gameboy game that DIDN'T display a "Nintendo(TM)" bitmap logo on startup). There was a boot rom in the gameboy that read a block at start of the GB cart and displayed it on the screen as a bitmap. It also checked to ensure that this logo was byte-for-byte the same as a copy stored in the boot ROM. Basically, they forced you to commit trademark and copyright infringement - you couldn't make a GB cart that actually booted that didn't also contain their bitmap image (copyright data) that was also displayed onscreen before the cart started (trademark infringement). Neat!
However, they made a fairly elementary mistake in the implementation... they read the logo twice - once to display it and again later on to check that it exactly matched the boot rom version. This means you could swap the logo data out (using hardware switching) and at least get your own logo on the boot screen, bypassing the Trademark part... ;-)

Once you have a dev board going, and can download and run code, alter memory etc on your console (usually with nothing but a black screen), then 'all' you have to do is work out what all the custom chip registers do (!), and you can eventually write a complete game.

So Codemasters was interested in both releasing games for these consoles (usually "Unlicensed", e.g. the Codemasters "Camerica" NES Games) - with the Sega Megadrive/Genesis we did the same thing (Codemasters were about to release unlicensed Genesis cartridges on the market, and won a legal battle meaning that at the 11th hour Sega cut a deal with us to avoid the whole thing blowing wide open)

Ok so that's reverse engineering.

When I turned up at Codies (they hired me when I showed them a home-made Genesis dev-board I'd built), they had already done a couple of years of hard work and successfully launched the NES Game Genie (including legal battle) and were making good money.

They had teams of people making codes (a guy called Graham Rigby was the main Codemeister - he lived in a room full of nothing but shelves and racks of NES games - he had every NES game in every territory I think)

They wanted other formats, so I turned up and 'did' the Gameboy (reverse engineered it, built a gameboy dev board, built a prototype game genie, etc), then the Sega GameGear dev board+Game Genie, a Genesis development board ('Rachel'), then the SNES Genie 2 (the first SNES Genie was made by our partners in the US, it was a very dull thing, but they got it out quick).

The Genie2 was really a labor of love with lots of nice features (triggering/switching cheats from the controller was sweet) but alas it was stillborn. (see later)


Ace: In your everything2 posting you said you've got one of only 5 SNES Game Genie II's in existence. Care to take some pictures of it and any other unreleased Game Genie/Codemasters related things you may have?


Richard Aplin: Sure I still have the SNES GG2 prototype..


    


It had lots of fun features...
32K battery-backed SRAM, 5 buttons and 4 LEDs
It had a lot of clever technical things inside - unlike older Genies which only did "byte replacement" in hardware, the GG2 also could intercept the game's interrupts on the fly and hence injected code into the running game.
This gave us huge flexibility.

a) turn codes on+off dynamically while playing (with the buttons on the GG2 or you could program 'soft keys' on the controllers - that was awesome; you could essentially add cheats to buttons on the controller - e.g. press L2 at any time to become flying mario!)
b) find your own codes (really sweet automatic system, you just played the game and pushed one of the buttons when you died or whatever; after doing this a couple of times it usually magically found you a cheat code)
c) RAM and ROM based codes
d) stealth ROM codes ('cloaking' - the ability to make a ROM code only activate if a specific sequence of bus activity preceded it - It made it possible to have a ROM cheat code that easily evaded almost any cartridge self-checksum routine)
e) slow down/pause games
f) the GG2 would actually pull your game scores out of the console RAM and store them in battery-backed memory for you - when you powered up the GG2 with a cart plugged in it recognized the game and showed you your high-score table, stored cheats, etc. Was lovely...
g) errrmm what else.. it did literally everything we could think of putting in there. ;-)

A really nice SNES user interface for it was written (and I think completed!) by a team at Big Red software (R 'Fred' Williams did the SG2 I think) and the whole thing was probably 80% towards being a shipping product before it got axed. :-(
Not Codemasters' fault, it was more market timing. We were a little too late with it, and Galoob had stacks of the first version in warehouses, so.. them's the breaks.

It was a shame Codies sort of abandoned the Game Genie line after doing a marvellous job of inventing, producing & fighting tooth and nail in the courts to get it out there.
It made them a good bit of money at the time, but after the SG2 was cancelled Codies mostly lost interest in it all.

I think Datel carried on profitably for years and years afterward with variations on the Game Genie. I don't know why Codies didn't act more aggressively against Datel to defend their invention; I know for a fact that we had a good patent infringement case against them (I researched it), but hey, whatever, I was the "mad inventor" not the biz guy.


Ace: What's your opinion on the Game Enhancer/Cheat Device industry of today? Where do you see it going?

Richard Aplin: Don't really follow it, but everything went "software only" years ago. Finding cheats for consoles is a lot easier if you have the ability to make snapshot copies of the console's RAM. In the 90's we could do that easily, nowadays it's virtually impossible unless you want to dump the RAM out via ethernet to a waiting PC. Virtualization/emulation of course changes the rules again. ;-)


Ace: Why did the NES Game Genie have the limitation of writing to the later part of the game, basically the ROM, and not include the RAM?

Richard Aplin:
a) The NES genie was a very simple device, only allowed 3 ROM locations to be substituted. RAM modification generally requires patching an IRQ vector and providing some code to run there.
b) I don't think they thought of it when they designed the first one (before I arrived).
c) K.I.S.S! Launching the Game Genie took years of work and legal hassle, I think they had their hands full.

I added it to the Genies I did later.


Ace: What type of tools were used in the creation of Game Genie Codes for NES before the advent of emulators?

Richard Aplin: We usually used a custom PCB that had (typically) a parallel port, a passthru connector for the original cart, and basic byte-replacement hardware. Also a few simple tools running (I think) on a Commodore 64.