Principles of Software Emulation Joe Bertolami www.bertolami.com [email protected] Part I: Part II: Part III: Part I Emulation Basics What is an emulator? A software application written for a host system that mimics the behavior of a target system. This enables software originally written for the target system to be executed on the host. Q: Why bother to write an emulator? 1 Preservation: Protect our ability to use legacy platforms long after their extinction. 2 Education: Learn about platform development through a fun technical challenge. 3 Software Piracy: Play your favorite games without having to buy them or the console. PIRACY PIRACY HURTS HURTS KITTENS! KITTENS! 4 Commercial: Meet a business need, such as supporting backwards compatibility or pre-hardware development. non-gaming use cases Development Testing Legacy hardware emulation != simulation Precise reconstruction of target hardware and software. Emulation Provides ability to directly execute programs compiled for the target platform. ✂ Approximate reconstruction of target software (only). Simulation Generally produces similar behavior, but is compiled for the host platform. Emulation Pattern Compiled for the target platform Compiled for the host platform, but emulates the target hardware Simulation Pattern Compiled for the host platform Emulation vs. Simulation Application source code Compiled for target platform Compiled for host platform Runs on Runs under Runs under Runs on target platform emulation simulation host platform Emulation vs. Simulation Emulators Simulators Emulation vs. Simulation simulator… ● typically more efficient ○ ○ ● may be less complex ○ Emulation vs. Simulation emulator… ● typically a more precise ○ ○ ○ ● may be the only practical way ○ ○ Q: Why is emulation so difficult? Emulation of 1 target instruction usually requires >1 host instruction Translating instructions or data isn’t always straightforward Target software may exercise obscure, faulty, and undocumented parts of the hardware Some platforms don’t want to be emulated Emulation in Practice Most emulators are approximations Emulation in Practice Precise emulation (e.g. cycle-level timing accuracy) requires significantly more horsepower (See: Why Perfect Hardware SNES Emulation Requires a 3 GHz CPU) CPU Transistor Count Host / Target Initial Target First Host Transistor ϕ release transistors Emulated transistors Multiplier Atari 375x 2600 Nintendo 68x NES Nintendo 7.2x Super NES Sony 11.2x Playstation Sega 8x Dreamcast Microsoft 7.85x Xbox Φ Determined by date of first stable release that reasonably mimics original functionality. CPU Transistor Count Host / Target Initial Target First Host Transistor ϕ release transistors Emulated transistors Multiplier Atari 375x 2600 Nintendo 68x NES Nintendo 7.2x Super NES Emulation scene took off in the 1990s as consumer grade hardware became Sony capable of emulating early game systems, and the Internet provided: 11.2x Playstation ● Access to a community of developers and enthusiasts ● Access to platform information and tools for reverse engineering Sega 8x Dreamcast ● Distribution channel for emulators and applications Microsoft 7.85x Xbox Φ Determined by date of first stable release that reasonably mimics original functionality. CPU Transistor Count Host / Target Initial Target First Host Transistor ϕ release transistors Emulated transistors Multiplier Atari 375x 2600 Nintendo 68x NES Nintendo 7.2x Super NES Rule of thumb: Ignoring outliers, it generally takes about 8-10x the horsepower in the host to emulate a target system Sony 11.2x Playstation Sega 8x Dreamcast Microsoft 7.85x Xbox Φ Determined by date of first stable release that reasonably mimics original functionality. CPU Transistor Count Host / Target Initial Target First Host Transistor ϕ release transistors Emulated transistors Multiplier Atari 375x 2600 Nintendo 68x NES The Original Xbox emulator was built by Microsoft with the aid of full documentation. Even with this advantage, the emulator was never able to Nintendo support the entire Xbox game catalog. 7.2x Super NES The original Xbox (target) and Xbox 360 (host) were significantly different Sony platforms in almost every way, and asymmetries in their CPU 11.2x Playstation architectures made this an extremely challenging project. Sega 8x Dreamcast Microsoft 7.85x Xbox Φ Determined by date of first stable release that reasonably mimics original functionality. Emulation in Practice greatly slow emulator development ● ● ● ● Example Part II Emulator Architecture Building an Emulator Research: Reverse engineer or obtain detailed specs that describe every part of the system. This likely includes: CPU, GPU, APU, DSPs, input, memory, storage, media, and network. Build: Write the logic for each component, including their interconnections, boot processes, and interrupt handlers. Test: Experiment with target software to find bugs and performance traps.↻ Make adjustments as needed. low level emulation high level emulation Emulation Levels Low level emulation High level emulation Imitate a low level hardware interface Intercept application calls to target hardware implementing virtual and route them to high level host APIs Advantages: Advantages: Emulation Levels Low level emulation def render_frame() ASL $43, X Pseudo-snippet: Clear the screen using target platform API ROL $F8, X 13 AND ($43, X) 14 def render_frame(): JSR 15 clear_screen(BLACK_COLOR) 16 … some logic that renders the frame … ... def clear_screen() 33 def clear_screen(color): AND $11F8, Y 34 … some logic that controls hardware … EOR $(F8, X) 35 SED ADC ($03, X) Emulation Levels High level emulation def render_frame() ASL $43, X Pseudo-snippet: Clear the screen using target platform API ROL $F8, X 13 AND ($43, X) 14 def render_frame(): JSR 15 clear_screen(BLACK_COLOR) 16 … some logic that renders the frame … ... Intercept and route to a native host routine 33 def clear_screen(color): 34 … some logic that controls hardware … 35 Emulation Architecture CPU Virtual CPU GPU Virtual display unit APU Virtual audio unit Memory Allocated memory buffers Physical storage Data files Controllers USB device managers Network controllers Socket manager Host Input APIs Host Output APIs SO, LET’S BUILD AN EMULATOR Nintendo Family Computer ● Released 10/15/1985 ● ○ ○ ● Sold 62M units $7B total revenue by 1992 ○ ○ ● ● ● A Nintendo product, but also a partnership Nintendo Famicom: System Overview Nintendo Famicom: System Overview Controller Ports Expansion Slot PPU Power Switch CPU + APU Lockout Chip 2x2KB RAM Cartridge Slot Display Output Nintendo Famicom: System Overview Controller Ports PPU CPU 2x2KB RAM Minimum viable emulator (interactive images on screen) Nintendo Famicom: System Overview Lockout Chip Nintendo Famicom: Copy Protection lockout chip System Components We’ll Emulate CPU: Ricoh 6502 (inside an 2A03 package) ● ● ● ● PPU: Ricoh 2C02 ● ● ● Input: 2 Controller Ports ● ● Nintendo Famicom: Controller (NES) Nintendo Famicom: Game Cartridge ● Memory cartridges ● remarkably flaky Did you have a special workaround to fix a bad connection? Nope. The only thing that helped was removing the cartridge and reinserting (source). Nintendo Famicom: Cartridge Overview Nintendo Famicom: Cartridge Overview Battery Mapper / MMC WRAM Lockout Key (CIC) CHR ROM PRG ROM Nintendo Famicom: Cartridge Overview CHR ROM PRG ROM Minimum viable emulator (images on screen) Cartridge Components We’ll Emulate Cartridge ● only accessible by the CPU ● Cartridge ● only accessible by the PPU ● Nintendo Famicom: Cartridge Overview ● Multiple variations exist ○ Metal Slader Glory ○ ○ ○ Metal Slader Glory is the largest officially licensed NES game ever ● Sophistication generally correlates with release year created. It required a whopping 1 MB of storage, split between a 512 KB PRG ROM and a 512 KB CHR ROM. ● WRAM is used for save games System Coordination mimic the architecture Our Emulator Design CPU: Input: PPU: Game Cartridge Memory Layout Memory Overview ● CPU has access to: ○ ○ Typically 32 KB. ○ ● PPU has access to: ○ ○ Typically 8 KB. ○ ● CPU and PPU both: ○ ○ easily fit all system and cartridge data in host memory extremely simple *The NES does support bank switching, but we won’t need it for our purposes. Memory Map — CPU PPU RAM CART 0x8000 — 0xFFFF Cartridge PRG ROM (32 KB) 16-bit addresses 0x6000 — 0x7FFF Cartridge WRAM (8 KB) 8 bit word size 0x4000 — 0x5FFF APU and Controller registers 0x2000 — 0x3FFF PPU Registers (8 KB) 64K total address range, but (8 mirrored registers) only ~50KB usable memory 0x1800 — 0x1FFF due to address mirroring 0x1000 — 0x17FF Mirrors of CPU RAM (6 KB) We can easily fit all of this in 0x0800 — 0x0FFF RAM on a modern system! 0x0000 — 0x07FF CPU RAM (2 KB) Memory Map — CPU 32 KB Cartridge PRG ROM 16-bit addresses 8 bit word size 8 KB PPU Registers 64K total address range, but (8 mirrored registers) only ~50KB usable memory due to address mirroring We can easily fit all of this in RAM on a modern system! 2 KB CPU RAM Memory Map — CPU Game code 32 KB Cartridge PRG ROM How the CPU talks to the PPU 8 KB PPU Registers (8 mirrored registers) CPU working memory 2 KB CPU RAM uint8 read_cpu_byte(uint16 address) SNIPPET 1 — READ CPU MEMORY 87 88 uint8 system_bus::read_cpu_byte(uint16 address) { 89 if (address >= 0x8000) { 90 return game_cart->program_rom[address - 0x8000]; 91 } else if (address >= 0x6000) { 92 return game_cart->save_ram[address - 0x6000]; 93 } else if (address == 0x4016 || address == 0x4017) { 94 uint8 controller_idx = address - 0x4016; 95 return keypads[controller_idx]->read() 96 } else