Head over to his site, horriblefanfare.com, to read the article.

There actually aren’t many strings in these cartridge images; mostly some library ID strings like “TVSYS TVLCD1.0″ (apparently the internal name for this product), “OursLib V1.2.25 generated by TV3, 2005-05-24″ and build dates. This makes the few strings that do exist jump right out. One of the games (Elmo’s World – Elmo’s Big Discoveries) has a list of “bad words”, which presumably is in there to keep you from entering them in as your character name. (The Wii’s System Menu had a similar list, if I recall correctly, but we never actually found a place where it was used.) It’s a fairly short list of 101 4-letter words (in alphabetical order), and many of them are quite appropriately forbidden for a toddler’s video game. Some are pretty tame — here’s all the ones that begin with the letter ‘b’:

b.s. bare barf boff bong bonk boob bras brat bums burp bust butt

Well, whatever, it’s just some silly game, right? It might just be part of some standard library they use. (Nevermind the fact that there’s nothing like it in 9 of the other games that I looked at.)

However, the game that is included for free when you buy the system — Alphabet Park Adventure — is special. It has some strange strings at the beginning:
**! 80092000201101
078800 V.Smile\084080 Wall-E Save the World\info.xml
078800 V.Smile\084080 Wall-E Save the World\info.xml
078800
80-92000-201-001
2008-08-26 V1 M04
000000-1FFFFF
200000-3FFFFF
0123456789ABCDEF
crack
violate
TV 1.0
TVSYS TVLCD1.0


(I guess they cut-and-pasted a template from a Wall-E game, and maybe there’s some checksumming routine — there are 0×400000 words in the cartridge. Your guess is as good as mine as far as “crack” and “violate” go.)

From there, it just gets surreal. There’s a list of 1,023 “bad words”, varying from the tame to the bizarre. They’re in order first by word length, and then by alphabetical sort order within that length. This means that the longest words (well, phrases) are at the end of the list. I’ll provide a link to the full version of the full list below (warning — NSFW, by definition), but I’ll except some of the funnier ones here.

As far as I can tell, the list has a few straightforward categories:

• Obscene words
• Vulgar slang
• Drug references
• Racist epithets

All of those seem fairly reasonable. Then it gets strange:

• Medical terms for anatomy, etc
• Political terms that the Chinese don’t like
• Words that I had to go look up in the dictionary
• Phrases that have no real bad meaning in English, but might have some obscene connotation in Chinese

Here are some of the last group here that seem most strange. The oddest part is, I can’t even find a single place in the game (and it’s not a very big or complicated game) where you can enter any strings in at all — it’s mainly picking between 2 or 3 possible letters to fill in a blank. It’s also only in my US version of the game, and not in bmx’s French version.


bra bum gin god god gun hag hex jig jun pip pox s&m sod std war wog won

bandit chieftain
marxism-leninism
sexual inadquacy
sovereign rights
chinese civil war
sexual perversion
white supremacism
white supremacist
concentration camp
cotius intermammas
mao zedong thought
the xi'an incident
white man's burden
knee-chest position
nocturnal pollution
the communist party
the return of macao
the eight route army
the republic of china
chinese-british street
the return of hongkong
great-nation chauvinism
nationalist party (kmt)
the communist gangsters
tibet autonomous region
national autonomous area
tiananmen square massacre
big-nationality chauvinism
the communist youth league
national self-determination
national liberation movement
subversion and anti-subversion


Anyone know how I can get paid for making up word lists like this? The full (NSFW!) list is available here.

I can’t really give a great justification as to why this thing was so damned interesting to me, but it seemed weird and quirky and nobody really knew much about it. I thought it might be fun to try to emulate awesome games such as “Fry Egg” on the real Wii, but didn’t really know where to begin — aside from getting my hands on one. When it finally arrived in the mail from China, I opened it up to find myself faced with a couple of epoxy blobs:


This was a bit depressing; there’s not much you can do with these, absent any sort of descriptive markings. Fortunately for us, the makers of this “console” decided to add a cartridge port and a 9-pin joystick controller, and then include a “VC-1″ cartridge full of crappy games (“Virtual Console”, I suppose). It was here that we got lucky; the cartridge contained a standard NOR flash chip, which I was able to read out with a standard chip programmer.

Browsing through the contents of the flash chip, there was no recognizable text or known instruction set — but fortunately, we found this header:
0000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
*
0000c00: 6368 6b73 756d 3a32 3441 3842 4339 4220 chksum:24A8BC9B
0000c10: 7665 723a 2275 276e 5350 2049 4445 5665 ver:"u'nSP IDEVe
0000c20: 7220 312e 362e 3222 2075 7365 723a 2273 r 1.6.2" user:"s
0000c30: 756e 706c 7573 2220 626f 6479 3a22 5350 unplus" body:"SP
0000c40: 4732 3433 2200 0000 0000 0000 0000 0000 G243"...........


u’nSP? sunplus? What is this crap? Searching on Google didn’t find much (at the time — there’s a lot more now, partially by coincidence and partially as a consequence of the work we’ve done which we’ll get to shortly). We started digging, and, well, to make a long story shorter — it turns out that there is one Chinese company with several names that makes chips that you could probably find in devices you already own.

SPG

The SPG2xx series use a custom instruction set (“u’nSP”), and are designed for something like the TV Plug-n-Play games; they are used in most (if not all) of those, as well as the Vii and the V.smile (if nothing else). Segher took our dumped ROM and scant documentation and built a disassembler, and then a mostly-working emulator for this architecture (more on this below). The top of the line SPG290 uses a different “s+core” architecture, and is used in the Mattel Hyperscan.

SPMP

The SPMP series chips are ARM-based SoCs that are used in cheap Chinese “Personal Media Players” that also generally come bundled with NES or GameBoy emulators; see Marcan’s work on these.

I/O interfaces

I’ve seen a lot of use of these chips in random USB I/O applications. The external hard drive I use to back up my laptop has a SunPlus USB-SATA bridge. They make USB-to-CCD interfaces (aka webcams!).

Everything else

They make chips that go into digital picture frames and portable DVD players, too. In China, they’re used for more general control applications — they make general MCUs under the “GeneralPlus” name, and it was actually here where we found the most info. Although the datasheets for the SunPlus chips are pretty hard to find, the general-purpose chips have freely-available documentation, and many of them use the same instruction set. On the GeneralplusSunplus MCU site (this all gets very confusing), you can find datasheets for other chips that use the u’nSP instruction set, and even an IDE based on an old, hacked up, GPL-violating version of GCC that supports u’nSP!

Based on the ROMs we extracted from the Vii and some experiments, Segher was able to write a disassembler and then eventually an SPG emulator:

I can now play Vii games on my computer, woohoo! Sadly, sound and “Viimote” support have yet to be implemented. Further research showed that most (all?) of the Jakks Pacific TV Plug’n'Play games also use SPG chips, so after some hardware hacking, we were able to play a couple of them, too:

Work lately has focused mostly on the V.tech V.smile, which has the advantage of being cheaply and widely available, and it takes cartridges which are just simple ROMs (or occasionally NOR flash chips) on a PCB … with any luck, we will soon have a SPG development kit for the masses, a need that I’m sure everyone will agree went unfulfilled for quite some time.

Not everything has to be cutting-edge to be fun.

The N64 chips are different, and I haven’t seen a ROM dump of those yet, so all of the following is NES/SNES only.

There is one chip inside the console, and one in every cartridge; the code inside the chip decides what to do based on a pin strap (the console one will be the “lock”, and the cartridge one will be the “key”). The two chips run off the same clock, and they run the same code, so they run in lockstep (sometimes they execute different codepaths, but the code is careful to take the same number of cycles on both paths in these cases). The chips communicate over two wires, one from key to lock, one from lock to key. Both chips calculate what bits they will send, and what the other guy should send; if what they receive is not the same as what they should have received, they panic, and the lock chip resets the console.

Here is the pinout of the CIC:

              +------------------+
 DATA_OUT <-- | 1 P0.0    +5V 16 |
  DATA_IN --> | 2 P0.1        15 |  ?
     SEED --> | 3 P0.2        14 |  ?
LOCK/-KEY --> | 4 P0.3        13 |  ?
              | 5 Xout   P1.3 12 | <-- RESET_SPEED_B
              | 6 Xin    P1.2 11 | <-- RESET_SPEED_A
              | 7 RESET  P1.1 10 | --> SLAVE_CIC_RESET
              | 8 GND    P1.0  9 | --> -HOST_RESET
              +------------------+

The LOCK/-KEY pin is the strap pin I talked about above. The SEED pin has a capacitor connected to it; the discharge time of that is supposedly somewhat random, the lock chip times it and uses that as a random generator, to decide which of 16 possible streams to generate. It tells the key chip which one it chose.

The lock chip can reset the key chip (pin 10 on the lock is wired to pin 7 on the key), and it can reset the console. The RESET_SPEED pins are used on the 3195 to decide at what speed to “blink” the reset line (it’s connected to a LED as well): about 0.4s, 0.6s, 0.8s, 1.0s each of on/off.

There are dumps of the ROMs here, here, and here. All credits for doing these go to neviksti; thanks!

All the bits in those dumps are inverted (0 vs. 1); if you want to play along with the disassembler I’ll give a link to in a second, you’ll need to fix that; also, that third ROM is 768 bytes, which I don’t handle in my little conversion script, so you’ll need to remove the extra columns (they are empty anyway). Or enhance the script if you want to.

Okay then, here is that disassembler. Usage should be self-explanatory.

This ancient CPU looks mighty strange to modern eyes. Let me try to explain the architecture:

First, it is a 4-bit CPU. Yessir. It has an accumulator register, A, and a secondary register, X, both 4 bits. All RAM accesses are done via a single pointer register B, which is 6 bits; the CIC chip only has 32 nybbles of RAM though. There is also a carry flag, C.

Then, there is the process counter, PC. It is 10 bits, but there are only 512 bytes of ROM (except on the 3195, it has 768). The ROM is divided into banks of 128 bytes. When the CPU increments PC, it never touches the bank number.

Well, “increments”. To save chip area, they didn’t use a binary counter, but a polynomial counter; “incrementing” works by shifting the PC by one bit to the right, and setting the the top bit to 1 if and only if the bottom two bits were the same.

There are no conditional branch instructions; instead, various instructions can skip the next instruction if some condition is true (the instruction still takes time, it just doesn’t do anything). Oh, all instructions take one cycle; except for the two byte instructions, which take two cycles.

Finally, there is a four entry stack for the PC; it’s not in RAM, it is separate.

Now the instruction set:

"skip" means "do not execute next instruction"
"M" means "the RAM nybble addressed by B"
"BL" means "the low four bits of B"
"BM" means "the high two bits of B"
"PN" means "I/O port number BL"
"x.y" means "bit y of x"

00+N  adi N     "add immediate", A := A + N, skip if overflow   (00 is nop)
10+N  skai N    "skip acc immediate", skip if A = N
20+N  lbli N    "load B low immediate", BL := N
30+N  ldi N     "load immediate", A := N

40    l         "load", A := M
41    x         "exchange", swap A with M
42    xi        "exchange and increment", swap A with M, increment BL, skip if overflow
43    xd        "exchange and decrement", swap A with M, decrement BL, skip if underflow
44    nega      "negate acc", A := -A (two's complement)
46    out       "output", PN := A
47    out0      "output zero", PN := 0
48    sc        "set carry", C := 1
49    rc        "reset carry", C := 0
4a    s         "store", M := A
4c    rit       "return", pop PC from stack
4d    ritsk     "return and skip", pop PC from stack, skip
52    li        "load and increment", A := M, increment BL, skip if overflow
54    coma      "complement acc", A := ~A (ones' complement)
55    in        "input", A := PN
57    xal       "exchange acc and low", swap A with BL
5c    lxa       "load X with acc", X := A
5d    xax       "exchange X and acc", swap X with A
5e     ?        SPECIAL MYSTERY INSTRUCTION

60+N  skm N     "skip memory", skip if M.N = 1
64+N  ska N     "skip acc", skip if A.N = 1
68+N  rm N      "reset memory", M.N := 0
6c+N  sm N      "set memory", M.N := 1

70    ad        "add", A := A + M
72    adc       "add with carry", A := A + M + C
73    adcsk     "add with carry and skip", A := A + M + C, skip if overflow

74+N  lbmi N    "load B high immediate", BM := N

78+N NN  tl NNN    "transfer long", PC := NNN
7c+N NN  tml NNN   "transfer module long", push PC+2, PC := NNN
80+NN    t NN      "transfer", low bits of PC := NN

It would seem that on the 3195, the sc and rc instructions are swapped, as are the coma and nega instructions.

If you look at the code in the ROMs, you’ll notice something strange with the ldi instructions: sometimes it runs two in a row. Descriptions for similar CPUs say that if you have two or more ldi instructions in a row, all but the first are skipped. The code still doesn’t make sense then; I suspect that this CPU does this skip only if some condition that I do not know yet is true.

This architecture is quite different from what we are used to today, and so it requires quite different programs; I’ll leave it to you to discover all the intricacies yourself though, it’s more fun that way!

I put a commented disassembly of these ROMs here. Some of that is a work in progress.

I hope you all find this as fascinating as I did!

[edit: fixed op 52 "li" description]