GameBoy Advance BIOS Logo Check

Yes, it checks every byte


Some homebrew developers and publishers are interested in bypassing the logo protection used on the GBA, for obvious legal reasons [the logo data is Nintendo's copyright, so including it on a cartridge arguably requires their permission, although this is debatable].

One company offered $200 for a software or hardware "crack".

Using my homebrew GBA Link Cable I dumped the BIOS ROM using a method due to Jeff Frohwein, which is to call a small piece of known BIOS code at address &0468:

    0468    LDMIA   R13!,{R4}           ;; load the word at [R13] into R4, then R13 += 4
    046C    BX      R14                 ;; return to the caller

This indirection is required since the BIOS ROM can only be read while PC also points into the BIOS. Because the fragment loads from the address held in R13, pointing R13 at the BIOS word of interest and calling the fragment returns that word in R4, one word per call.

It had been determined already that the Nintendo logo data was in the BIOS at &3290, so the challenge was to find the logo check code.

It turns out that this code is at &06E8. It is reproduced here with annotations:

    06E8    STMFD   R13!,{R4-R6,R14}    ;; on entry R0 -> logo in cartridge header (e.g. &08000004)
    06EA    LDR     R1,&0AC4            ;; &0AC4 holds &3290, the BIOS copy of the logo
    06EC    MOVS    R6,#&00             ;; R6 = byte index into the logo
    06EE    MOVS    R4,#&FF             ;; check all bits by default
    06F0    CMP     R6,#&98             ;; +98 (header byte &9C): only check bits &7B
    06F2    BNE     &06F6
    06F4    MOVS    R4,#&7B
    06F6    CMP     R6,#&9A             ;; +9A (header byte &9E): only check bits &FC
    06F8    BNE     &06FC
    06FA    MOVS    R4,#&FC
    06FC    CMP     R6,#&9C             ;; +9C: all 156 logo bytes done, skip to &070E
    06FE    BGE     &070E
    0700    LDRB    R2,[R0,R6]          ;; load byte from header
    0702    LDRB    R3,[R1,R6]          ;; load byte from BIOS
    0704    ANDS    R2,R2,R4            ;; mask the ROM byte according
    0706    ADDS    R6,R6,#1            ;; to the above masks (BIOS byte is not masked)
    0708    CMP     R2,R3
    070A    BEQ     &06EE               ;; loop
    070C    B       &0722               ;; WRONG - return fail
    ;; comes here if all &9C bytes of the logo check out OK
    070E    MOVS    R4,#&19             ;; load &19
    0710    LDRB    R2,[R0,R6]          ;; load byte from ROM
    0712    ADDS    R4,R4,R2            ;; add to R4
    0714    ADDS    R6,R6,#1
    0716    CMP     R6,#&BA
    0718    BLT     &0710               ;; loop over 30 bytes (header &A0..&BD)
    071A    MOVS    R0,R4,LSL #24       ;; keep only the low byte of the sum
    071C    BNE     &0722               ;; if sum is not zero, fail
    071E    MOVS    R0,#&00
    0720    B       &0724               ;; success
    0722    MOVS    R0,#&01
    0724    LDMFD   R13!,{R4-R6,PC}     ;; return with R0 = 0 (OK) or 1 (fail)

The conclusion is that the BIOS code checks every byte of the logo, so there is no way to substitute different data for it. The only freedom the check allows is the four masked bits (bits 2 and 7 of header byte &9C and bits 0 and 1 of header byte &9E); every other bit of the 156 logo bytes must match the BIOS copy exactly, and the complement byte at &BD must still make &19 plus header bytes &A0..&BD sum to zero modulo 256, or the routine returns 1.
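To make the routine's behaviour concrete, the following is an added C reimplementation of the check above. It is not code from this page, from the BIOS or from Jeff Frohwein. In place of the BIOS logo table at &3290 it uses a constructed filler table (the real logo bytes are not reproduced), the header it checks is constructed too, and the helper names (make_dummy_bios_logo, bios_logo_check, compute_complement, check_tweaked_header) are hypothetical. It goes slightly beyond the listing by also computing the complement byte a header needs, which shows that the byte sum over &A0..&BD is the only constraint on that region while every unmasked logo bit is fixed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEADER_LEN 0xC0   /* cartridge header: ROM bytes &00..&BF */
#define LOGO_LEN   0x9C   /* logo: header bytes &04..&9F, 156 bytes */

/* Constructed stand-in for the BIOS logo table at &3290 (NOT Nintendo's
 * logo, just filler so the example runs). The BIOS masks only the ROM
 * side of the comparison, so its own copy must have the masked bits
 * (bits 2,7 at +&98 and bits 0,1 at +&9A) clear or the check could never pass. */
void make_dummy_bios_logo(uint8_t logo[LOGO_LEN])
{
    for (unsigned i = 0; i < LOGO_LEN; i++)
        logo[i] = (uint8_t)(i * 37u + 11u);
    logo[0x98] &= 0x7B;
    logo[0x9A] &= 0xFC;
}

/* &06E8..&070C: compare the 156 logo bytes, masking two ROM-side bytes. */
static int logo_matches(const uint8_t *rom_logo, const uint8_t *bios_logo)
{
    for (unsigned i = 0; i < LOGO_LEN; i++) {
        uint8_t mask = 0xFF;                 /* MOVS R4,#&FF */
        if (i == 0x98) mask = 0x7B;          /* ignore bits 2 and 7 of header byte &9C */
        if (i == 0x9A) mask = 0xFC;          /* ignore bits 0 and 1 of header byte &9E */
        if ((rom_logo[i] & mask) != bios_logo[i])
            return 0;
    }
    return 1;
}

/* &070E..&071C: &19 plus header bytes &A0..&BD must sum to zero modulo 256. */
static int complement_ok(const uint8_t *header)
{
    uint8_t sum = 0x19;
    for (unsigned off = 0xA0; off < 0xBE; off++)
        sum += header[off];
    return sum == 0;
}

/* Returns 0 on success and 1 on failure, as the BIOS routine returns in R0. */
int bios_logo_check(const uint8_t *header, const uint8_t *bios_logo)
{
    if (!logo_matches(header + 4, bios_logo))
        return 1;
    return complement_ok(header) ? 0 : 1;
}

/* Value header byte &BD must hold so that complement_ok() succeeds. */
uint8_t compute_complement(const uint8_t *header)
{
    uint8_t sum = 0x19;
    for (unsigned off = 0xA0; off < 0xBD; off++)
        sum += header[off];
    return (uint8_t)(0u - sum);
}

/* Constructed header: filler logo at +4, filler title/code bytes, valid complement. */
void make_test_header(uint8_t header[HEADER_LEN], const uint8_t bios_logo[LOGO_LEN])
{
    memset(header, 0, HEADER_LEN);
    memcpy(header + 4, bios_logo, LOGO_LEN);
    memcpy(header + 0xA0, "DUMMYTITLE", 10);   /* constructed title bytes */
    memcpy(header + 0xAC, "ABCD", 4);          /* constructed game code */
    header[0xBD] = compute_complement(header);
}

/* Builds a valid header, XORs one byte with xor_val, optionally recomputes
 * the complement, and returns the BIOS verdict (0 = pass, 1 = fail). */
int check_tweaked_header(unsigned offset, uint8_t xor_val, int fix_complement)
{
    uint8_t logo[LOGO_LEN], header[HEADER_LEN];
    make_dummy_bios_logo(logo);
    make_test_header(header, logo);
    header[offset] ^= xor_val;
    if (fix_complement)
        header[0xBD] = compute_complement(header);
    return bios_logo_check(header, logo);
}

int main(void)
{
    struct { const char *what; unsigned off; uint8_t x; int fix; } cases[] = {
        { "untouched header",                 0x00, 0x00, 0 },
        { "debug bits 2,7 set at &9C",        0x9C, 0x84, 0 },
        { "key bits 0,1 set at &9E",          0x9E, 0x03, 0 },
        { "bit 0 flipped at &9C (checked)",   0x9C, 0x01, 0 },
        { "one logo byte changed at &50",     0x50, 0x01, 0 },
        { "title changed, complement stale",  0xA0, 0xFF, 0 },
        { "title changed, complement fixed",  0xA0, 0xFF, 1 },
        { "complement byte corrupted",        0xBD, 0x01, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s -> %s\n", cases[i].what,
               check_tweaked_header(cases[i].off, cases[i].x, cases[i].fix) ? "FAIL" : "pass");
    return 0;
}
```

Running it shows that only the four masked bits can be set without failing the logo compare, that any other change to the 156 logo bytes fails, and that a change to the title region passes again once &BD is recomputed, because that region is constrained only by the byte sum. Note that the BIOS-side byte is compared unmasked, which is why the filler table clears the masked bits in its own copy; a real BIOS table must have them clear for the same reason.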
