Crash Course in Hacking Arcades via MRA (Patreon)
MRA files are now the standard way of loading ROM files into FPGA cores. Originally developed for the MiSTer platform, they have been brought to other platforms too via the command-line mra tool.
The MRA defines a list of files to be transferred to the FPGA. The order in which the files are transferred, and even the byte order inside them, can be set. But you can also alter the data inside the files before it is transferred to the FPGA, via the patch element of the MRA file.
The patch element lets you replace bytes in the final data stream, so you can alter anything in the game, from graphics to CPU code. But how do you create a patch? I'll show you with an example: let us remove the lengthy self test of Ghouls'n Ghosts.
You do need to understand a minimum of assembler to do this, but you don't need to be an expert. Just type mame ghouls -debug to get a MAME debug session. Don't get overwhelmed by the window; it is very simple: on the left you have the CPU registers, on the right the game code. You can press F10/F11 to step through the code. We need little more than that, but the MAME debugger documentation is a good reference if you want it.
Take a second to look at the code. I don't know M68000 assembler, but I can guess what it does. See all those bra (branch) instructions: the code is jumping somewhere. Note that it uses direct branches, not subroutine branches. A subroutine branch would need the stack in RAM to store the return address, and a self-test program shouldn't depend on RAM. So as long as the code uses those bra instructions one after the other, we are probably still in the self-test part of the ROM.
Scroll down and notice the last bra, at 061994. Click on it with the mouse and press F4 (go to line). Mmm, that only advanced the game by two frames (look at the left-hand side). So we need to run further. Scroll down and try 061AD4 with F4 again. OK! That took us to frame 1189, with the whole memory test done. That was lucky.
The instruction at 061AD8 is a jump to 61C54. Let us try jumping there directly, skipping the whole test. Press F3 to reset. The cursor should be at 6190A. Now type PC=61AD4 at the bottom of the MAME window. Press F5 (go) and watch... there you go, the game skipped the RAM test. But not the ROM test! We need to skip the ROM test too, or the game will detect the patch and fail to boot. Keep looking further with the same approach until we arrive at the conclusion that PC=400 is the real starting point after the self test.
Now we know what we need. But how to convert this to a patch?
You can either alter the reset start address, which some CPUs let you do, or introduce a branch at the current reset point. Let's do the first. The original reset address was 6190A. Let's look for it in the ROM data. Generate the rom file for the Ghouls'n Ghosts MRA using the mra tool. Now open the file with your favourite hex editor (even xxd on Linux is enough). Search for 6190A, but bear in mind that the byte order might be swapped. I looked for 0A19 and found it right after 0600. If you swap the byte order back you get 0006190A: bingo. Note the address of these bytes in the rom file: 44.
Now open the MRA file and write a patch to replace those bytes:
<patch offset="0x44"> 00 00 00 04</patch>
Note how we reverse the byte order of the new starting address 00000400. Save your new MRA file (with a different name) and test it. If all goes well, you will have made your first successful patch.
Patches can be used to add cheat codes too, to translate games, or to do pretty much anything!
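The whole procedure above (find the old reset address in the rom file allowing for the swapped byte order, write the patch element, apply it to the data stream, check the result), and the description of the patch element earlier in the article, put together in one added Python example. This is not code from the article or from the mra tool. It works on a constructed toy ROM image, not real game data: a zero header followed by a word-swapped 68000 vector table, with the header size assumed to be 0x40 bytes so the reset vector lands at file offset 0x44 as in the article. All function names are mine.

```python
import xml.etree.ElementTree as ET

# Assumed header size for the toy image: the article finds the 68000 reset
# vector (CPU address 4) at file offset 0x44, so 0x40 bytes precede the program.
HEADER_LEN = 0x40


def swap16(data: bytes) -> bytes:
    """Swap the two bytes of every 16-bit word; the 68000 program bytes sit
    in the .rom file in this swapped order (the article's "0A19 after 0600")."""
    if len(data) % 2:
        raise ValueError("word-swapped data must have an even length")
    out = bytearray(data)
    out[0::2], out[1::2] = data[1::2], data[0::2]
    return bytes(out)


def build_sample_rom(reset_pc: int) -> bytes:
    """Constructed toy ROM image (not real game data): a zero header followed
    by a word-swapped 68000 vector table (initial SP, then initial PC) and filler."""
    vectors = (0x00FF0000).to_bytes(4, "big") + reset_pc.to_bytes(4, "big")
    filler = bytes(range(256)) * 2
    return bytes(HEADER_LEN) + swap16(vectors + filler)


def find_longword(rom: bytes, value: int) -> list:
    """File offsets where the 32-bit big-endian value appears, either as-is or
    with its 16-bit words byte-swapped, so both byte orders are covered."""
    plain = value.to_bytes(4, "big")
    hits = set()
    for needle in (plain, swap16(plain)):
        pos = rom.find(needle)
        while pos != -1:
            hits.add(pos)
            pos = rom.find(needle, pos + 1)
    return sorted(hits)


def patch_element(offset: int, value: int) -> str:
    """Render a new 32-bit address as an MRA <patch>, word-swapped so the
    bytes match the file's order (00000400 becomes '00 00 00 04')."""
    swapped = swap16(value.to_bytes(4, "big"))
    hex_bytes = " ".join(f"{b:02X}" for b in swapped)
    return f'<patch offset="0x{offset:X}">{hex_bytes}</patch>'


def apply_patches(rom: bytes, mra_xml: str) -> bytes:
    """Apply every <patch offset="..."> element of an MRA document to a copy of
    the ROM image. int(x, 0) accepts both 0x44 and 68; fromhex skips whitespace."""
    out = bytearray(rom)
    for p in ET.fromstring(mra_xml).iter("patch"):
        off = int(p.get("offset"), 0)
        data = bytes.fromhex(p.text or "")
        if off + len(data) > len(out):
            raise ValueError(f"patch at 0x{off:X} runs past the end of the ROM")
        out[off:off + len(data)] = data
    return bytes(out)


def read_reset_vector(rom: bytes, file_offset: int) -> int:
    """Undo the word swap and read the longword back as the CPU would see it."""
    return int.from_bytes(swap16(rom[file_offset:file_offset + 4]), "big")


def skip_self_test(rom: bytes, old_pc: int, new_pc: int):
    """The whole procedure: locate the reset vector, emit the patch, apply it,
    and confirm the CPU would now start at new_pc. Refuses ambiguous matches."""
    hits = find_longword(rom, old_pc)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match for 0x{old_pc:X}, found {hits}")
    elem = patch_element(hits[0], new_pc)
    patched = apply_patches(rom, f"<mra><rom index='0'>{elem}</rom></mra>")
    if read_reset_vector(patched, hits[0]) != new_pc:
        raise RuntimeError("patched reset vector does not read back as expected")
    return elem, patched


if __name__ == "__main__":
    sample = build_sample_rom(0x6190A)
    element, _ = skip_self_test(sample, 0x6190A, 0x400)
    print(element)  # <patch offset="0x44">00 00 00 04</patch>
```

Two points worth keeping in mind when doing this by hand: the offset in the patch counts from the start of the final data stream, so any header bytes the MRA puts in front of the program count too, and a search that finds the address more than once is ambiguous and needs checking in the debugger before you patch anything.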
I hope you enjoyed this article and please share your patch creations with the community.