Open Bus-Based Emulator Detection -- Draft

1.     di
2.     ld a, [rIE]
3.     push af
4.    
5.     ld a, $08 ; Enable Mode 0
6.     ld [rSTAT], a
7.     ld a, $02
8.     ld [rIE], a ; Enable STAT int
9.    
10.     ld c, LOW(rHDMA1)
11.     ld a, $E0
12.     ld [c], a
13.     inc c
14.     ld [c], a ; From $E0E0 (uh oh, Nintendo says not to do that)
15.     inc c
16.     ld a, $88
17.     ld [c], a
18.     inc c
19.     xor a
20.     ld [c], a ; To $8800 (really anything is fine)
21.     inc c ; Leave C pointing to HDMA length
22.    
23.     xor a ; We need IF = 0 when HALT is hit
24.     ld [rIF], a
25.     ; There's a 1-cycle flaw here, but I dunno how to do better...
26.     halt
27.     ; Alright, we're perfectly synced with the PPU, and in Mode 0. What could go wrong, Mr. Emulator ?
28.    
29.     ; Normally, this should copy only one tile, but apparently this copies an extra one if started during HBlank
30.     ; Thus, moar evulz edge-case behavior >:D
31.     ld a, $80
32.     ld [c], a
33.     ; Insert appropriate delay (TODO : figure it out exactly, yummy cycle counting)
34.     ld hl, $FF75 ; Only bits 4-6 are writable
35.     ld [hl], $30 ; Now, $FF75 = $30 | $8F = $BF
36.     inc [hl] ; Puts $C0 on the data bus, and $C0 | $8F = $CF in $FF75
37.     ; Assume HDMA triggers here
38.    
39.     ; Check what was copied
40.     ld hl, $8800
41.     ld de, EmuDetectionPattern
42.     ld c, 16 * 2
43. .compare
44.     ld a, [de]
45.     inc de
46.     cp [hl]
47.     jr nz, .fail
48.     inc hl
49.     dec c
50.     jr nz, .compare
51.    
52.     ld b, SUCCESS
53.     db $11
54. .fail
55.     ld b, FAILURE
56.    
57.     ; Restore state
58.     pop af
59.     ld [rIE], a
60.     xor a
61.     ld [rIF], a
62.     ei