Rants from Vas https://rants.vastheman.com Take a hit with V-Real Tue, 20 Mar 2018 11:54:25 +0000 en-US hourly 1 https://wordpress.org/?v=4.9.7 The Q Factor https://rants.vastheman.com/2018/03/20/qfactor/ https://rants.vastheman.com/2018/03/20/qfactor/#respond Tue, 20 Mar 2018 11:27:27 +0000 https://rants.vastheman.com/?p=315 QSound logo screenIf you spent much time in video game arcades ’90s, you’re sure to have seen the QSound logo proudly displayed during the attract loop of games running on Capcom’s CPS-2 and ZN-1/ZN-1 hardware platforms, and heard the distinctive jingle. But What exactly is QSound? What does it actually do? Capcom was definitely keen to promote its inclusion, but did it really give an edge in any area besides marketing? Was it worth the licensing fees they undoubtedly paid, and the precious attract loop time they spent announcing it?

As implemented in Capcom’s arcade systems, QSound technology is provided by a digital signal processor (DSP) running an internal program that implements a sixteen-channel sample player/mixer. It produces 16-bit stereo output at just over 24 kHz. It supports 16-bit samples, but Capcom only ever used it with 8-bit sample ROMs. In addition to playing and mixing the channels, it applies “spatialisation” effects, intended to give the impression of a more expansive virtual sound stage. I know what you’re thinking: everything I’ve said so far sounds like marketing material, but what do the effects actually do, and does it actually work?

The most prominent effect you’ll hear is the way the QSound DSP handles stereo panning. Conventionally, panning just reduces the volume on one channel or the other. If you pan a sound hard left, it’s sent to the left speaker at full volume and silenced on the right speaker. As you pan towards the centre, the volume on the right speaker increases until you reach the centre position where the volume is equal on left and right speakers. Panning past the centre to the right reduces the volume on the left speaker.

Rather than simply adjusting the level, the QSound produces two components for each stereo output: one sent directly to the speaker, and the other passed through a digital filter. Panning controls the volume ratio of the component sent directly to the speaker and the filtered component. For the left output, when a sound is centred, the sound is sent directly to the speaker only. As you pan to the centre, the amount sent through the filter increases until you reach the centre, where the filtered component is about 2 dB lower than the direct component. Panning further to the right continues to increase the volume of the filtered component, and reduces the volume of the component sent directly to the speaker. When panned hard, it’s sent through the filter only. For what happens with the right stereo output, just reverse the directions. The pan tables are illustrated in the graph below.

QSound pan

That’s all well and good, we know that panning controls the ratio of filtered to unfiltered output rather than just adjusting volume, but what do the filters themselves do? Let’s start by looking at the filter used for the left stereo output:

QSound right-to-left

It has a fairly flat passband up to about 1 kHz, falls to about -5 dB at 2 kHz, a small peak at 3 kHz, and falls off rapidly from 5 kHz to the stop band at 6 kHz. Can you guess what this is for yet? This filter is supposed to simulate the sound your left ear hears from a sound source to your right. Low frequencies tend to diffract around obstacles, so they don’t have much directionality, midrange frequencies pass through your head fairly effectively, and high frequencies are basically blocked by your head. This is designed to give a more realistic impression of the position of a source on the virtual sound stage than simple panning.

The filter for the right stereo output, simulating what your right ear heard from a sound source on your left, is similar but not quite the same (perhaps the asymmetry is supposed to increase the realism):

QSound left-to-right

This is not the only effect applied by the QSound DSP, it’s just the most prominently audible one. It leaves the question of whether it actually works as intended. In my opinion, it works reasonably well if used effectively, provided the speaker setup has reasonable stereo separation, and the listener is in the sweet spot – easily achievable with headphones or a home stereo, but not in a noisy arcade with poor cabinet acoustics, not so much. Maybe it would work OK with a something like a Sega Blast City cabinet, specifically designed for stereo output. Some of the other QSound effects are less dependent on stereo separation, so they work better in typical arcades.

https://rants.vastheman.com/2018/03/20/qfactor/feed/ 0
TPG FTTB Settings https://rants.vastheman.com/2018/01/24/settings/ https://rants.vastheman.com/2018/01/24/settings/#comments Wed, 24 Jan 2018 06:52:16 +0000 https://rants.vastheman.com/?p=306 In case anyone else wants to configure third-party equipment for a TPG fibre-to-the-building service, here are the details. Below the fold are screenshots of the settings entered in the web-based configuration UI of an AVM FRITZ!Box. Note that the SIP password is not the same as your account password, and you’ll need to obtain this somehow. TPG doesn’t make this easy, but it is possible.

Internet connection

Modulation: VDSL2 17a (ITU G.993.2)
VPI: 1
VCI: 32
Encapsulation: PPPoE
Authentication: PAP
Username: your TPG username optionally followed by “@tpg.com.au”
Password: doesn’t matter – it isn’t actually verified (you can use your account password)

Phone service connection

Connection type: PVC
802.1q PCP tag:
(PBit or 802.1p traffic class)
5 (VO, voice with < 10 ms latency/jitter)
VPI: 1
VCI: 32
Encapsulation: routed bridge encapsulation
IPv4 configuration: DHCP

SIP connection settings

Registrar server: uni-v1.tpg.com.au
Proxy server: uni-v1.tpg.com.au
STUN server: none (disabled)
Connection type: SIP trunk
Telephone number: your telephone number including area code (ten digits)
Username: your telephone number including area code (ten digits)
Password: your SIP password (16 characters including uppercase and lowercase letters and digits)
Voice codecs: G.711 and G.729

Internet account settings for AVM FRITZ!Box

DSL settings

Telephone line settings for AVM FRITZ!Box

Line settings

Telephone number settings for AVM FRITZ!Box

SIP settings

https://rants.vastheman.com/2018/01/24/settings/feed/ 4
TPG: Just Don’t https://rants.vastheman.com/2018/01/20/tpg/ https://rants.vastheman.com/2018/01/20/tpg/#respond Fri, 19 Jan 2018 15:38:21 +0000 https://rants.vastheman.com/?p=298 Due to persistent issues with line quality, I switched an Internet connection from Internode ADSL2+ to TPG fibre to the building (FTTB). Although the connection quality is better, just about everything else about TPG is worse. I strongly recommend avoiding TPG. Problems include:

  • Error-prone signup process
  • Supplied modem/router is heavily compromised
  • Phone service is tied to compromised modem/router
  • No IPv6 support
  • Support staff very inconsistent
  • Good support staff hobbled by policy

My Internode connection had become very slow and unstable in hot, dry weather. Strangely it was fine in the rain, and even during flooding. It almost seemed like something needed to be damp to maintain an electrical connection. There’s no way to actually get these kinds of issues resolved, as the ISP and last mile provider will blame each other and the in-building wiring, and charge extortionate rates for technicians to be called out without actually solving the issues. The only other option I have for last mile is TPG. I’d been switching to Telstra LTE on bad days, and to be fair it’s actually not too bad at the moment. It seems to be pretty fast and stable, but I imagine that will get worse as more people start to use the network. But using LTE comes with a number of imitations, and it’s supposed to be my backup, not my day-to-day Internet connection.

Sadly, it seems that Internode may be going downhill since being acquired by TPG. After iiNet acquired Internode, they were allowed to operate independently for the most part. The call centre in Adelaide remained open, Internode continued to offer the same kinds of perks as before, including Usenet servers, Steam content mirrors, native IPv6 connectivity, and more. However, TPG has consolidated iiNet and Internode support and seems to be phasing out Internode perks. They’ve even started selling TPG nbn™ HFC (DOCSIS cable) under the Internode brand name, providing the same IPv4-only connection and obfuscated SIP phone service.

With the consolidation in the Australian ISP sector, there’s a big reduction in competition. TPG has merged with or acquired Soul, AAPT, Chariot, iiNet, Internode, TransACT, WestNet, PIPE, Westnet, and more. There doesn’t seem to be a good alternative at the moment. There may be an opportunity for an upstart ISP that understands what made “premium” ISPs like Internode successful in the first place.

Sign-up process

I initially tried signing up for the service through the web site, converting an existing dial-up account I’ve had for over a decade. At the end of the process, it gave me a red error message telling me there was a problem and to call customer service. Despite this, it still charged me the setup fee, and not the correct setup fee for the options I’d chosen. Also, there’s no option to choose the delivery address for the supplied modem/router through the web interface: it will always be sent to the billing address, not the service address. This means you need to get it from the billing address to the service address if they aren’t the same.

It took multiple calls to customer service over several weeks to get the incorrect setup fee refunded and get back to where I started again. The telephone support staff seem to vary substantially. Many of them don’t seem to be interested in actually getting issues resolved, and just want to read from a script. I also had support staff promise to call back, and then never do so.

After this, I tried my luck signing up over the phone. The saleswoman insisted that I needed to create a new account, and couldn’t convert my existing dial-up account over. She assured me that my existing TPG e-mail address could be transferred to the new account without any period where mail would be lost. It’s possible to specify a delivery address for the modem/router when signing up over the phone. However, after completing the sign-up process, I was transferred to support who informed me that there was no need to sign up for a new account at all, and it seems to be impossible to transfer the existing e-mail account to the new account without a multi-day period where e-mails will be lost. The call was recorded, so it’s on record that the saleswoman promised me something that they can’t deliver. This issue still hasn’t been resolved.

Supplied modem/router

TPG supplied a Huawei HG659 modem/router. This device is rather lacking in functionality. It lacks DECT base station functionality, it can’t function as a SIP gateway for multiple IP phones, it doesn’t support incoming VPN connections, and numerous other useful features are absent. On top of this, TPG supplies the device with crippled firmware. The predefined “admin” user account is limited to changing basic settings, and it’s not possible to create an account with full access. It’s possible to access some hidden settings (including authentication, encapsulation and VLAN settings) with a JavaScript debugger attack, but trying to access other settings this way drops you back to the login page. It’s completely impossible to access bandwidth settings and telephony settings, or to back up/restore settings.

The modem/router is pre-configured and has TR-069 permanently enabled on VLAN 6. This allows TPG to push configuration or firmware updates to the device at any time. This is a huge problem for stability and security. There’s no way to control if/when updates may be pushed, allowing your connections to be interrupted at any time. A poorly considered or malicious update could cause denial of service, DNS hijacking, communication interception, or a host of other issues. Flaws in TR-069 are actively exploited by the Mirai botnet as well as other malware.

TPG’s justification for this is that it makes it easy to TPG to fix configuration problems, and they make vague claims about doing it for “security” reasons. It’s true that it makes support simpler if the ISP can push out default configuration. However it comes with a massive security risk. They should acknowledge the security risks involved, and give the customer the ability to choose between convenience and security. The real motivation seems to be an effort to hide the SIP settings to prevent customers from using other SIP clients or IP phones. I really don’t understand TPG’s obsession with preventing the customer from using a SIP client of their choice.

It’s possible to put the modem/router into firmware recovery mode by holding the reset button (with a straightened paperclip) for twenty seconds, and then to load a different firmware image. However, Huawei doesn’t seem to distribute a standard firmware image, so you’d need to use a firmware image from another ISP, with its own customisations and potential security issues. If you don’t enable TR-069 after loading a different firmware image, you won’t be able to obtain the SIP settings, so the phone service still won’t be usable. However, if you do enable TR-069, TPG will just push out their firmware image along with the configuration, and you’ll be back where you started.

In summary, it’s impossible to get the modem/router into a clean state where you can fully control it and still use TPG’s phone service. The modem/router supplied by TPG must be treated as a hostile device on your network. As the customer, you can’t prevent malicious configuration or firmware updates being applied, and you can’t verify or change the device’s configuration.

Phone service inflexibility

TPG’s SIP phone service for FTTB customers is limited and inflexible. Unlike other SIP phone services, it’s only accessible from TPG’s network. The server uses the DNS name uni-v1.tpg.com.au which resolves to three private IPv4 addresses –,, and – accessible via VLAN 6. TPG requires use of the narrowband 8 kbps G.729 voice codec, which provides poor call quality. TPG also actively works to prevent customers from using their own IP phones.

TPG refuses to supply customers with SIP connection details, only pushing them out via TR069. The SIP username and password are different from the username and password used to access e-mail and other TPG services. It seems somewhat strange and pointless to require authentication at all, since the SIP server is only accessible on a TPG connection via a specific VLAN. It would be trivial to identify the customer by the origin of the connection. It seems to be nothing more than a way to force the customer to use the compromised modem/router supplied by TPG. (TPG actually does provide SIP settings for some services on this page. The aphone1 to aphone6 servers resolve to public IP addresses, but they are only accessible from TPG connections. However, there’s nothing to indicate which customers can use these settings – it’s definitely not applicable to FTTB services.)

It was previously possible to use a JavaScript debugger attack on the supplied Huawei modem/router to back up settings, and extract the SIP settings, including the password, from the resulting file. However, new firmware made that impossible. It would be possible to buy a VDSL DSLAM, emulate the SIP server, and steal the credentials that way, but this is prohibitively expensive. It may be possible to connect to VLAN 6 with a different modem/router, use software to emulate the TR-069 client, and obtain the VoIP settings that way. It may also be possible to open the supplied modem router, solder in a serial or JTAG header, and dump the Flash filesystem. Desoldering the Flash chips and dumping the data directly is another option. All of these options are a lot of work just to be able to use a service that you pay for, without having to allow a compromised device on your network.

There’s no way to unbundle the phone service from the Internet service. So if you decide that the risk of using a compromised modem/router is too high and the workarounds are too impractical, you’re still forced to pay for a phone service you can’t use.

All this effort to prevent customers from using SIP clients other than the supplied modem/router seems rather strange. There doesn’t seem to be a technical reason for it, as the service seems to use standard protocols, and customers who’ve managed to extract the details from their modem/router haven’t had issues using other SIP clients. The lack of any plausible explanation almost seems like TPG wants to have devices they control on customers’ networks for some malicious purpose.

The decision to require G.729 seems odd as well. With ever-increasing line speeds, a 32 kbps codec like G.726 shouldn’t be a problem. In particular, G.726 would allow lossless forwarding to cordless DECT handsets. Only allowing access from TPG’s network is also artificially limiting. Packets are cheap to forward – there’s no real reason not to allow access from other networks. It can still be limited to one or two concurrent calls and/or concurrent registrations. Call quality will suffer if there’s unpredictable latency or packet loss in the path, but the customer can deal with that.

NodePhone SIP service, ironically owned by TPG, can be used from anywhere on the Internet. I’ve successfully used it from as far away as Hong Kong and Shanghai with good results. Right now I’m using a NodePhone service over my TPG FTTB connection as it’s a better option than using a compromised modem/router.

Lack of password verification

TPG requires your VDSL modem to be configured to use PAP authentication. However, the password is not verified. They assume that by being physically patched to the DSLAM port, you are authorised to use the service. This isn’t a safe assumption. In most apartment buildings, tradesmen and/or residents can easily access the main distribution frame (MDF) and change the patches. For services with the DSLAM located in a roadside cabinet or telephone exchange, there are further points along the path where a technician could unintentionally or maliciously patch the DSLAM port assigned to you to another line.

This appears to be to make support simpler. If the password is not verified, a dummy password can be used in settings pre-configured or pushed out to the customer’s modem/router via TR-069, and support staff can walk a customer through the process of setting up a modem/router without either of them having to know the password. However, it’s another security hole, and given the metadata retention laws and the aggressive behaviour of copyright holders, it’s unwise to make it in any way simpler for someone to impersonate the customer.

Lax e-mail security

TPG’s mail servers support explicit and opportunistic SSL/TLS encryption. However, as of the time of writing, TPG’s relevant support pages don’t make any mention of enabling encryption, and the step-by-step guides for Apple Mail and Android phones show settings that will result in usernames, passwords, and mail contents being transmitted in plain text.

This shows blatant disregard for customers’ security. A customer following TPG’s instructions for configuring Apple Mail or an Android phone will expose their account name and password to anyone with the ability to sniff packets between them and TPG’s mail servers. On a public WiFi network, this includes anyone in the vicinity who can use packet capture software.

No IPv6 support

TPG does not officially support IPv6 and has no timeline for IPv6 rollout. There are rumours that they’re testing IPv6 with selected customers, but there’s no way to voluntarily join the test group. IPv6 is not a new technology. RFC 2460 was published in late 1998, almost twenty years ago. Microsoft began requiring applications to work in a pure IPv6 environment (no IPv4) for logo certification beginning with Windows Vista in 2006, over ten years ago. All major operating systems and most network equipment provides IPv6 support.

TPG is really behind here. Internode (now owned by TPG) has provided dual stack IPv4/IPv6 since 2008 (ten years ago), assigning a static /56 subnet and a dynamic /64 subnet to each connection. Even Telstra, not known for being on the cutting edge, has rolled out IPv6 for NBN and ADSL customers. With iiNet, you at least have the option of using a 6rd service to provide IPv6 connectivity, although it suffers from some limitations compared to a true dual stack deployment.

Phone support

The quality of service provided by the phone support staff varies enormously. You often need to work your way through multiple people before you reach someone who seems to actually care or be interested in helping. Even then, the staff are hobbled by processes and policies, and may not be able to really do much. I’ve experienced this multiple times with the support and engineering teams. One time, the guy said something to the effect of, “Well, I understand what you’re saying, but I don’t set the policy. The call’s recorded, I’ll mark this as a complaint, hopefully someone in Sydney will actually hear it.”

There are definitely some people at TPG who seem to want to do the right thing by the customers. Ace and Joy from support, in the unlikely event that you’re reading this, I’d like you to know I think you’re great. You’ve both got back to me when you said you would, tried to understand the issues I raised, and tried to get things resolved as well as you can. It’s not your fault TPG’s policies are hostile to the customer, or some of the other people on the support team don’t seem to care.

Closing thoughts

I’ve had TPG Internet accounts for over twenty years now. Back in the dial-up days, TPG was the ISP to beat. They provided national service at competitive rates, and it just worked with no fuss. Now everything’s a nightmare. It seems TPG wants to sell to people who just use their Internet connection for Facebook and YouTube. There’s definitely a market for that, but the trouble is they’ve absorbed the ISPs who catered for people who wanted a little more, and soon there may not be any other options left. It’s sad to see the Australian ISP landscape go this way.

https://rants.vastheman.com/2018/01/20/tpg/feed/ 0
Going Old-School https://rants.vastheman.com/2017/07/08/oldschool/ https://rants.vastheman.com/2017/07/08/oldschool/#comments Fri, 07 Jul 2017 18:27:31 +0000 https://rants.vastheman.com/?p=290 For lulz, I decided to rewrite MAME’s Intel 4004 CPU core and add support for most 4040 features. The new CPU core operates at the bus cycle level, and exposes most useful signals. It also uses lots of address spaces for all the different kinds of memory and I/O it supports (thanks OG). Some CPU core bugs were fixed along the way – notably intra-page jumps on page boundaries were broken.

One nice benefit we get from this is being able to hook up the I/O for the Bally/Nutting solid-state Flicker pinball prototype (supposedly the first microprocessor-controlled pinball machine) how the hardware actually worked. I also hooked up the playfield lamp matrix as outputs and the operator adjustments as machine configuration while I was at it. We need a proper thermal model of a lamp with PWM dimming support before that part can be declared perfect. (It previously used a hack, pulling the low bits of RC out of the CPU using the state interface. This worked due to a quirk of the game program, and there was no way to implement it properly without the 4004 CM-RAM signals being exposed.)

Possibly more interestingly, we can now emulate the Intel INTELLEC® 4/MOD 40 development system. There seem to be very few surviving examples of this system, but fortunately we’ve got monitor PROM dumps, and there’s some information floating around the web. It has interesting debugging features on the front panel. There’s a scanned manual, but the schematics are very poor quality. However, with some idea of how it works, it’s possible to work out what all the chips are supposed to be. That’s the fun part. Turning it into MAME code isn’t as much fun, but it’s doable.

The front panel looks like this:

That requires clickable artwork for the switches and outputs for the LEDs to get a usable experience (writing the MAME XML layout really isn’t fun). There’s a simple monitor in PROM, designed to be used with an ASCII teleprinter with paper tape reader and punch (e.g. a Teletype Model 33 ASR). MAME’s RS-232 video terminal will have to do as a substitute for that.

If you get bleeding edge MAME (i.e. built from source no more than a day or so old), you can try it out in emulation. Did you ever wonder how developers may have debugged 4004 code in the mid to late ’70s? Well even if you didn’t, now you can find out.

The front panel looks like this in emulation (without the explanatory labels), and by default MAME shows the video terminal below this:

All those LEDs are functional, and all those switches are clickable and visually reflect their current state.

So how would you actually use it in practice? That’s where this brief instruction manual on the MAMEdev wiki comes in. It’s complete with examples of how some of the monitor commands and front panel debugging features can be used. It’s marked NOT_WORKING in MAME for now because you need to manually set up the terminal the first time you use it, and I haven’t finished implementing the universal slots and storage cards. But you can do all the things described on that page.

Does anyone care? Probably not. Will anyone actually even try this system out in MAME? Probably not (apart from Robbbbbbbert). But this is another example of something that you can only do in MAME, and how completely unrelated systems can both benefit from emulating the same chip properly. It also gets rid of one previously unavoidable hack, and gets us one step closer to feature parity with EmuAllSystems.

https://rants.vastheman.com/2017/07/08/oldschool/feed/ 1
Attacking the Weak https://rants.vastheman.com/2017/02/13/attacking/ https://rants.vastheman.com/2017/02/13/attacking/#comments Sun, 12 Feb 2017 23:37:19 +0000 https://rants.vastheman.com/?p=285 ShouTime dumped the incredibly rare game Omega (Nihon System). It’s a ball-and-paddle game running on similar hardware to Sega’s Gigas. These games use an NEC MC-8123 CPU module containing a Z80 core, decryption circuitry, and an 8 KiB encryption key in battery-backed RAM. When fetching a byte from ROM or RAM, the CPU chooses a byte from the encryption key based on twelve of the address bits and whether it’s an M1 (opcode fetch) cycle or not. This byte from the encryption key controls what permutation (if any) is applied to the byte the CPU fetches. This encryption scheme could have been brutal, requiring extensive analysis of a working CPU module to crack, if it weren’t for a fatal flaw: Sega used a simple linear congruential generator algorithm to create 8 KiB keys from 24-bit seeds. That means there are less than seventeen million encryption keys to test. Seventeen million might sound like a lot, but it’s far less than the total possible number of keys, and definitely small enough to apply a known plaintext attack in a reasonable amount of time.

So how do we go about attacking it? First we have to make an assumption about what the game program is going to be doing. Given that the hardware looks pretty similar to Gigas and Free Kick, I guessed that one of the first things the program would do is write a zero somewhere to disable the non-maskable interrupt generator disable maskable interrupts. So I wrote a program to find candidate seeds (no, I won’t show you the source code for this program – it’s embarrassingly ugly and hacky, not something I could ever be proud of):

  • Start with first possible 24-bit seed value
  • Generate 8 KiB key using algorithm known to be used by Sega
  • Decrypt first few bytes of program ROM using this key
  • If it looks like Z80 code to store zero somewhere and disable interrupts, log the seed
  • Repeat for next possible seed value until we run out of values to try

This ran in just a few minutes on an i7 notebook, and narrowed down the millions of possible seed values to just five candidates: 36DF3D, 6F45E0, 7909D0, 861226, and BE78C9 (in hexadecimal notation). Now I could have tried these in order, but it looked like Sega had made another misstep: besides using a predictable algorithm to generate the key, they also used a predictable seed value to feed this algorithm. The candidate seeds value 861226 looks like a date in year-month-day format. It turns out this seed generates the correct key to decrypt the game program, so I guess we know what someone at Sega was doing the day after Christmas in 1986.

Brian Troha hooked up the peripheral emulation, and the game will be playable in MAME 0.183 (due for release on 22 February). Colours aren’t quite right as we don’t have dumps of the palette PROMs yet, but we expect to resolve this in a future release. Thanks to ShouTime and everyone else involved in preserving this very rare piece of arcade history.

https://rants.vastheman.com/2017/02/13/attacking/feed/ 3
My PAL with the LASERs https://rants.vastheman.com/2015/12/15/lasers/ https://rants.vastheman.com/2015/12/15/lasers/#respond Tue, 15 Dec 2015 12:54:05 +0000 https://rants.vastheman.com/?p=250 Back in the distant past, MAME started cataloguing programmable logic devices (PLDs) in addition to ROMs. This was met with considerable hostility from certain segments of the community, as it was seen as forcing them to obtain files they saw as unnecessary for emulation in order to run their precious games. However PLDs are programmable devices, and it’s important to preserve them. So far though, the PLD dumps have mainly been used by PCB owners looking to repair their games. The haven’t been used by MAME for emulation. However, PLDs are key to the operation of many arcade games, performing functions like address decoding and video mixing.

One such arcade board is Zaccaria’s Laser Battle, also released under license by Midway as Lazarian. This board uses complex video circuitry that was poorly understood. It includes:

  • TTL logic for generating two symmetrical area effects, or one area effect and one point effect
  • TTL logic for for generating an 8-colour background tilemap
  • Three Signetics S2636 Programmable Video Interfaces (PVIs), drawing four 4×4 monochrome sprites each
  • TTL logic for generating a single 32×32 4-colour sprite
  • A Signetics 82S101 16×48×8 Programmable Logic Array (PLA) for mixing the video layers and mapping colours

On top of this, they decided it was a good idea to use some clever logic to divide the master clock by four when feeding the Signetics S2621 Universal Sync Generator (USG) that generates video timings, but to divide it by three to generate the pixel clock feeding the rest of the video hardware. This lets them get one third more horizontal resolution than the Signetics chips are designed to work with. They need additional logic to line up the pixel clock with the end of horizontal blanking, because the number of pixels in a line isn’t divisible by three, and some more logic for delaying the start of the visible portion of each frame and cutting it off early because they wanted less vertical resolution than the Signetics chips are designed for. It uses an GRBGRBGR colour scheme where the most significant bits are are in the middle of the byte and the missing least significant blue bit effectively always, so it can’t produce black, only a dark blue Was this design effort worth it? I guess they must’ve made some money off the Midway license at least.

Anyway, this game has never worked properly in MAME. It’s always been missing the area and point effects, the colours have always been completely wrong, and the mixing between layers hasn’t properly either. And that’s done inside the PLA. The PLA has 48 internal logic variables, each of which can be programmed to recognise an arbitrary combination of levels on the 16 input line. Each of the internal variables can drive any combination of the eight output lines. The outputs can be configured to be inverting or non-inverting.

In theory this sounds like a job for a ROM, so why use a PLA instead? Well a ROM with 16 input bits and eight output bits would need 64kB of space. Such a ROM would likely have been prohibitively expensive when this game was produced. I mean, its program ROMs are only 2kB each, so there’s no way they’d be sourcing a ROM 32 times that size just for video mixing. The PLA maps the same number of inputs to the same number of outputs with just 1,928 bit of storage, or a little less than one of the program ROMs. It can’t produce absolutely any arbitrary input to output mapping, but it’s more than enough for this application. In fact, it turns out they didn’t even need to use all the space in the PLA.

Read the rest of the post if you want to know more about the process of decoding the PLA bitstream and examining its contents.

The hookup

By examining the schematics, we can see that the PLA’s inputs are hooked up like this:

Bit Name Description
0 NAV0 Sprite bit 0
1 NAV1 Sprite bit 1
2 CLR0 Sprite colour bit 0
3 CLR1 Sprite colour bit 0
4 LUM Sprite luminance (brightness)
5 C1* Combined PVI colour bit 1 (red) gated with blanking (active low)
6 C2* Combined PVI colour bit 2 (green) gated with blanking (active low)
7 C3* Combined PVI colour bit 3 (blue) gated with blanking (active low)
8 BKR Background tilemap red
9 BKG Background tilemap green
10 BKB Background tilemap blue
11 SHELL Shell point
12 EFF1 Effect 1 area
13 EFF2 Effect 2 area
14 COLEFF0 Area effect colour bit 0
15 COLEFF1 Area effect colour bit 1

CLR0, CLR1, LUM, COLEFF1 and COLEFF2 are relatively static bits that the game program sets by writing to I/O ports. The rest of the bits are generated dynamically based on video register and RAM contents.

Streams of bits

The PLA bitstream consists of 48 sets of 40 bits for each of the internal logic variables, followed by a final eight bits specifying which of the outputs should be active low. Each internal variable has two bits controlling how it’s affected by each of the 16 inputs (32 bits total), followed by eight bits specifying which outputs it shouldn’t activate (32+8 makes for a total of 40). If a pair of input bits are both zero (00), it’s impossible for that logic variable to be activated. This is an easy way to spot unused variables, and it’s the default state in an unprogrammed chip. If only the first bit in a pair is set (10), the corresponding input line must be high in order for the variable to be activated. If only the second of the bits is set (01), the corresponding input line must be low in order for the variable to be activated. If both bits in a pair are set (11), the input may be activated irrespective of the state of the corresponding input line (often called a “don’t care” condition).

Finally, MAME expects the bitstream in a file containing a 32-bit integer specifying the total number bits, followed by the bits themselves, packed into bytes least-significant bit first. Armed with this knowledge, we can write a some code that transforms converts the bitstream to an intermediate representation and displays it as C code:

UINT8 const *bitstream = memregion("plds")->base() + 4;
UINT32 products[48];
UINT8 sums[48];
for (unsigned term = 0; 48 > term; term++)
    products[term] = 0;
    for (unsigned byte = 0; 4 > byte; byte++)
        UINT8 bits = *bitstream++;
        for (unsigned bit = 0; 4 > bit; bit++, bits >>= 2)
            products[term] >>= 1;
            if (bits & 0x01) products[term] |= 0x80000000;
            if (bits & 0x02) products[term] |= 0x00008000;
    sums[term] = ~*bitstream++;
    if (PLA_DEBUG)
        UINT32 const sensitive = ((products[term] >> 16) ^ products[term]) & 0x0000ffff;
        UINT32 const required = ~products[term] & sensitive & 0x0000ffff;
        UINT32 const inactive = ~((products[term] >> 16) | products[term]) & 0x0000ffff;
        printf("if (!0x%04x && ((x & 0x%04x) == 0x%04x)) y |= %02x; /* %u */\n", inactive, sensitive, required, sums[term]);
UINT8 const mask = *bitstream;
if (PLA_DEBUG) printf("y ^= %02x;\n", mask);


When we feed this the PLA bitstream dumped from a Lazarian board, we get the following output (blank lines added for readability:

if (!0x0000 && ((x & 0x001f) == 0x0001)) y |= 01; /* 0 */
if (!0x0000 && ((x & 0x001f) == 0x0002)) y |= 03; /* 1 */
if (!0x0000 && ((x & 0x001f) == 0x0003)) y |= 04; /* 2 */
if (!0x0000 && ((x & 0x001f) == 0x0011)) y |= 08; /* 3 */
if (!0x0000 && ((x & 0x001f) == 0x0012)) y |= 18; /* 4 */
if (!0x0000 && ((x & 0x001f) == 0x0013)) y |= 20; /* 5 */
if (!0x0000 && ((x & 0x001f) == 0x0005)) y |= 07; /* 6 */
if (!0x0000 && ((x & 0x001f) == 0x0006)) y |= 03; /* 7 */
if (!0x0000 && ((x & 0x001f) == 0x0007)) y |= 04; /* 8 */
if (!0x0000 && ((x & 0x001f) == 0x0015)) y |= 38; /* 9 */
if (!0x0000 && ((x & 0x001f) == 0x0016)) y |= 18; /* 10 */
if (!0x0000 && ((x & 0x001f) == 0x0017)) y |= 20; /* 11 */
if (!0x0000 && ((x & 0x001f) == 0x0009)) y |= 05; /* 12 */
if (!0x0000 && ((x & 0x001f) == 0x000a)) y |= 04; /* 13 */
if (!0x0000 && ((x & 0x001f) == 0x000b)) y |= 06; /* 14 */
if (!0x0000 && ((x & 0x001f) == 0x0019)) y |= 28; /* 15 */
if (!0x0000 && ((x & 0x001f) == 0x001a)) y |= 20; /* 16 */
if (!0x0000 && ((x & 0x001f) == 0x001b)) y |= 30; /* 17 */
if (!0x0000 && ((x & 0x001f) == 0x000d)) y |= 07; /* 18 */
if (!0x0000 && ((x & 0x001f) == 0x000e)) y |= 04; /* 19 */
if (!0x0000 && ((x & 0x001f) == 0x000f)) y |= 04; /* 20 */
if (!0x0000 && ((x & 0x001f) == 0x001d)) y |= 38; /* 21 */
if (!0x0000 && ((x & 0x001f) == 0x001e)) y |= 20; /* 22 */
if (!0x0000 && ((x & 0x001f) == 0x001f)) y |= 20; /* 23 */

if (!0x0000 && ((x & 0x0023) == 0x0000)) y |= 01; /* 24 */
if (!0x0000 && ((x & 0x0043) == 0x0000)) y |= 02; /* 25 */
if (!0x0000 && ((x & 0x0083) == 0x0000)) y |= 04; /* 26 */
if (!0x0000 && ((x & 0x29e3) == 0x01e0)) y |= 01; /* 27 */
if (!0x0000 && ((x & 0x2ae3) == 0x02e0)) y |= 02; /* 28 */
if (!0x0000 && ((x & 0x2ce3) == 0x04e0)) y |= 04; /* 29 */

if (!0x0000 && ((x & 0x08e3) == 0x08e0)) y |= 38; /* 30 */
if (!0x0000 && ((x & 0xffe3) == 0x10e0)) y |= 84; /* 31 */
if (!0x0000 && ((x & 0xffe3) == 0x50e0)) y |= 84; /* 32 */

if (!0x0000 && ((x & 0x0000) == 0x0000)) y |= 00; /* 33 */

if (!0x0000 && ((x & 0xffe3) == 0xd0e0)) y |= 04; /* 34 */
if (!0x0000 && ((x & 0xe0e3) == 0x20e0)) y |= 80; /* 35 */
if (!0x0000 && ((x & 0xe0e3) == 0x60e0)) y |= 40; /* 36 */
if (!0x0000 && ((x & 0xe0e3) == 0xa0e0)) y |= c0; /* 37 */
if (!0x0000 && ((x & 0xe0e3) == 0xe0e0)) y |= c0; /* 38 */
if (!0x0000 && ((x & 0xffe3) == 0x90e0)) y |= 40; /* 39 */

if (!0xffff && ((x & 0x0000) == 0x0000)) y |= ff; /* 40 */
if (!0xffff && ((x & 0x0000) == 0x0000)) y |= ff; /* 41 */
if (!0xffff && ((x & 0x0000) == 0x0000)) y |= ff; /* 42 */
if (!0xffff && ((x & 0x0000) == 0x0000)) y |= ff; /* 43 */
if (!0xffff && ((x & 0x0000) == 0x0000)) y |= ff; /* 44 */
if (!0xffff && ((x & 0x0000) == 0x0000)) y |= ff; /* 45 */
if (!0xffff && ((x & 0x0000) == 0x0000)) y |= ff; /* 46 */
if (!0xffff && ((x & 0x0000) == 0x0000)) y |= ff; /* 47 */

y ^= 00;

Fortunately this PLA seems to have been programmed manually and not using an automatic logic minimiser. Can you spot the patterns yet? The last eight terms (40–47) have been left in their virgin, unprogrammed states and hence can’t affect the output. Term 33 has been programmed to have no effect on the output, so they’ve used 81.25% of the chip. They could’ve gotten clever and added more logic if they really wanted to, but I guess with everything else they did on the board they were out of tricks by this point. But anyway, on to the equations.

Sprite mapping

The first 24 terms (0–23) only depend on the sprite-related bits, so it’s a good bet they control sprite colours. Let’s make a table of the mappings these terms produce. For convenience we’ll treat NAV0/NAV1 and CLR0/CLR1 as two-bit numbers:

NAV 1 2 3 1 2 3 1 2 3 1 2 3 1 2 3 1 2 3 1 2 3 1 2 3
CLR 0 0 0 0 0 0 1 1 1 1 1 1 2 2 2 2 2 2 3 3 3 3 3 3
LUM 0 0 0 1 1 1 0 0 0 1 1 1 0 0 0 1 1 1 0 0 0 1 1 1
01 03 04 08 18 20 07 03 04 38 18 20 05 04 06 28 20 30 07 04 04 38 20 20

Now the pattern should be really clear. Sprite pixel value 0 produce no output (making it dark or transparent), while the other three values are each mapped to colour depending on the value of CLR. Setting LUM shifts the colour left by 3 bits into the most significant bits of the colour output. This can be summarised in a table with NAV in rows and CLR in columns:

0 1 2 3
0 00/00 00/00 00/00 00/00
1 01/08 07/38 05/28 07/38
2 03/18 03/18 04/20 04/20
3 04/20 04/20 06/30 04/20

Or we could even use human-readable colour names since we know the output format is GRBGRBGR (there’s a distinct lack of green in this palette):

0 1 2 3
0 dark dark dark dark
1 red white magenta white
2 yellow yellow blue blue
3 blue blue cyan blue

So they used half the PLA to handle sprite colour mapping.

Backgrounds and PVIs

The next set of six terms look straightforward enough, let’s make a table and see what they produce (once again we’re treating NAV0/NAV1 as a two-bit number):

NAV 0 0 0 0 0 0
C1* 0 1 1 1
C2* 0 1 1 1
C3* 0 1 1 1
SHELL 0 0 0
EFF2 0 0 0
01 02 04 01 02 04

This shows that the PVIs’ outputs are mapped directly onto the low red, green and blue bits of the output (not actually the LSBs, they’re at the top of the output byte). The TTL-generated sprite has priority over both the PVI outputs and the background tilemap; additionally, the PVIs, the shot point, and area effect 2 also have priority over the background tilemap (since the OBJ/SCR lines from the PVIs are not considered, the PVIs don’t take priority with black object pixels, only with coloured pixels).


The rest of the terms relate to effects. We can look at them all at once (NAV and COLEFF are two-bit numbers):

NAV 0 0 0 0 0 0 0 0 0
C1* 1 1 1 1 1 1 1 1 1
C2* 1 1 1 1 1 1 1 1 1
C3* 1 1 1 1 1 1 1 1 1
BKR 0 0 0 0
BKG 0 0 0 0
BKB 0 0 0 0
SHELL 1 0 0 0 0
EFF1 1 1 1 1
EFF2 0 0 0 1 1 1 1 0
COLEFF 0 1 3 0 1 2 3 2
38 84 84 04 80 40 c0 c0 40

So what does this tell us? Lots of things! You might notice that the second and third columns can easily be reduced to a single term, and so could the seventh and eighth columns, clearly an oversight but not important since there’s space to spare in the PLA. More seriously, we can work out priorities from the rows:

  • Sprite and PVI output always have priority over these effects
  • Background, shell and effect 2 have priority over effect 1
  • Remember that shell and effect 2 are mutually exclusive, so there’s no priority between them

Now we can look at the output each effect actually produces:

  • The first column says the shell sets the MSBs of all three colours, making it light grey or “dark white”.
  • Effect 1 sets the background colour (depending on COLEFF) to medium blue (3), dark magenta (2), or just on the cyan side of medium blue (1 or 0).
  • Effect 2 sets the background colour (depending on COLEFF) to dark cyan (0), dark magenta (1), or dark grey (2 or 3).


So how do we get this information into MAME? Well we could take what we’ve learned and write C++ code to draw the graphics in the appropriate sequence, but that would have several disadvantages. Firstly it’s not how the real machine works — the real machine works by composoing a 16-bit value and feeding it through the PLA to get the output colour. Secondly, implementing it in C++ wouldn’t allow someone to try a different PLA dump to see what effects is has on gameplay. Thirdly, someone couldn’t develop their own PLA program to drop into MAME to play with for homebrew purposes. Instead, we use some more code to turn our intermediate representation of the PLA terms into a 64kB mapping table:

for (UINT32 inp = 0x0000; 0xffff >= inp; inp++)
    m_mixing_table[inp] = 0;
    for (unsigned term = 0; 48 > term; term++)
        if (!~(inp | (~inp << 16) | products[term]))
            m_mixing_table[inp] |= sums[term];
    m_mixing_table[inp] ^= mask;

Then we render scanlines into a 16-bit bitmap and pass it through this table to convert it to colours for MAME’s video output. (Yes, it’s possible to run the PLA equations on the bitmap data directly from the compact intermediate representation. However it’s slower as it involves several logical operations, and 64kB is a small amount of memory these days for a cached lookup table. However, CPUs are getting pretty fast, and cache miss latency keeps getting worse, so perhaps sticking with the intermediate form wouldn’t be such a bad idea.)

https://rants.vastheman.com/2015/12/15/lasers/feed/ 0
Yet another reason to hate Google’s tentacles https://rants.vastheman.com/2015/09/05/tentacles/ https://rants.vastheman.com/2015/09/05/tentacles/#comments Fri, 04 Sep 2015 15:59:45 +0000 https://rants.vastheman.com/?p=248 It’s not secret I don’t like the way the web is succumbing to JavaScript bloat and sucking in scripts from third-party sites. But I now have another reason to hate it. A few sites are blocked from China, including most Google properties such as Google search, Google APIs and YouTube (and also Tagged, incidentally). If a site that isn’t blocked from China tries to load scripts from Google APIs, for example the minified jQuery script, I have to wait for the blocked request to time out before the page will display at all, and functionality may be broken if the page actually depends on jQuery for content display or navigation. Is it really that hard to host your own scripts? Do you really need to give Google even more data on our browsing habits? One good thing about China’s policies it they make it harder for fucking Google to track us over here.

https://rants.vastheman.com/2015/09/05/tentacles/feed/ 1
Make a real argument https://rants.vastheman.com/2014/09/22/argument/ https://rants.vastheman.com/2014/09/22/argument/#comments Mon, 22 Sep 2014 01:28:02 +0000 http://rants.vastheman.com/?p=246 The newspapers just love publishing stories about prostitution, because they know it sells. Amanda Goff aka Samantha X has been giving them plenty of fuel. Of course these stories all have comments left open, and it’s only a matter of time before a certain argument comes up in one form or another. Here’s an example of it, as found in a comment on a Fairfax newspaper site:

My argument against prostitution isn’t based on religion, conservative values or prudishness, but is more to do with the fact that, in essence, prostitutes are being bribed to have sex with someone they don’t actually want to have sex with. One wants sex and the other doesn’t. Some may protest that they do want the sex, but what if no money was involved? That’s right. The sex wouldn’t happen.

This “argument” is absolutely absurd. Do the people making it really not see the glaring flaw? How about we do a simple substitution:

My argument against garbage collection isn’t based on religion, conservative values or prudishness, but is more to do with the fact that, in essence, garbage collectors are being bribed to collect garbage they don’t actually want to collect. One wants garbage collected and the other doesn’t. Some may protest that they do want to collect garbage, but what if no money was involved? That’s right. The garbage wouldn’t be collected.

You can apply it to most occupations. If no money was involved, the roads wouldn’t be maintained, the supermarket shelves wouldn’t be stacked, the garbage wouldn’t be collected, nothing would be manufactured, and society as we know it wouldn’t exist. I’m not trying to make a case for or against prostitution, I’m just completely sick of seeing this absolutely stupid argument smugly parroted over and over again.

https://rants.vastheman.com/2014/09/22/argument/feed/ 1
Faking it https://rants.vastheman.com/2014/01/11/faking/ https://rants.vastheman.com/2014/01/11/faking/#respond Sat, 11 Jan 2014 11:57:53 +0000 http://rants.vastheman.com/?p=239 Melbourne on new year’s day is a weird place. All sorts of shops, restaurants and bars are were closed. The entire Royal Arcade was closed for some reason. It’s like Melbourne still wants to believe it’s a quiet country town. Despite the crappy weather, there was plenty of foot traffic in the CBD, so a lot of the places that had the sense to stay open seemed to be doing pretty well. Fortunately the prices are high enough at Passionflower that it wasn’t overcrowded, and we could easily get a table to enjoy some very overpriced, sugar-laden dessert. The Melbourne one (Bourke St) has friendlier staff, better service and gets the nicer presentation of the food than the one at Capitol Square in Sydney — the staff there act like customers are an unwanted nuisance.

Anyway, with my parents in town, my wife and I decided to take advantage of the possibility of free babysitting and go out for dinner. There were limited options, but most of the restaurants in the Crown complex at Southbank were open, so we ended up at Nobu. It’s immediately obvious that the floor staff don’t really speak Japanese. It makes no sense to (poorly) attempt to say “irasshaimase” as you show someone to their table; you should have said that as they approached the door, or the moment they walked in. (Something like “kochira e” works when showing a person to their table.) All the staff were doing this with everyone, which kept my wife giggling. I guess they could claim to provide free entertainment. You might get even more entertainment if you get a seat in the upper bar/lounge area with a view of the riverbank. For example we saw some really weird cougar thing going on. There was this woman of east Asian appearance with a far younger guy who looked like he was part European, part Asian. She had the bag, camera and everything, and was acting like she knew she was in charge. The also seemed to have a bit of trouble walking straight. All in all, they gave off a pretty weird vibe. I really hope it was a cougar thing, because if he was a family member, they were acting downright creepy.

Anyway, the main attraction of Nobu is supposed to be food and drink. Nobu exclusively serves Hokusetsu sake, and it was pretty clear that the waiters don’t know much about sake besides the scripted lines they’ve been given to describe each choice. We got a carafe of the Onigoroshi served cold. It was fairly dry, with a bit of a harsh, unrefined flavour. You could clearly taste the rice that went into it. Probably not for everyone, but we enjoyed it. We then proceeded to order some cocktails and eat our way through the interesting-looking parts of the tapas menu. The Godzilla is a great, refreshing cocktail that you could probably keep ordering all night. The champagne mojito lacked balance: the rum hit you, but didn’t really meld well with the lime and mint, and it was like the Veuve Clicquot didn’t know what it was doing in the mix.

The disappointment of the night was definitely the jalapeño fritters with dry miso. Seriously, don’t bother with this: the batter was oily, and there wasn’t anything interesting about it. On the other hand the baked scallops with creamy wasabi shiso were absolutely superb! The bold flavours and perfect texture left both of us wanting more. The biggest surprise came with the salmon anti-cucho and teriyaki skewers. We expected teriyaki flavour, but the sauce was almost an Indian curry. It wasn’t bad, just very surprising. The black cod with miso was definitely good, as was the wagyu tartar crispy rice butter lettuce (well apart from the live aphid on the flower garnish). The Blackmore wagyu intercostal was a bit of a let-down. It didn’t taste bad, but the texture wasn’t great. I don’t think the chef got this right.

The total damage was a bit over $200, which is pretty reasonable for this kind of restaurant. Not everything on the menu is excellent, and the staff are clearly faking it, but it still makes for a good night out. Interestingly, we noticed that despite even bars like E55 being closed KT Mart (a Korean supermarket/homewares/alcohol shop) was still open as we passed it on the tram home. I guess Koreans realise the importance of being able to get stuff like bokbunja or maehwasu on any day of the year (if only I could get it as easily in Bondi Junction).

https://rants.vastheman.com/2014/01/11/faking/feed/ 0
Welcome to the madhouse https://rants.vastheman.com/2013/05/07/madhous/ https://rants.vastheman.com/2013/05/07/madhous/#respond Mon, 06 May 2013 15:33:38 +0000 http://rants.vastheman.com/?p=236 I’m having serious doubts about my ability to survive the rest of the month in Hong Kong. The infamous heat and humidity haven’t caused me problems – that doesn’t seem much worse than Sydney in summer. It doesn’t seem to rain too heavily for too long at a time, so that aspect isn’t really any worse than Melbourne. I read online that Sheung Wan smells like fish, but in reality there are just a few shops selling dried fish – not very smelly, and not the whole suburb by any means. When I arrived on a Saturday, Sheung Wan was blanketed in the smog that sometimes blows across from the mainland. People say it can be hard to tell the difference between mist and pollution, but I know the smell of coal furnace exhaust and this was it. I really wasn’t looking forward to breathing this every day. It would just about rule out any chance of getting exercise by walking to our from work, as it would mean that what’s supposed to be good for my heart would just end up being bad for my lungs. Fortunately that cleared up when a storm blew in on the following Monday afternoon and it hasn’t come back yet (fingers crossed); unfortunately it proved to be the least of my issues.

Hong Kong is a city that ticks all the boxes but falls short on the implementation every time. Let’s start with the public transport. There’s a “fast” train from the airport to the city, but it has fixed seating (not reversible), and when it enters a tunnel the pressure change feels like someone slapping you over the ears. There’s a reason high-speed trains are often pressure-sealed, and it isn’t just for fun. The Octopus smart cards are actually pretty cool: you can buy lots of things besides just transportation with them (e.g. restaurants, cafés and convenience stores usually accept it), you really do just need to briefly tap it on a reader to complete a transaction (unlike Melbourne’s myki), and there are plenty of places where you can top up. But it’s very frustrating as a foreigner with limited cash to find out that the only way to top it up with a credit card is by making an automatic top-up agreement with a card issued by a local bank. Everyone else has to top up with cash. The maximum stored value of HK$1,000 is pretty low, too.

The metro train system is mystifying. Actually finding the train is your first challenge: you’ll typically have to walk up three steps, then down a winding flight of stairs, around through some twisty passages, down some more stairs, through the ticket turnstiles, through more twisty passages and down some escalators (never just one), and finally through a long tunnel that gets you to the platform. It’s like the designers wanted to maximise the time it takes to get from the entrances to the trains in the space they had available, and the three steps up at each entrance is just perverse. There are logical contradictions, like a sign telling you to keep left combined with a fence forcing you to keep right. The turnstiles are strange, too: they consume almost as much space as an automatic gate, but you can’t get through with any luggage at all. A station will usually have one wide gate, but it won’t be next to the assistant’s office, so good luck if you need a hand with a pram or something. Getting out is just as challenging. There are plenty of exit signs, but exits are only identified with letters – providing some indication of where it comes out would clearly be too expensive. There will be a couple of signs in the station that list where all the exits go, but good luck finding them. The train services are frequent but relatively slow and rough. Trains sometimes inexplicably stop for minutes in a tunnel; you’ll get a pre-recorded apology after a few minutes of this, but never any explanation. The trains have plenty of standing room, but few handholds. Maybe you’re just supposed to hope the person you fall into doesn’t fall over, too. Like Tokyo, there are markings on the platform showing you where to queue so you’ll be near the doors but not blocking them; unlike Tokyo, no one pays attention to them. People here are even worse for blocking people attempting to exit than Melbourners.

The trams feel old and unmaintained. I have no problem with the age – the narrow double-decker trams with pickup rollers are an iconic part of the city’s character. I just have a problem with how dilapidated they feel. Some bounce longitudinally like crazy, others suffer from severe bogie hunting, some even have alarms sounding and warning lights flashing every few blocks, and all of them have peeling paint everywhere. When they occasionally derail in the rain, people get them back on the track with massive crowbars. The trams are plagued with turnstiles too, so good luck if you’re travelling with baggage or a baby. But amazingly taking the old, slow trams are often faster than taking the subway because there’s no tunnel maze to negotiate on the way in and out – you’re right on the street. (I do recommend taking at least one tram trip even if you don’t need to. It’s cheap at just HK$2.30 for an adult no matter how far you go even if you stay on at the terminus and ride back the other way, you get to see plenty of Hong Kong out the big windows, and you can open them if you want to experience the smells too. Just make sure no one falls out from the upper deck. Choose an off-peak time if you want a good chance of getting a seat. It’s also a good place to sit and spend some time blogging.)

Oh yeah, the smells. Restaurants and open-air fruit markets often smell good, but plenty of places on the street smell really bad. Like sewage, decay or excrement. People don’t even clean up after their dogs on the footpaths. The whole city is dirty, and the frequent rain isn’t enough to clean it. Healthy Street feels anything but. There are signs telling you that all kinds of things are sterilised frequently (like elevator buttons and escalator handrails), but you get the feeling that it’s more a case of doing the bare minimum to avoid epidemics in the face of how dirty everything is than putting in extra effort to make sure everything’s clean and safe.

Being a pedestrian here is hard. Often you’ll come to an intersection or other logical place for crossing a road and be faced with an anti-jaywalking fence. There’s usually no alternative way of getting across (like an over- of underpass) so you just have to choose a direction and walk out of your way until you find somewhere deemed appropriate for crossing. This can happen several times in a row, making longer journeys than you plan for. When you actually cross at an intersection, it’s hard to know when it’s safe because so many drivers don’t indicate when turning left. Some anti-jaywalking fences have gaps, but there may not be a corresponding gap in the fence on the opposite side, so that’s a trap for the unwary, too. When there actually are pedestrian overpasses, they often make very confusing shapes and even have dead end paths to catch you out. Then there are the footpaths with occasional steps in them to trip up prams and wheelchairs. Apparently an incline is a bit too hard to engineer. But all this pales in comparison to the other pedestrians. First of all, some people seem to want to keep right at all costs (like China) while others want to keep left at all costs (like England). This alone leads to much confusion and chaos. People walk slowly, and randomly stop without getting out of the way. No matter how carefully you try to squeeze around them they get offended. But they definitely have no problem with pushing you: they’ll shove you, push you and walk into you, then insult you for your trouble. If you turn to face them in a way that says, “You just messed with the wrong guy,” they’ll become apologetic, but it always sounds insincere, like they’re just trying to avoid a fist to the face. I’m beginning to think that the best way to survive it is to pretend to be a total arsehole – angry facial expression, fists, push through people, don’t stand aside, and only be considerate of children, expecting mothers, the elderly, and the disabled. Trying to be better than that will just lead to insanity.

It’s clear that moving people efficiently isn’t Hong Kong’s strength. On top of the problems getting from place to place, you run into issues inside buildings. There are double-decker lifts where the deck spacing doesn’t match the floor spacing. This achieves the goal of reducing the number of people in each lift by having separate decks for odd and even floors, but you get twice the stops because it needs to stop at different positions to service each deck. There are buildings with separate call buttons for each lift, so you have to manually decide which lift to call rather than leaving it to a computer to choose efficiently (or you can be a bastard and call all of them so they’ll come one after another). Some buildings have escalators for lower floors and lifts for upper floors with no overlap, so even if you’re on the uppermost of the lower floors, you’ll still have to get all the way to ground floor by escalator before you can get a lift to an upper floor. People won’t even form orderly queues without being forced to, so buildings with popular restaurants have security guards policing the lift queues around lunch time.

Food here can be pretty bad. Most restaurant food is extremely greasy with poor quality meat. Beef is tough with bits of gristle around the edges, and chicken is a fatty mess. You occasionally find a place where the food isn’t so greasy, but they’re the exception, and there’s little correlation between price and quality. Don’t expect your food to look like the picture if the menu’s illustrated – they sometimes go so far as to add disclaimers like “photograph is for illustration purpose only”. Don’t eat at a franchise you recognise unless you want to be disappointed when you realise that it’s nothing like it is back home, and not in a good way. All the fruit is imported, and it’s not much good. The South African Packham pears have been particularly bad. What’s even harder to find than decent food is decent customer service. Most restaurants have rude waiters who make you feel unwanted from the moment you walk in, and they try to push you out the door the moment they have your money. A Thai restaurant on Jaffe Rd in Wan Chai even forgot to supply me with chopsticks or cutlery – they just don’t care. Supermarkets aren’t any better. At the Wellcome in Sheung Wan I told the cashier that my AmEx is ICC, but she still tried to process it by swiping, then when that inevitably failed she tried again with the chip but didn’t let me enter my PIN (just hit the green button) so it failed again. It took her three attempts to get a card payment to work! Isn’t it her job to be able to accept payments? I’m lucky my card didn’t get blocked for that. She was pretty rude the whole time, too. I’ve been to the street markets in Wan Chai. The quality is often poor, the prices vary from cheap to way overpriced, and most of the vendors treat customers as a nuisance. For the most part you get a vastly inferior product for a slightly lower price. It really isn’t worth the trouble of trying to force one’s way through the crowds for such a hit-and-miss experience.

I’ve been shocked at just how rude people generally are around here. Sydney locals generally at least try to help confused people from elsewhere when asked, and baka gaijin in Tokyo will be offered help at every turn whether they need it or not. In Hong Kong in general staff treat customers as a nuisance, strangers are rude on the street, and politely asking for help is likely to get you an angry response. But this all changes if you start throwing money around. The expensive, upmarket boutiques and restaurants in Causeway Bay will all treat you very well, and some of them have pretty good food, but you’ll be paying Sydney prices or more for the privilege. You’re also a king at a club as soon as you open a bar tab. This seems to tie in pretty well with people’s favourite pastime here: conspicuous spending. People seem to want to go out and shop at the most expensive place they can afford, or bet as much as they can on the horses, or to front-load at 7-Eleven and then buy just one of the most expensive drink at a club. Heaps of people come across from the mainland to show off how much they can spend, too. Times Square shopping centre is fat more full when it’s a public holiday in China. There are exceptions to this. Tom Lee Music in Causeway Bay has great staff and great prices. One of the 7-Elevens in Sheung Wan has a top bloke at the counter. The front desk staff at 60 West have been pretty cool and helpful, even when I got back drunk and unable to speak any language other than Japanese. Trusty Congee King in Wan Chai has friendly staff are (a waitress even helped me pick up some coins I dropped on the floor), the food is decent and the prices are low (but the portions are small, but I can’t complain about wonton soup and steamed choy sum for HK$52). Kimchi Garden on Jaffe Rd in Causeway Bay is run by a lovely Korean family and has good lunch sets for low prices. But these places are definitely out of the ordinary here.

Pretence is a big part of Hong Kong culture. Parsons sells over-priced second hand pianos in poor condition to people who really only want them as room ornaments. There’s a place called “American Restaurant” in Wan Chai, but in smaller letters underneath the main name it says “Shanghai Food”. Now it may just be me, but I would’ve thought an American restaurant would sell LA food, or Boston food, or food from some other city in the Americas – Shanghai food would be served at a Chinese restaurant in my reckoning. There are faux Japanese products, like Edo potato crisps. These really deserve elaboration. I saw someone with what looked like a Pringles tube that was branded Edo and had a couple of lines of Japanese text on it. I thought this was a bit odd, as I’ve never seen this snack in Japan. Later at a convenience store I had a look at a pack. There were about two lines of Japanese text that didn’t look like the work of a native speaker and, the rest of the text was Chinese. Turning the can around revealed that it’s made in Korea by a Korean company to sell to Hong Kong people. Implying that it’s somehow Japanese makes it more appealing to certain types of people. Lots of appliances from major Japanese brands are special Chinese market versions made in obscure corners of South-East Asia, too. They have Uniqlo stores here, but they’re more expensive than they are in Tokyo because it’s passed off as a desirable Japanese fashion brand. If you actually go to Japan you’ll see that there’s nothing exclusive about Uniqlo – it’s very much fashion on a budget. (I commented on this to a Frenchwoman working here, and she said she loves to shop at Uniqlo, because even though it may be at the budget end in Japan, the quality is so much higher than the local brands here that it feels like a high-end shopping experience.) Mannings sells the Japanese versions of Pantene shampoo, even though it’s a European brand, it’s made in Thailand, and they have to stick a label with product information and ingredients in Chinese on the back. The Japanese text on the front somehow makes it sell better. There are even more people driving cars that are completely impractical in the city here than there are in Australia.

Lots of little, niggling things are wrong too. None of them would be a huge issue alone, but they all add up. Use of English is just bizarre even though it’s an official language here. There are road signs that say “get in lane”, “blasting” and other seemingly incomprehensible fragments. The warning lights on the trams say “tram break down, please alarm”. To be fair, I don’t know if the Chinese on these signs makes any more sense, so it may not be use of English per se – Hong Kong signs may just be incomprehensible in general. The tap water here is pretty bad. It isn’t bad enough to make you sick if you drink a few glasses of it in a day, but it smells bad, tastes unpleasant, makes your hair dry, and messes with your skin. This creates a huge market for distilled water: every supermarket and convenience store has a big water section. (Claiming that this is a useful increase in productivity is a case of the broken window fallacy: if the tap water were better, people could spend the money freed up on other services, people employed by the distillers would be able to do something productive, and you wouldn’t have an underclass unable to afford decent water.) Beers here taste weaker than the same brand elsewhere – I’ve noticed this with Hoegaarden and Kirin in particular. Here at 60 West there are all sorts of little problems. Washing machines tokens are cheap, but the washing machine is small – a week’s worth of my clothes fills it completely. The washing machine has a scale showing you what temperature each program selection uses, but both hot and cold inlets are connected to the cold water supply, so it’s going to be cold no matter what. The dryer’s automatic cycle dried everything except my socks. There’s nowhere in the room to hang things that can’t be tumble-dried. There are only five coat hangers in the room, which isn’t really enough if you’re planning to stay a month. There’s no wired Internet and I get occasional stuttering on Australian VoIP over WiFi in my room. I couldn’t get WiFi to work in the common room while I waited for the laundry to finish. The toilet roll holder in my bathroom is located so as to be difficult to reach. The shower has a “massaging jet” setting, but the water pressure isn’t high enough for it to feel like much of a massage. If there’s a power outlet in the bathroom for use with the hair dryer or a shaver, I can’t find it. The room’s ironing board isn’t long enough to conveniently iron trousers, and it can’t be adjusted to be high enough for me to iron without bending my back. There’s a sink for washing dishes, but no drain board or rack where you can let them dry. Don’t get me wrong, over all it’s good place to stay. The room’s clean, the housekeeping staff do a good job, the front desk staff are always friendly and helpful, the location’s good, and the price isn’t bad considering how expensive accommodation is in Hong Kong in general. It’s just that like many things in Hong Kong, there are numerous little implementation issues that become irritating when added up.

There are definitely good things about Hong Kong. It’s so small that you’re never far from anything. Bus, tram and train fares are cheap, and taxis are easy to hail and just have a minimum fare rather than a flagfall. Electronic goods and musical instruments are cheap if you go to the right places. There are places where you can get good food cheap, but you’ll have to try a lot of bad and/or overpriced food while you’re searching for them. Alcohol is a lot cheaper than Australia, and Yanjing beer is pretty good (nice malty flavour with that extra alcoholic kick from the rice in the wort). Foreign domestic helpers (DHs) rock, and they party hard on their days off (Sundays and public holidays, and they usually start heading home around seven or eight to meet their curfews, so clubs and bars are open from early afternoon). There are nice locals here, even if they’re harder to notice than the arrogant ones. I’ve written this over the course of a week or so, and in retrospect I’ll really have no trouble surviving here for however long I end up working here. Lots of people like it here – I’ve heard people say they wouldn’t want to go back to places like London or Brisbane – but it’s definitely not the place for me and I don’t think I could ever call it “home”.

https://rants.vastheman.com/2013/05/07/madhous/feed/ 0