Breaking Eggs And Making Omelettes

Topics On Multimedia Technology and Reverse Engineering


Archives:

The 11th Hour RoQ Variation

April 11th, 2012 by Multimedia Mike

I have been looking at the RoQ file format almost as long as I have been doing practical multimedia hacking. However, I have never figured out how the RoQ format works on The 11th Hour, which was the game for which the RoQ format was initially developed. When I procured the game years ago, I remember finding what appeared to be RoQ files and shoving them through the open source decoders but not getting the right images out.

I decided to dust off that old copy of The 11th Hour and have another go at it.



Baseline
The game consists of 4 CD-ROMs. Each disc has a media/ directory that has a series of files bearing the extension .gjd, likely the initials of one Graeme J. Devine. These are resource files which are merely headerless concatenations of other files. Thus, at first glance, one file might appear to be a single RoQ file. So that’s the source of some of the difficulty: Sending an apparent RoQ .gjd file through a RoQ player will often cause the program to complain when it encounters the header of another RoQ file.

I have uploaded some samples to the usual place.

However, even the frames that a player can decode (before encountering a file boundary within the resource file) look wrong.

Investigating Codebooks Using dreamroq
I wrote dreamroq last year– an independent RoQ playback library targeted towards embedded systems. I aimed it at a gjd file and quickly hit a codebook error.

RoQ is a vector quantizer video codec that maintains a codebook of 256 2×2 pixel vectors. In the Quake III and later RoQ files, these are transported using a YUV 4:2:0 colorspace– 4 Y samples, a U sample, and a V sample to represent 4 pixels. This totals 6 bytes per vector. A RoQ codebook chunk contains a field that indicates the number of 2×2 vectors as well as the number of 4×4 vectors. The latter vectors are each comprised of 4 2×2 vectors.

Thus, the total size of a codebook chunk ought to be (# of 2×2 vectors) * 6 + (# of 4×4 vectors) * 4.

However, this is not the case with The 11th Hour RoQ files.

Longer Codebooks And Mystery Colorspace
Juggling the numbers for a few of the codebook chunks, I empirically determined that the 2×2 vectors are represented by 10 bytes instead of 6. Now I need to determine what exactly these 10 bytes represent.

I should note that I suspect that everything else about these files lines up with successive generations of the format. For example if a file has 640×320 resolution, that amounts to 40×20 macroblocks. dreamroq iterates through 40×20 8×8 blocks and precisely exhausts the VQ bitstream. So that all looks valid. I’m just puzzled on the codebook format.

Here is an example codebook dump:

ID 0x1002, len = 0x0000014C, args = 0x1C0D
  0: 00 00 00 00 00 00 00 00 80 80
  1: 08 07 00 00 1F 5B 00 00 7E 81
  2: 00 00 15 0F 00 00 40 3B 7F 84
  3: 00 00 00 00 3A 5F 18 13 7E 84
  4: 00 00 00 00 3B 63 1B 17 7E 85
  5: 18 13 00 00 3C 63 00 00 7E 88
  6: 00 00 00 00 00 00 59 3B 7F 81
  7: 00 00 56 23 00 00 61 2B 80 80
  8: 00 00 2F 13 00 00 79 63 81 83
  9: 00 00 00 00 5E 3F AC 9B 7E 81
  10: 1B 17 00 00 B6 EF 77 AB 7E 85
  11: 2E 43 00 00 C1 F7 75 AF 7D 88
  12: 6A AB 28 5F B6 B3 8C B3 80 8A
  13: 86 BF 0A 03 D5 FF 3A 5F 7C 8C
  14: 00 00 9E 6B AB 97 F5 EF 7F 80
  15: 86 73 C8 CB B6 B7 B7 B7 85 8B
  16: 31 17 84 6B E7 EF FF FF 7E 81
  17: 79 AF 3B 5F FC FF E2 FF 7D 87
  18: DC FF AE EF B3 B3 B8 B3 85 8B
  19: EF FF F5 FF BA B7 B6 B7 88 8B
  20: F8 FF F7 FF B3 B7 B7 B7 88 8B
  21: FB FF FB FF B8 B3 B4 B3 85 88
  22: F7 FF F7 FF B7 B7 B9 B7 87 8B
  23: FD FF FE FF B9 B7 BB B7 85 8A
  24: E4 FF B7 EF FF FF FF FF 7F 83
  25: FF FF AC EB FF FF FC FF 7F 83
  26: CC C7 F7 FF FF FF FF FF 7F 81
  27: FF FF FE FF FF FF FF FF 80 80

Note that 0x14C (the chunk size) = 332, 0x1C and 0x0D (the chunk arguments — count of 2×2 and 4×4 vectors, respectively) are 28 and 13. 28 * 10 + 13 * 4 = 332, so the numbers check out.

Do you see any patterns in the codebook? Here are some things I tried:

  • Treating the last 2 bytes as U & V and treating the first 4 as the 4 Y samples:


  • Treating the last 2 bytes as U & V and treating the first 8 as 4 16-bit little-endian Y samples:


  • Disregarding the final 2 bytes and treating the first 8 bytes as 4 RGB565 pixels (both little- and big-endian, respectively, shown here):


  • Based on the type of data I’m seeing in these movies (which appears to be intended as overlays), I figured that some of these bits might indicate transparency; here is 15-bit big-endian RGB which disregards the top bit of each pixel:


These images are taken from the uploaded sample bdpuz.gjd, apparently a component of the puzzle represented in this screenshot.

Unseen Types
It has long been rumored that early RoQ files could contain JPEG images. I finally found one such specimen. One of the files bundled early in the uploaded fhpuz.gjd sample contains a JPEG frame. It’s a standard JFIF file and can easily be decoded after separating the bytes from the resource using ‘dd’. JPEGs serve as intraframes in the coding scheme, with successive RoQ frames moving objects on top.

However, a new chunk type showed up as well, one identified by 0×1030. I have never encountered this type. Where could I possibly find data about this? Fortunately, iD Games recently posted all of their open sourced games at Github. Reading through the code for their official RoQ decoder, I see that this is called a RoQ_PACKET. The name and the code behind it are both supremely unhelpful. The code is basically a no-op. The payloads of the various RoQ_PACKETs from one sample are observed to be either 8784, 14752, or 14760 bytes in length. It’s very likely that this serves the same purpose as the JPEG intraframes.

Other Tidbits
I read through the readme.txt on the first game disc and found this nugget:

        g)      Animations displayed normally or in SPOOKY MODE

                SPOOKY MODE is blue-tinted grayscale with color cursors, puzzle
                and game pieces.  It is the preferred display setting of the
                developers at Trilobyte.  Just for fun, try out the SPOOKY
                MODE.

The MobyGames screenshot page has a number of screenshots labeled as being captured in spooky mode. Color tricks?

Meanwhile, another twist arose as I kept tweaking dreamroq to deal with more RoQ weirdness: After modifying my dreamroq code to handle these 10-byte vectors, it eventually chokes on another codebook. These codebooks happen to have 6-byte vectors again! Fortunately, I was already working on a scheme to automatically detect which codebook is in play (plugging the numbers into a formula and seeing which vector size checks out).

Posted in Game Hacking | 5 Comments »

5 Responses

  1. Vitor Says:

    Did you have a look at the scummvm RoQ decoder: https://github.com/scummvm/scummvm/blob/master/engines/groovie/roq.cpp ?

  2. clone2727 Says:

    You’re missing the alpha parameter part of the video info chunk.

  3. Mr_Alert Says:

    Perhaps try treating the 10-byte vectors as 4 Y/A samples and the last two bytes as U/V.

  4. Multimedia Mike Says:

    @Vitor, @clone2727, @Mr_Alert: Thanks for the tips! I didn’t realize that ScummVM had this format sorted out. And I didn’t consider that the format would be using a full byte for alpha.

    As for the mystery 0×1030 chunk, the ScummVM code thinks it’s some sort of audio data (labeling it as “audio container”), but does not process it in any way.

    Also, the fact that the codebooks carry alpha information appears to be encoded in the header, obviating the need to do any extra math to determine this.

  5. ST Says:

    Regarding the 0×1030 chunk… from memory the chunk arg happens to correspond to the number of following audio chunks (or something similar – it’s been a while since I looked into its purpose).