Wow, really? I've been using BGB logic to lock everything; I will analyze it a little and fix it.
I wonder how the anti-emulator protection works for "Airaki" with this logic, since it's supposed to do a DMA and then jump to bank 0. This changes everything.
Thanks for your time and your awesome tests; I will test the next one =D
I should answer that. Airaki doesn't actually have emulator detection originally. I added that in the dump I offer for download, for trolling purposes. (Look at the page background from a shallow angle and you might see an easter egg.) IIRC, my check is more advanced than Furrtek's original check in Super Connard, since it jumps to inaccessible memory instead of just reading it and confirming the value.
The protection works by initiating an OAM DMA from $3Fxx and then loading the data at address $3270. If it matches the actual value at that address, $CD, the test is marked as a failure.
If the value isn't $CD, a call to $3E04 is done. Now, one of two things can happen.
If bus conflicts are emulated accurately, the CPU will read a bunch of $00 bytes from the OAM data stream. (You could do something more interesting here to enforce absolute correctness of timings if you wanted.) Eventually it will reach a ret instruction at $3FFF and return to HRAM and do... some fun stuff meant to give people disassembling the code a headache (but that's outside the scope of this post) and eventually it will return with a success.
If you do sloppy emulation and just return $FF for memory that is inaccessible due to DMA, the call to $3E04 will read $FF, the instruction rst $38 (a shorthand for call $0038). $0038 in turn will then also read $FF and will call itself recursively for the duration of the DMA. It will eventually run the ld [bc],a when the memory becomes accessible, which should be harmless, then run the ret at $0039, which winds down the stack from the recursive call. Eventually, the CPU returns to $3E05 and takes the same path to the ret at $3FFF and returns a success of the test.
The other check is based on writing to DIV ($FF04) which resets the master divider which is used for various stuff. The test is done by triggering a note on sound channel 1 with a length set. DIV causes the length counter to not expire, which is checked with the NR52 "on" bit for channel 1. Just like the DMA test, this is a low granularity test which doesn't test exact timings, but rather the general presence or non-presence of the quirk in question.
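As an added illustration of the DMA check described above (constructed model, not code from the thread or from the Airaki dump): a toy bus with a 160-cycle OAM DMA and a CPU that knows only the opcodes the check can meet, run under the three read policies an emulator might implement. The ROM layout, the one-tick-per-fetch timing and the "call from HRAM" starting state are assumptions for the model.

```python
# Constructed model (not the thread's code) of the OAM DMA bus-conflict check.
# Assumptions: one bus tick per instruction fetch (real rst/call/ret take
# longer), a 160-byte DMA from $3F00, and a ROM holding only the bytes the
# post names ($CD at $3270, ld [bc],a / ret at $0038-$0039, ret at $3FFF);
# everything else is $00 (nop). HRAM ($FF80 and up) stays readable during DMA.
DMA_CYCLES, HRAM = 160, 0xFF80

def make_rom():
    rom = bytearray(0x10000)
    rom[0x3270] = 0xCD   # the value the check compares against
    rom[0x0038] = 0x02   # ld [bc],a: harmless once the bus is free again
    rom[0x0039] = 0xC9   # ret: unwinds the recursive rst $38 calls
    rom[0x3FFF] = 0xC9   # ret back to HRAM, i.e. the test passes
    return rom

class Bus:
    """policy: 'accurate' returns the byte DMA is currently moving,
    'sloppy' returns $FF for blocked memory, 'none' never blocks the bus."""
    def __init__(self, policy):
        self.rom, self.policy, self.dma = make_rom(), policy, None
    def start_dma(self, page):
        self.src, self.dma = page << 8, 0
    def tick(self):
        if self.dma is not None:
            self.dma = None if self.dma + 1 >= DMA_CYCLES else self.dma + 1
    def read(self, addr):
        if self.dma is not None and addr < HRAM and self.policy != "none":
            return self.rom[self.src + self.dma] if self.policy == "accurate" else 0xFF
        return self.rom[addr]

def run_check(policy, limit=100_000):
    """Returns (verdict, deepest call stack seen). Only nop, ld [bc],a,
    rst $38 and ret are modelled; anything else ends the run."""
    bus = Bus(policy)
    bus.start_dma(0x3F)
    if bus.read(0x3270) == 0xCD:          # bus readable during DMA: emulator caught
        return "fail", 0
    stack, depth, pc = [HRAM], 1, 0x3E04  # as if code in HRAM just did call $3E04
    for _ in range(limit):
        op = bus.read(pc); pc += 1; bus.tick()
        if op == 0xFF:                    # rst $38: push return address, jump
            stack.append(pc); pc = 0x0038; depth = max(depth, len(stack))
        elif op == 0xC9:                  # ret
            pc = stack.pop()
            if pc == HRAM:
                return "pass", depth
        elif op not in (0x00, 0x02):      # nop / ld [bc],a do nothing here
            return "unexpected opcode %02X" % op, depth
    return "hang", depth
```

The 'accurate' policy passes without ever leaving the DMA stream of nops, the 'sloppy' policy passes only after 160 levels of recursive rst $38 calls are unwound by the ret at $0039, and the 'none' policy is caught by the $3270 read.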