For quite a while now I wanted to look into a method of dumping gameboy carts without needing any special device for it, just a plain old gameboy. I pretty much had that idea since I wrote my gameboy advance link cable dumper:
https://github.com/FIX94/gba-link-cable-dumper
That project takes the gamecube link cable and a gameboy advance/gameboy advance sp and allows you to dump carts directly to a gamecube or wii sd card.
The issue with that is, it does not work with gameboy carts. Why? Because it uses a different processor and operating voltage, when you plug in a gameboy cart into a gameboy advance it actually presses down on a physical switch inside the slot on the left, that switches the CPU core from the ARM based gba one to the gameboy CPU and also changes the operating voltage from 3.3 volts to 5 volts. In that gameboy mode, you cannot use the link cable anymore.
So, what can you do now? Well my idea was to use a game exploit to execute my own code in a gameboy and then go from there. I dont really know how many exploits there are exactly but I did know that pokemon was very, very glitchy and I just so happen to have a german copy of pokemon yellow.
Now, any of those glitches that allow code execution require quite a bit of setup and are pretty time consuming, but this particular video gave me hope that maybe, just maybe this idea may work.
Back when that video came out though I really did not have any idea on how to perform any of those crazy glitches myself so I just left it at that for now, an idea.
This year, gameboy interface, a homebrew software for the gamecube gameboy player, got an update that allows playback of any set of inputs you give it via a text file, and there was even a TAS of pokemon yellow that was made in an emulator and then verified on console using this method:
http://tasvideos.org/6023S.html
and the person who made it, TiKevin83, even included his script to convert inputs from emulator over to gameboy interface! This led me to grab the latest version of BizHawk, the emulator that script was made for, and started making some test inputs in its integrated tool TAStudio, which basically lets you set every input pressed per frame.
So I just made a quick test up to fighting your rival in the beginning and then exported it and tested it on my actual cart:
If you want to see it you have to put this below into your browser and remove the space from it, gbatemp seems to try and auto convert this to a broken stream page every time:
twitch.tv/ videos/311669270
And that most certainly worked just fine!
So now that I saw that yes, this may just be possible now, I had to get to a point where I can execute some code from, so I looked at the current pokemon speedruns as those use lots of these glitches in a very short time so it should be ideal for my plan. That led me to this particular route:
https://www.speedrun.com/pkmnyellow/guide/o5q3p
Now I started implementing this route slowly in an emulator, and some points I did not really understand or they were a bit different in the current speedruns and those differences were not mentioned in that route, so I improvised a LOT, walking in strange ways to manipulate the memory just right in one particular house for example, moving the sprites in the required places.
Also in the end it said something about dropping a specific amount of a glitch item and for some reason I had to drop less, I assume that has something to do with me doing this on a german cart but honestly I dont quite know considering how messy this was. All that said though, it DID end up working and I was able to scroll past the normal item menu into game memory, and to demonstrate I can manipulate memory I should not be able to manipulate I warped to the end of the game! Of course this was all still done in an emulator so it was time to again let that script convert it to inputs for gameboy interface and give it a shot on console:
Again if you want to see that put it into your browser and remove the space:
twitch.tv/ videos/309563869
Again everything worked out perfectly fine!
Now that I had a consistent method of getting to a point in the game where I can manipulate a small portion of RAM I had to think of methods to make use of all that space of course to actually get some code into the game.
And at this point I will for now cut this part, the next part is basically a work in progress still on what I did from this point on, consider this more of an introduction I guess
https://github.com/FIX94/gba-link-cable-dumper
That project takes the gamecube link cable and a gameboy advance/gameboy advance sp and allows you to dump carts directly to a gamecube or wii sd card.
The issue with that is, it does not work with gameboy carts. Why? Because it uses a different processor and operating voltage, when you plug in a gameboy cart into a gameboy advance it actually presses down on a physical switch inside the slot on the left, that switches the CPU core from the ARM based gba one to the gameboy CPU and also changes the operating voltage from 3.3 volts to 5 volts. In that gameboy mode, you cannot use the link cable anymore.
So, what can you do now? Well my idea was to use a game exploit to execute my own code in a gameboy and then go from there. I dont really know how many exploits there are exactly but I did know that pokemon was very, very glitchy and I just so happen to have a german copy of pokemon yellow.
Now, any of those glitches that allow code execution require quite a bit of setup and are pretty time consuming, but this particular video gave me hope that maybe, just maybe this idea may work.
Back when that video came out though I really did not have any idea on how to perform any of those crazy glitches myself so I just left it at that for now, an idea.
This year, gameboy interface, a homebrew software for the gamecube gameboy player, got an update that allows playback of any set of inputs you give it via a text file, and there was even a TAS of pokemon yellow that was made in an emulator and then verified on console using this method:
http://tasvideos.org/6023S.html
and the person who made it, TiKevin83, even included his script to convert inputs from emulator over to gameboy interface! This led me to grab the latest version of BizHawk, the emulator that script was made for, and started making some test inputs in its integrated tool TAStudio, which basically lets you set every input pressed per frame.
So I just made a quick test up to fighting your rival in the beginning and then exported it and tested it on my actual cart:
If you want to see it you have to put this below into your browser and remove the space from it, gbatemp seems to try and auto convert this to a broken stream page every time:
twitch.tv/ videos/311669270
And that most certainly worked just fine!
So now that I saw that yes, this may just be possible now, I had to get to a point where I can execute some code from, so I looked at the current pokemon speedruns as those use lots of these glitches in a very short time so it should be ideal for my plan. That led me to this particular route:
https://www.speedrun.com/pkmnyellow/guide/o5q3p
Now I started implementing this route slowly in an emulator, and some points I did not really understand or they were a bit different in the current speedruns and those differences were not mentioned in that route, so I improvised a LOT, walking in strange ways to manipulate the memory just right in one particular house for example, moving the sprites in the required places.
Also in the end it said something about dropping a specific amount of a glitch item and for some reason I had to drop less, I assume that has something to do with me doing this on a german cart but honestly I dont quite know considering how messy this was. All that said though, it DID end up working and I was able to scroll past the normal item menu into game memory, and to demonstrate I can manipulate memory I should not be able to manipulate I warped to the end of the game! Of course this was all still done in an emulator so it was time to again let that script convert it to inputs for gameboy interface and give it a shot on console:
Again if you want to see that put it into your browser and remove the space:
twitch.tv/ videos/309563869
Again everything worked out perfectly fine!
Now that I had a consistent method of getting to a point in the game where I can manipulate a small portion of RAM I had to think of methods to make use of all that space of course to actually get some code into the game.
And at this point I will for now cut this part, the next part is basically a work in progress still on what I did from this point on, consider this more of an introduction I guess
