Hacking Reflashing GBA Bootlegs, can't save!?

kidpoker

Member
OP
Newcomer
Joined
Sep 7, 2017
Messages
24
Trophies
0
Age
29
XP
81
Country
United Kingdom
You should probably remove that link, it's not allowed here.
It's certainly possible to make a patch like that, the question is whether it's worth the effort.

Link removed, sorry about that.

Well, that depends on, one, how many GBA bootlegs use these boards and, two, whether there is a demand for it.

Edit: I had a look at it, but it looks like this version of Shiny Gold is based on Ruby whereas the one I already have is based on Fire Red. There's probably many different versions of Shiny Gold that makes comparing them hard. Do you have one that's not a romhack?

Well, the Chinese don't really care if the ROMs are up to date; they just want sales.
They may not even have access to the ROMs due to the great firewall of China.

What do you mean, just an unhacked Pokemon ROM? Yeah, sure.
 

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,321
Country
United Kingdom
That is a bizarre ROM.

I too see ruby in the header. Now various hackers over the years have altered headers (it is not something the game cares all that much about) but I have not seen it in many years. That said I don't make a habit of pulling apart pokemon hacks.

I did a search for Flash in the hacked game. Two locations appeared, 006FBF14 and 00719326, which itself is unusual. Compared to three copies of Ruby I grabbed, in the original those areas have absolutely nothing (plain space, just padding), save for the Japanese one, which has nothing at all related to Flash at those locations. After the serial in the header there is lower case ASCII saying something about pokemon red, which should not be there.

Pokemon hackers seem to like to "protect" their work on occasion (it seems the irony is lost on them) so it could be that red like Jdbye has was altered to appear as Ruby to any tools that might just check the header first and go from there. I probably should check against a version of red but I lack the desire at this point. The two things, and some parts of the header being scattered around, are odd too.

Chinese not have access to ROMs? Hahaha. They have some of the finest ROM sites in the world.

Anyway we don't tend to see games have two values for the same save type. It could be that it is the second one that is the real deal and that confused the patcher. You could try altering the first one (should not matter as long as the result is the same length and does not say EEPROM or SRAM) and then patching with a patcher.
 

kidpoker

That's the ROM pulled from the bootleg, I don't know what to tell you.

Yeah, I checked the header also and it's Ruby for sure, but why would a hacker change the header to Ruby?
If they were going to change it, would they not put in Shiny Gold or something along those lines?

As I said I am not great with code; what do these two codes suggest?

I don't know, last time I was in the mainland the great firewall was one pain in the ass!

Sorry, my friend you're going to have to spell this out for me. Go into a HEX editor and change which values?
 

FAST6191

The firewall prevents you from going outside. Inside is a whole different game.

I did a search for flash and the addresses 006FBF14 and 00719326 both returned what look like a flash marker*; only one should be in a game, and if the second is where it actually happens, the patcher only changing the first will not have any effect. As most searches will start at 0 and go until they find it, it might have missed the second.
Your would-be check/fix would be to take the ROM as dumped. Open it in a hex editor and go to address 006FBF14 (in most editors this will be the left hand column that says what address you are at in the file; said left hand column might say 006FBF10 as many count up 10h each time, but that is easy enough to work with). In the rightmost column of most editors will be what the hex (the middle column) decodes as if you treat it as ASCII. You will see something like FLASHv103 there. Click on that and your job is to overwrite that with basically anything else. Just overwrite it; don't delete it or add new stuff in, or you will shift everything else after it forward or backward and break the game. Once done, save it as something else. Open that new one up in the save patcher (again use GBATA) and let it do what it has to do; hopefully it will ignore the stuff at 006FBF14 and instead patch at 00719326. Try flashing that and seeing if it saves. You could also try the opposite (overwrite the Flash stuff at 00719326) if the first does not work.

*GBA saving, the ultra quick version. There is no indicator in the header or any cute tricks you can do to determine save type on the GBA side. If you are on a PC and you do a text search of a ROM for ASCII, Flash and EEPROM you will return one of those (or if none then it is a no-save game). After said initial ASCII is a number indicating the sub type. Every emulator, flash cart with autopatching or patching program is just searching for those strings and reacting accordingly; in the case of patching it is just a couple of premade patches a set distance from where you found the ASCII values that depend upon the version. It is also why in older versions of VBA you might have had to set the save type for pokemon, as VBA did not do more than the initial checks for the save type and did nothing for the sub type.

Reasons the header might be different. Some hackers don't like others to come fiddle with their work. As pokemon hacking 99% revolves around using premade tools that work for all the games of a given generation, or even console, they need a way to check which version and language you are feeding it. The simplest option for this is the serial that the game has as it will differ between versions. A hacker seeking to protect their work might then change it so the tools try to load the location lists and formats for another game entirely and thus prevent the tool users from editing their hack.
Why the save type appears twice I have no idea. It might also be to prevent things from going on flash carts or certain emulators.
 
  • Like
Reactions: kidpoker
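The footnote above describes how save patchers actually work: the header carries no save-type field, so every tool just scans the ROM for the ASCII marker strings and patches a fixed distance from the hit, and a scan that stops at the first hit misses a second marker (or a damaged one like the 'FLASH.1M_V103' this thread turns up). The script below is an added example, not code from this thread, from GBATA or from any other patcher. It relies on the GBA cartridge header layout (title at 0xA0, 4-byte game code at 0xAC, fixed 0x96 at 0xB2, complement checksum at 0xBD) and on the save-library marker strings the GBA SDK embeds (EEPROM_Vnnn, SRAM_Vnnn, SRAM_F_Vnnn, FLASH_Vnnn, FLASH512_Vnnn, FLASH1M_Vnnn); the Ruby-looking sample ROM it scans is constructed in the script, not a real dump, and the offsets 0x150 and 0x180 are arbitrary choices.

```python
"""Scan a GBA ROM image for save-type markers and read its header.

Added example (not from this thread, GBATA or any other tool). The sample
ROM built by build_sample_rom() is constructed here, not a real dump.
"""
import re

# Exact markers a save patcher keys on. Longest alternatives first so the
# regex does not settle for "FLASH" when the ROM actually says "FLASH1M".
STRICT_MARKER = re.compile(rb"(EEPROM|SRAM_F|SRAM|FLASH512|FLASH1M|FLASH)_V\d{3}")

# Looser pattern: same prefix, up to four stray bytes, then the _Vnnn tail.
# Catches damaged markers such as "FLASH.1M_V103" that a strict patcher skips.
LOOSE_MARKER = re.compile(rb"(EEPROM|SRAM|FLASH)[^\x00]{0,4}?_V\d{3}")

# Common US game codes; this "serial" is what most hacking tools check first.
KNOWN_CODES = {"AXVE": "Ruby", "AXPE": "Sapphire", "BPRE": "FireRed",
               "BPGE": "LeafGreen", "BPEE": "Emerald"}


def header_checksum(rom):
    """Complement checksum over header bytes 0xA0..0xBC, as the BIOS checks it."""
    chk = 0
    for b in rom[0xA0:0xBD]:
        chk = (chk - b) & 0xFF
    return (chk - 0x19) & 0xFF


def parse_header(rom):
    """Return the header fields a patcher or hacking tool would look at."""
    code = bytes(rom[0xAC:0xB0]).decode("ascii", "replace")
    return {
        "title": bytes(rom[0xA0:0xAC]).rstrip(b"\x00").decode("ascii", "replace"),
        "game_code": code,
        "game_name": KNOWN_CODES.get(code, "unknown"),
        "fixed_ok": rom[0xB2] == 0x96,
        "checksum_ok": rom[0xBD] == header_checksum(rom),
    }


def find_save_markers(rom):
    """Every well-formed marker with its offset, not just the first hit."""
    return [(m.start(), m.group(0).decode("ascii"))
            for m in STRICT_MARKER.finditer(bytes(rom))]


def find_malformed_markers(rom):
    """Marker-like strings a strict patcher would ignore (e.g. 'FLASH.1M_V103')."""
    return [(m.start(), m.group(0).decode("ascii"))
            for m in LOOSE_MARKER.finditer(bytes(rom))
            if STRICT_MARKER.fullmatch(m.group(0)) is None]


def blank_marker(rom, offset, length):
    """Overwrite a marker in place with zero padding. The file length must not
    change: inserting or deleting bytes shifts all following code and breaks the ROM."""
    patched = bytearray(rom)
    patched[offset:offset + length] = b"\x00" * length
    assert len(patched) == len(rom)
    return patched


def build_sample_rom():
    """Constructed stand-in for a dump: a Ruby-looking header plus one good and
    one damaged FLASH marker, mirroring the two hits found in this thread."""
    rom = bytearray(0x400)
    rom[0xA0:0xAC] = b"POKEMON RUBY"
    rom[0xAC:0xB0] = b"AXVE"
    rom[0xB0:0xB2] = b"01"
    rom[0xB2] = 0x96
    rom[0xBD] = header_checksum(rom)
    rom[0x150:0x15C] = b"FLASH1M_V103"      # assumed offset, constructed
    rom[0x180:0x18D] = b"FLASH.1M_V103"     # assumed offset, constructed
    return rom


if __name__ == "__main__":
    rom = build_sample_rom()
    print(parse_header(rom))
    print("markers:", [(hex(o), s) for o, s in find_save_markers(rom)])
    print("malformed:", [(hex(o), s) for o, s in find_malformed_markers(rom)])
    patched = blank_marker(rom, 0x150, len("FLASH1M_V103"))
    print("after blanking:", find_save_markers(patched))
```

Run it against a real dump by replacing build_sample_rom() with open(path, "rb").read(). The point of listing every hit is the one made above: if a patcher stops at the first marker, the second (or a damaged one it cannot parse at all) is where the save routine may really live, and blanking a marker is only safe because the overwrite keeps the file length identical.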

kidpoker

Ok so I opened it up in my hex editor and found the address. 006FBF14 was 'FLASH1M_V103' and 00719326 was 'FLASH.1M_V103'.
I wrote 00 in the hex until 'FLASH1M_V103' was gone. 00 is just padding, right?

So I then saved two copies of the ROM, one where I edited 006FBF14 and another where I edited 00719326.
Both boot in VBA, so I then went to try and patch one or the other with the SRAM patch on GBATA and it was not clickable?
Is there a way to manually do the SRAM patch?

Or shall I just edit the patched copy of the ROM as there will only be one of these flash markers?
 

FAST6191

Hmm, must have missed the . in my haste.

I imagine it was the one with . that was unpatchable. That also means I am back to the drawing board on a save fix.
 

kidpoker

No hold on, I just loaded the dump unedited into GBATA and the SRAM patch isn't clickable anyway?

I just dumped Pokemon Snakewood and found FLASH1M_V103 at 006b0790.
Only the one flash marker. Why would there be two in the other?

Snakewood can't be patched either. I wonder why that is.

Is there a manual way to patch them?

Ok so I was thinking flashing an unhacked Pokemon might be easier, so I used a ROM of Fire Red.
I patched it in GBATA and then had a look at it in the hex editor and I still found FLASH1M_V103; in fact, it's in there twice.
I searched SRAM and nothing? Is the patcher even working? :/

Ok so I am a bit of an idiot; the reason I can't use the SRAM patch is that they were still open in Notepad++ (I use the HEX plugin).
I need to get some sleep I think! lol.

Let's try this again, shall we. Still no joy, can't patch either edited version of Shiny Gold.

It's late and I am just making silly mistakes at this point, so I will have another crack at it tomorrow. :)
 

cearp

瓜老外
Developer
Joined
May 26, 2008
Messages
8,725
Trophies
2
XP
8,510
Country
Tuvalu
Keep at it, I have a joey joebags coming and I'm interested in what repro carts I can use with it too!

I think bennvenn said make sure the cart has a battery. I'm not sure if that has changed now, but I guess he said it for a reason.
 

Shadow#1

Wii, 3DS Softmod & Dumpster Diving Expert
Member
Joined
Nov 21, 2005
Messages
12,347
Trophies
2
XP
8,010
Country
United States
Ok so here are three boards. The one marked 4400 is Pokemon Dark Cry, the board marked 4000 is Ash Gray and the last board is Pokemon Adventures Red Chapter.

How can these hold saves without any power?

34pgnef.jpg

Pokemon DarkCry is a hacked version of Pokemon FireRed version no battery

Pokemon Ash Gray is a hacked version of Pokemon FireRed version no battery

Pokemon adventures red chapter is a hacked version of Pokemon FireRed version no battery
 

kidpoker

The Joey is great, Ben must have put a lot of work into it!

Yeah, if the bootlegs had batteries already I think there would be no problem.

I just got these off a seller with good feedback on AliExpress. I have been reading up and it seems they are the new gen of fakes.
Has anyone else come across them?


ummm stupid question, but why not buy a normal GBA flashcart?

Simple, I don't like flash carts. I like having dedicated cartridges for each game.
I don't know, flash carts just don't feel the same to me.

i already have one, two actually :D

but i don't want to buy a separate flash cart when we can get reflashable fakes for like $5.

If we were to do a group buy that price could go down as low as $3 a cart! :)

Sorry, I don't understand your point? These aren't legit, so they're not using flash save chips like normal Pokemon games.
Therefore, in order to reflash them I have to find out how the Chinese have programmed the SRAM writing the save to the flash, or get the SRAM working on its own.




I am going to do some more work trying to get the SRAM working today anyway. :)

Ok, so I am just looking at the data sheet for the KM68U1000ELTGI-10L SRAM and it says the power input needs to be between 2.7V and 3.3V.
Given that the CR1616 outputs 3V that should be fine, right?
 

kidpoker

Ok I am out of ideas here.

I got a ROM of Pokemon Light Platinum, patched it and flashed it.
Saved the game, turned off the console and then on again immediately, and the save was there, so the SRAM can hold the file.

I then turned it off, left it for a few minutes and again was met with "your save file has been corrupted".

Does anyone have any other ideas, as this is starting to get under my skin? :ohnoes:
I feel like this can be done but I think it will take a programmer to work it out.

Does anyone know any seller of bootleg GBA games that have the battery installed already?
 

Shadow#1

My point is Pokemon Fire Red never had a battery, so the 3 ROM hacks you have would not either; that's why they don't have one in any of them.
 

FAST6191

I would have to wonder if the epoxy chip is primed to look for a certain value in the SRAM and not just any old thing. I would not do it this way were I making such things, but it is seen in many types of electronics and would get the job done.

Alternatively the hacked ROM on there might be further hacked to see the save read off when something happens: read off an odd location, a technically illegal command, just something not commonly done... The game is likely already primed for it (the game may want to read back the save to confirm it works, so it will have an end of save/save complete routine and you can stick something on that easily enough), so when the epoxy blob (which looking at the traces probably governs most of the interactions/acts almost as a flash cart) gets that command it knows what to do internally. Depending upon the timing you might be able to confirm this by turning the original hacked game dump off either just as saving finishes or very shortly after (I don't know how fast it will be to copy) and then waiting for the SRAM to die before loading it again.

You could try debugging it if you are really bored (this is more of a curio for most here, as we have perfectly functional flash carts available and that would be a fair amount of time invested), and if you are even more bored you might even run scope lines to one (assuming you have such toys, which may not be all that likely), but the "easy" start would be to try to replicate the ROM.
From earlier stuff done in this thread I imagine it is not Japanese Ruby used as a base, but that is OK as the hack is for Fire Red, so get the relevant copy of that + patch (hopefully there are not hundreds of versions) and patch it.
You can run a compare between the dump you made and the Fire Red + patch result if you want.
The repro makers might have fiddled with a lot though, so I would first look to anything just after the locations we saw the Flash ASCII marker in earlier.
If you want to try save patching the patched game you can; however, I don't know what patching program the repro makers would have used (there are way more than just GBATA, and even more if you go looking at past ones which would probably still work; I also don't know what was popular in China for this sort of thing either) and there could be some subtle differences. Said differences could see you chasing ghosts if you are looking for that one command that might trigger a copy.
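The post above suggests comparing the cart dump against a freshly patched Fire Red and looking first at whatever sits just after the Flash marker. The script below is an added example of that comparison, not code from this thread or from any patching tool. It assumes you already have both files on disk; the reference/dump pair it compares is constructed inline (with arbitrary offsets) so it runs offline, and it treats a trailing run of 0x00/0xFF beyond the reference's length as chip padding rather than a difference, because dumps are commonly padded out to the flash chip size.

```python
"""Diff a cart dump against a patched reference ROM and flag the differing
runs that sit just after a save-type marker.

Added example, not from this thread or any tool. The sample pair built by
build_sample_pair() is constructed, not real data.
"""


def diff_ranges(ref, dump, merge_gap=8):
    """Return [(start, end)] byte ranges where the images differ. Differences
    closer than merge_gap bytes are merged into one run, so a patched routine
    shows up as one region rather than a spray of single bytes."""
    n = min(len(ref), len(dump))
    runs = []
    for i in range(n):
        if ref[i] == dump[i]:
            continue
        if runs and i - runs[-1][1] <= merge_gap:
            runs[-1][1] = i + 1
        else:
            runs.append([i, i + 1])
    # Bytes past the shorter image count only if they are not blank padding.
    longer = ref if len(ref) > len(dump) else dump
    tail = longer[n:]
    if tail and any(b not in (0x00, 0xFF) for b in tail):
        runs.append([n, len(longer)])
    return [tuple(r) for r in runs]


def runs_near(runs, anchors, window=0x100):
    """Keep the runs that begin within `window` bytes after any anchor offset
    (here: offsets of the FLASH/SRAM/EEPROM marker strings)."""
    return [r for r in runs if any(a <= r[0] <= a + window for a in anchors)]


def find_marker_offsets(rom, marker=b"FLASH1M_V"):
    """Offsets of every occurrence of a marker prefix, not only the first."""
    out, pos = [], rom.find(marker)
    while pos != -1:
        out.append(pos)
        pos = rom.find(marker, pos + 1)
    return out


def build_sample_pair():
    """Constructed reference/dump pair: the dump carries a small edit 0x14 bytes
    after the marker, an unrelated two-byte change, and 0xFF padding at the end."""
    ref = bytearray(0x400)
    ref[0x100:0x10C] = b"FLASH1M_V103"            # assumed marker offset
    dump = bytearray(ref) + b"\xff" * 0x100       # chip-size padding
    dump[0x120:0x124] = b"\x01\x02\x03\x04"       # change near the marker
    dump[0x300:0x302] = b"\xaa\xbb"               # change elsewhere
    return bytes(ref), bytes(dump)


def report(ref, dump, window=0x40):
    """Summarise all differing runs and the subset close to a marker."""
    runs = diff_ranges(ref, dump)
    anchors = find_marker_offsets(dump)
    return {"runs": runs, "near_marker": runs_near(runs, anchors, window)}


if __name__ == "__main__":
    ref, dump = build_sample_pair()
    for key, ranges in report(ref, dump).items():
        print(key, [(hex(s), hex(e)) for s, e in ranges])
```

With real files, read both with open(path, "rb").read() and pass them to report(); widen `window` if the repro maker's additions turn out to sit further from the marker than the SDK's own save routine does.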
 

junn

.
Member
Joined
Sep 12, 2009
Messages
387
Trophies
0
Location
.
Website
flic.kr
XP
207
Country
United States
The bootleg Pokemon my ass cart has the same PCB as the one on the right. It's reflashable using BV Joeyjoebags. An SRAM or EEPROM patched game might stop the save file errors, but once the power is turned off, the save is gone.
IMG_1712.JPG

I can't find my Bennvenn 128M gba flashcart to compare but it has a coin battery and an extra board on top of the pcb.
 

kidpoker

I simply do not have the skill to do this. So I have asked a friend to have a look and we will see if he can come up with anything.
If anyone else is interested in having a look at these ROMs, PM me, as I think these are the next gen of boots coming out of China.

Does anyone know a bootleg seller on AliExpress whose carts contain the battery already and are flashable??
 

junn

Here's my BV cart and another reflashable bootleg cart with battery.
Both can't hold a save unless flashed with another compatible bootleg dump and it'll save.

boot.jpg
 
