I have been scammed on eBay with my GBA cartridges!!....about 15 years ago ;)

The short version:
Bought some GBA games on eBay about 15 years ago and just found out TODAY they are actually not original legit Nintendo carts! Found out that most original carts use FLASH or EEPROM to store saves but the bootleg's use SRAM and have patched the ROM's to make it work. The downside of SRAM battery backed savegames is when the battery runs out...it's bye bye savegame! And you can not save with that cart anymore unless you replace that battery.

As usual I started having crazy ideas again and plan on writing a simple NDS homebrew tool to detect these fakes!! Because they are patched versions of the original ROM their hash should not match those known for that game. As a bonus this utility will allow you to backup and restore GBA savegames and possibly make a backup of the ROM too! Just need a name for it better than "nds-gba-checker" as my work-in-progress version is called now, hahaha.

Enjoy the long version if you want, but the above pretty much summarizes what it's about.:D


The long and hopefully entertaining version: :D
I think it was around 2005 that I bought my Gameboy Advance SP in the classic NES edition with of course: NES classics Mario bros to go with it. Since most other games were kind of expensive for me back then (don't remember the prices though) I was looking on eBay to what was there. Only buying from local sellers I was assuming people finished those games or just did not like them or something so I bought at least: Supermario Advance, Supermario Advance 2, Zelda: A Link To The Past and Tony hawk's underground after testing them on my flashcard if I liked them or not :shy:...for me that was the reason flash carts were made. Right?:D:lol:

Anyway....buying them on ebay from local sellers I was assuming the games were original and not copies / fakes / counterfeit / bootleg or whatever which they so obviously are! But in my ignorance of my 15 years younger self I had no idea those existed or just did not see the signs. The games played just fine for years so I had no reason to suspect anything was wrong....until a few days ago when I popped in my Zelda and find my 100% completed savegame to be GONE!!! I have never loaned them to anyone who might have erased them as far as I know, so just to see if it might have been the save battery I played a little and created a save. Turned of the system. Back on...and GONE was my save I had just created! Tested it on my SP, NDS, and NDS Lite same results! Taking the cart apart...this is what I found inside:

View attachment 211706

I have opened it a couple of times now and the first time I did not even notice the bad soldering and the epoxy blob. Just to confirm my suspicion of the empty battery which I saw was enough to just accept it won't be saving anymore, until I get replacement batteries. Then I noticed the exact same on Supermario Advance that it would not hold the save anymore. Since I only had about 6 games anyway I just opened them ALL up to check which of them had the ticking timebomb battery inside of them:

View attachment 211704

Looking at them like this it's just so obvious to spot the fakes, isn't it :blush:...I feel so stupid. And upset!!! So what is the actual problem with these carts aside from being illegal ofcourse?? They have the game inside that's on the label and at least for a few years saving worked fine. But since original legit Nintendo carts with a very small list of exceptions ALL use either EEPROM or FLASH storage for the savegames, these copies are patched/hacked to save to the SRAM (with battery backup) instead! And from what I have read about these fakes those saving patches are not very stable or reliable. Or if they are the battery they put in might be empty before being send out!! And as you can see on the pictures...the soldering is TERRIBLE on almost all of them! I am surprised they worked at all! Or this long actually. If I had knowingly bought these as "copies" for a cheap price it would have been a different story. I am actually looking into getting some from aliexpress since I have read that you can reprogram some of these with your own GBA homebrew!!! Thinking Batterycheck GBA here :D:lol:...although it would be a private cart only. No selling allowed and multiple copyright issues in the way of that ;)

Well, at least my newest addition to my GBA collection: Zelda Minish Cap is a legit original Nintendo game cartridge:D

I was already looking into making backups of my carts and their saves to use on the 3DS with mGBA. Multiple options are possible these days from unbearingly slow (using GBA Gamecube cable) to lighting fast with the Retrode 2 and an adapter. I have a retrode 2 and GB/GBA adapter but I read it does not support the savestate dumping/restore so that sucks. Plus I need to find the retrode in my storage box first ^_^. So looking at the GBA cable and the sourcecode of that dumper utility, which I know FIX94 only wrote as a proof-of-concept for those that kept asking if it was possible. And it actually is but it's about a 45min wait to get the data over the stupid cable from the GBA over to the gamecube or wii!! The protocol and electronics in the cable are very inefficient and from what I have seen in the code...FIX94 did a fine job considering the point of his utility:). Only with specialized hardware directly on the GBA expansion port...like the wireless adapter. A higher speed "might" be possible according to the docs I found, which defeat the purpose of the "simple and cheap" method of using the cable.

Then I started thinking...and thinking...and thinking.....about the NDS! It has a GBA port with direct access and a way to transfer the data over wifi or store it on the SD card of a slot-1 flashcard. Looking around I noticed there is already a tool for this NDS GBA backup tool...but that was the only one and it does not look like it's open source. Then I found this amusing story about how someone transferred a savegame from a bootleg cart (which he got by accident like me) and transfer it back into an original. Let's sumize his story by saying it's not just copy-paste and he had to go through a few hoops, but he succeeded and sharing his efforts on github. Looking through it he really only made an SRAM savegame dumper for his game, but it shows how to access the cart and read the SRAM holding the savegame. Combining this with the headers of devkitpro NDS I figured out most of the stuff he did...and it's AWESOME. Knowing a tool that worked to dump a cart already existed is one thing...but having an example that mostly does what I need already is even better!

After some more thinking ( I do that to much sometimes :rofl:) instead of a pure GBA dumper it might be usefull to have a utility that could detect these fakes by placing them into an NDS and have it verify the GBA ROM in the cart! I have downloaded a list from the no-intro site that lists all known releases and their ROM hashes in CRC32, MD5 and SHA1 to verify the cart with. To do this my utility will read the GBA header to identify the game with it's 4 letter serial code to lookup these hashes and know the size of the ROM to read. Then read in all the bytes from the GBA cart and push the data through the hashing functions and at the end verify them to indicate if it's real or not! I have no idea how reliable this method will be, but if the fakes with SRAM savegames are patched their hash will NOT match the original release. As a side effect of the ROM validation I might as well include a dump feature right? Unless someone has strong arguments to not do this of course. But at least savegame backup/restore is what I want to include in it. :D

The best advice when buying used GBA carts is, check the average value of the game and if it's way to low...assume it's not an original cart. To help out others I might do another post later to point out what I know about the fakes and how to spot them with detailed pictures of my own. The pictures above I took quickly just to show the insides in this post ;)

Wow, this one got long but hopefully it was interesting to read and have a laugh at me. Either for buying fakes or my crazy ideas and project 10.001 :rofl2:

That's all for now.


EDIT: After a quick copy-paste and edit I have a little demo that already looks good in an emulator:
View attachment 211816
This is from DeSmuME with a Zelda ROM loaded in slot-2 :D


EDIT-2: For those interested in following the NDS app part of this story I have just created a thread for it: https://gbatemp.net/threads/yet-another-way-to-make-gba-backups-with-an-nds.566771/
  • Like
Reactions: 7 people

Comments

Archerite
I am not laughing yet, it's not even been 12 hours since I found out about it ;). But at least it makes a nice story to blog about and warn others that might not be aware of these imitations. I did plan on expanding my GBA library a bit after some research of what games are good and worth to get. And even looking at GBC or GB games. But the imitation and battery issue made me worry a bit though.

I do think the store I got Minish Cap from is trustworthy. Not that it was cheap for a "cart only" but I bought a lot there over the years. Nearly all my wii's and 3DS consoles come from there. They buy and sell a lot of used retro Nintendo games and consoles so they must be aware of these issues. Prices for some games are really high though so I am not in a big hurry to get more right now. Hooked on Minish Cap and that music is stuck in my ears all day, hahahaa:lol:
 
  • Like
Reactions: 1 person
DS1
My friend’s copy of Emerald was a fake. It erased his save after he beat the elite 4 :O
 
  • Like
Reactions: 1 person
K
I understand your disappointment, but you know there are already many easy ways of identifying a pirate cart, right?

In this case it is immediately obvious that your cart is missing the "Nintendo" logo and AGB number above the cartridge connector.
 
  • Like
Reactions: 1 person
Archerite
Damn, that is even more nasty if that was on purpose they erased that save!:O Of these four fakes I have only played through Zelda 100% and from what I remember everything worked and I collected all items.

I guess I should open a thread about my ROM checking tool later. It seems devkitpro does not include the same goodies like zlib or easy to use hashing functions for the NDS, meaning it's not going to be as easy to verify the ROM's with the list of hashes I have downloaded. This just means it's a little more effort but not impossible ;)
 
  • Like
Reactions: 2 people
RivenMain
huh interesting. for gameboy games that was the case none of mine save anymore until i change/ charge the battery. I got them from target though. My gba's I got from gamestop way back It seems to hold a save still, but it can't detect the time anymore.
 
FAST6191
Been a while since I saw fakes/repros from that timeframe. Might have to note them in the relevant threads. Decent, though by no means good, labels as well which is a shocker. Pity they are not flash carts you could maybe repurpose.

Also for the record out of the 2700 or so games 566 use SRAM. SRAM was also a bit larger than EEPROM at the time so among those are a few notable games. Now after the first few years, including some later editions/reprints, that would have gone to FeRAM which is still SRAM but no battery needed.

"And from what I have read about these fakes those saving patches are not very stable or reliable."
Flash cart ones and general scene/tool ones are -- it is really not a complicated or troublesome procedure. The batteries on the other hand...
Equally some of the more recent stuff seems to go way out there with the patches done so maybe. Don't know what vintage stuff was though.

"CRC32, MD5 and SHA1 to verify the cart with. To do this my utility will read the GBA header to identify the game with it's 4 letter serial code to lookup these hashes"
Ignoring the unknown version thing (though no-intro do good stuff) and some carts being able to get away with unpatched games then I should note some scene groups while the GBA was still active managed to fake the CRC32 of the ROM
MD5 and SHA1 on say 32 megs (though 16 is more likely) on a DS... ouch. It is nicer than having to do it on the GBA but you do only have 4 megs of memory plus a blisteringly fast 66MHz ARM9 to play with.
I would sooner get a ROM collection, note the offset of all the save type locations in that and then look those up for the quick comparison, maybe add a few random checks elsewhere and then go from that. If the save is patched (or the serial for another game used -- see some of the pokemon fakes discussed around here a while back, and a few scene groups did twiddle headers way back in the day).

As far as dumping GBA games then it is easy enough -- they are held in 08000000 through 09FFFFFF of the DS memory (same location as the GBA, though missing a few mirrors) so can be copied accordingly. There is no particularly complicated/crazy protocol like DS ROMs or later devices have saving for the shrek videos https://mgba.io/2015/10/20/dumping-the-undumped/ which I doubt anybody is in a hurry to make a repro of (I am not even aware of any flash carts with support for them).

Bonus feature. Many fakes/repros of the middle stages will be using flash carts of various forms (GBA size version of the EZFlash 3 in 1). Today some of those are maybe not the most desirable things, and a bit later into that people started to clip the write enable pin, but if detection is easy enough then yeah.
 
  • Like
Reactions: 1 person
Archerite
@Kwyjor I have only recently discovered I even had pirated carts myself, so only learning the tricks to spot them since a few days. With the PCB's exposed it's indeed clear they miss the iconic nintendo logo in the silkscreen and a few other signs as well. I noticed you can even read that partially without opening the carts at all. :D And thank you for giving me a better word to identify these carts, other than fakes. Pirated carts is the perfect name for them ^_^

@FAST6191 Now I really know I need to create a normal thread for this, hahaha. Thanks for your reply and explanations. These pirated carts I have are indeed decently done with their labels but the signs are there if you look for it. The nintendo seal is more oval than round, A massive error in "LICFHSED BY" above the logo. I did not post a picture of the backsides but Zelda LTTP even has "NIntondo" molded into the plastic!! Like I said...I feel so stupid! :shy:

I found multiple sources saying GBA games don't use SRAM saves except the pokemon series and a few others. I found a list and it was maybe 20-30 games tops, I had no idea there were over 500 of them! :O Either way, an offical cart using SRAM should look like it comes from Nintendo and not like the fakes I have. I mean on the inside of them. I read or heard in a video Nintendo even produced ALL worldwide GBA carts them self to guarantee the quality. Not sure if that was true though.

Thanks for the link to mgba's story and the code he links to as well. Some nice repositories are listed there that might come in handy.:) I know the DS is not a powerhouse to calculate hashes but if an arduino can do it with much lower specs....it should not really be a problem. I am really curious how fast the entire ROM space can be read without doing anything with the data. Just read them into a buffer in Loop and discarding it to continue. In linux terms doing something like "dd if=/dev/gba0 of=/dev/null bs=128" this gives the raw reading speed of the SLOT-2 interface. Then I expect something like multiplying that number by 10 as an indication of how long it might take to calculate the hashes on that data. While the math of hashing is beyond me I do not think a lot of memory is required since they are stream based. So you initilize it, send blocks of data into it while keeping the state somewhere. Then when done you ask it the result. Might be slow but get's the job done. I do hope the entire process takes less than 30 seconds. So the DS could be use to verify a cart just before purchasing it when in doubt :D

About reflashing my pirated carts, I don't know if it will be possible since they are really old. I did look up the part number of my Zelda LTTP cart and it is in fact FLASH memory of 4Mx16. Could be fun to experiment with some time but no plans for that yet. To many crazy projects already, hahaa. But my biggest reasen for making a DS app to check this is just for fun mostly. And to give my anger and frustration a way to come out or something:lol:

I have to dig up my DS stuff from storage first before I can do anything on the hardware though. Already have an empty DS lite now from playing Minish Cap...and hoping my Regular DS hold out until I find the charger. Hahahaha. That screen is unexpectedly good for GBA games btw and almost in a form factor like the original GBA.:D
 
Ferris1000
That's why i started open up every single Cartridge i buy, to make sure it's a legit copy
 
FAST6191
Yeah memory is somewhat overrated in hashing (or at least viable hashes for this) but it is still a limit where a PC would probably stick it all in the RAM.
Likewise I would possibly bet on the slow DS wifi (limited to 2 megs, can't recall bit or byte right now) being able to upload to a hashing website and get results back more quickly. Or if you prefer then while it is a bit more time sensitive DS flash carts started kicking a basic CRC to the flash cart CPLD, FPGA or the like when hashing things it wrote which speaks to both hashing and speed of the DS slot. If we are having fun then http://adshomebrewersdiary.blogspot.com/2012/02/unequivocal-answer.html might also be worth linking.

List wise I don't know what the various No-Intro dats have right now (many of the tools they support note saves so it might be in there too) but the advanced search button of http://www.advanscene.com/ should get you a nice list.
Equally the ones for offline list will have things.
Indeed that might be another way -- if you note what save type is what you might get a save list you can tie back to serial. If the game responds to your own SRAM read/write commands (be careful not to mess up saves as some games your users might be buying can be sold as with completed save or challenge save) then you have just reinvented/implemented a certain type of anti piracy (mgba dev blog also has some nice articles on that) but not an ineffective one.


I should also note pokemon uses Flash memory, indeed issues with the save troubled flash carts and emulators at times (though in the case of emulators it was weak detection). The battery is there to power a clock which was not onboard for the GBA.
 
Archerite
On a PC or even the first raspberry pi which had 256mb RAM the default for calculating sha1 is indeed to do it all in RAM since that's quicker. But when a multi-gigabyte file needs to be checked it's done in smaller blocks and I have seen the functions to use for this. But never used them so that will be fun! But the difficult part is getting those functions in a selfcontained sha1.c/sha1.h file that does not require much else from some libraries or hardware. As for relying on a specific flashcart that might have "hardware" support for hashing I don't think I want to do that. It will lock out a lot of potential users that don't have that card, or a firmware update might remove or change the way it works. I checked libogc and it uses IOS for sha1 which makes sense, and my batterycheck installer uses crc32 to do a simple check borrows the function from zlib. And since the NDS libraries in devkitpro does not have either it's a nice challenge but I am sure it's out there. :lol:

From experience I know the orignal 3DS does NOT go over 1.5MB/s during transfers. And I am still curious if that's a WiFi limit or the combo of WiFi and writing to the SD card or just the CPU power. So I am asuming it's 2Mbit than which sound really slow and I hope it's at least a little faster. I could not find a realiable (or any) source about the wifi chip to get some specs of the hardware, but considering the time the NDS was released I am expecting it to be 802.11b....and thus 11Mbit/s. Which is divided by two for wifi so 5Mbit in very optimal conditions...acounting for overhead and other interference and slownes of the DS....I think 2Mbit might sound about right. ^_^
Something to actually test raw transfer speed is something I had planned for the wii and gamecube but now also for nds...and later 3DS if I am doing it anyway.:D

That post you linked to is great but the downloads don't work anymore. I only read it quickly but he seems to have the same idea as I have. When deciding what is the fastest way to copy memory it depends a lot on what your goal is. The sreenshot's do help giving me an idea on what might be possible, but I have no way of knowing what units are meant. I want to know the bitrate in KB/s and I think his tool uses clock cycles at 33Mhz from the ARM7 core.

I will most definitely be careful with writing to the savegame memory and by default do a read-only of the cart. Maybe include protections like the luma3DS installer uses with some button combo's to enable NAND writing. Or just a REALLY clear notice that writing is on the users own risk and I can not be blamed, the usual disclamer ^_^

A do have a sort of demo that works already in DeSmuME with the zelda ROM loaded into slot-2 (see blog post above since I can't attach it here^_^)
 
Archerite
I need to cleanup the code of my simply put together app...but it's mostly done already! I have found a project on github that implements sha1 in a single file like I wanted and testing in the emulator showed it was working correctly. About an hour later and fixing bugs with byte alignment and other fun stuff...it totally works!! I will create a thread about it later but still unsure if this should go in the DS or GBA section ;)

I borrowed the "game size detection" from the gba-link-cable-dumper which does a magic trick that does not work on an emulator but is fine on hardware. With this size I loop through the bytes in 8KB blocks and push it into the sha1 routines and it's quite fast actually! An 8MB cart is hashed in 10 seconds, 4MB in 5-7 seconds, and 16MB took like 20 seconds.

So reading the cart and hashing the bytes is done at about 800KB/s which is not to bad I think. :D Without hashing and writing anything to the screen or waiting for vblank...reading the entire cart is nearly instant!

And I have checked, my savegames are still intact :D
 

Blog entry information

Author
Archerite
Views
248
Comments
26
Last update

More entries in Personal Blogs

More entries from Archerite

Share this entry

General chit-chat
Help Users
    Psionic Roshambo @ Psionic Roshambo: https://www.youtube.com/watch?v=EIoANBgzYkQ