Hi everybody,
I'm currently in the process of reverse engineering some of the Chinese bootleg cartridge ROMs.
As some of you may know, recently at least all Pokemon Repros are coming with batteryless save.
After some digging around in these ROMs it came to my attention that they are using the additional SRAM (up to 1024K) that is on board those repros.
Affected repros are:
- GE28F128W30
- 36L0R
and probably many others.
Things I discovered:
- At startup, the GBA loads a defined area of ROM into SRAM
- After half of it (64KByte), it writes 0x1 to 0x9000000, which seems to switch the bank from 0->1
- After everything is in SRAM, 0x0 is sent to 0x9000000, which seems to switch the bank back from 1->0
- Then ROM continues to start up normally
To make this usable with SRAM patches like those applied through gbata, the bank switching needs to be added accordingly.
For FLASH1M_v103 (Pokemon FireRed), the following could be done:
==================================
Block 1 (Bank switching):
054B AA21 1970 054A 5521 1170 B021 1970 E021 0905 0870 7047
==>
0549 0000 0000 0000 0000 0000 0000 0000 0000 0000 0870 0747
Block 2 (Chip Ident Start):
064A AA20 1070 0549 5520 0870 9020 1070 10A9 034A 101C 08E0
==>
064A AA20 0000 0549 5520 0000 9020 0000 10A9 034A 101C 08E0
Block 3 (Chip Ident End) (Basically this also can be nooped completely):
0749 AA20 0870 074A 5520 1070 F020 0870 0870
==>
0749 AA20 0000 074A 5520 0000 F020 0000 0000
Block 4 (Erase whole Chip):
1449 AA24 0C70 134B 5522 1A70 8020 0870 0C70 1A70 1020 0870
==>
0E21 0906 FF24 8022 134B 5202 013A 8C54 FCD1 0000 0000 0000
Block 5 (Erase 4K sector):
1449 AA25 0D70 144B 5522 1A70 8020 0870 0D70 1A70 3020 2070
==>
0000 FF25 0822 0000 5202 013A A554 FCD1 0000 0000 0000 A554
Block 6 (Store 1 Byte):
0C4A AA20 1070 0B49 5520 0870 A020 1070 2770
==>
0000 0000 0000 0000 0000 0000 0000 0000 2770
Block 7 (Copy 1 Byte from one place in SRAM to another):
0A4C AA22 2270 094B 5522 1A70 A022 2270 0278 0A70
==>
0000 0000 0000 0000 0000 0000 0000 0000 0278 0A70
==================================
Additionally, gbata adds the following patch between Block 1 and 2:
480C ldr r0,=#0xE000001
F005F999 bl #0x81E3C2C --> branch to label???? ==> PATCH: 00000000
0600 lsl r0,r0,#0x18
0C04 lsr r4,r0,#0x10
20E0 mov r0,#0xE0
0500 lsl r0,r0,#0x14
F005F993 bl #0x81E3C2C --> branch to label???? ==> PATCH: 00000000
Is there anybody who can explain to me why this last patch could be needed? It may have something to do with the chip identification, but I'm not sure about this.
Regards,
bbsan
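Editor's added example (not part of bbsan's post and not gbata's code): a small Python patcher that applies the seven FLASH1M_v103 byte blocks listed above to a ROM image. It copies each original/replacement halfword sequence from the post as written (file byte order), and only rewrites a block whose original code occurs exactly once at a halfword-aligned offset, so a mismatched or duplicated pattern is reported instead of silently corrupting the image; `demo_rom()` is a constructed toy image, not a real ROM.

```python
import re

# (name, original halfwords, replacement halfwords) copied from the post, in file byte order.
PATCHES = [
    ("Block 1 (Bank switching)",
     "054B AA21 1970 054A 5521 1170 B021 1970 E021 0905 0870 7047",
     "0549 0000 0000 0000 0000 0000 0000 0000 0000 0000 0870 0747"),
    ("Block 2 (Chip Ident Start)",
     "064A AA20 1070 0549 5520 0870 9020 1070 10A9 034A 101C 08E0",
     "064A AA20 0000 0549 5520 0000 9020 0000 10A9 034A 101C 08E0"),
    ("Block 3 (Chip Ident End)",
     "0749 AA20 0870 074A 5520 1070 F020 0870 0870",
     "0749 AA20 0000 074A 5520 0000 F020 0000 0000"),
    ("Block 4 (Erase whole Chip)",
     "1449 AA24 0C70 134B 5522 1A70 8020 0870 0C70 1A70 1020 0870",
     "0E21 0906 FF24 8022 134B 5202 013A 8C54 FCD1 0000 0000 0000"),
    ("Block 5 (Erase 4K sector)",
     "1449 AA25 0D70 144B 5522 1A70 8020 0870 0D70 1A70 3020 2070",
     "0000 FF25 0822 0000 5202 013A A554 FCD1 0000 0000 0000 A554"),
    ("Block 6 (Store 1 Byte)",
     "0C4A AA20 1070 0B49 5520 0870 A020 1070 2770",
     "0000 0000 0000 0000 0000 0000 0000 0000 2770"),
    ("Block 7 (Copy 1 Byte)",
     "0A4C AA22 2270 094B 5522 1A70 A022 2270 0278 0A70",
     "0000 0000 0000 0000 0000 0000 0000 0000 0278 0A70"),
]

def words(s):
    """Hex halfwords as written in the post -> raw bytes in file order."""
    return bytes.fromhex(s.replace(" ", ""))

def apply_patches(rom):
    """Return (patched copy, report). A block is rewritten only when its original code
    occurs exactly once at a halfword-aligned offset; anything else is reported and skipped."""
    out, report = bytearray(rom), {}
    for name, orig, repl in PATCHES:
        o, r = words(orig), words(repl)
        assert len(o) == len(r), name  # in-place patch: the code size must not change
        hits = [m.start() for m in re.finditer(re.escape(o), bytes(out)) if m.start() % 2 == 0]
        if len(hits) == 1:
            out[hits[0]:hits[0] + len(o)] = r
            report[name] = "patched at 0x%X" % hits[0]
        else:
            report[name] = "skipped (%d matches)" % len(hits)
    return bytes(out), report

def demo_rom():
    """Constructed toy image (not a real ROM): Block 1 and Block 6 once, Block 7 twice."""
    pad = b"\xff" * 64
    return pad + words(PATCHES[0][1]) + pad + words(PATCHES[5][1]) + pad + words(PATCHES[6][1]) * 2 + pad
```

On a real image, read the file with `open(path, "rb").read()`, pass it to `apply_patches`, and check the report before writing the result back; a block reported as skipped means the ROM is not the FLASH1M_v103 layout these byte sequences were taken from.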