Dmg Gameboy Rom


  • Copy DMG & GBC cartridge ROMs onto your HD, and use a device like the EZ-Flash Omega to play your collection
  • Burn ROMs onto Flash-memory-equipped cartridges like the official Flash Boy cartridges
  • Read & write game saves (RAM) on supporting game cartridges (like the Pokemon series)

[nitro2k01] got his hands on a Game Fighter, a clone of the original Game Boy. While there’s a ton of information about the boot ROM and operation of the original Game Boy, not much is known about these clones. [nitro2k01] wanted to learn more, so he used a clock-glitching technique to dump the device’s ROM and made some interesting discoveries about its copyright protection and boot process along the way.

Reading the contents of the Game Boy ROM is a bit challenging. The ROM is readable while booting, but afterwards the address space of the ROM is remapped for interrupt vectors and other uses. There are a couple of methods to get around this, but the simplest method involves glitching the crystal by grounding one of its leads. This causes the CPU to jump to random locations in memory. Eventually the CPU will jump to a location where the boot ROM is accessible (if you’re lucky!).

Although [nitro2k01]’s clone can run the same games as the Game Boy, it has a different boot ROM and also has some significant hardware differences. [nitro2k01] managed to use a modified version of the crystal-grounding technique to glitch his clock and dump the clone’s boot ROM. He found that the clone uses an unusual variation on the Game Boy’s copyright-checking technique, along with some other oddities. [nitro2k01] also posted a disassembly of the boot ROM, which he explains in detail.

Thanks for the tip, [Ove].


Since the release of the Gameboy there have been shady companies producing flash carts, ROM duplication systems, ‘transferrers’ and cloned carts of the more popular game titles. The history of such companies and Nintendo’s response is an entertaining read which I recommend if you have a lazy afternoon spare.

30 years on, a lot of these old devices occasionally surface on online auction sites, gaming forums or through word of mouth. When I stumble upon such items I typically try to snap one up, not just for my collection but to pull it apart, see how it works and see how they tried to circumvent the copyright laws of the day. Many of these carts can be re-purposed or hacked. This series will show how I go about reversing the hardware and software inside the ‘GeNiUs GB Pocket Station’.

Some time after 1993 (the latest date stamp on the ICs within), Genius marketed this unique game ‘backup’ system. This self-contained unit was designed to back up or clone your existing GB/C cart ROM and save file to its internal Flash ROM and SRAM, allowing you to play your game without the original cart. That alone would be useful, and to take the functionality a step further it can store multiple ROMs and save files, and even switch saves between ROMs. With no direct connection to a PC, ‘piracy’ in the sense of online downloading is avoided, though illegal copying of a licensed Nintendo cart is still possible.

To the GB hacker this means 2 things:

  • The Flash ROM can be written by the Gameboy during use, and therefore by an external cart flasher
  • There is programmable logic within the cart to manage bank switching, ROM mapping, SRAM management and Cart Passthrough.

Where do we begin? We can take two approaches, the first being hardware based. This would involve reversing the PCB to generate a schematic, or at minimum a block diagram, to see which lines are controlled by what. We still wouldn’t know how the CPLD works and would need to look into the code.

The second and somewhat simpler method is to reverse the software (BootROM) to identify which registers the programmable logic responds to and exactly what they do. I’ll be taking the second approach.

Dumping the Boot ROM

All GB carts must have the first bank accessible to the GB regardless of which mapper, if any, is used. The Gameboy begins executing this code after its own internal copyright check, and this is where we begin disassembling the code.

Reading the header from the cart suggests a ROM size of 512 KiB, so this is what we dump with Joey. Viewing it in a hex editor we see that the entire ROM is repeated every $2800 bytes (10,240 bytes), which is very unusual for a GB ROM and likely an artifact of the mapper.
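The two checks this step relies on, the header's ROM-size byte and the $2800-byte repetition, as an added example that is not the article's or Joey's code. The dump it parses is constructed in `constructed_dump()` (title, cart type and seed are assumptions); the header offsets and checksum are the standard Game Boy ones.

```python
import random
from typing import Optional

HEADER_TITLE = slice(0x134, 0x144)
HEADER_CART_TYPE = 0x147
HEADER_ROM_SIZE = 0x148
HEADER_CHECKSUM = 0x14D


def rom_size_bytes(code: int) -> int:
    """Byte $148: 0 = 32 KiB and each step doubles, so $04 = 512 KiB."""
    return (32 * 1024) << code


def header_checksum(rom: bytes) -> int:
    """The boot ROM's checksum over $134..$14C; a mismatch halts a real DMG."""
    x = 0
    for b in rom[0x134:0x14D]:
        x = (x - b - 1) & 0xFF
    return x


def parse_header(rom: bytes) -> dict:
    return {
        "title": rom[HEADER_TITLE].rstrip(b"\0").decode("ascii", "replace"),
        "cart_type": rom[HEADER_CART_TYPE],
        "rom_size": rom_size_bytes(rom[HEADER_ROM_SIZE]),
        "checksum_ok": header_checksum(rom) == rom[HEADER_CHECKSUM],
    }


def mirror_period(rom: bytes, probe: int = 32) -> Optional[int]:
    """Smallest p with rom[i] == rom[i - p] for all i >= p (the dump repeats
    every p bytes, last copy possibly partial), or None if nothing repeats."""
    n = len(rom)
    p = rom.find(rom[:probe], 1)
    while 0 < p <= n // 2:
        if rom[p:] == rom[:n - p]:
            return p
        p = rom.find(rom[:probe], p + 1)
    return None


def constructed_dump() -> bytes:
    """Constructed sample (not a real dump): one $2800-byte image with a valid
    header, mirrored out to the 512 KiB its header claims."""
    bank = bytearray(random.Random(1).randbytes(0x2800))
    bank[HEADER_TITLE] = b"GB SMART CARD".ljust(16, b"\0")
    bank[HEADER_CART_TYPE] = 0x1B          # MBC5 + RAM + battery
    bank[HEADER_ROM_SIZE] = 0x04           # 512 KiB
    bank[HEADER_CHECKSUM] = header_checksum(bank)
    copies = -(-0x80000 // len(bank))      # ceiling division
    return bytes(bank * copies)[:0x80000]
```

Running `mirror_period` over a real dump is how you would tell a mirrored mapper artifact from a genuinely 512 KiB image before trusting the header's size.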

We load our 512k ROM into our emulator/disassembler and step through the code. We see it check the GB type (DMG/Colour/Super Gameboy), then copy a block of code to RAM and pass control to it. This is an indicator that bank switching or ROM writing is about to take place: you cannot run code from a Flash ROM that is being erased, remapped or written, so it is run from the GB’s internal RAM instead.

Looking at the code we find the mapping registers at the following addresses:

  • $0000 – Typically a SRAM enable/disable register found in MBC5 based carts
  • $1100 – Although this address is also valid as an enable/disable address in MBC5 carts, this is not the purpose here.
  • $4100 – Again, can be used for bank switching in an MBC5 but the $100 offset indicates it has another purpose
  • $3100 – And again, can be used for MBC5 purposes but the offset $100 suggests otherwise.

The code starts by first initialising all these registers to $00 then setting them to a default state.

  • $0000 < $0A – This is the stock SRAM Enable command
  • $1100 < $80 – Not a standard MBC value/address
  • $4100 < $90 – Not a standard MBC value/address

The emulator is expecting to see valid data in the ROM region which is not there so we can’t trace much further without it. We have a good start on the mapper registers and we’ll pursue these.

Where my Joey really performs above the rest is how versatile it is. You can inject custom address writes and therefore play around with mapper registers and see the effect in real time. This is exactly what we’ll do.

We do as the code does, clear all registers then set the above values and this is what we get when we dump bank0:

The first 2 bytes are important, though we don't yet know what for. After a bit more playing around we find this:

The cart's ROM + SRAM list and their addresses on the cart

We go further and zero $1100 and $0000 and we’re back at the boot ROM ‘GB SMART CARD’

Interesting…

Meanwhile, back in the emulator, we convince the ROM that the cart is attached and that the mystery bytes we found earlier are present. We now get access to the default boot screen as seen on the GB. This is a perfect opportunity to start with the basics, cart pass-through mode. We select ‘Play Card’ and see what gets written to the CPLD:

  • $1100 < $08
  • $3100 < $C0
  • Wait a few cycles
  • $3100 < $C0 again
  • Then jump to $0100. This is the code start point in the GB.

We confirm this with the Joey:

We have another go at the menu, this time selecting to boot Rom#3 & SRAM#1

  • $1100 < $02
  • $3100 < $DB
  • Wait 2 cycles
  • $3100 < $DB

We have another go at the menu, this time selecting to boot Rom#1 & SRAM#1

  • $1100 < $00
  • $3100 < $DB
  • Wait 2 cycles
  • $3100 < $DB

We have another go at the menu, this time selecting to boot Rom#2 & SRAM#2

  • $1100 < $11
  • $3100 < $DB
  • Wait 2 cycles
  • $3100 < $DB

We have another go at the menu, this time selecting to boot Rom#4 & SRAM#3

  • $1100 < $23
  • $3100 < $DB
  • Wait 2 cycles
  • $3100 < $DB

Can you spot the pattern?

The high nibble of $1100 selects the 32k SRAM block to activate.

The low nibble of $1100 selects the 512k ROM block to activate.
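The register protocol recovered so far, as an added example rather than the article's or Joey's code: an encoder for the $1100 nibbles and a decoder that walks a captured write sequence like the ones above. The pass-through and internal-boot values for $3100 are taken from the captures; that the pair ($08, $C0) means pass-through is an observation, not a confirmed register definition.

```python
from typing import List, Tuple, Union

# Register map recovered so far (addresses and values as observed above)
REG_BLOCK_SELECT = 0x1100    # high nibble: 32 KiB SRAM block, low nibble: 512 KiB ROM block
REG_LATCH = 0x3100           # always written twice with a short wait; purpose unknown
PASS_THROUGH = (0x08, 0xC0)  # ($1100, $3100) pair written for 'Play Card'
INTERNAL_BOOT = 0xDB         # $3100 value written when booting an internal ROM

Write = Union[Tuple[int, int], str]  # (address, value) or the literal "wait"


def block_select_value(rom_no: int, sram_no: int) -> int:
    """Menu numbers are 1-based, nibbles 0-based: Rom#3 & SRAM#1 -> $02."""
    if not (1 <= rom_no <= 16 and 1 <= sram_no <= 16):
        raise ValueError("block numbers must be 1..16")
    return ((sram_no - 1) << 4) | (rom_no - 1)


def decode_block_select(value: int) -> dict:
    return {"rom_no": (value & 0x0F) + 1, "sram_no": (value >> 4) + 1}


def decode_trace(writes: List[Write]) -> dict:
    """Interpret a captured write sequence (e.g. one injected with Joey) and say
    which mode it selects; also flags whether the $3100 double write was seen."""
    sel = latch = None
    latch_writes = 0
    for w in writes:
        if w == "wait":
            continue
        addr, val = w
        if addr == REG_BLOCK_SELECT:
            sel = val
        elif addr == REG_LATCH:
            latch, latch_writes = val, latch_writes + 1
    if sel is None or latch is None:
        raise ValueError("trace never wrote both $1100 and $3100")
    out = {"latched_twice": latch_writes >= 2}
    if (sel, latch) == PASS_THROUGH:
        out["mode"] = "pass-through"
    elif latch == INTERNAL_BOOT:
        out.update(mode="internal", **decode_block_select(sel))
    else:
        out["mode"] = "unknown"
    return out


# Three of the selections captured above, as (address, value) writes
ARTICLE_TRACES = {
    "Rom#3 & SRAM#1": [(0x1100, 0x02), (0x3100, 0xDB), "wait", (0x3100, 0xDB)],
    "Rom#4 & SRAM#3": [(0x1100, 0x23), (0x3100, 0xDB), "wait", (0x3100, 0xDB)],
    "Play Card":      [(0x1100, 0x08), (0x3100, 0xC0), "wait", (0x3100, 0xC0)],
}
```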

We still don’t know what $3100 does or exactly how the other registers work. We also don't yet have the flash erase/write protocol, the mapper type selection (if it supports anything beyond MBC5), or the maximum SRAM a single ROM can access (LSDJ requires 128k). Once all of this is identified we can write a script for my Joey software to add flash cart support for the 'GB Pocket Station'.

In Parts 2 & 3 we are going to use a logic analyser to monitor the CPLD activity. We'll write values to it via Joey to fully reverse all the mapper registers. We'll go through the Flash IC datasheet, take a look at the erase and write protocols, and learn how to add support for this cart in Joey's script.

Thanks for visiting and don't forget to subscribe to my FB page for alerts on the next part of the series! If you would like more information on the tools/programs I use, or a more in depth explanation of how I do something, comment in FB. I'll get back to you ASAP.