Reverse-Engineering a Game Boy Clone’s Boot ROM

[nitro2k01] got his hands on a Game Fighter, a clone of the original Game Boy. While there’s a ton of information about the boot ROM and operation of the original Game Boy, not much is known about these clones. [nitro2k01] wanted to learn more, so he used a clock-glitching technique to dump the device’s ROM and made some interesting discoveries about its copyright protection and boot process along the way.

Reading the contents of the Game Boy ROM is a bit challenging. The ROM is readable while booting, but afterwards the address space of the ROM is remapped for interrupt vectors and other uses. There are a couple of methods to get around this, but the simplest method involves glitching the crystal by grounding one of its leads. This causes the CPU to jump to random locations in memory. Eventually the CPU will jump to a location where the boot ROM is accessible (if you’re lucky!).

Although [nitro2k01]’s clone can run the same games as the Game Boy, it has a different boot ROM and also has some significant hardware differences. [nitro2k01] managed to use a modified version of the crystal-grounding technique to glitch his clock and dump the clone’s boot ROM. He found that the clone uses an unusual variation on the Game Boy’s copyright-checking technique, along with some other oddities. [nitro2k01] also posted a disassembly of the boot ROM, which he explains in detail.

Thanks for the tip, [Ove].

Programming a Game Boy while playing Pokemon

We hope our readers are familiar with the vast number of ROM hacks for the original 1st-gen Pokemon games. With certain sequences of button presses, it’s possible to duplicate items in the player’s inventory, get infinite money, or even catch a glimpse of the elusive MissingNo. [bortreb] is familiar with all these hacks, but his effort to program a Game Boy from inside Pokemon is by far the greatest Pokemon glitch ever created.

This ‘total control’ ROM hack was inspired by [p4wn3r]’s extremely impressive 1 minute and 36 second long speed run for Pokemon Yellow. The technique used in [p4wn3r]’s run relies on the fact that the warp points in Pokemon Yellow are right after the item list in the Game Boy’s memory. By corrupting the item list, [p4wn3r] figured out how to make the front door of his house warp directly to the end of the game, resulting in the fastest Pokemon speed run ever.

Realizing this ROM hack is able to control the CPU with only the player’s inventory, [bortreb] wanted to see how far he could push this hack. He ended up writing a bootstrapping program by depositing and discarding items from the in-game PC, and was then able to reprogram the Game Boy with a number of button presses on the D-pad, select, start, A and B buttons.

The resulting hack means [bortreb] can actually make Pong, Pacman, a MIDI player, or even a copy of Pokemon Blue. In the video after the break, you can see all of [bortreb]’s speed run along with the finale of playing a MIDI file of the My Little Pony theme song. [bortreb] has a really amazing hack on his hands here that really pushes the definition of what can be done by tinkering around with a Pokemon ROM.


Zelda is the princess, now Link is too

[Mike] is a huge fan of The Legend of Zelda: The Wind Waker and now that he has a daughter it’s a great time to pass this epic quest down to the next generation. There’s a problem with explaining the plot to his daughter, though: even though the player can name the character after themselves, there’s no way to change the gendered pronouns. Yes, it’s a problem that could have been solved by a cameo by Professor Oak asking, “Are you a boy or a girl?” but [Mike] came up with a better solution: changing all the pronouns with a ROM hack.

There are a few ‘problems’ with altering the dialogue with a ROM hack. Most importantly, all the new pronouns need to be the same length as the words they replace. [Mike] is using the word ‘milady’ to replace ‘my lad’ and ‘master,’ but also had to take a page from critiques of modern epics and replace ‘swordsman’ with ‘swordmain.’
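The same-length constraint, shown as an added example that is not [Mike]’s code: the image layout (a big-endian offset table followed by NUL-terminated ASCII strings), the sample dialogue, and the function names are all constructed for illustration, and the game’s real text format may differ. Because every replacement overwrites exactly as many bytes as it removes, the offsets stored in the table still point at the start of each string after patching.

```python
import struct

# Pairs named in the post; every replacement is the same length as its target.
REPLACEMENTS = {b"my lad": b"milady", b"master": b"milady",
                b"swordsman": b"swordmain"}

def build_sample():
    """Constructed image: big-endian offset table, then NUL-terminated ASCII."""
    strings = [b"Well done, my lad!\0", b"A true swordsman, master.\0"]
    pos, offsets = 4 * len(strings), []
    for s in strings:
        offsets.append(pos)
        pos += len(s)
    return struct.pack(">%dI" % len(strings), *offsets) + b"".join(strings)

def read_strings(image, count):
    """Follow each table offset and decode up to the terminating NUL."""
    offsets = struct.unpack_from(">%dI" % count, image)
    return [image[o:image.index(b"\0", o)].decode("ascii") for o in offsets]

def patch_same_length(image, replacements):
    """Overwrite matches in place; return (patched image, sorted hit offsets)."""
    for old, new in replacements.items():
        if len(old) != len(new):
            # A longer or shorter string would shift every later byte and
            # invalidate the offsets stored elsewhere in the image.
            raise ValueError("%r -> %r changes length" % (old, new))
    out, hits = bytearray(image), []
    for old, new in replacements.items():
        pos = image.find(old)          # search the original, not the output
        while pos != -1:
            out[pos:pos + len(old)] = new
            hits.append(pos)
            pos = image.find(old, pos + len(old))
    return bytes(out), sorted(hits)

if __name__ == "__main__":
    original = build_sample()
    patched, hits = patch_same_length(original, REPLACEMENTS)
    print(hits, read_strings(patched, 2))
```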

So far, everything is working as planned and [Mike]’s daughter [Maya] is enjoying seeing herself sail her dragon ship and battle foes. It’s a great effort to bring some semblance of gender neutrality to a classic game, and an awesome project for a really great dad.

Thanks to [Guillaume] for sending this one in.