Dissecting Pokemon Red Savegame

  • Published: 8 Sep 2024

Comments • 283

  • @Gameboygenius 4 years ago +717

    Hi. I run that GB dev wiki. I'd recommend using BGB for debugging work, which has a nice graphical debugger. It's for Windows, but its author explicitly supports running it under Wine. If you're interested in pointers on how to use it, I might be able to help you. I also remember that I once coded a Gameboy crackme for someone who needed something for a multi-part CTF. I could send it to you if you want to go deeper into GB reversing. Might make a good video.

  • @dynamichunter843 4 years ago +44

    This is awesome. I’m a CS student, last semester took a computer security course. Our professor had us do a project hack the hex code of an old DOS game called Ultima 5, we had to create a Python script we could run to give us infinite health, mana, items, buff our stats, rename our characters, and so on. It was really hard to learn what we were at first but once we figured it out it was really fun and cool to have done it.

    • @chriskaprys 1 year ago +1

      That's so friggin cool. What a fun, interesting, practical way to learn!

  • @DeusGladiorum 4 years ago +39

    As a kid, I remember thinking my Pokémon game’s map was created from the physical layout of the cartridge. The circuits on the PCB must’ve been the roads and the capacitors and VRMs were the buildings and towns. Different times haha. Great video.

    • @AsilarWindsailor 8 months ago +1

      That would kinda be a cool idea for a game I think. Tell the players that they are already holding the map and the silkscreen would show town names and such in the cartridge that you could see through the plastic of

    • @AsilarWindsailor 8 months ago +1

      If you used multi-layer boards you could get all the connections you'd need for it to work and then use the topmost layer to lay out some traces that would be the map. They could still be functional too if you worked it out right

  • @Seek64 4 years ago +60

    As an embedded system engineer and gamer I really love detailed videos like this.

  • @codinginflow 4 years ago +46

    Greetings from another German
    Pokemon 1st Gen really made my childhood

  • @GunGryphon 4 years ago +37

    When I was dabbling with my Pokemon saves, I didn't spend the time to doctor the checksum properly. Instead, I found the easiest way was to use the emulator's built-in hex editor to modify the RAM values during runtime (with the game paused). These then saved as normal.

  • @Steinyamite 4 years ago +2

    This is really cool. For anyone wanting to keep their save and not do all this hassle, there’s a trick I’ve known and done myself. Turn on the game and just have it running. Open the cart first so you have access. While it running away out the batteries and after the new one is soldered on just save again. And boom everything is fine

  • @DacoTaco 4 years ago +5

    oh shit, finally a LiveOverflow video that i knew everything about cause i worked on a GBC/A rom & ram dumper myself few years ago (which i obviously used to look at pokemon red/blue & gold/silver xD )
    however, i agree. the way the gameboy works and how it bypasses all of its limitations is soooo interesting!
    it, imo, clearly shows that back in the day they had to be very inventive to get something done!
    as for the ram being enabled and disabled, iirc it was due to how the memory bank controller and sram were designed. for some games (depending on the cart type) if ram is enabled and the cartridge is powered off, the ram can get corrupt or wiped. at least that's what i noticed with super mario land 2 (MBC2, not 3)

  • @justinransburg5560 4 years ago +9

    So let me get this straight...you’re telling me that “Bill’s PC” is a real place and not just a weird guy in a Kabuto costume that keeps your extra Pokémon?! Mind blown!

  • @DeusGladiorum 4 years ago +17

    Haha pretty easy to see why game shark codes were everywhere back in the day when they only had to contend with an 8 bit checksum. But I guess a checksum was implemented less for security, and more to prevent random bit flips from going undetected.

    • @3lH4ck3rC0mf0r7 4 years ago +1

      Checksums exist to detect unexpected flips in storage data, not unexpected flips in active memory.
      The GameShark family worked by hijacking the communication between the game cartridge and the console and patching the game's ROM on the fly. While Action Replay and other more modern cheat mechanisms work by hooking a small piece of code to be run every frame, locking specific RAM values to what the cheatcodes have set.
      PC game cheating software works in exactly the same way, implementing the same memory lock mechanism by taking advantage of the OS's native multitasking support and timers, and using special functions in the OS intended for debuggers, to gain access to the game processes' private memory. Either that or hooking custom code into the game that changes its behavior in more advanced ways.
      After all, nobody really cares about stopping you from cheating singleplayer games. If you want to cheat in your own singleplayer experience that's just for you and you alone anyway, that's your decision to make.
      In fact, there's also many online game servers that trust in the game client's logic, and will only react to desynchronization of the game instances across players. Thus, if hackers make a private lobby where their games are all running with the exact same modifications, their games will stay synchronized, and those servers will let these uniformly hacked lobbies play with no issues. This is my personal favorite approach to online play, since if me and my buddies are all hacking privately with the same rule changes applying to all of us equally, then it's not cheating anymore. We're basically just playing a new game. It's a less reliable server design though, and things can slip through the cracks...
      Unfortunately, there's also selecting normally unselectable characters, items and maps (if the devs don't account for it). Since they exist in every copy of the game, and those are technically valid object IDs, if those IDs end up on the network for any reason, many games will load those resources and allow those components to spawn online. That is cheating though, since hacking your game to select unselectable things doesn't usually allow other players to select them too.

    • @ChaosHillZone 3 years ago

      @3lH4ck3rC0mf0r7 Ah there was something back in the Black Ops 2 days where there was a camo for a weapon that you could only get if you pre-ordered the game. If you set the right item ID in memory it would show it, but as soon as you went into an online game the server would realise and it would be removed from your weapons.
      Interestingly though, there was a second set of IDs with one of them pointing to the same camo. That ID didn't get checked by the server - so you could essentially hack your account to be able to use it. (Although you needed to have bought another specific DLC camo for it to stick properly).
      I wouldn't call that cheating though - it was only a visual thing.

    • @3lH4ck3rC0mf0r7 3 years ago

      @ChaosHillZone It is cheating if it affects gameplay in a way that puts the hacking player in unequal grounds compared to the other players. Super Smash Bros. Ultimate has a valid character ID for Giga Bowser in its code. Hack your game to select it, and you'll be playing as an overpowered boss character online. You can also select story-mode maps or special maps that are not designed to have Vs. matches playing on them, where their death boundaries do not conform to Vs. Match standards.
      I'd say selecting a hidden character is cheating, but selecting a hidden map may or may not be. A hidden map is weird for everybody, not just you, and it is just as likely to benefit any given player as it is to play against them, not just the hacker. Of course, the hacker is likely to pick maps that they'll know will favor them, but this also relies on the hacking player being granted their turn to pick a map. If it is another player's turn to pick the stage, this doesn't happen in the first place.

    • @ChaosHillZone 3 years ago

      @3lH4ck3rC0mf0r7 I get that, but a gun camo in call of duty doesn't give you any advantage whatsoever. Never have I not noticed an enemy because their gun was camouflaged.
      ...or maybe I have 😂

    • @3lH4ck3rC0mf0r7 3 years ago

      @ChaosHillZone Yeah, I know. I wanted to put that example out there though, because I actually saw it in action (ZeRo made a video when a hacker entered one of his public arenas and this stuff is exactly what ensued)
      I know Nintendo pulls a lot of telemetry and uploads crash information of the games to the servers because I also use a modded Switch and had to turn off all that stuff (although I'm not subscribed to the online service, so I can't go online even if I was not modding), and given the game did crash for these guys several times in one of the hacked stages, I assume Nintendo had more than enough data sent to them to ban RareKirby's console on the next audit. But I can't know that for sure...
      And then there's the mess that is Fallout '76. Fallout '76 is special, because its servers completely trust all the game clients at an entity/engine level.
      That game just sends all the entity state changes caused by their players to the servers, and no sanitization of those state changes takes place. Meaning any silly scripthook will trigger state changes, get them processed by the game engine, and then the engine automatically just uploads those changes into the servers online, and into other people's games. This is insane, almost any mod shy of custom assets that would typically only work in a singleplayer game works online there. This went as far as freely spawning NPCs and entities left lingering in the game's code from older Fallout games, and outright _stealing inventory items from other players._ Yes, as in, you're in my render distance, and I get your inventory, while you look and find that all your items have disappeared. And let me say, that is not how any online mode should work.

  • @lotrbuilders5041 4 years ago +9

    About flash memory. It had only been affordable in the last ~25 years. Before that it would have been too expensive.
    Flash wouldn’t save you though. It’s far more complex to write to and also retains data for

  • @alejandrorojas1423 3 years ago +2

    I have not held one of these kind of cartridges for a quarter of a century yet that thumbnail immediately reminded me of what it felt like to rest my thumb in that oval groove while I held these as a kid. The brain is crazy 😲

  • @junehanabi1756 4 years ago +2

    Flash wasn't feasible back then for this, the biggest reason was the Gameboy deals with writing individual bytes. Flash Memory has pages of data. You can read individual bytes but you must erase a "whole page" of data which is a huge chunk of data and then re-write all that data back including the changes you want to make. This wasn't feasible at all for the Gameboy. It needed to be able to read and write individual bytes. SRAM was actually somewhat expensive but worth it because you get the fine-grained control and it's really fast.

  • @yukisaitou5004 4 years ago +36

    I also like to rename my personal backup ROMs following No-Intro guidelines ;3

    • @BenjaminWeeb 4 years ago +4

      (SGB Enhanced)

    • @Legend1148 4 years ago

      I was looking to see if someone pointed this out before I commented LOL

  • @conflagration95 4 years ago +2

    So to make sure I understand how the memory banks work, since all the player data etc could not fit in a single 8KB chunk mapped by the memory map, there was actually more than 8KB of RAM on the cartridge and by changing the bank you changed which 8KB chunk of the cartridge RAM you can see when accessing A000-BFFF? Amazing video by the way!!

    • @gyroninjamodder 4 years ago

      Yes

    • @junehanabi1756 4 years ago

      Pretty much, it's one reason why I love writing homebrew games for the GB because I'm fascinated with the idea of bank switching and custom PCB designs. The creativity is endless.

  • @Qbe_Root 4 years ago +123

    It feels kinda wrong to use external tools on Pokémon Red, a game so broken that it led to arbitrary code execution on not only the GameBoy line, but also the Nintendo 64!

    • @fgregerfeaxcwfeffece 3 years ago +3

      "Broken" is a bit unfair in this context. They simply did not have storage for more checks. This can easily be verified by the fact that the Pokemon games are among the biggest few game boy roms in existence.
      It's more of a display of: Nothing is free.
      Not even the "magical performance gain" some people attribute to assembly. You mostly cut corners like checks.
      Higher level languages just went off in an entirely different direction. Just to have data types you need to allocate tons of storage just for metadata that tells the system how to treat the actual value.
      While on the GameBoy you just wrote the values and prayed nothing tries to mess with them in an uncontrolled fashion like god forbid overflow something.
      That's why a modern 32bit integer will never just use 4 bytes. because 4 bytes would be just the payload. Then you have nothing that tells the program stuff like:
      How big is this? What type of data is it?
      So assuming just 1 byte for each of those 2 questions would be 6 bytes of total storage need.
      5 if you say the data type is the first one and assign int32 its own number, but then you are limited to 256 data types of which signed and unsigned int32 already take up 2.
      But assuming IBM sort of standard the first few bytes usually indicate the length.
      And even then we haven't even touched on the additional code requirements to actually use this additional information. (And even then the computing cycles to check em.)

    • @Qbe_Root 3 years ago +1

      @fgregerfeaxcwfeffece I didn't say they could have easily done better, just that the game's broken

    • @31redorange08 2 years ago +1

      @Qbe_Root So how often did you execute arbitrary code on accident?

  • @junehanabi1756 4 years ago +2

    The gen 1 games did a hack and spillover extra vram buffering into the upper part of bank 0. It spills over frequently from the moment you turn on the game, the reason the sram is enabled when you open your trainer card is likely because it's using the extra vram buffer space while it's open. I've determined that the data isn't important at all to actual save data and you can safely wipe it out so in the Bulbapedia page I added that it was just garbage data leftover from vram buffering and that was safe to clean if desired.

  • @felixjochems2749 4 years ago +4

    10:29 Had a good chuckle at the redstarOSX haha

  • @showmeyourcritz321 4 years ago +1

    Believe it or not, I thought about exactly this the last weeks.
    I started playing my old Pokémon games on my GBC during corona quarantine. While using these well known glitches to catch every Pokémon without trading etc, I thought about how it works (must be some buffer overflow obviously). Then I thought that it would be a great topic for a Live Overflow Video and... well... here it is :) Good job

  • @lior_haddad 4 years ago +62

    TheZZAZZGlitch has some useful info about these games, I recommend checking that channel out

    • @bonkmaykr 4 years ago

      HOW DO I SAY ZZAZZ? WTF

    • @ais4185 4 years ago

      @bonkmaykr Just "zazz", I think.

  • @olliehug1132 4 years ago +4

    Some of the data that changed in the .sav that wasn't the checksum could be rng progression, since ik when the rng starts from the same seed rng can be abused (like pokemon emerald or ruby/sapphire with dead batteries) It would make sense that these things would not be the same between files because taking the same actions at the same time in each file would be very difficult

    • @pontiacg445 5 months ago

      First gen had trainer IDs, random number generated to tell if you got the pokemon in a trade. That is what the first difference other than names was. The next was play time, nothing at all to do with RNG.

  • @Lucas_van_Hout 4 years ago +1

    2:39 it only existed for 2 years though it wasn't until the year 2000 that it found its way into flash drives. The drives weren't immediately popular for the simple reason that they were expensive. At the end of 2004, the magazine Computerworld had one flash drive listed for over $400. Considering these prices way later it made sense.

  • @thamugadi7715 4 years ago +1

    Save data hacking has also been used to trigger a buffer overflow in Zelda Twilight Princess, it was the entry point of twilight hack :)

  • @jevansturner 4 years ago +1

    I made a Link's Awakening save file editor back in the very early 2000s. Apparently I didn't need to fix the checksum. Back then I was testing my modified saves with a real Game Boy. I had the Bung GB Xchanger and Doctor GB Card 64M (8MB) flash / backup device. It's kind of amusing to see someone come to the realization that a .sav is just a dump of the SRAM contents. I always thought that was obvious. My perspective was as someone who would freely move SRAM data between emulators and real hardware using backup devices for SNES, Game Boy, N64, etc.

  • @Sparkette 4 years ago +1

    1:05 Plot twist: that's Pokémon Blue.

  • @CyReVolt 3 years ago +1

    You will also find these memory banks in your laptop's embedded controller. :-)
    When I was a kid, I used to hack Pokémon and other ROMs. The "encoding" is a reference to an index in a sprite map, and what we did was editing the characters (using a tool named TileLayer) and writing new translations for the Japanese games by editing the occurrences of the "text" in a hex editor. That was a lot of fun and easy once you knew it. :)

  • @YoavSilver 4 years ago +4

    "Oh, mein nostalgia is kicking in"

  • @AndreasWilfer 4 years ago +5

    Awesome, something really close to my heart!

  • @Lauren_C 4 years ago +6

    I remember that whenever a box is changed in the Gen 1 games, that the game must be saved. Is it due to an internal RAM limitation that the one box limit is imposed?

    • @renakunisaki 4 years ago +2

      Yes.

    • @junehanabi1756 4 years ago +1

      So the game save has 4 banks. Bank 0 is mostly garbage but contains HOF data. Bank 1 is pretty much 99% of the game. Bank 2 and 3 are identical and they contain boxes 1-6 and 7-12. The way the game is designed, only 1 box is active at a time and that's to simplify code and memory usage. The game has a "cached box" or a "fake box" in bank 1. The box you are currently using is actually the fake box. When you change boxes it has to copy the fake box in bank 1 over the real box in bank 2 or 3 overwriting it. Then it has to copy the box you want to switch to from bank 2 or 3 to the fake box in bank 1 overwriting it. This is why the tedious save mechanism for bank switches. They didn't have to have this complicated system but they did it for performance since they gamble you won't change boxes too often.

  • @kinsi55 4 years ago +17

    If you haven't heard of it before I'd recommend checking out 010 Editor, imo it's one of, if not the best, Hex editor with a ton of features. If you do a lot of Hex stuff it's probably worth it.
    Bought a 2nd hand pkmn red game back in the day and my Save kept getting corrupted and I had no idea why :(

    • @4g3v 4 years ago

      @vlnux I've only tried the trial of 010 but the templates work great. It's really helpful when reversing some unknown file format www.sweetscape.com/010editor/templates.html

    • @LameCarrot 4 years ago

      Oh yes. I love 010 Hex Editor. It's great!

    • @junehanabi1756 4 years ago

      @4g3v I made an 010 template covering every single variable across the entire save file github.com/junebug12851/pokered-save-editor/blob/master/non-app-assets/savefile-structure.bt ---- Personally I love the editor although it's designed for very complex modern binary files so it can sometimes be overkill for just an old GB Sav file. The templating system was worth the money though.

  • @svampebob007 4 years ago +2

    that's why I wish YouTube still had the star rating!
    that's a solid 3.5 out of 5 video, it's very basic, yet explains the fundamentals of "hacking" ideology.
    I found this video kinda disappointing since it's mostly what most of us "tech" people do while debugging or troubleshooting, but for people getting into "hacking" it's a very good video!
    I'm not boasting about being a super hacker, since that's literally how I started my career in computers, figuring out how games and software works made me understand how "electronics" work (the general logic).
    I wouldn't call it hacking though, that's just understanding how shit works, so a strong 3.5 out of 5, it's better than the average "hacking how to" video, but not very informative to anybody that already knows the very basics.

  • @GreyCartridge 3 years ago

    The name comparison trick is actually how I start any new translation project, although my go-to names are usually DAD and DAN

  • @oneandonlycara 4 years ago +3

    @8:19 at least part of it could be the trainer id as that's supposed to be unique for every new save game

    • @renakunisaki 4 years ago +1

      There's also the play timer.

  • @MrGeekGamer 4 years ago +2

    I tried a similar approach with an old DOS game, but it seemed to change very many things even after just opening and resaving the file, so the technique isn't always appropriate.

  • @B3TA420 4 years ago +11

    Does anyone know why he did checksum&0xff at line 11 in his script at 9:58?

    • @LiveOverflow 4 years ago +12

      To mask the output to just be a single byte

    • @B3TA420 4 years ago +5

      @LiveOverflow Ah, thank you
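
The masking question in the thread above, and the bank layout other commenters describe (a 32 KiB .sav made of four 8 KiB banks seen through A000-BFFF), worked through as an added example; this is not the script from the video or any commenter's code. The checksum range and location are assumptions taken from community Gen 1 save-format documentation, not from this page, and the save image is constructed.

```python
"""Added example: 8-bit additive checksum over a banked 32 KiB save image."""

BANK_SIZE = 0x2000              # 8 KiB window the cartridge maps at A000-BFFF
BANK_COUNT = 4                  # four SRAM banks -> one 32 KiB .sav file
SAVE_SIZE = BANK_SIZE * BANK_COUNT
SRAM_WINDOW_BASE = 0xA000

# Assumed offsets (community Gen 1 save documentation, not from this page).
CHECKSUM_START = 0x2598         # first byte covered by the main checksum
CHECKSUM_END = 0x3522           # last byte covered (inclusive)
CHECKSUM_OFFSET = 0x3523        # where the single checksum byte is stored


def split_banks(sav):
    """Cut a raw SRAM dump into its 8 KiB banks."""
    if len(sav) != SAVE_SIZE:
        raise ValueError("expected a %d-byte save, got %d" % (SAVE_SIZE, len(sav)))
    return [bytes(sav[i:i + BANK_SIZE]) for i in range(0, SAVE_SIZE, BANK_SIZE)]


def file_offset_to_bus(offset):
    """Map a .sav file offset to (bank number, address seen by the CPU)."""
    if not 0 <= offset < SAVE_SIZE:
        raise ValueError("offset outside the save image")
    return offset // BANK_SIZE, SRAM_WINDOW_BASE + offset % BANK_SIZE


def compute_checksum(sav):
    """Sum the covered bytes, invert, keep one byte."""
    total = sum(sav[CHECKSUM_START:CHECKSUM_END + 1])
    # Python ints are unbounded, so ~total is a negative number.
    # "& 0xFF" keeps only the low 8 bits, i.e. what fits in the stored byte.
    return ~total & 0xFF


def verify(sav):
    """True when the stored checksum byte matches the recomputed one."""
    return len(sav) == SAVE_SIZE and sav[CHECKSUM_OFFSET] == compute_checksum(sav)


def build_sample_save():
    """Constructed test image: patterned data with a valid checksum."""
    sav = bytearray(SAVE_SIZE)
    for i in range(CHECKSUM_START, CHECKSUM_END + 1):
        sav[i] = (i * 7) & 0xFF
    sav[CHECKSUM_OFFSET] = compute_checksum(sav)
    return sav


def flip_bit(sav, offset, bit):
    """Simulate storage corruption: one bit changes at one offset."""
    out = bytearray(sav)
    out[offset] ^= 1 << bit
    return out


def compensating_edit(sav, a, b):
    """Two changes that cancel in the sum (+1 at a, -1 at b, modulo 256)."""
    out = bytearray(sav)
    out[a] = (out[a] + 1) & 0xFF
    out[b] = (out[b] - 1) & 0xFF
    return out


if __name__ == "__main__":
    sav = build_sample_save()
    print("banks:", [len(b) for b in split_banks(sav)])
    print("checksum byte lives at bank %d, address %04X"
          % file_offset_to_bus(CHECKSUM_OFFSET))
    print("clean image verifies:", verify(sav))
    print("bit flip inside covered range detected:",
          not verify(flip_bit(sav, 0x2600, 3)))
    print("bit flip in bank 0 (outside range) detected:",
          not verify(flip_bit(sav, 0x0010, 3)))
    print("two cancelling changes detected:",
          not verify(compensating_edit(sav, 0x2600, 0x2601)))
```

The last two cases show the limits of this kind of check: it catches a stray flip inside the covered range, but it says nothing about bytes outside that range or about changes that cancel out in the sum.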

  • @chunye215 4 years ago +1

    Yep, found my Pokemon silver Cartridge a year ago and the save was gone. Childhood gone. I guess the real time clock made it drain faster than other games.

  • @homesteadishdad 2 years ago

    What a blast from the past. I was a Pokemon Blue kinda guy but this is still an awesome walk down memory lane, plus hacking lol

  • @CharlesDevMusic 2 years ago

    Nice video! Much better than reading text to research.

  • @Adowrath 4 years ago +1

    afaik that wasn't 8'000 bytes, but 32KiB! At least that's one of the common save sizes I see in emulators.

  • @loulou3676 4 years ago

    My copies of Red and Blue still hold their saves, 22 years later. I wonder what the difference is. Gold died, but I know those games' batteries died more quickly due to the in-game clock feature. Didn't realize Red and Blue batteries could die too. Backing everything up onto Pokemon Stadium for now... a quick google search indicates that Stadium should be able to hold its save indefinitely.

  • @ricardo.mazeto 4 years ago +2

    This is the hacker version of a magician revealing how a trick is done. Humbling, but cool.

  • @Lovuschka 4 years ago +1

    The other data that changed between AAAAAAA and BBBBBBB is most likely the elapsed time in seconds/milliseconds.

  • @tracetv8115 4 years ago

    Your videos are just extremely nice! A thousand thanks for them, and here's to you getting 3 million more subscribers!

  • @Rzv-On-Ytb 4 years ago

    I have been waiting for this video for a long time. Good work!

  • @LameCarrot 4 years ago

    Thanks for the awesome video! Certainly brings back some awesome memories. :)

  • @slendi9623 4 years ago

    Never expected this collab

  • @thiscateatspancakes2451 4 years ago +3

    8:18 this data contains player ID, which is generated randomly when starting a new game

    • @bsharpmajorscale 4 years ago

      Oh, I thought that was an RNG thing that generated based on your player name.

    • @thiscateatspancakes2451 4 years ago

      @bsharpmajorscale I am not sure about the other data, I am just sure one is the ID player

    • @bsharpmajorscale 4 years ago

      @thiscateatspancakes2451 I think there's a run where they give the player a specific name to manipulate certain RNG. But that's probably unrelated to the random player ID.

    • @junehanabi1756 4 years ago

      @bsharpmajorscale The player id is a separate thing altogether and doesn't have anything to do with the name. It's just extra security defense so that if you trade Pokemon with someone who has the same name, the game can differentiate which is a trade Pokemon and which isn't.

    • @bsharpmajorscale 4 years ago

      @junehanabi1756 Got it.

  • @lukasblenk3684 3 years ago

    It's some time ago I played around with my game boy, but if I remember correctly there are multiple cartridge types which vary in how the banks and memory are organized. The type of the Cartridge is stored somewhere at the beginning near the Nintendo Logo.

  • @BlackHermit 4 years ago

    This is so cool! Please make more videos on this topic!

  • @Johann_ 11 months ago

    Nice stuff!
    Do you think it's possible to replace the RAM by flash memory on cartridges?
    Should the code of the game be rewritten to fit such changes?
    In some, make a new version of cartridges to expand memory and cpu/gpu to have optimized newer version of old games? x)

  • @FISS007 4 years ago

    Damn, this brought back so much memories =)
    I still have my Gameboy advance and the pokemon blue cartridge =)

  • @Aliferopoulos 4 years ago

    I love this series! Can't wait for more videos.

  • @keanu_ 4 years ago

    Omg, if I could have asked for a video of you, it would have been this. ❤️

  • @rakeshchowdhury202 4 years ago

    My Favourite 2 Guys in 1 video. This is a masterpiece !!!!

  • @derlumpenhans 4 years ago

    Is this a "STOP WASTING YOUR TIME" project? :) Really amazing content because probably 80%+ can relate to this nostalgia.

  • @dogerman202 4 years ago

    what a legend and great introduction, thanks for sharing this

  • @rod7517 4 years ago +8

    i will give you another challenge and i don't know if it is possible. The challenge is to Mod the starter level, lets say you want to make a custom area or one easier challenge would be to remove one blocking tile from the level so you can leave the playable area from the start level... that would be cool

    • @tiavor 4 years ago +4

      There is a thing called ROM-hacks, modifying the original game or even complete reworks and new levels. The SuperMario and Zelda ROM-hack scene was very active in the past few years. look up "kaizo" and be amazed what is possible with rom-hacks. (together with smb or swm; kaizo means rearranged but its current meaning is more like "in the spirit of the original kaizo levels" = very hard; so you will also find a lot of smm kaizo)
      while you are at it, look for speed runs in general. the exploits they use are often really crazy. my favorite speedruns are still smw, only 45 seconds from intro to credits :D

  • @joemck85 7 months ago

    11:33 "It is recommended to disable external RAM after accessing it, in order to protect its contents from damage during power down of the gameboy." --I'd bet the NES doesn't have this RAM enable function, and it's why manuals for NES games that have save files instructed players to hold in the reset button while turning off the console, while Gameboy games only caution players not to turn off while saving.
    This also makes me wonder if there's any danger of errant writes from low-voltage-glitched instructions destroying your save if you shut off the Gameboy while viewing the player profile screen.

  • @LegacyVision. 4 years ago +1

    Diffing is how trainers are made, is good to know.

  • @Palontras 4 years ago +3

    8:18 this might be the RNG, the game calculates based on how long the game is running etc

  • @Dallen9 4 years ago

    Flash memory didn't exist as we know it till 2000 and the first thumb drive came out around 2001 so the Gameboy pokemon games didn't have access to Flash memory till the GBA era.

  • @rdxdt 4 years ago +1

    With my jailbroken ps vita i hacked so many save files, it's a really cool hobby, the easiest game to hack was Dead or Alive Xtreme volleyball

  • @hamzaavvan 4 years ago

    Great video, so much to learn.

  • @MMGsimon 3 years ago

    So basically gamesharks modifies addresses of ram adding items, spawning pokemon etc.. cool stuff!

  • @dragoran149 4 years ago +6

    Would be nice if you continue this. I'd like to know how the missingno bug happens.

  • @MrMaxi2000 4 years ago +1

    I understand nothing but it impresses me.

  • @damantioworks 4 years ago

    That pokemon blue cartridge looks like a counterfeit one

  • @m4rt_ 11 months ago

    This kinda reminds me of the video MattKC made on recovering a corrupt PlayStation 2 save file.

  • @kommandant.357 4 years ago

    Thanks! I really needed it!

  • @abdarafi 4 years ago +1

    Very good job!!

  • @maxtornogood 3 years ago

    When I was growing up playing Red & Blue I had no idea of the concept of saved game data only being held in place by a trickle of battery current. I turned Red on one day to find the save data gone. I was disappointed & confused to say the least.

  • @NachtElfi 3 years ago

    You are a "guter Junge" and I love your videos. Keep it up :)

  • @whty541 4 years ago

    Awesome video

  • @rebarius 3 years ago +4

    At the first sentence I knew: this is definitely a German guy 😂

    • @luiseduardo3107 3 years ago +2

      Same thing, I'm German and immediately I searched for comments like yours. Great video though

  • @henny022 4 years ago +1

    Reverse engineering save files is fun, reversing the checksum on the other hand can be really annoying

  • @jairusmaximus 4 years ago

    woah thank you this was a very interesting video sir :)

  • @HaxorBird 4 years ago

    Video was fun.

  • @sonicthehedgehog5088 3 years ago

    If the whole save data (or bank 0) was checksummed, encountering Missingno would wipe the save file!

  • @konstantinrebrov675 4 years ago

    Bring back the bunny introduction!

  • @MrLuke255 4 years ago +1

    Why didn't they use rechargeable batteries in these cartridges? Such cartridge could be recharged while playing which would solve the problem. But they probably thought no one would need the state of the game after 15 years...

  • @Kyss007 4 years ago

    I love this video, do more gameboy stuff ^^

  • @michaelmock9084 3 years ago

    This is that 3am rabbit hole video

  • @patricklaune5712 3 years ago

    Here i have my personal backup of pokemon red
    SGB Enhanced xD

  • @dracenmarx 4 years ago +1

    What usage has the enable and disable RAM function?

    • @renakunisaki 4 years ago

      It protects the save data from being corrupted.

  • @Theinsiders1221 4 years ago

    Great Video!

  • @n3k0lein 4 years ago

    Man you really need to take a look at the Arbitrary Code Executions the first 3 generations allow.
    Gen3 is really cool, a solid 650.000 "glitch moves" from an underflow in the HP.
    It would also corrupt other parts of your ram, a few item slots, pokemon in box ofc etc.
    Gen 1 has an item called "8F" which more or less allows writing code directly to your ram if you use it from your inventory. Fun stuff.
    Edit: glitchcity has instructions for most of those glitches.. It'll also lead you to people that seem like they spent the last 20 years exploiting pokemon games.. TheZZZAZGlitch (or something like that) is a good example

  • @Xontaro 4 years ago +2

    Nice hostname, btw.

  • @ilbinek_ 4 years ago +4

    I was getting worried something happened to you. Will you continue with windows hacking and pwnadventure?

  • @causalcausal5700 4 years ago

    Lov ur Stuff

  • @manu6910 4 years ago

    This is a very cool project

  • @Ragz10 3 years ago

    That's so cool

  • @antonsavelyev4258 4 years ago

    Super cool!!!

  • @jerryborjon 3 years ago

    Dissecting Pokemon Red Savegame While Pokemon Blue Watches

  • @dmitrysergeenko804 4 years ago

    That was very interesting!!!👍👍👍
    More videos like this!

  • @Press-Any-Key 4 years ago

    The other data that was changed could be the game's RNG, since it changes based on different circumstances

  • @OpenKeith 4 years ago +1

    1:04 oh boo

  • @justnick7940 4 years ago

    I remember doing that, I think it also worked on ps2 with a memory card😃

  • @TheGrimravager 4 years ago

    holy shit, this was awesome! :D

  • @Stroid9 4 years ago

    Nice. Maybe we finally can get Magikarp to do something helpful

  • @stiky5972 4 years ago

    I've never owned a gameboy but damn this is kinda interesting