Gameboy Reverse Engineering & Hacking

Part 1:

Since the release of the Gameboy there have been shady companies producing flash carts, ROM duplication systems, ‘transferrers’ and cloned carts of the more popular game titles. The history of such companies and Nintendo’s response is an entertaining read which I recommend if you have a lazy afternoon spare.

30 years on, a lot of these old devices occasionally surface on online auction sites, gaming forums or through word of mouth. When I stumble upon such items I typically try to snap one up, not just for my collection but to pull it apart, see how it works and see how they tried to circumvent the copyright laws of the day. Many of these carts can be re-purposed or hacked. This series will show how I go about reversing the hardware and software inside the ‘GeNiUs GB Pocket Station’.

Some time post 1993 (the latest date stamp on the ICs within) Genius marketed this unique game ‘backup’ system. This self-contained unit was designed to back up or clone your existing GB/C cart ROM and save file to its internal Flash ROM and SRAM, allowing you to play your game without your original cart. This in itself would be useful, and to take the functionality a step further it has the option to store multiple ROMs and save files, and even to switch saves between ROMs. With no direct connection to a PC, ‘piracy’ in the sense of online downloading is avoided, though illegal copying of a licensed Nintendo cart is still possible.

To the GB hacker this means 2 things:

  • The Flash ROM can be written by the Gameboy during use, and therefore by an external cart flasher
  • There is programmable logic within the cart to manage bank switching, ROM mapping, SRAM management and Cart Passthrough.

Where do we begin? We can take two approaches, the first being hardware based. This would involve reversing the PCB to generate a schematic, or at the minimum a block diagram, to see which lines are controlled by what. Even then we still wouldn’t know how the CPLD works and would need to look into the code.

The second and somewhat simpler method is to reverse the software (BootROM) to identify which registers the programmable logic responds to and exactly what they do. I’ll be taking the second approach.

Dumping the Boot ROM

All GB carts must have the first bank accessible to the GB regardless of which mapper, if any, is used. The Gameboy begins executing this code after its own internal copyright check, and this is where we begin the disassembly.

Reading the header from the cart suggests a ROM size of 512 kbytes, so this is what we dump with Joey. Upon viewing it in a hex editor we see that the entire ROM repeats every $2800 bytes (10,240 bytes), which is very unusual for a GB ROM and likely an artifact of the mapper.
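As an added example (not code from the post or from Joey), this script checks a dump for the $2800 repeat described above and pulls out the single unique block. A real run would read the 512k Joey dump from a file; here a stand-in dump is constructed in memory so it runs on its own.

```python
import random
from typing import Optional

ROM_SIZE = 512 * 1024    # header-reported size that was dumped
REPEAT = 0x2800          # 10,240 bytes, the repeat seen in the hex editor


def find_period(data: bytes, probe: int = 16) -> Optional[int]:
    """Smallest p such that data[i] == data[i - p] for every i >= p, else None.

    The period need not divide len(data): 512 KiB is not a multiple of $2800,
    so the last copy on this cart is partial. A short probe compare rejects
    almost every candidate cheaply before the full slice compare.
    """
    n = len(data)
    head = data[:probe]
    for p in range(1, n // 2 + 1):
        if data[p:p + probe] == head and data[p:] == data[:n - p]:
            return p
    return None


def unique_block(data: bytes) -> bytes:
    """The bytes that carry information: one period, or the whole dump."""
    p = find_period(data)
    return data[:p] if p else data


def build_sample_dump(size: int = ROM_SIZE, period: int = REPEAT,
                      seed: int = 1) -> bytes:
    """Constructed stand-in for the dump: a random block repeated every `period` bytes."""
    rng = random.Random(seed)
    block = bytes(rng.randrange(256) for _ in range(period))
    reps, rem = divmod(size, period)
    return block * reps + block[:rem]


if __name__ == "__main__":
    dump = build_sample_dump()
    p = find_period(dump)
    print(f"repeat period: ${p:04X} ({p} bytes)")
    print(f"unique block: {len(unique_block(dump))} of {len(dump)} bytes")
```

A period of 1 means the region is uniform (e.g. blank $FF flash), and None means no repeat was found at all.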

We load our 512k ROM into our emulator/disassembler and step through the code. We see the code check the GB type (DMG/Colour/Super Gameboy), then copy a block of code to RAM, to which it then passes control. This is an indicator that bank switching or ROM writing is about to take place: you cannot run code from a Flash ROM that is being erased, remapped or written, so it is instead run from the GB’s internal RAM.

Looking at the code we find the mapping registers at these addresses:

  • $0000 – Typically an SRAM enable/disable register found in MBC5-based carts
  • $1100 – Although this address is also valid as an enable/disable address in MBC5 carts, that is not its purpose here.
  • $4100 – Again, this can be used for bank switching in an MBC5, but the $100 offset indicates it has another purpose.
  • $3100 – And again, this can be used for MBC5 purposes, but the $100 offset suggests otherwise.

The code first initialises all these registers to $00, then sets them to a default state:

  • $0000 < $0A – This is the stock SRAM Enable command
  • $1100 < $80 – Not a standard MBC value/address
  • $4100 < $90 – Not a standard MBC value/address

The emulator expects to see valid data in the ROM region, which isn’t there, so we can’t trace much further without it. We have a good start on the mapper registers, and we’ll pursue these.

Where my Joey really performs above the rest is its versatility. You can inject custom address writes, and therefore play around with mapper registers and see the effect in real time. This is exactly what we’ll do.

We do as the code does: clear all registers, then set the above values. This is what we get when we dump bank 0:

The first 2 bytes are important, though we don’t yet know what for. After a bit more playing around we find this:

The carts's ROM + SRAM list and their address on the cart

We go further and zero $1100 and $0000, and we’re back at the boot ROM, ‘GB SMART CARD’.

Interesting…

Meanwhile, back in the emulator, we convince the ROM that the cart is attached and that the mystery bytes we found earlier are present. We now get the default boot screen as seen on the GB. This is a perfect opportunity to get to the basics: cart pass-through mode. We select ‘Play Card’ and see what gets written to the CPLD:

  • $1100 < $08
  • $3100 < $C0
  • Wait a few cycles
  • $3100 < $C0 again
  • Then jump to $0100. This is the code start point in the GB.

We confirm this with the Joey:

We have another go at the menu, this time selecting to boot Rom#3 & SRAM#1

  • $1100 < $02
  • $3100 < $DB
  • Wait 2 cycles
  • $3100 < $DB

We have another go at the menu, this time selecting to boot Rom#1 & SRAM#1

  • $1100 < $00
  • $3100 < $DB
  • Wait 2 cycles
  • $3100 < $DB

We have another go at the menu, this time selecting to boot Rom#2 & SRAM#2

  • $1100 < $11
  • $3100 < $DB
  • Wait 2 cycles
  • $3100 < $DB

We have another go at the menu, this time selecting to boot Rom#4 & SRAM#3

  • $1100 < $23
  • $3100 < $DB
  • Wait 2 cycles
  • $3100 < $DB

Can you spot the pattern?

The high nibble of $1100 selects the 32k SRAM block to activate.

The low nibble of $1100 selects the 512k ROM block to activate.
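As an added example (not code from the post or from Joey), here is the $1100 nibble model in Python together with the register write sequences listed above, checked against the four menu captures. The constant names, the (address, value) list format and the 'wait' marker are this example's own, and the 1..16 bound is only what one nibble can hold, not the cart's verified capacity.

```python
from typing import List, Tuple

REG_SRAM_ENABLE = 0x0000   # stock MBC5 SRAM enable; $0A written at init
REG_BANK_SELECT = 0x1100   # ROM/SRAM block selector worked out above
REG_3100 = 0x3100          # purpose still unknown; $DB on boot, $C0 for pass-through
REG_4100 = 0x4100          # purpose still unknown; $90 written at init

# Menu choice (Rom#, SRAM#) -> $1100 byte, as captured with Joey in the post.
OBSERVED = {(3, 1): 0x02, (1, 1): 0x00, (2, 2): 0x11, (4, 3): 0x23}


def bank_select_value(rom_no: int, sram_no: int) -> int:
    """Encode 'Rom#n & SRAM#m' as the $1100 byte: SRAM block in the high
    nibble, ROM block in the low nibble, both 0-based (Rom#1 & SRAM#1 -> $00)."""
    # A nibble holds 0..15, so 16 slots each is the register's ceiling (an
    # assumption of this model, not a measured capacity of the cart).
    if not (1 <= rom_no <= 16 and 1 <= sram_no <= 16):
        raise ValueError("ROM and SRAM numbers must each be 1..16")
    return ((sram_no - 1) << 4) | (rom_no - 1)


def decode_bank_select(value: int) -> Tuple[int, int]:
    """Inverse: $1100 byte -> (rom_no, sram_no) as the menu shows them."""
    return (value & 0x0F) + 1, (value >> 4) + 1


def init_sequence() -> List[Tuple]:
    """Power-up writes seen in the boot ROM: clear everything, then defaults."""
    regs = (REG_SRAM_ENABLE, REG_BANK_SELECT, REG_3100, REG_4100)
    return [(r, 0x00) for r in regs] + [
        (REG_SRAM_ENABLE, 0x0A), (REG_BANK_SELECT, 0x80), (REG_4100, 0x90)]


def boot_sequence(rom_no: int, sram_no: int) -> List[Tuple]:
    """Writes the menu performs to launch a stored ROM with a chosen save.
    ('wait', 2) stands for the two-cycle pause between the $3100 writes."""
    return [(REG_BANK_SELECT, bank_select_value(rom_no, sram_no)),
            (REG_3100, 0xDB), ("wait", 2), (REG_3100, 0xDB)]


def matches_observations() -> bool:
    """Sanity check of the nibble model against every capture in the post."""
    return all(bank_select_value(r, s) == v and decode_bank_select(v) == (r, s)
               for (r, s), v in OBSERVED.items())
```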

We still don’t know what $3100 does or exactly how the other registers work. We also don’t have the flash erase or write protocol, the mapper type selection (if it can even support anything other than MBC5), or the maximum SRAM a single ROM can access (LSDJ requires 128k). Once we have all this identified we can write a script for my Joey software to add flash cart support for the ‘GB Pocket Station’.

In Parts 2&3 we are going to use a logic analyser to monitor the CPLD activity. We'll write values to it via Joey to fully reverse all the mapper registers. We'll go through the Flash IC datasheet and take a look at the erase+write protocols and we'll learn how to add support for this cart in Joey's script.

Thanks for visiting and don't forget to subscribe to my FB page for alerts on the next part of the series! If you would like more information on the tools/programs I use, or a more in depth explanation of how I do something, comment in FB. I'll get back to you ASAP.