Glitch City Laboratories Forums

Lab δ: Tech => Emulation & ROM Hacking => Topic started by: Háčky on June 13, 2016, 11:46:06 pm

Title: Emulating the Mobile Adapter GB
Post by: Háčky on June 13, 2016, 11:46:06 pm
It’s been over fifteen years and no one has done this yet?

(This post is necessarily going to be filled with technical minutiae, so if that’s not your thing, you may want to skip the entire first half of it and skim through the rest. If that is your thing, then you don’t need me to tell you what to do.)

I’ve documented most of the protocol that Game Boy Color games use to communicate with the Mobile Adapter GB, and written a proof-of-concept implementation that links with BGB and enables Mobile Trainer’s initial setup and Pokémon Crystal’s Trade Corner to work. Because I’ve been working with BGB, I’ve not yet tested anything with Game Boy Advance games, but I would expect that the protocol is the same and it should be possible to create an implementation compatible with VBA-M in the future.

As all of this information has been determined solely from analysis of Mobile Trainer and Pokémon Crystal, I can’t say whether this documentation represents how the Mobile Adapter GB hardware actually behaves, but it at least represents how these games seem to expect it to behave.


Protocol description
The Game Boy Color communicates with the Mobile Adapter GB at a clock speed of 512 KiHz (bits 0 and 1 of the SC register are set and the GBC is in double-speed mode). The protocol closely resembles the one used by the Game Boy Printer, but it has been modified for two-way communication.

A communication session consists of a series of commands sent by the Game Boy Color, each followed by a response from the Mobile Adapter GB, generally using the same command ID as the command it is responding to. A session begins with the Game Boy Color sending command $10 with the body "NINTENDO", and the Mobile Adapter GB replying with the same. The session ends when the Game Boy Color sends command $11, and the Mobile Adapter GB responds in kind.

When either device sends a packet, it begins by sending the preamble bytes $99 $66, followed by the packet data. After the packet is finished, both the sender and receiver transmit a byte containing their device ID xor $80. (The Game Boy Color’s device ID is $00. Any device ID from $08 to $0F is recognized as a Mobile Adapter GB: $08 is the PDC model, $09 is the CDMA model, $0A is the unreleased DoCoMo PHS model, and $0B is the DDI PHS model. $0C–0F were presumably reserved for future use.)

After the device ID, the sender sends $00 while the receiver confirms successful receipt of the packet by sending the packet’s command ID xor $80. If the packet checksum fails, the recipient sends $F1 instead, which instructs the other device to resend the packet. ($EE, $F0, and $F2 also appear to be error codes, but I don’t know how they’re used.)

The packet itself consists of a four-byte header, followed by the body, followed by a two-byte big-endian checksum, which is the sum of each preceding byte (not including the $99 $66 preamble). The first byte of the header is the command ID, and the fourth is the length of the packet body. The second and third bytes are unused, as far as I know, and are set to $00. While a packet is being received, the recipient continuously transmits the byte $4B.


Command listing
This list covers all of the commands supported by the standard library found in Pokémon Crystal. There is also at least one command, $1A (write configuration data), that is exclusively used by Mobile Trainer. It’s possible that some of the missing numbers are commands that exist in the hardware but were never used by any software; for instance, I would expect that there are commands for opening and closing UDP connections.

The command numbers appear to be organized such that commands numbered $1x relate to the basic operation of the Mobile Adapter GB and its attached telephone, while commands numbered $2x are network operations.

$10: Begin session
Sent to the adapter at the start of a session. The packet body is the ASCII string "NINTENDO". The adapter replies with an identical packet.

$11: End session
Sent to the adapter at the end of a session. The packet body is empty. The adapter replies with an identical empty packet.

$12: Dial telephone
Instructs the adapter to dial a telephone number. The packet body contains one byte of unknown significance, followed by the telephone number written in ASCII. The adapter’s response has an empty body.

$13: Hang up telephone
Instructs the adapter to hang up a telephone connection. The packet body is empty. The adapter replies with an identical empty packet.

$14: Wait for telephone call
Instructs the adapter to wait for a telephone call to be received. The packet body is empty. The adapter replies with an identical empty packet (only when the call is received?).

$15: Transfer data
This command is used either to send data over a TCP connection opened with command $23, or directly to another Mobile Adapter GB. While a connection is open, the Game Boy sends this packet containing one byte of unknown significance followed by zero or more bytes of data to be transmitted. The adapter replies with one byte of unknown significance followed by zero or more bytes that it has received from the other end. This is repeated until the connection is closed. The adapter sets bit 7 of the command ID while it is connected to a server, so the reply’s command ID appears as $95. When the remote server has closed the connection (e.g., at the end of an HTTP response), the reply sets the command ID byte to $9F instead.

$17: Telephone status
Sent to the adapter before attempting to dial. The packet body is empty. The adapter’s reply has one byte: $00 means that the telephone is ready to make a call, $04 or $05 means that the line is busy (I’m not sure what the difference between these values is?), and any other value seems to be an error. Some features of Mobile Trainer actually check this after dialing to make sure the line is active, but Pokémon Crystal doesn’t bother.

$19: Read configuration data
Requests a portion of the adapter’s 192-byte configuration memory. The packet body consists of two bytes; the first is an offset and the second is the number of bytes to be read. The adapter replies with a body containing one byte of unknown significance (possibly the offset, although that would be redundant?) followed by the requested data. In practice, the configuration data is read in two chunks of 96 bytes; it should be technically possible to read the full 192 bytes at once, but reading in smaller chunks is probably more reliable.

$1A: Write configuration data
Writes to a portion of the adapter’s 192-byte configuration memory. The packet body consists of one byte, which is an offset, followed by the bytes to be written. The adapter’s reply has an empty body (or, at least, Mobile Trainer doesn’t seem to care what the response is). As with the read command, Mobile Trainer chooses to write the data in two separate chunks (of 128 and 64 bytes).

$21: ISP login
Logs in to the DION service (which will then be used to connect to an Internet server). The packet body begins with the login ID and password, each prefixed by a byte denoting its length. The last eight bytes are the IPv4 addresses of two DNS servers. The adapter’s reply has a four-byte body, which might be an IPv4 address assigned to the adapter, although that doesn’t seem to be needed for anything in-game.

$22: ISP logout
Logs out of the DION service. The packet body is empty. The adapter replies with an identical packet.

$23: Open TCP connection
Opens a TCP connection to an Internet server. The packet body consists of an IPv4 address (four bytes) and a port number (two bytes, big-endian). The adapter replies with one byte of unknown significance. The adapter sets bit 7 of the command ID while it is connected to a server, so the reply’s command ID appears as $A3.

$24: Close TCP connection
Closes a TCP connection to an Internet server. The packet body contains one byte of unknown significance. The adapter replies with one byte of unknown significance.

$28: DNS query
Looks up the IP address for a domain name, presumably using the DNS server addresses sent in command $21. The packet body is the domain name. The adapter’s reply has a four-byte body containing the corresponding IPv4 address.


Configuration memory
The Mobile Adapter GB has 192 bytes of memory in which to store configuration data. This memory can be read with command $19 and written with command $1A. It is structured as follows:

Code:
$00  "MA"
$02  Set to $01 during Mobile Trainer registration
     Set to $81 when registration is successfully completed
$04  Primary DNS server (210.196.3.183)
$08  Secondary DNS server (210.141.112.163)
$0C  Login ID ("g_________")
$2C  E-mail address ("________@____.dion.ne.jp")
$4A  SMTP server ("mail.____.dion.ne.jp")
$5E  POP server ("pop.____.dion.ne.jp")
$76  Configuration slot 1
$8E  Configuration slot 2
$A6  Configuration slot 3
$BE  Checksum (big-endian)

Strings are null-terminated if shorter than the fields which contain them.

Each configuration slot may contain a telephone number to be used to connect to the ISP (eight bytes) and an identifying string (sixteen bytes). The telephone number is stored in a variant of binary-coded decimal, where $A represents the # key, $B represents the * key, and $F marks the end of the telephone number.

If the device ID is $08 (PDC) or $09 (CDMA), Mobile Trainer will configure it to use the telephone number #9677 and identifying string "DION PDC/CDMAONE". If the device ID is $0A (DoCoMo PHS) or $0B (DDI PHS), it will be configured with the telephone number 0077487751 and identifying string "DION DDI-POCKET".

These are always written to the first configuration slot; the other two slots are always empty (filled with $FF and $00), and it’s unclear how they would have been used. (I’m guessing they’re there in case Nintendo wanted to support an ISP other than DION in the future?) Pokémon Crystal has an option within the Mobile menu, titled 「モバイルセンターを えらぶ」 Choose a Mobile Center, for selecting which of these three configuration slots it will use.

If the device ID is one of the unused values $0C–0F, Mobile Trainer will fill the entire configuration memory with garbage data, because bounds checking is for sissies.

The checksum, like the packet checksum, is simply the sum of the preceding 190 bytes.


Mobile Trainer
Initial setup
When the Mobile Trainer cartridge is first loaded with the Mobile Adapter GB connected, a setup wizard prompts the user to enter their DION login ID, e-mail address, and password. (According to instructions published by the Nintendo Online Magazine (http://www.nintendo.co.jp/nom/0101/provider/), these credentials were provided on the 「DIONモバイルGBコース登録書」 DION Mobile GB Plan Registration Form included in the Mobile Adapter GB box. The account would expire after 15 days unless the Registration Form was filled out and mailed to KDDI.)

(Straying further from the topic, this site has some photographs of the printed matter supplied with the Mobile Adapter GB (http://www.geocities.jp/rikkyjp/ope/msgbphoto.html), which bizarrely includes a promotion offering baseballs signed by Kazuhiro Sasaki, then a pitcher for the Nintendo of America–owned Seattle Mariners.)

The login ID and e-mail address are stored in the adapter’s configuration memory, and the user is asked to choose whether or not the password will be saved on the Mobile Trainer cartridge. After that, Mobile Trainer attempts to log in to the DION POP e-mail server (pop.____.dion.ne.jp, where the subdomain is filled in from the entered e-mail address). If the login is successful, then a welcome message is displayed, followed by the Mobile Trainer title screen.

After setup has been completed, Mobile Trainer will boot to the title screen even when the Mobile Adapter GB is not connected. (If an adapter is connected, Mobile Trainer will still check whether it has been configured, and launch the setup wizard if needed.)

[youtube]https://youtu.be/oE7J1UFYO4M[/youtube]


Other features
I haven’t put much effort into getting any other features of Mobile Trainer working, but they all appear to be fairly straightforward: the e-mail uses DION’s POP and SMTP servers, the account management options use a simple HTTP interface, and Nintendo’s mobile homepage would have used some subset of HTML (though there probably aren’t any complete surviving copies of the pages, there are a few screenshots in this Nintendo Online Magazine article (http://www.nintendo.co.jp/nom/0107/05/index.html)).

However, there may be significant unused content in the Mobile Trainer ROM. The most obvious instance is some text for a debug menu that’s helpfully titled 「== DEBUG MODE ==」. I also found this peculiar run of text:

Quote
こんど、またあそぼう
マリオ
またあそぼうね
mario@mario.ne.jp

7がつのさいしょのにちようびに、やきゅうをするからこいよ
クッパだいおう
やきゅうやるぞ
kuppa@mario.ne.jp

ついにポケモンのさいしんさくがとうじょうするぞ!「ポケットモンスター苔」くわしくはにんてんどうのホームページへGO!
メールマガジンGB
GAMER's Life
grave01@natird.ad.jp

メールセンターのメンテナンスのため、7/14~7/20までのきかん、メールをチェックできなくなります
あらかじめごりょうしょうください
GBセンター
だいじなおしらせ
ieve@makopi.ne.jp

くくく・・・
むだい
p@p.ne.jp

To my knowledge, Bowser didn’t play baseball until 2005 on the GameCube, and I still haven’t heard any news about this Pocket Monsters Moss.

One more thing I noticed is that after completing the initial setup, there are four options in the 「モバイルせってい」 Mobile Settings menu, but when Torchickens used a GameShark code to skip the initial setup (https://www.youtube.com/watch?v=tY8CdSJCez8), a fifth option, 「電話番号の変更」 Change telephone number, appeared. By erasing my Mobile Trainer save file and using that GameShark code, I was able to replicate this and attempted to use this option. It read the configuration data from the adapter, then started executing from WRAM and choked on opcode $FD. I’m guessing that’s not the intended behavior.


Pokémon Crystal
Initial connection
On startup, before the copyright screen, Pokémon Crystal tries to connect to the Mobile Adapter GB and check the telephone status with command $17. If this connection is successful (which does not require that the adapter even be configured), all of the game’s mobile features are unlocked except for Mobile Stadium.

(The telephone status check has no purpose: the game will recognize the adapter as connected regardless of what value it sends in response to command $17. It appears that the result of this check is used to set or clear the “unlimited battle mobile adapter” flag, but the flag is always cleared regardless of what value is sent by the adapter. I’m guessing the debug build behaved differently.)

After the successful connection, the 「モバイル プロフィール」 “Mobile Profile” screen will be presented the first time Continue is selected from the main menu, or whenever a new game is started.


Egg Ticket
When the Egg Ticket is redeemed at the PokéCom Center Trade Corner, the game makes an HTTP GET request for http://gameboy.datacenter.ne.jp/cgb/download?name=/01/CGB-BXTJ/tamago/index.txt. ("CGB-BXTJ" is the product code for the Japanese version of Pokémon Crystal; "01" denotes the game’s publisher, Nintendo.) This text file should have two lines, with CRLF line endings.

The first line is the HTTP URI that will be used to download the Odd Egg data. This URI contains a sequence of up to four capital "X"s, which the game will replace with a hexadecimal value.

(If the filename—i.e., the part of the URI after the last "/", even if it’s part of the query string—starts with a decimal digit, the game reads up to three digits from the start of the filename, interprets this as the service fee [in yen] charged for downloading this file, and prompts the user to confirm before downloading it. Since it is known that there was no service fee for the Egg Ticket event, the filename should not start with a digit, or an "X" that will be replaced by a digit.)

The second line is a series of 16-bit values written in hexadecimal (with lowercase "a"–"f"). These represent the cumulative probabilities of each Odd Egg being obtained. The game generates a random 16-bit number, compares it to each of these values, and downloads the Odd Egg corresponding to the first value that is greater than or equal to the random number, by filling in the "X"s in the URI with "0000" for the first Odd Egg, "0001" for the second, and so on in hexadecimal. Leading digits will be omitted if there are fewer than four "X"s to replace.

If the second line of the file is blank, the Trade Corner attendant will say 「もうしわけ ございません! ただいま タマゴけんの サービスは ちゅうし しています」 “I’m awfully sorry. The EGG TICKET exchange service isn’t running now.” Reportedly the Egg Ticket exchange service ran for the entire time that the Mobile System GB was in operation, so this text would never have been used. If the Egg Ticket service was shut down, it would have made it impossible for someone who had the Egg Ticket in their Bag to use the Trade Corner until they deposited it in their PC, which could have been confusing.

The downloaded Odd Egg file is 54 bytes, containing the 48-byte Pokémon data structure followed by the nickname, which should be 「タマゴ」 “EGG”. The OT name 「なぞ」 “ODD” is added by the game, though it goes unseen since an Egg’s OT is always shown as “?????” until it hatches.

For my implementation, I’ve copied the Odd Egg data from the English version. But according to legend, the Odd Egg received from the mobile event had a 50% chance to be Shiny, higher than the 14% chance for the in-game event in the Western versions. Does anyone know where this information came from? The only way to verify it would have been to download index.txt and read the probability values, and I’ve seen no evidence that anyone would have known how to do that at the time.

[youtube]https://youtu.be/Er0gbOvHY5k[/youtube]


PokéCom Center Trade Corner
When a Pokémon is deposited at the Trade Corner, the game sends an HTTP GET request for http://gameboy.datacenter.ne.jp/cgb/download?name=/01/CGB-BXTJ/exchange/index.txt. The first line of this file is a URI that will be used to log in before uploading the Pokémon data. Since the service fee for the Trade Corner was ¥10, the filename in that URI should start with "10".

As far as I can tell, the server is supposed to send an HTTP 401 Unauthorized response with a WWW-Authenticate header, to which the game will respond by retrying with an Authorization header. Then the server will respond with a Gb-Auth-ID header. I can’t seem to get this process to work, so instead I’ve bypassed it by having the server send the Gb-Auth-ID on the first try.

The game POSTs a 143-byte file with the following contents:

Code:
$00  DION e-mail address (null-terminated ASCII)
$1E  Trainer ID
$20  Secret ID
$22  Offered Pokémon’s gender
$23  Offered Pokémon’s species
$24  Requested Pokémon’s gender
$25  Requested Pokémon’s species
$26  Trainer name
$2B  Offered Pokémon’s 48-byte data structure
$5B  Offered Pokémon’s OT name
$60  Offered Pokémon’s nickname
$65  Mail data (filled with 00 if not holding Mail):
$65    Message
$86    Sender’s name
$8B    Sender’s Trainer ID
$8D    Pokémon species
$8E    Item index

The genders of the offered and requested Pokémon are encoded as: $00 = gender unknown, $01 = male, $02 = female, and (for the requested Pokémon) $03 = either male or female.

After a Pokémon is deposited in the Trade Corner, the game enforces a two-hour waiting period before the status of the trade may be checked. To check if a trade has been made, the game logs in to the DION POP e-mail server and searches for an e-mail with the header X-Game-code: CGB-BXTJ-00. If it finds one, it will read the X-Game-result header, which is in the format 1 ttttssss oooo rrrr x, where tttt and ssss are the Trainer ID and Secret ID, oooo is the gender and species of the offered Pokémon, and rrrr is the gender and species of the requested Pokémon, all written in lowercase hexadecimal. The last character x is either "1" or "2", with "1" indicating that a trade partner has been found and "2" indicating that the server has given up on finding one. If a trade partner has been found, the body of the e-mail will contain the last 105 bytes of the above data structure (starting from the Trainer name) for the received Pokémon, encoded in Base64.

If no e-mail with a matching X-Game-code and X-Game-result is found, the Trade Corner attendant will give you the option to retrieve your Pokémon. If you choose to retrieve it, the game reads a URI from the second line of exchange/index.txt and POSTs a 38-byte file to it, which contains the first 38 bytes of the above data structure (up to the requested Pokémon’s species). This cancels the trade.

[youtube]https://youtu.be/0ZerrH7rYZU[/youtube]


Cable Trade Center
I wasn’t planning to work on the multiplayer features at this point; I just wanted to see what commands they use so I could add them to the command listing.

I wrote my program so that when it received a command it didn’t recognize, it would echo that command verbatim in response. This turned out to be entirely sufficient to make the Mobile Trade screen open and let me trade with myself!

[youtube]https://youtu.be/4Uh4sgtmDMQ[/youtube]

One notable feature of the mobile trade animations is that the Mobile Adapter GB is depicted using a palette chosen according to the device ID—the PDC adapter is shown as blue, the CDMA adapter is shown as yellow, the unreleased DoCoMo PHS adapter is shown as green, and the DDI PHS adapter is shown as red. There are also assigned palettes for the unused device IDs $0C–0F: purple for $0C, black for $0D, pink for $0E, and gray/violet for $0F.

(http://i.imgur.com/emwzq58.png)(http://i.imgur.com/2jt6fmU.png)(http://i.imgur.com/qB3DTCH.png)(http://i.imgur.com/cwr6A5W.png)


Cable Club Colosseum
I was also able to get into a battle with myself in the Colosseum, though it inevitably unraveled when the opposing Pokémon fainted and it tried to send out the fainted Pokémon as a replacement for itself (since it wasn’t “my” Pokémon that fainted, I hadn’t made a selection).

I did, however, find out what an “unlimited battle mobile adapter” does: it removes the 10 minute per day limit on Colosseum battles. When entering the Colosseum without the “unlimited battle” flag, the attendant will ask: 「きょうの のこり じかんは あと 10 ふんです[。] たいせん しますか?」 “Today’s remaining time is 10 min. Would you like to battle?” (or one of a few other messages if less time is left). With the “unlimited battle” flag, she asks instead: 「モバイル たいせん では ポケモンを 3たい えらんで たいせん します[。] よろしいですか?」 “To enter a mobile battle, you must pick a team of three POKéMON. Is that OK?”


Implementation

http://pastebin.com/igq4SuVd

I pilfered the BGB linking code from TheZZAZZGlitch’s implementation of the Game Boy Printer protocol (https://www.youtube.com/watch?v=h_j0w7r6xSk) and wrote a script that does just enough to make these features work. Rather than connecting to a proper server, it fabricates the responses that the server should give for a limited set of commands. It completely ignores the DION login ID and password, so you can enter whatever you want in Mobile Trainer’s setup. The e-mail server is hard-coded to contain an e-mail matching the Pidgey-for-Pidgey trade that I made in the video; if you want to use the Trade Corner, you’ll have to edit that e-mail to match your Trainer ID, Secret ID, and the trade you’ve made.

I think the next step will be to set up a server that can run a fully functioning Trade Corner, and write a client that can connect to that server or make direct “calls” to other clients. There’s still the matter of getting Pokémon Crystal’s Pokémon News, Battle Tower, and Mobile Stadium features running, and after that, it might be interesting to get a couple of the other Mobile Adapter GB compatible games working. Eventually, it would be fun to build a ROM hack of the English version of Pokémon Crystal that restores all of its mobile functionality.
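
The packet framing and acknowledgement rules from the first post, as an added Python example that is not Háčky's script: it builds and parses packets, returns the acknowledgement byte, and answers commands $10, $19 and $1A with bounds checks on the 192-byte configuration memory. Assumptions: the function names are hypothetical, the first reply byte for $19 is taken to be the offset (the post only guesses this), and out-of-range requests are rejected because the real adapter's behaviour is unknown.

```python
# Added example (not the original script): Mobile Adapter GB link-layer packets.
PREAMBLE = b"\x99\x66"
ACK_RESEND = 0xF1      # receiver's answer when the checksum fails
CONFIG_SIZE = 192      # size of the adapter's configuration memory


class PacketError(ValueError):
    """Framing or content problem in a received packet."""


class ChecksumError(PacketError):
    """Checksum field does not match header + body."""


def build_packet(cmd, body=b""):
    """Frame a command: preamble, 4-byte header, body, 16-bit big-endian sum."""
    if not 0 <= cmd <= 0xFF or len(body) > 0xFF:
        raise PacketError("command ID and body length must each fit in one byte")
    header = bytes([cmd, 0x00, 0x00, len(body)])
    checksum = sum(header + body) & 0xFFFF   # preamble is not included
    return PREAMBLE + header + bytes(body) + checksum.to_bytes(2, "big")


def parse_packet(raw):
    """Return (cmd, body) after checking preamble, length field and checksum."""
    raw = bytes(raw)
    if raw[:2] != PREAMBLE:
        raise PacketError("missing $99 $66 preamble")
    if len(raw) < 8:
        raise PacketError("truncated packet")
    cmd, length = raw[2], raw[5]
    end = 6 + length
    if len(raw) != end + 2:
        raise PacketError("length field does not match the bytes received")
    if sum(raw[2:end]) & 0xFFFF != int.from_bytes(raw[end:], "big"):
        raise ChecksumError("checksum mismatch")
    return cmd, raw[6:end]


def ack_byte(raw):
    """Byte the receiver sends after the device IDs: cmd xor $80, or $F1."""
    try:
        cmd, _ = parse_packet(raw)
    except ChecksumError:
        return ACK_RESEND
    return cmd ^ 0x80


def handle_command(cmd, body, config):
    """Adapter-side reply packet; config is a 192-byte bytearray."""
    if len(config) != CONFIG_SIZE:
        raise PacketError("configuration memory must be 192 bytes")
    if cmd == 0x10:                                   # begin session
        if body != b"NINTENDO":
            raise PacketError("unexpected session greeting")
        return build_packet(0x10, body)
    if cmd == 0x19:                                   # read configuration data
        if len(body) != 2:
            raise PacketError("$19 expects offset and count")
        offset, count = body
        if offset + count > CONFIG_SIZE:
            raise PacketError("read past end of configuration memory")
        # Assumption: the leading reply byte echoes the offset.
        return build_packet(0x19, bytes([offset]) + bytes(config[offset:offset + count]))
    if cmd == 0x1A:                                   # write configuration data
        if not body:
            raise PacketError("$1A expects an offset byte")
        offset, data = body[0], body[1:]
        if offset + len(data) > CONFIG_SIZE:
            raise PacketError("write past end of configuration memory")
        config[offset:offset + len(data)] = data
        return build_packet(0x1A)
    return build_packet(cmd, body)                    # echo anything else verbatim
```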
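
The configuration memory layout from the first post, as an added example (not from the original implementation) that validates the "MA" marker and the checksum before decoding the fields and the BCD telephone numbers. Assumptions: high nibble first in each telephone byte, field lengths inferred from the gaps between the listed offsets, and constructed sample account values.

```python
# Added example: parse and validate the 192-byte configuration memory.
import ipaddress

CONFIG_SIZE = 192
CHECKSUM_OFFSET = 0xBE
# name: (offset, length); lengths inferred from the distance to the next field
STRING_FIELDS = {
    "login_id": (0x0C, 0x20),
    "email": (0x2C, 0x1E),
    "smtp_server": (0x4A, 0x14),
    "pop_server": (0x5E, 0x18),
}
SLOT_OFFSETS = (0x76, 0x8E, 0xA6)   # each slot: 8-byte phone + 16-byte label
BCD_DIGITS = "0123456789#*"         # $A is '#', $B is '*', $F ends the number


def decode_phone(raw):
    """Decode the BCD variant; assumes the high nibble comes first."""
    digits = []
    for byte in raw:
        for nibble in (byte >> 4, byte & 0x0F):
            if nibble == 0xF:
                return "".join(digits)
            if nibble >= len(BCD_DIGITS):
                raise ValueError("undefined BCD nibble $%X" % nibble)
            digits.append(BCD_DIGITS[nibble])
    return "".join(digits)


def encode_phone(number, size=8):
    """Inverse of decode_phone, padded with $F nibbles to `size` bytes."""
    nibbles = [BCD_DIGITS.index(ch) for ch in number]
    if len(nibbles) > size * 2:
        raise ValueError("telephone number too long for the slot")
    nibbles += [0xF] * (size * 2 - len(nibbles))
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, size * 2, 2))


def c_string(raw):
    """Fields are null-terminated only when shorter than the field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_config(mem):
    mem = bytes(mem)
    if len(mem) != CONFIG_SIZE:
        raise ValueError("configuration memory must be exactly 192 bytes")
    if mem[0:2] != b"MA":
        raise ValueError('missing "MA" marker')
    stored = int.from_bytes(mem[CHECKSUM_OFFSET:CONFIG_SIZE], "big")
    if sum(mem[:CHECKSUM_OFFSET]) & 0xFFFF != stored:
        raise ValueError("configuration checksum mismatch")
    cfg = {
        "registered": mem[2] == 0x81,
        "dns": [str(ipaddress.IPv4Address(mem[4:8])),
                str(ipaddress.IPv4Address(mem[8:12]))],
        "slots": [{"phone": decode_phone(mem[off:off + 8]),
                   "label": c_string(mem[off + 8:off + 24])}
                  for off in SLOT_OFFSETS],
    }
    for name, (off, size) in STRING_FIELDS.items():
        cfg[name] = c_string(mem[off:off + size])
    return cfg


def build_sample_config():
    """Constructed sample for a PDC/CDMA adapter; account values are made up."""
    mem = bytearray(CONFIG_SIZE)
    mem[0:2] = b"MA"
    mem[2] = 0x81
    mem[4:8] = bytes([210, 196, 3, 183])
    mem[8:12] = bytes([210, 141, 112, 163])
    sample = {"login_id": "g000000000", "email": "user0000@xxxx.dion.ne.jp",
              "smtp_server": "mail.xxxx.dion.ne.jp", "pop_server": "pop.xxxx.dion.ne.jp"}
    for name, text in sample.items():
        off, _ = STRING_FIELDS[name]
        mem[off:off + len(text)] = text.encode("ascii")
    mem[0x76:0x7E] = encode_phone("#9677")
    mem[0x7E:0x8E] = b"DION PDC/CDMAONE"
    for off in SLOT_OFFSETS[1:]:            # unused slots: $FF phone, $00 label
        mem[off:off + 8] = b"\xFF" * 8
    mem[CHECKSUM_OFFSET:CONFIG_SIZE] = sum(mem[:CHECKSUM_OFFSET]).to_bytes(2, "big")
    return bytes(mem)
```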
Title: Re: Emulating the Mobile Adapter GB
Post by: Wack0 on June 14, 2016, 03:54:44 am
I can help work on the server-side aspect.

I wonder if that download script on the webserver was vulnerable to local file disclosure at the time.

This is something I meant to do myself, by the way: I just tried to go about it a different way, via static analysis, and I'm not sure how the GB serial hardware works.

I did notice the pop3/smtp text in the Mobile Adaptor library though: and I did wonder if any game used it.
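
For anyone rebuilding the server side, one way to resolve the name parameter of the download URL so that a request can only reach files under the content directory (an added example, not code from this thread or from the original service). Assumptions: CONTENT_ROOT, BadName and resolve_download are hypothetical names, and the /publisher/product-code/path layout is generalised from the single URL form quoted in the first post.

```python
# Added example: confine download?name=... lookups to one content directory.
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

CONTENT_ROOT = Path("/srv/mobilegb/content")   # hypothetical location

# Assumed layout: /<2-digit publisher>/<product code>/<path>,
# e.g. /01/CGB-BXTJ/tamago/index.txt
NAME_RE = re.compile(r"/[0-9]{2}/[A-Z]{3}-[A-Z0-9]{4}(?:/[A-Za-z0-9_.-]+)+")


class BadName(ValueError):
    """The name parameter is missing, malformed or leaves the content root."""


def resolve_download(url, root=CONTENT_ROOT):
    """Map a download URL to a path under root, or raise BadName."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("name", [])
    if len(values) != 1:
        raise BadName("exactly one name parameter is required")
    name = values[0]            # parse_qs has already percent-decoded it
    if not NAME_RE.fullmatch(name):
        raise BadName("name does not match the expected layout")
    parts = name.split("/")[1:]
    if any(part in (".", "..") for part in parts):
        raise BadName("relative path components are not allowed")
    root = Path(root).resolve()
    target = root.joinpath(*parts).resolve()   # also follows existing symlinks
    if root not in target.parents:
        raise BadName("resolved path escapes the content root")
    return target
```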
Title: Re: Emulating the Mobile Adapter GB
Post by: Wack0 on June 14, 2016, 10:51:09 am
OK. I modified the emulator to dump to file the data of any unknown packet.

I then went into the Cable Trade Center, and canceled, and now I have several files to look through.

Haven't discovered much yet, naturally, however, it seems to use specifically 0x15 packets.

Seems the "byte of unknown significance" is the length of the sent/received data.

The first sent packet is 0x15 bytes in length, and starts with "\x19\x73\x09\x13trade_crystal" (https://github.com/pret/pokecrystal/blob/master/misc/mobile_40.asm#L3832). There follow two big-endian int16s 0x1 and 0x1a06, which are unknown to me at this time.

Most of the packets sent are empty.

Here's a dump of the packets if anyone else wants to look: http://lucasm.cf/?yzrlz

edit: And here's a dump of the Mobile Colosseum packets: http://lucasm.cf/?yzjim
This one starts with "\x19\x67\x10\x01limit_crystal" (https://github.com/pret/pokecrystal/blob/master/misc/mobile_40.asm#L3842).

There's a similar string near both of them, "\x19\x67\x10\x01free__crystal" (https://github.com/pret/pokecrystal/blob/master/misc/mobile_40.asm#L3837). Guessing this one is used with the Unlimited Battle Adapter, given this code (https://github.com/pret/pokecrystal/blob/master/misc/mobile_40.asm#L3800)?
Title: Re: Emulating the Mobile Adapter GB
Post by: Háčky on June 14, 2016, 11:48:49 am
Quote
This is something I meant to do myself, by the way: I just tried to go about it a different way, via static analysis, and I'm not sure how the GB serial hardware works.

That sounds painful ;D I started by setting a read breakpoint on $FF01 (serial data) and trying to find what bytes I could put there to make something different happen.

Quote
OK. I modified the emulator to dump to file the data of any unknown packet.

I then went into the Cable Trade Center, and canceled, and now I have several files to look through.

Haven't discovered much yet, naturally, however, it seems to use specifically 0x15 packets.

Seems the "byte of unknown significance" is the length of the sent/received data.

The first byte of a $15 packet is, as far as I’ve seen, always $FF (though my implementation sends $00 and it doesn’t seem to matter). Your dumps are starting from the second byte, which is the first byte of the actual data sent by the Trade Center/Colosseum. These features apparently have their own redundant packet structure, which starts with the length and ends with a little-endian checksum.

Quote
There's a similar string near both of them, "\x19\x67\x10\x01free__crystal" (https://github.com/pret/pokecrystal/blob/master/misc/mobile_40.asm#L3837). Guessing this one is used with the Unlimited Battle Adapter, given this code (https://github.com/pret/pokecrystal/blob/master/misc/mobile_40.asm#L3800)?

Yes, "free__crystal" is sent in “unlimited battle” mode.
Title: Re: Emulating the Mobile Adapter GB
Post by: ravioli on July 17, 2016, 03:20:34 am
Quote
I think the next step will be to set up a server that can run a fully functioning Trade Corner, and write a client that can connect to that server or make direct “calls” to other clients. There’s still the matter of getting Pokémon Crystal’s Pokémon News, Battle Tower, and Mobile Stadium features running, and after that, it might be interesting to get a couple of the other Mobile Adapter GB compatible games working. Eventually, it would be fun to build a ROM hack of the English version of Pokémon Crystal that restores all of its mobile functionality.

I'd love to help you on this. I am a Gen 2 romhacker. A small community for the online capabilities of Pokemon Crystal. Real neat. I PM'd you my Skype.  :)
Title: Re: Emulating the Mobile Adapter GB
Post by: Yeniaul on July 21, 2016, 09:40:07 pm
It'd be kinda odd if, after this was complete (the server and clients bit), someone ported it to Android or *shudder* iOS. In a way, it would have come full-circle... which is always nice... I guess...
Title: Re: Emulating the Mobile Adapter GB
Post by: Yeniaul on July 22, 2016, 05:57:40 pm
If I could figure out raw byte manipulation in Python 2 it'd be piss easy to make a program for custom Mobile Adapter GB "trading" generation, down to user-input for the trade specifics.
Title: Re: Emulating the Mobile Adapter GB
Post by: IIMarckus on July 28, 2016, 01:19:41 am
Quote
It’s been over fifteen years and no one has done this yet?
No, but it’s about time someone did. Great post.
Title: Re: Emulating the Mobile Adapter GB
Post by: Papa Doc on November 07, 2016, 10:39:31 pm
Wow this is really something else. Great work Hacky!
I would definitely donate to you if you can get this completed
and fully functional. I've always been interested in all the beta aspects of
G/S/C and it's been one of my main desires to use the mobile adapter
features and possibly get the legit Celebi event in Crystal.
Title: Re: Emulating the Mobile Adapter GB
Post by: SatoMew on November 21, 2016, 03:20:21 pm
I've just stumbled upon a Tumblr post where a person known as PepsimanGB shares their scans of all the printed material related to the Mobile Adapter GB. (http://www.demoban.net/post/148027715179/release-mobile-adapter-gb-manual-scan-archive)

Download link: https://mega.nz/#!EYYi0ZJQ!zRac8umNCVuf61TbmxsV03cmjNKS52gKllkd0rJX8Js

I haven't thoroughly checked the archive yet but it looks promising! :)
Title: Re: Emulating the Mobile Adapter GB
Post by: PokeAcer on December 28, 2016, 03:12:54 pm
For this, instead of it running as Python, perhaps it'd make more sense to be PHP for the web scripts with a Python/C handler on the client end so the client connects to the Internet but then uses the server you define?

It'd also be cool if we made a GBC to USB link cable (using some serial adapter perhaps?) so we could connect REAL hardware :D
Title: Re: Emulating the Mobile Adapter GB
Post by: ravioli on July 19, 2017, 10:51:55 pm
This thread has been dead for some time and I would like to remind Hacky and possibly other people working on this that I would pay LOADS of money to the person kickstarting this back to life. I am fascinated with the Mobile GB and I would love to see it emulated.
Title: Re: Emulating the Mobile Adapter GB
Post by: TheSixthItem on July 20, 2017, 07:57:12 am

Quote
[youtube]https://youtu.be/0ZerrH7rYZU[/youtube]
Pretty sure that needs to be
Code:
[MEDIA=youtube]4Uh4sgtmDMQ[/MEDIA]
But anyways, this is a really good concept. We really need it emulated.
Title: Re: Emulating the Mobile Adapter GB
Post by: Evie ✿ on July 20, 2017, 10:28:38 am

Quote
[youtube]https://youtu.be/0ZerrH7rYZU[/youtube]
Pretty sure that needs to be
Code:
[MEDIA=youtube]4Uh4sgtmDMQ[/MEDIA]
But anyways, this is a really good concept. We really need it emulated.

I think relatively recently we had working [youtube] tags that would embed YouTube videos, but for whatever reason they sadly no longer work.
Title: Re: Emulating the Mobile Adapter GB
Post by: ravioli on July 20, 2017, 11:52:17 am
I've been looking into this recently but I'm unsure if Hacky's python script actually connects to the internet or not. If it could attempt a connection to the internet, then we can just replace the POP server with our own, right? I am able to host such a thing however I am unaware if this attempts to connect to DION.

I understand the script is effectively acting like a server, but what if we made our server act like the script? Would that work too?
Title: Re: Emulating the Mobile Adapter GB
Post by: ravioli on July 23, 2017, 07:18:00 am
I know that GCF has such a reputation for having an excellent and eagerly helpful community when it comes to this kind of stuff, but I would like to see if anybody can help me in making a legitimate emulator that connects to DION or any homebrew server we choose.

It shouldn't be so difficult, right? The Dolphin team emulated the SP1 Broadband board quite successfully iirc.

Also, does the mobile phone adapter still work in 2017? As in, if I edited the rom of Crystal and the Mobile Trainer to not connect to gameboy.datacenter.ne.jp but instead to our own server, would it work?
Title: Re: Emulating the Mobile Adapter GB
Post by: MissingNo on July 23, 2017, 06:30:13 pm
Thoughts I wanna throw out there from my limited Japanese phone system knowledge:

AFAIK, the PHS network allowed for the use of "personal" cells that interconnected to the Japanese PSTN (eg, to use your PHS phone as a cordless home phone). PHS phone + DDI PHS adapter + PHS base station + Asterisk magic(?)/dial up server/email system for comms = "real life" Mobile Adapter GB emulation?
Title: Re: Emulating the Mobile Adapter GB
Post by: SatoMew on July 31, 2017, 08:23:03 am
There is already an emulator that supports the Mobile Adapter GB.

https://github.com/shonumi/gbe-plus (https://github.com/shonumi/gbe-plus)
Title: Re: Emulating the Mobile Adapter GB
Post by: ravioli on August 05, 2017, 07:33:19 pm
There is already an emulator that supports the Mobile Adapter GB.

https://github.com/shonumi/gbe-plus (https://github.com/shonumi/gbe-plus)

I can't find any documentation on that.
Title: Re: Emulating the Mobile Adapter GB
Post by: Evie ✿ on August 06, 2017, 06:57:12 am
There is already an emulator that supports the Mobile Adapter GB.

https://github.com/shonumi/gbe-plus (https://github.com/shonumi/gbe-plus)

There is already an emulator that supports the Mobile Adapter GB.

https://github.com/shonumi/gbe-plus (https://github.com/shonumi/gbe-plus)

I can't find any documentation on that.

Wow that's news to me too. How do you use it on Windows and get Pokémon Mobile System GB to work with it?
Title: Re: Emulating the Mobile Adapter GB
Post by: Wack0 on August 06, 2017, 08:44:12 am
I looked at the code, the emulation there is incomplete, and seems only there to get Mobile Trainer to work.
Title: Re: Emulating the Mobile Adapter GB
Post by: Evie ✿ on August 06, 2017, 08:47:54 am
I looked at the code, the emulation there is incomplete, and seems only there to get Mobile Trainer to work.

I see, thanks.  :) That's a shame. :/

A little later I found a Windows download link on the Emu Gen wiki, but I still don't know how to get Mobile Trainer to work on it.

http://emulation.gametechwiki.com/index.php/GBE%2B
Title: Re: Emulating the Mobile Adapter GB
Post by: XOlifreX on August 10, 2017, 04:27:04 pm
Fantastic that this is being worked on!
I would love to see the Mobile Adapter GB being fully emulated, not only for Pokémon, but for other games as well!

I, myself, would love to see the GBA game Mario Kart Super Circuit work with the Mobile Adapter. The game only used the platform for time trial rankings & exchanging ghosts.
Title: Re: Emulating the Mobile Adapter GB
Post by: PokeAcer549 on August 11, 2017, 06:23:13 am
It'd be cool to see the actual web servers this used brought back; a null-modem cable could be constructed using the real Mobile Adapter GB, which could then plug into a PC for actual Internet connection.
(Or, find a way to make one that works with newer phones using USB-OTG on Android devices)
Title: Re: Emulating the Mobile Adapter GB
Post by: ravioli on August 12, 2017, 09:25:10 pm
I am going to begin working on this to connect to the actual internet. I would like someone like Hacky who has an actual mobile gb adapter too.

I made a discord for people who would like to help!

https://discord.gg/DFkW5KU
Title: Re: Emulating the Mobile Adapter GB
Post by: Háčky on August 13, 2017, 01:59:33 am
I have actually been working on this occasionally over the past several months, but never found the time to compile my notes into something coherent.

I’ve figured out how the HTTP authentication scheme is supposed to work (an essential prerequisite for creating a server), and have also mostly documented the Pokémon News system. I need to put together a video to show that off, which I should do tomorrow.

I have some design plans for a server and client, but haven’t implemented anything. I might start on that this week, although I’m torn on whether to do that first or decipher the Battle Tower system.

Also, does the mobile phone adapter still work in 2017? As in, if I edited the rom of Crystal and the Mobile Trainer to not connect to gameboy.datacenter.ne.jp but instead to our own server, would it work?

The adapter still works for peer-to-peer communication (Pokémon Cable Club) as long as the handsets are able to receive service. The last PDC network shut down in March 2012, and the original frequency allocation for CDMA service in Japan was changed in July 2012, so it is likely that only DDI Pocket handsets still work, as their service continues under the Y!mobile brand.

To allow the adapter to connect to the Internet, an alternative to the DION dial-up service would need to be provided. Assuming that were possible, the adapter would need to be reconfigured to dial that service instead of DION; this could be achieved by running a specially-prepared ROM off a flash cartridge, or perhaps through an elaborate arbitrary code execution exploit. But if you could connect to your own dial-up ISP, you wouldn’t need to edit the domain names in the ROM; you could just intercept requests at the ISP end and redirect them to the server of your choice.

If the goal is just to connect a real Pokémon Crystal (or other compatible game) cartridge to a reconstructed server, then a much simpler way to achieve that would be to plug a device directly into the link port and emulate the Mobile Adapter GB in exactly the same way that a PC-based emulator would. (Can a Raspberry Pi bit-bang at 256 Kib/s?)

It'd be cool to see the actual web servers this used brought back; a null-modem cable could be constructed using the real Mobile Adapter GB, which could then plug into a PC for actual Internet connection.

That’s another possibility, but would require knowing the protocol the adapter uses to control the handset (surely it’s documented somewhere?). Also, I doubt the requisite connectors are still manufactured, so some disassembly may be required… :)

Eventually I’ll want to do something like that anyway, in order to test the actual behavior of the adapter and find out what those missing numbers in the command list are for.
Title: Re: Emulating the Mobile Adapter GB
Post by: Evie ✿ on August 13, 2017, 06:06:05 am
I have some design plans for a server and client, but haven’t implemented anything. I might start on that this week, although I’m torn on whether to do that first or decipher the Battle Tower system.

I'd personally love to see a server and client even if it doesn't support the Battle Tower first. :) Though it may be a good idea to make sure the Battle Tower system works first, if online battles/trades work sooner rather than later then it's really exciting and doing a few test battles could be fun, you could release it in a video for people to use, and you could always incorporate the Battle Tower functionality later for a later release.

On the other hand it may be fun to learn how the Battle Tower works.

Up to you of course though, I would feel torn as well.
Title: Re: Emulating the Mobile Adapter GB
Post by: Parzival on August 13, 2017, 07:16:44 pm
Question: If we connect to a server from a client, but it's over Dial-Up, is it still technically considered to be running on an actual adapter and therefore valid in TAS?
Title: Re: Emulating the Mobile Adapter GB
Post by: Háčky on August 15, 2017, 09:38:22 pm
Okay, “tomorrow” was two days ago, but I have this silly, old-fashioned obsession with factual accuracy and needed to recheck a bunch of things. I guess it would be easier if I posted more often… :)

Question: If we connect to a server from a client, but it's over Dial-Up, is it still technically considered to be running on an actual adapter and therefore valid in TAS?

I think more research is needed to determine accurate timings for the adapter ;D




HTTP authentication scheme
Nintendo’s mobile library will attempt to authenticate the user with the Mobile System GB server only when a POST request is made for http://gameboy.datacenter.ne.jp/cgb/upload or http://gameboy.datacenter.ne.jp/cgb/ranking, and only if the filename at the end of the URI begins with a number indicating a service fee (even if it’s ¥0).

Even when those conditions are met, the library has a bug that can cause it to fail to detect whether authentication is required:

Code:
; Find the string terminator at the end of the URI
.asm_1112a0
ld a, [hli]
or a
jr nz, .asm_1112a0

; Now back up and find the last slash
; Right now, hl points to the byte *after* the string terminator!
; If that byte happens to be a slash ($2F), this code may
; fail to properly detect whether this is a paid upload.
; There ought to be a “dec hl” here.
.asm_1112a4
ld a, [hld]
cp $2f
jr nz, .asm_1112a4

Since Pokémon Crystal does not erase the last URI in memory before writing the next in a series of requests, it is possible that the residual byte after the string terminator could be a slash if a previous URI was longer than the current one. A careful choice of URIs avoids this issue.

An authentication attempt begins by sending an HTTP GET request, to which the server responds with 401 Unauthorized and a WWW-Authenticate: GB00 name="…" header, where the name is an arbitrary 36-byte value encoded in Base64.

The game then sends another GET request, this time with the header Authorization: GB00 name="…", where the name is a concatenation of two separate Base64-encoded values: the first is the first 32 bytes from the WWW-Authenticate name, and the second is a 36-byte value determined by a byzantine procedure:
The first step necessitates that the server retains users’ plaintext passwords in order to calculate arbitrary MD5 hashes from them—unless the value in the WWW-Authenticate header is predetermined, which would allow the hash to be precalculated, but would make the rest of this shell game even more pointless as a successful authentication attempt could be replayed.

If the Authorization header is valid, the server responds with 200 OK and a Gb-Auth-ID header which contains an arbitrary string. The game then sends its POST request and includes the same Gb-Auth-ID header.


Pokémon News
A Pokémon News download begins by accessing http://gameboy.datacenter.ne.jp/cgb/download?name=/01/CGB-BXTJ/news/index.txt, a text file containing four URIs which are used to:
The cost of Pokémon News was ¥100 per issue. The fourth URI should be tagged with that cost so that it is displayed by the game; the two upload URIs should be tagged with a cost of ¥0 so that the game will authenticate and upload the data.


Metadata
The metadata file is an unstructured hodgepodge of variable-length fields, the boundaries of which can only be determined by parsing each field in its own unique way. In typical Game Freak style, the game makes no effort to validate the data received from the server or protect against buffer overflows. A malformed metadata file can certainly crash the game and corrupt the save file (I’ve done it more than once), and could probably execute arbitrary code.

Unique ID: This is a fixed-width field which, inexplicably, is 12 bytes long. If this ID is the same as the last News that was downloaded, then the download is aborted with the message 「あたらしい ニュースは ありません でした」 There was no new News.

Description: A text string, terminated with $50, that is displayed in the lower text box when the player is asked to confirm whether he or she wants to upload the save data and proceed with the News download.

Rankings save address: This 2-byte field contains the address where the rankings data will be stored in SRAM bank 6. Since the main News data will be written starting at 6:A000, the rankings data should be placed somewhere around 6:B000, such that the News does not overwrite the rankings.

Rankings metadata: This field begins with a 16-bit value denoting the length of the data that follows. The data is a series of 16-bit values, one for each rankings table that will be sent, indicating the width of a record in each rankings table. (For example, if there are 9 different rankings tables and each table contains 26-byte records, this field would be 12 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00.)

Save data selection: This is a list of the regions of save data that will be sent to the server. Each region is specified by four bytes: the first byte is an SRAM bank, the second and third are an address, and the fourth is the number of bytes to send. The end of the list is marked with $FF. The requested data is concatenated and uploaded as a binary file.

Rankings data selection: This specifies the data that will be submitted for the rankings. The rankings data is submitted as key–value pairs in the manner of an HTML form submission, with the values encoded in ASCII hexadecimal. Each key is a string literal (in ASCII?) terminated with $50 (ASCII "P"‽). Each value is specified with a bank number, address, and length in the same manner as the save data upload. The list of key–value pairs is terminated with $50 (i.e., an empty string where the name of the next key would be expected).

Although data can technically be read from anywhere in SRAM, there is a block of data at 5:A001–A082 which exists specifically for use in the rankings. With the exception of 5:A016–A017, which doesn’t seem to be referenced at all, this block comprises 2-, 3-, or 4-byte big-endian values which are managed by a series of functions in bank $41. (Except for the Battle Tower win counter, these functions are still called in the English version in the relevant situations, but they’ve been dummied out, and wouldn’t work anyway since SRAM bank 5 doesn’t exist.)

Address | Length | Description
A001 | 4 | Play time when last entered the Hall of Fame (2 bytes hours, 1 byte minutes, 1 byte seconds)
A005 | 4 | Step count when last entered the Hall of Fame
A009 | 3 | Number of times the party was healed when last entered the Hall of Fame
A00C | 1 | Extraneous byte copied from 5:A03C when last entered the Hall of Fame
A00D | 3 | Number of battles when last entered the Hall of Fame
A010 | 4 | Step count
A014 | 2 | Number of Battle Tower wins
A018 | 3 | Number of times TMs and HMs have been taught
A01B | 3 | Number of battles
A01E | 3 | Number of wild Pokémon battles
A021 | 3 | Number of Trainer battles
A024 | 3 | Unused
A027 | 3 | Number of Hall of Fame inductions
A02A | 3 | Number of wild Pokémon caught
A02D | 3 | Number of hooked Pokémon encounters
A030 | 3 | Number of Eggs hatched
A033 | 3 | Number of Pokémon evolved
A036 | 3 | Number of Berries and Apricorns picked
A039 | 3 | Number of times the party is healed
A03C | 3 | Number of times Mystery Gift is used
A03F | 3 | Number of trades
A042 | 3 | Number of uses of field move Fly
A045 | 3 | Number of uses of field move Surf
A048 | 3 | Number of uses of field move Waterfall
A04B | 3 | Number of times the player whited out
A04E | 3 | Number of Lucky Number Show prizes won
A051 | 3 | Number of Phone calls made and received
A054 | 3 | Unused
A057 | 3 | Number of Colosseum battles
A05A | 3 | Number of times player’s Pokémon used Splash
A05D | 3 | Number of tree Pokémon encounters
A060 | 3 | Unused
A063 | 3 | Number of Colosseum wins
A066 | 3 | Number of Colosseum losses
A069 | 3 | Number of Colosseum ties
A06C | 3 | Number of times player’s Pokémon used SelfDestruct or Explosion
A06F | 2 | Current streak of consecutive slot machine wins
A071 | 2 | Longest streak of consecutive slot machine wins
A073 | 4 | Total coins won from slot machines
A077 | 4 | Total money earned from battles (including Pay Day)
A07B | 2 | Largest Magikarp measured
A07D | 2 | Smallest Magikarp measured
A07F | 2 | Bug-Catching Contest high score
A081 | 2 | Bytewise checksum of A001–A080

There are functions which would increment the three-byte values at 5:A024, 5:A054, and 5:A060, but these functions don’t appear to be referenced even in the Japanese version.

5:A039 is incremented when the party is healed at a Pokémon Center, by the machine in Elm’s Lab, by Mr. Pokémon after giving the Mystery Egg, by Lance in the Rocket Hideout, by the old woman on Route 26, by resting in the bed on the S.S. Aqua, or before a Battle Tower or mobile Colosseum battle. It is not incremented when the party is healed after whiting out, by using a Sacred Ash, after winning or losing the first rival battle in Cherrygrove City, or after defeating the last Rocket Grunt in Slowpoke Well, Sailor Stanly on the S.S. Aqua, Lance at the Pokémon League, or Red at Mt. Silver.

The value from 5:A039 is then copied into 5:A009 when entering the Hall of Fame, but 4 bytes are copied rather than 3, so the high byte of the number of times Mystery Gift was used is copied into 5:A00C. (That byte will still always be $00, because Mystery Gift can’t be used more than 65535 times before the SRAM battery runs out. ;))

5:A05A and 5:A06C are incremented when the effect of the move is executed during the player’s turn, regardless of whether it was chosen by the player, chosen by a disobedient Pokémon, or called through Metronome, Mirror Move, or Sleep Talk.

Save data upload
The game uploads the save data as specified in the metadata file. The body of the server’s response is of no consequence.

Rankings upload
The game uploads the rankings data as specified in the metadata file. The server responds with the updated rankings tables. The game saves that data to the address specified in the metadata file. Each table begins with a 12-byte header:

Offset | Length | Description
$0 | 4 | Number of ranked players (big-endian)
$4 | 2 | Unknown
$6 | 4 | Player’s rank (big-endian; will be treated as unranked if this value is greater than the number of ranked players)
$A | 2 | Number of entries in the table (big-endian)

The number of ranked players may be greater than the number of entries in the table; e.g., 1000 players might be given ranks (shown only to themselves) even though the table only lists the top 10 (shown to everyone).

Each entry in the table is of the length specified in the metadata file. The first 24 bytes follow a fixed format and the remaining bytes (up to 4?) are the score value.

Offset | Length | Description
$00 | 7 | Trainer name
$07 | 1 | Prefecture (values assigned in gojūon order from $01 = Aichi-ken to $2F = Wakayama-ken)
$08 | 2 | Unknown
$0A | 1 | Age
$0B | 1 | Gender ($00 = male, $01 = female)
$0C | 12 | Message (six two-byte little-endian easy chat words)
$18 | ? | Score (big-endian)

News download
The game downloads the News issue, stores it at 6:A000, and then executes it.

Based on the historical accounts of Pokémon News (particularly Kakeru’s transcripts of the last seven issues (http://www2u.biglobe.ne.jp/~kakeru/pokemon2/mobile/)), which describe various quizzes, minigames, and rewards (including, of course, the GS Ball), it can be surmised that the News involves a scripting language with many different commands. Without access to any of the original News downloads, it could be quite a challenge to determine how the data is packaged and what the available commands are, and then reconstruct something resembling a News issue.



Good news, everyone! Game Freak left us some samples in ROM bank $7D.

There are three unused functions in that bank which each copy a different block of data to 6:A000. If a News issue has already been downloaded, these functions overwrite it with data from the ROM. (If no News had been downloaded, the game will say 「まえの ニュースが ありません!」 “There is no old NEWS…” when attempting to view it. This can be manually overridden by setting 5:AA72 to $01.)

This data in the ROM does not include any of the metadata or rankings tables, only the main News download. (This means we don’t know what data from the save file would be requested by the server, or what message would be displayed before downloading the News.) Also, disappointingly, none of the text of these News issues was translated in Vietnamese Crystal.

Here’s a video showing each of the News issues found in the ROM. (https://www.youtube.com/watch?v=CmvFT4PLAMQ)


Trainer Rankings
A News issue entitled 「トレーナーランキング」 Trainer Rankings appears at 7D:5C6B in the Japanese ROM and at 7D:5DB4 in the localized ROMs. The function to copy this data into SRAM is at 7D:5C56 in the Japanese ROM and at 7D:5D9F in the localized ROMs.

This is the simplest News issue found in the ROM, having no features other than the rankings. It matches the screenshots on pages 25–26 of the Pocket Monsters: Crystal Version: Mobile Guide (ポケットモンスター クリスタルバージョン モバイルのてびき) packaged with the Mobile Adapter GB.

The main menu has four options:
Name | Description
「ランキング を みる」 View Rankings | 「いろいろな ランキングが みれます」 View the different rankings.
「ランキング の せつめい」 Rankings Description | 「ランキングの せつめいです」 A description of the rankings.
「ランキング の こうしん」 Update Rankings | 「さいしんの ランキングを ダウンロード します」 Download the latest rankings.
「やめる」 Quit | 「ニュースを みるのを やめます」 Quit viewing the News.

The background music for these menus is “Elm Pokémon Lab”.

Quit (or pressing B) returns to the News Machine menu. Update Rankings downloads the News metadata from the server, and then proceeds to submit the save data and rankings again only if the unique ID of the News issue has not changed. The description of the rankings says:

Quote
3つの テーマで ランキング!
いま おくった レポート からも
なにかが ランキングに はいって
いるかも しれません!

Rankings in three categories!
Now something from the save file you sent could be in the rankings!

View Rankings brings up a submenu to select from three ranking categories:
In each category, there are three rankings:
The latter two rankings would depend on the prefecture and the three-digit prefix of the postal code entered in the Mobile Profile. If the player has opted not to enter a postal code, it’s treated as 000 (no actual Japanese postal code starts with 000).

The first of the downloaded rankings tables is expected to contain the national ranking for Colosseum wins, the second one the prefectural ranking for the same, the fourth one the national ranking for the Bug-Catching Contest, et cetera.

Selecting any ranking shows the top 10 entries; for each entry, the trainer name, score, gender, age, prefecture can be seen, as well as the message they set in the Mobile menu. At the bottom of each top-10 ranking, the player can see their own current score (read from the corresponding address in SRAM: 5:A063 for the Colosseum, 5:A07F for the Bug-Catching Contest, and 5:A07B for the largest Magikarp) and ranking (as of the last rankings download, so not necessarily consistent with the score read from SRAM). If the player is not ranked, their score is followed by the message 「ランクイン しなかった… ざんねん…」 You were not ranked… Sorry…

The message 「ランキングデータが ありません[。] ランキングの こうしんを するば みることが できます」 There is no rankings data. You can see it by updating the rankings. appears in this News data (and all the other ones, too), but I don’t know what circumstances would cause it to appear.

In the Japanese ROM only, there is a near-identical copy of this News data at 7E:4000. (In the localized ROMs, bank $7E instead contains data for the offline Battle Tower and Odd Egg event.) The only difference is that the copy at 7E:4000 is missing four bytes at offset $002. Two of these missing bytes represent the length of the remaining data and the other two bytes are a bytewise checksum of that data. Since the checksum fails, the game refuses to load this version of the data, saying 「ニュースの データが こわれています[。] よみこみ なおして ください」 “The NEWS data is corrupted. Please download the NEWS again.”


Trainer Rankings (bis)
Another News issue entitled 「トレーナーランキング」 Trainer Rankings appears at 7D:4015 in the Japanese ROM and 7D:4018 in the localized ROMs. The corresponding function to copy this data into SRAM is at 7D:4000 in the Japanese ROM and 7D:4003 in the localized ROMs.

The most obvious difference between this News issue and the other one is that the main menu has an additional option called 「ポケモンなきごえクイズ」 Pokémon Cries Quiz, with the description 「ポケモンの なきごえを あててね!」 Guess the Pokémon cries!. The quiz has ten Pokémon to choose from: Suicune, Clefairy, Spearow, Gastly, Togepi, Zubat, Jynx, Espeon, Mewtwo, and Dunsparce. For each one, the player can listen to three different cries and guess which one is the correct cry for that Pokémon. There’s no scoring and no reward for guessing correctly. The background music for the quiz is “Hurry Along 2”.

The rankings menus have several changes:

The Update Rankings option has been…updated…to give some feedback after the download: If successful, 「ランキングの こうしんを しました!」 Rankings update done! If the news ID has changed, 「ランキングの こうしんに しっぱい… あたらしい ニュースを よみこんで ください」 Rankings update failed… Please load the new News. If cancelled by the user (or an error occurs?), 「ランキングの こうしんを やめました」 Rankings update cancelled.

The category Number of Colosseum wins has been replaced by 「バトルタワーで かった かいすう」 Number of Battle Tower wins. Notably, this ranking tries to read the player’s score from the unused location 5:A016, rather than the correct address 5:A014.

The local rankings now have the player’s prefecture and postal code in the title of the rankings (e.g., mine are called 「とうきょうと の ランキング」 and 「〒000 の ランキング」 because I set my prefecture to Tōkyō-to and didn’t set a postal code).

Selecting a blank entry in the top 10 now displays the message 「ここには だれも ランクイン してません」 No one is ranked here.

If the player’s score in any ranking is checked using the 「[player’s name] の じゅんい」 option and the player is #1 in that ranking, this message is displayed:

Quote
ランキングで トップを とった
あなたに…
すてきな プレゼントが あります
おたのしみに!

For earning the top spot in the ranking…
Here is a wonderful gift! Enjoy!

This triggers the GS Ball event; the player will receive the GS Ball upon leaving the PokéCom Center.


Pokémon News Debug Starting Issue
A News issue entitled 「ポケモンニュース デバッグかいしごう」 Pokémon News Debug Starting Issue appears only in the Japanese ROM at 7D:4DD0. The function to copy this data into SRAM is at 7D:4DBB.

The main menu options are:
Name | Description
「トレーナーランキング」 Trainer Rankings | 「いろいろな ランキングが みれます」 View the different rankings.
「ポケモンなきごえクイズ」 Pokémon Cries Quiz | 「ポケモンの なきごえを あててね!」 Guess the Pokémon cries!
「ゲーフリからのメッセージ」 Message from Game Freak | 「ゲームフリークからの メッセージです」 A message from Game Freak.
「やめる」 Quit | 「ニュースを みるのを やめます」 Quit viewing the News.

Trainer Rankings leads to a submenu identical to the first Trainer Rankings news data. The Pokémon Cries Quiz is identical to the one in the second Trainer Rankings news data. The Message from Game Freak could probably be translated better by someone who knows what they’re doing, but I’ll give it a shot:

Quote
さわやかな あきかぜが ふきぬける
きょう このごろですが
みなさま いかが おすごしで
いらっしゃいますでしょうか

われわれ クリスタルチームは
まいにち みぎてに マウス
ひだりてに こぶしを にぎりしめ
ねむくなれば おたがいを なぐり
かんせいに むけて はげんでおります

この ニュースは デバッグように
つくられて おります

ですので なきごえクイズなどでも
『ずかんにない ポケモンが!
…という ごしんぱいは
ごむようで ございます

それでは ひきつづき ニュースの
デバッグを よろしく おねがいします

もちろん ほかのところも
よろしく おねがいします
……… ……… ………

As the refreshing autumn breeze now blows through, is everyone getting along well?

Every day our Crystal Team is striving to finish the game, with our right hands holding our mice, and our left hands clenched in fists to hit each other if we get sleepy.

We made this News for debugging use.

Thus, in the Cries Quiz for example, you don’t need to worry about things like, “That Pokémon’s not in the Pokédex!”

That said, we ask that you continue with debugging the News.

Of course, we’d like you to work on other things as well…

This message seems to be directed at Nintendo’s product testers, which suggests it may have been deliberately included in the final build that Game Freak submitted for testing. The background music for the message is “National Park”.


Pokémon News First Issue
In the localized ROMs, the Pokémon News Debug Starting Issue is replaced by an entirely different issue entitled 「ポケモンニュース そうかんごう」 Pokémon News First Issue, found at 7D:4DD3. The function to copy this data into SRAM is at 7D:4DBE.

The fact that it appears in the localized ROMs and not the Japanese ROM suggests it may have been developed after the Japanese ROM was finalized. The name implies that it could be the actual first issue of Pokémon News that was published when the Mobile System GB launched in January 2001. However, I don’t think it is, because it contains the same script as the second Trainer Rankings data for awarding the GS Ball to a player who is #1 in any ranking, and I’m not aware of any documentation that the GS Ball was actually distributed in this manner.

The main menu options are:
Name | Description
「ニュースガイド」 News Guide | 「よみこんだ ニュースを かんたんに せつめいします」 A brief description of the loaded News.
「トレーナーランキング」 Trainer Rankings | 「3つの テーマで ランキングを します!」 Rankings in three categories!
「ポケモンカルト」 Pokémon Cult | 「これまでの ぼうけんを どこまで おもいだせるか テストします!」 Test how well you remember your adventure so far!
「やめる」 Quit | 「ニュースを みるのを やめます」 Quit viewing the News.

The News Guide says:

Quote
ポケモンニュース そうかんごうでは
トレーナーランキングと
ポケモンカルトクイズで
おたのしみ ください!

あなたの ランキングの せいせきは
ランキングの こうしんを すれば
なんどでも かきかえられるので
がんばれば トップに なれるかも!

In the Pokémon News First Issue, please enjoy Trainer Rankings and the Pokémon Cult Quiz!

Your rankings can be updated as many times as you like; try your best and you might reach the top!

The Trainer Rankings submenu is pretty much the same as the second Trainer Rankings data (including the GS Ball reward), except that the player’s score for Number of Battle Tower wins is read from the correct address, 5:A014. The menu items have been rearranged and most of the descriptions rewritten:

Name | Description
「ランキング を みる」 View Rankings | 「いろいろな ランキングが みれます」 View the different rankings.
「ランキング の こうしん」 Update Rankings | 「ランキングを よみこみなおします あなたの せいせきも かわります」 Reloads the rankings. Your results will also change.
「ランキング の せつめい」 Rankings Description | 「こんかいの ランキングの テーマに ついて せつめいします」 Describes the current rankings categories.
「やめる」 Quit | 「さいしょの ページに もどります」 Return to the first page.

The Rankings Description is more descriptive:

Quote
バトルタワーで かった かいすうは
40ばんどうろの バトルタワーで
あなたが これまでに なんにんの
トレーナーとの しょうぶに かったか
にんずうで きそいます

コイキングの おおきさは
いかりのみずうみに いる
つりめいじんに はかってもらった
コイキングの うち いちばん
おおきかった もので きそいます

むしとりたいかい こうとくてんは
しぜんこうえんで おこなわれる
むしとりたいかいで これまでに
とった いちばん たかい
てんすうで きそいます

“Number of Battle Tower wins” is ranked by the number of trainers you’ve won battles against so far in the Battle Tower on Route 40.

“Size of caught Magikarp” is ranked by the largest Magikarp measured by the Fishing Guru at Lake of Rage.

“Bug-Catching Contest high score” is ranked by the highest score earned so far in the Bug-Catching Contest held in the National Park.

The Pokémon Cult Quiz, unlike the cries quiz, is a proper quiz with scoring. Ten multiple-choice questions are presented in sequence, varying from mildly obscure (Is Mom’s specialty a Cinnabar Volcano bakemeat burger, curry, or yakisoba?) to incredibly obscure (How many times did Earl spin around before he entered the Pokémon Academy?). After you’ve answered all of the questions, Professor Oak evaluates your performance, although he doesn’t give any reward. The background music during the quiz is “Goldenrod Game Corner”, and the music for the evaluation is “Pokégear Radio: Professor Oak’s Pokémon Talk”.


News data structure
While I haven’t yet endeavored to write my own fake news, I have done some basic analysis of the structure of the existing data:

Header
The data has a six-byte header; the first two bytes are 00 A0, the next two bytes are a bytewise checksum of the data (excluding the header), and the final two bytes are the length of the data (excluding the header). As mentioned above, the duplicate News data at 7E:4000 in the Japanese ROM omits these checksum and length values, and therefore doesn’t work in the final game.

Screen data
Data for the opening screen of the News issue begins immediately after the header. Other screens use the same data structure, which may be placed anywhere in the file and called using script command $01.

Length | Description
-------|------------
1 | Background music ID
1 | Number of custom palettes
 | Custom palette data. Four two-byte color values. Repeat × number of custom palettes.
1 | Number of boxes to draw
 | Box data. The first two bytes are origin x and y coordinates, the next two bytes are length and width, the fifth byte is the border type, and the sixth byte is the palette. Repeat × number of boxes to draw.
1 | Number of strings to print
 | Position to print a string, expressed as an offset into the screen buffer, followed by the string itself ($50-terminated). Repeat × number of strings to print.
12 | Menu origin x and y coordinates, number of columns and rows, column width and row height, plus six more bytes of menu parameters?
16 | Offsets to script data for each of the eight joypad buttons (A B Select Start ← → ↑ ↓). These offsets are relative to the start of the current screen data. The value $FFFF is used for a button which has no script.
1 | Number of menu items.
4 | Position to print menu descriptions, expressed as an offset into the screen buffer, and width and height of the area to be blanked before printing a description. (The blanked area begins one row above the given text position, to account for diacritics.)
1 | If not $00, loads the rankings table specified in 0:CD62. (That address should have been set by a script on the prior screen.)
 | Pointer to the name of each menu item. Repeat × number of items.
 | Pointer to script data for each menu item. Repeat × number of items.
 | Pointer to description text for each menu item. Repeat × number of items.

If anyone wants to have a go at documenting the News script commands, they’re in Jumptable17d72a in pokecrystal’s misc/mobile_5f.asm. Also of interest is the text character $15, which invokes another, smaller scripting language within a text string; this is used extensively in the Pokémon News data to insert variables into strings. Those commands are defined by the jumptable in Function17f047.
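
Added example, not part of the original post and not Háčky's script: a bounds-checked reader for the six-byte header and the first part of the screen data described above (music ID through the strings). The post does not state byte order, the checksum width, or the size of a string's position field, so little-endian fields, a 16-bit sum of the body bytes, and a two-byte position are assumptions, and all names here are hypothetical.

```python
import struct

class NewsError(ValueError): pass  # raised when a structural check fails

class Reader:
    """Cursor over bytes that refuses to read past the end of the buffer."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise NewsError(f"truncated: need {n} bytes at offset {self.pos}")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def u8(self):
        return self.take(1)[0]
    def text(self):
        end = self.buf.find(b"\x50", self.pos)      # strings are $50-terminated
        if end < 0:
            raise NewsError("unterminated string")
        return self.take(end - self.pos + 1)[:-1]   # consume terminator, drop it

def parse_header(blob, order="<"):
    """Validate the six-byte header and return the body it describes."""
    if len(blob) < 6 or blob[:2] != b"\x00\xa0":
        raise NewsError("bad header")
    checksum, length = struct.unpack(order + "HH", blob[2:6])
    body = blob[6:6 + length]
    if len(body) != length:
        raise NewsError("length field exceeds available data")
    if sum(body) & 0xFFFF != checksum:              # assumption: 16-bit byte sum
        raise NewsError("checksum mismatch")
    return body

def parse_screen_prefix(body, order="<"):
    """Parse screen data from the music ID through the last string."""
    r = Reader(body)
    screen = {"music": r.u8()}
    screen["palettes"] = [struct.unpack(order + "4H", r.take(8)) for _ in range(r.u8())]
    screen["boxes"] = [tuple(r.take(6)) for _ in range(r.u8())]
    screen["strings"] = []
    for _ in range(r.u8()):
        (pos,) = struct.unpack(order + "H", r.take(2))  # assumption: 2-byte offset
        screen["strings"].append((pos, r.text()))
    screen["next_offset"] = r.pos                   # menu parameters start here
    return screen

# Constructed sample (not real News data): music 5, no palettes, 1 box, 1 string.
SAMPLE_BODY = bytes([5, 0, 1, 0, 0, 20, 4, 1, 0, 1, 0x29, 0x00, 0x87, 0x88, 0x50])
SAMPLE = b"\x00\xa0" + struct.pack("<HH", sum(SAMPLE_BODY), len(SAMPLE_BODY)) + SAMPLE_BODY
```

Every count byte is checked against the remaining buffer before it is used, so a crafted palette, box or string count fails with NewsError instead of reading past the data.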
Title: Re: Emulating the Mobile Adapter GB
Post by: ravioli on August 16, 2017, 09:48:30 am
Cool! I've backed up all your documentation on http://42chan.org/mgb/gb.html. I always have a server if you need it for emulating the GB adapter.
Title: Re: Emulating the Mobile Adapter GB
Post by: Wack0 on August 16, 2017, 04:26:07 pm
I wonder how awkward that MD5 implementation is...

Game Freak's parser bugs don't surprise me. An RCE vector here would allow for some interesting custom servers; however RCE via trades exists too, which would be the more dangerous, in my opinion, as any player could trigger it. I guess a custom server would have to somehow detect it (given this RCE vuln would be in the P2P communication with "phone numbers" etc).

And now I'm thinking about a server with its own partial GB emulator, MITMing the connection if it detects an RCE via trading, and specifically implementing GB Mobile Adapter emulation itself so the payload can get any further data... Saved off for further reversing/analysis of course.
Title: Re: Emulating the Mobile Adapter GB
Post by: ISSOtm on August 16, 2017, 05:40:49 pm
Maybe when Mobile Adapter GB emulation is finished, a patch should be distributed to modify the ROM to add some checking?
Also, is there any chance to allow homebrew games to use the Adapter? I know I'm getting ahead of everything, but...
Title: Re: Emulating the Mobile Adapter GB
Post by: ajxpk on August 17, 2017, 05:50:48 am
Hey @Háčky. Finally I decided to register here. I've been following this project for quite a while now and I think it's great.
Even knowing that this is something for the future... how awesome it would actually be to see people battling and trading online on servers using the Japanese Crystal Version?

There's one thing I wanted to ask you about, is there any chance you might update the Python Script from last year to support the News System?
Possibly so that it downloads the so-called "First Issue" from the localized versions? I mean it's unlikely that we would be able to reconstruct what was actually distributed, even some of the later News have been documented by Kakeru... but there might be small details missing. I think with the "first issue" we are as close as we could get IMO.
Title: Re: Emulating the Mobile Adapter GB
Post by: catsinabucket on August 22, 2017, 02:29:45 am
Hi!

Like ajxpk, I have also just registered here and have been watching this for a while.

I just wanted to ask, does the mobile link cable itself work much differently to a standard link cable? (Apologies if this has already been said)

I ask because I have seen a product that allows a Game Boy to interface with an Arduino board and the like via a link cable (https://www.tindie.com/products/Fchaos/gameboy-coloradvancesp-link-cable-breakout-board/?pt=full_prod_search), and I was wondering if it would be possible to use this to emulate the Mobile Adapter with physical hardware.

Thanks, and keep up the good work! Really excited to see where this will go :)
Title: Re: Emulating the Mobile Adapter GB
Post by: Parzival on August 22, 2017, 07:08:13 am
Think of the standard link cable like connecting two PCs via a Local Area Network, while the Mobile Adaptor GB is like connecting them via modem. Because that's literally what you're doing.
Title: Re: Emulating the Mobile Adapter GB
Post by: ravioli on September 03, 2017, 03:05:22 pm
What happened to this? How is your progress Hacky?
Title: Re: Emulating the Mobile Adapter GB
Post by: wintiger0222 on October 30, 2017, 04:55:28 am
(https://imgur.com/3tJAhBt.png)
Well, I think there is no advancing here, well. (Well, I think advance is not the proper word, well)

I'm translating Crystal into Korean, and at the same time I tried to fix the mobile functions.
(This is why there is no English in the image)
Many mobile functions work well, and some things do not.

I wrote some things, with very very poor English grammar, that I have figured out.

mobile_5b.asm/Function16c000
Mobile protocol test when booting the game.

mobile_46.asm/Function11ac3e
Selects the wanted Pokémon at the Pokecom mobile trade. (Is this the right name?)
The attached screenshot shows this function working.
Sadly, because of the Japanese name length limit, this causes a crash.
To make this work, you should change "ld a, $6" into "ld a, $B" (part of ".asm_11b2e7") and erase the first "call Placestring" at "Function11b242"; then this will work in the English version.

It looks like it returns the value of which Pokémon was chosen.

mobile_40.asm/Function101231
Mobile Trade by Dialing

This seems to work perfectly even when using the English version.
(I tested this with Hacky's Python script)

mobile_40.asm/Function101225
Mobile Battle by Dialing

This also seems to work, but I couldn't test this.
Title: Re: Emulating the Mobile Adapter GB
Post by: ravioli on November 01, 2017, 04:36:27 pm
How exactly are you trying to ''fix the mobile functions''?
Title: Re: Emulating the Mobile Adapter GB
Post by: wintiger0222 on November 03, 2017, 03:09:10 am
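How exactly are you trying to ''fix the mobile functions''?

Well, I'm trying to make this stable.

  • Replace the PokeCom Center of Goldenrod City.
  • Enable SRAM banks 4-7, which are related to the Mobile GB System.
  • Insert assembly code related to mobile.
  • Figure out the purpose of the dummied-out mobile functions.
  • Translate.

These are what I'm doing or have done now.
However, I'm doing this while making a Korean fan translation of Crystal version, so the 'Translation' means Korean.
But my Korean fan translation is based on the English version, so it could be adapted for the English version.

  • Move pointer addresses which cause glitches (mostly the player's name)
  • Make a simulator of the Mobile Adapter and a private server (if it can)
  • Write scripts related to mobile events like the GS Ball event
  • Apply these to the English version, if I have enough time.

And this is what I'm supposed to do.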
Title: Re: Emulating the Mobile Adapter GB
Post by: ravioli on November 04, 2017, 09:37:47 pm
How exactly are you trying to ''fix the mobile functions''?

Well, I'm trying to make this stable.

  • Replace the PokeCom Center of Goldenrod City.
  • Enable SRAM banks 4-7, which are related to the Mobile GB System.
  • Insert assembly code related to mobile.
  • Figure out the purpose of the dummied-out mobile functions.
  • Translate.

These are what I'm doing or have done now.
However, I'm doing this while making a Korean fan translation of Crystal version, so the 'Translation' means Korean.
But my Korean fan translation is based on the English version, so it could be adapted for the English version.

  • Move pointer addresses which cause glitches (mostly the player's name)
  • Make a simulator of the Mobile Adapter and a private server (if it can)
  • Write scripts related to mobile events like the GS Ball event
  • Apply these to the English version, if I have enough time.

And this is what I'm supposed to do.

That sounds awesome! If you want to work with me you can contact me on discord, I would love to help you out
https://discord.gg/vHwmNBY