Author Topic: Unused Pokémon Colosseum “TEST” program in FR/LG/E  (Read 1634 times)


Háčky
  • Distinguished Member
  • Pick which packet as an error?
Unused Pokémon Colosseum “TEST” program in FR/LG/E
« on: February 05, 2015, 10:41:10 pm »
While poking around in Emerald’s ROM, I noticed that at $9AA144, there’s a multiboot payload—a program designed to be transferred over the Link Cable to a connected GBA—with a header using the game ID “TEST”. (This ID is “BPEE” for Emerald, “AXVE” for Ruby… The string “TEST” is at offset $AC of the header, or $9AA1F0.)

The actual program is compressed using the LZ77 method built into the GBA BIOS, so for anyone who wants to look at it, I’ve put the decompressed file in the attachment to this post (frlge-TEST.bin). Looking at it in a sprite viewer, the file includes a complete copy of Ruby and Sapphire’s fonts, including the unused Unown font. It also contains a bunch of text in the Generation III games’ character encoding, starting at $1FDA8 of the decompressed file. Some of the latter messages hint at the origin of this program:

Quote
The save filehas been deleted...
The save file is corrupted.
There is no save file.
Please select \v0 POKéMON.
Please select a POKéMON.
Do what with \v4?
SWITCH
SEND OUT
SUMMARY
CANCEL
SELECT
DESELECT
POKéMON SKILLS
BATTLE MOVES
TYPE
HP
ATTACK
DEFENSE
SP. ATK
SP. DEF
SPEED
NONE
BERRY
CANCEL
INFO
-
--
---
POWER
ACCURACY
CANCEL
STATUS
 
No. \v0
Select additional POKéMON!
FIGHT
GIVE IN
POKéMON
What will
\v4 do?
PP
MOVE TYPE
NORMAL
FIGHT
FLYING
POISON
GROUND
ROCK
BUG
GHOST
STEEL
???
FIRE
WATER
GRASS
ELECTR
PSYCHC
ICE
DRAGON
DARK
Will you give in?
Yes
No
\v4 can’t be
switched out!
FOE \v0’s SHADOW TAG stops
\v4 from switching out!
FOE \v0’s ARENA TRAP stops
\v4 from switching out!
FOE \v0’s MAGNET PULL stops
\v4 from switching out!
\v4’s \v0 is disabled!
\v4 can’t use the same
move in a row due to the TORMENT!
\v4 can’t use
\v0 after the TAUNT!
\v4 can’t use the
sealed \v0!
CHOICE BAND allows the
use of only \v0!
There’s no PP left for
this move!
\v4 has no energy
left to battle!
\v4 is already
in battle!
\v4 has already been
selected.
You can’t switch \v4’s
POKéMON with one of yours!
\v4 has no
moves left!
CHARMANDER
KANGASKHAN
TYPHLOSION
Link standby...
Linking...
Please don’t turn off the power.
Save failed.
The link was interrupted.
This Game Pak cannot be linked to
POKéMON COLOSSEUM.
This Game Pak cannot trade with
POKéMON COLOSSEUM.
Receiving move data...
Sending POKéMON data...
Receiving battle POKéMON data...
Receiving battle data...
Start POKéMON trade.
End POKéMON trade.
Sending POKé COUPONS...
Receiving POKé COUPONS...
Your Berry Program was updated.
Unable to update Berry Program.

The word “filehas” on the first line is their typo, not mine, and I’m not sure what’s so special about Charmander, Kangaskhan, and Typhlosion. (Maybe they were used to test message lengths.)

There are a few other pieces of text in the file. Bizarrely, the strings “MALICIOSO” and “GIRO FUEGO” appear at $1FBFC; those are the Spanish names of the moves Leer and Fire Spin. Also, the ASCII strings “pokemon ruby version” and “pokemon sapphire version” each appear twice near the end of the file. (Amusingly, TCRF notes the fragments of this text, as they appear within the compressed block, and calls them an “Obvious leftover from when Pokemon Ruby and Sapphire were being developed.” Not so obvious now, is it? :D)

This program was definitely based on, but is not identical to, the program that Pokémon Colosseum runs on connected GBAs for multiplayer battles and trades. Colosseum’s multiboot program also uses the game ID “TEST”—despite being used in the final version! I extracted this program from both the NTSC and PAL versions of Colosseum, and will include those decompressed files in the attachment as well for anyone who wants to try to see what the differences actually are.

(The PAL version of Colosseum actually contains six copies of the “TEST” program. One is identical to the NTSC version, and the other five are in the PAL version’s five supported languages, including a second, different English copy. That’s the one I’ve named “colo-TEST-pal-en.bin”.)

The English FireRed and LeafGreen contain exactly the same program as Emerald, and identical copies—still with English text—are in the European localizations of FireRed, LeafGreen, and Emerald. As far as I can tell, there is no equivalent to this program in the Japanese versions: the only GBA header in those ROMs, other than the cartridge header itself, is the one for the Ruby/Sapphire Berry glitch fix (which uses game ID “AGBJ”, which was probably some sort of default but also actually represents the game GetBackers Dakkanya: Jigoku no Scaramouche).

Since it’s missing from the Japanese versions and untranslated in others, it seems fairly clear that this program isn’t used in the final game, but I can’t understand what it could possibly have been used for. When a GBA is linked with Pokémon Colosseum, Colosseum itself sends the required program to the GBA. What exactly would be accomplished by sending Colosseum’s link-battle program from a GBA running FireRed/LeafGreen to another GBA? The best theory I can think of is that Nintendo of America was experimenting with adding a single-cartridge multiplayer feature to FireRed and LeafGreen, based on the code from Colosseum. But that seems unlikely; is there an obvious explanation I’m missing?
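The “LZ77 method built into the GBA BIOS” that the post decompresses with is a small, fixed container, so here is an added decoder plus a minimal encoder for it. This is example code written for this page, not code from the original post, from the games or from any tool the thread mentions; the layout follows the BIOS SWI 0x11/0x12 format (type byte 0x10, 24-bit little-endian size, flag byte per eight tokens, 4-bit length and 12-bit displacement), the sample input is constructed, and the function names and the `vram_safe` option are my own.

```python
"""GBA BIOS LZ77 container, as consumed by SWI 0x11 (LZ77UnCompWram) and
SWI 0x12 (LZ77UnCompVram).

Header: byte 0 = 0x10 (type), bytes 1..3 = decompressed size, little-endian.
Body: one flag byte, then eight tokens read MSB first.  A flag bit of 1 is a
2-byte back-reference (high nibble = length-3, remaining 12 bits = disp-1);
a 0 bit is a single literal byte."""

WINDOW = 4096      # 12-bit displacement field: disp-1 in 0..0xFFF
MAX_MATCH = 18     # 4-bit length field: len-3 in 0..0xF


def lz77_decompress(data: bytes) -> bytes:
    """Decode one block, refusing malformed input instead of reading out of bounds."""
    if len(data) < 4 or (data[0] & 0xF0) != 0x10:
        raise ValueError("not a GBA BIOS LZ77 block (type nibble must be 1)")
    out_size = int.from_bytes(data[1:4], "little")
    out = bytearray()
    pos = 4
    while len(out) < out_size:
        if pos >= len(data):
            raise ValueError("truncated block")
        flags = data[pos]
        pos += 1
        for bit in range(8):
            if len(out) >= out_size:
                break
            if flags & (0x80 >> bit):
                if pos + 2 > len(data):
                    raise ValueError("truncated back-reference")
                b1, b2 = data[pos], data[pos + 1]
                pos += 2
                length = (b1 >> 4) + 3
                disp = (((b1 & 0x0F) << 8) | b2) + 1
                if disp > len(out):
                    raise ValueError("back-reference points before start of output")
                # Byte-wise copy so overlapping references (disp < length) repeat correctly.
                for _ in range(length):
                    out.append(out[-disp])
            else:
                if pos >= len(data):
                    raise ValueError("truncated literal")
                out.append(data[pos])
                pos += 1
    return bytes(out[:out_size])


def is_valid_block(data: bytes) -> bool:
    """True if the block decodes cleanly; used to reject corrupt payloads."""
    try:
        lz77_decompress(data)
        return True
    except ValueError:
        return False


def lz77_compress(raw: bytes, vram_safe: bool = True) -> bytes:
    """Greedy encoder producing a block the decoder above (and the BIOS) accepts.
    vram_safe keeps disp >= 2 because the VRAM variant writes 16-bit units and
    cannot copy from the byte immediately before the write position."""
    if len(raw) >= 1 << 24:
        raise ValueError("size does not fit the 24-bit header field")
    min_disp = 2 if vram_safe else 1
    out = bytearray([0x10]) + len(raw).to_bytes(3, "little")
    pos = 0
    while pos < len(raw):
        flags = 0
        group = bytearray()
        for bit in range(8):
            if pos >= len(raw):
                break
            best_len, best_disp = 0, 0
            for cand in range(max(0, pos - WINDOW), pos - min_disp + 1):
                n = 0
                while n < MAX_MATCH and pos + n < len(raw) and raw[cand + n] == raw[pos + n]:
                    n += 1
                if n > best_len:
                    best_len, best_disp = n, pos - cand
            if best_len >= 3:
                flags |= 0x80 >> bit
                group += bytes([((best_len - 3) << 4) | ((best_disp - 1) >> 8),
                                (best_disp - 1) & 0xFF])
                pos += best_len
            else:
                group.append(raw[pos])
                pos += 1
        out.append(flags)
        out += group
    return bytes(out)


# Constructed sample input (not from the ROM): repeated message text plus all byte values.
SAMPLE = (b"Please don't turn off the power. " * 4 + bytes(range(256))
          + b"Link standby... Linking... Link standby...")

if __name__ == "__main__":
    packed = lz77_compress(SAMPLE)
    print(len(SAMPLE), "->", len(packed), "bytes; round-trip ok:",
          lz77_decompress(packed) == SAMPLE)
```

The hand-built block `10 06 00 00 20 61 62 10 01` is a useful sanity check: two literals followed by a length-4, displacement-2 reference yield `ababab`, which exercises the overlapping-copy case the byte-wise loop exists for.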

Wack0
  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • cBRH - Doing nothing since 2k7
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #1 on: February 06, 2015, 04:36:49 am »
Interesting. Can you provide the Berry Glitch fix ROMs from FR/LG/Emerald as well? Would be interesting for me to reverse when I get the time, unless you already did and know what caused the Berry Glitch, and how the fix was done?
« Last Edit: February 06, 2015, 04:37:00 am by Wack0 »
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchive · SoftHistory Forums · irc.rol.im #galaxy, #softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Háčky
  • Distinguished Member
  • Pick which packet as an error?
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #2 on: February 06, 2015, 07:48:34 am »
Quote from: Wack0
Interesting. Can you provide the Berry Glitch fix ROMs from FR/LG/Emerald as well?
Sure. The Japanese, English, and European versions of the fix differ, but all are unchanged from FireRed/LeafGreen to Emerald. The fourth file I’ve included is the fix from the Japanese e-Reader cards 16-A001 and 16-A002. I haven’t really looked at the various GameCube discs that provided the fix, but if the above text dump is to be believed, Colosseum’s version of the fix is part of the “TEST” program.

Quote from: Wack0
Would be interesting for me to reverse when I get the time, unless you already did and know what caused the Berry Glitch, and how the fix was done?
That was what I was trying to find out when I ran into this. (The “TEST” code immediately follows the “AGBJ” Berry glitch fix in the FR/LG/E ROMs.) I haven’t learned much of anything yet, because I started out by looking at the Japanese e-Reader version of the fix. That was a poor choice, because in order to squeeze it onto two e-Reader cards, it makes heavy use of calls to the game’s own functions in ROM (only possible because, unlike the international releases, there was only one ROM version of Ruby/Sapphire in Japan; this was probably among the reasons why equivalent cards weren’t made for the English version). The version-independent fixes from the Western games should be easier to analyze.

Wack0
  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • cBRH - Doing nothing since 2k7
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #3 on: February 06, 2015, 09:49:09 am »
Just disassembled AGBJ (English), and it seems to set stuff up and immediately jump into thumb mode, into something past the end of the ROM...
« Last Edit: February 06, 2015, 10:00:49 am by Wack0 »

SatoMew
  • Member+
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #4 on: February 06, 2015, 01:24:08 pm »
Since the Berry glitch has been mentioned, does anyone know the full details on the Berry Program Update? I never used it and lack the hardware to test it, plus I haven't had much luck with VBA Link, where I get a white screen after sending the patch to the Ruby or Sapphire game.

Wack0
  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • cBRH - Doing nothing since 2k7
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #5 on: February 06, 2015, 01:41:35 pm »
Quote from: SatoMew
Since the Berry glitch has been mentioned, does anyone know the full details on the Berry Program Update? I never used it and lack the hardware to test it, plus I haven't had much luck with VBA Link, where I get a white screen after sending the patch to the Ruby or Sapphire game.

...this is basically what we're discussing. White screen sounds like maybe the real hardware does something different. Which would explain it jumping to beyond the end of the ROM.

Kraust
  • GCLF Member
  • Random Lurker + Researcher
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #6 on: February 06, 2015, 04:43:16 pm »
Quote from: SatoMew
Since the Berry glitch has been mentioned, does anyone know the full details on the Berry Program Update? I never used it and lack the hardware to test it, plus I haven't had much luck with VBA Link, where I get a white screen after sending the patch to the Ruby or Sapphire game.

Quote from: Wack0
...this is basically what we're discussing. White screen sounds like maybe the real hardware does something different. Which would explain it jumping to beyond the end of the ROM.

Does the GBA Hardware have some scratch space at the end of the ROM area that's not properly implemented in VBA? I am not very familiar with the GBA's architecture, but it could be accessing some temporary part of the GBA's memory (either RAM or otherwise) that's not normally used in regular execution.

It would be fascinating if the Berry Glitch was actually fixed by patching the GBA's Firmware.

SatoMew
  • Member+
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #7 on: February 06, 2015, 04:55:40 pm »
Quote from: Wack0
...this is basically what we're discussing. White screen sounds like maybe the real hardware does something different. Which would explain it jumping to beyond the end of the ROM.

I thought Háčky was talking about an unused program in Colosseum and not the Berry Program Update in FireRed, LeafGreen, and Emerald.

Quote from: Kraust
Does the GBA Hardware have some scratch space at the end of the ROM area that's not properly implemented in VBA? I am not very familiar with the GBA's architecture, but it could be accessing some temporary part of the GBA's memory (either RAM or otherwise) that's not normally used in regular execution.

It would be fascinating if the Berry Glitch was actually fixed by patching the GBA's Firmware.

Actually, when I tried the patch in VBA Link, I was using the GBA BIOS as well, otherwise it's not even possible to start it. The instance with Ruby or Sapphire gets stuck on a white screen right after the patch is sent. The second part of the patch is done in Ruby or Sapphire and this issue prevents me from progressing further.

Háčky
  • Distinguished Member
  • Pick which packet as an error?
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #8 on: February 06, 2015, 05:19:20 pm »
Quote from: Wack0
Just disassembled AGBJ (English), and it seems to set stuff up and immediately jump into thumb mode, into something past the end of the ROM...
The program is decompressed into RAM at $02010000 and executed from there.

Quote from: SatoMew
I thought Háčky was talking about an unused program in Colosseum and not the Berry Program Update in FireRed, LeafGreen, and Emerald.
The first post is about the program from Colosseum being in FR/LG/E. Wack0 changed the subject. :)

Wack0
  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • cBRH - Doing nothing since 2k7
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #9 on: February 07, 2015, 05:36:45 am »
Quote from: Wack0
Just disassembled AGBJ (English), and it seems to set stuff up and immediately jump into thumb mode, into something past the end of the ROM...
Quote from: Háčky
The program is decompressed into RAM at $02010000 and executed from there.

Everything I read about multiboot ROMs described them as being decompressed at $2000000 (and then jumping to $20000C0). I'll change my IDA script to repoint it there.

Háčky
  • Distinguished Member
  • Pick which packet as an error?
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #10 on: February 07, 2015, 07:04:45 am »
Quote from: Háčky
The program is decompressed into RAM at $02010000 and executed from there.
Quote from: Wack0
Everything I read about multiboot ROMs described them as being decompressed at $2000000 (and then jumping to $20000C0). I'll change my IDA script to repoint it there.
The multiboot payload that’s loaded at $2000000 consists of the decompression routine and the compressed data. The compression isn’t inherent to the multiboot process.

Some interesting things I’ve noticed:
  • Function $2010244 checks the ROM region code ($80000AF) and ROM version number ($80000BC) and compares it to a table. Apparently the patch is not needed for the JP v1.1, EN v1.2, or EU v1.1 releases of Ruby/Sapphire. (No-Intro doesn’t have an actual listing for JP v1.1, but does list two bad dumps of it, so I guess it exists?)
  • If I’m reading it right, function $2010B2C checks if the RTC is in the year 2001, and if so changes the RTC date to 2002-01-02.
  • Function $20109A8 checks whether the RTC value is greater than the last save time.
  • The graphics ($2013758) and tilemap ($2012F2C) are themselves LZ77-compressed. The graphics contain the pre-rendered text “The Berry Program Update will now begin...” “There is no need to update your Berry Program.” “Please turn off the power of your Game Boy Advance system and unplug the Game Link cable.” “Updating. the Berry Program. Please wait...” “Please don’t turn off the power of your Game Boy Advance system.” “Your Berry Program has been updated.” “Unable to update the Berry Program.”

Wack0
  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • cBRH - Doing nothing since 2k7
Re: Unused Pokémon Colosseum “TEST” program in FR/LG/E
« Reply #11 on: May 20, 2017, 11:27:39 am »
I came across this thread looking for something else, and thought this looked familiar to me.

Indeed, this multiboot image is not unused.

The GameCube multiboot code changed from R/S to FR/LG/Emerald.

In R/S, after a multiboot image has been completely transferred over JoyBus, interrupts are disabled and the multiboot image is jumped to (the jump points to 0x20000C0, leaving the jump past the image header at offset 0 of the multiboot image unused. This was probably done for a very good reason: the entire 0xC0-byte image header is transferred over JoyBus in the clear, whereas everything after that is encrypted).

In FR/LG/Emerald, after a multiboot image has been completely transferred over JoyBus, the game code of the transferred multiboot image at 0x20000AC is checked. If it is equal to 0x65366347 (with endianness conversion, that's 'Gc6e', the game code for Pokémon Colosseum, specifically the NTSC-US version), the multiboot image that's the subject of this thread is copied to 0x2000000 (ie, copied over the transferred multiboot image), and THEN interrupts are disabled and the multiboot image jumped to.

This was most likely done for compatibility; my guess is that the original Colosseum (US) multiboot image is incompatible with FR/LG/Emerald.
« Last Edit: May 24, 2017, 08:03:11 am by Wack0 »
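Several posts in this thread read the same GBA header fields: the game ID at offset $AC of the header in the opening post, the region byte at $80000AF and version byte at $80000BC that the Berry fix compares against a table in reply #10, and the game code fetched as the 32-bit word 0x65366347 (“Gc6e”) in reply #11. The added example below parses those fields and checks the header's complement checksum. It is example code written for this page, not code from the games, the Berry fix or the Colosseum multiboot image; the headers it builds are constructed (the Nintendo logo area is left zeroed, which a real BIOS would reject), and the `needs_berry_fix` table is a reconstruction from Háčky's reading of the patch, with region letters J/E/P and version bytes 1 and 2 for v1.1 and v1.2 assumed rather than taken from the patch itself.

```python
"""GBA cartridge/multiboot header fields at 0xA0..0xBF and the checks the
thread describes.  Offsets follow the standard GBA header layout."""
import struct

HEADER_LEN = 0xC0
COLOSSEUM_US_WORD = 0x65366347   # "Gc6e" read little-endian, as quoted in reply #11

# Assumed reconstruction of the releases that reply #10 says need no patch:
# (region byte at 0xAF, version byte at 0xBC).
BERRY_FIXED_RELEASES = {("J", 1), ("E", 2), ("P", 1)}


def header_checksum(hdr: bytes) -> int:
    """Complement checksum over 0xA0..0xBC, the value the BIOS expects at 0xBD."""
    chk = 0
    for b in hdr[0xA0:0xBD]:
        chk = (chk - b) & 0xFF
    return (chk - 0x19) & 0xFF


def parse_header(hdr: bytes) -> dict:
    """Extract the fields discussed in the thread from the first 0xC0 bytes."""
    if len(hdr) < HEADER_LEN:
        raise ValueError("need at least 0xC0 bytes of header")
    game_code = hdr[0xAC:0xB0]
    return {
        "title": hdr[0xA0:0xAC].rstrip(b"\0").decode("ascii", "replace"),
        "game_code": game_code.decode("ascii", "replace"),
        "region": chr(game_code[3]),            # byte at 0xAF
        "maker_code": hdr[0xB0:0xB2].decode("ascii", "replace"),
        "fixed_0x96": hdr[0xB2] == 0x96,
        "version": hdr[0xBC],
        "checksum_ok": hdr[0xBD] == header_checksum(hdr),
    }


def game_code_word(hdr: bytes) -> int:
    """The four game-code bytes as one little-endian word, i.e. what a 32-bit
    load from offset 0xAC of the image returns."""
    return struct.unpack_from("<I", hdr, 0xAC)[0]


def is_colosseum_us_image(hdr: bytes) -> bool:
    """The comparison reply #11 describes for the transferred multiboot image."""
    return game_code_word(hdr) == COLOSSEUM_US_WORD


def needs_berry_fix(hdr: bytes) -> bool:
    """Assumed reimplementation of the region/version table check from reply #10:
    only Ruby (AXV*) and Sapphire (AXP*) are candidates, and the listed
    releases are skipped."""
    info = parse_header(hdr)
    if info["game_code"][:3] not in ("AXV", "AXP"):
        return False
    return (info["region"], info["version"]) not in BERRY_FIXED_RELEASES


def build_header(title: str, game_code: str, maker: str, version: int) -> bytes:
    """Constructed demonstration header: placeholder entry branch, zeroed logo
    area, correct fixed byte and checksum."""
    if len(game_code) != 4 or len(maker) != 2:
        raise ValueError("game code must be 4 chars and maker code 2 chars")
    hdr = bytearray(HEADER_LEN)
    hdr[0:4] = b"\x00\x00\x00\xEA"            # placeholder ARM 'b' instruction
    hdr[0xA0:0xAC] = title.encode("ascii").ljust(12, b"\0")[:12]
    hdr[0xAC:0xB0] = game_code.encode("ascii")
    hdr[0xB0:0xB2] = maker.encode("ascii")
    hdr[0xB2] = 0x96
    hdr[0xBC] = version & 0xFF
    hdr[0xBD] = header_checksum(hdr)
    return bytes(hdr)


if __name__ == "__main__":
    demo = build_header("COLOSSEUM", "Gc6e", "01", 0)
    print(parse_header(demo))
    print("game code word: 0x%08X, Colosseum US: %s"
          % (game_code_word(demo), is_colosseum_us_image(demo)))
```

Run against a real ROM or a decompressed multiboot image, `parse_header(open(path, "rb").read(0xC0))` gives the same fields Háčky read by hand, and `checksum_ok` is a quick way to tell a genuine header apart from a stray “TEST” string.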