Bootleg With Save Chip

[theSLAYER]

27 minutes ago, humble said:

GARY

Doing a search for that string in ASCII, ANSI, and EBCDIC in my legit save file and the bootleg ROM returned no results.  I`m guessing Nintendo is using some other encoding scheme but I admittedly have not investigated that deeply.  I`m hoping this won`t take too much of a more experienced person`s time. 

Indeed, Gen 1 have their own encoding.

https://bulbapedia.bulbagarden.net/wiki/Character_encoding_(Generation_I)

So you'll have to search for 86 80 91 98
 

29 minutes ago, humble said:

Not sure if this would affect it or not, but I`m using a Flash BOY with ``GBX Driver 2.0 build - Mar 29 2017`` to take save file and ROM downloads.  Am I allowed to upload my legit save file and the upper 1MB of the bootleg ROM (which I`ve verified does not include the original game code) to this forum?  It may make things easier.    Both files I`m working with are in a fresh 0:00 game timer state. 

Your legit save file? As in the save file from a none bootleg cart? I don't see why that would help.

Probably shouldn't upload part of the bootleg ROM.

[humble]

3 hours ago, theSLAYER said:

Indeed, Gen 1 have their own encoding.

https://bulbapedia.bulbagarden.net/wiki/Character_encoding_(Generation_I)

So you'll have to search for 86 80 91 98

Interesting!  I`ve used that site before, but I didn`t realize they included data like that.

That hex pattern was found twice in the legit cart`s SRAM dump, and three times in the bootleg ROM.  In the SRAM, it is at locations 25F6-25F9 and 4BF2-4BF5. 

The 25F6 block location appears to stand alone:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00
86 80 91 98 50
89 8E 87 8D 50 50
01 00 00 01 E1 13 BA 02 00 26 09 C7 05 04 01 00 00 00 04 04 04 10 40 C7 40 B0 40 00 FF 00 00 00 00 00 00 00 00 00 00 FF 00 00

The 4BF2 block location is surrounded by similar looking patterns:
8D 84 80 92 87 50
89 80 82 8A 50
8D 84 80 92 87 50
89 80 82 8A 50
8D 84 80 92 87 50
89 80 82 8A 50
8D 84 80 92 87 50
89 80 82 8A 50
8D 84 80 92 87 50
89 80 82 8A 50
8D 84 80 92 87 50
89 80 82 8A 50
8D 84 80 92 87 50
89 80 82 8A 50
8D 84 80 92 87 50
89 80 82 8A 50
8D 84 86 80 91 98 50
89 8E 87 8D 50 8D 89 84 85 85 50 00 00 00 00 00 00

HOWEVER, on the bootleg rom, it only matches in one location (other than 684E-6851 and 689B-689E which are identical hits at the same locations in the Legit ROM), which is 1165F6-1165F9, which is outside the legit ROM`s memory boundaries.  This location looks similar to the legit SRAM location`s 25F6 block :
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00
86 80 91 98 50
89 8E 87 8D 50 50
01 00 00 01 58 94 BA 02 00 26 12 C7 06 03 00 01 00 00 04 04 04 10 40 C7 40 B0 40 00 FF 00 00 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00 FF 00 00 00 00

Since 4BF2 is 25FC away FROM 25F6 in the legit`s SRAM, I went to 118BF2 to find this instead:

FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

3 hours ago, theSLAYER said:

As in the save file from a none bootleg cart?

Yea, my expectation is that the ``save file`` is simply stored in it`s unmutated, contiguous entirety somewhere else in the ROM.  My initial idea was that the save file embedded in the ROM would look nearly identical to the contents stored in SRAM of my legit cart.  I`m beginning to lose faith that that is true.

Edited September 30, 2021 by humble
Make it easier to read

[humble]

So, after realigning based around the rival`s name, I came up with bytes 114000-11BFFF as containing the save file.  I extracted this section, saved as a .sav file and loaded it against my legit ROM with VisualBoyAdvance-1.7.2 and it worked!  The save file`s blank spaces look nothing alike, but it still operates.  I imagine that data isn`t read by normal game play until it`s been overwritten later.  I will let y`all know if I run into problems later.  Thank you so much theSLAYER for your tip on how I can align the two save files!

[theSLAYER]

glad you got it working

Out of curiosity, what was the size of the entire ROM dump when viewed in Hex editor? I wanna make a program that can pull out a save.

[humble]

2MB, or 200000 in base 16.  Everything after 11FA53 is just FF.  Mind you, this is just a fresh start game save though. 

I think it would be cool for someone to write a program for gen1 cartridges like someone did for the gen3 cartridges I`ve seen online in passing.

 

Do you want me to somehow send you the upper 1MB of data from the ROM?  My legit cartridges (that I bought new in 1998) only have a 1MB ROM, and the game code on these new bootleg carts match up (alignment wise) exactly with the legit ones.  Of course, there are quite a few values changed to handle the whole ``flash my own ROM when saving`` stuff.  I could also try to produce a patch file for a legit ROM if you`re interested and post it on here. 

[theSLAYER]

6 hours ago, humble said:

2MB, or 200000 in base 16.  Everything after 11FA53 is just FF.  Mind you, this is just a fresh start game save though. 

I think it would be cool for someone to write a program for gen1 cartridges like someone did for the gen3 cartridges I`ve seen online in passing.

 

Do you want me to somehow send you the upper 1MB of data from the ROM?  My legit cartridges (that I bought new in 1998) only have a 1MB ROM, and the game code on these new bootleg carts match up (alignment wise) exactly with the legit ones.  Of course, there are quite a few values changed to handle the whole ``flash my own ROM when saving`` stuff.  I could also try to produce a patch file for a legit ROM if you`re interested and post it on here. 

It’s probably fine for now. If the offsets you gave are accurate and static, then it should work. I’ll get to it once my PC troubles are over.

[ulmentflam]

Apologies if I am asking a redundant question. So I have extracted my saves from the bootleg version of the game and have found 2 .sav files (attached here). I would like to run the save in a legitimate ROM rather than the Bootleg ROM. I can open and view the save data in PKHeX, but when I boot the save into a legitimate ROM, it says the data is corrupted. Is it possible to load these saves into a legitimate ROM? If so, where should I begin to look in terms of editing the save, so it is no longer corrupted?

save0-2022-04-05 19-41-21-0xFC0000-halfpatched.sav save1-2022-04-05 19-41-22-0x1FC0000-halfpatched.sav

[theSLAYER]

2 hours ago, ulmentflam said:

Apologies if I am asking a redundant question. So I have extracted my saves from the bootleg version of the game and have found 2 .sav files (attached here). I would like to run the save in a legitimate ROM rather than the Bootleg ROM. I can open and view the save data in PKHeX, but when I boot the save into a legitimate ROM, it says the data is corrupted. Is it possible to load these saves into a legitimate ROM? If so, where should I begin to look in terms of editing the save, so it is no longer corrupted?

save0-2022-04-05 19-41-21-0xFC0000-halfpatched.sav 128 kB · 0 downloads save1-2022-04-05 19-41-22-0x1FC0000-halfpatched.sav 128 kB · 0 downloads

If you can view these in PKHeX, and proceed to export them, you should be able to directly restore them into a legitimate game.. unless it’s not as legitimate as you think they are

[ulmentflam]

12 hours ago, theSLAYER said:

If you can view these in PKHeX, and proceed to export them, you should be able to directly restore them into a legitimate game.. unless it’s not as legitimate as you think they are

Interesting. So I was testing the save with my dumped ROM from Emerald in mGBA. The save that was on the cart loads fine, but when I load the save dumped from PKHeX I get the corrupted save error message. I can confirm that the ROM is copied from a legitimate game, and that is why I wanted to test the save on the ROM in mGBA first. I will try to dump the legit ROM again to make sure it all copied over correctly. Should I just try and copy the sav directly to the cart? Is there potentially a known issue with mGBA and PKHeX that I am missing?

 

Okay, I have an update. I decided to load the save file to the legit cart and the same corrupt data error message appeared. However, the legit cart was able to load from the previous save, which is the same save I dumped from the bootleg cart. My guess mGBA does not have the ability to repair the save by loading from the "previous save". Everything seems to be working fine now. Thank you for your fantastic tool!

[theSLAYER]

5 hours ago, ulmentflam said:

Interesting. So I was testing the save with my dumped ROM from Emerald in mGBA. The save that was on the cart loads fine, but when I load the save dumped from PKHeX I get the corrupted save error message. I can confirm that the ROM is copied from a legitimate game, and that is why I wanted to test the save on the ROM in mGBA first. I will try to dump the legit ROM again to make sure it all copied over correctly. Should I just try and copy the sav directly to the cart? Is there potentially a known issue with mGBA and PKHeX that I am missing?

 

Okay, I have an update. I decided to load the save file to the legit cart and the same corrupt data error message appeared. However, the legit cart was able to load from the previous save, which is the same save I dumped from the bootleg cart. My guess mGBA does not have the ability to repair the save by loading from the "previous save". Everything seems to be working fine now. Thank you for your fantastic tool!

Gen 3 “Saves” have 2 blocks, a main Save block and a backup save block. So if the game tries to load the main Save, and the checksum is invalid, it’ll read the backup save.

So it didn’t repair anything, it just has to load the second half of the save. It just seems that mGBA save size setting is wrong or something, so it only load one half. Still, glad to hear it works 

[cavancullen]

@Manager

I love the program that ripps the save from the bootleg, works a charm! 

Is there a similar program that would inject the save back into said bootleg rom?

 

I also have rips of many bootleged pokemon gba roms is needed. 

 

Thanks

 

Cavan 

[theSLAYER]

49 minutes ago, cavancullen said:

@

• Manager

I love the program that ripps the save from the bootleg, works a charm! 

Is there a similar program that would inject the save back into said bootleg rom?

 

I also have rips of many bootleged pokemon gba roms is needed. 

 

Thanks

 

Cavan 

No. Injection isn’t so easy.

Requires a tool that gives you access of some kind for modifying the cart’s ROM (cause for bootleg Pokémon carts, the save is stored in the ROM)

Start reading from here:

 

It appears something called GB Operator may work, but given the condition of the world and how it’s affecting global shipping, I’ve not ordered one to try.

[cavancullen]

ahh fair enough, I have just been trawling through the hex but have the save file thats been modified at double the original save file so a pain to move it over. 

I have head that the bootleg mother 3 works as the original carts do when they have been flashed with a standard version of the rom with the joey jr. 

I have just ordered a couple of mother 3 carts from aliexpress to give it a go

 

 

 

[theSLAYER]

1 minute ago, cavancullen said:

ahh fair enough, I have just been trawling through the hex but have the save file thats been modified at double the original save file so a pain to move it over. 

That’s not really a giant deal, just half the doubled save

 

2 minutes ago, cavancullen said:

I have head that the bootleg mother 3 works as the original carts do when they have been flashed with a standard version of the rom with the joey jr. 

It comes back to the hardware that can flash carts. Do you have such a thing?

[cavancullen]

Yeah I have the joey JR v2 its pretty sweet

 

[theSLAYER]

28 minutes ago, cavancullen said:

Yeah I have the joey JR v2 its pretty sweet

 

You could try injecting the save back into the ROM, then inject the edited ROM back into the game. Take halves of the saves dumped and hex edit them Into the address given by the program. Make sure you keep an unedited backup. Use at your own risk.

[cavancullen]

thanks for the tip, it worked. just picked up some mother 3 bootlegs

going to give them a try as ive heard that they just work with retail roms

 

[kasaibouF29]

So I just extracted the sav file from my bootleg Sapphire Version rom, but it came out as two files. It did this on both Quick Search and Full Search. So which sav file is the real one?

This was just done with Full Search.

[BlackShark]

1 hour ago, kasaibouF29 said:

So which sav file is the real one?

Open both in PKHeX and check the Play Time in Trainer Data > Adventure Info.

[kasaibouF29]

They're both the same.

[theSLAYER]

3 hours ago, kasaibouF29 said:

They're both the same.

Then they’re both just copies of the save you have in-game. Congrats you’ve gotten your save.

[kasaibouF29]

1 minute ago, theSLAYER said:

Then they’re both just copies of the save you have in-game. Congrats you’ve gotten your save.

Thank you.