Inject save file in bootleg ROM

[Haki96]

Hi, 

I try to explain the problem starting from the beginning.  I was playing with FireRed on the NDS when I found the possibility to exctract the save battery  with GbaBackup Tool and use this for pokemon  trade on the emulator ( this was the only possibility that I had since I've got only a NDS and a GBA and it is not possible to connect them for pokemon trade) , then I restored the save with same tool.

After playing FireRed I decided to play Emerald , which was a gift of a friend of mine. I've tried the same trick but I discovered that my cart was a bootleg.
At this point the problem is to take the save file ( but i think that is possible with GbaBackup Tool, than manage the same with an emulator and use another programme that i've seen here to extract the save file from the gba file) and morever to inject the new save file in to the bootleg cart.
is there same method available for the injection? I've also seen some hardware devices and some particular flashcart which is able to flash bootleg cart.

 

Edited October 19, 2020 by Haki96

[theSLAYER]

Depends on what bootleg cart you have.

Some Gen 3 bootleg carts actually stores the save in the ROM partition.
So dump your ROM, then check if the save is there using this:

(note: don't upload your ROM, it's against the rules)

[Haki96]

Thank you for the answer!

As you suggest  I run the save extractor and it has found the save file (128 KB). 
Now, it would be possible to modify the save and then inject it on the cart? 

EDIT: I know that I will use an hex editor and insert the modified value there, but i just want to understand how  to insert physically the save file in cart.

Edited October 19, 2020 by Haki96

[theSLAYER]

not sure if you can inject ROMs back into your cart.

if you can, you can edit the save on the ROM backup, then inject it.

[Haki96]

I found these different methods :

1)On the web there is a device which let to link GBA and PC , than let to flash the new game (with the  new save) on the cart.

2) There are some particular flashcart that are able to flash directly the bootleg cart in slot-2 of NDS.

Are there any others ways?

[theSLAYER]

1 hour ago, Haki96 said:

I found these different methods :

1)On the web there is a device which let to link GBA and PC , than let to flash the new game (with the  new save) on the cart.

2) There are some particular flashcart that are able to flash directly the bootleg cart in slot-2 of NDS.

Are there any others ways?

hmmm, looks like my tool doesn't tell you where the offsets of the save were.
Gimme a while and I'll change that.

Then, you can hex edit the save into those positions, then flash the new ROM file into your bootleg game (if that doesn't break it).

If you want to test on whether it'll break it, you can flash an unedited version back [the one you dumped]
(It is a risk, however)

edit: I've made the change to the tool, make sure to redownload it.

[Haki96]

1 hour ago, theSLAYER said:

hmmm, looks like my tool doesn't tell you where the offsets of the save were.
Gimme a while and I'll change that.

Then, you can hex edit the save into those positions, then flash the new ROM file into your bootleg game (if that doesn't break it).

If you want to test on whether it'll break it, you can flash an unedited version back [the one you dumped]
(It is a risk, however)

edit: I've made the change to the tool, make sure to redownload it.

Thank you !
So now, your programme extract the save file and also provide the information relative to the offset position in the name of the file.
Just  another  question for you :  the programme generates 2 save file, which one is correct?
 

[theSLAYER]

1 minute ago, Haki96 said:

Thank you !
So now, your programme extract the save file and also provide the information relative to the offset position in the name of the file.
Just  another  question for you :  the programme generates 2 save file, which one is correct?
 

Generate is a strong term; generate implies that it creates the save. It simply extracts the data in there, and names it .sav.
Nothing more, nothing less.

As for why there are two saves, maybe one is a backup saved by the bootleg cart, who knows really. I say check both in PKHeX and see which one has more time lapsed..

[Haki96]

I used PKHeX but it gives me an error :

Binary is not compatible with save file. Current file generation 3

Probably the bootleg cart manage the save in an unusual way...

[theSLAYER]

@Haki96 No idea why the saves you sent me are only half each (the other half are 0xFFs),so I cloned the first half to fill the second half.
Also they were both identical, so just have the edited one (using the one I sent you) replace the data at both offsets.

[Haki96]

I understand, I think that this is a mechanism inside the bootleg cart : If i ran the dumped rom with the emulator and i try to export the battery file I get at first a 128 MB save, after  few seconds  it begin automatically a 64 MB file

I analyzed the rom and it is patched  ... the situation is becoming too much complicate for me 

[theSLAYER]

11 hours ago, Haki96 said:

I understand, I think that this is a mechanism inside the bootleg cart : If i ran the dumped rom with the emulator and i try to export the battery file I get at first a 128 MB save, after  few seconds  it begin automatically a 64 MB file

I analyzed the rom and it is patched  ... the situation is becoming too much complicate for me 

Well, modifying saves of bootleg carts isn't the easiest thing in the world, since the methods deviate from what's common...

[KMSteter_88]

Hello @theSLAYER, can you explain better about the changes in 1.0.5? I lost myself on that part of "If dumped save is only half in size, the half is cloned to form a second half" hahaha

[theSLAYER]

20 minutes ago, KMSteter_88 said:

Hello @theSLAYER, can you explain better about the changes in 1.0.5? I lost myself on that part of "If dumped save is only half in size, the half is cloned to form a second half" hahaha

Every save normally has 2 parts in the save. 1 main, 1 backup.

However in a previous example, there's only 1 part. And PKHeX won't be able to read those.
So, if there's only 1 part, it'll be cloned to form a complete save, so PKHeX can read it.

[theSLAYER]

@PapierDragon post what you sent me here (as well as read this thread).
What you're asking should be in a public forum.

[PapierDragon]

I hope you can help me. and also like to help me. I have some Pokemon Hacks, and i like do it on a bootleg card. my games all cant save i search much on google all say to me i need a "sram patch". i try it from gbata but also not work for me. so i search more and found on gatemp, i need do with hex editor change some code that the game save into the rom. i try some but also not work. can you tell me what i have to edit for this rom to make it work? I not want sell them, its only for me and my collection.

[theSLAYER]

Your save is saved different from a legitimate carts, so most save editing methods won't work.

I don't have the expertise in this area, hence it's better if someone else that knows can jump in and help. (one of the reasons why it's better to have it posted in a public area).

The next best thing I can think of, is cheat codes. Check if you can use Action Replay/Gameshark on your cart. If cheat codes work, then able we can do something bout it.

[PapierDragon]

This i have found but it not work for me. maybe someone understand it. i do this but game not save inside the rom

 

 

The ROM --> SRAM loading is basically done to be able to save without battery. Over all the behavior of those roms is as follows:
During Boot:
Load ROM Area to SRAM

During Save:
Save to SRAM --> Copy SRAM back into ROM area and do some voodoo calls to persist.

However:
After a bit of fiddling here and there, I came to the following workflow:

1. Apply GBATA SRAM patch as normal

2. Search for Bank switching pattern in a Hex Editor. For FLASH1M_V103 the pattern is:

Code:

054B 8021 0902 0922 1206 9F44 1180 0349 C302 C918 1180 7047

3. Replace it with pattern:

Code:

054B 8021 0902 0922 1206 9F44 9021 0905 0000 0000 0870 7047

Obviously this is different for different FLASH types. I will try to create some automatic patching script in python or C this weekend that should cover other FLASH1M versions as well.


----
Technical explanation:

For some reason, GBATA SRAM patching does some "voodoo" bank switching that does apparently not work on real cartridges.
To make it work, I removed the "voodoo" parts and simply say:
Write $BANKNUMBER to 0x9000000

And that's it

 

On 10/20/2020 at 6:30 AM, theSLAYER said:

Depends on what bootleg cart you have.

Some Gen 3 bootleg carts actually stores the save in the ROM partition.
So dump your ROM, then check if the save is there using this:

(note: don't upload your ROM, it's against the rules)

Can you also do that this tool insert a save? Scan where it is and replace it?

[theSLAYER]

It's a extractor, not an injector.