Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: Háčky
Date: 2015-02-05 22:41:10
While poking around in Emerald's ROM, I noticed that at $9AA144, there's a multiboot payload (a program designed to be transferred over the Link Cable to a connected GBA) with a header using the game ID TEST. (This ID is BPEE for Emerald, AXVE for Ruby. The string TEST is at offset $AC of the header, or $9AA1F0.)

The actual program is compressed using the LZ77 method built into the GBA BIOS, so for anyone who wants to look at it, I've put the decompressed file in the attachment to this post (frlge-TEST.bin). Looking at it in a sprite viewer, the file includes a complete copy of Ruby and Sapphire's fonts, including the unused Unown font. It also contains a bunch of text in the Generation III games' character encoding, starting at $1FDA8 of the decompressed file. Some of the latter messages hint at the origin of this program:

The save filehas been deleted…
The save file is corrupted.
There is no save file.
Please select \v0 POKéMON.
Please select a POKéMON.
Do what with \v4?
SWITCH
SEND OUT
SUMMARY
CANCEL
SELECT
DESELECT
POKéMON SKILLS
BATTLE MOVES
TYPE
HP
ATTACK
DEFENSE
SP. ATK
SP. DEF
SPEED
NONE
BERRY
CANCEL
INFO
-


POWER
ACCURACY
CANCEL
STATUS

No. \v0
Select additional POKéMON!
FIGHT
GIVE IN
POKéMON
What will
\v4 do?
PP
MOVE TYPE
NORMAL
FIGHT
FLYING
POISON
GROUND
ROCK
BUG
GHOST
STEEL
???
FIRE
WATER
GRASS
ELECTR
PSYCHC
ICE
DRAGON
DARK
Will you give in?
Yes
No
\v4 can't be
switched out!
FOE \v0's SHADOW TAG stops
\v4 from switching out!
FOE \v0's ARENA TRAP stops
\v4 from switching out!
FOE \v0's MAGNET PULL stops
\v4 from switching out!
\v4's \v0 is disabled!
\v4 can't use the same
move in a row due to the TORMENT!
\v4 can't use
\v0 after the TAUNT!
\v4 can't use the
sealed \v0!
CHOICE BAND allows the
use of only \v0!
There's no PP left for
this move!
\v4 has no energy
left to battle!
\v4 is already
in battle!
\v4 has already been
selected.
You can't switch \v4's
POKéMON with one of yours!
\v4 has no
moves left!
CHARMANDER
KANGASKHAN
TYPHLOSION
Link standby…
Linking…
Please don't turn off the power.
Save failed.
The link was interrupted.
This Game Pak cannot be linked to
POKéMON COLOSSEUM.
This Game Pak cannot trade with
POKéMON COLOSSEUM.
Receiving move data…
Sending POKéMON data…
Receiving battle POKéMON data…
Receiving battle data…
Start POKéMON trade.
End POKéMON trade.
Sending POKé COUPONS…
Receiving POKé COUPONS…
Your Berry Program was updated.
Unable to update Berry Program.


The word "filehas" on the first line is their typo, not mine, and I'm not sure what's so special about Charmander, Kangaskhan, and Typhlosion. (Maybe they were used to test message lengths.)

There are a few other pieces of text in the file. Bizarrely, the strings MALICIOSO and GIRO FUEGO appear at $1FBFC; those are the Spanish names of the moves Leer and Fire Spin. Also, the ASCII strings "pokemon ruby version" and "pokemon sapphire version" each appear twice near the end of the file. (Amusingly, TCRF notes the fragments of this text, as they appear within the compressed block, and calls them an "Obvious leftover from when Pokemon Ruby and Sapphire were being developed." Not so obvious now, is it? :D)

This program was definitely based on, but is not identical to, the program that Pokémon Colosseum runs on connected GBAs for multiplayer battles and trades. Colosseum's multiboot program also uses the game ID TEST, despite being used in the final version! I extracted this program from both the NTSC and PAL versions of Colosseum, and will include those decompressed files in the attachment as well for anyone who wants to try to see what the differences actually are.

(The PAL version of Colosseum actually contains six copies of the TEST program. One is identical to the NTSC version, and the other five are in the PAL version's five supported languages, including a second, different English copy. That's the one I've named colo-TEST-pal-en.bin.)

The English FireRed and LeafGreen contain exactly the same program as Emerald, and identical copies, still with English text, are in the European localizations of FireRed, LeafGreen, and Emerald. As far as I can tell, there is no equivalent to this program in the Japanese versions: the only GBA header in those ROMs, other than the cartridge header itself, is the one for the Ruby/Sapphire Berry glitch fix (which uses game ID AGBJ, which was probably some sort of default but also actually represents the game GetBackers Dakkanya: Jigoku no Scaramouche).

Since it's missing from the Japanese versions and untranslated in others, it seems fairly clear that this program isn't used in the final game, but I can't understand what it could possibly have been used for. When a GBA is linked with Pokémon Colosseum, Colosseum itself sends the required program to the GBA. What exactly would be accomplished by sending Colosseum's link-battle program from a GBA running FireRed/LeafGreen to another GBA? The best theory I can think of is that Nintendo of America was experimenting with adding a single-cartridge multiplayer feature to FireRed and LeafGreen, based on the code from Colosseum. But that seems unlikely; is there an obvious explanation I'm missing?
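
The header lookup and BIOS LZ77 unpacking described in the post above, as an added example that is not part of the original thread or of any game's code. It assumes the standard GBA header layout (fixed byte 0x96 at offset $B2, complement check at $BD over $A0 to $BC) and the BIOS LZ77 type 0x10 stream format; the function names and the sample bytes are constructed for illustration.

```python
def header_checksum(hdr: bytes) -> int:
    # Complement check stored at 0xBD; it covers header bytes 0xA0..0xBC.
    return (-sum(hdr[0xA0:0xBD]) - 0x19) & 0xFF

def find_gba_headers(blob: bytes, step: int = 4):
    """Return [(offset, game_code)] for each plausible 0xC0-byte header."""
    hits = []
    for off in range(0, len(blob) - 0xC0 + 1, step):
        hdr = blob[off:off + 0xC0]
        # Fixed byte 0x96 at 0xB2 plus a valid checksum filters random data.
        if hdr[0xB2] == 0x96 and hdr[0xBD] == header_checksum(hdr):
            hits.append((off, hdr[0xAC:0xB0].decode("ascii", "replace")))
    return hits

def bios_lz77_decompress(data: bytes) -> bytes:
    """Decompress a BIOS LZ77 stream (type byte 0x10, 24-bit output size)."""
    if len(data) < 4 or data[0] != 0x10:
        raise ValueError("not a BIOS LZ77 stream")
    size = int.from_bytes(data[1:4], "little")
    out, pos = bytearray(), 4
    while len(out) < size:
        flags = data[pos]
        pos += 1
        for bit in range(7, -1, -1):          # flag bits are read MSB first
            if len(out) >= size:
                break
            if (flags >> bit) & 1:            # back-reference: two bytes
                b0, b1 = data[pos], data[pos + 1]
                pos += 2
                disp = (((b0 & 0x0F) << 8) | b1) + 1
                if disp > len(out):           # would read before the output
                    raise ValueError("invalid back-reference")
                for _ in range((b0 >> 4) + 3):
                    out.append(out[-disp])
            else:                             # literal byte
                out.append(data[pos])
                pos += 1
    return bytes(out[:size])

def sample_blob() -> bytes:
    # Constructed input: zero padding, then a header with game code TEST.
    hdr = bytearray(0xC0)
    hdr[0xAC:0xB0] = b"TEST"
    hdr[0xB2] = 0x96
    hdr[0xBD] = header_checksum(hdr)
    return bytes(0x144) + bytes(hdr) + bytes(0x40)

# Constructed stream: literals "AB", then copy 6 bytes from 2 bytes back.
SAMPLE_LZ = bytes([0x10, 8, 0, 0, 0b00100000, 0x41, 0x42, 0x30, 0x01])

if __name__ == "__main__":
    print(find_gba_headers(sample_blob()), bios_lz77_decompress(SAMPLE_LZ))
```

The back-reference bound check matters when unpacking data from an untrusted dump: a displacement larger than the bytes produced so far is rejected instead of being read from outside the output buffer.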

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: Stackout
Date: 2015-02-06 04:36:49
Interesting. Can you provide the Berry Glitch fix ROMs from FR/LG/Emerald as well? Would be interesting for me to reverse when I get the time, unless you already did and know what caused the Berry Glitch, and how the fix was done?

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: Háčky
Date: 2015-02-06 07:48:34

Interesting. Can you provide the Berry Glitch fix ROMs from FR/LG/Emerald as well?

Sure. The Japanese, English, and European versions of the fix differ, but all are unchanged from FireRed/LeafGreen to Emerald. The fourth file I've included is the fix from the Japanese e-Reader cards 16-A001 and 16-A002. I haven't really looked at the various GameCube discs that provided the fix, but if the above text dump is to be believed, Colosseum's version of the fix is part of the TEST program.

Would be interesting for me to reverse when I get the time, unless you already did and know what caused the Berry Glitch, and how the fix was done?

That was what I was trying to find out when I ran into this. (The TEST code immediately follows the AGBJ Berry glitch fix in the FR/LG/E ROMs.) I haven't learned much of anything yet, because I started out by looking at the Japanese e-Reader version of the fix. That was a poor choice, because in order to squeeze it onto two e-Reader cards, it makes heavy use of calls to the game's own functions in ROM (only possible because, unlike the international releases, there was only one ROM version of Ruby/Sapphire in Japan; this was probably among the reasons why equivalent cards weren't made for the English version). The version-independent fixes from the Western games should be easier to analyze.

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: Stackout
Date: 2015-02-06 09:49:09
Just disassembled AGBJ (English), and it seems to set stuff up and immediately jump into thumb mode, into something past the end of the ROM…

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: SatoMew
Date: 2015-02-06 13:24:08
Since the Berry glitch has been mentioned, does anyone know the full details on the Berry Program Update? I never used it and lack the hardware to test it, plus I haven't had much luck with VBA Link, where I get a white screen after sending the patch to the Ruby or Sapphire game.

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: Stackout
Date: 2015-02-06 13:41:35

Since the Berry glitch has been mentioned, does anyone know the full details on the Berry Program Update? I never used it and lack the hardware to test it, plus I haven't had much luck with VBA Link, where I get a white screen after sending the patch to the Ruby or Sapphire game.


…this is basically what we're discussing. White screen sounds like maybe the real hardware does something different. Which would explain it jumping to beyond the end of the ROM.

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: Kraust
Date: 2015-02-06 16:43:16


Since the Berry glitch has been mentioned, does anyone know the full details on the Berry Program Update? I never used it and lack the hardware to test it, plus I haven't had much luck with VBA Link, where I get a white screen after sending the patch to the Ruby or Sapphire game.


…this is basically what we're discussing. White screen sounds like maybe the real hardware does something different. Which would explain it jumping to beyond the end of the ROM.


Does the GBA Hardware have some scratch space at the end of the ROM area that's not properly implemented in VBA? I am not very familiar with the GBA's architecture, but it could be accessing some temporary part of the GBA's memory (either RAM or otherwise) that's not normally used in regular execution.

It would be fascinating if the Berry Glitch was actually fixed by patching the GBA's Firmware.

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: SatoMew
Date: 2015-02-06 16:55:40

…this is basically what we're discussing. White screen sounds like maybe the real hardware does something different. Which would explain it jumping to beyond the end of the ROM.


I thought Háčky was talking about an unused program in Colosseum and not the Berry Program Update in FireRed, LeafGreen, and Emerald.


Does the GBA Hardware have some scratch space at the end of the ROM area that's not properly implemented in VBA? I am not very familiar with the GBA's architecture, but it could be accessing some temporary part of the GBA's memory (either RAM or otherwise) that's not normally used in regular execution.

It would be fascinating if the Berry Glitch was actually fixed by patching the GBA's Firmware.


Actually, when I tried the patch in VBA Link, I was using the GBA BIOS as well, otherwise it's not even possible to start it. The instance with Ruby or Sapphire gets stuck on a white screen right after the patch is sent. The second part of the patch is done in Ruby or Sapphire and this issue prevents me from progressing further.

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: Háčky
Date: 2015-02-06 17:19:20

Just disassembled AGBJ (English), and it seems to set stuff up and immediately jump into thumb mode, into something past the end of the ROM…

The program is decompressed into RAM at $02010000 and executed from there.

I thought Háčky was talking about an unused program in Colosseum and not the Berry Program Update in FireRed, LeafGreen, and Emerald.

The first post is about the program from Colosseum being in FR/LG/E. Wack0 changed the subject. :)

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: Stackout
Date: 2015-02-07 05:36:45


Just disassembled AGBJ (English), and it seems to set stuff up and immediately jump into thumb mode, into something past the end of the ROM…

The program is decompressed into RAM at $02010000 and executed from there.


Everything I read about multiboot ROMs described them as being decompressed at $2000000 (and then jumping to $20000C0). I'll change my IDA script to repoint it there.

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: Háčky
Date: 2015-02-07 07:04:45


The program is decompressed into RAM at $02010000 and executed from there.

Everything I read about multiboot ROMs described them as being decompressed at $2000000 (and then jumping to $20000C0). I'll change my IDA script to repoint it there.

The multiboot payload that's loaded at $2000000 consists of the decompression routine and the compressed data. The compression isn't inherent to the multiboot process.

Some interesting things I've noticed:

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: Stackout
Date: 2017-05-20 12:27:39
I came across this thread looking for something else, and thought this looked familiar to me.

Indeed, this multiboot image is not unused.

The GameCube multiboot code changed from R/S to FR/LG/Emerald.

In R/S, after a multiboot image has been completely transferred over JoyBus, interrupts are disabled and the multiboot image is jumped to (the jump points to 0x20000C0, leaving the jump past the image header at offset 0 of the multiboot image unused. This was probably done for a very good reason: the entire 0xC0-byte image header is transferred over JoyBus in the clear, whereas everything after that is encrypted).

In FR/LG/Emerald, after a multiboot image has been completely transferred over JoyBus, the game code of the transferred multiboot image at 0x20000AC is checked. If it is equal to 0x65366347 (with endianness conversion, that's 'Gc6e', the game code for Pokémon Colosseum, specifically the NTSC-US version), the multiboot image that's the subject of this thread is copied to 0x2000000 (ie, copied over the transferred multiboot image), and THEN interrupts are disabled and the multiboot image jumped to.

This was most likely done for compatibility; my guess is that the original Colosseum (US) multiboot image is incompatible with FR/LG/Emerald.

Re: Unused Pokémon Colosseum TEST program in FR/LG/E

Posted by: TheSixthItem
Date: 2017-06-19 09:35:44
If you still need the shiny zigzagoon berry glitch fix rom, https://digiex.net/threads/pokemon-gba-uk-berry-glitch-fix-shiny-zigzagoon-distribution-gba-rom-download-uk-eur.15077/