Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Emulation & ROM Hacking

Emulating the Mobile Adapter GB - Page 4

Re: Emulating the Mobile Adapter GB

Posted by: Team Fail
Date: 2019-08-16 19:37:12
Apparently there is a Discord for Mobile Adapter stuff according to an article by Shonumi (this link is a great read by the way). Perhaps some of us could join it in an effort to reverse the other Mobile Adapter supported Game Boy Color/Game Boy Advance games (originally documented by rikkyjp), but I don't know the link sadly.

Bumping this because of good news and progress. Before I say, the link is above, but I'll paste it here for you: https://discord.gg/vHwmNBY


Anyways, we are testing a web server and today got a trade done using the Pokecom services. Got a video here: https://twitter.com/_Incineroar/status/1162502177149132800?s=19

Re: Emulating the Mobile Adapter GB

Posted by: Torchickens
Date: 2019-08-16 21:46:05

Apparently there is a Discord for Mobile Adapter stuff according to an article by Shonumi (this link is a great read by the way). Perhaps some of us could join it in an effort to reverse the other Mobile Adapter supported Game Boy Color/Game Boy Advance games (originally documented by rikkyjp), but I don't know the link sadly.

Bumping this because of good news and progress. Before I say, the link is above, but I'll paste it here for you: https://discord.gg/vHwmNBY


Anyways, we are testing a web server and today got a trade done using the Pokecom services. Got a video here: https://twitter.com/_Incineroar/status/1162502177149132800?s=19


Amazing! ^^ Thank you :D

Re: Emulating the Mobile Adapter GB

Posted by: Sherkel
Date: 2019-08-16 22:54:23
Joined!! Great news about that trade going through. I'll be keeping my eye out for any future updates. :) There're plenty of other interesting things you all seem to have been working on as well.

Re: Emulating the Mobile Adapter GB

Posted by: Torchickens
Date: 2019-11-08 11:41:09

Okay, tomorrow was two days ago, but I have this silly, old-fashioned obsession with factual accuracy and needed to recheck a bunch of things. I guess it would be easier if I posted more often :)


Question: If we connect to a server from a client, but it's over Dial-Up, is it still technically considered to be running on an actual adapter and therefore valid in TAS?


I think more research is needed to determine accurate timings for the adapter ;D





[size=12pt]HTTP authentication scheme[/size]
Nintendo's mobile library will attempt to authenticate the user with the Mobile System GB server only when a POST request is made for [tt]http://gameboy.datacenter.ne.jp/cgb/upload[/tt] or [tt]http://gameboy.datacenter.ne.jp/cgb/ranking[/tt], and only if the filename at the end of the URI begins with a number indicating a service fee (even if it's ¥0).

Even when those conditions are met, the library has a bug that can cause it to fail to detect whether authentication is required:

; Find the string terminator at the end of the URI
.asm_1112a0
ld a, [hli]
or a
jr nz, .asm_1112a0

; Now back up and find the last slash
; Right now, hl points to the byte *after* the string terminator!
; If that byte happens to be a slash ($2F), this code may
; fail to properly detect whether this is a paid upload.
; There ought to be a dec hl here.
.asm_1112a4
ld a, [hld]
cp $2f
jr nz, .asm_1112a4


Since Pokémon Crystal does not erase the last URI in memory before writing the next in a series of requests, it is possible that the residual byte after the string terminator could be a slash if a previous URI was longer than the current one. A careful choice of URIs avoids this issue.

An authentication attempt begins by sending an HTTP GET request, to which the server responds with [tt]401 Unauthorized[/tt] and a [tt]WWW-Authenticate: GB00 name=""[/tt] header, where the [tt]name[/tt] is an arbitrary 36-byte value encoded in Base64.

The game then sends another GET request, this time with the header [tt]Authorization: GB00 name=""[/tt], where the [tt]name[/tt] is a concatenation of two separate Base64-encoded values: the first is the first 32 bytes from the [tt]WWW-Authenticate[/tt] name, and the second is a 36-byte value determined by a byzantine procedure:
    [li]The login password is appended to the 48-character Base64-encoded [tt]WWW-Authenticate[/tt] name, and then this string is hashed with MD5.[/li]
    [li]The 36-byte [tt]WWW-Authenticate[/tt] value is split into two 18-byte values, the first containing all of the even-numbered bits of the original and the second containing all of the odd-numbered bits. The first byte of each two-byte pair fills the most significant bits of each output byte, and the second byte fills the least significant bits. These values are concatenated into a new 36-byte string.[/li]
    [li]The login ID is appended to the MD5 hash from step 1. This string is padded with $FF until it is 35 bytes long, then a $00 is added to make it 36 bytes.[/li]
    [li]The 36-byte strings produced in steps 2 and 3 are xor'd.[/li]
    [li]But that would have been too simple, so then each byte has bits 0, 3, and 6 rotated into bits 3, 6, and 0.[/li]

The first step necessitates that the server retains users' plaintext passwords in order to calculate arbitrary MD5 hashes from them, unless the value in the [tt]WWW-Authenticate[/tt] header is predetermined, which would allow the hash to be precalculated, but would make the rest of this shell game even more pointless as a successful authentication attempt could be replayed.

If the [tt]Authorization[/tt] header is valid, the server responds with [tt]200 OK[/tt] and a [tt]Gb-Auth-ID[/tt] header which contains an arbitrary string. The game then sends its POST request and includes the same [tt]Gb-Auth-ID[/tt] header.


[size=12pt]Pokémon News[/size]
A Pokémon News download begins by accessing [tt]http://gameboy.datacenter.ne.jp/cgb/download?name=/01/CGB-BXTJ/news/index.txt[/tt], a text file containing four URIs which are used to:
    [li]Download metadata for the current News issue[/li]
    [li]Upload selected data from the save file[/li]
    [li]Upload scores to be added to the rankings, and receive the updated rankings in response[/li]
    [li]Download the current News issue[/li]

The cost of Pokémon News was ¥100 per issue. The fourth URI should be tagged with that cost so that it is displayed by the game; the two upload URIs should be tagged with a cost of ¥0 so that the game will authenticate and upload the data.


Metadata
The metadata file is an unstructured hodgepodge of variable-length fields, the boundaries of which can only be determined by parsing each field in its own unique way. In typical Game Freak style, the game makes no effort to validate the data received from the server or protect against buffer overflows. A malformed metadata file can certainly crash the game and corrupt the save file (I've done it more than once), and could probably execute arbitrary code.

Unique ID: This is a fixed-width field which, inexplicably, is 12 bytes long. If this ID is the same as the last News that was downloaded, then the download is aborted with the message はまで There was no new News.

Description: A text string, terminated with $50, that is displayed in the lower text box when the player is asked to confirm whether he or she wants to upload the save data and proceed with the News download.

Rankings save address: This 2-byte field contains the address where the rankings data will be stored in SRAM bank 6. Since the main News data will be written starting at 6:A000, the rankings data should be placed somewhere around 6:B000, such that the News does not overwrite the rankings.

Rankings metadata: This field begins with a 16-bit value denoting the length of the data that follows. The data is a series of 16-bit values, one for each rankings table that will be sent, indicating the width of a record in each rankings table. (For example, if there are 9 different rankings tables and each table contains 26-byte records, this field would be [tt]12 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00[/tt].)

Save data selection: This is a list of the regions of save data that will be sent to the server. Each region is specified by four bytes: the first byte is an SRAM bank, the second and third are an address, and the fourth is the number of bytes to send. The end of the list is marked with $FF. The requested data is concatenated and uploaded as a binary file.

Rankings data selection: This specifies the data that will be submitted for the rankings. The rankings data is submitted as key-value pairs in the manner of an HTML form submission, with the values encoded in ASCII hexadecimal. Each key is a string literal (in ASCII?) terminated with $50 (ASCII [tt]"P"[/tt]). Each value is specified with a bank number, address, and length in the same manner as the save data upload. The list of key-value pairs is terminated with $50 (i.e., an empty string where the name of the next key would be expected).

Although data can technically be read from anywhere in SRAM, there is a block of data at 5:A001-A082 which exists specifically for use in the rankings. With the exception of 5:A016-A017, which doesn't seem to be referenced at all, this block comprises 2-, 3-, or 4-byte big-endian values which are managed by a series of functions in bank $41. (Except for the Battle Tower win counter, these functions are still called in the English version in the relevant situations, but they've been dummied out, and wouldn't work anyway since SRAM bank 5 doesn't exist.)

[table]
[tr][td]Address[/td][td]Length[/td][td]Description[/td][/tr]
[tr][td]A001[/td][td]4[/td][td]Play time when last entered the Hall of Fame (2 bytes hours, 1 byte minutes, 1 byte seconds)[/td][/tr]
[tr][td]A005[/td][td]4[/td][td]Step count when last entered the Hall of Fame[/td][/tr]
[tr][td]A009[/td][td]3[/td][td]Number of times the party was healed when last entered the Hall of Fame[/td][/tr]
[tr][td]A00C[/td][td]1[/td][td]Extraneous byte copied from 5:A03C when last entered the Hall of Fame[/td][/tr]
[tr][td]A00D[/td][td]3[/td][td]Number of battles when last entered the Hall of Fame[/td][/tr]
[tr][td]A010[/td][td]4[/td][td]Step count[/td][/tr]
[tr][td]A014[/td][td]2[/td][td]Number of Battle Tower wins[/td][/tr]
[tr][td]A018[/td][td]3[/td][td]Number of times TMs and HMs have been taught[/td][/tr]
[tr][td]A01B[/td][td]3[/td][td]Number of battles[/td][/tr]
[tr][td]A01E[/td][td]3[/td][td]Number of wild Pokémon battles[/td][/tr]
[tr][td]A021[/td][td]3[/td][td]Number of Trainer battles[/td][/tr]
[tr][td]A024[/td][td]3[/td][td]Unused[/td][/tr]
[tr][td]A027[/td][td]3[/td][td]Number of Hall of Fame inductions[/td][/tr]
[tr][td]A02A[/td][td]3[/td][td]Number of wild Pokémon caught[/td][/tr]
[tr][td]A02D[/td][td]3[/td][td]Number of hooked Pokémon encounters[/td][/tr]
[tr][td]A030[/td][td]3[/td][td]Number of Eggs hatched[/td][/tr]
[tr][td]A033[/td][td]3[/td][td]Number of Pokémon evolved[/td][/tr]
[tr][td]A036[/td][td]3[/td][td]Number of Berries and Apricorns picked[/td][/tr]
[tr][td]A039[/td][td]3[/td][td]Number of times the party is healed[/td][/tr]
[tr][td]A03C[/td][td]3[/td][td]Number of times Mystery Gift is used[/td][/tr]
[tr][td]A03F[/td][td]3[/td][td]Number of trades[/td][/tr]
[tr][td]A042[/td][td]3[/td][td]Number of uses of field move Fly[/td][/tr]
[tr][td]A045[/td][td]3[/td][td]Number of uses of field move Surf[/td][/tr]
[tr][td]A048[/td][td]3[/td][td]Number of uses of field move Waterfall[/td][/tr]
[tr][td]A04B[/td][td]3[/td][td]Number of times the player whited out[/td][/tr]
[tr][td]A04E[/td][td]3[/td][td]Number of Lucky Number Show prizes won[/td][/tr]
[tr][td]A051[/td][td]3[/td][td]Number of Phone calls made and received[/td][/tr]
[tr][td]A054[/td][td]3[/td][td]Unused[/td][/tr]
[tr][td]A057[/td][td]3[/td][td]Number of Colosseum battles[/td][/tr]
[tr][td]A05A[/td][td]3[/td][td]Number of times player's Pokémon used Splash[/td][/tr]
[tr][td]A05D[/td][td]3[/td][td]Number of tree Pokémon encounters[/td][/tr]
[tr][td]A060[/td][td]3[/td][td]Unused[/td][/tr]
[tr][td]A063[/td][td]3[/td][td]Number of Colosseum wins[/td][/tr]
[tr][td]A066[/td][td]3[/td][td]Number of Colosseum losses[/td][/tr]
[tr][td]A069[/td][td]3[/td][td]Number of Colosseum ties[/td][/tr]
[tr][td]A06C[/td][td]3[/td][td]Number of times player's Pokémon used Self-Destruct or Explosion[/td][/tr]
[tr][td]A06F[/td][td]2[/td][td]Current streak of consecutive slot machine wins[/td][/tr]
[tr][td]A071[/td][td]2[/td][td]Longest streak of consecutive slot machine wins[/td][/tr]
[tr][td]A073[/td][td]4[/td][td]Total coins won from slot machines[/td][/tr]
[tr][td]A077[/td][td]4[/td][td]Total money earned from battles (including Pay Day)[/td][/tr]
[tr][td]A07B[/td][td]2[/td][td]Largest Magikarp measured[/td][/tr]
[tr][td]A07D[/td][td]2[/td][td]Smallest Magikarp measured[/td][/tr]
[tr][td]A07F[/td][td]2[/td][td]Bug-Catching Contest high score[/td][/tr]
[tr][td]A081[/td][td]2[/td][td]Bytewise checksum of A001-A080[/td][/tr]
[/table]

There are functions which would increment the three-byte values at 5:A024, 5:A054, and 5:A060, but these functions don't appear to be referenced even in the Japanese version.

5:A039 is incremented when the party is healed at a Pokémon Center, by the machine in Elm's Lab, by Mr. Pokémon after giving the Mystery Egg, by Lance in the Rocket Hideout, by the old woman on Route 26, by resting in the bed on the S.S. Aqua, or before a Battle Tower or mobile Colosseum battle. It is not incremented when the party is healed after whiting out, by using a Sacred Ash, after winning or losing the first rival battle in Cherrygrove City, or after defeating the last Rocket Grunt in Slowpoke Well, Sailor Stanly on the S.S. Aqua, Lance at the Pokémon League, or Red at Mt. Silver.

The value from 5:A039 is then copied into 5:A009 when entering the Hall of Fame, but 4 bytes are copied rather than 3, so the high byte of the number of times Mystery Gift was used is copied into 5:A00C. (That byte will still always be $00, because Mystery Gift can't be used more than 65535 times before the SRAM battery runs out. ;))

5:A05A and 5:A06C are incremented when the effect of the move is executed during the player's turn, regardless of whether it was chosen by the player, chosen by a disobedient Pokémon, or called through Metronome, Mirror Move, or Sleep Talk.

Save data upload
The game uploads the save data as specified in the metadata file. The body of the server's response is of no consequence.

Rankings upload
The game uploads the rankings data as specified in the metadata file. The server responds with the updated rankings tables. The game saves that data to the address specified in the metadata file. Each table begins with a 12-byte header:

[table]
[tr][td]Offset[/td][td]Length[/td][td]Description[/td][/tr]
[tr][td]$0[/td][td]4[/td][td]Number of ranked players (big-endian)[/td][/tr]
[tr][td]$4[/td][td]2[/td][td]Unknown[/td][/tr]
[tr][td]$6[/td][td]4[/td][td]Player's rank (big-endian; will be treated as unranked if this value is greater than the number of ranked players)[/td][/tr]
[tr][td]$A[/td][td]2[/td][td]Number of entries in the table (big-endian)[/td][/tr]
[/table]

The number of ranked players may be greater than the number of entries in the table; e.g., 1000 players might be given ranks (shown only to themselves) even though the table only lists the top 10 (shown to everyone).

Each entry in the table is of the length specified in the metadata file. The first 24 bytes follow a fixed format and the remaining bytes (up to 4?) are the score value.

[table]
[tr][td]Offset[/td][td]Length[/td][td]Description[/td][/tr]
[tr][td]$00[/td][td]7[/td][td]Trainer name[/td][/tr]
[tr][td]$07[/td][td]1[/td][td]Prefecture (values assigned in gojūon order from $01 = Aichi-ken to $2F = Wakayama-ken)[/td][/tr]
[tr][td]$08[/td][td]2[/td][td]Unknown[/td][/tr]
[tr][td]$0A[/td][td]1[/td][td]Age[/td][/tr]
[tr][td]$0B[/td][td]1[/td][td]Gender ($00 = male, $01 = female)[/td][/tr]
[tr][td]$0C[/td][td]12[/td][td]Message (six two-byte little-endian easy chat words)[/td][/tr]
[tr][td]$18[/td][td]?[/td][td]Score (big-endian)[/td][/tr]
[/table]

News download
The game downloads the News issue, stores it at 6:A000, and then executes it.

Based on the historical accounts of Pokémon News (particularly Kakeru's transcripts of the last seven issues), which describe various quizzes, minigames, and rewards (including, of course, the GS Ball), it can be surmised that the News involves a scripting language with many different commands. Without access to any of the original News downloads, it could be quite a challenge to determine how the data is packaged and what the available commands are, and then reconstruct something resembling a News issue.



Good news, everyone! Game Freak left us some samples in ROM bank $7D.

There are three unused functions in that bank which each copy a different block of data to 6:A000. If a News issue has already been downloaded, these functions overwrite it with data from the ROM. (If no News had been downloaded, the game will say まのま! There is no old NEWS when attempting to view it. This can be manually overridden by setting 5:AA72 to $01.)

This data in the ROM does not include any of the metadata or rankings tables, only the main News download. (This means we don't know what data from the save file would be requested by the server, or what message would be displayed before downloading the News.) Also, disappointingly, none of the text of these News issues was translated in Vietnamese Crystal.

Here's a video showing each of the News issues found in the ROM.


Trainer Rankings
A News issue entitled Trainer Rankings appears at 7D:5C6B in the Japanese ROM and at 7D:5DB4 in the localized ROMs. The function to copy this data into SRAM is at 7D:5C56 in the Japanese ROM and at 7D:5D9F in the localized ROMs.

This is the simplest News issue found in the ROM, having no features other than the rankings. It matches the screenshots on pages 25-26 of the Pocket Monsters: Crystal Version: Mobile Guide ( のてびき) packaged with the Mobile Adapter GB.

The main menu has four options:
[table][tr][td]Name[/td][td]Description[/td][/tr]
[tr][td]み
View Rankings[/td][td]なみま
View the different rankings.[/td][/tr]
[tr][td]のつ
Rankings Description[/td][td]のつで
A description of the rankings.[/td][/tr]
[tr][td]の
Update Rankings[/td][td]のま
Download the latest rankings.[/td][/tr]
[tr][td]
Quit[/td][td]みのま
Quit viewing the News.[/td][/tr][/table]

The background music for these menus is Elm Pokémon Lab.

Quit (or pressing B) returns to the News Machine menu. Update Rankings downloads the News metadata from the server, and then proceeds to submit the save data and rankings again only if the unique ID of the News issue has not changed. The description of the rankings says:

つので!
まくっ
なににはって
ま!

Rankings in three categories!
Now something from the save file you sent could be in the rankings!


View Rankings brings up a submenu to select from three ranking categories:
    [li]でっ Number of Colosseum wins[/li]
    [li]ととくて Bug-Catching Contest high score[/li]
    [li]つっのき Size of caught Magikarp[/li]

In each category, there are three rankings:
    [li]くの National ranking[/li]
    [li]とどふの Prefectural ranking[/li]
    [li]びばの Postal code ranking[/li]

The latter two rankings would depend on the prefecture and the three-digit prefix of the postal code entered in the Mobile Profile. If the player has opted not to enter a postal code, it's treated as 000 (no actual Japanese postal code starts with 000).

The first of the downloaded rankings tables is expected to contain the national ranking for Colosseum wins, the second one the prefectural ranking for the same, the fourth one the national ranking for the Bug-Catching Contest, et cetera.

Selecting any ranking shows the top 10 entries; for each entry, the trainer name, score, gender, age, prefecture can be seen, as well as the message they set in the Mobile menu. At the bottom of each top-10 ranking, the player can see their own current score (read from the corresponding address in SRAM: 5:A063 for the Colosseum, 5:A07F for the Bug-Catching Contest, and 5:A07B for the largest Magikarp) and ranking (as of the last rankings download, so not necessarily consistent with the score read from SRAM). If the player is not ranked, their score is followed by the message なっね You were not ranked Sorry

The message ま[]のばみとできま There is no rankings data. You can see it by updating the rankings. appears in this News data (and all the other ones, too), but I don't know what circumstances would cause it to appear.

In the Japanese ROM only, there is a near-identical copy of this News data at 7E:4000. (In the localized ROMs, bank $7E instead contains data for the offline Battle Tower and Odd Egg event.) The only difference is that the copy at 7E:4000 is missing four bytes at offset $002. Two of these missing bytes represent the length of the remaining data and the other two bytes are a bytewise checksum of that data. Since the checksum fails, the game refuses to load this version of the data, saying のてま[]みみなてくだ The NEWS data is corrupted. Please download the NEWS again.


Trainer Rankings (bis)
Another News issue entitled Trainer Rankings appears at 7D:4015 in the Japanese ROM and 7D:4018 in the localized ROMs. The corresponding function to copy this data into SRAM is at 7D:4000 in the Japanese ROM and 7D:4003 in the localized ROMs.

The most obvious difference between this News issue and the other one is that the main menu has an additional option called なき Pokémon Cries Quiz, with the description のなきててね! Guess the Pokémon cries!. The quiz has ten Pokémon to choose from: Suicune, Clefairy, Spearow, Gastly, Togepi, Zubat, Jynx, Espeon, Mewtwo, and Dunsparce. For each one, the player can listen to three different cries and guess which one is the correct cry for that Pokémon. There's no scoring and no reward for guessing correctly. The background music for the quiz is Hurry Along 2.

The rankings menus have several changes:

The Update Rankings option has been updated to give some feedback after the download: If successful, のま! Rankings update done! If the news ID has changed, のにっぱみでくだ Rankings update failed Please load the new News. If cancelled by the user (or an error occurs?), のま Rankings update cancelled.

The category Number of Colosseum wins has been replaced by でっ Number of Battle Tower wins. Notably, this ranking tries to read the player's score from the unused location 5:A016, rather than the correct address 5:A014.

The local rankings now have the player's prefecture and postal code in the title of the rankings (e.g., mine are called ときとの and 000の because I set my prefecture to Tōkyō-to and didn't set a postal code).

Selecting a blank entry in the top 10 now displays the message にはだてま No one is ranked here.

If the player's score in any ranking is checked using the [player's name]の option and the player is #1 in that ranking, this message is displayed:

でとっ
なに
てきなま
のみに!

For earning the top spot in the ranking
Here is a wonderful gift! Enjoy!


This triggers the GS Ball event; the player will receive the GS Ball upon leaving the PokéCom Center.


Pokémon News Debug Starting Issue
A News issue entitled Pokémon News Debug Starting Issue appears only in the Japanese ROM at 7D:4DD0.  The function to copy this data into SRAM is at 7D:4DBB.

The main menu options are:
[table][tr][td]Name[/td][td]Description[/td][/tr]
[tr][td]
Trainer Rankings[/td][td]なみま
View the different rankings.[/td][/tr]
[tr][td]なき
Pokémon Cries Quiz[/td][td]のなきててね!
Guess the Pokémon cries![/td][/tr]
[tr][td]の
Message from Game Freak[/td][td]ので
A message from Game Freak.[/td][/tr]
[tr][td]
Quit[/td][td]みのま
Quit viewing the News.[/td][/tr][/table]

Trainer Rankings leads to a submenu identical to the first Trainer Rankings news data. The Pokémon Cries Quiz is identical to the one in the second Trainer Rankings news data. The Message from Game Freak could probably be translated better by someone who knows what they're doing, but I'll give it a shot:

なきふきぬ
きので
みなまで
っまで


まにちみてに
ひだてにぶに
ねくなばなぐ
にてはでま

のはに
つくてま

でのでなきなどで
にな!
とぱは
でま

そではひきつづきの
くねま

ちほのと
くねま


As the refreshing autumn breeze now blows through, is everyone getting along well?

Every day our Crystal Team is striving to finish the game, with our right hands holding our mice, and our left hands clenched in fists to hit each other if we get sleepy.

We made this News for debugging use.

Thus, in the Cries Quiz for example, you don't need to worry about things like, "That Pokémon's not in the Pokédex!"

That said, we ask that you continue with debugging the News.

Of course, we'd like you to work on other things as well


This message seems to be directed at Nintendo's product testers, which suggests it may have been deliberately included in the final build that Game Freak submitted for testing. The background music for the message is National Park.


Pokémon News First Issue
In the localized ROMs, the Pokémon News Debug Starting Issue is replaced by an entirely different issue entitled そ Pokémon News First Issue, found at 7D:4DD3. The function to copy this data into SRAM is at 7D:4DBE.

The fact that it appears in the localized ROMs and not the Japanese ROM suggests it may have been developed after the Japanese ROM was finalized. The name implies that it could be the actual first issue of Pokémon News that was published when the Mobile System GB launched in January 2001. However, I don't think it is, because it contains the same script as the second Trainer Rankings data for awarding the GS Ball to a player who is #1 in any ranking, and I'm not aware of any documentation that the GS Ball was actually distributed in this manner.

The main menu options are:
[table][tr][td]Name[/td][td]Description[/td][/tr]
[tr][td]
News Guide[/td][td]みだにつま
A brief description of the loaded News.[/td][/tr]
[tr][td]
Trainer Rankings[/td][td]つのでま!
Rankings in three categories![/td][/tr]
[tr][td]
Pokémon Cult[/td][td]までのぼどまでだま!
Test how well you remember your adventure so far![/td][/tr]
[tr][td]
Quit[/td][td]みのま
Quit viewing the News.[/td][/tr][/table]

The News Guide says:

そでは


のみくだ!

なののきは
のば
などできので
ばばにな!

In the Pokémon News First Issue, please enjoy Trainer Rankings and the Pokémon Cult Quiz!

Your rankings can be updated as many times as you like; try your best and you might reach the top!


The Trainer Rankings submenu is pretty much the same as the second Trainer Rankings data (including the GS Ball reward), except that the player's score for Number of Battle Tower wins is read from the correct address, 5:A014. The menu items have been rearranged and most of the descriptions rewritten:

[table][tr][td]Name[/td][td]Description[/td][/tr]
[tr][td]み
View Rankings[/td][td]なみま
View the different rankings.[/td][/tr]
[tr][td]の
Update Rankings[/td][td]みみなま
なのきま
Reloads the rankings. Your results will also change.[/td][/tr]
[tr][td]のつ
Rankings Description[/td][td]ののにつてつま
Describes the current rankings categories.[/td][/tr]
[tr][td]
Quit[/td][td]のにどま
Return to the first page.[/td][/tr][/table]

The Rankings Description is more descriptive:

でっは
0ばどので
なまでになにの
とのぶにっ
にできそま

のきは
のみみに
つにはってっ
のちちば
きっのできそま

ととくては
でな
とでまでに
とっちば
てできそま

Number of Battle Tower wins is ranked by the number of trainers you've won battles against so far in the Battle Tower on Route 40.

Size of caught Magikarp is ranked by the largest Magikarp measured by the Fishing Guru at Lake of Rage.

Bug-Catching Contest high score is ranked by the highest score earned so far in the Bug-Catching Contest held in the National Park.


The Pokémon Cult Quiz, unlike the cries quiz, is a proper quiz with scoring. Ten multiple-choice questions are presented in sequence, varying from mildly obscure (Is Mom's specialty a Cinnabar Volcano bakemeat burger, curry, or yakisoba?) to incredibly obscure (How many times did Earl spin around before he entered the Pokémon Academy?). After you've answered all of the questions, Professor Oak evaluates your performance, although he doesn't give any reward. The background music during the quiz is Goldenrod Game Corner, and the music for the evaluation is Pokégear Radio: Professor Oak's Pokémon Talk.


News data structure
While I haven't yet endeavored to write my own fake news, I have done some basic analysis of the structure of the existing data:

Header
The data has a six-byte header; the first two bytes are [tt]00 A0[/tt], the next two bytes are a bytewise checksum of the data (excluding the header), and the final two bytes are the length of the data (excluding the header). As mentioned above, the duplicate News data at 7E:4000 in the Japanese ROM omits these checksum and length values, and therefore doesn't work in the final game.

Screen data
Data for the opening screen of the News issue begins immediately after the header. Other screens use the same data structure, which may be placed anywhere in the file and called using script command $01.

[table]
[tr][td]Length[/td][td]Description[/td][/tr]
[tr][td]1[/td][td]Background music ID[/td][/tr]
[tr][td]1[/td][td]Number of custom palettes[/td][/tr]
[tr][td]8[/td][td]Custom palette data. Four two-byte color values. Repeat number of custom palettes.[/td][/tr]
[tr][td]1[/td][td]Number of boxes to draw[/td][/tr]
[tr][td]6[/td][td]Box data. The first two bytes are origin x and y coordinates, the next two bytes are length and width, the fifth byte is the border type, and the sixth byte is the palette. Repeat number of boxes to draw.[/td][/tr]
[tr][td]1[/td][td]Number of strings to print[/td][/tr]
[tr][td]?[/td][td]Position to print a string, expressed as an offset into the screen buffer, followed by the string itself ($50-terminated). Repeat number of strings to print.[/td][/tr]
[tr][td]12[/td][td]Menu origin x and y coordinates, number of columns and rows, column width and row height, plus six more bytes of menu parameters?[/td][/tr]
[tr][td]16[/td][td]Offsets to script data for each of the eight joypad buttons (A B Select Start ). These offsets are relative to the start of the current screen data. The value $FFFF is used for a button which has no script.[/td][/tr]
[tr][td]1[/td][td]Number of menu items.[/td][/tr]
[tr][td]4[/td][td]Position to print menu descriptions, expressed as an offset into the screen buffer, and width and height of the area to be blanked before printing a description. (The blanked area begins one row above the given text position, to account for diacritics.)[/td][/tr]
[tr][td]1[/td][td]If not $00, loads the rankings table specified in 0:CD62. (That address should have been set by a script on the prior screen.)[/td][/tr]
[tr][td]2[/td][td]Pointer to the name of each menu item. Repeat number of items.[/td][/tr]
[tr][td]2[/td][td]Pointer to script data for each menu item. Repeat number of items.[/td][/tr]
[tr][td]2[/td][td]Pointer to description text for each menu item. Repeat number of items.[/td][/tr]
[/table]

If anyone wants to have a go at documenting the News script commands, they're in [tt]Jumptable17d72a[/tt] in pokecrystal's misc/mobile_5f.asm. Also of interest is the text character $15, which invokes another, smaller scripting language within a text string; this is used extensively in the Pokémon News data to insert variables into strings. Those commands are defined by the jumptable in [tt]Function17f047[/tt].


^ I know this is an old post, but does the code to actually load Pokémon News remain in English Crystal? What measures would need to be done to bypass the checksum/could you bypass the check with Game Genie codes? I'm wondering if we could use this to make our own minigames with arbitrary code execution. Like instead of the normal quizzes, theme one around glitch Pokémon.
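
The five-step HTTP authentication procedure quoted in the post above, together with the server-side check it implies, as an added Python example that is not part of the original post or of Nintendo's library. It assumes bits are numbered from the least significant bit (bit 0), that the MD5 hash in step 3 is the raw 16-byte digest, and that IDs and passwords are ASCII; the [tt]Server[/tt] class and the credentials are constructed for illustration. Because step 3 embeds the login ID, the server can undo steps 5 and 4 to recover it, then needs the plaintext password to recompute the hash, and a fresh single-use challenge is what keeps a captured response from being replayed.

```python
import base64
import hashlib
import hmac
import os

ROT_MASK = 0b01001001  # bits 0, 3 and 6


def split_even_odd(challenge: bytes) -> bytes:
    """Step 2: 18 bytes of even-numbered bits, then 18 bytes of odd-numbered bits."""
    def nibble(byte: int, first_bit: int) -> int:
        # Collect bits first_bit, +2, +4, +6 into a 4-bit value, order preserved.
        return sum(((byte >> (first_bit + 2 * i)) & 1) << i for i in range(4))

    evens, odds = bytearray(), bytearray()
    for first, second in zip(challenge[0::2], challenge[1::2]):
        # The first byte of each pair fills the high nibble, the second the low nibble.
        evens.append((nibble(first, 0) << 4) | nibble(second, 0))
        odds.append((nibble(first, 1) << 4) | nibble(second, 1))
    return bytes(evens + odds)


def rotate_036(b: int) -> int:
    """Step 5: bit 0 -> bit 3, bit 3 -> bit 6, bit 6 -> bit 0; other bits untouched."""
    keep = b & ~ROT_MASK & 0xFF
    return keep | ((b & 0x01) << 3) | ((b & 0x08) << 3) | ((b & 0x40) >> 6)


def unrotate_036(b: int) -> int:
    """Inverse of step 5, used by the server."""
    keep = b & ~ROT_MASK & 0xFF
    return keep | ((b & 0x08) >> 3) | ((b & 0x40) >> 3) | ((b & 0x01) << 6)


def credential_block(b64_challenge: str, login_id: str, password: str) -> bytes:
    """Steps 1 and 3: MD5(Base64 challenge + password) + login ID, $FF-padded, $00 last."""
    digest = hashlib.md5((b64_challenge + password).encode("ascii")).digest()
    block = digest + login_id.encode("ascii")
    if len(block) > 35:
        raise ValueError("login ID does not fit in the 35-byte block")
    return block.ljust(35, b"\xff") + b"\x00"


def client_response(b64_challenge: str, login_id: str, password: str) -> bytes:
    """Steps 1-5: the 36-byte value the game derives from the challenge."""
    mask = split_even_odd(base64.b64decode(b64_challenge))
    block = credential_block(b64_challenge, login_id, password)
    return bytes(rotate_036(m ^ c) for m, c in zip(mask, block))


class Server:
    """Hypothetical verifier; note that it has to hold plaintext passwords."""

    def __init__(self, passwords: dict):
        self.passwords = passwords
        self.outstanding = set()

    def issue_challenge(self) -> str:
        b64 = base64.b64encode(os.urandom(36)).decode("ascii")  # 48 characters
        self.outstanding.add(b64)
        return b64

    def verify(self, b64_challenge: str, response: bytes):
        """Return the authenticated login ID, or None."""
        if b64_challenge not in self.outstanding or len(response) != 36:
            return None
        self.outstanding.discard(b64_challenge)  # single use: replays fail
        mask = split_even_odd(base64.b64decode(b64_challenge))
        block = bytes(unrotate_036(r) ^ m for r, m in zip(response, mask))
        login_id = block[16:35].rstrip(b"\xff").decode("ascii", "replace")
        password = self.passwords.get(login_id)
        if password is None:
            return None
        expected = credential_block(b64_challenge, login_id, password)
        return login_id if hmac.compare_digest(block, expected) else None


def demo():
    """Authenticate once, then replay the same captured response."""
    server = Server({"player01": "s3cret"})  # constructed credentials
    challenge = server.issue_challenge()
    response = client_response(challenge, "player01", "s3cret")
    return server.verify(challenge, response), server.verify(challenge, response)


if __name__ == "__main__":
    print(demo())
```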

Re: Emulating the Mobile Adapter GB

Posted by: Parzival
Date: 2019-11-08 16:08:06

What measures would need to be done to bypass the checksum/could you bypass the check with Game Genie codes? I'm wondering if we could use this to make our own minigames with arbitrary code execution. Like instead of the normal quizzes, theme one around glitch Pokémon.
This is enough info to nearly completely recreate the server structure.

We could do literally anything with this, even on actual hardware with DNS tricks.

inb4 Mobile Adapter spoofing is an ACE vector
(funnily enough, we could send the vector AND THEN AN ENTIRE PAYLOAD as well from the server if this is indeed an ACE vector.)

Re: Emulating the Mobile Adapter GB

Posted by: Háčky
Date: 2020-05-15 01:34:51
Here's a post I should have made ages ago. Here's an overelaborate version of the script I used. Here's a short video demonstration.

[size=12pt]Battle Tower[/size]
Overview
Once Mobile Mode is enabled by connecting the Mobile Adapter GB at startup, the Battle Tower is unlocked. Rather than the random opponents featured in the localized versions, the opponents were seven other players' real parties that were downloaded prior to each Battle Tower challenge. A player could challenge up to five different Battle Rooms each day (according to the in-game clock). After completing a challenge, the player had the option to submit their results and possibly have their team appear in the Battle Room the next day, with the most successful challenger of the day becoming the Room Leader. Once downloaded and challenged, a Battle Room can be fought again, but results cannot be submitted on these repeat attempts. A separate feature allowed players to download a list of the Room Leaders of a particular room, which can be viewed on a monitor in the lobby after downloading.

The mechanics are otherwise the same as the offline Battle Tower in the localized games, except that no prizes are awarded: battles are 3 vs 3, levels above 40 are unlocked after defeating Lance at the Pokémon League, and Mewtwo, Mew, Lugia, Ho-Oh, and Celebi are barred from rooms below level 70.

Index file
When entering a Battle Tower challenge or requesting a list of Room Leaders, the game first downloads [tt]http://gameboy.datacenter.ne.jp/cgb/download?name=/01/CGB-BXTJ/battle/index.txt[/tt]. This file contains four URIs: the first is where the player's team and score will be submitted at the end of a challenge, the second is a file containing the number of Battle Rooms, the third is a file containing the data for challenging a particular Battle Room, and the fourth is a file containing the list of Room Leaders.

The latter two file names should contain a string of four [tt]"X"[/tt]s, which will be replaced with a zero-padded decimal number corresponding to the requested Battle Room. The values [tt]0001[/tt]–[tt]0010[/tt] are used for Room 001 of each Battle Tower level from 10 to 100, [tt]0011[/tt]–[tt]0020[/tt] are for Room 002 of each level, and so on. Note that while the concept is the same as for the Egg Ticket redemption, the implementation details are different: there a variable number of [tt]"X"[/tt]s were allowed and the replacement value was hexadecimal.

To charge the fee of ¥10 for each Battle Room challenged, the file name of the challenge data should start with 10, and presumably the game would have to authenticate in order to download it. I previously explored how the game authenticates itself to upload data, but not to download it. With Pokémon News, I had assumed the authentication required for the ¥100 fee would occur when rankings data was uploaded before downloading the News itself, but with the Battle Tower, that can't be the case, because it only optionally uploads data after the Battle Tower challenge is completed, and the fee wasn't optional.

The way Nintendo's mobile library handles uploads and downloads to and from the four different endpoints on [tt]gameboy.datacenter.ne.jp[/tt] ([tt]/cgb/download[/tt], [tt]/cgb/upload[/tt], [tt]/cgb/utility[/tt], and [tt]/cgb/ranking[/tt]) involves a lot of spooky action at a distance that I didn't have the patience to understand, but based on empirical testing of all four in authenticated and unauthenticated scenarios, I think the intent is that [tt]/cgb/download[/tt] is for unauthenticated downloads, [tt]/cgb/upload[/tt] is for authenticated uploads, [tt]/cgb/utility[/tt] is for authenticated downloads, and [tt]/cgb/ranking[/tt] is for unauthenticated uploads.

If [tt]/cgb/download[/tt] is used to download and the server demands authentication, the game will give authentication, receive the file, but then make an extra [tt]POST[/tt] request with no [tt]Content-Length[/tt] header, and rage-quit when the server tells it that's no good. In contrast, [tt]/cgb/utility[/tt] works as expected when authentication is required. (They both work the same when authentication is not required.)

If [tt]/cgb/ranking[/tt] is used to upload and the server demands authentication, the game will make a [tt]POST[/tt] request that gives authentication and uploads the file at the same time, then make another [tt]POST[/tt] request with [tt]Content-Length: 0[/tt]. In contrast, [tt]/cgb/upload[/tt] sends the authentication in a [tt]GET[/tt] request, then [tt]POST[/tt]s the file with its [tt]Gb-Auth-ID[/tt]. (Again, they both work the same when authentication is not required. If authentication is required and the file name does not start with a number indicating a fee, they both return error 32-401 instead of attempting authentication.)

Now, something called "ranking" being unauthenticated sounds like a bad idea to me, but I would speculate that the reason behind it is that authentication of the DION account was only for the purpose of charging a content fee, and was not available to the game developers as a method of identifying their players. There wouldn't be any additional charge (beyond the call charge) for submitting a score for a ranking, so it would use the unauthenticated [tt]/cgb/ranking[/tt]. If this is correct, Pokémon News would have used [tt]/cgb/ranking[/tt] for its uploads (and their file names wouldn't need a fee prefix) and [tt]/cgb/utility[/tt] for the main News download (prefixed with [tt]100[/tt]). Likewise, the Battle Room challenge download would use [tt]/cgb/utility[/tt] and the score submission would use [tt]/cgb/ranking[/tt].

Number of Battle Rooms
Whether entering a Battle Tower challenge or requesting a list of Room Leaders, the first thing the game does after downloading [tt]index.txt[/tt] is to ask how many Battle Rooms there are. This file must be exactly two bytes long. The total number of Battle Rooms across all levels is encoded as a 16-bit big-endian integer. This number should be a multiple of 10, as it will be divided by 10 to determine the number of Rooms at each of the ten levels. Perplexingly, the game attempts to validate this file by taking the bitwise-or of the two bytes and checking that it's not less than 10. This will fail if the number is, for example, 260 (hex [tt]01 04[/tt]).

I haven't seen any official documentation that mentions the number of Battle Rooms, but based on Kakeru's Battle Tower after-action reports, we can infer that, at least in the latter months of the Battle Tower's operation, there were 20 at each level and the actual content of this file was [tt]00 C8[/tt].

Room Leader list
These files (one for each Battle Room) must be exactly 150 bytes long. They contain 30 trainer names, each 5 bytes long. If the first byte of a name slot is $00, the name will be displayed as . Once downloaded, the list may be viewed on the monitor next to the attendant at any time. It appears as ten rows of three names, with scrolling required to view each row below the first six.

Battle Room challenge data
These files (one for each Battle Room) must be exactly 1428 bytes long. They contain seven 204-byte structures describing the Room's trainers. The order that the trainers appear in the file is the reverse of the order that they will be battled, so the first entry in the file is the Room Leader.

[table]
[tr][td]Offset[/td][td]Length[/td][td]Description[/td][/tr]
[tr][td]$00[/td][td]5[/td][td]Trainer name[/td][/tr]
[tr][td]$05[/td][td]1[/td][td]Trainer class[/td][/tr]
[tr][td]$06[/td][td]54[/td][td]Pokémon 1 data[/td][/tr]
[tr][td]$3C[/td][td]54[/td][td]Pokémon 2 data[/td][/tr]
[tr][td]$72[/td][td]54[/td][td]Pokémon 3 data[/td][/tr]
[tr][td]$AE[/td][td]12[/td][td]Message before battle[/td][/tr]
[tr][td]$BA[/td][td]12[/td][td]Message after this trainer defeats (or draws?) the player[/td][/tr]
[tr][td]$C6[/td][td]12[/td][td]Message after the player defeats this trainer[/td][/tr]
[/table]

The Pokémon data is the standard 48-byte structure followed by 6 bytes for the nickname. (The OT name is not included. There's no good reason the 48-byte structure was used rather than the 32-byte PC structure; the current HP and stats are all recalculated anyway. The one thing that's not recalculated is the status condition, but a Pokémon can't legitimately have a status condition when it's uploaded to the Battle Tower.) The three messages consist of six two-byte easy chat words.

The game runs several sanity checks on each trainer:


Score submission
After completing the Battle Tower challenge, the player is given the option to submit their party and score. If they defeated all seven trainers, they are informed that they may become the Room Leader. The uploaded file is 246 bytes:

[table]
[tr][td]Offset[/td][td]Length[/td][td]Description[/td][/tr]
[tr][td]$00[/td][td]2[/td][td]Room number (big-endian, e.g., [tt]00 0A[/tt] for level 100 Room 001)[/td][/tr]
[tr][td]$02[/td][td]30[/td][td]E-mail address (read from Mobile Adapter GB)[/td][/tr]
[tr][td]$20[/td][td]4[/td][td]Trainer ID / secret ID[/td][/tr]
[tr][td]$24[/td][td]204[/td][td]Trainer data (in the same format as the download)[/td][/tr]
[tr][td]$F0[/td][td]1[/td][td]Number of trainers defeated[/td][/tr]
[tr][td]$F1[/td][td]2[/td][td]Number of turns taken (big-endian) xor $FFFF[/td][/tr]
[tr][td]$F3[/td][td]2[/td][td]Total damage taken (counted at end of each battle, big-endian) xor $FFFF[/td][/tr]
[tr][td]$F5[/td][td]1[/td][td]Number of fainted Pokémon (counted at end of each battle) xor $FF[/td][/tr]
[/table]

The player's trainer class is chosen based on their gender and trainer ID. The two bytes of the trainer ID are xor'd and the result is used to select from a list of male or female trainer classes. Because of the peculiar algorithm used, some classes are much more likely than others:

[table]
[tr][td]Value[/td][td]Male class[/td][td]Female class[/td][/tr]
[tr][td]00[/td][td]Burglar[/td][td]Medium[/td][/tr]
[tr][td]01–07[/td][td]Youngster[/td][td]Lass[/td][/tr]
[tr][td]08–0F[/td][td]Schoolboy[/td][td]Lass[/td][/tr]
[tr][td]10–17[/td][td]Bird Keeper[/td][td]Beauty[/td][/tr]
[tr][td]18–1F[/td][td]Pokémaniac[/td][td]Beauty[/td][/tr]
[tr][td]20–27[/td][td]Gentleman[/td][td]Skier[/td][/tr]
[tr][td]28–2F[/td][td]Bug Catcher[/td][td]Skier[/td][/tr]
[tr][td]30–37[/td][td]Fisher[/td][td]Teacher[/td][/tr]
[tr][td]38–3F[/td][td]Swimmer[/td][td]Teacher[/td][/tr]
[tr][td]40–47[/td][td]Sailor[/td][td]Swimmer[/td][/tr]
[tr][td]48–4F[/td][td]Super Nerd[/td][td]Swimmer[/td][/tr]
[tr][td]50–57[/td][td]Guitarist[/td][td]Picnicker[/td][/tr]
[tr][td]58–5F[/td][td]Hiker[/td][td]Picnicker[/td][/tr]
[tr][td]60–67[/td][td]Firebreather[/td][td]Kimono Girl[/td][/tr]
[tr][td]68–6F[/td][td]Blackbelt[/td][td]Kimono Girl[/td][/tr]
[tr][td]70–77[/td][td]Psychic[/td][td]Pokéfan[/td][/tr]
[tr][td]78–7F[/td][td]Camper[/td][td]Pokéfan[/td][/tr]
[tr][td]80–87[/td][td]Cooltrainer[/td][td]Cooltrainer[/td][/tr]
[tr][td]88–8F[/td][td]Boarder[/td][td]Cooltrainer[/td][/tr]
[tr][td]90–97[/td][td]Juggler[/td][td]Swimmer[/td][/tr]
[tr][td]98–9F[/td][td]Pokéfan[/td][td]Swimmer[/td][/tr]
[tr][td]A0–A7[/td][td]Officer[/td][td]Picnicker[/td][/tr]
[tr][td]A8–AF[/td][td]Sage[/td][td]Picnicker[/td][/tr]
[tr][td]B0–B7[/td][td]Biker[/td][td]Picnicker[/td][/tr]
[tr][td]B8–BF[/td][td]Scientist[/td][td]Picnicker[/td][/tr]
[tr][td]C0–CF[/td][td]Firebreather[/td][td]Kimono Girl[/td][/tr]
[tr][td]D0–DF[/td][td]Blackbelt[/td][td]Kimono Girl[/td][/tr]
[tr][td]E0–EF[/td][td]Psychic[/td][td]Pokéfan[/td][/tr]
[tr][td]F0–FF[/td][td]Camper[/td][td]Pokéfan[/td][/tr]
[/table]

The last six bytes of the upload are the criteria used to rank trainers to determine the Room Leader, as listed on page 32 of the Pocket Monsters: Crystal Version: Mobile Guide. The order and format of these values allows a simple byte-for-byte comparison to determine the ranking. (A perfect run, in which all trainers were defeated in 3 turns with no damage taken, would result in the highest possible value of [tt]07 FF EA FF FF FF[/tt].)

How were trainers chosen for the next day's Battle Rooms?
It is clear from the Mobile Guide that the trainers in each Battle Room were reset each day, and that the player with seven wins in that Room who submitted the highest score (based on turns, damage, and faints) became the next day's Room Leader. It is not as clear when this reset occurred (midnight?), how two or more trainers with the same score were separated (time of submission?), what happened if no one submitted a seven-win score (logically, I would expect the existing Room Leader to remain?), or how the other trainers in the room were chosen. Page 33 of the Mobile Guide does have some mention of how the Room's first trainer (who would be seventh in the data file) is selected:

だの1人のは績に人の中選ばま
However, the next day's first trainer will be selected from among the people who submitted, irrespective of their score.


This implies that this slot was chosen differently from the other six, although nowhere is it explicitly stated how slots 2–6 were chosen.

If I had to guess how it actually worked, I would say that all entries were sorted by score, and the top six and a seventh chosen at random constituted the next day's Battle Room. (If this were the case, having seven wins wouldn't technically be required to become Room Leader, as long as no one else had seven wins either.)

Battle Tower data in the localized ROMs
Because the Battle Tower was modified for offline use in the localized games, they contain pertinent data that is not present in the Japanese version. By reexamining this data with the Japanese version's mechanics in mind, a few new observations can be made.

The file currently named [tt]data/battle_tower/unknown.asm[/tt] in pokecrystal contains Japanese easy-chat messages for 70 trainers. Here they are converted to text. This data appears in all versions except the Japanese version, despite it having no use in those versions. The localized games instead give Battle Tower trainers a random selection from 40 sets of messages written as regular text scripts.

It is well-known that there are 70 trainer names and classes that are randomly selected for the offline Battle Tower (by mistake, only 21 of them are used in the 1.0 English ROM), and 21 Pokémon for each level that are also randomly selected.

There is no apparent relation between this list of trainers and this list of Pokémon, except that the number of Pokémon happens to be three times the number of trainers. However, a close examination of the easy-chat messages reveals that they correlate with both the trainer list and the Pokémon list, implying these were designed as 70 individual trainers, each with their own three Pokémon, rather than a mix-and-match buffet. (Of course, the three Pokémon still don't relate to the trainer's class in the way that normal in-game rosters do; that wouldn't make a very good Battle Tower.)

Some easy-chat messages refer to specific Pokémon that appear in the corresponding position in the party list. For example, the first group of three messages are all about evolution, and the first party of three Pokémon is Jolteon, Espeon, and Umbreon. The second group of messages are all about Wobbuffet, and the second party's first Pokémon is a Wobbuffet. The forty-sixth group of messages refer to Umbreon, Gyarados, and Quagsire, and the forty-sixth party contains those Pokémon in that exact order.

I'm no expert in the nuances of Japanese speech, but it appears to me that the style in which different trainers' messages are written matches the trainer class in the corresponding position in the names list; for example, Youngsters speak like young boys. To pick out one obvious case, the forty-fourth trainer is Gentleman Hatcher, and the forty-fourth group of messages have him calling himself "old man".

There is one further subtle hint that the order of the trainer names list is quite deliberate. If these seventy trainers correspond to ten Battle Rooms, one for each level, and the trainers in each Room are ordered as the Japanese Battle Tower expects, with the Room Leader first, then the place of highest honor, the Room Leader at level 100, should be the sixty-fourth position (the first one in the last group of seven). The sixty-fourth trainer name is Bug Catcher Tajiri.

The part in which I cite with a straight face some idle speculation on some random person's blog 17½ years ago
It is reasonable to assume that, before it was repurposed for the offline Battle Tower, a version of this data (with Japanese names for the trainers, which don't appear in any of the ROMs) was used to initialize the Battle Rooms, whether only during testing or also at the Mobile System GB's public launch. There is one piece of evidence, found in Kakeru's after-action report of a level 20 Battle Tower challenge on October 6, 2002, that this data was used even after the public launch:

走ののと水砲と人っ使
そばのとの名はどでとので調べてみと
任天HPのに場て任天
不正置きのだで
で楽にち稼ぐと来ので!の人き!

Against Biker Enomoto, the Pokémon I'm using devoured a Water Gun Quagsire.
Come to think of it, I've heard the name Enomoto somewhere, so I tried looking it up, and
It also appears in the Nintendo website's Battle Tower hands-on preview. Is it a trainer Nintendo prepared?
I wonder if an illegal trainer might have been replaced? It's a mystery.
Thanks to that, I was able to record a comfortable win. With this momentum, I cleared Room 7! First seven-win streak!


Two days later, he mentioned encountering Biker Enomoto in two more level 20 Battle Rooms. In the linked article, from the January 2001 issue of Nintendo Online Magazine promoting the launch of the Mobile System GB, the writer also mentions entering a level 20 Battle Room and facing a Biker Enomoto.

The data for the offline Battle Tower includes a Biker, whose English name is Erickson, in the fourteenth position, which would make him the first trainer of the level 20 Battle Room. His corresponding party's last Pokémon is a Quagsire. What do you want to bet that Erickson's Japanese name was Enomoto?

There is one discrepancy between Kakeru's account and the localized ROM data: the move set for Biker Erickson's Quagsire is Amnesia, Earthquake, Surf, and Rain Dance, but Kakeru mentions Water Gun. But I think there's a reason for that: Quagsire cannot legally know Amnesia until level 21. According to the Pokémon Battle Historia, the Battle Tower originally didn't check for illegal moves, but this changed in early March 2001 after widespread abuse. (It still didn't check for illegal move sets, according to Kakeru, who complained of a Blastoise knowing both Counter and Mirror Coat.) It is plausible that these stock Pokémon had to be altered to pass the legality check themselves, perhaps by giving them their default level-up moves, which for a level 20 Quagsire would be Water Gun, Tail Whip, and Slam.

I don't think it's necessarily the case that Biker Enomoto was inserted into the Battle Room in place of an illegal submission. (Perhaps illegal submissions were handled in the same way as Game Freak's own illegal Quagsire?) It could simply be that the default trainers were used to fill Battle Rooms where fewer than seven scores were submitted the previous day.




^ I know this is an old post, but does the code to actually load Pokémon News remain in English Crystal? What measures would need to be done to bypass the checksum/could you bypass the check with Game Genie codes? I'm wondering if we could use this to make our own minigames with arbitrary code execution. Like instead of the normal quizzes, theme one around glitch Pokémon.

I think the main problem with loading Pokémon News in the English version would be that it's expecting the data to be saved in an SRAM bank that doesn't exist. (For anyone who doesn't know, the Japanese Crystal cartridge has 8 banks [64 KiB] of SRAM, while every other GB/GBC Pokémon game has 4 banks [32 KiB]. Pokémon News is saved in bank 6.) The English version has a check in [tt]GetSRAMBank[/tt] that closes SRAM whenever leftover mobile code tries to access an invalid bank.

inb4 Mobile Adapter spoofing is an ACE vector
(funnily enough, we could send the vector AND THEN AN ENTIRE PAYLOAD as well from the server if this is indeed an ACE vector.)

I did suggest that it could be done with a corrupt Pokémon News metadata file ;)
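
The Battle Tower formats described in the post above, as an added Python example for a replacement server (not the poster's script or the game's code): it decodes the room-count file, reproduces the client's bitwise-or check, fills the [tt]XXXX[/tt] placeholder, and parses and ranks the 246-byte score upload. All function names are hypothetical, the 204-byte trainer structure is left opaque, and rejecting more than seven wins is an assumption about what a server should enforce on this untrusted upload.

```python
import struct
from typing import List, NamedTuple, Optional

LAYOUT = ">H30s4s204sBHHB"  # offsets $00-$F5 of the 246-byte upload


class Submission(NamedTuple):
    room: int
    email: bytes
    trainer_id: bytes
    trainer: bytes      # 204-byte trainer structure, left opaque here
    wins: int
    turns: int
    damage: int
    faints: int
    rank_key: bytes     # last six bytes, compared as-is


def decode_room_count(data: bytes) -> int:
    """Total number of Battle Rooms: exactly two bytes, big-endian."""
    if len(data) != 2:
        raise ValueError("room count file must be exactly 2 bytes")
    return struct.unpack(">H", data)[0]


def client_accepts_room_count(data: bytes) -> bool:
    """The game's check as described: OR of the two bytes must be >= 10."""
    return len(data) == 2 and (data[0] | data[1]) >= 10


def room_file_name(template: str, level: int, room: int) -> str:
    """Fill "XXXX": 0001-0010 are Room 001 of levels 10-100, and so on."""
    if level not in range(10, 101, 10) or room < 1 or "XXXX" not in template:
        raise ValueError("bad level, room or template")
    return template.replace("XXXX", f"{(room - 1) * 10 + level // 10:04d}", 1)


def parse_submission(blob: bytes, total_rooms: int) -> Submission:
    """Parse one upload; reject anything that is not the documented shape."""
    if len(blob) != struct.calcsize(LAYOUT):
        raise ValueError("submission must be exactly 246 bytes")
    room, email, tid, trainer, wins, turns, damage, faints = struct.unpack(
        LAYOUT, blob)
    if not 1 <= room <= total_rooms:
        raise ValueError("room number out of range")
    if wins > 7:  # assumption: a Room holds seven trainers, so 7 is the cap
        raise ValueError("more wins than trainers in a Room")
    return Submission(room, email, tid, trainer, wins,
                      turns ^ 0xFFFF, damage ^ 0xFFFF, faints ^ 0xFF, blob[-6:])


def pick_room_leader(subs: List[Submission]) -> Optional[Submission]:
    """Highest byte-for-byte key among seven-win entries; ties keep the
    earliest entry (the post notes the real tie-break rule is unknown)."""
    winners = [s for s in subs if s.wins == 7]
    return max(winners, key=lambda s: s.rank_key) if winners else None


def build_sample(room: int, wins: int, turns: int, damage: int,
                 faints: int) -> bytes:
    """Constructed test upload with zeroed e-mail, ID and trainer fields."""
    return struct.pack(LAYOUT, room, b"", b"", b"", wins,
                       turns ^ 0xFFFF, damage ^ 0xFFFF, faints ^ 0xFF)
```

A server that serves a room count such as 260 would decode it correctly here but have it refused by the client check, so both functions are worth running before publishing the file.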

Re: Emulating the Mobile Adapter GB

Posted by: Torchickens
Date: 2020-05-16 15:43:49
Whoa! Great work again, Háčky. ^^