Gameboy Advance: Game modules can be read via audio output

When a game crashes on the Game Boy Advance, the device keeps making sounds, and they sound a lot like binary data being played back. This gave the hobbyist TheZZAZZGlitch the idea that the contents of the game module's ROM (read-only memory) are being reproduced here (via Ars Technica). So, as he describes in a video on YouTube, he recorded the output and examined it.

In fact, after about an hour and 50 minutes, the audio samples stored on the game module start playing. So the hobbyist tried to restore the contents of the module from the recorded data, and developed a Python script for this. In the first attempt, the restored data matched the original to 99.76 percent; the hobbyist compared it with the ROM he had started in an emulator for the test.

However, long runs of zero bytes proved problematic and led to incorrect assignments. Here the hobbyist used a small trick: he compared the output with the original ROM, determined the addresses of the corresponding blocks and adjusted them accordingly in his output. For an exact reconstruction he also evaluated seven separate recordings; for each byte, his script selects the most frequently occurring value (majority vote).
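The two reconstruction steps mentioned above, the per-byte match percentage against a reference and the majority vote across several recordings, can be illustrated with a short script. The code below is an added example and is not TheZZAZZGlitch's script; the noise model (each byte of a recording is replaced by a random value with some probability), the reference data and all function names are constructed for the demonstration. It also flags positions where no value wins a strict majority, which is where a practitioner would want more recordings or manual checking.

```python
import random
from collections import Counter


def match_ratio(candidate: bytes, reference: bytes) -> float:
    """Fraction of byte positions where candidate and reference agree
    (the kind of comparison behind a figure like 99.76 percent)."""
    if len(candidate) != len(reference):
        raise ValueError("candidate and reference must have the same length")
    if not reference:
        return 1.0
    return sum(a == b for a, b in zip(candidate, reference)) / len(reference)


def majority_vote(recordings: list[bytes]) -> bytes:
    """Per-byte majority vote across equal-length recordings.
    Assumed reconstruction step, not the original script: for every
    position the most frequent byte value wins; ties go to the value
    seen first, which is fine for a demonstration."""
    if not recordings:
        raise ValueError("need at least one recording")
    length = len(recordings[0])
    if any(len(r) != length for r in recordings):
        raise ValueError("all recordings must have the same length")
    out = bytearray(length)
    for i in range(length):
        counts = Counter(r[i] for r in recordings)
        out[i] = counts.most_common(1)[0][0]
    return bytes(out)


def low_confidence_positions(recordings: list[bytes]) -> list[int]:
    """Indices where the winning value has no strict majority
    (at most half of the recordings agree), i.e. the bytes a practitioner
    would re-record or verify by hand."""
    if not recordings:
        return []
    threshold = len(recordings) / 2
    positions = []
    for i in range(len(recordings[0])):
        top = Counter(r[i] for r in recordings).most_common(1)[0][1]
        if top <= threshold:
            positions.append(i)
    return positions


def corrupt(data: bytes, error_rate: float, rng: random.Random) -> bytes:
    """Constructed noise model: each byte is replaced by a random value
    with probability error_rate, standing in for decoding errors."""
    return bytes(b if rng.random() >= error_rate else rng.randrange(256) for b in data)


def demo(n_recordings: int = 7, error_rate: float = 0.05, seed: int = 1):
    """Build a constructed 4 KiB 'ROM', simulate several noisy recordings,
    and return (single-recording match, majority-vote match)."""
    rng = random.Random(seed)
    reference = bytes(rng.randrange(256) for _ in range(4096))
    recordings = [corrupt(reference, error_rate, rng) for _ in range(n_recordings)]
    single = match_ratio(recordings[0], reference)
    voted = match_ratio(majority_vote(recordings), reference)
    return single, voted


if __name__ == "__main__":
    single, voted = demo()
    print(f"one recording:   {single:.2%} match")
    print(f"majority of 7:   {voted:.2%} match")
```

With seven recordings and a five percent per-byte error rate, a wrong value can only win a position if a majority of recordings are corrupted there and agree on the same wrong byte, which is vanishingly rare; the voted result therefore lands at or very near 100 percent while any single recording sits around 95 percent. What the vote cannot fix is a systematic misalignment such as the zero-run problem described above, because a shifted block is wrong in the same way in every recording.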

Fake module with a surprising structure

But the approach doesn't only work with an emulator. For a practical test on real hardware, TheZZAZZGlitch used a counterfeit game module. He found that even after a series of optimizations and 45 evaluated recordings, the module's code did not match that of an original module.

So he looked at the differences and realized that the game's code had been modified, because corners had been cut on the module's hardware: while the original contains a ROM as well as a flash chip for storing save states, the clone combines both in a single flash memory. To make this work, the original code was modified so that it copies a routine for writing the save game into the Game Boy's RAM and runs it from there. This avoids the access conflicts that would inevitably arise if the processor tried to fetch instructions from the module while it was being written to.

A message indicating a dead backup battery for the real-time clock was also modified, because the fake module also dispenses with that battery.
