Pseudonymous Pokémon fan “TheZZAZZGlitch,” hereafter simply ZZAZZ, has come up with a particularly unusual technique for dumping a Nintendo Game Boy Advance game ROM: force the console to crash, then listen to the sound it makes.
“Turns out, the [Nintendo Game Boy Advance] crash sound is simply the console playing its entire address space as sound data,” ZZAZZ explains of the discovery. “If we have a clear recording, we can convert it back to actual bytes, thus dumping the RAM and ROM.”
To test the idea, ZZAZZ crashed a game running in a Game Boy Advance emulator while recording its sound output. Listening to the recording, ZZAZZ found recognizable snippets of sound: “The game’s instrument samples are in ROM,” the tinkerer explains, “so we can hear them play out in sequence! Assuming a clean recording, like this one, it shouldn’t be difficult to reconstruct the ROM.”
Taking the recording as a base, ZZAZZ set about writing Python scripts to process the audio and return the ROM and RAM contents. Initial attempts weren’t promising: alignment issues caused the first reconstruction to fail, and even realigning things by comparing against the ROM that had been loaded into the emulator didn’t quite get there. “I got a dump that was 99.76% accurate,” ZZAZZ explains. “[but it] still didn’t boot tho’.”
The answer: more recordings. By making several dumps and merging them, resolving any conflicts with “a simple ‘majority vote’” per byte, ZZAZZ explains, the resulting ROM dump reached 99.979 per cent accuracy. It booted, but showed obvious corruption, until the process was repeated with a total of seven distinct audio recordings, enough to outvote the remaining errors and produce a ROM dump that matched the original exactly.
Initial attempts proved glitchy; the fix was recording several times and resolving conflicts with a “majority vote.” (📷: TheZZAZZGlitch)
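To make the two steps above concrete (turning a recording back into bytes, then merging several imperfect dumps by majority vote), here is a small end-to-end model of the pipeline. It is an added illustration and is not ZZAZZ’s code: the “crash sound” is modelled as each byte played as one signed 8-bit sample held for four captured samples, the microphone captures are constructed by adding Gaussian noise and a random lead-in, and a fixed 32-byte prefix (`SYNC`) stands in for whatever known data a real dump would begin with; all of these are assumptions for the demo, and a real recording additionally needs the true sample-rate ratio recovered before any of this works.

```python
"""Toy 'crash-sound' ROM recovery: play bytes as 8-bit PCM, record several noisy
copies, decode each back to bytes, then merge them by per-byte majority vote.
Added illustration, not TheZZAZZGlitch's code. The PCM model, the noise model
and the known 32-byte sync prefix are all assumptions made for this demo."""
import random
import statistics
from collections import Counter
from typing import Dict, List, Sequence, Tuple

OVERSAMPLE = 4  # assumption: every byte is held for 4 captured samples
# assumption: the dump begins with a prefix we already know and can lock on to;
# fixed pseudo-random bytes here (a real GBA ROM has a fixed header to use instead)
SYNC = bytes(random.Random(0xC0DE).randrange(256) for _ in range(32))


def bytes_to_pcm(data: bytes, oversample: int = OVERSAMPLE) -> List[float]:
    """Model the crash sound: each byte is one signed 8-bit sample, held `oversample` times."""
    pcm: List[float] = []
    for b in data:
        signed = b - 256 if b >= 0x80 else b
        pcm.extend([float(signed)] * oversample)
    return pcm


def make_recording(pcm: Sequence[float], noise_sd: float, seed: int, lead_in: int) -> List[float]:
    """Constructed microphone capture: a random-length lead-in, then signal plus Gaussian noise."""
    rng = random.Random(seed)
    rec = [rng.gauss(0.0, noise_sd) for _ in range(lead_in)]
    rec.extend(s + rng.gauss(0.0, noise_sd) for s in pcm)
    return rec


def align(rec: Sequence[float], sync_pcm: Sequence[float], max_shift: int) -> int:
    """Return the sample offset at which the known prefix fits best (least squared error)."""
    n = len(sync_pcm)
    best_shift, best_err = 0, float("inf")
    for shift in range(max_shift + 1):
        window = rec[shift:shift + n]
        if len(window) < n:
            break
        err = sum((a - b) ** 2 for a, b in zip(window, sync_pcm))
        if err < best_err:
            best_shift, best_err = shift, err
    return best_shift


def decode(rec: Sequence[float], shift: int, nbytes: int, oversample: int = OVERSAMPLE) -> bytes:
    """Median of each byte's samples, rounded and clamped back to a signed 8-bit value."""
    out = bytearray()
    for i in range(nbytes):
        start = shift + i * oversample
        chunk = rec[start:start + oversample]
        if len(chunk) < oversample:
            break  # recording ended early: the dump is truncated, never padded
        v = max(-128, min(127, int(round(statistics.median(chunk)))))
        out.append(v & 0xFF)
    return bytes(out)


def majority_vote(dumps: Sequence[bytes]) -> Tuple[bytes, List[int]]:
    """Merge dumps byte by byte; also report positions where the vote tied."""
    n = min(len(d) for d in dumps)
    merged, ties = bytearray(), []
    for i in range(n):
        top = Counter(d[i] for d in dumps).most_common(2)
        merged.append(top[0][0])
        if len(top) > 1 and top[1][1] == top[0][1]:
            ties.append(i)  # no clear winner: this byte needs another recording
    return bytes(merged), ties


def accuracy(dump: bytes, reference: bytes) -> float:
    """Fraction of reference bytes the dump gets right (missing bytes count as wrong)."""
    ok = sum(1 for a, b in zip(dump, reference) if a == b)
    return ok / len(reference)


def demo(n_recordings: int = 7, noise_sd: float = 0.3, rom_size: int = 4096, seed: int = 1) -> Dict[str, object]:
    """Constructed ROM -> n noisy recordings -> aligned decodes -> majority-vote merge."""
    rng = random.Random(seed)
    rom = SYNC + bytes(rng.randrange(256) for _ in range(rom_size - len(SYNC)))
    pcm, sync_pcm = bytes_to_pcm(rom), bytes_to_pcm(SYNC)
    dumps = []
    for k in range(n_recordings):
        rec = make_recording(pcm, noise_sd, seed=100 + k, lead_in=rng.randrange(0, 50))
        dumps.append(decode(rec, align(rec, sync_pcm, max_shift=64), len(rom)))
    merged, ties = majority_vote(dumps)
    return {
        "rom": rom,
        "merged": merged,
        "ties": ties,
        "single_accuracy": [accuracy(d, rom) for d in dumps],
        "merged_accuracy": accuracy(merged, rom),
    }


if __name__ == "__main__":
    r = demo()
    print("per-recording accuracy:", ["%.4f" % a for a in r["single_accuracy"]])
    print("merged accuracy: %.5f, unresolved ties: %d" % (r["merged_accuracy"], len(r["ties"])))
```

Each single decode comes out a fraction of a per cent short of perfect, while the seven-way merge reproduces the constructed ROM exactly; the `ties` list is the practical signal for “record again,” since a byte whose vote is split is one more recording away from being resolved. The decoder deliberately truncates rather than pads a recording that ends early, so a short capture lowers its vote count at the tail instead of injecting zeros that could outvote good data.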
Moving from an emulator to real hardware, a GBA-compatible Nintendo DS, proved harder, requiring a custom-made mono audio cable and a total of 45 recordings, but a physical cartridge gave up its secrets from the crash sound too. The dump revealed a modern reproduction cartridge carrying Arm code that copies the ROM data out of flash and into memory. “There is a lot of trickery involved to make it happen,” ZZAZZ notes, “including even self-modifying code, to make sure the correct data is present at [the] correct address at boot.”
The full project video is embedded above and available on ZZAZZ’s YouTube channel; the Python source code has been published in ZZAZZ’s “research archives,” under an unspecified license. “This is hardly a ready-to-use solution,” the tinkerer admits, “and requires a lot of tuning, depending on the source data format.”