Exploiting Game Boy Camera's SRAM storage to run minigames via cart swap (w/shoddy "Snek Fly" game)

Video Link: https://www.youtube.com/watch?v=g5aphQHE7N4





(Note this hasn't been tested on a real Game Boy Color yet.)

Save files coming shortly. ^^

Concept:

Perform the cart swap glitch to run a modified version of Game Boy Camera's startup routines. In this case, I jumped straight after the OAM DMA routine and added my own. https://mirawww.glitchcity.wiki/wiki/...

The vulnerability chosen was menu mode (DA16). The invalid value 09 leads to arbitrary code execution at F0C9 in Echo RAM. You can arrange for this region to be left unchanged during the setup, then add your own bootstrap code to open the SRAM and run it (for purposes not limited to minigames, but perhaps swap back DLC as well).

To make your own minigames, you'll want to learn GB programming. Example: https://mirawww.glitchcity.wiki/wiki/...

You'll also want to learn tools such as RGBDS and how to use the BGB emulator. https://tcrf.net/Help:Contents/Findin...

Inspiration:
I originally intended a basic Snake game. I'm a crap programmer, though, who can't make anything better than a bootleg and has a bit of a messy code structure, so the idea for the minigame to add to Game Boy Camera changed to a silly excuse for a "Snake" that can fly/go anywhere it wants (and I didn't know how to render in the limited palette), and just has to get to an egg. ^^ The moving "IN" was originally meant to be part of "win".

There is actually a fair amount of unused content and a number of bugs in the Snek Fly game. Here's one: the collision is unacceptable and has to be exact with the flying IN letters (however, in the 'release', I don't even know if it works at all).

The Game Boy Camera has a lot of SRAM banks. Here is a breakdown of the SRAM storage that includes photo data. However, it isn't the entirety of the data, and data might also be reserved for border data, etc.

2:a000 #1
2:b000 #1
3:a000 #2
3:b000 #2
4:a000 #3
4:b000 #3
5:a000 #4
5:b000 #4
6:a000 #5
6:b000 #5
7:a000 #6
7:b000 #6
8:a000 #7
8:b000 #7
9:a000 #8
9:b000 #8
a:a000 #9
a:b000 #9
b:a000 #a
b:b000 #a
c:a000 #b
c:b000 #b
d:a000 #c
d:b000 #c
e:a000 #d
e:b000 #d
f:a000 #e
f:b000 #e
1:a000 #f
1:b000 #f

This also means theoretically Game Boy Camera dotcodes are a thing, though for this video I decided to use a more distributed portion of SRAM bank 2. In the future I'll test if you can double cart swap using dotcodes for DLC, since one idea might be to use a selection of photo dotcodes to add MissingNo. back sprites for arbitrary sprite glitch Pokémon back into the game.

Coincidentally, imablissey made a video about how to add DLC to Pokémon Ruby with custom e-Reader cards, so check them out. ^^ (Video: "I made DLC for Pokémon Ruby & Sapphire")



