Well, I've been wanting to make all of the Super Mario Advance games autoboot to the main game instead of going to the menu to choose either Mario Bros. or the main game.
Same for the Mother 1+2 collection.
So my request is if someone could explain to me:
1) How can I find which pointer is the one in charge at boot.
2) Upon selecting a game, find what the pointer is or what part of the ROM (address/offset) it goes to.
Can anyone help me out on this?
There might not be a single pointer. It varies greatly depending on how they do the game selection. Some multicarts use bank swapping. Others just call a function for each game. For an official GBA cart it's likely just a specific function they call to launch the game.
I recall covering something like this before.
I do not think any known GBA games use bank swapping (it is popular on older systems for multicarts though). There are some oddities, as those doing master codes might have found (Phantasy Star Collection being the big one; more at http://doc.kodewerx.org/hacking_gba.html#nonstandard ), and I must confess that I have not paid any real attention to the ? in 1 bundle games. Some flash carts and, I suppose, technically some homebrew would use bank swapping/page select and reset though.
Anyway, as henke37 said, it is more likely to just be a function, and probably not one that works standalone, so you would probably want to call it after the initial IO and everything. In case you were unaware, the basic technique for GBA binary finding is that the very first byte of the ROM is the first instruction, and it is almost invariably a jump to the end of the header. At the end of the header there will usually be some IO, setting up stack pointers and whatever else, and then a jump to somewhere in the 08?????? region, which marks the actual binary.
Scene type intros hitched themselves to various places, but subverting that jump in the 08?????? region is a good one to go for.
Finding out what the option menu does is fairly standard menu hacking; however, rather than the usual trying to launch with options, forcing a given language, going right to a given mode or finding hidden debug menus, you need to go a bit deeper. Same principle though, and it will likely still be some jump you can hopefully replicate earlier in the ROM.
Well I do know that the pointers are:
For example, in Mother 1+2 the initial boot pointer is located at 0x0001F0 and the pointer is
A5 37 01 08
If that pointer is changed to F0 00 F0 08, then it autoboots to Mother 1.
I tried searching the ROM for more variations of ZZ YY XX 08 and got it to do this:
55 7A 00 08 -> Autoboots to some sort of Debug Mode for the M2 portion of the game.
ZZ YY 01 08 -> I don't remember the exact first two bytes, but I managed to get it to autoboot directly to the main Mother 1+2 title screen and another variation which boots directly into the Game selection screen.
That's all I could do, since I don't even know anything about debugging GBA games right now, neither with VBA nor with NO$GBA.
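Putting the header-jump technique and the ZZ YY XX 08 pointer search from the posts above into a script, as an added example that is not from anyone in the thread: it decodes the ARM branch at ROM offset 0 to find where the post-header code starts, lists aligned 0x08xxxxxx words, and patches one. The ROM image, its size and the pointer at 0xC4 are constructed for the demo; only the A5 37 01 08 / F0 00 F0 08 bytes and the 0x1F0 offset come from the thread.

```python
import struct

ROM_BASE = 0x08000000          # GBA cartridge ROM is mapped here
ROM_MAX = 32 * 1024 * 1024     # largest directly addressable cart (no bank switching)

def decode_arm_branch(word: int, addr: int):
    """Decode an unconditional ARM 'B' at addr and return its target, else None.
    Encoding: cond=0xE, bits 27-25 = 101, bit 24 (link) = 0, signed 24-bit word offset."""
    if word >> 28 != 0xE or (word >> 25) & 0x7 != 0b101 or (word >> 24) & 1:
        return None
    off = word & 0x00FFFFFF
    if off & 0x00800000:
        off -= 0x01000000          # sign-extend the 24-bit field
    return addr + 8 + (off << 2)   # +8 accounts for the ARM pipeline

def rom_entry_point(rom: bytes) -> int:
    """Follow the ROM's first instruction to the code after the header; returns a file offset."""
    first = struct.unpack_from("<I", rom, 0)[0]
    target = decode_arm_branch(first, ROM_BASE)
    if target is None:
        raise ValueError("ROM does not start with an ARM branch")
    return target - ROM_BASE

def find_rom_pointers(rom: bytes):
    """Scan aligned little-endian words for 0x08xxxxxx values (the 'ZZ YY XX 08' pattern).
    Returns (file_offset, value, is_thumb); an odd value such as 0x080137A5 is the usual
    Thumb entry convention (BX to an odd address switches to Thumb and jumps to value & ~1)."""
    hits = []
    for off in range(0, len(rom) - 3, 4):
        val = struct.unpack_from("<I", rom, off)[0]
        if ROM_BASE <= val < ROM_BASE + ROM_MAX:
            hits.append((off, val, bool(val & 1)))
    return hits

def patch_pointer(rom: bytearray, off: int, value: int) -> None:
    """Overwrite the little-endian word at off (the boot-pointer edit described in the thread)."""
    struct.pack_into("<I", rom, off, value)

# Constructed sample image, not a real dump: 0x200 bytes whose first word is
# 2E 00 00 EA (B 0xC0, as in real GBA ROMs), a made-up pointer at 0xC4 and the
# thread's A5 37 01 08 placed at 0x1F0.
SAMPLE_ROM = bytearray(0x200)
SAMPLE_ROM[0:4] = bytes.fromhex("2E0000EA")
SAMPLE_ROM[0xC4:0xC8] = bytes.fromhex("F000F008")
SAMPLE_ROM[0x1F0:0x1F4] = bytes.fromhex("A5370108")

if __name__ == "__main__":
    print(f"post-header entry at file offset 0x{rom_entry_point(SAMPLE_ROM):X}")
    for off, val, thumb in find_rom_pointers(SAMPLE_ROM):
        print(f"0x{off:06X}: 0x{val:08X} {'(Thumb)' if thumb else '(ARM)'}")
```

Run against a real dump, the pointer list is long, so filter it to the few words near the post-header entry first.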
There were some licensed carts using bank switching. It's the video ones.
I imagined the Shrek films used bank switching, but I thought they were undumped and otherwise unanalysed. All the GBA videos I ever saw were otherwise 256Mbit ROMs, which was still within the conventionally/directly addressable range.
Yep, they did use bank switching and an analysis of them was done about a month ago: https://mgba.io/2015/10/20/dumping-the-undumped/
Nice, I had missed that entirely. I was actually looking at grabbing them from US eBay to have a look at, but it would have drained my fun stuff money for that month and I was not that invested.