Some tools, a glitching section

README.md

@@ -22,6 +22,8 @@ Here you can find everything to get started and master the development of unoffi
   - [Tools](#tools)
 - [Programming Tutorials](#programming-tutorials)
   - [ASM](#asm)
+    + [Glitches and exploits](#glitches-and-exploits)
+    + [Timings](#timings)
   - [C](#c)
 - [Open-Source Games](#games)
   - [ASM](#asm-1)
@@ -135,13 +137,17 @@ Here you can find everything to get started and master the development of unoffi
 - [Gambatte](http://sourceforge.net/projects/gambatte/) - Open-source, cross-platform and accurate emulator for Game Boy and Game Boy Color.
 
 ### Tools
-- [ZGB](https://github.com/Zal0/ZGB) - A little engine for creating games for the original Game Boy.
+- [ZGB](https://github.com/Zal0/ZGB) - A little engine for creating games for the original Game Boy (expands gbdk, more info [here](http://zalods.blogspot.com/2017/01/zgb-little-engine-for-game-boy.html)).
+- [DevSound](https://github.com/DevEd2/DevSound) - Sound driver embeddable in homebrews which supports pulse width manipulation, arpeggios, and multiple waveforms.
 - [Game Boy Tile Data Generator](http://www.chrisantonellis.com/gameboy/gbtdg/) - HTML5 / JS web application that will convert bitmap images to hexidecimal data appropriate for use in tile based graphical applications, specifically GB.
 - [rgbds_textmate](https://github.com/Bananattack/rgbds_textmate) - Some syntax highlighting rules for coding in Z80 assembly as a Textmate language plugin. Works in Sublime Text 2 and 3\. The syntax is particularly designed for rgbds and Game Boy-specific Z80 instructions.
 - [Harry Mulder's GB Development](http://www.devrs.com/gb/hmgd/intro.html) - Some sources and home of Game Boy Tile Designer and Game Boy Map Builder tools.
 - [GBT PLAYER](https://github.com/AntonioND/gbt-player) - A music player library and converter kit for Game Boy that can be used with RGBDS.
 - [ROM Header Utility](http://catskull.net/GB-Logo-Generator/) - An online tool to inspect and modify a ROM's header data, including the logo.
 - [gbcamextract](https://github.com/jkbenaim/gbcamextract) - Extracts photos from Game Boy Camera saves.
+- [GBExtended](http://www.tensi.eu/thomas/programming/gameboy/gbextended.html) - C library extending gbdk.
+- [GBZ80 to items](http://issotm.github.io/gbz80toitems3/) - 
+An online converter, translates gameboy assembly into Pokémon R/B/Y items ([Source](https://github.com/ISSOtm/gbz80-to-items))
 
 ## Programming Tutorials
 ### ASM
@@ -155,6 +161,10 @@ Here you can find everything to get started and master the development of unoffi
 - [Reverse Engineering for Beginners](https://beginners.re/) - Free ebook (1060 pages) by Dennis Yurichev.
 - [FlappyBoy: Making a simple Game Boy Game](http://voidptr.io/blog/2017/01/21/GameBoy.html)
 
+#### Glitches and exploits
+- [DMA hijacking](https://github.com/avivace/awesome-gbdev/blob/master/articles/dma_hijacking.md) - A simple technique that allows you to run custom code in most GB/SGB/CGB games, provided you have an ACE exploit. [Demo video](http://gbdev.gg8.se/forums/viewtopic.php?id=430).
+- [Pokèmon Yellow ASM hack](http://pastebin.com/raw.php?i=WaFyrr21) - Debug menu. [Demo video](https://www.youtube.com/watch?v=BkIDPwkeGWs).
+
 #### Timings
 - [Game Boy DMA transfer routines](http://exez.in/gameboy-dma) - Understanding and using DMA routines.
 - [Nitty Gritty Gameboy Cycle Timing](http://blog.kevtris.org/blogfiles/Nitty%20Gritty%20Gameboy%20VRAM%20Timing.txt)
@@ -202,6 +212,9 @@ Here you can find everything to get started and master the development of unoffi
 - [Super Princess' 2092 Exodus](https://github.com/Zal0/gbjam2016)
 - [GBsnake](https://github.com/brovador/GBsnake)
 - [gb-mines](https://github.com/andreasjhkarlsson/gb-mines)
+- [oranges](http://www.atari2600land.com/gameboy/oranges.html)
+- [red hot princess carnage](https://github.com/Imanolea/bitbitjam3_red_hot_princess_carnage)
+- [loderunner](http://www.tensi.eu/thomas/programming/gameboy/loderunner.html)
 
 ## ROMs Disassembly
 - [Sonic 1](https://github.com/Kroc/Sonic1-Z80-ASM)

articles/dma_hijacking.md

@@ -0,0 +1,80 @@
+# DMA Hijacking
+Article by [ISSOtm](https://github.com/ISSOtm/gbz80-to-items).
+
+## What is this ?
+It's a simple technique that allows you to run custom code in most GB/SGB/CGB games, provided you have an ACE exploit.
+
+What's the point, then? It's that code ran through DMA Hijacking will be run on every game frame (for most games, at least).
+
+## How is it done ?
+If you are familiar enough with OAM, you know about that feature called *OAM DMA* that requires a small routine to be ran in HRAM ?
+
+Well, most games copy the routine when starting up and run it on every frame. I encountered some games which don't transfer OAM unless a specific flag is set ; I believe that it is always possible to override this limitation. more on that later.
+
+But if the routine is modified while the game is running - assuming you modify it fully in-between to VBlanks to prevent a crash, or you temporarily put a RET while modifying - then the game will happily run your custom routine.
+
+Here is the standard routine, given by Nintendo in the GB programming manual :
+```
+ld a, OAMBuffer >> 8
+ldh [$FF46], a
+ld a, $28
+DMALoop:
+dec a
+jr nz, DMALoop
+ret
+```
+
+It's usually placed right at `$FF80`, but this isn't true for every game.
+Now, overwriting the routine to place custom code would yield us 10 bytes to perform custom operations, at the cost of sprites.
+But we can do better.
+
+```
+call DMAHook
+ldh [$FF00+c], a
+ld a, $28
+DMALoop:
+dec a
+jr nz, DMALoop
+ret
+```
+
+Allows us to make the perfect compromise !
+Here is a pattern for DMAHook :
+
+```
+DMAHook:
+[ custom code, do whatever you want, it's VBlank time ! ]
+ld c, $46
+ld a, OAMBuffer >> 8
+ret
+```
+
+DMAHook can be anywhere (in WRAM, mostly). It will be executed in the context of the VBlank interrupt, so for most games interrupts will be disabled, etc.
+An alert reader will notice the new DMA handler modifies C (whereas the original simply zeroes A). I don't know any game whose behavior is altered by this.
+
+DMA hijacking is also useful when combined with cartswap (swapping carts without shutting the console down, concept found by furrtek, developed by Cryo and me on the GCL forums), because it allows porting ACE to other games.
+
+General procedure :
+
+- Acquire ACE in the donor game
+- Perform cartswap, insert the recipient game
+- Pseudo-initialize the recipient (clear enough memory to avoid crashing, while keeping our custom code in an unused region of memory we don't clear)
+- Place the modified DMA handler in HRAM
+- Transfer control back to the recipient's ROM
+- ????
+- Profit.
+
+[Video demonstration, performed by Torchickens/ChickasaurusGL in BGB](http://youtu.be/BNyDmZlbsNI)
+
+Possible applications are checking for a button combo to trigger specific code (for example, credits warp), checking one or multiple memory addresses to detect a certain game state, etc.
+
+Possible "attack vectors", ie ways of affecting the recipient game, are setting certain memory addresses (like GameShark), or even better : manipulating the stack.
+
+Manipulating the stack with this technique can not crash if the triggering game state is specific enough. I achieved text pointer manipulation in Pokémon Red this way.
+
+
+
+## Trivia
+DMA hijacking works similarly to the GameShark : it detected when the GB tried reading from the VBlank interrupt vector, and responded with instructions that applied the codes.
+
+And yep, it is possible to use DMA hijacking to emulate GameShark codes. I have a PoC in Pokémon Red (a VBA BGB save state), if anyone's interested.