lists/awesome-gbdev
1
0
Fork 0
mirror of https://github.com/gbdev/awesome-gbdev.git synced 2025-08-17 21:32:14 +02:00
Code Issues Releases Wiki Activity

Merge pull request #16 from ISSOtm/patch-1

Browse Source 
Add some info to DMA hijacking about combining with cartswap
This commit is contained in:
Antonio Vivace
2017-04-24 18:38:30 +02:00
committed by GitHub
parent 3f2c28ec30 8c2e0283ec
commit fb26075f3e
1 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
articles/dma_hijacking.md
View File

@@ -52,7 +52,7 @@ ret
DMAHook can be anywhere (in WRAM, mostly). It will be executed in the context of the VBlank interrupt, so for most games interrupts will be disabled, etc. DMAHook can be anywhere (in WRAM, mostly). It will be executed in the context of the VBlank interrupt, so for most games interrupts will be disabled, etc.
An alert reader will notice the new DMA handler modifies C (whereas the original simply zeroes A). I don't know any game whose behavior is altered by this. An alert reader will notice the new DMA handler modifies C (whereas the original simply zeroes A). I don't know any game whose behavior is altered by this.
DMA hijacking is also useful when combined with cartswap (swapping carts without shutting the console down, concept found by furrtek, developed by Cryo and me on the GCL forums), because it allows porting ACE to other games. DMA hijacking is also useful when combined with [cartswap](https://gist.github.com/ISSOtm/3008fd73ec66cb56f1caecfcc8b6fb6f) (swapping carts without shutting the console down, concept found by furrtek, developed by Cryo and me on the GCL forums), because it allows porting ACE to other games.
General procedure : General procedure :
@@ -73,8 +73,20 @@ Possible "attack vectors", ie ways of affecting the recipient game, are setting
Manipulating the stack with this technique can not crash if the triggering game state is specific enough. I achieved text pointer manipulation in Pokémon Red this way. Manipulating the stack with this technique can not crash if the triggering game state is specific enough. I achieved text pointer manipulation in Pokémon Red this way.
### Details
Here are some details on how to combine DMA hijacking and cartswap to pwn any game.
First thing you will need is to find some RAM to store the DMA hook code. We'll call it "HookRAM". I recommend checking how much memory is allocated to the stack.
Then :
- Clear as much RAM as needed for the game to run properly
- Copy the DMA hook code to HookRAM
- Copy the hijacked DMA routine to HRAM
- Emulate all game initialization up to right before DMA routine copy / HookRAM clearing
- Jump back to ROM
## Trivia ## Trivia
DMA hijacking works similarly to the GameShark : it detected when the GB tried reading from the VBlank interrupt vector, and responded with instructions that applied the codes. DMA hijacking works similarly to the GameShark : it detected when the GB tried reading from the VBlank interrupt vector, and responded with instructions that applied the codes.
And yep, it is possible to use DMA hijacking to emulate GameShark codes. I have a PoC in Pokémon Red (a VBA BGB save state), if anyone's interested. And yep, it is possible to use DMA hijacking to emulate GameShark codes. I have a PoC in Pokémon Red (a BGB save state), if anyone's interested.