Evie (ChickasaurusGL) 🌺 | Game Boy Printer bad serial/opcode arbitrary/remote code proof of concept (Pokémon Yellow) @ChickasaurusGL | Uploaded December 2021 | Updated October 2024, 2 hours ago.
Notes:
Pokémon Yellow has its own set of opcodes for the Game Boy Printer. I noticed with cheats you can overwrite D49A, which is meant to temporarily store the opcode but the game usually hangs so I set a breakpoint to the start of 3A:4A5E (PrinterSerial_).
If you then enable the cheat, the next command is hijacked to the relative pointer from D49A (3A:4A6D is the pointer table) and command 0x26 goes beyond the table and executes arbitrary code at FAC9. So, I stored a code there (from PC Pokémon around the FAC9/DAC9 area in the WRAM) to encounter Mew after closing the menu. A simple RAM write is safe, as long as you are fast enough to immediately disable the code (and disable your breakpoint) and close the menu with B after the code execution.
As this is possible, maybe you could write a code (for ws m, 4F etc.) that checks for the right time to write the new value, then closes the menu for you? I'm not actually sure how this affects the interaction with the Game Boy Printer/if anything really happens, but there is some documentation in the Pokémon Yellow disassembly, including this list of valid commands. Also if the Game Boy Printer can send those commands for the game to run, could you mod the Game Boy Printer to send 0x26?
Without me knowing how it really works, it's at least another access point; from the printer error message ^^.
.Jumptable:
dw .Nop
dw .SignalTransmissionStart
dw .SendHeaderByte1
dw .SendHeaderByte2
dw .SendHeaderByte3
dw .SendHeaderByte4
dw .DataByte
dw .SendChecksumLo
dw .SendChecksumHi
dw .SignalTransmissionEnd
dw .Receive1
dw .Receive2
dw .SignalTransmissionStart
dw .Send_0F
dw .Send_00
dw .Send_00
dw .Send_00
dw .Send_0F
dw .Send_00
dw .SignalTransmissionEnd
dw .Receive1
dw .Receive2_
dw .SignalTransmissionStart
dw .SignalQuit
dw .Send_00
dw .Send_00
dw .Send_00
dw .SignalQuit
dw .Send_00
dw .SignalTransmissionEnd
dw .Receive1
dw .Receive2
# So the glitch commands may be the ones beyond this table.
Notes:
Pokémon Yellow has its own set of opcodes for the Game Boy Printer. I noticed with cheats you can overwrite D49A, which is meant to temporarily store the opcode but the game usually hangs so I set a breakpoint to the start of 3A:4A5E (PrinterSerial_).
If you then enable the cheat, the next command is hijacked to the relative pointer from D49A (3A:4A6D is the pointer table) and command 0x26 goes beyond the table and executes arbitrary code at FAC9. So, I stored a code there (from PC Pokémon around the FAC9/DAC9 area in the WRAM) to encounter Mew after closing the menu. A simple RAM write is safe, as long as you are fast enough to immediately disable the code (and disable your breakpoint) and close the menu with B after the code execution.
As this is possible, maybe you could write a code (for ws m, 4F etc.) that checks for the right time to write the new value, then closes the menu for you? I'm not actually sure how this affects the interaction with the Game Boy Printer/if anything really happens, but there is some documentation in the Pokémon Yellow disassembly, including this list of valid commands. Also if the Game Boy Printer can send those commands for the game to run, could you mod the Game Boy Printer to send 0x26?
Without me knowing how it really works, it's at least another access point; from the printer error message ^^.
.Jumptable:
dw .Nop
dw .SignalTransmissionStart
dw .SendHeaderByte1
dw .SendHeaderByte2
dw .SendHeaderByte3
dw .SendHeaderByte4
dw .DataByte
dw .SendChecksumLo
dw .SendChecksumHi
dw .SignalTransmissionEnd
dw .Receive1
dw .Receive2
dw .SignalTransmissionStart
dw .Send_0F
dw .Send_00
dw .Send_00
dw .Send_00
dw .Send_0F
dw .Send_00
dw .SignalTransmissionEnd
dw .Receive1
dw .Receive2_
dw .SignalTransmissionStart
dw .SignalQuit
dw .Send_00
dw .Send_00
dw .Send_00
dw .SignalQuit
dw .Send_00
dw .SignalTransmissionEnd
dw .Receive1
dw .Receive2
# So the glitch commands may be the ones beyond this table.
