Hacking the Game Boy cartridge protection
- Published 7 Feb 2025
- In this video we hack the GameBoy cartridge protection by building our own GameBoy cartridge using an FPGA!
You can find the FPGA source-code on my Github here: github.com/ghi...
ModernVintageGame on the CIC chips: • Secrets of the Nintend...
The Gbdev wiki: gbdev.gg8.se/w...
Equipment used in the video:
FPGA Board: Digilent Arty 7
Level shifters: TXS0108E
A GameBoy...
Errata:
I messed up the resolution - the logo is 48px by 8px, not 96px by 16px!
You can also find me on Twitter: / ghidraninja
amazing work and great video!
I was wondering why youtube would recommend me this channel, but it is because of you!
Thanks for crediting Stack Smashing in your recent video on the GB's bootloader, MVG - another cool hardware channel to add to my subs! :)
Stacksmashing, mvg, and live overflow. The gang is all here
I always get a kick out of seeing that my favorite UA-cam channels watch each other lol
Couldn't agree more!!
This is wonderful. Thank you for posting it.
I'm really stunned with how far FPGA boards have progressed. I hope you release the GB cartridge soon! My son has been fascinated since I showed him how we can use my oscilloscope to sniff the datalines of the SNES controller bus in real time. This led into a discussion of different pin types and how we could sniff other types and how you might glitch them. This is perfect because I can setup a bread board to branch off from my Super Game boy.
I actually wondered back then, why they didn't develop that bootup logo with variations or animation from the game or "presented by Pepsi cola" etc
You can technically animate the screen by not clearing VRAM and instead doing something else with the screen the moment the BIOS gives control. Several demos do this. However, this was most likely prohibited by Nintendo's cert requirements; they probably wouldn't want someone doing this with their trademarks.
@SuperSmashDolls You would also need version detection for Game Boy, Super Game Boy, and Game Boy Colour and up or it'll look bizarre.
Because you would still distribute the Nintendo logo illegally, even when its not shown on boot.
you could just add 2 extra screens that say "produce" "gameboys" - then it's no longer a trademark violation but a statement of fact
@@finthegeek Nah, you still didn't have the right to recreate the logo
That awkward pause at the end to reach the advertisable video length ;)
*coughs*
UA-cam is weird, Why put a minimum advisable length, it only encourages long and cringy videos while real gems like these are left behind.
No use, Nintendo will claim it / disable ads...
@@HA7DN
*Knock! Knock!*
Who's there?
😈 *NINTENDO* 😈
There aren’t any ads on the vid
Gotta love it when you can't wait for a PCB to arrive, so you just go and make one... And then design the PCB anyway, and release it for others! Nice!
Name dropping MVG? Instant subscribe. This was interesting too. I sort of knew this but didn't realize how simple it was.
They could've multiplexed the first 8 Address lines to behave as Data Lines sometimes, you'd only need an 8-bit latch to hold the address before a data read or write. That's how the old 8086 CPU worked, still a pretty cool workaround to having 8 extra pins.
I think the GBA did something like that. If I remember speaking to an engineer doing it at the time, he said the bus can auto-increment addresses too so you're not clocking in a new address every fetch.
You can multiplex all of them. A few different approaches exist here. They could also have a write-through section of the map which controls the address window.
I think they wanted to simplify and reduce costs for cartridges
N64 carts work in the same way. Once a high and low address is latched it just strobes the read pin and the ROM automatically adds 2 to the address for every edge (word aligned access)
Nintendo lawyers from the 90's enters chat. This is really fascinating haha, great vid!!
Sega sued Accolade for that exact thing and lost the court case. If the system requires the logo to be displayed, then there is no copyright infringement
accolade vs sega "Accolade's acts of reverse engineering Sega Genesis software to learn about its security systems and subsequent publishing of unlicensed Sega Genesis games are protected under the fair use doctrine of copyright law. Sega is held responsible for using its security system to place its trademark on Accolade's games."
Clever license protection, for its time.
aw man your profile pic is freakin cool
almost want to steal but that would be uncool
It's from the Super NES game, Super Metroid. It IS the Super Metroid. So I don't own it either :)
@@InsaneFirebat yeah yeah I know. But still, it's not cool if there's more than 1 with that pic.
It sounds clever.
But Sega tried more or less the same thing, it got to court, and was ruled unenforceable.
The legal judgement was something to the effect that because you HAD to include this trademarked logo to get any software running, you had no choice in the matter, and thus couldn't be prosecuted for it...
These kind of things seem pretty clever, but they rarely seem to work in the company's favour in court, because courts seem to favour allowing people to write their own software for a given hardware platform over protecting the platform owner...
@@InsaneFirebat It's grown up Baby Metroid!
A lawsuit in the early 90's removed the legal underpinnings for this sort of usage of trademarks as a form of copy protection. lookup Sega vs. Accolade for more info. Accolade published unlicensed games that used Sega's copy-protection code including the part that displayed the Sega logo. A court eventually ruled that the code usage was fair use and Sega's act of requiring display of a trademark for a game work was an "improper use" of trademark because it served to limit competition which is the function of patents and not trademarks.
I’ll be completely honest. I have no idea what any of this really means, but I’m just fascinated by the technical jargon and seeing how things work, and you actually have a pretty chill voice, too, so I’ve subscribed. ^_^
it will be perfect for gameboy re-shells that have "game girl" on it.
You are just amazing... You make it so much easier to understand how games and their consoles work together. I've always had an interest in programming and hacking, and with your knowledge and great explanations I'm able to move forward with my own projects.. Thanks and awesome videos.
This guy has some serious engineer skills... I'm amazed!!!
I am looking forward to more beginner Ghidra tutorials from you on your channel, they are very helpful!
I always wondered why the logo was blank if you didn't insert a cartridge.
It's not integrated into the system itself, as you now know.
Whenever I receive a notification that you have uploaded a new video, I immediately stop whatever I was doing and sit to watch your video. What an awesome work. Keep up the good work! ✌❤
Came here from the MVG video on the GB bootloader, this is awesome. I look forward to watching your other videos! :D
Quickly becoming one of my favorite youtube channels. This guy is going places!
That was a clever way of copy protection! Really interesting video, well done!
Incredible, never knew they already made this technique inside the gameboy
i dreamt about doing things like this since when i was a kid. this fueled my interest and career significantly. thanks, gameboy.
Very interesting and informative video! Super cool how this kind of technology used to work
Congratulations! 👏👏👏
I would happily watch a few ads to help encourage you to make more videos of this type. Your skills are insane 👍
Mistakes Were Made - How the Gameboy copy protection was defeated
I don't get the joke.
@@bangerbangerbro Watch MVG
it's trademark protection, like Sega TMSS
"Mistakes were made." - Well, not for the time when it was invented. FPGAs were prohibitively expensive at the time, so were ASICs.
I want 1 video every day, I enjoy this more than all animes
This is very awesome, would love to see something similar for the game boy advance
Nice Hackers reference with "Hack the planet" on the PCB at the end
making a mechanism to be able to sue people more easily instead of actual copy protection is one of the most nintendo things nintendo has ever done
It's a little harder for the user and more expensive, but it's possible to load one game's Nintendo logo by inserting its cartridge, turning on the console, and swapping it with the hack game. This also makes it possible to boot into worn down games to see what actually happens there. I tested it myself by inserting 007 Nightfire, turning on my DS, and swapping it with MKSC. I know it's GBA but all 3 consoles in the Game Boy family have the same boot screen function, but the graphic and sound effect are different for each model (minus the GBA's backwards compatibility).
Wow, that's really easy to extract a cartridge rom. Thought it would be more difficult than just a parallel read after seeing the Snes protection.
Remarkably simple. This is an excellent entry point for anyone looking to get into hardware hacking. Great video! 👍
Interestingly, a similar hack was demonstrated by Argonaut Games to Nintendo. Normally this would've ended up in a lawsuit, but Ninty was reportedly so impressed by it that Argonaut became one of their partners, eventually culminating in _Star Fox_ for the SNES.
You are an inspiration, I'm a small tech youtuber doing some videos on the pi, IT career tops etc.. love your content man.
That is really interesting. I always enjoy learning new things about old tech!
Also when Ghidra ninja teaches us.
Nice work there! I was watching this with pleasure, thanx for that!
Glad you enjoyed it :)
Even though I wouldn’t take the time to do this, I love watching.
Imagine bringing one of these back to the 1990s
That is pretty in-depth and awesome information. Great video!
Forcing pirates to use your logo so you can get them for copyright. It's brilliant.
Even if I don't understand too much about this, it's quite satisfying to watch these videos.
That was very informative and a good presentation. Well done!
For the level shifting, it may be a better idea IMO to use level shifting chips with external direction control like SN74LVC16T245 for the address and signal lines. Those chips need control signals, but these can be derived from the CS, RD and WR pins using some 74LVC1Gxx logic. This means the target board can be connected directly without the need for level shifters, and since those SN74LVCxxT245 chips contain line redrivers, you can even run longer wires with little ill effect. Also you can include an op amp like LMV321 to buffer the audio line, basically also a redriver.
Love the vid awesome work. Just binge watching all your vids
You might want to have a look at the SACHEN cartridges. They were released in the 90s and showed their logo while booting. And they somehow worked just fine.
That sounds interesting, will try to get my hands on one! I also have a cartridge that displays its own logo, using the same method as shown in the video (though not with an FPGA)
They probably switched ROM banks when the logo was read or after some set duration.
Some time many years ago, I read through an annotated, decompiled copy of the GB boot ROM, and IIRC it didn't compare the cartridge and onboard logos bit-for-bit. Instead, it calculated a line-by-line hash/checksum for each horizontal line of the logos, and compared those.
I had one of these Sachen cartridges, and I remember thinking that the "Sachen" logo looked really weird; it was barely readable. I believe that this was done in order to return the same hash/checksum values as the proper "Nintendo" logo, despite displaying a different image.
You guys have a lot of spare time in your life
Dear Stacksmashing, in the past I had a game from a company called "Sachen"; no Nintendo logo appeared, instead the logo "Sachen", and it still worked on the official gameboy
This is the kind of content I crave.
It only took 31 years, but it has finally been done.
well, some bootleg cartridges did this back then
glad to hear you bypass the nintendo logo !! ...
This was also leveraged by Sony on the PSOne, not the original Playstation that had the wobble track copy protection but the later version, the small one.
The original one displayed whatever logo the disc had, the PSOne checked against a ROM stored logo and if they didn't match, the console didn't boot the game.
Li Cheng Industries-published Game Boy games have the Nintendo logo modified to read "Niutoude".
That doesn't use this exploit - AFAIK CGB just doesn't check the bottom half of the logo
Great content man. Keep it up! 👍🏻
The breakout PCB looks useful, looking forward to the gerbers being released :)
With coronavirus floating around, you really want more things to be released into the public?
Reminds me of how the AIM protocol used to request a CRC of a random range of bytes from the official AOL client, making it very difficult for a third party client to use the protocol without bundling or referencing the copyrighted client exe.
You can use an ice40 fpga or one of those chinese $5 fpgas for the cartridge. It's also possible to load the binaries of a game to the internal block ram of the fpga. Or if you're feeling adventurous, add a microsd card slot in which you can read from the fpga.
Yea the problem is getting an ICE40 board with enough IOs and enough RAM - I wanted to try it on one of my ECP5 boards though
should've replaced the "Hacked" text with "Hello World"
Analyzing the video, I came up with another idea that would have been possible with technology of the day.
Since you mentioned the presence of a 1mhz clock signal, you could power a very small microcontroller that could just count cycles and since the boot process always takes the same amount of time , swap the hacked logo bank and the original one based on said counter.
And it could be a very small additional ROM just mapped to the address.
Excellent content as usual!
I have a Mega Memory cartridge (onto which you can backup game saves) and unless used on a Game Boy Advance, it says "Megamem" instead of Nintendo but it still runs fine! There's also a Smartcom personal organizer cartridge that says Smartcom instead of Nintendo but still boots fine (although I've heard it's not compatible with the Game Boy Advance) and Rocket Games' unlicensed Game Boy Color games say ROCKET instead of Nintendo but again they still run fine!
Very clever hybrid technical/juridical protection. The only mistake programmers made, defeated all - they shouldn't read the logo twice.
There was a game back in the day that did this, but I don't remember which. You can definitely achieve this effect with discrete logic though.
This was inspiring. This was fascinating.
Read all the comments and no mention of the "Mega Memory Card" for GB - that displayed a "MegaMem" logo on boot.
It's a rather shrewd form of DRM that relies more on their lawyers filing trademark lawsuits and less on active protection. An even lower-tech method would be the "NINTENDO" trademark stamped on Famicom Disk System floppies which was required for the FDS to boot. Bootleggers were too chicken to stamp that exact wordmark so they came up with ways to dodge it until they realised that only a few indentations was all it took to defeat it.
Argonaut Software has a less elegant but more indigenous solution- they’d have a capacitor and resistor that when the GB was powered up, the capacitor would be empty at the time and send the GB the Argonaut text. But when the second read is done, the capacitor would have charged and somehow trigger the ROM to return the Nintendo logo.
www.eurogamer.net/articles/2013-07-04-born-slippy-the-making-of-star-fox
They didn’t get into the specifics tho, but I’d think that the capacitor would meddle with the address bits to shift the memory access.
This would work for memory map. Double the ROM, and the cap is page select. (Delay via RC time constant, which works since this is very static.) Giving two pages with the same address space. The controller still believes it is working within a single page.
They could also build a write-through section of address space where they can change the page select.
Technical babble in English with a German accent - I can't tell you why, but somehow it has charm. 😅 Great video, super interesting. Thanks! 😊👍🏻
as always great video, thank you sir
Nice work. You could simplify the FPGA code slightly by just replacing the logo address range during the first read, and otherwise just always return the original ROM data. After all, the ROM already contains the correct logo.
An interesting and cool example of the use of the audio pin on a cartridge is nanoloop mono:
www.nanoloop.de/mono/index.html
"On the original Game Boy models, one pin of the cartridge connector functions as audio input, connected to the built-in amplifier. This unique feature allows to generate sound on the cart and play it through the headphone output on a completely analog signal path.
In the nanoloop mono cart, the analog components (op-amps, comparators, logic cells etc) of a PIC microcontroller are connected and configured in such a way that they form a hybrid soundchip with 3 analog filters and a true random noise generator, using only a few passive external components."
Btw, nanoloop mono also has a custom logo shown when booting
Yea I also own a regular nanoloop cartridge and it also shows a custom logo :)
Fantastic & inspiring video!
This is impressive, but couldn't you just have two ROM chips, an SN74S08, and an SR latch that feeds into a transistor that flips the chip select between the ROMs each time you try and read 0x0133? So you'd start with a hacked ROM, read the logo in up to 0x0133, route the relevant address lines through the SN74S08, trigger the SR latch which would then switch the transistor and change the CS line over to the genuine ROM? It seems like a lot less hassle than building a full FPGA setup?
The Mega Memory Card did this, I think. I remember it having a different bootup logo but still working.
Edit: TCRF confirms this; "One peculiar aspect of the device is that it uses a trick to switch the cartridge base memory area during the boot process to display a custom logo in the startup animation, instead of the usual Nintendo logo."
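The weakness several comments point at (the boot ROM fetching the logo twice) and the two-ROM chip-select latch proposed above, modelled at the byte level as an added example that is not code from the video or its FPGA repository. The logo bytes are constructed placeholders, not Nintendo's logo data; the header logo window 0x0104-0x0133 is the real one, everything else is assumed.

```python
# Added example (not from the video or its repo): a byte-level model of the
# boot-ROM logo check and of a cartridge that answers the first logo read with
# its own image and the verification read with the expected one.
# EXPECTED_LOGO / CUSTOM_LOGO are CONSTRUCTED placeholders, not the real logo.

LOGO_START, LOGO_END = 0x0104, 0x0133   # header logo window, 48 bytes
LOGO_LEN = LOGO_END - LOGO_START + 1

EXPECTED_LOGO = bytes((i * 37 + 11) & 0xFF for i in range(LOGO_LEN))  # constructed
CUSTOM_LOGO = bytes((i * 59 + 3) & 0xFF for i in range(LOGO_LEN))     # constructed


def make_rom(logo: bytes, size: int = 0x8000) -> bytes:
    """Build a minimal ROM image whose header logo field holds `logo`."""
    rom = bytearray(size)
    rom[LOGO_START:LOGO_END + 1] = logo
    return bytes(rom)


class LatchingCart:
    """Two ROM images behind one chip select (the SR-latch idea from the thread).
    The latch is set the first time address 0x0133, the last logo byte, is
    fetched; every later access, including the verification read and the game
    code itself, is served from bank 1."""

    def __init__(self, first_bank: bytes, second_bank: bytes):
        self.banks = (first_bank, second_bank)
        self.latched = False
        self.reads = 0

    def read(self, addr: int) -> int:
        self.reads += 1
        value = self.banks[1 if self.latched else 0][addr]
        if addr == LOGO_END:
            self.latched = True          # one-shot: never switches back
        return value


def read_logo(cart: LatchingCart) -> bytes:
    return bytes(cart.read(a) for a in range(LOGO_START, LOGO_END + 1))


def boot_two_reads(cart: LatchingCart):
    """Boot ROM as the video describes it: fetch the logo once to draw it, then
    fetch it AGAIN to compare with the console's internal copy.
    Returns (bytes that were drawn, whether the console accepts the cart)."""
    displayed = read_logo(cart)
    verified = read_logo(cart)
    return displayed, verified == EXPECTED_LOGO


def boot_single_read(cart: LatchingCart):
    """Hardened variant: compare the very bytes that were drawn, so a
    cartridge gets no second chance to answer differently (no TOCTOU gap)."""
    displayed = read_logo(cart)
    return displayed, displayed == EXPECTED_LOGO


def demo() -> dict:
    """Run both boot variants against an honest cart and a logo-swapping cart."""
    results = {}
    for name, boot in (("two_reads", boot_two_reads), ("single_read", boot_single_read)):
        honest = LatchingCart(make_rom(EXPECTED_LOGO), make_rom(EXPECTED_LOGO))
        swapper = LatchingCart(make_rom(CUSTOM_LOGO), make_rom(EXPECTED_LOGO))
        results[name] = {"honest_accepted": boot(honest)[1],
                         "swapper_accepted": boot(swapper)[1]}
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(variant, outcome)
```

With the two-read boot the swapping cart is accepted even though its own image was drawn; the single-read check rejects it while still accepting the honest cart.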
Here's the thing with the Game Boy's copy protection method - It's using criminal entrapment (you're _forced_ to commit trademark infringement for your game to work) to implement an anticompetitive business practice. Both of which are themselves illegal. So if Nintendo actually sued anyone, they risk getting countersued. And remember, Nintendo wasn't quite the media monster at the time that it is today, if a big enough studio were to produce an unauthorized game, it would have caused a LOT of trouble for Nintendo.
Such an amazing video! Instant subscribe.
Collaboration between two wonderful engineering channels, amazing. Shove a CodeBullet or CodeParade in there too!
I can't imagine that this would have ever held up in court. You can't attach your trademark to random functional mechanisms to use it as a hammer for things that have nothing to do with trademark. I wonder if it was ever tested in court.
Your Channel is just awesome!
this knowledge is awesome! congratulations and thank you for the video! ;-)
Very interesting video.
Since he still stores the nintendo logo in memory, would it still be considered illegal? Even though the logo isn't showed.
No. At least not in the US. Companies like Nintendo hoped for that to be the case but Sega lost a very similar case against Accolade back in 1992.
I quote Wikipedia: "...Sega is held responsible for using its security system to place its trademark on Accolade's games." In other words, even showing the actual Nintendo logo in this very particular case wouldn't be illegal. It's just that having your own logo is so much cooler.
@@z01010000b Well in the video he did say something to the effect of "so it is legal".
Nah trademark law works differently lol it has to be shown to count as a violation xD
Data ownership is legally gray. Suppose you copyright the word “foo”. Does that reasonably mean you own the byte representation? What if I use the bytes to make a colored t shirt, is that infringing?
Good video. BTW, the word infamous is not 'in-famous', it has the stress on the word in, so it is 'IN-fa-mous'.
A project I may work on once I finish my senior design, would be to make a similar cartridge but build an FPGA onto it... may be a fun way to mess around with verilog and some game boy stuff.
Good channel, with great content. Keep up the great work.
youtube out here guessing my interests again
knows I already watch, and like, liveoverflow and am interested in electronics
So the cartridge "protection" works just like in the Mega Drive? Interesting video by the way!
amazing job! thanks for sharing your findings
Every single concept of this video is pure gold... Yes, even the comments.
That is the coolest thing I've ever seen!
I think Nintendo's approach to lock the nintendo was actually pretty smart.
They still kept the private flashing of cards possible, but could prohibit the commercial use of it
This is really cool, but what is the practical use of this? Do you plan to get into GameBoy homebrew game development? It would be really cool if so.
Nice Hackers reference on the breakout cart ;)
Nintendo had better lawyers than engineers.
2:09 At least in the United States of America, Nintendo would probably have lost such a lawsuit. U.S. courts don't let a trademark holder assert a trademark as an ersatz patent. Kellogg v. Nabisco; Sega v. Accolade.
Pretty sure this was designed before that ruling.
I was going to mention this as well, although it's interesting that Sega continued using their Trademark Security System on the Saturn and Dreamcast well past the 1992 ruling against them. Presumably they hoped it would be enforceable in other jurisdictions.
This was an amazing video!
Dude you have earned my subscription
This video is amazing! Good job!
Here from liveoverflow✌🏼
Love these videos!