[Draft] Game Boy "Game-Reboot" PoC

*** DISCLAIMER ***

This "exploit" uses obscure and heavily unintended hardware behavior. NEVER deviate from any instruction given here, otherwise you could corrupt your save data from either cartridge, corrupt the program from either cartridge, or damage your Game Boy.
If you didn't follow the steps listed here and something went wrong, don't complain.
If you did but something went wrong, or you think you found out something new/interesting, post something about it. We love that. Also, we are active on this forum, and do our best to answer quickly.

Also please, read the first three sections before doing anything. You'll be at risk to miss some info or additional features (yep there are).

Now, please enjoy your stay.


** Proof Of Concept "Game Re-boot" 8F Setup & Method **

Now, here is a setup based on a mix of TheZZAZZGlitch's ideas and my previous post.

This is a PoC item pack setup that should be used like so :
1. Plug Pokémon R/B
2. Run 8F setup
3. Remove cartridge. Nothing should happen.
4. Plug any other cartridge. It should boot right away !

Here is the 8F setup, starting from the first item in the inventory pack. WARNING ! This setup relies on the value of register DE. See comment below.
Quantities noted in parentheses are ways to obtain those required ; a "+ 128" means "duplicate using MissingNo", a "- XX" means "toss XX of it".

8F
Item x[qty]
TM43 x99
Antidote x106 (= 1 + 128 - 23)
Escape Rope x26
Soda Pop x60
Fire Stone x251 (= 1 + 128 - 6 + 128)
Poké Ball x26
Fresh Water x61
Rare Candy x251
Lemonade x17
TM33 x[any qty] / Great Ball x233 (= 1 + 128 - 24 + 128)
; Nope, this is not TM33 ACE, guys.


** Things to note **

1. I did not try this on any hardware ! I don't have 8F on my cartridge right now. (Soon, though)
As such, I assumed all memory reads from the cartridge will return $00 when it has been removed.
BUT it may return $FF instead, which will make this setup NOT work.
However, if that is the case, it will be trivial to change the setup, so no worries.
2. This cannot be tested on emulators (AFAIK)
3. This assumes you have a GBC / GBA. More below.
4.This does NOT work on GBAs, since they have a tiny switch in the cartridge slot that switches the Game Boy between GBA and GBC compatibility.
http://pocketmedia.ign.com/media/news/image/otherstuff/gbalockout/cartcompare.jpg
http://pocketmedia.ign.com/media/news/image/otherstuff/gbalockout/cartslot.jpg
(Images sourced from IGN)
I tried powering the console without a cartridge having the switch "clicked" using a DS stylus, and releasing it while the GBC ROM was running. Apparently the display goes fully black, but the GBC tune still played. "Clicking" the switch again didn't do anything.
5. This may not work right with some cartridges that expect some values when booting, since this setup does the minimum to ensure the game is properly given control.
Most games with a "Soft Reset" option (like Pokémon with START+SELECT+A+B) or something similar should work fine.
6. Since this bypasses the GB "checksum check", this allows you to play some old, pirate, badly bootlegged cartridges !
7. Apparently this may NOT work on a DMG, unless you have extreme luck. ([url=https://youtu.be/dbj679iBo1U]Source, read the comments[/url])
[quote author=Gameboygenius]
@MelonStorm @vxbinaca Yes, there's a blocking bar on DMG (the first Gameboy.) But not only that. You will almost always crash the DMG when you remove the cartridge. I believe the reason for this is CMOS latchup. How they fixed this on GBC, if you open up the unit and look inside, is by moving the ground ping closer to the cartridge so it makes first and breaks last when you insert/remove the cartridge.
[/quote]
[quote author=furrtek]
@Gameboygenius I'll have to get a DMG for testing then, I plan on using this for a game. Works fine on the GB Pocket and I don't see any difference in the placement of the contacts on the GBC slot.
[/quote]


** Value of A / Number of Lemonades : Changing Consoles **

This will let you change the "model" of Game Boy you will be using, provided the game you use cares.
An example of this is Pokémon Gold, Silver and Crystal, which behave differently on GBs and GBC/As.

Here are the values the register A usually holds when the GBx leaves control to the game :
$01  SGB or Normal Gameboy (DMG)
$FF  SGB2 or Pocket Gameboy
$11  CGB or GBA

However, some games (such as Shantae and, apparently, Zelda Oracle of Ages/Seasons, see ROM0:0158 for "bit 0, b" or [url=https://raw.githubusercontent.com/Drenn1/ages-disasm/master/main.s]this disassembly[/url]) differentiate GBC and GBA by checking Bit 0 (parity) of the B register.
This bit is cleared by the GBC boot ROM, whereas the GBA sets it.
The above setup leaves this bit undefined. (Technical details below)
What you can do to force either GBC or GBA is :
[list type=decimal]
[li]Put a Bicycle x1 right after the 17 Lemonades near the end of the setup. For those wondering : this translates into a "ld b, 1". I can't manipulate the quantity (except through heavy glitching) because it is a key item.[/li]
[li]This will force GBA mode.[/li]
[li]To instead force GBC mode, put 4 or 5 Burn / Ice Heals right after the Bicycle. Before it WON'T WORK.[/li]
[/list]


* Effects of "faking" a console *

This has yet to be tested, since Pokémon Red and Blue make GBCs boot into "DMG (grey GB) mode", which removes GBC features. Effects will differ with Pokémon Yellow, which has GBC compatibility (check ROM0:0143, where $00 means "No GBC", $80 means "Maybe GBC", and $C0 means "GBC only")

When a game detects GBA, it usually applies different color palettes to compensate for a skewed color mixing (red tones are different on GBC and GBA).
Sometimes exclusive content is sometimes unlocked ; for example, Shantae gives you the Tinkerbat form only if you are playing on a GBA ([url=http://tasvideos.org/5248S.html#Forms]Source[/url])


* Undefined B *

The problem is that 8F setups usually modify B, and as such, B's value upon starting the new game will depend on the setup, but only on the setup.

So, B's value is undefined, yet consistent : it will be that same every time you run the script.
The Bicycle x1 sets B to 1, which has bit 0 set ; the Burn / Ice Heals x4 increment B, setting it to 2, which has bit 0 clear (whereas x5 decrements it, still clearing bit 0)


** GBz80 code **

When this code begins, register DE should equal $0001. If a setup is used that modifies DE... this won't work. The current 5- and 6-Pokémon setups work fine.

; We NEED to disable interrupts because they run from ROM.
; Servicing an interrupt before the cartridge is pulled will result in ROM being executed (and that's exactly what we're trying to avoid)
; Servicing an interrupt after the cartridge is pulled will result in execution NOP-sliding into VRAM. And we definitely don't want that.
di

; It is a pain to execute any "jp $xxxx" because of the three consecutive bytes and uncooperative item translations, so we will do a "jp (hl)" instead.
; As such, we need to set hl up.
; This one setup is smaller than one padding instruction, then loading a value into H and another into L, then modifying DE,
; *probably* saving one item slot.
ld h, e ; hl = $0122
dec bc ; Padding byte (harmless)
ld l, d ; hl = $0100, where the GB leaves execution after startup (usually a NOP followed by a JP to the game's bootstrap)
dec e ; de = $0000, which will be our "reference byte" address, which we will constantly poll to

; Now, we need to wait until a new cartridge is inserted.
; To do so, we first read the byte at ($0000), which is $FF in Pokémon Red/Blue.
; We will simply wait until it's not the case anymore.
.waitCartRemoved
ld a,(de)
dec a
inc a ; don't modify A, but update the Z flag
jr nz, waitCartRemoved (@-4, @+$FC)

inc b ; Padding byte

; Assuming all reads from ROM
.waitCartInserted
ld a,(de)
inc a
dec a
jr z, waitCardInserted

ld a, $11 ; games use this value to identify GBC (see G/S/C Glitch Dimension)

( dec bc ) ; if Great Ball
jp (hl) ; We jump to the memory location the GB gives control to at startup