EnHacklopedia EnHacklopedia » Individual Systems - In Depth » Hacking GBA

Hacking GBA

Creative Commons License

All files (HTML, CSS, images) included in EnHacklopedia are licensed under the Creative Commons Attribution-ShareAlike 3.0 License. All authors contributing to EnHacklopedia should be made aware of the license before contributing. If the author does not agree to the licensing, his or her contributions will not be accepted into the project.

History

  • 04-19-2007
    • Added new screens. (dlong)
  • 04-12-2007
    • Merged Cheat Devices. (dlong)
  • 04-11-2007
    • Updated ARv3 code types; Added information on cheat devices; Added guide on converting codes. (dlong)
  • 04-10-2007
    • Added information on VBA, VBA-SDL, and ARM7. (dlong)
  • 04-09-2007
    • Updated footer, again. (dlong)
  • 04-08-2007
    • Updated footer. (dlong)
  • 04-07-2007
    • Added information on encryption and master codes. (dlong)
  • 04-05-2007
    • Initial Release. (dlong)

Hacking using VBA-H

VBA-H's Cheat Menu

VBA-H (Visual Boy Advance - Hacker's Edition) is a modified version of Visual Boy Advance 1.7.2 developed by kenobi and Labmaster. As it was modified from VBA 1.7.2, it has the exact same compatibility which means that although it is compatible with the vast majority of GBA games, it will not work with all of them. The most notable games that are not compatible with this version are the Classic NES Series games.

The changes in VBA-H are all in the cheat menu. In addition to the options provided in the normal edition, VBA-SDL allows several restrictions, both by address range and difference from previous value. A flag compare option is provided as well as a way to force the displaying of results no matter how many were found.

VBA-H's disassembler

VBA-H provides the same disassembler that VBA provides. All registers are listed as well as the mode and flags. An R16 is listed; however this is simply CPSR mislabeled. A "Goto R15" option is provided which will move the disassembly to the latest instruction, and the window allows both ARM and THUMB to be viewed. This option is only a disassembler and not a debugger. For debugging, VBA-SDL-H must be used.

Button Values

On the GBA, the word at 0x04000130 always contains the buttons that are being pressed. The GBA stores the button values XORed with 0x3FF. The button values are as follows:

Button Value
A 1
B 2
Select 4
Start 8
Right 0x10
Left 0x20
Up 0x40
Down 0x80
R 0x100
L 0x200

Gameshark Advance and Action Replay v3

Description - Gameshark Advance

Gameshark Advance Splash ScreenAction Replay v1/2 Splash Screen
Action Replay v1/2 Main ScreenAction Replay v1/2 Code Editing Scren

The Gameshark Advance was the original cheat device for the Gameboy Advance. While more functional than the cheat devices for the Gameboy, it is still far less functional than its equivalent for the N64. The GSA's code types include 8-, 16-, and 32-bit writes, a slide code, a 16-bit If Equal To conditional, and a 16-bit ROM patch. The GSA also does not provide a code searching feature, something that had been provided in all incarnations for the Gameboy. Finally, the codes are encrypted, a first for any handheld cheat device. In Europe, the Gameshark is referred to as the Action Replay. The two products shared a name starting with revision 3, an entirely different product referred to as ARv3.

Gameshark Advance Code Types

All the following codes are in RAW form. To work, they must be encrypted.
Code type Description
0aaaaaaa 000000xx 8-bit RAM write
Writes xx to 0aaaaaaa
1aaaaaaa 0000xxxx 16-bit RAM write
Writes xxxx to 0aaaaaaa
2aaaaaaa xxxxxxxx 32-bit RAM write
Writes xxxxxxxx to 0aaaaaaa
3000cccc xxxxxxxx
aaaaaaaa aaaaaaaa
aaaaaaaa ...
32-bit group write
Writes xxxxxxxx to cccc different addresses. Due to a bug, xxxxxxxx is also written to the address xxxxxxxx. If cccc is odd, the last four bytes should be 0's.
6aaaaaaa 0000xxxx 16-bit ROM patch
Intercepts reads to the address 0x08000000 + (0aaaaaaa >> 1) and returns the value xxxx when necessary. The GSA can handle a maximum of one user-defined ROM patch, and possibily zero depending on the type of master code used.
6aaaaaaa 1000xxxx 16-bit ROM patch
Same as the above ROM patch except that it is enabled prior to the game booting.
8a1aaaaa 000000xx 8-bit GS Button RAM write
Writes xx to 0a0aaaaa when the GS button is pressed.
8a2aaaaa 0000xxxx 16-bit GS Button RAM write
Writes xxxx to 0a0aaaaa when the GS button is pressed.
80F00000 0000xxxx Slowdown on GS Button
While the GS button is pressed, the GS will perform xxxx loops per call to the code handler, slowing down the game.
Daaaaaaa 0000xxxx 16-bit If Equal To
Executes the next code only if xxxx is equal to the value located at 0aaaaaaa.
E0zzxxxx aaaaaaaa 16-bit Multiline If Equal To
Executes the next zz codes only if xxxx is equal to the value located at 0aaaaaaa.
Faaaaaaa 00000x0y Hook Routine (for Enablers)
The GSA code handler hooks the routine at 0aaaaaaa. x determines whether or not the GSA must be turned off before starting the game. If it is 0, this is the case. y is the type of hook where it is one of the following:
1 - Executes code handler without backing up $lr.
0002 - Executes code handler and backs up $lr.
3 - Replaces a 32-bit pointer used for long branches.
xxxxxxxx 001DC0DE ID Code (for Enablers)
Used by GSA to autodetect games. xxxxxxxx should be the word located at 0x0800000AC.
DEADFACE 0000xxxx DEADFACE
Changes the encryption seeds.

Description - Action Replay v3

Action Replay v3 DisclaimerAction Replay v3 main screen
Action Replay v3 - Add GameAction Replay v3 options screen

After Interact went bankrupt and sold the Gameshark name rights, Datel decided to directly sell their product in North America. Because of this, the Action Replay name became used in both North America and Europe. This name synchrony began with the third revision of the AR, for the GBA. The ARv3 adds a massive number of code types, 114 in total. Additionally, the ARv3 uses a different encryption, although this has been cracked as well.

Action Replay Code Types

Type Description AR Crypt Code Type
Normal RAM Write Codes
00a0aaaa xxxxxxyy 8-bit RAM Write/Fill
Fills the area from 0a00aaaa to 0a00aaaa + xxxxxx with yy.
00
02a0aaaa xxxxyyyy 16-bit RAM Write/Fill
Fills the area from 0a00aaaa to 0a00aaaa + xxxx * 2 with yyyy.
01
04a0aaaa yyyyyyyy 32-bit RAM Write
Writes yyyyyyyy to 0a00aaaa.
02
Pointer RAM Write Codes
40a0aaaa xxxxxxyy 8-bit Pointer RAM Write
Writes yy to the address located in 0a00aaaa + xxxxxx.
20
42a0aaaa xxxxyyyy 16-bit Pointer RAM Write
Writes yyyy to the address located in 0a00aaaa + xxxx * 2.
21
44a0aaaa yyyyyyyy 32-bit Pointer RAM Write
Writes yyyyyyyy to the address located in 0a00aaaa.
22
Add Codes
80a0aaaa 000000yy 8-bit Add Code
Adds yy to the byte stored at 0a00aaaa.
40
82a0aaaa 0000yyyy 16-bit Add Code
Adds yyyy to the halfword stored at 0a00aaaa.
41
84a0aaaa yyyyyyyy 32-bit Add Code
Adds yyyyyyyy to the word stored at 0a00aaaa.
42
Write to IO Registers
C600aaaa 0000yyyy 16-bit IO Register Write
Writes yyyy to 0x0400aaaa.
63
C700aaaa yyyyyyyy 32-bit IO Register Write
Writes yyyyyyyy to 0x0400aaaa.
E3
If Equal To
08a0aaaa 000000yy 8-bit If Equal To (1 line)
Executes next code only if yy is equal to the byte stored at 0a00aaaa.
04
48a0aaaa 000000yy 8-bit If Equal To (2 lines)
Executes next two codes only if yy is equal to the byte stored at 0a00aaaa.
24
88a0aaaa 000000yy 8-bit If Equal To (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is equal to the byte stored at 0a00aaaa.
44
C8a0aaaa 000000yy 8-bit If Equal To (Disable Codes)
All codes are disabled when the byte at 0a00aaaa is not equal to yy.
64
0Aa0aaaa 0000yyyy 16-bit If Equal To (1 line)
Executes next code only if yy is equal to the halfword stored at 0a00aaaa.
05
4Aa0aaaa 0000yyyy 16-bit If Equal To (2 lines)
Executes next two codes only if yy is equal to the halfword stored at 0a00aaaa.
25
8Aa0aaaa 00000yyyy 16-bit If Equal To (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is equal to the halfword stored at 0a00aaaa.
45
CAa0aaaa 0000yyyy 16-bit If Equal To (Disable Codes)
All codes are disabled when the halfword at 0a00aaaa is not equal to yy.
65
0Ca0aaaa yyyyyyyy 32-bit If Equal To (1 line)
Executes next code only if yy is equal to the word stored at 0a00aaaa.
06
4Ca0aaaa yyyyyyyy 32-bit If Equal To (2 lines)
Executes next two codes only if yy is equal to the word stored at 0a00aaaa.
26
8Ca0aaaa yyyyyyyy 32-bit If Equal To (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is equal to the word stored at 0a00aaaa.
46
CCa0aaaa yyyyyyyy 32-bit If Equal To (Disable Codes)
All codes are disabled when the word at 0a00aaaa is not equal to yy.
66
If Not Equal To
10a0aaaa 000000yy 8-bit If not equal To (1 line)
Executes next code only if yy is not equal to the byte stored at 0a00aaaa.
08
50a0aaaa 000000yy 8-bit If not equal To (2 lines)
Executes next two codes only if yy is not equal to the byte stored at 0a00aaaa.
28
90a0aaaa 000000yy 8-bit If not equal To (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is not equal to the byte stored at 0a00aaaa.
48
D0a0aaaa 000000yy 8-bit If not equal To (Disable Codes)
All codes are disabled when the byte at 0a00aaaa is not not equal to yy.
68
12a0aaaa 0000yyyy 16-bit If not equal To (1 line)
Executes next code only if yy is not equal to the halfword stored at 0a00aaaa.
09
52a0aaaa 0000yyyy 16-bit If not equal To (2 lines)
Executes next two codes only if yy is not equal to the halfword stored at 0a00aaaa.
29
92a0aaaa 00000yyyy 16-bit If not equal To (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is not equal to the halfword stored at 0a00aaaa.
49
D2a0aaaa 0000yyyy 16-bit If not equal To (Disable Codes)
All codes are disabled when the halfword at 0a00aaaa is not not equal to yy.
69
14a0aaaa yyyyyyyy 32-bit If not equal To (1 line)
Executes next code only if yy is not equal to the word stored at 0a00aaaa.
0A
54a0aaaa yyyyyyyy 32-bit If not equal To (2 lines)
Executes next two codes only if yy is not equal to the word stored at 0a00aaaa.
2A
94a0aaaa yyyyyyyy 32-bit If not equal To (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is not equal to the word stored at 0a00aaaa.
4A
D4a0aaaa yyyyyyyy 32-bit If not equal To (Disable Codes)
All codes are disabled when the word at 0a00aaaa is not not equal to yy.
6A
If less than (signed)
18a0aaaa 000000yy 8-bit If less than (signed) (1 line)
Executes next code only if yy is less than (signed) the byte stored at 0a00aaaa.
0C
58a0aaaa 000000yy 8-bit If less than (signed) (2 lines)
Executes next two codes only if yy is less than (signed) the byte stored at 0a00aaaa.
2C
98a0aaaa 000000yy 8-bit If less than (signed) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is less than (signed) the byte stored at 0a00aaaa.
4C
D8a0aaaa 000000yy 8-bit If less than (signed) (Disable Codes)
All codes are disabled when the byte at 0a00aaaa is not less than (signed) yy.
6C
1Aa0aaaa 0000yyyy 16-bit If less than (signed) (1 line)
Executes next code only if yy is less than (signed) the halfword stored at 0a00aaaa.
0D
5Aa0aaaa 0000yyyy 16-bit If less than (signed) (2 lines)
Executes next two codes only if yy is less than (signed) the halfword stored at 0a00aaaa.
2D
9Aa0aaaa 00000yyyy 16-bit If less than (signed) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is less than (signed) the halfword stored at 0a00aaaa.
4D
DAa0aaaa 0000yyyy 16-bit If less than (signed) (Disable Codes)
All codes are disabled when the halfword at 0a00aaaa is not less than (signed) yy.
6D
1Ca0aaaa yyyyyyyy 32-bit If less than (signed) (1 line)
Executes next code only if yy is less than (signed) the word stored at 0a00aaaa.
0E
5Ca0aaaa yyyyyyyy 32-bit If less than (signed) (2 lines)
Executes next two codes only if yy is less than (signed) the word stored at 0a00aaaa.
2E
9Ca0aaaa yyyyyyyy 32-bit If less than (signed) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is less than (signed) the word stored at 0a00aaaa.
4E
DCa0aaaa yyyyyyyy 32-bit If less than (signed) (Disable Codes)
All codes are disabled when the word at 0a00aaaa is not less than (signed) yy.
6E
If greater than (signed)
20a0aaaa 000000yy 8-bit If greater than (signed) (1 line)
Executes next code only if yy is greater than (signed) the byte stored at 0a00aaaa.
10
60a0aaaa 000000yy 8-bit If greater than (signed) (2 lines)
Executes next two codes only if yy is greater than (signed) the byte stored at 0a00aaaa.
30
A0a0aaaa 000000yy 8-bit If greater than (signed) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is greater than (signed) the byte stored at 0a00aaaa.
50
E0a0aaaa 000000yy 8-bit If greater than (signed) (Disable Codes)
All codes are disabled when the byte at 0a00aaaa is not greater than (signed) yy.
70
21a0aaaa 0000yyyy 16-bit If greater than (signed) (1 line)
Executes next code only if yy is greater than (signed) the halfword stored at 0a00aaaa.
11
61a0aaaa 0000yyyy 16-bit If greater than (signed) (2 lines)
Executes next two codes only if yy is greater than (signed) the halfword stored at 0a00aaaa.
31
A1a0aaaa 00000yyyy 16-bit If greater than (signed) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is greater than (signed) the halfword stored at 0a00aaaa.
51
E1a0aaaa 0000yyyy 16-bit If greater than (signed) (Disable Codes)
All codes are disabled when the halfword at 0a00aaaa is not greater than (signed) yy.
71
22a0aaaa yyyyyyyy 32-bit If greater than (signed) (1 line)
Executes next code only if yy is greater than (signed) the word stored at 0a00aaaa.
12
62a0aaaa yyyyyyyy 32-bit If greater than (signed) (2 lines)
Executes next two codes only if yy is greater than (signed) the word stored at 0a00aaaa.
32
A2a0aaaa yyyyyyyy 32-bit If greater than (signed) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is greater than (signed) the word stored at 0a00aaaa.
52
E2a0aaaa yyyyyyyy 32-bit If greater than (signed) (Disable Codes)
All codes are disabled when the word at 0a00aaaa is not greater than (signed) yy.
72
If less than (unsigned)
28a0aaaa 000000yy 8-bit If less than (unsigned) (1 line)
Executes next code only if yy is less than (unsigned) the byte stored at 0a00aaaa.
14
68a0aaaa 000000yy 8-bit If less than (unsigned) (2 lines)
Executes next two codes only if yy is less than (unsigned) the byte stored at 0a00aaaa.
34
A8a0aaaa 000000yy 8-bit If less than (unsigned) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is less than (unsigned) the byte stored at 0a00aaaa.
54
E8a0aaaa 000000yy 8-bit If less than (unsigned) (Disable Codes)
All codes are disabled when the byte at 0a00aaaa is not less than (unsigned) yy.
74
2Aa0aaaa 0000yyyy 16-bit If less than (unsigned) (1 line)
Executes next code only if yy is less than (unsigned) the halfword stored at 0a00aaaa.
15
6Aa0aaaa 0000yyyy 16-bit If less than (unsigned) (2 lines)
Executes next two codes only if yy is less than (unsigned) the halfword stored at 0a00aaaa.
35
AAa0aaaa 00000yyyy 16-bit If less than (unsigned) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is less than (unsigned) the halfword stored at 0a00aaaa.
55
EAa0aaaa 0000yyyy 16-bit If less than (unsigned) (Disable Codes)
All codes are disabled when the halfword at 0a00aaaa is not less than (unsigned) yy.
75
2Ca0aaaa yyyyyyyy 32-bit If less than (unsigned) (1 line)
Executes next code only if yy is less than (unsigned) the word stored at 0a00aaaa.
16
6Ca0aaaa yyyyyyyy 32-bit If less than (unsigned) (2 lines)
Executes next two codes only if yy is less than (unsigned) the word stored at 0a00aaaa.
36
ACa0aaaa yyyyyyyy 32-bit If less than (unsigned) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is less than (unsigned) the word stored at 0a00aaaa.
56
ECa0aaaa yyyyyyyy 32-bit If less than (unsigned) (Disable Codes)
All codes are disabled when the word at 0a00aaaa is not less than (unsigned) yy.
76
If greater than (unsigned)
30a0aaaa 000000yy 8-bit If greater than (unsigned) (1 line)
Executes next code only if yy is greater than (unsigned) the byte stored at 0a00aaaa.
18
70a0aaaa 000000yy 8-bit If greater than (unsigned) (2 lines)
Executes next two codes only if yy is greater than (unsigned) the byte stored at 0a00aaaa.
38
B0a0aaaa 000000yy 8-bit If greater than (unsigned) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is greater than (unsigned) the byte stored at 0a00aaaa.
58
F0a0aaaa 000000yy 8-bit If greater than (unsigned) (Disable Codes)
All codes are disabled when the byte at 0a00aaaa is not greater than (unsigned) yy.
78
32a0aaaa 0000yyyy 16-bit If greater than (unsigned) (1 line)
Executes next code only if yy is greater than (unsigned) the halfword stored at 0a00aaaa.
19
72a0aaaa 0000yyyy 16-bit If greater than (unsigned) (2 lines)
Executes next two codes only if yy is greater than (unsigned) the halfword stored at 0a00aaaa.
39
B2a0aaaa 00000yyyy 16-bit If greater than (unsigned) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is greater than (unsigned) the halfword stored at 0a00aaaa.
59
F2a0aaaa 0000yyyy 16-bit If greater than (unsigned) (Disable Codes)
All codes are disabled when the halfword at 0a00aaaa is not greater than (unsigned) yy.
79
34a0aaaa yyyyyyyy 32-bit If greater than (unsigned) (1 line)
Executes next code only if yy is greater than (unsigned) the word stored at 0a00aaaa.
1A
74a0aaaa yyyyyyyy 32-bit If greater than (unsigned) (2 lines)
Executes next two codes only if yy is greater than (unsigned) the word stored at 0a00aaaa.
3A
B4a0aaaa yyyyyyyy 32-bit If greater than (unsigned) (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy is greater than (unsigned) the word stored at 0a00aaaa.
5A
F4a0aaaa yyyyyyyy 32-bit If greater than (unsigned) (Disable Codes)
All codes are disabled when the word at 0a00aaaa is not greater than (unsigned) yy.
7A
If AND
38a0aaaa 000000yy 8-bit If AND (1 line)
Executes next code only if yy AND the byte stored at 0a00aaaa is not equal to 0.
1C
78a0aaaa 000000yy 8-bit If AND (2 lines)
Executes next two codes only if yy AND the byte stored at 0a00aaaa is not equal to 0.
3C
B8a0aaaa 000000yy 8-bit If AND (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy AND the byte stored at 0a00aaaa is not equal to 0.
5C
F8a0aaaa 000000yy 8-bit If AND (Disable Codes)
All codes are disabled when the byte at 0a00aaaa AND yy is 00.
7C
39a0aaaa 0000yyyy 16-bit If AND (1 line)
Executes next code only if yy AND the halfword stored at 0a00aaaa is not equal to 0.
1D
79a0aaaa 0000yyyy 16-bit If AND (2 lines)
Executes next two codes only if yy AND the halfword stored at 0a00aaaa is not equal to 0.
3D
B9a0aaaa 00000yyyy 16-bit If AND (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy AND the halfword stored at 0a00aaaa is not equal to 0.
5D
F9a0aaaa 0000yyyy 16-bit If AND (Disable Codes)
All codes are disabled when the halfword at 0a00aaaa AND yy is 00.
7D
3Aa0aaaa yyyyyyyy 32-bit If AND (1 line)
Executes next code only if yy AND the word stored at 0a00aaaa is not equal to 0.
1E
7Aa0aaaa yyyyyyyy 32-bit If AND (2 lines)
Executes next two codes only if yy AND the word stored at 0a00aaaa is not equal to 0.
3E
BAa0aaaa yyyyyyyy 32-bit If AND (Multi-line)
All subsequent codes until the z20 code type or end of code list are executed only if yy AND the word stored at 0a00aaaa is not equal to 0.
5E
FAa0aaaa yyyyyyyy 32-bit If AND (Disable Codes)
All codes are disabled when the word at 0a00aaaa AND yy is 00.
7E
Always... codes
0Ea0aaaa xxxxxxxx Always skip next line 07
4Ea0aaaa xxxxxxxx Always skip next two lines 27
8Ea0aaaa xxxxxxxx Always skip remaining codes 47
CEa0aaaa xxxxxxxx Always skip all codes 67
One line special codes
00000000 xxxxxxxx End of code list
No codes after this point are executed.
z00
00000000 0800xx00 Slowdown code
The AR performs xx loops per code cycle, slowing the game down.
z04
Two line special codes
00000000 10a0aaaa
000000xx 00000000
8-bit AR Button RAM Write
Writes xx to 0a00aaaa when the AR Button is pressed.
z08
00000000 12a0aaaa
0000xxxx 00000000
16-bit AR Button RAM Write
Writes xxxx to 0a00aaaa when the AR Button is pressed.
z09
00000000 14a0aaaa
xxxxxxxx 00000000
32-bit AR Button RAM Write
Writes xxxxxxxx to 0a00aaaa when the AR Button is pressed.
z0A
00000000 18a0aaaa
0000xxxx 00000000
16-bit ROM Patch
Patches 0x08000000 + (0a00aaaa >> 2) with xxxx.
z0C
00000000 1Aa0aaaa
0000xxxx 00000000
16-bit ROM Patch
Patches 0x08000000 + (0a00aaaa >> 2) with xxxx.
z0D
00000000 1Ca0aaaa
0000xxxx 00000000
16-bit ROM Patch
Patches 0x08000000 + (0a00aaaa >> 2) with xxxx.
z0E
00000000 1Ea0aaaa
0000xxxx 00000000
16-bit ROM Patch
Patches 0x08000000 + (0a00aaaa >> 2) with xxxx.
z0F
00000000 40000000 Execute codes normally
All conditionals currently going on do not apply after this point.
z20
00000000 60000000 Execute all following codes
All following codes are executed regardless of anything else.
z30
00000000 80a0aaaa
000000xx vvddiiii
8-bit slide code
Writes dd bytes, starting at the address 0a00aaaa with the value xx and incrementing the address by iiii and the value by vv each iteration.
z40
00000000 82a0aaaa
0000xxxx vvddiiii
16-bit slide code
Writes dd halfwords, starting at the address 0a00aaaa with the value xxxx and incrementing the address by iiii * 2 and the value by vv each iteration.
z41
00000000 84a0aaaa
xxxxxx vvddiiii
80000000 00000000
32-bit slide code
Writes dd words, starting at the address 0a00aaaa with the value xxxxxxxx and incrementing the address by iiii * 4 and the value by vv each iteration. The final line is needed to prevent a bug in the AR from occurring.
z42
Special Codes
C4aaaaaa 00000bcd Master Code
Hooks the address 08aaaaaa for the code handler. if b is 1, the AR switch must be turned off when the game starts. Otherwise, it doesn't matter. c determines the number of codes the AR processes at a time. d is the type of hook. 0 is BL and 1 is Push LR then BL.
62
xxxxxxxx 001DC0DE ID Code
Used by the AR to auto-detect games. xxxxxxxx should be the word at 0x080000AC.
--
DEADFACE xxxxxxxx DEADFACE
Changes the encryption seeds.
--

Encrypting/Decrypting Gameshark/Action Replay codes

AR Crypt

Gameshark and Action Replay codes are encrypted and decrypted with AR Crypt. To encrypt codes, put the appropriate, formatted code in the left box. The choose RAW in the left radio box. On the right radio box, choose ARV1/2 for Gameshark or ARV3/4 for Action Replay. Decrypting codes works in a similar fashion. ARV1/2 or ARV3/4 on the left and RAW on the right. ARCrypt also provides an option to format codes. This only does one code at a time however. Input the address followed by the value and select the appropriate ARCrypt code type, then press the create button. Underneath the address and value, the correctly formatted code will be displayed, and will be display encrypted in the right textarea. For some code types, such as slide codes, additional options will be displayed in the middle of the window. Customize these as necessary.

Creating GS/AR master codes

Hacking Standard Master Codes

To create a master code for the Gameshark or Action Replay, a ROM of the game will be required, as well as AR Crypt. In AR Crypt, go to Special, then "Find Master Code and ID Code"; Load the ROM, and the master codes will be listed. Test each master code individually with a normal code. If the code works, then the master code being used is a legitimate master code. If AR Crypt does not come up with any results or non of the possible master codes works, a non-standard master code must be hacked.

Hacking Nonstandard Master Codes

The information in this section is based on a post originally by Parasyte.

Both AR Crypt and VBA-SDL-H are required for hacking non-standard master codes, as well as a Hex Editor. Examples are provided for Baulder's Gate and Phantasy Star Collection.

Baulder's Gate

Load Baulder's Gate up into VBA-SDL and enter the gameplay part of the game. Then load up a hex editor, open the rom, and search for 0x0047C0460847C046. This is the beginning of the long branch routine. For Baulder's Gate, it's at 0x006A9888 which is GBA address 0x086A9888. It disassembles to:

086A9888 bx r0
086A988A mov r8, r8 ; NOP
086A988C bx r1
086C988E mov r8, r8
086A9890 bx r2
086A9892 mov r8, r8

etc. These bx instructions are what we want to try to hook. What we are looking for is a bx instruction which is executed many times per second. Start with the bx r0. Tell VBA-SDL to break whenever that instruction is executed (bt 086A9888) and have the game resume (c). The game doesn't break, so this isn't what we want. Go back to the debugger (F11) and move on to bx r1. Set a breakpoint on that and resume gameplay. The game breaks. This is good. Copy down the value of R1 (since we are testing bx r1) and resume gameplay. It will break again. Copy down the new value of R1. Continue this process until it appears that all the possible values r1 have been copied. For this game, the values are 0x03003ef8, 0x0869FC05, 0x0869E145, 0x02000634, 0x02000514, 0x0869E3D5, and 0x0869E0D9. Now delete the breakpoint and move to another area (say, the tavern), and repeat the process. Here, the values obtained are 0x0869E3D5, 0x0869D5A1, 0x0869D165, 0x0869C881, 0x03003EF8, 0x0869FC05, 0x0869D81D, and 0x0869CF61. Now, find the common addresses. They are 0x03003EF8, 0x0869FC05, and 0x0869E3D5. Now it's time to make the mastercode.

One by one, search for each of the values in the ROM. Starting with 0x03003EF8, we must first rearrange this into the order it will appear in the ROM. Divide it into seperate bytes (0x03, 0x00, 0x3E, and 0xF8), then reverse the order, giving us 0xF83E0003. Search for this in the ROM. It is not present. Move to the next value, 0x0869FC05. Searching for 0x05FC6908 turns up four locations. This is not good. Any one of the four could be correct or, even worse, they could each be correct in a seperate part of the game. Go to the final value, 0x0869E3D5. Searching for 0xD5E36908 turns up only one location! Success. The location is 0x007EF48C. Turn the 00 into C4, and add 000084x1 as the value, where x is the register value used (r1 here). The final code is C47EF48C 00008411. If the code is being made for the Gameshark, the address should have the initial two zeros replaced with 48, and the value should be 000001x1, with x still being the register. For Gameshark, the final decrypted could is F87EF48C 00000111.

Phantasy Star Collection

It is impossible to hack a universal master code for Phantasy Star Collection, because it contains four executables. The intro does not need a master code, but each of the other three executables (the three games) require a seperate master code. For Phantasy Star II and Phantasy Star III, creating a master code is simple enough. However, for Phantasy Star, there is a problem. The Phantasy Star exectuable is located at 0x08738000, and it is impossible to create a standard BL-type master code from any address above 0x0840001C. This is further complicated by the fact that the long branch routine does not exist in the Phantasy Star executable, so creating a master code the same way as for Baulder's Gate will not work. In this case, we shall take a different approach - find the interrupt handler. These are executed several times per second, so they are perfect.

Load up Phantasy Star Collection in VBA-SDL-H. The GBA interrupt vector is always located at 0x03007FFC. Use the mw command to display the word there; it should be a pointer. For me, it is 0x020207d0. This is an ARM address, because it is an even number. Had it been THUMB, it would have been 0x020207d1. Disassemble the arm (da) starting at 0x020207d0. Here is what I have:

02020884 E59F1010 ldr r1, [$0202089C] (=$02000070)
02020888 E0811002 add r1, r1, r2
0202088C E5910000 ldr r0, [r1]
02020890 E12FFF10 bx r0

This code loads pointer 0x02000070 into r1. Then, it adds r2 to it.Finally, it loads a pointer from that address into r0 and branches to that address. This is a prime example of a jump table (large amount of pointers stored in RAM). Dump the jump table from 0x02000070 with the mw command:
02000070 087384A1 0873A9FD 0873AA01 0873A9FD
02000080 0873A9FD 0873AA21 0876CA91 0873A9FD
02000090 0873A9FD 0873A9FD 0873A9FD 0873A9FD
020000A0 0873A9FD 0873A9FD 00000000 00000000

All of these pointers are odd numbers, which means they are all pointers to THUMB instructions. There are five in total: 0x087384A1, 0x0873A9FD, 0x0873AA01, 0x0873AA21, and 0x0876CA91. Disassemble each of these addresses. Be sure to convert each address into an even number by subtracting 1. Here is what we have:

087384A0 B5F0 push {r4-r7, lr}
087384A2 4A2B ldr r2, [$08738550] (=$020004E8)
087384A4 482B ldr r0, [$08738554] (=$04000130)
087384A6 8801 ldrh r1, [r0, #0x0]
087384A8 4B2B ldr r3, [$08738558] (=$000003FF)
087384AA 1C18 add r0, r3, #0x0
087384AC 4041 eor r1, r0


0873A9FC 4770 bx lr


0873AA00 4904 ldr r1, [$0873AA14] (=$0400000C)
0873AA02 4A05 ldr r2, [$0873AA18] (=$00004409)
0873AA04 1C10 add r0, r2, #0x0
0873AA06 8008 strh r0, [r1, #0x0]
0873AA08 3908 sub r1, #0x8
0873AA0A 4A04 ldr r2, [$0873AA1C] (=$00007028)
0873AA0C 1C10 add r0, r2, #0x0
0873AA0E 8008 strh r0, [r1, #0x0]
0873AA10 4770 bx lr


0873AA20 4770 bx lr


0876CA90 4906 ldr r1, [$0876CAAC] (=$02000052)
0876CA92 8808 ldrh r0, [r1, #0x0]
0876CA94 2800 cmp r0, #0x0
0876CA96 D008 beq $0876CAAA
0876CA98 8808 ldrh r0, [r1, #0x0]
0876CA9A 3801 sub r0, #0x1
0876CA9C 8008 strh r0, [r1, #0x0]
0876CA9E 0400 lsl r0, r0, #0x10
0876CAA0 2800 cmp r0, #0x0
0876CAA2 D102 bne $0876CAAA
0876CAA4 4902 ldr r1, [$0876CAB0] (=$02000054)
0876CAA6 2001 mov r0, #0x1
0876CAA8 7008 strb r0, [r1, #0x0]
0876CAAA 4770 bx lr

The second and fourth routines simply contain bx lr, meaning they do nothing at all. There's no reason to trust either of them. The first one is the joypad routine - very promising. Take the pointer to this routine (0x087384A1), byteswap it (0xA1847308) and search the ROM for it with a hex editor. There's only one result, and it is definitely inside the Phantasy Star executable. This pointer is located at 0x007383FC. Attach the C4 codetype (F8 for Gameshark) and the 000084x3 value (000001x3 for Gameshark). Back in the ARM assembly, the first bx instruction was bx r0. So, the x is replaced with 0. The final code is C47383FC 00008403 for AR and F87383FC 00000103 for GS.

Codebreaker Advance and Gameshark SP

Codebreaker Advance DisclaimerCodebreaker Advance Game List
Codebreaker Advance Code ListCodebreaker Advance New Code Screen

Description - Codebreaker Advance

Pelican released the Codebreaker Advance shortly after the GSA came out. Like the GSA, it is a step up from its Gameboy counterpart, but lacks a trainer. Notable code types that the CBA has added includ the slide code, 8- and 16-bit writes, conditionals, and a bitwise AND. However, the CBA does not implement a 32-bit RAM write or a ROM patch, both of which the GSA has. Codebreaker codes are encrypted by default, but unencrypted codes can be allowed, by not having a 9-code as the first line of a master code.

Gameshark SP

The Gameshark name was purchased by MadCatz, who also purchased the rights to the Codebreaker Advance software. In reality, all the Gameshark SP is, is a renamed Codebreaker Advance.

Codebreaker/Gameshark SP code types

Code type Description
0000xxxx yyyy Master Code
xxxx is the CRC of the game. yyyy is flags include: 0x0008 (CRC exists and is used to autodetect the game) and 0x0002 (Disable interrupts)
1aaaaaaa xxxy Master Code
0x0aaaaaaa is the hook address for the Codebreaker. y determines the CBA Code Handler Store Address (address = (y << 0x16) + 0x08000010) and xxx determines the hook type (0x100 is 32-bit Long Branch (THUMB), 0x200 is 32-bit Long Branch (ARM), 0x300 is 8-bit Long Branch (THUMB), and 0x400 is 8-bit Long Branch (ARM).
3aaaaaaa 00xx 8-bit RAM write
xx is written to 0aaaaaaa.
4aaaaaaa yyyy
zzzzxxxx iiii
Slide code
0aaaaaaa is the starting address and yyyy is the starting value. xxxx is the number of repetitions with zzzz being the value increment and iiii being the address increment.
6aaaaaaa yyyy 16-bit bitwise AND
ANDs the 16-bit value at the address 0aaaaaaa with yyyy and then writes it back to 0aaaaaaa.
7aaaaaaa yyyy 16-bit If Equal To
Executes the next code only if the 16-bit value at the address 0aaaaaaa is equal to yyyy.
8aaaaaaa yyyy 16-bit RAM write
yyyy is written to 0aaaaaaa.
9yyyyyyy yyyy Change encryption seeds.
Changes encryption seeds.
Aaaaaaaa yyyy 16-bit If Not Equal To
Executes the next code only if the 16-bit value at the address 0aaaaaaa is not equal to yyyy.

Encrypting/Decrypting Codebreaker/Gameshark SP codes

CBA Crypt

Codebreaker (and by extension, Gameshark SP) codes are encrypted and decrypted with CBA Crypt. To use this, first put the first line of the CB master code (the one that starts with a 9) in the left box. If the first line of the master code does not start with a 9, then encryption and decryption are not necessary. Underneath the 9 code, put the codes you want to encrypt or decrypt and press the appropriate button. On the right side, the encrypted or decrypted codes will appear. The first line will be the same on both sides. Ignore this line. The rest of the box is when you need.

Creating GSSP/CBA master codes

To create a master code for the Codebreaker or Gameshark SP, a ROM of the game will be required, as well as GBA Tool. Open GBA Tool up and click the browse button. Find the load, and load it. Then press search. A list of potential master codes will be displayed. Test each master code on the game with any code. If the code works, you have a valid master code.

ARM7 Assembly

The GBA uses an ARM7TMDI chip. The ARM architecture provides two modes, ARM and THUMB, and well as 31 32-bit registers. Only 16 of these registers are visible at a time, with R13, R14, and R15 being for the Stack Pointer, the Link Register, and the Program Counter respectively. The ARM instruction set uses 32-bit operations, whereas the THUMB set uses 16-bit. THUMB is designed to produce smaller code with the same speed as ARM and much of the functionability. One major limiation of THUMB is that many instructions cannot access registers above R07. In ARM, 4 bits are set aside for a conditional. The operation is executed only if the current flags meet that condition. More information on ARM and THUMB can be found in the official ARM and THUMB manuals, as well as GBATek, all provided on the documents page.

Hacking using VBA-SDL-H

VBA-SDL-H

VBA-SDL-H is a modified version of VBA-SDL V1.7.2 by kenobi and Labmaster. Compatibility wise, it has the same limitations as VBA-H. VBA-SDL-H has been modified to include extra options such as Don't break on, Conditional Breaks, Break on Read, Break on Change, and Last Branch. In addition to this, it provides the same options provided by the official version of VBA-SDL.

Inside the console window, VBA-SDL-H lists all the registers, as well as CPSR, the mode, and the status flags. Additionally, the next instruction to be executed is displayed. If the last option was enabled, the same information is also provided for when the last branch occured. This feature has some bugs, however, and does not always work properly. h brings up a list of all available commands with a description. The c command resumes the functioning of the game. bt and ba break on the THUMB and ARM addresses provided respectively, when they are executed. bd [number] deletes the corresponding bt or ba instruction. This function has a small bug in that the last remaining breakpoint must be deleted manually. bpw [address] [bytes] breaks when [address] or any addresses up to [bytes] bytes afterwards are written to. The cow changes bpw to act as a break on change, which will not break if the value being written to the specified address is the same as the address's current value. bpr functions the same way as bpw, but it breaks when an address is read from instead of written to. The bpwc and bprc instruction delete all breaks on write and read, and the bl option lists all of these breakpoints. The db is used to disassemble the specified address from triggering a breakpoint. The instruction will still execute as normal, but VBA-SDL-H will ignore it with regard to breakpoints. cba and cbt instructions are also allowed. These instructions set conditional ARM and THUMB breakpoints.

The d, da, and dt instuctions disassemble the memory located at specified address. d disassembles in the game's current mode, while dt and da force THUMB and ARM disassembly. The next twenty operations are shown in either case. If no address is provided, disassembly begins at the current location of the game.

The mb, mh, and mw instructions show the memory at the location provided in terms of bytes, halfwords, and words. 0x100 bytes are shown in all cases and the ASCII representation of these bytes is provided on the right side. The eb, eh, and ew instructions can be used to modify these memory values; additionally, er is provided to modify the value of a register.

Miscellaneous instructions include io, which displays the status of the I/O registers, dload and dsave which load and save raw data files, load and save, which loads or saves an Fx style save, n which executes the next instruction, and radix, which sets the print radix to the specified base. Additionally, verbose changes the verbose level, where shows the call chain, locals shows the local variables of a given address, and lf logs all output to a file. Finally, the print instruction attempts to print the value of an expression.

Converting codes

ARCrypt converts codes betweent the three formats. Put the code to be converted in the left box, choose the appropriate devices, and hit convert. AR and GS codes must be encrypted during this process.