Handheld Underground

A mysterious sapphire

posted by taizou @ 2020-04-14 23:55:12 Dumps

Hey everyone I'm back??? With something pretty different!

It's Pokémon! Sapphire! For GBA! In English!

Now, you might be wondering: wasn't English Sapphire just a regular, boring, official release? Well, it was... but not like this.

This is an unofficial English translation, done between the game's Japanese and North American releases. The gap between those two releases was only four months, meaning the makers of this translation had to really rush it out the door to have any semblance of a viable market before the proper English version hit the shelves.

Not only that, they saw fit to copy protect it, using the same "YJencrypted" system used by Sintax for their bajillion GBA platformers, presumably to make sure no other enterprising bootleggers could horn in on their tiny window of opportunity.

The cartridge label does make it quite obvious that this was done before official US release materials were available - it's actually using pre-release cover art for the game, complete with the "RP" (rating pending) ESRB rating. This same artwork was also used for the "New Game Color Advance" release of Sintax's GBC strategy game "Pocket Monster Saphire".

The actual translation has a bit in common with the so-called "Chinese Emerald", and was probably done by the same people, but lots of the text is different (and weirder!).

Protection and dump assemblage

Now, as I mentioned, this cartridge is copy protected - but not in the same way GBC carts were commonly protected, where the game could often be fully dumped but just wouldn't run without the company's specific mapper being present. Oh no: "YJencrypted" carts have proper read protection and are gigantic bastards to extract data from.

As a quick summary: you can't read from the cart at all unless it's properly initialised by the GBA boot sequence (which I was never able to replicate manually, so had to fudge a way to reset without losing power), and then if you manage to bypass that, each cart has numerous "trap" addresses whereby reading from them will lock you out of reading any further data. And these differ for each cartridge, so the only way to determine which addresses these are is through trial and error.

If you do manage to dump the ROM from one of these cartridges, it will mostly work as a standard GBA ROM, with the exception that they use funky addressing/mirroring within the unused parts of the 32MB ROM address space, and again that differs per cartridge and I'm not sure of any pattern to it.

Another unusual thing it does is that, after normal initialisation, it replaces a few bytes of the Nintendo logo in the ROM header; this doesn't seem to serve any protection-related purposes as far as I know, but does prevent a GBA from somehow booting the game in this state. In this case, the substituted data is "90 AE 17 4E 59 4A" - the last two bytes are "YJ" in ASCII, so this may be some kind of "signature" for the protection...

Anyway, what all that means is I haven't been able to do my usual GBC thing of releasing a "raw dump" and then a "cracked" version where possible - instead what I'm presenting here is kind of a best effort at extracting a full, usable ROM from this thing.

This ROM was constructed as follows:

I was unsure about that last point at first, as it means hacking away a bit of the originally dumped data; but we know it actually does present the proper Nintendo logo at boot, since the game does boot with that logo, so restoring the logo is essentially restoring the normal boot state of the cart. Which is reasonable, I think.

(I did consider also releasing the less-rejiggered ROM e.g. the one with the skipped data still skipped, and the Nintendo logo partially-overwritten, but I don't believe that is any more of a "true"/"full" dump than this one, and would only cause confusion if I put it out into the wild - but if anyone is interested in taking a look at it, let me know)

I've tagged this as a "YJ restored" dump, which signifies basically that it was dumped and patched back up using the technique described above. It's not really a true "raw dump", since it was patched together and there's known repeated/overdumped data. But nor is it really cracked/hacked, since all the data patched in should, in theory, be present on the original cartridge.
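
A quick triage of a dump against the details above, as an added example that is not part of the original post: it looks for the substituted bytes in the header's logo field, verifies the header complement check, and lists blocks whose data repeats elsewhere in the image. The sample image, the position of the signature inside the logo field and the 0x100 block size are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict

LOGO_START, LOGO_END = 0x04, 0xA0             # Nintendo logo field in the header
YJ_SIGNATURE = bytes.fromhex("90AE174E594A")  # substituted bytes quoted in the post


def find_yj_signature(rom: bytes) -> int:
    """Offset of the substituted bytes inside the logo field, or -1 if absent."""
    pos = rom[LOGO_START:LOGO_END].find(YJ_SIGNATURE)
    return -1 if pos < 0 else LOGO_START + pos


def header_checksum_ok(rom: bytes) -> bool:
    """Header complement check at 0xBD. It covers 0xA0..0xBC only, so it
    cannot reveal changes made to the logo field."""
    return ((-sum(rom[0xA0:0xBD]) - 0x19) & 0xFF) == rom[0xBD]


def repeated_blocks(rom: bytes, block_size: int = 0x10000) -> dict:
    """Map each first-seen block offset to later offsets with identical data."""
    first_seen, repeats = {}, defaultdict(list)
    for off in range(0, len(rom) - block_size + 1, block_size):
        digest = hashlib.sha256(rom[off:off + block_size]).digest()
        if digest in first_seen:
            repeats[first_seen[digest]].append(off)
        else:
            first_seen[digest] = off
    return dict(repeats)


def build_sample(block_size: int = 0x100) -> bytes:
    """Constructed image for demonstration; contains no cartridge data."""
    rom = bytearray(b"".join(bytes([n]) * block_size for n in range(1, 5)))
    rom[LOGO_START:LOGO_END] = bytes(LOGO_END - LOGO_START)  # blank logo field
    rom[0x20:0x26] = YJ_SIGNATURE      # position within the logo is arbitrary here
    rom[0xBD] = (-sum(rom[0xA0:0xBD]) - 0x19) & 0xFF
    rom += rom[block_size:2 * block_size]  # simulate one mirrored/overdumped block
    return bytes(rom)


if __name__ == "__main__":
    sample = build_sample()
    print("signature at:", hex(find_yj_signature(sample)))
    print("header checksum ok:", header_checksum_ok(sample))
    for src, copies in repeated_blocks(sample, 0x100).items():
        print(hex(src), "repeated at", [hex(c) for c in copies])
```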

Saving issues

Another caveat to be aware of: while the original Pokemon games used flash memory to save game data, this cart instead uses SRAM with a battery (as pirate copies commonly do), and is hacked to save to SRAM instead of flash. Official cartridges using SRAM only used 32 kilobytes. However, the original Pokemon Sapphire used 128 kilobytes of flash memory, and I believe (but have not verified) that this cartridge uses 64 kilobytes of SRAM. Again, I haven't verified it, but based on the original save data structure, this would mean it definitely would not have the second "backup" save, and may also omit one or more of Hall of Fame, Mystery Gift/e-Reader or recorded battle data.

Since the GBA ROM header does not contain any save type information, emulators and flash carts have to autodetect the save type per ROM, and since this cartridge apparently uses a non-standard save type, it is fairly likely that you will encounter problems when saving or loading data. For example, the Everdrive detects it as using flash (which causes it to fail when saving), and mGBA and no$gba both detect it as using SRAM but only provide the 32KB an official game would have (which causes it to fail when loading). VisualBoyAdvance both detects it as using SRAM and provides the full 64KB, so it works there. In fact, it seems to provide 64KB for all SRAM-using games, which is inaccurate for official games, but correct for this one... so it may be working by accident. Your mileage may (and probably will) vary.
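
To make the two failure modes concrete, here is an added example (not from the original post) of a common detection heuristic: scanning the ROM for the ID strings that Nintendo's save libraries embed, then comparing the implied save type and size with the real hardware. That the tools named above work exactly this way is an assumption, and the two sample images are constructed, not taken from this dump.

```python
KB = 1024
# Save-library ID strings and the backup size each one implies (per GBATEK).
SAVE_IDS = {
    b"EEPROM_V": ("eeprom", None),  # 512 B or 8 KB; the string does not say which
    b"SRAM_V": ("sram", 32 * KB),
    b"FLASH_V": ("flash", 64 * KB),
    b"FLASH512_V": ("flash", 64 * KB),
    b"FLASH1M_V": ("flash", 128 * KB),
}


def scan_save_ids(rom: bytes) -> list:
    """Return (offset, kind, size) for every ID string, ordered by offset."""
    hits = []
    for marker, (kind, size) in SAVE_IDS.items():
        pos = rom.find(marker)
        while pos != -1:
            hits.append((pos, kind, size))
            pos = rom.find(marker, pos + 1)
    return sorted(hits, key=lambda h: h[0])


def assess(rom: bytes, hw_kind: str, hw_size: int) -> list:
    """List the ways a string-based guess disagrees with the real save hardware."""
    hits = scan_save_ids(rom)
    if not hits:
        return ["no ID string found: save type must come from an override"]
    problems = []
    if len({kind for _, kind, _ in hits}) > 1:
        problems.append("conflicting ID strings")
    for off, kind, size in hits:
        if kind != hw_kind:
            problems.append(f"0x{off:X}: implies {kind}, hardware is {hw_kind}")
        elif size is not None and size < hw_size:
            problems.append(
                f"0x{off:X}: implies {size // KB}KB, hardware has {hw_size // KB}KB")
    return problems


# Constructed images (padding plus one ID string); not data from the dump.
LEFTOVER_FLASH = bytes(0x40) + b"FLASH1M_V103" + bytes(0x40)
OFFICIAL_SRAM = bytes(0x80) + b"SRAM_V113" + bytes(0x40)

if __name__ == "__main__":
    for name, img in (("flash string", LEFTOVER_FLASH), ("sram string", OFFICIAL_SRAM)):
        print(name, "->", assess(img, "sram", 64 * KB))
```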

The actual ROM

Pokemon - Sapphire Version (Unl) (Eng) [YJ restored].zip

Thanks to Lightning of Twitch Plays Pokémon/RainbowDevs for lending the cart!

Update: The box!

Here are some pics of the box, thanks again to Lightning:

Amazingly, they used screenshots of the official translation on the back, I guess pre-release ones. And the text on the back... seems to be some kind of Telefang story? In decent English? I wonder where they got that from.

25 Comments


1 posted by SuperfishMEMZ @ 2020-04-15 00:50:34

So Sintax's cart might have tons of trap addresses

2 posted by FrostedGeulleisia @ 2020-04-15 01:14:49

Still surprised as to what translation process this went through, considering location names, Chinese (or Taiwanese) must have been somewhere in the translation process, and obviously how did they even read the text from\inject it into the ROM to begin with? While this isn't Vietnamese Crystal-tier, it's certainly the worst gen 3 translation I've seen.
In case you're curious, "sapphire" is written on the title screen with Times New Roman.
Now, a weird thing I've noticed when messing around, is how I wasn't able to inject Pokédex flags, but that might just be a vanilla Ruby\Sapphire thing (I really want to gather up all the Pokédex entries).
Differences to Chinese Emerald include the lack of trainer names as well, which is strange in itself.
This dump has one more issue though, if you manage to sit through it all the way to the Elite Fo-oh sorry, "Top Four Kings", the lights in the E4 chambers\corridors have a corrupted timer, making them rapidly switch between different tiles. Oh and the credits say "PokeMon Ruby", and that's it, the rest of the credits text was removed entirely.
And to end off, I can say I technically beat this bootleg, ending with a level 88 Blaziken, and 5 Zigzagoon. Pickup surely is broken in RS.

3 posted by RacieB @ 2020-04-15 01:34:22

Yeah, that is the plot of Telefang 2, which coincidentally(?) was also bootlegged using the gen 2 protagonists artwork as "Pokémon Diamond / Jade 2" and "Pokémon Ruby"

4 posted by anewkindofscience@yahoo.com @ 2020-04-15 03:43:24

Woah, cool! Was this done by the same people who did that Engrish Fire Red hack? If so, would you like to borrow my cart for that?

5 posted by ? @ 2020-04-15 05:23:14

hacking is illegal

6 posted by taizou @ 2020-04-15 19:43:31

@anewkindofscience not sure, I have the Leaf Green but it seemed to be different protection-wise, if I manage to dump Leaf Green then I could borrow your Fire Red since they'll probably at least be the same as each other. thanks for the offer anyway!

7 posted by anewkindofscience@yahoo.com @ 2020-04-15 21:59:25

@taizou

No problem

8 posted by anewkindofscience@yahoo.com @ 2020-04-15 22:03:21

@taizou

Oh, by the way, I was wondering if you would like to borrow some of my SKOB games (Pocket Monster Crystal, Dragon Ball Final Bout, the Original Version of King of Fighters R2). I managed to get Final Bout, and KOF R2 to sort of work, and posted about those on the forums, but can't seem to get any response out of Pocket Monster Crystal

9 posted by FrostedGeulleisia @ 2020-04-15 22:10:32

@taizou
Do you mind showing us a picture or two of the Leaf Green bootleg? (mainly the translation itself)

10 posted by taizou @ 2020-04-28 02:11:03

@anewkindofscience sorry i'm not looking to borrow anything for dumping at the moment really. my backlog is too big & i would only end up hanging onto them for months

11 posted by anewkindofscience@yahoo.com @ 2020-04-28 02:30:01

@taizou No problem. If you ever change your mind, then feel free to email me. Also, do you know if the guys who made this translation did one for Pokemon Ruby as well?

12 posted by guyzis @ 2020-05-02 05:43:28

No clue. Btw, were those guys the same who made the Green and Crystal translations?

13 posted by taizou @ 2020-05-03 02:11:19

Yeah I'm pretty sure they did a Ruby version as well.

And I don't think they're the same people who translated Green and Crystal, but I have no idea really. It's hard to say since these translation teams were usually anonymous and commonalities in programming and fonts and whatever wouldn't carry over between GBC and GBA in most cases. The convention in Pokemon naming (stuff like PIdog) is pretty unusual and doesn't match up with Green and Crystal where they just have abbreviated or translated Chinese names, but... all of these translations even have inconsistent naming within the same game, so it doesn't really rule anything out.

14 posted by SuperfishMEMZ @ 2020-05-09 08:21:54

I wonder if Nintendo used this technology to encrypt their GBA games.

15 posted by guyzis @ 2020-05-11 00:40:58

No they didn't.

16 posted by SuperfishMEMZ @ 2020-05-11 06:34:00

Ok. But why didn't Nintendo develop a similar technology?

17 posted by taizou @ 2020-05-11 14:17:54

Nintendo started encrypting games from the DS onwards (although it was cracked pretty quickly). I guess for the GBA, it wasn't a priority for them - flash carts were still expensive, and pirate carts were mostly sold in markets where Nintendo didn't operate.

18 posted by Lyra (POKEMON HGSS) @ 2020-05-23 12:04:44

Where is the Kris?
from Lyra, Johto

19 posted by Lyra from Johto @ 2020-05-23 12:08:13

The back cover art in this hack features my friend, Kris. There is no Ethan in the Art? according to Me.
It is a Pirate Version of Pokemon RSE. But on the back cover art is Kris and in the main cover art is the Pre-release one. I know that.

from Lyra, Johto

P.S I am the Protagonist and Rival of Pokemon HeartGold and SoulSilver

20 posted by SuperfishMEMZ @ 2020-05-26 04:29:18

Sintax Translation Team: OK, we finally translated Pokémon Sapphire...Wait! What about the box art?
Sintax Box Art Designer: Sorry, we don't have time to make the box art and take screenshot in-game, so we have to use the pre-release box art and screenshots
Sintax Translation Team: What about the rating?
Sintax Box Art Designer: Since ESRB didn't rate this game yet, we should keep "Rating Pending" rating so we can make no one confused with this thing
Sintax Translation Team: k

21 posted by guyzis @ 2020-05-27 16:05:36

I don't think sintax was behind this.

22 posted by taizou @ 2020-05-29 01:19:36

yeah they almost certainly weren't

23 posted by guyzis @ 2020-05-29 19:00:13

Yet it has Sintax's YJ encryption method. I'm probably guessing YJ was actually an encryption software that the bootleggers found online or something, and then they used it to encrypt their games. If only we had a YJ decrypter, we could get more "pure" dumps, since you need to move some stuff around and then patch all the way back up or something.

24 posted by taizou @ 2020-05-30 21:22:13

YJ is the initials of the person that developed the protection, apparently they supplied it to different companies

25 posted by guyzis @ 2020-05-31 13:26:08

So this YJ is a guy who made the tool in some company, and YJ's company was giving it away to GBA bootleggers. Interesting.

Question? Are there any YJE games other than this and the GBA Sintax platformer shit?