Pseudonymous Pokémon fan "TheZZAZZGlitch," hereafter simply ZZAZZ, has come up with an extremely unusual way to dump a Nintendo Game Boy Advance game ROM: by forcing a crash and listening to the sound the console makes.
"Turns out, the [Nintendo Game Boy Advance] crash sound is just the console playing its entire address space as sound data," ZZAZZ explains of the discovery. "If we have a clear recording, we can convert it back to actual bytes, thus dumping the RAM and ROM."
To investigate the concept, ZZAZZ crashed a game running in a Game Boy Advance emulator while recording its sound output. Investigating the audio recording, ZZAZZ found recognizable snippets of sound: "The game's instrument samples are in ROM," the tinkerer explains, "so we can hear them play out in sequence! Assuming a clean recording, like this one, it shouldn't be difficult to reconstruct the ROM."
Taking the recording as a base, ZZAZZ set about writing Python scripts which could process the audio and return the ROM and RAM contents. Initial attempts weren't promising: alignment issues caused the first reconstruction to fail, and even realigning things based on observation of the ROM which had been loaded into the emulator didn't quite get there. "I got a dump that was 99.76% accurate," ZZAZZ explains. "[but it] still didn't boot tho'."
The solution: more recordings. By making multiple dumps and merging them — using "a simple 'majority vote'" approach to resolving conflicts, ZZAZZ explains — the resulting ROM dump was 99.979 per cent accurate. While it booted, though, it showed obvious corruption, until the process was repeated with a total of seven distinct audio recordings — enough to correct the errors and create a ROM dump which matched the original perfectly.
Moving from an emulator to an actual GBA-compatible Nintendo DS proved challenging, requiring a custom-made mono audio cable and a total of 45 recordings, but a physical cartridge too revealed its secrets from the crash sound — unveiling a modern replica cartridge with Arm code for loading the ROM data from flash and into chip memory. "There is a lot of trickery involved to make it happen," ZZAZZ notes, "including even self-modifying code, to make sure the correct data is present at [the] correct address at boot."
The full project video is embedded above and available on ZZAZZ's YouTube channel; the Python source code has been published on ZZAZZ's "research archives," under an unspecified license. "This is hardly a ready-to-use solution," the tinkerer admits, "and requires a lot of tuning, depending on the source data format."