OAM DMA hijacking

From Glitch City Wiki
Jump to navigationJump to search
Arbitrary code execution in the Pokémon series

0x1500 control code arbitrary code execution (Crystal) | Cart-swap arbitrary code execution | Generation I custom map script pointer | Generation I invalid meta-map scripts | Generation I item ("8F", "ws m", "-g m", "5かい", "てへ" etc.) | Generation I move ("-", "TM42") | Generation I Trainer escape glitch text boxes | Generation II bad clone | Generation II Burned Tower Silver | Japanese Crystal Pokémon Communication Center SRAM glitches | Coin Case glitch | Generation II glitch Pokédex sortings | Pikachu off-screen glitch ACE | OAM DMA hijacking | Pikachu glitch emote | Generation III glitch Pokémon summary | Generation III glitch move animation) | Remote code execution | TM/HMs outside of the TM/HM pocket | ZZAZZ glitch Trainer FC

List of arbitrary code execution programs

(view, talk, edit)
More research is needed for this article.
Gen III 00FC-0114.png
Reason given: A technical explanation of what OAM DMA is and how it works would be great.

OAM DMA hijacking is a form of arbitrary code execution in Game Boy games, which allows for the player to execute code every frame.

This glitch works by hijacking the "OAM DMA" process associated with sprites. [elaboration needed]

An easy means to perform OAM DMA hijacking in both Pokémon Red and Blue and Pokémon Gold and Silver is to write to the HRAM region FF80, however care must be taken as this region will be executed every frame. For this reason it is safe to place a ret (0xC9) opcode at the beginning of this region, write the code after it and replace the ret with a nop (0x00) byte afterwards. This exploit was documented by Crystal_.

YouTube video by Crystal_

A basic way to do it is to replace FF80 with a jp instruction (C3 yy xx) to another routine stored in RAM. However, this will prevent the OAM sprites from updating.

Another exploit for Red and Blue can involve making the following modifications to the HRAM, as documented by luckytyphlosion:

At FF86, write "jr FFF9". 
At FFF9, write "dec a" 
At FFFA, write "jr nz, FFF9"
At FFFC, write "jp [region]"

Do note that this will disable moving the character.

OAM DMA hijacking is useful as a form of 'real-time' arbitrary code execution, allowing the player to perform exploits such as walk through walls in Generation II or writing a 0x50 sub-tile permanently to the beginning of the screen data for Generation I.

This article or section is a stub. You can help Glitch City Wiki wiki by expanding it. RB 234 fs crop.png