OAM DMA hijacking
OAM DMA hijacking is a form of arbitrary code execution in Game Boy games that lets the player execute code every frame.
This glitch works by hijacking the "OAM DMA" routine, the short piece of code that copies sprite (object) attribute data into OAM every frame.
An easy means to perform OAM DMA hijacking in both Pokémon Red and Blue and Pokémon Gold and Silver is to write to the HRAM region starting at FF80. Care must be taken, however, because this region is executed every frame. For this reason it is safe to first place a ret (0xC9) opcode at the beginning of the region, write the code after it, and only then replace the ret with a nop (0x00) byte so that execution falls through into the new code. This exploit was documented by Crystal_.
A more basic way is to replace the code at FF80 with a jp instruction (C3 yy xx) to another routine stored in RAM. However, this prevents the OAM sprites from updating.
Another exploit for Red and Blue involves making the following modifications to HRAM, as documented by luckytyphlosion:
At FF86, write "jr FFF9". At FFF9, write "dec a". At FFFA, write "jr nz, FFF9". At FFFC, write "jp [region]".
Note that this disables moving the character.
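The following Python model is an added example, not code from the wiki or from either documented exploit's author. It assembles the canonical Pan Docs OAM DMA routine (assumed to match the copy the game keeps at FF80), applies Crystal_'s ret/nop staging and luckytyphlosion's relocated delay loop, and traces a small SM83 subset to show where each frame's call into FF80 ends up; the RAM address 0xD000 used for "[region]" is a placeholder.

```python
HRAM_BASE, HRAM_SIZE = 0xFF80, 0x7F            # HRAM is FF80-FFFE; FFFF is the IE register
RET, NOP, DEC_A = b"\xC9", b"\x00", b"\x3D"
def jr(target, at, cond=None):
    """Assemble `jr [cond,] target` placed at `at`; the offset counts from the next opcode."""
    off = target - (at + 2)
    if not -128 <= off <= 127:
        raise ValueError(f"jr at {at:04X} cannot reach {target:04X}")
    return bytes([{None: 0x18, "nz": 0x20}[cond], off & 0xFF])

def write(mem, addr, data):
    i = addr - HRAM_BASE
    if i < 0 or i + len(data) > HRAM_SIZE:
        raise ValueError(f"write at {addr:04X} leaves HRAM")
    mem[i:i + len(data)] = data
    return mem

def new_hram(oam_page=0xC0):
    """HRAM holding the Pan Docs DMA routine (assumed to match the game's copy): ld a,HIGH(oam); ldh [$FF46],a; ld a,40; .wait: dec a; jr nz,.wait; ret"""
    routine = bytes([0x3E, oam_page, 0xE0, 0x46, 0x3E, 40]) + DEC_A + jr(0xFF86, 0xFF87, "nz") + RET
    return write(bytearray(HRAM_SIZE), 0xFF80, routine)

def safe_install(mem, payload):
    """Crystal_'s method: guard with ret, write the payload behind it, arm with nop. The payload must end in ret (or jp)."""
    write(mem, 0xFF80, RET)                 # each frame now returns at once while we write
    write(mem, 0xFF81, payload)
    return write(mem, 0xFF80, NOP)          # armed: execution falls through into the payload

def luckytyphlosion_install(mem, region):
    """Red/Blue variant: divert at FF86, relocate the delay loop to FFF9, then jp to RAM code."""
    write(mem, 0xFF86, jr(0xFFF9, 0xFF86))
    loop_and_jump = DEC_A + jr(0xFFF9, 0xFFFA, "nz") + bytes([0xC3, region & 0xFF, region >> 8])
    return write(mem, 0xFFF9, loop_and_jump)

def run(mem, pc=0xFF80, max_steps=10_000):
    """Trace a tiny SM83 subset from pc; returns (exit kind, address, number of `dec a` steps)."""
    rd = lambda addr: mem[addr - HRAM_BASE]
    rel = lambda addr: (rd(addr) ^ 0x80) - 0x80                        # sign-extend jr offset
    a = decs = 0
    for _ in range(max_steps):
        op = rd(pc)
        if op == 0x00: pc += 1                                           # nop
        elif op == 0x3E: a, pc = rd(pc + 1), pc + 2                      # ld a,n
        elif op == 0xE0: pc += 2                                         # ldh [n],a: DMA kick, no effect here
        elif op == 0x3D: a, decs, pc = (a - 1) & 0xFF, decs + 1, pc + 1  # dec a (Z flag tracked via a)
        elif op == 0x18: pc += 2 + rel(pc + 1)                           # jr
        elif op == 0x20: pc += 2 + (rel(pc + 1) if a else 0)             # jr nz
        elif op == 0xC3: return "jp", rd(pc + 1) | rd(pc + 2) << 8, decs
        elif op == 0xC9: return "ret", pc, decs
        else: raise ValueError(f"unsupported opcode {op:02X} at {pc:04X}")
    raise RuntimeError("routine never exited")
```

Tracing `luckytyphlosion_install` shows the 40-iteration delay loop is preserved before control leaves HRAM, while the `ret` guard in `safe_install` makes every frame's call return without touching the half-written payload.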
OAM DMA hijacking is useful as a form of 'real-time' arbitrary code execution, allowing the player to perform exploits such as walking through walls in Generation II or permanently writing a 0x50 sub-tile to the beginning of the screen data in Generation I.