Celebi to Mew conversion
By manipulating VRAM so that it contains 0xFB at a specific location, it is possible to force the conversion of Celebi to Mew when trading between Pokémon Gold and Pokémon Yellow.
Note that this is not confirmed on a real console, only an emulator.
Undefined (memory-based), possibly one-way conversions
Celebi (hex:FB) has a difficult-to-predict conversion when transferred from Pokémon Gold/Silver to Generation I, but always becomes hex:$63 (Omastar) when transferred from Crystal to Generation I, where the value is apparently read past the end of the table, out of the remainder of the ROM bank.
An Egg (hex:FD) has a difficult-to-predict conversion in G/S/C.
When the game converts a Generation II ID into a Generation I ID, it searches for that ID in the conversion table and uses the position at which it is found as the Generation I ID.
For example, Kangaskhan has the Generation II ID $73. The game will search from the beginning of the conversion table. Since it finds Kangaskhan as the second entry, its Generation I ID becomes $02.
Neither $FB (in Gold and Silver) nor $FD appears in the remainder of the ROM bank, so the search does not stop there: the game continues searching for $FB in writable memory instead.
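The search described above, modelled as an added example (this is not code from the article or from the games; the abbreviated table, the filler memory after it and the 8-bit position counter are this model's assumptions):

```python
# Added example (not from the article or the games): model of the Generation II
# to Generation I species conversion search the article describes.
from typing import Optional

# Constructed, abbreviated conversion table: 1-based position (Generation I
# internal index) -> Generation II national ID. Only the first 21 entries are
# listed, Rhydon ($01 -> $70) through Mew ($15 -> $97); the real table is longer.
CONVERSION_TABLE = bytes([
    0x70, 0x73, 0x20, 0x23, 0x15, 0x64, 0x22, 0x50, 0x02, 0x67,
    0x6C, 0x66, 0x58, 0x5E, 0x1D, 0x1F, 0x68, 0x6F, 0x83, 0x3B,
    0x97,
])
KANGASKHAN_GEN2, MEW_GEN2, CELEBI_GEN2 = 0x73, 0x97, 0xFB
MEW_GEN1 = 0x15


def convert_to_gen1(memory: bytes, table_offset: int, gen2_id: int) -> int:
    """Scan from the table start and return the 1-based position of the first
    byte equal to gen2_id. The count is kept to 8 bits (assumption: the game
    counts in a single byte, so positions past 255 wrap). If the ID is not in
    the table the scan just keeps going into whatever memory follows it."""
    position = 0
    for byte in memory[table_offset:]:
        position = (position + 1) & 0xFF
        if byte == gen2_id:
            return position
    raise ValueError(f"ID {gen2_id:#04x} never found")


def build_memory(fb_offset: Optional[int]) -> bytes:
    """Constructed memory image: the table, then 1 KiB of filler with no $FB in
    it (the rest of the bank and what follows), with one $FB optionally planted."""
    image = bytearray(CONVERSION_TABLE) + bytearray(0x400)
    if fb_offset is not None:
        image[fb_offset] = CELEBI_GEN2
    return bytes(image)


def celebi_result(fb_offset: Optional[int]) -> Optional[int]:
    """Generation I ID Celebi ends up with when $FB sits at fb_offset, or None
    when the scan never finds an $FB at all."""
    try:
        return convert_to_gen1(build_memory(fb_offset), 0, CELEBI_GEN2)
    except ValueError:
        return None


if __name__ == "__main__":
    print(hex(convert_to_gen1(build_memory(None), 0, KANGASKHAN_GEN2)))  # 0x2
    print(celebi_result(None))  # None: no $FB anywhere after the table
    # 0-based offset 0x114 is 1-based position 0x115, which wraps to $15 (Mew)
    print(hex(celebi_result(0x114)))  # 0x15
```

The model also shows why the outcome depends on where the first $FB happens to sit: only an offset whose wrapped position equals $15 yields Mew, any other offset yields a different species.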
Celebi turning into Mew
Through trial and error, ChickasaurusGL found that writing FB to 803A in VRAM causes Celebi to turn into Mew. This address is part of the VRAM holding the player's sprite and is, unfortunately, updated often.
With Coin Case arbitrary code execution, however, you can force the game to write to this address constantly, leaving your overworld sprite corrupted until you reset the game and allowing Celebi to turn into Mew.
ChickasaurusGL used a method by Crystal_, in which the Coin Case is used to write bytes based on box 9's name, to do the following:
1) Give ourselves glitch Pokédex mode 06 by writing to D67E; this is the access point for ACE at FB0E, i.e. DB0E (done last).
2) Write the main code for writing to VRAM at DB2D.
3) Write data at FB0E that hijacks the HRAM (FFF9+) so that the game always jumps to DB2D (see OAM DMA hijacking).
4) Get ????? (FF) as Pokémon 1 (DA23=FF) to enable the Time Capsule exploit.
The following data must be written at FB0E using an arbitrary code execution method.
26 FF 2E 86 3E 18 22 3E 71 22 2E F9 3E 3D 22 3E 20 22 3E FD 22 3E C3 22 3E 2D
22 3E DB 22 C9 3E FB EA 3A 80 C9
06 should be written to D67E to get glitch Pokédex mode 0x06, which will execute the code at FB0E.
FF should be written to DA23 to get a ????? (FF) for the Time Capsule exploit.
This is a representation of the start of the code at FB0E (its first two instructions, 26 FF 2E 86):
ld h, FF    ; HL now points at FF86 in HRAM
ld l, 86
What it does:
1) Writes dec a (3D); jr nz,FFF9 (20 FD); jp DB2D (C3 2D DB) to FFF9 onwards, an address range the game executes on its own. (The 18 71 written to FF86 just before, as the byte listing shows, is a jr whose target is FFF9, which is what sends execution there.)
When the processor gets to FFF9, it:
- Loops (dec a / jr nz) until register a is 0. This apparently gives the DMA enough time to complete, which is needed for the trick to work on a real console.
- Jumps to DB2D to activate the code there.
2) Writes ld a,FB; ld [803A],a (3E FB EA 3A 80), followed by ret (C9), to DB2D.
ld a, FB; ld [803A], a makes the game write FB to 803A every time this code runs, until the game is powered off, allowing Celebi to convert into Mew.
- ChickasaurusGL (article description, with permission)
- luckytyphlosion: OAM DMA hijacking