Expanded party

From Glitch City Wiki
Jump to navigation Jump to search

An expanded party is a Pokémon party containing more than six Pokémon.

The player can find many glitch Pokémon and unstable hybrid Pokémon in the expanded party.

The expanded party can be accessed by having over 6 Pokémon directly (D163 in Red/Blue), or by using a glitch to access/swap them without actually having them. This can be done with both the closed menu Select glitch (Japanese versions only) or no expanded party international Select glitching.

In Pokémon Red, Green, Blue, and Yellow

An expanded party can be obtained with the SRAM glitch (including from a save file erased with Up+Select+B, which will give the player 255 party Pokémon), Super Glitch, special menu select glitches (by swapping lift destination and Cerulean City badge man entries), and arbitrary code execution.

Without using the SRAM glitch

Another means of obtaining the expanded party is as such:

  • Go to the PC in a Pokémon Center.
  • Go to deposit a Pokémon but view its summary first on the deposit/stats/cancel screen. This Pokémon must also have Super Glitch, preferably 0xA6 for the guaranteed corruption, but others have a chance of working.
  • After depositing it, check deposit again. If the party is glitched, the Super Glitch corruption worked, otherwise try again (The player can also skip this step to save time, at the risk of it having not worked, or use a memory viewer to check instead).
  • If Super Glitch is successful, the player will now have 255 Pokémon (due to a corruption of 0 Pokémon caused by the tiles at the Pokémon Center and Super Glitch, and an underflow from depositing).
  • Optionally (but recommended so viewing the expanded party doesn't freeze the game), the player can withdraw a Pokémon from the box, resulting in a party size matching the index number of the chosen Pokémon (for instance, withdrawing Exeggutor makes the expanded party not freeze but changes the party size to 10 (0x0A), and withdrawing Q (0xFF) makes the expanded party not freeze but keeps the size at 255)). Only the first species byte of the stored Pokémon matters.

Applications

From the expanded party, it is possible to perform many tasks; such as:

  • Altering items and registered Pokémon in the Pokédex (if a Pokémon is swapped with the 10th).
  • Digging up Pokémon that the player doesn't own.
  • Performing the Fossil conversion glitch.
  • Enabling the player to walk through walls (if the 62nd Pokémon is swapped with the 63rd).

In Pokémon Red, Green, and Pokémon Blue (Japanese), the closed menu Select glitches perform party Pokémon switches ignoring the number of Pokémon in the party; which allows for 'simulated' expanded party switches. A similar exploit (but requiring multiple glitches) in the English versions can be achieved with map size memory corruption.

Sometimes freezes occur when switching certain Pokémon beyond slot 6 or with a closed menu Select glitch due to the zero maximum HP glitch, in which one of the Pokémon has 0 maximum HP but over 0 current HP. This can be worked around by having a 0xFF Pokémon above the desired slot to place the 0 maximum HP Pokémon, so the game doesn't have to handle the HP (with the problem possibly caused by a division by zero when the game attempts to draw the HP bar).

Banning in speedruns

The expanded party has been banned from 151 Pokémon speedruns (catching all 151 species of valid Pokémon aiming for the fastest time possible) for both (Red/Blue and Yellow); the rational that using the glitch to obtain Pokémon wouldn't be seen as obtaining them. Specifically, the expanded party also allows the player to directly change their Pokédex flags having never caught those Pokémon; and the Pokémon beyond slot 6 are extrapolated beyond the data structures for main data, Trainer names, and nicknames (as illustrated below).

Memory addresses

Notes: This assumes no potential technicalities and that the extrapolations are correct. At least the species byte 1 and main data has yielded results, but has only been briefly been checked. This data is for Pokémon Red and Blue; addresses are -1 in Yellow version, and +5 of what they were in the English versions for non-English European versions. For Japanese version data, see Expanded party/RGBYJP.

Pokémon # Species byte 1 Main data
(44 bytes each)
Trainer name
(11 bytes each)
Nickname
(11 bytes each)
1 $D163 $D16B $D273 $D2B5
2 $D164 $D197 $D27E $D2C0
3 $D165 $D1C3 $D289 $D2CB
4 $D166 $D1EF $D294 $D2D6
5 $D167 $D21B $D29F $D2E1
6 $D168 $D247 $D2AA $D2EC
7 $D169 $D273 $D2B5 $D2F7
8 $D16A $D29F $D2C0 $D302
9 $D16B $D2CB $D2CB $D30D
10 $D16C $D2F7 $D2D6 $D318
11 $D16D $D323 $D2E1 $D323
12 $D16E $D34F $D2EC $D32E
13 $D16F $D37B $D2F7 $D339
14 $D170 $D3A7 $D302 $D344
15 $D171 $D3D3 $D30D $D34F
16 $D172 $D3FF $D318 $D35A
17 $D173 $D42B $D323 $D365
18 $D174 $D457 $D32E $D370
19 $D175 $D483 $D339 $D37B
20 $D176 $D4AF $D344 $D386
21 $D177 $D4DB $D34F $D391
22 $D178 $D507 $D35A $D39C
23 $D179 $D533 $D365 $D3A7
24 $D17A $D55F $D370 $D3B2
25 $D17B $D58B $D37B $D3BD
26 $D17C $D5B7 $D386 $D3C8
27 $D17D $D5E3 $D391 $D3D3
28 $D17E $D60F $D39C $D3DE
29 $D17F $D63B $D3A7 $D3E9
30 $D180 $D667 $D3B2 $D3F4
31 $D181 $D693 $D3BD $D3FF
32 $D182 $D6BF $D3C8 $D40A
33 $D183 $D6EB $D3D3 $D415
34 $D184 $D717 $D3DE $D420
35 $D185 $D743 $D3E9 $D42B
36 $D186 $D76F $D3F4 $D436
37 $D187 $D79B $D3FF $D441
38 $D188 $D7C7 $D40A $D44C
39 $D189 $D7F3 $D415 $D457
40 $D18A $D81F $D420 $D462
41 $D18B $D84B $D42B $D46D
42 $D18C $D877 $D436 $D478
43 $D18D $D8A3 $D441 $D483
44 $D18E $D8CF $D44C $D48E
45 $D18F $D8FB $D457 $D499
46 $D190 $D927 $D462 $D4A4
47 $D191 $D953 $D46D $D4AF
48 $D192 $D97F $D478 $D4BA
49 $D193 $D9AB $D483 $D4C5
50 $D194 $D9D7 $D48E $D4D0
51 $D195 $DA03 $D499 $D4DB
52 $D196 $DA2F $D4A4 $D4E6
53 $D197 $DA5B $D4AF $D4F1
54 $D198 $DA87 $D4BA $D4FC
55 $D199 $DAB3 $D4C5 $D507
56 $D19A $DADF $D4D0 $D512
57 $D19B $DB0B $D4DB $D51D
58 $D19C $DB37 $D4E6 $D528
59 $D19D $DB63 $D4F1 $D533
60 $D19E $DB8F $D4FC $D53E
61 $D19F $DBBB $D507 $D549
62 $D1A0 $DBE7 $D512 $D554
63 $D1A1 $DC13 $D51D $D55F
64 $D1A2 $DC3F $D528 $D56A
65 $D1A3 $DC6B $D533 $D575
66 $D1A4 $DC97 $D53E $D580
67 $D1A5 $DCC3 $D549 $D58B
68 $D1A6 $DCEF $D554 $D596
69 $D1A7 $DD1B $D55F $D5A1
70 $D1A8 $DD47 $D56A $D5AC
71 $D1A9 $DD73 $D575 $D5B7
72 $D1AA $DD9F $D580 $D5C2
73 $D1AB $DDCB $D58B $D5CD
74 $D1AC $DDF7 $D596 $D5D8
75 $D1AD $DE23 $D5A1 $D5E3
76 $D1AE $DE4F $D5AC $D5EE
77 $D1AF $DE7B $D5B7 $D5F9
78 $D1B0 $DEA7 $D5C2 $D604
79 $D1B1 $DED3 $D5CD $D60F
80 $D1B2 $DEFF $D5D8 $D61A
81 $D1B3 $DF2B $D5E3 $D625
82 $D1B4 $DF57 $D5EE $D630
83 $D1B5 $DF83 $D5F9 $D63B
84 $D1B6 $DFAF $D604 $D646
85 $D1B7 $DFDB $D60F $D651
86 $D1B8 $E007 $D61A $D65C
87 $D1B9 $E033 $D625 $D667
88 $D1BA $E05F $D630 $D672
89 $D1BB $E08B $D63B $D67D
90 $D1BC $E0B7 $D646 $D688
91 $D1BD $E0E3 $D651 $D693
92 $D1BE $E10F $D65C $D69E
93 $D1BF $E13B $D667 $D6A9
94 $D1C0 $E167 $D672 $D6B4
95 $D1C1 $E193 $D67D $D6BF
96 $D1C2 $E1BF $D688 $D6CA
97 $D1C3 $E1EB $D693 $D6D5
98 $D1C4 $E217 $D69E $D6E0
99 $D1C5 $E243 $D6A9 $D6EB
100 $D1C6 $E26F $D6B4 $D6F6
101 $D1C7 $E29B $D6BF $D701
102 $D1C8 $E2C7 $D6CA $D70C
103 $D1C9 $E2F3 $D6D5 $D717
104 $D1CA $E31F $D6E0 $D722
105 $D1CB $E34B $D6EB $D72D
106 $D1CC $E377 $D6F6 $D738
107 $D1CD $E3A3 $D701 $D743
108 $D1CE $E3CF $D70C $D74E
109 $D1CF $E3FB $D717 $D759
110 $D1D0 $E427 $D722 $D764
111 $D1D1 $E453 $D72D $D76F
112 $D1D2 $E47F $D738 $D77A
113 $D1D3 $E4AB $D743 $D785
114 $D1D4 $E4D7 $D74E $D790
115 $D1D5 $E503 $D759 $D79B
116 $D1D6 $E52F $D764 $D7A6
117 $D1D7 $E55B $D76F $D7B1
118 $D1D8 $E587 $D77A $D7BC
119 $D1D9 $E5B3 $D785 $D7C7
120 $D1DA $E5DF $D790 $D7D2
121 $D1DB $E60B $D79B $D7DD
122 $D1DC $E637 $D7A6 $D7E8
123 $D1DD $E663 $D7B1 $D7F3
124 $D1DE $E68F $D7BC $D7FE
125 $D1DF $E6BB $D7C7 $D809
126 $D1E0 $E6E7 $D7D2 $D814
127 $D1E1 $E713 $D7DD $D81F
128 $D1E2 $E73F $D7E8 $D82A
129 $D1E3 $E76B $D7F3 $D835
130 $D1E4 $E797 $D7FE $D840
131 $D1E5 $E7C3 $D809 $D84B
132 $D1E6 $E7EF $D814 $D856
133 $D1E7 $E81B $D81F $D861
134 $D1E8 $E847 $D82A $D86C
135 $D1E9 $E873 $D835 $D877
136 $D1EA $E89F $D840 $D882
137 $D1EB $E8CB $D84B $D88D
138 $D1EC $E8F7 $D856 $D898
139 $D1ED $E923 $D861 $D8A3
140 $D1EE $E94F $D86C $D8AE
141 $D1EF $E97B $D877 $D8B9
142 $D1F0 $E9A7 $D882 $D8C4
143 $D1F1 $E9D3 $D88D $D8CF
144 $D1F2 $E9FF $D898 $D8DA
145 $D1F3 $EA2B $D8A3 $D8E5
146 $D1F4 $EA57 $D8AE $D8F0
147 $D1F5 $EA83 $D8B9 $D8FB
148 $D1F6 $EAAF $D8C4 $D906
149 $D1F7 $EADB $D8CF $D911
150 $D1F8 $EB07 $D8DA $D91C
151 $D1F9 $EB33 $D8E5 $D927
152 $D1FA $EB5F $D8F0 $D932
153 $D1FB $EB8B $D8FB $D93D
154 $D1FC $EBB7 $D906 $D948
155 $D1FD $EBE3 $D911 $D953
156 $D1FE $EC0F $D91C $D95E
157 $D1FF $EC3B $D927 $D969
158 $D200 $EC67 $D932 $D974
159 $D201 $EC93 $D93D $D97F
160 $D202 $ECBF $D948 $D98A
161 $D203 $ECEB $D953 $D995
162 $D204 $ED17 $D95E $D9A0
163 $D205 $ED43 $D969 $D9AB
164 $D206 $ED6F $D974 $D9B6
165 $D207 $ED9B $D97F $D9C1
166 $D208 $EDC7 $D98A $D9CC
167 $D209 $EDF3 $D995 $D9D7
168 $D20A $EE1F $D9A0 $D9E2
169 $D20B $EE4B $D9AB $D9ED
170 $D20C $EE77 $D9B6 $D9F8
171 $D20D $EEA3 $D9C1 $DA03
172 $D20E $EECF $D9CC $DA0E
173 $D20F $EEFB $D9D7 $DA19
174 $D210 $EF27 $D9E2 $DA24
175 $D211 $EF53 $D9ED $DA2F
176 $D212 $EF7F $D9F8 $DA3A
177 $D213 $EFAB $DA03 $DA45
178 $D214 $EFD7 $DA0E $DA50
179 $D215 $F003 $DA19 $DA5B
180 $D216 $F02F $DA24 $DA66
181 $D217 $F05B $DA2F $DA71
182 $D218 $F087 $DA3A $DA7C
183 $D219 $F0B3 $DA45 $DA87
184 $D21A $F0DF $DA50 $DA92
185 $D21B $F10B $DA5B $DA9D
186 $D21C $F137 $DA66 $DAA8
187 $D21D $F163 $DA71 $DAB3
188 $D21E $F18F $DA7C $DABE
189 $D21F $F1BB $DA87 $DAC9
190 $D220 $F1E7 $DA92 $DAD4
191 $D221 $F213 $DA9D $DADF
192 $D222 $F23F $DAA8 $DAEA
193 $D223 $F26B $DAB3 $DAF5
194 $D224 $F297 $DABE $DB00
195 $D225 $F2C3 $DAC9 $DB0B
196 $D226 $F2EF $DAD4 $DB16
197 $D227 $F31B $DADF $DB21
198 $D228 $F347 $DAEA $DB2C
199 $D229 $F373 $DAF5 $DB37
200 $D22A $F39F $DB00 $DB42
201 $D22B $F3CB $DB0B $DB4D
202 $D22C $F3F7 $DB16 $DB58
203 $D22D $F423 $DB21 $DB63
204 $D22E $F44F $DB2C $DB6E
205 $D22F $F47B $DB37 $DB79
206 $D230 $F4A7 $DB42 $DB84
207 $D231 $F4D3 $DB4D $DB8F
208 $D232 $F4FF $DB58 $DB9A
209 $D233 $F52B $DB63 $DBA5
210 $D234 $F557 $DB6E $DBB0
211 $D235 $F583 $DB79 $DBBB
212 $D236 $F5AF $DB84 $DBC6
213 $D237 $F5DB $DB8F $DBD1
214 $D238 $F607 $DB9A $DBDC
215 $D239 $F633 $DBA5 $DBE7
216 $D23A $F65F $DBB0 $DBF2
217 $D23B $F68B $DBBB $DBFD
218 $D23C $F6B7 $DBC6 $DC08
219 $D23D $F6E3 $DBD1 $DC13
220 $D23E $F70F $DBDC $DC1E
221 $D23F $F73B $DBE7 $DC29
222 $D240 $F767 $DBF2 $DC34
223 $D241 $F793 $DBFD $DC3F
224 $D242 $F7BF $DC08 $DC4A
225 $D243 $F7EB $DC13 $DC55
226 $D244 $F817 $DC1E $DC60
227 $D245 $F843 $DC29 $DC6B
228 $D246 $F86F $DC34 $DC76
229 $D247 $F89B $DC3F $DC81
230 $D248 $F8C7 $DC4A $DC8C
231 $D249 $F8F3 $DC55 $DC97
232 $D24A $F91F $DC60 $DCA2
233 $D24B $F94B $DC6B $DCAD
234 $D24C $F977 $DC76 $DCB8
235 $D24D $F9A3 $DC81 $DCC3
236 $D24E $F9CF $DC8C $DCCE
237 $D24F $F9FB $DC97 $DCD9
238 $D250 $FA27 $DCA2 $DCE4
239 $D251 $FA53 $DCAD $DCEF
240 $D252 $FA7F $DCB8 $DCFA
241 $D253 $FAAB $DCC3 $DD05
242 $D254 $FAD7 $DCCE $DD10
243 $D255 $FB03 $DCD9 $DD1B
244 $D256 $FB2F $DCE4 $DD26
245 $D257 $FB5B $DCEF $DD31
246 $D258 $FB87 $DCFA $DD3C
247 $D259 $FBB3 $DD05 $DD47
248 $D25A $FBDF $DD10 $DD52
249 $D25B $FC0B $DD1B $DD5D
250 $D25C $FC37 $DD26 $DD68
251 $D25D $FC63 $DD31 $DD73
252 $D25E $FC8F $DD3C $DD7E
253 $D25F $FCBB $DD47 $DD89
254 $D260 $FCE7 $DD52 $DD94
255 $D261 $FD13 $DD5D $DD9F
256 $D262 $FD3F $DD68 $DDAA

Other buffers:

Swapping mechanics

Since each party Pokémon has four distinct pieces of data, for party Pokémon beyond number 6, those data regions often overlap, which causes the effect of swapping two Pokémon to be non-obvious. In addition, the data regions for Pokémon main data extrapolates to the stack region as well as the Echo RAM region, which may also cause complicated behaviors. Discounting possible stack corruption issues, the procedure for swapping two different party Pokémon works as follows[1]:

  • Swap their species bytes 1 using the HRAM byte hSwapTemp as the buffer.
  • Swap their main data using the buffer wSwitchPartyMonTempBuffer ($CC97 for R/B).
  • Swap their Trainer names using the buffer wSwitchPartyMonTempBuffer.
  • Swap their nicknames using the buffer wSwitchPartyMonTempBuffer.

The details of each individual swap operation should only matter in rare cases, such as when the main data regions of the two Pokémon overlap or when one of them overlaps with the buffer (both thanks to the Echo RAM). Denoting the Pokémon selected first as Pokémon A and the one selected second as Pokémon B, each individual swap operation works as follows:

  • Copy the data for Pokémon B to the buffer.
  • Copy the data for Pokémon A to the data for Pokémon B.
  • Copy the buffer to the data for Pokémon A.

Healing an expanded party

When trying to fully heal an expanded party in Pokémon Red, Green, Blue, and Yellow, the game will attempt to restore HP, status conditions and PP for Pokémon beyond the sixth slot of the party, causing out-of-bounds memory addresses to be corrupted.

Doing any of the following things causes the game to heal the party, and may cause memory corruption if done while having an expanded party:

  • Healing at a Pokémon Center
  • Blacking out
  • Healing by talking to Mom at the player's house in Pallet Town
  • Healing at the nurse in Silph Co. 9F
  • Stepping onto the purified zone in Pokémon Tower 5F
  • Ending a Link Cable battle
  • Ending the battle against the rival in Oak's Lab

Conditions for triggering the glitch

There are specific conditions that trigger the memory corruption to happen when healing the party. Notably, it's the lack of a 0xFF terminator byte within the list of party Pokémon species that causes memory corruption, since the party healing function looks for the 0xFF terminator byte to know when it's reached the end of the party.

As such, not all expanded party scenarios will trigger memory corruption from healing the party - most notably, an expanded party obtained via the SRAM glitch will not trigger memory corruption, since the 0xFF terminator byte lies at the beginning of the list. An expanded party obtained via Super Glitch, however, will likely trigger the memory corruption, since Super Glitch tends to overwrite the 0xFF terminator byte at the end of the party Pokémon species list.

Memory corruption pattern

The memory corruption caused by healing with an expanded party is sparse, but can affect a large diversity of memory locations, depending on how soon the 0xFF terminator byte is found.

For each non-0xFF byte found in the party Pokémon species list, the party healing routine traverses the party Pokémon records beginning at 0xD16B (for Pokémon Red and Blue), 0xD16A (for Pokémon Yellow), 0xD12B (for Pokémon Red and Green). Each record is 44 (0x2C) bytes long and the following offsets in each record are manipulated as such:

Offsets Description Action
0x01, 0x02 HP

(wPartyMon#HP)

Overwritten with the values copied from offsets 0x22, 0x23 respectively
0x04 Status conditions

(wPartyMon#Status)

Overwritten with the value 0
0x1C, 0x1D, 0x1E, 0x1F PP for moves

(wPartyMon#PP)

Lower 6 bits are overwritten with max PP value determined from move ID read from offsets 0x08, 0x09, 0x0A, 0x0B respectively, plus bonus PP calculated from PP Up count determined from upper 2 bits of the preexisting value (which are kept the same)

NOTE: If one of the move IDs read is 0, nothing is overwritten for the current offset and the later offsets are skipped, since the game assumes the move list to be terminated.

To calculate the addresses manipulated when healing a certain party slot, multiply the zero-based index of the slot by the size of the Pokémon record (0x2C bytes), add that to the party starting address depending on the game version as mentioned before, and add the offsets mentioned above to get the effective addresses accessed when that particular party index is healed.

Since the healing routine uses 16-bit pointers to traverse the memory and only looks for a 0xFF terminator byte to stop execution, it can potentially corrupt memory past the end of the expanded party region (that is, beyond the 256th party Pokémon record) and reach I/O registers and HRAM. This has been confirmed with an oversized expanded party obtained via memory hacking and using a debugger.

Effects

Screenshot of Pokémon Blue, in the player's house in Pallet Town sitting in front of where his Mom is supposed to be, except she's missing, and the background has two scratchy diagonal streaks of horizontal stripes of glitch tiles stippled throughout it.
Tilemap corruption caused by healing an expanded party of at least 107 Pokémon (in this case, over 115, which overflows the screen buffer)

Healing with an expanded party may cause the game to crash. This can be caused by corruption of the stack, but it can also be caused by corruption of the map script pointer (which does not usually happen due to an unused memory address containing 0x00 terminating a PP restore as explained above, but can be made to happen if nearby memory was previously corrupted by something like Super Glitch).

Another effect that has been observed after expanded party healing is repeated text prompts, either bringing up a normal text box or a glitched one. It's speculated that this could also be caused by corruption of the map script pointer, since no other affected memory addresses have been found to be a possible cause for this.

Other memory corruption side-effects include possible corruption of game state variables such as party Pokémon OT names and nicknames, owned/seen Pokédex flags, bag items, rival name, map text pointer, map connection data, current sprite set ID, warp entries, signs, trainer data, map connection boundaries and map view VRAM pointer, box items, missable object flags, game progress flags, saved meta-map scripts, event flags, day care Pokémon data and boxed Pokémon data, as well as possible corruption of sound engine variables and the tilemap causing mild graphical and audio glitches.

Pokémon Center glitch animation

An unrelated effect can also be seen when healing at a Pokémon Center with an expanded party, where the animation for placing Poké Balls on the healing station will attempt to place more than 6 Poké Balls, overflowing the OAM buffer and slowly filling the screen with glitch tiles. This animation starts after the party healing has been performed, and is based on the party count, not the presence of the 0xFF terminator byte in the party species list. If the party count is high enough, this can corrupt the map data.

An interesting thing to point out is that the glitch animation will not happen with a party that's merely missing its 0xFF terminator byte but has a normal party count, but the corruption from the party healing itself will still happen in this case.

In Pokémon Gold, Silver and Crystal

An expanded party can be obtained with the ????? party overloading or arbitrary code execution. It is more prone to freezes than in Generation I.

The expanded party with specific requirements can enable the party-based map distortion glitch found by werster and RingRush.

Additionally, it is possible to cause limited memory corruption by swapping the moves of party Pokémon beyond slot 6 using the "move" option.

In Pokémon Emerald

This article is incomplete. Please feel free to add any missing information about the subject.

The expanded party can be accessed indirectly with Glitzer Popping, directly through the News Reporter trick (itself currently requiring Glitzer Popping), and possibly both directly and indirectly through arbitrary code execution.

Other names

  • Pokédos Cartouche (or Poké-dos Cartouche).

See also

Trivia

  • Despite the huge size of the expanded party, it can seemingly not touch HRAM.
This article or section is a stub. You can help Glitch City Wiki by expanding it.