This is a guide on how to execute and/or exploit a glitch. For a more technical overview of the glitch involved, see 0x1500 control code arbitrary code execution.

This page serves as a repository on a 0x1500 ACE setup for the English, Italian and Spanish versions of Pokémon Crystal. It is part of the TimoVM's Gen 2 ACE setups set of guides.

The preparation is best done during morning or midday in-game. If needed, you can change the in-game clock with the help of this tool.

If you encounter any issues when going through this guide or would like to provide feedback, please contact TimoVM on the Glitch City Research Institute Discord.

When playing on cartridge or emulator, it is required to have previously cleared an old save by pressing SELECT + UP + B simultaneously on the start screen at least once since obtaining the cart. Otherwise you will not be able to obtain a bad clone or an unterminated name pokémon.

Setting up initial ACE

Pokémon Crystal contains two important differences compared to its predecessors. Firstly, Crystal won't abort the text printing function when it encounters a $00 value, instead printing a '?' instead. Secondly, Crystal added new printing funtions related to the Mobile Game Boy Adapter, a Japanese exclusive peripheral that allowed internet connectivity through a mobile phone.

By obtaining a pokémon whose name does not contain the usual text terminator, we can force the game into printing much larger amounts of texts than would otherwise be possible. By abusing an illegal Mobile Adapter function and setting up memory in a specific way, we can escape the text printing function and trigger arbitrary code execution based on the data of the last viewed party pokémon.

In practice, the initial ACE setup will be created using the following general process:

1. Obtain a Spearow
2. Obtain an unterminated name pokémon.
3. Set up the currently buffered memory in such a way that we can trigger 0x1500 ACE upon seeing the name of the unterminated name pokémon.

This guide can be performed right after obtaining poké balls for the first time, but can be performed regardless of game progression.

Regarding PKHex

At the moment, this guide is incompatible with saves exported from PKHex. Upon exporting a save, PKHex will fill all currently unused data for the OT name and nickname of all boxes with text terminators, making it impossible to obtain an unterminated name pokémon.

Step 1: Obtaining a Spearow

1. Obtain a Spearow through one of the following methods:
   • Catch a Spearow in the wild. It is recommended to catch a Spearow in the south part of route 46, which is accessible from the beginning of the game. (30% encounter odds, only during morning or midday)
   • Talk to the gate guard between Goldenrod City and route 35 to obtain a Spearow.
2. Head to the nearest pokémon center and continue with the next step.

Step 2: Preparing the bad clone and remaining items

1. Use the bad clone glitch to obtain a pokémon with an unterminated name.
   1. For this, use a box that has never been full at any point in time. It’s recommended to start with an empty box.
   2. Deposit a single pokémon. Attempt to save the game using "Move Pokémon w/o mail" but reset the game a bit just after the game has fully printed "SAVING... DON'T TURN OFF THE POWER".
   3. After rebooting the game, use a potion up to where the game brings up the party screen. the potion doesn't have to actually be used, you can cancel from here), then check the newly deposited pokémon.
   4. If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late.
   5. If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2.
2. Now that you have an unterminated name pokémon, put it in box 14. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 14.
3. You now have everything needed for the setup, you can continue with the next step.

Step 3: Testing the setup and using ACE

Now that we have everything ready, we'll be verifying the setup by testing a code that will safely exit ACE without any additional side effects. Once we have verified the setup, we can replace the test box code with another box code to apply various effects.

In order to be able to test the setup, rename box 14 to the following names:

Using the ACE setup

Before executing ACE, arrange your party as follow:

• Slot 1 - Spearow
• Slots 2-6 aren't relevant for this setup.

Next, make sure you set up the following:

• Make box 14 the current active box, ensure that the bad clone is the only pokémon in box 14.
• Make sure that the box name code you wish to execute was correctly entered.

Finally, in order to execute ACE, do the following actions:

1. Stand in front of the PC on the second floor of any pokémon center. Take one step down, take one step left until you end up at the location indicated by the above screenshot on the left. Save the game here and reset.
2. After reloading the save, take one step to the right and take one step up. You should now be standing right in front of the PC. (these steps need to be taken in the correct order, otherwise the setup will not work)
3. Open the start menu, select Spearow so that you get the option to look at its summary and switch its party position as indicated by the above screenshot on the right, then exit and close the start menu.
4. Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE. If the screen stays white, press "A" a couple of times until the box view reappears.

If the game doesn't crash, the setup was a success and you can continue to the next step.

Setting up an ACE environment

While we now have a way to execute box name codes using ACE, the current setup has a few drawbacks:

• Executing ACE requires performing various specific steps, preventing us from using ACE whenever we want.
• Box name codes have a limited characterset, effectively meaning that it's difficult to set up more complicated ACE effects.

To resolve this issue, we're going to install the Mail Writer. This is a 50 byte program, installed as a series of TM quantities, that will allow us to quickly and efficiently write and execute any arbitrary code we want.

To do that, we're going to use a box name code to obtain 255 copies of all TMs, then sell them in specific quantities to write out a program. Alongside that, the box name code will also add a TM15 to the main item pocket. Using this TM15, outside of the TM/HM pocket, will allow us to execute the Mail Writer at any time without requiring additional setup.

The mail writer itself will be installed in the TM/HM pocket through the following two step process:

1. Execute a box code using 0x1500 control code ACE that sets the quantities of all 50 TMs to x255, as well as placing a TM15 in the main item pocket and installing a setup so that using this TM15 will redirect execution to the start of the TM/HM pocket.
2. Sell TMs in specific quantities so that the amount of TMs in the TM/HM pocket spell out a small mail writer program.

Step 4: setting all TM quantities to x255

• Rename box names to form the following language dependent codes. Please mind the differences between uppercase X (), lowercase x () and multiplication symbol ().

• Then, execute 0x1500 control code ACE using the method described in the [section here].

• If the code was successfully executed, the TM/HM pocket should now be completely filled with 255 copies of every TM. Additionally, the first item in the main item pocket will have changed into a TM15. Using it will execute code in the TM/HM pocket. Make sure to save after verifying that the code worked.

Step 5: Selling TMs to form a program in the TM/HM pocket

Now that we have obtained x255 of every TM, we'll be selling specific amounts of these in order to form a program. This program differs slightly depending on the specific language you're using. The following table displays how many TMs of each kind you need to end up with, along with the amount of money you gain by selling them.

Once you're done selling all TMs, simply use TM15 to activate the mail writer.

Language independent TMs

Language dependent TMs

Once this has been done, continue to the next step.

Step 6: Using the mail writer

From now on, simply use the TM15 in the main item pocket to start up the Mail riter.

The Mail Writer will open a screen that asks you to write the contents of a mail. This is where you'll need to enter mail codes. Once done, use the "END" option to finish the mail.

This will cause the mail writer to convert the newly written code into assembly. It will also print a checksum (sum of all written values) on the screen just to the right of the lower row. This can be used to verify if a code was entered correctly.

Due to a lack of available memory in the TM/HM pocket, it is not possible to quit the RAM writer without executing the newly written code. If you ever accidentally activate the mail writer and would like to quit, simply write a mail containing "Rh" then confirm and exit the RAM writer.

Assembly can easily be converted to mail codes using TimoVM's MailConverter. Simply paste the assembly of the code you wish to enter here, press "run" and the converter will automatically generate mail codes requiring the least amount of button presses to write.

Controls

Between entering mail codes, the mail writer will ask for user input.

• Press SELECT to open a new mail and continue writing data.
• Press START to immediately jump to and start executing the newly written program. Only use this when you've finished every mail.
• Press any other button to go back one byte at a time to correct errors. If the printed checksum doesn't match the expected checksum, press DOWN 16 times to retry the last mail. This will also overwrite the printed checksum with the value at the currently selected address, giving you a method to check how far back you're going.

Enter your mail code, then press "END".	It prints the checksum and waits for input.

What to do with the Mail writer

The Mail writer allows you to easily write and execute arbitrary payloads. Aside from writing your own codes, we recommend the following:

• Mail codes: this page contains a collection of assembly for mail codes that can be used for a variety of common purposes such as editing pokémon, obtaining items, etc..
• RAM writer: (recommended for more experienced users) this page contains the assembly for a large one-size-fits all program that allows you to edit any value in RAM with a user-friendly GUI. It will also fix the side effects of the ACE setup when you first run it.

Addendum: repairing the TM15 bootstrap

In case something happens with the TM15 bootstrap that causes it to no longer function, you can repair bootstrap without having to reset TM quantities using the following procedure:

• Enter the following language-specific box names. Please mind the differences between uppercase X (), lowercase x () and multiplication symbol ().

• Execute 0x1500 ACE using the usual steps.
• If the code executes succesfully without crashing the game, the bootstrap has now been repaired.

Appendix: In-depth explanation of the setup

Effect of Onix

Defeating the provided list of pokémon and viewing Onix's summary will result in the following values starting from the buffered species ID at $D10E, assuming the pokémon is in party slot #2:

5F		ld e, a
00		nop
21 67 00	ld hl, $0067	; Determined by Onix's moves, Tackle and Screech
00		nop
BF		cp a, a
1E 00		ld e, $00	; $BF1E corresponds to Onix's OTID of 48926
01 XX 00	ld bc, $00XX	; $XX is determined by the exact level of the opponents fought
D2 00 F0	jp nc, $F000

After the effect of 0x1500 ACE is triggered and execution is redirected to $D10E, execution slides harmlessly through move, OTID and experience data before jumping to $F000, which is echo RAM for $D000 and is located two bytes before the last buffered mail.

Effect of Sandshrew

Defeating the provided list of pokémon and viewing Sandshrew's summary will result in the following values starting from the buffered species ID at $D10E, assuming the pokémon is in party slot #2:

1B		dec de
30 0A		jr .jump
XX XX XX XX XX XX XX XX XX 73	; Move, OTID and experience is skipped over by the jr instruction
00		nop		; .jump
C3 00 F0	jp $F000

After the effect of 0x1500 ACE is triggered and execution is redirected to $D10E, execution jumps over move, OTID and experience data, followed by another jump to $F000, which is echo RAM for $D000 and is located two bytes before the last buffered mail.

Effect of the mail

The last read mail is buffered from $D002 onward. Please note that viewing the bad clone in box #1 will write the value $01 to $D003 and $D004. Converting the characters from the mail to assembly results in the following, ordered by language:

English

FA 01 01	ld a, ($0101)	; a = $C3
A7		and a, a		; Reset carry flag
D4 75 FB	call nc, wBoxNames
A7		and a, a		; Reset carry flag
E1		pop hl		; After returning from 0x1500 ACE, this prevents the print function from printing text in WRAM.
D0		ret nc

French

FA 01 01	ld a, ($0101)	; a = $C3
D6 F5		sub $F5		; a = $CE, TM15's item ID
EA 93 F8	ld (wItems), a	; Main item pocket, first item ID
D6 F3		sub $F3		; a = $DB
EA 86 FB	ld ($FB86), a
EA E9 FB	ld ($FBE9), a
4E		ld a, a
D6 BA		sub $BA		; a = $21
EA 75 FB	ld (wBoxNames), a
D6 FF		sub $FF		; a = $22
EA B7 FB	ld ($FBB7), a
AF		xor a		; a = $00, set zero flag
CC 75 DB	call z, wBoxNames
E1		pop hl		; After returning from 0x1500 ACE, this prevents the print function from printing text in WRAM.
D0		ret nc

German

FA 01 01	ld a, ($0101)	; a = $C3
87		add a, a		; a = $86
C6 9C		add $9C		; a = $22
EA A9 FB	ld ($FBA9), a
C6 FF		add $FF		; a = $21
EA 75 FB	ld (wBoxNames), a
AF		xor a		; a = $00
F6 4E		or $4E		; a = $4E
F6 80		or $80		; a : $CE
EA 93 F8	ld (wItems), a	; Main item pocket, first item ID
F0 F0		ld a, ($FFF0)	; a = 0, zero flag is NOT reset
C4 75 FB	call z, wBoxNames
E1		pop hl		; After returning from 0x1500 ACE, this prevents the print function from printing text in WRAM.
C0		ret nz

Italian & Spanish

FA 01 01	ld a, ($0101)	; a = $C3
D6 A1		sub $A1		; a = $22
EA C8 FB	ld ($FBC8), a
AF		xor a		; a = $00
CD 75 FB	call wBoxNames
EA 9F FB	ld ($FB9F), a	; Prevent a game crash when viewing the box name
F6 4E		or $4E		; a = $DE
C6 F0		add $F0		; a = $CE
EA 93 F8	ld (wItems), a	; Main item pocket, first item ID
E1		pop hl		; After returning from 0x1500 ACE, this prevents the print function from printing text in WRAM.
C9		ret

Effect of the box name

Box name data starts from $D8BF onward. Converting the provided mail code to assembly results in the following:

English

F6 FF		or $FF		; a = $FF, reset carry flag
D0		ret nc		; Safely return to normal game operation

French

21 80 80	ld hl, $8080
C9		ret		; Safely return to normal game operation

German

21 80 80	ld hl, $8080
F6 FF		or $FF		; a = $FF, reset carry & zero flag
C0		ret nz		; Safely return to normal game operation

Italian & Spanish

C9		ret		; Safely return to normal game operation

Explanation on the 0x1500 ACE setup

This setup uses 0x1500 control code ACE. Since the page already contains an explanation on how it works, this page will focus on what the setup does to achieve its effect.

Relevant addresses for this explanation:

• Attempting to toss 21 items will buffer $15 at $D10C.
• For a list at the highest size it has ever been, the "Quantity" of the CANCEL button will be $00, which will be buffered at $D10D when the CANCEL button is used with A. This forms the required $1500 to start executing ACE.
• By opening the start menu and moving one step up at the specified location, the game will load in a $C0 (ret nz) at $CD70, allowing safe return from the effects of $1500. The game will resume executing from $D10E onward.
• The last pokémon viewed is buffered from $D10E onward. Setting Tackle ($21) as its first move allows safe passage over Screech ($67).
• Rocky’s trainer ID is fixed and will be $BF (cp a, which resets the carry flag) and $1E. Both values are safe to pass.
• Rocky’s XP total will end up between 326 and 350. This is always interpreted as $01 and $XX. since the high HP stat exp byte is always $00, the total is interpreted as ld bc, $00XX. This means that exp is always safe to pass.
• Due to the specific pokémon defeated, the data in the stat experience fields will be read as $D2 $00 $F0. This is interpreted as jp nc $F000, due to echo ram this will redirect execution to $D000, which is where the last read mail was buffered. The nc condition is always fulfilled thanks to the previous $BF (cp a) in Onix’s Trainer ID.
• At this point, the mail will redirect execution to $FB75. Due to echo ram, this will effectively redirect execution to $DB75, the start of box name 1. Please note that $D003 and $D004 are overwritten by opening the withdraw screen to the values of the current box and slot of the currently selected stored pokémon. These values are taken care of by setting the first character of the mail to $FA, which is interpreted along with the next two values as ld a, (YYXX).
• Afterwards, the game will simply execute the box name code.

• For the alternative method, selecting Spearow to read its mail will buffer both its species and party slot to $D108 and $D109. By putting a Spearow in the topmost party slot, this will buffer a $15 and $00 respectively. One drawback of this approach is that these RAM values are more volatile and are immediately overwritten after executing ACE. Luckily, Onix’s species ID ($5F) acts as a text terminator, preventing users from accidentally crashing the game if they forget to reset these values.

Additional note: $D086 isn’t actually relevant to the setup. The reason it’s mentioned here is because using an item buffers the item’s name to this location, placing a $50 terminator just a bit after where the pokémon’s name is normally buffered. Having this terminator in place will allow you to safely view an unterminated pokémon’s name.

Plain text transcript for codes

• Mail

4 4 4 h ‘s … 5 h Pk ‘d 

4 4 4 j' ♀ é T 2 j' / é G 5 é & 5
j' à é ... 5 j' 9 é x 5 p î ... s' Pk ô 

4 4 4 H ë : é j 5 ë 9 é ... 5 p 0
0 A é T 2 $ $ ö ... 5 Pk Ä

4 4 4 ° b é Ì 5 p Ù ... 5 é ] 5 0
È $ é T 2 Pk Í

4 4 4 ° b é Ì 5 p Ù ... 5 é ] 5 0
È $ é T 2 Pk Í

• Test box code

0 9 'd

A A A ô

A A A 0 9 Ä

Í

Í