OAM DMA hijacking: Difference between revisions

{{clr}}
 
'''OAM DMA hijacking''' ('''Object Attribute Memory Direct Memory Access hijacking''') is a means of changing the OAM DMA routine at FF80-FF89 in Game Boy games by glitching or hacking (the routine's end can be extended, e.g. if FF89 held the first byte of a two-byte relative jump, FF8A would be occupied as well). This article describes how to do it with glitches in the Pokémon games.
 
This glitch works by hijacking the "OAM DMA" routine associated with sprites. {{elaborate}}
 
An easy means to perform OAM DMA hijacking in both {{RB}} and {{GS}} is to write to the HRAM region starting at FF80. Care must be taken, however, because the routine there is executed every frame: a half-written payload would be run as soon as its first bytes are in place. For this reason it is safe to first place a ret (0xC9) opcode at FF80, write the code after it (from FF81 onward), and only then replace the ret with a nop (0x00). While the ret is in place the OAM transfer simply does not happen and sprites stop updating, which does not crash the game. This exploit was documented by Crystal_.
 
It can be used for both arbitrary code execution and adding custom OAM sprite entries.
 
==Normal behaviour==
During gameplay the routine at FF80 is executed every frame. In [[Pokémon Red and Blue]] and [[Pokémon Yellow]] it writes to the OAM DMA [[I/O]] register (FF46 on the memory map) as follows:
 
ld a,c3      ; FF80: 3E C3  high byte of the source address (C300)
ld (ff46),a  ; FF82: E0 46  writing FF46 starts the OAM DMA transfer
ld a,28      ; FF84: 3E 28  loop counter: 0x28 = 40 passes
dec a        ; FF86: 3D     delay loop, spun while the transfer runs
jr nz,ff86   ; FF87: 20 FD  dec a + taken jr = 4 M-cycles, so 40 passes is about 160 M-cycles
ret          ; FF89: C9
 
Writing C3 to FF46 starts an OAM DMA transfer that copies the 160 bytes at C300-C39F (the game's sprite buffer in WRAM) into the sprite attribute table at FE00-FE9F; in other words, C3XX is the source from which the OAM sprites are refreshed every frame. While the transfer is in progress the CPU can only access HRAM, which is why the routine lives at FF80 and why it spins in the dec a / jr nz loop until the transfer is done. For more information, see [https://gbdev.io/pandocs/OAM.html#vram-sprite-attribute-table-oam this section in the Pan Docs].
 
==Setup (additional arbitrary code execution)==
At the desired RAM address (e.g. D34A), write:
 
ld a,(FFD3) ; F0 D3  a = random number (hRandomAdd, the first "D-sum" byte)
ld (FFF8),a ; E0 F8  put a into FFF8, which controls what buttons are being pressed
ret         ; C9     return here so nothing past this snippet (D34A-D34E) is executed
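To see the normal routine and the reason for the ret-first write order in motion, here is an added example (written for this article, not code from the wiki or from the games): a small Python interpreter for just the SM83 opcodes that appear above. It replays the stock FF80 routine (the DMA copy from C300 and the 40-pass delay loop), then writes a four-byte payload into FF80 one byte per frame in two different orders, running FF80 after every write the way the VBlank handler would. The payload (nop; jp D34A), the hRandomAdd value 0x5A and the sprite-buffer contents are constructed for the example; the page does not say how FF80 reaches D34A, so the jp is an assumption.

```python
"""Added example: minimal SM83 interpreter covering only the opcodes on this page."""

# Bytes taken from the page's listings.
OAM_DMA_ROUTINE = bytes.fromhex("3EC3E0463E283D20FDC9")  # FF80-FF89
SETUP_PAYLOAD = bytes.fromhex("F0D3E0F8C9")              # D34A-D34E

# Assumed payload for FF80-FF83: nop ; jp D34A (one way to reach the setup code).
HIJACK_PAYLOAD = bytes.fromhex("00C34AD3")

HRAM_ENTRY = 0xFF80
RETURN_SENTINEL = 0x0000   # address the simulated VBlank handler "calls" FF80 from
MAX_STEPS = 10_000

# Naive order: bytes written in address order, so FF80 becomes nop while
# FF81-FF83 still hold bytes of the old routine (C3 E0 46 = jp 46E0).
NAIVE_ORDER = [(HRAM_ENTRY + i, b) for i, b in enumerate(HIJACK_PAYLOAD)]
# Safe order (as the page recommends): ret at FF80 first, payload after it, nop last.
SAFE_ORDER = ([(HRAM_ENTRY, 0xC9)]
              + [(HRAM_ENTRY + i, b) for i, b in enumerate(HIJACK_PAYLOAD) if i > 0]
              + [(HRAM_ENTRY, HIJACK_PAYLOAD[0])])


class Runaway(Exception):
    """Control left the code we loaded (on real hardware: a crash or worse)."""


class GB:
    def __init__(self):
        self.mem = bytearray(0x10000)
        self.a, self.zf, self.pc, self.sp = 0, False, 0, 0xFFFE
        self.code_regions = [(0xFF80, 0xFFFF)]   # HRAM is always executable here
        self.dec_count = 0                      # dec a executions (delay-loop passes)
        self.dma_transfers = []                 # values written to FF46

    def load(self, addr, data):
        self.mem[addr:addr + len(data)] = data
        self.code_regions.append((addr, addr + len(data)))

    def write(self, addr, val):
        self.mem[addr] = val
        if addr == 0xFF46:   # OAM DMA: copy val*0x100 .. +0x9F into FE00-FE9F
            src = val << 8
            self.mem[0xFE00:0xFEA0] = self.mem[src:src + 0xA0]
            self.dma_transfers.append(val)

    def push(self, v):
        self.sp -= 2
        self.mem[self.sp], self.mem[self.sp + 1] = v & 0xFF, v >> 8

    def pop(self):
        v = self.mem[self.sp] | (self.mem[self.sp + 1] << 8)
        self.sp += 2
        return v

    def fetch(self):
        b = self.mem[self.pc]
        self.pc = (self.pc + 1) & 0xFFFF
        return b

    def step(self):
        op = self.fetch()
        if op == 0x00:                      # nop
            pass
        elif op == 0x3E:                    # ld a,n8
            self.a = self.fetch()
        elif op == 0xE0:                    # ldh (a8),a
            self.write(0xFF00 | self.fetch(), self.a)
        elif op == 0xF0:                    # ldh a,(a8)
            self.a = self.mem[0xFF00 | self.fetch()]
        elif op == 0x3D:                    # dec a (Z set when a reaches 0)
            self.a = (self.a - 1) & 0xFF
            self.zf = self.a == 0
            self.dec_count += 1
        elif op == 0x20:                    # jr nz,e8 (signed offset)
            off = self.fetch()
            if not self.zf:
                self.pc = (self.pc + (off - 0x100 if off > 0x7F else off)) & 0xFFFF
        elif op == 0xC3:                    # jp a16
            lo, hi = self.fetch(), self.fetch()
            self.pc = lo | (hi << 8)
        elif op == 0xC9:                    # ret
            self.pc = self.pop()
        else:
            raise Runaway(f"unsupported opcode {op:02X} at {self.pc - 1:04X}")

    def run_frame(self):
        """Model the VBlank handler calling FF80 and waiting for it to ret."""
        self.push(RETURN_SENTINEL)
        self.pc = HRAM_ENTRY
        for _ in range(MAX_STEPS):
            self.step()
            if self.pc == RETURN_SENTINEL and self.sp == 0xFFFE:
                return
            if not any(lo <= self.pc < hi for lo, hi in self.code_regions):
                raise Runaway(f"control left loaded code, pc={self.pc:04X}")
        raise Runaway("FF80 never returned")


def stock_frame():
    """One frame of the unmodified routine: DMA from C300 plus the 40-pass delay loop."""
    gb = GB()
    gb.load(HRAM_ENTRY, OAM_DMA_ROUTINE)
    gb.mem[0xC300:0xC3A0] = bytes(range(0xA0))   # constructed sprite-buffer contents
    gb.run_frame()
    return gb


def hijack(order):
    """Apply one byte write per frame in the given order; report whether control was lost."""
    gb = GB()
    gb.load(HRAM_ENTRY, OAM_DMA_ROUTINE)
    gb.load(0xD34A, SETUP_PAYLOAD)
    gb.mem[0xFFD3] = 0x5A        # constructed hRandomAdd value
    try:
        for addr, val in order:
            gb.mem[addr] = val   # the glitch writes one byte...
            gb.run_frame()       # ...and the next VBlank runs FF80 regardless
    except Runaway as e:
        return gb, str(e)
    return gb, None


if __name__ == "__main__":
    g = stock_frame()
    print(f"stock: DMA from page {g.dma_transfers[0]:02X}, loop passes {g.dec_count}")
    for name, order in (("naive", NAIVE_ORDER), ("safe", SAFE_ORDER)):
        g, err = hijack(order)
        print(f"{name}: {err or 'ok, FFF8=%02X' % g.mem[0xFFF8]}")
```

The naive order loses control on the very first frame: FF80 is now a nop, and execution falls into the old bytes at FF81-FF83 (C3 E0 46), a jp to 46E0. The safe order never executes a half-written payload because every frame hits the ret at FF80 until the nop is written last, after which FF80 jumps to D34A and the random byte lands in FFF8. Note also that once hijacked, FF46 is no longer written, so sprites stop updating unless the payload performs the DMA itself.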