Pokémon Communication Center SRAM glitches

From Glitch City Wiki
Please note that this glitch only exists in the Japanese versions of the game, or is otherwise a glitch from a Pokémon game which was only released in Japan.

Locked up controls at the Pokémon Communication Center are a confirmed effect on real hardware.

The Pokémon Communication Center SRAM glitches are glitches which occur in the Japanese version of Pokémon Crystal, which cause unusual effects to occur upon entering the Pokémon Communication Center, including game freezes.

Details

In Japanese Pokémon Crystal, the game reads offset $A800 of the save file (specifically SRAM bank 5:A800) in order to execute a script in Goldenrod City's Pokémon Communication Center (PokéCom Center).

According to Háčky from the Glitch City Laboratories forums, the script values are supposed to range from 00-05. However, what the scripts are for is unknown.

If the script is 02 or 03, the game sets it back to 01 upon entering the PokéCom Center. If it is 04, then the game will bring up a glitched Pokémon transfer screen, in which you can obtain a Pokémon, such as ????? (00). What determines the Pokémon is currently unknown.

When the player performs their first save, or if save data is cleared via Up+Select+B, the $A800 script is set to $00 as intended. However, if the player has yet to perform a save or reset their data, the $A800 value may not be $00.

In the emulator BGB, initial SRAM values are randomized if there is no save file. In the emulator Bizhawk, there is no randomness and the initial SRAM value for $A800 is set to $FF.

If the player plays through Japanese Pokémon Crystal up to walking into the Pokémon Communication Center without saving the game, then they will be able to execute an invalid $A800 script, such as $FF.

The glitch may occur with a Japanese Pokémon Crystal cartridge with a dead battery. For example, it is possible for the controls to lock up upon entering the Pokémon Communication Center with a dead-battery Japanese Pokémon Crystal cartridge.

Whether it is possible to get glitch scripts other than $FF on real hardware without arbitrary code execution is unknown.

Details about the $FF script

Script $FF executes arbitrary code from $C2DD in RAM.

In ChickasaurusGL's run up to Goldenrod City, entering the Poké Communication Center with this glitch script resulted in a lock-up, where the player could not move around in the building and NPCs did not move.

The area following C2DD can be manipulated by opening the Pokégear or the Pokémon menu just before entering the Pokémon Communication Center.

Manipulating the effect

1) After opening the Pokégear just before entering the building, it is possible to obtain an infinite loop of the message "おまたせ しました! こうかんの あいでが みつかっていた ようです あなたの あたらしい なかまです かわいがって あげて くださいね それでは またの ごりようを おまち しております!" - in the Pokémon Crystal text dump, the official translation is "Thank you for your patience. A trade partner has been found. It's your new partner. Please take care of it with love. We hope to see you again." (http://iimarck.us/dumps/dcrystal.txt)

2) Opening the Pokémon menu and closing it lets you walk in the Poké Communications Center without visible glitches. Tested with a Croconaw and Egg in that order.

3) Switching the Egg as the first Pokémon and entering the Poké Communication Center can cause the game to reset and bring up the DMG (regular Game Boy) incompatibility message.

According to Háčky, the English Crystal disassembly contains a related function, Function1709bb in misc/mobile_45.asm, which is unused in the English version. The English version of that function checks the value at $A800 and resets it to 0 if it is invalid, averting the crash.
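The following is an added model of the behaviour described on this page, not code from the game or from the disassembly: it shows the SRAM script byte being consumed as-is (Japanese behaviour) next to the English-style range check that resets an invalid value to 0. The emulator initial values, the valid range 00-05, and the per-script effects are the ones stated above; the function names and the return strings are the example's own.

```python
"""Model of the PokéCom Center script byte and the English-style range check.
Constructed illustration: not the game's code or the disassembly's."""
import random

SCRIPT_ADDR = 0xA800               # SRAM bank 5 offset read on entering the centre
VALID_SCRIPTS = range(0x00, 0x06)  # script values are meant to be 00-05
RAM_CODE_ADDR = 0xC2DD             # script $FF executes whatever is in RAM here


def fresh_sram(emulator, rng=None):
    """Initial SRAM byte before any save: BGB randomises it, BizHawk uses $FF."""
    rng = rng or random.Random(0)  # seeded so the example is reproducible
    if emulator == "bgb":
        return {SCRIPT_ADDR: rng.randrange(0x100)}
    if emulator == "bizhawk":
        return {SCRIPT_ADDR: 0xFF}
    raise ValueError(f"unknown emulator {emulator!r}")


def save_game(sram):
    """First save (or Up+Select+B clear) writes the intended value $00."""
    sram[SCRIPT_ADDR] = 0x00


def read_script(sram, validate):
    """Japanese version: use the byte as-is.
    English-style (Function1709bb): reset an out-of-range value to 0 first."""
    value = sram[SCRIPT_ADDR]
    if validate and value not in VALID_SCRIPTS:
        sram[SCRIPT_ADDR] = 0x00
        return 0x00
    return value


def enter_pokecom(sram, validate=False):
    """Return what happens on entry, following the per-script rules above."""
    script = read_script(sram, validate)
    if script in (0x02, 0x03):
        sram[SCRIPT_ADDR] = 0x01  # the game sets 02/03 back to 01
    if script == 0x04:
        return "glitched transfer screen"
    if script == 0xFF:
        return f"execute RAM at ${RAM_CODE_ADDR:04X}"  # lock-up or ACE
    if script in VALID_SCRIPTS:
        return f"script ${script:02X}"
    return f"undefined script ${script:02X}"  # other uninitialised values
```

Run `enter_pokecom(fresh_sram("bizhawk"))` against `enter_pokecom(fresh_sram("bizhawk"), validate=True)` to see why the English check matters: the same unsaved cartridge state either jumps into RAM at $C2DD or is quietly reset to script $00.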

YouTube video

YouTube video by ChickasaurusGL


Credits

  • ChickasaurusGL, Háčky, et al.
  • ChickasaurusGL (video, article description text)