
Serial interrupt ACE: Difference between revisions

Adding tags; replacing "exploit" with "glitch" in certain places; adding incomplete/researchneeded notices
(Created the page)
Line 1:
{{Arbitrary code execution}}
{{Researchneeded|In Pokémon Crystal, the Mobile Link functionality might also be exploitable for serial interrupt arbitrary code execution, which could lead to discovering more good target pointers (currently we only have one)}}
 
'''Serial interrupt ACE''' (Serial interrupt Arbitrary Code Execution), also known as '''Invalid printer opcode ACE''' (Invalid printer opcode Arbitrary Code Execution), is a glitch in {{Y}}, as well as {{GSC}}, that allows arbitrary code to be executed by the serial interrupt handler, which is responsible for handling communications via the Game Boy Link Cable, and also responsible for controlling communication with the Game Boy Printer peripheral.
 
The glitch is set up by modifying the value of the variable '''wPrinterOpcode''' (address $D49A in {{Yellow}}, $C1D4 in {{GS}}, $C2D5 in {{C}}) to an invalid value, modifying '''wPrinterConnectionOpen''' ($D499 in [[Pokémon Yellow]], $C1D3 in {{GS}}, $C2D4 in {{C}}) to 0x01, and then using [[arbitrary code execution]] to initiate a transfer through the serial port. The glitch can then be triggered as many times as needed by the target code by simply initiating another serial transfer before returning.
 
This glitch can be useful for (though not necessarily needed for) implementing code that utilizes the Game Boy's serial communication feature, or as a substitute for [[OAM DMA hijacking]] for code that needs to run more frequently: while the OAM DMA routine only gets called about 60 times per second, the serial interrupt in Pokémon can be invoked up to almost 950 times per second using this technique (or double that if playing on a Game Boy Color with the double CPU speed setting selected).
 
== Mechanism behind the glitch ==
In {{RB}}, the Game Boy Link Cable feature is used to allow for linking up two instances of the game together. This allows for two players to battle against each other or trade Pokémon. The Game Boy's built-in serial interface was used to implement this. In {{Y}}, as well as in {{GSC}}, the feature was extended to allow the game to be linked up to the Game Boy Printer peripheral, which allowed the player to print out Pokédex entries, among other things.
 
Line 17:
 
Some good choices for invalid '''wPrinterOpcode''' values, along with their target locations, are:
{{Incomplete|More options for values for wPrinterOpcode for Generation II games}}
{| class="wikitable"
|+{{Y}}
Line 69 ⟶ 70:
|Echo RAM of wStackBottom + 1
|}
There exist many other values for '''wPrinterOpcode''' in all games that can be used for arbitrary code execution, but not all of them necessarily land in good places for storing an ACE payload or trampoline; exploring those values is left as an exercise to the reader.
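The tables above pair each invalid '''wPrinterOpcode''' value with the location the interrupt handler ends up jumping through. The C simulation below is an added example, not code from this page or from the games: it assumes the handler uses '''wPrinterOpcode''' as an unchecked index into a table of 16-bit handler addresses (the table offset, the handler addresses and the bytes that follow the table are all constructed), and shows why every out-of-range value resolves to some "target location": the dispatch simply reads whatever two bytes lie 2*opcode past the table base. The checked variant is the bounds check that would close the hole.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed 64 KiB address space standing in for the Game Boy's memory.
 * A 4-entry jump table of little-endian 16-bit handler addresses lives at
 * TABLE_BASE; the bytes right after it belong to unrelated variables, as they
 * would in a real WRAM layout. All values are illustrative, not the games'. */
#define RAM_SIZE      0x10000
#define TABLE_BASE    0x4000
#define TABLE_ENTRIES 4

static uint8_t ram[RAM_SIZE];

/* Populate the constructed memory image. */
void build_constructed_ram(void) {
    static const uint16_t handlers[TABLE_ENTRIES] = {0x1000, 0x1040, 0x1080, 0x10C0};
    memset(ram, 0, sizeof ram);
    for (size_t i = 0; i < TABLE_ENTRIES; i++) {
        ram[TABLE_BASE + 2 * i]     = (uint8_t)(handlers[i] & 0xFF);
        ram[TABLE_BASE + 2 * i + 1] = (uint8_t)(handlers[i] >> 8);
    }
    /* Two bytes of some other variable sitting immediately after the table.
     * With an unchecked index, opcode TABLE_ENTRIES reads these as a pointer. */
    ram[TABLE_BASE + 2 * TABLE_ENTRIES]     = 0xD4;
    ram[TABLE_BASE + 2 * TABLE_ENTRIES + 1] = 0xC1;
}

/* Unchecked dispatch: mirrors a handler that computes hl = table + 2*opcode
 * and jumps through the pointer found there, with no range check.
 * Returns the address it would jump to instead of actually jumping. */
int dispatch_unchecked(uint8_t opcode) {
    size_t off = TABLE_BASE + 2 * (size_t)opcode;   /* never exceeds RAM_SIZE here */
    return ram[off] | (ram[off + 1] << 8);
}

/* Checked dispatch: the mitigation. Any opcode outside the table is rejected
 * (-1) before it is ever used as an index. */
int dispatch_checked(uint8_t opcode) {
    if (opcode >= TABLE_ENTRIES)
        return -1;
    return dispatch_unchecked(opcode);
}

int main(void) {
    build_constructed_ram();
    printf("opcode 2, unchecked: jumps to $%04X\n", dispatch_unchecked(2));
    printf("opcode 4, unchecked: jumps to $%04X (bytes past the table)\n",
           dispatch_unchecked(4));
    printf("opcode 4, checked:   %d (rejected)\n", dispatch_checked(4));
    return 0;
}
```

For a valid opcode both versions agree; for the first out-of-range opcode the unchecked version "jumps" to an address assembled from neighbouring variable bytes, which is exactly what makes the choice of '''wPrinterOpcode''' value a choice of target location. The real handler never sees a hardened variant, so the defensive fix here is purely illustrative.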
 
== Setup ==
Invalid printer opcode ACE can be bootstrapped by any other arbitrary code execution technique in {{Y}} or {{GSC}}, but using [[Arbitrary code execution#Via items|glitch items]] (for {{Y}}) or [[TM/HMs outside of the TM/HM pocket|wrong pocket TM/HM ACE]] (for {{GSC}}) is by far the easiest way. See [[Arbitrary code execution#In Generation I|Arbitrary code execution in Generation I]] and [[Arbitrary code execution#In Generation II|Arbitrary code execution in Generation II]] for other ways of executing arbitrary code in Pokémon.
Line 142 ⟶ 141:
* [[Arbitrary code execution]]
* [[OAM DMA hijacking]]
[[Category:Arbitrary code execution]]
[[Category:Generation I glitches]]
[[Category:Generation II glitches]]
[[Category:Incomplete]]
[[Category:Articles needing further research]]