Author Topic: Debug menus in Japanese Crystal  (Read 5457 times)


Háčky

Debug menus in Japanese Crystal
« on: January 05, 2016, 09:01:23 am »
I came across what appears to be text for a few debug menus, which are only present in the Japanese version of Pokémon Crystal (not in the English version, and not in Gold and Silver). I haven’t started to work out how to load the menus—someone else might like to try!—but it does look like there’s some surviving code. They’re in bank $12, which is the same bank as the main menu.

$4AE81:
Quote
パレットへんこう
リセット
デバックモード オン
デバックモード オフ
“Palette Change” may refer to this well-known feature. “Reset”, “Debug Mode On”, and “Debug Mode Off” are vague, but tempting. (“A secret switch! Press it? Who wouldn’t?”)

$4AF2F:
Quote
シュウイチ
メグミ
ゲンキ
シュン
ヒトミ
エイジ
ナツホ
ゴロウ
コウイチ
ヤスアキ
カオリ
ツトム
ヨウイチ
ミズホ
マイク
ヨウタ
マナブ
リカ
クリオ
ミエハル
ミノル
マコト
チサト
モトヒロ
ヒデノリ
タケノリ
タロウ
エミ
アオイ
This appears to be a list of the trainers (plus アオイ/Buena) who can be registered on the Pokégear’s phone.

$4B030:
Quote
ラジオとう
ポケモンリーグ
てつどう
ロケットだん
ぜんぶオフ
“Radio Tower”, “Pokémon League”, “Railway”, “Team Rocket”, “All Off”. Would probably set/clear flags of the major story events.

$4B0A1:
Quote
エックス
ワイ
“X” and “Y”. Probably not a reference to the sixth-generation games :P

$4B13D:
Quote
でんわ
でんわフラグ
ラジオせんきょ
アオイポイント
ジーエスボール
カウンター
“Phone”, “Phone Flag”, “Radio Occupation”, “Buena Points”, “GS Ball” (!), and “Counter” (of what?).

$4B1E0:
Quote
いる
いない

$4B1F2:
Quote
みんな
ライコウ
エンテイ
スイクン
“All”, “Raikou”, “Entei”, “Suicune”.

camper

  • aka GlitcherRed, azum4roll
Re: Debug menus in Japanese Crystal
« Reply #1 on: January 05, 2016, 10:08:42 am »
I wonder if these are translated in Vietnamese Crystal...

Háčky

Re: Debug menus in Japanese Crystal
« Reply #2 on: January 06, 2016, 03:08:58 pm »
Apparently I hadn’t even gotten to the good part, which is in bank $3F:
Quote
ファイト
つうしんよう
フィールド
サウンド
アニメ
そのた
とけいきのう
グラフィック
いろいろ
“Fight”, “Communication Method” (based on the following text, this seems to be about selecting from the different Mobile Adapter cables), “Field”, “Sound”, “Animation”, “Other”, “Clock Function”, “Graphics”, “Various”.

Quote
わざマシンとじる
ゲーム
ワープ
テスト1
テスト2
テスト3
テスト4
かいふく
つぎ▶
パソコン
キャラ
ツールギア
じっけん
つくる
フロア
たまご
きろく
タイマー
いろいろ
どうぐ
むしとり
こづくり
うまれる
タマダ
ソガべ
カガヤ
マツダ
テツジ
I don’t know what the first one means, other than it’s something to do with TMs. After that, “Game”, “Warp”, “Test” 1–4, “Recovery”, “Next ▶”, “PC”, “Character”, “Tool Gear”, “Experiment”, “Make”, “Floor”, “Egg” (written in hiragana), “Record”, “Timer”, “Various”, “Item”, “Bug Catching”, “Child Making”, “Be Born”, “Egg” (in katakana this time). The last four are developers’ names: Hisashi Sogabe, Keita Kagaya, Yoshinori Matsuda, and Tetsuji Oota.

Next there are some text strings that seem to line up with the translated debug strings found in the English version, such as those regarding breeding compatibility. There’s a menu related to clock adjustments, and a list of warp destinations (which looks to be every town except Indigo Plateau, plus Lake of Rage, Mt. Silver, and the Rock Tunnel entrance).

Then it gets even more interesting:
Quote
スロットマシン
ポーカーゲーム
ぺアゲーム
ピクロス
“Slot Machine”, “Poker Game”, “Pair Game”, “Picross”. Were there supposed to be four Game Corner games? And could this have been the reason the GBC version of Pokémon Picross wasn’t released?

A string 「テストファイト」 (Test Fight) is followed by a preformatted table that looks eerily similar to something from the Ruby debug ROM:
Quote
・.  なまえ    レべル
1.▶000 ーーーーー  000
2. 000 ーーーーー  000
3. 000 ーーーーー  000
4. 000 ーーーーー  000
5. 000 ーーーーー  000
6. 000 ーーーーー  000

Finally, this looks suspiciously like a track listing for a sound test:
Quote
ストップ 
タイトル 
どうろ1 
どうろ3 
どうろ4 
リニア  
バトル1 
バトル3 
バトル4 
ポケセン 
しせん1 
しせん2 
しせん3 
あさ   
シオン  
ちか2  
ちか3  
つれてく2
カジノ  
じてんしゃ
でんどう 
タウン1 
タウン3 
かち1  
かち2  
かち3  
かち4  
ジム   
マイホーム
ラボ   
オーキド 
ライバル1
ライバル2
なみのり 
しんか  
こうえん 
おしまい 
キキョウ 
タウン12
まいこ  
ちか17 
バトル11
バトル13
どうろ13
ヒワダ  
ヨシノ  
バトル12
バトル14
バトル15
バトル16
ラボ11 
ちか112
どうろ15
どうろ18
こうそく 
しょうねん
しょうじょ
ロケット 
あやしい 
ぼうさん 
ワカバ  
コガネ  
クチバ  
ラジオ  
ふえ   
とう11 
とう11ー
とう12 
とう14 
みち111
みち112
みち113
ちか12ー
ちか113
バト112
アンノーン
かち22 
ごうロード
つれてく1
とう15 
こもり  
マーチ  
タイトル1
タイトル2
スタート 
いせき  
せんきょ 
ぶよう  
たいまい 
たいかい 
かいでんぱ
プリンタ 
エンド2 
イブキ  
インプット
モバイル1
あいことば
ミナキ  
タイトル3
バトルタワ
スイクン 
バトタワ2
ポケコミ


Quote
I wonder if these are translated in Vietnamese Crystal...

Funny you should ask that…I only found all this because I was in the process of putting together a TCRF article on Vietnamese Crystal ;D (There’s loads of duplicate translations, including some that were probably done by different people, plus a few unreferenced strings that I can’t even identify, like “SHIRK VERY HANDLY”.) The answer is that they translated “X”, “Y”, “IN”, and “NOT IN” (but didn’t use a valid pointer to “IN”, which set me off on this journey, so a big thank you to whoever made that mistake!). All the really juicy stuff was left untouched.

pokechu22

Re: Debug menus in Japanese Crystal
« Reply #3 on: January 06, 2016, 06:34:22 pm »
Quote
スロットマシン
ポーカーゲーム
ぺアゲーム
ピクロス
“Slot Machine”, “Poker Game”, “Pair Game”, “Picross”. Were there supposed to be four Game Corner games? And could this have been the reason the GBC version of Pokémon Picross wasn’t released?

I'm guessing that the "Pair game" refers to the unused memory game?

Háčky

Re: Debug menus in Japanese Crystal
« Reply #4 on: January 15, 2016, 10:05:40 pm »

Forcing this menu to appear in place of the Option menu is fairly straightforward, but most of the menu options don’t work and a couple of them crash the game.

For example, the 「ジーエスボール」 (GS Ball) option calls this function:
Code: [Select]
DebugGSBall: ; 4B205
ld a, $05
call $2FDA
ld a, $0B
ld [$A000], a
call $2FEA
ret
This opens SRAM bank 5 with a call to $2FDA, then sets $A000 to $0B, then closes SRAM with a call to $2FEA.

Or, it would, except that the functions to open and close SRAM are at $2F9D and $2FAD, not $2FDA and $2FEA. Apparently this debug code was built for a different version of the ROM, and the calls to functions above around $2E00 in bank 0 are offset by exactly $3D bytes. Restoring the functionality of this menu is just a matter of correcting these several function calls; I’ve attached an IPS patch which does this.

So, what does this menu do?

Phone (でんわ)

Brings up this submenu in which a trainer can be selected. After you make a selection, and close the menu, you will receive a phone call from that trainer, regardless of whether they’re registered in your Pokégear.

Phone Flags (でんわフラグ)

Brings up this submenu, which allows certain event flags (having nothing to do with the phone?) to be set or cleared. 「ラジオとう」 sets event flag $021, named EVENT_CLEARED_RADIO_TOWER in pokecrystal. 「ポケモンリーグ」 sets event flag $044, EVENT_BEAT_ELITE_FOUR. 「てつどう」 sets event flag $0CD, EVENT_RESTORED_POWER_TO_KANTO. 「ロケットだん」 sets event flag $022, EVENT_CLEARED_ROCKET_HIDEOUT. 「ぜんぶオフ」 clears all four of these flags.

Radio Occupation (ラジオせんきょ)
Sets $D84A to $7F, which gives the player all Johto badges except the Rising Badge. Team Rocket’s occupation of the Radio Tower begins when the seventh badge is received.

Buena Points (アオイポイント)
Sets $DC11 to $1D. This puts 29 points on the Blue Card, one short of the maximum.

GS Ball (ジーエスボール)
Sets offset $A000 of the save file to $0B. This has no apparent effect. I’m guessing the Mobile Adapter needs to be connected before the GS Ball can be received at the PokéCom Center?

Counter (カウンター)
Calls function 41:6255. This is _MobilePrintNum in pokecrystal’s misc/mobile_41.asm. Apparently this function is supposed to print a number on the screen, but the debug menu code doesn’t set any parameters and it doesn’t appear to do anything.


There doesn’t seem to be any surviving code for the first debug menu with the Palette Change/Reset/Debug Mode On/Debug Mode Off options. There are a few functions related to the X and Y strings, but I haven’t figured what they do yet. There’s a lot of code associated with the Raikou/Entei/Suicune menu, suggesting that it must do something quite elaborate. I haven’t even started on bank $3F.
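The call-target correction described in this post, as an added example (not code from the thread and not the contents of the attached IPS patch): it walks DebugGSBall instruction by instruction and subtracts $3D from each bank-0 call target. The byte encoding is hand-assembled from the listing above, the bank address 12:7205 is derived from the $4B205 label, the opcode table covers only the instructions in that listing, and using $2E00 as a hard threshold is an assumption based on the post's "above around $2E00".

```python
# Added example: rebase bank-0 call targets in leftover debug-build code.
BOGUS_OFFSET = 0x3D   # debug-build address minus release-build address (from the post)
THRESHOLD = 0x2E00    # assumption: the post only says "above around $2E00"
BANK0_END = 0x4000    # bank 0 is mapped at $0000-$3FFF

# Lengths of the only opcodes that occur in the listing; anything else is
# rejected rather than guessed at.
OPCODE_LEN = {0x3E: 2, 0xCD: 3, 0xEA: 3, 0xC9: 1}
CALL = 0xCD

# DebugGSBall at 12:7205 (file offset $4B205), hand-assembled from the listing.
DEBUG_GS_BALL_BASE = 0x7205
DEBUG_GS_BALL = bytes([
    0x3E, 0x05,        # ld a, $05
    0xCD, 0xDA, 0x2F,  # call $2FDA
    0x3E, 0x0B,        # ld a, $0B
    0xEA, 0x00, 0xA0,  # ld [$A000], a
    0xCD, 0xEA, 0x2F,  # call $2FEA
    0xC9,              # ret
])


def find_calls(code, base):
    """Linear sweep from the function start; return [(operand_address, target)].

    Walking instruction by instruction avoids mistaking a $CD byte inside an
    operand for a call opcode, which a plain byte search would do.
    """
    calls = []
    pos = 0
    while pos < len(code):
        opcode = code[pos]
        length = OPCODE_LEN.get(opcode)
        if length is None:
            raise ValueError(f"opcode ${opcode:02X} at ${base + pos:04X} not in table")
        if pos + length > len(code):
            raise ValueError(f"truncated instruction at ${base + pos:04X}")
        if opcode == CALL:
            target = int.from_bytes(code[pos + 1:pos + 3], "little")
            calls.append((base + pos + 1, target))
        pos += length
    return calls


def rebase_calls(code, base):
    """Return (patched_bytes, [(operand_address, old_target, new_target)])."""
    patched = bytearray(code)
    changes = []
    for operand_addr, target in find_calls(code, base):
        # Only bank-0 targets in the shifted region move; everything else stays.
        if THRESHOLD <= target < BANK0_END:
            fixed = target - BOGUS_OFFSET
            off = operand_addr - base
            patched[off:off + 2] = fixed.to_bytes(2, "little")
            changes.append((operand_addr, target, fixed))
    return bytes(patched), changes


if __name__ == "__main__":
    _, changes = rebase_calls(DEBUG_GS_BALL, DEBUG_GS_BALL_BASE)
    for addr, old, new in changes:
        print(f"12:{addr:04X}  call ${old:04X} -> call ${new:04X}")
```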

Wack0

Re: Debug menus in Japanese Crystal
« Reply #5 on: January 16, 2016, 10:20:32 am »
Nice work. The thing with the SRAM functions, and that this debug stuff is not in any other gen2 game, makes me think that it's in there because of a linker fuckup.

Any chance of making Game Genie codes to get this working? (Game Genie on GB/C are for ROM patches, right?)

Háčky

Re: Debug menus in Japanese Crystal
« Reply #6 on: January 18, 2016, 12:19:23 am »
Quote
Nice work. The thing with the SRAM functions, and that this debug stuff is not in any other gen2 game, makes me think that it's in there because of a linker fuckup.

It looks like the release build of bank $12 was written over the top of the debug build. The release code runs from $48000 to $4AE7C. The rest of the bank ought to be filled with $00, but instead the area from $4AE7D to $4B9E8 is code from the debug build. $4AE7E is the start of the Palette Change/Reset/Debug Mode menu—the code and header for that menu would likely have been in the region that was overwritten. Some of the leftover debug-build code is just normal gameplay functions that also appear in the release build of bank $12.

I’m guessing the same thing happened in bank $3F, and probably any other bank that had debug code in it. But odds are that Game Freak wasn’t nice enough to place all of their debug code near the end of a bank, so some leftovers could be perfectly mundane. I guess we’d at least be able to tell how many bytes were removed.

Quote
Any chance of making Game Genie codes to get this working? (Game Genie on GB/C are for ROM patches, right?)

Yes, but it only accepts three codes at a time, and GBC-only cartridges like Pokémon Crystal won’t even fit in the cartridge slot :P

But just in case you’d like to enter the codes into an emulator rather than an actual Game Genie…

Replace the Option menu with something more entertaining:
008-189-D5D
008-199-085
008-1A9-4C2
??8-1C9-E6E
??8-1E9-A27
??8-1F9-807
018-229-F72
The question marks are where the bank and address go. The phone/flags/etc. menu is at 12:70DE, so enter 12 DE 70.

Patch function calls for Phone option:
D7E-AA9-B3A
2FE-AB9-2AA
DCE-C39-80E
34E-C49-3BE

Patch function calls for Phone Flags option:
41F-EF9-193
41F-F79-193
41F-FF9-193
410-078-193
410-208-193

Patch function calls for GS Ball option:
9D2-088-801
AD2-108-4C1



Coordinates viewer

Displays the player character’s map coordinates in hexadecimal.

This function is at 12:7048, so enter 12 48 70 into the above code to replace the Option menu.
However, with this code, the game will freeze when exiting the coordinates window. Surely there’s a way around that, but I haven’t bothered to find it.

Patch function calls for coordinates viewer:
8C0-498-C4D
CC0-5F8-C4E
310-608-2A2
B00-658-5DD
B00-6E8-5DD
A10-718-911


Rainbow Wing test

Selecting Raikou, Entei, or Suicune on this menu brings up a text box which will say 「いる」 if that Pokémon is present in either the party or PC with the player’s OT name and ID, or 「いない」 if not. Selecting 「みんな」 will check for all three beasts and display 「いる」 if all three are present, or 「いない」 if at least one is absent. Catching all three legendary beasts and having them in the party or PC is the prerequisite for obtaining the Rainbow Wing. (I guess they didn’t think someone would put them in the Day Care…)

This function is at 12:7173, so enter 12 73 71 into the above code to replace the Option menu.

Patch function calls for Rainbow Wing test:
9D2-958-801
AD2-AA8-4C1
AD2-BA8-4C1
9D2-D08-801
AD2-F28-4C1
AD3-098-4C1


Other isolated debug functions
Code: [Select]
Function4aea5:
call Special_CelebiShrineEvent
ret

This plays the animation of Celebi descending into Ilex Forest.



Code: [Select]
Function4b16c:
callba Function16d43b
ret

This ends up displaying a non-functional “Mobile Trade” screen:



Code: [Select]
BOGUS_OFFSET EQU $3d

Function4b213:
ld a, $ff
call RandomRange + BOGUS_OFFSET ; $2f83 + $3d
ld [PlayerID], a ; $d48c
ld a, $ff
call RandomRange + BOGUS_OFFSET
ld [PlayerID + 1], a
ld a, $ff
call RandomRange + BOGUS_OFFSET
ld [wSecretID], a ; $d83d
ld a, $ff
call RandomRange + BOGUS_OFFSET
ld [wSecretID + 1], a
ret

This sets the trainer ID and secret ID to random values.

Code: [Select]
Function4b234:
callba $4b483
ret

This calls (using an unnecessary bank switch) the debug build’s copy of the function which displays a menu used to select three Pokémon for mobile battles.

(I’d initially thought that menu was something unused, because unlike in later generations, Crystal’s Battle Tower does not give you a menu to select your three Pokémon; the clerk just won’t let you in unless you have exactly three in your party. If they created such a menu for mobile battles, why didn’t they also use it for the Battle Tower?)


The remaining functions appear to be identical to what’s in the release build, including the code that executes the Rainbow Wing search, the nearly-identical code that searches for a species irrespective of OT, and the aforementioned menu for selecting three Pokémon. These non-debug functions altogether take up 1966 bytes, which is likely the amount of other debug code in bank $12 that didn’t make it into the ROM. :'(
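How the codes in this post map onto ROM bytes, as an added example (not code from the thread): a decoder for the Game Boy Game Genie's ABC-DEF-GHI layout, applied to the two GS Ball codes and to the Option-menu template with 12 DE 70 filled in. The layout is the commonly documented one and is not stated in the thread; the H = G XOR 8 check is an observation that holds for every code posted here, and the DebugGSBall bytes are hand-assembled from the earlier listing at derived bank address 12:7205.

```python
# Added example: decode Game Boy Game Genie codes and apply them to a byte image.
import re

CODE_RE = re.compile(r"^([0-9A-F]{3})-([0-9A-F]{3})-([0-9A-F]{3})$")

# Codes copied from the post above.
GS_BALL_CODES = ["9D2-088-801", "AD2-108-4C1"]
OPTION_MENU_TEMPLATE = ["008-189-D5D", "008-199-085", "008-1A9-4C2",
                        "??8-1C9-E6E", "??8-1E9-A27", "??8-1F9-807",
                        "018-229-F72"]

# DebugGSBall, hand-assembled from the earlier listing (constructed sample input).
DEBUG_GS_BALL_BASE = 0x7205
DEBUG_GS_BALL = bytes([0x3E, 0x05, 0xCD, 0xDA, 0x2F, 0x3E, 0x0B,
                       0xEA, 0x00, 0xA0, 0xCD, 0xEA, 0x2F, 0xC9])


def decode(code):
    """Return (address, new_byte, compare_byte, check_ok) for one code.

    Digits ABC-DEF-GHI: AB is the replacement byte; the CPU address is built
    from F (inverted), C, D, E; GI rotated right by two bits and XORed with
    $BA is the byte that must already be at that address. The code carries no
    bank number, so the compare byte is what stops it from firing when a
    different bank is mapped at the same address.
    """
    m = CODE_RE.match(code.upper())
    if not m:
        raise ValueError(f"not a complete 9-digit code: {code!r}")
    a, b, c, d, e, f, g, h, i = (int(ch, 16) for ch in "".join(m.groups()))
    new_byte = (a << 4) | b
    address = ((f ^ 0xF) << 12) | (c << 8) | (d << 4) | e
    gi = (g << 4) | i
    compare = (((gi >> 2) | (gi << 6)) & 0xFF) ^ 0xBA
    check_ok = h == (g ^ 8)   # observed in every code in this thread
    return address, new_byte, compare, check_ok


def fill_template(template, values):
    """Fill each leading '??' in order, e.g. with bank, low byte, high byte."""
    remaining = iter(values)
    return [line.replace("??", f"{next(remaining):02X}", 1)
            if line.startswith("??") else line
            for line in template]


def apply_codes(image, base, codes):
    """Patch `image` (mapped at `base`) the way the device does: a byte is
    replaced only if it currently equals the compare byte.

    Returns (patched_bytes, skipped_codes).
    """
    patched = bytearray(image)
    skipped = []
    for code in codes:
        address, new_byte, compare, _ = decode(code)
        off = address - base
        if 0 <= off < len(patched) and patched[off] == compare:
            patched[off] = new_byte
        else:
            skipped.append(code)
    return bytes(patched), skipped


if __name__ == "__main__":
    for code in GS_BALL_CODES + fill_template(OPTION_MENU_TEMPLATE, [0x12, 0xDE, 0x70]):
        address, new_byte, compare, ok = decode(code)
        print(f"{code}: ${address:04X}  ${compare:02X} -> ${new_byte:02X}"
              f"{'' if ok else '  (H digit unexpected)'}")
    patched, skipped = apply_codes(DEBUG_GS_BALL, DEBUG_GS_BALL_BASE, GS_BALL_CODES)
    print(patched.hex(" "), "skipped:", skipped)
```

Decoded this way, the two GS Ball codes rewrite only the low bytes of the two call operands, turning $2FDA and $2FEA into $2F9D and $2FAD.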

SatoMew

Re: Debug menus in Japanese Crystal
« Reply #7 on: January 18, 2016, 09:39:34 am »
These are amazing findings, Háčky! :)

Quote
GS Ball (ジーエスボール)
Sets offset $A000 of the save file to $0B. This has no apparent effect. I’m guessing the Mobile Adapter needs to be connected before the GS Ball can be received at the PokéCom Center?

Manually setting $A000 to $0B in BGB worked for me. Here's a video. (and, for the sake of comparison, the same event in Western Crystal)

Háčky

Re: Debug menus in Japanese Crystal
« Reply #8 on: January 18, 2016, 03:39:10 pm »
Quote
Manually setting $A000 to $0B in BGB worked for me. Here's a video. (and, for the sake of comparison, the same event in Western Crystal)

Oh. It didn’t work for me because…I was using a save file in which the GS Ball had already been obtained. *facepalm*



As I suspected, bank $3F went through exactly the same process as bank $12. The release build ends at $FD412. The debug build segment starts midway through the text 「こうかんした [$D066] げんき? [$D046]は すっごく かわいいわ!」 (localized as “How is that [$D086] I traded you doing? Your [$D050]’s so cute!”), which appears in the release build at $FD13C and would have started in the debug build at $FD407 (the first 12 bytes are cut off). This implies there would have been 715 bytes of debug code earlier in this bank.

The first 712 bytes of the debug leftovers ($FD413–$FD6DA) are normal text and code related to in-game trades and Mom buying items with your money. (The three-byte discrepancy is because the release build ends with a nop and two rets, which are likely artifacts of the debug code being cut from the release build.) This leaves us with a region from $FD6DB to $FF5D1 which ought to be 100% pure debugging goodness.

It’s great that there’s so much debug code…but not so great that all of it will need to be patched to work in the release build. That may take a while.
« Last Edit: January 18, 2016, 03:41:26 pm by Háčky »

Háčky

Re: Debug menus in Japanese Crystal
« Reply #9 on: February 28, 2016, 06:02:53 pm »
Yeah, that took a while.

Since many of the debug functions in bank $3F make calls to various other banks, I ended up looking at the end of every bank in order to find all fragments of the debug build, and piece together a map of known correspondences between addresses in the debug build and the release build. As it turns out, all surviving fragments other than those in banks $12 and $3F simply duplicate the regular code/data at the end of the bank. However, these fragments are useful, because pointers or function calls can be compared with the equivalent code in the release build to find the corresponding addresses.

It’s sort of like a giant Pokémon Picross puzzle, without the pesky microtransactions :P

I’ve made the assumption that if two locations in a bank have the same offset between the two builds, then everything between those two locations will also have the same offset. This assumption would fail if a number of bytes was removed from the release build in one place and the exact same number of bytes was added in a different place, but that seems unlikely. In fact, it seems unlikely that anything would be added in the release build that wasn’t in the debug build—but that apparently did happen in bank $24, which is why the one offset in the table below is negative.

Bank | Release | Debug | Offset
00 | 0000–25E2 | 0000–25E2 | 0
00 | 2AFB–3F42 | 2B38–3F7F | 3D
01 | 7B58–7E1E | 7BBB–7E81 | 63
03 | 7F22–7F26 | 7F27–7F2B | 5
09 | 501A–7D85 | 506B–7DD6 | 51
0B | 7E38–7E46 | 7E3F–7E4D | 7
0F | 68FA | 6991 | 97
0F | 7D40–7E9D | 7DDF–7F3C | 9F
12 | 4000–66CF | 4000–66CF | 0
12 |  | 66D0–723A |
12 | 66D0–6E7C | 723B–79E7 | B6B
13 | 6F57–7358 | 7359–775A | 402
20 | 53E6–5F01 | 541D–5F38 | 37
24 | 4000–4251 | 4000–4251 | 0
24 | 6439–6C3A | 642C–6C2D | −D
25 | 7AC0–7C11 | 7B02–7C53 | 42
25 | 7EEE–7F3F | 7F40–7F91 | 52
2E | 60DD–620E | 620F–6340 | 132
34 | 79C2–7C32 | 7C33–7EA3 | 271
3F | 5148–540F | 5413–56DA | 2CB
3F |  | 56DB–75D1 |
40 | 46FD–48A6 | 4996–4B3F | 299
40 | 76CA–7AF9 | 7AFA–7F29 | 430
41 | 637D–6397 | 678B–67A5 | 40E
41 | 67BA–6E22 | 6E23–748B | 669
46 | 7F99–7F9F | 7FA0–7FA6 | 7
5C | 4000–40B0 | 4000–40B0 | 0
5C | 6B12–7354 | 7355–7B97 | 843
5E | 7607–7628 | 7629–764A | 22

The attached IPS patch fixes (I think) all of the resolvable function calls in the debug code of banks $12 and $3F. This patch doesn’t enable access to any debug menus, it just makes them work if you do access them. There are over 150 bytes changed in bank $3F, so it doesn’t seem practical to list them all as Game Genie codes.

I’ve also come up with a simpler Game Genie code for accessing debug menus, which relies on the Select button rather than the Option menu. This avoids issues with popping windows. It does cause some graphical issues with some menus, most of which can be solved by opening and closing the Start menu both before and after pressing Select.

??B-609-F7A
??B-619-3BF
??B-629-2A7

The first line is the bank number and the last two are the address in little-endian order. For example, to call 3F:5C3D when the Select button is pressed, enter the codes 3FB-609-F7A · 3DB-619-3BF · 5CB-629-2A7.

Most of the text scripts (as opposed to raw strings such as the menu options) within bank $3F’s debug code are translated in the English ROM’s bank $6F. I’ve put these official translations in quotation marks, whereas my own translations are in italics. Note that some of the official translations don’t quite make sense in the context that they’re used.


Debug menu (3F:56DB)


The text to the left says ROM Version. The displayed build date is stored in ASCII, presumably because it was automatically generated by the build system, and is converted at runtime to the game’s own character set.

This menu actually has nine programmed options, but is set to display only the first, second, third, fourth, ninth, fifth, eighth, and sixth, in that order. The missing seventh option is 「とけいきのう」 Clock Function. Additionally, there’s unreferenced code for a menu related to Mobile Adapter cables, plus one other function that’s no longer functional, in the midst of the code for these menu options.

Fight (ファイト)
Code: [Select]
DebugFight: ; fd8b7
ld hl, wMonStatusFlags
set 0, [hl] ; Disable post-battle text.

predef $3a

ld hl, wMonStatusFlags
res 0, [hl] ; Re-enable post-battle text.
ret

This calls predef $3A.

…What is predef $3A, you ask?

It’s…just a ret.

Specifically, it’s one of those two rets at the end of the release build of bank $3F. This implies that the intended function should exist somewhere in the debug build, but there’s technically no way to know which function it is.

…Let’s take a wild guess and say that it’s 3F:657C, because that one has something to do with a fight.



On the first screen, the player’s party may be chosen. The D-Pad moves the cursor, A increments the selected value, and B decrements it. The Pokédex number defaults to 000 (no Pokémon) and may be set to any value from 000 to 253 (glitch Egg). The level also defaults to 000—which, if left at that value, also means that no Pokémon will be generated—but can only be changed to a value from 001 to 100. The party Pokémon will be generated with their standard level-up moves for the chosen species and level. Pressing Start moves on to the second screen.



This screen is for setting up the opponent. The option at the top can be toggled between 「ワイルドモンスター」 Wild Monster and 「トレーナー」 Trainer.

For a wild Pokémon, the species and level may be set as on the previous screen, and the default level-up moves will be displayed. By scrolling down, the four moves can be changed to any value from 0 (no move) to 251 (Beat Up).

For a Trainer, the trainer class and ‘level’ (actually the roster number, just like in the long-range trainer glitch in Generation I) can be set. The trainer class selection has a minor bug: pressing A cycles through values from 001 to 066 (Rocket Grunt ♀), while pressing B when the value is 000 or 001 resets it to 061 (Twins). Either way, it’s not possible to select trainer class 067 (Mysticalman), which was added in Crystal. The ‘level’ can be set from 001 to 100, but defaults to 020, even though it’s initially displayed as 000. If the ‘level’ is greater than the number of rosters assigned to that trainer class, then the roster is taken from a subsequent trainer class.

Pressing Start begins the battle. The game will return to the party selection screen after the battle, so another test fight can be set up. Pressing Select exits the test fight menu.

Side effects include:
  • JohtoBadges is set to $80 (only the Rising Badge is obtained), so that all Pokémon are obedient and no stats are boosted. (However, any boosts from Kanto badges will be preserved.)
  • The Key Items, Balls, and Items pockets are cleared, and the following items are given:
    • Master Ball ×99
    • Ultra Ball ×99
    • Great Ball ×99
    • Poké Ball ×99
    • Heavy Ball ×99
    • Level Ball ×99
    • Lure Ball ×99
    • Fast Ball ×99
    • Friend Ball ×99
    • Moon Ball ×99
    • Love Ball ×99
    • Full Restore ×99
    • Revive ×99
    • Max Revive ×99
    • X Attack ×99
    • X Defend ×99
    • X Speed ×99
    • X Special ×99
    • Ether ×99
    • Max Ether ×99
    • Elixer ×99
    • Guard Spec. ×99
    • Poké Doll ×99
    • X Accuracy ×99
    • Full Heal ×99
    • Super Potion ×99
    • Antidote ×99
    • Burn Heal ×99
    • Ice Heal ×99
    • Awakening ×99
    • Parlyz Heal ×99
  • The player’s name is set to 「ゴールド」 Gold.
  • After the battle, the player’s party is deleted.
The code for this menu is a sprawling mess and I haven’t analyzed it thoroughly, so it probably has other effects that I’ve missed.

Communication Method (つうしんよう)
Calls 01:5BB9, which is in the middle of an instruction. It must have been calling something that was moved or excluded from the release build.

Field (フィールド)
Code: [Select]
DebugField: ; fd780
callba EraseBattleTowerStatus ; 05:4d09
callba ResetWRAM ; 01:5b96?
ret

The first function call sets offset $A800 of the save file to $00. It’s known that this offset is checked upon entering the PokéCom Center and that the game may crash if it’s greater than $05. The corresponding function in the English version clears offset $3E45 instead, which is apparently used for the Battle Tower. This function is called when overwriting the old save file after starting a new game.

The second function clears game data from WRAM, as is done when starting a new game (without erasing the previous save file). However, 01:5B96 is very close to the 01:5BB9 that’s called by the Communication Method option, so it’s likely that both of these were pointing to the 99 bytes of overwritten debug code in bank 1.

Sound (サウンド)


Pressing Up and Down selects a music track (starting with track 0, 「ストップ」 Stop—which is, of course, Lance’s and Red’s encounter theme—and ending with track 102, 「ポケコミ」 PokéCom), and pressing A plays it. Left and Right select a sound effect (ranging from 000 to 206), and Start plays it. Not mentioned in the on-screen instructions is that pressing B will stop the music. There’s no way to exit this screen, but why would you want to do that?

Various (いろいろ)
Calls 41:68DD, which is likely part of the 603 bytes of overwritten debug code known to have been somewhere between 41:67A5 and 41:6E23.

Animation (アニメ)
Calls 34:4695, which is immediately after code related to Pokémon frontsprite animations, and was probably the location of the 625 bytes of overwritten debug code in that bank.

Graphics (グラフィック)


Brings up a submenu with options 「ポケモン」 Pokémon and 「トレーナー」 Trainer. Selecting either option sets $D002 accordingly and then calls 20:541D. This is clearly supposed to be calling the Pokémon/trainer palette test, which is at 20:53E6 in the release build.

Other (そのた)
Code: [Select]
DebugOther: ; fd8ce
callba $10ed51
call WaitPressAorB_BlinkCursor ; $0a76
callba $108d13
callba $108026
callba $10802a
callba $108000
callba $108016
callba $108012
ret

The first call is to a function that’s unused in the final game, which displays the title screen. Pressing A twice will move on to the remaining code. There’s some sort of screen corruption/flickering that appears on the title screen and persists afterward; I’m not quite sure what this is, or why it happens.

The rest of these functions are used to display a mobile trade between ゲーフリ Game Freak, who trades a Venusaur with OT 08961 かびーん (does this mean something?), and クリーチャ Creatures, who trades a Charizard with OT 22020 マツミヤ Matsumiya. (Those OT IDs are 23 01 and 56 04 in hexadecimal.)

Clock Function (とけいきのう)
Calls 3F:40BE, which must have been part of the 715 bytes of debug code that was overwritten earlier in this bank.

Unreferenced Mobile Adapter menu (3F:579D)


This menu has the options 「なし」 Nothing, 「けいたい」 Mobile, 「シーディエムエー」 CDMA, 「ドコモけいピッチ」 DoCoMo PHS, 「ディーディーアイピッチ」 DDI PHS, and 「むせいげんけいたい」 Unlimited Mobile. Selecting an option will set offsets $E800 and $9000 of the save file (with the value at $9000 being the ones’ complement of the value at $E800) and display a corresponding message:

Option | $E800 | $9000 | Message
なし Nothing | $00 | $FF | 「なにも つながっていない」 “There is nothing connected.”
けいたい Mobile | $01 | $FE | 「けいたいでんわの アダプタを かくにん!」 “Check cell phone adapter.”
シーディーエムエー CDMA | $02 | $FD | 「シーディーエムエーの アダプタを かくにん!」 “Check CDMA adapter.”
ドコモけいピッチ DoCoMo PHS | $03 | $FC | 「ドコモけいピッチの アダプタを かくにん!」 “Check DOCOMO PHS adapter.”
ディーディーアイピッチ DDI PHS | $04 | $FB | 「ディーディーアイピッチの アダプタを かくにん!」 “Check DDI PHS adapter.”
むせいげんけいたい Unlimited Mobile | $81 | $7E | 「たいせんむせいげんの けいたい アダプタを かくにん!」 “Check unlimited battle mobile adapter.”

Does anyone have a clue as to what an “unlimited battle mobile adapter” is?

Setting these values (other than Nothing) causes the game to act as if the Mobile Adapter has been connected: the Mobile System GB logo is displayed before the copyright screen; the Mobile and Mobile Stadium options are added to the main menu; Pokémon Cable Club attendants ask whether I’d like to make a mobile or cable connection; the PokéCom Center’s Administration Office, Trade Corner, and News Machine and the Battle Tower are accessible, and both areas play their special music. Of course, any feature that actually requires sending data through the Mobile Adapter fails with error 10-000:



Unreferenced function (3F:58FC)
Code: [Select]
Functionfd8fc:
callba WeedleShinyPalette ; 02:68f7‽
ret

Weedle’s shiny palette probably wasn’t meant to be called as a function. Oddly, there are no other signs that the debug build had anything special in bank $02.


Quick-start (3F:5983)
Function 3F:5983 seems to be intended as some sort of accelerated start for debugging purposes. It does a bewildering variety of peculiar things:
  • Picks a random trainer class and sets the player’s name to the name of the first trainer in that class. (The last trainer class, Mysticalman, cannot be selected, which may be a sign that this code was written for Gold and Silver.)
  • Sets the rival’s name to 「レッド」 Red. (Plot twist: Silver is actually the same person as Red. You’ve never seen the two of them in the same room, have you?)
  • Sets the player’s money to 999999円.
  • Sets the Coin Case to 99 coins. (Not 9999, just ninety-nine.)
  • Adds a level 80 Meganium, Typhlosion, or Feraligatr, chosen at random, to the party.
  • Generates 10 random Pokémon between Bulbasaur and Suicune, excluding Unown, and sends them to the PC. The first one is level 21, the second is level 22, and so on up to level 30.
  • Sets the TM/HM pocket to have one of each TM and HM.
  • Gives the following items:
    • Bicycle
    • Old Rod
    • Good Rod
    • Super Rod
    • Coin Case
    • Itemfinder
    • Flower Mail ×6
    • Master Ball ×99
    • Ultra Ball ×99
    • Poké Ball ×99
    • Heavy Ball ×99
    • Level Ball ×99
    • Lure Ball ×99
    • Fast Ball ×99
    • Potion ×30
    • Rare Candy ×20
    • Full Heal ×99
  • Sets all 251 Pokémon as seen and owned in the Pokédex.
  • Sets Unown A as the first entry in the Unown Dex, and Unown G as the form shown in the Pokédex.
  • Sets the Pokégear to have phone numbers $01 through $0A registered (Mom, Prof. Oak, Bill, Prof. Elm, Schoolboy Jack, Pokéfan Beverly, Sailor Huey, and three values which are invalid in Crystal, which may be another sign that this was written for Gold and Silver).
  • Sets the Pokédex, the Pokégear, and its Radio, Phone, and Map Cards as having been obtained.
  • Sets all decorations as obtained.
  • Initializes the roaming Raikou and Entei.
  • Sets bit 7 of $D83F (StatusFlags). (Pokecrystal identifies this as ENGINE_BUG_CONTEST_ON, but I don’t think it’s related to the Bug-Catching Contest at all. The only place I see that it’s used is in MainMenu_GetWhichMenu, which checks this flag but then does the same thing whether it’s set or not. The flag is set in-game when the Mystery Egg is given to Prof. Elm.)
  • Sets the event flag for having given the Mystery Egg to Prof. Elm.
  • Sets the clock to 12:34.
  • Randomizes the Lucky Number Show’s number.

Super-sized debug menu (3F:5C3D)


This menu has text for 26 options (not counting 「とじる」 Close and 「つぎ▶︎」 Next ▶︎), of which 25 have associated code and only 20 are displayed:

Page 1: 「ワープ」 Warp, 「こづくり」 Breed, 「つくる」 Make, 「ツールギア」 Tool Gear, 「パソコン」 PC
Page 2: 「どうぐ」 Item, 「かいふく」 Recovery, 「じっけん」 Experiment, 「ゲーム」 Game, 「いろいろ」 Various
Page 3: 「トスト1」 Test 1, 「テスト2」 Test 2, 「テスト3」 Test 3, 「テスト4」 Test 4, 「うまれる」 Hatch
Page 4: 「タマダ」 Tamada, 「ソガベ」 Sogabe, 「カガヤ」 Kagaya, 「マツダ」 Matsuda, 「テツジ」 Tetsuji

Unused options: 「キャラ」 Character, 「タイマー」 Timer, 「フロア」 Floor, 「きろく」 Record, 「むしとり」 Bug Catching
Unreferenced text: 「たまご」 Egg

To replace Tamada (which is useless, and can be quickly accessed by pressing Left to go to page 4) with one of the unused options, use the Game Genie code ??C-36A-B32. Insert the value 03 for Character, 0E for Timer, 10 for Floor, 11 for Record, or 13 for Bug Catching.

Warp (ワープ)


Brings up a map similar to the one for selecting a Fly destination. The first party Pokémon is used as the cursor. Unlike the Fly map, pressing Down or Right will advance the cursor to the next destination (e.g., from New Bark Town to Cherrygrove City), and pressing Up or Left will move the cursor back to the previous destination. Any Fly destination may be selected, in both Johto and Kanto (the map will switch between the two), regardless of whether the location has been visited. This includes Rock Tunnel, which is programmed as a Fly destination but cannot normally be flown to because the associated flag is never set.

After a destination is selected, the text 「ワープします!」 “Warping…” is displayed, and the player warps using a spinning animation.

There’s also partial code for a text-based warp menu, which presumably would have been used before the Fly map was created. That menu omits Indigo Plateau, but includes 「じぶんのうち」 My Home. It also calls Lake of Rage 「イカリの みずうみ」, with katakana 「イカリ」, whereas its final name is spelled entirely in hiragana. This could be because Lake of Rage was originally a town.

Breed (こづくり)
Checks the compatibility of the two Pokémon deposited at the Day Care. If there aren’t two Pokémon deposited, displays 「2かい いないので こづくり できません」 “You need two POKéMON for breeding.” If the two Pokémon are incompatible, displays 「こづくりできません」 “Breeding is not possible.” If they are compatible, displays 「あいしょう [$D296]です こづくり しますか?」 “The compatibility is [$D265]. Should they breed?” Saying Yes generates an Egg which can be obtained from the Day-Care Man.

Make (つくる)
This menu generates a Pokémon and sends it to your PC. If your Box is full, it fails with the message 「ボックスが いっぱい!」 “The BOX is full!”



At first, only the species is displayed. The species can be set to a value between 001 and 251 using the A and B buttons.



Pressing Down reveals five more lines. The second line is the level, which can be set between 001 and 100. The next four lines are the Pokémon’s moves, which are automatically set to the default level-up moves for the chosen species and level. The moves can be changed to any value between 001 and 251. (It’s not possible to make an empty move slot, except when the Pokémon would know fewer than four moves at the chosen level.) If a move cannot be learned by the Pokémon or its pre-evolutions either by level-up, TM/HM, or as an Egg move, then it will be marked with ×.



Scrolling below the move list reveals three more values: the first is the Attack/Defense IV byte, the second is the Speed/Special IV byte, and the last represents the square root of the stat experience that will be assigned to every stat. (The square root of stat experience is functionally equivalent to EVs in later generations, except that there’s no 510 EV cap.) Each of these values can be set between 000 and 255. When one of these values is selected, the Pokémon’s stats will be calculated and shown on the right of the screen.

Pressing Start closes the menu and sends the Pokémon to your PC.

Tool Gear (ツールギア)


This submenu seems to be related to the real-time clock, but none of the options have any discernible effect.

Option | Effect
とけい Clock | Sets bit 0 of $D831 and clears bit 0 of $D835.
ざひょう Coordinates | Sets bit 0 of $D831 and sets bit 0 of $D835.
アジャスト Adjust | Calls 3F:4000 _AnimateTileset, which freezes the game because its parameters aren’t set. It’s probably supposed to call an overwritten debug function instead. After that, it calls functions related to refreshing the time-of-day palettes.
60びょう 60 Seconds | Sets bit 7 of $D835, then jumps to the same code used by Adjust to refresh time-of-day palettes.
24じかん 24 Hours | Clears bit 7 of $D835, then jumps to the same code used by Adjust to refresh time-of-day palettes.
けす Erase or Turn Off | Clears bit 0 of $D831.

Bit 0 of $D831 and bits 0 and 7 of $D835 don’t seem to be used anywhere. The equivalent addresses for the English version are $D83E and $D842.

PC (パソコン)


Does what it says on the tin.

Item (どうぐ)


Allows an item in the range of 1 (Master Ball) to 251 (HM09!) to be selected with Up/Down, and a quantity from 1 to 99 to be selected with Left/Right. Pressing A gives you the item and displays 「[$D05B]を リュックにいれました」 “The [$D073] was put in the PACK.” If the corresponding pocket is full, it instead says 「どうぐを リュックに いれられません!」 “That item can’t be put in the PACK.”

Recovery (かいふく)
Heals your Pokémon and displays 「ポケモンの たいりょうくを かいふくしました」 “Your POKéMON’s HP was healed.”

Experiment (じっけん)
Tries to call a full-screen menu at 40:76B0, which is probably a debug function that was overwritten.

Game (ゲーム)


Brings up this submenu with three options and a suspicious gap at the bottom. Selecting an option leads to the prompt 「[$D066]で あそびますか?」 “Will you play with [$D086]?”, where the variable is filled with the name of the option you selected. 「スロットマシン」 Slot Machine does exactly what you’d expect, 「ポーカーゲーム」 Poker Game is Card Flip, and 「ペアゲーム」 Pair Game is the unused memory game.

There’s unused text for a fourth option, 「ピクロス」 Picross.

Various (いろいろ)
Calls 41:68DD, the same function called by the other debug menu’s Various option.

Test 1–4 (テスト1〜4)
Each of these displays the prompt 「イベント [$D066]を テストしますか?」 “Test event [$D086]?”, where the variable is the corresponding number from 1 to 4. Saying Yes launches an event script. In addition to the four scripts that can be called from this menu, there are nine unused scripts:

Script | Effect
テスト1 Test 1 (3F:648C) | Displays the text 「はじめ!」 “Start!”, fades to white, fades in, then displays 「おわり!」 “End!” Is this Game Freak’s version of Hello World?
テスト2 Test 2 (3F:64D1) | If the player character is a girl, changes her into her Cable Club disguise and says 「おとこのこに!」 “For a boy!” If she’s already wearing the disguise, changes her back to her normal appearance and says 「おんなのこに!」 “For a girl!” If the player character is a boy, displays 「おとこのこには かんけいないよ!」 “This doesn’t concern a boy!”
テスト3 Test 3 (3F:64B4) | Gives an Egg containing a level 20 Abra. If the party is full, overwrites the sixth party Pokémon with the Egg.
テスト4 Test 4 (3F:6530) | Warps the player directly in front of the Hall of Fame machine, and inducts the party into the Hall of Fame (without Lance’s assistance). As usual, the game rolls the credits, exits to the main menu, and the player is returned to New Bark Town.
Unused (3F:64AE) | Launches the Dude’s tutorial on how to catch Pokémon.
Unused (3F:64B8) | Causes the Egg in the first party slot to hatch. If the first party member isn’t an Egg, it just briefly displays a white screen.
Unused (3F:64C1) | Causes the player character to briefly run in place, then disappear, then fall back into place from the top of the screen.
Unused (3F:652A) | A wild level 10 Ditto appears.
Unused (3F:6543) | Initiates Team Rocket’s occupation of the Radio Tower.
Unused (3F:654A) | Rolls the credits as if Red was just defeated, placing the player outside Mt. Silver afterward.
Unused (3F:654C) | Overwrites the PC item storage with quantity 99 of the items numbered 1 (Master Ball) through 50 (Teru-sama).
Unused (3F:6566) | Calls function 41:68D6, which is very close to the Various function 41:68DD, and is probably an overwritten debug function.
Unused (3F:656E) | Displays the Mobile Adapter connection prompt with an incorrect palette. Maybe it would do more than that if a connection could be made.

Hatch (うまれる)
If there’s an Egg in the party, this makes it ready to hatch on the next step, and display the text 「うまれる!」 “It’s going to hatch!” (If there’s more than one Egg, only the first one is affected.) If there’s no Egg in the party, displays 「タマゴが ない!」 “There is no EGG.”

Tamada (タマダ)
Earlier I misread this as タマゴ. It’s actually named after tool programmer Sousuke Tamada. I’m guessing he’s not an egg. :-[

This calls function 41:68DD, the same one called by the Various option of both this menu and the other one. The only difference is that Tamada passes a value of $01 in register c, whereas both instances of Various pass $00.

Sogabe (ソガベ)
Named after programmer Hisashi Sogabe. Displays the prompt for selecting the level cap for a Battle Tower challenge. After selecting a level, attempts to make a Mobile Adapter connection.

Kagaya (カガヤ)
Named after programmer Keita Kagaya. Deletes the contents of the Card Folder and removes its passcode.

Matsuda (マツダ)
Named after programmer Yoshinori Matsuda. Calls 12:66D0, which would have been the beginning of the debug code in bank $12.

Tetsuji (テツジ)
Named after game/script/map designer Tetsuji Oota.



Hey, that looks familiar.

Character (キャラ)
Code:
DebugCharacter: ; fde86
    ld a, $00
    ret

Not only has this option been removed from the menu, but the function has been stubbed out. Oh well.

Timer (タイマー)
Blanks the screen and then calls 3F:40BE, the same function called by the other debug menu’s Clock Function.

Floor (フロア)


If you’re standing in the elevator of the Celadon Department Store, displays this elevator menu which has the six floors in reverse order. The elevator will move to the selected floor without any sound or visual effects.

The menu can be viewed outside the elevator as long as the backup map ID is one of the floors of the Celadon Department Store—that is, if you’ve stepped into the Celadon Department Store elevator, and haven’t entered another special map since then, such as the Pokémon Center 2F or Goldenrod Department Store’s elevator—but selecting a floor has no effect outside of the elevator.

Record (きろく)
Displays two pages of text:


Number of times wild Pokémon were battled: 0
The number is a two-byte value taken from $DBD3, equivalent to $DC0D in the English version. This address is not used by the game and thus should always be 0. The text seems to suggest that functionality similar to Mauville City’s Storyteller was planned.


Timer status: 00000000
This number is the value at SRAM address 0:AC80 (sRTCStatusFlags) displayed in binary.

Bug Catching (むしとり)


Displays 「たいかい のこりじかん」 “Remaining Time”, followed by the number of minutes and seconds remaining in the Bug-Catching Contest. It even counts down in real time!

Unreferenced dummy function (3F:5D0A)
This function displays the text 「げんざい このきのうは つかうことが できません」 “That can’t be used right now.” Although the localized text doesn’t say what “that” is, the original Japanese refers to a function or feature (きのう), implying that this could have been a placeholder for something that wasn’t finished.

Unreferenced OT ID editor (3F:610D)


Displays the text 「へんこうするナンバーを してい してください」 “Which number should be changed?” The five-digit number can be edited using Left/Right to move the cursor and Up/Down to change the value. Pressing A changes the OT ID of the first party Pokémon to the chosen value modulo 65536.


Unreferenced lists

3F:6E6F
Code:
03 63 04 63 0B 63 10 63 11 63 12 63 13 63 14 63
FF

This list looks very much like an item inventory, with every second byte being a quantity of 99. That would mean:
  • BrightPowder ×99
  • Great Ball ×99
  • Ice Heal ×99
  • Hyper Potion ×99
  • Super Potion ×99
  • Potion ×99
  • Escape Rope ×99
  • Repel ×99
BrightPowder and Ice Heal? Those are some odd choices. Hmm…what if this was a Generation I item inventory?
  • Great Ball ×99
  • Poké Ball ×99
  • Antidote ×99
  • Full Restore ×99
  • Max Potion ×99
  • Hyper Potion ×99
  • Super Potion ×99
  • Potion ×99
That seems more likely.


3F:7261
Code:
07 09 0A 0E 10 14 16 1C 31 42 53 59 5B 63 64 67
68 69 72 7D 7E 8B 8E 95 98 9A 9B B2 B3 B4 BB BE
FF

This list is in the middle of the code that checks move legality on the Make submenu.

I think these values make the most sense if they’re read as Generation I Pokémon index numbers:
  • Nidoking
  • Ivysaur
  • Exeggutor
  • Gengar
  • Nidoqueen
  • Arcanine
  • Gyarados
  • Blastoise
  • Golem
  • Dragonite
  • Ninetales
  • Dragonair
  • Kabutops
  • Omastar
  • Jigglypuff
  • Flareon
  • Jolteon
  • Vaporeon
  • Beedrill
  • Butterfree
  • Machamp
  • Cloyster
  • Clefable
  • Alakazam
  • Starmie
  • Venusaur
  • Tentacruel
  • Charmeleon
  • Wartortle
  • Charizard
  • Vileplume
  • Victreebel
My best guess is that this is supposed to be a list of Pokémon that, in Red and Green (and international Red and Blue), could only be obtained through evolution—i.e., starter evolutions, trade evolutions, stone evolutions (except Raichu and Wigglytuff, which could be caught in Cerulean Cave), fossil evolutions, and other evolved Pokémon that couldn’t be caught in the wild in those games. But Jigglypuff seems out of place (it’s the only unevolved Pokémon), and Persian, Poliwrath, Primeape, and Rapidash are missing.

What’s a list like that doing in the middle of Crystal’s debugging tools? Damned if I know.



As a bonus, here’s some text from this bank that did get translated in Vietnamese Crystal:

Japanese | Viet Crystal | English
なにも つながっていない | NOT SUCCEED | There is nothing connected.
けいたいでんわの アダプタを かくにん! | ENSURED THE BROUGHT TELLPHONE’S ACCESSORIES | Check cell phone adapter.
シーディーエムエーの アダプタを かくにん! | ENSURED THE CD MA ACCESSORIES | Check CDMA adapter.
ドコモけいピッチの アダプタを かくにん! | TOCOMO’S ACCESSORIES ENSURING | Check DOCOMO PHS adapter.
ディーディーアイピッチの アダプタを かくにん! | DDI’S ACCESSORIES ENSURING | Check DDI PHS adapter.
たいせんむせいげんの けいたい アダプタを かくにん! | THE FIGHTING ACCESSORIES ENSURING IS UNLIMITED | Check unlimited battle mobile adapter.
ロム バージョン | MEMORY | ROM Version
[$D05B]を リュックにいれました | PUT [$D05B] IN BAG | The [$D073] was put in the PACK.
こづくりできません | DON’T MAKE TOO SMALL | Breeding is not possible.
あいしょう [$D296]です こづくり しますか? | MAKE [$D296] SMALL? | The compatibility is [$D265]. Should they breed?
タマゴが ない! | EGG! | There is no EGG.
うまれる! | BORNED! | It’s going to hatch!
おわり! | THE END | End!
おんなのこに! | IS WOMAN! | For a girl!
おとこのこには かんけいないよ! | NOT RELATE TO MAN | This doesn’t concern a boy!
テスト ファイト | EXAM | Test Fight
№.  なまえ    レベル | ,LEVEL | №.  Name   Level
ワイルドモンスター | GRACE ELF | Wild Monster
トレーナー | COACH | Trainer
№.  なまえ        レべル | №.LEVEL     NUMBER | №.  Name       Level
たいりき / こうげき / ぼうぎょ / すばやさ / とくこう / とくぼう | VIGOR / DEFEN / SPEED / PREST | HP / Attack / Defense / Speed / Spcl. Atk / Spcl. Def
おんがく / じょうげ エー / こうかおん / さゆう  スタート | MUSIC / UP-D / CAST COIN / START | Music / Up/Down A / Sound Effect / Left/Right Start
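The Game Genie code quoted in the post above (??C-36A-B32) can be unpacked with the standard Game Boy Game Genie digit layout. This is an added example, not code from the thread; the ROM image it searches is constructed, and placing the compare byte in bank $3F is an assumption, since a Game Genie code carries no bank number.

```python
"""Added example: unpack a 9-character Game Boy Game Genie code (ABC-DEF-GHI)."""
from typing import List, NamedTuple

BANK_SIZE = 0x4000  # one switchable ROM bank


class Patch(NamedTuple):
    address: int     # CPU address whose reads are patched ($0000-$7FFF)
    new_value: int   # byte returned instead of the ROM byte
    compare: int     # patch only applies when the ROM byte equals this
    check_ok: bool   # H digit follows the usual G XOR 8 pattern


def _ror8(v: int, n: int) -> int:
    return ((v >> n) | (v << (8 - n))) & 0xFF


def _rol8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def fill(template: str, value: int) -> str:
    """Substitute the post's '??' placeholder with a two-digit hex value."""
    if not 0 <= value <= 0xFF:
        raise ValueError("value must fit in one byte")
    return template.replace("??", "%02X" % value)


def decode(code: str) -> Patch:
    digits = code.replace("-", "")
    if len(digits) != 9:
        raise ValueError("expected the form ABC-DEF-GHI")
    # int(ch, 16) raises ValueError if the '??' placeholder was not filled in.
    a, b, c, d, e, f, g, h, i = (int(ch, 16) for ch in digits)
    address = ((f ^ 0xF) << 12) | (c << 8) | (d << 4) | e
    compare = _ror8((g << 4) | i, 2) ^ 0xBA
    return Patch(address, (a << 4) | b, compare, h == (g ^ 8))


def encode(address: int, new_value: int, compare: int) -> str:
    if not 0 <= address <= 0x7FFF:
        raise ValueError("Game Genie patches ROM reads only ($0000-$7FFF)")
    if not (0 <= new_value <= 0xFF and 0 <= compare <= 0xFF):
        raise ValueError("values must fit in one byte")
    gi = _rol8(compare ^ 0xBA, 2)
    g, i = gi >> 4, gi & 0xF
    digits = [new_value >> 4, new_value & 0xF, (address >> 8) & 0xF,
              (address >> 4) & 0xF, address & 0xF, (address >> 12) ^ 0xF,
              g, g ^ 8, i]
    s = "".join("%X" % x for x in digits)
    return "-".join((s[:3], s[3:6], s[6:]))


def candidate_offsets(rom: bytes, patch: Patch) -> List[int]:
    """File offsets where the patch could take effect.

    The code names no bank, so every bank is checked at the same CPU address
    and only bytes equal to the compare value are kept.
    """
    if patch.address < BANK_SIZE:
        offsets = [patch.address]                      # fixed bank 0
    else:
        rel = patch.address - BANK_SIZE
        offsets = [bank * BANK_SIZE + rel
                   for bank in range(1, len(rom) // BANK_SIZE)]
    return [o for o in offsets if rom[o] == patch.compare]


def constructed_rom() -> bytearray:
    """Blank 2 MiB image with the compare byte planted twice (constructed data)."""
    rom = bytearray(128 * BANK_SIZE)
    rom[0x3F * BANK_SIZE + 0x1C36] = 0x16   # assumed location: bank $3F, $5C36
    rom[0x05 * BANK_SIZE + 0x1C36] = 0x16   # decoy at the same address, other bank
    return rom


if __name__ == "__main__":
    for value, name in [(0x03, "Character"), (0x0E, "Timer"), (0x10, "Floor"),
                        (0x11, "Record"), (0x13, "Bug Catching")]:
        code = fill("??C-36A-B32", value)
        p = decode(code)
        print(f"{code}  {name:12}  ${p.address:04X}: "
              f"${p.compare:02X} -> ${p.new_value:02X}")
    hits = candidate_offsets(constructed_rom(), decode("03C-36A-B32"))
    print([f"{o // BANK_SIZE:02X}:{o % BANK_SIZE + BANK_SIZE:04X}" for o in hits])
```

Because the same CPU address exists in every switchable bank, a static patch of the ROM file has to pick among the candidates by context; the hardware device simply patches whichever bank is mapped at the time of the read.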

Wack0

Re: Debug menus in Japanese Crystal
« Reply #10 on: February 28, 2016, 09:03:24 pm »
Damn, that's some nice reversing writeup if ever I saw one, and I've read all of pocorgtfo.

That list at 3F:7261... I noticed it's in order of index number. I doubt that's a coincidence.
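The two unreferenced lists from the first post, and the ordering noted in the reply above, can be checked mechanically. This is an added example, not code from the thread: the list bytes and item names are copied from the post, the surrounding ROM image is constructed, and all function names are hypothetical.

```python
"""Added example: locate and decode the $FF-terminated lists quoted in the thread."""
from typing import Dict, List, Tuple

BANK_SIZE = 0x4000  # size of one Game Boy ROM bank

# Bytes copied from the first post (3F:6E6F and 3F:7261).
LIST_6E6F = bytes.fromhex("03 63 04 63 0B 63 10 63 11 63 12 63 13 63 14 63 FF")
LIST_7261 = bytes.fromhex(
    "07 09 0A 0E 10 14 16 1C 31 42 53 59 5B 63 64 67 "
    "68 69 72 7D 7E 8B 8E 95 98 9A 9B B2 B3 B4 BB BE FF")

# Both readings of the item bytes, in the order the post lists them.
GEN2_ITEMS = {0x03: "BrightPowder", 0x04: "Great Ball", 0x0B: "Ice Heal",
              0x10: "Hyper Potion", 0x11: "Super Potion", 0x12: "Potion",
              0x13: "Escape Rope", 0x14: "Repel"}
GEN1_ITEMS = {0x03: "Great Ball", 0x04: "Poké Ball", 0x0B: "Antidote",
              0x10: "Full Restore", 0x11: "Max Potion", 0x12: "Hyper Potion",
              0x13: "Super Potion", 0x14: "Potion"}


def to_offset(bank: int, addr: int) -> int:
    """bank:addr as written in the thread (e.g. 3F:58FC) -> ROM file offset."""
    if 0 <= addr < BANK_SIZE:
        return addr                      # $0000-$3FFF is always bank 0
    if BANK_SIZE <= addr < 2 * BANK_SIZE and bank > 0:
        return bank * BANK_SIZE + (addr - BANK_SIZE)
    raise ValueError("not a ROM address: %02X:%04X" % (bank, addr))


def to_bank_addr(offset: int) -> Tuple[int, int]:
    """ROM file offset (e.g. the fd8fc in a disassembly label) -> bank:addr."""
    bank, rel = divmod(offset, BANK_SIZE)
    return bank, rel + (BANK_SIZE if bank else 0)


def read_ff_list(rom: bytes, offset: int, width: int = 1) -> List[Tuple[int, ...]]:
    """Read fixed-width records until a $FF terminator; fail loudly if absent."""
    records = []
    pos = offset
    while True:
        if pos >= len(rom):
            raise ValueError("no $FF terminator before end of data")
        if rom[pos] == 0xFF:
            return records
        if pos + width > len(rom):
            raise ValueError("truncated record at offset $%X" % pos)
        records.append(tuple(rom[pos:pos + width]))
        pos += width


def decode_inventory(rom: bytes, bank: int, addr: int,
                     names: Dict[int, str]) -> List[Tuple[str, int]]:
    """Interpret a list as (item id, quantity) pairs under one name table."""
    pairs = read_ff_list(rom, to_offset(bank, addr), width=2)
    return [(names.get(i, "item $%02X" % i), qty) for i, qty in pairs]


def read_ids(rom: bytes, bank: int, addr: int) -> List[int]:
    return [rec[0] for rec in read_ff_list(rom, to_offset(bank, addr))]


def strictly_increasing(values: List[int]) -> bool:
    return all(a < b for a, b in zip(values, values[1:]))


def constructed_rom() -> bytearray:
    """Zero-filled 1 MiB image holding only the two quoted lists (constructed)."""
    rom = bytearray(64 * BANK_SIZE)
    for addr, data in ((0x6E6F, LIST_6E6F), (0x7261, LIST_7261)):
        off = to_offset(0x3F, addr)
        rom[off:off + len(data)] = data
    return rom


if __name__ == "__main__":
    rom = constructed_rom()
    print("Functionfd8fc is at %02X:%04X" % to_bank_addr(0xFD8FC))
    for label, table in (("Gen II", GEN2_ITEMS), ("Gen I", GEN1_ITEMS)):
        print(label, decode_inventory(rom, 0x3F, 0x6E6F, table))
    ids = read_ids(rom, 0x3F, 0x7261)
    print(len(ids), "entries, ascending:", strictly_increasing(ids))
```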

SatoMew

Re: Debug menus in Japanese Crystal
« Reply #11 on: March 04, 2016, 09:55:46 am »
Wow, I'm flabbergasted by this. Apparently, it's been there for 15 years without anyone finding it :o This is awesome, Háčky, so thank you for actually taking the time to study and document it all :)

The debug ROM code is from the internal October 17, 2000 build. Crystal was released on December 14, 2000, so that makes almost 2 months between the two ROMs. It'd be nice if someone leaked debug ROMs of Crystal, hehe ;D

As a reminder, before Pokémon Crystal was officially announced, there was information circulating about an upcoming game tentatively titled Pocket Monsters X (ポケットモンスターX) with support for a Game Boy mobile phone adapter. X's initial release date of April 2000 was seemingly postponed until 2001 because of Nintendo's decision to delay the Game Boy Advance from August 2000 to 2001. The servers would be hosted by Kyocera.

For a Trainer, the trainer class and ‘level’ (actually the roster number, just like in the long-range trainer glitch in Generation I) can be set. The trainer class selection has a minor bug: pressing A cycles through values from 001 to 066 (Rocket Grunt ♀), while pressing B when the value is 000 or 001 resets it to 061 (Twins). Either way, it’s not possible to select trainer class 067 (Mysticalman), which was added in Crystal. The ‘level’ can be set from 001 to 100, but defaults to 020, even though it’s initially displayed as 000. If the ‘level’ is greater than the number of rosters assigned to that trainer class, then the roster is taken from a subsequent trainer class.

I wasn't aware that ??? (???) and RIVAL (ライバル) were different Trainer classes, or are they? "???" is 0x09, RIVAL is 0x2A. In the trainer palette test, 0x09 takes the previously loaded Trainer class as its own.

Fight seems to generate garbled party Pokémon data at random.

Pressing Up and Down selects a music track (starting with track 0, 「ストップ」 Stop—which is, of course, Lance’s and Red’s encounter theme—and ending with track 102, 「ポケコミ」 PokéCom), and pressing A plays it. Left and Right select a sound effect (ranging from 000 to 206), and Start plays it. Not mentioned in the on-screen instructions is that pressing B will stop the music. There’s no way to exit this screen, but why would you want to do that?

Is it me or are a lot of the sound effects the exact same ones from Red, Green, Blue, and Yellow? They don't seem to be the similar ones from Gold, Silver, and Crystal but it could be a placebo effect. I also remembered the sound effect compilation included with Pokémon Techno (ポケモンテクノ), a bonus track in the official soundtrack of Red, Green, and Blue which was released in Japan on November 1, 1997.

Some of the themes are mislabeled. 「キキョウ」 Kikyo (Violet) plays the Azalea & Blackthorn theme, 「ヒワダ」 Hiwada (Azalea) plays the Ecruteak & Cianwood theme, and 「ヨシノ」 Yoshino (Cherrygrove) plays the Violet & Olivine theme. 「マイホーム」 My Home is Pallet's theme, which would imply that the creator himself gave it that name (as Pallet is based on his hometown of Machida, Tokyo).

「ふえ」 Flute is the radio's Poké Flute channel but is sound 038 (0x26) the old Poké Flute? It can be played by using a restored Teru-sama 0x38 (in Korean Gold and Silver) but I'm not sure if they changed the theme.

Route 26's theme is called 「ごうロード」. relates to strength, so I guess they see it as the Harsh Road that precedes Victory Road (「チャンピオンロード」 Champion Road, called 「とう15」 in the sound test)?

「かいでんぱ」 Mysterious Radio Waves is obviously Team Rocket's evolution-inducing radio signal that plays at the Lake of Rage, and this is what it's called by the official soundtrack of HeartGold and SoulSilver. 「プリンタ」 Printer is the well-known Game Boy Printer theme from Yellow, which was also rearranged for HeartGold and SoulSilver as the Pokéwalker theme. Shame that there is no classic-style version that plays the original :(

「インプット」 Input is the Mobile Center theme (in Stadium 2) while 「モバイル1」 Mobile 1 is the Mobile Link theme. As to 「ポケコミ」 PokéCom, I guess we now know where the unused shortened English name for the Pokémon Communication Center, POKéCOM CENTER, comes from ;)

「スイクン」 Suicune has the same title as its unused rearrangement 0x166 in the ROM of Ruby and Sapphire, SUIKUN. The official soundtrack of HeartGold and SoulSilver calls the classic-style version, then recycled for Omega Ruby and Alpha Sapphire, 「戦闘!スイクン」 Battle! Suicune.

The rest of these functions are used to display a mobile trade between ゲーフリ Game Freak, who trades a Venusaur with OT 08961 かびーん (does this mean something?), and クリーチャ Creatures, who trades a Charizard with OT 22020 マツミヤ Matsumiya. (Those OT IDs are 23 01 and 56 04 in hexadecimal.)

花瓶 (かびん) is a flower vase so it makes sense, except that Venusaur is not nicknamed and かびーん is the OT's name. ガビーン is apparently manga slang for the depiction of shock and disappointment. 「かびーん」 in katakana also refers to the name of a scrapped Capsule Monsters design that was some sort of special in-game encounter.

Unreferenced Mobile Adapter menu (3F:579D)


This menu has the options 「なし」 Nothing, 「けいたい」 Mobile, 「シーディエムエー」 CDMA, 「ドコモけいピッチ」 DoCoMo PHS, 「ディーディーアイピッチ」 DDI PHS, and 「むせいげんけいたい」 Unlimited Mobile. Selecting an option will set offsets $E800 and $9000 of the save file (with the value at $9000 being the ones’ complement of the value at $E800) and display a corresponding message:

Option$E800$9000Message
なし
Nothing
$00$FF「なにも つながっていない」
“There is nothing connected.”
けいたい
Mobile
$01$FE「けいたいでんわの アダプタを かくにん!」
“Check cell phone adapter.”
シーディーエムエー
CDMA
$02$FD「シーディーエムエーの アダプタを かくにん!」
“Check CDMA adapter.”
ドコモけいピッチ
DoCoMo PHS
$03$FC「ドコモけいピッチの アダプタを かくにん!」
“Check DOCOMO PHS adapter.”
ディーディーアイピッチ
DDI PHS
$04$FB「ディーディーアイピッチの アダプタを かくにん!」
“Check DDI PHS adapter.”
むせいげんけいたい
Unlimited Mobile
$81$7E「たいせんむせいげんの けいたい アダプタを かくにん!」
“Check unlimited battle mobile adapter.”

Does anyone have a clue as to what an “unlimited battle mobile adapter” is?

Setting these values (other than Nothing) causes the game to act as if the Mobile Adapter has been connected: the Mobile System GB logo is displayed before the copyright screen; the Mobile and Mobile Stadium options are added to the main menu; Pokémon Cable Club attendants ask whether I’d like to make a mobile or cable connection; the PokéCom Center’s Administration Office, Trade Corner, and News Machine and the Battle Tower are accessible, and both areas play their special music. Of course, any feature that actually requires sending data through the Mobile Adapter fails with error 10-000:


Aw yeah, finally a way to unlock the Pokémon Mobile System GB :D

As to the "unlimited battle mobile adapter", I've no idea. For the record, mobile battles could be held by paying the carrier service fees whereas the Battle Tower cost ¥10. (source 1, 2)

I noticed that Mobile Stadium is missing from the main menu. Does this mean that it is only displayed when connected to Stadium 2? Or is the debugging code related only to the Mobile Center and other Pokémon Mobile System GB features?

Another interesting thing is that while starting a new game, the Mobile Center takes the place of the regular screen that asks if you are a boy or a girl.



Forcing Crystal to run in Game Boy mode shows that it skips the Mobile System GB screen loaded on Game Boy Color mode after the boot ROM.

Any Fly destination may be selected, in both Johto and Kanto (the map will switch between the two), regardless of whether the location has been visited.

This would be handy for regular gameplay. In the remakes, they sort of fixed this but you can only fly to either region from Indigo Plateau or Route 26.

Scrolling below the move list reveals three more values: the first is the Attack/Defense IV byte, the second is the Speed/Special IV byte, and the last represents the square root of the stat experience that will be assigned to every stat. (The square root of stat experience is functionally equivalent to EVs in later generations, except that there’s no 510 EV cap.) Each of these values can be set between 000 and 255. When one of these values is selected, the Pokémon’s stats will be calculated and shown on the right of the screen.

Are there any references, used or unused, to 「うまれつきのつよさ」 innate strengths, which is apparently the Japanese name that Game Freak has always called individual strengths (IVs)? Japanese fans often use the expression "individual values" (個体値) though. I've found the kanji rendering of うまれつきのつよさ (生まれつきの強さ) in use alongside 個体値 on an old Japanese fan site from 1999-2000 so it's safe to assume that the terminology is as old as Gold and Silver, if not older.

Brings up this submenu with three options and a suspicious gap at the bottom. Selecting an option leads to the prompt 「[$D066]で あそびますか?」 “Will you play with [$D086]?”, where the variable is filled with the name of the option you selected. 「スロットマシン」 Slot Machine does exactly what you’d expect, 「ポーカーゲーム」 Poker Game is Card Flip, and 「ペアゲーム」 Pair Game is the unused memory game.

There’s unused text for a fourth option, 「ピクロス」 Picross.

Given how the original Pokémon Picross for the Game Boy and Game Boy Color appeared in magazines in early 1999, I suppose this may have been carried over from Gold and Silver.

テスト2
Test 2
(3F:64D1)
If the player character is a girl, changes her into her Cable Club disguise and says 「おとこのこに!」 “For a boy!” If she’s already wearing the disguise, changes her back to her normal appearance and says 「おんなのこに!」 “For a girl!”

If the player character is a boy, displays 「おとこのこには かんけいないよ!」 “This doesn’t concern a boy!”

Is this disguise code reused in normal gameplay or does the game use something else?

Háčky

Re: Debug menus in Japanese Crystal
« Reply #12 on: March 04, 2016, 10:24:33 pm »
I wasn't aware that ??? (???) and RIVAL (ライバル) were different Trainer classes, or are they? "???" is 0x09, RIVAL is 0x2A. In the trainer palette test, 0x09 takes the previously loaded Trainer class as its own.

$09 is the rival’s trainer class for the first five battles; $2A is for the sixth and seventh battles where he has a different sprite. Both of these classes are named RIVAL (ライバル) internally, although this name isn’t shown when you battle him. (I guess it would be a bit of a spoiler if the first battle said “RIVAL ??? wants to fight!”)

The Test Fight menu gets the trainer class name using the function GetTrainerClassName, which inexplicably treats trainer class $09 (RIVAL1 in pokecrystal) as a special case and returns the rival’s given name (in your case ???; in my case it’s レッド because I ran that silly quick-start function…), but doesn’t do the same for $2A. This function is only used in-game for phone calls, the Bug-Catching Contest, and the Places and People radio show (which cannot mention the rival, Prof. Oak, Cal, or Red), so that behavior is never seen.

Some of the themes are mislabeled. 「キキョウ」 Kikyo (Violet) plays the Azalea & Blackthorn theme, 「ヒワダ」 Hiwada (Azalea) plays the Ecruteak & Cianwood theme, and 「ヨシノ」 Yoshino (Cherrygrove) plays the Violet & Olivine theme.

I hadn’t noticed that. I wonder if these tracks got shuffled around as the Johto region was redesigned?

Looking over it again, another odd track name is 「かち4」 Victory 4, which follows the three standard victory themes (Trainer Battle, Wild Pokémon, and Gym Leader). This track is used for Mt. Moon Square (confusingly called Mt. Moon on the HG/SS soundtrack, whereas the music played inside Mt. Moon is Rock Tunnel). If it was originally written as a victory theme, that would certainly explain why it’s so short.

「プリンタ」 Printer is the well-known Game Boy Printer theme from Yellow, which was also rearranged for HeartGold and SoulSilver as the Pokéwalker theme. Shame that there is no classic-style version that plays the original :(

Completely off-topic, but something I don’t think I’ve ever seen mentioned is that the looping part of the printer theme is channel 3 of Pikachu’s Beach played at a much slower tempo. The only unique section is the second measure of the intro (B E D♯ C♯ B A G♯ F♯).

花瓶 (かびん) is a flower vase so it makes sense, except that Venusaur is not nicknamed and かびーん is the OT's name. ガビーン is apparently manga slang for the depiction of shock and disappointment. 「かびーん」 in katakana also refers to the name of a scrapped Capsule Monsters design that was some sort of special in-game encounter.

That last point strongly suggests to me that かびーん is Kōji Nishino’s nickname (from which カビゴン was derived), which would make sense as a counterpart to Matsumiya.

I noticed that Mobile Stadium is missing from the main menu. Does this mean that it is only displayed when connected to Stadium 2? Or is the debugging code related only to the Mobile Center and other Pokémon Mobile System GB features?

The Mobile Stadium option appears if, in addition to those other two Mobile Adapter values being set, offset $E000 of the save file is not $00. This was already set in my save file; I think it was corrupted by a dodgy emulator in the past. It should be possible to use an N64 emulator with Transfer Pak support to see if Stadium GS sets this value.

Are there any references, used or unused, to 「うまれつきのつよさ」 innate strengths, which is apparently the Japanese name that Game Freak has always called individual strengths (IVs)? Japanese fans often use the expression "individual values" (個体値) though. I've found the kanji rendering of うまれつきのつよさ (生まれつきの強さ) in use alongside 個体値 on an old Japanese fan site from 1999-2000 so it's safe to assume that the terminology is as old as Gold and Silver, if not older.

That term doesn’t appear in the ROM.

テスト2
Test 2
(3F:64D1)
If the player character is a girl, changes her into her Cable Club disguise and says 「おとこのこに!」 “For a boy!” If she’s already wearing the disguise, changes her back to her normal appearance and says 「おんなのこに!」 “For a girl!”

If the player character is a boy, displays 「おとこのこには かんけいないよ!」 “This doesn’t concern a boy!”

Is this disguise code reused in normal gameplay or does the game use something else?

The Test 2 script sets/clears the flag ENGINE_KRIS_IN_CABLE_CLUB and calls the special commands ReplaceKrisSprite and Special_SetPlayerPalette, which are the same commands used by the Cable Club scripts. The real Cable Club scripts are slightly more elaborate in that they spin the player around and play a sound effect.

SatoMew

Re: Debug menus in Japanese Crystal
« Reply #13 on: March 05, 2016, 07:30:16 pm »
$09 is the rival’s trainer class for the first five battles; $2A is for the sixth and seventh battles where he has a different sprite. Both of these classes are named RIVAL (ライバル) internally, although this name isn’t shown when you battle him. (I guess it would be a bit of a spoiler if the first battle said “RIVAL ??? wants to fight!”)

I see. If we somehow forced the game to display RIVAL, would that have any negative side effects?

Not surprisingly, $09 in Test Fight under a completely fresh save file returns the rival's name as "???" just like in his actual first battle.

I hadn’t noticed that. I wonder if these tracks got shuffled around as the Johto region was redesigned?

You mean during the development of Gold and Silver? It's likely.

Looking over it again, another odd track name is 「かち4」 Victory 4, which follows the three standard victory themes (Trainer Battle, Wild Pokémon, and Gym Leader). This track is used for Mt. Moon Square (confusingly called Mt. Moon on the HG/SS soundtrack, whereas the music played inside Mt. Moon is Rock Tunnel). If it was originally written as a victory theme, that would certainly explain why it’s so short.

HeartGold and SoulSilver differ from Gold, Silver, and Crystal in this regard.

In the originals, Mt. Moon uses the same theme as the Rock Tunnel and a separate theme for Mt. Moon Square. In the remakes, Mt. Moon plays 「つながりのどうくつ」 Union Cave (classic-style version) whereas Mt. Moon Square also plays 「おつきみやま」 Mt. Moon (classic-style version). The Rock Tunnel still plays the same theme so the official soundtrack labeled the track 「イワヤマトンネル」 Rock Tunnel (classic-style version).

Mt. Moon Square in HeartGold and SoulSilver even plays Union Cave most of the time, except between Monday nights and Tuesday dawns, but it's been a while so I'll confirm this next Monday.

The Mobile Stadium option appears if, in addition to those other two Mobile Adapter values being set, offset $E000 of the save file is not $00. This was already set in my save file; I think it was corrupted by a dodgy emulator in the past. It should be possible to use an N64 emulator with Transfer Pak support to see if Stadium GS sets this value.

Which N64 emulator do you recommend?

The Test 2 script sets/clears the flag ENGINE_KRIS_IN_CABLE_CLUB and calls the special commands ReplaceKrisSprite and Special_SetPlayerPalette, which are the same commands used by the Cable Club scripts. The real Cable Club scripts are slightly more elaborate in that they spin the player around and play a sound effect.

Oh, thanks, as well as for the rest of the information I didn't quote :)

SatoMew

Re: Debug menus in Japanese Crystal
« Reply #14 on: March 07, 2016, 02:41:34 pm »
Mt. Moon Square in HeartGold and SoulSilver even plays Union Cave most of the time, except between Monday nights and Tuesday dawns, but it's been a while so I'll confirm this next Monday.

My memory was correct. In HeartGold and SoulSilver, Mt. Moon only plays during the weekly Clefairy event.