Author Topic: The CartSwap ACE - Using Pokémon to ACE / credits warp other games  (Read 9814 times)


ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • *
  • Offline Offline
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
About the SNES version of the exploit, we would need to send some code to the SNES and run it.
That code would simply need to disable all interrupts then wait for some button to be pressed on controller #2 via the joypad auto-poll registers, then do stuff.

We could store the SNES payload with the PC items, and use a payload sender with 8F.
I'm still learning programming on the SNES, so I'll need some time to write down everything.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Cryo

  • Arceus Tamer
  • Distinguished Member
  • Offline Offline
  • Glitch researcher
    • View Profile
After a good bit more testing on a few physical systems with various games, I've found that one of the biggest contributors to whether or not the exploit is successful is the cleanliness of the cartridge.

With my dirtiest cartridge (Japanese Pokemon Red), which I haven't touched in ages, I often have to wiggle it a few times just to get it to boot properly. However, with my cleanest cartridge (English Pokemon Blue), I have to make serious efforts in order to get this cartridge to have any read errors.

My most recent test involved setting $FF00 to $EF (listening for P14) and entering STOP mode, that way I could break out of it by pressing on the D-Pad. I found that I actually had more success slowly pushing out my Pokemon Blue cartridge than I did yanking it out, even if I removed it by wiggling it slowly back and forth. The only time I got it to fail when inserting or removing the Pokemon Blue cartridge was when I was wiggling it in EXTREMELY slowly, which caused the sound to stop and the system to lock up. The weird part? Whenever I turned it back on (cartridge in the same position as the crash), the power light would come on, but the GameBoy logo would fail to appear. The screen would remain blank until I turned it off and adjusted the cartridge, but nothing else would affect it.

On the flip side, I was actually trying TheZZAZZGlitch's Super Mario Land 2 credits warp with the 8F Full Control method, but after 6 times of entering every button input and attempting the Stop 'N' Swop, I was never able to do it. I did just get this cartridge recently and I haven't cleaned it just yet, so it's probably dirty as well.


UPDATE: Okay, so as I was typing this, I was experimenting a bit more and came across something that's constant across all of the cartridges tested. And by "constant", I mean I've been sitting here on my bed surrounded by GameBoy cartridges and I've been doing nothing but testing out observations over and over, trying to see if I could get this to always work 100% of the time.

It turns out, the angle at which you insert and remove the cartridge is about 95% of the solution, while the cleanliness of the cartridge is the other 5%. I found that my Pokemon Blue cartridge has to be tilted clockwise slightly (when viewing the LCD) when removing and inserting it, and over the past few hours, while popping it in and out to test other cartridges for their "sweet spots", my game hasn't restarted or crashed once due to the insertion/removal of the Pokemon Blue cartridge.


Also, we may not even need a time delay on the payload; the code below works just as well (from my experiments, at least).

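ACTIVATOR:
Code:
ld a,$EF      ; bit 4 low: select the D-Pad lines (P14)
ldh ($00),a   ; write to $FF00, the joypad register
stop          ; enter STOP mode until a D-Pad button is pressed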

Just press any button on the D-Pad and the rest of the payload gets executed.

ISSOtm

The smallest SNES program I could come up with is 22 bytes long. Thus, we need to send multiple packets to the SNES. I think it would be better to make 8F a SNES packet sender, and have it send several DATA_SND packets before sending a final JUMP packet and crash the game (because SO LONG WE DON'T NEED YOU 8))


Now, here is a full guide on how to send appropriate packets to Weegee-fy the Super Game Boy as well !
(And even if this doesn't work, it's still a way to do SNES ACE via Pokémon Red ^^)


Tutorial
We are first going to write a packet and a tiny payload to feed the SNES some code.
But then we're in hell. Why ? Because the bytes we gotta send map to invalid items ! So we can't use items to store the packet data :(
And I've thought of a somewhat original (I guess) storage solution. We're gonna use Pokédex flags. Hell. Yeah.
First, setup your pack ! But don't use 8F quite yet !! The items are actually fairly simple (and cheap) to acquire, and you don't need many duplications.
Code:
8F
Any item x[any qty]
Awakening x[byte to write]
HP Up x175
Water Stone x4
Poké Ball x121
Great Ball x3
Burn Heal x3
X Accuracy x1 (Will change)
Antidote x34
Parlyz Heal x125
Ice Heal x46
Leaf Stone x34
TM01 x[any qty]
Lemonade x28
Guard Spec. x3
Super Repel x233

The usage is very simple : you just need to make the quantity of Awakenings match the value you're willing to write, and then you just use 8F.
The quantity of X Accuracies will increment each time. Basically, when you use 8F while having "A" Awakenings and "X" X Accuracies, the "X"th byte of the packet will turn into "A".
BIG FAT NOTE : NEVER USE 8F IF YOU HAVE MORE THAN 28 X ACCURACIES !!!! YOU WILL CORRUPT PARTY DATA AND MAKE 8F POTENTIALLY UNUSABLE !!!!
This will also corrupt your Pokédex flags. I made this because it makes the code simpler, and I guess when doing SGB to SNES ACE, Pokédex progression doesn't matter that much :D
You can toss some X Accuracies to write some bytes you may have screwed up. This is built to be fairly forgiving :)

So, we're going to write a packet (they are 16 bytes long), and then 10 bytes of code to help send them to the SGB.
Use 8F once, and toss the extra X Accuracy.
Now, we're going to toss a certain number of Awakenings, use 8F, and repeat. For quantities greater than 99, I recommend doing multiple tosses to avoid mistakes : to toss 135, you can toss 99 then 36. For 245, you can toss 99 then 99 then 47.
Here goes the table :
135 | 0 | 0 | 0 | 245 | 30 | 224 | 87 | 255 (you can just press Down twice, that's faster) | 115 | 0 | 190 | 136 | 83 | 230 | 190 | 51 | 68 | 203 | 149 | 51 | 21 | 161 | 61 | 51 | 203

Now, you should swap the Lemonades with the Awakenings, the Guard Spec.s with the HP Ups, and the Super Repels with the Water Stones.
Use 8F. Congrats, you've successfully sent 11 bytes of code in the SNES's RAM !

I know it doesn't look like it's much, but don't-cha worry : you did 40% of the work, huzzah !
Now, do the item swaps again, and toss all X Accuracies but two.
You're going to build another packet ! Do the same as above, with this table this time :
245 | 0 | 0 | 245 | 182 | 112 | 6 | 83 | 51 | 203 | 240 | 11 | 148 | 4 | 129

Swap the items again, and use 8F.
You have successfully poked 22 bytes of code in the SNES's RAM ! Congrats, because now you're going to write one final packet. And it will be like, super easy.

Swap the items again, toss 111 Awakenings, toss all X Accuracies but one, use 8F. Then use 8F 15 more times without tossing anything.
Swap the items one last time, and I recommend that you save. When you feel ready, plug a controller into SNES port 2, make sure the A button is NOT held, and simply use 8F.
Now, control has been removed from the SGB ! The SNES CPU is patiently waiting for you to press the A button on controller 2.


Source code
Here is the code that builds the packets.
Code:
ld c, $byte
inc hl ; points to third item's quantity
xor a
ldi (hl), a ; reset it for next write
inc b
inc b
ld a, c
inc bc
inc bc
inc c
inc bc
ld l, $01
dec bc
ldi (hl), a
rrca
ld a, l
dec c
ld l, $2F
ldi (hl), a
ret

Here is the code that prepares the packet send :
Code:
ld a, $1C
scf
jr c, $D311 ; start of the second payload

Here is the code appended to the packets :
Code:
; The caller made a = $1C, so we will switch to bank $1C, home of SendSGBPacket !
call BankswitchHome ; $35BC
ld l, e ; hl = $D301, start of packet
call SendSGBPacket ; $5FEB
jp BankswitchBack ; $35CD

Hex :
Code:
CD BC 35
6B
CD EB 5F
C3 CD 35

This code would have been a pain to write using items, so instead it is jumped to when using 8F.

Here are the three packets, in hexadecimal :
Code:
$79 $00 $00 $00 $0B $E2 $20 $A9 $01 $8D $00 $42 $78 $AD $1A $42
$79 $0B $00 $00 $0B $4A $90 $FA $AD $1A $42 $10 $F5 $6C $FC $7F
$91 $00 $00 $00 $00 $00 $00

Note that for the second packet, we don't rewrite the first byte, since it is the same.
I built these packets to contain as many $00 bytes as possible (they are more convenient to write)

This is the SNES program I wrote and that is sent in the two 11-byte wide packets.
Code:
E2 20     SEP #$20            ; Make A 8-bit.

A9 01     LDA #$01
8D 00 42  STA $4200           ; Enable autopolling.
78        SEI                 ; Kill interrupts (IRQ) while game cart is removed.
                              ; NMI is already disabled by the SGB.

WaitForPlayer:
AD 1A 42  LDA $4212           ; Status register.
4A        LSR A               ; Pushes bit 0 into C.
90 FA     BCC WaitForPlayer   ; C = 0 ? Joypad not ready :(
AD 1A 42  LDA $421A           ; Joypad #2 status register, low byte.
10 F5     BPL WaitForPlayer   ; Bit 7 set ? A pressed ! This means GET DAT MOFO!!!1!!11!

; At this point, we have ACE on the new cart.
6C FC 7F  JMP ($7FFC)         ; This just restarts the cart as a PoC.
                              ; So replace this with whatever you want.


One last thing : I'm going to write a program that gives packet building indications to help use this setup.
It should be done in a few days.
« Last Edit: December 22, 2016, 11:19:58 am by ISSOtm »
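
The toss tables in ISSOtm's tutorial above can be derived from the packet bytes: the Awakening quantity is reset to 0 after each use of 8F, and the first table is consistent with tosses wrapping around modulo 256. The Python sketch below is an added example, not code from the thread; the helper names are hypothetical, the byte strings are copied from the post, and the DATA_SND field layout (address, bank, count, data) is the standard Super Game Boy one.

```python
# Added example: byte strings copied from the post, helper names are hypothetical.
PACKET_1 = "79 00 00 00 0B E2 20 A9 01 8D 00 42 78 AD 1A 42"
PACKET_2 = "79 0B 00 00 0B 4A 90 FA AD 1A 42 10 F5 6C FC 7F"
SENDER = "CD BC 35 6B CD EB 5F C3 CD 35"  # code appended after the packet
MAX_X_ACCURACY = 28  # the post's limit: going past 28 corrupts party data
MAX_TOSS = 99        # the post splits any toss above 99 into several

def parse_hex(text):
    return bytes(int(tok, 16) for tok in text.split())

def toss_count(byte):
    """Awakenings to toss so a quantity that starts at 0 and wraps equals byte."""
    return (-byte) & 0xFF

def split_tosses(count):
    """Break one toss count into menu-sized tosses, e.g. 245 -> [99, 99, 47]."""
    parts = []
    while count > MAX_TOSS:
        parts.append(MAX_TOSS)
        count -= MAX_TOSS
    if count:
        parts.append(count)
    return parts

def toss_plan(data, first_slot=1):
    """Return [(x_accuracy_qty, byte, tosses)], one entry per byte to write."""
    last = first_slot + len(data) - 1
    if last > MAX_X_ACCURACY:
        raise ValueError(f"needs {last} X Accuracies, limit is {MAX_X_ACCURACY}")
    return [(first_slot + i, b, split_tosses(toss_count(b))) for i, b in enumerate(data)]

def data_snd_payload(packet):
    """Split a DATA_SND packet into (SNES address, bank, data bytes)."""
    if len(packet) != 16 or packet[0] >> 3 != 0x0F:
        raise ValueError("not a 16-byte DATA_SND packet")
    count = packet[4]
    if not 1 <= count <= 11:
        raise ValueError("DATA_SND carries 1 to 11 bytes")
    return packet[1] | packet[2] << 8, packet[3], packet[5:5 + count]

def snes_program(packets):
    """Reassemble what the packets place in SNES RAM, rejecting address gaps."""
    program, expected = b"", None
    for p in packets:
        addr, bank, data = data_snd_payload(p)
        if expected is not None and addr != expected:
            raise ValueError(f"gap: packet targets ${addr:04X}, expected ${expected:04X}")
        program += data
        expected = addr + len(data)
    return program

if __name__ == "__main__":
    for slot, byte, tosses in toss_plan(parse_hex(PACKET_1) + parse_hex(SENDER)):
        print(f"X Accuracy x{slot:2}: ${byte:02X} -> toss {tosses or [0]}")
```

For the second packet, whose first byte is not rewritten, the equivalent call is `toss_plan(parse_hex(PACKET_2)[1:], first_slot=2)`.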

MrCheeze

  • Distinguished Member
  • Offline Offline
  • It can display millions of polygons!
    • View Profile
FYI: I heard from some smart people who generally know what they're talking about (DwangoAC/Myriachan) that the reason SNES cartridges can't be swapped is the CIC lockout chip, same as the N64.

ISSOtm

That makes sense, but I'm wondering if a piggybacking adapter (those that let you play bootlegged or out-of-region cartridges) may solve the problem by leaving a CIC plugged into the console while we swap cartridges.

RFan573

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Will this allow cartridge-swapping in Pokemon Stadium? Would be fun to see it.

ISSOtm

Nah, we tested this and sadly the N64 checks if there is a cartridge in. That's sad, but we can't do anything :(

RFan573

Quote from: ISSOtm
"Nah, we tested this and sadly the N64 checks if there is a cartridge in. That's sad, but we can't do anything :("
Well that sucks. Well, we've still got the header-editing method.
Tried with any other Game Boys? (i.e. GB Boy Colour and the Game Boy Player w/ both official software and GB Interface)

ISSOtm

I dunno if anyone tried the GB Player, but all handheld consoles  plus SGB and N64 have been tested.

shutterbug2000

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Re: The CartSwap ACE - Using Pokémon to ACE / credits warp other games
« Reply #39 on: February 13, 2017, 07:34:22 pm »
So, I tried this on my SGB, and upon pulling the cart out, it just goes to the blank Nintendo logo. Any ideas?

Yeniaul

  • Guest
« Reply #40 on: February 13, 2017, 09:28:04 pm »
My GB player attachment is going bad so treat this with a grain of salt, but upon yanking the cart out I got a crash similar to the DSI crashes on Wii.

ISSOtm

« Reply #41 on: February 15, 2017, 08:40:58 am »
shutterbug2000 : sometimes it does this. Try again, it usually works after a few tries.
Cryo confirmed it on a SGB.

I recommend pulling the cart quickly, seems to work better.

Yeniaul

  • Guest
« Reply #42 on: February 15, 2017, 09:59:45 am »
Quote from: ISSOtm
"I recommend pulling the cart quickly, seems to work better."
If this reply was to me, I pulled it as fast as possible.

ISSOtm

« Reply #43 on: February 15, 2017, 11:44:16 am »
Nah, it wasn't to you.

I didn't mention, though, that why the console sometimes resets or crashes is out of my field of knowledge, since I guess it involves advanced electronics and understanding of the hardware. I'm forced to do blind guesses about what happens, so don't mind my ignorance :P

Yeniaul

  • Guest
« Reply #44 on: February 15, 2017, 08:01:29 pm »
Quote from: ISSOtm
"Nah, it wasn't to you.

I didn't mention, though, that why the console sometimes resets or crashes is out of my field of knowledge, since I guess it involves advanced electronics and understanding of the hardware. I'm forced to do blind guesses about what happens, so don't mind my ignorance :P"
It is indeed the equivalent of Wii's DSI error screens. Think of them as no-color Windows NT BSODs (the WinNT ones that have the entire stack onscreen and COM debugging, that is)