Main Menu
Main Page
Forums
Recent changes
Random page
Help

Databases
GlitchDex
AttackDex
ItemDex
TypeDex
UnownDex
More

Major Glitches
Trainer escape glitch
Old man trick
Celebi trick
Select glitches (Japan)
SRAM glitch
CoolTrainer♀ corruption
LOL glitch
Rival LOL glitch
Super Glitch
ZZAZZ glitch
Pomeg corruption glitch (Glitzer Popping)
Tweaking
Elite Four door glitch (Japan)
Pokémon merge glitch
Pokémon cloning
Time Capsule exploit
Arbitrary code execution
Coin Case glitch
More

Other Glitch Categories
Glitches by generation
Glitches between two generations
Japan-only/language specific glitches
Music glitches
Natural glitches
Non-core series glitches
Non-Pokémon glitches
Officially acknowledged glitches
Recurring glitches
Dead glitches

References
Pokémon GameShark codes
The Big HEX List
GB programming
Curiosities
Debugging features
Easter eggs
Error traps
Glitch areas
Glitch myths
Non-glitch exploits
Placeholder texts
Pokémon glitch terminology
Unused content and prerelease information

Useful Tools
8F Helper
GBz80 to Items
Old man trick name generator
PATH (Prama's Advanced Tweaking Heaven)
Save file editors
Special stat/Pokémon converter
Trainer escape Trainer Pokémon finder

Affiliates
Legendary Star Blob 2 (Hakuda)
Pokémon Speedruns wiki
PRAMA Initiative
Become an affiliate!

Search Wiki

 

Search Forums

 

Author Topic: The Cascade Glitch - Gateway to Gen IV ACE  (Read 1656 times)

0 Members and 1 Guest are viewing this topic.

Cryo

  • Arceus Tamer
  • Distinguished Member
  • Offline Offline
  • Glitch researcher
    • View Profile
The Cascade Glitch - Gateway to Gen IV ACE
« on: February 16, 2017, 03:41:29 pm »
By utilizing the L-shaped tweaking pattern in Pokemon Platinum, you're able to cause a bunch of weird stuff to happen, such as slowing everything in Jubilife City to a crawl or modifying the map right under your feet

The fact that the L-shaped tweaking pattern causes really weird effects has been known for a while now and was previously known as the "????? Glitch", but after analyzing the effects of the tweak, I decided to give it a more descriptive name that mirrors its effects—the "Cascade Glitch".


TRIGGERING THE CASCADE GLITCH

In order to trigger the glitch, all you need to do is tweak using any L-shaped pattern in the fastest gear of your bike.

No really, that's it.


THE EFFECTS

The reason it's called the Cascade Glitch is because of the one constant that always occurs each time this glitch is triggered—starting from the map data ID (0 - 665) that you refreshed the screen in, the map tile data, 3D model data, building data, et al. for each successive map data ID is written to RAM immediately after the tweak. The chaotic nature of such an effect means that freezes will occur a lot of the time.

However, because the data written to RAM depends on the map data ID that you refreshed the screen in, you're able to influence the data that gets written and, to a loose extent, where that data gets written. This means that altering progression flags is completely possible using this method.


EXAMPLE



So what exactly happened here?

As a little background information, the tile data for each map should be at least somewhat legible, such as the map tile data for lower Jubilife City below.

Code: [Select]
1111111111111111111111111111111111111111111111111100006900000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111110000000000111111111111111111111111111100000000000000
1100000000000000000000111111111111110000000000001100000000000000
1100000000000000000000111111111111110000000000001100000000000000
1100000000000000000000001111111111000000000000001100000000000000
00001111111100006E0000111111111111110000690000000000000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
0000000011111111111111111111111111111111111111111100000000000000
0000000011000000000011111111111111111111111111111100000000000000
0000000011000000000011111111111111111111111111111100000000000000
0000000000000000000011111111111111111111111111111100000000000000
0000000000000000000011111111111111111111111111111100000000000000
0000000000000000000011111111111111111111110000000000000000000000
0000000000000069000011111111111111111111110000000000000000000000
0000000011111111111111001111111111001111110000000000000000110000
0000000011111111111111111111111111111111110000000000000000110000
0000000011111111111111111111111111111111110000000000000000110000
0000000011111111111111111111111111111111110000000000000000110000
0000000011111111111111111111111111111111110000000000000000110000
0000000000000000000000111111111111110000000000000000000000000000
0000000000000000000000111111111111110000000000000000000000000000
0000000000000000110000111111111111110000000000000000000000000000
0000000000000000110000000011111100000000000000000000000000000000
0000000000000000111111111111111111110000000000000000000000000000
0000000000000000111111111111111111110000000000000000000000000000

Okay, so that's not the actual map tile data for lower Jubilife City, but it gets the point across that it should at least be somewhat legible and able to be discerned just from looking at the layout.

First, to pull off this tweak, you'll want to refresh your screen anywhere in the area below. You can do this by opening the Bag or performing any action that forces the graphics to be redrawn.



Next, perform the tweak as shown in the previous GIF. If you need help locating the loadlines in order to do this, you can find them here.

After performing the tweak, the map tile data for Route 202 will be replaced with the data below.

Code: [Select]
a0006c004094fd22220040009400e099d0222200e000990000e7ab2222000000
e700a0006c7e00222200a0006c004094fd22220040009400e099d0222200e000
990000e7ab2222000000e700a0006c7e00222200a0006c004094fd2222004000
9400e099d0222200e000990000e7ab2222000000e700a06c7e222200a0006c00
4094fd22220040009400e099d0222200e000990000e7ab2222000000e700a000
6c7e00222200a0006c004094fd22220040009400e099d0222200e000990000e7
ab2241000000e700004021030000007c07348022220000000000407707242630
800040000000802122ad062e800080800041220300c000009724250040400000
40c040212200470000404000802224c080006500e04080254000000300c00021
2200474000400000402224c04000970800404025210080c08000360820224140
8000000300222400000097084000002521004000400047080022220040008000
800065242508e000800000000040210300000000974000222200000040004000
47242528004040008000802122006528e0808080004122030000007c07242634
4000000000c0402122770730000040000022248080ad062ee000802640800003
00000021227c0734800000000022240040770730804040262100000080ad062e
80224180808080030022240000004734c0000025210040c04000973000222200
4000808080003624252e20008000000000402103000000004740002222000000
4000400097242528000040008000802122003628200080000041220100008014
0226258000000000400000262500000080800040802122004200804000400022
22c0000040c08000802226408000c20080400027254000c0000040c080272100
8000800042008022220000400000000040222200800080808080002222b0002c
c00000004022220080008000801402262580000000004060002624000080802e
e080802222b0002c4000000000222200808000008000c2262700800000400060
002524004080802e200080252700000000400000002527004000800080000040
210100280000f04040222228f8004038f8000022223800c00028000000242540
00380000403808252500402808000018c02122ad06c00000c000402222008000
001880c000222500000000000018002526004018800000008025210000280000
f040002222380000003808000022222808004018c0000724264b011810c00000
102526000000c00000280021220000004028f8c000222238f800003800004022
26280000f0000028f82525004038f8000038002521c0002800000040c0222238
0000403808004022222808000018c0ad062525c00000c0004000802625000018
80c000000021220000000018000040222218800000008000002227280000f040

Definitely not what it should be.

If you were to load the graphics for this area, it would look a little something like this:

(just a rough sketch; the actual visual data would probably look a lot cooler)




ADDITIONAL INFO

The section containing pointers to the currently-loaded map data (as well as the data that will be imminently loaded) can be found at Base + 0x8BAD0. This section has enough space for 3 areas, which is all that should ever need to be reserved within normal gameplay, since it's not possible to load 4 different areas in such quick succession. I'm guessing that's what the devs though, anyway.

I've created a visual representation of the pointer storage location as well as the pointers to the current map data for additional detail, found below.



The 4 pointers are arranged in the following order:
  • Top-Left
  • Top-Right
  • Bottom-Left
  • Bottom-Right

In this case, the 3rd pointer is the address of the garbled data. This means that the area we're currently in (Route 202) should be located in the bottom-left of the 4 currently loaded areas, which it is.




MISCELLANEOUS

Doing this in Valor Lakefront yields some pretty amazing results. Instead of simply writing the data for each successive map data ID, it completely annihilates your base pointers. The base pointers located at 0x02101D20 just get overwritten with zeroes.

The result?



Since there aren't any base pointers, the game just kind of gives up and crashes. It also messed up my ASLR calculations in the VET script and caused all of my values to return 0.

If that kind of thing is possible just by tweaking, then I think that this may very well be our best chance at ACE in Gen IV.


POSTSCRIPT

I should be receiving an IS-NITRO-DEBUGGER development kit through the mail within the next few days, and I highly plan to analyze this glitch further on actual hardware. It's hard to tell whether some of these results are due to emulation errors or whether these would actually happen on a console.

Aera

  • GCLF Member
  • Offline Offline
  • Gender: Male
  • ... ...
    • View Profile
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #1 on: February 16, 2017, 03:44:17 pm »
ok hand emoji
Welcome to the Battle Tower! I am your guide to the Single and Double Battle Rooms. Would you like to take the Battle Room challenge?

>CHALLENGE
>INFO
>DARKRAI
>SHAYMIN
>EXIT

Torchickens

  • Administrator
  • *****
  • Offline Offline
  • Gender: Female
    • View Profile
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #2 on: February 16, 2017, 05:37:54 pm »
That's really interesting. I saw Crystalmourne's video about the cascade glitch but didn't know exactly what it was. Hope you or another person find arbitrary code execution with it!
« Last Edit: February 16, 2017, 05:43:09 pm by Torchickens »
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you Myri for my avatar! Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Krys3000

  • The frenchie
  • Distinguished Member
  • *
  • Online Online
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - Main french pokemon glitch website
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #3 on: February 17, 2017, 03:48:02 am »
Yes, we've been thinking on how this glitch could lead to ACE for a while, but it's hard to progress blind... If I remember well, during PRAMA's tweaking research group works, we also noticed that sometimes it introduces the OT in Pokémon names and weird stuff like that. I hope it will eventually lead somewhere.
« Last Edit: February 17, 2017, 03:49:05 am by Krys3000 »

BUGLITCH

  • GCLF Member
  • Offline Offline
  • Gender: Male
  • aze
    • View Profile
    • PRAMA Initiative
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #4 on: February 19, 2017, 09:16:56 pm »
Yes, we've been thinking on how this glitch could lead to ACE for a while, but it's hard to progress blind... If I remember well, during PRAMA's tweaking research group works, we also noticed that sometimes it introduces the OT in Pokémon names and weird stuff like that. I hope it will eventually lead somewhere.

If I remember well the trick was messing up with the name and it wasn't ending properly (no FF at the end) so we could see the OT in it. (Because it is located just after the name in the RAM)

So yes, it's not only about maps.

As far as I know it can impact on:
- Name of Pokémons (Wild encounter or Pokémon hatch from eggs. I don't remember if it is the case for battle against trainers)
- Texts (The most common effect is text becoming blank or one letter repeating itself)
Here's some example:






- Color palette of the Trainer Card (it is quite common too).
- And as you said, it can slow the game down, which is really interesting.
- It can also, obviously, crash. Which is in fact also interesting.

The glitch was also affecting some sprites but I can't tell if it was just emulation related.

But anyway, as you can see it's messing up with a lot of different stuff so if we're able to really understand how it works we could try to use it in a useful way. (Like messing up with scripts?)
So yeah, that's indeed a great gateway to ACE!

Aera

  • GCLF Member
  • Offline Offline
  • Gender: Male
  • ... ...
    • View Profile
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #5 on: February 22, 2017, 08:00:54 am »
I did a lot of research into the corruption of graphics with this glitch, especially in the menus, it's currently useless however as the game freezes upon opening any menu.
Welcome to the Battle Tower! I am your guide to the Single and Double Battle Rooms. Would you like to take the Battle Room challenge?

>CHALLENGE
>INFO
>DARKRAI
>SHAYMIN
>EXIT

BUGLITCH

  • GCLF Member
  • Offline Offline
  • Gender: Male
  • aze
    • View Profile
    • PRAMA Initiative
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #6 on: March 03, 2017, 10:05:43 am »
I did a lot of research into the corruption of graphics with this glitch, especially in the menus, it's currently useless however as the game freezes upon opening any menu.

What do you mean?
For me the games isn't freezing every time at all.

Maybe it depends on the location you did the Cascade Glitch, the effect really seems to depends on the location, like, you get pretty much the same effects if you do it twice at the same place.
Also, the "OPTIONS" menu NEVER crash. So if you want to reload graphics use this one. Even after that, the effects in the menu and on wild Pokémon will stay.

Actually battles seems to crash a lot, I don't know if it's only related to text as I never seen others effects on battle.
The only effect that I manage to keep after a saving and resetting was the name of a Pokémon hatched from an egg. Not very useful.

I had also noticed that after doing the CG, some genuine tweak pattern now crash, including the CG one. Seems strange.
Maybe we should try to do the CG more than once.

« Last Edit: March 03, 2017, 10:39:50 am by BUGLITCH »

Krys3000

  • The frenchie
  • Distinguished Member
  • *
  • Online Online
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - Main french pokemon glitch website
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #7 on: March 05, 2017, 05:30:59 am »
Just to mention that BUGLITCH is also a member of PRAMA, which means he reports stuff on french games. If this can explain differences :P

BUGLITCH

  • GCLF Member
  • Offline Offline
  • Gender: Male
  • aze
    • View Profile
    • PRAMA Initiative
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #8 on: March 05, 2017, 07:12:48 am »
Just to mention that, as a reliable member of PRAMA, I also tested on a US version, which means I report stuff on both games. If this can explain that I find strange the fact that his game crashes :P

Krys3000

  • The frenchie
  • Distinguished Member
  • *
  • Online Online
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - Main french pokemon glitch website
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #9 on: March 05, 2017, 07:18:30 am »
Why am I not aware of this? I may have to whip you more often  :D
« Last Edit: March 05, 2017, 12:02:13 pm by Krys3000 »

Aera

  • GCLF Member
  • Offline Offline
  • Gender: Male
  • ... ...
    • View Profile
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #10 on: March 12, 2017, 04:59:55 am »
When I was talking about freezing, I meant on console.
Welcome to the Battle Tower! I am your guide to the Single and Double Battle Rooms. Would you like to take the Battle Room challenge?

>CHALLENGE
>INFO
>DARKRAI
>SHAYMIN
>EXIT

▒h POKé▓░

  • GCLF Member
  • Offline Offline
  • À Á hx Ë Ú ÚLOLA ÁÂÁIÁI U would like to battle!
    • View Profile
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #11 on: March 12, 2017, 11:05:58 am »
Doing this on console also, I can't seem to get it to work either. 99% of any tweaking patterns I've tried on the fast bike just freeze the game instantly. Even the example shown on the first post doesn't seem to work, freezing like all the others... The one that slows down Jubilife City does work, strangely enough, but opening any menu froze the game.
Does the outcome of the tweaking depend on other factors (like items in the bag, party Pokémon, etc.), or does it just not work on console?

Cryo

  • Arceus Tamer
  • Distinguished Member
  • Offline Offline
  • Glitch researcher
    • View Profile
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #12 on: March 12, 2017, 06:25:17 pm »
Does the outcome of the tweaking depend on other factors (like items in the bag, party Pokémon, etc.), or does it just not work on console?

It depends on how the hardware deals with certain conditions, especially when the error handler isn't called and the operating environment gets highly corrupted. The corruption itself is mostly based on the current state of the loaded map tile data, but other factors could definitely affect the glitch.

Parzival

  • The Betrayed, The Cleansed, The Reborn
  • GCLF Member
  • *
  • Offline Offline
  • It begins.
    • View Profile
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #13 on: May 08, 2017, 06:49:57 pm »
When RTS is enabled for Platinum on my R4, when the game normally crashes, the RTS wrapper is called and I can save/load my states or return to the R4 firmware just fine.
...could we use this to load homebrew?
Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.

Caveat

  • The Metropolitan Mutant of Ark
  • GCLF Member
  • *
  • Offline Offline
  • Wrrrooooooaaaar! Peeko!
    • View Profile
Re: The Cascade Glitch - Gateway to Gen IV ACE
« Reply #14 on: May 09, 2017, 04:49:44 am »
In your Torterra example, do the Pokemon's moves actually change or is it just cosmetic?

If they do, maybe one of the glitch moves can be utilized for ACE...

Even if not, maybe you could utilize the glitch to corrupt the Pokemon's moves?
HOLD ME, I'M A PALE MACHINE
LIFE IS JUST OKAY OUT HERE, ANYONE CAN SEE
I'M LONELY, WITH MY PALE MACHINE
EYES WILL RUN WITH TIRED TEARS, LIVING LIKE A DREAM


Japanese Glitchdex
Petscop Thread

Twitter
(warning: contains bad grammar and copious rambling)