Author Topic: The CartSwap ACE - Using Pokémon to ACE / credits warp other games  (Read 8663 times)


Charmy
Goddamn it, if only I had posted earlier, I could have been on YouTube. Anyway, I challenge someone to speedrun SMB Deluxe: w sm%.
« Last Edit: December 17, 2016, 08:12:09 am by Charmy »
"Time is mone
Go along then" - Old Man


TMZ4 is the BEST TM while the sucky Channel is the best channel.

Torchickens
Wow, this is amazing!! Great work ISSOtm and TheZZAZZGlitch. I'm excited because I have a fair number of games in my GB/C collection and this makes me want to edit the SRAM in those games to do cool stuff. In Pokémon Crystal writing 0B to SRAM 01:BE3C allows you to obtain a GS Ball gift in Goldenrod City Pokémon Center, so theoretically you could use 8F/ws m to set that in the SRAM of your Crystal (which would be a neat no bad clone/Link Cable-less method of doing it).

Would love to see a Super Mario Bros. Deluxe trick that lets you access the lost-lost levels, or glitch monsters in monster battling games like Telefang, Bugsite and Sanrio Timenet.
« Last Edit: December 17, 2016, 06:30:02 pm by Torchickens »
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you Myri for my avatar! Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

MrCheeze
Just saw ZZAZZ's video, fantastic work to both of you. So at this point it's possible to use the first-gen Pokemon games to 1) run arbitrary Game Boy code, 2) run arbitrary SNES code, and now 3) run arbitrary code in any other GB game. To me, this suggests a followup to look into:

  • Is it possible for the SNES to survive having its cartridge removed, in the same way as the GBC? If so, then taking over various SNES games should also be possible.

That's not the only crazy-but-possible idea for ACE applications, either. I can think of several others:

  • It is known to be possible to trigger ACE in an unglitched game via the Cable Club, and also to permanently install a payload to a save file. By combining these two facts, it should be possible to create the world's first Game Boy virus! In other words, a save file containing a payload that automatically triggers in the Cable Club, running code that copies the save file from one game to the other.
  • If the emulator used for Pokemon on the 3DS has any bugs in it that lets us elevate from GB ACE to 3DS ACE - a bug emulators can have! - then it could be used as a new 3DS homebrew entrypoint.
  • A more forgotten GB emulator is the one used for the Game Boy Tower in all three Pokemon Stadium games. If such a bug were found in this emulator, it would actually be even more significant: it would be the first method ever discovered to get Arbitrary Code Execution on the N64.
  • If the above ACE glitch for the N64 turns out to exist, then it leads to the same followup question as the SNES: can we switch cartridges to take control of arbitrary N64 games? If so, perhaps we can finally find a way to beat Tick Tock Clock without requiring any A presses. ;)

We're living in exciting times, full of potential. Although, due to the need for various hardware tests, as well as the generally poor state of N64 emulation, some of the things above would be much harder to pull off than others.


Finally, I have one other comment. I notice everyone around here seems to prefer using 8F as their method to trigger arbitrary code execution. But since simply turning off while saving is sufficient to get total control over WRAM (tossing items to write any byte, swapping Pokemon to move memory around), and this requires no setup at all, surely it must be possible to get arbitrary code much faster this way? But I may be missing something here, as I haven't personally triggered ACE using either method.
« Last Edit: December 18, 2016, 10:22:59 am by MrCheeze »

ISSOtm
ACE is possible using the SRAM Glitch (what you called "turning off while the game is saving"), but in non-JP versions, this is extremely hard.
Also, the problem with this glitch is that the game is quite unplayable due to a number of factors, so 8F / ws m are used mainly because the rest of the game is still accessible. tl;dr : it's more human-friendly.
If a "playaround TAS" comes out using this, it will certainly use the SRAM glitch to trigger ACE.


Your SNES idea seems very possible, maybe using a piggybacking adapter if needed (I doubt so, though). Yummy ! I'm going to write a method that would work for our purposes.
[offtopic]Also, we didn't test if we can swap cartridges on a SGB. This may entirely be possible.[/offtopic]


To get ACE on the Stadium emulator, I looked for the source code, but I can't find anything. Darn.
If we can do something, well then I bet it will be about buffer overflow. I think someone here (SatoMew ?) had tried the invalid opcodes, and that failed.


Assuming we take control of the Stadium emulator, I'm almost certain it won't let us "Luigi transport" ACE, because the copy protection chip periodically checksums the cartridge. We might be able to knock it out in some way, but I dunno how.


Last thing, two of your links are broken. I bet the first one was this, but I don't see what the second is :/
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

MrCheeze
Fixed the links, thanks.

Given the extreme versatility of the SRAM glitch, I have no doubt it's possible to compensate for its side effects. But I realize that's still more conceptual complexity than just using 8F, so point taken.

Good point about testing whether the SGB lets you swap Game Boy cartridges, that's an important thing to check since it's the only way to record high quality footage of the phenomenon. As for the SNES cartridges, I would have expected swapping them to work fine, but I asked Dotsarecool to try it out and his reply was "I can't get it to work. seems like it should work to me though". So perhaps the SNES depends on always having a cartridge loaded, one way or another.

And with the N64, far more information can be found in the page cited by the article you linked. Importantly, it reveals that only a small minority of games do any copy protection after boot. And the whole discussion on "boot emulators" seems at least tangentially relevant.

In general, with achieving cartridge swap on more consoles, it seems tricky to know if it's truly impossible or if there was some necessary step that was missed. But probably not worth putting much thought into it if it doesn't appear to be possible.

As for getting ACE in Stadium. I mentioned the state of N64 emulation is poor. Strangely, I managed to get the GB Tower to work fine in Stadium 2 in Project64, but Stadium 1's just gives a black screen. But this means that debugging tools can be used to work out what code the emulator-in-an-emulator is using, at least.

Torchickens
I was thinking through what you could do with this last night and I suddenly thought I wonder if it's possible to store a homebrew game into an official Game Boy Memory cartridge?

In Japan there was a service called Nintendo Power in which you could save games on to Game Boy Memory or SFC Memory cartridges for cheaper than it would be compared to buying the actual cartridge, with a few games being exclusive to the service.

So could you write to SRAM with something like 8F/ws m (store data in box data first then copy memory to SRAM) and create data/a listing for a homebrew game? I really don't know if this would work though as I know nothing about how data is stored on a Game Boy Memory cartridge.

MrCheeze
The games are stored in flash memory, not SRAM, but yes you can.
« Last Edit: December 18, 2016, 02:38:50 pm by MrCheeze »

Torchickens
Quote from: MrCheeze
The games are stored in flash memory, not SRAM, but yes you can.

I see, mm. Yeah I thought about what I said later and imagined that would probably be the case. That's pretty nifty. Thanks for the link. :)

ISSOtm
Quote from: MrCheeze
In general, with achieving cartridge swap on more consoles, it seems tricky to know if it's truly impossible or if there was some necessary step that was missed. But probably not worth putting much thought into it if it doesn't appear to be possible.
My bet is that we need to look at the hardware. The good question being "What could lock the console ? What is active after the boot ?"
Also, the problem we have with the SNES might be the one I got with the PGB :
Apparently this may NOT work on a DMG, unless you have extreme luck. (Source, read the comments)
Quote from: Gameboygenius
@MelonStorm @vxbinaca Yes, there's a blocking bar on DMG (the first Gameboy.) But not only that. You will almost always crash the DMG when you remove the cartridge. I believe the reason for this is CMOS latchup. How they fixed this on GBC, if you open up the unit and look inside, is by moving the ground ping closer to the cartridge so it makes first and breaks last when you insert/remove the cartridge.
Quote from: furrtek
@Gameboygenius I'll have to get a DMG for testing then, I plan on using this for a game. Works fine on the GB Pocket and I don't see any difference in the placement of the contacts on the GBC slot.
To test, then.
But on SNES we maybe could try using a piggybacking adapter.
I have no SNES so I can't test. But if it works..!

Quote from: MrCheeze
As for getting ACE in Stadium. I mentioned the state of N64 emulation is poor. Strangely, I managed to get the GB Tower to work fine in Stadium 2 in Project64, but Stadium 1's just gives a black screen. But this means that debugging tools can be used to work out what code the emulator-in-an-emulator is using, at least.
I do have a N64, I could get Stadium (and possibly a Transfer Pak) in under three weeks... but my Pokémon Red cartridge's battery died. I dunno if that may matter, and if my EverDrive GB could be a replacement.
Also, did you try BizHawk ? Since this is the recommended emulator at TASVideos for the N64, I bet it has to be better :P
(And maybe it has to do with the rendering plugin. I really am a noob when it comes to the N64, I would like to learn the ASM for the MIPS proc but can't find tutorials ><)

Cryo
Just an update, this does work on the SNES. ;D

Unfortunately, it doesn't work on the N64. I tested both Pokemon Stadium and Pokemon Stadium 2 on a physical N64, to no avail. It seems like the interrupt handler for the N64 takes precedence over the emulator's interrupt handler, whereas the SNES may just hand off all GB cartridge concerns to the SGB itself.

As a few points of interest, there were two unintended effects that occurred when trying to do the glitch: One was a softlock and the other was a VRAM glitch that I haven't seen before on a Game Boy. The VRAM glitch appeared to be a SNES-specific glitch due to the coloration, but idk. I'm not sure if it was an error in how the SNES handled the cartridge being removed, a side effect of the SGB's palette, or something else entirely.

Also, this doesn't seem to have been mentioned yet, but when testing on actual hardware, the game will do a hard reset about 50% of the time. I've had the best luck when pulling the cartridge straight out as quickly as possible and when inserting it by resting it on the cartridge slot and giving it a quick push with the bottom of my palm. If I remove it slowly or tilt it when pulling it out, it hard resets whenever it's pulled out much of the time. Similarly, if I insert it too slowly, it hard resets upon making contact with the cartridge reader much of the time. The issue is persistent across the DMG (latch removed), CGB, SGB, and MGB models. I haven't tested a Game Boy Light yet, since I don't have one, but I'd guess it also suffers the same fate.

Charmy
Could anyone test if it works outside the SGB and can execute code on SMW or some other game on the SNES?
I don't think it's possible though.
« Last Edit: December 19, 2016, 12:39:54 am by Charmy »

MrCheeze
That's what I had Dotsarecool test earlier, or at least an equivalent test. To recap, the compatibility for cartridge swap:

Game Boy: No
Game Boy Pocket: Yes?
Game Boy Color: Yes
Game Boy Advance/SP/Player: No

Game Boy cartridge in a Super Game Boy: Yes
Game Boy cartridge in a Transfer Pak: No

SNES cartridge: No (previously: Apparently no)
N64 cartridge: No (previously: Unknown)
« Last Edit: December 28, 2016, 12:20:24 am by MrCheeze »

ISSOtm
Quote from: Cryo
Just an update, this does work on the SNES. ;D

Unfortunately, it doesn't work on the N64. I tested both Pokemon Stadium and Pokemon Stadium 2 on a physical N64, to no avail. It seems like the interrupt handler for the N64 takes precedence over the emulator's interrupt handler, whereas the SNES may just hand off all GB cartridge concerns to the SGB itself.
Yeah, thank you for testing ! This working on the SNES is good news, but I'd like some clarification about the Stadium test : what exactly happened when you removed the cartridge ? What I'd like to know is if the emulator did a check on Pokémon R/B/Y and the checksum didn't match (or something like that) or if the emulator crashed (meaning it still tried to poll data from the cart).
This may be useless, but might not.

Quote from: Cryo
As a few points of interest, there were two unintended effects that occurred when trying to do the glitch: One was a softlock and the other was a VRAM glitch that I haven't seen before on a Game Boy. The VRAM glitch appeared to be a SNES-specific glitch due to the coloration, but idk. I'm not sure if it was an error in how the SNES handled the cartridge being removed, a side effect of the SGB's palette, or something else entirely.
Waaaaw. What the hell. x) It has to be SNES though, since it happened as you removed the cartridge.
I remember I tried the setup once and it didn't work, I still got a crash.
My theory about it was that somehow, interrupts weren't disabled. This left me to wonder if it is possible for an interrupt to execute just after a DI instruction, and then for it to re-enable interrupts on "reti" ? If that's the case, welp, this glitch isn't 100% working.

Actually, I'm quite in the dark about this, I think it involves more knowledge in electronics than programming.
Well, we are doing things the console conceptors really didn't have in mind when they made the hardware xD

Quote from: Cryo
Also, this doesn't seem to have been mentioned yet, but when testing on actual hardware, the game will do a hard reset about 50% of the time. I've had the best luck when pulling the cartridge straight out as quickly as possible and when inserting it by resting it on the cartridge slot and giving it a quick push with the bottom of my palm. If I remove it slowly or tilt it when pulling it out, it hard resets whenever it's pulled out much of the time. Similarly, if I insert it too slowly, it hard resets upon making contact with the cartridge reader much of the time. The issue is persistent across the DMG (latch removed), CGB, SGB, and MGB models. I haven't tested a Game Boy Light yet, since I don't have one, but I'd guess it also suffers the same fate.
Oh, really ? I got this problem with my first setup (the old one, which polled $0001, waited for it to become $FF, and then for it NOT to be $FF), which had a 12% success rate (out of ~40 times, I got like 5 successful attempts), where all my successes had me pull the cart straight.
I like to think it comes from the pins disconnecting in an incorrect manner, but I don't quite know what could be the culprit.
According to this, this is the pin layout :
Quote from: GbDevWiki
Pin   Name    Expl.
 1     VDD     Power Supply +5V DC
 2     PHI     System Clock
 3     /WR     Write
 4     /RD     Read
 5     /CS     Chip Select
 6-21  A0-A15  Address Lines
 22-29 D0-D7   Data Lines
 30    /RES    Reset signal
 31    VIN     External Sound Input
 32    GND     Ground
I don't even know what the "PHI", "CS" and "RES" pins may be used for.
I'm really clueless.


Can I get some details about the test Dotsarecool did ? I'd like to try some things, but if you already did it then it's worthless :P
« Last Edit: December 19, 2016, 04:16:25 pm by ISSOtm »

TheZZAZZGlitch
Quote from: ISSOtm
My theory about it was that somehow, interrupts weren't disabled. This left me to wonder if it is possible for an interrupt to execute just after a DI instruction, and then for it to re-enable interrupts on "reti" ? If that's the case, welp, this glitch isn't 100% working.

I think this shouldn't be possible. Z80 doesn't have any instruction pipelining or fancy hyperthreading stuff, so every clock cycle should execute exactly one instruction before checking for interrupts. So an interrupt could only happen either directly before disabling (instruction pointer on DI), or directly afterwards, ending up in a queue (instruction pointer on instruction after DI).

But if I'm wrong, there should be nothing preventing us from fixing the problem with brute force:

Code:
; the more the better
di
di
di
di
di
di

Quote from: Cryo
Also, this doesn't seem to have been mentioned yet, but when testing on actual hardware, the game will do a hard reset about 50% of the time. I've had the best luck when pulling the cartridge straight out as quickly as possible and when inserting it by resting it on the cartridge slot and giving it a quick push with the bottom of my palm. If I remove it slowly or tilt it when pulling it out, it hard resets whenever it's pulled out much of the time. Similarly, if I insert it too slowly, it hard resets upon making contact with the cartridge reader much of the time. The issue is persistent across the DMG (latch removed), CGB, SGB, and MGB models. I haven't tested a Game Boy Light yet, since I don't have one, but I'd guess it also suffers the same fate.
Quote from: ISSOtm
Oh, really ? I got this problem with my first setup (the old one, which polled $0001, waited for it to become $FF, and then for it NOT to be $FF), which had a 12% success rate (out of ~40 times, I got like 5 successful attempts), where all my successes had me pull the cart straight.
I like to think it comes from the pins disconnecting in an incorrect manner, but I don't quite know what could be the culprit.
According to this, this is the pin layout :
Quote from: GbDevWiki
Pin   Name    Expl.
 1     VDD     Power Supply +5V DC
 2     PHI     System Clock
 3     /WR     Write
 4     /RD     Read
 5     /CS     Chip Select
 6-21  A0-A15  Address Lines
 22-29 D0-D7   Data Lines
 30    /RES    Reset signal
 31    VIN     External Sound Input
 32    GND     Ground
I don't even know what the "PHI", "CS" and "RES" pins may be used for.
I'm really clueless.

I would assume there is some cartridge line that is connected to the internal reset pin on the CPU. Unwanted noise from pulling the cartridge would put this pin in a low state, which would explain the sudden hard resets.

Doing the swap as quickly as possible should partially prevent this. Also, pulling the cart straight up and evenly on both sides makes sure all pins disconnect at roughly the same time.

Quote from: Cryo
As a few points of interest, there were two unintended effects that occurred when trying to do the glitch: One was a softlock and the other was a VRAM glitch that I haven't seen before on a Game Boy.

These glitches seem really interesting to me. They directly affected the SNES hardware and escaped the Gameboy CPU, forcing me to think that the SGB probed the inserted GB cartridge for some purpose, read garbage data when in the middle of the cart swap and caused some kind of overflow.
I guess some reversing needs to be done on the SGB ROM to see whether it periodically accesses cartridge data and under what conditions.
« Last Edit: December 19, 2016, 07:13:30 am by TheZZAZZGlitch »
qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF

MrCheeze
By the way, I just stumbled on something interesting in what appears to be the official N64 programming manual.

Quote
osGbpakReadWrite

Read/write process to the Game Boy Game Pak memory

(...)

Caution is required when dealing with the returned values. This function cannot determine whether the Game Boy Game Pak has been pulled out, or whether Game Boy Game Paks have been exchanged. That is to say, a "0" (normal termination) is returned even if the Game Boy Game Pak has been removed during function operations. Thus, please confirm the status before and after calling this function to make sure the Game Boy Game Pak has not been removed.

In other words, they instruct programmers to (manually) verify that the game boy cartridge is never removed or swapped out. This both explains why the GB cartridge cannot be swapped even if game boy ACE is achieved, and tells us that the GB cartridge can be swapped if N64 ACE is ever found.
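The manual's advice quoted above amounts to a time-of-check/time-of-use guard on removable media: the transfer itself reports success no matter what happened to the Game Pak, so the caller must compare its status before and after. The C below is an added illustration of that pattern, not code from the thread, the N64 manual or libultra; the pak model, its status word and every function name in it are hypothetical stand-ins constructed for the example. It shows that an unchecked read across a swap returns "0" with a buffer stitched from two different carts, while the wrapper that snapshots status on both sides rejects the result.

```c
/* Added example: modelling "confirm the status before and after" for a
 * removable Game Pak. Everything here is a constructed simulation; none of
 * these names are libultra APIs. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAK_MEM_SIZE 64

typedef struct FakePak FakePak;
typedef void (*SwapHook)(FakePak *);

/* Hypothetical view of the pak as seen through the Transfer Pak. */
struct FakePak {
    int      inserted;              /* 1 while a cart is seated in the slot */
    uint32_t cart_id;               /* identity of the seated cart (constructed) */
    uint8_t  mem[PAK_MEM_SIZE];     /* the cart's addressable memory */
    SwapHook mid_transfer;          /* fires halfway through a read: simulates a pull or swap */
};

/* Status snapshot a caller can compare across an operation. */
typedef struct { int inserted; uint32_t cart_id; } PakStatus;

static void fake_get_status(const FakePak *pak, PakStatus *out) {
    out->inserted = pak->inserted;
    out->cart_id  = pak->cart_id;
}

/* Mirrors the documented behaviour: copies whatever is in the slot and
 * returns 0 ("normal termination") even if the cart was pulled or exchanged
 * while the transfer was in progress. */
int fake_read_write(FakePak *pak, uint16_t addr, uint8_t *buf, uint16_t n) {
    if ((uint32_t)addr + n > PAK_MEM_SIZE) return -1;
    uint16_t half = n / 2;
    memcpy(buf, pak->mem + addr, half);
    if (pak->mid_transfer) pak->mid_transfer(pak);   /* the swap happens here */
    memcpy(buf + half, pak->mem + addr + half, n - half);
    return 0;
}

/* Defensive wrapper: status before, transfer, status after. Returns 0 on
 * success, 1 if the pak vanished or changed identity across the call (the
 * buffer is zeroed so data of unknown origin is never consumed), -1 on error. */
int checked_pak_read(FakePak *pak, uint16_t addr, uint8_t *buf, uint16_t n) {
    PakStatus before, after;
    fake_get_status(pak, &before);
    if (!before.inserted) return -1;
    if (fake_read_write(pak, addr, buf, n) != 0) return -1;
    fake_get_status(pak, &after);
    if (!after.inserted || after.cart_id != before.cart_id) {
        memset(buf, 0, n);
        return 1;
    }
    return 0;
}

/* Constructed scenarios: a different cart is seated, or the cart is pulled. */
void hook_swap(FakePak *pak) { pak->cart_id = 0xBBBBu; memset(pak->mem, 0x22, PAK_MEM_SIZE); }
void hook_pull(FakePak *pak) { pak->inserted = 0; }

void make_pak(FakePak *pak, SwapHook hook) {
    pak->inserted = 1;
    pak->cart_id = 0xAAAAu;                  /* constructed id of the original cart */
    memset(pak->mem, 0x11, PAK_MEM_SIZE);    /* constructed contents */
    pak->mid_transfer = hook;
}

/* Drivers so each path can be exercised on a fresh pak. */
int run_unchecked(uint8_t *buf, uint16_t n, SwapHook hook) {
    FakePak p; make_pak(&p, hook);
    return fake_read_write(&p, 0, buf, n);
}
int run_checked(uint8_t *buf, uint16_t n, SwapHook hook) {
    FakePak p; make_pak(&p, hook);
    return checked_pak_read(&p, 0, buf, n);
}
/* Number of bytes in buf that differ from expected (0 means a clean read). */
int count_mismatch(const uint8_t *buf, uint16_t n, uint8_t expected) {
    int bad = 0;
    for (uint16_t i = 0; i < n; i++) if (buf[i] != expected) bad++;
    return bad;
}

int main(void) {
    uint8_t buf[16];
    int rc = run_unchecked(buf, sizeof buf, hook_swap);
    printf("unchecked read across swap: rc=%d, first=%02x last=%02x (mixed carts)\n",
           rc, buf[0], buf[15]);
    printf("checked read across swap:   rc=%d\n", run_checked(buf, sizeof buf, hook_swap));
    printf("checked read across pull:   rc=%d\n", run_checked(buf, sizeof buf, hook_pull));
    printf("checked read, no event:     rc=%d, mismatches=%d\n",
           run_checked(buf, sizeof buf, NULL), count_mismatch(buf, sizeof buf, 0x11));
    return 0;
}
```

The point of comparing an identity value and not just "inserted" is that a swap restores the inserted state before the second check, so an insertion-only check would pass; the same reasoning is why a game that only validates the cartridge at boot cannot notice a swap later.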