Glitch City Laboratories Archives

You can use this to get infinite items by having the Pokemon in the third slot hold an item, every time you give them mail after performing this glitch you will receive the item they were holding but the Pokemon will still be holding the item in their hand, you can then repeat this process as many times as needed so long as you have enough pieces of Mail. However I doubt this would be useful in a speedrun, as to perform the glitch requires having an 'empty' Pokemon in the first slot of your party, and the only way i know of to do this is through the Pomeg Berry glitch. I'm sorry if my description of how to perform the glitch isn't very clear, I will try to come up with a better documentation so that others can recreate it.

Nice find !


So, from my tests, it turns out to be something like :

-You give a letter to the first party Pokémon (empty slot).
-Then, you hit Up twice in order to select party Pokémon 0xFF, and you give him an Item (the "Item" option is always available, probably due to a coding insight that overrides the "check if the party slot is not an Egg/Bad Egg/empty slot" condition).
-Then, either the Item is directly given to the first party Pokémon during the "give an Item" procedure, or the empty party slot 0xFF is moved in front of the party.
In either cases, the empty slot in first party slot now has a non-mail item.
-However, the contents of its mail hasn't been suppressed, as well as a counter that keeps how many letters have been written, and which letter is held by which Pokémon.

-When you repeat the procedure, the new mail will take on the second mail slot, then 3rd, then… up to the 6th mail slot.
Once the game reaches the 6th given mail, more non-intended behaviour happens.

-When you try to give a new mail to a Pokémon after that, the game will look at the contents of mail 0xFF. [The game may be counting down the amount of mail given to party Pokémon, which could then trigger this effect.]
A copy of the selected mail is subtracted from the Bag.
If the Pokémon was already holding an Item, a copy of this Item is added to the Bag (with a check that the Bag isn't full). [The Item is indeed returned to the Bag at this moment in the procedure since even if you quit the mail menu that comes out later by hitting B, the item is still duplicated and one exemplary of the mail is removed.]
The contents for mail 0xFF are read in Pc Pokémon data [Box 2 Slot 27, as Npo said. The mail data is affected by DMA so a specific manipulation of PC Pokémon data is indeed possible.]
Due to another coding insight, the game doesn't check if the 0xFF-th mail already exists [The – word is 0xFFFF. 0x0000 is treated as ????, probably like all non-valid words. Thus, the 0xFF-th mail most always have non-FFFF data, but even if everything is set to 0xFFFF the game will present you the writing mode for the 7th mail]
When exiting this menu, the "change the Pokémon's held Item by a mail" command doesn't happen due to another coding error.
Thus, the Pokémon keeps its previous item, there is one less mail in the Bag, and no mail is given.


This also allows one to modify the data read as 0xFF-th mail data with all the possible non-glitched words.


Regarding the potential data modification, you can affect, as Npo pointed out :
PC Pokémon, Box 2 Slot 27 (located around 0x0202A98C with DMA)
2nd substructure : double-words 2 and 3
3rd substructure : doubles-word 1 and 2, 1st word of double-word 3. [the whole double-word 3 isn't affected]
4 double-words + 1 word = 9 words = 9 mail words you can manipulate

However, the Pokémon will turn into a Bad Egg after such a modification if its checksum isn't preserved.
This requires to know beforehand the data that is written in such double-words, which requires the ID/Secret ID couple of the trainer, the PID of the Pokémon, and some information regarding its EVs and contest stats.
Hopefully, all these things are known for in-game traded Pokémon.

This manipulation procedure could be used to create a Bootstrap Pokémon for ACE in a faster way than the one I planned, but this is completely dependant on the list of hex words that can be used for mail words.
This piece of code looks like this in general : 0258C903 0800B402. [For ACE redirected to Pyramid Bag Items in Emer non-Jpn, with a DMA translation of 18 double-words]
By having the 3rd substructure of the Pokémon being its EVs, xxxxC903 0800B402 could be obtained reasonably (08 is via Pokéblocks, while the rest requires EV manipulation on 4 stats).
Then, 0x0258 could be obtained with this glitch without having to play on double-corrupting the Pokémon and then use the held Item data and one more double-corruption to get it.

This glitch could also be used to obtain certain glitch moves on in-game traded Pokémon quite easily, or certain Items.

Is there a table/list somewhere of all the valid words for mails/tv news in RSE ?


Edit : I couldn't get to the contents of the 8th mail even by setting the contents of the 7th mail to 0xFFFF.
This may be possible, but I don't know how.

This opens to something that I didn't consider.
With another Instant Pomeg Glitch Pokémon (or with the same one but with a specific DMA pattern), it should be possible to affect the value of the 1st party Pokémon that managed the number of the held mail.

Since the data for held mails is quite short, it should start a bit before PC Pokémon data (unless I'm wrong), so not many things other than PC Pokémon corruption could be achieved this way.
However, this could allow us to modify the PID/TID/name/OT/.. of a PC Pokémon.

Edit : In Japanese Emerald, the PC Pokémon data affected by the 0xFF-mail data may be different.

In regards to trying to construct a bootstrap Pokemon using the mail glitch, since there is no valid message that corresponds with 0x0258 you cannot simply write this message to edit the Pokemon, however, it may be possible to write a number that would result in the Pokemon having more EVs then needed, and then reduce it to the desired EV count using berries. for example on an in game traded Pokemon, that has been successfully corrupted, the higher two bytes of the PID would be 0x4000, and writing "MUK" from Pokemon 2 (0x2a58) to the corresponding EV stats would result in 106 and 88 EVs (once decrypted). We want to write 0x0258 which is 66 and 88 EVs once decrypted, so by giving the Pokemon 4 EV reducing berries, the encrypted data will be what we desire. A similar strategy can be used to construct bootstrap Pokemon for other purposes.

Oh yeah, I completely forgot about the potential use of EV-reducing berries.

I haven't looked at all the potential Pokémon names that can be used (especially those with a high second byte).

However, when corrupting the PID/TID of a Pokémon, you will only have a non-Egg form with 2 corruptions (PID and TID) and not just one (except two special cases).
And since PID xor TID is used for data encryption, the 0x4000xxxx that appear on the in-game traded Pokémon's PID and TID after a double-corruption (or 4001xxxx for Meowth and Plusle's PID) compensate together.
Thus, regarding (Speed Es)(Def EVs), the desired values are 0x02 and 0x058 to form 0x0258.
For the other EVs, the xor-ing changes everything, so it will really be dependent on the possible valid words.

The single in-game traded Pokémon that have their EVs substructure as 3rd substructure is Meowth (normal and double-corrupted)
[ Meowth : PID 0x0000008B, TID 0x00016559, PID xor TID : 0x000165D2, MGEA->AMEG ]
Its second substructure will be either Growth (normal) or Miscellanous (double-corrupted).
The data in Growth substructure that could then be changed is its Exp, PP bonuses, Happiness, and ??? (something whose use I don't know).

Thus, two contest stats, the ??? thing (that's at 0x0000), the PP bonuses, and the happiness can be determined beforehand and then be used to get a constant checksum after modifying Meowth's EVs with the Emerald Mail glitch.

An happiness of 0xFF could be useful as its crypted version is FF xor 65 = 9A.
Thus, a change of this 9A for something like 0x12 would change the happiness to 0x77, which would induce a checksum subtraction of 0x8800. (near the 0x8000 maximal change).


Unfortunately, none of the Emerald in-game traded Pokémon have their Growth substructure as their 3rd substructure (in either their normal or double-corrupted form).

However, for the Attacks substructure, Seedot (normal and double-corrupted) and Horsea (double-corrupted) have this substructure as their 3rd substructure.

Although after performing a single corruption to a any Pokemon would result in it turning into an egg, you can still hatch the egg into a Pokemon to be able to modify it's EVs but still have a PID xor TID of 4000xxxx (or 4001xxxx in Meowths case) you would just have to make sure that the species of the Pokemon that is hatched is a non glitch Pokemon, or a Pokemon who doesn't cause the game to crash upon hatching. This way you can still modify the PID xor TID value (is there a shorthand name for that value?) through corruption and still be able to modify it's EVs. Unfortunately the only in game traded Pokemon who has EVs in the third substructure is Meowth and because of it's PID xor TID value, the required EVs to write the bootstrap code is over the limit, even with the work around I described previously. However this means you are not necessarily restricted to only being able to write valid hex values.  This is just a rough over view of the method, I will type up a better step by step method when I have time later today.  :)

Also, although not as nice as using the in game traded Pokemon, we can use rng manipulation to catch pokemon with a specific PID, and using the fact that you can also READ the encrypted data (so long as it's a valid message) as well as write to it, you can calculate your players entire TID without needing to catch a shiny pokemon normally.
The method would work like this. Catch a bunch of spinda (since you can easily figure out their PID from their spots / IVs) and place one in the Box 2 slot that is edited by the mail glitch, and check to see if you can read any data on the left side of the mail (the values that would be Xord with your SID) if you can't replace the spinda with a new one until you find one that works (shouldn't take too long since there are ~1800 valid messages and your checking 4 different values each time) then you would figure out what data the valid message corresponds too and plug it into this equation
PID(high) Xor MessageIndex Xor Data = SID

This is just a rough over view of the method, I will type up a better step by step method when I have time later today.  :)

List of decrypted values depending on their slot and substructure :
Growth (G)
Slot 1 and 4: upper Experience bytes
0x0000 if Smeargle's EXP is lower or equal to 65.535
0x0001 else. (as they have less than 131.072 exp at Lv 50)
Slot 2: Unknown data
0x0000 for every Pokémon
Slot 3: Held Item
0x0000 (No held Item)

Attacks (A)
Slot 1 and 4 : Move 4
0x0000 (No 4th Move)
Slot 2: 256*PP4 + PP3
0x0000 (0 PPs for Move 3 and 0 PPs for Move 4)
Slot 3: Move 2
0x0000 (No Move 2)

EVs and Conditions (E)
All slots:
0x0000 (No EVs, No Contest stats)

Miscellaneous (M) (a little more complicated)
Slot 1 and 4:  IVs
Compute : (floor(Speed IV/2))+16*(Special Atk IV) + 512*(Special Def IV) + 32.768*(Ability) in decimal.
Then convert this value to hexadecimal to obtain the decrypted value.

Ability is 0 if the Pokémon has its first ability, and 1 if it has its second ability. (It is 0 for a wild Smeargle.)

Slot 2:Ribbons and Obedience
0x0000 (No Ribbons)

Slot 3: Origins Info
Compute : Met Lv + (Origin version)*128 + (Ball)*2048 + (Trainer gender)*32.768 in decimal.
Then, convert it to hexadecimal to obtain the decrypted value.

Origin version is 3 for Emerald
Ball is 1 for Master Ball, 2 for Ultra Ball, 9 for Repeat Ball.
Trainer gender is 0 for male and 1 for female
For the whole possible values, check bulbapedia's page : https://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_substructures_in_Generation_III


- Obtain the hexadecimal value tied to the mail word.
If this isn't a Pokémon name, find the value here : https://pastebin.com/s53DQyxX
If this is the name of a Gen 3 Pokémon, the tied value is the hexadecimal identifiant of this Pokémon in Gen III. (not the national Pokédex number) List of Gen III identifiants : https://bulbapedia.bulbagarden.net/wiki/List_of_Pok%C3%A9mon_by_index_number_(Generation_III)
If this is the name of a Gen 1-2 Pokémon that isn't in the Hoenn Pokédex, the tied value is the hexadecimal identifiant of this Pokémon.

If the message is the name of a Gen 1-2 that is in the Hoenn Pokédex, Abra for example, then you will have to double check to see if it's from the Pokemon 1 or Pokemon 2 group. You can do this by re writing the name of the Pokemon from Pokemon group 2 and then attempt to give the mail to the Pokemon, if a message appears asking you if you want to stop giving the mail to the Pokemon, than note that the Pokemon name came from group 2, if it ask you if your OK with giving this message to the Pokemon then note down that the Pokemon name came from group 1. DO NOT GIVE the Pokemon the mail!
If the Pokémon's name is from the "Pokémon 1" group, then its tied value is 0x00yy the hexadecimal identifiant of this Pokémon.
If the Pokémon's name is from the "Pokémon 2" group, then its tied value is 0x2Ayy, where yy is the hexadecimal dentifiant of this Pokémon.


- Then, obtain the PID in hexadecimal with the formula : PID = (mail word value) xor (high PID) xor (decrypted value).

Well, unfortunately no.
When hatching an Egg, its TID is changed to yours and all its data is re-encrypted with the new PID xor TID.
Thus, you completely lose the 0x0000xxxx TID from the in-game trainer of the in-game traded Meowth, which makes the rest of the procedure undoable unless you can determine your Secret ID and do many calculations.

This is a really nice idea, and a really nice way to determine the Secret ID of a save file in Gen III !
Good Pokémon to catch for an easy PID determination are Smeargles as they are high levelled and are easy to find and by catching them up to a few minutes after a soft-reset, their TID is easily found on RNG Reporter.



For them, the indicative information becomes : ….

I like the idea of using smeargle better, calculating a PID from spinda spots gets kinda finicky. I did do some calculations for the odds of finding a spinda that would work for my method and it comes out to about 7%, so a box for a box full of spinda there is a ~89% chance one of them will work. The odds would be slightly different for smeargel since most of the possible values that could be read from ie. Move 4 , PP3 + PP4 Move 2, ext. would always have the same value of zero unencrypted, so if smeargles PID mod 24 = 0 for example, all for slots would be the same number. This is also true in some cases for spinda as well, so it would ultimately be a pretty small change in odds. It would still be better to go for the smeargle strategy.

Either way this method is MUCH faster then trying to find a shiny Pokemon! And using rng manipulation you can now search for PID's that would xor with your trainer id so that you can write values into the item slot to get specific glitch items much faster and easier. Or even to set up bootstrap pokemon.