Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation IV Glitch Discussion

Obtaining Arceus via the Void Glitch

Posted by: Cryo
Date: 2017-01-10 23:20:21
By using the RETIRE trick, it is possible to obtain Arceus via the Void glitch.

The steps below must be followed exactly. The RAM values being manipulated are loaded map data, and entering any map different than the ones you'd encounter by following the steps below may overwrite the data we need.

STEPS: (from the Poketch Co. door)
[tt]
=======
Step 1
=======
1 S
17 W
14 N
2015 W
512 S
Save & Reset

=======
Step 2
=======
32 E
384 S
32 W
1792 S
128 W
32 S
192 W
64 S
160 W

=======
Step 3
=======
96 S
96 E
32 S
63 E
1 N
63 E (or 64 E if you've already been to Pal Park before)
191 N
1 N

=======
Step 4
=======
192 E
66 S
1 N

=======
Step 5
=======
192 W
64 N
64 W
32 N
128 W
64 N
64 W
96 N
226 E
Start -> RETIRE

=======
Step 6
=======
34 S
33 W
128 S
160 W
160 S
160 E
31 S
1 S
64 E
166 N
1 N
Start -> RETIRE[/tt]

Video: https://www.youtube.com/watch?v=VrhHXG3cuAw


[size=12pt]EXPLANATION[/size]

Each of the steps listed above loads a desired map property into memory, which we then travel to in order to encounter that property as our current map ID (in turn loading different map properties). Below are the target maps that get loaded, as well as the map property that determines the next map ID, in order to activate the RETIRE trick.

[tt]
(2) Underground
    Sprite 1:
        X Coordinate: 392 (Route 221)

(392) Route 221
    Warp 1:
        Map ID: 393 (Pal Park entrance)

(393) Route 221 R1-01
    Warp 1:
        Map ID: 251 (Pal Park)
[/tt]

The maps and properties below lead to the Hall of Origin.

[tt]
(45) Oreburgh City
    Sprite 13:
        X Coordinate: 316 (Lake Valor cavern)

(316) Lake Valor R1-03
    Sprite 0:
        Flag: 510 (Hall of Origin)
[/tt]

Once Arceus is captured, the only thing left to do is to disable Pal Park mode and exit the void, which is done by using RETIRE in the Pal Park map. This is the only way to initiate the [tt]StopGreatMarsh 1[/tt] function.

Note: Encountering maps with IDs greater than 558 will overwrite almost all of the map data, so RAM values 0x022F - 0xFFFF should be avoided.


THE RETIRE TRICK
Using the RETIRE option in Pal Park works as expected, asking if you'd like to leave, then either warping you out or doing nothing. However, when used anywhere else, the RETIRE option will immediately run the 4th script loaded in a given map.

An important distinction to make is that this does not refer to the script at index 3 of the map data. Instead, it refers to the order that the scripts are run. For example, the Hall of Origin has only 3 scripts, but the order that the scripts are run is as follows:



Since the 3rd script is loaded twice, using the RETIRE option runs Script 3, which happens to be the encounter script for Arceus.


EDIT: After doing research into a few rare cases of the game crashing after Arceus is caught, I noticed that the freeze was caused by users hacking the Shaymin event into their game. Specifically, the data at [Base + 0x23998] is permanently changed from 0x76 to 0x7A after using the Oak's Letter key item and opening up Seabreak Path.

This can be fixed by doing these steps in place of the [tt]1792 S[/tt]:

[tt]1152 S
32 E
64 S
32 W
576 S[/tt]

Re: Obtaining Arceus via the Void Glitch

Posted by: SatoMew
Date: 2017-01-11 05:34:01
Wow, amazing discovery, Cryo! :) Is this for Diamond and Pearl only?


[quote]After saving at 430N and resetting, your position in RAM is set to [tt][base] + 0x227D0[/tt]. We're looking for a specific X coordinate's location in RAM, which is at [tt][base] + 0x24A8C[/tt]. There are multiple areas in RAM that hold your X coordinate, but this one in particular has a slight delay that allows us to battle Arceus in the Hall of Origin itself.[/quote]


These addresses are for the English versions, correct?

Re: Obtaining Arceus via the Void Glitch

Posted by: Torchickens
Date: 2017-01-11 05:41:03
Amazing find Cryo! :D Is this your work or did somebody else make the initial discovery? Nevertheless kudos to you.

So after so many years we can now get Arceus with the void glitch (but with walk through walls).

Do you think there might be a way to bypass the invisible walls by making different steps?

Re: Obtaining Arceus via the Void Glitch

Posted by: Cryo
Date: 2017-01-11 11:17:33

[quote]Wow, amazing discovery, Cryo! :) Is this for Diamond and Pearl only?

These addresses are for the English versions, correct?[/quote]


Thanks! The steps will only work with the English editions of Diamond and Pearl, but the steps could definitely be modified to work with Platinum as well as the various languages of each!



[quote]Amazing find Cryo! :D Is this your work or did somebody else make the initial discovery? Nevertheless kudos to you.[/quote]


Ahh thank you! ;w;

But yes, I discovered the new findings utilized in the method (mostly controlled RAM jumping and the RETIRE trick) and crafted the steps to encounter the legit HoO (map ID 510) and battle Arceus.



[quote]Do you think there might be a way to bypass the invisible walls by making different steps?[/quote]


Absolutely! As long as we can encounter our X and/or Y coordinate data in the void, all that would need to be altered are the steps to get there. My exact method in the original post isn't the only way to obtain Arceus though.

In practice, all that matters is the following process:

Re: Obtaining Arceus via the Void Glitch

Posted by: Torchickens
Date: 2017-01-11 12:51:22
You're very welcome. :)

Cool, thanks for the information.

Re: Obtaining Arceus via the Void Glitch

Posted by: Cryo
Date: 2017-01-23 12:57:31

[quote]Do you think there might be a way to bypass the invisible walls by making different steps?[/quote]


I've actually been working on this for some time now, and I've come up with a completely safe method that will always work on any version of Pokemon Diamond and Pearl, regardless of save progress. In addition, it can be performed in under 15 minutes (8,046 steps) and allows you to encounter Arceus an unlimited amount of times.

I've updated the original post with the steps. ;)

Re: Obtaining Arceus via the Void Glitch

Posted by: ISSOtm
Date: 2017-01-23 13:10:12
Wow! Amazing. Could… could there be a way to obtain ACE using such a method? Maybe using an invalid map to overwrite a script pointer, then adding the RETIRE option, then using the option to run some payload code in RAM?
Not sure if that's even possible x)

Re: Obtaining Arceus via the Void Glitch

Posted by: Torchickens
Date: 2017-01-23 13:34:08


[quote]Do you think there might be a way to bypass the invisible walls by making different steps?[/quote]

[quote]I've actually been working on this for some time now, and I've come up with a completely safe method that will always work on any version of Pokemon Diamond and Pearl, regardless of save progress. In addition, it can be performed in under 15 minutes (8,046 steps) and allows you to encounter Arceus an unlimited amount of times.

I've updated the original post with the steps. ;)[/quote]


Amazing! I didn't expect it to be found this quickly. Congratulations!! This is groundbreaking. :D

Re: Obtaining Arceus via the Void Glitch

Posted by: Torchickens
Date: 2017-01-24 15:25:37
SM confirmed it in the Korean version.
https://www.youtube.com/watch?v=WqkKYRcOgOQ

Re: Obtaining Arceus via the Void Glitch

Posted by: Stackout
Date: 2017-01-24 20:57:45
Now THIS looks interesting.

Any chance of a more technical writeup? I still don't fully understand why this actually works, in fact, the explanations that have been given just make more questions.

The list of steps and the current explanation, to me, seem like bits are being flipped somewhere useful, and this is being abused to gain some kind of write primitive. Is this basically correct?

Re: Obtaining Arceus via the Void Glitch

Posted by: Krys3000
Date: 2017-01-25 01:50:42
That IS amazing. I need to test this!

Re: Obtaining Arceus via the Void Glitch

Posted by: Krys3000
Date: 2017-01-25 11:03:57
Report working on French games

[img]https://pbs.twimg.com/media/C3B6a_aUEAArMOK.jpg[/img]

Re: Obtaining Arceus via the Void Glitch

Posted by: Cryo
Date: 2017-01-25 15:09:14

[quote]SM confirmed it in the Korean version.
https://www.youtube.com/watch?v=WqkKYRcOgOQ[/quote]

[quote]Report working on French games[/quote]


Oh awesome!


[quote]Now THIS looks interesting.

Any chance of a more technical writeup? I still don't fully understand why this actually works, in fact, the explanations that have been given just make more questions.

The list of steps and the current explanation, to me, seem like bits are being flipped somewhere useful, and this is being abused to gain some kind of write primitive. Is this basically correct?[/quote]


Sure thing!

It (unfortunately) doesn't provide any form of arbitrary write capabilities; rather, it forces known values to be loaded into RAM for chained exploitation.


[size=12pt]BACKGROUND[/size]

Pokemon D/P uses dynamic addressing, so the base address and most associated memory offsets will be different across each localization of D/P. For consistency, I'll be using the addresses and offsets for the US version of D/P.

All maps in the game have 4 main event properties associated with them: Furniture (statues, plants, etc.), Objects (sprites), Warps (doors, cave entrances, etc.), and Triggers (automatic script-triggering tiles). Below is a table of the base address and memory offsets that will come into play later.

[tt]Base Address      = [0x02106FC0]

Map Matrix Height = Base + 0x22AD8
Map Matrix Width  = Base + 0x22AD9
Map Matrix Layout = Base + 0x22ADA
Map Data          = Base + 0x23C6E

Furniture Count   = Map Data + 0x20
Object Count      = Map Data + 0x24
Warp Count        = Map Data + 0x28
Trigger Count     = Map Data + 0x2C

Furniture Address = Map Data + 0x30
Object Address    = Map Data + 0x34
Warp Address      = Map Data + 0x38
Trigger Address   = Map Data + 0x3C

Furniture Data    = [Furniture Address]
Object Data       = [Object Address]
Warp Data         = [Warp Address]
Trigger Data      = [Trigger Address][/tt]



[size=12pt]MAP MATRIX LAYOUT[/size]

At offset [tt]0x22ADA[/tt] from the base address, we've got the layout of the map matrix. This is an 1800-byte section that defines which map ID you'll enter when you travel a certain distance in that map. In Sinnoh, this takes up much of the 1800-byte space, whereas indoor areas take up hardly any of it.

The reasoning behind the 1800-byte length comes from the maximum matrix height and width allowed, 30x30. Let's use Sinnoh as an example, which has matrix dimensions 30x30. This means that the layout of map IDs contained within this area wrap around every 30 map IDs, or every 60 bytes. It may be hard to visualize by just looking at a stream of map IDs, so I've placed the 1800-byte map matrix layout over the Town Map so you can see just how it all fits together.

Hex view with padded zeroes: http://i.imgur.com/zOn4ZHR.png
Decimal view without padding: http://i.imgur.com/OCFVokR.png

Visually, traveling downwards from Jubilife City into Route 202 is simply going from map ID 3 to map ID 343, which is true, but what's also happening is that your position in RAM is being offset by a number of map IDs equal to the value of the matrix width, 30 in this case. This means that traveling downwards by 1 map ID is the same as traveling to the right 30 map IDs. Since each map ID takes up 2 bytes, it can be more accurately said that traveling downwards by 1 map ID (32 steps) actually seeks 60 bytes forward in RAM.

Following the map matrix layout is a 900-byte section that defines the border map height. Following that is another 1800-byte section that defines the actual map data indices (which contain movement permissions, 3D model data, terrain information, etc.), but we're only concerned with the data after all of the previous 4500 bytes.


[size=12pt]MAP DATA[/size]

The previous 4500 bytes are all determined upon loading your saved game. As long as you don't initiate a warp (such as entering a doorway or triggering an automated warp like the Vista Lighthouse elevator), the aforementioned bytes will remain unchanged. The bytes concerned with map data, however, will predictably change depending on which map you're currently in.

Starting at offset [tt]0x23C80[/tt] from the base address is the loaded data for the current map ID. When a new map is entered, such as when traveling downwards from Jubilife City to Route 202, the previous 4500-byte section will remain the same while the map data after it will change depending on what furniture, objects, warps, and triggers are present.

What's even more interesting is that old data will only ever be overwritten by new data. Even if a new area is loaded, if the previous map contained more map data than the new map, then the old map data will still remain there. For example, traveling downwards from Jubilife City to Route 202 will cause many of the sprites that Jubilife City loaded to remain in memory since Jubilife City loads many more sprites than Route 202.

This is the data that we'll be manipulating in order to successfully exploit this mechanism to load any location we want.


[size=12pt]HOW IT WORKS[/size]

With all the necessary background information out of the way, it's time to explain what's really going on from start to finish.

Since the Poketch Co.'s map matrix is only 1x1, traveling down or right will seek 2 bytes forward in memory, while traveling left or up will seek 2 bytes backward in memory. That being said, the first 5 steps before the Save/Reset will seek 126 bytes backward in memory, then 32 bytes forward in memory.

This places us 94 bytes behind the beginning of the map matrix layout, which happens to be a map whose ID is greater than 558. Map IDs above that point default to the properties of Jubilife City, making them safe to save in, but they also overwrite nearly all of the current map data due to how many objects it loads.

After saving and resetting, however, our position in RAM is vastly different; instead of being 94 bytes behind the beginning map matrix layout, we're now 834 bytes into the map matrix layout. This is because of how the game recalculates your current offset in relation to your current X/Y coordinates.

Upon saving the game, the map matrix layout data associated with that map ID is written to your save file. After resetting at this point, our position in RAM was recalculated to conform to the new map matrix dimensions, which are now 30x30.

This recalculation can be described in the following pseudocode:

[tt]x_offset = floor(x / 32) * 2
y_offset = floor(y / 32) * (2 * matrix_width)

current_offset = matrix_layout_start + x_offset + y_offset[/tt]


The 32 E and 32 W steps before and after the 384 S are to bypass an area that contains map IDs between 176 and 188, which will guarantee a crash when an action that redraws the entire screen (such as exiting a battle or returning from the Pokedex, bag, etc.) is performed.

The 1792 S is to get through the entirety of the map matrix layout, placing us in the actual map data. At step 1664 S, we actually encounter an Underground area (map ID 2), which loads all of its map data; Sprite 1 of the Underground is located at X coordinate 392, which is the map ID for Route 221.

If we can encounter that X coordinate data for Sprite 1 in RAM, then the map data for Route 221 will load, immediately changing every piece of data around us and opening up new avenues of map loading and map resource loading, effectively allowing a form of controlled teleporting in the void. The 160 W steps at the end of Step 2 put us at that very address, and the map data for Route 221 loads around us.

Route 221 happens to contain a warp whose destination is map ID 393, which is the Pal Park entrance. Repeating the previous methodology, that first 1 N step in Step 3 lands us at that address and loads the map data for the Pal Park entrance.

The Pal Park entrance understandably contains a warp to map ID 251, which is Pal Park itself. We use the same method to travel to the address containing that warp destination data, and that second 1 N step in Step 3 is what loads the map data for Pal Park and also puts us into Pal Park mode.

Step 4 is short, but the 66 S step does two important things. The 65 S step loads the map data for map ID 45, Oreburgh City.  Sprite 13 in this data has an X coordinate of 316, which is the map ID for Lake Valor cavern. Funny enough, this destination is loaded in the exact spot that we traveled to for Oreburgh City (map ID 45) just immediately before. The last final step of those 66 S steps loads the map data for Lake Valor cavern. The 1 N step afterwards is to correct for the previous 1 S needed to get to Lake Valor cavern.

Sprite 0 in Lake Valor cavern has a flag value of 510, which is the map ID for the Hall of Origin.

Even now the Hall of Origin would be impossible to access, since every single movement would end up in that particular address being impossible to access. The only mechanism that saves this method is that entering a Mystery Zone area clears out the first few dozen bytes where the addresses and furniture, object, warp, and trigger counts are stored, since Mystery Zones all have a value of 0 for these.

That final 226 E in Step 5 traverses this now-cleared space in order to arrive at Sprite 0's flag value and, as a result, load the map data for the Hall of Origin.

Unfortunately, the Hall of Origin itself doesn't have any event properties with a value of 510, meaning that we only have 1 tile (the tile we're currently on) in which to encounter Arceus. This does mean that we have to battle and catch Arceus in the Mystery Zone, since Arceus's script moves us up 2 spaces, but that's a sacrifice made in the interest of catching Arceus for the first time ever in under 15 minutes.

After the battle is over, we repeat the same method for the first few steps: Route 221, then the Pal Park entrance, and finally Pal Park. Using the RETIRE option in Pal Park is literally the only way to get out of the void and Pal Park mode both at once.


[size=12pt]OTHER STUFF[/size]
I've attached dumps of all of the scripts and event properties for every map in the US version of D/P for convenience. (mostly for looking up usable map properties for map data loading purposes)

Also, it is possible to catch Arceus in the Hall of Origin, but it involves an 11k trek downwards and utilizes the (quite chaotic) loading of 3D models in order to spawn a map that contains a model with ID 510 (which itself is a broken pillar). Ironically, the only map in the game to contain this specific 3D model happens to be Spear Pillar. I chose this method because it's much shorter and much easier to predict what data is going to be loaded.
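The offset arithmetic from the MAP MATRIX LAYOUT and HOW IT WORKS sections, modelled in Python as an added example (this is not Cryo's code or anything from the game). The constants are the US D/P values quoted in the post; the starting tile inside the Poketch Co. door map, (16, 16), is an assumption the post does not give, chosen so the Step 1 walk reproduces the 126, 32, 94 and 834 byte figures stated above.

```python
# Added example, not from the original post: a model of the Void glitch's
# RAM-position arithmetic as described in the thread. Constants are the US
# D/P values quoted above; START is an assumed tile inside the Poketch Co.
# door map (the post does not give it) chosen so Step 1 matches the figures.

MAP_ID_SIZE = 2        # each map ID in the matrix layout is 2 bytes
STEPS_PER_MAP = 32     # one map block is 32 steps wide and high
SINNOH_WIDTH = 30      # Sinnoh's map matrix is 30x30

def layout_size(height, width):
    """Byte length of the map matrix layout for a height x width matrix."""
    return height * width * MAP_ID_SIZE

def bytes_per_map_row(matrix_width):
    """Bytes seeked by moving one map block down (or up) in this matrix."""
    return MAP_ID_SIZE * matrix_width

def ram_offset(x, y, matrix_width):
    """Offset in bytes from the matrix layout start for step coordinates
    (x, y), per the post's pseudocode: floor(x/32)*2 + floor(y/32)*(2*width).
    Python's // floors toward negative infinity, as floor() does."""
    x_offset = (x // STEPS_PER_MAP) * MAP_ID_SIZE
    y_offset = (y // STEPS_PER_MAP) * bytes_per_map_row(matrix_width)
    return x_offset + y_offset

def layout_cell(offset, matrix_width):
    """(row, column) of the map ID that the offset points at in the layout."""
    row_bytes = bytes_per_map_row(matrix_width)
    return offset // row_bytes, (offset % row_bytes) // MAP_ID_SIZE

DIRECTIONS = {"N": (0, -1), "S": (0, 1), "E": (1, 0), "W": (-1, 0)}

def walk(start, moves):
    """Apply (count, direction) moves in the post's notation; return (x, y)."""
    x, y = start
    for count, direction in moves:
        dx, dy = DIRECTIONS[direction]
        x, y = x + count * dx, y + count * dy
    return x, y

def seek_delta(start, moves, matrix_width):
    """Bytes seeked relative to start while the game uses matrix_width."""
    end = walk(start, moves)
    return ram_offset(*end, matrix_width) - ram_offset(*start, matrix_width)

# Step 1 of the method, from the Poketch Co. door, whose matrix is 1x1.
STEP1 = [(1, "S"), (17, "W"), (14, "N"), (2015, "W"), (512, "S")]
START = (16, 16)   # assumed position inside the door map (constructed)

def step1_before_reset():
    """1x1 matrix: down/right seek +2, up/left seek -2 bytes per map block."""
    return seek_delta(START, STEP1, matrix_width=1)   # -94

def step1_after_reset():
    """After save/reset the same coordinates are re-evaluated against the
    30-wide Sinnoh matrix, so each block of y travel now counts 60 bytes."""
    return seek_delta(START, STEP1, matrix_width=SINNOH_WIDTH)   # 834

if __name__ == "__main__":
    print("Sinnoh layout size:", layout_size(30, 30), "bytes")
    print("Step 1 before reset:", step1_before_reset(), "bytes")
    print("Step 1 after reset:", step1_after_reset(), "bytes, layout cell",
          layout_cell(step1_after_reset(), SINNOH_WIDTH))
```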

Re: Obtaining Arceus via the Void Glitch

Posted by: Krys3000
Date: 2017-01-26 02:59:17
Thank you for these explanations Cryo, it makes it much easier to understand.
I am interested in the 11k path you mention to get Arceus in the HoO. Could you explain how to do that theoretically? Thanks :)

Re: Obtaining Arceus via the Void Glitch

Posted by: Cryo
Date: 2017-01-26 11:02:28

[quote]Thank you for these explanations Cryo, it makes it much easier to understand.
I am interested in the 11k path you mention to get Arceus in the HoO. Could you explain how to do that theoretically? Thanks :)[/quote]


Sure!

Whenever you load Spear Pillar (map ID 220), the value at [Base + 0x2A576] becomes 510. This area is preceded by a ton of other data though, so it's extremely difficult to get to, if not impossible. It would require loading areas that replaced the data in front of it such that it was made safe.

A more efficient method, however, may be loading the Battle Tower's WiFi Battle Room (map ID 331), since that's located at [Base + 0x2974D], which is very near the start of that data section. It might be doable, but it's definitely a better shot than the Spear Pillar one.

Here are my personal notes on the path, for reference:

[tt]Model Path
==========

Bypass softlock zone (176-188)
    32 E
    384 S
    32 W

Bypass minefield and hit 0x2 (Underground)
    1792 S

Get to map 0x188 (Route 221)
    128 S
    128 W
    32 S
    192 W
    64 S
    160 W

Get to map 0x189 (Pal Park Entrance)
    96 S
    96 E
    32 S
    63 E
    1 N

Get to map 0x251 (Pal Park)
    64 E
    191 N
    1 N

Get to map 0xA7 (Snowpoint Gym)
    416 S
    128 E

Get to map 0xA5 (Snowpoint City)
    128 N
    160 E
    32 S
    224 E
    32 N

Get to map 0x41 (Eterna City)
    224 E
    32 N
    64 E
    32 S
    96 E
    320 N
    96 E

Get to map 0x14B (Wi-Fi Battle Room)
    32 W
    32 N
    128 W
    128 N
    384 W
    64 S
    32 E
    64 S

Get to the Hall of Origin
    320 S
    32 E
    11520 S
    …[/tt]