The fact that the L-shaped tweaking pattern causes really weird effects has been known for a while now and was previously known as the "????? Glitch", but after analyzing the effects of the tweak, I decided to give it a more descriptive name that mirrors its effects: the "Cascade Glitch".
[size=12pt]TRIGGERING THE CASCADE GLITCH[/size]
In order to trigger the glitch, all you need to do is tweak using any L-shaped pattern in the fastest gear of your bike.
No really, that's it.
The reason it's called the Cascade Glitch is because of the one constant that always occurs each time this glitch is triggered: starting from the map data ID (0 - 665) that you refreshed the screen in, the map tile data, 3D model data, building data, et al. for each successive map data ID is written to RAM immediately after the tweak. The chaotic nature of such an effect means that freezes will occur a lot of the time.
However, because the data written to RAM depends on the map data ID that you refreshed the screen in, you're able to influence the data that gets written and, to a loose extent, where that data gets written. This means that altering progression flags is completely possible using this method.
So what exactly happened here?
As a little background information, the tile data for each map should be at least somewhat legible, such as the map tile data for lower Jubilife City below.
Okay, so that's not the actual map tile data for lower Jubilife City, but it gets the point across that it should at least be somewhat legible and able to be discerned just from looking at the layout.
First, to pull off this tweak, you'll want to refresh your screen anywhere in the area below. You can do this by opening the Bag or performing any action that forces the graphics to be redrawn.
Next, perform the tweak as shown in the previous GIF. If you need help locating the loadlines in order to do this, you can find them here.
After performing the tweak, the map tile data for Route 202 will be replaced with the data below.
Definitely not what it should be.
If you were to load the graphics for this area, it would look a little something like this:
(just a rough sketch; the actual visual data would probably look a lot cooler)
The section containing pointers to the currently-loaded map data (as well as the data that will be imminently loaded) can be found at [tt]Base + 0x8BAD0[/tt]. This section has enough space for 3 areas, which is all that should ever need to be reserved within normal gameplay, since it's not possible to load 4 different areas in such quick succession. I'm guessing that's what the devs thought, anyway.
I've created a visual representation of the pointer storage location as well as the pointers to the current map data for additional detail, found below.
The 4 pointers are arranged in the following order:
In this case, the 3rd pointer is the address of the garbled data. This means that the area we're currently in (Route 202) should be located in the bottom-left of the 4 currently loaded areas, which it is.
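As an added example (not code from the original post or from any tool it mentions), here is a small checker that reads the pointer section at [tt]Base + 0x8BAD0[/tt] and the base pointer block at [tt]0x02101D20[/tt] from a sparse RAM dump and flags the two symptoms described in this post: a loaded-area pointer that no longer points into main RAM, and a base pointer block that has been zero-filled. The main RAM bounds (0x02000000 to 0x02400000), the little-endian 4-byte pointer layout, and the sample dump contents are assumptions made for the example.

```python
import struct
from typing import Dict, List, Tuple

# Offsets quoted in the post. The main RAM bounds are an assumed memory map,
# not something the post states.
MAP_POINTER_OFFSET = 0x8BAD0          # pointer section at Base + 0x8BAD0
BASE_POINTER_ADDR = 0x02101D20        # base pointer block zeroed in Valor Lakefront
MAIN_RAM_START, MAIN_RAM_END = 0x02000000, 0x02400000
NUM_MAP_POINTERS = 4                  # the 4 currently-loaded area pointers

Memory = Dict[int, bytes]             # sparse dump: start address -> raw bytes


def read_u32(mem: Memory, addr: int) -> int:
    """Little-endian 32-bit read from a sparse dump; raises if the address is unmapped."""
    for start, data in mem.items():
        if start <= addr and addr + 4 <= start + len(data):
            return struct.unpack_from("<I", data, addr - start)[0]
    raise KeyError(f"address {addr:#010x} not present in dump")


def check_map_pointers(mem: Memory, base: int) -> List[Tuple[int, int, bool]]:
    """Return (index, value, in_main_ram) for each of the 4 loaded-area pointers."""
    result = []
    for i in range(NUM_MAP_POINTERS):
        ptr = read_u32(mem, base + MAP_POINTER_OFFSET + 4 * i)
        result.append((i, ptr, MAIN_RAM_START <= ptr < MAIN_RAM_END))
    return result


def base_pointers_wiped(mem: Memory, count: int = 4) -> bool:
    """True when the first `count` base pointers are all zero (the crash symptom)."""
    return all(read_u32(mem, BASE_POINTER_ADDR + 4 * i) == 0 for i in range(count))


def build_dump(base: int, map_ptrs: List[int], base_ptrs: List[int]) -> Memory:
    """Constructed sample dump for the example; not captured from a real game."""
    return {
        base + MAP_POINTER_OFFSET: struct.pack("<4I", *map_ptrs),
        BASE_POINTER_ADDR: struct.pack(f"<{len(base_ptrs)}I", *base_ptrs),
    }


BASE = 0x02000000   # assumed "Base" for the example
HEALTHY = build_dump(BASE, [0x02230000, 0x02238000, 0x02240000, 0x02248000], [0x02100000] * 4)
# Glitched dump: the 3rd pointer (the area we are standing in) has been garbled and
# the base pointer block has been zero-filled.
GLITCHED = build_dump(BASE, [0x02230000, 0x02238000, 0x00000000, 0x02248000], [0] * 4)

if __name__ == "__main__":
    for name, dump in (("healthy", HEALTHY), ("glitched", GLITCHED)):
        print(name, check_map_pointers(dump, BASE), "base wiped:", base_pointers_wiped(dump))
```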
Doing this in Valor Lakefront yields some pretty amazing results. Instead of simply writing the data for each successive map data ID, it completely annihilates your base pointers. The base pointers located at [tt]0x02101D20[/tt] just get overwritten with zeroes.
Since there aren't any base pointers, the game just kind of gives up and crashes. It also messed up my ASLR calculations in the VET script and caused all of my values to return 0.
If that kind of thing is possible just by tweaking, then I think that this may very well be our best chance at ACE in Gen IV.
I should be receiving an IS-NITRO-DEBUGGER development kit through the mail within the next few days, and I highly plan to analyze this glitch further on actual hardware. It's hard to tell whether some of these results are due to emulation errors or whether these would actually happen on a console.