Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Pokémon Stadium - N64 ACE HYPE !

Posted by: ISSOtm
Date: 2017-01-21 07:34:10
MrCheeze did it. Basically, if you attempt to use Pokémon Stadium to trade Pokémon to a Gen I cartridge with more than 20 Pokémon, you get a buffer overflow.
Tweet
Demonstration video
Tech stuff

Get hyped guys, if we manage to make cartswap real on the N64, we basically pwn the fifth generation of consoles.

I'm going to send a R.O.B to Game Freak at this point. Via mail.
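The bug described above is a save-parsing bounds problem: the count byte in the cartridge's box data is trusted and more records are copied than the receiving structure can hold. The following is an added example, not MrCheeze's code and not Pokémon Stadium's own parser. The record layout (a count byte, a species list of up to 20 entries terminated by 0xFF, then 33-byte records) is assumed from the Gen I box format; the function names, the 20-slot buffer and the sample data are all constructed for illustration. The unchecked variant only computes how far a trusting copy would overrun, so nothing here writes out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout, modelled on the Gen I box record (not Stadium's own
 * structures): one count byte, a species list of up to 20 entries followed
 * by a 0xFF terminator, then one fixed-size record per boxed Pokémon. */
#define BOX_CAPACITY 20
#define SPECIES_LIST (BOX_CAPACITY + 1)   /* 20 species ids + terminator */
#define MON_RECORD   33                   /* bytes per boxed Pokémon, Gen I */
#define LIST_END     0xFF

typedef struct {
    uint8_t count;
    uint8_t species[SPECIES_LIST];
    uint8_t mon[BOX_CAPACITY][MON_RECORD];
} box_t;

typedef enum { BOX_OK = 0, BOX_ERR_COUNT, BOX_ERR_LIST, BOX_ERR_SHORT } box_status;

/* The bug pattern, as a dry run: a parser that copies `count` records into a
 * 20-slot array without an upper bound would write this many bytes past the
 * end of that array. Nothing is copied here. */
size_t trusting_overrun_bytes(uint8_t count) {
    size_t would_write = (size_t)count * MON_RECORD;
    size_t capacity    = (size_t)BOX_CAPACITY * MON_RECORD;
    return would_write > capacity ? would_write - capacity : 0;
}

/* Hardened parser: validates the count byte and the species list before any
 * record is copied. `out` has room for exactly BOX_CAPACITY records. */
box_status parse_box(const uint8_t *raw, size_t raw_len, box_t *out) {
    if (raw_len < sizeof(box_t)) return BOX_ERR_SHORT;
    uint8_t count = raw[0];
    if (count > BOX_CAPACITY) return BOX_ERR_COUNT;   /* the missing check */
    const uint8_t *species = raw + 1;
    /* Every slot below `count` must hold a species id, and the slot at
     * `count` must be the terminator, so count and list agree. */
    for (uint8_t i = 0; i < count; i++)
        if (species[i] == LIST_END) return BOX_ERR_LIST;
    if (species[count] != LIST_END) return BOX_ERR_LIST;
    out->count = count;
    memcpy(out->species, species, SPECIES_LIST);
    memcpy(out->mon, raw + 1 + SPECIES_LIST, (size_t)count * MON_RECORD);
    return BOX_OK;
}

/* Constructed sample box claiming `count` Pokémon (species id 0x01 each). */
static void make_box(uint8_t *buf, uint8_t count) {
    memset(buf, 0, sizeof(box_t));
    buf[0] = count;
    for (size_t i = 0; i < SPECIES_LIST; i++)
        buf[1 + i] = (i < count && i < BOX_CAPACITY) ? 0x01 : LIST_END;
}

/* Builds a sample box and runs it through the hardened parser. With
 * `corrupt_list` set, a terminator is planted where a species id belongs. */
box_status check_sample(uint8_t count, int corrupt_list) {
    uint8_t raw[sizeof(box_t)];
    box_t parsed;
    make_box(raw, count);
    if (corrupt_list) raw[1] = LIST_END;
    return parse_box(raw, sizeof raw, &parsed);
}

int main(void) {
    printf("count=20: status %d, trusting overrun %zu bytes\n",
           check_sample(20, 0), trusting_overrun_bytes(20));
    printf("count=21: status %d, trusting overrun %zu bytes\n",
           check_sample(21, 0), trusting_overrun_bytes(21));
    return 0;
}
```

The point of the two checks together is that a count byte alone is attacker-controlled data from the cartridge: the parser must compare it against the capacity of its own destination buffer, not against anything else in the same save, and cross-check it with the terminator so a consistent-looking but oversized list is rejected before a single record is copied.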

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: Stackout
Date: 2017-01-21 07:56:32
I don't think N64 cartswap will be a thing because of the protection.

Transfer Pak swapping on the other hand will be a breeze now N64 code exec has been obtained.

I love that the GB emulator seems to have been good enough, yet the save file parsing is terrible.

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: ISSOtm
Date: 2017-01-21 08:21:23
I am fully aware of the protection.
AFAIK, building an N64 cartridge adapter like those for NES and SNES would fix the issue. I do know there are multiple protection chips for the N64, but I bet we could still perform cartswap on some games. Or maybe find a way to bypass the protection altogether, although that sounds unlikely to me.

Maybe we could break the emulator in funny ways now that we have ACE on the game :P
Just for the show, I guess. Still wondering how TASBot will take total control of the N64 with this.

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: Stackout
Date: 2017-01-21 11:31:14
> I am fully aware of the protection.
> AFAIK, building an N64 cartridge adapter like those for NES and SNES would fix the issue. I do know there are multiple protection chips for the N64, but I bet we could still perform cartswap on some games. Or maybe find a way to bypass the protection altogether, although that sounds unlikely to me.
>
> Maybe we could break the emulator in funny ways now that we have ACE on the game :P
> Just for the show, I guess. Still wondering how TASBot will take total control of the N64 with this.

With ACE on the game you can probably somehow swap GB carts in the Transfer Pak, then init the new cart and call the emulator.

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: ISSOtm
Date: 2017-01-21 11:40:28
I was thinking about N64 cartswap.

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: jfb1337
Date: 2017-03-29 06:44:33
The GitHub page says the maximum payload would be just under 128 kB via 4 GB saves. But wouldn't it be possible to write a program that allows the user to keep removing GB carts to plug in new ones, and loading all the data off those? That way you could have an arbitrarily large payload, limited only by the N64's RAM size.

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: ISSOtm
Date: 2017-03-29 07:28:34
Removing GB carts doesn't seem possible to me (IIRC the game periodically checks whether a cart is inserted, but I may be wrong); however, we could do either of:
- Plug in two Gen I carts and 1 or 2 carts with more SRAM than Pokémon (which has only 4 SRAM banks). Cartswap may be used to write data to these other carts.
- Use the 128 kB to make a RAM writer and simply write your payload with your N64 controller(s).

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: jfb1337
Date: 2017-03-29 14:46:19
Yes but once you have ACE then what the game does shouldn't be a limiting factor, should it? You could just enter your own loop of checking whether GB carts are inserted and reading from them if there are new ones, without returning to the game's code. Unless it runs in a separate thread that the OS won't let us kill, which is unlikely.

And yes, for a TAS, reading from the controllers is the easiest way to go, but if as a non-TASing human you want to use a large payload more than once for some reason, then it would be easier to store it, especially if you have access to one of those things that allows you to read/write the save file of a GB cart from a PC; then you wouldn't have to manually enter the payload at all.

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: Yeniaul
Date: 2017-03-29 16:01:38
Not necessarily. If the GB game is emulated then we'd have to find a way to break out of the emulator, and even then we'd have to start using N64-format ASM, which is vastly different and much larger.

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: ISSOtm
Date: 2017-03-31 13:53:03
> Yes but once you have ACE then what the game does shouldn't be a limiting factor, should it? You could just enter your own loop of checking whether GB carts are inserted and reading from them if there are new ones, without returning to the game's code. Unless it runs in a separate thread that the OS won't let us kill, which is unlikely.

I don't know the details about how it is performed, so I won't get hyped on it until it is confirmed.

> And yes, for a TAS, reading from the controllers is the easiest way to go, but if as a non-TASing human you want to use a large payload more than once for some reason, then it would be easier to store it, especially if you have access to one of those things that allows you to read/write the save file of a GB cart from a PC; then you wouldn't have to manually enter the payload at all.

Imagine if the payload you stored in your GB carts was a memory editor that also allows you to jump to any part of memory.
Bam, you can write any code and have it run. No TAS skillz required (see offgao's memory editor, it's the state-of-the-art ACE tool for Gen I).

> Not necessarily. If the GB game is emulated then we'd have to find a way to break out of the emulator, and even then we'd have to start using N64-format ASM, which is vastly different and much larger.

You got it slightly wrong. We can't escape the emulator without N64 ACE; the emulator is (according to MrCheeze) too solid to be escapable.
What we do is copy N64 ASM as raw hex from GB carts; to avoid being limited by the 4 N64 controllers (and thus GB carts), the idea was to copy one's contents, swap it, and repeat until the whole payload has been written.

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: natanelho
Date: 2017-07-25 11:55:08
lol imagine somebody who wants to hack their N64 asks an expert to do the job, the expert comes with 4 Pokémon carts and controllers and starts doing funny business… (I know it isn't really helpful for piracy/hacking)

Great news! If it's possible to write data from Gen I carts to the N64 RAM, and then run the code, why can't we just pass a small loop that instructs the N64 to write from the controller, or at least from the GB RAM, which can be connected to a TAS to write data super fast?

Re: Pokémon Stadium - N64 ACE HYPE !

Posted by: ISSOtm
Date: 2017-07-26 05:31:42
I think it's possible. No-one has done it so far, though.