Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

The CartSwap ACE - Using Pokémon to ACE / credits warp other games - Page 2

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: Charmy
Date: 2016-12-17 08:01:28
Goddamn it, if only I had posted earlier, I could have been on YouTube. Anyway, I challenge someone to speedrun SMB Deluxe: ws m%.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: Torchickens
Date: 2016-12-17 18:20:14
Wow, this is amazing!! Great work ISSOtm and TheZZAZZGlitch. I'm excited because I have a fair number of games in my GB/C collection and this makes me want to edit the SRAM in those games to do cool stuff. In Pokémon Crystal writing 0B to SRAM 01:BE3C allows you to obtain a GS Ball gift in Goldenrod City Pokémon Center, so theoretically you could use 8F/ws m to set that in the SRAM of your Crystal (which would be a neat no bad clone/Link Cable-less method of doing it).

Would love to see a Super Mario Bros. Deluxe trick that lets you access the Lost Levels, or glitch monsters in monster battling games like Telefang, Bugsite and Sanrio Timenet.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: MrCheeze
Date: 2016-12-17 21:49:40
Just saw ZZAZZ's video, fantastic work to both of you. So now it's possible, at this point, to use the first-gen Pokemon games to 1) run arbitrary Game Boy code, 2) run arbitrary SNES code, and now 3) run arbitrary code in any other GB game. To me, this suggests a followup to look into:



That's not the only crazy-but-possible idea for ACE applications, either. I can think of several others:



We're living in exciting times, full of potential. Although due to the need for various hardware tests, as well as the generally poor state of N64 emulation, some of the things above would be much harder to pull off than others.


Finally, I have one other comment. I notice everyone around here seems to prefer using 8F as their method to trigger arbitrary code execution. But since simply turning off while saving is sufficient to get total control over WRAM (tossing items to write any byte, swapping Pokemon to move memory around), and this requires no setup at all, surely it must be possible to get arbitrary code much faster this way? But I may be missing something here, as I haven't personally triggered ACE using either method.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: ISSOtm
Date: 2016-12-18 08:51:14
ACE is possible using the SRAM Glitch (what you called "turning off while the game is saving"), but in non-JP versions, this is extremely hard.
Also, the problem with this glitch is that the game is quite unplayable due to a number of factors, so 8F / ws m are used mainly because the rest of the game is still accessible. tl;dr : it's more human-friendly.
If a "playaround TAS" comes out using this, it will certainly use the SRAM glitch to trigger ACE.


Your SNES idea seems very possible, maybe using a piggybacking adapter if needed (I doubt it, though). Yummy ! I'm going to write a method that would work for our purposes.
[offtopic]Also, we didn't test if we can swap cartridges on a SGB. This may entirely be possible.[/offtopic]


To get ACE on the Stadium emulator, I looked for the source code, but I can't find anything. Darn.
If we can do something, well then I bet it will be about buffer overflow. I think someone here (SatoMew ?) had tried the invalid opcodes, and that failed.


Assuming we take control of the Stadium emulator, I'm almost certain it won't let us "Luigi transport" ACE, because the copy protection chip periodically checksums the cartridge. We might be able to knock it out in some way, but I dunno how.


Last thing, two of your links are broken. I bet the first one was this, but I don't see what the second is :/

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: MrCheeze
Date: 2016-12-18 13:36:15
Fixed the links, thanks.

Given the extreme versatility of the SRAM glitch, I have no doubt it's possible to compensate for its side effects. But I realize that's still more conceptual complexity than just using 8F, so point taken.

Good point about testing whether the SGB lets you swap Game Boy cartridges, that's an important thing to check since it's the only way to record high quality footage of the phenomenon. As for the SNES cartridges, I would have expected swapping them to work fine, but I asked Dotsarecool to try it out and his reply was "I can't get it to work. seems like it should work to me though". So perhaps the SNES depends on always having a cartridge loaded, one way or another.

And with the N64, far more information can be found in the page cited by the article you linked. Importantly, it reveals that only a small minority of games do any copy protection after boot. And the whole discussion on "boot emulators" seems at least tangentially relevant.

In general, with achieving cartridge swap on more consoles, it seems tricky to know if it's truly impossible or if there was some necessary step that was missed. But probably not worth putting much thought into it if it doesn't appear to be possible.

As for getting ACE in Stadium. I mentioned the state of N64 emulation is poor. Strangely, I managed to get the GB Tower to work fine in Stadium 2 in Project64, but Stadium 1's just gives a black screen. But this means that debugging tools can be used to work out what code the emulator-in-an-emulator is using, at least.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: Torchickens
Date: 2016-12-18 14:02:02
I was thinking through what you could do with this last night and I suddenly thought I wonder if it's possible to store a homebrew game into an official Game Boy Memory cartridge?

In Japan there was a service called Nintendo Power in which you could save games on to Game Boy Memory or SFC Memory cartridges for cheaper than it would be compared to buying the actual cartridge, with a few games being exclusive to the service.

So could you write to SRAM with something like 8F/ws m (store data in box data first then copy memory to SRAM) and create data/a listing for a homebrew game? I really don't know if this would work though as I know nothing about how data is stored on a Game Boy Memory cartridge.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: MrCheeze
Date: 2016-12-18 14:36:09
The games are stored in flash memory, not SRAM, but yes you can.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: Torchickens
Date: 2016-12-18 15:20:48

The games are stored in flash memory, not SRAM, but yes you can.


I see, mm. Yeah I thought about what I said later and imagined that would probably be the case. That's pretty nifty. Thanks for the link. :)

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: ISSOtm
Date: 2016-12-18 16:52:46

In general, with achieving cartridge swap on more consoles, it seems tricky to know if it's truly impossible or if there was some necessary step that was missed. But probably not worth putting much thought into it if it doesn't appear to be possible.

My bet is that we need to look at the hardware. The good question being "What could lock the console ? What is active after the boot ?"
Also, the problem we have with SNES might be the one I got with the PGB :

Apparently this may NOT work on a DMG, unless you have extreme luck. (Source, read the comments)

@MelonStorm @vxbinaca Yes, there's a blocking bar on DMG (the first Gameboy.) But not only that. You will almost always crash the DMG when you remove the cartridge. I believe the reason for this is CMOS latchup. How they fixed this on GBC, if you open up the unit and look inside, is by moving the ground pin closer to the cartridge so it makes first and breaks last when you insert/remove the cartridge.


@Gameboygenius I'll have to get a DMG for testing then, I plan on using this for a game. Works fine on the GB Pocket and I don't see any difference in the placement of the contacts on the GBC slot.

To test, then.

But on SNES we maybe could try using a piggybacking adapter.
I have no SNES so I can't test. But if it works..!


As for getting ACE in Stadium. I mentioned the state of N64 emulation is poor. Strangely, I managed to get the GB Tower to work fine in Stadium 2 in Project64, but Stadium 1's just gives a black screen. But this means that debugging tools can be used to work out what code the emulator-in-an-emulator is using, at least.

I do have a N64, I could get Stadium (and possibly a Transfer Pak) in under three weeks… but my Pokémon Red cartridge's battery died. I dunno if that may matter, and if my EverDrive GB could be a replacement.
Also, did you try BizHawk ? Since this is the recommended emulator at TASVideos for the N64, I bet it has to be better :P
(And maybe it has to do with the rendering plugin. I really am a noob when it comes to the N64, I would like to learn the ASM for the MIPS proc but can't find tutorials ><)

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: Cryo
Date: 2016-12-18 23:52:06
Just an update, this does work on the SNES. ;D

Unfortunately, it doesn't work on the N64. I tested both Pokemon Stadium and Pokemon Stadium 2 on a physical N64, to no avail. It seems like the interrupt handler for the N64 takes precedence over the emulator's interrupt handler, whereas the SNES may just hand off all GB cartridge concerns to the SGB itself.

As a few points of interest, there were two unintended effects that occurred when trying to do the glitch: One was a softlock and the other was a VRAM glitch that I haven't seen before on a Game Boy. The VRAM glitch appeared to be a SNES-specific glitch due to the coloration, but idk. I'm not sure if it was an error in how the SNES handled the cartridge being removed, a side effect of the SGB's palette, or something else entirely.

Also, this doesn't seem to have been mentioned yet, but when testing on actual hardware, the game will do a hard reset about 50% of the time. I've had the best luck when pulling the cartridge straight out as quickly as possible and when inserting it by resting it on the cartridge slot and giving it a quick push with the bottom of my palm. If I remove it slowly or tilt it when pulling it out, it hard resets whenever it's pulled out much of the time. Similarly, if I insert it too slowly, it hard resets upon making contact with the cartridge reader much of the time. The issue is persistent across the DMG (latch removed), CGB, SGB, and MGB models. I haven't tested a Game Boy Light yet, since I don't have one, but I'd guess it also suffers the same fate.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: Charmy
Date: 2016-12-19 00:39:08
Could anyone test if it works outside the SGB and can execute code on SMW or some other game on the SNES?
I don't think it's possible though.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: MrCheeze
Date: 2016-12-19 01:29:17
That's what I had Dotsarecool test earlier, or at least an equivalent test. To recap, the compatibility for cartridge swap:

Game Boy: No
Game Boy Pocket: Yes?
Game Boy Color: Yes
Game Boy Advance/SP/Player: No

Game Boy cartridge in a Super Game Boy: Yes
Game Boy cartridge in a Transfer Pak: No

SNES cartridge: No (was listed as "Apparently no")
N64 cartridge: No (was listed as "Unknown")

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: ISSOtm
Date: 2016-12-19 03:25:13

Just an update, this does work on the SNES. ;D

Unfortunately, it doesn't work on the N64. I tested both Pokemon Stadium and Pokemon Stadium 2 on a physical N64, to no avail. It seems like the interrupt handler for the N64 takes precedence over the emulator's interrupt handler, whereas the SNES may just hand off all GB cartridge concerns to the SGB itself.

Yeah, thank you for testing ! This working on the SNES is good news, but I'd like a clarification about the Stadium test : what exactly happened when you removed the cartridge ? What I'd like to know is if the emulator did a check on Pokémon R/B/Y and the checksum didn't match (or something like that) or if the emulator crashed (meaning it still tried to poll data from the cart).
This may be useless, but might not.


As a few points of interest, there were two unintended effects that occurred when trying to do the glitch: One was a softlock and the other was a VRAM glitch that I haven't seen before on a Game Boy. The VRAM glitch appeared to be a SNES-specific glitch due to the coloration, but idk. I'm not sure if it was an error in how the SNES handled the cartridge being removed, a side effect of the SGB's palette, or something else entirely.

Waaaaw. What the hell. x) It has to be SNES though, since it happened as you removed the cartridge.
I remember I tried the setup once and it didn't work, I still got a crash.
My theory about it was that somehow, interrupts weren't disabled. This left me to wonder if it is possible for an interrupt to execute just after a DI instruction, and then for it to re-enable interrupts when "reti" ? If that's the case, welp this glitch isn't 100% working.

Actually, I'm quite in the dark about this, I think it involves more knowledge in electronics than programming.
Well, we are doing things the console conceptors really didn't have in mind when they made the hardware xD


Also, this doesn't seem to have been mentioned yet, but when testing on actual hardware, the game will do a hard reset about 50% of the time. I've had the best luck when pulling the cartridge straight out as quickly as possible and when inserting it by resting it on the cartridge slot and giving it a quick push with the bottom of my palm. If I remove it slowly or tilt it when pulling it out, it hard resets whenever it's pulled out much of the time. Similarly, if I insert it too slowly, it hard resets upon making contact with the cartridge reader much of the time. The issue is persistent across the DMG (latch removed), CGB, SGB, and MGB models. I haven't tested a Game Boy Light yet, since I don't have one, but I'd guess it also suffers the same fate.

Oh, really ? I got this problem with my first setup (the old one which polled $0001, waited for it to become $FF, and then for it NOT to be $FF), which had a 12% success rate (out of ~40 times, I got like 5 successful attempts), where all my successes had me pull the cart straight.
I like to think it comes from the pins disconnecting in an incorrect manner, but I don't quite know what could be the culprit.
According to this, this is the pin layout :

Pin    Name     Expl.
1      VDD      Power Supply +5V DC
2      PHI      System Clock
3      /WR      Write
4      /RD      Read
5      /CS      Chip Select
6-21   A0-A15   Address Lines
22-29  D0-D7    Data Lines
30     /RES     Reset signal
31     VIN      External Sound Input
32     GND      Ground

I don't even know what the "PHI", "CS" and "RES" pins may be used for.
I'm really clueless.


Can I get some details about the test Dotsarecool did ? I'd like to try some things, but if you already did it then it's worthless :P

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: TheZZAZZGlitch
Date: 2016-12-19 07:08:48
My theory about it was that somehow, interrupts weren't disabled. This left me to wonder if it is possible for an interrupt to execute just after a DI instruction, and then for it to re-enable interrupts when "reti" ? If that's the case, welp this glitch isn't 100% working.


I think this shouldn't be possible. Z80 doesn't have any instruction pipelining or fancy hyperthreading stuff, so every clock cycle should execute exactly one instruction before checking for interrupts. So an interrupt could only happen either directly before disabling (instruction pointer on DI), or directly afterwards, ending up in a queue (instruction pointer on instruction after DI).

But if I'm wrong, there should be nothing preventing us from fixing the problem with brute force:

; the more the better
di
di
di
di
di
di




Also, this doesn't seem to have been mentioned yet, but when testing on actual hardware, the game will do a hard reset about 50% of the time. I've had the best luck when pulling the cartridge straight out as quickly as possible and when inserting it by resting it on the cartridge slot and giving it a quick push with the bottom of my palm. If I remove it slowly or tilt it when pulling it out, it hard resets whenever it's pulled out much of the time. Similarly, if I insert it too slowly, it hard resets upon making contact with the cartridge reader much of the time. The issue is persistent across the DMG (latch removed), CGB, SGB, and MGB models. I haven't tested a Game Boy Light yet, since I don't have one, but I'd guess it also suffers the same fate.

Oh, really ? I got this problem with my first setup (the old one which polled $0001, waited for it to become $FF, and then for it NOT to be $FF), which had a 12% success rate (out of ~40 times, I got like 5 successful attempts), where all my successes had me pull the cart straight.
I like to think it comes from the pins disconnecting in an incorrect manner, but I don't quite know what could be the culprit.
According to this, this is the pin layout :

Pin    Name     Expl.
1      VDD      Power Supply +5V DC
2      PHI      System Clock
3      /WR      Write
4      /RD      Read
5      /CS      Chip Select
6-21   A0-A15   Address Lines
22-29  D0-D7    Data Lines
30     /RES     Reset signal
31     VIN      External Sound Input
32     GND      Ground

I don't even know what the "PHI", "CS" and "RES" pins may be used for.
I'm really clueless.


I would assume there is some cartridge line that is connected to the internal reset pin on the CPU. Unwanted noise from pulling the cartridge would put this pin in a low state, which would explain the sudden hard resets.

Doing the swap as quickly as possible should partially prevent this. Also, pulling the cart straight up and evenly on both sides makes sure all pins disconnect at roughly the same time.


As a few points of interest, there were two unintended effects that occurred when trying to do the glitch: One was a softlock and the other was a VRAM glitch that I haven't seen before on a Game Boy.


These glitches seem really interesting to me. They directly affected the SNES hardware and escaped the Gameboy CPU, forcing me to think that the SGB probed the inserted GB cartridge for some purpose, read garbage data when in the middle of the cart swap and caused some kind of overflow.
I guess some reversing needs to be done on the SGB ROM to see whether it periodically accesses cartridge data and under what conditions.
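A worked version of the swap stub the last few posts describe (ISSOtm's poll of $0001 for $FF and then for not-$FF, with the di in front of it), added here as an example; it is not code from the thread or from any of the posters. Assumptions: RGBDS syntax; the stub has already been copied into HRAM (or WRAM) and is entered there by whatever ACE method got control, so it survives the ROM disappearing from the bus; the swapped-in cartridge is a plain ROM whose entry point is $0100; the settle-delay length and the choice to go back to the "removed" state on a bad header are mine. It adds the one check a practitioner would want before jumping into an unknown cartridge: recompute the header checksum over $0134-$014C and compare it with the byte at $014D, so garbage read from bouncing contacts or a half-inserted cart (the cases Cryo reports) is never executed.

```asm
; Added example, not from the thread. RGBDS syntax.
; Assumed to be copied into HRAM ($FF80..) and entered there, with
; interrupts still enabled, by whatever ACE method got us here.
; Position-independent: only jr and absolute target addresses are used.
SECTION "CartSwapStub", ROM0

CartSwapStub:
    di                      ; IME := 0. On this CPU di takes effect immediately (only ei is delayed),
                            ; so no handler from the old ROM can run once the cart is gone.
                            ; The stub uses no call/push, so the stack contents do not matter.

.waitRemoved:
    ld   a, [$0001]         ; with no cartridge driving the bus the read floats to $FF
    cp   $FF
    jr   nz, .waitRemoved

.waitInserted:
    ld   a, [$0001]         ; first non-$FF read means something is answering again
    cp   $FF
    jr   z, .waitInserted

    ld   bc, $4000          ; let the contacts settle before trusting the bus (length is a guess)
.settle:
    dec  bc
    ld   a, b
    or   c
    jr   nz, .settle

    ; Header checksum (Pan Docs): x = 0; for each byte in $0134..$014C: x = x - byte - 1;
    ; the low byte of x must equal the byte at $014D. Running value kept in b.
    ld   hl, $0134
    ld   b, 0
.checksum:
    ld   a, b
    sub  [hl]
    dec  a
    ld   b, a
    inc  hl
    ld   a, l
    cp   $4D                ; hl reached $014D: all 25 header bytes folded in
    jr   nz, .checksum
    ld   a, [hl]            ; stored header checksum at $014D
    cp   b
    jr   nz, .waitRemoved   ; mismatch: bounced contacts or a half-inserted cart; require a clean re-insert

    jp   $0100              ; hand control to the swapped-in cartridge's entry point
```

The checksum loop is the part that matters for reliability: without it, the first non-$FF byte on a partially seated edge connector is taken as "cart present" and the jp lands in whatever the bus happened to return. Sending a mismatch back to .waitRemoved rather than .waitInserted forces the cart to be pulled fully out again, which matches the "pull straight, push quickly" procedure that worked best on real hardware in this thread.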

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: MrCheeze
Date: 2016-12-19 20:25:41
By the way, I just stumbled on something interesting in what appears to be the official N64 programming manual.

osGbpakReadWrite

Read/write process to the Game Boy Game Pak memory

(…)

Caution is required when dealing with the returned values. This function cannot determine whether the Game Boy Game Pak has been pulled out, or whether Game Boy Game Paks have been exchanged. That is to say, a "0" (normal termination) is returned even if the Game Boy Game Pak has been removed during function operations. Thus, please confirm the status before and after calling this function to make sure the Game Boy Game Pak has not been removed.


In other words, they instruct programmers to (manually) verify that the game boy cartridge is never removed or swapped out. This both explains why the GB cartridge cannot be swapped even if game boy ACE is achieved, and tells us that the GB cartridge can be swapped if N64 ACE is ever found.