Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

The CartSwap ACE - Using Pokémon to ACE / credits warp other games - Page 3

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: ISSOtm
Date: 2016-12-20 20:13:52
About the SNES version of the exploit, we would need to send some code to the SNES and run it.
That code would simply need to disable all interrupts then wait for some button to be pressed on controller #2 via the joypad auto-poll registers, then do stuff.

We could store the SNES payload with the PC items, and use a payload sender with 8F.
I'm still learning programming on the SNES, so I'll need some time to write down everything.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: Cryo
Date: 2016-12-21 22:22:54
After a good bit more testing on a few physical systems with various games, I've found that one of the biggest contributors to whether or not the exploit is successful is the cleanliness of the cartridge.

With my dirtiest cartridge (Japanese Pokemon Red), which I haven't touched in ages, I often have to wiggle it a few times just to get it to boot properly. However, with my cleanest cartridge (English Pokemon Blue), I have to make serious efforts in order to get this cartridge to have any read errors.

My most recent test involved setting $FF00 to $EF (listening for P14) and entering STOP mode, that way I could break out of it by pressing on the D-Pad. I found that I actually had more success slowly pushing out my Pokemon Blue cartridge than I did yanking it out, even if I removed it by wiggling it slowly back and forth. The only time I got it to fail when inserting or removing the Pokemon Blue cartridge was when I was wiggling it in EXTREMELY slowly, which caused the sound to stop and the system to lock up. The weird part? Whenever I turned it back on (cartridge in the same position as the crash), the power light would come on, but the GameBoy logo would fail to appear. The screen would remain blank until I turned it off and adjusted the cartridge, but nothing else would affect it.

On the flip side, I was actually trying TheZZAZZGlitch's Super Mario Land 2 credits warp with the 8F Full Control method, but after 6 times of entering every button input and attempting the Stop 'N' Swop, I was never able to do it. I did just get this cartridge recently and I haven't cleaned it just yet, so it's probably dirty as well.


UPDATE: Okay, so as I was typing this, I was experimenting a bit more and came across something that's constant across all of the cartridges tested. And by "constant", I mean I've been sitting here on my bed surrounded by GameBoy cartridges and I've been doing nothing but testing out observations over and over, trying to see if I could get this to always work 100% of the time.

It turns out, the angle at which you insert and remove the cartridge is about 95% of the solution, while the cleanliness of the cartridge is the other 5%. I found that my Pokemon Blue cartridge has to be tilted clockwise slightly (when viewing the LCD) when removing and inserting it, and over the past few hours, while popping it in and out to test other cartridges for their "sweet spots", my game hasn't restarted or crashed once due to the insertion/removal of the Pokemon Blue cartridge.


Also, we may not even need a time delay on the payload; the code below works just as well (from my experiments, at least).

ACTIVATOR:

ld a,$EF
ldh ($00),a
stop


Just press any button on the D-Pad and the rest of the payload gets executed.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: ISSOtm
Date: 2016-12-22 08:26:27
The smallest SNES program I could come up with is 22 bytes long. Thus, we need to send multiple packets to the SNES. I think it would be better to make 8F a SNES packet sender, and have it send several DATA_SND packets before sending a final JUMP packet and crash the game (because SO LONG WE DON'T NEED YOU 8))


Now, here is a full guide on how to send appropriate packets to Weegee-fy the Super Game Boy as well !
(And even if this doesn't work, it's still a way to do SNES ACE via Pokémon Red ^^)


Tutorial
We are first going to write a packet and a tiny payload to feed the SNES some code.
But then we're in hell. Why ? Because the bytes we gotta send map to invalid items ! So we can't use items to store the packet data :(
And I've thought of a somewhat original (I guess) storage solution. We're gonna use Pokédex flags. Hell. Yeah.
First, setup your pack ! But don't use 8F quite yet !! The items are actually fairly simple (and cheap) to acquire, and you don't need many duplications.

8F
Any item x[any qty]
Awakening x[byte to write]
HP Up x175
Water Stone x4
Poké Ball x121
Great Ball x3
Burn Heal x3
X Accuracy x1 (Will change)
Antidote x34
Parlyz Heal x125
Ice Heal x46
Leaf Stone x34
TM01 x[any qty]
Lemonade x28
Guard Spec. x3
Super Repel x233

The usage is very simple : you just need to make the quantity of Awakenings match the value you're willing to write, and then you just use 8F.
The quantity of X Accuracies will increment each time. Basically, when you use 8F while having "A" Awakenings and "X" X Accuracies, the "X"th byte of the packet will turn into "A".
BIG FAT NOTE : NEVER USE 8F IF YOU HAVE MORE THAN 28 X ACCURACIES !!!! YOU WILL CORRUPT PARTY DATA AND MAKE 8F POTENTIALLY UNUSABLE !!!!
This will also corrupt your Pokédex flags. I made this because it makes the code simpler, and I guess when doing SGB to SNES ACE, Pokédex progression doesn't matter that much :D
You can toss some X Accuracies to write some bytes you may have screwed up. This is built to be fairly forgiving :)

So, we're going to write a packet (they are 16 bytes long), and then 10 bytes of code to help send them to the SGB.
Use 8F once, and toss the extra X Accuracy.
Now, we're going to toss a certain number of Awakenings, use 8F, and repeat. For quantities greater than 99, I recommend doing multiple tosses to avoid mistakes : to toss 135, you can toss 99 then 36. For 245, you can toss 99 then 99 then 47.
Here goes the table :
135 | 0 | 0 | 0 | 245 | 30 | 224 | 87 | 255 (you can just press Down twice, that's faster) | 115 | 0 | 190 | 136 | 83 | 230 | 190 | 51 | 68 | 203 | 149 | 51 | 21 | 161 | 61 | 51 | 203
Now, you should swap the Lemonades with the Awakenings, the Guard Spec.s with the HP Ups, and the Super Repels with the Water Stones.
Use 8F. Congrats, you've successfully sent 11 bytes of code in the SNES's RAM !

I know it doesn't look like it's much, but don't-cha worry : you did 40% of the work, huzzah !
Now, do the item swaps again, and toss all X Accuracies but two.
You're going to build another packet ! Do the same as above, with this table this time :
245 | 0 | 0 | 245 | 182 | 112 | 6 | 83 | 51 | 203 | 240 | 11 | 148 | 4 | 129
Swap the items again, and use 8F.
You have successfully poked 22 bytes of code in the SNES's RAM ! Congrats, because now you're going to write one final packet. And it will be like, super easy.

Swap the items again, toss 111 Awakenings, toss all X Accuracies but one, use 8F. Then use 8F 15 more times without tossing anything.
Swap the items one last time, and I recommend that you save. When you feel ready, plug a controller into SNES port 2, make sure the A button is NOT held, and simply use 8F.
Now, control has been removed from the SGB ! The SNES CPU is patiently waiting for you to press the A button on controller 2.


Source code
Here is the code that builds the packets.

ld c, $byte
inc hl ; points to third item's quantity
xor a
ldi (hl), a ; reset it for next write
inc b
inc b
ld a, c
inc bc
inc bc
inc c
inc bc
ld l, $01
dec bc
ldi (hl), a
rrca
ld a, l
dec c
ld l, $2F
ldi (hl), a
ret


Here is the code that prepares the packet send :

ld a, $1C
scf
jr c, $D311 ; start of the second payload


Here is the code appended to the packets :

; The caller made a = $1C, so we will switch to bank $1C, home of SendSGBPacket !
call BankswitchHome ; $35BC
ld l, e ; hl = $D301, start of packet
call SendSGBPacket ; $5FEB
jp BankswitchBack ; $35CD

Hex :

CD BC 35
6B
CD EB 5F
C3 CD 35

This code would have been a pain to write using items, so instead it is jumped to when using 8F.

Here are the three packets, in hexadecimal :

$79 $00 $00 $00 $0B $E2 $20 $A9 $01 $8D $00 $42 $78 $AD $1A $42
$79 $0B $00 $00 $0B $4A $90 $FA $AD $1A $42 $10 $F5 $6C $FC $7F
$91 $00 $00 $00 $00 $00 $00

Note that for the second packet, we don't rewrite the first byte, since it is the same.
I built these packets to contain as many $00 bytes as possible (they are more convenient to write)

This is the SNES program I wrote and that is sent in the two 11-byte wide packets.

E2 20     SEP #$20            ; Make A 8-bit.

A9 01     LDA #$01
8D 00 42  STA $4200           ; Enable autopolling.
78        SEI                 ; Kill interrupts (IRQ) while game cart is removed.
                              ; NMI is already disabled by the SGB.

WaitForPlayer:
AD 1A 42  LDA $4212           ; Status register.
4A        LSR A               ; Pushes bit 0 into C.
90 FA     BCC .WaitForPlayer  ; C = 0 ? Joypad not ready :(
AD 1A 42  LDA $421A           ; Joypad #2 status register, low byte.
10 F5     BPL .WaitForPlayer  ; Bit 7 set ? A pressed ! This means GET DAT MOFO!!!1!!11!

; At this point, we have ACE on the new cart.
6C FC 7F  JMP ($7FFC)         ; This just restarts the cart as a PoC.
                              ; So replace this with whatever you want.



One last thing : I'm going to write a program that gives packet building indications to help use this setup.
It should be done in a few days.
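
As an added example (not part of ISSOtm's post or tooling), this Python script cross-checks the two decimal toss tables against the hex packets and reassembles the 22-byte SNES program from the two DATA_SND packets. It assumes each table entry is a toss count applied to a quantity of 0 that wraps modulo 256, which is inferred from the numbers rather than stated in the post; all function names are this example's own.

```python
# Added example: cross-check the post's decimal toss tables against its hex packets.
# Assumption (inferred from the tables, not stated in the post): the Awakening
# quantity is 0 before each write and tossing wraps modulo 256.

PACKET_1 = bytes.fromhex("79 00 00 00 0B E2 20 A9 01 8D 00 42 78 AD 1A 42")
PACKET_2 = bytes.fromhex("79 0B 00 00 0B 4A 90 FA AD 1A 42 10 F5 6C FC 7F")
SENDER = bytes.fromhex("CD BC 35 6B CD EB 5F C3 CD 35")  # code appended to packets

TABLE_1 = [135, 0, 0, 0, 245, 30, 224, 87, 255, 115, 0, 190, 136, 83, 230, 190,
           51, 68, 203, 149, 51, 21, 161, 61, 51, 203]
TABLE_2 = [245, 0, 0, 245, 182, 112, 6, 83, 51, 203, 240, 11, 148, 4, 129]

def toss_to_byte(toss):
    """Byte left in the quantity slot after tossing `toss` items from 0."""
    return (-toss) & 0xFF

def byte_to_toss(value):
    """Number of items to toss so that the quantity slot holds `value`."""
    return (-value) & 0xFF

def split_toss(count, per_menu=99):
    """Break a toss count into steps of at most 99, as the post recommends."""
    steps = []
    while count > 0:
        steps.append(min(count, per_menu))
        count -= steps[-1]
    return steps

def check_table(table, expected, first_index=0):
    """Return (byte index, decoded byte, expected byte) for every disagreement."""
    if len(table) != len(expected):
        raise ValueError("table and expected bytes differ in length")
    return [(first_index + i, toss_to_byte(t), want)
            for i, (t, want) in enumerate(zip(table, expected))
            if toss_to_byte(t) != want]

def snes_payload(*packets):
    """Concatenate the data bytes of DATA_SND packets (byte 4 holds the count)."""
    return b"".join(p[5:5 + p[4]] for p in packets)

if __name__ == "__main__":
    print("table 1:", check_table(TABLE_1, PACKET_1 + SENDER) or "matches")
    for index, got, want in check_table(TABLE_2, PACKET_2[1:], first_index=1):
        print(f"table 2, packet byte {index}: decodes to ${got:02X}, hex packet has "
              f"${want:02X} (toss {split_toss(byte_to_toss(want))})")
    print("payload:", snes_payload(PACKET_1, PACKET_2).hex(" "))
```

Under that assumption the first table reproduces the first packet and the ten appended code bytes exactly, while the ninth and tenth entries of the second table (51, 203) decode to $CD $35 where the hex packet has $1A $42, which would be tosses of 230 and 190.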

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: MrCheeze
Date: 2016-12-28 00:18:09
FYI: I heard from some smart people who generally know what they're talking about (DwangoAC/Myriachan) that the reason SNES cartridges can't be swapped is the CIC lockout chip, same as the N64.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: ISSOtm
Date: 2016-12-28 04:36:56
That makes sense, but I'm wondering if a piggybacking adapter (those that let you play bootlegged or out-of-region cartridges) may solve the problem by leaving a CIC plugged into the console while we swap cartridges.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: RFan573
Date: 2016-12-31 00:25:47
Will this allow cartridge-swapping in Pokemon Stadium? Would be fun to see it.

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: ISSOtm
Date: 2016-12-31 07:06:45
Nah, we tested this and sadly the N64 checks if there is a cartridge in. That's sad, but we can't do anything :(

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: RFan573
Date: 2017-01-01 23:16:51

> Nah, we tested this and sadly the N64 checks if there is a cartridge in. That's sad, but we can't do anything :(

Well that sucks. Well, we've still got the header-editing method.
Tried with any other Game Boys? (i.e. GB Boy Colour and the Game Boy Player w/ both official software and GB Interface)

Re: The Luigi Exploit - Could Pokémon be used to ACE / credits warp other games ?

Posted by: ISSOtm
Date: 2017-01-02 04:06:20
I dunno if anyone tried the GB Player, but all handheld consoles plus SGB and N64 have been tested.

Re: The CartSwap ACE - Using Pokémon to ACE / credits warp other games

Posted by: shutterbug2000
Date: 2017-02-13 19:34:22
So, I tried this on my SGB, and upon pulling the cart out, it just goes to the blank Nintendo logo. Any ideas?

Re: The CartSwap ACE - Using Pokémon to ACE / credits warp other games

Posted by: Yeniaul
Date: 2017-02-13 21:28:04
My GB player attachment is going bad so treat this with a grain of salt, but upon yanking the cart out I got a crash similar to the DSI crashes on Wii.

Re: The CartSwap ACE - Using Pokémon to ACE / credits warp other games

Posted by: ISSOtm
Date: 2017-02-15 08:40:58
shutterbug2000 : sometimes it does this. Try again, it usually works after a few tries.
Cryo confirmed it on a SGB.

I recommend pulling the cart quickly, seems to work better.

Re: The CartSwap ACE - Using Pokémon to ACE / credits warp other games

Posted by: Yeniaul
Date: 2017-02-15 09:59:45
> I recommend pulling the cart quickly, seems to work better.
If this reply was to me, I pulled it as fast as possible.

Re: The CartSwap ACE - Using Pokémon to ACE / credits warp other games

Posted by: ISSOtm
Date: 2017-02-15 11:44:16
Nah, it wasn't to you.

I didn't mention, though, that why the console sometimes resets or crashes is out of my field of knowledge, since I guess it involves advanced electronics and understanding of the hardware. I'm forced to do blind guesses about what happens, so don't mind my ignorance :P

Re: The CartSwap ACE - Using Pokémon to ACE / credits warp other games

Posted by: Yeniaul
Date: 2017-02-15 20:01:29

> Nah, it wasn't to you.
>
> I didn't mention, though, that why the console sometimes resets or crashes is out of my field of knowledge, since I guess it involves advanced electronics and understanding of the hardware. I'm forced to do blind guesses about what happens, so don't mind my ignorance :P

It is indeed the equivalent of Wii's DSI error screens. Think of them as no-color Windows NT BSODs (the WinNT ones that have the entire stack onscreen and COM debugging, that is)