Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of an article from Glitch City Laboratories wiki.

A live version of this article is available at the Glitch City Wiki here.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of the wiki in .tar.gz or .xml.gz formats.

OAM DMA hijacking

Arbitrary code execution in the Pokémon series



0x1500 control code arbitrary code execution (Crystal) | Cart-swap arbitrary code execution | Generation I custom map script pointer | Generation I invalid meta-map scripts | Generation I item ("8F", "ws m", "-g m", "5かい", "てへ" etc.) | Generation I move ("-", "TM42") | Generation I Trainer escape glitch text boxes | Generation II bad clone | Generation II Burned Tower Silver | Japanese Crystal Pokémon Communication Center SRAM glitches | Coin Case glitch | Generation II glitch Pokédex sortings | Pikachu off-screen glitch ACE | OAM DMA hijacking | Pikachu glitch emote | Generation III glitch Pokémon summary | Generation III glitch move animation) | Remote code execution | TM/HMs outside of the TM/HM pocket | ZZAZZ glitch Trainer FC

List of arbitrary code execution programs

(view, talk, edit)


More research is needed for this article.


Reason given: Document more effects of it. Can a Glitch Pokémon evolve if its sprite and name are "stable" enough? Are there many glitch cries available for Glitch Pokémon? List Glitch Type Sprites that could cause interesting effects. Study the causes and effects of the corruption of the PC Pokémon Selection in Fr/Lg. Test again the effect of Pokédex entries of Glitch Pokémon.







OAM DMA hijacking is a form of arbitrary code execution in Game Boy games, which allows for the player to execute code every frame.

This glitch works by hijacking the "OAM DMA" process associated with sprites. [elaboration needed]

An easy means to perform OAM DMA hijacking in both Pokémon Red and Blue and Pokémon Gold and Silver is to write to the HRAM region FF80, however care must be taken as this region will be executed every frame. For this reason it is safe to place a ret (0xC9) opcode at the beginning of this region, write the code after it and replace the ret with a nop (0x00) byte afterwards. This exploit was documented by Crystal_.

[b]YouTube video by PLASMA GER[/b]


Another exploit for Red and Blue can involve making the following modifications to the HRAM, as documented by luckytyphlosion:

At FF86, write "jr FFF9". At FFF9, write "dec a" At FFFA, write "jr nz, FFF9" At FFFC, write "jp [region]"

Do note that this will disable moving the character.

OAM DMA hijacking is useful as a form of 'real-time' arbitrary code execution, allowing the player to perform exploits such as walk through walls in Generation II or writing a 0x50 sub-tile permanently to the beginning of the screen data for Generation I.

This article or section is a stub. You can help wiki by [ expanding it].

Categories