Glitzer Popping

From Bulbapedia, the community-driven Pokémon encyclopedia.

Glitzer Popping is a subglitch of the Access Pokémon beyond slot 6 subglitch of the Pomeg glitch. As with the latter subglitch, it can only be performed in Pokémon Emerald, Fire Red, and Leaf Green.

Method

This section is incomplete.
Reason: Copied from "Access Pokémon beyond slot 6" section: Huge amount of information missing; e.g. discuss how scrolling far enough corrupts memory in Storage Boxes 3(?) and onward, segue into how this plus the checksum verification and the related dynamic ordering of Pokemon data substructures can cause certain Pokemon (Eggs) to reliably change species based on the EVs they had, allowing the player to obtain any Pokemon (Glitzer Popping).

Effects

Glitzer Popping effectively enables the player to obtain arbitrary Pokémon. This is currently the only known method to obtain event-exclusive Pokémon in the Generation III games, as well as the only known method to obtain a large number of glitch Pokémon, at least one of which is known to enable arbitrary code execution.

Cause

By using the Pomeg glitch in a certain way, it is possible to force the game to send an empty slot into battle (it appears as Pokémon No. 0 with completely blank data, and is also called Decamark). If the party is opened after that, this empty slot (which is the currently battling Pokémon) is ordered first in the party.

- Since the Decamark has completely blank stats, opening its moves, trying to flee without a Fluffy Tail, or spending a turn without reviving a team member will make the player black out. Viewing its summary can also freeze the game.

Opening and closing a Pokémon summary refreshes the party Pokémon counter, which now counts 0 Pokémon (it counts Pokémon from the first party slot until it finds an empty slot). This makes the party Pokémon selection pointer underflow, allowing it to select 256 party slots instead of 1-6. Going over the "Quit" button directly teleports the pointer to the 256th party slot.

Pressing or holding Up after that makes the party Pokémon selection pointer scroll through the party slots, from the 256th to the 1st. This makes it select blocks of RAM data and treat them as party Pokémon data (100 bytes each).

- The 256th party slot ends up over PC Pokémon data (around Box 2 Slot 24 for Emerald and Box 3 Slot 1 for Fire Red/Leaf Green), and scrolling up will go over Day Care data, Contest data, map data (NPCs with their location and script address), flag data (story, trainers, events, etc.), Bag, PC Items, Battle Frontier data, and Trainer data (name, ID, SID, etc.), in that order, along with many other small items.

Each time the party Pokémon selection pointer selects a new party slot, an anti-cheating function is applied to the selected "Pokémon". If the checksum of the "Pokémon" is invalid, it is changed into a Bad Egg. This change is made by setting the Egg Status flag of the Pokémon to 1, and by setting two other bits to 1 in order to turn that Egg into a "Bad" Egg.

- As the blocks of data considered as Party Pokémon aren't Party Pokémon to begin with, the checksum of a selected "Pokémon" will nearly always be invalid if it isn't empty.

The Egg Status flag can be at 4 different locations in a Pokémon's data: it belongs to one of the 4 substructures of the Pokémon, and these substructures are ordered depending on the Pokémon's PID (PID modulo 24). Since these substructures are also encrypted with the Pokémon's PID and TID, setting the Egg Status flag to 1 can result in either a bit set to 1 or a bit set to 0 in memory (depending on TID xor PID). However, the two "Bad" Egg bits are at a fixed location and will always be set to 1 if the Pokémon's checksum is invalid.

These bit changes are what corrupt RAM data, which can produce many useful effects. As this corruption only changes up to 3 bits in a block of 100 bytes, only a tiny portion of RAM data is corrupted in the process. Since one of these bits isn't at a set location and can be changed to either 1 or 0, the addresses and nature of the corruption aren't fixed either.
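A simplified C model of the check described above, added here as an illustration (not code from the game or from Bulbapedia): it shows how a validation routine that writes on failure alters at most three bits of whatever 100-byte block it is pointed at, next to a caller that rejects out-of-range slots. The field offsets, the substructure-position table and the 16-bit additive checksum follow the commonly documented Generation III layout and are assumptions; all function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define MON_SIZE  100  /* party entry size given on the page */
#define PARTY_MAX 6
/* Assumed layout (commonly documented for Generation III, not from the page) */
#define OFF_FLAGS 19   /* bit 0 = Bad Egg, bit 2 = Egg: the two fixed bits */
#define OFF_SUM   28   /* stored 16-bit checksum */
#define OFF_DATA  32   /* 48 encrypted bytes: four 12-byte substructures */

/* Position (0-3) of the substructure holding the Egg flag, by PID % 24 */
static const uint8_t MISC_POS[24] =
    {3,2,3,2,1,1, 3,2,3,2,1,1, 3,2,3,2,1,1, 0,0,0,0,0,0};

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* Byte offset of the 32-bit word that carries the Egg flag (bit 30) */
int egg_word_offset(const uint8_t *mon) {
    return OFF_DATA + 12 * MISC_POS[rd32(mon) % 24] + 4;
}
/* The check with its write side effect; returns 1 if the block was marked */
int validate_or_mark(uint8_t *mon) {
    uint32_t key = rd32(mon) ^ rd32(mon + 4);   /* PID xor TID */
    uint16_t sum = 0;
    for (int i = 0; i < 48; i += 4) {
        uint32_t w = rd32(mon + OFF_DATA + i) ^ key;
        sum += (uint16_t)w + (uint16_t)(w >> 16);
    }
    if (sum == (mon[OFF_SUM] | (mon[OFF_SUM + 1] << 8))) return 0;
    mon[OFF_FLAGS] |= 0x05;
    int off = egg_word_offset(mon);
    /* flag set in decrypted form, so the stored bit ends up 1 ^ key bit */
    wr32(mon + off, ((rd32(mon + off) ^ key) | (1u << 30)) ^ key);
    return 1;
}
/* Hardened caller: a zero count can no longer wrap into 256 selectable slots */
int select_slot(uint8_t *party, unsigned slot, unsigned count) {
    if (count == 0 || count > PARTY_MAX || slot >= count) return -1;
    return validate_or_mark(party + slot * MON_SIZE);
}
/* Number of bits that differ between two 100-byte blocks */
int bit_diff(const uint8_t *a, const uint8_t *b) {
    int n = 0;
    for (int i = 0; i < MON_SIZE; i++)
        for (uint8_t x = a[i] ^ b[i]; x; x &= x - 1) n++;
    return n;
}
```

In this model an all-zero block passes the check and is left untouched, while any other block with a mismatching checksum differs from its original by at most three bits.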

Another element of randomness is added by the DMA. The DMA is a cheat-prevention script that moves the RAM addresses of a good amount of data every time the player enters a battle, goes through a door, opens the Bag, and so on. The DMA changes the RAM addresses of values by shifting them by several double-words. A value affected by DMA can take 32 different addresses, each separated by a double-word (4 bytes).

Party Pokémon aren't affected by DMA, which means that the address of every party slot is constant. However, the data read in party slots beyond slot 6 is affected by DMA. Since party Pokémon data is 25 double-words long, and since the DMA shift is at most 32 double-words long, every double-word in a party slot beyond slot 6 can end up at an address where one of the bit corruptions can occur (the corruption caused by the invalid checksum of the "Pokémon" in that party slot).

- However, as both the RAM values and the addresses where corruption occurs can move, the two can easily interfere with each other, which can sometimes prevent a given double-word from being hit by the Egg Flag corruption. (For example, the Ever Grande Fly location can't always be corrupted because of that.)

Using different strategies, it is possible to manipulate the corruption of some values and ensure that no other value in an area near them has been corrupted, allowing for a somewhat pinpointed corruption.

With this glitch, PC Pokémon PID and TID can be corrupted while leaving the rest of the Pokémon's data untouched.

As PID and TID encrypt the 4 substructures of a Pokémon, corrupting them will heavily change the Pokémon's checksum. The corruption of the two "Bad" Egg bits won't preserve the checksum, making it unusable for Pokémon corruption, but the Egg State Flag corruption can easily preserve the checksum.

- The Egg State Flag corruption changes the checksum by a multiple of 0x4000. As a Pokémon's checksum is stored in a word, if that multiple is even, the checksum won't be changed. Only a few things can make that multiple odd, and they can be easily prevented.

This section is incomplete.
Reason: dump info from TASvideos Pokemon Emerald submission

Origin/Discovery

This section is incomplete.
Reason: Werster. Explain the sequence of events that led to the discovery of this subglitch
