Glitzer Popping

From Bulbapedia, the community-driven Pokémon encyclopedia.
Revision as of 01:20, 23 March 2016 by Jarticuno (talk | contribs)
Jump to navigationJump to search

Glitzer Popping is a subglitch of the Access Pokémon beyond slot 6 subglitch of the Pomeg glitch. As with the latter subglitch, it can only be initially performed in Pokémon Emerald (and can also be performed in FireRed and LeafGreen via trading with Emerald).

Method

050Diglett.png This section is incomplete.
Please feel free to edit this section to add missing information and complete it.
Reason: Copied from "Access Pokémon beyond slot 6" section: Huge amount of information missing; e.g. discuss how scrolling far enough corrupts memory in Storage Boxes 3(?) and onward, segue into how this plus the checksum verification and the related dynamic ordering of Pokemon data substructures can cause certain Pokemon (Eggs) to reliably change species based on the EVs they had, allowing the player to obtain any Pokemon (Glitzer Popping).

Effects

Glitzer Popping effectively enables the player to obtain arbitrary Pokémon. This is currently the only known method to obtain event-exclusive Pokémon in the Generation III games, as well as the only known method to obtain a large number of glitch Pokémon, at least one of which is known to enable arbitrary code execution.

Cause

050Diglett.png This section is incomplete.
Please feel free to edit this section to add missing information and complete it.
Reason: Large cleanup for readability

Using the Pomeg Glitch in a certain way, it is possible to force the game to send an empty slot in battle (it appears as Pokémon n°0 with completely blank data, and is also called Decamark). If the party is opened after that, this empty slot (who is the currently fighting Pokémon) is ordered first in the party. Since that Decamark has completely blank stats, opening his moves, trying to flee without a Fluffy Tail, or spending a turn without reviving a team member will make the player white out; viewing its summary can also freeze the game. By opening and closing a Pokémon summary, the party Pokémon counter is refreshed, and counts 0 Pokémon (it counts Pokémon from first party slot until he finds an empty slot). This makes the Party Pokemon Selection pointer underflow, allowing it to select 256 party slots instead of 1-6. Going over the "Quit" button directly teleports the pointer to the 256th party slot.

Pushing/maintaining Up after that makes the party Pokemon Selection Pointer scroll through the party slots, from the 256th to the 1st one. This makes it select blocks of RAM data and treat them as party Pokémon data (size of 100 bytes). The 256th party slot ends up being over PC Pokemon data (around Box 2, Slot 24 for Emerald and Box 3, Slot 1 for Fire Red/Leaf Green), and scrolling up will go over Day Care data, Contest data, map data (NPCs with their location and script address), flag data (story, trainers, events...), Bag, PC Items, Battle Frontier data, Trainer data (name, ID, SID...), and other things, in that order.

Each time the Party Pokemon Selection Pointer selects a new party slot, an anti-cheating function is applied to the selected "Pokémon". If the checksum of the "Pokémon" is invalid, it is changed into a Bad Egg. This change is made by setting the Egg Status flag of the Pokémon to 1, and by setting two other bits to 1 in order to turn that Egg into a "Bad" Egg. As the blocks of data considered as Party Pokémon aren't actually Party Pokémon to begin with, the checksum of a selected "Pokémon" will nearly always be invalid if it isn't empty.

The Egg Status flag can be at 4 different locations in a Pokémon's data. It belongs to one of the 4 substructures of the Pokémon and these substructures are ordered depending on the Pokémon's PID (PID modulo 24); since these substructures are also crypted with the Pokémon's PID and TID, setting the Egg status flag to 1 can result in either a bit set to 1 or 0 (depending on TID xor PID). However, the two "Bad" Egg bits are at a fixed location and will always be set to 1 if the Pokémon's checksum is invalid. These bit changes are what corrupts RAM data, which can induce many good things - as this corruption only changes up to 3 bits on a block of 100 bytes, only a tiny portion of RAM data is corrupted in the process. Since one of these bits isn't on a set location and can be changed to either 1 or 0, the addresses and nature of the corruption won't be fixed too.

Another element of randomness is added by the DMA. The DMA is a cheat-prevention script that moves the RAM addresses of a good amount of data every time the player engages in battle, enters a door, opens their Bag, and so on. The DMA changes the RAM addresses of values by translating them from several double-words. A value affected by DMA can take 32 different addresses, each separated by a double-word (4 bytes). Party Pokémon aren't affected by DMA, which means that the addresses of every party slot is constant; however, the data read on party slots beyond slot 6 is affected by DMA. Since party Pokémon data is 25 double-words long, and since the DMA translation is at most 32 double-words long, every double-word on a party slot beyond slot 6 can end up on an address where one of the bit corruptions can occur. However, as both RAM values and the addresses where corruption occur can move, interferences can easily occur between these two, that can sometimes prevent a set double-word to suffer from the Egg Flag corruption. For example, the Ever Grande City Fly location can't always be corrupted because of such an interference.

Using different strategies, it is possible to manipulate the corruption of some values and ensure that no other value in an area near them has been corrupted, allowing for a somehow pinpointed corruption. With this glitch, the PID and/or TID of PC Pokémon can be corrupted, while leaving the rest of the Pokémon's data untouched. As PID and TID encrypt the 4 substructures of a Pokémon, corrupting them will heavily change the Pokémon's checksum. The two "Bad" Egg bits corruption won't preserve the checksum, making them unusable for Pokémon corruption, but the Egg State Flag corruption can easily preserve the checksum. The Egg State Flag corruption changes the checksum by a multiple of 0x4000; as a Pokémon's checksum is coded on a word, if that multiple is even, the checksum won't be changed. Only a few things can make that multiple odd, and they can be easily prevented, making Pokémon corruption viable.

As PID manages the order of the 4 substructures of a Pokémon, corrupting it changes that order, which means that the game will read the substructures of that corrupted Pokémon in a wrong order (for example, the Moves substructure gets read on the EVs substructure). This change of substructures order allows manipulation of many parts of the Pokémon's data (species, held item, experience, moves, EVs, origin, IVs, obedience, etc.) by giving it specific moves, EVs, Friendship, Held Items, and so on, before corrupting it. Out of the 24 theorically possible changes of substructure order, only 10 can happen. These changes are called Corruption Types as they completely determine the effects of a PID corruption on a Pokémon.

Even if corrupting a Pokémon's PID with the Egg State flag corruption preserves its checksum and changes its substructure order, it also changes the encryption of these substructures (PID or TID changes). This change of encryption brings some changes to the decrypted values, and this can be a hindrance to the corrupted Pokémon. It will for example turn the Pokémon in an Egg, give it glitched moves 2 and 4, and/or affect its attributes. Having a corrupted Pokémon in an Egg is a hindrance as hatching it removes/resets its attributes; many Glitch Pokémon will also freeze the game when hatched, and always having moves 2 and 4 glitched can prevent you from using them, seeing them, swapping them, or changing them.

However, corrupting both PID and TID of a Pokémon in the course of 2 Glitzer Popping uses leaves the corrupted Pokémon with a valid checksum, a change of substructure orders, and a restored substructure encryption (PID or TID was changed back to its original value). This procedure can then be used for a precise corruption of nearly every Pokémon, leaving them without any residual glitched value.

Origin/Discovery

050Diglett.png This section is incomplete.
Please feel free to edit this section to add missing information and complete it.
Reason: Werster. Explain the sequence of events that led to the discovery of this subglitch

Video

By Werster


References


Bulbapedia logo.png This article is a stub. You can help Bulbapedia by expanding it.


Multiple
generations
Transform glitchesGlitch TrainersCloning glitchesError messagesArbitrary code execution
Generation I GlitchesBattle glitchesOverworld glitches
--0 ERRORBroken hidden itemsCable Club escape glitchDual-type damage misinformation
Experience underflow glitchFight Safari Zone Pokémon trickGlitch CityItem duplication glitchItem underflow
Mew glitchOld man glitchPewter Gym skip glitchPokémon merge glitchRhydon glitchRival twins glitch
Select glitches (dokokashira door glitch, second type glitch) • Super Glitch
Time Capsule exploitWalking through wallsZZAZZ glitch
Generation II GlitchesBattle glitches
Bug-Catching Contest glitchCelebi Egg glitchCoin Case glitchesExperience underflow glitch
Glitch dimensionGlitch EggTeru-samaTime Capsule exploitTrainer House glitchesGS Ball mail glitch
Generation III GlitchesBattle glitchesOverworld glitches
Berry glitchDive glitchPomeg glitchGlitzer Popping
Generation IV GlitchesBattle glitchesOverworld glitches
Acid rainGTS glitchesPomeg glitchRage glitch
Surf glitchTweakingPal Park Retire glitch
Generation V GlitchesBattle glitchesOverworld glitches
Charge Beam additional effect chance glitchCharge move replacement glitchChoice item lock glitch
Frozen Zoroark glitchSky Drop glitch
Generation VI GlitchesBattle glitchesOverworld glitches
Charge Beam additional effect chance glitchCharge move replacement glitchChoice item lock glitch
Lumiose City save glitchSymbiosis Eject Button glitchToxic sure-hit glitch
Generation VII GlitchesBattle glitches
Charge Beam additional effect chance glitchCharge move replacement glitchChoice item lock glitch
Toxic sure-hit glitchRollout storage glitch
Generation VIII Glitches
Charge Beam additional effect chance glitchCharge move replacement glitchChoice item lock glitch
Toxic sure-hit glitchRollout storage glitchParty item offset glitch
Generation IX Glitches
Glitch effects Game freezeGlitch battleGlitch song
Gen I only: Glitch screenTMTRAINER effectInverted sprite
Gen II only: Glitch dimension
Lists Glitches (GOMystery DungeonTCG GBSpin-off)
Glitch Pokémon (Gen IGen IIGen IIIGen IVGen VGen VIGen VIIGen VIII)
Glitch moves (Gen I) • Glitch types (Gen IGen II)


Project GlitchDex logo.png This article is part of Project GlitchDex, a Bulbapedia project that aims to write comprehensive articles on glitches in the Pokémon games.