We hope our readers are familiar with the vast number of ROM hacks for the original 1st-gen Pokemon games. With certain sequences of button presses, it’s possible to duplicate items in the player’s inventory, get infinite money, or even catch a glimpse of the elusive MissingNo. [bortreb] is familiar with all these hacks, but his efforts to program a Game Boy from inside Pokemon is by far the greatest Pokemon glitch ever created.
This ‘total control’ ROM hack was inspired by [p4wn3r]’s extremely impressive 1 minute and 36 second long speed run for Pokemon Yellow. The technique used in [p4wn3r]’s run relies on the fact the warp points in Pokemon Yellow are right after the item list in the Game Boy’s memory. By corrupting the item list, [p4wn3r] figured out how to make the front door of his house warp directly to the end of the game resulting in the fastest Pokemon speed run ever.
Realizing this ROM hack is able to control the CPU with only the player’s inventory, [bortreb] wanted to see how far he could push this hack. He ended up writing a bootstrapping program by depositing and discarding items from the in-game PC, and was then able to reprogram the Game Boy with a number of button presses on the D-pad, select, start, A and B buttons.
The resulting hack means [bortreb] can actually make Pong, Pacman, a MIDI player, or even a copy of Pokemon Blue. In the video after the break, you can see all of [bortreb]’s speed run along with the finale of playing a MIDI file of the My Little Pony theme song. [bortreb] has a really amazing hack on his hands here that really pushes the definition of what can be done by tinkering around with a Pokemon ROM.
“… or even a copy of Pokemon Blue”
O rly?
Pokemon Blue is 512 KB, while the GameBoy only has 8KB of internal, general purpose SRAM…
Still, a very cool hack!
Hack is able to overvrite the flash memory ? xD
It’s not flash, its a mask rom. Which is “made” with the program in it, not so much programmed in.
While it is true the the game is mask rom, one could easily bootstrap some code into the ram, so that the cartridges can be switched out to a flash cart, then all that button pressing could write a full size game to that flash cart, then jump there. :)
Or more correctly, it could be Pokemon yellow that exists exclusively on the flash cart, so that no cart swap is necessary. Flash cart programming is generally just a few commands to certain addresses, first to erase a block, then to program a block.
Well Pokemon yellow is just a modified version of red/blue. I assume Nintendo just locked away some of the features and added the new features, while the old ones still exist.
That dude is the pokemon master!
Way da catch ’em all!
Pretty cool hack but…. calling the some of the most known glitches in videogames, such as MissingNo, a ROM Hack?
It’s not the missingno glitch at all. He used glitches that affected warp areas and such via various means in the speedrun, and in this is in-game programming. The missingno glitch (the one using cinnibar) doesn’t even work in yellow.
The “ROM hack” part comes from the fact that he is reprogramming parts of the game in real time. I find that really impressive.
I’m lost is this a Rom hack or a Glitch? A Rom Hack is a modification of the ROM to add or change functionality in game, a glitch is error in the original code allowing for functionality or dis-functionality not originally intended.
Somewhere between the two. It uses a stock Yellow rom (or cartridge) but the first step is to reset while saving, which is kinda in the gray area.
Because the carts all used Mask ROM, no true ROM-hacking is possible, but this is as close as it gets on-console with an original cartridge, and it produces similar results. Think of it like a softmod, because that’s exactly what it is.
This is NOT a Rom hack, theoretically this could be achieved on a stock gameboy with a stock Pokemon red game.
With corrupting the inventory he manages to control certain parts of the memory, so he writes bootstrap code (with buying certain amounts of stuff and putting them in the inventory) and gets execution on this code. The Bootstrap code reads 4 keys and stores them to memory, with that he writes a second Bootstrap that reads all 8 keys, so he can store 1 byte per frame to memory. With that he writes a midi sequencer and a PNG lib to memory together with the mlp music and a picture of balloons which are finally shown.
Thanks Mathias! I was trying to wrap my head around what was going on here. It sounds like a very painstaking process nonetheless. I’ll have to dig thru and read up on the sequencer a bit.
Great hack!!
I am certain what he has accomplished was not intended by the original creator..that being said, why then would this not be a hack?
Unfortunately, making anything especially complicated is impossible, due to the fact that the glitch is limited to only two banks of code (one bank is about 33kb). The average SNES or GB game is about 512kb, meaning very little would be available. Plus, much of that code would just be to get the game to start working, so you’d have little space left for actual coding.
Oh hush, clearly much can be done with very little. That’s a lesson from this very hack!
Could it not be a ROM hack AND a glitch?
My Little Pony theme song. So much win !
As others have said, this is not a ROM hack. A ROM hack takes the original game image then rewrites it, making a new ROM image that can be run later. What this hack is doing instead is taking the stock game image, running it, then exploiting glitches in the game enough to be able to load arbitrary machine code to RAM.
The key difference is that it’s possible to do this hack with the original game on a real machine by hand without hardware modifications if you want. But when you turn the system off, your code will be lost. ROM hacks require that you tamper with the game BEFORE you run it. And you need a custom cartridge to store your game/program if you want to run it on the real hardware. ROM hacks are persistent though.
It’d be hard to do on a real system (manually), since you have to save the game and shut it off at the exact right time, so you corrupt the right values.
So for all the people saying it would be impossible to put Pokemon Blue in, why would it be impossible if almost all the code and assets you need are already there? All one would have to do is update some of the data and modify the game code in RAM to use it (as well as not touch the poked code, preferably). Granted I have no idea how difficult that would be, but hey, I had no idea you could jailbreak Pokemon either so…
In theory maybe, but if any assets required for pokemon blue are not present on the red cartridge, those would have to be coded into and stored in ram. The question is, how much of the gameboys ram is used in the worst case scenario by the original game rom? Is there enough left over room to hold the modified game engine, its table of offsets redirecting items to where they are actually stored in the cartridge rom, and any assets not found on the cartridge rom?
The IF in your question seems unlikely to be true, but what do I know? I had no idea you could jailbreak Pokemon either!
This is more commonly known as a buffer overrun vulnerability.
Dear god, the commenters here are a bunch of idiots. (yeah yeah, it’s HAD, I know) This is a major achievement and all you people can do is kvetch that it’s “not a romhack”…
I agree, if all the majority of commenters can do is get stuck on the wording of the article, and not the monumental 3 months it and amazing amount of work bortreb put into this amazing work, it’s really sad.
+1
Brilliant indeed! Even if it is not a “rom hack”, it exploits a very nice buffer overflow situation where you have to hand-assemble your code using only a restricted set of values (the item types). Very nice and instructive!
“Even if…”? If it was a Rom hack it would be shit boring. It is interesting only because its NOT a ROM hack. Thats why we are telling the readers its not. Every ROM hack “is able to control the CPU”. Its the article that is wrong and downplays this achievement.
Well actually reading the comments it does seem every one is bashing it because it is *not* a rom hack, and not that this was merely an emendation to the article :)
screw the wording
this is quite the hack
i mean messing with the game without needing any kind of flashrom chip andorsoldering andor modded cart
way to go.
+5
… MLP song? really? thought we’d enjoy it? i’d have used the doom theme or e1m1
keep up the good hacking
PS: back in the day, we’d call this type of hack a “back door”
or a “way into the program”
That’s a sweet piece of old-school hacking… great work [bortreb] *raises glass*
Looks like he used a recording system to enter everything…
Sorry, but I think everyone is missing the coolest part…. he’s using a Pokemon game computer to hack a gameboy.
It’s very Matrix.
+1
Also looking for such codes