SRAM glitch

From Glitch City Wiki
Jump to navigation Jump to search
Major glitches of the Pokémon series


Arbitrary code execution

0x1500 control code arbitrary code execution (Crystal) | Cart-swap arbitrary code execution | Generation I custom map script pointer | Generation I invalid meta-map scripts | Generation I item ("8F", "ws m", "-g m", "5かい", "てへ" etc.) | Generation I move ("-", "TM42") | Generation I Trainer escape glitch text boxes | Generation II bad clone | Generation II Burned Tower Silver | Japanese Crystal Pokémon Communication Center SRAM glitches | Coin Case glitch | Generation II glitch Pokédex sortings | Pikachu off-screen glitch ACE | OAM DMA hijacking | Pikachu glitch emote | Generation III glitch Pokémon summary | Generation III glitch move animation) | Remote code execution | TM/HMs outside of the TM/HM pocket | ZZAZZ glitch Trainer FC


No further extensions

Cloning | Item duplication glitch (Generation I) | Pokémon merge glitch ("Q Glitch", Generation I) | Time Capsule exploit | Bug-Catching Contest data copy glitch (Generation II, Japan only) | Berry glitch | Battle Tower Lati@s glitch (Generation III) | (Mimic) Transform Rage glitch (Generation IV)

Transform held item glitch (Generation IV, Japan only) | Mimic glitch (Generation IV, Japan only)


Buffer overflow techniques

99 item stack glitch | LOL glitch | Rival LOL glitch | Instant LOL glitch | RAM LOL glitch | Out of bounds LOL glitch | blockoobLG | Instant encounter infinite chain glitch | LGFly | Super Glitch (Generation I) | Party remaining HP glitch | Super Glitch (Generation III) | Text pointer manipulation mart buffer overflow glitch | CoolTrainer♀-type move | Double distort CoolTrainer♀ corruption | Yami Shop glitch | Party Pokémon box data shift glitch | Unterminated name glitch item instant encounter (Japanese Red/Green)


Item stack duplication glitch (Generation I)

Generation I expanded items pack (Glitch Rocket HQ maps, Map FE (English and non-English European Yellow) | Map script pointer manipulation (arbitrary code execution | Map script pointer item ball manipulation) | Text pointer manipulation (arbitrary code execution | Item ball manipulation | Mart buffer overflow) | Trainerless instant encounter glitch


Bad clone glitch (Generation II)

????? party overloading (Type 0xD0 move glitch | ????? map corruption | Celebi trick | Celebi Egg trick | Shiny Celebi trick | Glitch move map corruption | Overloaded party map corruption | Glitch Unown (Glitch Unown map corruption) | Duplicate key items glitch (Infinite items and item creation, Expanded Balls pocket (Wrong pocket TM/HMs, Glitch Pokédex categories))


Closed menu Select glitches (Japanese Red/Green)

Dokokashira door glitch (International) | Fossil conversion glitch (international) | Second type glitch | Skip to Level 100 glitch | Trainer mutation glitch | Walk through walls (International) | Lift glitch | Badge describer glitch


Pomeg glitch (Generation III)

Pomeg data corruption glitch ("Glitzer Popping") | Charm glitch


Voiding (Generation IV)

Tweaking

Broken escalator glitch (Japan only) | Elite Four door glitch (Japan only)


2x2 block encounter glitches (Generation I)

Left-facing shore tile glitch (in-game trade shore encounter trick, Old man trick, Trade link up shore encounter trick, Fight Safari Zone Pokémon trick) | Viridian Forest no encounter grass tiles glitch


Glitch City

Safari Zone exit glitch | RAM manipulation | Out of bounds Glitch City (Generation II) | Slowpoke Well out of bounds corruption (French Gold/Silver/Crystal)


Large storage box byte shift glitch

Storage box remaining HP glitch | Generation I max stat trick


Pikachu off-screen glitch

Trainer corruption glitch


SRAM glitches

Generation I save corruption | 255 Pokémon glitch | Expanded party encounter table manipulation (Generation I) | Send party Pokémon to a new game (Generation I) | Generation II save corruption | Mailbox glitches | Mystery Gift item corruption | Trainer House glitches


Trainer escape glitch

Death-warp | Ditto trick | Experience underflow glitch | Mew trick | Text box ID matching | Meta-map script activation


Walk through walls

Ledge method | Museum guy method | Rival's effect | Select glitch method (International Select glitch method), Brock Through Walls


Surf down glitch

Grass/rock Surfing glitch (Spanish/Italian only) (adaptions: Submerge glitch (international)) | 8 8 (0x7C) grass/rock surfing glitch (English Red/Blue))

(view, talk, edit)
PRAMA Initiative a également une page sur SRAM glitch.

The SRAM glitch, also known as the save corruption glitch or the save abuse glitch, is a method of performing a partial save in Pokémon Red, Blue, and Yellow with a hard reset, such that the party data in the SRAM is carried into the new save file. Most notably, it allows the player to obtain an expanded party of 255 Pokémon immediately after starting a new game. It also allows the player to send party Pokémon to a new game.

The glitch exploits a quirk in the code for saving the game to get a save file with a correct checksum. The necessary timing for the hard reset is very precise (less than 0.1 second), but it is still much easier than getting the correct checksum by chance.

Procedure

Clearing the save file

This glitch can be executed at any point in the game, but is most often done at the very start of a new game to access an expanded party. For this purpose, the player needs to clear any existing save files:

  1. Press Up+Select+B on the title screen (not the title menu; it is the screen with the "Pokémon" logo and version name, and can be reached from the title menu by pressing B).
  2. Choose "Yes" to the "Clear all saved data?" prompt.

Even if the player does not have an existing save file (e.g. on a fresh cart), it is still recommended to clear the save file anyway. Clearing the save file will set the SRAM to all 0xFF bytes, which guarantees that this glitch will give the player an expanded party. On the other hand, the contents of uninitialized SRAM is unpredictable: There is a good chance it will be 0xFF anyway, but it can also be something else. In particular, some emulators initialize the SRAM to 0x00, which means even if this glitch succeeded, it will not give the player an expanded party.

Save corruption

The following steps can be done at any point in the game.

  1. Open the start menu, and select "Save".
  2. Select "Yes" in the "Yes/No" dialog box, but at a very precise moment, power off or reset the console.
    • Soft resetting (holding Start+Select+A+B) will not work, as the game prevents soft resets while it is saving.
    • The timing to power off or reset is after the "Yes/No" dialog box has disappeared, but before the text changes to "Now saving..." (Red/Blue) or "Saving..." (Yellow).
      • The time window between those two visual cues is around 20 frames (depending somewhat on the version and the circumstances), but the window to successfully perform this glitch is only 4 frames.
    • Note that on the Game Boy Player the reset fadeout delay applies, so the player needs to press the reset button earlier accordingly, before the player selects "Yes" by pressing A, and possibly even before the "Yes/No" dialog box appears (this is often the case when speedrunning).

If the glitch was successful, a Continue option will be present when the game is started again, but the player's party will be replaced by the existing party data in the SRAM. In particular, the player will be able to access their Pokémon screen even if they never received the starter (unless the party data in the SRAM had 0 Pokémon).

There are two ways the glitch can fail:

  • When rebooting the game the message "The file data is destroyed!" may appear, which usually indicates the reset happened too early and will remove the Continue option.
  • If the Continue option does appear, the player may find their party data unchanged (if the player never received the starter in this game, then the Pokémon screen cannot be accessed), which indicates that either the reset happened too late, or the player didn't set up the SRAM data properly (see Clearing the save file above).

Variants

255 Pokémon glitch

Main article: 255 Pokémon glitch

By performing the SRAM glitch while the player has no save file, the party data will become whatever is in the SRAM, and is likely to be all 0xFF bytes (in particular, clearing the save file will set the SRAM to all 0xFF). As a result, the player will have 255 Pokémon in the party. When the player opens the party screen, it will appear to show nothing in the party, but the player will be able to scroll the cursor to any of the 255 slots and switch Pokémon around.

The expanded party can be exploited in many ways. For example:

  • Warp to the Safari Zone: Swapping the 3rd Pokémon with the 36th can warp the player to the Safari Zone gate. (discovered by VaeporSage)
  • Walk through walls: Swapping Pokémon 62 with 63 allows the player to walk through walls. (discovered by hibiki ganaha)
  • Expanded item pack: Swap Pokémon 9 with Pokémon 10, and then with Pokémon 11. If you want to undo the effects of the 255 Pokémon glitch, stand on the right tile of the house's exit mat, and swap Pokémon 187 with Pokémon 178, wait a while[clarification needed], and press A.

Send party Pokémon to a new game

Main article: Send party Pokémon to a new game

If the player starts a new game while a save file already exists, and successfully performs the SRAM glitch, then the party Pokémon from the old save file will appear in the new game.

If the glitch fails due to the reset happening too early, then the game will say "The file data is destroyed!", but the saved party Pokémon data is in fact not overwritten. Therefore, if the player starts a new game in this state and try again, they may still be able to retrieve those party Pokémon. (Of course, if the reset happens too late and the save was successful, then the party would be overwritten and unable to be retrieved.)

Pokémon cloning

Main article: Pokémon cloning (Generation I)#Save menu method

The SRAM glitch can also be performed while a save file from the same playthrough exists, overwriting the player's current party with the party from the old save file. In particular, if the player saves the game, deposits a Pokémon into the Pokémon Storage System, then performs the SRAM glitch successfully, then that Pokémon will exist in both the box and the party, essentially cloned.

Explanation

When saving the game in Generation I, the game calls three functions, each only saving a part of it, and the parts are in fact overlapping:

  • The first function[1] saves everything, except the party data.
  • The second function[2] only saves the current box data.
  • The third function[3] saves the party data, the Pokédex data, and (in Yellow) Pikachu's happiness and mood.

Besides being used for a full save, the third function is also used after trading a Pokémon in the Cable Club. Presumably at least one of the first two functions is also intended to be used somewhere else, but they don't seem to be in the final game.

The importance of having three functions is that all three functions will compute a checksum from the full save data on the SRAM, and write it to the SRAM. When performing a full save, the first function would result in an inconsistent save file, and checksum it. At this point, if the player resets the game, the save file would be considered valid by the game since the checksum is correct.

Furthermore, the second function would then save the current box data to the SRAM, which takes a significant number of frames, but actually does nothing because the current box data is already saved by the first function. Therefore, during this period, the checksum on the SRAM will remain valid, resulting in a relatively large time window for the hard reset.

References