Game Boy Printer bad serial/opcode arbitrary/remote code proof of concept (Pokémon Yellow)

Channel: Evie (ChickasaurusGL) 🌺
Video Link: https://www.youtube.com/watch?v=FI8pPtMdMe0



Duration: 0:37


Notes:
Pokémon Yellow has its own set of opcodes for the Game Boy Printer. I noticed that with cheats you can overwrite D49A, which is meant to temporarily store the opcode, but the game usually hangs, so I set a breakpoint at the start of 3A:4A5E (PrinterSerial_).

If you then enable the cheat, the next command is hijacked to the relative pointer from D49A (3A:4A6D is the pointer table) and command 0x26 goes beyond the table and executes arbitrary code at FAC9. So, I stored a code there (from PC Pokémon around the FAC9/DAC9 area in the WRAM) to encounter Mew after closing the menu. A simple RAM write is safe, as long as you are fast enough to immediately disable the code (and disable your breakpoint) and close the menu with B after the code execution.

As this is possible, maybe you could write a code (for ws m, 4F etc.) that checks for the right time to write the new value, then closes the menu for you? I'm not actually sure how this affects the interaction with the Game Boy Printer/if anything really happens, but there is some documentation in the Pokémon Yellow disassembly, including this list of valid commands. Also, if the Game Boy Printer can send those commands for the game to run, could you mod the Game Boy Printer to send 0x26?

Without me knowing how it really works, it's at least another access point; from the printer error message ^^.

.Jumptable:
dw .Nop
dw .SignalTransmissionStart
dw .SendHeaderByte1
dw .SendHeaderByte2
dw .SendHeaderByte3
dw .SendHeaderByte4
dw .DataByte
dw .SendChecksumLo
dw .SendChecksumHi
dw .SignalTransmissionEnd
dw .Receive1
dw .Receive2
dw .SignalTransmissionStart
dw .Send_0F
dw .Send_00
dw .Send_00
dw .Send_00
dw .Send_0F
dw .Send_00
dw .SignalTransmissionEnd
dw .Receive1
dw .Receive2_
dw .SignalTransmissionStart
dw .SignalQuit
dw .Send_00
dw .Send_00
dw .Send_00
dw .SignalQuit
dw .Send_00
dw .SignalTransmissionEnd
dw .Receive1
dw .Receive2
# So the glitch commands may be the ones beyond this table.
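
Added illustration (not code from the video or from the Pokémon Yellow disassembly): a C model of why an unvalidated index into the 32-entry table above reads past its end for 0x26, next to a bounds-checked variant. It assumes the dispatcher fetches a 2-byte little-endian pointer at table + 2*opcode; the bank contents, the placeholder handler addresses and the fall-back-to-.Nop policy are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_ADDR  0x4A6Du   /* 3A:4A6D, the pointer table (from the notes) */
#define TABLE_COUNT 32u       /* number of dw lines in .Jumptable above */
#define BANK_BASE   0x4000u   /* switchable ROM bank window on the Game Boy */
#define BANK_SIZE   0x4000u

static uint8_t bank[BANK_SIZE];   /* constructed stand-in for ROM bank 3A */

/* Fill the model. In-table entries get placeholder handler addresses; the two
   bytes a 0x26 lookup lands on are set to C9 FA so the result matches the FAC9
   target reported in the notes. All byte values here are constructed. */
void build_model(void) {
    for (unsigned i = 0; i < TABLE_COUNT; i++) {
        uint16_t handler = (uint16_t)(0x4B00u + i);          /* placeholder */
        bank[TABLE_ADDR - BANK_BASE + 2 * i]     = (uint8_t)(handler & 0xFF);
        bank[TABLE_ADDR - BANK_BASE + 2 * i + 1] = (uint8_t)(handler >> 8);
    }
    bank[TABLE_ADDR - BANK_BASE + 2 * 0x26]     = 0xC9;
    bank[TABLE_ADDR - BANK_BASE + 2 * 0x26 + 1] = 0xFA;
}

/* Address the pointer is fetched from (assumed layout: table + 2*opcode). */
uint16_t entry_addr(uint8_t opcode) {
    return (uint16_t)(TABLE_ADDR + 2u * opcode);
}

/* Unchecked dispatch: trusts the opcode byte (D49A) and returns the jump target. */
uint16_t target_unchecked(uint8_t opcode) {
    unsigned off = entry_addr(opcode) - BANK_BASE;
    return (uint16_t)(bank[off] | (bank[off + 1] << 8));     /* little-endian dw */
}

/* Checked dispatch: any opcode outside the table is treated as entry 0 (.Nop). */
uint16_t target_checked(uint8_t opcode) {
    return target_unchecked(opcode < TABLE_COUNT ? opcode : 0);
}

int main(void) {
    build_model();
    printf("table ends at %04X\n", TABLE_ADDR + 2u * TABLE_COUNT);
    printf("0x26 fetches from %04X, jumps to %04X (unchecked)\n",
           (unsigned)entry_addr(0x26), (unsigned)target_unchecked(0x26));
    printf("0x26 jumps to %04X (checked, .Nop)\n", (unsigned)target_checked(0x26));
    return 0;
}
```

Valid opcodes are 0x00 to 0x1F; 0x26 is fetched from 4AB9, twelve bytes past the end of the table at 4AAD.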



