Evie (ChickasaurusGL) 🌺 | Encounter Pokémon in Map 254 (0xFE) (via arbitrary (custom) map header glitch) (Pokémon Red/Blue) @ChickasaurusGL | Uploaded February 2022 | Updated October 2024, 15 hours ago.
Notes: This glitch is following my find that map FE has its header from CDCD in RAM; in the middle of the screen data copy. Can you customize it to your own town like I did previously with a different method? Maybe! ^-^ (the header does change lots of things regarding layout and a bad header is most of what typically causes map 0xFE to freeze in Red/Blue - directly because of its size and script). However, for this method I show off encounters; sadly they can't be changed with this method but are interesting invalid ones regardless. Note map FA also has a header from C348; again this is what typically causes it to freeze (the other things for map FA and FE freezing being the music).
With this in mind, it's actually viable to manipulate (even w/o arbitrary code execution, but more difficult). Within battle (for this method ride the Bicycle with the Bicycle music playing prior), we can use a buffer overflow to print tiles+then update the screen copy to write a specific map header for map FE.
Then, we change to map FE with expanded inventory (TM54 in item 33); and run away to load our new map, based on the data you input. We'll want a map tileset that doesn't dismount u from Bicycle (03 here), as while inputting custom data; it's only one data structure for the map; unfortunately the music track and bank is from ROM+always plays audio with a glitch sound bank (07 of bank 15), so by riding Bicycle in advance the Bicycle music overrides it, and glitch sound command from bank 15 is never accessed.
We'll also want a map width height that isn't too large; in case that activates the map size buffer overflow glitches (unless it's part of your plan, say to set up walk through walls but extra preparation would be needed not to write certain values that cause freezes).
Next, we'll want grass or water to encounter Pokémon, but what loads the current map view is more complex than just the map header; for instance with valid maps it could be influenced by map exit IDs; meant so the game remember what building you walked out of etc. (also known as map indexes but I personally don't like the name as it could be confused with the ID of the map itself), or the data structure for Fly destinations. Here however, we're running away from battle and I'm unsure what's happening exactly, though D35F is 04C3 (current map view RAM C304) on arrival; as for how it works in terms of whether C304 is written to and to what I don't know either. Map width/map height is also going to be involved in how the blocks are arranged, and maybe the "map data" pointer which I haven't properly researched.
Another time maybe we can find out how to lay out the correct blocks as soon as we arrive, but for now I used a work around; to modify item 33 quantity and item 34 to alter D35F-D360, and coordinates as well beyond that if needed. For whatever reason, a modification to block pointer 5555 with y-coordinate CC is quite nice for this (and I'm unsure why but rather than being taken from map FE's bank 2F another bank is read, though I didn't check the debugger).
When you open the Start menu, it may corrupt the tileset for some reason to what may be a glitch one, so the game is in a weird half-state between the corrupted tileset and the tileset you fed the game with the map header.
Gently walk up and down a little, or move a bit left for what may be water (is it technically or just an illusion? not sure but running out of time for today). Upon entering the grass (or water?), you can find wild Pokémon such as Dragonite, Seadra, Jynx and MissingNo. ^-^. Make sure to change D35E to a normal map to escape/prevent a freeze unless you set up the buffer overflow glitch to write the correct data to CDCD again.
Requirements:
D34A (our Rival name; can be altered with expanded inventory) must read in bytes: (a non-freezing header - the example used in this video is 03 09 1E 22 22 01 01 99 01 34 - in particular, 9901 was chosen for the map script because 0199 points to a ret. 03 was chosen due to the tileset that doesn't disable the Bicycle. 091E was chosen because it's the dimensions of Route 15; a really big route but not too big - to prevent a hypothetical case where you accidentally load a map connection and it freezes or erases the encounters).
(The data structure thanks Hat is explained here skeetendo.proboards.com/thread/15/rgby-map-headers )
You need a Pokémon with TM03 as its first move. e.g. Aゥ G (0xD4) learns it at Level 55. You can get it with glitches like Rival LOL glitch (character 0xD4).
You'll need FA7E (hence, you probably can't do this glitch on Stadium) to read solely the 0x53 control character 21 times, followed by a terminator like 00. The easiest way without ACE is probably connection copier, though maybe you could set those bytes up.
Notes: This glitch is following my find that map FE has its header from CDCD in RAM; in the middle of the screen data copy. Can you customize it to your own town like I did previously with a different method? Maybe! ^-^ (the header does change lots of things regarding layout and a bad header is most of what typically causes map 0xFE to freeze in Red/Blue - directly because of its size and script). However, for this method I show off encounters; sadly they can't be changed with this method but are interesting invalid ones regardless. Note map FA also has a header from C348; again this is what typically causes it to freeze (the other things for map FA and FE freezing being the music).
With this in mind, it's actually viable to manipulate (even w/o arbitrary code execution, but more difficult). Within battle (for this method ride the Bicycle with the Bicycle music playing prior), we can use a buffer overflow to print tiles+then update the screen copy to write a specific map header for map FE.
Then, we change to map FE with expanded inventory (TM54 in item 33); and run away to load our new map, based on the data you input. We'll want a map tileset that doesn't dismount u from Bicycle (03 here), as while inputting custom data; it's only one data structure for the map; unfortunately the music track and bank is from ROM+always plays audio with a glitch sound bank (07 of bank 15), so by riding Bicycle in advance the Bicycle music overrides it, and glitch sound command from bank 15 is never accessed.
We'll also want a map width height that isn't too large; in case that activates the map size buffer overflow glitches (unless it's part of your plan, say to set up walk through walls but extra preparation would be needed not to write certain values that cause freezes).
Next, we'll want grass or water to encounter Pokémon, but what loads the current map view is more complex than just the map header; for instance with valid maps it could be influenced by map exit IDs; meant so the game remember what building you walked out of etc. (also known as map indexes but I personally don't like the name as it could be confused with the ID of the map itself), or the data structure for Fly destinations. Here however, we're running away from battle and I'm unsure what's happening exactly, though D35F is 04C3 (current map view RAM C304) on arrival; as for how it works in terms of whether C304 is written to and to what I don't know either. Map width/map height is also going to be involved in how the blocks are arranged, and maybe the "map data" pointer which I haven't properly researched.
Another time maybe we can find out how to lay out the correct blocks as soon as we arrive, but for now I used a work around; to modify item 33 quantity and item 34 to alter D35F-D360, and coordinates as well beyond that if needed. For whatever reason, a modification to block pointer 5555 with y-coordinate CC is quite nice for this (and I'm unsure why but rather than being taken from map FE's bank 2F another bank is read, though I didn't check the debugger).
When you open the Start menu, it may corrupt the tileset for some reason to what may be a glitch one, so the game is in a weird half-state between the corrupted tileset and the tileset you fed the game with the map header.
Gently walk up and down a little, or move a bit left for what may be water (is it technically or just an illusion? not sure but running out of time for today). Upon entering the grass (or water?), you can find wild Pokémon such as Dragonite, Seadra, Jynx and MissingNo. ^-^. Make sure to change D35E to a normal map to escape/prevent a freeze unless you set up the buffer overflow glitch to write the correct data to CDCD again.
Requirements:
D34A (our Rival name; can be altered with expanded inventory) must read in bytes: (a non-freezing header - the example used in this video is 03 09 1E 22 22 01 01 99 01 34 - in particular, 9901 was chosen for the map script because 0199 points to a ret. 03 was chosen due to the tileset that doesn't disable the Bicycle. 091E was chosen because it's the dimensions of Route 15; a really big route but not too big - to prevent a hypothetical case where you accidentally load a map connection and it freezes or erases the encounters).
(The data structure thanks Hat is explained here skeetendo.proboards.com/thread/15/rgby-map-headers )
You need a Pokémon with TM03 as its first move. e.g. Aゥ G (0xD4) learns it at Level 55. You can get it with glitches like Rival LOL glitch (character 0xD4).
You'll need FA7E (hence, you probably can't do this glitch on Stadium) to read solely the 0x53 control character 21 times, followed by a terminator like 00. The easiest way without ACE is probably connection copier, though maybe you could set those bytes up.
