Meta-map script activation refers to a set of glitches in Pokémon Red, Blue, and Yellow. These glitches modify the "meta-map script" associated with a certain map, which is a special map script used to execute code on particular maps (one byte for each map). An example of a meta-map script is the one that sets up the event in Pallet Town where Professor Oak stops the player from walking into the grass. It is disabled later by the game changing the ID of the meta-map script.
Unlike the temporary map scripts stored at D36E-D36F, meta-map scripts are usually permanent unless the script itself changes the meta-map script ID to a different value. They are also specific to each map, unlike the D36E-D36F address, which is a pointer to anywhere in the current ROM bank or in RAM. Therefore, if an invalid meta-map script causes a map (e.g. a route, a level of a cave) to become glitchy, the effect will persist even if the player leaves the map, or saves and resets the game.
Several variations of the Trainer escape glitch can modify the meta-map script in unintended ways at the location where the player escaped from the Trainer.
One of the most characteristic effects of meta-map script activation is the walking lag effect, also known as 0 ERROR, or Zero Error (due to an error code that appears in a text box when the player brings up the start menu). Apart from making the player wait a long time between steps (hence the name "walking lag") and the error code, glitchy sound effects and game freezes may also happen, depending on the player's coordinates and time spent on the map.
Certain invalid meta-map scripts also allow for arbitrary code execution.
The glitch can be pulled off by three variations of the Trainer escape glitch.
The first one involves setting up a "death-warp", returning to the original location to rematch the Trainer and defeating them without flashing the start menu.
The second one involves talking to an NPC on the original route while encounters are disabled and defeating them.
The third one involves forcing an encounter with an unbeaten Trainer on the original route through "text box matching". Text box matching forces the game to load the equivalent text box for the last text box in memory, and has that text box trigger a Trainer encounter.
The glitch map 0xFE in English Yellow will set up glitch scripts on various maps, many of which will freeze the game.
A glitch script may also be activated by manipulating items in the expanded stored items pack. This is possible with the dry underflow glitch with storage box items.
Example procedure (death-warp method)
- Encounter a Pokémon in the grass in the sight of the last Trainer in Viridian Forest (closest to Pewter City).
- Black out in the wild encounter (e.g. by poison). The "!" will appear but you will return to the last Pokémon Center without battling the Trainer.
- Return to Viridian Forest without opening the start menu (it is also best to avoid any text box to make sure the upcoming battle begins).
- The battle with the Bug Catcher will start. Defeat them and the glitch script activation will occur.
Example procedure (fighting a Trainer on an encounter-disabled route method)
More research is needed for this article.
Reason given: Can battles be lost to trigger the glitch still?
- Perform any method of Trainer escape glitch that deactivates your START menu.
- Go to any Pokémon PC, change boxes to save the game.
- Reset. Your START menu will be active.
- Go to the map where the Trainer escape glitch was activated. You should not get any encounter there.
- Fight any Trainer on the map. Since they can't notice you, you have to talk to them.
- Once the battle is finished, another battle may immediately start, with a glitched text box being displayed for a couple frames before being overwritten by the battle animation.
- Win all battles that may happen (up to 3 in a row have been reported to occur).
- Once the battles are over, the map will have the walking lag glitch activated.
Example procedure (text box matching method)
1. Go to Vermilion City.
2. Walk up to the route north of Vermilion.
3. From here, perform a Trainer-Fly glitch by flying away from the trainer in the upper left-hand corner of the route.
4. Choose to fly back to Vermilion City.
5. Walk to the route that is east of Vermilion.
6. Fight any trainer here. It does not matter who the player fights, as long as the trainer walks at least one step towards the player.
7. After the trainer battle, the player should go back to Vermilion and talk to the lady wandering about outside (her text box ID is 01).
8. The player should then walk up to the route north of Vermilion one last time and the player will battle the Trainer with a level 20 Squirtle (if the Trainer was unbeaten). The walking lag glitch will begin afterwards.
Manually setting up a glitch script
Setting up the dry underflow glitch with stored PC items allows the player to manipulate certain meta-map scripts by modifying the item past item 50.
For example, item 100's quantity controls the map script for Route 8 (address D601 in Red/Blue, D600 in Yellow). A quantity of 1 for this item will set up a Special-stat encounter (as if activating the Trainer escape glitch), while out-of-bounds values select the glitch scripts associated with this glitch.
Triggering mechanism with the Trainer escape glitch
With the Trainer escape glitch, a text box always pops up before the special encounter happens. That is usually the Start menu, either because the player has been in a non-glitched area with trainers, or because the player has flashed the Start menu beforehand. However, by viewing a text box in an area without trainers ("text box ID matching"), or by not viewing a text box at all (usually with the death-warp method), the text box that pops up can be something else. In particular, it may belong to a trainer.
A trainer's text box is special: It executes a script that behaves differently according to whether the trainer has been defeated, and whether the trainer saw the player. In particular, if the trainer hasn't been defeated, and bit 0 of $CD60 isn't set, then the text box itself is responsible for starting the fight and adjusting the meta-map script ID. Normally, the meta-map script ID would be 0 (CheckFightingMapTrainers), and the text box advances it by 2, so that it becomes 2 (EndTrainerBattle, which should be executed after the fight).
Of course, when the Trainer escape glitch is active, everything becomes a mess. First, the meta-map script ID is already 1 (DisplayEnemyTrainerTextAndStartBattle), so the text box sets it to 3 (usually already out of bounds). Furthermore, if this text box itself is displayed by the meta-map script, DisplayEnemyTrainerTextAndStartBattle, then the script will increase the meta-map script ID again to 4. All of this happens before the fight (which will always be against the trainer, since the text box sets the enemy data, overwriting any special stats/attack stages last encountered) actually begins.
What happens after the fight will depend on what the meta-map script ID 4 (or 3 if the trainer is talked to directly) points to. See below for some common examples of effects.
Concrete examples of the effects below can be found in the Blue any% run.
Repeated trainer fights
On most maps with meta-map scripts, what comes after the table of script pointers is a table of text pointers. In particular, the first few glitch meta-map scripts are likely to be trainer's texts.
As mentioned before, trainer's texts are all text scripts that may initiate the battle, and they follow the same pattern:
TX_ASM ; 08
ld hl, SomeTrainerHeaderAtXXYY ; 21 yy xx
call TalkToTrainer ; CD CC 31
jp TextScriptEnd ; C3 D7 24
Here TX_ASM is a byte of 0x08 that signifies a script embedded in text. When this pointer is executed as a meta-map script, the game tries to interpret the 0x08 itself as code instead, which leads to:
ld [$yy21], sp ; 08 21 yy
<xx> ; xx
call TalkToTrainer ; CD CC 31
jp TextScriptEnd ; C3 D7 24
Since trainer headers are on switchable ROM Banks, the high byte of the address of one of them (xx) is always between 0x40 and 0x7F, and those values happen to all correspond to relatively "safe" (i.e. not jumps) one-byte assembly instructions.
In the grand scheme of things, the most important instruction is calling TalkToTrainer, which takes hl as the address of the trainer header. In particular, if the instruction denoted as <xx> doesn't change hl, then hl will be the address of the glitch meta-map script itself. This leads to more nonsense interpretation for the same piece of data, this time as a trainer header.
db $08 ; bit of "trainer beaten" event flag
db $21 ; trainer's view range
dw $xxyy ; address of "trainer beaten" event flag
dw $CCCD ; pointer to text before battle
dw $C331 ; pointer to text when talked to after defeated
dw $24D7 ; pointer to text when defeated
Hence the game checks "bit 8 of $xxyy" (i.e. bit 0 of $xxyy+1) to see whether this "trainer" has been defeated. However, this is not bit 8 of the trainer header in question. The reason is that address $xxyy+1 is on the switchable portion of the ROM (on the bank of the map), but the function to manipulate flag arrays is on bank 3, so this actually checks $xxyy+1 on bank 3, which is some completely unrelated data. Anyway, if the flag value turns out to be 0, then another fight begins, and the meta-map script ID advances by 2.
Unlike the special stat encounter, on this code path, the trainer class and the roster number depend on the "last text box ID". In particular, if the meta-map script is reached by fighting a trainer, then the fight it triggers is still against the same trainer, since TalkToTrainer itself never changes this ID.
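The double misreading described above, as an added example (not code from the original page or from the disassembly): the same ten bytes of a trainer text script are fetched through an out-of-range script ID, decoded as machine code, and then parsed as a trainer header, with the flag test deciding between another fight and the walking lag case covered in the next section. The bank layout, the addresses $4010 and $5A3C and all function names are constructed for illustration; only opcodes in the 0x40-0x7F range are decoded for the stray byte.

```python
import struct

REGS = ["b", "c", "d", "e", "h", "l", "[hl]", "a"]
BANK_BASE = 0x4000  # start of the switchable ROM bank window

# Constructed bank fragment (all addresses invented): three script pointers,
# then the text pointer table, then one trainer text script at $4010 whose
# trainer header would live at $5A3C.
BANK = (struct.pack("<3H", 0x4100, 0x4120, 0x4140)   # script IDs 0-2
        + struct.pack("<2H", 0x4010, 0x4010)         # text pointers
        + bytes(6)                                   # padding up to $4010
        + bytes([0x08, 0x21, 0x3C, 0x5A, 0xCD, 0xCC, 0x31, 0xC3, 0xD7, 0x24]))

def script_bytes(script_id):
    """Unchecked table lookup: IDs 3 and 4 land in the text pointer table."""
    (ptr,) = struct.unpack_from("<H", BANK, 2 * script_id)
    start = ptr - BANK_BASE
    return ptr, BANK[start:start + 10]

def decode_ld_block(op):
    """Decode an opcode in 0x40-0x7F; returns (mnemonic, may_change_hl)."""
    if not 0x40 <= op <= 0x7F:
        raise ValueError("not a switchable-bank high byte")
    if op == 0x76:
        return "halt", False
    dst, src = REGS[(op >> 3) & 7], REGS[op & 7]
    return f"ld {dst}, {src}", dst in ("h", "l") and dst != src

def as_code(blob):
    """Glitch reading: execution starts on the 0x08 marker itself."""
    if len(blob) < 10 or blob[0] != 0x08 or blob[4] != 0xCD or blob[7] != 0xC3:
        raise ValueError("not the trainer text pattern from the page")
    (sp_dest,) = struct.unpack_from("<H", blob, 1)   # 08 lo hi: ld [a16], sp
    stray, hl_risk = decode_ld_block(blob[3])        # the <xx> byte
    (call,) = struct.unpack_from("<H", blob, 5)
    (jump,) = struct.unpack_from("<H", blob, 8)
    return [f"ld [${sp_dest:04X}], sp", stray,
            f"call ${call:04X}", f"jp ${jump:04X}"], hl_risk

def as_trainer_header(blob):
    """Second misreading: TalkToTrainer treats the same bytes as a header."""
    bit, view, base, before, after, lost = struct.unpack_from("<BBHHHH", blob)
    return {"flag_addr": base + bit // 8, "flag_mask": 1 << (bit % 8),
            "view_range": view, "text_before": before,
            "text_after": after, "text_defeated": lost}

def run_glitch_script(script_id, bank3_byte):
    """Outcome for one dispatch, given the byte bank 3 holds at flag_addr."""
    _, blob = script_bytes(script_id)
    _, hl_risk = as_code(blob)
    if hl_risk:
        return "hl changed", script_id      # outside what the page describes
    header = as_trainer_header(blob)
    if bank3_byte & header["flag_mask"]:
        return "walking lag", script_id     # text at text_after, every frame
    return "another fight", script_id + 2

if __name__ == "__main__":
    ptr, blob = script_bytes(4)
    print(f"ID 4 -> ${ptr:04X}:", as_code(blob)[0])
    print(as_trainer_header(blob))
    print(run_glitch_script(4, 0x00), run_glitch_script(4, 0x01))
```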
"Walking lag" effect
In the above case, the "trainer defeated" flag is some unrelated data, so another possibility is that it is 1 ("already defeated"). In this case, the script just displays the "text when talked to after defeated". However, since this is a piece of glitch text on a glitched code path, instead of a text box, glitches happen.
- When actually talking to a trainer, the text script is executed through DisplayTextID, which sets up a lot of things to transition from "overworld mode" to "text box mode". The glitch meta-map script directly executes TalkToTrainer without setting up all that, which means any text is printed on an invisible screen buffer, and cannot be seen normally.
- The text can be seen by bringing up the Start menu, but due to the "lag" effect explained below, it may be necessary to mash the Start button.
- However, the game will still try to hide any sprites behind the text box, which leads to sprites near the bottom of the screen disappearing for no apparent reason.
- The "text" is taken from $C331, which is actually the second byte of the fourth sprite in the OAM buffer.
- If there have never been at least four sprites on the screen since the last fight (exiting a fight clears OAM), then the address will begin with two bytes of 0x00. The first 0x00 is interpreted as a text command to display what follows as a text string, and the second 0x00 is interpreted as a control character, which triggers an error trap, printing "%d ERROR." and ending the text display. Here "%d" is a temporary variable in HRAM that is supposed to be the ID of the current text displayed by DisplayTextID, but since we didn't come from that code path, it is usually the ID of the last text displayed.
- If there have been more than four sprites on the screen, then the address may contain several glitch text commands. Since glitch text commands are usually interpreted as sounds, glitchy sounds will play.
- Since DisplayTextID usually takes care of the last button press to close a text box, this glitch text box will close without an input.
- The above process happens on every overworld frame as long as the player isn't in the middle of a step. Since displaying text takes time (depending on the player's text speed option), the player will only be able to move or interact in-between those invisible glitch text boxes, resulting in an apparent "walking lag".
- Finally, in this case, the above-mentioned instruction "ld [$yy21], sp" may also show an effect. The effect depends on the value of yy, which in turn depends on the map and the script ID. For example, if $yy21 is in the OAM buffer, then the top left quarter of some sprite on the screen may be flickering.
Under this state, trainers won't see the player (because that is handled by the normal meta-map script), but the player can still talk to trainers to initiate a fight, which will advance the meta-map script ID by 2.
Map 0xFE corruption
After the player enters map 0xFE without a freeze using a safe level-script pointer for DC0E, they will be warped to map 0x99 (a house in Fuchsia City).
After using the expanded items pack to escape this map (as the exit by default will link back to the house), the player will be able to access maps with invalid meta-map scripts.
Fixing the glitch
More research is needed for this article.
Reason given: Add methods with details for each map
The glitch comes from the game advancing the map script ID but triggering more battles due to reading invalid flags, and not setting the ID back to 0 (the intended way), or from a glitch with the side effect of corrupting the map script.
Using the item PC expanded items pack or arbitrary code execution allows fixing the glitch, but the method depends on the map the glitch was triggered on.
List of meta-map script addresses
These are the maps that support meta-map scripts, listed with the addresses that store the ID (one byte, 256 values) of the meta-map script.
(Thanks to the Pokémon Red disassembly for these addresses)
- W_OAKSLABCURSCRIPT:: ; d5f0
- W_PALLETTOWNCURSCRIPT:: ; d5f1
- W_BLUESHOUSECURSCRIPT:: ; d5f3
- W_VIRIDIANCITYCURSCRIPT:: ; d5f4
- W_PEWTERCITYCURSCRIPT:: ; d5f7
- W_ROUTE3CURSCRIPT:: ; d5f8
- W_ROUTE4CURSCRIPT:: ; d5f9
- W_VIRIDIANGYMCURSCRIPT:: ; d5fb
- W_PEWTERGYMCURSCRIPT:: ; d5fc
- W_CERULEANGYMCURSCRIPT:: ; d5fd
- W_VERMILIONGYMCURSCRIPT:: ; d5fe
- W_CELADONGYMCURSCRIPT:: ; d5ff
- W_ROUTE6CURSCRIPT:: ; d600
- W_ROUTE8CURSCRIPT:: ; d601
- W_ROUTE24CURSCRIPT:: ; d602
- W_ROUTE25CURSCRIPT:: ; d603
- W_ROUTE9CURSCRIPT:: ; d604
- W_ROUTE10CURSCRIPT:: ; d605
- W_MTMOON1CURSCRIPT:: ; d606
- W_MTMOON3CURSCRIPT:: ; d607
- W_SSANNE8CURSCRIPT:: ; d608
- W_SSANNE9CURSCRIPT:: ; d609
- W_ROUTE22CURSCRIPT:: ; d60a
- W_REDSHOUSE2CURSCRIPT:: ; d60c
- W_VIRIDIANMARKETCURSCRIPT:: ; d60d
- W_ROUTE22GATECURSCRIPT:: ; d60e
- W_CERULEANCITYCURSCRIPT:: ; d60f
- W_SSANNE5CURSCRIPT:: ; d617
- W_VIRIDIANFORESTCURSCRIPT:: ; d618
- W_MUSEUM1FCURSCRIPT:: ; d619
- W_ROUTE13CURSCRIPT:: ; d61a
- W_ROUTE14CURSCRIPT:: ; d61b
- W_ROUTE17CURSCRIPT:: ; d61c
- W_ROUTE19CURSCRIPT:: ; d61d
- W_ROUTE21CURSCRIPT:: ; d61e
- W_SAFARIZONEENTRANCECURSCRIPT:: ; d61f
- W_ROCKTUNNEL2CURSCRIPT:: ; d620
- W_ROCKTUNNEL1CURSCRIPT:: ; d621
- W_ROUTE11CURSCRIPT:: ; d623
- W_ROUTE12CURSCRIPT:: ; d624
- W_ROUTE15CURSCRIPT:: ; d625
- W_ROUTE16CURSCRIPT:: ; d626
- W_ROUTE18CURSCRIPT:: ; d627
- W_ROUTE20CURSCRIPT:: ; d628
- W_SSANNE10CURSCRIPT:: ; d629
- W_VERMILIONCITYCURSCRIPT:: ; d62a
- W_POKEMONTOWER2CURSCRIPT:: ; d62b
- W_POKEMONTOWER3CURSCRIPT:: ; d62c
- W_POKEMONTOWER4CURSCRIPT:: ; d62d
- W_POKEMONTOWER5CURSCRIPT:: ; d62e
- W_POKEMONTOWER6CURSCRIPT:: ; d62f
- W_POKEMONTOWER7CURSCRIPT:: ; d630
- W_ROCKETHIDEOUT1CURSCRIPT:: ; d631
- W_ROCKETHIDEOUT2CURSCRIPT:: ; d632
- W_ROCKETHIDEOUT3CURSCRIPT:: ; d633
- W_ROCKETHIDEOUT4CURSCRIPT:: ; d634
- W_ROUTE6GATECURSCRIPT:: ; d636
- W_ROUTE8GATECURSCRIPT:: ; d637
- W_CINNABARISLANDCURSCRIPT:: ; d639
- W_MANSION1CURSCRIPT:: ; d63a
- W_MANSION2CURSCRIPT:: ; d63c
- W_MANSION3CURSCRIPT:: ; d63d
- W_MANSION4CURSCRIPT:: ; d63e
- W_VICTORYROAD2CURSCRIPT:: ; d63f
- W_VICTORYROAD3CURSCRIPT:: ; d640
- W_FIGHTINGDOJOCURSCRIPT:: ; d642
- W_SILPHCO2CURSCRIPT:: ; d643
- W_SILPHCO3CURSCRIPT:: ; d644
- W_SILPHCO4CURSCRIPT:: ; d645
- W_SILPHCO5CURSCRIPT:: ; d646
- W_SILPHCO6CURSCRIPT:: ; d647
- W_SILPHCO7CURSCRIPT:: ; d648
- W_SILPHCO8CURSCRIPT:: ; d649
- W_SILPHCO9CURSCRIPT:: ; d64a
- W_HALLOFFAMEROOMCURSCRIPT:: ; d64b
- W_GARYCURSCRIPT:: ; d64c
- W_LORELEICURSCRIPT:: ; d64d
- W_BRUNOCURSCRIPT:: ; d64e
- W_AGATHACURSCRIPT:: ; d64f
- W_UNKNOWNDUNGEON3CURSCRIPT:: ; d650
- W_VICTORYROAD1CURSCRIPT:: ; d651
- W_LANCECURSCRIPT:: ; d653
- W_SILPHCO10CURSCRIPT:: ; d658
- W_SILPHCO11CURSCRIPT:: ; d659
- W_FUCHSIAGYMCURSCRIPT:: ; d65b
- W_SAFFRONGYMCURSCRIPT:: ; d65c
- W_CINNABARGYMCURSCRIPT:: ; d65e
- W_CELADONGAMECORNERCURSCRIPT:: ; d65f
- W_ROUTE16GATECURSCRIPT:: ; d660
- W_BILLSHOUSECURSCRIPT:: ; d661
- W_ROUTE5GATECURSCRIPT:: ; d662
- W_POWERPLANTCURSCRIPT:: ; d663
- W_ROUTE7GATECURSCRIPT:: ; d663
- W_SSANNE2CURSCRIPT:: ; d665
- W_SEAFOAMISLANDS4CURSCRIPT:: ; d666
- W_ROUTE23CURSCRIPT:: ; d667
- W_SEAFOAMISLANDS5CURSCRIPT:: ; d668
- W_ROUTE18GATECURSCRIPT:: ; d669