R i n s !
Posted on 21/8/2015, 18:41

QUOTE (SafetyUser @ 21/8/2015, 13:09)

Pokémon Communication Center SRAM glitch (Japanese Crystal)
Read description for more information:
This glitch may be familiar to players of the poorly translated version of Pokémon Crystal called "Pokémon Vietnamese Crystal".

In Japanese Pokémon Crystal, the game reads offset $A800 of the save file in order to execute a script in Goldenrod City's Pokémon Communications Center (PokéCom Center).

According to Hacky from the Glitch City Laboratories forums, the script values are supposed to range from 00-05. However, what the scripts are for is unknown.

If the script is 02 or 03, the game sets it back to 01 upon entering the PokéCom Center. If it is 05, then the game will bring up a glitched trade screen. This is (without further knowledge) perhaps related to the mobile trade sequence.

When the player performs their first save, or if save data is cleared via Up+Select+B, the $A800 script is set to $00 as intended. However, if the player is yet to perform a save or reset their data, the $A800 value may not be $00.

In the emulator BGB, initial SRAM values are randomized if there is no save file. In the emulator Bizhawk, there is no randomness and the initial SRAM value for $A800 is set to $FF.

If the player plays through Japanese Pokémon Crystal up to walking into the Pokémon Communication Center without saving the game, then they will be able to execute an invalid $A800 script, such as $FF.

Additionally, if you have a Japanese Pokémon Crystal cartridge with a dead battery, then the glitch may occur there. I tried the glitch with mine, and may have got the $FF glitch script due to the button lock-up effect.

Whether it is possible to get glitch scripts other than $FF on real hardware without arbitrary code execution is unknown.

Details about the $FF script (shown in this video):

Script $FF executes arbitrary code from $C2DD in RAM.

In my run up to Goldenrod City, entering the Poké Communication Center with this glitch script resulted in a lock-up, where the player cannot move around in the building and NPCs do not move.

I do not understand the contents of the $C2DD region, though the area following it can be manipulated by opening the Pokégear or the Pokémon menu just before entering the Pokémon Communication Center.

Manipulating the effect:

1) After opening the Pokégear just before entering the building, I got an infinite loop of the message "おまたせ しました! こうかんの あいでが みつかっていた ようです あなたの あたらしい なかまです かわいがって あげて くださいね それでは またの ごりようを おまち しております!" - in the Pokémon Crystal text dump, the official translation is "Thank you for your patience. A trade partner has been found. It's your new partner. Please take care of it with love. We hope to see you again." (http://iimarck.us/dumps/dcrystal.txt)
2) Opening the Pokémon menu and closing it let me walk in the Poké Communications Center without visible glitches. I had a Croconaw and Egg in that order.
3) Switching the Egg as the first Pokémon and entering the Poké Communication Center would cause the game to reset and bring up the DMG (regular Game Boy) incompatibility message.

According to Hacky, there is a related function (unused in the English version) in the English Crystal disassembly, which is Function1709bb in misc/mobile_45.asm and the English version of the function checks the value at $A800 and resets it to 0 if it’s invalid, averting the crash.

Thank you to Hacky for finding the responsible SRAM offset and script $FF's execution pointer. Special thanks to SatoMew2 and Leeroy2304.


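The unchecked-index bug the quoted description attributes to the Japanese build, and the reset-to-zero check it attributes to the English version's Function1709bb, modelled as an added C example (this is not code from the game's disassembly or from the poster). Only the $A800 offset and the 00-05 range come from the post; the handler table, the SRAM window size and the fill patterns are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the PokeCom Center script dispatch from the post.
 * From the post: the script byte lives at SRAM $A800 and valid ids are 00-05.
 * Assumed: the handler table below, the SRAM window size, and the fill patterns. */
#define SRAM_BASE    0xA000u
#define SRAM_SIZE    0x2000u
#define SCRIPT_ADDR  0xA800u
#define NUM_SCRIPTS  6u   /* ids 0..5 */

typedef int (*script_fn)(void);
static int script_stub(void) { return 0; }
/* Placeholder handlers: the post says what the scripts do is unknown. */
static const script_fn script_table[NUM_SCRIPTS] = {
    script_stub, script_stub, script_stub, script_stub, script_stub, script_stub
};

/* Unsaved cartridge: fill SRAM with a pattern (0xFF mimics Bizhawk; BGB is random). */
void sram_init_unsaved(uint8_t *sram, uint8_t pattern) { memset(sram, pattern, SRAM_SIZE); }

/* Unchecked dispatch, as the Japanese build is described: the raw SRAM byte is the
 * table index. Reading past the table is undefined behaviour in C (on the Game Boy it
 * reads whatever follows, which is how $FF ends up at $C2DD), so this function only
 * reports whether the index would escape the table instead of dereferencing it. */
bool script_index_in_bounds(const uint8_t *sram) {
    return sram[SCRIPT_ADDR - SRAM_BASE] < NUM_SCRIPTS;
}

/* Checked entry, modelled on the English-version behaviour the post describes:
 * an out-of-range id is reset to 0 before use, and 02/03 are set back to 01.
 * Returns the id that is actually dispatched. */
uint8_t pokecom_enter_checked(uint8_t *sram) {
    uint8_t *slot = &sram[SCRIPT_ADDR - SRAM_BASE];
    if (*slot >= NUM_SCRIPTS) *slot = 0;        /* the check that averts the crash */
    if (*slot == 2 || *slot == 3) *slot = 1;     /* reset rule from the post */
    script_table[*slot]();                       /* provably in bounds now */
    return *slot;
}

/* The scenario in the post: never-saved cartridge, then walk into the building. */
bool unsaved_cart_in_bounds(uint8_t pattern) {
    uint8_t sram[SRAM_SIZE];
    sram_init_unsaved(sram, pattern);
    return script_index_in_bounds(sram);
}
uint8_t unsaved_cart_enter(uint8_t pattern) {
    uint8_t sram[SRAM_SIZE];
    sram_init_unsaved(sram, pattern);
    return pokecom_enter_checked(sram);
}
```

With a Bizhawk-style 0xFF fill the unchecked path indexes far past the six-entry table, while the checked entry reduces the same byte to script 0.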