Edit: A very detailed breakdown was posted below that describes some of the internals of this.
On a whim I decided to pick up FE8 again after a solid decade+ of the cartridge sitting in my closet as I have a friend who is interested in doing a playthrough. Way back when I had last played (late 2000’s/early 2010’s), the enemy control glitch was already pretty well known, but there were a bunch of other claims on various forums that were never proven. For example:
- “You can do enemy control without a PWASE; it is just frame perfect and difficult to do.”
- “There is a method to do it with Phantoms instead of a PWASE.”
- “You can perform the glitch on the last chapter to grab Wretched Air and Naglfar.”
Back in the day I wrote all of these off as people trying to get attention, so imagine my surprise a year or two ago when I stumbled across a YouTube video that described how the top-left tile of a map could be converted into a PWASE if some other tile is changed.
This was pretty wild to me to see one of these childhood rumors come to life, and it got me thinking: what is actually going on under the hood? And more importantly, were the other rumors actually true as well? Perhaps there was some other roundabout way to recreate the same set of circumstances to corrupt turn order - how would that work? Given how much time had elapsed, I figured this would already be science’d to death and back, however I haven’t found a deep dive into the assembly that explains why this happens.
For fun I grabbed FEBuilder and an emulator to see if I could diagnose this myself, but then I realized it is probably better not to reinvent the wheel; I am sure there are others who could help move me from “blind research” to “hey look at these specific functions”. So with that in mind…does anyone know what is going on from a hardware perspective?
This is the obvious stuff. You can perform the enemy control glitch reliably if you:
- Have an enemy stand on a PWASE.
- Have the enemy attack you from that tile.
- Soft/hard reset the game right as their sprite changes from active to greyed out.
- When re-entering the game, control is passed back to the player, despite being the wrong team.
Given that this works on a hard reset, and you can remove the cartridge from the GBA entirely (glitch remains across power cycles), the corruption is entirely contained to the cartridge itself and must be stored in persistent Flash ROM or EEPROM at address 0x0EXXXXXX (cartridge memory). Unfortunately, the Memory Viewer of Virtual Boy only goes to 0x09XXXXXX, so I haven’t found a convenient way to view it yet.
Unconfirmed/speculation on my part: I have heard from others that the reason this occurs is because FE8 has a slightly different way of handling maps with “traps”. When figuring out what to do next, it creates an array of pointers to various functions and then steps through that array, executing each function in order. If this is true, then I assume that the very last pointer in that array is aimed at the “return control to enemy” function, and by resetting the game we are interrupting the execution control before it has a chance to run everything in that list, so upon loading back into the game it defaults to player control.
Another option for us is simply: “Can we find some other way to create a very long to-do list for the game to work on, so that there is more time to interrupt the turn order?”
This all sounds good in theory, but I have no proof. But if this is true: is there another way we can corrupt/bypass that array? What mechanic is changing the top-left tile into a PWASE? Can we turn other tiles into a PWASE?
For example, there is a ROM patch that fixes the enemy control glitch by editing memory address 0x377A0 from value 0x0320 to 0x07E0. (For some reason I can’t link to the thread.) What does that address have to do with this process, and what do these specific values “fix”?
Any pointers (hah) would be greatly appreciated.