Read the blog post on [my blog](https://xcellerator.github.io/posts/tetsuji/) for a full write up of how this works.
Just wanna see it do the thing?
0. You might need to install `colorama` and `hexdump` with pip
1. Obtain a copy of the Japanese version of Pokemon Crystal (sha1sum `95127b901bbce2407daf43cce9f45d4c27ef635d`)
2. Using the [BGB emulator](https://bgb.bircd.org/), start the link cable listener (in the right-click menu) on the default port (8765)
3. Run the `mobile_adapter.py` script
4. Reset the game and you'll see the Mobile Adapter GB logo
5. In the game, go to a Pokemon Center and talk to the lady upstairs. Spam A through the menus, eventually she'll let you through to the next room
6. At the computer, you'll be asked for a phone number, enter anything you like
7. You'll see a (slow) animation of Pichu as the game connects and the messages are shuffled back and forth.
8. Eventually the game will [freeze with a single `3`](https://tmpout.sh/bggp/3/) in the top-left corner.
If you want to change the exploit's payload to something else, it's the `print_me` variable in `crystal.py`.
Many thanks to Háčky's original [writeup](https://archives.glitchcity.info/forums/board-76/thread-7509/page-0.html) for the great head start and Yuu for the original inspiration.
### Files
| Filename | Purpose |
| :-: | :-: |
| `mobile_adapter.py` | Main script for handling the communication as the Moble Adapter GB. Based on Háčky's original |
| `config.bin` | Config file for the Mobile Adapter GB. Can be deleted and recreated using the Mobile Trainer GB ROM |
| `crystal.py` | Handles the Battle Protocol in Pokemon Crystal. Injects the exploit and payload into the communication |
| `logger.py` | Logging I like to use |
| `pkm.py` | Handles some of the binary blobs that get shuffled around by Crystal |
| `pkm_list.py` | List of Pokemon and Moves as indexed in Pokemon Crystal |
| `email.txt` | Email that will be "received" over POP3 via any Mobile Adapter GB application. Contains a corrupted Ekans |
| `geodude_email.txt` | Similar to `email.txt` but contains a valid Geodude. Rename this to `email.txt` and be sure to ask for a Geodude |
| `index.html` | Simple webpage that will be loaded by the Mobile Trainer GB ROM, homepage is `/01/CGB-B9AJ/index.html` |
### Proof
Here's a gif of the exploit running and the log from `mobile_adapter.py`:
