Arbitrary Code Execution in Pokemon Stadium (first ever N64 ACE!) MrCheeze 2017-01-21 | The above footage is from an unmodified copy of Pokemon Stadium. Instead, the effects are triggered by glitching the save file of a Game Boy game in the Transfer Pak, so that there are more than 20 Pokemon in the last PC box. This causes a buffer overflow in Stadium's trade system.For more of the technical details, see my notes here:github.com/MrCheeze/pokestadium-aceNote that because the trade system is used, doing this on a real console requires two controllers, each with a Transfer Pak and a first-generation Pokemon game. Only the second game's save file needs to be glitched, however.
Ocarina of Time 3D - Grotto SRM (proof of concept) MrCheeze 2024-09-22 | For a few years now, Ocarina of Time, Majora's Mask, and Majora's Mask 3D have been upended by the discovery of SRM. But OoT3D was the odd one out, because although SRM was possible, no one was ever able to achieve any useful effect with it.This demo, doesn't quite change that, because we still don't have any setup to warp somewhere RTA at all, let alone somewhere useful. But it does show that warping places is in fact possible in this game.Shoutouts to @gamestabled and @exodus122 who did the actual theory for this stuff a while back. I just found the heap. Also to @lotusspacia548 for testing this stuff for ages and showing off the method of SRM used here.Anyway, some notes, first on the heap manip:* Spawn at the bottom end of the river as child. The owl should not be present. Surprisingly, it does not matter for the heap which bomb rocks you have or haven't broken.* The load plane between the two zora river rooms is on the bridge. I'm not sure about this, but I think the state of the heap may vary slightly depending on which way the camera is pointed when you cross the load plane (like it does for kokiri SRM in oot64). In any case, we toss the cucco to the upper room, then enter the room while holding a bombchu. We then continue upwards towards the cluster of butterflies over the music staff, so that those butterflies spawn BEFORE our chu explodes.* Cucco attack SRM is super easy. The one tricky thing is that you need to not to actually get hurt by a cucco, which will make you drop your hands.* We want the attack cuccos to have despawned before we cross the bridge back to the lower room. Conversely, we do NOT want the butterflies from the butterfly spawner to have despawned.Once you actually cross the bridge back to the lower room, your position immediately becomes very important. Specifically, the X and Y position of your hands are written into the z rotation and parameters of the grotto (which determine where it warps you), and the Y position is also written into a variable called "objBankIndex", which is important only in that it will unfortunately cause the grotto to despawn if it ever has a value outside the range 0x00-0x10 for even a single frame. So, in order to get a useful grotto SRM, you must ensure the following:* Let's say your hand Y position float is 0xZZAABZZZ. To avoid deleting the grotto, AA must be in the range 00-10 during _every_ frame between when you cross the load plane and when you drop the actor. That's why I jump off the bridge and cross the loading plane while I'm falling - the position on the bridge kills the grotto, but the position right above the water surface is fine.* In order for the grotto to actually warp you somewhere useful (i.e. not one of the normal grottos), B must equal 0 or 8 on the frame you drop the held actor.* Now say your hand X position float is 0xZZZZCCCC. Assuming the previous requirements were met, the game will look up grotto array index (CCCC+1) in this table that gameestabled made, and take the corresponding entrance as the destination that the grotto takes you to: docs.google.com/spreadsheets/d/1QDMRT2lbHX80KOqD_51m7QC-dtmSergn8kLWXOxNFiU/edit?gid=1700996634#gid=1700996634Let's make it more concrete. In this demo, I fall in the water and drop my hands with an X position of 0x453E1C9F and a Y position of 0x44000D5E. This means that AA=00, which is a safe value (and it was also some safe value on the preceding frames). So the grotto doesn't despawn. B=0, so the grotto is capable of taking us somewhere other than a grotto. And CCCC=1C9F, so the grotto looks up index 1CA0 in the table, which says that that index takes us to entrance 0224. And according to wiki.cloudmodding.com/oot/Entrance_Table_(Data) , entrance 0224 as child at night takes us to Zora's Fountain from Zora's Domain, which is exactly what happens! So we can accurately predict the warp for a given position.By the way, the position of link's hands depends on the exact frame he is on within his breathing animation. I sure hope it's possible to work around these difficulties and make an RTA-viable setup to warp somewhere useful with this - or even better, to a manipulable variable glitched entrance - but it is far from guaranteed that this can be done.
Ocarina of Time Glitch - Prevent Dark Link from ever attacking MrCheeze 2024-08-05 | Dark Link is implemented in a radically different way from every other enemy in the game. His AI literally generates virtual controller inputs, and then feeds them to the same code the game uses to control the real Link. (There's some extra behaviour added, but that's the basic idea.) This can lead to bugs, because code can run that was only ever intended for the real Link.Dark Link is coded to hold the Z button to target Link under most circumstances, but to let go of the button if he is more than 610 units away.Whenever you jumpslash, Dark Link is coded to press A and move backwards, in order to backflip.The bug in the above is this: If you jumpslash when Dark Link is far away, he will press A intending to backflip. But since he is not holding Z, he will instead do the default action for the A button - putting away your sword. Once he has done this, he is _permanently_ stuck unable to use the sword for the rest of the battle. This can easily be done by luring him to one corner of the map, and then running to the other corner and jumpslashing.This seems to have been discovered by @petrie911 as part of the Ocarina of Time decompilation project: github.com/zeldaret/oot/blob/6c4935dc184122d395e1f546ec35573c4d2d3d96/src/overlays/actors/ovl_En_Torch2/z_en_torch2.c#L625
Ocarina of Time - Wrong Warp to Any Scene (without SRM) MrCheeze 2024-02-05 | This is a discovery that builds on the same dynapoly overflow glitch that lets you wrong warp to collapse ("Ganonfloor"): youtube.com/watch?v=oAIJbdmqd_0The basic idea of dynapoly overflow is that if we load too many actors that have solid collision at once, the data for that collison will overflow its buffer and end up corrupting the scene's collision data. This most significantly can be used to generate collision that acts as a loading zone.Every scene in the game has a list of exactly 31 exit values that can theoretically be triggered by such a loading zone. One of the entrance values reachable in Dodongo's Cavern, glitched entrance 1E00, has a very interesting behaviour in the GameCube versions of the game. On those versions, if you are currently child link and it is nighttime, then the scene that this entrance value takes you to is determined by the volume of the "enemy nearby" music that has played most recently. This value can be manipulated to warp you to any scene in the game!(It will always warp to the first spawn in the scene, though. In that respect, this is a weaker glitched entrance than the one that can be achieved with SRM.)This is exciting stuff, but it turns out generating a polygon that takes you to entrance 1E00 is a bit tricky. The game actually looks in a certain framebuffer for polygon data, which in the GC versions is filled in every time you pause. So we actually have to pause while certain exact pixel values are on the screen in order to construct a reachable floor polygon that acts as a loading zone to that entrance. In fact, there are two framebuffers, and each pause only has a 50% chance of of filling in the correct buffer, so we have to pause several times to be sure.This was (as usual) researched in collaboration with natalyahasdied, and builds greatly on the analysis of how the original Ganonfloor works by cadmic and others.And now, the play by play:00:00 As mentioned, we must be playing on a GameCube version of the game. The setup shown here should work as-is on Japanese and US versions of the vanilla game, from the Master Quest or Collector's Edition discs. Significantly more work would be needed to get it working in Master Quest itself. It will never work on non-GameCube versions, as entrance 1E00 does not have a dynamic destination on those versions.00:10 Enter DC as child at night. (There are no dynamic entrances that seem to be reachable as adult or during the day.)01:00 A setup to set the enemy music volume value to 4F (which corresponds to the scene ID for Ganon), using the business scrub. Note that it stops updating entirely when there is no longer a hostile enemy nearby. Also, some enemies such as Beamos don't update the value. (But Tektites, Keese, and Baby Dodongos all do - so they can theoretically be used to setup the enemy volume with less of a detour.)1:30 I hack myself to the far side of the load plane because I don't know how to do the glitch that gets you there. Being on the far side is what allows for duping rooms, and therefore what allows for overflowing the dynapolys.1:40 Dupe the main room three times to trigger the overflow we need. Once the corruption has happened, it remains, even if we unload the duped rooms.1:50 Unload all the copies of the main room, for no reason other than to fix the textures. We need them to be normal for the upcoming framebuffer manipulation. But don't go so far in the Baby Dodongo room as to spawn them, or they will change the enemy music volume.1:55 In order to get some exact pixel values into the frame buffer, we need an exact position. Here I do an easy setup for a Z position of -285.68. (There is a wiggle room of about 0.1 on this value, but I don't know the exact range.)2:20 Line up against the bombwall for an X position of 806.0, then ESS turn to angle EAE8.2:45 Holding Z (actually L) at this position and angle, and then waiting for the camera to fully settle, gives us precisely the pixel values we need. Pause to have a 50% chance of putting those pixel values in the correct framebuffer. Here, it worked on the first try, but I paused a few more times anyway for demonstration.3:00 We can't actually walk around the Beamos, the floor has been corrupted and we would just fall through it. But we can sidehop past him (or blow him up and jump).3:05 To actually trigger the loading zone, jump towards the pillar. (There are other nearby spots where it can be triggered as well). The loading zone doesn't work while the pillars are still, so I made sure they're moving before jumping. (EDIT: This happens because one of its vertices of the lz comes from the particles spawned as the pillars move!)3:10 I show one possible destination, which is Ganon (skipping the collapse cutscene). But, note that the glitched entrance is chainable! You can warp to arbitrary scene A, then setup a new enemy music volume, then die to warp again to scene B, and so on! Many possible applications for this...
Wo ist Kazooie? dubbed to English with AI MrCheeze 2023-10-14 | with AI captions for a bonus layer of AI jank(yes, the song really does just stop like that)
1 2 Haferbrei (1 2 Oatmeal) dubbed to English with AI MrCheeze 2023-10-13 | this is what technology was made for
DRAW MONSTA CARDO dubbed from Japanese to English with AI MrCheeze 2023-10-10 | elevenlabs.io/dubbing is pretty funny stuffsource video is youtube.com/watch?v=ROCevLH6PGQ
Super Mario Bros. in 35 seconds, via Hayauchi Super Igo Cartridge Swap! MrCheeze 2023-08-28 | For years, it has been known that by booting up SMB1, cartridge swapping to Tennis, and then cartridge swapping back, you can access 256 different worlds (most of them glitched).A couple weeks ago, I showed that this cartridge swap is also possible using Legend of Zelda, although it only gives you access to 1 glitch world: youtube.com/watch?v=Ie_gyHG8hAUToday, I searched again through the NES library to see if I could find a game that gives you access to a large number of glitched worlds like Tennis, but with more control over what world you end up in. It turns out, there is one! The Japanese-only Go game "Hayauchi Super Igo" happens to store the game options in the same place that SMB1 stores the continue world. If you start up SMB1, cartridge swap to Super Igo, specify the world number you want, start the game, soft reset Super Igo (important!), cartridge swap back to SMB1, and then press A+Start to continue, then you can play whatever glitched world you want!Well, more accurately, you seem to only be able to access 128 out of 256 worlds, because the options seem to correspond to the following bits in the world number.1. Board Size: 0x80, if 13x132. Player Count: 0x20, if two-player3. Unknown: 0x10, if the right option selected4. Unknown: 0x08, if the left option selected5. numbers 2-9: 0x00-0x07, depending on the option chosen6. 60/30/20: does not do anythingSo, there unfortunately does not seem to be any way to set bit 0x40 in the world number. Still, if you specifically want to visit one of the other 128 worlds, this is the easiest way to do it!(As for the video itself, it's a funny example of what you can do with this. Note that reaching the axe in ANY world except for worlds 1-7 will set the "game clear" flag, however only world 8 will give you the "your quest is over" text).
Unlocking Super Mario Bros world select and a glitch world, using Legend of Zelda! MrCheeze 2023-08-12 | There's a famous trick on the NES where you can access glitch worlds in SMB1 by booting up Mario, quickly swapping cartridges to NES Tennis and playing for a few seconds, and then swapping back to Mario again. The reason this works is explained in this excellent Retro Game Mechanics Explained video: youtube.com/watch?v=hrFHNgJlJSgIn short, SMB1 checks certain memory locations on startup. If it sees certain values that are normally present during SMB1 gameplay ($07D7-$07DC all less than 0A, and $07FF=A5), then it assumes that you just pressed the reset button (or got a game over/beat the game), instead of cold booting. If so, it then looks at two other memory addresses, and unlocks certain features based on their values:- If $07FC is nonzero then world select is unlocked (PUSH BUTTON B TO SELECT A WORLD). This is normally set on completing the game, and lets you choose from worlds 1-8.- If you press A+Start instead of just Start on the title screen, you will continue from whatever world number is stored in $07FD. This is normally stored on getting a game over.So, the reason why Tennis works is that it doesn't modify any of the precondition addresses, but DOES write to the "continue world" address at $07FD.An open question, then, is: Are there any games on the NES that can be used to set the SMB1 world select flag? And are there any besides Tennis that can be used to store glitched worlds into the Continue World address? I searched the NES library for such games, and it turns out the answer to both questions is yes! Not only that, the game I found that can do it is one of the most famous: NES Legend of Zelda!It seems surprising that this would stay undiscovered for decades, but there's a good reason. LoZ needs to be in a specific state in order to trigger anything in SMB1. You need to have visited certain rooms in level 8, but AVOIDED some other rooms in level 7 and 8, in order to meet the memory conditions described above. For details, see this diagram:https://i.imgur.com/4tpDBhe.pngOn the bright side, it only takes a couple minutes from a fresh file to visit those rooms. Not only that, the fact that you have visited them saves to the cartridge. Which means that after doing the one-time setup, it only takes a few seconds to boot SMB1, swap to LoZ and load your save file, then swap back to SMB1 and make use of the world select or glitched continue world number.In this video, I demonstrate the full process - setting up the LoZ save file, and then what it can do in Mario:0:00 - The first step is to acquire the Candle, which is needed to enter Level 8. This needs 60 rupees, which can be found at the northeast corner of the map.2:54 - Entering the first room of Level 8, sets $07FD to 0x20. This corresponds in SMB1 to setting the continue world to "World X".3:00 - Entering the room to the left, sets $07FC to 0x20. This corresponds in SMB1 to enabling the world select flag. Then, I save the game in order to permanently store these two RAM values to the cartridge save file.If you like, the previous setup only needs to be done once. The following steps can then be repeated whenever you want.3:11 - Start by loading SMB1. The sole purpose of doing this is to set $07FF to 0xA5, which is a value it will look for when we swap back to it later.3:17 - Cartridge swap to Legend of Zelda. Note that LoZ does not use or initialize memory address $07FF at all, so the value is retained. Then, I load the file that was set up earlier, to put the saved room visitation flags into $07FC and $07FD.3:27 - Stop 'n' swop back to Mario. We can now do one of two things: Either push button B to choose one of worlds 1-8 to start in, or press a+start to start in glitch World X (this is the only glitch world that Zelda can unlock, at least without ACE).3:34 - Let's explore World X! As it turns out, this world is a clone of 8-4, except it functions as just one long room. (The pipes don't lead anywhere, but the "loopbacks" that normally prevent you from just walking straight forward to Bowser don't exist either.)5:00 - Grab the axe to beat the game, well sorta. A princess does appear in this glitch level, and reaching her does set the "game complete" flag and return you to the title screen... nevertheless, she is very clear in saying that our princess is actually in another castle. Your speculations are as good as mine as to what this means.To me, the reason why this is so cool is not so much the ability to start in world 1-8 and a single glitch world. Rather, it's the fact that two of the biggest titles on the NES happen to interact perfectly with each other for this to work, and - unlike the interaction between Tennis and SMB1 - this interaction was never discovered before.Supplementary material for nerds:pastebin.com/bFeZEKeYgithub.com/MrCheeze/BizHawk/commit/e9d6f8d692a30e5c13bcfd7fc73a976193efa148
Paper Mario - Undocumented Koopa Koot Give Up feature MrCheeze 2023-02-08 | Koopa Koot doesn't work how we thought.According to all sources on the internet, as well as my previous understanding, Koopa Koot works like this: There are twenty favours, each of which is unlocked by reaching a certain story progression in the game AND completing all previous favours. Most favors have a 1-coin reward, but certain specific favours reward you with Silver/Gold Credit for the playroom, or three star pieces.How it ACTUALLY works:There are twenty favours which can technically be completed in any order at all. Each favour is unlocked solely by your story progress in the game. However, the only way to do the favours in a non-default order is to activate a favor, and then walk into Toad Town from Pleasant Path. This will trigger an obscure option when talking to Koot of giving up on the current favour. After giving up, he will then ask you the _next_ favour that is unlocked according to your current story progress. This does not skip favours entirely - once you get to the end of the list of unlocked favours (either by completing or giving up on the rest), Koot will ask you again to do the favours that you previously skipped (in a random order).Also, Koot's rewards are not given for completing any _specific_ favour, they are given based on the total _number_ of favours completed:2 - Silver Credit10 - Gold Credit4/8/12/16/20 - three Star Pieces.One of the reasons this functionality is so obscure is that it only triggers when walking to Toad Town on foot - if you take the blue pipe instead, as most people would, Koot will never offer the option to give up.It's always fun to discover new things about games you'd expect to be fully documented by now. But it's especially funny when it's just a basic, intended feature - one that many players would have encountered and used, just none of the ones who write wikis and guides and whatnot.
Paper Mario glitch - Jungle invisible blocks without jumping (Bombette) MrCheeze 2023-01-02 | Did you know that the four Bellbell Plants in Paper Mario are not just decorative, they signal that there's an invisible block right next to them? The game never tells you this.In any case, this means it's actually possible to hit any of the invisible blocks in the jungle, by dropping Bombette onto the cubic hitbox from behind the plant, and using her to blow up the block. This is useful for Paper Mario Randomizer, which has a setting that disables jumping until you find the regular boots.Some of these are more precise to do than others. The first one I show in the video is the hardest... it seems to be help to walk into the bell plant from the side rather than above, and even then you have to be somewhat precise about blowing up Bombette as late as possible.
Paper Mario - Block clip applications MrCheeze 2022-09-06 | In Paper Mario, you can clip onto any block (?/brick/save/heart) using ultra boots. If the block is angled diagonally, you can do it fairly easily by standing still, which is why the Bowser's Castle clip has been known for many years. Doing on on an orthogonal block, though, is much harder and requires moving from the corner of a block to its side with perfect timing. The inputs for this were only recently discovered by Bonecrusher.This video shows off known applications of this glitch. Some might be good for TAS timesaves, some allow reaching items in PM64 randomizer, and some may not have any practical use but still do SOMETHING.Note that although the last clip shows a new way to retrigger prologue or get sushie glitch, it crashes all versions of the vanilla game except for the Wii VC release. See JCog's thread for info: twitter.com/JCog_/status/1565784030309744645
Paper Mario - Itemless NPC Clipping MrCheeze 2022-09-01 | (Recommend watching at 2x speed)It's been known for many years that in Paper Mario, hammering when squeezed between an NPC and a wall will clip you into the wall. Spin Jump and Tornado Jump also have the same effect. The reason for this is that wall collision is temporarily disabled during those actions (see here: youtube.com/watch?v=h2c8VG54270 ).This is pretty nice in itself, but it would be nice to be able to do it without needing any items at all. As it turns out, we can! It seems that every useful NPC clip can be done just by talking to the NPC while squeezed close enough between them and the wall, or even just by turning Mario around. (Actually, I think the reason talking to NPCs even works is that it makes Mario turn instantly, but I'm not sure about this.)A speedrun would generally always have Hammer anyway, but this is pretty useful for Paper Mario Randomizer. In particular, the itemless entry to Toy Box and escape from Goomba Village seem like they would come up frequently when playing randomizer with glitches. Most of the others are useful for rando as well.Note that some NPC clips require using Bombette to push an NPC somewhere else, and Bombette is still required in those cases. It's only doing the clip itself that never needs any item.This video features the following:- goomba village escape- black toad skip- sushieless toad town star piece- oaklie skip- blue house skip- toybox early- storeroom early- yellow, red, bubble, blue berry gate skip- murder solved earlyThis actually obsoletes several of my recent videos, which show other ways to goomba village escape and toybox early that require items/partners.
Paper Mario - Early Toy Box (new easier Parakarry method) MrCheeze 2022-08-31 | A few days ago, I posted an extremely difficult way to Toy Box that only requires Parakarry and no hammer ( youtube.com/watch?v=8Uuq2drYNqA ). Unfortunately it was extremely difficult to do in realtime.However, just today, NaterTater discovered that NPCs can push you through walls when you're using Bow, Parakarry, or Kooper's ability. (We already knew they could do this when using hammer, spin jump, or tornado jump, but this was a new discovery.) Which means that you can use the already-known NPC Clip method to get into toy box instead. The only extra difficulty is that you have to cancel Parakarry's ability before he lifts you up too high.Incidentally, you can also use this kind of npc pushing to escape from Goomba Village without a hammer, if you have Bow or Parakarry.
Paper Mario - Sun tower rock skip (Parakarry version) MrCheeze 2022-08-29 | This is already possible without any items/partners ( youtube.com/watch?v=lXa9LFyCdgA ), and it's unclear whether the Parakarry version can be made any easier than the original - it requires moving to a precise position as the camera is still in the middle of rotating from Mario entering the cubbyhole.Still, this is interesting if nothing else for our theoretical understanding of Parakarry clips. It seems like that the best-case scenario for clipping with him is for there to be a corner that's aligned along the X and Z axes, but for the camera to be angled (so that parakarry moves diagonally). This situation can happen at the sun tower, and it's also the principle behind the following:- Clipping into the corner of the southern toad town shop (toy train / toybox early): youtube.com/watch?v=JJtoYASHwq4- Deep focus outside Bowser's castle early: youtube.com/watch?v=CqJa3GzUTMM- Repel Gel in the prologue stone block: youtube.com/watch?v=6SSP3qZwvQc (actually, the corner is not quite along the X/Z axis for this one)
Paper Mario - Early Toy Box (Parakarry Method) MrCheeze 2022-08-24 | The clip onto the outside of Harry's Shop is already known, but is used just for getting the Toy Train early. But I've never seen anyone use it into get into the toy box itself.Which is understandable, since 1) there's an easier early toy box that only requires hammer or ultra boots, and 2) moving along the outer edges of the buildings without clipping in or out of them is pretty difficult. Especially with the diagonal camera angle that you have to use. Still, it might be possible to make this more consistent somehow.This is only really useful for randomizer, in the rare situation where you have Parakarry, but not Hammer or Bow or Ultra Boots.
Paper Mario - Star Stone via Sushie Glitch MrCheeze 2022-08-23 | Encountering an enemy twice during Sushie glitch, and swapping partners the second time, gives you "clippy" so that you can clip out in the corner to the Star Stone.This is entirely r0bd0g's discovery, but he didn't have a video showing the tricky part: youtube.com/watch?v=wIUuQD_Y-LUYou can also get clippy the normal way with Laki, which lets you reach the star stone as well.
Toad Town Sushie Glitch MrCheeze 2022-08-23 | This is a truly legendary glitch in the Paper Mario community. It was done exactly once on console, without video, many years ago... and then nobody was ever able to replicate it again. And not for lack of trying, either.Well, with careful study of the game's code (thanks decomp!) plus some experimentation, I finally understand the conditions that allow it to happen. Take a look at this diagram of the dock:https://i.imgur.com/ToozTZu.pngTo understand what's going on and what these lines mean, I need to explain how the process for mounting Sushie when you press c-down works.1. The game casts a ray from Mario, in the direction he's facing. If there is a wall within 26 units of him in that direction, then we are allowed proceed to the next step, otherwise you can't get on Sushie.Note that even though it looks like Mario can only face left or right, internally he has a full 360-degree angle. This angle is only set when moving in a direction on the ground. Also, to be clear, the edges of the dock are walls.In the diagram, the brown line is 26 units away from the bottom-left dock edge. This means that the area below the brown line shows the area where mounting Sushie is possible (at least when Mario is facing perfectly diagonal down-left).2. The game decides which of the edges of the dock you are using. Surprisingly, this has no relation to the wall detected in Step 1. Instead, a ray is cast from the center of the dock towards Mario, and this way continues until it hits a wall. Whichever wall is hit will be the side of the dock that you use. (If a non-dock wall is hit, you don't get on Sushie.)In the diagram, x marks the center of the dock. Which means the area above the green line shows the area where (if Mario is standing there) the ray will hit the top-left side of the dock in this step.3. Sushie is placed in the water. She is placed 40 units away from Mario - at a diagonal up-left angle if we hit the top-left side of the dock in step 2, and at a diagonal down-left angle if we hit the bottom-left side.Actually, even though she's placed 40 units away, she will clip into the dock if she's placed within 9 units of its edge.In the diagram, the purple line is 40-9=31 units away from the top-left edge. Which means, if Mario is to the right of the purple line and mounts Sushie using that edge, then she will clip into the dock.So now we can put everything together and consider what happens if we press c-down in the tiny little triangle in the diagram, where the lines nearly intersect. (Enlarged: https://i.imgur.com/T4DzCfw.png )First, the game does the initial check that there is a wall within 26 units of us in our facing direction. We are facing down-left, and are below the brown line, so we detect the bottom-left dock wall and this step passes.Second, the game casts a ray from the center of the dock in the direction of Mario. This ray hits a wall that is a dock edge (the top-left one), and so we will be getting on Sushie via the top-left wall.Third, the game places Sushie diagonally up-left from Mario. We are so far away from the edge (i.e., to the right of the purple line) that she ends up clipped into the dock instead, and we have Sushie glitch!Now that we've finally figured out the conditions, it's not surprising that this glitch evaded the community for so long. The precise position is bad enough, but if that was all, I'm sure someone wandering on the dock and mashing would have gotten it again eventually. But Mario's secret internal angle ALSO mattering (which we didn't know about back then, and wouldn't have guessed was relevant now), makes it way too unlikely to luck into again. Only reading modern documentation and testing to work out the EXACT steps Sushie follows was enough to get it done.As for actually doing the glitch in practice, here are the steps I use:Step 1: Set Mario's internal angle to down-left, by making sure the last direction you moved on the ground was in that direction. An easy way to do this is by jumping while your stick is in the diagonal position.Step 2: Using only midair motion, line Mario up against the wall in this position: https://i.imgur.com/FWivnjG.pngStep 3: Move Mario perfectly to the left, again only moving during jumps, until you get here: https://i.imgur.com/tYAoLg0.pngThen press c-down to get on Sushie. Note that it's safe to press it if you're still too far right, nothing will happen. If you get on sushie but don't clip, you're off in a different direction.Step 4: Explore! This glitch is more famous for its irreproducibility than for its usefulness, but still: Along with stealing the Odd Key and Toy Train as I do in this video, it's also possible to explore:- All of prologue- Chapter 1 up to the Koopa Bros. Fortress door (even if the bridges are out): youtu.be/DzKI_7RGt7E- Chapter 3 up to Tubba's Castle door: youtu.be/D48s7f8ivVA
Bypass Goomba Village yellow block from right (Itemless!) MrCheeze 2022-08-19 | Previously I showed that you could bypass from the east if you have Super/Ultra Boots, Bombette, Parakarry, or Lakilester: youtube.com/watch?v=f1jOnrlu4PoBut it turns out that none of those methods are needed, there's a very easy way to do it with no items whatsoever.In randomizer, this means you can get from a Toad Town spawnpoint to Goomba Village with ZERO item requirements! At least as long as you're able to do a difficult oob to cross the Goomba King bridge in reverse: youtube.com/watch?v=f9vkKj9MMRc
Bypass Goomba Village yellow block from left (NPC Lure + Super Boots) MrCheeze 2022-08-19 | Another thing, mainly for rando.By quickly tapping in and out of Goompapa or Goombaria's talk radius, they can be lured all the way to the right next to the yellow hammer block. This technique is known as NPC Luring. ( papermarioarchives.com/#/NPC_Luring )As explained in this excellent video by Gorialis ( youtube.com/watch?v=h2c8VG54270 ), using a Hammer/Spin Jump/Tornado Jump will disable the collision of walls, but not the pushback of NPCs, which lets us clip through the wall here. Doing it with hammer is obviously useless, but Super or Ultra boots both let us bypass the block without a hammer.There are a few other ways past this block:1) Bombette has buggy behaviour on yellow blocks, and sets the flag for their destruction without breaking them immediately: twitter.com/MrCheeze_/status/15119108642821734412) A fairly easy Laki Teleport: youtube.com/watch?v=DPXLjSEEnBk3) It's actually already known that this NPC clip into the block can be done totally itemless by talking to Goombaria, instead of spin jumping, but it seems very difficult and also I don't understand the theoretical reason why it's possible.
Paper Mario (rando) - exploring Gusty Gulch with Sushie Glitch MrCheeze 2022-08-17 | In randomizer, you can get Sushie Glitch in prologue and bring it all the way here.In vanilla, there is no known way to do this, but it is suspected that sushie glitch is possible to get in toad town (but undiscovered).In any case, once you get Sushie here, it's possible to get all the items in Gulch, or to cancel the glitch and enter Tubba's castle.Note that it is necessary to avoid the Tubba cutscene, it softlocks when you're riding Sushie. And it's somewhat difficult to avoid.A few other things are possible by bringing sushie glitch from prologue, which I didn't show in this video:- Goomba King without hammer- Odd Key without blue house skip- Toad Town storeroom items without storeroom key (or without hammer/parakarry to glitch in)- Getting past the first bridge in Pleasant Path without having hammer/bombette to shake the tree
Bypass Goomba Village yellow block from right (5 methods) [OBSOLETE] MrCheeze 2022-08-16 | Hammer, Super Boots, Bombette, Parakarry, Laki all work. For use in rando after doing one of these:youtube.com/watch?v=iZ1_CBEKUrgyoutube.com/watch?v=f9vkKj9MMRcIn vanilla, the Bombette method won't make the block disappear until you reload the map - see here: twitter.com/MrCheeze_/status/1511910864282173441Jumping on the block from the left doesn't seem to be possible, so Hammer or Bombette must be used if coming from that direction.UPDATE: No items/partners are needed, just do this instead: youtube.com/watch?v=gClrnYAbF0Q
Ocarina of Time beaten with only 2 items! (low% LOTAD) MrCheeze 2022-08-15 | Using some discoveries made in the last year, it is now possible to beat Ocarina of Time with only two items to escape the forest, achieve SRM, and use that SRM to run some ACE code that beats the game.Reducing low% below this item count seems difficult or impossible, because:1) SRM cannot be achieved while trapped in the forest using only one item from the forest.2) All known methods of forest escape require obtaining at least one item (fairy ocarina/shield/sword/stick)3) There is no known way to SRM using only one of the items from 2).Setup is for japanese NTSC 1.0 on the N64.Uses the following tricks:Shield-only aqua forest escape, by Jolin: youtube.com/watch?v=fzNgPknkguICucco dive with potsItemless well chus using Skullula elevator, also by Jolin: youtube.com/watch?v=ISKHAF_RSQ0Dodongo's cavern eyes with bombchus: youtube.com/watch?v=LY1cg-85r_cDodongo's cavern shield+bombchu ACE setup by me.Routing and other nonsense by nataliahasdied because I didn't know those first two things were even possible.All of this should be possible RTA, although some of it is tricky, and it does require an exact joystick position.Extra notes on the ACE setup:12:03 Heap manip begins on exiting the boss door12:39 The third bombchu is dropped on an exact frame, and from a somewhat precise position, in order for its final XY coordinates to form a jump instruction in memory ("jr t3") at address 801EFB24. For example in the video, The X and Y coordinates make 01770088 which is such an instruction. (In fact anything of the form 01[67]XXX[048C]8 will work).13:14 Angle setup for FB24, and then load the other room again. This corrupts the draw pointer of a pot in the other room, so that when the pot is visible, the code at 801EFB24 will run. The code there is "jr t3", which very conveniently jumps to controller 3. On controller 3, we hold Dpad up, cdown, and (105, 125) to form 0804697D, which is a jump to filename. And finally, in our filename, we have code to increment a "cutscene value" which determines what cutscene will play on the next scene load.13:22 Turn around a few times like I do (while holding the controller 3 stuff) in order to run the code described in the previous step for exactly 6 frames. This makes it so that on the next scene load, cutscene FFF5 will play. On Hyrule Field, this is a credits cutscene, and we can load hyrule field by dying and returning to title.
Paper Mario - Climbing the ice stairs to Crystal Palace using Sushie Glitch MrCheeze 2022-04-08 | This is not useful in any way, because once you make it into Crystal Palace, there is no loading zone behind the door, and it's impossible to progress any further. Still, I thought it was interesting, and the way you have to do it is pretty surprising. For each set of ice stairs, you have to swim to the top a couple stairs at a time, and then do one long dive all the way back to the bottom again to "escape" from being inside the staircase while maintaining your swim height.The only conceivable situation where this could be useful would be if a hypothetical PM64 randomizer (such as the new one: pm64randomizer.com ) added support for randomizing the loading zones between different regions. In this case, the last loading zone I take might lead not to Crystal Palace, but to somewhere else where having Sushie Glitch is actually useful.If interested in Paper Mario glitches, you may also be interested in this recent discovery about hammer blocks: twitter.com/MrCheeze_/status/1511910864282173441
Super Mario Bros: The Lost Levels Speedrun in 5:55.1 (using SMW ACE) MrCheeze 2022-03-06 | This is the fastest ever completion of SMB2j at time of writing. Unlike the runs that have been done before, this speedrun only works on the Super Mario All Stars+World version of the cartridge. This is because we switch games to SMW in order to use ACE to modify the save file to unlock all levels, as well as enable debug mode. Afterwards, either 8-4 or D-4 can then be used to beat the game, but I beat D-4 because the level is shorter and simpler (even more so when using debug mode noclip).This is exactly the same ACE used by SethBling for this SMB2 (USA) speedrun: youtube.com/watch?v=1hiyFV68KCsThe ACE payload is "MVN/MVP $40F0; RTS". The reason such a simple payload can do so much is that it is a "block copy" opcode. Basically, it copies memory addresses $400000-$4000FF over memory addresses $F00000-$F000FF. The former is "open bus", which in this case means that it acts like it just contains the byte #$40 repeated forever. The latter is the save file for File A of SMB1,SMB2j,SMB2,and SMB3. Which means that this very short four-byte ACE has all of the following effects:- Enable debug mode (which is done via a byte in the save for some reason)- Unlock every world in SMB1 file A- Unlock every world and level in Lost Levels file A (only this game lets you start somewhere other than the first level of each world, due to its difficulty)- Unlock every world in SMB2 file A- Unlock every world in SMB3 file ANote that all of these effects will be lost when you next reset/power off the cartridge, due to some corrupted checksums.This SMW ACE setup is fast enough that this is the fastest possible way to beat Lost Levels and SMB2. For SMB1, the ACE is slower than just beating the game normally. For SMB3, there is a different ACE that takes longer to setup, but skips having to play the last world and just credits warps in SMB3 instead ( youtube.com/watch?v=Sq-ZLlMCQvU ).The timer shown in the video is slightly off because I started the timer two seconds before the official start of timing (pressing start on the lost levels title screen), and several seconds after the official end (touching the axe).
Arwing ACE payload for NTSC 1.2 (N64, Wii, Wii U, Switch) MrCheeze 2022-01-27 | Using the method shown in this video youtube.com/watch?v=qe7JSRwF86E , we can achieve total control ACE relatively quickly from a new file.This video shows a modification of my Arwing payload that works on 1.2, so that it can be used with that method.To use it, follow the instructions from that video, but at 8:31, enter this payload instead of the one I use in the video: pastebin.com/8Lhznv7p
Crazy Lightnode SRM strat for Title File on Wii VC MrCheeze 2021-12-07 | This is a slightly faster method to load the title (debug) file on JP-region Wiis. The effect in the video doesn't look much different from existing methods, but some really crazy stuff is going on behind the scenes.First of all the "setup":- Use filename 80834D7C 90024550 (ラレづモョ2ごば)- Do a standard heap manip for 1.2 lightnode and a standard angle setup for ACA0- Drop hands and cross the loading plane three times to do the lightnode RAM write and load the withered deku babas. The deku babas will trigger a load of the title file while they're loaded.- Do not load any more withered deku babas for the rest of the run (unless you save and reset the game first), attempting to do so will crash.And now, how it works:N64 ram is located in Wii RAM at Wii address 80E74000-81274000. So when the Wii emulates N64 code that tries to write to N64 address X, the Wii actually writes to Wii address X+E74000. No bounds checking is done here, which means that theoretically you can write to anything in Wii memory, not just N64 ram.The lightnode SRM filename given here tries to write to N64 address 90024554. Writing there on a real N64 would crash or do nothing, but on the wii, it writes to Wii address 90024554+E74000 = 90E98554. And this is actually in where the N64 *rom* is stored in memory. So what this ram write actually does is modify the withered deku baba overlay, in ROM, so that their update function pointer has a value of our choosing. And we choose it to be the "load debug file" function.Note that there are several difficulties involved in making rom edits in this way:- Only certain regions of the ROM are actually possible to reach using characters that can be typed in the filename - pastebin.com/jT2qZxei- The rom data is compressed, so editing it to have useful results after decompression can be difficult. Fortunately the withered baba's update function pointer appears plainly in the compressed data, and so can be edited directly.- The new function pointer that we write is NOT actually used directly. When the overlay gets loaded from rom into ram, it gets "relocated", which roughly means that a certain amount gets added/subtracted from it, depending on where the overlay actually loads (so, depending on the heap manip). The pointer we write only ends up pointing at the title file function with this particular heap manip, any other heap and it will just point so some random garbage location. This is why you can't load any more withered babas later on without the game crashing.Finally, there is one important/funny disclaimer to this SRM as a whole, which is that it ONLY works on Japanese region Wiis - it will not work if you use homebrew to run the Japanese WAD without actually changing your Wii's region.The reason for this is the "you will need the classic controller" disclaimer screen at game boot. On a JP Wii, it will load a japanese font and appear as normal japanese text ( https://i.imgur.com/nLYGIJX.png ). For other regions, it will load a western font and display the glitched text ƒNƒ‰ƒVƒbƒNƒRƒ"ƒgƒ [ƒ‰.ª•K—v,Å,· B instead ( https://i.imgur.com/548Wcsb.png ). The size of these two fonts is different, and as a result the distance between the N64 RAM and ROM in memory will be different depending on which of the fonts is loaded. So if you want to use this SRM on what was originally a non-japanese wii, you need to use different homebrew that actually changes the Wii region.
Incomplete idea for moonwarp ACE as deku (for low%) MrCheeze 2021-11-26 | Using Turkenheimer's method (youtube.com/watch?v=pWRHSmdefFI), it is possible to use SRM to edit one instruction in the code that runs whenever the balloon explosion despawns.It is difficult to get this to be a USEFUL instruction in practice, because the written instruction depends on your attached bubble's X and Y angle - and both angles are rounded so that only a few values are possible to achieve. (Possible values: pastebin.com/7trQENkV )One instruction that CAN in theory be written is E5AEC360, which is swc1 $f14 0xC360($t5). When run in this context, this instruction will modify a variable in the blue bomber kid (Hugo) that determines where he will warp you if he is the fifth and final bomber to be caught. The particular value written - and therefore the destination of the warp - depends on Link's Z coordinate.In this video, I do the following:- First, I pop the balloon to spawn an explosion actor.- Then, I SRM the effect of editing the explosion's code with SRM, by simply hacking the instruction to be E5AEC360. (In reality, you would need to follow Tuerk's heap manip, then SRM here using the red bomber (Jim), while having your attached bubble have x angle E5AE and y angle C360, in order to edit the code.)- Then I do a setup for a particular Z position. The setup is to line up against the wall, turn around without moving, hold Z, hold Z+left for 7 frames, then let go of Z and left at the same time. All this needs to be done in the short time before the explosion actor despawns.- After the explosion despawns, you just have to catch Hugo (all the other bombers must be caught already) and if the setup was correct he will warp you to the moon.It remains to be seen whether the SRM can be done in practice using Jim and the needed angle.Note that even if everything works out and this is possible, it would NOT be useful for any%. Fighting Majora as Deku Link is extremely difficult and slow ( youtube.com/watch?v=CBVsbU3Ek2o ), not to mention the extra time needed to capture all the bombers. This WOULD, however, become the optimal route for low%, which strives to obtain as few items as possible. This route uses ZERO inventory items (and therefore zero pauses), with the only thing it obtains at all being magic. It would also make a fairly interesting challenge run.
Bombchu + Bomber Text + Night Transition SRM MrCheeze 2021-11-21 | Probably not useful, but good for documentation.One idea to get SRM was to let a held bombchu explode during a night transition, and then let the actors that load at night load in its place, before Link has a chance to unfreeze and notice that his held actor is gone. Unfortunately this does not work, because Link unfreezes BEFORE the night actors load, and therefore drops his hands.If you catch a bomber the last possible frame before a night transition, then Link remains frozen until after the night actors load, and so the idea actually works.based on Tuerkenheimer's work: youtube.com/watch?v=D1gSLSAEWL4
Majoras Mask - SRM in first cycle (Sakon method) MrCheeze 2021-11-06 | Recently, Tuerk demonstrated that SRM can be done using Deku Link's bubble, and therefore in first cycle: youtube.com/watch?v=D1gSLSAEWL4Being able to skip having to play through the first cycle normally is the holy grail of MM glitch research, so this is a very exciting find. Turning it into a useful effect is definitely not easy though, with how few options are available for heap manipulation.Here I demonstrate an easy method to get SRM using the same principles (although this exact setup is even more inflexible as far as heap manip goes).First enter NCT on night of the first day. Stand in the corner and look in first person to despawn the bush cluster (En_Kusa2). Sidehop three times to the right and continue holding Z to get the camera into a specific position. Start charging a deku bubble right before the Sakon cutscene begins. (You can optionally let go of Z after starting to charge the bubble, but not before.) During the cutscene, Deku Link is frozen and will not notice that the bubble pops, and maintain his reference to it. Then, with this camera positioning, the cluster of bushes will load again at the very end of the cutscene and stay loaded - all still before Link ever had time to notice the bubble was killed, so he maintains his reference. A bush loads exactly where the bubble used to be and we can manipulate its position and rotation with SRM like a deku bubble.Aside:* Boomerang SRM writes XYZ position,* Grab/Carry SRM writes XYZ position and Y rotation,* Deku Bubble/Arrow SRM writes XYZ position and XYZ rotation.So this is in some sense "more powerful" than previous types of SRM, though I don't know if that means anything in practice.
Inventory SRM for NTSC 1.0 and Rando MrCheeze 2021-08-19 | lolNecessary items: Shield, Strength, Fish (not from the lost woods grotto), Bombs, Bombchus. It might be possible to remove the need for one of the two explosive types with a differnet heap manip.At the end, you can do angle setup for either 8AD8 or 8AE0. If the former, the inventory slots that are edited will be light arrow, nayru's love, bottle 1, and bottle 2. If the latter, the inventory slots that are edited will be bottle 3, bottle 4, adult trade slot, child trade slot.
Ocarina of Time - Setting up Total Control ACE with Arbitrary Ramwrites, also a new 100% NSR route MrCheeze 2021-08-18 | The most powerful effects that we can achieve using SRM are arbitrary code execution (code modification) and arbitrary RAM modification (via methods other than ACE). Until now, though, we've only ever done those two things separately.It turns out, though, that using LightNode arbitrary ramwrite SRM, we can set up large-scale ACE payloads (what I call "total control ACE") much faster than the old setups (youtube.com/watch?v=wIyEUScOMxc and youtube.com/watch?v=xWevY4JOUAA).The core idea is still the same as in those videos - we eliminate one of the checks on filename length in file select, which serves the dual purposes of 1) giving us a space to type our payload, and 2) letting us corrupt various internal variables of a file select screen in a way that allows us to jump into the payload.With that plus an optimized payload, we can complete 100% NSR faster than any previous method. Detailed setup for NTSC 1.2 (N64 or Wii U) below:0:00 Create a new File 2 (not a file 1!) with the filename 803AB288 8000A260 (ラぅHァラ0ブキ).0:20 Completely ordinary LightNode SRM setup up until dropping the rock with angle ACA0, as usual.7:52 Cross the load plane three times, die to the deku babas, save, and return to title. The first time triggers the LNSRM - from now on, the game will overwrite a specific address every frame. Specifically, it constantly overwrites the address that the "check filename length" code will load in later on. The second and third crossing of the loading plane is just to get the babas to reload so that we can die to them.8:18 Create a File 1 with the filename 803B2FA0 801DD928 (ラぇよバラとuま). Doesn't do anything yet, but this filename encodes a pointer to where we will be writing our ACE payload.8:26 Go into File 3 name entry.Press c-right until 'つ' is highlighted and then enter 'ち'Press c-left all the way and enter 'リ' four times.8:31 Enter the ACE payload now. For 100% NSR, use this one: pastebin.com/qKju5TFnPress B to exit (don't create the file!)Now, our payload is sitting in memory. We just need a way to run it.8:58 Enter and exit options, then go back into File 3 name entry.Press c-right until 'd' is highlighted and then enter '7'Press c-right until 'a' is highlighted and then enter 'b'Press c-right until 'b' is highlighted and then enter 'X'Press c-left twice and enter 'い'Blindly press up once, and then A. Wait for the file copy sound to play.The effect of this setup is to copy our File 1 filename over a location in memory that specifies what code should run when the file select screen UNLOADS. And we made it point to the ACE payload that we entered in the previous step. Which means now we can...9:20 Blindly press down, A, and A again to load file 2. The unloading of file select will cause our payload to run once.As for what the NSR payload actually, it accomplishes 3 goals in just eight instructions:1) The first is to enable use of the debug inventory editor whenever you pause - the inventory editor lets us obtain most - but not all - of the items required for 100% NSR, with an amount of control that would be hard to get via ACE alone without writing a much longer payload.2) The second goal is to get the NSR requirements that are not covered by inventory editor: magic flag, double magic flag, double defence flag, double defense heart count, biggoron's sword flag, and has-obtained-any-gold-skulltulas flag. As a bonus, I also include making the gold skulltula count greater than 100, because doing that with the inventory editor is really slow. Funnily enough, the fastest way to set all this data without writing very much code is to paste a random chunk of memory over the save context that happens to fulfill all these conditions by calling the MemCpy function. I wrote a script to search RAM to find the block of data that we copy. Note that doing this completely overwrites our inventory with garbage, but this is fine because we're going to be fixing it with the inventory editor anyway.3) The third requirement is a way to reach the credits.The Lost Woods bridge is already coded to trigger a cutscene when you enter it, so I just changed it so that it triggers a credits cutscene again.9:26 After loading up the newly corrupted file, just pause and the debug menu will open automatically. Fill it in the way that I do to get all the necessary items and such. After doing so, probably best to verify the pause screen contents, since otherwise it might be tricky to spot if you missed anything.10:29 Now, just go to the kokiri bridge as fast as possible. Note that as a side effect of the random garbage that we copied over our file, we have F boots equipped and a stick on B. Also a glitched C item that probably crashes, I wouldn't try to use it. Just make sure not to accidentally fly off to space, and then enjoy the credits!
Ocarina of Time - Grotto SRM as Adult from Lost Woods Goron City Room MrCheeze 2021-08-17 | The previous idea for beating the Brawl demo of OoT turned out to be impossible, because of ACE not working properly in VC. This is a different idea entirely for beating Brawl: a setup for Grotto SRM designed to be as fast as possible coming from the Brawl premade save files, with the idea being that we can hopefully warp to the Ganon battle and defeat him in under 5 minutes. This heap manip is also probably useful in general in other (non-Brawl) situations.Note: although this route technically exists in US Brawl, it is much better in JP Brawl because:1) Only the Japanese save file has hookshot, which can be used to climb the ladder in the lost woods bridge room faster.2) Mido is moved in JP only.3) Text in the Ganon fight is presumably faster.Heap manip:- Spawn in lost woods from Goron City OR the grotto in the same room. (it doesn't matter for the heap manip whether the bombiwa is destroyed or not)- drop bomb, load mido room- after first bomb explodes, drop bomb, load the next room- load the bush room- SRM off the nearest bush and travel directly to the forest stage grotto roomGrotto SRM position setup from Savestate: youtube.com/watch?v=-k_7myYlaQcWhether it is actually possible to get here, do the SRM, and defeat ganon in under 5 minutes remains to be seen. Timing will be very tight if so.
Ocarina of Time (Brawl Masterpiece) - Faster credits warp idea. (SRM/ACE) MrCheeze 2021-08-14 | (Update from the future: The idea doesn't work when done in real Brawl, sadly. The code that we're trying to edit with ACE here remains in the VC cache and so trying to edit it does nothing.)This is an idea for a faster way compared to my previous video (youtube.com/watch?v=fSrNF7txj20) of beating the Brawl demo of OoT within its 5 minute timer.The key idea here is the same as before: get LightNode SRM as fast as possible. Since filenames can't be controlled in Brawl, we (unfortunately) have to use an exact joystick/controller input to control the effect of the lightnode SRM. The effect is to NOP out a certain instruction of code, so that when you die and return to title screen, it plays cutscene FFF3 on the current entrance instead of cutscene FFF3 in Hyrule Field. This is enough to credits warp.The timesave here is from using the Adult Link premade file instead of the child one, which can actually do its lightnode SRM faster despite starting on the opposite end of Hyrule. Unlike the previous setup, this setup is the same for both the US and Japanese versions of Brawl. (Although there are differences: The US save starts 3 3/4 hearts while the JP save has 6, and only the Japanese file has hookshot.) The timesave from the new route is not huge, so finishing under 5 minutes is still difficult but seems like it should be possible. (As long as there's a way to get the exact joystick value.)0:00 - Load the adult save file and just get to the forest entrance as quickly as possible.1:15 - We need to reenter lost woods from the Kokiri side of the bridge; this sets up a wrong warp for later. Glitch off the bridge using any method. Skip past Mido (we need to use a hookshotless method unless playing on the japanese file). Enter and exit the forest stage grotto.2:23 - Heap manip begins and is very simple: go forward a room, drop two bombs, and load the bush room while the bombs are loaded. Then superslide SRM the nearest bush through the loading plane as shown.2:42 - We need to drop the bush while the fairy is loaded, with angle DDF8, DE58, or DE5C in order to point the lightnode SRM at our controller 1 inputs. I show one setup for this.2:54 - It's mandatory to pause at least once in lost woods to overwrite the data that the cutscene pointer points to, otherwise the wrong warp will softlock. If you didn't do it earlier, do it now.2:56 - Without unloading the room that the fairy is in, use bombs to die and prepare to return to title.3:18 - As the scene unloads, you need to be holding the following on controller 1: A, C-Up, C-Right, and X=8, Y=-36 (unless the angle of the shield drop was DE5C, in which case it should be Y=-40). The lightnode SRM will trigger as the fairy unloads, and if all goes well, a wrong warp will take you to the Lon Lon Ranch house.3:22 - In order to credits warp, we need to enter Lon Lon Ranch from the front entrance and then die. Exit the ranch and spam the title file bombchus against the tree in order to bring yourself down to half a heart, then re-enter the ranch.4:24 - Once back in the ranch, die and return to title. Enjoy however much as you can before the timer expires and returns you to Brawl. As a side effect of being in title screen mode, you can press start to skip through the different credits scenes, though it's nowhere near enough to make it to the end screen.
Ocarina of Time - Lightnode SRM as Adult Link MrCheeze 2021-08-14 | Could be useful from time to time. If only all heap manips were this easy, huh?Done in lost woods not just because lost woods is a very nice location for heap manips, but because Mido's fairy is one of the few actors that we know to have a lightnode pointer that we can edit as adult. (Kokiri forest SRM doesn't seem possible when we can't use the crawlspace.)
Idea for beating the Brawl OoT Masterpiece with SRM/ACE MrCheeze 2021-08-08 | (Update from the future: The idea doesn't work when done in real Brawl, sadly. The code that we're trying to edit with ACE here remains in the VC cache and so trying to edit it does nothing.)An interesting challenge is whether it's possible to beat the Brawl demo of Ocarina of Time, which has a 5 minute time limit. It doesn't appear to be possible with non-SRM glitches. If we create a new file with an arbitrary filename, the intro uses almost all of our 5 minutes and we have no time to do anything. So the only hope is to find a way to get a useful SRM effect without using our filename at all.The method shown in this video is a form of LightNode SRM (docs.google.com/document/d/1Xf0mTcGwxbuBBFX1TYhKuRdfdH34wW9492RN-1YmIUM/edit), but unlike all previous LNSRM, we use our Controller 1 value instead of our filename to determine where to write to. Doing this has the restriction where we can only write the value 00000000, but this is surprisingly still enough to beat the game. It also has the practical difficulty where we have to cross a loading plane while holding an exact joystick value.0:00 Load the JP Brawl child save. Note that their are minor differences between the JP/US/PAL save files - each one has different permanent rupees collected, and therefore needs a different heap manip than the others. But apart from needing a different heap manip, this should work on the US version too. Also, all versions have sword, shield, 50 rupees, and no nuts, so we do have to buy nuts first.00:48 Heap manip is as shown for the JP version. Note that you must get low enough on hearts to enable critical camera. It's also important that you use navi here before getting return A.02:43 Drop the rock with angle DDF8, DE58, or DE5C. This makes it so that the lightnode ramwrite will look at your controller 1 inputs and then write the value 00000000 wherever they point.2:56 Cross the load plane while holding the following inputs on Controller (from the N64's point of view): A, C-Up, C-Right, X=8, Y=-36 (unless your angle was DE5C, in which case it will be Y=-40). Normally when holding these inputs Link will move downwards towards the camera. Also if Navi wasn't cleared earlier then this will call her and softlock the game. (To work around this softlock I used the tas-only workaround of crossing the load plane while Link is slashing, which makes the C-Up input not call her.)2:58 Now that the ram write has occurred, we have made it so that whenever you game over and return to title, instead of loading the title screen, it will play cutscene FFF3 at the current entrance. There are a few specific entrances where this will warp to credits. One of these is Death Mountain Trail from Kakariko Village, so that's where we want to go next. We can't get there normally without going over the time limit, though. Fortunately there's an indirect path: If we enter deku tree and die, Deku Tree with cutscene FFF3 will wrong warp us to Dondongo's Cavern.3:37 Now that we are in DC (and also in title file, incidentally), we have two goals: go to kak and back to set our current entrance to entering DMT, and die and return to title after doing so. We can work on both of these goals at the same time, and take advantage of the 50 bombchus that title file has to die as quickly as possible. Timing is extremely tight, but if all goes well, we can see the DMT credits and enjoy our victory... for a couple seconds, before the 5 minute timer expires and kicks us out again.If you consider the Brawl premade files to be a valid starting state for OoT, then this is technically the fastest way to beat the game. :D
Ocarina of Time Any% PB in 8:20 (Dolphin) MrCheeze 2021-07-28 | My best run since Dolphin was updated to support the hardware bug used in the new oot route (see thread: twitter.com/MrCheeze_/status/1418307382728437762 ). Uses safer strats (and of course much worse execution) than actual speedrunners, but I'm very happy with this run by my standards.Also, accidentally got RNG rupees since I needed 1 rupee from rocks but they gave me 6, lmao.*sum of best mentioned in chat at the end is wrong, it's actually 8:18.55. misread a number and didn't sanity check
Ocarina of Time - N64-Compatible Persistent Ram Editor MrCheeze 2021-07-04 | crazy man runs around in the woods for 20 minutes then solves a sudokupastebin.com/3ynUe6Yxpastebin.com/yL73GZHQ
Ocarina of Time - Fast Lightnode SRM for title file and age change MrCheeze 2021-06-22 | This is an improved version of the strat shown in this video. youtube.com/watch?v=dkWbRncjoj4It works exactly the same way, using one arbitrary ram write to get the game to keep writing to another address in order to corrupt cutscene data. I thought it wasn't possible to do this in Hyrule Field because it looks like the game is softlocked with you sitting on the horse. But it turns out you can still pause and save. Ooops.Filename (NTSC 1.2) - 80365834 8011DD08
Ocarina of Time - Credits Warp (ramwrite method) for N64/Wii/Wii U MrCheeze 2021-06-20 | The fastest way to beat OoT is on the Gamecube. This is because in that version only, they made it possible to play back a recorded video file of the credits with a single function call.Despite the useful LightNode arbitrary ram write technique being discovered since then (docs.google.com/document/d/1Xf0mTcGwxbuBBFX1TYhKuRdfdH34wW9492RN-1YmIUM/edit), we have not been able to find any faster way to trigger the credits. Still, lightnode offers the opportunity to speed up other consoles so that they're not as far behind GC as they were before.The basic idea of this route is this:When you load the title screen, all cutscenes that CAN play in Hyrule Field are loaded into memory, including one mid-credits cutscene. Because most areas (including Kokiri Forest) are smaller than hyrule field, those stale cutscenes actually remain in memory, unused, even after you create a file and start playing in it.Certain scenes, such as Deku Tree, have a cutscene that automatically plays when entering them for the first time. Using lightnode SRM, we can edit the entrance cutscene table, so that entering the dungeon plays a cutscene located elsewhere in memory - specifically, we can point it at the hyrule field credits cutscene which was never overwritten.NOTE: There the credits cutscene data actually WILL be overwritten if you ever pause indoors. If you do a run with this route, you must make sure to ONLY pause in the kokiri forest scene, nowhere else. Otherwise the game will just crash with a black screen on entering deku tree.This method theoretically could work on any version, but the setup here is for NTSC 1.2 for the sake of Wii and Wii U VC compatibility. (Lightnode doesn't use any ACE, so it works just fine on VC.)- Filename: 80366F70 800F037C (ラをニヌラか3モ)- As usual for lightnode SRMs, do Savestate's heap manip and Tsundere's angle setup: youtube.com/watch?v=Udk4ckbeucY- Do not pause indoors do not pause indoors do not pause indoors do not pause indoors*- Enter deku tree, win (I think timing ends here? it's kind of nebulous when exactly the credits start with this route)*shoutouts to MiT Epona who tried doing runs before we figured this out
Ocarina of Time - Gain control on the title screen SRM (ram write edition) MrCheeze 2021-06-19 | In the previous video (youtube.com/watch?v=JGJ8cklIsU0), I showed that we could leverage arbitrary ramwrite techniques to get the game to keep writing to an address of our choosing, each frame. Here I show another application of that technique, intended for a speedrun category with the following ruleset:* No wrong warp (in a strict sense, so that there's no loopholes to skip to the end of the game somehow)* Item generation/manipulation allowed* Arbitrary ram writes allowed* Taking control on the title screen, and modifying cutscenes to end them prematurely allowedAfter doing a lightnode SRM with the filename 80381C94 8011DD08 (ラぁてゲラくy8), the game will constantly write a negative number to address 80381C94. This is the address where the twinrova title screen cutscene is stored, and placing a negative number will cause that cutscene to end instantly, giving the player control. This conveniently also ends attract mode so you can then travel to Ganon's Castle (or wherever you want) without accidentally doing any wrong warps that would make the run invalid.(I wasn't able to find a way to do this that doesn't require waiting through the title screen, sorry.)
Ocarina of Time - turn master sword into light arrows SRM MrCheeze 2021-06-14 | Three months ago, I found a new SRM application was discovered that allows us to write an arbitrary value to an arbitrary ram location, which most people are calling "Lightnode SRM". (For more info, see Savestate's writeup docs.google.com/document/d/1Xf0mTcGwxbuBBFX1TYhKuRdfdH34wW9492RN-1YmIUM/edit and heap demo youtube.com/watch?v=Udk4ckbeucY .) This has many powerful applications, including making a persistent RAM editor (youtube.com/watch?v=J95D-gPBDuc).Here, I demonstrate another effect that be achieved with lightnode SRM. Normally, beating Ganondorf is completely impossible without light arrows, as they're the only attack that can stun him - and getting light arrows legitimately takes a very long time, since they require spirit and shadow medallion to obtain, and magic and a bow to use them. But with arbitrary ramwrites, we can actually modify the "type" of damage that other weapons do. In particular, we can make it so that jumpslashing with the master sword has the light arrow damage flag set, which lets us bypass the need for light arrows entirely.This application is intended for use in a hypothetical "No Item Manipulation/Wrong Warp" category with SRM allowed, also known as "GSRM". For it to be useful, the ruleset needs to be something along the lines of:- No Wrong Warping of any kind (so the only way to beat the game is to defeat both Ganondorf and Ganon in Ganon's Castle).- No item manipulation of any kind. In particular, no generating light arrows, or their prerequisites (Zelda's Lullaby, magic, bow, quiver, shadow medallion, spirit medallion).- SRM is legal- Arbitrary ram write is legal (we don't have a method that doesn't use it)For me, these restrictions are interesting because it makes us see what SRM can do without the common "major effects" (free items and warps), and also leads us to finding new tech. But the resulting route also ends up having some rare OoT tricks because of all the items it skips.Editing the master sword jumpslash damage bits is unfortunately not as simple as writing to them directly with Lightnode SRM. Doing this IS possible, but they reset back to their original values whenever you change scenes. Instead, we need a way to persistently overwrite the damage bits every frame. Fortunately, there is a way to do this (all addresses are NTSC 1.2):- Using Lightnode SRM, we can use the filename "803AB54C 8011DD08" (ラぅKぢラくy8) to write the value "803AB54C" to address 8011DD0C.- Address 8011DD0C is a pointer. I don't know what its original purpose is, but every frame, the game writes the value "8011E038" to wherever it points.- Address 803AB54C is where the "master sword jumpslash" damage bits are stored. So after doing this SRM, those bits are constantly being changed to "8011E038". This value includes the bit for light arrow (00002000) as well as various other bits. Unfortunately, the other bits in this prevent master sword jumpslashes from doing damage to most enemies in the game, so we have to use normal slashes for almost everything.- After doing this SRM, we can no longer reset the game without the game reverting to normal, so the only way to savewarp is to get a game over and return to title.Timestamps for various events in the video:0:00 Filename entry2:14 Rupee collection (all permanent rupees must be collected)3:54 Heap manip proper begins (see Savestate's video above)5:24 The lightnode SRM (using Tsundere's ACA0 angle setup). Note that we have to void out afterwards - walking back into the village crashes for some reason.Not shown: Getting 10 bombchus early from Bottom of the Well; door of time clip.5:59 Reverse door of time skip via game over savewarp (because we can't reset after doing the SRM).Not shown: Getting more deku nuts for Ganon, and a hylian shield for the hover into Ganon's Castle. (These can also be routed in earlier.) For the hover that I do, I also have to get hookshot, but I've been told that other hovers are possible that don't need it.6:44 Badly hovering into Ganon's Castle (and like I said, this should ideally be replaced with a no-hookshot hover if possible).7:45 Standard Armos trials skip due to minimal items8:23 Just climbing ganon's tower without access to jumpslash damage, nothing special...10:58 The point of it all: The Ganondorf fight with sword only. First, a standard setup to make him throw the tennis ball at you while you're on the middle platform, which makes it so that he always gets hit by the first rebound. Then, the light arrow jump attack itself - note that it's totally possible to miss him entirely here if you don't space it right. Once he's stunned, getting ISG and walking into his body will stunlock him - but it's important to do a regular slash before getting ISG for it to damage him properly.11:59 collapse (boring)15:56 Ganon phase 1 (deku nuts)17:00 Ganon phase 2 (master sword, but without jumpslashes)
Majoras Mask 3D - Moonwarp SRM (citra) MrCheeze 2021-03-14 | See Iwabi's video for the first time this was done on an actual 3DS: youtube.com/watch?v=ZuFs0w_msyASee my twitter thread for more background info: twitter.com/MrCheeze_/status/1370950926299713538Setup:Save at the Deku Palace owl statue with bombs and bombchus ALREADY equipped on the X and Y buttons.It should also be first cycle for the timing cues described below to work properly.Reset the game to restore the heap to a clean state for the heap manip.On the title screen, wait until the clock town scene, then load your file.Triple slash clip into the palace. Line up against the wall under the bridge.At 5:43 (not exact), take out a bomb and drop it.Home buffer until EXACTLY 5:47. Then home buffer one more frame. Then, hold Y and Z into the subsequent frame to instantly shield drop a bombchu.At 5:53 (not exact), open the gear/mask/item menu, and highlight an empty item slot, and a non-empty item slot. (This should be your first time doing this since restart.)Close the menu, drop a bomb, and slash.At 5:58-5:59, home buffer until the frame where the bombchu is flashing red and just barely overlapping with Link.Hold L, R, and A into the next frame to grab the bomb with a long delay. Make sure to let go of R during the night transition or your SRM will be lost!Enter the left room of the palace, but facing away from it - if you look at the scrub near the heart piece before doing the following setup, the game will crash.Target against the frame of the door, and wait until exactly 6:39.Start backwalking, and shield drop on the frame that I will do. If done properly this will make it so that the X and Y positions written into the deku guard via SRM will have a specific float-exact value.Hurry through the palace garden, but make sure not to get caught - the guard positions are unfortunately RNG.If the deku guard was SRMed correctly, he will be running through walls, soon to reach out of bounds. If you manage to catch him before it's too late, he will warp you straight to the moon!Big shoutouts to the various contributors to this strategy. See the twitter thread above for more info.
really depressing and naive MrCheeze 2021-03-04 | Recently, nim discovered a wrong warp glitch in SM64 that involves taking a teleporter and unloading its area at the same time. When that happens, the N64 crashes due to null pointer exceptions, but VC ignores the crash and continues. In that case the warp continues but with the parameters for the warp coming from weird places.youtube.com/watch?v=YduutOI7uxYHe also noticed that some of the achievable params on PAL and Shindou trigger the credits cutscene in whatever level you arrive at. This crashes for multiple reasons (mainly rendering stuff that isn't loaded properly), but there was some hope that these crashes could be prevented.This video uses some minor hacks to show what would happen if we trigger the credits cutscene to play, and NOT crash, after an (also hacked) wrong warp. Unfortunately, the credits sequence still cannot play out in full. If you manage to make it to the part of the cutscene that changes levels, it will try to warp you to an invalid level and therefore boot you out to the title screen. From what I've seen of the code, this seems to be totally unavoidable.Jury's still out on whether the wrong warp glitch can be made to have any useful effect at all, even the ones that don't trigger credits cutscene. Right now it is known that a wrong warp from Wet Dry World to Wet Dry World is possible (yes really, the destination is just a coincidence), and WDW to Jolly Roger Bay should also be possible without crashing. There are many restrictions on the glitch so it's quite possible that nothing else works.
Majoras Mask 3D - Dry Bomb SRM (SRM Almost Anywhere) - non-first cycle setup MrCheeze 2021-02-18 | See Willdelum's info for more info on dry bomb SRM. youtube.com/watch?v=EEQhKVPdWyUSee Gaby's video for how to do this without bottle: twitter.com/gabyelnuevo/status/1362671838850072578For this setup:- Take out a bottle.- Home buffer (or in my case, frame advance) until the frame that the clock turns 5:54.- Buffer A into the next frame to trigger the putaway animation. (this is used just to time an exact number of frames)- Exactly 17 frames later, the A button with Put Away on it will disappear. Buffer X/Y into the next frame to drop the first bomb.- The rest of the setup proceeds the same as in Willdelum's video. Drop a second bomb (timing doesn't matter), take out the bottle again, and grab the bomb on the last frame possible. If done correctly Link will SRM after the night transition.(In theory, bow should also be usable instead of bottle in all cases. The putaway animation is all we need, and as far as I know it's the same for both.)
Majoras Mask 3D - Wet Bomb SRM MrCheeze 2021-02-16 | This is ridiculously easy to pull off - all you have to do is take out a bomb in water, half a second or so before a night transition.When a bomb touches water, a timer is set that will cause it to be killed about half a second later. If this timer ends during a night transition cutscene, then Link will will be frozen on the frame that the bomb is killed, and will not realize that he needs to drop his hands - and so SRM is achieved.Extra technical note:In MM3D only, having Link be frozen during one frame (the one where the bomb is killed) is enough to cause SRM. The reason for this is that in MM3D, free'd memory gets immediately set to CCCCCCCC, but in all other zelda64 engine games, freed memory does not get overwritten until something else loads in its place.Update: Turns out you can even be above the water and still do this: youtube.com/watch?v=eOgZf_GfSjI
Spaceworld Deku Tree MrCheeze 2021-01-29 | Pretty complicated for a tutorial dungeon!(Map converted by Zel, as part of a restoration being worked on by him and others. I just contributed a few fixes to actor params and such to get the puzzles working properly.)
Phoenix learns about huskies (objection.lol) MrCheeze 2020-12-31 | True story.For more Husky facts, check out Oceanfalls (oceanfalls.net)
Ocarina of Time - Current Buttons SRM as adult in lost woods (using the skull kid memory leak) MrCheeze 2020-10-20 | Based on the principle shown in this video, we can waste arbitrarily high amounts of memory in lost woods (though only in certain sized blocks).youtube.com/watch?v=gljPx0UM2zoUsing that, plus a bug bottle for heap manip, a fish with code to call, and a bomb to superslide, we can achieve an SRM to edit our current button items. (NTSC 1.2)This heap manip is somewhat tricky, the details are as follows:- Spawn from goron city- Go more than halfway through the tunnel, so that both rooms are loaded, but the game thinks the "main" current room is the goron city room.- Wait for the one active skullkid to shoot all 7 sets of 3 needles and despawn.- Unload the skull kid room and return to the same spot in the tunnel.- Wait for the one active skullkid to shoot all 7 sets of 3 needles and despawn.- Unload the skull kid room, destroy the bush that I do, and return to the same spot in the tunnel.- Wait for the one active skullkid to shoot 3 sets of 3 needles.- Drop bugs, then fish (the fish overlay will be at address 801F8F90).- Recapture the fish- Load the main entrance room- Return to skull kid's room- After unloading the entrance room, but before the skull kids shoot any needles, drop fish.- Wait for the skullkids to shoot 1 set of 3 needles.- Load the goron city room.- Superslide off the bush that I do, and take it back to the entrance room.- Angle setup for 9170 as shown.- Enter the skullkid room.- Wait for the skullkids to shoot 7 sets of 3 needles, between them.- Load the goron city room and drop the bush.You are now in Item SRM mode. Depending on the angle of the now-invisible bush, your B and C buttons will change to different items, as per this chart:docs.google.com/spreadsheets/d/1SLJzamokLb7wDOaJh5x8DsxmMBy9oIYawyDN3dAWppw/edit#gid=1897587968
Ocarina of Time - Language Change SRM without Goron Bracelet MrCheeze 2020-10-17 | NTSC 1.2shoutouts to epona youtube.com/watch?v=VeTVo1lv7qg
