Ocarina of Time - Fast Lightnode SRM for title file and age change
MrCheeze | 2021-06-22 | This is an improved version of the strat shown in this video. youtube.com/watch?v=dkWbRncjoj4
It works exactly the same way, using one arbitrary ram write to get the game to keep writing to another address in order to corrupt cutscene data. I thought it wasn't possible to do this in Hyrule Field because it looks like the game is softlocked with you sitting on the horse. But it turns out you can still pause and save. Ooops.
Filename (NTSC 1.2) - 80365834 8011DD08

Paper Mario - Block clip applications
MrCheeze | 2022-09-06 | In Paper Mario, you can clip onto any block (?/brick/save/heart) using ultra boots. If the block is angled diagonally, you can do it fairly easily by standing still, which is why the Bowser's Castle clip has been known for many years. Doing it on an orthogonal block, though, is much harder and requires moving from the corner of a block to its side with perfect timing. The inputs for this were only recently discovered by Bonecrusher.
This video shows off known applications of this glitch. Some might be good for TAS timesaves, some allow reaching items in PM64 randomizer, and some may not have any practical use but still do SOMETHING.
Note that although the last clip shows a new way to retrigger prologue or get sushie glitch, it crashes all versions of the vanilla game except for the Wii VC release. See JCog's thread for info: twitter.com/JCog_/status/1565784030309744645

Paper Mario - Itemless NPC Clipping
MrCheeze | 2022-09-01 | (Recommend watching at 2x speed)
It's been known for many years that in Paper Mario, hammering when squeezed between an NPC and a wall will clip you into the wall. Spin Jump and Tornado Jump also have the same effect. The reason for this is that wall collision is temporarily disabled during those actions (see here: youtube.com/watch?v=h2c8VG54270 ).
This is pretty nice in itself, but it would be nice to be able to do it without needing any items at all. As it turns out, we can! It seems that every useful NPC clip can be done just by talking to the NPC while squeezed close enough between them and the wall, or even just by turning Mario around. (Actually, I think the reason talking to NPCs even works is that it makes Mario turn instantly, but I'm not sure about this.)
A speedrun would generally always have Hammer anyway, but this is pretty useful for Paper Mario Randomizer. In particular, the itemless entry to Toy Box and escape from Goomba Village seem like they would come up frequently when playing randomizer with glitches. Most of the others are useful for rando as well.
Note that some NPC clips require using Bombette to push an NPC somewhere else, and Bombette is still required in those cases. It's only doing the clip itself that never needs any item.
This video features the following:
- goomba village escape
- black toad skip
- sushieless toad town star piece
- oaklie skip
- blue house skip
- toybox early
- storeroom early
- yellow, red, bubble, blue berry gate skip
- murder solved early
This actually obsoletes several of my recent videos, which show other ways to goomba village escape and toybox early that require items/partners.

Paper Mario - Early Toy Box (new easier Parakarry method)
MrCheeze | 2022-08-31 | A few days ago, I posted an extremely difficult way to Toy Box that only requires Parakarry and no hammer ( youtube.com/watch?v=8Uuq2drYNqA ). Unfortunately it was extremely difficult to do in realtime.
However, just today, NaterTater discovered that NPCs can push you through walls when you're using Bow, Parakarry, or Kooper's ability. (We already knew they could do this when using hammer, spin jump, or tornado jump, but this was a new discovery.) Which means that you can use the already-known NPC Clip method to get into toy box instead. The only extra difficulty is that you have to cancel Parakarry's ability before he lifts you up too high.
Incidentally, you can also use this kind of npc pushing to escape from Goomba Village without a hammer, if you have Bow or Parakarry.

Paper Mario - Sun tower rock skip (Parakarry version)
MrCheeze | 2022-08-29 | This is already possible without any items/partners ( youtube.com/watch?v=lXa9LFyCdgA ), and it's unclear whether the Parakarry version can be made any easier than the original - it requires moving to a precise position as the camera is still in the middle of rotating from Mario entering the cubbyhole.
Still, this is interesting if nothing else for our theoretical understanding of Parakarry clips. It seems that the best-case scenario for clipping with him is for there to be a corner that's aligned along the X and Z axes, but for the camera to be angled (so that parakarry moves diagonally). This situation can happen at the sun tower, and it's also the principle behind the following:
- Clipping into the corner of the southern toad town shop (toy train / toybox early): youtube.com/watch?v=JJtoYASHwq4
- Deep focus outside Bowser's castle early: youtube.com/watch?v=CqJa3GzUTMM
- Repel Gel in the prologue stone block: youtube.com/watch?v=6SSP3qZwvQc (actually, the corner is not quite along the X/Z axis for this one)

Paper Mario - Early Toy Box (Parakarry Method)
MrCheeze | 2022-08-24 | The clip onto the outside of Harry's Shop is already known, but is used just for getting the Toy Train early. But I've never seen anyone use it to get into the toy box itself.
Which is understandable, since 1) there's an easier early toy box that only requires hammer or ultra boots, and 2) moving along the outer edges of the buildings without clipping in or out of them is pretty difficult. Especially with the diagonal camera angle that you have to use. Still, it might be possible to make this more consistent somehow.
This is only really useful for randomizer, in the rare situation where you have Parakarry, but not Hammer or Bow or Ultra Boots.

Paper Mario - Star Stone via Sushie Glitch
MrCheeze | 2022-08-23 | Encountering an enemy twice during Sushie glitch, and swapping partners the second time, gives you "clippy" so that you can clip out in the corner to the Star Stone.
You can also get clippy the normal way with Laki, which lets you reach the star stone as well.

Toad Town Sushie Glitch
MrCheeze | 2022-08-23 | This is a truly legendary glitch in the Paper Mario community. It was done exactly once on console, without video, many years ago... and then nobody was ever able to replicate it again. And not for lack of trying, either.
Well, with careful study of the game's code (thanks decomp!) plus some experimentation, I finally understand the conditions that allow it to happen. Take a look at this diagram of the dock: https://i.imgur.com/ToozTZu.png To understand what's going on and what these lines mean, I need to explain how the process for mounting Sushie when you press c-down works.
1. The game casts a ray from Mario, in the direction he's facing. If there is a wall within 26 units of him in that direction, then we are allowed to proceed to the next step, otherwise you can't get on Sushie. Note that even though it looks like Mario can only face left or right, internally he has a full 360-degree angle. This angle is only set when moving in a direction on the ground. Also, to be clear, the edges of the dock are walls. In the diagram, the brown line is 26 units away from the bottom-left dock edge. This means that the area below the brown line shows the area where mounting Sushie is possible (at least when Mario is facing perfectly diagonal down-left).
2. The game decides which of the edges of the dock you are using. Surprisingly, this has no relation to the wall detected in Step 1. Instead, a ray is cast from the center of the dock towards Mario, and this ray continues until it hits a wall. Whichever wall is hit will be the side of the dock that you use. (If a non-dock wall is hit, you don't get on Sushie.) In the diagram, x marks the center of the dock. Which means the area above the green line shows the area where (if Mario is standing there) the ray will hit the top-left side of the dock in this step.
3. Sushie is placed in the water. She is placed 40 units away from Mario - at a diagonal up-left angle if we hit the top-left side of the dock in step 2, and at a diagonal down-left angle if we hit the bottom-left side. Actually, even though she's placed 40 units away, she will clip into the dock if she's placed within 9 units of its edge. In the diagram, the purple line is 40-9=31 units away from the top-left edge. Which means, if Mario is to the right of the purple line and mounts Sushie using that edge, then she will clip into the dock.
So now we can put everything together and consider what happens if we press c-down in the tiny little triangle in the diagram, where the lines nearly intersect. (Enlarged: https://i.imgur.com/T4DzCfw.png ) First, the game does the initial check that there is a wall within 26 units of us in our facing direction. We are facing down-left, and are below the brown line, so we detect the bottom-left dock wall and this step passes. Second, the game casts a ray from the center of the dock in the direction of Mario. This ray hits a wall that is a dock edge (the top-left one), and so we will be getting on Sushie via the top-left wall. Third, the game places Sushie diagonally up-left from Mario. We are so far away from the edge (i.e., to the right of the purple line) that she ends up clipped into the dock instead, and we have Sushie glitch!
Now that we've finally figured out the conditions, it's not surprising that this glitch evaded the community for so long. The precise position is bad enough, but if that was all, I'm sure someone wandering on the dock and mashing would have gotten it again eventually. But Mario's secret internal angle ALSO mattering (which we didn't know about back then, and wouldn't have guessed was relevant now), makes it way too unlikely to luck into again. Only reading modern documentation and testing to work out the EXACT steps Sushie follows was enough to get it done.
As for actually doing the glitch in practice, here are the steps I use:
Step 1: Set Mario's internal angle to down-left, by making sure the last direction you moved on the ground was in that direction. An easy way to do this is by jumping while your stick is in the diagonal position.
Step 2: Using only midair motion, line Mario up against the wall in this position: https://i.imgur.com/FWivnjG.png
Step 3: Move Mario perfectly to the left, again only moving during jumps, until you get here: https://i.imgur.com/tYAoLg0.png Then press c-down to get on Sushie. Note that it's safe to press it if you're still too far right, nothing will happen. If you get on sushie but don't clip, you're off in a different direction.
Step 4: Explore! This glitch is more famous for its irreproducibility than for its usefulness, but still: Along with stealing the Odd Key and Toy Train as I do in this video, it's also possible to explore:
- All of prologue
- Chapter 1 up to the Koopa Bros. Fortress door (even if the bridges are out): youtu.be/DzKI_7RGt7E
- Chapter 3 up to Tubba's Castle door: youtu.be/D48s7f8ivVA

Bypass Goomba Village yellow block from right (Itemless!)
MrCheeze | 2022-08-19 | Previously I showed that you could bypass from the east if you have Super/Ultra Boots, Bombette, Parakarry, or Lakilester: youtube.com/watch?v=f1jOnrlu4Po But it turns out that none of those methods are needed, there's a very easy way to do it with no items whatsoever.
In randomizer, this means you can get from a Toad Town spawnpoint to Goomba Village with ZERO item requirements! At least as long as you're able to do a difficult oob to cross the Goomba King bridge in reverse: youtube.com/watch?v=f9vkKj9MMRc

Bypass Goomba Village yellow block from left (NPC Lure + Super Boots)
MrCheeze | 2022-08-19 | Another thing, mainly for rando.
By quickly tapping in and out of Goompapa or Goombaria's talk radius, they can be lured all the way to the right next to the yellow hammer block. This technique is known as NPC Luring. ( papermarioarchives.com/#/NPC_Luring )
As explained in this excellent video by Gorialis ( youtube.com/watch?v=h2c8VG54270 ), using a Hammer/Spin Jump/Tornado Jump will disable the collision of walls, but not the pushback of NPCs, which lets us clip through the wall here. Doing it with hammer is obviously useless, but Super or Ultra boots both let us bypass the block without a hammer.
There are a few other ways past this block:
1) Bombette has buggy behaviour on yellow blocks, and sets the flag for their destruction without breaking them immediately: twitter.com/MrCheeze_/status/1511910864282173441
2) A fairly easy Laki Teleport: youtube.com/watch?v=DPXLjSEEnBk
3) It's actually already known that this NPC clip into the block can be done totally itemless by talking to Goombaria, instead of spin jumping, but it seems very difficult and also I don't understand the theoretical reason why it's possible.

Paper Mario (rando) - exploring Gusty Gulch with Sushie Glitch
MrCheeze | 2022-08-17 | In randomizer, you can get Sushie Glitch in prologue and bring it all the way here. In vanilla, there is no known way to do this, but it is suspected that sushie glitch is possible to get in toad town (but undiscovered).
In any case, once you get Sushie here, it's possible to get all the items in Gulch, or to cancel the glitch and enter Tubba's castle.
Note that it is necessary to avoid the Tubba cutscene, it softlocks when you're riding Sushie. And it's somewhat difficult to avoid.
A few other things are possible by bringing sushie glitch from prologue, which I didn't show in this video:
- Goomba King without hammer
- Odd Key without blue house skip
- Toad Town storeroom items without storeroom key (or without hammer/parakarry to glitch in)
- Getting past the first bridge in Pleasant Path without having hammer/bombette to shake the tree

Bypass Goomba Village yellow block from right (5 methods) [OBSOLETE]
MrCheeze | 2022-08-16 | Hammer, Super Boots, Bombette, Parakarry, Laki all work. For use in rando after doing one of these: youtube.com/watch?v=iZ1_CBEKUrg youtube.com/watch?v=f9vkKj9MMRc
Jumping on the block from the left doesn't seem to be possible, so Hammer or Bombette must be used if coming from that direction.
UPDATE: No items/partners are needed, just do this instead: youtube.com/watch?v=gClrnYAbF0Q

Ocarina of Time beaten with only 2 items! (low% LOTAD)
MrCheeze | 2022-08-15 | Using some discoveries made in the last year, it is now possible to beat Ocarina of Time with only two items to escape the forest, achieve SRM, and use that SRM to run some ACE code that beats the game.
Reducing low% below this item count seems difficult or impossible, because:
1) SRM cannot be achieved while trapped in the forest using only one item from the forest.
2) All known methods of forest escape require obtaining at least one item (fairy ocarina/shield/sword/stick)
3) There is no known way to SRM using only one of the items from 2).
Setup is for Japanese NTSC 1.0 on the N64.
Uses the following tricks:
Shield-only aqua forest escape, by Jolin: youtube.com/watch?v=fzNgPknkguI
Cucco dive with pots
Itemless well chus using Skullula elevator, also by Jolin: youtube.com/watch?v=ISKHAF_RSQ0
Dodongo's cavern eyes with bombchus: youtube.com/watch?v=LY1cg-85r_c
Dodongo's cavern shield+bombchu ACE setup by me.
Routing and other nonsense by nataliahasdied because I didn't know those first two things were even possible.
All of this should be possible RTA, although some of it is tricky, and it does require an exact joystick position.
Extra notes on the ACE setup:
12:03 Heap manip begins on exiting the boss door.
12:39 The third bombchu is dropped on an exact frame, and from a somewhat precise position, in order for its final XY coordinates to form a jump instruction in memory ("jr t3") at address 801EFB24. For example in the video, the X and Y coordinates make 01770088 which is such an instruction. (In fact anything of the form 01[67]XXX[048C]8 will work).
13:14 Angle setup for FB24, and then load the other room again. This corrupts the draw pointer of a pot in the other room, so that when the pot is visible, the code at 801EFB24 will run. The code there is "jr t3", which very conveniently jumps to controller 3. On controller 3, we hold Dpad up, cdown, and (105, 125) to form 0804697D, which is a jump to filename. And finally, in our filename, we have code to increment a "cutscene value" which determines what cutscene will play on the next scene load.
13:22 Turn around a few times like I do (while holding the controller 3 stuff) in order to run the code described in the previous step for exactly 6 frames. This makes it so that on the next scene load, cutscene FFF5 will play. On Hyrule Field, this is a credits cutscene, and we can load hyrule field by dying and returning to title.

Paper Mario - Climbing the ice stairs to Crystal Palace using Sushie Glitch
MrCheeze | 2022-04-08 | This is not useful in any way, because once you make it into Crystal Palace, there is no loading zone behind the door, and it's impossible to progress any further. Still, I thought it was interesting, and the way you have to do it is pretty surprising. For each set of ice stairs, you have to swim to the top a couple stairs at a time, and then do one long dive all the way back to the bottom again to "escape" from being inside the staircase while maintaining your swim height.
The only conceivable situation where this could be useful would be if a hypothetical PM64 randomizer (such as the new one: pm64randomizer.com ) added support for randomizing the loading zones between different regions. In this case, the last loading zone I take might lead not to Crystal Palace, but to somewhere else where having Sushie Glitch is actually useful.
If interested in Paper Mario glitches, you may also be interested in this recent discovery about hammer blocks: twitter.com/MrCheeze_/status/1511910864282173441

Super Mario Bros: The Lost Levels Speedrun in 5:55.1 (using SMW ACE)
MrCheeze | 2022-03-06 | This is the fastest ever completion of SMB2j at time of writing. Unlike the runs that have been done before, this speedrun only works on the Super Mario All Stars+World version of the cartridge. This is because we switch games to SMW in order to use ACE to modify the save file to unlock all levels, as well as enable debug mode. Afterwards, either 8-4 or D-4 can then be used to beat the game, but I beat D-4 because the level is shorter and simpler (even more so when using debug mode noclip).
This is exactly the same ACE used by SethBling for this SMB2 (USA) speedrun: youtube.com/watch?v=1hiyFV68KCs The ACE payload is "MVN/MVP $40F0; RTS". The reason such a simple payload can do so much is that it is a "block copy" opcode. Basically, it copies memory addresses $400000-$4000FF over memory addresses $F00000-$F000FF. The former is "open bus", which in this case means that it acts like it just contains the byte #$40 repeated forever. The latter is the save file for File A of SMB1, SMB2j, SMB2, and SMB3. Which means that this very short four-byte ACE has all of the following effects:
- Enable debug mode (which is done via a byte in the save for some reason)
- Unlock every world in SMB1 file A
- Unlock every world and level in Lost Levels file A (only this game lets you start somewhere other than the first level of each world, due to its difficulty)
- Unlock every world in SMB2 file A
- Unlock every world in SMB3 file A
Note that all of these effects will be lost when you next reset/power off the cartridge, due to some corrupted checksums.
This SMW ACE setup is fast enough that this is the fastest possible way to beat Lost Levels and SMB2. For SMB1, the ACE is slower than just beating the game normally. For SMB3, there is a different ACE that takes longer to set up, but skips having to play the last world and just credits warps in SMB3 instead ( youtube.com/watch?v=Sq-ZLlMCQvU ).
The timer shown in the video is slightly off because I started the timer two seconds before the official start of timing (pressing start on the lost levels title screen), and several seconds after the official end (touching the axe).

Arwing ACE payload for NTSC 1.2 (N64, Wii, Wii U, Switch)
MrCheeze | 2022-01-27 | Using the method shown in this video youtube.com/watch?v=qe7JSRwF86E , we can achieve total control ACE relatively quickly from a new file.
This video shows a modification of my Arwing payload that works on 1.2, so that it can be used with that method.
To use it, follow the instructions from that video, but at 8:31, enter this payload instead of the one I use in the video: pastebin.com/8Lhznv7p

Crazy Lightnode SRM strat for Title File on Wii VC
MrCheeze | 2021-12-07 | This is a slightly faster method to load the title (debug) file on JP-region Wiis. The effect in the video doesn't look much different from existing methods, but some really crazy stuff is going on behind the scenes.
First of all the "setup":
- Use filename 80834D7C 90024550 (ラレづモョ2ごば)
- Do a standard heap manip for 1.2 lightnode and a standard angle setup for ACA0
- Drop hands and cross the loading plane three times to do the lightnode RAM write and load the withered deku babas. The deku babas will trigger a load of the title file while they're loaded.
- Do not load any more withered deku babas for the rest of the run (unless you save and reset the game first), attempting to do so will crash.
And now, how it works:
N64 ram is located in Wii RAM at Wii address 80E74000-81274000. So when the Wii emulates N64 code that tries to write to N64 address X, the Wii actually writes to Wii address X+E74000. No bounds checking is done here, which means that theoretically you can write to anything in Wii memory, not just N64 ram.
The lightnode SRM filename given here tries to write to N64 address 90024554. Writing there on a real N64 would crash or do nothing, but on the Wii, it writes to Wii address 90024554+E74000 = 90E98554. And this is actually within where the N64 *rom* is stored in memory. So what this RAM write actually does is modify the withered deku baba overlay, in ROM, so that their update function pointer has a value of our choosing. And we choose it to be the "load debug file" function.
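The translation described above, with and without a range check, as an added C example (not the emulator's code). The function and macro names are assumptions; the constants are the ones quoted on this page, and only the single RAM mapping the page describes is modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants quoted on the page. The names are hypothetical. */
#define N64_TO_WII_DELTA 0x00E74000u  /* Wii address = N64 address + E74000 */
#define WII_N64_RAM_BASE 0x80E74000u  /* start of emulated N64 RAM on the Wii */
#define WII_N64_RAM_END  0x81274000u  /* end of that window (exclusive) */

/* Translation as the page describes it: a bare add with no range check, so
   any 32-bit guest address maps to some host address. */
uint32_t translate_unchecked(uint32_t n64_addr) {
    return n64_addr + N64_TO_WII_DELTA;
}

/* 1 if a host address lies inside the emulated N64 RAM window. */
int in_n64_ram_window(uint32_t wii_addr) {
    return wii_addr >= WII_N64_RAM_BASE && wii_addr < WII_N64_RAM_END;
}

/* Hardened form: accept an access of len bytes only if all of it falls
   inside guest RAM. The guest base and size are derived from the page's
   numbers (80E74000 - E74000 = 80000000, 81274000 - 80E74000 = 400000).
   Comparing offsets instead of end addresses avoids 32-bit wrap-around. */
int translate_checked(uint32_t n64_addr, uint32_t len, uint32_t *wii_addr) {
    const uint32_t guest_base = WII_N64_RAM_BASE - N64_TO_WII_DELTA;
    const uint32_t guest_size = WII_N64_RAM_END - WII_N64_RAM_BASE;
    uint32_t off;

    if (n64_addr < guest_base)
        return 0;
    off = n64_addr - guest_base;
    if (off >= guest_size || len > guest_size - off)
        return 0;
    *wii_addr = WII_N64_RAM_BASE + off;
    return 1;
}

int main(void) {
    uint32_t target = 0x90024554u;  /* address the filename writes to (from the page) */
    uint32_t sample = 0x80123456u;  /* constructed in-range guest address */
    uint32_t host = 0;

    printf("unchecked %08X -> %08X (inside N64 RAM window: %d)\n",
           (unsigned)target, (unsigned)translate_unchecked(target),
           in_n64_ram_window(translate_unchecked(target)));
    printf("checked   %08X -> %s\n", (unsigned)target,
           translate_checked(target, 4, &host) ? "accepted" : "rejected");
    if (translate_checked(sample, 4, &host))
        printf("checked   %08X -> %08X\n", (unsigned)sample, (unsigned)host);
    return 0;
}
```
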
Note that there are several difficulties involved in making rom edits in this way:
- Only certain regions of the ROM are actually possible to reach using characters that can be typed in the filename - pastebin.com/jT2qZxei
- The rom data is compressed, so editing it to have useful results after decompression can be difficult. Fortunately the withered baba's update function pointer appears plainly in the compressed data, and so can be edited directly.
- The new function pointer that we write is NOT actually used directly. When the overlay gets loaded from rom into ram, it gets "relocated", which roughly means that a certain amount gets added/subtracted from it, depending on where the overlay actually loads (so, depending on the heap manip). The pointer we write only ends up pointing at the title file function with this particular heap manip, any other heap and it will just point to some random garbage location. This is why you can't load any more withered babas later on without the game crashing.
Finally, there is one important/funny disclaimer to this SRM as a whole, which is that it ONLY works on Japanese region Wiis - it will not work if you use homebrew to run the Japanese WAD without actually changing your Wii's region. The reason for this is the "you will need the classic controller" disclaimer screen at game boot. On a JP Wii, it will load a Japanese font and appear as normal Japanese text ( https://i.imgur.com/nLYGIJX.png ). For other regions, it will load a western font and display the glitched text ƒNƒ‰ƒVƒbƒNƒRƒ"ƒgƒ [ƒ‰.ª•K—v,Å,· B instead ( https://i.imgur.com/548Wcsb.png ). The size of these two fonts is different, and as a result the distance between the N64 RAM and ROM in memory will be different depending on which of the fonts is loaded. So if you want to use this SRM on what was originally a non-Japanese Wii, you need to use different homebrew that actually changes the Wii region.

Incomplete idea for moonwarp ACE as deku (for low%)
MrCheeze | 2021-11-26 | Using Turkenheimer's method (youtube.com/watch?v=pWRHSmdefFI), it is possible to use SRM to edit one instruction in the code that runs whenever the balloon explosion despawns.
It is difficult to get this to be a USEFUL instruction in practice, because the written instruction depends on your attached bubble's X and Y angle - and both angles are rounded so that only a few values are possible to achieve. (Possible values: pastebin.com/7trQENkV )
One instruction that CAN in theory be written is E5AEC360, which is swc1 $f14 0xC360($t5). When run in this context, this instruction will modify a variable in the blue bomber kid (Hugo) that determines where he will warp you if he is the fifth and final bomber to be caught. The particular value written - and therefore the destination of the warp - depends on Link's Z coordinate.
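How the data words quoted on this page read as MIPS instructions, as an added C example (not the author's tooling): the swc1 word above, plus the "jr t3" bombchu word and the controller 3 jump from the Ocarina of Time low% notes. Function names and the program counter passed to `j_target` are assumptions; opcode, register and controller bit values are the standard ones.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard MIPS opcode/register numbers and N64 controller button bits. */
enum { OP_SPECIAL = 0x00, OP_J = 0x02, OP_SWC1 = 0x39, FUNCT_JR = 0x08 };
enum { REG_T3 = 11, REG_T5 = 13 };
enum { CONT_DPAD_UP = 0x0800, CONT_C_DOWN = 0x0004 };

typedef struct {
    unsigned opcode; /* bits 31..26 */
    unsigned rs;     /* bits 25..21 (base register for swc1) */
    unsigned rt;     /* bits 20..16 (ft for swc1) */
    unsigned funct;  /* bits 5..0, meaningful when opcode == SPECIAL */
    unsigned imm;    /* bits 15..0 */
} mips_fields;

mips_fields mips_split(uint32_t w) {
    mips_fields f;
    f.opcode = (w >> 26) & 0x3F;
    f.rs     = (w >> 21) & 0x1F;
    f.rt     = (w >> 16) & 0x1F;
    f.funct  = w & 0x3F;
    f.imm    = w & 0xFFFF;
    return f;
}

/* "jr $t3" judged only on opcode, rs and funct; rt, rd and shamt are free. */
int is_jr_t3(uint32_t w) {
    mips_fields f = mips_split(w);
    return f.opcode == OP_SPECIAL && f.rs == REG_T3 && f.funct == FUNCT_JR;
}

/* The page's hex pattern 01[67]XXX[048C]8, checked nibble by nibble. */
int matches_page_pattern(uint32_t w) {
    unsigned n5 = (w >> 20) & 0xF;  /* must be 6 or 7 */
    unsigned n1 = (w >> 4) & 0xF;   /* must be 0, 4, 8 or C */
    return (w >> 24) == 0x01 && (n5 == 6 || n5 == 7) &&
           (n1 & 0x3) == 0 && (w & 0xF) == 0x8;
}

/* Both predicates depend only on bits 31..20 and 7..0, so trying every value
   of those bits (middle bits all-zero and all-one) is an exhaustive check. */
unsigned count_disagreements(void) {
    static const uint32_t fill[2] = { 0x00000000u, 0x000FFF00u };
    unsigned bad = 0;
    for (uint32_t hi = 0; hi < 0x1000; hi++)
        for (uint32_t lo = 0; lo < 0x100; lo++)
            for (int i = 0; i < 2; i++) {
                uint32_t w = (hi << 20) | fill[i] | lo;
                if (is_jr_t3(w) != matches_page_pattern(w))
                    bad++;
            }
    return bad;
}

/* One controller state as a 32-bit word: 16 button bits, stick X, stick Y. */
uint32_t controller_word(uint16_t buttons, int8_t x, int8_t y) {
    return ((uint32_t)buttons << 16) | ((uint32_t)(uint8_t)x << 8) | (uint8_t)y;
}

/* Destination of a J-type word: the 26-bit field shifted left by two,
   combined with the top four bits of the delay-slot address. */
uint32_t j_target(uint32_t w, uint32_t pc) {
    return ((pc + 4) & 0xF0000000u) | ((w & 0x03FFFFFFu) << 2);
}

int main(void) {
    uint32_t chu  = 0x01770088u;  /* bombchu X/Y word quoted on the page */
    uint32_t pad3 = controller_word(CONT_DPAD_UP | CONT_C_DOWN, 105, 125);
    uint32_t pc   = 0x80000000u;  /* placeholder: only the top 4 bits matter */
    mips_fields s = mips_split(0xE5AEC360u);  /* bubble-angle word from the page */

    printf("%08X: jr $t3 = %d, page pattern = %d\n",
           (unsigned)chu, is_jr_t3(chu), matches_page_pattern(chu));
    printf("pattern vs field check disagreements: %u\n", count_disagreements());
    printf("%08X: opcode %u, jump target %08X\n", (unsigned)pad3,
           mips_split(pad3).opcode, (unsigned)j_target(pad3, pc));
    printf("E5AEC360: opcode 0x%02X, ft $f%u, offset 0x%04X, base register %u\n",
           s.opcode, s.rt, s.imm, s.rs);
    return 0;
}
```

The page's pattern leaves free exactly the bits that lie outside the opcode, rs and funct fields, which is why a range of bombchu coordinates gives a usable word.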
In this video, I do the following:
- First, I pop the balloon to spawn an explosion actor.
- Then, I SRM the effect of editing the explosion's code with SRM, by simply hacking the instruction to be E5AEC360. (In reality, you would need to follow Tuerk's heap manip, then SRM here using the red bomber (Jim), while having your attached bubble have x angle E5AE and y angle C360, in order to edit the code.)
- Then I do a setup for a particular Z position. The setup is to line up against the wall, turn around without moving, hold Z, hold Z+left for 7 frames, then let go of Z and left at the same time. All this needs to be done in the short time before the explosion actor despawns.
- After the explosion despawns, you just have to catch Hugo (all the other bombers must be caught already) and if the setup was correct he will warp you to the moon.
It remains to be seen whether the SRM can be done in practice using Jim and the needed angle.
Note that even if everything works out and this is possible, it would NOT be useful for any%. Fighting Majora as Deku Link is extremely difficult and slow ( youtube.com/watch?v=CBVsbU3Ek2o ), not to mention the extra time needed to capture all the bombers. This WOULD, however, become the optimal route for low%, which strives to obtain as few items as possible. This route uses ZERO inventory items (and therefore zero pauses), with the only thing it obtains at all being magic. It would also make a fairly interesting challenge run.

Bombchu + Bomber Text + Night Transition SRM
MrCheeze | 2021-11-21 | Probably not useful, but good for documentation.
One idea to get SRM was to let a held bombchu explode during a night transition, and then let the actors that load at night load in its place, before Link has a chance to unfreeze and notice that his held actor is gone. Unfortunately this does not work, because Link unfreezes BEFORE the night actors load, and therefore drops his hands.
If you catch a bomber the last possible frame before a night transition, then Link remains frozen until after the night actors load, and so the idea actually works.
Based on Tuerkenheimer's work: youtube.com/watch?v=D1gSLSAEWL4

Majoras Mask - SRM in first cycle (Sakon method)
MrCheeze | 2021-11-06 | Recently, Tuerk demonstrated that SRM can be done using Deku Link's bubble, and therefore in first cycle: youtube.com/watch?v=D1gSLSAEWL4 Being able to skip having to play through the first cycle normally is the holy grail of MM glitch research, so this is a very exciting find. Turning it into a useful effect is definitely not easy though, with how few options are available for heap manipulation.
Here I demonstrate an easy method to get SRM using the same principles (although this exact setup is even more inflexible as far as heap manip goes).
First enter NCT on night of the first day. Stand in the corner and look in first person to despawn the bush cluster (En_Kusa2). Sidehop three times to the right and continue holding Z to get the camera into a specific position. Start charging a deku bubble right before the Sakon cutscene begins. (You can optionally let go of Z after starting to charge the bubble, but not before.) During the cutscene, Deku Link is frozen and will not notice that the bubble pops, and maintain his reference to it. Then, with this camera positioning, the cluster of bushes will load again at the very end of the cutscene and stay loaded - all still before Link ever had time to notice the bubble was killed, so he maintains his reference. A bush loads exactly where the bubble used to be and we can manipulate its position and rotation with SRM like a deku bubble.
Aside:
* Boomerang SRM writes XYZ position,
* Grab/Carry SRM writes XYZ position and Y rotation,
* Deku Bubble/Arrow SRM writes XYZ position and XYZ rotation.
So this is in some sense "more powerful" than previous types of SRM, though I don't know if that means anything in practice.

Inventory SRM for NTSC 1.0 and Rando
MrCheeze | 2021-08-19 | lol
Necessary items: Shield, Strength, Fish (not from the lost woods grotto), Bombs, Bombchus. It might be possible to remove the need for one of the two explosive types with a different heap manip.
At the end, you can do angle setup for either 8AD8 or 8AE0. If the former, the inventory slots that are edited will be light arrow, nayru's love, bottle 1, and bottle 2. If the latter, the inventory slots that are edited will be bottle 3, bottle 4, adult trade slot, child trade slot.

Ocarina of Time - Setting up Total Control ACE with Arbitrary Ramwrites, also a new 100% NSR route
MrCheeze | 2021-08-18 | The most powerful effects that we can achieve using SRM are arbitrary code execution (code modification) and arbitrary RAM modification (via methods other than ACE). Until now, though, we've only ever done those two things separately.
The core idea is still the same as in those videos - we eliminate one of the checks on filename length in file select, which serves the dual purposes of 1) giving us a space to type our payload, and 2) letting us corrupt various internal variables of a file select screen in a way that allows us to jump into the payload.
With that plus an optimized payload, we can complete 100% NSR faster than any previous method. Detailed setup for NTSC 1.2 (N64 or Wii U) below:
0:00 Create a new File 2 (not a file 1!) with the filename 803AB288 8000A260 (ラぅHァラ0ブキ).
0:20 Completely ordinary LightNode SRM setup up until dropping the rock with angle ACA0, as usual.
7:52 Cross the load plane three times, die to the deku babas, save, and return to title. The first time triggers the LNSRM - from now on, the game will overwrite a specific address every frame. Specifically, it constantly overwrites the address that the "check filename length" code will load in later on. The second and third crossing of the loading plane is just to get the babas to reload so that we can die to them.
8:18 Create a File 1 with the filename 803B2FA0 801DD928 (ラぇよバラとuま). Doesn't do anything yet, but this filename encodes a pointer to where we will be writing our ACE payload.
8:26 Go into File 3 name entry. Press c-right until 'つ' is highlighted and then enter 'ち'. Press c-left all the way and enter 'リ' four times.
8:31 Enter the ACE payload now. For 100% NSR, use this one: pastebin.com/qKju5TFn Press B to exit (don't create the file!). Now, our payload is sitting in memory. We just need a way to run it.
8:58 Enter and exit options, then go back into File 3 name entry. Press c-right until 'd' is highlighted and then enter '7'. Press c-right until 'a' is highlighted and then enter 'b'. Press c-right until 'b' is highlighted and then enter 'X'. Press c-left twice and enter 'い'. Blindly press up once, and then A. Wait for the file copy sound to play. The effect of this setup is to copy our File 1 filename over a location in memory that specifies what code should run when the file select screen UNLOADS. And we made it point to the ACE payload that we entered in the previous step. Which means now we can...
9:20 Blindly press down, A, and A again to load file 2. The unloading of file select will cause our payload to run once. As for what the NSR payload actually, it accomplishes 3 goals in just eight instructions: 1) The first is to enable use of the debug inventory editor whenever you pause - the inventory editor lets us obtain most - but not all - of the items required for 100% NSR, with an amount of control that would be hard to get via ACE alone without writing a much longer payload. 2) The second goal is to get the NSR requirements that are not covered by inventory editor: magic flag, double magic flag, double defence flag, double defense heart count, biggoron's sword flag, and has-obtained-any-gold-skulltulas flag. As a bonus, I also include making the gold skulltula count greater than 100, because doing that with the inventory editor is really slow. Funnily enough, the fastest way to set all this data without writing very much code is to paste a random chunk of memory over the save context that happens to fulfill all these conditions by calling the MemCpy function. I wrote a script to search RAM to find the block of data that we copy. Note that doing this completely overwrites our inventory with garbage, but this is fine because we're going to be fixing it with the inventory editor anyway. 3) The third requirement is a way to reach the credits.The Lost Woods bridge is already coded to trigger a cutscene when you enter it, so I just changed it so that it triggers a credits cutscene again.
9:26 After loading up the newly corrupted file, just pause and the debug menu will open automatically. Fill it in the way that I do to get all the necessary items and such. After doing so, probably best to verify the pause screen contents, since otherwise it might be tricky to spot if you missed anything.
10:29 Now, just go to the kokiri bridge as fast as possible. Note that as a side effect of the random garbage that we copied over our file, we have F boots equipped and a stick on B. Also a glitched C item that probably crashes, I wouldn't try to use it. Just make sure not to accidentally fly off to space, and then enjoy the credits!

Ocarina of Time - Grotto SRM as Adult from Lost Woods Goron City Room
MrCheeze 2021-08-17 | The previous idea for beating the Brawl demo of OoT turned out to be impossible, because of ACE not working properly in VC. This is a different idea entirely for beating Brawl: a setup for Grotto SRM designed to be as fast as possible coming from the Brawl premade save files, with the idea being that we can hopefully warp to the Ganon battle and defeat him in under 5 minutes. This heap manip is also probably useful in general in other (non-Brawl) situations.
Note: although this route technically exists in US Brawl, it is much better in JP Brawl because: 1) Only the Japanese save file has hookshot, which can be used to climb the ladder in the lost woods bridge room faster. 2) Mido is moved in JP only. 3) Text in the Ganon fight is presumably faster.
Heap manip:
- Spawn in lost woods from Goron City OR the grotto in the same room. (it doesn't matter for the heap manip whether the bombiwa is destroyed or not)
- drop bomb, load mido room
- after first bomb explodes, drop bomb, load the next room
- load the bush room
- SRM off the nearest bush and travel directly to the forest stage grotto room
Whether it is actually possible to get here, do the SRM, and defeat ganon in under 5 minutes remains to be seen. Timing will be very tight if so.

Ocarina of Time (Brawl Masterpiece) - Faster credits warp idea. (SRM/ACE)
MrCheeze 2021-08-14 | (Update from the future: The idea doesn't work when done in real Brawl, sadly. The code that we're trying to edit with ACE here remains in the VC cache and so trying to edit it does nothing.)
This is an idea for a faster way compared to my previous video (youtube.com/watch?v=fSrNF7txj20) of beating the Brawl demo of OoT within its 5 minute timer.
The key idea here is the same as before: get LightNode SRM as fast as possible. Since filenames can't be controlled in Brawl, we (unfortunately) have to use an exact joystick/controller input to control the effect of the lightnode SRM. The effect is to NOP out a certain instruction of code, so that when you die and return to title screen, it plays cutscene FFF3 on the current entrance instead of cutscene FFF3 in Hyrule Field. This is enough to credits warp.
The timesave here is from using the Adult Link premade file instead of the child one, which can actually do its lightnode SRM faster despite starting on the opposite end of Hyrule. Unlike the previous setup, this setup is the same for both the US and Japanese versions of Brawl. (Although there are differences: The US save starts with 3 3/4 hearts while the JP save has 6, and only the Japanese file has hookshot.) The timesave from the new route is not huge, so finishing under 5 minutes is still difficult but seems like it should be possible. (As long as there's a way to get the exact joystick value.)
0:00 - Load the adult save file and just get to the forest entrance as quickly as possible.
1:15 - We need to reenter lost woods from the Kokiri side of the bridge; this sets up a wrong warp for later. Glitch off the bridge using any method. Skip past Mido (we need to use a hookshotless method unless playing on the Japanese file). Enter and exit the forest stage grotto.
2:23 - Heap manip begins and is very simple: go forward a room, drop two bombs, and load the bush room while the bombs are loaded. Then superslide SRM the nearest bush through the loading plane as shown.
2:42 - We need to drop the bush while the fairy is loaded, with angle DDF8, DE58, or DE5C in order to point the lightnode SRM at our controller 1 inputs. I show one setup for this.
2:54 - It's mandatory to pause at least once in lost woods to overwrite the data that the cutscene pointer points to, otherwise the wrong warp will softlock. If you didn't do it earlier, do it now.
2:56 - Without unloading the room that the fairy is in, use bombs to die and prepare to return to title.
3:18 - As the scene unloads, you need to be holding the following on controller 1: A, C-Up, C-Right, and X=8, Y=-36 (unless the angle of the shield drop was DE5C, in which case it should be Y=-40). The lightnode SRM will trigger as the fairy unloads, and if all goes well, a wrong warp will take you to the Lon Lon Ranch house.
3:22 - In order to credits warp, we need to enter Lon Lon Ranch from the front entrance and then die. Exit the ranch and spam the title file bombchus against the tree in order to bring yourself down to half a heart, then re-enter the ranch.
4:24 - Once back in the ranch, die and return to title. Enjoy as much as you can before the timer expires and returns you to Brawl. As a side effect of being in title screen mode, you can press start to skip through the different credits scenes, though it's nowhere near enough to make it to the end screen.

Ocarina of Time - Lightnode SRM as Adult Link
MrCheeze 2021-08-14 | Could be useful from time to time. If only all heap manips were this easy, huh?
Done in lost woods not just because lost woods is a very nice location for heap manips, but because Mido's fairy is one of the few actors that we know to have a lightnode pointer that we can edit as adult. (Kokiri forest SRM doesn't seem possible when we can't use the crawlspace.)

Idea for beating the Brawl OoT Masterpiece with SRM/ACE
MrCheeze 2021-08-08 | (Update from the future: The idea doesn't work when done in real Brawl, sadly. The code that we're trying to edit with ACE here remains in the VC cache and so trying to edit it does nothing.)
An interesting challenge is whether it's possible to beat the Brawl demo of Ocarina of Time, which has a 5 minute time limit. It doesn't appear to be possible with non-SRM glitches. If we create a new file with an arbitrary filename, the intro uses almost all of our 5 minutes and we have no time to do anything. So the only hope is to find a way to get a useful SRM effect without using our filename at all.
The method shown in this video is a form of LightNode SRM (docs.google.com/document/d/1Xf0mTcGwxbuBBFX1TYhKuRdfdH34wW9492RN-1YmIUM/edit), but unlike all previous LNSRM, we use our Controller 1 value instead of our filename to determine where to write to. Doing this has the restriction where we can only write the value 00000000, but this is surprisingly still enough to beat the game. It also has the practical difficulty where we have to cross a loading plane while holding an exact joystick value.
0:00 Load the JP Brawl child save. Note that there are minor differences between the JP/US/PAL save files - each one has different permanent rupees collected, and therefore needs a different heap manip than the others. But apart from needing a different heap manip, this should work on the US version too. Also, all versions have sword, shield, 50 rupees, and no nuts, so we do have to buy nuts first.
00:48 Heap manip is as shown for the JP version. Note that you must get low enough on hearts to enable critical camera. It's also important that you use navi here before getting return A.
02:43 Drop the rock with angle DDF8, DE58, or DE5C. This makes it so that the lightnode ramwrite will look at your controller 1 inputs and then write the value 00000000 wherever they point.
2:56 Cross the load plane while holding the following inputs on Controller (from the N64's point of view): A, C-Up, C-Right, X=8, Y=-36 (unless your angle was DE5C, in which case it will be Y=-40). Normally when holding these inputs Link will move downwards towards the camera. Also if Navi wasn't cleared earlier then this will call her and softlock the game. (To work around this softlock I used the tas-only workaround of crossing the load plane while Link is slashing, which makes the C-Up input not call her.)
2:58 Now that the ram write has occurred, we have made it so that whenever you game over and return to title, instead of loading the title screen, it will play cutscene FFF3 at the current entrance. There are a few specific entrances where this will warp to credits. One of these is Death Mountain Trail from Kakariko Village, so that's where we want to go next. We can't get there normally without going over the time limit, though. Fortunately there's an indirect path: If we enter deku tree and die, Deku Tree with cutscene FFF3 will wrong warp us to Dodongo's Cavern.
3:37 Now that we are in DC (and also in title file, incidentally), we have two goals: go to kak and back to set our current entrance to entering DMT, and die and return to title after doing so. We can work on both of these goals at the same time, and take advantage of the 50 bombchus that title file has to die as quickly as possible. Timing is extremely tight, but if all goes well, we can see the DMT credits and enjoy our victory... for a couple seconds, before the 5 minute timer expires and kicks us out again.
If you consider the Brawl premade files to be a valid starting state for OoT, then this is technically the fastest way to beat the game. :D

Ocarina of Time Any% PB in 8:20 (Dolphin)
MrCheeze 2021-07-28 | My best run since Dolphin was updated to support the hardware bug used in the new oot route (see thread: twitter.com/MrCheeze_/status/1418307382728437762 ). Uses safer strats (and of course much worse execution) than actual speedrunners, but I'm very happy with this run by my standards.
Also, accidentally got RNG rupees since I needed 1 rupee from rocks but they gave me 6, lmao.
*sum of best mentioned in chat at the end is wrong, it's actually 8:18.55. misread a number and didn't sanity check

Ocarina of Time - N64-Compatible Persistent Ram Editor
MrCheeze 2021-07-04 | crazy man runs around in the woods for 20 minutes then solves a sudoku
pastebin.com/3ynUe6Yx pastebin.com/yL73GZHQ

Ocarina of Time - Credits Warp (ramwrite method) for N64/Wii/Wii U
MrCheeze 2021-06-20 | The fastest way to beat OoT is on the Gamecube. This is because in that version only, they made it possible to play back a recorded video file of the credits with a single function call.
Despite the useful LightNode arbitrary ram write technique being discovered since then (docs.google.com/document/d/1Xf0mTcGwxbuBBFX1TYhKuRdfdH34wW9492RN-1YmIUM/edit), we have not been able to find any faster way to trigger the credits. Still, lightnode offers the opportunity to speed up other consoles so that they're not as far behind GC as they were before.
The basic idea of this route is this: When you load the title screen, all cutscenes that CAN play in Hyrule Field are loaded into memory, including one mid-credits cutscene. Because most areas (including Kokiri Forest) are smaller than hyrule field, those stale cutscenes actually remain in memory, unused, even after you create a file and start playing in it.
Certain scenes, such as Deku Tree, have a cutscene that automatically plays when entering them for the first time. Using lightnode SRM, we can edit the entrance cutscene table, so that entering the dungeon plays a cutscene located elsewhere in memory - specifically, we can point it at the hyrule field credits cutscene which was never overwritten.
NOTE: The credits cutscene data actually WILL be overwritten if you ever pause indoors. If you do a run with this route, you must make sure to ONLY pause in the kokiri forest scene, nowhere else. Otherwise the game will just crash with a black screen on entering deku tree.
This method theoretically could work on any version, but the setup here is for NTSC 1.2 for the sake of Wii and Wii U VC compatibility. (Lightnode doesn't use any ACE, so it works just fine on VC.)
- Filename: 80366F70 800F037C (ラをニヌラか3モ)
- As usual for lightnode SRMs, do Savestate's heap manip and Tsundere's angle setup: youtube.com/watch?v=Udk4ckbeucY
- Do not pause indoors do not pause indoors do not pause indoors do not pause indoors*
- Enter deku tree, win (I think timing ends here? it's kind of nebulous when exactly the credits start with this route)
*shoutouts to MiT Epona who tried doing runs before we figured this out

Ocarina of Time - Gain control on the title screen SRM (ram write edition)
MrCheeze 2021-06-19 | In the previous video (youtube.com/watch?v=JGJ8cklIsU0), I showed that we could leverage arbitrary ramwrite techniques to get the game to keep writing to an address of our choosing, each frame. Here I show another application of that technique, intended for a speedrun category with the following ruleset:
* No wrong warp (in a strict sense, so that there's no loopholes to skip to the end of the game somehow)
* Item generation/manipulation allowed
* Arbitrary ram writes allowed
* Taking control on the title screen, and modifying cutscenes to end them prematurely allowed
After doing a lightnode SRM with the filename 80381C94 8011DD08 (ラぁてゲラくy8), the game will constantly write a negative number to address 80381C94. This is the address where the twinrova title screen cutscene is stored, and placing a negative number will cause that cutscene to end instantly, giving the player control. This conveniently also ends attract mode so you can then travel to Ganon's Castle (or wherever you want) without accidentally doing any wrong warps that would make the run invalid.
(I wasn't able to find a way to do this that doesn't require waiting through the title screen, sorry.)

Ocarina of Time - turn master sword into light arrows SRM
MrCheeze 2021-06-14 | Three months ago, I found a new SRM application was discovered that allows us to write an arbitrary value to an arbitrary ram location, which most people are calling "Lightnode SRM". (For more info, see Savestate's writeup docs.google.com/document/d/1Xf0mTcGwxbuBBFX1TYhKuRdfdH34wW9492RN-1YmIUM/edit and heap demo youtube.com/watch?v=Udk4ckbeucY .) This has many powerful applications, including making a persistent RAM editor (youtube.com/watch?v=J95D-gPBDuc).
Here, I demonstrate another effect that can be achieved with lightnode SRM. Normally, beating Ganondorf is completely impossible without light arrows, as they're the only attack that can stun him - and getting light arrows legitimately takes a very long time, since they require spirit and shadow medallion to obtain, and magic and a bow to use them. But with arbitrary ramwrites, we can actually modify the "type" of damage that other weapons do. In particular, we can make it so that jumpslashing with the master sword has the light arrow damage flag set, which lets us bypass the need for light arrows entirely.
This application is intended for use in a hypothetical "No Item Manipulation/Wrong Warp" category with SRM allowed, also known as "GSRM". For it to be useful, the ruleset needs to be something along the lines of:
- No Wrong Warping of any kind (so the only way to beat the game is to defeat both Ganondorf and Ganon in Ganon's Castle).
- No item manipulation of any kind. In particular, no generating light arrows, or their prerequisites (Zelda's Lullaby, magic, bow, quiver, shadow medallion, spirit medallion).
- SRM is legal
- Arbitrary ram write is legal (we don't have a method that doesn't use it)
For me, these restrictions are interesting because it makes us see what SRM can do without the common "major effects" (free items and warps), and also leads us to finding new tech. But the resulting route also ends up having some rare OoT tricks because of all the items it skips.
Editing the master sword jumpslash damage bits is unfortunately not as simple as writing to them directly with Lightnode SRM. Doing this IS possible, but they reset back to their original values whenever you change scenes. Instead, we need a way to persistently overwrite the damage bits every frame. Fortunately, there is a way to do this (all addresses are NTSC 1.2):
- Using Lightnode SRM, we can use the filename "803AB54C 8011DD08" (ラぅKぢラくy8) to write the value "803AB54C" to address 8011DD0C.
- Address 8011DD0C is a pointer. I don't know what its original purpose is, but every frame, the game writes the value "8011E038" to wherever it points.
- Address 803AB54C is where the "master sword jumpslash" damage bits are stored. So after doing this SRM, those bits are constantly being changed to "8011E038". This value includes the bit for light arrow (00002000) as well as various other bits. Unfortunately, the other bits in this prevent master sword jumpslashes from doing damage to most enemies in the game, so we have to use normal slashes for almost everything.
- After doing this SRM, we can no longer reset the game without the game reverting to normal, so the only way to savewarp is to get a game over and return to title.
Timestamps for various events in the video:
0:00 Filename entry
2:14 Rupee collection (all permanent rupees must be collected)
3:54 Heap manip proper begins (see Savestate's video above)
5:24 The lightnode SRM (using Tsundere's ACA0 angle setup). Note that we have to void out afterwards - walking back into the village crashes for some reason.
Not shown: Getting 10 bombchus early from Bottom of the Well; door of time clip.
5:59 Reverse door of time skip via game over savewarp (because we can't reset after doing the SRM).
Not shown: Getting more deku nuts for Ganon, and a hylian shield for the hover into Ganon's Castle. (These can also be routed in earlier.) For the hover that I do, I also have to get hookshot, but I've been told that other hovers are possible that don't need it.
6:44 Badly hovering into Ganon's Castle (and like I said, this should ideally be replaced with a no-hookshot hover if possible).
7:45 Standard Armos trials skip due to minimal items
8:23 Just climbing ganon's tower without access to jumpslash damage, nothing special...
10:58 The point of it all: The Ganondorf fight with sword only. First, a standard setup to make him throw the tennis ball at you while you're on the middle platform, which makes it so that he always gets hit by the first rebound. Then, the light arrow jump attack itself - note that it's totally possible to miss him entirely here if you don't space it right. Once he's stunned, getting ISG and walking into his body will stunlock him - but it's important to do a regular slash before getting ISG for it to damage him properly.
11:59 collapse (boring)
15:56 Ganon phase 1 (deku nuts)
17:00 Ganon phase 2 (master sword, but without jumpslashes)

Majoras Mask 3D - Moonwarp SRM (citra)
MrCheeze 2021-03-14 | See Iwabi's video for the first time this was done on an actual 3DS: youtube.com/watch?v=ZuFs0w_msyA
Save at the Deku Palace owl statue with bombs and bombchus ALREADY equipped on the X and Y buttons. It should also be first cycle for the timing cues described below to work properly.
Reset the game to restore the heap to a clean state for the heap manip. On the title screen, wait until the clock town scene, then load your file. Triple slash clip into the palace. Line up against the wall under the bridge.
At 5:43 (not exact), take out a bomb and drop it. Home buffer until EXACTLY 5:47. Then home buffer one more frame. Then, hold Y and Z into the subsequent frame to instantly shield drop a bombchu. At 5:53 (not exact), open the gear/mask/item menu, and highlight an empty item slot, and a non-empty item slot. (This should be your first time doing this since restart.) Close the menu, drop a bomb, and slash. At 5:58-5:59, home buffer until the frame where the bombchu is flashing red and just barely overlapping with Link. Hold L, R, and A into the next frame to grab the bomb with a long delay. Make sure to let go of R during the night transition or your SRM will be lost!
Enter the left room of the palace, but facing away from it - if you look at the scrub near the heart piece before doing the following setup, the game will crash. Target against the frame of the door, and wait until exactly 6:39. Start backwalking, and shield drop on the frame that I will do. If done properly this will make it so that the X and Y positions written into the deku guard via SRM will have a specific float-exact value. Hurry through the palace garden, but make sure not to get caught - the guard positions are unfortunately RNG. If the deku guard was SRMed correctly, he will be running through walls, soon to reach out of bounds. If you manage to catch him before it's too late, he will warp you straight to the moon!
Big shoutouts to the various contributors to this strategy. See the twitter thread above for more info.

really depressing and naive
MrCheeze 2021-03-04 | Recently, nim discovered a wrong warp glitch in SM64 that involves taking a teleporter and unloading its area at the same time. When that happens, the N64 crashes due to null pointer exceptions, but VC ignores the crash and continues. In that case the warp continues but with the parameters for the warp coming from weird places. youtube.com/watch?v=YduutOI7uxY
He also noticed that some of the achievable params on PAL and Shindou trigger the credits cutscene in whatever level you arrive at. This crashes for multiple reasons (mainly rendering stuff that isn't loaded properly), but there was some hope that these crashes could be prevented.
This video uses some minor hacks to show what would happen if we trigger the credits cutscene to play, and NOT crash, after an (also hacked) wrong warp. Unfortunately, the credits sequence still cannot play out in full. If you manage to make it to the part of the cutscene that changes levels, it will try to warp you to an invalid level and therefore boot you out to the title screen. From what I've seen of the code, this seems to be totally unavoidable.
Jury's still out on whether the wrong warp glitch can be made to have any useful effect at all, even the ones that don't trigger credits cutscene. Right now it is known that a wrong warp from Wet Dry World to Wet Dry World is possible (yes really, the destination is just a coincidence), and WDW to Jolly Roger Bay should also be possible without crashing. There are many restrictions on the glitch so it's quite possible that nothing else works.

Majoras Mask 3D - Dry Bomb SRM (SRM Almost Anywhere) - non-first cycle setup
MrCheeze 2021-02-18 | See Willdelum's info for more info on dry bomb SRM. youtube.com/watch?v=EEQhKVPdWyU
For this setup:
- Take out a bottle.
- Home buffer (or in my case, frame advance) until the frame that the clock turns 5:54.
- Buffer A into the next frame to trigger the putaway animation. (this is used just to time an exact number of frames)
- Exactly 17 frames later, the A button with Put Away on it will disappear. Buffer X/Y into the next frame to drop the first bomb.
- The rest of the setup proceeds the same as in Willdelum's video. Drop a second bomb (timing doesn't matter), take out the bottle again, and grab the bomb on the last frame possible. If done correctly Link will SRM after the night transition.
(In theory, bow should also be usable instead of bottle in all cases. The putaway animation is all we need, and as far as I know it's the same for both.)

Majoras Mask 3D - Wet Bomb SRM
MrCheeze 2021-02-16 | This is ridiculously easy to pull off - all you have to do is take out a bomb in water, half a second or so before a night transition.
When a bomb touches water, a timer is set that will cause it to be killed about half a second later. If this timer ends during a night transition cutscene, then Link will be frozen on the frame that the bomb is killed, and will not realize that he needs to drop his hands - and so SRM is achieved.
Extra technical note: In MM3D only, having Link be frozen during one frame (the one where the bomb is killed) is enough to cause SRM. The reason for this is that in MM3D, freed memory gets immediately set to CCCCCCCC, but in all other zelda64 engine games, freed memory does not get overwritten until something else loads in its place.
Update: Turns out you can even be above the water and still do this: youtube.com/watch?v=eOgZf_GfSjI

Spaceworld Deku Tree
MrCheeze 2021-01-29 | Pretty complicated for a tutorial dungeon! (Map converted by Zel, as part of a restoration being worked on by him and others. I just contributed a few fixes to actor params and such to get the puzzles working properly.)

Phoenix learns about huskies (objection.lol)
MrCheeze 2020-12-31 | True story.
For more Husky facts, check out Oceanfalls (oceanfalls.net)

Pokemon Sword and Shield - Battle! VS Gym Leader - (OAA Mix)
MrCheeze 2020-10-22 | normal song

Ocarina of Time - Current Buttons SRM as adult in lost woods (using the skull kid memory leak)
MrCheeze 2020-10-20 | Based on the principle shown in this video, we can waste arbitrarily high amounts of memory in lost woods (though only in certain sized blocks). youtube.com/watch?v=gljPx0UM2zo Using that, plus a bug bottle for heap manip, a fish with code to call, and a bomb to superslide, we can achieve an SRM to edit our current button items. (NTSC 1.2)
This heap manip is somewhat tricky, the details are as follows:
- Spawn from goron city
- Go more than halfway through the tunnel, so that both rooms are loaded, but the game thinks the "main" current room is the goron city room.
- Wait for the one active skullkid to shoot all 7 sets of 3 needles and despawn.
- Unload the skull kid room and return to the same spot in the tunnel.
- Wait for the one active skullkid to shoot all 7 sets of 3 needles and despawn.
- Unload the skull kid room, destroy the bush that I do, and return to the same spot in the tunnel.
- Wait for the one active skullkid to shoot 3 sets of 3 needles.
- Drop bugs, then fish (the fish overlay will be at address 801F8F90).
- Recapture the fish
- Load the main entrance room
- Return to skull kid's room
- After unloading the entrance room, but before the skull kids shoot any needles, drop fish.
- Wait for the skullkids to shoot 1 set of 3 needles.
- Load the goron city room.
- Superslide off the bush that I do, and take it back to the entrance room.
- Angle setup for 9170 as shown.
- Enter the skullkid room.
- Wait for the skullkids to shoot 7 sets of 3 needles, between them.
- Load the goron city room and drop the bush.
shoutouts to epona youtube.com/watch?v=VeTVo1lv7qg

Ocarina of Time - Fast heap manip for Grotto SRM as adult (NTSC 1.2)
MrCheeze 2020-10-15 | Everything from spawning from sacred forest until entering the forest stage room is heap manip. Note that, somewhat unintuitively, you have to go more than halfway through the tunnel to make sure that the Song of Storms *doesn't* despawn when you return back to the previous room.
(Angle setups can be found with Savestate's tool: youtube.com/watch?v=sToNBHo_O78)

Ocarina of Time - Arbitrary Function Calls in Lost Woods as Adult.
MrCheeze 2020-10-13 | This is exactly the same principle as my previous video about calling arbitrary existing game functions (youtube.com/watch?v=e-KrKn5D59w), but a new setup. Like the other one, this setup is for NTSC 1.2, but instead of taking place in kokiri forest as child and using deku nuts, it takes place in lost woods as adult and uses bombs, song of storms, and a strength upgrade. Also, instead of being determined by filename, the function that you call is determined by your controller 1 inputs. Nothing revolutionary but there might be some niche applications for this.
The steps needed to do this are as follows:
- Play on NTSC 1.2, and be adult with the items mentioned above.
- Spawn in Lost Woods from the zora river entrance.
- Mido Skip without hookshot (hookshot is an actor and affects heap manip)
- Follow the heap manip as shown so that the overlay for En_Weather_Tag loads at 801ED120. This will make it so that the instructions "lw $t9, 0xDE60($at); jr $t9" appear at 801ED17C. For the rest of the heap manip, we need nothing else to load at this address, so that this code is kept stale on the heap.
- Continue to follow the heap manip to load the bush at 801EA880 as I do, and SRM with it.
- Angle setup for D17C.
- Go back into the northeast room and drop. If everything was done correctly, we will have corrupted a Bombiwa's draw pointer to point at 801ED17C, where the code mentioned earlier is still sitting stale on the heap. The moment we look near the rock, the code will run. The effect of running that code, given the existing value of the $at register, will be this: "Load function pointer from 8011DE60, jump execution to function pointer." And as it happens, address 8011DE60 is the controller 1 input.
- Press buttons on the controller and put the joystick in a unit-exact position to create a pointer to the function you want to run. In my case, the function I chose to demonstrate with was at 80079EE4, which is a function related to updating your B and C buttons from using a bottle. When called in this way, it always has the effect of placing a fairy bottle on the B button, and giving you RBA.
- Walk so that you can see the bombiwa, and then depending on your situation you might want to get away from it again so that it stops running code based on your controller inputs. Alternatively, in a TAS context, it is viable to keep varying the controller input so that you could call many different functions, if more are useful.
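The relationship between held inputs and the pointer they form can be worked out offline. The Python below is an added example, not code from the video or its author; it assumes the word at the controller 1 input address uses the standard N64 controller layout (16 button bits, then signed stick X and stick Y bytes, big-endian), and its function names are hypothetical.

```python
"""Added example: convert between N64 controller state and the 32-bit word it forms."""
import struct

# Button bits of the standard N64 controller word (assumed layout, see lead-in).
BUTTONS = {
    "A": 0x8000, "B": 0x4000, "Z": 0x2000, "Start": 0x1000,
    "D-Up": 0x0800, "D-Down": 0x0400, "D-Left": 0x0200, "D-Right": 0x0100,
    "L": 0x0020, "R": 0x0010,
    "C-Up": 0x0008, "C-Down": 0x0004, "C-Left": 0x0002, "C-Right": 0x0001,
}
# Bits of the button half-word that no button can set (0x00C0).
UNMAPPED = 0xFFFF & ~sum(BUTTONS.values())


def inputs_to_word(buttons, stick_x, stick_y):
    """Return the 32-bit big-endian word formed by held buttons and stick position."""
    mask = 0
    for name in buttons:
        mask |= BUTTONS[name]
    # struct rejects stick values outside the signed 8-bit range.
    raw = struct.pack(">Hbb", mask, stick_x, stick_y)
    return struct.unpack(">I", raw)[0]


def word_to_inputs(word):
    """Return (buttons, stick_x, stick_y) that form `word`, or raise ValueError."""
    mask, stick_x, stick_y = struct.unpack(">Hbb", struct.pack(">I", word))
    if mask & UNMAPPED:
        raise ValueError(f"{word:08X} needs button bits {mask & UNMAPPED:04X} that no button sets")
    held = [name for name, bit in BUTTONS.items() if mask & bit]
    return held, stick_x, stick_y


def plan(addresses):
    """Map each target address to the inputs that encode it, or None if unreachable."""
    result = {}
    for address in addresses:
        try:
            result[address] = word_to_inputs(address)
        except ValueError:
            result[address] = None
    return result


if __name__ == "__main__":
    # 80079EE4 is the function address the description demonstrates with;
    # 80C00000 is a constructed value that uses the unmapped button bits.
    for address, inputs in plan([0x80079EE4, 0x80C00000]).items():
        print(f"{address:08X}: {inputs}")
```
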
A few of the functions that can be called (nonexhaustive list obviously): 1.0 1.2 8006F804 8006FE64 change equips as if travelling through time (BA function) 8006FAD0 80070130 give [broken?] giant's knife 80071B7C ???????? RBA function direct (doesn't work) 800721A0 80072858 give/take hearts 800721CC 80072884 give/take rupees 800738E8 80073FA0 trade sequence timer 80079854 80079EE4 RBA function indirect (works) 80081130 80081760 edit equipment 80081188 800817B8 try to delete equipment but crashes 80081294 800818C4 edit upgrades 8008FFC0 80090610 load empty save 800900EC 8009073C load title screen saveOcarina of Time - Lost Woods Skull Kid Memory LeakMrCheeze2020-10-12 | As adult, the skull kids in lost woods will shoot needles at you. Normally, there are limits preventing too many from spawning at once:
- Each needle has a timer and will despawn if it exists for too long. - Each skull kid is only willing to shoot 7 volleys of 3 needles at a time, and will stop shooting if it has loaded that many. - Needles despawn when you leave the room they are loaded in.
However, it is possible to bypass all of these restrictions.
- If the needles are always off-camera, their update function will never run. This means their timer will never expire.
- If you unload and reload the room the Skull Kid is in, the new Skull Kid will have its needle limit refreshed, and would be willing to spawn 21 more. Normally this would be useless, because unloading the skull kid's room would also mean unloading all his needles, except...
- When a skull kid shoots some needles, you would expect that the needles would be assigned to the same room that the Skull Kid is in. But this is not actually the case. Instead, the room that they are assigned to is determined by a global "current room" variable. Whenever there is only one room loaded, the "current room" value is obvious. However, when you are inside one of the log tunnels, so that two different rooms are loaded at once, then the value actually switches back and forth depending on how far through the tunnel you are. This means that if you position yourself in the tunnel correctly, the needles will actually be assigned to the room on the opposite end of the tunnel from where the skull kid is located - and therefore, you can unload the skull kid's room without unloading the needles.
So, what I do here is the following:
- spawn in entrance room (room 00)
- load skull kid room (room 01)
- position myself in the tunnel so that both rooms are loaded, but the "current room" variable is 00
- wait for the skull kid to shoot 21 shots, which are assigned to room 00 despite the skull kid not being in that room
- unload room 01 to despawn the skull kid, but keep the needles loaded
- load skull kid room (room 01)
- and repeat arbitrarily many times.
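The cycle above as a small model, added here as an example (it is not the game's code). It compares assigning each needle's room from the global "current room" variable, as described, with assigning it from the spawner's own room; the MAX_ACTORS bound and all names are hypothetical.

```c
#include <stdio.h>

#define MAX_ACTORS 512   /* hypothetical actor-table bound for this model */
#define NEEDLE_LIMIT 21  /* 7 volleys of 3 needles per Skull Kid, per the text */

typedef struct { int live; int room; } Needle;
typedef struct {
    Needle needles[MAX_ACTORS];
    int current_room;    /* the global "current room" variable */
} World;

/* A freshly loaded Skull Kid in spawner_room fires its full needle budget.
 * fixed == 0 models the behaviour described: room comes from the global.
 * fixed == 1 models the expected behaviour: room comes from the spawner. */
static int fire_needles(World *w, int spawner_room, int fixed) {
    int spawned = 0;
    for (int i = 0; i < MAX_ACTORS && spawned < NEEDLE_LIMIT; i++) {
        if (w->needles[i].live) continue;
        w->needles[i].live = 1;
        w->needles[i].room = fixed ? spawner_room : w->current_room;
        spawned++;
    }
    return spawned;
}

/* Unloading a room frees every actor assigned to it, and only those. */
static void unload_room(World *w, int room) {
    for (int i = 0; i < MAX_ACTORS; i++)
        if (w->needles[i].live && w->needles[i].room == room)
            w->needles[i].live = 0;
}

/* Repeat the load / shoot / unload cycle; return needles still allocated.
 * Needles stay off-camera, so their despawn timers never tick. */
int run_cycles(int cycles, int fixed) {
    World w = {0};
    int live = 0;
    for (int c = 0; c < cycles; c++) {
        w.current_room = 0;          /* standing on the room-00 side of the tunnel */
        fire_needles(&w, 1, fixed);  /* room 01 loaded, Skull Kid shoots */
        unload_room(&w, 1);          /* room 01 unloaded, Skull Kid despawns */
    }
    for (int i = 0; i < MAX_ACTORS; i++) live += w.needles[i].live;
    return live;
}

int main(void) {
    printf("described behaviour, 5 cycles: %d needles\n", run_cycles(5, 0));
    printf("spawner-room assignment, 5 cycles: %d needles\n", run_cycles(5, 1));
    return 0;
}
```

With the global assignment the count grows by 21 per cycle until the modelled table is full; with spawner-room assignment every unload returns it to zero.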
There might be more memory leaks in the game that operate on this same principle, if there are other places we can load actors while having two different rooms loaded at once.

Ocarina of Time - Age Change SRM without Goron Bracelet
MrCheeze 2020-10-09 | Because of the structure of its rooms, Lost Woods is probably the most versatile place in the game to SRM in. Unfortunately, it has one glaring restriction: It's not possible to pick up bushes without a strength upgrade, which means you can't SRM here without taking a major detour to obtain it or loading the title file.
...or at least, so we thought. It turns out that when you press A to pick up a bush, Link doesn't immediately check whether it's a bush or not; he only checks this once he actually reaches down and grabs it. This means that if you superslide off a bush, and pass through not just one but two different loading planes, something else is likely to load over the bush BEFORE Link ever reaches down to grab it. This means that he won't detect it as being a bush, and will be able to pick it up successfully and SRM with it!
This is useful for No Item Manipulation/Wrong Warp with SRM (GSRM?), which is a category that is still under development. Up until now this category has not been able to achieve any useful SRM effects, due to its limited availability of items. Finding ways to make SRM useful with limited items, and without use of the two most powerful effects, is a pretty interesting challenge.
One thing that I did not manage to find, but that would be extremely useful, is a setup to do this superslide using only bombchus, and not the bomb that I used in this video.
Also, one other thing to keep in mind is that many Lost Woods SRM effects require you to grab the invisible bush at the very end, in order to manipulate the value that gets written into save context. Fortunately Age Change just wants to write zero so it doesn't have to do this, but this means certain other SRM effects still aren't achievable right now.
The heap shown is 1.2 NTSC.

OoT Language Change SRM
MrCheeze 2020-10-06 | With this, you can change a US copy of OoT into behaving exactly the same as a Japanese copy. You can also load "glitch languages", although they mostly behave the same as English - only a few textures will be corrupted. The effects of this SRM will persist on game over, starting a new file, etc. However, they are not saved to the cartridge when you turn the console off.
On a technical level, this SRM works the same way as all fish overlay SRM - we jump partway through a certain function in the fish overlay, and depending on where the overlay is allocated on the heap, we're able to write to a different part of the save context. Actually, we've started a spreadsheet to track the parts of save context that we might want to write to with this SRM, and the heap manips that have been found already: docs.google.com/spreadsheets/d/17BLPrpJRf7Vf01lYhXPKu1VumFAkxbGxyrww8ux5aZc/edit#gid=376145157

Ocarina of Time - Starting a new file with 99 rupees (New Game+)
MrCheeze 2020-10-05 | What? A non-SRM video?
When you game over and return to title, most of the save context from 0x1354 onwards (see decomp: github.com/zeldaret/oot/blob/174af7384d1cfcbf15da02d9069bf02bdc433c20/include/z64.h#L167) will keep its existing values into the title screen, and even into loading files or starting a new file. One of the values that can be preserved this way is the "rupee accumulator", which contains the number of rupees that are currently being loaded into your wallet.
(Shoutouts to dannyb and tharo who described and explained another NG+ effect that works on the exact same principle earlier today.)
In order to set this up, you must have a file that has Giant's Wallet and is set up to be able to sell the bunny hood to the Running Man. Then, all you have to do is sell the mask to him, and then immediately die and return to the title screen (saving isn't necessary). The rupee accumulator will continue to count down during the game over screen, as well as on the title screen itself. But if you mash through both quickly, you can reach the file select screen, and load an existing or newly-created file. Either way, the remaining rupees will be added to that file when you load it.
In a speedrunning context, this could theoretically be used to save time gathering shop rupees in hypothetical NG+ categories, although if ACE can be set up beforehand it's entirely redundant (youtube.com/watch?v=C2WdkMH9B54)

Ocarina of Time - Spawning Phantom Links with butterfly spawners and SRM
MrCheeze 2020-10-05 | In Ocarina of Time, there is a certain actor named Obj_Mure. This actor is invisible in itself, but is responsible for spawning a group of actors when you approach it, and despawning them when you walk away. Normally, there are three types of actors that Obj_Mure can spawn - Fish, Bugs, and Butterflies. But strangely, there are actually two other actors they're programmed to be able to spawn - actor 0125 (bushes) and actor 0000 (the player character).
There is a variable in Obj_Mure that says which of these five actors it should spawn. Using SRM, we can edit this variable directly, changing it from a Butterfly spawner into a Player spawner. The game engine is built to assume that only one Player ever exists, so some pretty odd things will happen when there are multiple - watch the video to see what happens.
(One extra detail about the setup shown in this video: as a side effect of dropping the SRM, we accidentally also corrupt the linked list of heap nodes. With the heap manip in the video, it's possible to repair the list by attacking the two deku scrubs in order, so I do this in order to be able to better show off the effects of having multiple players loaded.)

OoT Master Quest - Grotto SRM heap manip (child)
MrCheeze 2020-09-27 | See previous videos for more info. youtube.com/watch?v=FiZMZP0fJf0 youtube.com/watch?v=JOOcm-NMlIc youtube.com/watch?v=gLdaZag8Vbk
For the manip, all of the below must happen in this order:
- Spawn from forest stage
- Load bombchu #1 (before scrub room unloads)
- Unload scrub room
- Drop bugs
- Load bombchu #2
- Bombchu #1 explodes
- Charge a spin (must have magic)
- Load room with the bushes
- SRM off the nearest bush and walk back to the scrub room

OoT Master Quest - Grotto SRM heap manip (adult)
MrCheeze 2020-09-27 | The GameCube builds of OoT have differences in memory layout, so a different setup is needed to achieve Grotto SRM.
We can easily use this to get a single-use warp to any scene in the game. However, chaining warps to multiple scenes is more difficult, if it's even possible at all. The reason for this is that on N64, there is an address that contains a copy of Link's angle located near the game's entrance table, so that if we set our entrance to a specific glitched value, it ends up reading from his angle to determine where to warp you. But on the GameCube builds, this address is too far away from the entrance table, so there's no glitched entrance value that will read from it. It's unclear right now whether or not there is any viable way to achieve an entrance chaining effect in Master Quest.

Do F Boots crash as adult on Wii U?
MrCheeze 2020-09-26 | Well yes, but actually no.
On N64 and Wii, deku stick as adult crashes the game immediately, due to trying to draw invalid display lists. On Wii U, it doesn't crash at all.
Turns out, the reason F boots crash as adult is also because of invalid display lists - adult link (but not child link) is coded to render whatever boots he's currently wearing. So it's natural to wonder if Wii U prevents this crash as well.
Turns out, it does and it doesn't. Sometimes it crashes instantly, sometimes you can actually use them for a short period as shown in this video. But the game is extremely unstable in this state, so this isn't usable for any practical purpose.