Direct Messages - SMB1 ACE

Direct Messages

SMB1 ACE

Lain added Kosmic to the group. 2025-12-25 17:46

Lain added Simplistic to the group. 2025-12-25 17:46

Is this the -1 hate club?

Yes

yes

I drove myself a little crazy trying to figure anything out..

The situation with the triple koopas is so infuriating

i did make some little hack where i just dropped the -1 level data into.. i like 1-3, so i could look at the spawns in smbutil. not sure if that would be useful. but, i didn't find anything great in it.

https://tenor.com/qVLI3somcwo.gif

We tried the 2P vine glitch but it seems like you only get access to the last Bowser so it's a no go

there is another bowser later on, but it’s a little harder to spawn it in, and it’s a ways away

I wasn't able to get anything to load after that power-up spawns, is there a way to circumvent that?

there's a koop that spawns in off-screen, but doesnt clear its movement speed, so if you put it in a slot that has high x speed you can keep it spawned in to prevent all the slots from filling with things that never despawn

Oh that's an astute observation

still hard to do anything useful with it, especially with the time constraints.

312.66 KB

19:53

This is creepios tas that gets to the much later bowser

19:53

You have to cheat to make the igt timer not run out

19:54

If we get a timer extension glitch we could probably ace off him

19:54

Had a crazy idea of dying to stop time ticking but still surviving, if that makes sense. If you have infinite jump game genie code you can swim out of pits after dying

19:55

Make like, powerup "jump" out of a pit with the glitched mushroom... Which doesn't solve other problems but I'm curious if it's a thing

19:55

I guess mushroom disappears too high up for that

We tried to see if grabbing the flagpole then getting hit would cause the timer to stop ticking, it didn't

19:56

the timer would still decrement

Oh good thinking

19:56

Dang that's unfortunate

19:57

This is my list i wrote previously about all the ways it doesn't quite work

19:57

this is my list so far of our dilemma

Need 1 more
Bullet barely too late
Koopas barely too early
Normally could turn them around with damage… doesn’t happen underwater
Could turn them around by being on the right side of them when they land…. They are not high up. 
The goomba is…. Goombas dont turn around. 
Exactly 1 enemy too late, the buzzy beetle you can turn around
Bloopers could come down and turn koopas around but blooper is too late
Actually… enemies never turn each other around when underwater
Assuming this is done so bloopers dont turn cheep cheeps around
..is what i thought. But they never turn around regardless. Why???
Could do it later but run out of time lol
Could maybe do it with earlier firebar? But it’s actually not a full double firebar….
Could maybe turn enemies around with firebar glitch but firebar isn’t next to enemies on the ground
Test if COULD turn cheep cheep around…. But cheep is too slow lol!! Out of time
Hammer bros chase you after a while….. But NOT to the right!
Earlier bowser??? How close is that. Oh… powerup slot
Midway, different bowser?
If you could keep fire from midway with the vine glitch it’s possible (apparently?)
Killing bowser turns into a fireflower that hurts you lol??

Kosmic

this is my list so far of our dilemma

Need 1 more
Bullet barely too late
Koopas barely too early
Normally could turn them around with damage… doesn’t happen underwater
Could turn them around by being on the right side of them when they land…. They are not high up. 
The goomba is…. Goombas dont turn around. 
Exactly 1 enemy too late, the buzzy beetle you can turn around
Bloopers could come down and turn koopas around but blooper is too late
Actually… enemies never turn each other around when underwater
Assuming this is done so bloopers dont turn cheep cheeps around
..is what i thought. But they never turn around regardless. Why???
Could do it later but run out of time lol
Could maybe do it with earlier firebar? But it’s actually not a full double firebar….
Could maybe turn enemies around with firebar glitch but firebar isn’t next to enemies on the ground
Test if COULD turn cheep cheep around…. But cheep is too slow lol!! Out of time
Hammer bros chase you after a while….. But NOT to the right!
Earlier bowser??? How close is that. Oh… powerup slot
Midway, different bowser?
If you could keep fire from midway with the vine glitch it’s possible (apparently?)
Killing bowser turns into a fireflower that hurts you lol??

Yeah that's basically the same issues we came up with

alright everyone. It is time for the ACE video

14:10

@Simplistic @Lain how exhaustively did you test all your theories for getting it to work? For me the only way i really see it happening at this point is doing stuff to get different enemies to spawn. There seems to be a ton of entities around that second bowser

if we can get the firebar to spawn, or one of the koopas up in the sky, that should do it

Image attachment

14:22

these sky koopas (assuming they actually work? Are they value 00) come immediately before bowser in the list so that seems, like it should just work?? but idk

14:22

the lower one might not be 00. smb util says "koopa troopa (stomped)" (edited)

14:27

firebar seems impossible because the blooper and buzzy beetle come before it in the list

14:27

oh, is that why we can't get these other 2 koopas in the sky? Have to wait for the beetle to spawn and by then the screen is too far to load the koopas?

trying to turn the grey cheep cheep around by taking damage from this firebar, for the sake of testing

Image attachment

i dragged in HappyLee a little. he unfortunately couldn't figure anything out either. :) except that you can reach that first bowser faster without doing the floor clip by clipping through the flagpole. which is fine, we only need like an extra minute to try to reach the next bowser..

Kosmic

these sky koopas (assuming they actually work? Are they value 00) come immediately before bowser in the list so that seems, like it should just work?? but idk

depends on the order of the enemies, they can't spawn in when they would be on screen or very close to being on screen. so if their order in the enemy data means a later enemy has to spawn before them, there's a good chance they can never actually spawn.

Kosmic added KingOfJonnyBoy to the group. 2026-02-12 17:43

brought jonnyboy up to speed

17:44

Image attachment

Image attachment

Kosmic

@Simplistic @Lain how exhaustively did you test all your theories for getting it to work? For me the only way i really see it happening at this point is doing stuff to get different enemies to spawn. There seems to be a ton of entities around that second bowser

haven't done a more thorough deep dive by looking at the enemy list or anything, but none of the intuitive ideas got anywhere

these glitched objects in the sky. Noticed they look like a bowser hitbox. These don't happen to use the DuplicateEnemyObj function do they...?

they are from bowser afaik, but i couldn't see any way to get any use out of them. i didn't try too hard though.

i havent debugged in fceux enough. How can i put a breakpoint on DuplicateEnemyObj to know if it uses that function

look up the address, open the debugger, press "add" under the breakpoints on the right and write in the address and check "execute"

Image attachment

Image attachment

18:27

oh right, offset for FDS :D

it's A57D on FDS

yeah, should be, -$2000-ish (edited)

lst file for that version

1.23 MB

nice

oh do you have the smbutil compatible ROM on hand? just to save the hassle of having to port over the data myself

theres this, if it suits your needs. its just fds minus world in 1-1

1-1_minus_world.nes

40.02 KB

18:34

via creepio

great that works

Oh in actual gameplay it won't be good because of hard mode flagged enemies

18:35

But good for smb util

yeah that's fine, just wanted a visualization of the enemy list

18:39

"Koopa Troopa (green)" is the 00 we need, smbutil sorts the enemies by ID so it's the first one in the type list

Yeah I think those 2 koopas are impossible to spawn because they're after the buzzy beetle in the object list

Could someone explain to me how the floatey variable crash method works in 2j

threecreepio

look up the address, open the debugger, press "add" under the breakpoints on the right and write in the address and check "execute"

thank you for this explanation! And yeah I didnt know how to find the fds offset. Unfortunately that glitched object doesn't call the function

KingOfJonnyBoy

Could someone explain to me how the floatey variable crash method works in 2j

im not familiar with that. Is that the type of crash used in smb1 1-1 / 1-2? The "crashes" I know in 2j are entrance pointer glitches, or ace

Kosmic added 100th_Coin to the group. 2026-02-13 18:16

on the topic of "why does the third bowser turn into a fire flower when killed with fireballs?" in this instance, DuplicateObj_Offset is 05. inside BowserGfxHandler, we load DuplicateObj_Offset into Y, and lda Enemy_State,x sta Enemy_State,y, so now the item sprite slot's state is 20 There already appears to be an object that's an item, though it's not in slot 5. This runs PowerUpObjHandler, which runs GrowThePowerUp since the item slot state is now 20. This runs DrawPowerUp. So the sprite in slot 3 (or perhaps another slot? I reproduced this without using the TAS, so it might've been another slot. I still needed to cheat to increase the time limit though.) is running DrawPowerUp, which uses the X and Y positions of slot 5, since that's the powerup slot. So bowser is visually replaced with a fire flower. The object ID isn't changing.

21:07

in summary, bowser's second object is in the item slot. Killing him needs to set the state of the item slot, which triggers an existing powerup outside sprite slot 5 to run the subroutine for the item appearing. This causes the bowser half in the item sprite slot to visually be replaced with a powerup.

ah that makes more sense than my theory which is that the developers knew, and they hate me.

... still plausible

Simplistic

haven't done a more thorough deep dive by looking at the enemy list or anything, but none of the intuitive ideas got anywhere

I have it written down in my notes that ACE would be possible if you could have fire starting from the midway. Could you elaborate on that? Is that with growing the vine, or something else? Also, I've heard you can spawn a mushroom with the vine corruption stuff. How exactly does that work?

18:16

Another thing. Let's say the koopa did turn around when we took damage from it, and we have the perfect conditions. Do we know what ACE would look like from there? The situation is a bit different from 2j, like we dont have a moving poison mushroom and moving platform and all that. But I also dont know all the methods to ACE in smb1, maybe it's pretty straightforward with L+R. I was interested in making a TAS of what this would look like, with just 1 game genie code that lets you turn enemies around underwater

Kosmic

Another thing. Let's say the koopa did turn around when we took damage from it, and we have the perfect conditions. Do we know what ACE would look like from there? The situation is a bit different from 2j, like we dont have a moving poison mushroom and moving platform and all that. But I also dont know all the methods to ACE in smb1, maybe it's pretty straightforward with L+R. I was interested in making a TAS of what this would look like, with just 1 game genie code that lets you turn enemies around underwater

It would definitely be a bit more work. In part because there aren't as many enemies nearby to mess with, but also that we can't just increment OperMode and have the disk load take care of fixing everything up. I can try to make some TAS version that does something with a GG code..

this game genie code does it, I just didnt know how ace works from there

Image attachment

what would BRK do in the FDS version? I haven't looked into how the FDS works yet, but I see the BRK vector is still $FFF0. I assume that would end up somewhere in the FDS BIOS?

yeah we looked at that, seemed to work similarly to 2j

1

the upper 2 bits of RAM address $0101 tells the FDS BIOS how to service an IRQ request. the default value set by the BIOS on power on and reset just acknowledges the IRQ and delays before returning, and FDS SMB1 sticks with this default handler so BRK would just be a fancy 2 byte NOP

1

Okay cool. I was about to explain how a jump to address $FFF0 would run into an RTS (rather than an RTI), but it looks like that's not going to happen. (edited)

Kosmic

I have it written down in my notes that ACE would be possible if you could have fire starting from the midway. Could you elaborate on that? Is that with growing the vine, or something else? Also, I've heard you can spawn a mushroom with the vine corruption stuff. How exactly does that work?

re the first thing, as I understand it's just the 2p vine glitch letting you get to a later bowser. the object data pointer gets offset enough so that you're at the 2nd bowser right after the castle

hmm ive been trying the vine from both the beginning and the midway but not seeing that result

19:15

there a bunch of koopas at the castle, and you can do the first half of ace with the usual same bowser after the castle. But a little after that i get a bunch of invisible glitched objects and all the slots get full

19:15

oh I suppose those are probably the usual same glitched ones that creepio used the invisble koopa + platform ride to despawn

19:15

i see

19:17

looks like everything comes like 14 pages earlier?

19:19

i dont think this would make the later bowser possible but idk

19:20

well, the later bowser normally is on page 53. Starting from the midway you can get to like 41 or so, so i guess it could be if all the stuff didnt clog up the slots

19:20

maybe im still misunderstanding it though

yeah getting there with any speed without filling the slots is probably not possible

you'd also need to haul a green koopa over while still being able to free a slot for bowser, which doesn't sound very fast

iirc there was a parakoopa that could spawn in that you can shoot and have survive long enough to still be loaded when that bowser spawns in. but, if you can actually get it spawned if you got there legitimately somehow, i don't know

oh right there is a side to side parakoopa, i thought it was just the stopped one that spawns a red shell when you kill it fsr

threecreepio

yeah getting there with any speed without filling the slots is probably not possible

Oh, so it wasn't a confirmed thing that spawning the vine would make ace possible if you could have fire?

21:44

Hmm maybe this was the status and I shouldn't have written down that it was actually possible

Image attachment

21:46

I think the 2 demos that could be fun to do a proof of concept tas of is if you could turn the koopa around with damage, and another where you had infinite time and did it off the later bowser

21:46

@threecreepio can you explain the invisible koopa that's in the floor? And how you got it to keep a certain amount of speed or whatever?

in case anyone wants to look for setup options, here's an example of getting the ACE with that $B8C3 = $80 cheat applied. just gets to the bowser and triggers ACE, doesn't actually do anything useful with it.

game_genie_ace.fm2

175.96 KB

I guess now would be a good time to ask what would be considered a valid game completion? Do we need to be at the end of 8-4, or just trigger the ending sequence mid-level? Since the ending sequence is tethered to the standard end of world logic, it seems a bit ambiguous

good question. the 2j ace doesn't end at the end of the level, and doesn't touch the axe.

My old stop n' swop ACE TAS simply sets the game to be in world 8 just before mario falls to the axe, which was much easier in N-2 since there's an axe right next to bowser. It would be near-impossible without total control to set up an axe for mario to land on in world -1 though.

#8197: OnehundredthCoin's NES Super Mario Bros. "Stop 'n' Swop arbi...

Submission #8197 from 2023-04-02

If we don't require 8-4, then it's like.. Not that different from minus world ending

well the 2j ace can do total control, it's just a bit finicky, so shouldn't be impossible to get working in a TAS at least.

1

But it is a weird situation

basically it really really wants to crash.. but in 2j you can keep staving it off. not sure how smb1 will affect that.. spr0 might make it harder.

One step at a time though. Before we figure out what to do with the ACE, I think we should get the PC in RAM without cheats first, then go from there. We're not certain what the limitations will be until we get something to work.

So close to working legit and yet so far

23:04

My two cents would be that an exploit would need to trigger the victory mode subs (with or without axe, 2j skips the axe anyway) and it needs to be world 8 so the proper text and music shows up, since I interpret the -3 ending as being a technicality of using bcs instead of beq for the B press part specifically

Oh man the floor tiles will change if we set it to 8. That'll be awesome

threecreepio

in case anyone wants to look for setup options, here's an example of getting the ACE with that $B8C3 = $80 cheat applied. just gets to the bowser and triggers ACE, doesn't actually do anything useful with it.

was bored so I made an example payload with this. staves off spr0 inf loop by putting bowser near the status bar, then disables spr0 hit detection, sets world 8, and triggers victory mode to beat the game

eeglua_ace_payload.fm2

267.18 KB

01:19

pretty much just the 2j tc method to allow for resetting timer control to buy enough time for the necessary writes

huh the bricks didnt change. I guess because theyre already rendered

01:21

did you have to stomp it rather than take damage to turn around?

01:23

cuz i think theres a world where enemies turn around underwater- it's kind of just a side effect that they don't because that code comes after the branch to leave to prevent stomping underwater. But now we're using a side effect of the game genie code to stomp them vs. showing off what could be if we were allowed to take damage to turn it around

01:23

i didnt think about how you take damage at the time of ace, so taking damage from koopa would kill you at ace..?

Kosmic

cuz i think theres a world where enemies turn around underwater- it's kind of just a side effect that they don't because that code comes after the branch to leave to prevent stomping underwater. But now we're using a side effect of the game genie code to stomp them vs. showing off what could be if we were allowed to take damage to turn it around

I just did that because creepio's tas did and I only modified the inputs as needed to set up the fireball X positions and write to memory after triggering ACE

Kosmic

i didnt think about how you take damage at the time of ace, so taking damage from koopa would kill you at ace..?

Pretty sure you could get away with being small at the time of ACE since the important thing is having the environment freeze so execution allows for using both controllers as part of an instruction

01:29

Damage scrolling to load bowser is just one way that can be done

oh! Okay gotcha

01:31

I didnt know the detail of how the damage triggered ace

I'm probably not the first person to discover this, but I just found out that you can extend the length of these "ropes" before the platforms fall. This likely won't contribute at all to running ACE, but I found it amusing and thought I'd share.

Image attachment

haha, nice find. Yeah here's a fun example related to that https://www.youtube.com/watch?v=V80S15o1kg0

[TAS] SMB2J 3-3 Vertical Screen Wrap Demonstration

YouTube video thumbnail

1

15:14

oh, hmm i guess that one isn't quite the same thing

15:14

misremembered

15:14

like sort of but not quite

15:16

these platforms might be one of the most broken things in the game honestly. Theres so much nonsense with them. The lengthening thing is shown for a couple seconds here along with a lot of other things https://www.youtube.com/watch?v=RC8JXFGcKY8&t=3m26s

The Craziest Glitches in Super Mario Bros.

YouTube video thumbnail

I'm currently attempting to get one of these platforms to reach their top speed, but even at the longest length I could get it, I still need it to fall for 13 more frames.

Image attachment

oh i see, to reach the new bytes

15:17

you might be able to get it with the inheritance glitch, ive seen them ZIP upward super fast. Not downward i dont think.. if that matters

1

yup. I'm pretty sure this code might be unreachable. I cannot feasibly see these reaching their max speed.

it's in that video at one point

Kosmic

you might be able to get it with the inheritance glitch, ive seen them ZIP upward super fast. Not downward i dont think.. if that matters

oh wait- that's 100% what I need.

15:18

specifically making them move upwards fast.

it's at 4:53, i think ive seen it zip up even more than that but see if osmething like that will work

Ngl it'd be cool to do like game genie ACE runs even if ACE isn't vanilla possible

Simplistic

was bored so I made an example payload with this. staves off spr0 inf loop by putting bowser near the status bar, then disables spr0 hit detection, sets world 8, and triggers victory mode to beat the game

ah smart!

Kosmic added Kriller37 to the group. 2026-02-19 17:08

hello!

Kriller!!!

Hello hello!

Inb4 Kriller cracks smb1 ace

I knew nothing about nothing, but just talked with kosmic for an hour or 2 and got a low down of the situation

19:10

shared ideas and such but nothing ground breaking

It is very funny how close it is and nothing works

Kriller had some good ideas I hadn't really thought of but to no avail

threecreepio

It is very funny how close it is and nothing works

yea it is wild

Kosmic

Kriller had some good ideas I hadn't really thought of but to no avail

what all was suggested? Just to catch the rest of us up on the new ideas.

we were talking about the second bowser, the one you can reach with time still on the clock that is just past those 3 koopas. kosmic was telling me we just need to keep a koopa loaded a little longer. My ideas were maybe you can get a lot of x-pos, take damage just before the koopa goes off screen, and maybe the koopa would stay loaded as the screen scrolls during the damage taking animation and then load the bowser? Also it would allow the screen to scroll while the koopa isnt moving further left

22:50

but that didnt work, the koopas still just unload when they go off screen

Ah. Clever idea though

then I thought you could fire ball kill the last koopa just before it goes off screen, if the shell could fly to the right during the dying animation and then run right and barely keep it loaded that way while we load the bowser, but it seems that the shell flies left always if you shoot if from the right side (tried L+R fire balls too and didnt make a difference)

22:52

and then kosmic hacked the direction of the shell after the kill to be towards the right, and even with that hack it doesnt seem very close

22:53

and obviously you could combine these ideas too but it really doesnt seem to be very close

yeah even if you stomp the last koop on the first possible frame with the GG code i think it unloads too fast after exiting the screen, have to have it walk right a little bit.

dang

100th_Coin

what all was suggested? Just to catch the rest of us up on the new ideas.

I also had the thought to try using the long firebar instead of bowser for the first overflow glitch, then we could keep slots more full. But bowser is of course listed before the long firebar in the object list, because every useful object has to be out of order

dang

You can get the retainer object after the first bowser to not spawn, but that is kinda counterproductive. Again, everything that can spawn already does, the 50 other things can't spawn because of spawn order

btw the idea of turning enemies around with firebars has been tossed around, but that doesn't seem to work? Taking damage from a firebar can make enemies face left/right but it doesn't seem to change their x speed

yeah it just makes them dance a bit

okay

14:28

actual closest breakthrough yet

1

14:28

standby

Kosmic will send the video, hopefully this will be interesting, I finally had a good idea for a change.. you can't turn a goomba, but.. (edited)

Behold.

2

woah

Huh what

quest_2_minus_world_ace_crash.fm2

127.14 KB

whoa

you can't turn goombas around... but you can beetles, and goombas are beetles in quest 2.

1

17:26

still no green koopa on screen. Not sure if it leads anywhere. But it's a lead!

this is quite a lead

17:32

FCEUX, please.

Image attachment

oh i forgot i started from savestate, i was thinking i didnt

17:33

uhhh

17:33

ill splice two tases together for you

1

17:36

that one also used a cheat to make it quest 2, so ill just make a full proper playthrough for 6.5 minutes real quick

yeah, I ran the TAS and saw the goomba spawn

oh, did it actually work from a savestate outside of the tas editor?

17:37

like is the savestate encoded in the fm2?

1

it works outside of TASeditor, yeah. Though for tracelogging purposes, it's nice to have the TAS editor.

17:39

mostly so I can frame rewind and step ahead at any pace.

and yeah, it's easy to crash it that way, but it's not enough to trigger ACE so far at least

17:40

if we could reach the next bowser we'd have an extra slot filled

17:40

but we can't :D

So to trigger ACE, we need a koopa, or something, right?

17:40

What actually causes the crash? That's what I wanted to tracelog.

yeah, the duplicateenemy-whatever-code wants to place a value in enemy_flag, $80 | bowsers_slot. it places it in the first 00 byte it finds from the start of enemy_flag. if all the flags are filled it just runs off looking for the next 00 in memory to replace. and the green koops are 00.

17:43

so it replaces the enemy id of a green koop with $84, which is a little too high for an enemy_id and that places it at a bit of code that is trying to check the timercontrol, and interprets that as its indirect jump location. and right after the timercontrol is a couple of mirror values for joypad inputs used by the menus.

Right, I remember most of the route hunting in SMB2J.

so when theres no green koopa, where does it land and why does it crash

for all we know, this could still be exploitable.

i think creepio has looked at it before, but we'll still look of course

yeah i did look at it before, was a bit ago.. from what i recall it wasn't very useful.

17:55

the memory area after that is the entity states, anyway (edited)

The first 00 byte it can possibly take at this point is the one from Player_State, if you're grounded. Even though that value is used for a jump table, the only value that would read out-of-bounds is 84 and that just takes you to $2060 (edited)

That seems pretty significant. Jumping to the PPU registers is not nothing. Any idea what the PPU open bus value will be when we read $2060?

18:00

It's also worth noting the FCEUX does not properly emulate reads from address $2004, and its mirrors. (edited)

Minus_World_Quest_2_ACE_Crash_FULL.fm2

659.87 KB

1

18:03

took a sec to get it sync'd up

18:03

it's always fun when one tas has player 2 inputs enabled and the other doesnt

18:03

you get to drag the cursor over a few thousand lines and insert characters

100th_Coin

It's also worth noting the FCEUX does not properly emulate reads from address $2004, and its mirrors. (edited)

so if we do end up executing code at $2060, assuming we end up reading $2064 and it's not the operand of a NOP instruction, or some other insignificant operand, we won't be accurately emulating the outcome.

100th_Coin

That seems pretty significant. Jumping to the PPU registers is not nothing. Any idea what the PPU open bus value will be when we read $2060?

is there any way I'd be able to figure that out from the Mesen debugger? not well-versed with PPU open bus

Simplistic

is there any way I'd be able to figure that out from the Mesen debugger? not well-versed with PPU open bus

PPU open bus is really simple. Whatever value was most recently written to a PPU register will be the value you read back. Or if the CPU reads from $2007, the open bus value is the buffer value that was read. (edited)

hmm, if that's the case I believe Mirror_PPU_CTRL will be the last value written to the PPU before the game loop?

I have no idea what the most recent write to a PPU register would be. There's a lot of reads from $2002 waiting for the sprite zero hit, then presumably writes to $2006 to update the scroll

18:09

If rendering is disabled during the writes to $2006, then there would need to be another write to $2001 to re-enable rendering. (edited)

It seems like this bit runs unconditionally on every NMI, just before JSRing over to the operation mode jump table

Image attachment

Let me log that under normal gameplay to see what the value of Mirror_PPU_CTRL_REG1 would be

18:14

10

18:14

So if that's the value read by $2060, that's a BPL instruction, and now we need to know the state of the CPU's negative flag.

18:15

anyway, let me just run the TAS and see what happens (edited)

18:18

ah, this seems to crash because sprite zero's OAM data was overwritten

18:21

c856984567 A:58 X:DC Y:00 S:F0 P:nvUbdizC $D2AE: 99 00 02 STA $0200,Y @ $0200 = #$18

18:22

~~no wait- that's setting that up properly.~~ No- FCEUX's logger is different than what I'm used to. This is in fact overwriting $200 with 58. it used to be 18 (edited)

18:28

let's see why DrawSpriteObject is running with Y set to 00

18:29

Y was F8, then this runs

tya                        ;add eight to the offset in Y to
clc                        ;move to the next two sprites
adc #$08
tay

18:32

It's weird that the game would let Y overflow there and overwrite sprite zero. Anyway, this crash is not jumping to RAM or anything, so I don't think it can be exploited. I'm gonna get dinner then play around with this some more.

Quest 2!!

Kosmic

Behold.

100th_Coin

ah, this seems to crash because sprite zero's OAM data was overwritten

ah.

100th_Coin

So if that's the value read by $2060, that's a BPL instruction, and now we need to know the state of the CPU's negative flag.

N flag is guaranteed to be clear from JumpEngine

Simulating the conditions on Mesen, it seems like execution ends up at $FD91 and at some point along the way it hits a STP instruction :(

18:57

I am testing with the 01A revision FDS BIOS though, maybe the ROM is different on another version?

Simplistic

N flag is guaranteed to be clear from JumpEngine

okay, so then we branch to $2072, reading from the PPU flags. If this is still in VBlank, we'd run BCC, otherwise, BPL again. Regardless, I think we end up executing $20x4, at which point we read from the OAM buffer that FCEUX is emulating incorrectly. (edited)

Does bizhawk emulate it correctly

yes

19:06

well- not entirely. I made a test to verify if it reads the correct value on every ppu cycle of a scanline, but the parts that bizhawk gets wrong would be exclusively if rendering was enabled when reading from $2004. I assume this would be read during vblank, which bizhawk does get correct. (edited)

Simplistic

I am testing with the 01A revision FDS BIOS though, maybe the ROM is different on another version?

That brings up a good point, what happens on Rev 0?

Tbf I'm not sure if the way I tested would even represent the OAM buffer as read in a TAS, for example. Pretty confident that it'll end up at $2084 regardless, since rendering will have started well before the game loop runs

oh- if vblank ends before that runs, then there's a chance bizhawk will also be emulating this wrong.

19:12

Okay, another concern with address $2004 is that the value being read has cpu/ppu alignment differences, with one of the alignments potentially introducing random bit flips. So this is absolutely not the desired solution for an ACE exploit.

Oh I made a pretty substantial mistake, the savestate I was using before had the Bowser at a different location so Mirror_PPU_CTRL was 0x10, in actuality it's 0x11 for our scenario

19:20

Though it did end up at $FD91 again

there's something beautiful about the bloober sprite turning into a shell when it crashes. :)

Image attachment

Woah what the

19:47

Why does that happen?

think that enemy_state that got written to it was the 'demoted' state for koops

Presumably for the same reason Sprite Zero is overwritten.

100th_Coin

Okay, another concern with address $2004 is that the value being read has cpu/ppu alignment differences, with one of the alignments potentially introducing random bit flips. So this is absolutely not the desired solution for an ACE exploit.

does this mean like it's dead, or it's just not ideal but can be looked into more? Might be the only exploit we've got

It can work, but would be inconsistent on real hardware

is it due to starting state, or just tiny differences in real time cycles or?

I would need to know a bit more about the exact timing for the reads from $2004. It might still be consistent if we're reading in the middle of OAM2 init

12:56

Right, when you power on the console, the CPU and PPU clocks are effectively in a random state. There are 12 master clock cycles per CPU cycle, and 4 master clock cycles per PPU cycle. The CPU and PPU clocks or not necessarily lined on up the same master clock cycle, for instance, a PPU cycle can occur 0, 1, 2, or 3 cycles later than the CPU cycle. We call this the "alignment" between the clocks. Since the PPU is running separately from the CPU, and it does a bunch of behavior both when the ppu clock goes low and when the ppu clock goes high, there are certain side effects surrounding reads from ppu registers that have alignment-based results. Reading from $2004 is mostly consistent, but on a single alignment you appear to read the value from the OAM buffer a ppu cycle earlier than the other alignments, relative to the start of the scanline. In english, there's a 1/4 chance this clock alignment can affect the value read from $2004. That being said, there's a decent window during a visible scanline in which the oam buffer will have a known value for 64 ppu cycles in a row. If we read from it within that range, we don't need to worry about this at all. (edited)

ok awesome, thanks for the explanation

12:58

if the worst case scenario was it did lead to successful ace but only worked on real hardware 3/4 of the time i think that'd still be a huge win. Or even if it only worked like 1/12 of the time haha

1

and then depending on how OAM Evaluation goes (what sprites will be drawn on the following scanline), there's another ~64 ppu cycles in a row with a known value. Fewer cycles in a row the more objects are on the next scanline.

12:59

and then finally a single problematic ppu cycle, followed by 19 more ppu cycles in a row after that which are good.

13:00

basically, we have about 40% of the ppu cycles that are fine.

13:02

but yeah- if I can get a log of the jump to $2060, then I should be able to tell what ppu cycle each of the reads are occurring on.

100th_Coin

but yeah- if I can get a log of the jump to $2060, then I should be able to tell what ppu cycle each of the reads are occurring on.

what do you need for this? Accurate emulator?

Any log that also prints how many ppu cycles into the frame this is. Can FCEUX do that?

13:06

I think simplistic was saying that it would run on a visible scanline? If this is still occurring in VBlank, then FCEUX might even be emulating it properly, but I'd have to check.

is this ppu number what youre looking for

Image attachment

13:08

this is not the same moment it's something else random

oh, okay, so FCEUX is not handling reads from $2004 properly, even with rendering being disabled.

2: Reads from $2004 should give you a value in OAM, but do not increment the OAM address.

Image attachment

just put a break point on a random code

13:09

gotcha

scanline 33 Pixel 75

This is during the read to the mirror of $2004? I think Simplistic said it would read $2084, but I'll need to check

13:10

yeah, $2084

13:11

can you put a breakpoint on reading $2084? Possibly even executing that address, if FCEUX doesn't consider executing it to be reading it.

100th_Coin

scanline 33 Pixel 75

This is during the read to the mirror of $2004? I think Simplistic said it would read $2084, but I'll need to check

this was something completely random

ah

ok so breakpoint on 2084 and then first frame it crashes?

I would assume those would be the same frame? Just the ppu numbers like in the above image on the read from $2084

13:15

If it crashes later, that's not super important to me right now.

it's not breaking on reading or executing it

is this with the ACE exploit? It wouldn't read that under normal play.

this is with the buzzy beetle 2nd quest crash

I wouldn't be able to test anything right now, but if anyone has a TAS and wants to test what happens after execution goes to $2060, you just need to load the 2nd bowser while grounded, make sure you aren't loading during damage scroll since that overwrites the player state

oh ok il be grounded

13:17

woah lol

Image attachment

1

If $2084 isn't executed try $2064, I think PPU open bus is actually 0x11 because I did my initial testing from a vine glitch save state where Bowser was displaced from his normal location (edited)

oh right. Try $2064

it didnt hit the breakpoint

13:18

oh now it did

13:18

on execute, not on read

1

13:19

Image attachment

if ppu open bus is $11, that would run ORA ($0011), Y

13:19

That's looking good.

Image attachment

13:19

oh no wait- 234

13:20

even bizhawk gets that range wrong

13:20

and mesen

is there an emulator you know i can run this test with

13:21

can accuracy coin do this log

haha

I'd have to look around. My current plan B is to implement FDS support into my emulator.

ahh

I mean- I could probably fix it in bizhawk. I know what the issue is.

i have to get writing the script for my video, have to have this thing out in 2-2.5 weeks. Any progress can always be tacked onto the very end, thankfully. But yeah for anything to be included in my vid at least, hopefully it can be figured out soon!

Could keeping fire or crouching entering the crash result in PPU execution occurring at a better point in the scanline?

13:25

Since either action would probably entail a slightly different code path prior to trying to handle movement subs

this is the range that both mesen and bizhawk are getting wrong, from whenever the OAM Address overflows (in the provided screenshot, it's pixel 200) to 256. Basically, in the correct results, every other ppu cycle is reading FC from the last value OAM2, but both Mesen and Bizhawk are reading the first value of OAM2. That's probably a single line fix. Also, the fewer objects there are on the following scanline, the larger that range will be, since the OAM address will overflow sooner. (edited)

Image attachment

13:30

let me fix this in bizhawk and then try it there. That would be easier than implementing FDS into my emulator, heh.

somehow everything always seems to come back to CPU/PPU alignment.

the more you look at this console, the worse it gets. (edited)

14:01

on my console, the singular alignment where you seemingly read from the OAM buffer early also has a bunch of bit-flips in the reads from $2004.

14:01

not every console tested has the bit flips though.

14:02

we've tested 2 consoles. Not a great sample size, but the fact that they both act differently is...

fun

14:03

we also tested a console with a pre-G ppu revision, which can't even read from $2004. Oh yeah- some console's can't even read from that register, and presumably just get the PPU open bus.

14:03

I forgot about that entirely... this might be worth looking into.

have you checked punes? i know it had some situations where it at least handled CPU/PPU alignment better than Mesen.

14:04

but then it has other issues afaik.

puNES seems to have failed to run my sync routine properly, and the data is off by a few ppu cycles.

14:05

though, looking at the results, it still wouldn't have passed even if it did sync properly

14:05

the part of sprite evaluation where the shifters get set up has some incorrect data in it.

i know both mesen or bizhawk have some alignment where it breaks, but, never looked too much into why exactly.

14:07

would be nice to get that fixed. maybe it's fixed in Mesen2 i have no idea.

Simplistic

Could keeping fire or crouching entering the crash result in PPU execution occurring at a better point in the scanline?

this time i just walked into the crash with fire mario

100th_Coin

we've tested 2 consoles. Not a great sample size, but the fact that they both act differently is...

fun

thats crazy it could work on some consoles and not others lol

Do you have a TAS that starts at power on and eventually runs $2064?

a tiny modification to the one from earlier will do that, ill send it over

1

Full_Game_2064_crash.fm2

654.44 KB

1

14:34

sorry it took me a bit to get around to it

all good. I should be able to run this in bizhawk

the current build of bizhawk fails to load the FDS.

Image attachment

14:56

I'm gonna lose it

14:57

I spent like- 30 minutes struggling with some github issue, and I can't even run the FDS game. I really hope this isn't something I accidentally caused in an earlier PR.

huh, weird. I have old versions which load it

15:02

is that regular smb1-J

yeah, I think I made changes to how APU registers work and that probably broke this.

okay, I have fixed the issues in bizhawk, FDS is working again and the $2004 stuff has been fixed too. (edited)

15:44

Pull Request made.

15:44

time to run that tas

kosmicGO

15:48

legend (edited)

the TAS desynced in bizhawk in 8-2 because of a coinflip with a koopa. I just had mario not touch the koopa and we're so back. (okay, he hit a hammer bro in 8-3 as I was typing this, but this one will probably be an easy fix too.)

15:56

unreal cheep cheep due to the different RNG

Image attachment

huh, why is it different

FCEUX seems to take less time to load the disks

why does that change rng?

good question. I had to remove a few frames to make it pass 1-1, assuming that it was all synced up just right. It's possible that it was still out of sync, despite seemingly working fine

16:08

sloppy bizhawk resync

Full_Game_2064_crash_Bizhawk_Resync.tasproj

506.68 KB

16:12

the bizhawk tracelogger seems to dislike this.

2064:  18        CLC             A:20  X:00  Y:0A  SP:F5  P:21  nvTbdizC  Cy:859112061  PPU-Cy:19332
2066:  A0 FF     LDY #$FF        A:20  X:00  Y:A0  SP:F5  P:A1  NvTbdizC  Cy:859112063  PPU-Cy:19338

CLC isn't a 2-byte instruction, yet it seems to skip address $2065. Let me run bizhawk from visual studio with some breakpoints set. (edited)

16:15

okay, in reality, this is A0, an LDY #Immediate instruction.

16:15

hence why the Y register is changing from 0A to A0. that was subtle.

Here's the log in bizhawk, omitting the BRK routine.

7.47 KB

16:26

the RTI at address $2073 is due to the sprite zero hit flag being set. I highly doubt we could set the sprite overflow flag by this time, but that would let us run an RTS

16:26

let me figure out where that RTS would lead...

16:33

that would RTS to $9136.

16:36

that would lead to SizeChk in PlayerCtrlRoutine. let me see what else is on the stack at this point, where will the next RTS lead?

16:40

$8EFE inside GameCoreRoutine, and we have returned to the main game loop.

16:42

I'm gonna need to figure out all those ??? instructions that bizhawk annoyingly chooses not to log. If we can control the A register through some wacky means, that crash at $8E68 could be potentially avoided.

looks like mostly some shifting instructions, + of course 42 which will halt.. the X2's are not fun instructions.

43 B3 is SRE ($00B3, X). that instruction is guaranteed to clear the negative flag. dang. (edited)

16:49

no wait- it's not like LSR

16:49

there's an EOR after that

16:49

so it's not guaranteed.

16:50

the result of that will always be positive, so the only way the EOR results in a negative number is if A was already negative.

16:50

I think I'm doing something wrong with my math, since that appears to be the case (edited)

16:50

oh- I have it backwards. it is setting the negative flag, so the BMI is taken. (edited)

16:51

oh, and if the branch doesn't get taken, it's another unavoidable crash.

16:51

61 b8 62 (edited)

I'm not going to say this is a dead end just yet, but this isn't looking super promising.

hey at least this has a lot of fun rabbitholes

I don’t know why I just had this revelation at 3 in the morning, but the address $2064 situation is absolutely not a dead end yet. The slightest change in whatever code runs before jumping there will result in a different sprite being evaluated during the read from $2004. If timed properly, we could potentially make it land on a sprite X coordinate and run what we byte we want. I’ll try looking into this when I wake up.

02:58

More likely though, a sprite Y coordinate. Since the PPU evaluates each object in OAM by checking if the Y coordinate is in range for the next scanline. (edited)

02:59

Since address $2065 and $2066 will be copies of the data from $2064, there’s not too many useful operands for a jump instruction… perhaps JMP ($6C6C) is useful?

03:00

Something to look into.

Dang. JMP ($6C6C) would jump to $3524.

11:29

which is the ppu registers again.

I was wondering if you could BCS $B0 to eventually make it to mirrored system RAM but I'm assuming a PPUDATA read would break that?

yeah. We would somehow need to keep branching backwards, despite $2002, $2004 and $2007 reads updating the PPU bus.

Okay, the values that we are most likely to read from $2004 are $FF (OAM2 Init, and Sprite Fetching), and the Y position of Object 63, which is address $2FC (OAM Evaluation will hold this value every other ppu cycle after the OAM address overflows. Additionally, if the following scanline doesn't have any sprites, the PPU Idle period (the final 20 ppu cycles in HBlank) will also read this value, since $2004 reads in that range read from the first index in OAM2). It looks like the blooper is the object being shuffled around into Object 63 in OAM, which could be pretty big if we can manipulate it's Y position. I imagine any amount of stalling will result in a different read from $2004 since the NMI occurring on different PPU cycles would result in the $2004 read landing on a different ppu cycle of a scanline. Plus tiny changes also change the contents of OAM, so we do have some potential here. (edited)

12:25

The question is what do we want to run here?

12:26

With the limitations of how executing code from the PPU Registers works, it's not the most flexible.

is it the blooper's Y position, or "High" Y position? Or both?

12:26

I want to share the range of possible values we can get it to

on screen position. 00 at the top, the number gets larger the lower it is. (edited)

Image attachment

not the high position.

1

A0 is the lowest it can be on screen, 20 is the highest it can be

I don't know exactly how the Y position of the blooper object translates to this particular OAM entry. we're looking at the tentacles of the blooper, which is 16 pixels lower than the top of it's head.

oh gotcha

So, presumably the range is B0 to 30? (edited)

12:31

and it was A0 when the jump to $2064 happened in the TAS you sent me. Which is in that range, so that makes sense.

let me see if it's 90 on this ram watch then

1

looks like it

Image attachment

it's 8F on the break point so easily 90 yeah

100th_Coin

Dang. JMP ($6C6C) would jump to $3524.

I cannot stress how unfortunate it is that this leads directly to another mirror of $2004.

13:10

It would be equally as unfortunate if it jumped to a mirror of $2002 or $2007, but any of the other mirrors and we could get another indirect JMP going.

13:11

The PPU Read Buffer ($2007) currently holds FF so that's useless.

you know, on that note, reads from $2007 while rendering is enabled is rather esoteric. Neither my emulator, mesen, nor bizhawk get it right. I just wrote a test for this, and now I gotta do a lot of research to figure out how I'm getting the results I am.

okay, reading from $2007 mid-rendering is really messed up, and there's a good reason no emulators right now do that right. I'm going to need to completely re-do how my emulator handles reads on the PPU. I don't even want to think about how I'd need to change bizhawk to implement this properly.

14:31

Basically, every time the ppu reads something, it needs to make two ppu cycles. The PPU reuses the lower 8 bits of the address bus for the data bus, so every read takes two ppu cycles. The first cycle uses all 14 bits as the address bus, and the second cycle uses the lower 8 bits as the data bus. So when you read from $2007, if you perform this read at the same time the ppu is using the lower 8 bits as the data bus, you read from a combination of the address bus and the data bus being used as a single address.

14:33

so reading from $2007 is significantly worse than reading from $2004. (edited)

Okay, even worse, reads from $2007 during rendering would likely have different results on different consoles. This is a complete disaster full of analogue behavior.

Kosmic added SBDWolf to the group. 2026-02-24 18:50

heard interesting stuff was going on here sbdEyes

sbdEyes

Haha

@100th_Coin wolf might want the bizhawk version of the movie you made

SBDWolf

heard interesting stuff was going on here sbdEyes

sbdEyes

yeah calling in the ace avengers

should I zip it, or send the source code. The PR hasn't been merged yet.

oh right. FDS is broken on the current build

are you using a custom fork of bizhawk for this?

This was just the most recent dev build, but I changed 3 lines. (edited)

fine either way for me, i can build it if necessary

19:07

gotcha

https://github.com/100thCoin/BizHawk/tree/OamBuffer2004Fix

GitHub - 100thCoin/BizHawk at OamBuffer2004Fix

BizHawk is a multi-system emulator written in C#. I've added the ability to load roms without clearing RAM in the middle of a TAS. - GitHub - 100thCoin/BizHawk at OamBuffer2004Fix

19:09

It sounds like you are partially caught up? Especially if you know about the fork I made, heh. This was mostly made to fix the reads from $2004, since bizhawk was getting that ever so slightly wrong. The issue with the reads from $2007 is a bit more intimidating to fix.

kosmic filled me in a bit, yeah. seems like this is jumping to the PPU registers area? looks very complex to work with

that's the current lead, yeah. A jump to $2060.

19:13

Which will read $2064 as an opcode. That's the most exciting part, but I don't know what all we can do with that. 60 40 and 6C wouldn't be helpful. Kosmic made a TAS, which ended up running RTI at some point, though that eventually crashes while executing some level's tile data. (edited)

$2064 is PPUCTRL, right?

OAMDATA

19:16

If you need a refresher on how reading from $2004 works while in the middle of rendering a visible scanline, let me know, because I very recently did a LOT of research into this.

SBDWolf

$2064 is PPUCTRL, right?

oh goodness i made the rookie mistake on counting in decimal notation here lol

100th_Coin

If you need a refresher on how reading from $2004 works while in the middle of rendering a visible scanline, let me know, because I very recently did a LOT of research into this.

what i have to work with for this register at the moment is what's written on the nesdev wiki, i'm not sure i ever tinkered with it much. i'll ask if i have any questions, thanks

1

19:21

oh, i guess i need the actual movie file too, if you've modified the inputs from the fceux version

Full_Game_2064_crash_Bizhawk_Resync.tasproj

506.68 KB

1

100th_Coin

If you need a refresher on how reading from $2004 works while in the middle of rendering a visible scanline, let me know, because I very recently did a LOT of research into this.

To simplify, reading from $2004 when rendering is enabled on:

Dots 1 through 64 of a scanline will always read $FF. (Secondary OAM initialization)
Dots 65 through 256 will read from the "OAM Buffer" (OAM Evaluation)
    - Odd ppu cycles set up the OAM Buffer with the value read from Primary OAM.
    - Even ppu cycles write the OAM buffer to secondary OAM (even if the object isn't in range of this scanline) unless:
        - The OAM Address has overflowed, in which case even ppu cycles will now read from secondary OAM.
        - Secondary OAM is full, in which case even ppu cycles will now read from index 0 of secondary OAM.
Dots 257 through 320 read from the "OAM Buffer" in an 8 cycle pattern: (Sprite Fetch)
    - There are $20 bytes of secondary OAM. Starting at index 0, these cycles will all read from secondary OAM.
    - the secondary OAM address is incremented after the read on cycle 0, 1, 2, and 7 of this 8-cycle-pattern.
Dots 321 through 340 (and dot 0 of the following scanline) will read secondary OAM, index 0. (Idle)

The most important thing to note is that it's fairly common to read the Y position of the final entry in OAM. (set by the blooper in that TAS) The OAM address is going to overflow long before dot 256, making reads from the final object's Y position more frequent. (The fewer objects there are on the scanline, the sooner the OAM Address will overflow.) We're certainly not guaranteed to read from that object's Y position every time we read from $2004, but it's more common than you'd think. Something like 40%. (edited)

okay interesting, thanks for the breakdown. aside from various jump opcodes, i have a few other far-fetched ideas for what could be done with this:

what happens if the code just rides this whole registry area and open bus and reaches $6000? that's a pretty unique case, but iirc battletoads's credits warp works by going through open bus and eventually reaching ROM space again, where the first thing it executes just so happens to be the credits.
could it be possible to execute some opcodes that write to $6000 or close to its vicinity to write a payload in that area of memory and then execute that?

(edited)

unfortunately, I don't think it can reach open bus. If it ever reads PPUSTATUS as an opcode, the result is 40 since the sprite zero hit flag is set. RTI.

19:50

writing to $6000 would be pretty cool though

hm, okay bummer. i guess with this lead then there'd be no way around quickly jumping out of that memory area

19:53

certainly very challenging. iirc i found a similar exploit in castlevania 1 at some point that jumped to the PPU registries area, couldn't come up with much from that

It's worth noting that the first time we read PPUDATA ($2007) we will read $FF from the buffer. Any further reads from $2007 are... tragically difficult to properly emulate, as analogue behavior starts to ruin things.

i see

$2007 was certainly not meant to be read in the middle of a visible scanline.

one more thing, you said that an RTS wouldn't be helpful. is it because it would immediately crash, or would it be able to run some code after that RTS?

Let me double check. I think it just returns to stable code.

where i'm getting at is, would it be possible to perform some kind of write to some area of memory after where the RTS would return to, then execute said RTS?

19:57

so basically, preparing some payload in the area that the RTS would lead to

19:57

maybe RTI could be useful too in that case

100th_Coin

Here's the log in bizhawk, omitting the BRK routine.

Here's the log from the TAS (omitting all the code between BRKs and RTIs

19:59

oh right, reading $2002 affects the ppu open bus, so reading $2003 as the opcode can also be an RTI (edited)

19:59

granted, $2002 only affects the upper 3 bits.

20:01

That's why the read at $2062 wasn't an RTI.

20:07

RTS leads to $9136 (stable code) (edited)

i see. i did manage to get that bizhawk fork built and the tas running here too

1

20:12

can't easily see that state of the stack but another option could be to PLA/PHA and then RTS in hopes of jumping somewhere else?

20:12

i see this starts out with a $20 in the accumulator so probably not PHA unless you can change that

ooooooh. I mean- we're pretty much guaranteed to run an RTI. let's see what a PHA, PLA, or JSR $2020 would do to this

20:19

PHA ... RTI would return to $9135 (one byte earlier than the plain ol' RTS, since RTI doesn't increment the PC after running.) This runs 93 A0 01 AD 54 07 before syncing back up with stable code. PLA .. RTI would return to $FD91. Part of the FDS BIOS. JSR $2020 ... RTI would push 61 and 20 to the stack, then RTI would return to $3620 (edited)

20:19

let me check what would run in the BIOS at that address.

TXA or TYA into PHA then RTS might also allow getting to RAM since X and Y contain 00 and 0A respectively

20:20

certainly difficult to run that many specific opcodes in a sequence with this method though

100th_Coin

let me check what would run in the BIOS at that address.

SLO <$03
BRK
BRK
BRK
BRK
BEQ
BRK
BRK
CPX #$F0
BEQ

(edited)

20:21

Not sure if the BEQ would be taken or not (edited)

20:23

there's a dozen BEQs and BMI's, but if none of those end up branching anywhere, there's an RTS to $7D8E

dang

100th_Coin

Since address $2065 and $2066 will be copies of the data from $2064, there’s not too many useful operands for a jump instruction… perhaps JMP ($6C6C) is useful?

and i'm guessing this is the reason for why a JMP indirect is not useful here

100th_Coin

Dang. JMP ($6C6C) would jump to $3524.

^ it just jumps to more PPU registers

this memory area is starting to sound more and more like purgatory

100th_Coin

there's a dozen BEQs and BMI's, but if none of those end up branching anywhere, there's an RTS to $7D8E

hold on, I'm looking into what this would run. This is the middle of level tile data, not regular code

1

20:29

This would run a PHP before the first branch, so as long as none of these branches end up crashing, this is already a good start, heh.

20:31

okay, I have no idea how this will behave, let me just hex-edit the value in OAM to run this.

20:34

oh Whoops I forgot that if OAMDATA is a 1-byte opcode, we're gonna re run this opcode many times. I was way off.

6E1C:  6C 06 00  JMP ($0006)     A:20  X:00  Y:0A  SP:F5  P:21  nvTbdizC
2060:  11 11     ORA ($11),Y *   A:20  X:00  Y:0A  SP:F5  P:21  nvTbdizC
2062:  51 11     EOR ($11),Y *   A:20  X:00  Y:0A  SP:F5  P:21  nvTbdizC
2064:  18        CLC             A:20  X:00  Y:0A  SP:F5  P:21  nvTbdizC
2065:  68        PLA             A:35  X:00  Y:0A  SP:F6  P:21  nvTbdizC
2066:  68        PLA             A:91  X:00  Y:0A  SP:F7  P:A1  NvTbdizC
2067:  3E FF FF  ROL $FFFF,X     A:FD  X:00  Y:0A  SP:F8  P:A1  NvTbdizC
206A:  5D 7D 18  EOR $187D,X *   A:FD  X:00  Y:0A  SP:F8  P:20  nvTbdizc
206D:  FF        ???             A:1C  X:00  Y:0A  SP:F8  P:20  nvTbdizc
2070:  FF        ???             A:39  X:00  Y:0A  SP:F8  P:20  nvTbdizc
2073:  5F        ???             A:D8  X:00  Y:0A  SP:F8  P:A0  NvTbdizc
2076:  FF        ???             A:A8  X:00  Y:0A  SP:F8  P:A1  NvTbdizC
2079:  47        ???             A:60  X:00  Y:0A  SP:F8  P:61  nVTbdizC
207B:  47        ???             A:60  X:00  Y:0A  SP:F8  P:61  nVTbdizC
207D:  B0 B0     BCS $202F       A:60  X:00  Y:0A  SP:F8  P:60  nVTbdizc
207F:  1F        ???             A:60  X:00  Y:0A  SP:F8  P:60  nVTbdizc
2082:  5F        ???             A:60  X:00  Y:0A  SP:F8  P:60  nVTbdizc
2085:  F8        SED             A:17  X:00  Y:0A  SP:F8  P:61  nVTbdizC
2086:  F8        SED             A:17  X:00  Y:0A  SP:F8  P:69  nVTbDizC
2087:  47        ???             A:17  X:00  Y:0A  SP:F8  P:69  nVTbDizC
2089:  00        BRK             A:17  X:00  Y:0A  SP:F8  P:79  nVTBDizC
208B:  40        RTI             A:17  X:00  Y:0A  SP:F8  P:79  nVTBDizC
617D:  62        ???             A:17  X:00  Y:0A  SP:FB  P:AE  NvTbDIZc

20:34

Okay, that means that we got more options

20:35

PHP PHP ... RTI could do some damage

20:35

unlikely that $2004 will be read as 08, but just for research purposes...

20:39

okay, the RTI goes to $3131, runs RTI again, going to $FD91 ... ... ... it crashes at address $8EE5.

wow, dang

20:42

what about running the TXS opcode into RTI?

1

oh dang, how'd I forget about TXS

20:42

one sec, I'm trying PHA PHA first.

20:43

no wait- that will just go to PPU registers again. I'll skip that and try TXS, heh (edited)

yeah $2020 presumably

1

20:44

idk you always enter this state with these specific register values i suppose

well... I'm about to raise your hopes and dash them away quite expertly.

20:46

RTI leads to $AC35. A second RTS goes directly to address $0001

20:46

we're in RAM.

20:46

immediately into a JSR $5305.

20:46

open bus.

20:47

this then runs until $6000 and the game ~~reboots~~, gets stuck in an infinite loop. HA (edited)

20:48

Image attachment

20:48

if address $07 is something we can manipulate, maybe we can do something more exciting though. This is a crazy lead. (edited)

none of this is scratch RAM is it?

I have no idea what address $07 is used for. let me see what all writes to it

20:52

6E1A: 85 07 STA $07 A:20

20:53

no way. it's the jump table routine. (JumpEngine) (edited)

20:53

so that will always be 20... let's try changing $0005 into a 3 byte opcode...

20:54

the same subroutine heh

20:54

our best bet is to branch around this somehow

is it possible to make $0005 into a 1 byte opcode instead?

it's also set up during the jump table stuff taking us to $2060 (edited)

20:56

06E0A                           JumpEngine:
06E0A 0A                               asl          ;shift bit from contents of A
06E0B A8                               tay
06E0C 68                               pla          ;pull saved return address from stack
06E0D 85 04                            sta $04      ;save to indirect
06E0F 68                               pla
06E10 85 05                            sta $05
06E12 C8                               iny
06E13 B1 04                            lda ($04),y  ;load pointer from indirect
06E15 85 06                            sta $06      ;note that if an RTS is performed in next routine
06E17 C8                               iny          ;it will return to the execution before the sub
06E18 B1 04                            lda ($04),y  ;that called this routine
06E1A 85 07                            sta $07
06E1C 6C 06 00                         jmp ($06)    ;jump to the address we loaded

ah welp

20:57

seems like $0003 can only otherwise contain a $02 which is KIL (edited)

20:57

and i'm guessing $0001 is also probably fully consistent? (edited)

I'm taking a look

20:58

Ahhhhrg. I tried to copy the contents of the tracelogger and bizhawk crashed...

1

21:00

it happened a second time... Okay, I can no longer copy stuff from the tracelogger now for seeming no reason.

SBDWolf

seems like $0003 can only otherwise contain a $02 which is KIL (edited)

it doesn't look like that address is written to on the frame with the jump to RAM. What writes there?

i just consulted the RAM map on data crystal - facing direction

1

we could do l+r, right?

oh yeah L+R does give it $03 you're right

21:04

just tested it

not that a value of $03 would help...

21:05

that's still a 2-byte long instruction

and a SLO

nothing wrong with the unofficial instructions once you know how they work. As long as you aren't running one that crashes the CPU.

yeah, just this one doesn't seem very useful, right?

21:06

ASL + ORA basically

ah, I wasn't sure what you point was. But yeah, SLO isn't helpful here.

yeah, they can definitely be useful, think my first cv1 payload had some ISC's because i was extremely limited with the bytes i could use to manipulate the accumulator

21:09

regardless i guess this specific jump to RAM is unfortunately looking like a dead end?

OOohhhhh, that gives me an idea. you know- TXS isn't the only instruction to destroy the stack pointer. We can run SHS (opcode $9B)

21:11

Ahhhh, by what I can only assume is some sort of Egyptian curse I have, this results in setting the stack pointer to 00 just like TXS.

21:11

this instruction transfers A & X to the stack pointer, so that checks out if X was 00. (edited)

darn, if only only X was... literally any other value

8EF2: AE 53 07 LDX $0753

21:13

that's what most recently set X to 00

Wait, that's the current character

21:13

Will be 0x01 for Luigi (edited)

oooooooh

21:14

okay, before I get my hopes up, let me poke that value

21:15

we got another place in RAM

21:15

this is huge (edited)

21:15

$1AA9

$2A9 i think?

oh woah, hold up- we modified something important in the FDS. BRK is behaving differently now

21:16

every BRK seems to subtract $100 from the PC?!?!?!?!?!???!?!?!?!??!?!!?!?!?!?!?!?!?!

21:16

1EA1:  00        BRK             A:86  X:01  Y:0A  SP:01  P:F8  NVTBDizc  Cy:859112254  PPU-Cy:19911
E1C7:  2C 01 01  BIT $0101       A:86  X:01  Y:0A  SP:FE  P:FC  NVTBDIzc  Cy:859112261  PPU-Cy:19932
E1CA:  30 1E     BMI $E1EA       A:86  X:01  Y:0A  SP:FE  P:3C  nvTBDIzc  Cy:859112265  PPU-Cy:19944
E1CC:  50 0B     BVC $E1D9       A:86  X:01  Y:0A  SP:FE  P:3C  nvTBDIzc  Cy:859112267  PPU-Cy:19950
E1D9:  48        PHA             A:86  X:01  Y:0A  SP:FE  P:3C  nvTBDIzc  Cy:859112270  PPU-Cy:19959
E1DA:  AD 01 01  LDA $0101       A:86  X:01  Y:0A  SP:FD  P:3C  nvTBDIzc  Cy:859112273  PPU-Cy:19968
E1DD:  38        SEC             A:1E  X:01  Y:0A  SP:FD  P:3C  nvTBDIzc  Cy:859112277  PPU-Cy:19980
E1DE:  E9 01     SBC #$01        A:1E  X:01  Y:0A  SP:FD  P:3D  nvTBDIzC  Cy:859112279  PPU-Cy:19986
E1E0:  90 06     BCC $E1E8       A:1D  X:01  Y:0A  SP:FD  P:3D  nvTBDIzC  Cy:859112281  PPU-Cy:19992
E1E2:  8D 01 01  STA $0101       A:1D  X:01  Y:0A  SP:FD  P:3D  nvTBDIzC  Cy:859112283  PPU-Cy:19998
E1E5:  AD 31 40  LDA $4031       A:1D  X:01  Y:0A  SP:FD  P:3D  nvTBDIzC  Cy:859112287  PPU-Cy:20010
E1E8:  68        PLA             A:0E  X:01  Y:0A  SP:FD  P:3D  nvTBDIzC  Cy:859112291  PPU-Cy:20022
E1E9:  40        RTI             A:86  X:01  Y:0A  SP:FE  P:BD  NvTBDIzC  Cy:859112295  PPU-Cy:20034
1DA3:  00        BRK             A:86  X:01  Y:0A  SP:01  P:F8  NVTBDizc  Cy:859112301  PPU-Cy:20052

21:18

unfortunately, A=20, so I just realized unless X= $20, SHS will just do the same thing as TXS in the previous test. (edited)

21:18

we desperately need to move the stack pointer after this.

21:21

But you're right, this is OAM data before it crashes.

1AA9:  DD 03 A0  CMP $A003,X *   A:86  X:01  Y:0A  SP:01  P:F8  NVTBDizc  Cy:859112442  PPU-Cy:20475
1AAC:  F8        SED             A:86  X:01  Y:0A  SP:01  P:79  nVTBDizC  Cy:859112446  PPU-Cy:20487
1AAD:  DD 43 A8  CMP $A843,X *   A:86  X:01  Y:0A  SP:01  P:79  nVTBDizC  Cy:859112448  PPU-Cy:20493
1AB0:  F8        SED             A:86  X:01  Y:0A  SP:01  P:F8  NVTBDizc  Cy:859112452  PPU-Cy:20505
1AB1:  DE 03 A0  DEC $A003,X     A:86  X:01  Y:0A  SP:01  P:F8  NVTBDizc  Cy:859112454  PPU-Cy:20511
1AB4:  F8        SED             A:86  X:01  Y:0A  SP:01  P:78  nVTBDizc  Cy:859112461  PPU-Cy:20532
1AB5:  DE 43 A8  DEC $A843,X     A:86  X:01  Y:0A  SP:01  P:78  nVTBDizc  Cy:859112463  PPU-Cy:20538
1AB8:  F8        SED             A:86  X:01  Y:0A  SP:01  P:F8  NVTBDizc  Cy:859112470  PPU-Cy:20559
1AB9:  7A        NOP             A:86  X:01  Y:0A  SP:01  P:F8  NVTBDizc  Cy:859112472  PPU-Cy:20565
1ABA:  02        ???             A:86  X:01  Y:0A  SP:01  P:F8  NVTBDizc  Cy:859112474  PPU-Cy:20571

21:23

This would require some insane work, but in theory, OAM can be manipulated. (edited)

21:24

If we execute a single PHA or PHP, we should be able to smoothly execute beyond this point without decrementing the PC by $100 every BRK. (edited)

how would this relate with already having to set up OAM so that $2004 returns a TXS?

The actual contents of OAM are from the previous frame. By the time this runs, $200 will be filled with a new set of OAM data.

right, so hopefully it's possible set up two consecutive frames with the correct data i guess

there is a LOT of 02 in this OAM data...

21:27

palette 2 attribute data

mine field

if we could make a branch...?

21:29

Okay, we need to move the stack pointer by any means, and avoid crashing. Maybe a sprite Y position of $20? How far up do the bubbles move before disappearing? (edited)

$20 :)

21:30

that's where the water line is

as in, they get to hold the value $20, or do they die at $21?

          lda Bubble_Y_Position,x
          sbc #$00                 ;subtract borrow from airbubble's vertical coordinate
          cmp #$20                 ;if below the status bar,
          bcs Y_Bubl               ;branch to go ahead and use to move air bubble upwards
          lda #$f8                 ;otherwise set offscreen coordinate
Y_Bubl:   sta Bubble_Y_Position,x  ;store as new vertical coordinate for air bubble
ExitBubl: rts                      ;leave

oooooh

21:32

they all use 02 as their attribute byte, so we get to JSR to $0274. This fixes the stack pointer issue, but we are once again in OAM, so those $02's are still an issue.

21:36

the crash at $2BA is unavoidable, since princess peach is occupying that slot of OAM. Off-screen vertically at $f8 is a one-byte-instruction, CHR data of $7A is a one-byte instruction, and attributes of $02.

21:36

so we need a branch

21:37

okay, let me remove all the BRK routines from this log and see what we run before moving to OAM

21:38

oh wait a second- we only end up here because of reads from $2007, which I have determined bizhawk doesn't do accurately in this situation. (edited)

21:41

Since $2007 will (accurately) be read as $FF the first time, the ppu data bus will be FF, making it really difficult on us.

21:43

Image attachment

21:44

I do not think it's realistic to read 00 from $2087 or $208F in this situation

21:45

if only we could disable rendering...

21:45

then the reads from $2007 wouldn't be problematic

in theory the main thing that matters is *eventually* hitting an RTI right? idk how much chaos $2007 can provide before that happens

21:49

though analog behavior in general sounds horrible

1

The question is, can we even know for sure than an RTI would run. If we're relying on $2002 to make this work, the lower 5 bits of the ppu bus are going to be set by $2007

21:52

The only way I can imagine this working would be the absolutely nightmarish scenario of attempting to rely on a second read from $2004.

21:52

let me see how many ppu cycles pass between the two $2004 reads

hmm okay i see the issue

21:54

i guess this means that there's basically no avoiding $2007 then? since we can't jump, branch, or return in just a single instruction with $2004

99 ppu cycles pass. (We read $2007 a second time. it's the high byte operand of an ISC $--FF, X Let's just ignore this for now.)

SBDWolf

i guess this means that there's basically no avoiding $2007 then? since we can't jump, branch, or return in just a single instruction with $2004

not meaningfully at least

so if we read from OAMDATA on dot 245, the next read would be from dot 3, during OAM2 Init.

21:57

but if we could somehow delay it such that the first read is from the PPU idle stage, (on a scanline that determines there are no sprites on the next scanline) we could read $2004 from dot 79 through 99. If any of those have 40 in the OAM buffer, then in theory, it could be done. But this is such an unrealistic set up.

21:58

and I don't even know where this ends up... presumably address $0000 again, where we run into that JSR to open bus

21:59

The issue with moving the stack pointer to 00 (or 01) is that we run the risk of overwriting bytes used by the Famicom Disk System

22:01

[$0100]:    PC action on NMI. $C0 (NMI #3) on reset.
[$0101]:    PC action on IRQ. $80 (BIOS acknowledge and delay) on reset.
[$0102]:    RESET flag. $35 on reset after the boot files have loaded.
[$0103]:    RESET type. $AC = first boot of the game, $53 = the game was soft-reset by the user.

oh yeah

okay, screw it. Let's see what happens if we read all values 61 through DF from $2064. If any of these update the ROM data in a way that we can take advantage of. (edited)

22:09

or presumably, any indirect addressed opcodes

22:10

like- we could do ROR $6E6E (edited)

I need some way to automate this... (edited)

22:19

I forgot that FDS has no write protection so you can just overwrite any value in the ROM (edited)

Yeah if we can just write one byte at a time, reset, next byte.. build up a payload over a few hours..

currently modding my emulator to run every value possible from $2004 and output the result, heh.

so these are the bytes in the ROM we can mess with.

and what's the value that's getting written to them based on?

presumably read-modify-write instructions

22:48

oh no wait- I totally didn't initialize the registers for this test

22:48

good call

22:49

A = 20, X = 0, Y = 0A let me run this again real quick (edited)

22:51

6E : Write $37 to address $6E6E
6F : Write $1A to address $6F6F
7B : Write $50 to address $7B85
7E : Write $01 to address $7E7E
7F : Write $DD to address $7F7F
8C : Write $0A to address $8C8C
8D : Write $20 to address $8D8D
8E : Write $00 to address $8E8E
8F : Write $00 to address $8F8F
99 : Write $20 to address $99A3
9B : Write $00 to address $9BA5
9C : Write $08 to address $9C9C
9D : Write $20 to address $9D9D
9E : Write $00 to address $9EA8
9F : Write $20 to address $9FA9
CE : Write $5D to address $CECE
CF : Write $06 to address $CFCF
DB : Write $9E to address $DBE5
DE : Write $85 to address $DEDE
DF : Write $47 to address $DFDF

22:52

I'd have to do some more verbose logging if you want me to record specifically why the value is what it is.

6E6E: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L2431 7B85: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L4250 7E7E: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L4577 7F7F: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L4636 8C8C: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L5195 8D8D: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L5231 8E8E: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L5266 8F8F: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L5371 99A3: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L6742 9BA5: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L7018 9C9C: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L7168 9D9D: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L7301 9EA8: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L7470 9FA9: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L7658 CECE: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L14416 CFCF: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L14559 DBE5: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L16168 DEDE: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L16283 DFDF: https://github.com/threecreepio/smb/blob/master/smb1_fds.lst#L16331 not actually looked at what code is there, just figured i'd link them all

smb/smb1_fds.lst at master · threecreepio/smb

Contribute to threecreepio/smb development by creating an account on GitHub.

thanks! I'm currently copy/pasting those lines, and writing down what the most recent label was

there are some options like, if we can mess with enemy data in a level, reset and go there and see if anything interesting happened. :) not the neatest approach but who knows.

here are my notes.

most recent label:
the line before being modified
the line after being modified, with minor comments.

4.27 KB

23:23

yeah, these don't immediately look promising. I'll see what the changes to the enemy data can do.

yeah at least changing enemy data could throw it off into something interesting.

I assume E_GroundArea1 is for 1-1? Where is E_GroundArea9 for?

2-1

1

23:26

and no, 1 is 3-3

1

23:26

they're not in any sensible order :)

23:28

so i assume those values are like, things that will be consistently written? like if we get a write to 7E7E, it'll always be 01?

unless the FDS ever needs to completely reload the ROM

23:29

so in theory, if this is a situation like ROR $6E6E we could keep shifting that byte over and over

yeah. it shouldn't ever reload, i just meant, it'll consistently be these values that run. the 01 wouldn't ever be a 02 or anything. i haven't kept up with the conversation so don't know what data we're executing exactly. :)

I didn't notice anything unusual in 3-3. Granted, I don't know the level by heart, but changing a 03 to a 01 didn't have a very big effect.

23:31

time to change a bb to a dd in 2-1.

23:35

once again I didn't notice anything unusual... (edited)

23:35

maybe it was something with the vine, one sec (edited)

23:35

nope

23:36

what level is the tile data for L_UndergroundArea1

1-2

23:37

could load up smbutil and check exactly what those changes would do, but, if it's not immediately obvious it's probably nothing interesting

okay, that one was pretty easy to spot

Image attachment

it made this koop instantly die.

Image attachment

that explains why I didn't notice, heh

and it changed the type of this koop, into another kind of koop that i believe behaves exactly the same.

Image attachment

Ha!

23:42

There was so much potential with writing to PRG RAM. I'm shocked nothing useful came from that.

two very uninteresting changes, unfortunately.

23:43

yeah changing level data seems pretty unlikely to give us anything interesting. can't hurt to check, i guess

23:45

1-2 changes the brick next to this coin to an empty block! (edited)

Image attachment

23:46

undergroundarea_3 does this! so that's kinda fun.

Image attachment

23:48

aaand L_WaterArea2 removes a lot of this pit.

Image attachment

well, completely obliterating the code at $8F8F and replacing it with a BRK has some fun effects. Lots of game crashes due to a sprite zero hit no longer occurring. (edited)

at least that's an effect!

oh dang, I got the game to reset itsself. This isn't just a sprite zero hit thing (edited)

23:50

let me attempt to modify the TAS to write here and then soft reset. This could be something,.

23:51

I need address $2FC to be 8F

yeah definitely jumps into ram somewhere

23:53

or atleast, it can

oh man, how do you manipulate bloopers? I got it to a position of 8E on the frame that writes to the OAM address I'm looking for.

23:55

it's in the corrent OAM slot every 3rd frame. oof

awful lot of fun testing these things in a virtual machine on an old laptop.

ooh, a bubble can occupy this OAM slot too. I might not need to manipulate a blooper.

it can actually make it pretty far into RAM before crashing, just not really far enough.

managed to get it to run to $6E8 from $00 somehow, haha

Got it. (edited)

Overwrite_8F8F.tasproj

533.62 KB

yeah i mean it's definitely close to something interesting

By some definition, we have technically just performed a single intentional instruction worth of ACE.

if we can get it just to 6fc, we're at the joypads, which would be something. it'll almost definitely crash afterwards..

00:19

and it is running through enemy positions and things.. it just crashes too early for that to be super helpful.

At least we have a proof of concept TAS that overwrites a byte in the game, heh.

yeah i didn't see that happening. now if it can be console verified is another question. :D

1

00:23

took about a year of effort but we've crashed SMB1 in a way never before thought possible.

it should be possible to console verify this.

I'm very confident in my $2004 research.

00:33

unless we verify this on an everdrive and it (for some reason) prevents writes to $8F8F, then I confidently believe this should sync

i think i can execute one instruction where i'm in control of the opcode, just that the operands are like, either 6060 or A0A0.

anything interesting with indirect addressed instructions?

haven't really checked, still trying to see if there's any way to get 2 bytes. but don't think there is, because it crashes a little too quickly :)

00:40

pretty straight-forward though.. beat the game so you get world select, do the 8F8F thing, start in world 5 or 8 and you get a koop or buzzy beetle on screen before the game crashes, and it'll execute its X position, so you can stomp it wherever you want.

havent read anything yet but it looks like you guys have been working hard

Image attachment

1

00:41

time to catch up

things are going great

Image attachment

what the lol

00:41

wow i gotta see what happened

00:42

brb diving in

00:42

that almost looks like an smb3 hammer suit

In summary, we can read pretty much any value from $2064, resulting in $2065 and $2066 to have the same value. I automated running every value at $2064 to see what the outcome would be, and we can write to quite a lot of the PRG RAM. (the game code, stored in RAM). Address $8F8F appears to be the most useful byte to overwrite. I then made a modification to my bizhawk resync TAS, so it runs 8F 8F 8F at address $2060, overwriting $8F8F with the value 00, where we then reset the console and goof around from there. (edited)

yeah i've just been doing it with a cheat for now, hopefully doesn't make a big difference, unless the crash also overwrites other bits of the prg ram

I can check, but I don't think it overwrites any other bytes

now we're.. getting.. somewhere..

Image attachment

1

00:53

we're experiencing some minor technical difficulties..

Image attachment

woah! did you overwrite parts of CHR RAM so the title screen fails to load properly?

threecreepio

we're experiencing some minor technical difficulties..

Woahhhhhhhhh

00:53

i read everything

00:53

woudl you like me to try to console verify something

Are you console verifying this with an everdrive, or an FDS? (edited)

100th_Coin

woah! did you overwrite parts of CHR RAM so the title screen fails to load properly?

no, whatever it did is in the game too, i haven't checked what happened yet. just been messing around seeing if something interesting happens.

00:54

and the CHR looks fine

I could use everdrive or more ideally i think would be to use real FDS + FDS Key (disk drive emulator)

Real FDS would be ideal, yeah

probably not the disk since it sounds like permanent change? Or does it only persist until reset

00:55

poweroff*

it writes to PRG RAM, not the disk

ok gotcha i just saw a linea bout no protection writing to ROM

Right, that was referring to PRG RAM not having a protection.

1

did you end up switching characters to luigi or did taht not lead somewhere

A lot of mappers protect PRG RAM, so that was a welcome surprise.

Kosmic

did you end up switching characters to luigi or did taht not lead somewhere

that was not needed

100th_Coin

Got it. (edited)

alright. So try to console verify this then?

let me check real quick that you cannot write to the disk by mistake somehow. I highly doubt it could, but better safe than sorry.

it changed.. 6065 to 20. wonder what 6065 is

ill use the fds key so it doesnt matter

1

VRAM_AddrTable_Low ah :D

im not familiar with .tasproj, what is that for

00:57

ist hat for bizhawk, or tas editor or?

bizhawk's TAStudio

00:58

I could convert to .bk2 if you want

00:58

I don't have a handy way to convert it directly to .r08

ill try to dump it, a lot of times i've always had desync's from dumping through bizhawk but i can often resync them with hex editor

00:58

usually need toj ust delete a frame on the front or something

01:00

oh do i need your build of bizhawk

01:00

Image attachment

so it moved vram_buffer2 from $341 to $320 which is really mostly just going to screw with things, don't think it'd do anything all too crazy.

Oh yeah, do you need me to make a build of it and send it your way?

yes please

100 Mb... oof. one second, I need to upload this to dropbox or something

01:04

I also have a copy of the TAS inside the movies folder, but that was just left there by mistake, heh (edited)

01:04

oh whoops, and a copy of the FDS BIOS in the firmware folder

01:04

I'll need to delete this once you download it

ive got it

1

oh- this might be a debug build, so it's going to run slower and have a command prompt

yeah it's being funny with me

01:07

it is running quite slow

do you want me to build it again so it's not using the debug mode? that will speed it up

that would be nice

01:08

if it's not too much trouble

so 6060 is around the vram tables, A0A0 is in the maze loopbacks, so at least nothing that we'll benefit much from changing.. indirect to 6060 goes to CEAA which is in the players graphics table, indirect jmp to A0A0 is 8D04, which is in the middle of L_UndergroundArea2..

not at all. two clicks.

01:10

Same situation, I didn't delete the BIOS so let me know when you download it (edited)

done

can also execute the deafult X locations of enemies.. so, 606060, 808080, 909090, 58E0E0, 000000, A0A0A0.. so that would be RTS, NOP NOP NOP, BCC $90, CLI CPX #$E0, BRK or LDY #$A0. yay.

ok i finally got it dumping

the Hole_Empty thing mostly just.. removes all the pits. which is nice, an easymode patch

01:23

maybe i can finally do lightning

Image attachment

hahaaaa

01:23

tas 8-2 just jump the plant

well that was awkward.

Image attachment

oh of course theyre climbable

01:26

@100th_Coin ill probably find this out at the end of the dump playback, but what does this tas do? How will we know that it worked on console?

01:26

it's in 1-2 on quest 2 atm

you'll need to hit the reset button after the TAS ends, since the game crashes, but afterwards, running around in 1-1 should certainly crash the game or reset to the title screen.

oh gotcha

01:27

i see it changed the title screen

01:28

k ill try it on console now

01:28

just needs controller 1 right

yeah

yoink

insta desync kosmicGO

kosmicGO

ouch

01:31

you said that's common with bizhawk dumping to .r08 though, right?

01:32

I think I removed two inputs from the FCEUX TAS when resyncing it in bizhawk. maybe adding those back will help?

yeah for some reason it's off by like 15 frames instead of 1 or 2 though lol

wow

it starts on literal first frame of title screen by coincidence

01:33

ill delete 14 and see how it goes

01:34

er wait i need to add 14

01:35

but i dont really know how to insert with the hex editor, only modify or delete

send the r08 file. I can try and figure that out (edited)

i think i got it

1

01:37

hmm well it inserted some frames but not enough

01:37

now im just going to have to guess and check

Wait- doesn't the .r08 file format ignore lag frames entirely? It's just a log of the inputs every time the controllers were strobed.

01:39

I've never used a replay device, so I'm not 100% certain how running the files back works, though I imagined that wouldn't be an issue.

Wait it might be desyncing cause of the BIOS? (edited)

oh, so true

the replay device just ignores all lag frames

01:40

and the bios counts

right, that makes sense.

ok i made 7 new versions just deleting a frame at a time. Spray and pray

1

01:47

gah. I wish bizhawk dumps worked better

01:47

this one is off by a lot more than expected though

01:49

ooooh

I'm genuinely surprised bizhawk has more syncing issues than FCEUX, considering FCEUX has actually inaccuracies with the frame timing. Is it an issue with the .r08 dumping script? (edited)

i think it was off by just 1

01:50

let me try this

01:50

the tas has me mashing start and i push start 1 frame before you actually can

01:50

then again several frames later

oh yeah

hey looks like it was the classic off by 1

01:53

sync'd!

1

1

01:53

it was just in a confusing way

01:53

now i know, always just delete 1f

1

01:54

Image attachment

threecreepio

yoink

ah man lol, just saw that

oh exciting

Image attachment

02:01

thats what it did

hm. that looks different... if you reset and run through 1-1, does it crash?

it should crash just from the demo right

02:03

and have an altered title screen?

I haven't tried. I also didn't notice an altered title screen. (edited)

when the demo starts running. but the title screen should be fine.

oh, the bizhawk dump it had a slightly altered title screen

02:03

and yeah crashed when it ran forward

02:03

console is not crashing

02:03

i can plug in my actual controller if you think it'll make a difference

nah it crashes from the demo

02:04

if it worked

ok, well tomorrow i can try running it on the real disk but i dont think that will change anything either

i have no idea if there's a CPU/PPU alignment thing with this

02:04

i assume not?

i mean it's beautiful

We could run a test on the console to see if the $2004 timing is different than what I expected. to be fair, my sample size it currently 2 for that test, both consoles behaving differently. (edited)

02:06

Oh wait... what revision PPU is this?

02:06

because if this is pre-G then it wouldn't work.

im on an AV Famicom

is this RGB modded too?

yeah

yeah I don't think it will work on the RGB modded ppu

i also have an rgb modded toploader nes but didnt want to go through pin adapter

02:07

haha, gotcha. So i have to scout out the childhood nes from my parents house

02:07

and play it on everdrive? idk

let's verify real quick with an everdrive, if you don't mind. On page 18 I have a test called $2004 stress test. Can you run that and then press select?

AccuracyCoin.nes

40.02 KB

ok after this i need to go to bed

1

sounds good.

will this test work on powerpak

yeah

ok i can only use powerpak + pin adapter for the famicom

02:11

I see "Adress $2004 behavior"

that runs a similar test.

oh stress test is on 19

ah woops, wrong number page

02:11

my bad

Image attachment

what?!

Image attachment

now I'm even more confused.

haha, im not sure

well... good night Kosmic! I have a lot of reflection to do, heh.

yeah sorry to give you more questions than answers

02:12

good night!! Thanks for all your hard work everyone

02:13

definitely some fun results if nothing else

haha good night!

Good night!

The only thing I got left is to assume the test was ran on the bad cpu/ppu alignment. I'll need to find some way to confirm or deny that theory in a way that doesn't require kosmic to run a hundred tests. (edited)

Image attachment

02:14

for stress test

1

o hold up. let me verify that bizhawk is in the good alignment.

Kosmic

for stress test

thank you!!!

02:15

this test was ran on one of the good alignments.

Image attachment

02:16

okay yeah, it's the good alignment in bizhawk too.

02:17

I mean, these test results are telling me that both bizhawk and this console should have the same timing on the $2004 reads... This is going to keep me up.

so.. in 4-1, mario's Y-Pos can be 5D-B0, lakitu's offscreen Y-Pos cycles from 88-A0, the byte after lakitu Y-pos is fixed E0. so whatever opcodes you can got your Y-pos to from 5D-80, with a single byte operand of 88-A0, or a two byte operand of E088-E0A0 should be possible.. then it'd you know, crash again.. one fun issue with this whole endeavour is that even if we do execute a byte that we want, the game is very much in an about-to-crash state. (edited)

ran it again this morning on the actual disk and made sure the tas ran from poweron and not reset. Crash looked a little different (is that expected?) but still no crash in 1-1

11:53

my attempt at an underflow/infinite timer glitch

Kosmic

ran it again this morning on the actual disk and made sure the tas ran from poweron and not reset. Crash looked a little different (is that expected?) but still no crash in 1-1

ooh, that's what the crash is supposed to look like. It's a shame it still didn't work...

100th_Coin

ooh, that's what the crash is supposed to look like. It's a shame it still didn't work...

ah, dang!

Let me mess around a bit more. I'm pretty sure we're reading from $2004 when the ppu is alternating back and forth with the value we want every other ppu cycle. There should be 20 ppu cycles in a row with this value (slightly later in the scanline) , though I have no idea if I'll actually be able to cause specific delays here. (edited)

Kosmic

now i know, always just delete 1f

interesting to note that the FDS seemingly reads the controller briefly after power on. (edited)

Image attachment

oh

12:10

maybe thats it

this one reads from $2004 a single ppu cycle earlier. Since we should be reading the desired byte every other ppu cycle and the other TAS seems to miss it, logic would dictate that surely this will work!

Overwrite_8F8F_Offbyone.tasproj

508.58 KB

im on it 🫡

1

it fails to write to $8F8F in bizhawk, but might work on your console.

i did the standard delete 1 frame and it desync'd

this time the regular dump was what worked

12:46

anyway, it's playing

12:46

will report back in 8 minutes

did you start the TAS from a soft reset on the SMB1 title screen, or during the FDS disk reading? I'm wondering if that one frame 3 frames after power on is included, heh.

uhh, what

12:53

it didnt even crash

what?!

it just paused? I plugged my controller in and unpaused and nothing happened

it should have unpaused on a specific frame...

oh, after how long

like- a second after pausing or so

That was with your inputs after plugging in a controller, yeah?

yeah

12:58

i dont assume i unplugged it so fast that it didnt do it

12:59

why did it not crash at all though lol

I unpaused 67 frames after the frame I paused. I don't know how the .r08 dumper works, but you didn't stop the script when the game was paused, did you? (edited)

i just let the whole thing play, i had left the room and came back to it finished

1

Kosmic

why did it not crash at all though lol

it looks like the a button was pressed, so mario was no longer grounded.

ah

13:00

let me peek in the .r08 a bit

13:00

did you push A in the tas at all

13:00

at the end

the final input in the TAS is just the start button

weird...

I don't press A before pausing

im sure i just pushed start

13:02

in this dump i see a start press and then half a frame after it and then the file ends

the final inputs:

Image attachment

Kosmic

in this dump i see a start press and then half a frame after it and then the file ends

half a frame? What if you add some padding to the end?

13:03

just a few extra zeroes

yeah ill try that

13:05

er wait sorry it's not half a frame after, that is part of the start press

13:05

but yeah i think you do want like 2 extra frames of padding after last inputs

13:06

so thats probably it

13:06

for future reference on console verifying, yeah always put some extra inputs after your last one

1

13:09

lol now it desync'd and id need to remove the frame at the start im sure

13:09

it must have sync'd because the last frame of the movie got eaten or, whatever

13:12

ok it's going, see you in 8 minutes

1

https://www.youtube.com/watch?v=Fp5Aq05FsW8

2026 02 25 11 19 29

YouTube video thumbnail

1

Yooo?!

that looks good

https://youtu.be/ah8W0LEwwhQ

2026 02 25 11 23 28

YouTube video thumbnail

13:25

when thats done processing you will see some fun

if you still have the game loaded, could you reset, enter a few worlds and it should reset and get weird

13:25

ah yeah

13:26

that looks right

Well now hold on. How can the console and bizhawk simultaneously pass my $2004 stress test while having different results!?

13:26

I'm gonna explode.

i mean it at least has similar looking failures to what we're going for.. if the exact same byte change has happened. probably

Oh duh. It's because bizhawk is actually wrong, and I know why...

i mean its clearly failing on the 32px scroll boundary, and in a way that looks like it hit a BRK, so, pretty certain.

100th_Coin

Oh duh. It's because bizhawk is actually wrong, and I know why...

When you read from $2004 the value that matters is the value in the OAM Buffer at the end of the read. Bizhawk uses the value at the start of the read, like it does for every other read. And the reason it passes my test is because it improperly syncs with my sync routine to be off-by-one from the intended ppu cycle, but the off-by-one reads re-align it, so it passes the test. (edited)

13:28

that's not something I could confidently fix in bizhawk...

13:30

bizhawk incorrectly clears the sprite zero hit flag on dot 0 of the pre-render line, which is why it's off by 1 cycle in my sync routine.

did a bunch of stuff, pretty much the full extent of what i can possibly do i think https://youtu.be/Cg25hOENPRE

2026 02 25 11 26 22

YouTube video thumbnail

13:32

if theres anything else you can think of let me know

1

important thing is that it clearly works on console, so, if we can find things to do with it we know it's likely useable.

that looks like it worked as intended!

threecreepio

important thing is that it clearly works on console, so, if we can find things to do with it we know it's likely useable.

Right, and this doesn't necessarily need to be a write to $8F8F. The other stuff didn't look particularly useful, but I know I haven't tried every one of those bytes.

i did try the ones that seemed like they had any potential at all, and nothing else really made any significant impact

13:36

like breaking ReadJoypads doesn't really help us that much. :)

1

At one point in this run, mario gains an incredibly powerful chin.

Image attachment

hah

we certainly broke the game https://www.youtube.com/watch?v=iB5rYyJk8KU

20260225 113321

YouTube video thumbnail

13:39

im good to poweroff now i assume

actually i'm dumb

13:40

there's something that might be super useful in there

ah it just crashed the game.. well.. that's unfortunate..

disk is back to normal

1

ah no never mind.. this might be good..

1

changing 6F6F to 1A stops the timer from counting down, so we can reach the later bowser in -1.

1

no way

13:42

and have a regular koopa this time so it lands in the earlier 00?

well we at least should have all the time in the world to set it up, and i know there's a koop nearby, question if it can get into the right slot

wow

13:44

ace to set up later ace

I can make a TAS to set that up. I guess I should make a version that also reads from $2004 1 ppu cycle early like I did last time, so we can run this on the console.

i think that parakoopa is probably our only shot? Theres a ton of other bowsers but not other koopas past there

13:44

let me look at it again

yeah i'm just using a GG code, so it's all good

1

why is the koopas slot important?

well the important thing is getting Bowser to where he'll write 84 to the koop, so it just needs to not fill that slot.

like you mean there just needs to be 1 open slot when we load bowser?

yeah but bowser needs to load into the correct slot for the ACE to jump to the controller inputs.

oh, huh

and that means we can drag 2 buzzys all the way with us to fill up some slots.. no time issues

thats good

13:48

yeah the buzzys is nice

of course we can't beat a level because the timer won't count down :D

we just want ace baby

ohhhh

threecreepio

of course we can't beat a level because the timer won't count down :D

the ace to stop the timer will leave us in -1 right? Or will it reset the game?

13:50

oh...

It would also crash the game, requiring a reset, yeah (edited)

so now the entire roadblock is 1-1 timer countdown

mmm yeah, might want to game over in -1 so we can resume? (edited)

1

ohh, hold A+Start

13:51

amazing

13:51

this is so elaborate lol

13:52

this is super out there but just typing it while it's on my mind as a rabbit hole: Could any change we make affect what minus world loads?

so the route is: Beat the game to enable hard mode Game over in world -1 Write to $6F6F (crash) (reset) Start the game in world -1 Infinite time

yes!

if you just resume after beating the game, doesn't it still load into the world you ended in? or am i misremembering that.. not done a lot of second quest runs :)

holding A does take you to minus world!

1

that's one enemy slot off from jumping to player 2 controller inputs. so, close. would need to somehow trigger damage, and have the enemy in the next slot.

Image attachment

oooh

you want it in slot 2?

i want slot 1 to be 84, not 83.

and what makes that happen

14:01

i didnt know the glitched enemy could be different values

14:01

or that slots mattered until just barely

there's something lovely about sitting in the middle of an open plan office playing super mario..

ok i have to go do some things, if you can explain what we need to make the conditions happen i can work on the gameplay side of things. What makes it 83 vs. 84, and what are all the paths to victory slot-wise

so, bowser spawns into enemy slot 3, it'll write 83 into the 'flag' slot for the duplicate object. the $80 tells it that it's a duplicate object, the $03 tells it which slot has the 'parent' object.

ah, i see. So we need bowser to load into the last enemy slot, just before the powerup slot, to get 84?

14:09

right now i see him in 2 and 4+5, but we're obviously not getting 82 or 84, so i assume these numbers are not aligned

yeah, in my list '0' is the player, which is right before the enemy list, but in the game when using enemies, 0 is the first enemy slot

14:11

similarly for fireballs, bubbles, blocks, they're right after eachother in memory but have different labels.

threecreepio

yeah, in my list '0' is the player, which is right before the enemy list, but in the game when using enemies, 0 is the first enemy slot

so just to confirm, we need the slot just above the star flag slot to be open when we reach bowser?

going to have to wait until after work to keep looking. :) but it seems promising.

Kosmic

so just to confirm, we need the slot just above the star flag slot to be open when we reach bowser?

yeah

there are a couple paths toward the last bowser. You can do the first glitch with either the first OR second bowser. And you can choose what bowsers to kill. I think you can even kill the bowser before the flagpole, ace on the one after the flagpole, and then get the one we usually crash on to despawn? Have to remember if that's right

14:14

i have played a lot with stuff after killing the bowser before the flagpole

you can test it out by setting a cheat of 6F6F to 1A, then just trying to see if you can find an approach. i guess either in hard mode or not, since we don't have to beat the game.

we basically just need a beetle/platform/glitch koopa to be in that slot, and make them go off screen right before bowser, right

threecreepio

you can test it out by setting a cheat of 6F6F to 1A, then just trying to see if you can find an approach. i guess either in hard mode or not, since we don't have to beat the game.

we have to be in hard mode to get this far, right?

yes

ahh oh yeah

14:16

forgot, the buzzy glitch needs it :) never mind..

Yeha were in q2

and you can't unset hard mode. but there's no downsides for this anyway.

We can also turn some goombas (buzzys) around to follow us later I'm pretty sure

14:17

There's at least 1

14:17

And it should be spawnable

so we need that slot to be the only one available so bowser spawns into it.. we need a green koop on screen which conveniently does spawn right before it.. and you need to be taking damage, but, in 2j at least we stave off the crash by setting player 2 inputs to $60, which should be fine here too, hopefully.

14:19

also there is at least 1 more bowser after this one i'm pretty sure, so we have one more chance if this one doesn't line up..

Damage should be easy

14:19

There's like 4 more bowsers but no koopas

14:19

Green koopas

gotcha

20 red ones

love it

Not even "green koopa (stopped)"

14:20

Like there's a million before

14:20

Does killing those give enemy 00

probably. worth checking the red ones too, not sure if any of the glitchy enemy id red koops turn into green koops when you kill them.. probably not but, maybe.

Oh, smarr

14:21

T

and if they do become enemy type 0, then you need to spawn bowser before they despawn. :)

I think i see a path for this

same :D hopefully

theres probably a few honestly

Image attachment

1

beat me??

15:14

nice

it's crashing in a very weird way though. :) need to see if it's recoverable..

15:14

but it does trigger the controller 2 read.

15:15

so definitely don't stop looking. :)

different enemy combos will affect that crash somehow?

hit ctl1

Image attachment

is that good

well it means we can execute a 2 byte instruction based on both controller inputs, which is what we do in 2j.

big

then the next step is figuring out what to execute from there to trigger something we want.. which will either be easy or incredibly difficult. it's not quite as easy to affect what values are being written to like X positions.

If you were to make a 3-byte instruction, what would be the high byte operand?

15:26

or- what byte follows the two controller inputs?

00

dang

ye

15:27

but we can do indirect operations to all the enemy data, so, with some careful despawn timing there could be a few options

15:28

then there's a question of what we can do that actually doesn't just crash the game since we can't just trigger the disk loading.

how is this situation different from the earlier bowser one done with the game genie code

don't recall, have not had that easy access to any NES stuff since i've been in the US, did that one trigger victory mode? it doesn't look like it's being too unstable, so probably can do things from here.

oh I didnt know you were over here

yeah in new york til april. unfortunately missed the gdq thing by like one day. :)

15:31

which i think was near here

I'm a little lost, how would we have fire into -1 if we have to use continue code?

6 hour drive or so

Simplistic

I'm a little lost, how would we have fire into -1 if we have to use continue code?

oh, that's a good point

ah haha you're smart

ok so it's back to 1-1 timer countdown being the wall

that's why we need full nights sleep..

15:34

funny right when you said that my playback had hit the 1-1 flagpole and got stuck. :)

The GG code thing was more or less doing the same thing as 2J TC so as long as we can get to that entry point and find a way to prevent sprite 0 from causing an inf loop, we should be good

man

haha

thats so troll, just this one timer countdown. Again

if only we could be in 1-2 we'd be set

100th_Coin

6E : Write $37 to address $6E6E
6F : Write $1A to address $6F6F
7B : Write $50 to address $7B85
7E : Write $01 to address $7E7E
7F : Write $DD to address $7F7F
8C : Write $0A to address $8C8C
8D : Write $20 to address $8D8D
8E : Write $00 to address $8E8E
8F : Write $00 to address $8F8F
99 : Write $20 to address $99A3
9B : Write $00 to address $9BA5
9C : Write $08 to address $9C9C
9D : Write $20 to address $9D9D
9E : Write $00 to address $9EA8
9F : Write $20 to address $9FA9
CE : Write $5D to address $CECE
CF : Write $06 to address $CFCF
DB : Write $9E to address $DBE5
DE : Write $85 to address $DEDE
DF : Write $47 to address $DFDF

How many of these would change if X = 1?

this isn't using X

15:36

oh no wait it totally is (edited)

15:36

you're so right. let me run that again

ah that could maybe give some more options

this is the luigi thing right

Yeah

(I didn't save that program so I need to write it again, heh.)

15:39

I really had to make hacky changes to the copy of my emulator to make that run, since I do not have FDS support, and I didn't want to keep those changes so I undid it before going to sleep. I didn't forsee myself needing to run it again

let's hope one of the other changes is writing fire state to mario permanently and we just do another loop

15:40

or Luigi i guess

one of the things did mess with the powerup handler, but i dont think it did that in any way that helped.

let's mess up HandlePECollisions imho

Mario:

6E : Write $37 to address $6E6E
6F : Write $1A to address $6F6F
7B : Write $50 to address $7B85
7E : Write $01 to address $7E7E
7F : Write $DD to address $7F7F
8C : Write $0A to address $8C8C
8D : Write $20 to address $8D8D
8E : Write $00 to address $8E8E
8F : Write $00 to address $8F8F
99 : Write $20 to address $99A3
9B : Write $00 to address $9BA5
9C : Write $08 to address $9C9C
9D : Write $20 to address $9D9D
9E : Write $00 to address $9EA8
9F : Write $20 to address $9FA9
CE : Write $5D to address $CECE
CF : Write $06 to address $CFCF
DB : Write $9E to address $DBE5
DE : Write $85 to address $DEDE
DF : Write $47 to address $DFDF

Luigi:

6E : Write $37 to address $6E6E
6F : Write $1A to address $6F6F
7B : Write $50 to address $7B85
7E : Write $23 to address $7E7F
7F : Write $07 to address $7F80
8C : Write $0A to address $8C8C
8D : Write $20 to address $8D8D
8E : Write $01 to address $8E8E
8F : Write $00 to address $8F8F
99 : Write $20 to address $99A3
9B : Write $00 to address $9BA5
9C : Write $08 to address $9C9D
9D : Write $20 to address $9D9E
9E : Write $01 to address $9EA8
9F : Write $20 to address $9FA9
CE : Write $5D to address $CECE
CF : Write $06 to address $CFCF
DB : Write $9E to address $DBE5
DE : Write $07 to address $DEDF
DF : Write $BC to address $DFE0

(edited)

Kosmic pinned a message to this channel. 2026-02-25 15:54

new addresses:

7E : Write $23 to address $7E7F
7F : Write $07 to address $7F80
9C : Write $08 to address $9C9D
9D : Write $20 to address $9D9E
DE : Write $07 to address $DEDF
DF : Write $BC to address $DFE0

(edited)

15:56

no wait- I forgot to prepare RAM. I only set up the ROM one sec

15:56

I think that applies to the data last night too, so we might have a lot more addresses here in a second. (edited)

neat

oh whoops, I forgot another step when I made that data, one second. I was wondering why the results were different than last night. (edited)

16:07

okay, it looks like there was a few new addresses (edited)

9E : Write $01 to address $9EA8 this does also trigger a jump to RAM, but, to $01.

100th_Coin

new addresses:

7E : Write $23 to address $7E7F
7F : Write $07 to address $7F80
9C : Write $08 to address $9C9D
9D : Write $20 to address $9D9E
DE : Write $07 to address $DEDF
DF : Write $BC to address $DFE0

(edited)

I have updated this with the new correct information

16:09

and the big list above that message

Kosmic pinned a message to this channel. 2026-02-25 16:09

unfortunately all these new addresses are just 1 address later than ones we already could write to (edited)

som, 7E7F would be some byte in 3-3's enemy data, 7F80 is in 2-1s enemy data, 9C9D is the lda in lda PowerUpType in the powerup handler.. 9D9E is the lda in lda Player_Y_HighPos in initblock_xy_pos.. DEDF is in VictoryMusData, DFE0 is in BowserFlameEnvData

16:13

so powerup handler would be main interesting choice there

16:14

oh it did something interesting

it made you always fire mario

wow this is so fortunate

16:20

you're getting code execution at $0F34 right?

Kosmic

it made you always fire mario

Did Kosmic actually check this, or was this just wishful thinking?

no i was just coping

16:21

this silence from creepio... is it good?

16:21

hes about to post victory screen

Simplistic

you're getting code execution at $0F34 right?

exactly

16:25

can get to controller 2 input easily enough, maybe controller 1

oh wow

if we can, then this could be super practical.. you can still grab the powerups too, just need to be fast.

grab the powerups?

ay ctl 1

Image attachment

oh, like it doesn't break if you collect powerups again

16:27

oh wow so you reset then grab a powerup and that triggers ace?

if you let the powerup grow it triggers ace

1

ahh

so we could get fire by doing quick grabs before they've grown, set up enemies the way we want, trigger ace

woah (edited)

and we can even beat levels

16:28

right and you can go to whatever levle in the game might have good conditions

so what this needs is just, doing the -1 thing with luigi?

that's with Luigi, and 9C from the OAM read?

yeah 9C : Write $08 to address $9C9D

1

you couldnt have written this story crazier

yeah super easy to get ctl 1 inputs with this

so, to recap: beat the game to unlock hard mode, Luigi needs to perform the ACE exploit, writing $08 to 9C9D And we're smooth sailing? No more world -1 game over, right?

yep

16:31

then we just need to figure out what the best setup is for the ACE, but, seems like limitless potential..

Should I just optimize the luigi ACE section, or is it way too early for that? (edited)

did you do it with cheats there in 1-2

yeah, just set 9C9D to 08

16:33

with hard mode on

oh, i mean the ace setup

16:33

like hacked positions

16:34

did you get to ctrl 1 legitimately

oh you get ctl1 inputs just by letting a fire flower grow in 1-2

16:34

no need for any hackery

oh lol

16:35

ok so when you say the best setup for ace you dont mean to reach ctl1, you mean payload

yeah

16:36

like we can start in any world, and we can play like normal until we feel like doing ACE. so it's just finding whatever is best for it..

oh right, i see, enemy positions can affect possible routes

100th_Coin

Should I just optimize the luigi ACE section, or is it way too early for that? (edited)

i don't know, should we try to console verify it for good measure? if we can run it, get a crash on the powerup..

yes lets do that

good call

we can't safely RTS or anything though so it's a question what will happen when we try to return control, but, that's no worse than any of the other options we've had..

16:42

since i haven't paid attention to what you've been messing with for these PPU crashes, how hard are they to set up?

honestly not too difficult. I'm using the Y position of the blooper. Every 3 frames, address $2FC is filled with the data for the blooper's tentacles. I just need the crash to happen on the frame after the Y position was set with the blooper tentacles. (edited)

threecreepio

oh you get ctl1 inputs just by letting a fire flower grow in 1-2

does it have to be a flower?

Kosmic

does it have to be a flower?

nah

ok so any powerup and then just whatever is on screen will affect if it makes it to ctl1 ?

at least the star worked just like the fire flower, not sure about mushroom

oh, gotcha

yeah mushroom is fine, so, not affected by the type itself

and you did in 1-2 because of the enemies or?

no in 1-1 it landed on ctl2, i'm running on very little sleep.. was up pretty late tinkering with this last night and had to wake up at 5 am for meetings.. so i can't atm remember why. :D

16:49

but it will vary a bit, any value between 734 and 74A could shift things around.. which is:

StaircaseControl      = $0734
AreaObjectHeight      = $0735
MushroomLedgeHalfLen  = $0736
EnemyDataOffset       = $0739
EnemyObjectPageLoc    = $073a
EnemyObjectPageSel    = $073b
ScreenRoutineTask     = $073c
ScrollThirtyTwo       = $073d
HorizontalScroll      = $073f
VerticalScroll        = $0740
ForegroundScenery     = $0741
BackgroundScenery     = $0742
CloudTypeOverride     = $0743
BackgroundColorCtrl   = $0744
LoopCommand           = $0745
StarFlagTaskControl   = $0746
TimerControl          = $0747
CoinTallyFor1Ups      = $0748
SecondaryMsgCounter   = $0749

16:50

and i think it was the scenery in 1-1 that messed it up a bit.

ohh, i see now

oh do the mountains and bushes make a 02?

yeah

I guess in that case could see if any of the fence x-1 levels work if we wanted to save a level transition

yeah i think looking through the -1s for which works best will be a good plan

2-1, 3-1, 5-1, 7-1, 8-1 (edited)

16:58

now powerups in 8-1 though

16:58

oh theres the star

possibly early powerups to get fire to set up enemies, or just stomp enemies and despawn.

2-1 has two powerups really early

mmm

and 5 powerups total (+ a 1up? 6?)

16:59

vine?

16:59

guessing vine does not count haha (edited)

went quickly from "there's no way to set this up in SMB1" to, hey every single area in the game is a candidate!

and all it took was quest 2 past the flagpole in the minus world on the FDS version as Luigi

and yeah 2-1 also works

if we want to use fireballs, we need 3 powerups right?

yeah

ok so if we're doing it in an x-1 that pretty much means 2-1 or 3-1

17:07

theres a ton of enemies around the star in 2-1, if that helps/gives a lot to work with

17:07

parakoopas near the powerup at the end for y component

17:07

3-1 has hammer bros so thats unique to work with

17:09

definitely would be fun to see this room in a run for speed

Image attachment

17:09

come out of here then hit the 1up or star

yeah unfortunately entering a pipe clears out state :)

17:13

it is a bit of memory to make it through unscathed, but, not bad.

ahhhh. I spent the past 15 minutes TASing the crash and I just realized I was still Mario.

17:23

I wrote to the wrong byte, heh (edited)

kosmicSad

1

Oh, yeah you'll have to pick 2p and die as mario

Okay, step 1. When I converted the .fm2 to a .bk2 it used an outdated .tasproj input format preventing me from being able to record inputs. This entire time I've been manually changing the inputs on the timeline, so I'm fixing that real quick. (edited)

17:27

then after killing mario, I'll just edit the input log so all those player 1 inputs are now player 2 inputs.

the blooper didn't spawn!?

Image attachment

17:37

everything else synced just fine as luigi

Haha

the only thing I can think of was subpixels that the buzzy beetle had when mario died to it (edited)

17:40

what address would that be?

should start at $0401 iirc

wait- those get reset during screen transitions

17:44

I have no idea why the blooper is missing

hmm

it's not an issue of sprite slots being all occupied

if the bloober just doesn't spawn for luigi i'm going to start being in a bad mood

Well, here's the TAS anyway... I'm gonna go get dinner.

SMB1_Luigi.tasproj

607.7 KB

i can confirm luigi is bloober-capable

Image attachment

Fascinating

can you check the enemy_ids to see what's loaded in?

18:07

something must have taken the bloobers spot, which is weird

I’ll do that after dinner, yeah

i bet if we add 1 extra frame at the start of minus world it'll work

hm my only guess is the blooper did spawn but immediately swam to the right off screen?

18:42

different blooper rng

1

18:42

i stopped the tas and then just swam to the right and the blooper spawns fine

mm if you're stopping to let the buzzy catch up you need to be sure the bloober hasn't spawned yet

18:43

or it can swim off too fast

okay, I got the blooper to spawn again, but I need to completely re-do the set up for the crash. not the biggest setback.

18:51

oh wow, I actually got to keep all the inputs. I just needed mario to move to the right slightly later.

18:51

SMB1_Luigi.tasproj

608.53 KB

18:51

let me make an off-by-one version for the console

18:53

Yoooo?! This landed on dot 331, during the ppu idle. it should sync on console regardless

18:53

It's a shame it relies on RNG for the blooper movement though. It would be nice to be able to copy/paste these inputs for a future more optimized run.

18:54

oh wait- I was looking at the wrong read from $2004. it's on dot 235. (edited)

18:55

I guess in theory, the second read would land there regardless though

19:00

no wait- if the second read from $2007 is inaccurately emulated here (I seriously believe it is) then there's no guarantee we execute address $2074 on the right cycle. Only one way to find out though? I still think there's a good chance this works on both bizhawk and real hardware.

alright ill run it

exciting

19:05

and sure.. it being RNG is annyoing, but like, get there on the right framerule, find a consistent setup, not worse than any of the other ridiculous things in this game. if anyone were to ever try to RTA this..

1

Right. I was mostly pointing out how it was reading from a different ppu cycle than last time, which I would have no idea how to manipulate to such a degree. I feel like I got lucky here having the second read from OAMDATA land during ppu idle.

is there some padding on the end of this one

You should add padding regardless. there are no inputs afterwards, so the .r08 dumper would likely not add anything.

100th_Coin

Right. I was mostly pointing out how it was reading from a different ppu cycle than last time, which I would have no idea how to manipulate to such a degree. I feel like I got lucky here having the second read from OAMDATA land during ppu idle.

then again, last time I was messing around trying to make the read happen later, attempting to get the first read to happen during ppu idle, which I was off by like, 100 ppu cycles. I never considered the reads from $206C or $2074.

ah gotcha

alright it's going!

This one happened 13 ppu cycles earlier than the previous TAS we tried console verifying, so this time the second read does land in the ppu idle. (edited)

Kosmic

alright it's going!

exciting!

would any ofy ou want to watch the result live

yeah sure! VC?

yes!

Let's do it

100th_Coin started a call that lasted 43 minutes 2026-02-25 19:12

are you still here 100th coin? i dont hear you if youre trying to talk

19:20

np if not

I am... is my mic not working?!

extremely good judges

Image attachment

19:33

we win, gg to all!!

5

mmc5 calm down

Image attachment

i have to head out guys, amazing work!!!

see ya later!

take care! Thanks for the console verification! This is huge

thanks for verifying, insane development

huge stuff indeed

ok guys doing stupid napkin head math this is going to be extremely close to 5 minutes

19:37

lol

19:37

oh well, thats up to the crash

heh. I can't wait

so definitely longer

yeah it'd be silly if it was faster, but, would have been fun!

maybe we'll lose 19 seconds this time instead of save it

begin with 2nd quest enabled and then we save time

begin with the write to $9C9D already performed, and then we save time

so true

19:40

sub minute

Made an example payload in 2-1, being given a free PLP helped create a safe return. Payload isn't optimized but it creates pointers to set world number and victory mode. The FM2 relies on enabling GG code AEPOSK and forcing $07FC to 0x01

smb1_9c9d_ace.fm2

31.02 KB

1

haha very nice

and very fast, so that's good (edited)

Huh I'm curious exactly what the pipeline is! Not even using fire

00:26

Really curious about what the increased xpos is for and what's affecting what

2-1's area pointer corresponds to a useful instruction for safely returning back to game code, but by the time I could get to the first powerup, the page location used by the enemy loading code became 2, which causes a crash. I scrolled far enough to change that page location to 3 but not so far as to load the coin heaven warp. Needed a little xpos gain to do this off the second mushroom, though in hindsight you might be able to get this off the 1up. After that, I needed the screen scroll position to be a good value and have 96 on-screen xpos at the time of the powerup fully growing. Since the return instruction created by the xpos doesn't change in this state, moving around as a byproduct of the controller inputs is fine as long as the screen doesn't scroll very much. Not having fireball X positions to work with makes it take longer to change the values we need but it's faster than powering up.

Oh awesome, exactly what I was looking for

09:30

I might mess with growing the 1-up, on page 3, with screen xpos 96 (edited)

you can get to page 3 for, maybe 5 frames or so in 3-1 just hitting the first mushroom. But no time to head left and get to 96 xpos

11:58

does it have to be page 3, or just > 2 or?

2 is bad because it will hang the CPU when you hit it, generally anything ending in 2 is scariest.. 82, A2, C2 and E2 are OK.

ok getting page 3 and 96 xpos with the 1up is very easy, i think now i just need good screen scroll position? Not sure which address that refers to or what good positions are

12:09

HorizontalScroll?

yeah

12:10

i haven't looked into setups yet, feels like i'm very ACE'd out at the moment. :) but that should be right.

that's fair lol. Wish I knew what good values were or how to figure it out. Simplistic's tas does BE, so need an equivalent

you can open the debugger, set a breakpoint to $0000-$1FFF and you'll hit it when you jump to RAM execution. then you should be able to just hit run and it'll stop on every RAM step so you can see which byte you're getting stuck at. not sure if that would help.

i guess i just look at the instruction set and try to make one that doesnt do much

12:15

if you do one of the blank ones what happens?

Image attachment

and yeah, then you can just use the hex editor in fceux to change the bytes around to see what would maybe work better

12:15

under that table, there's a radio button

12:15

click like "show illegal opcodes" or something

ah i see

12:15

well apparently i am getting "Nop #" with 89

12:15

which seems ideal? lol

feels like that could have been on by default :)

12:16

yeah that at least shouldn't crash it on its own. :) then it will advance over that next byte, so what you can need to do is adjust between 1-2-3 byte instructions to skip over any bad data, if there's something bad in the way that you can't modify.

i see. BE was a 3 byte so maybe thats it

12:17

thanks for teaching me

Kosmic pinned a message to this channel. 2026-02-26 12:17

Not a problem

hitting the coin block to get up to the 1up does add 1 extra instruction into the mix, because it increments CoinTallyFor1Ups. Not sure if that will mess things up

12:54

I got ace happening, now going to copy and paste simplistic's payload

12:56

ah it crashed

oh no

hmm, yeah i dont know the payload enough to know why it crashes there, it just gets to one of the returns and then crashes

13:16

here's the tas

2-1_ace_with_1up_test.fm2

58.27 KB

I can take a look real quick

the extra instruction from the coin tally is an ORA. I know theres a lot of ORA's throughout so i would think it might just get zero'd out at some point but maybe that is the issue, i dont know

13:19

or 1'd out I guess? It gets OR'd with an address containing 00 as far as I know, so should come out all 1's?

13:19

not sure if the accumulator is important

13:20

er wait what am i saying. The OR with 00 should do nothing basically

13:20

Image attachment

yeah OR with 0 will mostly just update your flags, so, set/clear the zero and negative flags. (edited)

the way i did it isn't a ton faster than the first one, but it can definitely be optimized better with the way you get the enemy to page 3. Should be able to ACE in about 5 seconds from movement which is pretty good!

I'm having trouble getting this to sync because of how FCEUX handles lag frames, what settings would I need to replicate your playback

I had old ppu on I guess? Oh and pretty old fceux version... 2.2.2

13:54

I do really need to use newer

woa

Image attachment

i missed a lot the past couple days huh

a little bit

15:55

just acing smb1 and stuff

And console verifying it.

and some mild sleep deprivation

i think i should be able to play a second tas from the reset after the crash to console verify game end ace

15:57

my 2-1 test up there started from reset. But need to get it working

the game should stop reading inputs at the crash, so, if it ignores lagframes it should be possible to just graft them onto eachother

1

oh hmm thatd be cool, though id hate for it to be out of sync after 8 minutes

that's fair

definitely worth trying at some point

upside if it works is that it'd be easier to console verify other setups, just need to hit the reset manually

it'd just be a minor convenience really. I can easily start a new tas from a reset

fair

and once we get the powerup corruption, i can leave it on and try however many times we want from reset, if it's not sync'd or something needs adjusting

if the firebar near the castle in minus world was 1 block to the right, we could set up ace without fireflower

16:32

although, the later bowser would load into slot 0 or 2, not sure if that works?

16:35

oh we also wouldnt need to be in quest 2, lol

16:35

but, we woulnd't have the blooper on screen

Kosmic

just acing smb1 and stuff

is this real?

Yeah

yessir

what????

16:40

in what level?? minus world??

bro didnt read 900 messages??

how long does it take???

What variable is it that we're overwriting? Something to do with mario's status. (edited)

let me figure out. It's probably a few seconds north of 5 minutes LOL

no wayyyy its slower than any%

16:41

is there a video of this ace somewhere hidden in these 900 messages??

Anyway, that leads to a jump to $2060. We read OAM data from $2064, which we use to overwrite address $9C9D, and now every time a powerup completes the rising out of box animation, we get ACE. (edited)

Kriller37

is there a video of this ace somewhere hidden in these 900 messages??

yes

16:41

oh no wait- that was shown in a VC

it happens in two steps

well- there's a video of an earlier ACE that didn't lead anywhere (edited)

dang this is just crazy great work everyone!

100th_Coin

What variable is it that we're overwriting? Something to do with mario's status. (edited)

Player_State, used to run the correct movement subroutine (grounded, jumping, falling, climbing)

1

ah, hence why mario needs to be grounded. that's the 00 we overwrite

Kriller37

dang this is just crazy great work everyone!

you saw the crash from using quest 2 to lure the beetle to the right, right?

yea

they figured out a small range of bytes in the game you could modify with that. And then the game crashes. But on FDS you can hit reset and go to title screen and keep the code change

16:43

one of the code changes corrupts the routine of powerups coming out of blocks and leads to ACE

16:43

https://discord.com/channels/@me/1453881597286809772/1476422065308307600

16:43

another one of the routes that almost worked was you could freeze the timer!!! it was the infinite timer we were looking for. But there was no way back to minus world after the reset (edited)

16:44

1-1 timer wouldn't tick down

16:44

you could hold A+Start but then you dont have fire lol

YOU FROZE THE TIMER

16:45

WHAT

16:45

WHAT

like using ACE to modify 1 byte that froze the timer basically

ahh ok I see

it was going to be sick, using ACE to make a bigger ACE possible later in minus world

Kosmic

https://discord.com/channels/@me/1453881597286809772/1476422065308307600

this is the final result and the most current version? doing ace here in 2-1?

then the plan was to game over in world -1 so you start in -1, circumventing the whole "timer never runs out post-flagpole" issue. But then we realized no fire mario. (edited)

it was so convoluted

Kriller37

this is the final result and the most current version? doing ace here in 2-1?

thats the first payload since ace became real yesterday. We can do it earlier with the 1up mushroom to go like a second faster (presumably)

dude this is just bonkers

right, before it gets buried in 900 messages, we should probably pin this

SMB1_Luigi.tasproj

612.66 KB

Kosmic pinned a message to this channel. 2026-02-26 16:47

this is the TAS that sets up the ACE exploit

oh yeah and you have to be Luigi. Lol

you have to be luigi for ace?

16:47

hahahahahaha

that fact alone might be the difference between saving time or not

just gets better

i have to test it still to see how fast it is

16:48

2.5 minutes to beat minus world to get quest 2 active, then die and switch to luigi + go back to minus world and set up ACE possibility, then reset and load into 2-1 to win the game (edited)

16:48

it's right around 5 minutes with napkin math

16:49

oh i wonder if you pick 2 player game if you just begin as Luigi immediately after minus world

16:49

i dont actually know!!!!!!!!!!!!!!!!!!!!!!!!!

16:49

that would save time

16:49

thats how it works when you beat 8-4

1

16:49

4:53

(edited)

16:50

ill test that in a sec, right now im making a tas of crashing the game on the ace bowser if the firebar was 1 block farther right

this ace has not been announced outside of this group chat right?

correct

cool

ive posted some little updates in my supporters discord, just like vague screenshots

16:51

and said "big things"

big things indeed

but i want it to be a surprise if it works or not in the video because it is SUCH a rollercoaster

16:51

it will be out in 2 weeks

amazing

16:51

wow

after you get the powerup corruption thing set up i think it could be rta viable. But doing that rta seems kind of terrible

16:52

its like dependent on blooper rng and exact frames you load bowser on and stuff

Kosmic

oh i wonder if you pick 2 player game if you just begin as Luigi immediately after minus world

yea but iirc you have to go back to the title screen for quest 2 behavior to take effect

16:54

because beating the game enables world select, but being on the title screen with world select is what enables 2nd quest

Kosmic

4:53

(edited)

4:54.01

lol

tis a possible frame

okay this didnt work properly because i didnt realize moving 1 enemy in smbutil will sort the entire list of enemies into the order they "should" be in. So it's making the long firebar spawn. But this is proof of concept. Not that it matters because it's not real. But i do have a question based on what i saw

17:21

https://youtu.be/4z5ZNef5uuc when it's done processing

Firebar 1 block to the right

YouTube video thumbnail

17:22

i need someone to tell me whats up with the firebars after the castle...

17:23

it just pops into existence, even though it's already on screen. Although actually, now i notice that it appears at the same time as the long firebar loads in. So it must be some glitch related to them both being loaded in or, i dont know

17:26

i was going for 2 firebars + flag + retainer. But weird things with firebar happened. But yeah could definitely set up ""ace"" without fire if that firebar was 1 block to the right

17:26

not sure if it leads somewhere without blooper around etc

Simplistic

because beating the game enables world select, but being on the title screen with world select is what enables 2nd quest

this is accurate... unfortunate but it also makes sense. And this is probably exactly why it works that way. If it didnt work like this, luigi would start in quest 2 every time

made a runthrough using happylee's minus world ending tas, then playing to the crash in -1. We're at 5:09............ (edited)

That is fantastic.

here it is, if anyone wants to use it. From here we just need the powerup corruption ace, reset, then whatever optimized ace to win from there

full_ace_speed_test.fm2

461.04 KB

18:52

there might be like, a second or so to take off of it with better powerup grabs and minus world

18:53

and i still played on old version so simplistic is not happy to use this and i played on fceux so 100th coin is not happy to use this

18:53

lol

Tbf my woes with the previous TAS might have just been because you started from a soft reset, I wouldn't know how to do that on FCEUX

i just reset the console in the emu then did start TAS from here

18:55

i just wanted to make it useable for console verification

Right yeah that makes sense, fsr I thought TAS editor forced power on behavior

i dont use the tas editor so i guess thats why

18:56

i just use keyboard

18:59

https://youtu.be/I2cIhMEtLCY

full run crash demo

YouTube video thumbnail

yeah for some annoying reason fceux doesn't show the reset in the tas editor, even though it saves it.

for the record if we could skip the dying as mario to become luigi it would save about 8 seconds, not enough haha

Kosmic

here's the tas

Figured out how to play this back properly, the issue is that you continue to scroll the screen as you trigger ACE and that changes the horizontal scroll to a 2 byte instruction, which breaks the alignment expected by the payload

19:54

Ideally you'd kill your rightwards speed before ACE triggers so you can keep the same scroll while the payload is written

Also 3-1 may have potential to be fast, the only reason the page location doesn't go to 3 soon after passing the question blocks is because the enemy slots are full; maybe you could quickly kick a parakoopa to the left and then set up the horizontal scroll needed for a safe return while the powerup grows?

20:07

2-1 is already fast though so idk if 3-1 would be faster or not, plus the payload would need to be a little different to work around a halt instruction the bonus room area pointer creates

oooh, I love the clip through the flagpole

Kosmic

https://youtu.be/I2cIhMEtLCY

I can't really tell from the video. Did you make sure the crash happens with the correct value from the blooper's Y position?

i hate bizhawk so much :)

1

100th_Coin

I can't really tell from the video. Did you make sure the crash happens with the correct value from the blooper's Y position?

no, I don't know how to set it up. I just got there

1

you said this was an old version of FCEUX?

20:40

oh wow

Image attachment

Simplistic

Also 3-1 may have potential to be fast, the only reason the page location doesn't go to 3 soon after passing the question blocks is because the enemy slots are full; maybe you could quickly kick a parakoopa to the left and then set up the horizontal scroll needed for a safe return while the powerup grows?

3-1 can work, just gotta figure out what to do from here

Image attachment

not much has changed since 2008, heh.

Image attachment

1

Simplistic

3-1 can work, just gotta figure out what to do from here

Wow, awesome. Would that be faster? I'm guessing yes

100th_Coin

you said this was an old version of FCEUX?

2.2.2

20:47

Sorry I'll not do anymore on that old thing...

20:48

I definitely didn't use 0.98 lol

oh. interesting. I wonder why the metadata in the movie said it was from FCEU 0.98.28

Yeah no clue

Kosmic

Wow, awesome. Would that be faster? I'm guessing yes

Believe so, unless maybe you're able to do the 2-1 1up really fast

The fact you need to get the enemies to page 3 + climb the coin block- seems like 3-1 will be faster

20:49

I'm sure it can be pretty clean but not faster

20:50

The powerup block is objectively 6 blocks closer and doesn't require coin block

20:50

But I haven't seen what you needed to do to clear enemies

hm, the blooper is occupying different slots in OAM than last time with the new TAS. (edited)

Kosmic

But I haven't seen what you needed to do to clear enemies

Something like this, real simple

100th_Coin

hm, the blooper is occupying different slots in OAM than last time with the new TAS. (edited)

I'm assuming that'd be because the blooper is occupying a different entity slot this time?

That could be it, yeah

21:04

isn't there a lua script or something to display that? (edited)

NoSwear's Lua script is pretty good: https://github.com/TheNoSwearGuy/smb.lua-and-smas-smb.lua/tree/main/Default

smb.lua-and-smas-smb.lua/Default at main · TheNoSwearGuy/smb.lua-a...

NES and SNES emulator lua scripts for Super Mario All-Stars: Super Mario Bros., Super Mario All-Stars: Super Mario Bros.: The Lost Levels, Super Mario Bros. (NTSC and PAL), Super Mario Bros. 2J, Al...

why in the world is line 107 283,829 characters long on the bizhawk lua script.

Image attachment

kinda that this changed -1 from being the only level we could potentially do the actual ACE part in, to it being one of the only levels where we can't.

21:12

RNGmap                = {[0]=-1,-1,18790,-1,18789,-1,14695,-1,18788,-1,10600,-1,14694,-1,22374,-1,18787,-1,18279,-1,10599,-1,18663,-1,14693,-1,22997,-1,22373,-1,6505,-1,18786,-1,2410,-1,18278,-1,19238,-1,10598,-1,25958,-1,18662,-1,18902,-1,14692,-1,31941,-1,22996,-1,14184,-1,22372,-1,14568,-1,6504,-1,5695,-1,18785,-1,1600,-1,2409,-1,26581,-1,18277,-1,32759,-1,19237,-1,10473,-1,10597,-1,30876,-1,25957,-1,27846,-1,18661,-1,10089,-1,18901,-1,17311,-1,14691,-1,22247,-1,31940,-1,31082,-1,22995,-1,15143,-1,14183,-1,8732,-1,22371,-1,14807,-1,14567,-1,13588,-1,6503,-1,12546,-1,5694,-1,21863,-1,18784,-1,17768,-1,1599,-1,3854,-1,2408,-1,18536,

haha

An interesting choice for sure

okay, so here's what it was in the bizhawk run: (edited)

Image attachment

21:23

the new run:

Image attachment

if it needs to be slot 1, you'd just have to adjust which slots enemies are spawning into by moving at different speeds or killing things befre spawns

Kosmic kills most enemies on the way over. I assume if I remove some fileballs then that would load things in different slots

yeah should do, just adjust them so the slots change a bit

21:28

might need to slow down a bit but hopefully not

we're so back

Image attachment

1

21:37

woah, I'm pretty close to getting this without slowing down at all. The crash is happening 4 frames too late.

21:38

ahhh. I got it to the frame but the buzzle beetle despawns on the same exact frame, so I didn't actually get it.

full_ace_speed_luigi.fm2

461.09 KB

21:53

This is as optimally as I could get it

21:54

well- I got it in theory. I haven't checked the ppu cycle of the $2004 read

22:00

Yo, we once again have the really good ppu cycle that should work regardless of alignment.

22:02

resynced in bizhawk (I used this to check the ppu cycle of the $2004 read)

full_ace_speed_luigi.bk2

8.18 KB

22:02

the crash occurs on frame 19467 in bizhawk (19490 in FCEUX) (edited)

22:07

here's the parts I modified from Kosmic's run. The crash is also 15 frames earlier than Kosmic's TAS. (edited)

22:13

If I want to save another frame, I need to load the blooper earlier. And I can't load it too early, or the buzzy beetle unloads right before the crash. It's a delicate balance.

aha

Image attachment

1

time for a beat the game in every world tas!

heh

well done :) faster than 2-1?

Would be a fun playaround TAS

Simplistic

aha

If you share the inputs, I'll append these to my bizhawk TAS and we'll have a final time

threecreepio

well done :) faster than 2-1?

Faster than the 2-1 demonstrations from earlier, probably the fastest way to trigger ACE because of how cumbersome the 2-1 1up is

100th_Coin

If you share the inputs, I'll append these to my bizhawk TAS and we'll have a final time

For simplicity I did this from power on with cheats but I'll try to see how the inputs would line up from a soft reset

1

Because I made this in TAS editor I don't think it lets me play from soft reset but I believe these inputs should line up with a soft reset, if not the first frame I press B should be one frame before the title screen appears

3-1_ace_example.fm2

11.89 KB

1

full_ace_works.bk2

8.49 KB

1

it crashed on the replay?! one sec.

22:45

it works in TAStudio but not just playing the .bk2 file...

no I'm dumb, it just paused because the movie ended. it didn't crash at all. (edited)

Simplistic

aha

is this total control? I see the 30 or so inputs you are performing to make this happen, and I'm wondering what else we could do with this.

what's the time estimate looking like so far with 3-1

100th_Coin

is this total control? I see the 30 or so inputs you are performing to make this happen, and I'm wondering what else we could do with this.

Yeah we have total control, could do a lot of things from this entry point. All these inputs do is set $0750 to a value that corresponds to a 3 byte opcode, set $075F to 0x07, and set $0770 to 0x02. Could certainly optimize with better usage of zero page memory but I just wanted something that works (edited)

1

like what 4~ minutes to get setup entering 3-1?

5:32.569 is the duration of the .bk2 I recently sent (edited)

damn

Simplistic

Yeah we have total control, could do a lot of things from this entry point. All these inputs do is set $0750 to a value that corresponds to a 3 byte opcode, set $075F to 0x07, and set $0770 to 0x02. Could certainly optimize with better usage of zero page memory but I just wanted something that works (edited)

hold up- I gotta paste 5.8 million inputs real quick.

Bad Apple with custom CHR this time would go so hard

1

wow, that's a whole new optimization problem. Writing to CHR RAM is not a quick process.

23:11

16 writes per 8x8 pixel character.

23:11

granted, if it's just black and white, we could cut that down to a single bitplane. Just 8 writes per character. (edited)

yeah the 2J TC takes like 6 minutes of just a black screen while doing the inputs.. but you can of course just create a little bit of code that reads controllers repeatedly and jump over to that. (edited)

KingOfJonnyBoy

damn

Yeah if we want it faster we need it in quest 1. It's again, so close in several ways

100th_Coin

Click to see attachment 🖼️

Awesome!!! I'll have to verify this. Maybe we could tomorrow and all do a call again?

1

00:33

I'd also like to make a version that sync's from reset and is just the ending. I could work on that

Kosmic

Yeah if we want it faster we need it in quest 1. It's again, so close in several ways

It'd be ideal to be in quest 1 for it to be a new "category" anyway.. It's kind of weird that we do minus world ending beforehand lol

right? It's such a shame we need to beat the game first in order to beat the game, heh. (edited)

Even if you start timing from quest 2 movement that's still a little bit slower than minus world ending

00:37

Start timing from 3-1 movement kosmicBrain

kosmicBrain

Kosmic

Yeah if we want it faster we need it in quest 1. It's again, so close in several ways

is it possible to do it from 2nd quest start in general

00:40

NG+ the new META???

Kosmic

It'd be ideal to be in quest 1 for it to be a new "category" anyway.. It's kind of weird that we do minus world ending beforehand lol

tbh I'd be fine with a category called something like NG+ Any% on the mainboard, and renaming 2nd quest any% something like 2nd quest no ACE on the CE leaderboard, if it did turn out that by starting from 2nd quest you could do the ACE faster than any normal first quest completion

this is very much not RTA viable

00:46

then again, a set up could probably be found (edited)

00:46

y'all are doing FPG RTA and that still blows my mind. (edited)

100th_Coin

this is very much not RTA viable

never say that with jonnyboy in the channel

yeah i don't think finding a possible RTA-viable setup is too unlikely, people are pretty used to complicated setups.

as far as I'm concerned as long as you don't need to like L+R then nothing is really TAS only tbh

yeah and we should be fine without L+R for this

even for things that require like a precise screen scroll and such you can always do subpixel walks even after clipping past the flag pole in -1 (edited)

00:50

it'd waste a bit of time but if we're at 5:32 and that includes an entire first quest MWE completion, then you should have quite a bit of time to lose to still get like a mid-high 4 minute time

and you can do the earlier corner clip for -1, should just be a bit slower.

oh yeah for sure, I mean 5:30-3~ minutes

00:51

puts us at 2:30 if you start from 2nd quest

00:52

so like as long as we can find a setup that simplifies things while wasting less than 1.5 minutes even a sub 4 NG+ should be possible

this should also actually improve the "co-op"/2P TAS right (edited)

01:02

since you can beat first quest normally, and then start from 2nd quest as luigi

hm no idea what the tas time on 2 player mode is

KingOfJonnyBoy

since you can beat first quest normally, and then start from 2nd quest as luigi

you have to reselect 2 player game from the title screen to do that. Kinda weird you like, finish a run as mario and then start a new one

01:06

but i mean you also can spend 5.5 minutes setting up ace and then ace twice with both characters if thats what you want to do

what's the select mashing in 3-1 for?

01:08

honestly that seems like the only part of this that isn't like very setup findable

thats the payload of instructions to set up the ending sequence. In 2j you just need like 1 instruction to get the job done but smb1 is harder

gotcha, I mean I presume those inputs aren't super rigid right

01:14

because like in the TAS it uses L+D+U but creepio was saying simultaenous opposite directions shouldn't be necessary (edited)

01:14

idk if the selects themselves are all perfect though in which case that is pretty rough

01:15

although maybe doable with 1.5/2u rolling/flyheccing (edited)

it's definitely not optimized for rta

01:16

right now it's freely doing whatever inputs will work

yeah I'm mostly saying that because I wish I knew enough about this stuff to know what I could change without breaking it lol

KingOfJonnyBoy

yeah I'm mostly saying that because I wish I knew enough about this stuff to know what I could change without breaking it lol

right now it's a lot more than mashing select, theres a bunch of other inputs changing as well as p2 inputs changing. For rta, would need a solution with a permanent p2 hold + a very simple player 1 sequence

For RTA purposes you'd probably want to get a fire flower before triggering ACE so the fireball X positions set up an easy pointer and simplify ACE inputs. Doing ACE small only is faster for TAS but requires some extra work in the payload

10:14

Also I believe the 5:32 is from power on, starting from control of Mario in 1st quest 1-1 it should be more like 5:18

that sounds right. The powerup corruption crash is at ~5:09 and from there it's a few seconds to reset and 5 or so seconds to done

11:19

when does timing even stop. Haha

Easiest visual to work with is when the thank you text appears

Cut the payload down by 12 frames. Power-on movie but removing 678 frames from the start should line up with reset

26.84 KB

11:49

For 3-1 you'll want to replicate the exact scroll position these inputs do (40/0x28)

quest 2 wouldn't affect this sync'ing right

11:53

oh i guess you need it to pick 3-1

11:54

i want to try sync'ing it on console from a reset, but without running the powerup corruption

The inputs up until power up ACE are the same as the BizHawk TAS from last night if that helps

oh it's only the payload that changed

11:59

ill run through minus world ending to get hard mode, then try running it from a reset

11:59

to see if it syncs hitting the powerup block corner and stuff

11:59

and make a couple versions starting on slightly different frames

Simplistic

For 3-1 you'll want to replicate the exact scroll position these inputs do (40/0x28)

If there was any confusion I just said this in case you or anyone else wanted to work on movement optimization

12:00

I'm not as good with TASing movement (edited)

might be worth asking happylee if he wants to try the non ace stuff

yeah i have talked to happylee about the ace, haven't updated him on it since the big developments. could drag him in. just need to be sure it's not something that gets out of this group until the big reveal video, of course. :)

it looks like the tas probably sync's from reset, though i made a version with 1 frame taken off the start and it still hit the corner of the block

13:09

now we want to put simplistic's newest payload into the full_ace_works tas and see if we can console verify the entire thing (edited)

I can do that real quick

13:11

full_ace_done2.bk2

8.49 KB

Simplistic

Cut the payload down by 12 frames. Power-on movie but removing 678 frames from the start should line up with reset

could we save a frame by doing the fast l+r stuff at the beginning of 3-1? I'm not entirely sure how setting up this payload works. I just noticed 3-1 starts by just holding B and R. (edited)

that should save at least 3 frames

13:14

is the title screen optimized? Im guessing yes that's just how long it takes to select world 3

1

I did title screen as fast as I could, level movement is not optimized

100th_Coin

could we save a frame by doing the fast l+r stuff at the beginning of 3-1? I'm not entirely sure how setting up this payload works. I just noticed 3-1 starts by just holding B and R. (edited)

At least the way I'm doing it, what matters going into ACE is having $073A not be 0x02 so we don't get a crash, having $073F be 0x28 so the stack has a safe return address, and having $0755 be 0x60 so we safely return

1

Kosmic added HappyLee to the group. 2026-02-27 13:38

I showed happylee the tas and he's interested in working on optimization and entertainment

Hi, everyone. I'm honored to join the group.

Wave

Yo!

Kosmic changed the channel name: SMB1 ACE 2026-02-27 13:39

I'm not an ACE expert, but I think I'm good at optimization and entertainment. Also, I may have some good ideas in -1.

13:40

This certainly looks like an interesting TAS project to me, so I'm honored working with you all.

There's a lot of details with the ACE that I haven't learned about yet, but the part that I do know is that the blooper at the end of -1 needs to be in sprite slot 1, and at a specific Y position when the ACE exploit occurs.

I think the trickiest part will be optimizing the crash with the blooper + bowser. 100th coin generally seems to be the one to know how to meet the right conditions. And you need to do it on bizhawk for it to emulate properly

13:43

all the other parts should be pretty straightforward

100th_Coin

There's a lot of details with the ACE that I haven't learned about yet, but the part that I do know is that the blooper at the end of -1 needs to be in sprite slot 1, and at a specific Y position when the ACE exploit occurs.

oh I guess if we can check for all the perfect conditions in fceux then that works too, even if it doesnt work at the end on fceux

1

13:44

we're going to start doing "bizhawk verifications" now

it's a bit more complex than just the blooper being at the right Y position, since it relies on the correct data being in OAM at the time of the crash, and the blooper is shuffled into this slot of OAM every 3rd frame. But if address $2FD is 9C on the frame before the crash, then you're good.

13:45

We could also use an air bubble if that would be faster.

and for working on the 3-1 section, you can use these cheats to tas it on fceux

Image attachment

Image attachment

Simplistic

Cut the payload down by 12 frames. Power-on movie but removing 678 frames from the start should line up with reset

or rather you can turn on those cheats in order to play back this tas properly. And branch from there

Simplistic

For RTA purposes you'd probably want to get a fire flower before triggering ACE so the fireball X positions set up an easy pointer and simplify ACE inputs. Doing ACE small only is faster for TAS but requires some extra work in the payload

how would you do this without like breaking 3-1 screen scroll

15:30

just because like there isn't really anywhere to get fire in 3-1 that early, unless fireball x positions are carried over after a death in which case I guess you could just eat 2 deaths

KingOfJonnyBoy

how would you do this without like breaking 3-1 screen scroll

Doesn't have to be 3-1, could always do this in another level

Simplistic

Doesn't have to be 3-1, could always do this in another level

What are the exact requirements? I can do some testing.

These are the requirements here: https://discord.com/channels/@me/1453881597286809772/1477008456815874299

Kosmic pinned a message to this channel. 2026-02-27 16:29

He was mainly talking about the simplest plan for RTA there. For the TAS, 3-1 is already very fast. It's probably the earliest powerup that can work. But maybe there is a different approach

the only X-1 levels to look at are 2-1, 3-1, 5-1, 7-1, 8-1, because the background scenery is important. The hill & bushes background makes an opcode which crashes. Unless you could set things up to skip over that byte

16:40

5-1 and 8-1 only have stars which are far away then we need the EnemyObjectPageLoc to not be = 2, because that crashes. So the very early powerup in 2-1 doesn't work. That leaves: 2-1 1up, 3-1 mushroom, and 7-1 mushroom (edited)

16:41

of all of those 3-1 is the closest. It does need a little bit of enemy manipulation, but so do the others

16:41

and the other powerups are up high and slower

Worth mentioning that any of 0x08, 0x28, 0x68 for $073F seem to work for ACE, it's just that 0x28 is the value that works best for 3-1. Because $0750 contains 0x28 in 2-1 prior to the cloud bonus room's warp loading, more values for $073F are usable in this specific case (edited)

SMB_ACE_test1_1-1Mushroom_Also15039.fm2

338.11 KB

SMB_ACE_test1_1-2Mushroom_15039.fm2

338.11 KB

16:54

I've tested 1-2 Mushroom & Fireflower and 1-1 Mushroom & 1-2 Fireflower. Both end up the same time, which is 1 framerule faster than the previous test version.

16:55

So for entertainment, I think we should get the Mushroom in 1-1, and Fireflower in 1-2.

16:55

Also, I used this for -3: https://www.youtube.com/watch?v=IdbU_xgASfo

A Rare Wall Clip in -3 (SMB glitch)

YouTube video thumbnail

16:56

Never thought this would be useful one day.

ah because it's framerule and not frame based

16:56

awesome

Yeah the framerule in -3 was super safe, so we can do this rare clip, so this TAS would be different from "-3 stage ending" TAS, or "minus world" RTA.

Simplistic

Worth mentioning that any of 0x08, 0x28, 0x68 for $073F seem to work for ACE, it's just that 0x28 is the value that works best for 3-1. Because $0750 contains 0x28 in 2-1 prior to the cloud bonus room's warp loading, more values for $073F are usable in this specific case (edited)

It's the first time I notice $073F. I always used to watch $71C for the screen scroll. Is there a difference between those two?

In practice they're the same, but the game uses $073F for rendering and $071C for game logic

OK.

17:03

I'm testing -1 right now. It would be great if someone can give me an exact requirements for ACE to happen instead of crash. Thanks. (I can get crashes)

it always crashes, you need a specific crash

17:04

and you manually reset after the crash

(also FCEUX doesn't emulate the PPU register accurately, so it's difficult to verify if it worked.)

Even the new PPU won't work? I thought FCEUX's new PPU's pretty accurate...

correct

17:05

This is something that mesen gets wrong too. (edited)

17:06

It's very recent research.

Wow, so BizHawk works, and it works on real NES console, but won't work on FCEUX.

I had to modify bizhawk. (edited)

17:08

Basically, we need to crash the game on the frame after address $2FC has the value 9C. It doesn't matter how we set that value, with a blooper, or one of mario's air bubbles... but that's what we need. Then the jump to $2060 will hopefully read $9C at address $2064 on real hardware if the read happens on the correct ppu cycle. (edited)

17:09

Address $2FC would be the Y position of some object in OAM. (edited)

Who want to do a voice call to watch the tas console verify?

that'd be cool

okay let's just do the call and see who is around i guess haha

Ahh- I just started making dinner

oh np can do it after

1

i'll be around

yay

SMB_ACE_test1_-1Optimization_18668.fm2

419.57 KB

18:32

I did -1 optimization, adding my idea to this TAS.

Oooh!

Since I know nothing about OAM, I only did the part before loading the final crash so far.

ay very nice

wait i didnt know you could just swim over the flagpole lol

1

18:35

i knew you could get xpos from the earlier platform but thats funny

Yeah, that's why you need me in the project.

same :D

oh we need to adjust the bowser kill

18:38

this moves to the right too soon, so the RetainerObject doesn't spawn

18:38

that permanently occupies space in memory, we need that

18:38

at least, i think so?

Oh I can do that.

yeah the bottleneck is killing bowser asap, then moving to the right at full speed on the first frame the retainer object spawns

yeah it'd be needed

while maintaining 194 xpos

18:41

swimming straight over the flagpole is great, i didnt know how to avoid a very awkward swim to clip through the flagpole

OK. I'm adjusting the Bowser part now. (edited)

1

I've finished dinner, so whenever we have a TAS to console verify, I'm ready.

Lain started a call that lasted 112 minutes 2026-02-27 18:53

Bowser might be harder to optimize. Does this level have 21 framerule?

no it's just the frame we can crash at the next bowser

19:00

having only 1 fireball makes it awkward

No framerule, so every frame matters. This can be a bit hard.

19:00

Please give me more time. Need more time.

no rush

^

19:01

you have to delay to avoid loading the retainerobject, so its mostly about shooting fireballs as soon as possible. But it is tricky

Anyone know why only 1 fireball? It would be great if there were a way to have 2 fireballs.

your other fireball is busy being bowser

OK. I need to test the Bowser kill more. Anyone is welcome to help.

Here's the best I can do so far. Not sure if there's 1 more frame to be saved.

1

20:10

SMB_ACE_test1_18679_194.fm2

419.82 KB

20:10

Here's a slightly better one.

20:11

They are pretty much the same. Slightly better subpixels.

20:17

I don't know how to manipulate OAM, so I can't do the Blooper part. It would be great if someone can help me, or just do that part with great optimization.

Image attachment

20:30

9C

OK, every 3 frames.

$06E6 = E8

on the frame before the crash occurs

Yeah, let's adjust the load time of the Blooper.

20:39

Send it to the chat group if you like.

SMB1_Happylee_ACE.tasproj

342.09 KB

20:41

still in need of optimizing the blooper crash

OK.

I've met a problem... Since $2FC is determined by the Y position of the Blooper every 3 frames, how do you decide or move which one of those 3 frames? Like, I wanted it to be 9C on frame 19373, but it was on 19372.

SMB_ACE_test2_195_19375_9C.fm2

435.45 KB

04:47

Haven't figured it out myself. Here's a version that gets 9C on 19375, one frame before the crash.

04:48

It would be great if there's a way to get it on 19373, or get the crash 1 frame sooner.

Kosmic

5-1 and 8-1 only have stars which are far away then we need the EnemyObjectPageLoc to not be = 2, because that crashes. So the very early powerup in 2-1 doesn't work. That leaves: 2-1 1up, 3-1 mushroom, and 7-1 mushroom (edited)

3-1_ACE_test3_1172.fm2

26.56 KB

07:07

My optimized version of 3-1. Using what Simplistic said in the chat group.

07:10

Saving 11 frames in 3-1 than previous test version.

07:11

Before adding entertainment, let's make sure that it's fully optimized, and there aren't any faster approach. Thanks.

07:17

@100th_Coin Let's make another BizHawk verification. Thanks.

(edited)

HappyLee

I've met a problem... Since $2FC is determined by the Y position of the Blooper every 3 frames, how do you decide or move which one of those 3 frames? Like, I wanted it to be 9C on frame 19373, but it was on 19372.

It appears that we have no control over this because the alignment is reset on area transitions and the operation of the cycle resumes right before gaining control in -1, so changing the frame we exit 1-2 will not have any effect

I tried delaying 1 frame before entering -1, and it didn't change.

Simplistic

It appears that we have no control over this because the alignment is reset on area transitions and the operation of the cycle resumes right before gaining control in -1, so changing the frame we exit 1-2 will not have any effect

Thanks.

@HappyLee I have ran the new TAS you sent. We forget to mention that Mario needs to be on the ground when the crash occurs! Sorry about that! This is because when bowser spawns in, it will overwrite some byte in RAM that's currently 00, and that's Mario's state if he's on the ground.

Sorry, I didn't know that...

That's my fault for not mentioning that part.

Not your fault. That's OK.

12:09

I'm remaking a version now.

1

12:16

SMB_ACE_test1_194_19375_9C.fm2

435.45 KB

12:16

Would this be OK? Mario's on the ground this time.

One second. Running this in bizhawk...

12:20

It works

2

12:21

I'm still figuring out how to manipulate the ppu-cycle level timing of the read from $2064. I modified the final two frames so instead of l+r, it's just R. I think ~~mario~~ luigi facing to the right might change the exact timing of the reads, making it work. (edited)

12:22

the numbers are different because bizhawk loads the FDS game faster, but here's the changes:

Image attachment

A possible new method, with Mario instead of Luigi?

I meant Luigi, my bad

1

Didn't even call him Green Mario smh

Image attachment

12:24

it looks like the whole thing works!

Great. Is the final TAS time less than 5:30?

5:30.239

Good enough. It's probably the best I can do so far, based on current knowledge.

Thank you so much for contributing to this!

12:26

SMB_ACE_HappyLee_Optimized.bk2

9.1 KB

1

For Kosmic when we want to console verify this, here's the same TAS but with one more input changed so the read from $2064 and $2074 happen on a better ppu cycle.

SMB_ACE_HappyLee_Optimized_2.bk2

9.1 KB

1

I'll be adding entertainment to 1-1 and 1-2 first, in the next few days, since these two levels might be the safest.

1

12:38

Once -1 and 3-1 are confirmed to be 100% optimized, I can do entertainment to them both. I have some good ideas.

Yeah 1-2 seemed to be i think 6 frames from the next framerule. I didn't check 1-1 but I assume it's even farther

100th_Coin

5:30.239

Awesome, saved about 2 seconds

13:11

Rta timing it's about 21 seconds slower than any% now

13:11

Tas it's more because of fds bootup

Ok we just need to use Mario 3 to write a payload into RAM and skip Kyoudaku :)

That brings up a good point. What regions of RAM does the FDS BIOS clear/initialize? (edited)

i believe FDS bios clears out zero page and like.. 2 or 3 of the other pages. then SMB clears out most of the rest except some of the stack.

yeah, SMB1 clearing most of the RAM checks out (edited)

yeah i don't think we'll be making any use of RAM for the exploit. :)

Kosmic

Yeah 1-2 seemed to be i think 6 frames from the next framerule. I didn't check 1-1 but I assume it's even farther

The framerules in 1-1 & 1-2 are super safe. So unless someone invent a new way of getting power-ups, it should be perfect.

22:50

The goal of our TAS should be the fastest ACE game end (with clean & original ROM). (edited)

22:57

Doesn't really matter if it's slower than the normal any% TAS.

yeah i mean the important thing is that it's ACE, it's a bit unfortunate that it's slow, but whatever.

Yeah, we're doing a new thing that's almost impossible.

SMB_ACE_test3_196_19372_9C.fm2

435.39 KB

15:07

A 3-frame improvement in -1.

1

15:07

This is VERY HARD. Almost impossible. I think I've tried all the combinations, and only this one would work.

yeah it's almost like they didn't want ACE to happen in this game :/

Yeah, but I was talking about this 3-frame improvement.

ahh

-1 should be perfect by now. (unless we find new methods)

15:09

Also I got the Blooper kill in the end, which is kind of hard to manipulate.

15:10

I'll be going for the Blooper kill in the final version also.

SMB1_Happylee_ACE_Faster.bk2

8.98 KB

1

1

2

15:14

5:30.190

15:17

I also modified a single frame to make the ACE work. A single press of the R button to make Luigi face the right. I think flipping Luigi's sprite horizontally takes a different amount of cycles, and the read from $2064 happens at a really good time if he's facing right. (edited)

Image attachment

Cool. Very nice.

Another extremely close attempt at making ACE happen in quest 1... I figured out you can despawn this RetainerObject, by letting the earlier koopa fall off screen before scrolling too far, so the parakoopa is able to load in

Image attachment

1

12:55

this allows for the first overflow glitch at bowser with a slot open after the firebar goes offscreen! But it's instantly filled up by the retainerobject afterward

Image attachment

Image attachment

12:56

if it's possible to prevent the retainer object from spawning we would have it. I don't see how though

ahhh

if this bowser breathed fire we could do it. But only worlds 1-4 and world 8 bowser breathe fire.

(edited)

12:57

of course they checked for =8 and not >= 8

Other than the code moving from $8000 to $6000, some changes to set up FDS registers, and the minus world, what all is different in the FDS version?

regular gameplaywise i dont know of anything. But others might know more internally

Kosmic

this allows for the first overflow glitch at bowser with a slot open after the firebar goes offscreen! But it's instantly filled up by the retainerobject afterward

confirmed we could even get the slots set up correctly to have the later bowser go in slot 4 and create object 84, if there was someway to skip this retainerobject

Image attachment

could maybe try some funky stuff with xpos

the object going off screen to make room for the retainer is a firebar, so i dont think theres anything to do

I'm planning to redo entertainment of the first few levels as well. Anyone wants to test -2 with me, and find the most entertaining solution?

wish i could help but entertaining TAS'es is a bit outside of anything i'm capable of. :)

what life would be like if this firebar was ONE block to the right

Image attachment

Image attachment

Image attachment

01:50

would not even need powerups haha

01:51

though they might be a little bit faster than dying at the midway

01:51

well, you might not need that either

Finished redoing the minus world TAS except -2. It would great if someone could test -2 with me.

I have to be dedicated to finishing my video in the next week and a half, so I won't be able to help

10:55

-2 also sounds really hard to get the correct cheep at the end

What is it that needs fixing with -2? I can't say I'm super useful at TAS'ing.

SMB_ACE_TAS_before_Luigi.fm2

250.81 KB

12:36

Finished redoing entertainment before Luigi.

12:37

The new -2 should be better than before.

when we come through the next time i think it could be fun to swim under one of these platforms at the bottom, we rarely see swimming underneath in this game

Image attachment

12:40

-2 looks great. Thanks for doing this HappyLee

12:40

i like the skid before the cheep clip

Thanks.

12:42

I can finish the entertainment of the rest of the levels in a few days. In the meantime, it would be great if someone can help me confirm that there's no time improvement left in -1 and 3-1. Thanks.

did we optimize the height/yspeed of mario dying?

It probably doesn't matter. But it's a good question.

the framerule timer is frozen during the death animation

12:43

so we lose individual frames

Wow you're right. Somehow I missed that...

12:47

I thought there were a framerule in 1-1 before Luigi appears.

12:48

I'm changing the death part right now.

there is a framerule so your movement in 1-1 doesn't have to be perfect, but the exact length of the death animation matters

SMB_ACE_TAS_before_Luigi_2.fm2

435.28 KB

13:00

Death animation part fixed. This is 6 frames faster than the previous full test version.

1

13:00

Thanks for this important knowledge.

You're welcome!

Wait. There are faster ways.

13:03

Still not optimized.

how does optimizing it work? I guess we don't have a lot of control over Y position because it resets on jumps, but do you optimize subpixels from previous jumps?

sub 5:30 incoming!?

and if it's possible to have the ideal death "bounce", you would want to do it as close to the ground as possible

SMB_ACE_TAS_before_Luigi_3.fm2

435.26 KB

Y subspeed is the important factor for the speed at which mario bounces up during the death animation

One frame faster by even better death animation.

Y speed gets set to a fixef value but Y subspeed carries over

This should be the fastest death.

great work HappyLee and nice thinking Kosmic

7 frames faster than the previous full test version overall.

Im just glad fastest possible death is important. Great work!

Should be 5:30.074

oooh

Not sub 5:30, but close enough.

(edited)

the "bounce" length now looks similar to the one in the SMB2-J All Stages tas

13:19

Nice work

13:22

it looks 1 frame longer than that TAS, actually. But they die to a piranha which is up higher so maybe the same conditions are not possible?

13:23

https://www.youtube.com/watch?v=nRUCtp2vkhg&t=25m4s

Nobodycallsmetubby

[TAS] Super Mario Bros.: The Lost Levels "All Levels" in 34:35.48

YouTube video thumbnail

Not even using my TAS- oh wait

Kosmic

it looks 1 frame longer than that TAS, actually. But they die to a piranha which is up higher so maybe the same conditions are not possible?

Yeah it's not the same. Since Mario has to die to that Beatle anyway, there are very limited combinations of Y position & subspeed.

okay! Thanks

SMB_ACE_TAS_before_2nd_-1.fm2

337.98 KB

12:28

Entertainment before 2nd -1 is finished.

1

very nice! :)

What's the ideal time for us to release the TAS? Shall we wait for Kosmic's video, or shall we release it as soon as possible?

best to wait i think, the video should be coming out soon.

23:08

let it have as good of a chance of getting traction as possible. :)

Kosmic's video should be coming out in about a week? Or two weeks? And we release our TAS maybe 3 days after Kosmic's video?

i think it was in about a week, he'll have to answer that though. :)

yes it will come out on the 14th

23:29

It would be fun to release early the next week, with a twitch stream premiere if everyone is open to that

23:29

and any fun payloads people would like to prepare, I can reset and run them afterward as well

Kosmic

It would be fun to release early the next week, with a twitch stream premiere if everyone is open to that

Today's Thursday (or Friday in my country China), so would you like to release it before 14th?

'the next week' after the 14th would be like, the 16th. :)

oh, yeah sorry I mean a couple days after the 14th

Oh I see. March 17th sounds good to me.

00:07

So we'll have time to examine everything, and finish the TAS.

SMB_ACE_TAS_before_2nd_-1_2.fm2

337.98 KB

11:34

Updated the first -1. Added this:

11:34

Image attachment

11:35

Coins would be 2 less, but I think Kosmic's idea is worth a shot, because it's indeed rare to see.

oh nice!

11:56

You didn't want to do it the 2nd time through, with Fire Luigi?

Probably not, because I want to shoot that Bowser above.

sounds good

11:57

are you planning to kill it? If so I dont think that will work

To at least hit him 3 or 4 times.

great

11:58

it's too bad we cant have the slots right after killing him, because we could have fireworks going off near the staircase which would be fun

Yeah.

true that would have been great

uh- I haven't looked into this at all, but someone in my discord just sent this

Image attachment

2

hm are we sure they have no cheats on or something

16:36

i just finished the level with 1, 3, and 6 and none crashed... they'll need to provide some more context

right

if it is real and leads to something, what insane timing

16:37

find this in like 1 week please thanks

right?!

16:37

they might have cheats enabled

16:38

they had cheats enabled.

D:

haha

they found the ram jump location before the cheat haha

16:38

what cheats i wonder

16:38

as we have seen, 1 game genie code can be pretty powerful

would be very funny if someone after all this just found that like.. slow down a little in -2 and you get ACE.

they were using cheats that were supposed to work on the cartridge release of the game (edited)

Image attachment

like could you have waited a week

16:40

i mean i wont say they haven't, but, it'd be unfortunate

threecreepio

would be very funny if someone after all this just found that like.. slow down a little in -2 and you get ACE.

yeah i was thinking this with -1, like it's actually so easy to crash if you just slow down at certain spots. But uh we just play it at full speed in runs

100th_Coin

they were using cheats that were supposed to work on the cartridge release of the game (edited)

ooh

that sounds like a bad spot to change for stability :)

Image attachment

16:43

i think that RTS after starting the fireworks may be important..

Image attachment

yeah those two didnt seem to matter, this one did

Image attachment

oh i didnt see that cheat haha

16:44

i saw 4-4 and was like ah, it's messed up loading the 4-4 level

16:44

but thats not right ofc haha

threecreepio

that sounds like a bad spot to change for stability :)

well thats definitely fireworks

funny that it jumped to nearly the same location as the ACE

Anyway, I wouldn't have jump scared you all like that, I would've booted up the game and checked myself first, but I'm busy at the moment. Sorry for that!

haha don't worry about it

took a few days off our lives but it's all good

HA

just a lot months of effort nearly wiped out by a screenshot no big deal.

2 frame improvement on payload

3-1_ACE_1170.fm2

26.55 KB

1

1

ay nice!

Nice. 3 frames away from sub 5:30 (not that it's important or anything).

2 more frames ;)

3-1_ACE_1168.fm2

26.51 KB

1

Wow. Now it's really close.

10:03

Good job. Is our TAS time perfect by now, or will we find more improvements?

I don't know of any opportunities for further improvement so it's likely this is the ideal time, though I will provide details about the payload inputs in case anyone else wants to search for faster inputs

1

4 frames is really impressive, awesome work

Simplistic

I don't know of any opportunities for further improvement so it's likely this is the ideal time, though I will provide details about the payload inputs in case anyone else wants to search for faster inputs

I would love to take a look

By the way, I don't know if it's going to impact the payload, but I can stop the moving shell in 3-1 before the crash, and that's probably what I'll do for entertainment. It's probably not important, just want to mention it.

You just have to make sure that EnemyObjectPageLoc ($073A) becomes 03

Yeah it's already 03 before that.

Great

I wanted to mention it, only because I see a difference in the new payload (4 frames faster) with the moving shell.

The payload timesave should be just from different controller inputs, I think

Image attachment

12:18

The moving shell doesn't seem to hurt Mario (or at least as seen from the graphics).

12:18

I don't know why. Hopefully it's nothing important.

He's in victory mode, like walking to the castle

12:20

Only a hammer or firebar should hurt him at that point

As I remember, it's not like walking to the castle.

12:25

Image attachment

12:25

Normally, Mario should die from getting hit by a Koopa.

Oh, yeah you're right

12:25

He interacts with the blooper in -3 for example

Yes.

12:26

So I really don't know what Simplistic did. I see moving Piranha Plants and moving shells.

12:30

Image attachment

12:30

If I stop that shell, Mario would die.

12:30

That's really funny. Still no idea why.

Haha!

12:31

He falls down and it restarts the level, right?

No. It still counts as game end.

Oh wow

The music stops playing, but you can press button B to select a world.

12:32

Mario died, but not really died.

Schrodingers Mario

Image attachment

12:34

It's a really funny ending. I don't know if we should use this or the original one in which Mario doesn't stop the shell and lives.

12:35

Image attachment

12:35

There's also this one: Mario stops the shell, and gets killed by the moving shell.

12:36

This one has the winning music playing over and over again, but Mario's died.

12:36

And there's something like a QR code on the screen.

That last one sounds the most fun

Yeah the last one's the most funny one. It's game end glitch for sure, and Mario died from a shell, probably as a punishment for using ACE.

100th_Coin

I would love to take a look

STY $0090 -> $0090 = 0x2E
LSR $0090 -> $0090 = 0x17
LSR $008F -> $008F = 0x50
STA ($8A,X) -> $0750 = 0xFE
STY $008D -> $008D = 0x2E
LSR $008D -> $008D = 0x17
DEC $008C -> $008C = 0x5F
ISC ($87,X) -> $075F = 0x03
SLO ($87,X) -> $075F = 0x06
ISC ($87,X) -> $075F = 0x07
ASL $00D0 -> $00D0 = 0x06
INC $00D0 -> $00D0 = 0x07
ASL $00CF -> $00CF = 0x70
SLO ($CA,X) -> $0770 = 0x02

and this is controller 1 and controller 2 being read once per frame?

Yes, with the caveat that start and select lock the respective controller's input until there's an input with neither pressed so care has to be taken with what inputs are used

1

15:09

I pressed the enter key too early so I meant to send that with register values and such

15:09

A = 0xFE, X = 0x05, Y = 0x2E

Kosmic pinned a message to this channel. 2026-03-07 15:11

My previous approach to the payload was making a pointer to $074C in zero page, storing 0xFE there and shifting down to 0x1F, and then using absolute instructions for setting $075F and $0770 to the desired values; I couldn't think of a quicker way to set up the pointer and write a suitable value at $074C though so the latest 2 frame save came from ditching that and just making pointers for every address we need to modify

15:16

The plants and shell go crazy because the enemy X positions and Y positions seemed like the quickest values to make pointers with

oh lol the one that modifies the koopa looks crazy

15:21

thats really funny

Simplistic

STY $0090 -> $0090 = 0x2E
LSR $0090 -> $0090 = 0x17
LSR $008F -> $008F = 0x50
STA ($8A,X) -> $0750 = 0xFE
STY $008D -> $008D = 0x2E
LSR $008D -> $008D = 0x17
DEC $008C -> $008C = 0x5F
ISC ($87,X) -> $075F = 0x03
SLO ($87,X) -> $075F = 0x06
ISC ($87,X) -> $075F = 0x07
ASL $00D0 -> $00D0 = 0x06
INC $00D0 -> $00D0 = 0x07
ASL $00CF -> $00CF = 0x70
SLO ($CA,X) -> $0770 = 0x02

I noticed you make a 7 twice- can you not re-use the 07 for WorldNumber to build the 70 for opermode address? (edited)

15:26

might save 1 frame here skipping the ASL $00D0 + INC if you can just load it with the 07 straightup

Wouldn't be able to because I only get 1 instruction per frame; if I tried to load 07 from the world number, I wouldn't be writing to any RAM that frame and my work gets undone the next frame since I can't carry over the register value from the load

oh, okay i see. Can't save in register and would need more bytes to do it with ram in 1f (edited)

I do wonder if stopping the shell allows for setting an X position that could help with a faster payload

what is at address $07

Alternates between FF and 01, haven't tracked down where it gets the value from

oh, huh

15:36

if we store there does it get overwritten with one of those

think $7 had like the powerup timer in that routine..

I believe JumpEngine uses it as temp RAM so I doubt anything could be carried over

yeah it does

ok gotcha

15:37

same with 06?

yeah

15:38

could be interesting to track what predictable ram changes are happening per frame during the ace execution, if any of them are like, decrementing once per frame and we could set a value earlier to be useful. but, not sure how much that would matter.

is there a fm2 that runs on fceux that shows the full run including the ACE?

no, since FCEUX doesn't emulate the read from $2004 correctly

15:44

the ACE cannot be done in FCEUX

you have to run 2 separate ones to see the full thing, or watch the full thing in bizhawk

how do I run them seperately to make it work?

15:45

just run the fm2 to the crash and then run the 3-1 fm2? (edited)

you can set 7FC to 01, and 9C9D to 08 to run the 3-1 fm2.

ok ill try that thanks

does reseting right when you touch the axe in -3 work to get back to title screen faster?

16:24

would that still put you on quest 2? if so that should save a few seconds

16:27

nevermind I think it doesnt work

World select is enabled when you press B to go back to title so that wouldn't help unfortunately

https://www.youtube.com/watch?v=PG75pQps818 got my total control script working with it, fun. not a super exciting video unless you like minutes of black screen, it can ofc run much faster if it didn't wait a frame between reading inputs. :)

YouTube video thumbnail

there it is

03:26

amazing work haha

Simplistic

World select is enabled when you press B to go back to title so that wouldn't help unfortunately

g&w goated

Simplistic

STY $0090 -> $0090 = 0x2E
LSR $0090 -> $0090 = 0x17
LSR $008F -> $008F = 0x50
STA ($8A,X) -> $0750 = 0xFE
STY $008D -> $008D = 0x2E
LSR $008D -> $008D = 0x17
DEC $008C -> $008C = 0x5F
ISC ($87,X) -> $075F = 0x03
SLO ($87,X) -> $075F = 0x06
ISC ($87,X) -> $075F = 0x07
ASL $00D0 -> $00D0 = 0x06
INC $00D0 -> $00D0 = 0x07
ASL $00CF -> $00CF = 0x70
SLO ($CA,X) -> $0770 = 0x02

Thanks. I'm far from an ACE expert, but I've asked ChatGPT and studied for a few hours, and can't find an improvement over this payload. ChatGPT told me that if I can make $87 = 0x07 or 0x0F or 0x17 or 0x1F, one or two frames can be saved. But for this setup, I can only adjust $87 from around 42 to A8, very far from 0x07.

08:46

Also, $86 is far from 5F, so I can't do anything about that either.

threecreepio

https://www.youtube.com/watch?v=PG75pQps818 got my total control script working with it, fun. not a super exciting video unless you like minutes of black screen, it can ofc run much faster if it didn't wait a frame between reading inputs. :)

woa this crash allows for total control???

Kriller37

woa this crash allows for total control???

yeah the 2j one does too! though they are a bit different. (edited)

Just want to make sure, we can't do this with this opcode, right? LDY #$17 STY $0090 STY $008D Or something that changes Y to 0x17...

no we can't actually change the registers with the controller input approach. we can only run 1 opcode per frame. so we can change 'y' to another value, but we can't do anything with it after because it will be changed before the next frame.

1

Oh I see. Another idea (or stupid question, please forgive me): Since we've used the value 0x17 as a pointer twice, would it be possible to make it in one place, and change the other value to save a frame? (edited)

22:51

The other value should be 0x50 and 0x5F a few frames later, but we have a moving shell, don't know it's useful or not.

yeah not really looked into it, is the shell hitting those values?

Also we have this: ASL $00D0 -> $00D0 = 0x06 INC $00D0 -> $00D0 = 0x07 Which is like doing the same thing, to get an 0x17 or 0x07 as a pointer. Would it be possible to use only one or two of those instead of 3? That might save time.

threecreepio

yeah not really looked into it, is the shell hitting those values?

The X position of the shell can be a lot of values, from around 0x42 to 0xD0, I think.

22:58

Also it's moving, so it's changing itself.

23:00

I'm thinking something like changing $88 to 0x17, and just manipulate $87 (shell's X position) and see if we can save frames?

23:01

But I'm really no good at 6502, and ChatGPT seems to have given me lots of wrong answers yesterday...

haha yeah ai is not great at 6502.. thankfully.. :)

I can manipulate $86 $87 and $CE, so I'm thinking if we can use those to get faster pointer values.

Do we have to change $750 before everything else, or it would crash? I tried moving it later and it crashed.

no just changing areapointer shouldn't do anything

It's in the payload, changing $750 first. I searched the previous chat, but couldn't find anything about it.

23:23

So I assume it's to avoid crash.

but if you're going to step the world number up from 2 to 7 with the shell as the 5F, you're going to need to have several frames where the shell is at that X position.

threecreepio

but if you're going to step the world number up from 2 to 7 with the shell as the 5F, you're going to need to have several frames where the shell is at that X position.

Yeah that's a problem. The shell's moving 3 per frame, unless I stop it before.

so then it'd need to be stopped at 5F, then kicked to 50, which would also take time

23:26

and then it needs to become 70 :)

23:27

assuming you'd use the same 07 for all 3 addresses

Yes. I'm thinking of doing some calculation to $87 while the shell's moving, and use $88 to be 0x17 or 0x07.

23:28

I can kick the shell, or maybe stop the shell in the middle of the process.

23:28

Also, I can manipulate $86, $CE, $57, $9F to get the value we want.

According to my test, $750 needs to be changed before $75F or it won't work. I don't know why.

23:42

Also, $770 needs to be changed last, or inputs won't be read after victory mode.

yeah 770 should need to be last

One of my ideas: I think I can get $86 to 0x70 in the final frame, so can we get $87 to 0x07 or 0x17 or something else to save one or two frames?

well 87 is one of the koops, you can disable the enemy and move it, or try to find a way to get the value closer so it moves to the correct spot and then you disable it

$87 is the X position of the moving (or stopped) shell, so I think we can get it to 0x07 or 0x17 or something useful with one or two commends?

sure. if it's stopped you could do an stx + inc + inc to get a 7

Or maybe 0 commends? I don't know if values like 0x87 or 0xC7 would work.

you can do 07, 0F, 17 or 1F

Simplistic did something like this to other values: STY $008D -> $008D = 0x2E LSR $008D -> $008D = 0x17 I'm thinking that we can do the same with the stopped shell, changing $87 to 0x17. With $86=0x70, that should save a frame.

well you'd be shifting the bits, so, you want 00010111, doing an LSR on 00101110 or 00101111 will get you there, which is 2E or 2F. you can also shift left (ASL) from 00001011 (11) but then you'd need an INC after to set the low bit. then there are the unofficial/illegal opcodes which can combine some operations

00:19

ah right i get it, the 750 is changed to prevent a crash when you do two byte opcodes. makes sense that it crashes then. was wondering why that would need changing for the ending. :)

OK. I'm not familiar with shifting this, so my question is, can we change anything to 0x17 with something like these two lines: STY $008D -> $008D = 0x2E LSR $008D -> $008D = 0x17

yeah should be fine

Can anyone help me translate: STY $0087 LSR $0087 to FCEUX inputs? I've asked AI but they can't seem to do it (or maybe I'm asking the wrong way?). Thanks.

TAS 2
AUD|ADLR
BUDL|ADLR

should work i think (edited)

8C 87 4E 87 8C is A + Up + Down 87 is A + Down + Left + Right 4E is B + Up + Down + Left

Thanks.

before you've changed 750 you need to make sure to be using 3 byte instructions

Image attachment

2

01:20

Just a funny screenshot with a failed attempt...

01:25

Only 3 pixels away from success. So close... Trying more solutions...

3-1_ACE_1167.fm2

26.45 KB

01:36

Yeah! 1 frame improvement!

01:36

This means: sub 5:30!

2

01:40

It turns out, getting Mario's X position ($86) to 0x70 is harder than I thought. I'm not sure if it's possible if we somehow save another frame with the previous payload adjustment.

ay nice!

1

It's probably the best I can do, since I'm really no 6502 expert... Can't think of any improvement left.

wow that's a really fast payload

11:57

amazing work!

1

OK. So I'm pausing this project for now, and will be busy with my work and music for about two weeks. Meanwhile, we can check everything and see if we've missed anything.

1

1

@Simplistic Hi. I have a new idea that might save more time. You said a few days ago: Worth mentioning that any of 0x08, 0x28, 0x68 for $073F seem to work for ACE, it's just that 0x28 is the value that works best for 3-1. Because $0750 contains 0x28 in 2-1 prior to the cloud bonus room's warp loading, more values for $073F are usable in this specific case But I don't fully understand this... I just tested 0x08, and the same payload didn't work for 0x08. What's the other requirements for 0x08?

Is $073A still 0x02 when you're testing this? I wasn't able to get this value to change over to 0x03 until $073F > 0x20, so for 3-1 I haven't been able to make 0x08 usable

$073A is 0x03.

08:12

I was using cheats... I can't seem to get it either.

08:12

Can't seem to get 0x08 the normal way.

Upon further investigation it does seem like 0x08 would be unstable anyway since the return address would depend on the processor flags at the time of the instruction being executed, and it seems like the flags won't necessarily be the same every frame

OK, so I'll continue using 0x28 (can't seem to get 0x03 with 0x08 anyway)...

I apologize for not having said this earlier but marvelous work on the existing improvement, very nice to see the final time under 5:30

1

Nothing to apologize for. You're the expert, and your 3-1 payload is wonderful.

08:19

I'm trying ideas that might save another frame...

Need help: STA ($8A,X) -> $0750 = 0xFE Can we replace this line with something else that does similar things? To manipulate Mario's X position, I need inputs with more left presses (1P). Thanks.

Will left+right work? This needs to be an instruction with indirect addressing and those only end in 1 or 3, so it would seem right or left+right is required. DCP ($8A,X) would be an alternative, that is A+B+L+R on controller 1

L+R wouldn't work. L+D works.

Oh I forgot what value $0750 had, DCP wouldn't work even if those inputs were fine. The only idea I have is to delay the STA instruction, since it's only a prerequisite for the other indirect instructions the payload uses. The instructions responsible for creating the other pointers can come first

$750 was 0x42.

09:30

Need help with this (probably more important):

09:30

3-1_ACE_1168_test4.fm2

26.45 KB

09:30

I just got a crash I couldn't explain. I was trying this new idea, and copied the inputs I had last time, but it crashes in the middle, couldn't even set $750 right.

09:32

I was using cheats, to play the fm2 above, one has to settle $705 to 0xA0 at frame 1136.

It seems like $0755 was 0x5F at the time of ACE occurring, rather than 0x60

Image attachment

09:39

It should be 0x60.

09:40

$705 needs to be changed to 0xA0 at frame 1136.

09:40

I was too lazy to manipulate X subspeed beforehand, so I was using cheats.

Oh I understand what you mean now. Taking a look

09:49

My previous payload depended on you hitting the brick block to the right of the powerup to place a value of 0xA0 at address $008F

OMG... I didn't noticed this:

09:51

Block_X_Position = $8f

09:52

I never checked this before...

09:52

Thanks. I'll try if I can hit the brick block...

My idea trying to save a frame almost worked... Now all I need is more left press for Mario.

3-1_ACE_1168_test5.fm2

26.43 KB

10:34

The fm2 above is only half a pixel short for Mario.

10:35

It would have worked with only one more left press somewhere.

10:36

More left press, or less right press.

10:37

Most of the right press come from here: |0|RL...SBA|RLD....A ISC ($87,X) -> $075F = 0x03 |0|RL......|RLD....A SLO ($87,X) -> $075F = 0x06 |0|RL...SBA|RLD....A|| ISC ($87,X) -> $075F = 0x07

10:37

I wonder if it's possible to achieve similar things with no R press.

I saved a frame earlier by loading the Koopa a frame earlier. Trying to save another frame during the payload, but haven't succeed so far (one pixel short).

3-1_ACE_1168_test7.fm2

26.41 KB

12:11

I need help with 6502, trying to do more left presses, or less right presses.

12:12

Calling for 6502 experts, if anyone has time, thanks.

HappyLee

Most of the right press come from here: |0|RL...SBA|RLD....A ISC ($87,X) -> $075F = 0x03 |0|RL......|RLD....A SLO ($87,X) -> $075F = 0x06 |0|RL...SBA|RLD....A|| ISC ($87,X) -> $075F = 0x07

is just "R" any better than "L+R" here, or are they the same

They're the same.

12:14

I need more L presses, or less R presses.

12:14

One would probably be enough.

hm. So left presses are %0000 0010. There are a lot of read-modify-write instructions to zero page addresses with opcodes ending in 6. That's left + down. (edited)

1

ok, i know simplistic talked about needing indirect addressing, which ends in 1 or 3, so R or L+R required. But maybe we can change a different instruction besides these 3

Image attachment

for instance, 06 is ASL <ZeroPage, 16 is ASL <ZeroPage, X, 26 is ROL <ZeroPage ... (edited)

For example, we used these to change $75F to 0x07. Would there be something that can do the same, but with less R presses? |0|RL...SBA|RLD....A ISC ($87,X) -> $075F = 0x03 |0|RL......|RLD....A SLO ($87,X) -> $075F = 0x06 |0|RL...SBA|RLD....A|| ISC ($87,X) -> $075F = 0x07

Ah, I see the issue. 6502 assembly does not have a ASL (indirect), Y or INC (indirect), Y opcode.

Forwarded

Image attachment

Originally sent: 2026-03-10 13:56

13:59

I've tested all these. They all won't work for adjusting $87. Two of them were very close, just one pixel short. I don't think there are other commends left with left press.

14:00

threecreepio told me an idea of pressing Start before the level start, so we might have some new commends.

1

14:00

I'm not familiar with commends with Start. Would anything help to save a frame?

yeah we can run one instruction with a start press, since as long as you hold select or start the controller value we're using won't change. so you can prepare a single opcode (edited)

Basically, start adds $10 to the value, so we're getting a new list of addressing modes. Typically this changes from Absolute to Absolute, X or something similar. Instead of (Indirect, X) you get (Indirect), Y

and it also means you can press whatever other inputs you want on that frame

14:03

so if you want one less R press, and you can replace he first instruction we run from something that has an R press to something that has a start press, you can unpress the R even if it's needed for the opcode. (edited)

100th_Coin

Basically, start adds $10 to the value, so we're getting a new list of addressing modes. Typically this changes from Absolute to Absolute, X or something similar. Instead of (Indirect, X) you get (Indirect), Y

Oh I see... But that's mostly related to 2P input, so I guess it won't help us to do more L presses for Mario.

well you can switch the player 1 inputs to anything else and it won't affect the opcode that's running. so say if you needed to press L for another couple of frames on player 1s controller, and could find an instruction with select or start held that could be the first instruction in the payload, you could use those to get a little more movement freedom

the idea is with holding start, you can get the same opcode for frame(s) while changing mario's inputs

Yes. It would be helpful if we use the same commend twice, but I don't see it in the current payload.

14:19

So still can't think of a way to press L more.

it's not about using the same command twice, you can move mario without changing the command

14:21

you can hold the first instruction of the payload before the level loads in, and then as long as you keep holding start, that instruction is "buffered". Then you can press whatever you want for the other 7 buttons without changing the command (edited)

i'm not saying that will necessarily help your issue, just that it gives some more options.

it looks like the first frame of the payload currently does hold left. But the second frame doesn't. So maybe you can rearrange things and use the start press to get an extra frame of left in

14:25

|0|.L....BA|.L....BA||
|0|.LDU..BA|..DU...A||
|0|..DU...A|R.DU...A||
|0|.LDU..B.|R.DU...A||
|0|.LDU..B.|RLDU...A||
|0|..DU...A|....T..A||
|0|.LDU..B.|....T..A||
|0|..DU...A|RLD....A||
|0|R......A|.L.U...A||
|0|RL...SBA|RLD....A||
|0|RL......|RLD....A||
|0|RL...SBA|RLD....A||
|0|RL......|R......A||

(edited)

The second frame also has L press.

oh, the 3rd frame i guess

Here's the payload I've posted: |0|.LDU..BA|..DU...A |0|.LDU..B.|RLDU...A |0|.LDU..B.|RLD....A |0|..DU...A|R.DU...A |0|.LDU..B.|R.DU...A |0|..DU...A|....T..A |0|.LDU..B.|....T..A |0|R......A|.L.U...A |0|RL...SBA|RLD....A |0|RL......|RLD....A |0|RL...SBA|RLD....A |0|RL......|R......A

14:28

It's in test7.fm2

14:29

Sorry that don't know how to paste code in Discord.

three backquotes code block (edited)

Image attachment

okay sorry i was looking at test5 not 7

Thanks. test5 has Mario's X position half a pixel short, and test7 has shell's X position 1 pixel short.

14:33

I moved the commends with R presses all to the end. None of them can be used as the first or second commend, so I can't think of a way to save an R press.

what does the L+R right here do?

Image attachment

To get better acceleration. It can be replaced with R.

14:36

With R, the acceleration would be the same, but Mario's facing right.

Image attachment

14:48

I think I have a new idea. It's CRAZY...

14:48

I've never used something like this before.

sounds exciting

oh wow, haha im very curious

Wait a few minutes... This idea is hard to optimize...

Wow! I did it!

1

15:09

It should be 1165. (edited)

3-1_ACE_1165.fm2

26.41 KB

15:10

In total, I saved 2 frames from Simplistic's payload by manipulating Mario and the shell's X position. And another frame from loading the Koopa early.

15:11

The optimization is crazy. The X position & subspeed manipulate is extremely precise.

wow it's so clean!

ay very nice!

This is very hard. I think the payload should be perfect by now. At least I did my best.

now we have to decide what "BBM" means

1

3-1_ACE_1165_entertainment.fm2

26.41 KB

15:43

3-1 with entertainment.

15:43

Now it's BMM. Maybe better than BBM? I can't seem to make it anything else.

15:44

It's probably the Best Mario Movie?

doing the vine growing glitch at the midway in the minus world, I got PPU ace crash at the end with cheating to shoot 1 single fireball. The fireball is to kill a hammer bro, so that it moves faster to the right. There's a glitch koopa which inherits the X speed of the slot that it loads into. If you could get this koopa to inherit enough speed, without powerups, then that would be ACE in quest 1

Image attachment

2

16:00

now, let me check how fast it would be... probably very slow lol

There's a glitch Koopa before that? Wow I didn't know.

yeah there's an 04 enemy id thats underground

It only happens with a growing vine, right?

oh does it only spawn because of the page change object

16:04

as far as i can tell, it's right here. It must be the same situation as the green cheep cheep in 7-3?

Image attachment

16:07

This minus world takes over 2 minutes, but I think it would come out faster

16:07

You need to get Mario to 5-2 and Luigi to minus world

I've been doing a lot of research into reads from $2007 mid-visible scanline. It's complicated and required me to completely recreate how my emulator's PPU reads from memory. To make a long story short, I don't think I'll be able to modify bizhawk to correctly emulate that behavior, though if I finish adding support for the FDS in my emulator, I should be able to tell you what would be read from the mirrors of $2007.

16:09

I sincerely doubt it would be something we can manipulate, but it might be interesting to know. (edited)

How do we load this Bowser with only one empty slot?

Image attachment

16:49

Sorry that I haven't tested it before.

16:51

I always get 2 empty slots...

Did you grow the vine at the start here?

17:15

Or, at midway rather

Vine at midway.

I got the buzzy beetle to spawn by moving the screen forward when the first green koopa was next to the flagpole

17:17

So I had koopa + blooper + buzzy beetle + flag

Image attachment

17:18

I can get the Beatle just fine, but the Koopas would despawn.

I'll send a video soon

Nevermind, I got it.

I hacked 11 extra time on the timer at the end to reach bowser, but I'm sure it can be done. I didn't swim over the flagpole, and the time I spent to get the hammer bro in slot 4 should be able to be optimized a lot better. Especially if there's RNG where the blooper immediately swims to the right

I can load the Koopa with X speed = 8, but I haven't found another Bowser yet.

17:31

Can't see the enemy list.

I think this koopa does spawn from the page change object, like the green cheep. It must happen whenever the high nibble of the high byte is 0, or something?

Image attachment

Image attachment

Image attachment

yeah, it is from the page skip, afaik

HappyLee

I can load the Koopa with X speed = 8, but I haven't found another Bowser yet.

recording a vid now. I believe i got 16 speed from killing the hammer bro with a fireball. Thats why i needed fire

But getting Fire should be impossible with the vine.

17:36

I can only get a speed 8 Koopa.

Yeah that's the problem haha

17:36

I said if you could get it to inherit enough speed without powerups then it would work

17:37

I dont think anything moves fast enough without fire kiill

17:37

except hte bullet but it goes the wrong way and it goes off screen

So far still impossible, right? I was afraid that I had to redo the TAS, which would be very sad for me.

yeah not possible unless theres a way to speed up the koopa

17:44

doing rough calculation, i think this would actually be slower than our current tas

17:45

ill still post the video so people can see the idea

OK.

https://youtu.be/nSu5krKSvcU

Midway vine ACE idea (1 fireball away)

YouTube video thumbnail

17:50

i spent a long time at the start to get the hammer bro / "4" koopa object into slot 4, which im sure can be done faster. Then killing the hammer bro gave the glitch koopa 16 speed. Then i brought it past all the glitch objects and unloaded it as soon as it was past the last one

17:51

i think this would come out like, 10 seconds slower than our tas

17:51

if it could inherit +24 speed from a bullet bill or something then that would be the only chance

I'm happy as long as I don't have to redo the parts we've already done.

oh man, i made it without fireflower. But the bowser is in slot 2 and not 4 (edited)

1

Hmm? How?

oh wow

8 speed koopa, and then switching to using the moving platform

19:06

https://youtu.be/lB7KsKy-aWs

Late Bowser Overflow in Quest 1 (82 object.. need slot 4)

YouTube video thumbnail

Wow, that's very smart.

19:08

Does Bowser have to be loaded in slot 4 (or the 5th slot)? (edited)

there's something really goofy about the death music being played at 50% speed.

yeah he needs to be in the last regular slot (cant go in the powerup slot) so you get object ID 84 to load in

19:09

the second half of bowser has ID 80 through 84, depending on what slot the first half loads into

I think it's possible to get it in the 5th slot (or slot 4 as you call it) by just using this Koopa and the Beatle:

19:37

Image attachment

19:37

They have the walking speed of 8, just as the same, so not too slower.

i just made it to bowser with it in 4th slot, but im 11 or 12 clock ticks away

yeah you can get it into the slot, but, takes some time

save 12 clock ticks over this tas and this works

Image attachment

19:38

lol i think i got the 84 object, what do you think

Image attachment

1

I gotta go to work soon. I'll try this later and tomorrow.

https://youtu.be/6h30-vBz7Dc

84 object on later bowser in quest 1, but 12 IGT too slow

YouTube video thumbnail

19:43

i optimized loading and unloading things pretty well. All time saved would have to be near the flagpole getting the buzzy beetle to load or something. I used cheats to swim straight over the flagpole

19:44

ofc if these guys were on quest 2 they would move faster. But we can already ace in quest 2 lol

Looks like you slowed down about 6 in-game seconds near the flagpole. Maybe those can be saved through manipulating screen X position.

19:46

But still not near 12 IGT.

Kosmic

ofc if these guys were on quest 2 they would move faster. But we can already ace in quest 2 lol

why in quest 2 would this be slower than the normal one btw?

20:12

is it just that it takes the enemies too long or something

This one needs a vine at least.

I guess I was just thinking like 1:15 first mario segment, 1:45 luigi vine segment, and you'd still have like 2.5 minutes to beat the other route

20:14

possible I'm underestimating the length of the vine segment

20:17

okay seems like luigi vine segment should be doable in 1:50-2:00

20:18

maybe 1:30 for first mario segment, would be 3:30

20:18

given that that video is like 1:20 in first quest it should be even less in second quest (edited)

20:18

I'm struggling to see where this would lose like an entire extra minute over that (nvm I didn't realize the video used speed up for parts) (edited)

I'm confused Jonnyboy, what do you mean about 2nd quest? If you're already in 2nd quest then the other method is way faster

21:17

You don't need a vine or to run out the entire clock in the level. The only reason the other method is slow is because of needing 2nd quest

I think I roughly calculated it was like 1:35 for Mario to die in 5-2, 1:20 for Luigi to die halfway in -1, 15 or something seconds for Mario to die on the vine, then 2 minutes to ace from there. Plus 10 seconds to reset and ace in 3-1. So, 5:20ish (about 5:35 tas timing). Close enough it'd have to be tested for sure

Kosmic

I think I roughly calculated it was like 1:35 for Mario to die in 5-2, 1:20 for Luigi to die halfway in -1, 15 or something seconds for Mario to die on the vine, then 2 minutes to ace from there. Plus 10 seconds to reset and ace in 3-1. So, 5:20ish (about 5:35 tas timing). Close enough it'd have to be tested for sure

did a bit more accurate (still not perfect) math of how long it would take and it's ~15 seconds slower than our tas

ah yeah I thought the time would work out a bit closer

01:44

if not go the other way

what does go the other way mean?

figure he meant, he thought it would be faster with the vine than second quest.

oh I guess he is probably just saying do the other route that already works

01:48

but i thought he might still be confused about something with quest 2/what is happening exactly

it's interesting that it doesn't crash when i hit the PPU registers there. Execution finds an RTI at $208A and comes back to $E14D. Not sure exactly what the code here is, is it a mirror of somewhere earlier? (edited)

oh i forgot, fceux does this wrong

SMB_ACE_TAS_V2_test1_savestate.fm2

218.49 KB

00:39

I tested -1 with a vine. Got the same result as Kosmic's.

00:39

The fm2 above can be played without using cheats.

you can get about 20 pixels farther by walking on the moving platform. If you add that in, yours makes it 11 pixels farther than mine! Haha

00:48

8 frames saved, 280 to go

Oh I forgot to mention. My fm2 above isn't 100% optimized. You can squeeze 1 or 2 frames here and there.

00:49

I was mainly testing to see if there are new solutions, but I haven't found any.

00:49

Kosmic's previous video is already pretty good.

Yeah :/ it's another very close situation. But at least it was slower anyway

00:49

it would be cool to do it in 1st quest in some way though

00:50

and the vine glitch and enemy manipulation is very unique

It's a great idea. So close.

Kosmic

but i thought he might still be confused about something with quest 2/what is happening exactly

I thought the faster enemy movement in quest 2 might be able to make up the time differential between the 3-1 strategy and how long this would take in first quest

Is is normal that the game resets here automatically and return to the title screen?

Image attachment

15:32

Image attachment

15:32

Kind of different than the usual crash.

since FCEUX isn't running this properly, I'd say anything can happen.

which at least in fceux runs until it hits $6000 and resets

OK. I'm just asking to make sure that we're not missing anything important.

mm i don't know if there's anything that could be affected in there

Here's the fm2 with automatic reset.

SMB_ACE_TAS_crash_and_reset.fm2

444.83 KB

hm, that doesn't seem to reset here

It resets with my FCEUX 2.6.4 new PPU.

SMB_ACE_TAS-1_Entertainment.fm2

435.26 KB

3-1_ACE_1165_entertainment.fm2

26.41 KB

08:16

I think I've finished all the entertainment part of this TAS. So if everything's good, our TAS is finished.

1

08:17

I wonder if it's possible for @100th_Coin to make a final BizHawk version, and maybe a console verification today when everyone's awake?

@Kosmic Hi. Would a console verification be possible within 3 hours? If so, I can go to bed later. (it's 1 AM in China)

I won't be able to do console verification today, sorry!

1

OK. So maybe tomorrow or some other time.

I can do it tomorrow, earlier if that helps you not be up too late

I'm really not sure if my final version would play well on console.

Or I can just post a video of testing it at some point. Did you want to see it live

We can all watch it live around tomorrow this time.

12:57

I think it might be interesting.

Ok, @100th_Coin can you check how good the ppu alignment is in the meantime or try adjustments that are most likely to work

yeah

Thanks

you know, if you think about it. This is the fastest completion of the second quest.

13:08

zero changes needed

10.72 KB

1

13:10

Now here's a tough question. Which frame do we use as the suggested screenshot for the TASVideos publication? Here are some good ones. (edited)

Image attachment

Image attachment

Image attachment

I think the crash frame would be best

The frame count matches with the previous version (minus 14). 14 frames faster than the last bk2.

100th_Coin

you know, if you think about it. This is the fastest completion of the second quest.

I think quest 2 -> start in 8-1 is faster lol

Kosmic

I think quest 2 -> start in 8-1 is faster lol

Ahhhh

100th_Coin

Now here's a tough question. Which frame do we use as the suggested screenshot for the TASVideos publication? Here are some good ones. (edited)

Screenshot #1

world 8 takes about 2 minutes

Final time according to bizhawk, 5:29.957

1

1

Kosmic

I think quest 2 -> start in 8-1 is faster lol

You know that always bugged me in Both Quests rules

13:12

why is both quests warps 1-8 then 8 only but both quests warpless 1-8 then 1-8 again

should have a tab for both

13:13

i always ran it as playing the whole thing, doesnt feel like youre really accomplishing much starting in w8

13:13

but i mean, picking w8 in "warpless" would be even weirder

yeah that's like kinda ew

oh nevermind world 8 is 3 minutes not 2

13:14

this should be a little faster

it would be weird but you're not warping, we do allow a+start normally in warpless afaik?

this TAS is also funny since it only works with the current dev build of bizhawk. The $2004 fix isn't in the current release.

threecreepio

it would be weird but you're not warping, we do allow a+start normally in warpless afaik?

yeah but thats not skipping levels

sure just saying it's not a warp. :)

i kinda think it's a warp

grrr loopholes

i dont think the game has to tell you youre using a warpzone for it to be a warp haha

100th_Coin

this TAS is also funny since it only works with the current dev build of bizhawk. The $2004 fix isn't in the current release.

ha, that's gonna be interesting

the nesdev discord has made their own fork of Mesen, since Sour has been radio silent for 9 months. I've been contributing :)

Image attachment

100th_Coin

Final time according to bizhawk, 5:29.957

That's why console verification matters a lot.

100th_Coin

zero changes needed

is the first read likely to be good?

oh right- let me check

yeah thats kinda what happened last time Sour vanished too :)

13:18

novasquirrels fork or something

https://github.com/nesdev-org/Mesen2

Kosmic

is the first read likely to be good?

It looks like the first read is a 50-50 depending on clock alignment. If the read from $206F isn't problematic, we're safe on the second read at $2074.

13:24

I forget, did I even find a way to make the first read 100% safe? I know I tried finding ways to stall for a few cycles to push the read into the first cycle of sprite fetch, which would be 100% safe, but I don't recall finding a way to do that.

13:26

I did recently look into address $2007 reads during rending a whole lot, and there's a possibility I could figure out what gets read on $206F.

13:29

The read buffer would be set up on dot 259, which is a dummy nametable fetch. I'm not yet sure what will be read, but I know it's going to be consistent.

13:30

I think it's going to always read $24?

13:30

I could be wrong. let me double check how the dummy nametable fetches work.

13:32

Yeah, it's always going to be reading from VRAM address $2080, which is just a blank tile for the sky.

13:35

which means $2070 is going to be BIT <$24 and $2072 is going to be NOP <$44, so we should always run $2074, which will always be on a good cycle

13:39

~~oh actually, I think the reads from the dummy nametable fetch depend on the scanline. it might be reading from CHR RAM...~~ No, nametable fetches are always from $2000 to $2FFF (edited)

13:41

I'm not 100% certain this will work every time (there's still some analogue behavior surrounding half the reads from $2007 on visible scanlines, and I don't know exactly what Kosmic's console will do) but I'm feeling pretty good about this. (edited)

13:42

actually, Kosmic, if you aren't busy, can you run page 19, $2007 stress test and press select afterwards to show the debug screen? This could help me confirm if the analogue behavior around dot 259 would be problematic or not.

AccuracyCoin.nes

40.02 KB

13:43

If you are busy and it needs to wait until tomorrow, that's perfectly fine.

13:43

I wonder if I can run this TAS in mesen...

Looking forwards to watching it live on console tomorrow.

Image attachment

1

ah rats, the analogue behavior is making that a 50-50 as well.

14:01

let me check something. there's a chance that if one of the 50-50's is bad, then this one will be good, heh.

14:03

ooh? I think if the $2004 read is bad, then the $2007 read is good.

14:03

I'm still not saying it will work 100% guaranteed, but I'm pretty confident.

14:04

(I will be confused if it fails)

oh awesome, thats great news !

14:26

let's watch it tomorrow, can we pick an exact time? Is 13:00:00 okay?

that works for me

Good to me, too.

oh I actually meant to do 1 hour earlier. Either is fine I guess

14:27

is one better for you happylee, since it's so late there

I usually sleep late, so the time above is perfectly fine.

okay! And I would like to premiere my youtube video on march 28th at 12:30:00 , and then tell everyone at the end to go over to my Twitch stream for the TAS premiere. The video is close to an hour long, so around 13:30:00 for the tas premiere

1

1

Two hours to go.

I'm here.

As am I

hi, im just setting up a camera really quick!

2

probably gonna miss this but hope the console verification goes through!

Kosmic started a call that lasted 8 minutes 2026-03-19 13:05

Hmm... I can't watch the livestream yet...

13:08

It says my connection is off.

can you hear anything?

I can't hear anything...

try to disconnect and reconnect?

still can't hear?

I'm restarting Discord...

13:12

Restarted Discord, but still can't hear anything...

13:14

Strange... Last time at least I can hear and see...

let's try joining a private channel in my discord

13:14

everyone join one of the public voice channels and ill drag you into private one

if that all doesn't work perhaps you could check the default audio output device in discord's audio settings @HappyLee . sometimes that gets changed automatically to something different.

happylee can you join that voice channel again in my discord

13:17

i was rebooting discord so it took me a little bit to get there

13:17

but i have the other 2 in here now

13:17

if you can join again

Trying, but I can't get in...

oh, join one of the other ones

13:18

and i drag you in here

13:18

join general

13:20

stay in Super Not General when I drag you over

It says "my connection is off" everytime I try to get in.

13:21

But my microphone and sound works fine.

13:21

Could it be that I'm using VPN?

is it a vpn issue, can you cahnge locations

I did several minues ago. Changing again.

13:23

OK I've restarted VPN, but still can't get access to anything...

13:23

Can't watch anything, can't hear anything.

ok im going to stream to an unlisted youtube livestream

It's like Discord's banning me...

Kosmic started a call that lasted 92 minutes 2026-03-19 13:24

Still can't hear anything... Sorry for that. T_T

13:25

Didn't want to waste everyone's time.

Don't worry about it

just working on making the yt stream

I was fine last month, using the same VPN.

13:27

Can't log in Discord in China without VPN.

rtmp://a.rtmp.youtube.com/live2

13:32

sorry i dont stream on youtube a lot so im having a hard time haha

13:32

but im almost there. Just need the right link

13:32

https://youtube.com/live/Kg_yHDwg_pI?feature=share

YouTube video thumbnail

The crash screen in -1 doesn't look like the screenshot above... Probably something failed during the crash?

right

How was the console verification last month? Was it 100% successful every time?

Sometimes we needed to adjust things just slightly at the end before the crash to make it work

SMB_ACE_OffByOne.bk2

10.71 KB

What's that in 3-1... I really don't know...

Just have to get it to align. I'm dumping the adjusted tas now

How's the entertainment, guys?

1

It's great! I love the fireballs in minus world

I love the fireballs in 1-2

Hopefully I don't need to redo -1.

Nah it will only be tiny adjustments right before the crash

14:03

Image attachment

Yeah I didn't know 37 was a really special number... I just tried to maximize entertainment.

14:05

That would be OK, but it would be great to have a version that works on both BizHawk and console.

14:06

What's this version playing right now?

14:08

Does it automatically reset in the middle, or do you have to reset it manually?

SMB_ACE_OffByOneAgain.bk2

10.72 KB

About one year.

It was 3/28 my time when I sent the message

Yeah. Exactly one year.

Image attachment

14:19

Image attachment

A bit nervous. I'm not the expert of PPU, ACE and stuff. I don't know how to help.

14:22

What's the success rate of this version in theory? 50-50 or should be nearly 100%?

in theory, somewhere between 25% and 75%, depending on the console.

OK. But how did we get 100% success rate with the test version a month ago? I don't know the difference.

We either got lucky that it worked when we tested, or it was just better alignment for my console

14:24

Some alignments should work every time if we can get them, I think

right

14:25

Some alignments will work, some will fail. But when you power on / reset the console, the clock alignment is random. (edited)

@100th_Coin Maybe you can delete a fireball near the end of the crash in -1? For example, I shot 2 fireballs to kill the 2 Koopas.

SMB_ACE_234.bk2

10.72 KB

This one still didn't work? It looks exactly like the version a month ago.

14:39

I really hope we didn't miss anything. I love the solution now.

0/7 success today. I have no idea either.

14:54

0/8 success.

sometimes the crash doesn't look the same, and it still works

@100th_Coin Maybe try deleting one of the fireballs before the crash in -1, and see if it works?

I can try that. It would likely land on a different ppu cycle, though the issue is we've tried landing on both even and odd cycles, and one of those is supposed to work, while the other isn't. The fact that none of the runs today worked is suggesting there's another issue entirely that we're unaware of. It might still be reads from $2007, I don't know. I thought it would be fine, looking at the test results Kosmic ran for me, and my current understanding of how reading from $2007 on a visible scanline would work. I'm genuinely not sure what went wrong today.

The livestream stopped. Are we going to do more console tests today?

i have to work on my video, well have to see if they can figure out more ideas of how to make it work consistently

OK. Good luck with your video. It's perhaps out of my knowledge zone, so I don't know how I can help.

15:02

Going to bed now. Leave a message anytime if there's something I can do to help.

1

good night!

I missed the call earlier but hope it all went well!

It didn't go well, heh. We weren't able to get the ACE to work once.

uh oh....

We were definitely executing arbitrary code. There were times where we encountered new interesting crashes, but not what we were hoping to achieve.

I mean if we knew what code we were running, would it really be arbitrary?

I tried other cores of BizHawk in 2.9 and 2.10. QuickNES and QuickerNES all fails to open FDS, and SubNESHawk's game speed is horribly low. Only NESHawk can properly open FDS version of SMB.

06:43

I don't know if it's normal.

I also just tried the latest version of FCEUX (2.6.6) both old and new PPU. Nothing ACE-like happens. (just want to make sure)

Only 7 days to go. Any solutions, new ideas?

12:19

My idea is that, if we can't find out why from the theory, maybe we can do more console tests, like playing the same movie that supposed to work 8 or more times, and document the results, and see if we can find a pattern.

12:20

Each time playing should cost about 5 minutes, so 8 times probably won't take more than an hour.

alternatively, I could make an FDS rom that just sets up the state of RAM and VRAM to be exactly what it should be when the crash occurs, and then read from $2004 on the correct dot, so we can see what happens.

Yeah I can just make a rom to make testing the level a bit faster.

12:21

Mm that works too

(I've never made an FDS rom before, so I'd have to look into how it's different)

It’s not hard

Sounds like a good idea.

https://github.com/threecreepio/smb2j-disassembly/blob/master/fdswrap.asm this is just a basic fds thing for 2j with ca65

smb2j-disassembly/fdswrap.asm at master · threecreepio/smb2j-disas...

ca65 version of doppelgangers fantastic smb2j disassembly - threecreepio/smb2j-disassembly

1

12:23

pretty sure i have an smb1 fds version somewhere too..

I kept thinking about the console tests yesterday. The current movie (or the slightly adjusted version) was played 7 times, and 0 success. Was it 100% impossible, or did we just get unlucky, or something else went wrong?

12:25

And we played the previous version (a month ago) once, that one also failed. (edited)

very very possible to miss 7 times in a row.

1

12:26

and we also got different fail states, some of which might have been correct, but that the later registers are corrupting in other ways. which was always a risk with the PPU register path.

one time I was trying to run a test on a specific cpu/ppu clock alignment, and it took me resetting the console 37 times to get the alignment I wanted. it should be a 1/4. (edited)

that's kinda why i held off on looking at it, because i desperately wanted the second quest to lead to anything but this :)

Yes. We got 2 cases where it crashed in 3-1 or 2-1 when Mario's slightly scrolled the screen.

If it truely is alignment specific, I'm pretty sure we could verify alignment before running the TAS.

12:28

The reset button on famicoms doesn't change alignment. Only switching the power off.

That's why we need more console tests. I think we can all be more relaxed if we can see at least 1 successful case from the console.

mmm, you can cart swap from the everdrive and have a test there, it's a little shaky.

Only 6 days to go. When can we see more console tests?

I can test them when more versions to test are ready. Maybe 100th_coin could tell you what ideal conditions he's looking for, like landing on dot 257 or whatever is ideal. I'll be very busy with the video so I dont think I can take the time to set up a stream like we did last time- or at least without knowing it will work. Maybe if I test it and it works then i could stream it for everyone to see. Or just post the video of it.

13:25

@threecreepio also mentioned making a rom that would make testing faster

HappyLee

Only 6 days to go. When can we see more console tests?

it should be in 7 days, march 28th here might be after midnight so march 29th there...

OK. 7 days to go.

13:27

Thanks for the stream last time, Kosmic.

13:28

It's definitely helpful, or a video of it would be also helpful.

yeah we need either one that works very consistently, or one that can work 100% with certain alignments + a way to test what alignment i have on bootup

Right now I'm a bit worried that it may not work on console, or the success rate is even lower than 25%. If so, our whole project might fail, so it's very important.

13:29

Hopefully let's work together to fix it soon.

i didnt play some of the older versions during the stream, im sure those would have worked more consistently. I mainly kept playing the same one while waiting for adjustments, to see if it would work. But i think adjustments can make it better. Just have to figure out what the adjustments are

OK. I just asked ChatGPT about dot and alignment. ChatGPT says there are 4 alignments, and here's the suggestions (let's see if it's right?):

13:42

You cannot modify the ROM, but you can:

Use hardware quirks / undefined behavior as a probe That means: Different alignments → Same inputs → Produce different observable outcomes Your job is:

Use input to detect which alignment you're currently in

13:42

✔ What you should do Create a detection segment at the start of your TAS: Use a stable scene (e.g. early game frames) Trigger a $2004 read via gameplay Observe differences: Examples: Enemy position differs Sprite corruption Different game states (crash vs no crash)

13:43

Use sprite evaluation + $2004 glitch: Steps: Find a scene with many sprites Trigger sprite activity at a specific frame Observe:

Different alignments cause: Missing sprite Extra sprite Flicker differences

13:45

I don't know if ChatGPT's right about it. If so, can we maybe create a TAS to find out the alignment? Like, pausing on a certain frame with lots of enemies?

chat gpt can only know what people already know and have written online. And most emulators don't emulate it correctly so chatgpt isn't going to be accurate

13:46

creepio and 100th coin know enough to make test roms/ways to verify our alignment. The real thing we need to figure out is what alignments are good at the time of the crash, or figure out if other PPU reads after the first read(s) are ruining things

13:47

i think 100th coin can figure that out when they are available to do it

OK. Thanks. Hopefully we'll fix it soon.

yeah we can definitely speed up testing things, like, the actual tests need to run the whole TAS of course. but we can make roms to try to find out where we aren't matching console behavior.

13:49

and with just a rom that marks us as being in hard mode immediately, which we can do very easily, we would be able to skip running the MWE segment every time, and just do the Luigi part, so, that would shave off a good portion of time.

1

Do you happen to have a fdswrap file for SMB1? If not, can prepare it myself

i do but im not sure if i have it.. on this continent.

14:00

i can look

Sounds good, going to see if I can add a couple files to the disk so we skip the license screen and have RAM prepared to start off in the -1 Luigi segment

mm i was thinking we could probably just tack on a couple extra files at the end

The level transition between 1-2 and -1 might change things, so it might be risky to only start off in -1.

That's fair; if there isn't anything to gain from changing the 1-2 exit frame at this point though, it should be possible to set up the RAM to match your TAS

14:05

Worst case, starting on title screen with hard mode is easy and saves a lot of time

1

Just to clear up how the alignment thing works: There's a "master clock" for the console, and every 12 cycles of this master clock forms 1 cycle of the CPU, and every 4 cycles of the master clock forms 1 cycle of the PPU. Therefore the ppu runs three times as fast as the CPU. This upcoming explanation isn't 100% accurate, but it's helpful for understanding how the alignments work... Imagine a counter inside the CPU and PPU. Every master clock cycle, the counters increment. When the counter inside the PPU reaches 4, it runs one PPU cycle and resets the counter to 0. When the counter in the CPU reaches 12, it runs one CPU cycle and the counter is reset. However, when you power the console on, these counters could be at any position. They are not necessarily "aligned" such that the CPU and PPU cycles occur on the same master cycle. This forms the four alignments:

Alignment 0: The CPU and PPU cycle are synced to the same master clock cycle
Alignment 1: The CPU clock occurs 1 master clock cycle later than the ppu clock.
Alignment 2: The CPU clock occurs 2 master clock cycles later than the ppu clock.
Alignment 3: The CPU clock occurs 3 master clock cycles later than the ppu clock.

"Alignment 4" would just land in sync again, making it equivalent to alignment 0. Technically, there are more alignments. Again, the counter for the CPU could be anywhere from 0 to 11 at power on. This forms a 12-phase alignment between the CPU clock and the PPU's VBlank flag being raised for the first time. I'm pretty sure this is the alignment business that threecreepio has talked about the most in the past, as this alignment can result in "VBlank Suppression" occurring or not, resulting in an entire lag frame around power on. This would not affect our TAS though, as the way the replay device works is based on controller strobes, not by counting vblanks. Lag frames are not part of the .r08 file. (edited)

1

I should ask is this TAS for NESHawk or SubNESHawk?

Neshawk

Ok I'm gonna need to convert to subneshawk for the demo Kosmic wants me to do

However, the four alignments between the CPU clock and the PPU clock do have alignment-specific behavior. Reading from address $2004 will return the value from the OAM Buffer. This buffer changes during the PPU's sprite evaluation, and this value can change while the CPU is reading it. The CPU's read lasts approximately 1.875 PPU cycles, and it's the value at the end of this read that will stick with the CPU. Suppose the clocks are aligned. The cpu reads from address $2004, just before two ppu cycles have passed, we get the final value of the read from the OAM Buffer. But in every other alignment, the CPU is reading one master clock cycle later! Now the OAM Buffer will be different. This will read the later value. Same with alignments 2 and 3. So there's a single alignment where the value read from $2004 is different than the remaining 3 alignments.

@100th_Coin Thank you for the wonderful explanation. I wonder what's the best way to manipulate or observe alignment. You said reset won't change alignment, but would switching ROM change it?

There exist roms designed to identify alignment:

nes_reset_state_detect-letters_-_Copy.nes

32.02 KB

1

on a famicom we should be able to check for it with a test rom, and then like, cart swap to the fds

1

You can also reliably detect alignment using INC $2007, X where X equals zero. The issue is that different consoles behave differently. So while it's consistent for an individual console, you would need to first identify how your console behaves before making a rom designed for your console. (edited)

14:33

Notably, INC $2007, X works with the same data on my NES and my famicom, but my famicom has different results with just INC $2007. It's a whole can of worms that I have yet to look into.

14:34

So if I were to send that ROM over to Kosmic, it's unlikely that their console will also work with the values my console works with. Not impossible, but unlikely.

Simplistic

Do you happen to have a fdswrap file for SMB1? If not, can prepare it myself

Don't worry about this, was able to build a byte-perfect SMB1 FDS disk

alright, great

14:37

i've asked someone to go turn on my computer back in the old country but not heard back yet, so :)

there's also a visual bug that happens in SMB1 that only appears on certain alignments:

Image attachment

14:39

Though this might also vary from console to console which alignments it occurs on.

Wow, never seen that before. I guess the emulators always start on Alignment 0?

most emulators don't emulate this at all (edited)

1

14:40

I think alignment 0 is one where it should occur on

14:40

on my console at least, it occurs on alignment 0 and alignment 1.

HappyLee

Wow, never seen that before. I guess the emulators always start on Alignment 0?

oh- I should mention that the visual bug only lasts for a single frame.

14:47

you can see it in your warps TAS: https://youtu.be/T1Ps1O6sZX4?si=vIcxnP-HZ6VB4TlP&t=68

HappyLee's 04:57.31 Speedrun of Super Mario Bros.on a real NES

YouTube video thumbnail

14:47

(I also got the above screenshot from my emulator, running your TAS)

Cool. Never noticed that before. Thought it was a screen display glitch or something.

14:48

So our current theory is that our current TAS should work 25% of the time with random alignment. If that's so, it would be great to just play our TAS about 8 times on console and see what happens. Won't take too long I think.

Ideally we determine the alignment using the ROM I sent, then run the TAS with each alignment.

1

14:49

this would guarantee that we have tried all alignments, so if it still doesn't work, then it's back to researching what went wrong.

Simplistic

Don't worry about this, was able to build a byte-perfect SMB1 FDS disk

There's no such thing as a byte perfect image as there's variance in the headers!!!!!

Well it matches no intro dump so I'm gonna call that a win

I'm gonna be stubborn about this and you know it!

if you dont stop ill start calling it an fds rom.

OK OK IM SORRY IM SORRY

15:01

DONT CALL IT AN FDS ROM PLEASEEEEEE

15:02

HomuScared_MM

I have no idea about what happened above...

1

100th_Coin

zero changes needed

Hey do you have the project file for this? Trying to copy inputs over to your dev fork so I can sync the TAS with a hack I just made, but it seems like the dev build isn't liking the lack of FDS insert and eject columns

yeah, one sec

16:00

it should be this one

SMB_ACE.tasproj

473.59 KB

Getting an error on MovieClientSettings for some reason

with the newest dev build?

16:10

odd

I was building from your fork, since that's what I saw mentioned in an earlier discussion

I was just about to ask what if you used my fork. Strange that you're getting issues...

Here's the hack if you want to try syncing it yourself; this starts the game at the -1 lives screen as Luigi (edited)

16:17

Oh I made a really silly mistake, let me rectify that real quick

synced, the ACE works in bizhawk.

SMB_ACE_RomHack.bk2

4.46 KB

Simplistic

Oh I made a really silly mistake, let me rectify that real quick

oop

The problem is just that the resetting doesn't work because I bypass memory initialization on boot

16:19

Just need to overwrite the reset vector so the reset after the crash works

Fixed that, should be serviceable for quicker testing. Here's the hasty asm6 source if anyone wants to do better, I just added another boot file to set up RAM and skipped over memory initialization on power on

63.96 KB

556.77 KB

16:36

This is one of the fails we saw earlier right? This is what happens with the unaltered inputs

Image attachment

Image attachment

16:42

so that's an issue.

16:43

so there are three writes before it crashes here... (edited)

yeah.. unfortunately not too shocking

oh goodness, this TAS ends up returning to stable gameplay, and another frame runs before it actually halts

so the write is indeed successful, but more writes happen and cause issues?

so those writes would change the enemygfxhandler so it has a halt in it (edited)

i was talking with creepio and *on paper* one way to circumvent this could be to reset the console immediately after the first write happens, before anything else can be overwritten... but it sounds like TAS replay devices can't really do that right now

okay, I made a single input change at the end (I think) and this appears to crash the game on the correct frame, and only write to $9C9D.

Image attachment

16:59

SMB_ACE_RomHack_Good.bk2

4.48 KB

1

16:59

this runs the 3-1 stuff correctly

Good to know! I'll try running it on console tonight

1

1

SBDWolf

i was talking with creepio and *on paper* one way to circumvent this could be to reset the console immediately after the first write happens, before anything else can be overwritten... but it sounds like TAS replay devices can't really do that right now

It sounds like that's basically what the tas was doing, which is why it was working on bizhawk but not console

17:42

I bet the times I got the good crash screen but then resetting didn't work, that's what happened. Good alignment but later writes ruined things

that sounds very plausible, yeah

17:43

hopefully this new TAS just works though (edited)

Which would maybe help 100th coin feel more sane because we tried a lot of alignments/ppu cycles

yeah that's kinda what i figured too, hard to know, though.

Oh maybe that's why we got a "new" possibility with that weird crash in 3-1. It was multiple frames of instructions

Kosmic

lol i think i got the 84 object, what do you think

This one is super weird/interesting, it would usually just get a brief glitch screen and it'd write a number in the sky, then continue. I guess because the blooper is not there it's doing other stuff in ppu memory

17:47

I guess even if we prevented the crash it'd still be faster to reset instantly anyway

... i really need to jog my memory on how this tool works and get the tas converted to subneshawk

100th_Coin

okay, I made a single input change at the end (I think) and this appears to crash the game on the correct frame, and only write to $9C9D.

Hi. I'm interested in learning more about this. Why would adding a B press stop running another frame? It's because of PPU cycle or?

I have no idea

Also, is there a way to add reset to TAS playing device, or do we have to reset manually?

I just added inputs around to end trying to see if I could make the game crash in a way that doesn't update the other two addresses.

1

technically possible to wire up the reset button, not sure if anyone does though..

23:55

wont work with just the controller port anyway.

So those other two addresses caused the new crash in 2-1 & 3-1. Has anyone checked if the new crash is ACE accessible?

im not sure what is causing those exact writes at least, havent looked (edited)

1

well..

Ha ha ha...

at least now we have more buzzy beetles if we need them

i ran it again and this time nothing really seemed to happen

There shouldn't be a beatle there if the crash is right. It should only trigger power-up crashes.

interesting...

this is on the romhack, on fds key

the fact that it entered world 2 suggests that it didn't crash on the frame we wanted, but one frame later. (edited)

oh huh, let me try something

01:20

maybe on this hack i dont want to remove the 1 frame at the start like i normally do with these dumps

01:21

oh, okay nevermind that definnitely desync'd

01:21

it seemed like it was going pretty well

1

100th_Coin

the fact that it entered world 2 suggests that it didn't crash on the frame we wanted, but one frame later. (edited)

yeah thats really weird. I guess cycle differences could affect how far it goes after jumping to ppu

01:28

haha..

? (edited)

01:28

wait whoops thats the wrong one

01:29

1

hmm

we're getting multiple instructions and this time the powerup ace made it through?

looks like it.. if you reset in that rom does it take you the title? could run one of the 3-1 tas'es independently from reset after the ppu crash? (edited)

ah good idea

01:35

ive still got hte powerup ace (and enemy xpos bug lol) alive

01:36

1

1

ay

01:37

at least its still possible to ACE :)

Image attachment

Graphics looks more messed up. But still the power-ups are OK.

played 2 more times. Once was a pure grey crash screen with no lasting effects. One was the >32 pixel screen scroll crash

1

01:52

well like, the screen scroll crash but you can go farther than the 32 pixel one

01:54

next try got it! So, so far about 1/3 chance

01:55

for the record it has messed up enemies again

01:55

worst case we could figure out what alignment that is

01:55

ideally we dont mess up the enemy visuals haha

01:55

or the graphics

possible outcomes i've seen: enemy xpos, but no powerup glitch enemy xpos, with powerup glitch pure grey screen crash, nothing happens after resetting game loads the title screen after resetting, but it completely frozen 32px style screen scroll crash

1

02:06

arent there only supposed to be 4 possible alignments?

02:09

8 more with no powerup ace yet. My most common alignment seems to be xpos glitch but no powerup glitch. And then the screen scroll crash is next most common. Only seen the grey screen once. Seen completely frozen title a couple times

02:15

did a few more, didn't get it again. Got it 2/6 and now like 11 or 12 in a row without it. So with this alignment specific stuff yeah you definitely can just have long streaks of bad luck

02:15

the last one was a bit different than others. No graphical glitches on the crash, infinite blue screen on reset

fwiw, regarding CPU/PPU alignment, i remember running some tests regarding RNG in TMNT1 and the technodrome manip in that game (which is also dependent on CPU/PPU alignment), and on certain frames i was observing up to 6 RNG values iirc. i think the reason had to do with the alignment with the master clock rather than between CPU/PPU iirc.

Thanks for the console tests, Kosmic. It's super important. According to the current results, I guess none of the time it behaves exactly like the FCEUX or BizHawk 2.9 or 2.10 or the dev build. We've never seen enemy xpos glitch on emulators before, so it must have changed something other than $9C9D.

485.74 KB

@Kosmic lmk if it syncs up

Hi, @Kosmic . Could you test this on console when you have time? I'm curious to know if we can get ACE with this full movie. Thanks. (edited)

SMB_ACE_alt1.bk2

5.41 KB

01:22

I made this altered version that changed the ending of -1. It plays fine with the dev build of BizHawk.

01:22

It plays with the original FDS version, not the hack.

I think maybe it has a 25% success rate, or hopefully more. I'd be more relaxed if we can see at least one success with this full movie.

I'll try

1

11:05

What did you alter, HappyLee?

The last two frames, which should change PPU behavior, and added a bunch of empty frames before the reset (mainly for testing).

1

11:08

Also added 2 frames pressing B before pressing start, so it should start in 3-1 for sure, but 25% of the times might fail (for reasons unknown).

It fails 25% of the time on emulator?

It plays fine with the dev build of BizHawk.

I still think we should try verifying the alignment before running the TAS, and check all four alignments.

Yeah. It would be great if we can check the alignments.

100th_Coin

I still think we should try verifying the alignment before running the TAS, and check all four alignments.

so I use your rom on powerpak, then pull out the powerpak and insert the fds ram adapter, reset and play the tas?

yeah

11:23

nes_reset_state_detect-letters_-_Copy.nes

32.02 KB

got it, thanks ill try

it takes a couple seconds to finish running the tests and determine the alignment

11:24

but it should print PHASE 0, PHASE 1 PHASE 2 or PHASE 3 at the top

11:25

though on some consoles, you get occasional PHASE ? even after the test finishes. And on some consoles, alignment 3 prints PHASE 0

11:25

It's not perfect, but it's a pretty good ROM.

okay going to run happylee's latest tas, with phase 0 first test

Image attachment

2

Thanks, Kosmic.

the game looks weird after loading it this way...

Image attachment

woah

Strange... It might be changing game or PPU behavior...

ill try to do the cart swap again

1

I wonder if that ROM sets up RAM in a way that the FDS isn't expecting.

11:43

Oh- did you hold the reset button while swapping the carts?

11:44

Otherwise the console would likely end up in RAM, executing a BRK, starting an infinite loop of BRKs, destroying the stack. The Famicom Disk System uses some bytes at the top of the stack for some specific functionality, so I imagine that could be what happened.

oh ok i didntk now that

11:45

thanks

11:45

try 2

Image attachment

11:46

alright graphics look normal and tas is running

2

11:51

i had sound muted

1

Alignment 1 is usually the one that reads from $2004 different than the other alignments.

11:53

or at least, PHASE 1 according to the ROM.

11:53

I honestly don't know if the phases printed by the ROM correspond to the number of master clock cycles between the cpu and ppu clock.

here goes phase 3

Image attachment

Just to make sure, if you reset in that rom you are getting the same alignment every time? You should on a famicom afaik but probably good to verify

so far ive only gotten 0 and 3

11:54

and ?

That is, same until you actually power cycle

yeah i just reset about 5 times and got 3 every time

1

Kosmic

and ?

can you screenshot the ? one?

ok

Good good

Image attachment

Forwarded

I got a new famicom in the mail today. @Unknown Here are some interesting results. Phase 2 seems to have two different results

Image attachment

Image attachment

Image attachment

Image attachment

Image attachment

Originally sent: 2026-03-05 15:39

11:56

Here were the results on my famicom. Just for comparison.

11:56

interesting. ?GNT. I have no idea what alignment this would be, heh. My guess is phase 2, due to the T. (edited)

got the same result from phase 3

12:04

nothing happened

see if you can get phase 1.

At least this time there's no enemy X pos glitch.

12:05

Or the other glitch that crashes the game when the screen scrolls.

i think overall i'd prefer ACE with the X-pos glitch over no ACE and no X-pos glitch. :)

Image attachment

Well, it's probably harder to explain the xpos glitch. I'd prefer a result that's very similar to the dev build of BizHawk, so it would look consitant with average viewers.

Kosmic

Click to see attachment 🖼️

This also looks like it could be phase 2. It's hard to tell.

ok i havent seen phase 1 or 2

12:08

most of my ?'s are BGNT

So phase 1 might not be 25%, but could be much lower on Kosmic's console?

I could send another ROM that might help us out... The DRAW Alignment test is specifically set up with the values that work on my console, so it might not be accurate on yours. But running RMW $2007 should have unique results for each alignments. It will always say "PASS", so you would need to screenshot the debug menu.

AccuracyCoin_RejectedTests.nes

40.02 KB

at least in my experience these kinds of things vary a lot per console, but, i can be wrong. (edited)

Kosmic

8 more with no powerup ace yet. My most common alignment seems to be xpos glitch but no powerup glitch. And then the screen scroll crash is next most common. Only seen the grey screen once. Seen completely frozen title a couple times

I'm gonna guess that enemyxpos no powerup glitch = phase 0 screen scroll crash = phase 3 game loads title screen frozen = phase ? with BGNT working ace / other outcomes = other phase ?'s (edited)

100th_Coin

I could send another ROM that might help us out... The DRAW Alignment test is specifically set up with the values that work on my console, so it might not be accurate on yours. But running RMW $2007 should have unique results for each alignments. It will always say "PASS", so you would need to screenshot the debug menu.

this rom doesnt seem to work for me?

12:13

just getting a completely grey screen

weird...

that is true on fceux too

oh, powerpak might break this one

12:14

let me make a small change

12:16

Never mind, I have no idea why it isn't booting up

works in bizhawk but not in fceux

okay, try this one

AccuracyCoin_RejectedTests.nes

40.02 KB

12:18

and again, the results of DRAW Alignment are based off the results of RMW $2007 which are different for each console.

12:19

so DRAW Alignment probably wont print the right numbers for your console.

Image attachment

let me compare with my console real quick (edited)

12:20

that looks like Alignment 1 (edited)

our golden goose

12:20

should i reset and run the other rom and see what it says

Let's run a few more tests on this ROM. does DRAW Alignment actually say "1"?

it says 0

gotcha

12:21

let me see what I'm doing for that. I forget what I did, heh

12:22

that makes sense, I'm looking for the value 56 since that's what my console does, while yours writes 57 to VRAM.

hmm every other time im running it, it does 1255 and 55 instead

12:22

but the top ones stay 1156 56

oh wow, so your console writes an inconsistent value there, interesting.

only the first time

I still think this is alignment 1. If you power cycle, what other results do we get?

Image attachment

alignment 0 (edited)

Image attachment

alignment 2

i got the first one again, this time 1255 and 55. Weird that only that very first time did 57's

12:24

ok so we're just looking for 3 now right

alignment 3 should have a 0001 on the left edge of the screen, for the lower test results.

12:25

or something similar

3 was really common on that other rom, surprised i havent gotten it yet

12:27

alignment 1 with 56's this time

Image attachment

12:27

that one is probably responsible for the variable results

If you run $2004 stress test with alignment 1, what are your results?

12:27

my bad, I called it $2004 stress 2 here, heh

ok ill see when i get it again

12:28

getting 0 a lot which checks out

12:28

ok i got it

12:28

with 56's

12:28

Image attachment

1

does it accurately print Alignment 1 with the DRAW test right now? (edited)

it does

neat

nice

So let's play the full TAS and try to record it full?

Kosmic

Click to see attachment 🖼️

Can you run this test again with a different alignment?

sure

I'm actually getting inconsistent results on my own console with this test right now... I think I broke something with it.

alignment 2 but slightly different

?

Image attachment

12:31

1211 instead of 1201

1211 is what my console gets. I bet you could see it print Alignment 2 right now (edited)

Image attachment

1

yeah, I need to fix that test, whoops.

Image attachment

cool

12:32

anyway, let's get back to alignment 1 and run the TAS

1

alignment 0 is my most common and most consistent one so if possible to optimize for that, it would be ideal

1

12:33

very weird i havent gotten 3 yet

12:33

ok im on alignment 1

Image attachment

2

12:40

Argh

Hmm... It plays fine with the dev build of BizHawk, though...

12:41

So I don't know why it didn't read OAM and change $9C9D.

I guess we can still try alignment 2, but I was really hoping alignment 1 would work.

what is this

Image attachment

alignment 1

12:51

oh interesting, there isn't a 56 in the upper right area...

Kosmic

alignment 1 with 56's this time

oh, hm it looks so different from this one

yeah

if you run other tests first does it possibly mess thsi up

The lower half looks like alignment 1 while the upper half looks like alignment 0. I have no clue. These results are certainly a lot more interesting on your console than on mine, heh.

Kosmic

if you run other tests first does it possibly mess thsi up

no

ok now this is alignment 2 right?

Image attachment

yeah

running the tas

Me praying...

Well...

Probably my setup sucks, and only works in dev build of BizHawk...

im going to run the old tas that actually worked and check alignment

2

@100th_Coin Can you teach me maybe how I can improve the ending of -1 to get better success rate?

HappyLee

@100th_Coin Can you teach me maybe how I can improve the ending of -1 to get better success rate?

I've been pulling up the tracelogger for the frame where the crash occurs, and scroll down until you find the instruction on address 2064. Take the value from PPU Cycle and add 12, then modulo 341. That tells us what ppu cycle in a scanline this read was on. (edited)

So what's the best PPU cycle in theory that can increase console success rate?

the absolute best would be anywhere from cycle 320 to 340. I haven't been able to make that work. In theory cycle 257 would also be good.

13:06

Anywhere from cycle 192 to 256 has the 50% behavior, where the value is good on even cycles and bad on odd cycles.

13:07

let me look at the asm code for everything that happens between the sprite zero hit occurring and the jump to the PPU Registers. maybe we can get it to land from 320 to 340?

There are 2 versions of the old TAS: SMB ACE HappyLee Optimized.bk2 SMB ACE HappyLee Optimized 2.bk2 Do we remember which one worked the best on console?

we could scroll the screen by taking damage to load in bowser, could change things up maybe. not sure what exactly that would affect..

im running an old one right now to verify that it works

13:12

ill let you know

13:13

ok on alignment 0, it didn't work

13:13

ill try another one

13:14

Im pretty sure this is one of the ones that worked before. But i only ran it once

13:15

i reeeally need to focus on finishing my video though actually, it's unfortunate someone else can't test this

1

yeah if we would have known in advance, could have at least tried to get happylee set up with some replay things. :/ unfortunately not too easy for me to be useful from here.. even bizhawk runs at like 10 fps so it's miserable trying to do anything until i get home.

could someone convert this to run on the shorter ROM and see if it works

SMB_ACE_HappyLee_Optimized_2_1.bk2

9.1 KB

also doesn't help that the tracelogger crashes my bizhawk every time i stop it. :) miserable emulator.

wow. Well that was an interesting test.

wow

haha

Kosmic

could someone convert this to run on the shorter ROM and see if it works

I don't know if I made a mistake syncing it up, but bowser never spawned beyond the flagpole?

must have, otherwise it wouldn't have glitched out at all

oh, I got him to spawn this time.

13:29

I had the inputs off by a frame

which tas was this?

dangit i got alignment 2 but for some reason got the weird graphics again, even though i held reset

13:30

it's annoying trying to check alignments while being lazy (?) and not wanting to unplug the tas cables

13:31

running tases to go through the test rom

13:31

and pwoerpak menu

commendable to not have changed to everdrive by 2026, really loyal to that powerpak. :)

i have an everdrive pro, i cant use it with the famicom

ahh fair.. i have both versions of the everdrive pro for some reason..

13:32

i dont think i've ever even powered on the famicom version

Kosmic

could someone convert this to run on the shorter ROM and see if it works

Didn't work in bizhawk.

SMB_ACE_ROMHACK_Dot237.bk2

4.06 KB

threecreepio

i dont think i've ever even powered on the famicom version

i'll help you out and take it off your hands. Send it over with the snes debouncer. Thanks!

the blooper wasn't at the right Y position in this one

100th_Coin

Didn't work in bizhawk.

oh, huh. I wonder if this is one of the ones that we didn't expect to work in bizhawk, just on console

13:35

should've kept better track of which ones worked

Kosmic

i'll help you out and take it off your hands. Send it over with the snes debouncer. Thanks!

that's a personal attack and i don't like it.. :)

could probably find the very first one we console verified

threecreepio

that's a personal attack and i don't like it.. :)

haha i was just being unreasonable. Sorry for any trauma i caused

Does this ROM hack set up RNG to the way it was in the TAS?

ah after this whole PPU chat, any additional trauma is just being added to the pile.

I load in RAM from the .957 TAS so it should match, but I'll have to check if a mistake was made in having game state line up

1

ah, then the RAM would be different if we're trying to run a different TAS (edited)

Oh right, new TAS

right, running an older TAS in this ROM would get different results than the older TAS in the base game, assuming it took a different amount of time to reach -1

oh, ok

These altered versions all plays well on dev build of BizHawk. Checking PPU cycle might be too hard for me, so could someone please help me check if they match the PPU @100th_Coin was looking for? (edited)

SMB_ACE_alt4.bk2

5.41 KB

SMB_ACE_alt3.bk2

5.41 KB

13:40

50.65 KB

13:40

Here's a savestate that could save time.

13:41

I mainly changed the fireballs in the end of -1. I guess that should affect PPU cycle?

13:43

Going to bed. I'm sleeping early today because I need to go to the hospital tomorrow. Hopefully I can see some good news when I wake up.

13:43

Good luck to you all.

good night!

Oh I just found that alt5.bk2 was a mistake. Deleted it.

1

this one has consistently worked for me on console

Image attachment

13:54

it plays all the way through world 8 so it's really slow. Maybe we can try to recreate the conditions from this one though

have you tested it again now?

yeah i just ran it. It didn't get the purply crash screen but it got powerup ace

nice

previously it did get the purply crash screen and powerup ace.

it works on all alignments?

might be worth just letting it run a few times with the different alignments

so i think both reads are good

13:55

yeah this was alignment 2

13:55

ill try another

13:55

it takes forever to run though

13:55

but i wanted to start targetting one that definitely works ever (edited)

13:55

SMB1_Luigi.tasproj

608.53 KB

13:55

ill try alignment 0

13:55

2 and 0 seem to be relaly common

yeah. that's great, if we have something that at least consistently works, we can work from there.. just splice in the MWE inputs first, see if running just that luigi -1 works with the rest of the tas before it..

ok got alignment 0

13:56

report back in 8 minutes

14:00

interestingly, this tas does not include a reset in the tas file

14:00

i almost wonder if that is relevant somehow

14:00

i dont think the reset is stored anywhere in the .r08... idk

love that i can't copy/paste inputs in bizhawk either. this emulator is definitely a triumph of engineering..

pretty sure it's not in the .r08

14:01

??

Image attachment

14:01

you can though

i know it just does nothing, for whatever reason

are you using Paste or Paste Insert?

14:02

both are working on my end

tried both. i'm sure it's something i'm doing wrong.

14:03

i mean i also dont know why it crashes constantly. :) emulator may just hate me.

it does break if you try copying a set of inputs with some columns added/missing compared to the list of inputs you are pasting it in.

14:03

I think

hmm it worked with alignment 2 but not alignment 0

1

14:06

good to know

14:06

ill try 1

interesting

maybe taht will be purply screen + ace

and yeah i do have the same columns selected, but i have noticed that it gives me a different set of available columns to add on one of the tas'es i have compared to another one, for the same rom. who knows what's up with this thing. doesn't matter anyway. :) (edited)

huh. I got purply screen but no ACE

14:18

what the

14:18

i held reset and swapped back to powerpak and nowi t shows alignment 0

Huh... Why would the alignment change during a cart swap??

ill let it run on alignment 2, see if it works, swap back at the end

14:29

last time when it worked i think i had 1156, 56, 1211. This time i have 1156, 56, 1201. Wel'l see what happens

14:29

well nevermind. I got the weird graphics. I dont understand

14:30

oh i bet this is related to the powerpak

14:30

holding down reset on powerpak brings up this save battery prompt

14:30

i wonder if that affects the cycle too or, idk

ok so, swapping nes carts doesn't change the cycle, like i can take the powerpak out and in a billion times and that keeps the cycle. But putting in the FDS ram adapter changes the cycle

14:47

as well i can see on my tas replay device that it like reboots and is back at the top of the list of tases to select

14:48

https://www.youtube.com/watch?v=58ON_60MMTg

2026 03 23 12 29 00

YouTube video thumbnail

14:48

at the start of the vid i have alignment 2 with 1201, at the end i have 1211

14:48

but yeha i just tried this a bunch of times and ti changes as i swap back and forth between the fds and the powerpak

14:48

well, it doesnt change going from fds to powerpak. Just powerpak to fds

odd

so i can check which ones dont work afterward... but idk about before

that's pretty weird

oh i managed to swap it wihtout it resetting

14:49

or power cycling, whatever

14:49

and i think i did recall something being different sometimes when running the tests

14:50

im like huh why do i have to scroll down sometimes and not others

14:50

ok so kinda need to redo the tests. Lol

14:50

technically i think we know that cycle 0 and cycle 2 with 1211 dont work

14:50

maybe the time that it worked i had cycle 1 after a reset

14:50

oh ho... wait

14:51

Image attachment

14:51

these graphics are probably whenever it doesnt power cycle

you know something, i do remember this happening like, 6 years ago when i was tinkering with the fds

14:52

and this only happened to me when swapping carts without power cycling (edited)

ok i managed no power cycle and no bad graphics. I think wacky graphics are hodling reset for a long time triggering the powerpak save battery prompt, and then swapping

14:52

i think i just have to very gently insert the ram adapter...

ah yeah that definitely could be. when i was doing my swapping test for the castlevania ace stuff it was very easy to mess things up by being too careless with the ram adapter.

ace can still work even with hte messed up graphics. But alignment seems to change no matter what when switching to the fds

15:53

https://www.youtube.com/watch?v=_tE7TMzLZCc

15:53

i think ive confirmed that alignment 1 is what works with this ACE. I had one work then swapped back and it had alignment 1

1

15:53

im going to try getting alignment 1 then playing the tas from powerpak...

1

feeling a bit overwhelmed from all this. I can't really dedicate more time to this, I need to get the video done. If theres any more issues we might need to have our showcase a couple days after the video comes out or something

16:07

1

16:07

worked! Can probably guarantee ace will work with this method

I'll be busy for most of today, but I can try and recreate the conditions of that TAS with the optimized one (try and land on the same dot) later tonight. (edited)

1

1

sounds good! Maybe even do it with the romhack. Then i can test if it works on the romhack with alignment 1, then test if the full run works on alignment 1

1

ah very nice, is that still with the full 8-4 run?

yeah

16:25

weird thing is in the recording i have from when we console verified it, i got purple crash screen + powerup ace. These times im not getting that

16:25

must have chanced into some other alignment which also works but isn't very common

16:25

because i dont think alignment 0 or 2 worked here

16:26

cant say for sure, did have weirdness with switching to FDS

i just ran the tas again with alignment 1 and it didnt work

honestly after all hte time spent on this today, finishing on saturday seems really hard. I was already strapped for time as is. My video deadline now is the 31st, we might want to push it back to give more time to figure this out and so I can even finish the video at this point

Kosmic

i just ran the tas again with alignment 1 and it didnt work

My goodness. I really wish there was a consistent way to run this.

it might be from a reset vs. not

yeah i actually can't get it to work consistently. :/ been letting it run and it's hit or miss

19:23

alignment is consistent. Not sure at this point

19:23

unless it's a separate issue with being on powerpak now

tried running it on my nes with alignment 1 just to see what would happen

1

19:37

on everdrive pro

... neat.

we'll have to make a new plan or target the perfect dot range or.................. something. I have to really abandon any more time put into this, and probably need to push the tas reveal back so we can sort this out/even finish the video after the time lost from this

Yeah I mean unless we have something we know works in all alignments there will always be issues, that’s just what it’s like in a bunch of games like TMNT etc.

20:16

Would have been nice if we could have detected it and all but guess there are too many issues with that. NES would otherwise have the advantage that the the PPU does at least reset along with the CPU reset which may be relatively more consistent.

20:17

And yeah I wish I could test it myself :/

threecreepio

Would have been nice if we could have detected it and all but guess there are too many issues with that. NES would otherwise have the advantage that the the PPU does at least reset along with the CPU reset which may be relatively more consistent.

Can you explain more about the ppu/cpu reset thing on nes?

just that the front loader resets the CPU and PPU, while on the top loader or famicom it only resets the CPU and the PPU keeps running.

Oh I see. So what would that mean for us in the context of this ACE

not much, in theory it seems like the famicom should be better since you can reset without it changing the alignment.. but guess it's not that easy.

I definitely keep the same alignment, at least whatever the test rom is checking

21:26

So I don't know what's wrong with it at this point

Thanks for the console tests, Kosmic. Hopefully you'll finish your video in time, and let's keep the plan premiere on 28th.

I'm thinking, since our ACE setup requires reading $2004 & OAM, it might be fragile and unstable. But @threecreepio told me that the current $2004 fix version of BizHawk is more accurate in practice, and should be widely accepted. So our TAS should be widely accepted even if we can't get consistent console verification. It passed the most accurate emulator test. At this point, it would be great if we can change the end of -1 and increase the success rate. Worse case, even if the success rate is still low, we can record a full successful console verification, and play that during the premiere. If we can get one full success, that would be good enough.

5 more days to go. Anything is possible.

thats easy to say when you arent the one doing it

there's a difference between it being more accurate and stable/consistent, since this isn't a fully consistent thing on hardware.

Yeah, true, sorry for that... If the video got delayed again, April Fools Day is coming soon, and then the new SMB movie, so that's probably everyone's talking about in April.

hmm the movie...

But that's the thing... it should be more consistent than we're seeing. We can run the test in AccuracyCoin over and over and get the exact same results. So why would we be getting different results when running the TAS???

didnt think about that

100th_Coin

But that's the thing... it should be more consistent than we're seeing. We can run the test in AccuracyCoin over and over and get the exact same results. So why would we be getting different results when running the TAS???

yeah that is very fair.. especially when the powerup handler isn't breaking at all if it seems like it should, then it's breaking even at/before $2064.

The only thing I can think of, is inconsistent sprite zero hit timing. Which, might be the case, according to the nes_reset_state_detect_letters rom? I'd have to look into how that rom works, but I would be very surprised if sprite zero hit timing is the issue.

23:37

I know all of the tests in that ROM are based on sprite zero hits.

23:41

Actually, I know sprite zero hit timing changes based on alignment... There's a handful of tests by blargg about sprite zero hits that have different results depending on alignment.

23:41

Which means it's possible we're reading from entirely different cycles than planned

could try to get like a test rom that just tries to set everything up right near the moment of the crash. bit of effort, of course.

23:43

would that not still be picked up by the alignment test?

100th_Coin

Which means it's possible we're reading from entirely different cycles than planned

hm. That would make sense with seeing all these new possibilities?

23:44

or would it

it would explain why I can make two TASes, one with an even dot, one with an odd dot, and neither TAS works. The sprite zero hit timing in bizhawk is consistent, but on real hardware, alignment can change exactly when the CPU sees the sprite zero hit flag. This could result in an entire extra loop reading from address $2002 waiting for the sprite zero hit, making the read from the $2064 later than expected, and probably landing in the middle of sprite fetch, where it's a bad value.

So the real NES console might not be as deterministic as we thought, and our ACE payload with PPU might not be stable in practice. But since it's the only option we have so far, we'd have to go for it. I'd he happy to see at least one full success on console, and our TAS can be consistently played on the most accurate version of BizHawk, I think that'd be enough.

per the behavior used by bizhawk in my $2002 flag timing test it looks like bizhawk would be emulating alignment 2 or 3. (according to whenever the sprite zero hit flag would be set) It's possible the NMI timing in bizhawk doesn't match alignment 2 or 3, resulting in an "impossible" combination of when the NMI occurs and when the sprite zero flag is raised. I don't know if this has been looked into any.

HappyLee

So the real NES console might not be as deterministic as we thought, and our ACE payload with PPU might not be stable in practice. But since it's the only option we have so far, we'd have to go for it. I'd he happy to see at least one full success on console, and our TAS can be consistently played on the most accurate version of BizHawk, I think that'd be enough.

feels like when you get into these things, nothing's ever as simple as it seems.

unfortunately, I've been making dramatic changes to my emulator's PPU, and I'm not getting this stuff right on every alignment right now.

could things get one dot off based on the even/odd flag not resetting on a famicom? i may be wrong about that affecting things..

oh woah. I forgot entirely about that.

yeah should be skipped i imagine, since, the ppu doesnt reset..

All my tests for this sort of thing sync to a specific visible dot, then strategically toggle rendering so the skipped dot isn't an issue. The TAS would 100% be affected by that.

mm it seemed like something that could be able to throw this off

so that's just another 50% issue we need to deal with.

00:02

ahhhhhhhgh

our cointosses have cointosses.

oh maybe that could be why it still fails even with checking alignment

2

we almost need to make a rom hack of the FDS bios (in order to do this consistently). (edited)

why not, while we're anyways going.

threecreepio

could things get one dot off based on the even/odd flag not resetting on a famicom? i may be wrong about that affecting things..

does that change every reset?

Kosmic

does that change every reset?

on the NES it resets along with the PPU, on the famicom the PPU doesn't reset so it'll just be 50/50 depending on which frame you reset on. if it all runs just from power-on, it should be consistent.. (i think?)

It doesn't mean much to me if we get console verification success with a rom hack. We'd still have to do it with the original ROM and hardware in the end.

they mean for testing it

1

the idea of the ROM hack would be specifically just to force a specific ppu state, as opposed to it being a random 50/50 on reset.

1

threecreepio

on the NES it resets along with the PPU, on the famicom the PPU doesn't reset so it'll just be 50/50 depending on which frame you reset on. if it all runs just from power-on, it should be consistent.. (i think?)

ok so it's not something that could be checked and preserved after cart swap?

Kosmic

ok so it's not something that could be checked and preserved after cart swap?

no the cart swap should be what's causing an issue with it, since you reset after its started.

throwback

Image attachment

threecreepio

no the cart swap should be what's causing an issue with it, since you reset after its started.

you're saying it's 50/50 if alignment is preserved or?

00:10

it's not something that is shown in the alignment romhack right

Kosmic

you're saying it's 50/50 if alignment is preserved or?

alignment is the same, there's just also a slight difference between even and odd frames since the ppu started

ok gotcha

If you verify that you are on alignment 1, switch to regular AccuracyCoin and run the $2004 Stress Test, we could see if you have bit flips in the data. (edited)

every visible odd frame is like one dot shorter iirc (edited)

again if the tas replay device could reset for us, we could make it consistent

00:10

but instead i have to be frame perfect kosmicGO

kosmicGO

ill say im definitely not an expert at any of that and have not even bothered to look at the schematics for more than a few minutes so, if i say something different than 100th_coin i am going to be wrong. :)

what am i looking at here...

Image attachment

wow, that's unusal data.

please stop saying that it's making me uncomfortable

Where in the world is 78 coming from?!!??! You console behaves so very different from mine.

im back to normal

Image attachment

00:13

can the first bootup be really weird or something...

yeah (edited)

00:14

The PPU behaves a bit funny while it's still warming up.

oh ok thats it then

rather, analogue behavior is different when the ppu is cold

ok im on "normal" alignment 1 now

Image attachment

00:15

so ill switch to other test

2

00:15

Image attachment

00:20

sometimes my alignment 1 has 1156 instead of 1256, not sure whats up with that

00:21

here it is with 1156

Image attachment

the first one doesn't appear to have any bit flips. let me check the second image

1 more with 1256

Image attachment

I don't see any bit flips here

00:24

That's a nice change of pace. At least we don't need to worry about that on your console.

is it not possible i just lucked into it

00:25

do i need to do it like 10 more times

The bit flips are pretty consistent on my end, at least.

00:25

well, they only occur in alignment 1, but they are always present in that alignment. (edited)

oh ok, this is separate from resetting having a 50/50 i guess

right, this test syncs to a specific ppu cycle before running the test, so the 50/50 stuff isn't an issue here

I'm going to the hospital now. For Kosmic's video: a lot can be done in 5 days, especially with a deadline. Please don't give up too easily. We're with you all the way. Maybe try deleting parts that are less important or boring. If someone wants to learn more, they can get more information in the video description and comments. I can do the final HD encode & thumbnail of our TAS in the last day. Meanwhile, hope @100th_Coin find ways to increase the success rate. Sorry that I'm really not an expert on this.

I'm trying to make this more consistent. Looking through the assembly code to maximize the number of cycles between the sprite zero hit occurring and the read from $2064, the latest I was able to make the read occur was dot 290 (aiming for dot 320) Off by 10 CPU cycles. I think we could theoretically delay it by a maximum of 9 more cycles, depending on when exactly the CPU enters the wait-for-sprite-zero-hit loop, though it's likely not going to be close to 9 cycles, and it also wouldn't be enough anyway. Genuinely, the best case scenario here is one cycle off. So I'm going to look into manipulating the read from $2007. I'm pretty sure we're only going to get one of four (stable) outcomes depending on when the read from $2067 occurs. Perhaps one of those stable results would allow the read from $2074 to land on the good cycle with a 100% guarantee.

1

17:27

though I gotta be honest, my notes for this are getting a bit out of hand.

Image attachment

17:29

just putting this here in case it becomes relevant. This TAS would certainly not work, but here's the latest I could read from $2064.

SMB_ACE_Latest2064Read.tasproj

473.23 KB

1

100th_Coin

though I gotta be honest, my notes for this are getting a bit out of hand.

wow. Theres a screenshot for the video

haa

thanks for all the work you're putting in

okay, I'm pretty sure the only (stable) values from address $206F can be: $24 : BIT <zeroPage $24 again. $38 : SEC $0E : ASL Absolute Remarkably, all of these have different amounts of operands. That's a good start. (edited)

The plan: If the read at $2064 is wrong, then we should find a way to force the $2074 read to occur on the right cycle. The read from $2064 is either primary OAM (bad. value depends on the cycle) or secondary OAM (Good. always read $9C from the blooper.) Here's a list of the primary OAM addresses we can read by mistake, and which dot corresponds to which address:

193 : OAM1[00]
195 : OAM1[04]
197 : OAM1[08]
199 : OAM1[0C]
201 : OAM1[10]
203 : OAM1[14]
205 : OAM1[18]
207 : OAM1[1C]
209 : OAM1[20]
211 : OAM1[24]
213 : OAM1[28]
215 : OAM1[2C]
217 : OAM1[30]
219 : OAM1[34]
221 : OAM1[38]
223 : OAM1[3C]
225 : OAM1[40]
227 : OAM1[44]
229 : OAM1[48]
231 : OAM1[4C]
233 : OAM1[50]
235 : OAM1[54]
237 : OAM1[58]
239 : OAM1[5C]
241 : OAM1[60]
243 : OAM1[64]
245 : OAM1[68]
247 : OAM1[6C]
249 : OAM1[70]
251 : OAM1[74]
253 : OAM1[78]
255 : OAM1[7C]

18:02

let me see how many dots pass between the $2064 read and the PPU Read Buffer being updated from the $2067 read

18:04

19 ppu cycles

18:04

so reading $2004 on dot n corresponds to the ppu read buffer being updated on dot n+19

18:06

so if the $2004 read was from secondary OAM (an even dot) then the PPU Read buffer would be unstable. If the $2004 read was from primary OAM, then the PPU Read buffer would be stable. That's good.

will you always get the same dot, regardless of cpu/ppu alignment?

18:07

it's just whats IN oam that changes?

I'm pretty sure we cannot guarantee the dot we land on. We can assume a 3-dot window though. (unless we get super unlucky on the sprite zero hit timing, but that's a 1/27 chance of it being bad, and I don't want to think about that right now.) (edited)

18:09

(the 1/27 thing coming from the 27-ppu-cycle long loop it takes for the game to read from address $2002, check if a sprite zero hit occurred or not, then loop again.)

18:11

but I'm pretty sure we can assume it lands on a specific dot based on the TAS, which could be off by 1 due to the ppu's skipped dot every other frame making this occur one dot earlier... or perhaps later depending on if the emulator skipped that dot this frame or not. that won't be too difficult to figure out what the emulator did though. Then we can assume a single alignment will read from one dot earlier. (edited)

18:12

Hence my assumed 3-dot window. So I need to find 3 ppu cycles in a row that will be good (edited)

18:13

considering there's only 20 ppu cycles where we know the read from $2074 will be good, and half of those will have unstable $2007 reads, that leaves me with 10 cycles to check

18:14

no wait- this is more complicated than I thought. I need to see how long the instructions take between $206F and $2074 with the various values it could be (edited)

yeahh great

18:15

haha

I might just automate this. I really don't want to do this in my head, ha! My emulator doesn't have FDS support yet, but I can just do what I did last time and copy all this info from bizhawk into my emulator's RAM.

perfect pathing kosmicFocus

kosmicFocus

okay, I found two instances where there are 3 dots in a row that should work. dot 226, 227, and 228 should all be good. Dot 236, 237, and 238 should all be good.

19:35

let me see if the emulator is skipping the dot at the end of the pre-render line.

19:37

oh... bizhawk doesn't actually tell me this... it just prints the number of cycle since vblank began. that's really inconvenient.

19:37

that means this entire time I could have been off by one when determining the dot. that's... really annoying.

19:38

it also means I won't know for sure when making the TAS...

19:38

time to modify the tracelogger, my god.

fix it so it can show the illegal opcodes while you're in there. :b

19:41

maybe there's a setting for that or something i don't know..

I'm making a quick fix just to log the scanline + dot. I'm not planning to push this change

yeah i wasn't being serious

1

I honestly cannot tell if or how bizhawk is handling the even/odd frame dot skip.

20:03

okay, it passes the test for that... but how?! As far as I can tell, it's not doing that.

Image attachment

Image attachment

20:04

ah, I found it

20:10

okay, in the TAS I'm looking at, this is a frame that did not skip the dot.

20:10

Now I'm aiming for the read to occur on dot 228 or 238.

1

20:13

Dot 237... One away from the target. (edited)

SMB_ACE_Dot237.bk2

10.72 KB

well, I should have eaten dinner like, three hours ago. I'm gonna get some food, then keep trying.

20:22

This TAS should have a pretty decent chance of working. The one I just sent (edited)

so 238 would be better?

yes

gotcha

But I also just realized that the “coarse CPU/PPU alignment” might be a real issue here. Every frame with rendering enabled takes either 29870.33 CPU cycles, or 29780.66 CPU cycles. This alternates back and forth, and the two dots that it lands on could only change during a full frame with rendering disabled. So the first CPU cycle out of vblank could only land on 2 of 3 possible dots. Of course, if there’s an additional frame with rendering disabled, then that changes which two dots it could be.

21:10

so depending on VBlank Suppression while the game boots, we get a different set of two dots. (edited)

21:11

the two dots it could land on changes every time the game disables rendering, but it disables rendering for a consistent number of frames with the TAS.

21:13

So the TAS as it currently is in bizhawk has a CPU cycle on dot 236 and dot 237. Dot 238 would not be possible unless we had an extra frame of disabled rendering. (edited)

21:14

let me check if bizhawk encounters VBlank suppression while booting up the game. we could either gain or lose a frame here... (edited)

21:16

bizhawk does not get vblank suppression when booting the game (edited)

21:16

so a real console could fall behind by a single PPU cycle relative to the first CPU cycle out of vblank.

21:18

so yeah, 238 would have been ideal... The window for error just got larger, and there weren't any sets of 4 cycles in a row that were all good.

on a real fds we also have differing disk load times before the game even starts, would at least affect some things.

1

In theory I could get dot 228, but I'm not sure how to "lose" 3 CPU cycles here.

21:24

so, just to clarify, with the TAS I recently sent: (I think this is correct...) Odd frame + alignments 0, 2 or 3 + no VBS: Dot 237 Even frame + alignments 0, 2, or 3 + no VBS: Dot 236 Odd Frame + alignment 1 + no VBS: Dot 236 Even frame + alignment 1 + no VBS: Dot 235 Odd frame + alignments 0, 2 or 3 + VBS: Dot 236 Even frame + alignments 0, 2, or 3 + VBS: Dot 235 Odd Frame + alignment 1 + VBS: Dot 235 Even frame + alignment 1 + VBS: Dot 234 (edited)

21:26

in this case dot 234 is also good.

21:26

so we have 5/8 success rate?

21:26

Assuming I did all this correct.

have we tested kosmics exact rate of the alignments? not that it matters in the general case.

I don't believe we have. I also know people claim some alignments are more common than others, though I have not seen that with my consoles. I honestly think it's an even 25% for each.

21:29

at least, the "fine cpu/ppu" clock alignments seem to be 25% for my console?

fair enough. i can't run that rom on my system from here, so. :)

100th_Coin

so we have 5/8 success rate?

for clarification, if we could have landed on dot 238, I think it's a 7/8 success rate.

100th_Coin

Didn't work in bizhawk.

something to note: this run here was also dot 237.

21:36

but I guess that one didn't work for other reasons. Something to do with the ROM hack setting up RNG in different way than the non-rom hack run? I wonder if the original run was dot 237 on the vanilla game. (edited)

you know what would have been smart would have been to take notes of what actually happened per file. :D (edited)

100th_Coin

but I guess that one didn't work for other reasons. Something to do with the ROM hack setting up RNG in different way than the non-rom hack run? I wonder if the original run was dot 237 on the vanilla game. (edited)

This one was dot 239 in the vanilla game. (edited)

21:42

another 7/8? (edited)

21:42

no- 6/8 (edited)

21:44

So by complete coincidence, not knowing how much of a minefield this whole thing was, on a whim we got one of the best possible cycles on that early TAS. (edited)

haha

assuming each of the alignments have a 25% chance, Dot 237 has an 11/16 chance to work. Dot 238 has a 15/16 chance to work. Dot 239 has a 13/16 chance to work.

1

21:50

per my current understanding of the situation

what values near there have you gotten?

21:53

if you know

@100th_Coin Thank you for your efforts.

threecreepio

what values near there have you gotten?

I've got 240, which was one CPU cycle later than the 237 TAS. (edited)

21:54

that would be a 9/16

threecreepio

you know what would have been smart would have been to take notes of what actually happened per file. :D (edited)

phase 0 - fail phase 1 (1156, 56, 1256, 56) - fail (messes up marios sprite and doesnt crash??) phase 2 - (1156, 56, 1211) - fail

21:57

these are what notes i did take, but actually this was before i knew it was switching alignments when swapping to FDS so nevermind these dont mean anything

21:57

even on alignment 1 i could still get multiple outcomes though...

1

21:57

still catching up on everything

100th_Coin

Dot 237... One away from the target. (edited)

Would you be willing to run this TAS? In theory, this is the best shot I could get. (without doing some weird stalling, losing frames and stuff.) (edited)

1

100th_Coin

This one was dot 239 in the vanilla game. (edited)

the one ive been running with success is dot 235. Is that the one you're referring to, the early TAS?

22:01

the one that goes through 8-4

22:01

or at least thats what you said ti was back in the screenshot. Maybe that was wrong

Kosmic

could someone convert this to run on the shorter ROM and see if it works

this one was dot 239

ohh that one

22:03

that one did work for me that one time, yeah

22:03

ok ill dump this one you just made with dot 237

1

22:04

if i could guarantee an alignment, which alignment would be best?

22:04

or like, are certain ones advantageous

any alignment other than 1

oh ok sweet. And does the 50/50 from reset odd/even play into this

it does, yes.

22:07

We should have a 3/4 chance for a non-1-alignment to work. You would need both the even frame and the Vertical Blank Suppression at power on to throw it off. (edited)

ahh gotcha

I feel like I need to append "per my current understanding" after every one of these claims. We keep discovering more coin flips, ha!

1

the cycle I can guarantee by playing on flash cartridge and cart swapping. But we cant guarantee the other stuff

22:08

i also could guarantee cycle by restarting if i ever see artifacts in the sky? if that guarantees im not on cycle 1 kind of a thing

the whole process has reminded me of the silicon valley shows jerk algorithm (edited)

i need to run that test still for the artifacts in the sky

100th_Coin

I feel like I need to append "per my current understanding" after every one of these claims. We keep discovering more coin flips, ha!

are we up to our 100th coin flip yet?

heh

tell you what it's a lot faster to go through minus world for quest 2

annoying that you can get 238 on the frame after

1

oh can you

22:14

that might be good just for showcases, if it ups the chances

well it would put the bloober in a different spot, so

hm, I thought you could get 136 on the frame after.

15/16 is super good. That only fails if you lose 1/4 of even/odd and vblank?

1

22:15

but actually isn't 237 exactly as good if you can guarantee youre not on alignment 1

1

I think, yeah

even/odd should be consistent if you're running the whole thing from power-on without any resets. though if you get even or odd would depend on your fds

ohh, interesting

22:16

wait, because of loading?

yeah would figure so

that can vary by 1 or 2 frames even with the same drive

actaully, I think if you can garuntee you aren't on alignment 1, then you should get 100% on dot 238

so like the fdskey i guess is always consistent for everyone who has one

right that might be 100% consistent

22:17

which would be great for a showcase

22:17

im about to check the ppu 2000 glitch thing

dear lord see me through these bizhawk crashes

threecreepio

even/odd should be consistent if you're running the whole thing from power-on without any resets. though if you get even or odd would depend on your fds

well, if Vblank Suppression happens, the even/odd frames would be flipped. But yeah.

ahh yeah fair

if you have to lose both, then the even/odd thing is still fine

22:18

right

the even/odd would be consistent but the vblank cointoss is still there

1

22:19

if we can just gather up as many cointosses as possible that can become a neat part of the ace anyway. the least consistent console verifiable ace.

Kosmic

if you have to lose both, then the even/odd thing is still fine

uh. from power on, If you lose vblank suppression, then you lose both. From reset, it's still 50/50. Just the opposite if what it would have been if you didn't get VBlank Suppression.

oh hm i see

because this would be 238, right?

Image attachment

22:21

but on the next frame

threecreepio

because this would be 238, right?

it would be 238, correct. (edited)

22:21

let's aim for dot 260. You only get the ACE on alignment 1, when VBlank suppression occurs with the added 50/50 of the even/odd frame skipping the final dot of the pre-render line. (joke) (edited)

could have a big stream event seeing how many tries we can get between successes.

100th coin do you know what im supposed to do with this rom

Image attachment

22:22

will it look a special way on the right alignment

22:22

oh lol. I finally got it

22:22

Sorry, i tried several times but the very next time it worked

1

it looks like this on alignments 0 and 1 for my console.

Image attachment

ok i got the glitch and swapped to your test, im on alignment 1 right now

22:23

which checks out

22:23

let me try alignment 0

100th_Coin

I don't believe we have. I also know people claim some alignments are more common than others, though I have not seen that with my consoles. I honestly think it's an even 25% for each.

mine keeps switching which one is more common. Could just be true randomness. But for a while there it was like always 0, and now 1 is super common

22:25

and in Who Framed Roger Rabbit land, dave says he gets a certain alignment a lot

22:26

im at 10 alignment 1's in a row now

22:26

15.... might have to switcih to the NES for this ace tas man

22:27

huh is this rom broken or something

in what way?

i did the ppu 2000 test and it did not show the glitch, swapped to cycle test rom and it is still showing alignment 1

22:28

and i have gotten the same alignment 18 times in a row now

22:29

oooh finally something new

22:29

alignment 2 after 20 in a row

Well, we have determined that your console behaves differently with the RMW $2007 test than my console. It's possible your results for alignment 3 look a lot like alignment 1?

22:29

I don't think I've seen a screenshot from you with the alignment 3 results my console gets. (edited)

oh i see

22:30

i did get that one super weird one we didnt recognize

22:30

just the one time

22:30

that mightve been a first bootup weirdness

22:30

my alignment 1 is sometimes 56 and sometimes 57, so theres that

22:31

what is this..

Image attachment

wow, that's new

dude please, it's just all alignment 1 right now. Please give me 0

ah, it's also writing to address $2051. That makese sense.

i wouldnt dare run the ace on this right now

try running the other alignment detecting cart until you see 3 or 0.

22:33

I think my RMW $2007 test is going to continue being inconsistent and strange.

BGNT ?

I'm pretty sure you saw AGMS with alignment 0 before

looks like align 1 still, with 55's

Image attachment

100th_Coin

I'm pretty sure you saw AGMS with alignment 0 before

oh i meant i got "BGNT - Phase ?"

you are turning the console off and on again, not just pressing reset, right? I'm bewildered that you are getting alignment 1 this often. Maybe Threecreepio is on to something about some consoles getting some alignments more than others.

yeah im powering off

22:34

shall i stream it for you for proof

22:34

it's pretty crazy

If you want to

wish i could call just some of the people in here

22:35

and not bother others

22:35

i guess i can call you. Do you want to join creepio. Lol

we could hop in the VC in your discord

ehm sure

console verified (edited)

Image attachment

1

running on the NES instead of the famicom.

Image attachment

1

tas works

Image attachment

00:42

the main issue we have now is the game crashing during 3-1! Very strange

Image attachment

Image attachment

00:42

we can get the minus world powerup corruption ace to happen most of the time

It would appear that we're a lot more consistent with the -1 ACE. For some strange reason, the payload in 3-1 appears to be failing. Not sure what the cause is. The optimized 3-1 payload seems to get a lot of graphical garbage on the background, while the old 3-1 route seems to work better. No clue what the deal there is.

new payload vs old payload

Image attachment

Image attachment

1

100th_Coin

It would appear that we're a lot more consistent with the -1 ACE. For some strange reason, the payload in 3-1 appears to be failing. Not sure what the cause is. The optimized 3-1 payload seems to get a lot of graphical garbage on the background, while the old 3-1 route seems to work better. No clue what the deal there is.

Maybe it's because the new 3-1 requires more precise timing of pressing Start. If the Start press is one or two frames early, the time of Mushroom appearing would change, and the setup would fail. In the previous setup, Mario has a 2-frame window of moving to the right screen X position, and in the new setup, there's only 1-frame window.

Kosmic

and not bother others

Oh the way to start calls without calling everyone is by holding shift while starting a group chat call

1

1

HappyLee

Maybe it's because the new 3-1 requires more precise timing of pressing Start. If the Start press is one or two frames early, the time of Mushroom appearing would change, and the setup would fail. In the previous setup, Mario has a 2-frame window of moving to the right screen X position, and in the new setup, there's only 1-frame window.

Oh, that very well could be it actually

09:58

Because the payload worked fine when we stopped it at the crash and then ran it from a reset

Yes. Depending on the reset time, there might be one frame off, that would impact the whole payload in 3-1. (edited)

09:59

So we might need some luck in 3-1.

Frame counters should reset, why would it be luck based with the reset timing?

10:51

It's the powerup framerule that's important right?

10:52

Maybe the console replay tas just needs to be adjusted slightly

10:52

Maybe it starts 3-1 a frame late

Kosmic

It's the powerup framerule that's important right?

Oh, it sounds maybe more like it's coin toss with the koopa collision (edited)

It happens in the dev build of BizHawk, too. I can delete or add a frame before the reset after -1, and 3-1 won't work.

11:58

So I guess there's probably a cointoss there.

@100th_Coin told me that the fails in 3-1 happens at the end of 3-1, so it's probably not the reason I mentioned above. But at least -1 is pretty much solved, and the current success rate is good enough, so that's great.

12:23

The setup and payload in 3-1 is more tight, so there's very little room for change.

12:26

@Kosmic Do we have a full recording of our TAS played successfully on console? If something goes wrong during the livestream, I think it's more safe to play the full recording.

i just tried many times to get one

12:32

and i didnt get it a single time

1

1

12:32

i dont know what happened. It seems random like it was before and never working

12:33

i even got other results like crashing on title screen, blue screen after hitting reset, crashing after scrolling the screen a ways

12:33

last night it only ever did nothing, or we got powerup ace

12:33

i dont know whath appened

Sounds like different results from last night.

im even using powerpak to verify the alignment the last few times

Maybe wait a few hours and it goes normal again. I don't know if things like temperature would affect its behavior.

unless im getting REALLY unlucky. @100th_Coin in the cases where it fails even with correct alignment (from losing the 50/50's) would we expect different results on the failures?

If we fail the 50/50's then we wouldn't get powerup ACE. that should be the only change, as far as I am ware.

ok, this last time it just crashed on the title screen

12:37

and ive gotten a lot of weird stuff

At least we got 3 full success last night, so that's a relief.

you looked into getting the good reads @100th_Coin , but do we know where it crashes afterward? Maybe something is happening before it crashes?

I don't know exactly where it crashes. It's also worth noting that if we don't get the powerup ACE, then we probably write to the same address, but a different value. For instance, if we land on dot 235, we run INY before the SHY $9C9C, X, which would instead write the value 09 instead of 08.

HappyLee

@Kosmic Do we have a full recording of our TAS played successfully on console? If something goes wrong during the livestream, I think it's more safe to play the full recording.

for me, i dont think a recording is good enough for the showcase. I want to have a camera pointed at the tv, and i want to show off other payloads afterward like loading straight into 8-4, and the total control showcaser that Lain made

12:42

if we took a couple tries to get it thats ok and can be edited, but it's taking a lot more than a few tries right now... and i dont understand all the different results im getting

100th_Coin

I don't know exactly where it crashes. It's also worth noting that if we don't get the powerup ACE, then we probably write to the same address, but a different value. For instance, if we land on dot 235, we run INY before the SHY $9C9C, X, which would instead write the value 09 instead of 08.

I just tested with cheats, if we write 09, then the game won't crash, but the item would stop moving around, which would be a pretty good way to tell that we landed on dot 235.

ive never seen the powerup do that

12:46

is dot 235 if we lose the two coin flips (edited)

12:46

this last test crashed on the title screen again

Kosmic

for me, i dont think a recording is good enough for the showcase. I want to have a camera pointed at the tv, and i want to show off other payloads afterward like loading straight into 8-4, and the total control showcaser that Lain made

I would love that, too. But looking at the moment, I don't think we can dramatically increase the success rate with our current method. So we can maybe play it a few times live, and if unfortunately they all fail, then play the pre-recorded success.

i dont think it will be a good showcase that way. Would rather figure it out before doing the showcase

Kosmic

is dot 235 if we lose the two coin flips (edited)

it should be, yeah (edited)

hm ive never seen that happen. Only crash on powerup or nothing unusual

Which I guess suggests there's more variables than I thought, since we've never seen that, but we've failed the ACE. (edited)

it's crazy this never happened last night

12:51

is this expected to fail

Image attachment

uh... that one shouldn't be failing

12:52

wait- 00? I'm pretty sure I don't even check the value at that address. what would be causing it fail because of that?!

it passed on my famicom

12:53

i mightve pressed buttons during the test on nes, if that matters

oh, it prints the value of X, which is my index into the answer key look-up table. It's strange that it fails that test, there were several consoles tested, and this is the first one I've seen fail it.

12:55

can you show the debug screen results for that test?

will do that in a bit

1

12:56

right now im on famicom and seeing this pretty consistently......

12:56

Image attachment

78 My goodness. That value can apparently be anything.

is this that really weird one again

Image attachment

weird

it says AGMS phase 0

Strange that phase 0 is behaving like phase 1 on the INC $2007, X results.

the NES i was running the tests on was getting the same phase 2 values as your console and what worked last night though so idk

13:00

is agms normal for phase 0

yes

13:01

That's what my consoles show

ok. Im running it on famcom with this phase 0 just to see whath appens

13:10

nothing happened on powerup

13:10

Image attachment

13:10

this is NES

13:10

weird fluke idk

13:10

or maybe it's alignment specific

ran it on NES with alignment 0, got crash on the title screen. There has to be something else going on

13:22

the fact it worked so many times last night- yeah maybe analog conditions/temperature affect it. But it is not working at all now

13:23

I do have a recording of the full thing, but it has our voices talking in the call

1

I've asked everyone now, so, just for clarity - I plan to export the group chat up to this point around when we submit to TASvideos and have it just attached there so others can be exposed to this madness.. So go through and edit/remove/whatever anything to clarify things, make sure you do so before that! Nothing after this message will be included.