The words "open bus" trigger PTSD I didn't know I had
Good to know i'm not the only one (joke)
It's not the same bus!
@CristianConsonni I was referring to Super Mario World.
Imagine an open bus...
Imagine a `void open(*bus)`.
I love how cheeky this ACE is. I also love how hilariously useful SMB3 is for making payloads. You literally couldn't ask for better.
Well, except for RTA viability. Not sure whether there even exists any setup game that would be any good for RTA or not.
@@MrCheeze 'shell code' in SMW comes to mind, off the top of my head I'm not sure if there's an NES game that good
@MrCheeze Probably 7-1 ACE in Mario 3 could do it, but it'd probably be pretty tedious, time-consuming, and really easy to mess up. And it'd almost certainly be slower than just playing Mario 1 normally.
To be honest, one of the most fascinating things about this for me was seeing a version of 8-4 that didn't have loops in it. Kinda cool how it actually flows pretty seamlessly.
Extremely cool find! Love me some payloads stored in uninitialized ram.
Honestly, I'm surprised this could exist without being found already... SMB1 is one of those games known for being so well studied that undiscovered ACE couldn't possibly exist. (Admittedly, most people were probably not checking for logic that runs only in out-of-bounds world numbers and requires uninitialized RAM setup.) Anyway, great work!
Alternative comment:
This really puts the N in Stop 'N' Swop.
I discovered this exploit several years back. Indeed, needing to rely on initialized RAM as well as inaccurate emulation were both rather discouraging for most people to pursue actually running a useful payload.
It's amazing seeing such a thing become possible in a game that most people consider completely ripped apart already. Entertaining stuff!
This is amazing work. It's cool how simply it recovers from executing in open bus. Awesome.
Legendary accomplishment for SMB1 even though it's with a cart swap. Amazing video and amazing find! :)
This is amazing congrats! So cool to see ACE in this game
"Use < and > to look at explanations"
Me using a phone: 💀
just connect a keyboard to your phone, simple.
Same
Lucky, I mostly use console and only have wired keyboards and mice.
@tonyacatlett3683 mad respect
I just put it at 0.25 speed and did quick play/pauses lol
Now, you can recreate Marionaires's create account TAS using arbitrary code execution, where you will create an account on Super Mario Bros., play World 0, and start playing the game revealing the hidden locations.
I knew something like this was possible, good job! I believe glitch enemies in some worlds let you execute arbitrary code, I remember playing a glitch level and getting far enough resulted in jumping to somewhere in work RAM and I think I remember it jumping to open bus as well, so this could be even faster
Wow! Never would have thought of this. Great work!
The way this is worded kinda implies that "open bus" is a sort of state that the CPU can be within. But as far as I know, *the* open bus is any memory region that isn't mapped, and this is what happens when you jump there.
It's kinda like saying "during unmapped memory, such and such happens".
Ah, good catch. My choice of words was a bit poor. I was trying to find the best way to phrase "During an instance where the PC is located at an unmapped address" and assumed "During open bus" would be a pretty good umbrella for that. Perhaps I meant to write "During open bus execution".
this is friggin awesome i have been waiting for smb1 ace for as long as i remember
This is awesome! I doubt much is possible in SMB1 with ACE, given the amount of memory you can access, but, at least, you can use it to legitimately force things to be interesting! I kind of want to see a proper analysis for exactly what happens, instruction by instruction, in the game's code, as you stall for time with conflicting button inputs and when the IRQ interferes.
I infer that the SRE instruction shifts the bits of a target byte in the zero page.
POV: Todd Rodgers' most accurate speedrun
I was not ready for that onslaught of explanations in the first second. Nice and detailed though.
Retro Video Game Mechanics has a pretty good video on how an open bus works: ua-cam.com/video/cPdlFUfENok/v-deo.html
It's part of a larger video about a Super Mario World glitch but it's still a very solid 15-minute explanation.
The best tl;dr summary I can give is that the CPU is asking for memory that doesn't exist. Instead of getting an actual response, it merely sees an echo of the memory request itself or the response to a previous request.
Great work! I hope you get to perform it with a tas-bot sometime 🙂.
Oh hey, sorry I took two months to reply. This was console verified by Alyosha before I even uploaded my own video. If I recall, this might be an earlier version of the TAS, but it still executes the payload, thus completing the game in 8-4. ua-cam.com/video/_Qs0G_gLEyk/v-deo.html
Wow amazing, congrats on ACE’ing a new game!
Well that is utterly insane. Congrats on getting this accomplished. Is this the first smb1 ACE?
Now, fingers crossed for an ACE without a cart swap.. though that might be a very tall order.
As far as I am aware, this is the first time ACE has been used in SMB1.
FUN FACT: In this TAS, Mario is doing the Mario. ~swing your arms from side to side...~
ACE in smb1??
Open bus manip combined with a variant of the Tennis x Mario glitch??
This game hasn't been totally torn apart yet it seems!
Whoa cool, I understood that ASM ^^ Awesome job!
Very cool!
Amazing work as always 100th coin!!!!!
Very nice! If you press B then you go to regular "second quest" or something different happens?
It's a valid completion of the game. Going to the second quest works as usual.
I don't understand anything you said but I feel smart reading it
I wonder if this concept could be used with OOT/SM64 to start SM64 with the upstairs key and go straight to the final Bowser.
This is amazing, what gave you the idea to try this?
I've been playing around with ACE in SMB3 for a while, so I decided to look for ACE in SMB1. I knew killing Bowser beyond world 8 could lead to game crashes, and I decided to investigate it. As it turns out, Negative7 did a lot of research on this topic and found that killing bowser in world $FC jumps to address $3D0. That region of RAM is far too useless to manipulate into a meaningful payload (or even a jump instruction to somewhere better) so I decided to chart every world in the game to see what killing bowser would do. At the time I started this, I wasn't very familiar with open bus, but I found that world $16 (world N) jumped there. I left it as a comment and moved along.
I was modifying bizhawk at this time to allow for cart swapping mid-TAS. I had the goal of making a stop 'n' swop tas for TASVideo's april fools shenanigans. The original idea was just going to start the game in world 8 by playing Tennis, but I really wanted to see if I could use ACE to some degree. After learning a bit more about open bus, I took another look at world N, and to my surprise, I could easily manipulate an RTI instruction into existence, and this jumps to uninitialized RAM. All I needed to do was initialize it, and that's where my SMB3 TAS comes in. I figured the fastest way to initialize that would be through subframe inputs. I think this takes about 2 seconds?
On a bit of a tangent, I've been considering making a stop 'n' swop TAS of dragon quest 3. You have a really good video about that run, and it would be cool to see it TASed.
This is incredible.
How does it change from N-2 to 8-4 at around 1:15?
The game changing from N-2 to 8-4 was the entire purpose of running the arbitrary code (which happened by killing Bowser in world N). This was achieved by storing a value of 7 in address $75F (This sets the game in world 8), a value of 3 at address $7FC (This sets the game in level 4), and running JSR $865A, as the code at $865A updates the HUD to display the current world-level.
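Added model, not the video author's or the game's code: a tiny 6502 interpreter with an NES-style memory map, enough to show three things from this thread together, since they need the same machinery: what "executing in open bus" looks like under the echo model described a few comments up (the CPU reads back the byte last seen on the data bus), how an RTI fetched out of open bus pulls its return address from whatever RAM happens to be on the stack, and the world/level payload itself (7 to $075F, 3 to $07FC, JSR $865A). Everything other than those three addresses is an assumption picked for the demo: the JMP $4010 used to reach unmapped space, the stack contents, the payload living at $0300, the resume address $9000, and the one-byte stub at $865A standing in for the game's HUD routine.

```python
"""Added model of open-bus execution, RTI into RAM, and the SMB1 world/level payload.

Not the game's or the video author's code. Only $075F, $07FC and $865A come
from the thread; the trigger, stack contents and payload address are assumed.
"""

# The handful of 6502 opcodes the model understands.
LDA_IMM, STA_ABS, JSR, RTS, RTI, JMP, NOP = 0xA9, 0x8D, 0x20, 0x60, 0x40, 0x4C, 0xEA


class Bus:
    """2 KiB work RAM mirrored through $0000-$1FFF, ROM from $8000 up, nothing
    mapped in between. A read of unmapped space returns the byte last driven
    on the data bus (simplified open-bus model: the CPU sees an echo)."""

    def __init__(self, rom):
        self.ram = bytearray(0x800)
        self.rom = dict(rom)          # sparse ROM image: address -> byte
        self.last = 0x00              # last byte that travelled on the data bus
        self.open_bus_fetches = []    # unmapped addresses the CPU read from

    def read(self, addr):
        addr &= 0xFFFF
        if addr < 0x2000:
            val = self.ram[addr & 0x7FF]
        elif addr >= 0x8000:
            val = self.rom.get(addr, NOP)
        else:
            val = self.last           # open bus: echo of the previous transfer
            self.open_bus_fetches.append(addr)
        self.last = val
        return val

    def write(self, addr, val):
        addr &= 0xFFFF
        val &= 0xFF
        if addr < 0x2000:
            self.ram[addr & 0x7FF] = val
        self.last = val


class CPU:
    def __init__(self, bus):
        self.bus, self.pc, self.sp, self.a = bus, 0x0000, 0xFF, 0x00
        self.jsr_targets = []

    def push(self, v):
        self.bus.write(0x100 + self.sp, v)
        self.sp = (self.sp - 1) & 0xFF

    def pop(self):
        self.sp = (self.sp + 1) & 0xFF
        return self.bus.read(0x100 + self.sp)

    def fetch(self):
        v = self.bus.read(self.pc)
        self.pc = (self.pc + 1) & 0xFFFF
        return v

    def step(self):
        """Execute one instruction and return its opcode byte."""
        op = self.fetch()
        if op == LDA_IMM:
            self.a = self.fetch()
        elif op == STA_ABS:
            lo, hi = self.fetch(), self.fetch()
            self.bus.write(lo | hi << 8, self.a)
        elif op in (JSR, JMP):
            lo, hi = self.fetch(), self.fetch()
            if op == JSR:                      # push address of JSR's last byte
                ret = (self.pc - 1) & 0xFFFF
                self.push(ret >> 8)
                self.push(ret & 0xFF)
                self.jsr_targets.append(lo | hi << 8)
            self.pc = lo | hi << 8
        elif op == RTS:
            lo, hi = self.pop(), self.pop()
            self.pc = ((lo | hi << 8) + 1) & 0xFFFF
        elif op == RTI:                        # pull P, then PCL, then PCH
            self.pop()
            lo, hi = self.pop(), self.pop()
            self.pc = lo | hi << 8
        elif op != NOP:
            raise ValueError(f"opcode {op:#04x} at {self.pc - 1:#06x} not modelled")
        return op


def assemble_payload():
    """Hand-assembled: LDA #$07 / STA $075F / LDA #$03 / STA $07FC / JSR $865A / RTS."""
    return bytes([LDA_IMM, 0x07, STA_ABS, 0x5F, 0x07,
                  LDA_IMM, 0x03, STA_ABS, 0xFC, 0x07,
                  JSR, 0x5A, 0x86, RTS])


def demo(payload_at=0x0300, resume_at=0x9000):
    rom = {0x8000: JMP, 0x8001: 0x10, 0x8002: 0x40,   # JMP $4010: into open bus
           0x865A: RTS}                                # stand-in for the HUD code
    bus = Bus(rom)
    bus.ram[payload_at:payload_at + 14] = assemble_payload()
    cpu = CPU(bus)
    cpu.sp = 0xF0
    # "Uninitialised" stack RAM that RTI will pull: P, PCL, PCH -> payload;
    # below it, the address the payload's final RTS returns to (minus one).
    bus.ram[0x1F1:0x1F6] = bytes([0x00, payload_at & 0xFF, payload_at >> 8,
                                  (resume_at - 1) & 0xFF, (resume_at - 1) >> 8])
    cpu.pc = 0x8000
    ops = []
    while cpu.pc != resume_at and len(ops) < 50:
        ops.append(cpu.step())
    return {
        "open_bus_fetches": list(bus.open_bus_fetches),   # only $4010 was fetched
        "rti_from_open_bus": ops[:2] == [JMP, RTI],       # the echoed $40 ran as RTI
        "world": bus.ram[0x75F],                          # 7 -> displayed as world 8
        "level": bus.ram[0x7FC],                          # 3 -> displayed as level 4
        "hud_called": cpu.jsr_targets == [0x865A],
        "resumed_at": cpu.pc,
    }


if __name__ == "__main__":
    print(demo())
```

The interesting line is the second step: the JMP's last operand byte ($40) is still on the data bus when the CPU fetches from $4010, so the echo is decoded as RTI, and RTI trusts whatever three bytes sit at $01F1-$01F3. In the real run those bytes are the ones the SMB3 side wrote before the cart swap; here they are seeded by hand.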
I’m going to make an fnf chart of those controller inputs
Can you make a non L+R TAS of this?
A non L+R TAS of this could certainly exist. For this TAS specifically, I only did the series of SMB3 inputs at the start of the video, as optimal SMB1 gameplay isn't my strong suit, and some friends of mine in the SMB speedrunning discord (Seraphmlll and Mizumaririn) did the SMB1 inputs. If I were to make that TAS myself it would likely be suboptimal.
@100thCoin Ah, ok. I was only wondering because I wanted to see what the best run could be.
0:02 super Mario 3 intro?
The first two seconds of this TAS happen inside Mario 3. There's some wild exploits where you press mismatched inputs 100 times in a single frame leading to an ACE exploit 11 frames after the console boots. I use that to write the payload that is executed in SMB1, as well as set up RAM so SMB1 will start in world 'N'.
You need to put the elements of your video above the timeline that UA-cam puts at the bottom of the video when paused. I am having trouble reading the text behind the controls at the bottom-right corner of the video.
That's definitely something I hadn't considered when I made this video, and something I'll be making an effort to fix in future videos. Thanks for the feedback!
I'm 100% sure Kosmic is talking about this TAS in his latest video
The video also included my total control "Travelling Salesman" TAS, in case you needed a bit more confirmation.
@100thCoin alright, thank you
Legendary
You could do the savestate thing to save the second it takes to walk to the axe
Niftski has competition
Are you planning to submit this to TASVideos? Hopefully switching games is allowed, because this TAS is awesome 🤞
I initially submitted a less optimized version on April first, and it seemed to have some incredibly positive feedback. It failed console verification, which led to us discovering the open bus inaccuracy in the current release of Bizhawk (2.9). That's been fixed for the next release, so I'll probably try submitting this after Bizhawk's next release? There is still the issue of swapping carts in the middle of the TAS. My current modification to Bizhawk to make cart swapping work is a little sloppy, so I doubt that pull request will go smoothly. I'll be asking the judges of TASVideos what to do before I submit, that's for sure.
Cartswap TASes are really cool.
Unfortunately you still need an exploit in both games; I guess you could write enough code to patch around the initialisation routine and achieve more control that way, but that seems sketchy.
I have a French keyboard (AZERTY keyboard) and due to that the , key works but the . key doesn't, since French keyboards use Shift+; for the . character, so due to that I can't frame advance forward. If anyone with an AZERTY keyboard can tell me how to frame advance, then please reply to this comment with the answer.
Late reply, but try the Windows On-Screen Keyboard. You should be able to toggle to QWERTY layout on that.
@Roro_2338 I still remember this video and thank you for the answer, I might try that soon to be able to step frame by frame.
So if we get ACE we can skip to Bowser and win in less than a minute
Bro what, I don’t know what else to say that just what
This is insane, so far beyond me
And how could you use ACE in SMB3 before even starting the game? Normally in SMB3 ACE you would clear 1-1 and 1-2 normally, grab the 2 warp whistles in 1-3 and 1-Fortress, warp to world 7, enter 7-1, place some Koopa shells in very specific spots, and clip into one of the pipes, entering it from the wrong direction, leading to you going Out of Bounds and with a few more inputs warp to the credits.
At SGDQ 2016, there was a TAS showcased that completes Mario 3 in 2 seconds. In 2018, Masterjun made improvements (so the credits don't softlock) and submitted a TAS that beats the game in 0.78 seconds. I optimized that further down to 0.22 seconds.
It's a lot to explain (and I plan to explain how those work in a future video) but to summarize:
A hardware issue can lead to DPCM audio samples corrupting the data read from the controller. SMB3 uses DPCM audio for drums in the music, so the developers needed a way to prevent the samples from corrupting the controller. Their solution is to read the controller in a loop until two consecutive reads match. If any of them don't match, it's assumed to be because the DPCM audio bug occurred, but in the world of TASing, I could maliciously mash the A button so fast that it never matches for two consecutive reads.
Due to the order of events in the NMI of SMB3, an IRQ is scheduled for 193 scanlines, ROM banks are swapped out for updating graphics, the controllers are read, then the banks are swapped back. If the IRQ occurs before the banks are swapped back, it jumps to address $A826 expecting bank 24, but bank 26 is loaded instead. An RTS instruction pulls unrelated data off the stack and we begin executing RAM from address $0001.
The game stored the buttons held + newly pressed buttons in address $17 and $18, and addresses $F5 through $F8. Using those bytes that I can control, I can create instructions for the CPU to process. In my 13 frame TAS, these instructions are TAX (X now equals $F4), TSX (I need the stack pointer to be greater than $30), JSR $0000, JSR $9000.
In my TAS that sets things up for ACE in SMB1, I use the bytes I can manipulate to write a function that gives me more control, then I use that to write everything I need before swapping carts. This function is mostly written by loading X with whatever byte I need, then storing it somewhere. I can't use the A or Y registers, since lots of other bytes on the zero page will change the values, but the X register can remain unchanged between frames, allowing me to swiftly LDX and STX to write code.
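Added illustration of the two mechanics in the reply above, not the video author's or the game's code. The first half models the controller-read loop as described (re-read until two consecutive reads agree) and feeds it three input sources: a steady pad, a pad with one DPCM-style corrupted read, and a subframe input stream that changes on every read, which never lets the loop exit before a read budget standing in for the scheduled IRQ runs out. The second half packs button sets into the opcode bytes the reply lists (TAX, TSX, JSR $0000, JSR $9000), so you can see which buttons have to be held for each byte. The bit order (A in bit 7 down to Right in bit 0) is the standard NES shift-register order and is an assumption about how the game stores its held/pressed bytes; the corruption model (one dropped bit) and the budget of 16 reads are also assumptions.

```python
"""Added model of SMB3's double-read controller loop and the button bytes for ACE.

Not the game's or the video author's code. Bit order and the corruption model
are assumptions; only the loop behaviour and the opcode list come from the thread.
"""
import itertools

BUTTONS = ["A", "B", "Select", "Start", "Up", "Down", "Left", "Right"]


def pack(pressed):
    """Button names -> one byte, A in bit 7 ... Right in bit 0 (assumed order)."""
    return sum(0x80 >> BUTTONS.index(b) for b in set(pressed))


def unpack(byte):
    """Byte -> list of button names whose bit is set, in BUTTONS order."""
    return [b for i, b in enumerate(BUTTONS) if byte & (0x80 >> i)]


def read_controller(next_read, budget):
    """Poll until two consecutive reads match.

    Returns (value, reads_used, interrupted). `budget` is how many reads fit
    before the scheduled IRQ fires; if it runs out the loop is abandoned with
    value None, which is the window the ACE setup relies on.
    """
    prev, used = next_read(), 1
    while used < budget:
        cur = next_read()
        used += 1
        if cur == prev:
            return cur, used, False
        prev = cur
    return None, used, True


def steady_pad(byte):
    """A human holding the same buttons: every read returns the same byte."""
    return lambda: byte


def glitched_once(byte):
    """Second read loses a bit (simplified DPCM corruption), then the pad is clean."""
    reads = iter([byte, (byte << 1) & 0xFF] + [byte] * 8)
    return lambda: next(reads)


def subframe_mash(byte):
    """TAS input that toggles between `byte` and nothing on every single read."""
    reads = itertools.cycle([byte, 0x00])
    return lambda: next(reads)


def demo(budget=16):
    a = pack({"A"})
    return {
        "steady": read_controller(steady_pad(a), budget),
        "glitched": read_controller(glitched_once(a), budget),
        "mashed": read_controller(subframe_mash(a), budget),
    }


# Opcode bytes the reply says the 13-frame TAS needs, as 6502 machine code.
WANTED = [("TAX", [0xAA]), ("TSX", [0xBA]),
          ("JSR $0000", [0x20, 0x00, 0x00]), ("JSR $9000", [0x20, 0x00, 0x90])]


def tas_inputs():
    """For each instruction, the button set per byte under the assumed bit order."""
    return [(name, [unpack(b) for b in code]) for name, code in WANTED]


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:8s} value={v[0]} reads={v[1]} interrupted={v[2]}")
    for name, buttons in tas_inputs():
        print(name, buttons)
```

The steady pad exits after two reads and the single glitch costs two extra reads, which is the case the developers were guarding against; the mashed stream is the one that matters here, because the loop is still spinning when the budget (the IRQ) arrives. The button lists only cover the bytes themselves; which zero-page addresses those bytes land in, and what the CPU executes on its way from $0001 to them, is game-specific and not modelled.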
You do know TAS timing ends when Mario touches the axe and not on the last input for both SMB and SMB2J, right? Those two games are the only exceptions to the "timing ends on the last input" rule. This TAS is actually a 1:15.725, not a 1:15.442
Actually, TASes have the same time rule for all games: time starts when the console or emulator is powered on/started and ends on the last input
@nehuensio TAS timing is different for SMB and SMB2J. For those two games, TAS timing ends when the player touches the axe
Holy shit.
Question, when jumping, the "A" being shown on the execute load screen being pressed, is the reason why there is a line of A's because it's a button being held down the whole time, or is it being pressed every time it's shown on the execute load? I've never programmed a TAS before, so this coding is new to me.
If the A Button is shown multiple times in a row, you can think of it as being held down.
@100thCoin Thank you, thought so, but wasn't 100% sure.
cool cool
How do I display keystrokes?
I would like to see it displayed in Bad Apple videos as well.
In the Bizhawk emulator, under "View" is an option for "Display Input" which shows on screen the buttons being pressed.
It's not very intuitive to display inputs like that for a subframe TAS though, as there are hundreds of inputs per frame.
@100thCoin tysm
Can i download the TAS file?
Sure! I mention in the description, that the TAS was made in a modified version of bizhawk. This was done for 2 reasons: Cartridge swapping, and fixing incorrect open bus emulation.
The solution for console verification was to send two separate TAS files. They can be found here:
SMB3 Inputs: tasvideos.org/UserFiles/Info/638160503431898737
SMB1 Inputs: tasvideos.org/UserFiles/Info/638179553100801346
The SMB3 run sets up the RAM, then the SMB1 run begins from a "savestate" that boots the game with the RAM the SMB3 TAS ends with.
Keep in mind, if you are using the current latest version of bizhawk (2.9) the SMB1 run will have incorrect open bus behavior, leading to the game rebooting at the end of the movie.
If you would prefer to have a single TAS file, that requires compiling my custom fork of Bizhawk that adds cart swapping. Let me know and I can link you to my fork of bizhawk, along with a single TAS file.
1:15 in smb1 was possible?
RTA viable when? With like... Tennis or smth idk
Oh wow
impress
Question: where are the < and > keys *on a phone?*
There is none, sorry
Bro why are people so hung up on 4:54 being the limit? Haven’t they seen this! /j
See guys, it is possible to get below 4:54
smb1 ACE :0
Some of us are stuck on mobile.
WHAT?!
So the thumbnail was a lie, no blue Mario 😢
Ah, my bad. The colors on the thumbnail are mimicking the "TAStudio" icon's color palette. In hindsight, as my channel grows, fewer and fewer people would get that reference. I've started to just leave the thumbnails with normal colors, since more people would understand. Sorry for the confusion.