Some common Q&A's I've noticed in the comments! 1. Will this work with the SMB+Duck Hunt cartridge? It will not, since the game selection screen clears all of memory before you can get to Mario. However, the SMB+Duck Hunt+World Class Track Meet 3-in-1 cartridge doesn't clear memory, so it will work on this version! 2. Doesn't this only work on the Famicom? Nope, it will work on the original NES as well! This is a common misconception. The trick was originally found by Japanese players, so a lot of the information came from players using a Famicom. Like the video states, even with the CIC that flips the power on and off, power to the system's memory is retained, which allows the trick to still work.
A small correction, the CIC doesn't flip the power on and off, it flips the reset signal. The NES is using SRAM, not DRAM, so the lack of a refresh signal is also not an issue. As such, the RAM contents are safe, unless the CPU overwrites any of it, potentially from reading glitched data as a memory write instruction.
@@Sonictheoofhog4 you could do this for authenticity I guess, but if you were making a ROM hack anyway you could just make a simple unlimited world selection at the title screen. From Kosmic's latest video it seems you can even do this with just a couple of Game Genie codes.
Yea I would have actually went through and played all the levels just to try them vs. warping to 4 and 8 to just beat it as quick as we could. Mario 3 gave ridiculous amounts of extra lives so at least you could enjoy the game when you were little.
As a kid, I remember cartridge swapping from some other game to 3D World Runner. It immediately played the ending to the game. I was amazed by it, but I could never reproduce it again. It's really great to know existing RAM values from the first game must've been the reason.
This reminds me of that crazy "Stop 'n Swop" method of performing Arbitrary Code Execution in Paper Mario. It uses some glitches in Ocarina of Time to setup RAM, and then swaps the cart over to Paper Mario quickly enough that the prepared RAM doesn't decay. Cool to see a similar trick used here, and get a technical explanation of it.
@@ZetaPyro Dk64 too, it was planned for 5 Rareware games to have unlockables using that trick though only 3 are known Dk64 and Banjo getting the most implementation of it before getting the stop notice from Nintendo.
@@ZetaPyro The whole "Stop and Swap" idea was based on the specs of a prototype N64, where the memory regions required to make it work wouldn't "decay" for 5 seconds or so. The intended release console had the same areas "decay" in a much faster time frame (something like half a second) instead, so Rare had to abandon the idea as unworkable.
I know this has little relevance, but I strongly desire to see an Ocarina of Time ACE where the entirety of the NES game Dr. Jekyll and Mr. Hyde is written as arbitrary code, executed, and then when it's done it skips to Ocarina of Time's normal ending except instead of "CURSE YOU" Ganondorf is openly questioning what just happened. To be even funnier about it, make it a sprite hack of Dr. Jekyll and Mr. Hyde where Dr. Jekyll is Link and Mr. Hyde is Ganondorf.
I didn't know you could do this with an Nes but the Sega Master System and Genesis...oh yes. My favorite thing to do was plug in Altered Beast in my Genesis, starting it up, waiting for the blue Sega logo to appear, pulling the cartridge from the console, inserting Space Harrier 2, and getting 50 lives at the beginning of the game! I have so many more stories of this kind of thing happening that I could be here all night. Neat episode!
I remember hearing that this glitch was rather famous in Japan and that magazines had Famicom BASIC listings that would let you setup a cartridge swap manually. I don't remember if American magazines cottoned onto it or not. Also, I'm pretty sure this particular glitch is why the SNES and Game Boy both had physical interlocks to prevent you from swapping cartridges with the power on. I imagine Nintendo also got PTSD flashbacks when Rare said "hey what if you could swop cartridges to move items between two games".
I was a Playstation kid growing up. I remember doing this for GTA 1. If you were loaded into a city, remove the disc and insert a music CD of your choice. The radios now play the CD tracks.
Same thing happens in Ridge Racer. Although, I'd assume it's because the game is loaded into the PS1's RAM, because the disc only spins after the loading screen to read the music during gameplay.
The technical explanation is good and makes sense, would never have guessed the correlation between the two games to trigger the glitch though. Look forward to the next episodes on this!
I'm glad I finally got an answer on why this happens. I remember hearing about this years ago (I think it was on an episode of "PopFiction"?), but they really didn't go super in depth on why it happens. In fact, I think they said it's random where you go. But since it's based on number of foot step sounds, that sounds actually pretty easy to control. Nice video! Looking forward to part 2.
That's the best part about computer programs. Since they are deterministic by nature, every little quirk can be explained and recreated sooner or later
Unless that memory degredation plays a part. If that's a natural process and can be replicated it might make for a useful element for a randomiser. Possibly even use the degraded value as a seed number.
@@kri249 Memory loss on power out is both too predictable and not predictable enough. It doesn't fade out gradually, it'll go whole chip at a time. And when power comes back it's not really random what data is there. It'll be different from chip to chip, but they'll usually come back with the same or similar values each time (maybe a few bits here and there will change, but not enough to be properly random). This is why games that need randomisation will often do things like count the number of times you've pressed a button, or taken a step etc. In fact, that's probably the real reason that Tennis is counting the number of steps, it's just a minor bug that it only counts when it makes the noise. That's the 8/16 bit era approach to randomisation anyway. On modern consoles there's enough going on internally (as well as a battery-backed up clock) that they can generate a pseudo-random number that isn't directly linked to player input (which makes RNG manipulation in TAS runs impossible)
From your explanation of what all the bytes do, it seems entirely plausible that there exists some game that writes directly to the "enable world select" byte without corrupting the score or the A5 magic number. If so, it may have never been discovered because enabling world select is a much less flashy effect than loading glitchy worlds. Alternatively, maybe cycling the power will occasionally cause the "world select" byte to decay to nonzero without yet corrupting the A5 on some consoles!
I was able to get Mickey Mousecapade to start Mario at world 2 instead of 1, but that's as far as I got with my research, it was pretty monotonous scanning through the entire NES library manually!
Besides, this also keeping in mind that, even after doing all this, people might just press Start in Super Mario Bros. anyway, starting back at world 1-1 and undoing the glitch. In this scenario, the player might not even have realized SMB was glitched to begin with.
Some bugs are found out by debugging ("Hey, SMB1 differenciates between a cold and warm reset! I wonder if other games do that and what I can manipulate between different games by swapping cartridges out?") considering that the circumstances are so rare, it's practically impossible to notice them by pure accident.
@@MarioFanGamer659 True, but since this one was also known when the game was released, it's more likely that a dev or tester noticed and told a magazine rather than a hacker finding out in an emulator.
I used to do this quite a lot with Sega Genesis games. One particularly useful trick was to transfer the much easier Sonic 2 level select and debug unlocks to Sonic 3, as Sonic 3's cheat code was VERY difficult to get working. Just unlock them in Sonic 2, swap cartridges with the power on and press Reset - it works because all Sonic games use the same memory addresses for variables like this!
I just watched Kosmic’s video playing with this glitch, and was super curious how the memory structure worked. Excited to see the next segment, since the level alterations are honestly the oddest part
Honestly, what bothers me is why hasn't he, or any other SMB runner for that matter, thought of using that particular glitch to just wrong warp to world 8 and beat SMB any% faster than ever before.
2:30 I guess that explains why Dr Mario on my 260-in-1 cart would glitch if i abused the power button, and went to select the game everytime. Everytime i did that, there was a chance all menu cursors would be in invalid positions, letting us load glitched levels, speeds, and songs. And it would also set something in there that would allow viruses to spawn more than twice in a row, in rows or columns. The game would crash often because of a too high combo due to this.
@@resiseven7407 glitchy. Some of them are even random in some way... and some of thembwill have varying tempo depending on the progress of the menu song. For example, quickly going to the main game while the menu song is playing those four "hits" at the start, the glitch songs will have a high tempo. If i do another "glitch" video, Dr Mario will have a ton of content, including glitched cutscenes, which was also possible with the real console.
@@clay1086 I do have ways now to directly record from my NES, assuming it would work, so i just might do that. No promises, since it could have also been a faulty NES i had back then.
What a fascinating topic and execution. This is the kind of stuff I'm here for. Love to see how your style and animations are progressing - everything is looking top tier as heck these days! Great stuff!! :)
I first saw this trick mentioned in an issue of Tips & Tricks magazine. What's fascinating is that in Japan this glitch is as popular as the Minus World, if not more so. It also inspired World 9 in Super Mario Lost Levels.
This channel is so good because the concepts are explained so well and are applicable to many other areas of low level programming outside of video games.
Profound explanation and visuals! Could you shed some light on what tools you use to make your animations? Especially on how you sync up the memory values to what is going on on screen? how do you dump the values from the emulator?
2:33 This reminds me of the way how SNES9x initialises RAM where the default value is 0x55, though the real values are more or less random which causes some bugs which appear out of nowhere in some SNES games due to non-initialised memory.
Hey, I don't know if you'll read this but I'll put it out there anyway. Your videos are beyond superb and I really enjoy them. I am not a programmer myself but I am very interested in the ins and outs of old school software. The way you present information is so concise and well written that I can somehow manage to grasp it despite my programming knowledge only spannning some really elementary C in highschool and some simple html and css in college. Keep up the good work and I look forward to more videos.
Your videos are always awesome to watch. There are very few channels where I'm actually excited when they upload something new, but yours is definitely one of them!
Thanks for the fantastic video and explanation! The biggest shocker for me is that you can continue on the same world after dying by holding down A and pressing start after dying. I would have loved to know that back in the 80’s. Did anyone know about it back then? I thought I knew all the “cheat codes” back then, but this one is huge and so simple.
A different but somewhat related trick was actually the lesser known (and significantly easier) of two ways to access the stage select screen in Sonic 3 (by itself, *not* when locked-on to Sonic and Knuckles). You'd need a copy of Sonic 2, enter the level select code on that game (go to the sound test in the options menu, and enter 19, 69, 09, 17 and press start), then remove the cartridge without powering off the Genesis, put Sonic 3 in, press reset and when the title screen came up, pressing down twice would reveal a "Sound Test" option, which just so happened to have the level select. IIRC some of the S&K stages were listed as well but you couldn't actually select them.
You can also access glitch worlds by simply inserting the NES Super Mario Bros. cartridge incorrectly/crooked. I did this a bunch of times back in the day for crazy level layouts and even levels where the graphics & enemy placements would change mid-way along the screen as it scrolled and sometimes terrain didn't even correlate with collision detection. All our other games would straight up crash or trigger the copy protection thing in the NES (boot loop) when inserted incorrectly.
I remember reading about this exact thing in some Gaming Monthly Magazine in the 90s/00s. It was a tips n' tricks entry on the bottom of some other game review. Wish I could find it again. So fun to see it on TH-cam.
The live RAM view as you play the games is really helpful. I’m curious how they decided to lay out memory for these games - it just uses a byte here, a byte there. Overall an excellent explanation, thanks.
On most assemblers you just ask for it to reserve some RAM, and you get a nice label for that address. So the allocation of memory is fixed per-game but effectively random otherwise. You CAN manually pick out RAM addresses, of course, but I'm not sure why you would want to do this.
@@SuperSmashDolls Oh there's lots of reasons to manually pick out RAM addresses on the NES. Reading/writing from the first 256 bytes of ram is fastest, followed by accesses within the same 256-byte block from the last read. Yo u can save a lot of cycles by laying out your memory structures efficiently.
@@SuperSmashDolls But on assemblers/linkers that I'm familiar with, they won't randomly assign non-contiguous bytes. Generally the linker will put the data sections of object files in consecutive order. Of course I don't know how it worked with their 1984 toolchain, but it looked more manual to me. In embedded systems, it is not uncommon to manually define the linker script to select specific memory addresses or at least regions, and consoles of this type are effectively embedded systems.
I feel so smart when I watch these videos! Like, the tech isn't simple, but it is put in clear words and graphics that I can follow easily! I'm looking forward to the rest of this series!
All of your videos are such a treat. I never knew of this coincidence, nor did i know anything before this video about Super Mario Bros's implementation, but just hearing your explanation makes me so intrigued and invested in the topic and I love it ahhaha
I actually remember a while back mentioning this to some friends a while back, but with Tetris instead of Tennis. They didn’t believe me and whenever I tried finding it I never could. Thank you for this man
I immediately knew it had to be some kind of RAM Manipulation trick, your breakdown made it really easy to see how all of this works and how other games might have similar phenomena.
Interesting thing, I've see this on other video before this. SMB1 must be inserted first, that will write A5 to 07FF, then player could use Tennis to adjust 07FD value by walking around, continue world=step+1. Now I can see your more detail explaining, good work!
The CIC doesn't flip the power on and off. It just toggles the /RESET line, which is normally at +5v and resets the CPU when it goes low. The power LED on the NES is on the /RESET line, not the +5v line.
Nice discovery! I had found something like this with Street Fighter II: Championship Edition & Super Street Fighter II on the Genesis using a similar cartridge swap technique decades ago. It took away all random elements so that enemies were more predictable and it reset controller mappings so that attacks could be performed merely by moving the character.
THANK YOU! When I was a kid I called a 976 game hot line and heard this trick and did it all the time with my friends in the neighborhood. I moved about a year later and lost my Tennis game in that move. Since then NO one believed me when I explained this “hack”. Thank you for proving to everyone at Boiling Springs Jr High I wasn’t lying
Reminds me of how some Konami MSX games could be combined with another cart in the second slot to unlock secrets. You could even unlock a secret final level in Salamander by combining it with Gradius 2/Nemesis 2. Of course, that was all intentionally programmed in.
A great video! I could watch this as background audio and still manged to understand every detail. Not many videos are capable of doing this, so great work!
this is interesting! the results are just 'remixed' versions of already existing levels. even though it's a glitch, it would've been cool to see this actually added into the game in a similar way worlds A & B were in Lost Levels
Very interesting video! 🤩 I had a multi-game cartridge, something like 99 in one. By disconnecting the slot contacts one by one from the cartridge board during the game selection screen (don't ask me why 😂), I discovered a situation where the list of games increased to several thousand. And there you could select glitch levels directly from the list. And it was reproducible, so I just attached a button to the cartridge that disconnects that same contact and could enter the “extended” list at any time 😎
I hope you cover the 8F item in generation one Pokémon sometime. Given it's a cheats-free accessible glitch item that allows you to *_literally reprogram_* not just Pokémon R/B/Y, but also _other games,_ I dare say it's one of the craziest things out there, and very worthy of a look.
I love how because of just how much in-house development happens with Nintendo, there's a plethora of games that are way too comfortable playing in the deep recesses of the hardware and they keep breaking all DRM in Nintendo consoles and games.
@@PosthumanHeresy It has nothing to do with that. 8F is an unintended glitch item that, like any item, executes code when you use it - it just executes it from an unintended address. Namely, from things you can manipulate (bag contents and such) - therefore allowing you to effectively decide what code 8F ends up running. Yes, this sounds incredibly stupid, like the most insane oversight that no developer would ever let slip, but it's real. A dude on TH-cam once reprogrammed Pokémon Red into Pong using it, and you can even make 8F pause code execution to allow you to quickly switch cartridges to different games, and then run the rest of the code - so you can even run code in _any_ GameBoy game using it.
@@AniGaAG Oh I believe it's real. But do you know the history of Nintendo hardware jailbreaking? Nintendo _keeps doing this_ over and over. So many different Nintendo games have a glitch that allows you to execute arbitrary code and do whatever the hell you want to the entire machine. For some reason, Nintendo has had a decades-long problem with games being able to do this across pretty much every platform they release.
@@AniGaAG Several links down a chain of ownership that goes back to Nintendo. It's corporate consolidation. Businesses owning businesses that own businesses. Game Freak is currently in the same building as Nintendo EPD Tokyo, Nintendo PTD Tokyo, HAL Laboratory and 1-Up Studio.
It makes me wonder if A5 might mean anything significant like how MZ (the "Magic Number" at the beginning of any DOS EXE or the DOS Stub of most Windows EXEs) are the initials of Mark Zbikowski. I also own another NES game that performs a "Warm Start Check" when the console is reset - Rad Racer (when you press the Reset button after the title screen, it takes you to the Car select screen).
Interesting that this works, as all of the other guides I'd seen always acted like this was only possible on the Famicom (or the JP carts on the top loader). I thought it had to do with the Reset button actually resetting the memory, or the CIC chip causing it to fail.
Funny thing is, they could have prevented this with AND #7 to mask off the invalid worlds, you'd still be able to do the cartridge swap trick but you'd be limited to the "real" worlds only.
I remember having some problems with this on MiSTer, because some of those cores don't clear parts of the memory on game load. Some games would totally glitch out weirdly, and then you'd have interesting effects like being able to load your Pokemon Ruby save file in Pokemon Emerald.
Upcoming Nitpicks: My experience with SRAM (as used on the NES) is that the instant the power goes out, the contents is lost (or something in the realm of milliseconds). The CIC only toggles RESET which is connected to the power LED. DRAM however retains its data in exactly the way you were explaining. Fun fact: Use a Commodore C16 (which uses DRAM), write a program to draw some graphics, turn off the machine, wait a second, turn it back on and enter graphics mode without clearing the screen. Your drawing will still mostly be there. After two seconds, it's heavily corrupted but still recognizable.YMMV.
It’s actually really interesting to see how these old systems work. Also when you explained how RAM worked and how it could be used to transfer data from one game to another it got me to think about the N64 and how rare tried to use the RAM in the N64 to transfer data between banjo kazooie and it’s sequel banjo tooie. I don’t know how much you know about The N64 but it would actually be a cool idea to do a video on that system and how it would have actually worked and what the challenges would have actually been if they have fully implemented it. The only thing I know is that they scraped it because newer versions of the N64 cleared RAM a lot faster then the original version of the console did. But I actually don’t know anything else about how that system worked or how it would have been implemented.
I remember (idk which game) if u overflowed a certain game too much at a point it would read the extension pack, except the game didint use it, so what people did was load another game and put data onto the extension pack, then go back into that game, overflow it and then it would read the extension pack and run custom code, including going to the end of it.
@@SOTP. I think I heard about that! If I remember correctly it had something to do with Zelda and paper Mario but I don’t remember the details! I do remember watching a video about it like a year or two ago!
The CIC isn't cycling power but instead it is cycling the reset line of the CPU. Keeping the console on while swapping carts means the RAM stays powered and thus retains its data. The NES uses SRAM for the system RAM which is basically sets of logic gates with one of two states held by the voltages in the memory cells. When powering off the voltage reference of the chip will drop to zero, and alongside it all the voltages being held in the "on" cells. While SRAM is known to have extremely low quiescent current, since it is tied to all the other chips during power off it will have plenty of paths to discharge its voltage and thus quickly lose its memory.
6:10 0xA5 (along with 0x5A) is a "special" value you'll often find as placeholder or magic numbers in embedded development. Why? Because A5A5A5A5... is 1010101010 in binary, 5A5A5A5... is 01010101, so: 1- you can instantly create a recognizable pattern, and one you can easily memorize 2- 0xA5 and 0x5A have a maximum Hamming distance, i.e. 0xA5 = NOT 0x5A 3- Exactly half the bits are 1s and half are 0s, so it has less chance of having the special properties of 0xFF or 0x00 (reset values, etc.) 0xDEADBEEF, 0xDECACAFE, 0xBAADBEEF, etc. are similarly 'special' values often used as placeholders.
How does one even find this? I just imagine it went like this: “Hmmmm im getting bored of Mario, I’ll play tennis” _about 1.5 seconds later_ “I’m bored of tennis now I’m gonna go back and play Mario” “Ok lemme pick up where I left off an- WHAT WORLD 9!?!? Why did this happen?” *…* “Good thing I’m a coding mastermind and know what every single bit of every NES game does!”
8:04 nice I had no idea this was possible on an NES. I'm also kinda sad you didn't bring up how this was kind of a big deal in Japan and all the guidebooks that got published showing all the different worlds you can visit.
This is really interesting, I never thought of the possibility of messing up games' RAM values by just changing games without powering off the console first
I kinda did this with a Game Boy Advance game once, I popped out the SEGA SmashPack during I think Golden Axe and put in Mario Pinball Land, and it just started to play though all of Pinball Land's voice clips and samples.
Very interesting. I was familiar with the basic mechanics at play (hello OoT/PM stop n swop) but I didn't know what exactly allowed it here. Out of curiosity, I see that in the highlighted range, there's one unexplained byte that's changing. Do you happen to know what it corresponds to? Given that it looks like it's oscillating in a small range, I assume it's some sort of animation number?
A5 is 10100101, so it might make sense for it to be a resting state, but it seems more likely to be a sentinel value. Specifically, it reminds me of the fact that the last two bytes of an x86 bootloader have to be AA 55 (10101010 01010101) in order to be recognized
Three questions: 1. What do you do for a living besides youtube or is this your main gig? 2. Did you go to school after high school and what was your major? 3. How did you come across this "hack"? Very interesting video. Thanks for sharing and I hope to not get buried in the comments lol
The Sega Genesis does something similar. I used to put in Golden Axe then swap it for Thunderforce IV (Lightening Force here in the U.S.). The swap would give you invulnerability in TFIV. I used it to beat the game.
Imagine some kid who was really bored, started up mario, decided he'd rather play tennis, 30 seconds in thought he'd rather play mario, and then spends the next 4 hours trying to replicate the secret code he put in to get to the secret world.
It's nice to get an explanation of how this happens technically but this strange behaviour has been known about for quite a while, I wonder how it was first discovered.. maybe somebody was too lazy to switch their nes off between games?
Some common Q&A's I've noticed in the comments!
1. Will this work with the SMB+Duck Hunt cartridge?
It will not, since the game selection screen clears all of memory before you can get to Mario. However, the SMB+Duck Hunt+World Class Track Meet 3-in-1 cartridge doesn't clear memory, so it will work on this version!
2. Doesn't this only work on the Famicom?
Nope, it will work on the original NES as well! This is a common misconception. The trick was originally found by Japanese players, so a lot of the information came from players using a Famicom. Like the video states, even with the CIC that flips the power on and off, power to the system's memory is retained, which allows the trick to still work.
A small correction, the CIC doesn't flip the power on and off, it flips the reset signal. The NES is using SRAM, not DRAM, so the lack of a refresh signal is also not an issue. As such, the RAM contents are safe, unless the CPU overwrites any of it, potentially from reading glitched data as a memory write instruction.
Time to make a Super Mario Bros and Tennis ROM hack for Super Mario Bros, Duck Hunt, and Track Meet so this can be easily done on a emulator
was the amount of coins being 69 in the start + a example intentional
Is this possible on the model 2 top loader or just the original nes? Great video 🤘
@@Sonictheoofhog4 you could do this for authenticity I guess, but if you were making a ROM hack anyway you could just make a simple unlimited world selection at the title screen. From Kosmic's latest video it seems you can even do this with just a couple of Game Genie codes.
Never knew holding "A" when you pressed start let you continue from the last world. That would have been handy as a kid when it came out lol.
I KNOW!!!
I'm so pissed. Wtf was old games issue with telling you info?
Yeah.. if I knew that back then!
Not sure why Nintendo Power never shared this tip! I have never heard of this. It would have radically changed my enjoyment of the game
Yea I would have actually went through and played all the levels just to try them vs. warping to 4 and 8 to just beat it as quick as we could. Mario 3 gave ridiculous amounts of extra lives so at least you could enjoy the game when you were little.
As a kid, I remember cartridge swapping from some other game to 3D World Runner. It immediately played the ending to the game. I was amazed by it, but I could never reproduce it again. It's really great to know existing RAM values from the first game must've been the reason.
I hated 3d world runner, and am still amazed the amount of hours I spent on it
This reminds me of that crazy "Stop 'n Swop" method of performing Arbitrary Code Execution in Paper Mario. It uses some glitches in Ocarina of Time to setup RAM, and then swaps the cart over to Paper Mario quickly enough that the prepared RAM doesn't decay. Cool to see a similar trick used here, and get a technical explanation of it.
Yeah, and Banjo-Kazooie and Banjo Tooie planned to use this as a designed feature too, but it was too unreliable and was scrapped
@@ZetaPyro Dk64 too, it was planned for 5 Rareware games to have unlockables using that trick though only 3 are known Dk64 and Banjo getting the most implementation of it before getting the stop notice from Nintendo.
@@ZetaPyro The whole "Stop and Swap" idea was based on the specs of a prototype N64, where the memory regions required to make it work wouldn't "decay" for 5 seconds or so. The intended release console had the same areas "decay" in a much faster time frame (something like half a second) instead, so Rare had to abandon the idea as unworkable.
Exactly what I was thinking.
I know this has little relevance, but I strongly desire to see an Ocarina of Time ACE where the entirety of the NES game Dr. Jekyll and Mr. Hyde is written as arbitrary code, executed, and then when it's done it skips to Ocarina of Time's normal ending except instead of "CURSE YOU" Ganondorf is openly questioning what just happened.
To be even funnier about it, make it a sprite hack of Dr. Jekyll and Mr. Hyde where Dr. Jekyll is Link and Mr. Hyde is Ganondorf.
I didn't know you could do this with an Nes but the Sega Master System and Genesis...oh yes. My favorite thing to do was plug in Altered Beast in my Genesis, starting it up, waiting for the blue Sega logo to appear, pulling the cartridge from the console, inserting Space Harrier 2, and getting 50 lives at the beginning of the game! I have so many more stories of this kind of thing happening that I could be here all night. Neat episode!
I would like to hear some of them!
this story sounds like the beginning of action replay
IIRC, I used Altered Beast to get 91 lives with Thunder Force 2.
@@ironbowtie
Yes! I remember that. ;)
Some more stories please
I remember hearing that this glitch was rather famous in Japan and that magazines had Famicom BASIC listings that would let you setup a cartridge swap manually. I don't remember if American magazines cottoned onto it or not.
Also, I'm pretty sure this particular glitch is why the SNES and Game Boy both had physical interlocks to prevent you from swapping cartridges with the power on. I imagine Nintendo also got PTSD flashbacks when Rare said "hey what if you could swop cartridges to move items between two games".
why is everyone saying ‘sw**o**p’ is that literally what it was called?
@@tauon_ Stop & _Swop_
@@kellymountain so it is literally called swop then
weird
@@tauon_ It's a cartridge swap, unless you're talking about Banjo & Kazooie, in which case it's a cartridge sw*o*p.
Technacally if ur fast enough u can just turn it off, swap and turn on again.
2:18 I LOVE how you accurately pointed out which pins are used for receiving power. Fine details like that get my nerd juices going.
I was a Playstation kid growing up. I remember doing this for GTA 1. If you were loaded into a city, remove the disc and insert a music CD of your choice. The radios now play the CD tracks.
Same thing happens in Ridge Racer. Although, I'd assume it's because the game is loaded into the PS1's RAM, because the disc only spins after the loading screen to read the music during gameplay.
That was on purpose if I recall
Its a feature tho
Won’t be surprised if that was done on purpose
The technical explanation is good and makes sense, would never have guessed the correlation between the two games to trigger the glitch though. Look forward to the next episodes on this!
I'm glad I finally got an answer on why this happens. I remember hearing about this years ago (I think it was on an episode of "PopFiction"?), but they really didn't go super in depth on why it happens. In fact, I think they said it's random where you go. But since it's based on number of foot step sounds, that sounds actually pretty easy to control. Nice video! Looking forward to part 2.
That's the best part about computer programs. Since they are deterministic by nature, every little quirk can be explained and recreated sooner or later
Unless that memory degredation plays a part.
If that's a natural process and can be replicated it might make for a useful element for a randomiser. Possibly even use the degraded value as a seed number.
@@kri249 Memory loss on power out is both too predictable and not predictable enough. It doesn't fade out gradually, it'll go whole chip at a time. And when power comes back it's not really random what data is there. It'll be different from chip to chip, but they'll usually come back with the same or similar values each time (maybe a few bits here and there will change, but not enough to be properly random). This is why games that need randomisation will often do things like count the number of times you've pressed a button, or taken a step etc. In fact, that's probably the real reason that Tennis is counting the number of steps, it's just a minor bug that it only counts when it makes the noise.
That's the 8/16 bit era approach to randomisation anyway. On modern consoles there's enough going on internally (as well as a battery-backed up clock) that they can generate a pseudo-random number that isn't directly linked to player input (which makes RNG manipulation in TAS runs impossible)
@@TheRabbitPoet not necessarily! I think it was... a proton? That caused a speedrunner to upwarp in Mario 64 and nobody was able to recreate it
Wow PopFiction is a throwback.
From your explanation of what all the bytes do, it seems entirely plausible that there exists some game that writes directly to the "enable world select" byte without corrupting the score or the A5 magic number. If so, it may have never been discovered because enabling world select is a much less flashy effect than loading glitchy worlds.
Alternatively, maybe cycling the power will occasionally cause the "world select" byte to decay to nonzero without yet corrupting the A5 on some consoles!
I was able to get Mickey Mousecapade to start Mario at world 2 instead of 1, but that's as far as I got with my research, it was pretty monotonous scanning through the entire NES library manually!
Besides, this also keeping in mind that, even after doing all this, people might just press Start in Super Mario Bros. anyway, starting back at world 1-1 and undoing the glitch. In this scenario, the player might not even have realized SMB was glitched to begin with.
Some bugs are found out by debugging ("Hey, SMB1 differenciates between a cold and warm reset! I wonder if other games do that and what I can manipulate between different games by swapping cartridges out?") considering that the circumstances are so rare, it's practically impossible to notice them by pure accident.
@@RGMechEx of COURSE it'd be Mickey Mousecapade
@@MarioFanGamer659 True, but since this one was also known when the game was released, it's more likely that a dev or tester noticed and told a magazine rather than a hacker finding out in an emulator.
I used to do this quite a lot with Sega Genesis games. One particularly useful trick was to transfer the much easier Sonic 2 level select and debug unlocks to Sonic 3, as Sonic 3's cheat code was VERY difficult to get working. Just unlock them in Sonic 2, swap cartridges with the power on and press Reset - it works because all Sonic games use the same memory addresses for variables like this!
this was a fun explanation :) looking forward to part two!
oh hey, you're that one youtuber that makes very interesting videos and also music for some reason (it's good music tho)
You are the most person here
Why am I not surprised that jan Misali would be here
also verified! Nice!
@@parnikkapore Why am I surprised that jan Misali would be here?
@@infiniteplanes5775the person of all time
You were right it was interesting! Always loved cartridge swapping, tilting and the other things you weren't supposed to do with them
1 day ago!?
@@SoyLuciano yeah how did he comment for a day on something that was released 45 minutes ago. Unless this is an edit
@@Clarence_13x Patreon
@@rebane2001 it just doesn’t seem ethical. It paints a picture of an alternative integrity.
@@Clarence_13x You think supporting a creator monetarily and getting to watch the video a day early as a reward is unethical??
I just watched Kosmic’s video playing with this glitch, and was super curious how the memory structure worked. Excited to see the next segment, since the level alterations are honestly the oddest part
i think the level oddities are the basis for that backrooms thing
Honestly, what bothers me is why hasn't he, or any other SMB runner for that matter, thought of using that particular glitch to just wrong warp to world 8 and beat SMB any% faster than ever before.
2:30
I guess that explains why Dr Mario on my 260-in-1 cart would glitch if i abused the power button, and went to select the game everytime.
Everytime i did that, there was a chance all menu cursors would be in invalid positions, letting us load glitched levels, speeds, and songs.
And it would also set something in there that would allow viruses to spawn more than twice in a row, in rows or columns.
The game would crash often because of a too high combo due to this.
this is a pretty cool glitch
You should try to recreate and record that fr
what were the glitched songs like?
@@resiseven7407 glitchy.
Some of them are even random in some way... and some of thembwill have varying tempo depending on the progress of the menu song. For example, quickly going to the main game while the menu song is playing those four "hits" at the start, the glitch songs will have a high tempo.
If i do another "glitch" video, Dr Mario will have a ton of content, including glitched cutscenes, which was also possible with the real console.
@@clay1086 I do have ways now to directly record from my NES, assuming it would work, so i just might do that. No promises, since it could have also been a faulty NES i had back then.
I love these technical explanations man, you're really rocking it out of the park.
What a fascinating topic and execution. This is the kind of stuff I'm here for. Love to see how your style and animations are progressing - everything is looking top tier as heck these days! Great stuff!!
:)
I'm so amazed at how deep and technical your knowledge is on the console, thank you so much
I first saw this trick mentioned in an issue of Tips & Tricks magazine.
What's fascinating is that in Japan this glitch is as popular as the Minus World, if not more so. It also inspired World 9 in Super Mario Lost Levels.
This channel is really a gem and deserves more recognition!
0:47 Can we appreciate the coin counter on top of the screen
Nice
This channel is so good because the concepts are explained so well and are applicable to many other areas of low level programming outside of video games.
Profound explanation and visuals! Could you shed some light on what tools you use to make your animations? Especially on how you sync up the memory values to what is going on on screen? how do you dump the values from the emulator?
After Effects! I have a video on the channel about some of my video editing processes.
I was just wondering that myself.
2:33 This reminds me of the way how SNES9x initialises RAM where the default value is 0x55, though the real values are more or less random which causes some bugs which appear out of nowhere in some SNES games due to non-initialised memory.
Hey, I don't know if you'll read this but I'll put it out there anyway. Your videos are beyond superb and I really enjoy them. I am not a programmer myself but I am very interested in the ins and outs of old school software. The way you present information is so concise and well written that I can somehow manage to grasp it despite my programming knowledge only spannning some really elementary C in highschool and some simple html and css in college. Keep up the good work and I look forward to more videos.
Amazing! Memory usage in retro games has always fascinated me.
Your videos are always awesome to watch. There are very few channels where I'm actually excited when they upload something new, but yours is definitely one of them!
Thanks for the fantastic video and explanation! The biggest shocker for me is that you can continue on the same world after dying by holding down A and pressing start after dying. I would have loved to know that back in the 80’s. Did anyone know about it back then? I thought I knew all the “cheat codes” back then, but this one is huge and so simple.
If I was shown this as a kid, it would blow my mind. Thanks for sharing this, nice to see that we can still find new hidden secrets with old games.
A different but somewhat related trick was actually the lesser known (and significantly easier) of two ways to access the stage select screen in Sonic 3 (by itself, *not* when locked-on to Sonic and Knuckles).
You'd need a copy of Sonic 2, enter the level select code on that game (go to the sound test in the options menu, and enter 19, 69, 09, 17 and press start), then remove the cartridge without powering off the Genesis, put Sonic 3 in, press reset and when the title screen came up, pressing down twice would reveal a "Sound Test" option, which just so happened to have the level select. IIRC some of the S&K stages were listed as well but you couldn't actually select them.
Love this kind of content. No better way to learn new stuff than to learn how the stuff you loved as a kid works.
You can also access glitch worlds by simply inserting the NES Super Mario Bros. cartridge incorrectly/crooked. I did this a bunch of times back in the day for crazy level layouts and even levels where the graphics & enemy placements would change mid-way along the screen as it scrolled and sometimes terrain didn't even correlate with collision detection.
All our other games would straight up crash or trigger the copy protection thing in the NES (boot loop) when inserted incorrectly.
This is a fascinating insight into how memorry addressing works. Thank you for this!
Was looking forward to this one. I knew about this but never really understood why it happened. Expecting amazing quality as always!
I remember reading about this exact thing in some Gaming Monthly Magazine in the 90s/00s.
It was a tips n' tricks entry on the bottom of some other game review. Wish I could find it again. So fun to see it on TH-cam.
Neat! I love the way you explain and illustrate things in your videos so it's easy to understand. Thank you!
It is the first time I understand everything you explain. Thank you for this relaxing time
Thats nuts. I remember seeing some wild cart-swapping tricks for the genesis in Gamepro back in the day.
The live RAM view as you play the games is really helpful. I’m curious how they decided to lay out memory for these games - it just uses a byte here, a byte there. Overall an excellent explanation, thanks.
On most assemblers you just ask for it to reserve some RAM, and you get a nice label for that address. So the allocation of memory is fixed per-game but effectively random otherwise.
You CAN manually pick out RAM addresses, of course, but I'm not sure why you would want to do this.
@@SuperSmashDolls Oh there's lots of reasons to manually pick out RAM addresses on the NES. Reading/writing from the first 256 bytes of ram is fastest, followed by accesses within the same 256-byte block from the last read. Yo u can save a lot of cycles by laying out your memory structures efficiently.
@@SuperSmashDolls But on assemblers/linkers that I'm familiar with, they won't randomly assign non-contiguous bytes. Generally the linker will put the data sections of object files in consecutive order. Of course I don't know how it worked with their 1984 toolchain, but it looked more manual to me. In embedded systems, it is not uncommon to manually define the linker script to select specific memory addresses or at least regions, and consoles of this type are effectively embedded systems.
This video keeps things very simple, especially in comparison to the second. Thank you for that, it makes this comprehensible to a noob like me!
I feel so smart when I watch these videos! Like, the tech isn't simple, but it is put in clear words and graphics that I can follow easily! I'm looking forward to the rest of this series!
All of your videos are such a treat. I never knew of this coincidence, nor did i know anything before this video about Super Mario Bros's implementation, but just hearing your explanation makes me so intrigued and invested in the topic and I love it ahhaha
These videos are so patiently and expertly explained. Excellent work.
i love binge watching these videos while understanding absolutely nothing
I actually remember a while back mentioning this to some friends a while back, but with Tetris instead of Tennis. They didn’t believe me and whenever I tried finding it I never could. Thank you for this man
I immediately knew it had to be some kind of RAM Manipulation trick, your breakdown made it really easy to see how all of this works and how other games might have similar phenomena.
Interesting thing, I've see this on other video before this. SMB1 must be inserted first, that will write A5 to 07FF, then player could use Tennis to adjust 07FD value by walking around, continue world=step+1. Now I can see your more detail explaining, good work!
Looking forward to the next episode! This was super informative. Very fun to see how and why the tricks we know and love actually function
The CIC doesn't flip the power on and off. It just toggles the /RESET line, which is normally at +5v and resets the CPU when it goes low. The power LED on the NES is on the /RESET line, not the +5v line.
Always a joy to see new RGM uploads!
I was like "woah, so it's a three-part'er! Gonna watch the other two quickly!" And it's a 20hrs old video. You got me there!
Nice discovery! I had found something like this with Street Fighter II: Championship Edition & Super Street Fighter II on the Genesis using a similar cartridge swap technique decades ago. It took away all random elements so that enemies were more predictable and it reset controller mappings so that attacks could be performed merely by moving the character.
THANK YOU! When I was a kid I called a 976 game hot line and heard this trick and did it all the time with my friends in the neighborhood. I moved about a year later and lost my Tennis game in that move.
Since then NO one believed me when I explained this “hack”.
Thank you for proving to everyone at Boiling Springs Jr High I wasn’t lying
Reminds me of how some Konami MSX games could be combined with another cart in the second slot to unlock secrets. You could even unlock a secret final level in Salamander by combining it with Gradius 2/Nemesis 2. Of course, that was all intentionally programmed in.
A great video!
I could watch this as background audio and still manged to understand every detail.
Not many videos are capable of doing this, so great work!
this is interesting! the results are just 'remixed' versions of already existing levels. even though it's a glitch, it would've been cool to see this actually added into the game in a similar way worlds A & B were in Lost Levels
Very interesting video! 🤩 I had a multi-game cartridge, something like 99 in one. By disconnecting the slot contacts one by one from the cartridge board during the game selection screen (don't ask me why 😂), I discovered a situation where the list of games increased to several thousand. And there you could select glitch levels directly from the list. And it was reproducible, so I just attached a button to the cartridge that disconnects that same contact and could enter the “extended” list at any time 😎
I hope you cover the 8F item in generation one Pokémon sometime.
Given it's a cheats-free accessible glitch item that allows you to *_literally reprogram_* not just Pokémon R/B/Y, but also _other games,_ I dare say it's one of the craziest things out there, and very worthy of a look.
I love how because of just how much in-house development happens with Nintendo, there's a plethora of games that are way too comfortable playing in the deep recesses of the hardware and they keep breaking all DRM in Nintendo consoles and games.
@@PosthumanHeresy It has nothing to do with that. 8F is an unintended glitch item that, like any item, executes code when you use it - it just executes it from an unintended address. Namely, from things you can manipulate (bag contents and such) - therefore allowing you to effectively decide what code 8F ends up running. Yes, this sounds incredibly stupid, like the most insane oversight that no developer would ever let slip, but it's real. A dude on TH-cam once reprogrammed Pokémon Red into Pong using it, and you can even make 8F pause code execution to allow you to quickly switch cartridges to different games, and then run the rest of the code - so you can even run code in _any_ GameBoy game using it.
@@AniGaAG Oh I believe it's real. But do you know the history of Nintendo hardware jailbreaking? Nintendo _keeps doing this_ over and over. So many different Nintendo games have a glitch that allows you to execute arbitrary code and do whatever the hell you want to the entire machine. For some reason, Nintendo has had a decades-long problem with games being able to do this across pretty much every platform they release.
@@PosthumanHeresy This wasn't Nintendo though, it was Game Freak.
@@AniGaAG Several links down a chain of ownership that goes back to Nintendo. It's corporate consolidation. Businesses owning businesses that own businesses. Game Freak is currently in the same building as Nintendo EPD Tokyo, Nintendo PTD Tokyo, HAL Laboratory and 1-Up Studio.
"world 9, what?!?" has the same meme energy as "parallel universes"
...I didn't even know you could continue after a game over...
BRB, gonna finally beat Super Mario Bros.
It makes me wonder if A5 might mean anything significant like how MZ (the "Magic Number" at the beginning of any DOS EXE or the DOS Stub of most Windows EXEs) are the initials of Mark Zbikowski.
I also own another NES game that performs a "Warm Start Check" when the console is reset - Rad Racer (when you press the Reset button after the title screen, it takes you to the Car select screen).
Interesting that this works, as all of the other guides I'd seen always acted like this was only possible on the Famicom (or the JP carts on the top loader). I thought it had to do with the Reset button actually resetting the memory, or the CIC chip causing it to fail.
A5 and its friend 5A are most unlikely resting states; and that's why you get 55AA on the end of boot sectors.
Surprisingly simple explanation. Thank you for this video.
Funny thing is, they could have prevented this with AND #7 to mask off the invalid worlds, you'd still be able to do the cartridge swap trick but you'd be limited to the "real" worlds only.
35 years later... Hold A and press start.
Really looking forward to the next video.
I've been wondering how levels are stored ever since first hearing an explanation of "minus" world.
I think I may have just found my new favorite youtube channel, this was super interesting and I can't wait for part 2!
Mario was so late to his deadline to be the referee for the tennis match that he accidentally fell into a lake 😂😂😂😂😂
I remember having some problems with this on MiSTer, because some of those cores don't clear parts of the memory on game load.
Some games would totally glitch out weirdly, and then you'd have interesting effects like being able to load your Pokemon Ruby save file in Pokemon Emerald.
Fantastic explanation, you always do a great job of clearly explaining things with your visuals! (and voice, of course)
Upcoming Nitpicks: My experience with SRAM (as used on the NES) is that the instant the power goes out, the contents is lost (or something in the realm of milliseconds). The CIC only toggles RESET which is connected to the power LED.
DRAM however retains its data in exactly the way you were explaining. Fun fact: Use a Commodore C16 (which uses DRAM), write a program to draw some graphics, turn off the machine, wait a second, turn it back on and enter graphics mode without clearing the screen. Your drawing will still mostly be there. After two seconds, it's heavily corrupted but still recognizable.YMMV.
This was excellent - really looking forward to part 2!
hell yes, i cant wait for the next episode! I've always wondered how the map data works in smb1
It’s actually really interesting to see how these old systems work.
Also when you explained how RAM worked and how it could be used to transfer data from one game to another it got me to think about the N64 and how rare tried to use the RAM in the N64 to transfer data between banjo kazooie and it’s sequel banjo tooie. I don’t know how much you know about The N64 but it would actually be a cool idea to do a video on that system and how it would have actually worked and what the challenges would have actually been if they have fully implemented it. The only thing I know is that they scraped it because newer versions of the N64 cleared RAM a lot faster then the original version of the console did. But I actually don’t know anything else about how that system worked or how it would have been implemented.
I remember (idk which game) if u overflowed a certain game too much at a point it would read the extension pack, except the game didint use it, so what people did was load another game and put data onto the extension pack, then go back into that game, overflow it and then it would read the extension pack and run custom code, including going to the end of it.
@@SOTP. I think I heard about that! If I remember correctly it had something to do with Zelda and paper Mario but I don’t remember the details! I do remember watching a video about it like a year or two ago!
@@The_hot_blue_fire_guy same but i literally have no idea about what game it was
YOU CAN HOLD A TO RESTART THE WORLD AFTER A GAME OVER?! THIS WOULD'VE BEEN HELPFUL 25 YEARS AGO
You're not the only one.
Who knew "tennis" had some of the best content on the NES
The CIC isn't cycling power but instead it is cycling the reset line of the CPU. Keeping the console on while swapping carts means the RAM stays powered and thus retains its data.
The NES uses SRAM for the system RAM which is basically sets of logic gates with one of two states held by the voltages in the memory cells. When powering off the voltage reference of the chip will drop to zero, and alongside it all the voltages being held in the "on" cells.
While SRAM is known to have extremely low quiescent current, since it is tied to all the other chips during power off it will have plenty of paths to discharge its voltage and thus quickly lose its memory.
If anything this even further disproves the common belief that the CIC in the first revision of the NES makes this not work.
Fun trick! It'd be cool to see an NES homebrew in the vein of Sonic 3 & Knuckles on Genesis. That'd be a massive cart stack though, haha.
6:10 0xA5 (along with 0x5A) is a "special" value you'll often find as placeholder or magic numbers in embedded development. Why? Because A5A5A5A5... is 1010101010 in binary, 5A5A5A5... is 01010101, so:
1- you can instantly create a recognizable pattern, and one you can easily memorize
2- 0xA5 and 0x5A have a maximum Hamming distance, i.e. 0xA5 = NOT 0x5A
3- Exactly half the bits are 1s and half are 0s, so it has less chance of having the special properties of 0xFF or 0x00 (reset values, etc.)
0xDEADBEEF, 0xDECACAFE, 0xBAADBEEF, etc. are similarly 'special' values often used as placeholders.
How does one even find this? I just imagine it went like this:
“Hmmmm im getting bored of Mario, I’ll play tennis”
_about 1.5 seconds later_
“I’m bored of tennis now I’m gonna go back and play Mario”
“Ok lemme pick up where I left off an- WHAT WORLD 9!?!? Why did this happen?”
*…*
“Good thing I’m a coding mastermind and know what every single bit of every NES game does!”
8:04 nice
I had no idea this was possible on an NES. I'm also kinda sad you didn't bring up how this was kind of a big deal in Japan and all the guidebooks that got published showing all the different worlds you can visit.
You explain this so well, all this is super complicated and it reminds me of sonic 3 and sonic e knuckles, where you can do this too.
This is really interesting, I never thought of the possibility of messing up games' RAM values by just changing games without powering off the console first
I kinda did this with a Game Boy Advance game once, I popped out the SEGA SmashPack during I think Golden Axe and put in Mario Pinball Land, and it just started to play though all of Pinball Land's voice clips and samples.
We want more! I don't know how you did it but you made something that would seem boring exciting! Great job
Very interesting. I was familiar with the basic mechanics at play (hello OoT/PM stop n swop) but I didn't know what exactly allowed it here.
Out of curiosity, I see that in the highlighted range, there's one unexplained byte that's changing. Do you happen to know what it corresponds to? Given that it looks like it's oscillating in a small range, I assume it's some sort of animation number?
Amazing!!!
I dont play old games but it's amazing to see these glitches / hidden menus or levels!
A5 is 10100101, so it might make sense for it to be a resting state, but it seems more likely to be a sentinel value. Specifically, it reminds me of the fact that the last two bytes of an x86 bootloader have to be AA 55 (10101010 01010101) in order to be recognized
Three questions: 1. What do you do for a living besides youtube or is this your main gig? 2. Did you go to school after high school and what was your major? 3. How did you come across this "hack"? Very interesting video. Thanks for sharing and I hope to not get buried in the comments lol
The fact that this is possible is fascinating! The tchnical stuff behind this magic is very interesting!
The Sega Genesis does something similar. I used to put in Golden Axe then swap it for Thunderforce IV (Lightening Force here in the U.S.).
The swap would give you invulnerability in TFIV. I used it to beat the game.
Due to how tennis' music jingle affects memory, when you warm start SMB; would selecting 2 player show Luigi's coin count to be messed up?
Unfortunately not, the game is smart enough to zero out all the coin counts and scores (other than top score) when a new game starts.
Imagine some kid who was really bored, started up mario, decided he'd rather play tennis, 30 seconds in thought he'd rather play mario, and then spends the next 4 hours trying to replicate the secret code he put in to get to the secret world.
May you review the Threed Tent Glitch? I always wondered how its random results work.
It's nice to get an explanation of how this happens technically but this strange behaviour has been known about for quite a while, I wonder how it was first discovered.. maybe somebody was too lazy to switch their nes off between games?
Ah yes, my favorite world in Super Mario Bros.: World top left corner of pipe - 1
Always wondered why this happened, good video as per usual!
Great explanation. Thanks for the video!