Teaching Mario to Play Pong and Snake Through Innumerable Exploits

This is the coolest classic Super Nintendo Entertainment System (SNES) hack we’ve seen in quite a while. What you’re seeing is called “Super Mario World (Total Control)” by [Masterjun]. Our first recommendation is that you watch the video, then come back here for an explanation. Similar to what we saw for Pokemon Yellow on Gameboy, [Masterjun] created entire Pong and Snake clones within Super Mario World. He also created a menu and ending screen, along with his trademark smiley face graphic. Even more amazing is that this was unveiled live on a real SNES running an unmodified game cartridge. [Masterjun] actually used dual multitap cables, effectively connecting 8 controllers to a SNES. This gave him enough bandwidth to quickly download his new binary through the controller ports alone.

Welcome to the world of Tool Assisted Speedruns (TAS), where emulators and scripts are used to create high-speed runs through video games. The runners often work frame by frame, painstakingly inputting commands to create the perfect run. Game bugs and glitches are often exploited in these speed runs. In fact, in runs such as this one, the speed run takes second place to showing off the exploit. The output of speed run creation is a script file of control inputs which can be executed on an emulator to “re-run” the TAS at any time. This script can also be saved to a PC or Raspberry Pi and played back into the controller port of a real game system. A PIC-based hardware translator is used to convert the data to NES or SNES controller format. As one might expect, these scripts run open loop. With no feedback from the running game, they can and do become desynchronized due to differences in console hardware, such as the tolerance of the oscillator crystal. When everything is in sync and does work, the results are awesome.
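The playback path described above, as an added example (not code from the article or from the bot's author): a Python model of a replay device on one SNES controller port, answering the console's latch and clock pulses with movie frames in order. The frame format, all names, and the spurious-latch fault are assumptions for illustration; the point is that a single extra latch shifts every later input, which is what a desync looks like from the game's side.

```python
# Shift-out order of the 12 SNES buttons; the 4 trailing bits carry no buttons.
SNES_ORDER = ["B", "Y", "Select", "Start", "Up", "Down", "Left", "Right",
              "A", "X", "L", "R"]
# Constructed sample movie (hypothetical frame format: a set of buttons per frame).
MOVIE = [{"Right"}, {"Right", "B"}, {"Right"}, {"A"}]

def encode_frame(pressed):
    """Pack one frame into a 16-bit word; bit 15 is the first bit shifted out."""
    unknown = set(pressed) - set(SNES_ORDER)
    if unknown:
        raise ValueError(f"unknown buttons: {sorted(unknown)}")
    return sum(1 << (15 - i) for i, b in enumerate(SNES_ORDER) if b in pressed)

class ReplayPort:
    """Serves movie frames strictly in order, one per latch pulse."""
    def __init__(self, frames):
        self.words = [encode_frame(f) for f in frames]
        self.index = 0
        self.shift = 0

    def latch(self):
        # Load the next frame; past the end of the movie nothing is pressed.
        self.shift = self.words[self.index] if self.index < len(self.words) else 0
        self.index += 1

    def clock(self):
        # One bit per clock pulse. 1 means pressed here; the real line is active low.
        bit = (self.shift >> 15) & 1
        self.shift = (self.shift << 1) & 0xFFFF
        return bit

def console_poll(port):
    """One controller read as the console performs it: a latch, then 16 clocks."""
    port.latch()
    word = 0
    for _ in range(16):
        word = (word << 1) | port.clock()
    return word

def replay(frames, glitch_at=()):
    """Words the game reads each frame; glitch_at = frames with a spurious latch."""
    port = ReplayPort(frames)
    seen = []
    for n in range(len(frames)):
        if n in glitch_at:
            port.latch()  # assumed fault: extra latch consumes one frame unread
        seen.append(console_poll(port))
    return seen

print([hex(w) for w in replay(MOVIE)], [hex(w) for w in replay(MOVIE, {1})])
```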

Comments

  1. Polaczek says:

    Haha, wtf did I just watch with the super mario clip.
    Talk about glitching the hell out of it. Comedy gold!

  2. jebbus says:

    Oh my jebbus that’s the craziest glitching I’ve ever seen of that game lol

  3. matt says:

    This is rather impressive. I wonder what these guys could do if they applied themselves to a project which had an actual useful purpose.

    • true says:

      I designed the bot used in this run.

      I do apply myself to projects which have actual useful purposes. This one is no exception. Perhaps you have a more strictly un-fun, strictly capitalistic view of “useful.” I had fun, and I have console verified other games (like Zelda on NES), so I think what I did was useful.

      • Mike Szczys says:

        I’m glad you stood up for yourself.

        Pulling something off like this is useful just in what you learn along the way. Observation, response, and testing get honed to a frighteningly fine edge with this type of thing. Respect!

      • jpnorair says:

        From a strictly monetary perspective, you made yourself known by doing this work, and that might even lead to a good opportunity for some type of work — for example, a lot of engineering managers like hiring hackers (myself included). So it may well have been financially gainful in the long term.

        Also, as a technicality, the “Thought Police” are always fascists and communists. Capitalists don’t give a damn what you do in your own time. :)

        • true says:

          Re: money, I already have a day job and make good money there, and come home and hack on projects and make fun money there. Electronics is only a relatively recent hobby. I’ve seen others turn hobbies into work and end up hating it…

          Re: capitalists not caring what you do, you wouldn’t know that by listening to conservative radio :)

        • default_ex says:

          Wouldn’t capitalists really care about what you do in your own time? You know so they could find a way to capitalize off it by providing a good or service that fits what you do in your own time? I’m no capitalist but this seems to make some sort of sense to me.

          I don’t know what whoever called this not useful is thinking. Bending a machine to your will simply with careful button input and recycling behavior it’s already got loaded seems incredibly useful in a world surrounded by electronic devices. Especially in security where one needs to occupy a threat’s interest while it’s being dealt with to minimize damage.

      • matt says:

        Care to explain how exactly this project is “useful”?

    • JunkJet says:

      The second video was from this year’s AGDQ, a donation drive they do (iirc) twice annually. This year’s AGDQ raised over $1,000,000 for charity http://tinyurl.com/owmlzvw

      Seems that’s a pretty useful purpose to me

  4. This was demonstrated the other day on SDA’s AGDQ for charity. If you are unfamiliar, check out Awesome Games Done Quick, and Speed Demos Archive.

  5. Hephaix says:

    The AGDQ stream is also restreamed in French: http://www.twitch.tv/mistermv
    MV salow

  6. true says:

    Just some fixes for the article:

    The MCU is a PIC32. Just reading “PIC” I am inclined to think PIC18 or something :)

    Also, the playback is not open loop. When a latch or clock pulse is detected from the console, data is prepared and sent. The console actively asks for data and is given data in the exact order specified in the input file. What can cause desyncs are things like external interference, inaccurate emulation, or differences in randomness (like memory state at power on). Games that initialize memory before use or don’t have many random elements are good candidates for sync. Console crystal deviation also should not matter (at least in NES case, probably the same for the SNES case).

    (As for the Gradius desync at AGDQ, right now the guess is that microphone cables draped over the replay cables caused enough interference to cause desync.)

    • Gdogg says:

      The desync was at the exact same point in both attempts. My guess is it was something else (like not testing on this console/an inaccurate emulator)

    • jpnorair says:

      Out of curiosity, what is running the Lua scripts?

      • true says:

        The Lua scripts are run in the emulators (FCEUX for NES, lsnes for SNES) along with the game and the movie file to “prepare” input for the bot (stripping out useless frames). The resulting files are used with the replay script.

        The main replay script is a Python script, which parses a dump file created by the Lua scripts.

        • jpnorair says:

          Cool. I’m a fan of Lua, mostly because it is one of the only scripting languages that is truly suitable for production-grade real-time embedded (it’s fast, popular, and stable). So I like to know about the user communities.

  7. Erik Johnson says:

    Now that’s the kind of glitching I expect from an 80-90’s hacker film!

  8. Krusty says:

    Now all someone has to do is work out a way to beat QWOP!

  9. TacticalNinja says:

    That Mario head on snake just looks so wrong, hahaha.

  10. Voxnulla says:

    How does that pong and snake thing work? Are they saying that through the controller input they actually added/changed running binary code in memory?

    • true says:

      Pretty much.

      All the events leading up to the game looking like it was freezing were intentional and were used to set up a spawn of an invalid item, which resulted in a jump to memory to execute the controller button status as instructions. Obviously manipulating the buttons at this point results in arbitrary code execution. Code for the loader/controller handler was then sent, then the game code was sent and jumped to.

  11. Sonny_Jim says:

    Hey True, cool to see you featured on hackaday. Have you managed to get this to work with anything else apart from SMW yet?

    • true says:

      Hey.

      For NES, I have verified a growing number of titles, and have recorded verification videos as seen on youtube (youtube.com/user/trueamx). I made an input display board so runs going forward will show controller input in addition to the game being replayed.

      For SNES, there aren’t many runs made with a more accurate emulator yet. I do have Actraiser 2 that I will eventually get to verifying. More games will require waiting for runs to be made…
