Teaching Mario To Play Pong And Snake Through Innumerable Exploits

This is the coolest classic Super Nintendo Entertainment System (SNES) hack we’ve seen in quite a while. What you’re seeing is called “Super Mario World (Total Control)” by [Masterjun]. Our first recommendation is that you watch the video, then come back here for an explanation. Similar to what we saw for Pokemon Yellow on Gameboy, [Masterjun] created entire Pong and Snake clones within Super Mario World. He also created a menu and ending screen, along with his trademark smiley face graphic. Even more amazing is that this was unveiled live on a real SNES running an unmodified game cartridge. [Masterjun] actually used dual multitap cables, effectively connecting 8 controllers to a SNES. This gave him enough bandwidth to quickly download his new binary through the controller ports alone.

Welcome to the world of Tool Assisted Speedruns (TAS), where emulators and scripts are used to create high-speed runs through video games. The runners often work frame by frame, painstakingly inputting commands to create the perfect run. Game bugs and glitches are often exploited in these speed runs. In fact, in runs such as this one, the speed run takes second place to showing off the exploit. The output of speed run creation is a script file of control inputs which can be executed on an emulator to “re-run” the TAS at any time. This script can also be saved to a PC or Raspberry Pi and played back into the controller port of a real game system. A PIC based hardware translator is used to convert the data to NES or SNES controller format. As one might expect, these scripts run open loop. With no feedback from the running game, they can and do become desynchronized due to differences in console hardware, such as the tolerance of the oscillator crystal. When everything is in sync and does work , the results are awesome.

30 thoughts on “Teaching Mario To Play Pong And Snake Through Innumerable Exploits

    1. I designed the bot used in this run.

      I do apply myself to projects which have actual useful purposes. This one is no exception. Perhaps you have a more strictly un-fun, strictly capitalistic view of “useful.” I had fun, and I have console verified other games (like Zelda on NES), so I think what I did was useful.

      1. From a strictly monetary perspective, you made yourself known by doing this work, and that might even lead to a good opportunity for some type of work — for example, a lot of engineering managers like hiring hackers (myself included). So it may well have been financially gainful in the long term.

        Also, as a technicality, the “Though Police” are always fascists and communists. Capitalists don’t give a damn what you do in your own time. :)

        1. Re: money, I already have a day job and make good money there, and come home and hack on projects and make fun money there. Electronics is only a relatively recent hobby. I’ve seen others turn hobbies into work and end up hating it…

          Re: capitalists not caring what you do, you wouldn’t know that by listening to conservative radio :)

        2. Wouldn’t capitalists really care about what you do in your own time? You know so they could find a way to capitalize off it by providing a good or service that fits what you do in your own time? I’m no capitalist but this seems to make some sort of sense to me.

          I don’t know what whoever called this not useful is thing. Bending a machine to your will simply with careful button input and recycling behavior it’s already got loaded seems incredibly useful in a world surrounded by electronic devices. Especially in security where one needs to occupy a threat’s interest while it’s being dealt with to minimize damage.

  1. Just some fixes for the article:

    The MCU is a PIC32. Just reading “PIC” I am inclined to think PIC18 or something :)

    Also, the playback is not open loop. When a latch or clock pulse is detected from the console, data is prepared and sent. The console actively asks for data and is given data in the exact order specified in the input file. What can cause desyncs are things like external interference, inaccurate emulation, or differences in randomness (like memory state at power on). Games that initialize memory before use or don’t have many random elements are good candidates for sync. Console crystal deviation also should not matter (at least in NES case, probably the same for the SNES case).

    (As for the Gradius desync at AGDQ, right now the guess is that microphone cables draped over the replay cables caused enough interference to cause desync.)

      1. The lua scripts are run in the emulators (FCEUX for NES, lsnes for SNES) along with the game and the movie file to “prepare” input for the bot (stripping out useless frames). The resulting files are used with the replay script.

        The main replay script is a python script, which parses a dump file created by the lua scripts.

        1. Cool. I’m a fan of Lua, mostly because it is one of the only scripting languages that is truly suitable for production-grade real-time embedded (it’s fast, popular, and stable). So I like to know about the user communities.

    1. Pretty much.

      All the events leading up to the game looking like it was freezing were intentional and were used to set up a spawn of an invalid item, which resulted in a jump to memory to execute the controller button status as instructions. Obviously manipulating the buttons at this point results in arbitrary code execution. Code for the loader/controller handler was then sent, then the game code was sent and jumped to.

    1. Hey.

      For NES, I have verified a growing number of titles, and have recorded verification videos as seen on youtube (youtube.com/user/trueamx). I made an input display board so runs going forward will show controller input in addition to the game being replayed.

      For SNES, there aren’t many runs made with a more accurate emulator yet. I do have Actraiser 2 that I will eventually get to verifying. More games will require waiting for runs to be made…

Leave a Reply to trueCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.