Tweet
Writing a level editor atop active code with the controller ports and 8KB of SRAM.
By Kyle Orland
The star of the show, and some of the men behind the robot.
DULLES, Va.— Regular watchers of the annual Awesome Games Done Quick (AGDQ) video game speed run marathon are probably intimately familiar with the power of TASBot (short for tool-assisted speed run robot).
Two years ago, the emulator-fueled bot used its controller-port interface to write a simple version of Pong and Snake on top of a running Super Mario World cartridge.
Last year, TASBot outdid itself by using a copy of Pokemon Red and a Super Game Boy to force a live, IRC-based Twitch chat through an unmodified Super Game Boy.
By now, simply taking over a game and replacing it with a brand new app was beginning to feel a little predictable. So this year, TASBot decided to show off a new skill. At the AGDQ marathon, the bot set out to edit new features onto a game that's still running in active memory. TASBot wanted to be magnanimous with its new capabilities, too, allowing human players (and live stream viewers) the opportunity to edit the game on the fly.
But just how did TASBot—and the team of coders behind it—intend to turn an old game of Super Mario World, running on a standard SNES, into a heavily editable game of Super Mario Maker? Luckily, we had a behind-the-scenes invite to the event and the opportunity to find out.
The setup
The archived Twitch video of TASBot's SNES "Super Mario Maker" exploit looks like magic; or at the very least the kind of thing that requires a hacked ROM or memory manipulation through a Game Genie style device. But it's important to remember that like in the past, everything TASBot does is technically possible on standard classic game hardware and software. That is, it's possible provided you have the superhuman ability to enter precisely timed controller inputs 60 times a second.
The first step to hacking up a level editor on top of Super Mario World is old hat for TASBot by now. The robot takes “total control” of the system through arcane in-game glitches. Next, it juggles items with pixel-perfect positioning and split-second timing to effectively write and execute a bit of assembly code through the system's active sprite management memory.
This year’s takeover uses a slightly different total control method than those in years past. The new route manages multiple in-game timers and creates an unholy merger between a Monty Mole enemy and a pink berry item to get the crucial memory code lined up just right. The end result is the same: TASBot tells the game to start reading controller inputs as raw, binary programming code at a rate of about 3.8KB/sec.
From there, it’s relatively easy for TASBot to use precisely timed button presses to essentially write a new program that lets it take “total control” of the SNES. The details involve first writing a block loader to a small, “safe” area of memory, then running that block loader to continually sample the controller inputs for new data (the process is described in much more detail in this write-up of the 2015 Pokemon Red/Super Game Boy exploit).
The total control process was made simpler for the TASBot team this time around by a handy Lua script that can recode arbitrary PC files into the appropriate controller inputs. “For 'Pokemon Plays Twitch,' when we wanted to test a new version of the payload we were reliant on Ilari to create a new movie file," TASBot organizer Allan Cecil (who goes by DwangoAC online) told Ars. "For this version, Ilari created a handy 'script kiddie' Lua script that allows us to specify a binary file to write to a particular location in memory based on its file name."
Cecil shows off TASBot during an on-stream interview before the live stage presentation.
MUCH, MUCH, MORE
By Kyle Orland
The star of the show, and some of the men behind the robot.
DULLES, Va.— Regular watchers of the annual Awesome Games Done Quick (AGDQ) video game speed run marathon are probably intimately familiar with the power of TASBot (short for tool-assisted speed run robot).
Two years ago, the emulator-fueled bot used its controller-port interface to write a simple version of Pong and Snake on top of a running Super Mario World cartridge.
Last year, TASBot outdid itself by using a copy of Pokemon Red and a Super Game Boy to force a live, IRC-based Twitch chat through an unmodified Super Game Boy.
By now, simply taking over a game and replacing it with a brand new app was beginning to feel a little predictable. So this year, TASBot decided to show off a new skill. At the AGDQ marathon, the bot set out to edit new features onto a game that's still running in active memory. TASBot wanted to be magnanimous with its new capabilities, too, allowing human players (and live stream viewers) the opportunity to edit the game on the fly.
But just how did TASBot—and the team of coders behind it—intend to turn an old game of Super Mario World, running on a standard SNES, into a heavily editable game of Super Mario Maker? Luckily, we had a behind-the-scenes invite to the event and the opportunity to find out.
The setup
The archived Twitch video of TASBot's SNES "Super Mario Maker" exploit looks like magic; or at the very least the kind of thing that requires a hacked ROM or memory manipulation through a Game Genie style device. But it's important to remember that like in the past, everything TASBot does is technically possible on standard classic game hardware and software. That is, it's possible provided you have the superhuman ability to enter precisely timed controller inputs 60 times a second.
The first step to hacking up a level editor on top of Super Mario World is old hat for TASBot by now. The robot takes “total control” of the system through arcane in-game glitches. Next, it juggles items with pixel-perfect positioning and split-second timing to effectively write and execute a bit of assembly code through the system's active sprite management memory.
This year’s takeover uses a slightly different total control method than those in years past. The new route manages multiple in-game timers and creates an unholy merger between a Monty Mole enemy and a pink berry item to get the crucial memory code lined up just right. The end result is the same: TASBot tells the game to start reading controller inputs as raw, binary programming code at a rate of about 3.8KB/sec.
From there, it’s relatively easy for TASBot to use precisely timed button presses to essentially write a new program that lets it take “total control” of the SNES. The details involve first writing a block loader to a small, “safe” area of memory, then running that block loader to continually sample the controller inputs for new data (the process is described in much more detail in this write-up of the 2015 Pokemon Red/Super Game Boy exploit).
The total control process was made simpler for the TASBot team this time around by a handy Lua script that can recode arbitrary PC files into the appropriate controller inputs. “For 'Pokemon Plays Twitch,' when we wanted to test a new version of the payload we were reliant on Ilari to create a new movie file," TASBot organizer Allan Cecil (who goes by DwangoAC online) told Ars. "For this version, Ilari created a handy 'script kiddie' Lua script that allows us to specify a binary file to write to a particular location in memory based on its file name."
Cecil shows off TASBot during an on-stream interview before the live stage presentation.
MUCH, MUCH, MORE
Comment