Editor, Player (69)
Joined: 1/18/2008
Posts: 663
Was this ever verified to run on console?
true on twitch - lsnes windows builds 20230425 - the date this site is buried
Post subject: Yet another status update (I must be addicted to them)
Moderator, Senior Ambassador, Skilled player (1130)
Joined: 9/14/2008
Posts: 1014
True wrote:
Was this ever verified to run on console?
Yes, I tried a test run from TASEditor - it seemed to desynch on the Multireplay board, but I was also having lots of problems with my SD card at the time. I got it to sync at least once on the older replay board, but even there I seem to recall it didn't work the first time I tried it. I'll be doing some more extensive testing to make sure it's reliable once I get the Multireplay board back. Regarding phrase ideas, I'm feeling super lame on what to suggest for phrases. To clarify, you need two answers, and either answer can have ANY\WORDS\IN\LIST? About the best I can come up with is something lame like "FranerZ eats TRIPe" or something equally stupid. This is a good time to remind you, oh reader, that we're still looking for someone to feed TASEditor twitch memes, because I'm clearly not great at it. :) (OK, I could probably do better than that, but I'm hoping someone with some linguistic creativity and a dictionary can step up to help out.)
In other news, we're still daily pushing forward with trying to get the total control run going. I have to again thank Ilari, true, Nach and now padz (from the Pokemon ROM hacking community) for their contributions of time, experience, and patience with me as I keep oscillating on what the path of least resistance of the day seems to be. We've almost all been online every day (or night) chatting about what to do and trying various tests. One thing I tested and ruled out is the Select+Start+B+A soft reset - Pokemon Red will not respond to that while saving, so there's no way to use it to save glitch. Because we thought we wouldn't be able to use the save glitch I pursued the fastest method that wouldn't use it which would be on red, but we've since determined that the non-save glitch method on Red would be substantially identical to the realtime run which is something we want to avoid if possible.
Because of all that, I'm now leaning back toward a save glitch with either Pokemon Yellow or the same general kind of save RAM glitch on Red. While it would be nice to do it on Yellow just to represent a different game it might be best to use Red because at the moment Yellow is not behaving right with lsnes + SGB + Gambatte core and can't even be started (and even Red, while at least playable, isn't coming up with the same trainer ID and I know we'd all feel a lot better if the accuracy were good enough to get it to match). Ilari is at the end of what he can do without more data about real hardware, so I've purchased a GB EPROM PCB board and shipped it to true and padz has volunteered to write a couple of tests we can run on raw hardware. Back when I thought we were doing Pokemon Red normally without the save RAM glitch I talked true into buying a copy (which he groused about amusingly :) so at the moment it makes the most sense to try to re-create the save glitch there since both of us will now have a copy. I got far enough with Pokemon Red to confirm that the save glitch is possible to the point of getting all items in inventory but I did it with a hardware reset as expected, and that's still something we need to build and test. The latest information from padz and others is that it *should* be around a 20ms or so window and it's possible for even humans to get it with 10 or 15 attempts, so we'll boldly forge forward. If we absolutely must it's possible to reset the SNES through the Ext port on the bottom of the console, but that's getting into territory where it might look like we've modified the console so I'd rather have an actual reset solenoid on the reset button if the timing can be repeatable enough. If anyone is willing to step up and test/build this please let me know! 
...and that was a *lot* more information than I anticipated putting in this post but I wanted to let everyone know that there is at least some momentum, even if it's been easy to feel a bit worn down by all the failed concepts. Thanks to everyone for the support and I'll check back in once we've made some more progress. Until then, happy TASing!
I was laid off in May 2023 and became too ill to work this year and could use support via Patreon or onetime donations as work on TASBot Re: and TASBot HD is stalled. I'm dwangoAC, TASVideos Senior Ambassador and BDFL of the TASBot community; when healthy, I post TAS content on YouTube.com/dwangoAC based on livestreams from Twitch.tv/dwangoAC.
Post subject: Potential progress
Moderator, Senior Ambassador, Skilled player (1130)
Joined: 9/14/2008
Posts: 1014
A few minutes ago, on my real Pokemon Red cartridge that is currently in the save glitch state (more on that in a second), I was able to carefully walk through FractalFusion's Pokemon Yellow arbitrary execution instructions by hand and I was able to get the player character to disappear. There's a *whole lot* more to that sentence than meets the eye, so let me back up a bit. First, I was able to create a movie file in lsnes + Gambatte core on Pokemon Red that recreated the behavior of FractalFusion's Pokemon Yellow run. It took a lot of work as everything in memory is offset on Red by +1 compared to Yellow and lsnes doesn't show GBBUS in the memory tool but I was able to find the same memory values by looking at GBWRAM and subtracting 0xC000. It is thanks to FractalFusion's careful notes that I was able to recreate the exact memory values needed. Because I don't yet have a solenoid method working I manually hit the reset button while saving the game and I managed to recreate the glitch state on my Pokemon Red cartridge after 3 or 4 attempts. I'm now reticent to erase it so I attempted to craft a new movie that starts from after the reset but it kept desynching. It wasn't until tonight that I was confident it could work after I make some timing adjustments. This means that the path forward now is to ensure I can really, truly execute arbitrary code on the emulator (rather than just getting the player character to disappear and getting the memory values to match). That will require one more fix from Ilari who has continued to tirelessly chip away at emulation inaccuracy issues. As soon as that fix is in and I'm able to confirm I can do some kind of arbitrary execution on the emulator I'll dump the file again and see if I can tweak everything enough to get it to play back through the bot on the console. These are exciting times! In less good news we're having problems with Family Feud desynchronizing in random ways on real hardware.
We have not yet determined if some kind of other factor is being used for RNG creation or what the issue could be but for some reason button presses are not registered by the console and answers show up with the wrong letters pressed. I need to try again when true sends his updated Multireplay board to me. In better news, I was able to hack together a pinball flipper coil (solenoid) with the correct windings and a 6.5v power supply to move a rod about 3/8ths of an inch, or enough to trigger the reset button on an SNES. I still need to sort out some way to mount it, get a transistor on it to act as a button, and work with true to get it connected to the bot so we can script it some way, but there's some definite potential. The timing is apparently not too sensitive as I got it by hand on about the 4th try so I'm overall optimistic. This is all extremely exciting progress, but I can't help but feel that the clock is ticking. I've given myself until December 9th to completely finish everything except the final arbitrary execution payload and I'll be hard-pressed to have everything done by then but I think it might be possible if things go well. As always, this progress couldn't happen without the help of a lot of talented people - thanks to all who have supported, and if I haven't mentioned your name in any of these update posts, have no fear because I'll be doing a full credits listing both here in the forums and during the TASBot block.
Post subject: So F5 needs to be F8, easy, right? Apparently not.
Moderator, Senior Ambassador, Skilled player (1130)
Joined: 9/14/2008
Posts: 1014
Based on FractalFusion's extremely thorough writeup and help from Mothrayas I've been able to work out what we need to do. Except it seems nigh impossible to do at the moment with Pokemon Red. Here's the issue: In the exploit for Yellow, the rival was named (space) (female) (PK) (END). Memory in D343 at that point is:
D343: 00 00 00 00 30 00 7F F5 E1 50 00
In Pokemon R/G/B/Y, items are stored with an identifier followed by their quantity (Pokered has extensive information about the layout of RAM but I find the less accurate but still useful Datacrystal RAM layout page to be a bit more accessible for this bit of information). To make a long story short, you can toss quantities of items to change their value in RAM but you can't change the identifier. In this case, the value that matters the most is that F5, which happens to be the female symbol that was used for the rival's name and is aligned as an item identifier which can't be altered through tossing items. In Pokemon Yellow, that F5 is used to point at the address where controller input resides, but in Pokemon Red those values are shifted and we need to have it point to F8 instead. Now, we could just change the name, but the problem is that the character that is stored as F8 in memory is the number 2, and numbers are not selectable as names. This means we have to alter the value some other way, likely by swapping Pokemon around. Having said that, I have not yet found a way to swap Pokemon in a way that does not cause utter destruction in other areas of RAM that need to stay intact. The path forward is still very unclear to me. I've spent substantial time on Pokemon Red. Ilari has spent substantial time on the new lsnes + Gambatte core. The new core is more accurate, but Pokemon Yellow has some strange characteristics that cause it not to start and we have not yet been able to determine why. To abandon Pokemon Red *and* the Gambatte core seems like an affront, and there is no guarantee that even with extremely conservative button presses that Pokemon Yellow in the older, far less accurate bsnes core will synchronize on a console (whereas I have Pokemon Red working on real hardware right now). 
To that end, I'd really like to figure out a way to make Pokemon Red work, but it may take a lot more work to find a new solution as the copy-and-paste from Yellow falls through in the one important memory value we need to change. Without the help of people like padz, Ilari, Mothrayas, Nach, true, p4plus2, micro500, and others I'm positive I wouldn't have been able to get this far. Things may be looking a bit rough with the Family Feud TAS not wanting to synchronize and the arbitrary exploit TAS still not yet working right but I know we'll pull through one way or another. Thanks to everyone who has helped out!
Post subject: Pokemon Red save glitch memory modification sequence
Moderator, Senior Ambassador, Skilled player (1130)
Joined: 9/14/2008
Posts: 1014
The path forward is becoming potentially more clear. Here's the modified set of steps, with large swaths of content lifted from FractalFusion's post, but using lsnes GBWRAM addresses for Pokemon Red (offset by -0xC000 compared to GBBUS addresses as used in VBA and offset by an additional -1 or -3 in various places compared to Pokemon Yellow). The target payload ultimately needs to reside at 0x1367 in GBWRAM, and for Pokemon Red it needs to be:
0x1367: 22 00 76 00 F0 F8 D4 50 D3
To get there, things will generally follow the same pattern as what FractalFusion did in Pokemon Yellow. The player's name can be set to anything (Note: someone needs to claim the Donation Incentive coordinator position and turn this into a donation incentive by finding someone to write an autoname script!). Every action will have an impact on memory, as noted below by showing its old value followed by the new value on a new line.
  1. Set the rival's name to (space) (female) (PK) which writes 75 F5 E1:
    0x1344: 00 00 00 00 30 00 00 92 8E 8D 95
    0x1344: 00 00 00 00 30 00 7F F5 E1 50 00
    Or, if setting the rival's name to (space) - hereafter ignored, but mentioned for later reference:
    0x1344: 00 00 00 00 30 00 7F 50 00 00 00
  2. Reset during saving:
    0x1163: 00 FF 00 00 ... 00 00 (to 0x12F6)
    0x1163: FF FF FF FF ... FF FF (to 0x12F6)
  3. After restarting, switch the 1st Pokemon (or any through the 9th) with the 10th Pokemon:
    0x12F7: 00 00 00 00 ... 00 00 (to 0x1322)
    0x12F7: FF FF FF FF ... FF FF (to 0x1322)
  4. Switch the 17th Pokemon with the 20th Pokemon:
    0x1327: 30 00 00 00 00 00
    0x1327: 30 00 7F F5 E1 50
    Anchored from here on out from the beginning of the item list (2 bytes per item as ID/quantity):
    0x131E: FF FF FF FF FF 00 00 00 00 30 00 00 00 00 00 00
    0x131E: FF FF FF FF FF 00 00 00 00 30 00 7F F5 E1 50 00
  5. Toss 00 of the 2nd item to discard it, shifting everything by two bytes at 0x1322:
    0x131E: FF FF FF FF 00 00 00 30 00 7F F5 E1 50 00 00 00
  6. Toss 14 of the 5th item (which was previously the 6th) to decrement 0x1325:
    0x131E: FF FF FF FF 00 00 00 22 00 7F F5 E1 50 00 00 00
  7. Toss 9 of the 6th item to decrement 0x1327:
    0x131E: FF FF FF FF 00 00 00 22 00 76 F5 E1 50 00 00 00
  8. Toss 13 of the 7th item to decrement 0x1329:
    0x131E: FF FF FF FF 00 00 00 22 00 76 F5 D4 50 00 00 00
  9. Toss 45 of the 8th item to decrement 0x132B:
    0x131E: FF FF FF FF 00 00 00 22 00 76 F5 D4 50 D3 00 00
  10. Switch the 9th item with the 8th to switch the last two pairs of bytes:
    0x131E: FF FF FF FF 00 00 00 22 00 76 F5 D4 00 00 50 D3
  11. Switch the 8th item with the 7th to switch the two pairs of bytes starting at 0x1328:
    0x131E: FF FF FF FF 00 00 00 22 00 76 00 00 F5 D4 50 D3
  12. Toss 16 of the 7th item to decrement 0x1329:
    0x131E: FF FF FF FF 00 00 00 22 00 76 00 F0 F5 D4 50 D3
  13. Switch the 19th Pokemon with the 17th:
    0x131E: FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
    As a side note, everything interesting is moved to 0x133B:
    0x133B: 22 00 76 00 F0 F5 D4 50 D3 
  14. Switch the 12th Pokemon with the 11th:
    0x1367: 22 00 76 00 F0 F5 D4 50 D3 
This section now has 33 bytes of 00 before it. After closing the menu the game will do a few things better explained by FractalFusion resulting in a jump to 0x1350 which will contain the value 0x50 at 0x136E. After a few other things happen 0x1351 will be written to with the byte value of the combination of buttons being pressed as read from GBHRAM 1F5... and herein lies the rub. On Pokemon Yellow, 1F5 contains the input from the first controller, meaning whatever buttons are pressed is what gets copied into 0x1351 and following addresses. Unfortunately, Pokemon Red is offset a bit and the address needs to be GBHRAM 1F8 instead, meaning that the F5 we inherited from the female symbol in the rival's name needs to change. I did a bunch of testing and determined that it is safe to swap the 16th Pokemon with the 17th which will offset F5 from being an item ID to being an item quantity which can then be decremented, but because I have to go *up* I have to start with a value higher than F8 (like 00, which can wrap around because the game decrements quantities first before checking if the quantity is 0, meaning we can toss 8 to get F8). There are no values higher than F8 that can be selected for the name, so the other solution is to name the rival with a single space as noted above. This causes a trickle-down effect as now all those 00's (most importantly, E1) have to later be decremented to the desired values. I think this can be resolved by tossing the correct number of items after shifting the 16th Pokemon with the 17th and then reversing the change but it will require a fair bit more testing. This can possibly be thought through without actually consulting the game if someone is brave enough to try it. :) More to come but any help with the various things left un-done would be appreciated. Thanks, all!
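As an added illustration (this is not code from the thread or from any of the people named in it), here is a small Python model of the bag item list as a flat byte buffer. It replays steps 5 through 12 above, naming each action by the GBWRAM address it touches rather than by the in-game item ordinal, implements tossing as the subtract-then-check decrement described in the paragraph above (so a quantity of 00 wraps to D3 when 45 are tossed, or to F8 when 8 are tossed), and checks that every intermediate window matches the bytes listed in the post. The 16-byte starting window is the step-4 line copied from the post; the 0x131E base and the two-bytes-per-entry layout are as the post states.

```python
# Added example (not from the thread): model the Pokemon Red bag item list as
# a flat byte buffer and replay the toss/switch steps by address.
# Addresses are lsnes GBWRAM offsets as used in the post.

BASE = 0x131E  # start of the 16-byte window shown in the post (item list)

# Constructed from the post's step-4 line, after the Pokemon switches.
START = bytes.fromhex("FF FF FF FF FF 00 00 00 00 30 00 7F F5 E1 50 00")


def toss(buf, quantity_addr, count):
    """Toss `count` of the item whose quantity byte is at quantity_addr.

    The game subtracts first and only then checks for zero, so tossing
    from 0x00 wraps around (0x00 - 45 -> 0xD3, 0x00 - 8 -> 0xF8).
    """
    b = bytearray(buf)
    i = quantity_addr - BASE
    b[i] = (b[i] - count) & 0xFF
    return bytes(b)


def discard(buf, item_addr):
    """Remove the 2-byte ID/quantity entry at item_addr; every later entry
    shifts down by two bytes and the window is padded with 00 at the end."""
    b = bytearray(buf)
    i = item_addr - BASE
    del b[i:i + 2]
    b += b"\x00\x00"
    return bytes(b)


def switch(buf, addr_a, addr_b):
    """Swap two 2-byte item entries (the in-game 'switch items' action)."""
    b = bytearray(buf)
    i, j = addr_a - BASE, addr_b - BASE
    b[i:i + 2], b[j:j + 2] = b[j:j + 2], b[i:i + 2]
    return bytes(b)


# Steps 5-12 from the post, each expressed by the address it touches.
STEPS = [
    ("5: discard entry at 0x1322",     lambda b: discard(b, 0x1322)),
    ("6: toss 14, quantity at 0x1325", lambda b: toss(b, 0x1325, 14)),
    ("7: toss 9, quantity at 0x1327",  lambda b: toss(b, 0x1327, 9)),
    ("8: toss 13, quantity at 0x1329", lambda b: toss(b, 0x1329, 13)),
    ("9: toss 45, quantity at 0x132B", lambda b: toss(b, 0x132B, 45)),
    ("10: switch 0x132A <-> 0x132C",   lambda b: switch(b, 0x132A, 0x132C)),
    ("11: switch 0x1328 <-> 0x132A",   lambda b: switch(b, 0x1328, 0x132A)),
    ("12: toss 16, quantity at 0x1329", lambda b: toss(b, 0x1329, 16)),
]

# Expected window after each step, copied from the post.
EXPECTED = [bytes.fromhex(s) for s in (
    "FF FF FF FF 00 00 00 30 00 7F F5 E1 50 00 00 00",
    "FF FF FF FF 00 00 00 22 00 7F F5 E1 50 00 00 00",
    "FF FF FF FF 00 00 00 22 00 76 F5 E1 50 00 00 00",
    "FF FF FF FF 00 00 00 22 00 76 F5 D4 50 00 00 00",
    "FF FF FF FF 00 00 00 22 00 76 F5 D4 50 D3 00 00",
    "FF FF FF FF 00 00 00 22 00 76 F5 D4 00 00 50 D3",
    "FF FF FF FF 00 00 00 22 00 76 00 00 F5 D4 50 D3",
    "FF FF FF FF 00 00 00 22 00 76 00 F0 F5 D4 50 D3",
)]


def run_sequence(start=START, steps=STEPS):
    """Apply the steps in order; return the window after each one."""
    out, buf = [], start
    for _, op in steps:
        buf = op(buf)
        out.append(buf)
    return out


def verify():
    """True if every step reproduces the bytes listed in the post."""
    return run_sequence() == EXPECTED


def final_payload_bytes():
    """The 9 bytes at 0x1325 after step 12 (what later lands at 0x1367)."""
    i = 0x1325 - BASE
    return run_sequence()[-1][i:i + 9]


if __name__ == "__main__":
    for (label, _), window in zip(STEPS, run_sequence()):
        print(f"{label:32s} 0x{BASE:04X}: {window.hex(' ').upper()}")
    print("matches post:", verify())
```

Running the block prints the window after each step next to its label; `final_payload_bytes()` returns `22 00 76 00 F0 F5 D4 50 D3`, the same nine bytes the post shows at 0x133B and then 0x1367 after the last two Pokemon switches.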
Post subject: Pokemon Red ACE! Except...
Moderator, Senior Ambassador, Skilled player (1130)
Joined: 9/14/2008
Posts: 1014
With a lot of work in a sleep-deprived state over the last week I'm happy to say that arbitrary code execution is now possible on Pokemon Red (thanks to help from Masterjun, Ilari, padz, p4plus2, and a few other people I'm forgetting). The long and the short of it is we had to completely rework FractalFusion's item and Pokemon switching and renaming to get a value of F8 and the previous post's memory addresses are more or less useless at this point because the new input is so different; I may create a new post in the same vein at some point, but I've mostly just been talking to myself as of late in this thread so I'll hold off for the moment. :) With said help, I've created a pair of lsnes + Gambatte movie files (which can be found in my static TAS storage page), one that starts from creating a character and does a reset and the other that starts Pokemon Red with that existing (corrupted) GB SRAM state that contains the player character RED, the rival name xAxA(Pk), and FF in *just* the right place to allow further exploitation. As noted, the second movie file uses input suggested by Masterjun based on FractalFusion's work to execute arbitrary code, which it does very well. One minor caveat: I've discovered with help from Ilari and padz that D+U and L+R (representing bit values 128, 64, 32, and 16 respectively) are canceled out by the SGB BIOS meaning FractalFusion's payload can't be written as it contains the value 0xD3. This movie file contains a bunch of input at the end that softlocks the game in an interesting way but doesn't yet do exactly what we want it to. Still, it shows arbitrary code execution on Pokemon Red, which is good. I'll consult with the experts and work out a plan as quickly as I can. For anyone in the SF bay area, I'll be presenting my take on the anatomy of an arbitrary code exploit at NBLUG on 2014-12-09 at 7:30 PST at the O'Reilly campus in Sebastopol, CA.
Hopefully I'll be able to make some more progress over the next couple of days so I have a bit more I can show. Thanks again to all who helped!
Post subject: Re: Pokemon Red ACE! Except...
Site Admin, Skilled player (1257)
Joined: 4/17/2010
Posts: 11541
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
dwangoAC wrote:
I may create a new post in the same vein at some point, but I've mostly just been talking to myself as of late in this thread so I'll hold off for the moment. :)
We're just used to posting when we have something to post here; everyone seems to feel shy about posting HOORAY GOD HELP YOU without anything actually helpful, but it doesn't mean no one is following or trembling to see the progress.
Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.
Editor, Skilled player (1540)
Joined: 7/9/2010
Posts: 1319
Those who want to help with FF can pick up questions from the Triple Round and create some funny answers for each answer. I can hopefully luck manipulate the selected question into the movie. There's an alternate site with answers which contain rules and multiple answers, but it isn't sorted by rounds. Use the search function from your browser to find the question you picked. You can send me your answers by PM.
Favorite animal: STOCK Gt(ROSA)26Sortm1.1(rtTA,EGFP)Nagy Grm7Tg(SMN2)89Ahmb Smn1tm1Msd Tg(SMN2*delta7)4299Ahmb Tg(tetO-SMN2,-luc)#aAhmb/J YouTube Twitch
Emulator Coder, Player (75)
Joined: 10/4/2005
Posts: 197
I have been working with Weatherton to finish the setup movie for MK64. I wrote a multitrack lua script for N64Hawk that should make creating a multiplayer N64 TAS easier. After I finish tweaking it and clean it up I will release the source code, and hopefully others will get some use out of it.
Moderator, Senior Ambassador, Skilled player (1130)
Joined: 9/14/2008
Posts: 1014
Extremely brief update to at least get a data dump of the current state out there. There's a lot of bad news, although there is a bit of good news. First, p4plus2 (a talented SNES ROM hacker) came over and we walked through what was going wrong with Family Feud. The answer is... something deep and very ugly causes completely different lag frame patterns than on an emulator and we cannot come up with any solution to counter the problem because getting the correct "round" of questions to appear in the first place can get thrown off. Regrettably, unless some miracle happens, Family Feud will not be console verifiable. On the good news front, we've made substantial progress on Pokemon Red and it is now possible to execute arbitrary code on lsnes + gambatte. I spent many, many hours tweaking the Pokemon Red movie file I adapted from a movie file Masterjun created for GB in BizHawk. It was extremely time consuming to get the item quantities to match on the emulator but I finally got it after many iterations. Ilari hacked together this .lsmv file for Pokemon red (for lsnes + Gambatte core): http://www.elisanet.fi/ilari_l/pokered-with-visuals.lsmv as something I could use to see if the effect worked on a real console. Unfortunately, despite the fact that everything seems to work for stage 1 (the payload we write by switching Pokemon and items or decrementing items) we can't easily get stage 2 to synchronize. This has a lot to do with the fact that SGB drops or duplicates input every 56/57 frames due to clock slew. I haven't heard back on trying to get an SGB2 and with not a lot of time left (less than three weeks!) it might not make sense to try that route. Which means I'm brute-forcing everything trying to get the clock slew to happen at a time where it won't cause problems, except I have to do it entirely blind. And I've been sick the last couple of days, so that's not been helping either.
Oh, and I've been supporting lab work going on in India and my sleep schedule has been a wreck, so thinking straight has been difficult. That part is over but I'm a little concerned I won't be able to get everything done in time at this pace. We're also having some difficulties with our intended (still secret) payload, mostly dealing with the fact that the SNES really is a fairly limited platform in comparison. We're in talks about workarounds and alternative methods, but it's been a discouraging time. I'm still optimistic we can do something, it's just a matter of if what I've worked on will pan out or not or if we'll have to abandon this and do something else instead. More updates to come but thanks for any encouragement or help you could send toward Ilari, Masterjun, p4plus2, or myself, A.C.
Editor, Skilled player (1540)
Joined: 7/9/2010
Posts: 1319
No intense FrankerZ freakout in the Twitch chat. :-( So help is not needed anymore for Family Feud answers.
Moderator, Senior Ambassador, Skilled player (1130)
Joined: 9/14/2008
Posts: 1014
TASeditor wrote:
No intense FrankerZ freakout in the Twitch chat. :-( So help is not needed anymore for Family Feud answers.
Sadly, no. This is most unfortunate, as I know you've put some work into it. You may consider posting what you have the day-of, or completing it as a standard TAS on a newer emulator that can obsolete the existing run. Maybe this is even donation incentive material. In other words, just because the game has some characteristic that makes it lag unpredictably and thus difficult to console verify doesn't mean that your work has been entirely in vain. I do want to take this opportunity to thank you for the time you put in, and I hope that you'll be able to do something with what you've created. If you're willing to finish off the game in time for the marathon, please let me know. I think the final questions can be a little less Twitch chat oriented if you need them to be, and since I won't be actively presenting it you can probably get away with a bit more leeway with content. Regardless, thanks for your efforts!
Post subject: Finally, some good news - PokeRed arbitrary code on console
Moderator, Senior Ambassador, Skilled player (1130)
Joined: 9/14/2008
Posts: 1014
I have good news - after many hours of effectively testing blind, I was able to puzzle out what changes to make to get a movie file to synchronize on a real console. If you want to grab the movie file you can find it at: http://acbit.net/static/tas/PokeRedV16DoubledMoreButtonsTitlescreenJumpShifted.lsmv (You can try this yourself with lsnes + Gambatte in Linux, after following the.. er.. mostly straightforward instructions to compile from source; there is also a not-yet-ready-for-primetime Windows build of lsnes + Gambatte created by Ilari that I'm not yet sure if I can share if you need it - ask me or Ilari on IRC as needed, but I digress) The above movie file triggers a series of opcodes that resets the game to the title screen but leaves the player sprite present. It emulates the same way on the console as it does on the emulator, more or less, but the clock skew is still an issue for longer payloads. The payload I tested was only 4 bytes long but what we need to write is more like 40, and because we can only read a nibble (four bits) per frame it takes us over 80 frames to write the payload meaning we hit at least one 56/57 clock skew window where input is messed up, and the point after where it is messed up could require adjustment by another extra lag frame in addition to simply offsetting the bad section to occur where it won't cause damage. This is basically my way of saying that the next step will require substantial blind testing unless we can figure out a way to sniff the clock. Since we can now execute short sections of arbitrary code perhaps there's something we can do to suss it out, or perhaps I'll borrow a logic analyzer and a scope from work and try my hand at some hardware hacking. Either way, this is finally some hope in what has been a downright unpleasant time (where everything from very long hours at work to getting sick to having a tree fall on our house has happened). 
I'll post more after I make some additional progress, but it could be a few days. Thanks for the support all and I hope to have good news again soon.
Site Admin, Skilled player (1257)
Joined: 4/17/2010
Posts: 11541
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
Looks like you may need to hack the game the same way notaz did: make the game display some important number you need to verify sync, then just compare how it looks in emulator and TV, and adjust stuff accordingly. Must be something unheavy, to not add more skew.
Post subject: Success! Now on to the secret payload.
Moderator, Senior Ambassador, Skilled player (1130)
Joined: 9/14/2008
Posts: 1014
I've spent many hours testing but I've finally perfected a payload that executes an epilepsy-inducing flashing pattern crafted by Ilari on a real console, executing code in SNES space. I'm going to stop here for just a second and again say that Ilari has put in a lot of time and effort on this and I really appreciate all of the work he's done. So, without further ado, if you have lsnes + Gambatte core running you can watch the result here: http://acbit.net/static/tas/PokemonRedSuperGameBoyEpilepticDemo.lsmv If you own one of true's replay devices you can play this back on your SNES + SGB + Pokemon Red: http://acbit.net/static/tas/PokemonRedSuperGameBoyEpilepticDemo.frame.r16m The final bit of tinkering involved determining when the "slip" frame occurred on a real console. I took a portion of a jump sequence of 3E 32 CD 6D 3E (LD A, 0x32 \ Call 0x3E6D) and split it in two; since the first part is a small load opcode that's only two bytes long I split that off and wrote the other three bytes at the end of the time period where we could write bytes. As noted earlier, since we can't press U+D or L+R at the same time we're writing at a speed of only 4 bits per frame (1 nibble), so the above two-byte sequence of 0x3E followed by 0x32 took four frames to write. I was able to move this section around and determine the exact offset where the slip frame occurred, down to the exact frame; this is because the slip frame offset was when I needed to enter the first nibble for the next frame, allowing me to get down to single-frame accuracy. Ilari then found a modification to the payload with a nearby section where the byte 00 could be inserted. We got that movie to synchronize on the emulator then dumped it and... it was oddly off by 7 frames on the console. So, by making the game exit the menu 7 frames faster, the movie file now synchronizes on real hardware using true's original replay board. 
This is the state I had hoped to be at before the 9th and ideally hoped to be at two months ago, but considering the hurdles we had to overcome this is a huge success. There's a lot more work to be done, however; we still need to find some way to reset the console (either through a solenoid or through the expansion port), we need to get the MultiReplay board to support this movie file type (difficult, as true is currently distracted due to various circumstances), we need to figure out a payload (something Masterjun and p4plus2 are working on now), and it would be nice if we could get ROB flashcodes working (effort started by p4plus2 but that's something that is hard to test without a CRT and a ROB). There are other nice-to-haves such as getting the visualization boards working, but we might not be able to get that in time.

This is a good time to say that my involvement with AGDQ 2015 has expanded to organizing getting pinball machines set up for attendees. It's still a bit early but things are looking promising. I hope to post more in the coming days.

Finally, I'm on the hook to get some nice pictures of ROB so we can get a bumper made. I'm a bit behind on that (it's been a hectic week, a tree fell on our house and it was a bit of a mess there for a while) but I hope to get that done tomorrow now that we've made it past the arbitrary code execution on the SNES processor. Thanks again to everyone for the support and I'll post updates as they happen. It's a tight schedule to get everything done but we'll do what we can.
I was laid off in May 2023 and became too ill to work this year and could use support via Patreon or onetime donations as work on TASBot Re: and TASBot HD is stalled. I'm dwangoAC, TASVideos Senior Ambassador and BDFL of the TASBot community; when healthy, I post TAS content on YouTube.com/dwangoAC based on livestreams from Twitch.tv/dwangoAC.
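An added example, not dwangoAC's code or anything from the TASBot project: it decodes the five-byte sequence quoted in the post above as Game Boy (SM83) instructions and totals the input frames each instruction costs at the post's stated rate of one nibble per frame, which is why the two-byte LD A costs four frames and the remaining three bytes six. The opcode table, the function names and the split helper are my assumptions for illustration; the actual controller-to-nibble encoding used in the run is not described in the post and is not modelled here.

```python
# Added illustration (not the TASBot project's code). Decodes the bytes
# "3E 32 CD 6D 3E" from the post and budgets input frames at one nibble
# (4 bits) per frame, the write speed the post states.

NIBBLES_PER_FRAME = 1  # stated in the post: 4 bits per frame

# opcode -> (mnemonic template, immediate size in bytes). SM83 immediates
# are little-endian, which is why CD 6D 3E reads as CALL 0x3E6D.
# Only the two opcodes the post uses are tabled; anything else raises so a
# stray byte is never silently mis-decoded.
OPCODES = {
    0x3E: ("LD A, 0x{imm:02X}", 1),
    0xCD: ("CALL 0x{imm:04X}", 2),
}

SEQUENCE = bytes.fromhex("3E32CD6D3E")  # the jump sequence quoted in the post


def decode(payload: bytes):
    """Return a list of (offset, mnemonic, raw_bytes) for each instruction."""
    out = []
    i = 0
    while i < len(payload):
        op = payload[i]
        if op not in OPCODES:
            raise ValueError(f"opcode 0x{op:02X} at offset {i} not in table")
        template, n = OPCODES[op]
        operand = payload[i + 1:i + 1 + n]
        if len(operand) != n:
            raise ValueError(f"truncated operand at offset {i}")
        imm = int.from_bytes(operand, "little")
        out.append((i, template.format(imm=imm), payload[i:i + 1 + n]))
        i += 1 + n
    return out


def frames_for(nbytes: int) -> int:
    """Input frames needed to write nbytes when each frame carries one nibble."""
    return (nbytes * 2) // NIBBLES_PER_FRAME


def frame_budget(payload: bytes):
    """Per-instruction frame cost and the frame at which each write starts."""
    plan = []
    frame = 0
    for off, mnem, raw in decode(payload):
        cost = frames_for(len(raw))
        plan.append({
            "offset": off,
            "mnemonic": mnem,
            "bytes": raw.hex(" ").upper(),
            "start_frame": frame,
            "frames": cost,
        })
        frame += cost
    return plan


def total_frames(payload: bytes) -> int:
    return sum(row["frames"] for row in frame_budget(payload))


def split_after(payload: bytes, n_instructions: int):
    """Split the byte sequence on an instruction boundary, as the post does
    (the two-byte load first, the remaining three bytes later)."""
    insns = decode(payload)
    cut = sum(len(raw) for _, _, raw in insns[:n_instructions])
    return payload[:cut], payload[cut:]


if __name__ == "__main__":
    for row in frame_budget(SEQUENCE):
        print(row)
    head, tail = split_after(SEQUENCE, 1)
    print("first write:", head.hex(" "), "->", frames_for(len(head)), "frames")
    print("second write:", tail.hex(" "), "->", frames_for(len(tail)), "frames")
```

Running it reproduces the accounting in the post: the load costs four frames and the whole five-byte sequence ten, and splitting after the first instruction gives exactly the 2-byte and 3-byte halves that were written in separate windows.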
Post subject: The final push
Moderator, Senior Ambassador, Skilled player (1130)
Joined: 9/14/2008
Posts: 1014
I had hoped months ago to have everything done by the 9th so there wouldn't be a mad scramble, but various circumstances have made that dream not come true and I'm now in the mad scramble to finish everything, but progress looks good:
- micro500 and Weatherton are solid on the MK64 run
- With a small firmware change from true I was able to get SNES reset working
- Resetting Pokemon Red to glitch the savegame now works 100% of the time
- Masterjun finished taking p4plus2's mystery game and doing good things with it
- The Pokemon Red total control preparations continue to march on with mild risk
- I've been able to make a PR contact to seed an interview / article on the TASBot block
- I've found a way to make the visualization boards function, albeit currently inverted

The highest risk remains the Pokemon Red total control payload. We have almost all of the individual pieces done but still need to integrate everything and it's going to be tight. If we *do* pull off getting the full payload working, I guarantee we will have people chatting about it! ;) I fly to AGDQ 2015 on Saturday and we are still on for an 8:05 PM EST start on Sunday. If this is my final post before the event (which hopefully it won't be) here's hoping everything goes well!
Site Admin, Skilled player (1257)
Joined: 4/17/2010
Posts: 11541
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
Since it has all succeeded, I'm downloading the entire TAS block right now, in order to trim it and send it to TVC.
Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
feos wrote:
Since it has all succeeded.
It didn't all succeed. They ended up skipping using twitch input to break out of the twitch chat and into the environment to do more crazy.
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Spikestuff
They/Them
Editor, Publisher, Expert player (2680)
Joined: 10/12/2011
Posts: 6472
Location: The land down under.
feos wrote:
I'm downloading the entire TAS block right now,
You might want to wait a bit; only 30 mins have been processed so far.
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. Something better for yourself and also others.
GhostSonic
He/Him
Joined: 3/14/2013
Posts: 61
I guess the bot wasn't immune to the *GDQ stage fright. Whatever you got working though was awesome.
Joined: 11/11/2006
Posts: 1235
Location: United Kingdom
Nach wrote:
feos wrote:
Since it has all succeeded.
It didn't all succeed. They ended up skipping using twitch input to break out of the twitch chat and into the environment to do more crazy.
It didn't all need to succeed. The concept of "Pokemon plays twitch" to a chat room full of twitch users watching was all that was needed. Even if it wasn't 100% successful, I want to congratulate all those involved in getting a standing ovation from the room :)
<adelikat> I am annoyed at my irc statements ending up in forums & sigs
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
Raiscan wrote:
Nach wrote:
feos wrote:
Since it has all succeeded.
It didn't all succeed. They ended up skipping using twitch input to break out of the twitch chat and into the environment to do more crazy.
It didn't all need to succeed. The concept of "Pokemon plays twitch" to a chat room full of twitch users watching was all that was needed.
You wouldn't say that if you saw the rest. Further the last part was to knock the socks off our TASers specifically.
NESAtlas
He/Him
Player (57)
Joined: 7/4/2010
Posts: 115
Location: Gales Ferry, CT
Thank you all for blowing my mind again :) Not sure how it's possible to top this for 2016, but somehow I know it will happen.
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
AndyDick wrote:
Thank you all for blowing my mind again :) Not sure how it's possible to top this for 2016, but somehow I know it will happen.
Don't worry, we're already in the planning stages for it.
Former player
Joined: 1/17/2006
Posts: 775
Location: Deign
All this prep and I still had to spot you a controller Kappa
Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign aqfaq Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign Deign