SNES Code Injection — Flappy Bird in SMW


Welcome back, SethBling here. A little over a year ago, I became the first person to complete a Super Mario World credits warp on the Super Nintendo console using a route created by Jeffw356. Yesterday, I became the first human to do something much crazier on console. I used a series of Super Mario World glitches to inject 331 bytes of processor instructions into system RAM. It was the source code for Flappy Bird. I did this using standard unmodded Super Nintendo hardware. While this kind of thing has been done before by feeding prerecorded controller inputs into a console from a computer, no human has ever completed this kind of exploit, until now. In this video, I want to explain how I pulled it off. But first I want to give a huge thank you to p4plus2, who is well known in the Super Nintendo hacking community. He wrote most of the assembly code and provided a ton of technical information necessary to complete this exploit. He is the real brains behind this operation. I also want to thank MrCheeze, who found the arbitrary code execution setup that made this whole project possible, as well as suggesting some vital improvements to my method.

Now let me show you how it was done. To begin with, I completed Yoshi’s Island 2 and 3, making sure to pick up Yoshi and Fire Power. Next, I performed a glitch called ‘powerup incrementation’ 3 times. ‘Powerup incrementation’ is a glitch that takes advantage of Yoshi block duplication and some poorly written spinning brown platform code to increment Mario’s powerup state. Normally Mario’s powerup state takes on a value between 0 and 3, where 0 is small, 1 is big, 2 is cape and 3 is fire. By incrementing three times from Fire Mario, we arrive at powerup state 6, which is normally unobtainable and has some odd behavior. Whenever you collect a powerup, the game looks up a memory address, containing some code to run based on your current powerup state. When you have an invalid powerup state like this, it can start running code from places other than the game cartridge. By doing some specific memory manipulation tricks, and having some extra controllers with taped-down buttons hooked up through Multitap ports, we can get this Super Nintendo to start executing instructions from the sprite x-coordinate table. By spitting out red shells at specific x-coordinates, we can write a series of processor instructions into this table, and then execute them by collecting a 1-up. In this case the processor instructions told the game to set Mario’s powerup state to 22. Powerup state 22 behaves a lot like powerup state 6, except we can trigger this arbitrary code execution glitch using a mushroom rather than a 1-up, which was a lot more convenient because I could repeatedly use the mushroom from my item box to execute the instructions.

Next, I restarted the level and spat out shells at x-coordinates corresponding to processor instructions that would add about 3 hours onto the level’s timer, and by collecting the mushroom from my item box, I executed those instructions. Without exiting the level, I did some sprite slot manipulation techniques to help with the next stage of the code injection, which is called the ‘bootloader’. I spat out more red shells to send out more processor instructions. This time the processor instructions were coded to write the x-coordinate of the P-switch to an address specified by the x-coordinate of Yoshi. In this way, by moving Yoshi and the P-switch around and collecting the mushroom from my item box, I was able to write byte after byte of arbitrary data into some contiguous memory locations. The memory locations being written to were located just after some code that’s run from RAM during each frame of gameplay. By doing this, I was able to add my own code to the game’s code to be run every frame. The first 6 bytes of code I appended created a so-called ‘coin display’, where Mario’s x-coordinate was copied into the game coin counter. Up until this point, any pixel-perfect maneuvering had to be done by judging Mario’s location relative to the level on a pixel-by-pixel basis. With the coin display, I could then do pixel-perfect maneuvering just by comparing the coin count to predetermined values in my notes, which made things a lot faster and less error-prone.

The next 26 bytes written to this portion of memory completed the bootloader. With the bootloader complete, whenever I performed a spin jump, Mario’s x-coordinate would be copied into a position of memory indicated by a pointer, and that pointer would increment. That pointer’s offset from the beginning of the Flappy Bird payload location was displayed as Mario’s score, ignoring the ones digit. By sequentially moving to the next coordinate and spin-jumping, I could write byte after byte very quickly into an unused portion of system memory. The first 3 bytes written this way overwrote some of the game’s palette data, which messed up the colors, but it also let me verify that the bootloader was working correctly. At this point, I iteratively wrote 331 bytes of processor instructions into unused RAM. Move to location, spin jump – move to location, spin jump … 331 times. This payload was written by p4plus2, and it was the source code for Flappy Bird.

Finally, I performed the last spin jump, which wrote the last byte, and made the game stop running Super Mario World’s code, and start running the injected Flappy Bird code. p4plus2 went through a lot of trouble to make the Flappy Bird payload as compact as possible, both to minimize the amount of time it would require for me to inject it, and also to minimize the chance of error during the injection process. Fortunately, he was able to make use of some of the existing Super Mario World code and graphics to save some space. Even still, it took about an hour to complete the whole code injection.

In the end, I’m really proud of this project and grateful to p4plus2 and MrCheeze for all the help they provided. There’s no way I could’ve completed it without them. You may have seen TASBOT perform similar exploits at a Games Done Quick speedrun marathon. TASBOT is a computer board that sends prerecorded handcrafted inputs to the game’s controller port. Masterjun has written several code injection exploits, intended to be run by TASBOT for this purpose. However, to my knowledge, this is the first time anyone has ever completed this kind of large scale code injection by hand on a videogame console.

If you want to see the notes that I used during the run, there’s a link to that document in the video description. I did the whole thing in a live broadcast, so if you want to see the entire run, there’s a link to the Twitch archive in the video description as well. That’s about it, thanks for watching.
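The root cause the video describes, a powerup handler table indexed by a state value that is never range-checked, modelled as an added C example (not code from the video, from Super Mario World, or from p4plus2): a toy memory map with assumed addresses places the handler pointer table directly before a player-influenced sprite x-coordinate table, and the unbounded lookup is shown beside a bounds-checked version.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy memory map, not SMW's real one (all addresses are assumptions):
 * a 4-entry table of 16-bit little-endian handler pointers, indexed by powerup
 * state, sits just before the player-influenced sprite x-coordinate table. */
#define MEM_SIZE      0x200                            /* addresses wrap within this */
#define TABLE_BASE    0x100                            /* handler pointer table */
#define TABLE_ENTRIES 4                                /* 0 small, 1 big, 2 cape, 3 fire */
#define SPRITE_X_BASE (TABLE_BASE + 2 * TABLE_ENTRIES) /* 0x108 */
#define CODE_BASE     0x180                            /* legitimate game code lives here */

static uint16_t read16(const uint8_t *ram, uint16_t addr) {
    uint16_t lo = ram[addr & (MEM_SIZE - 1)], hi = ram[(addr + 1) & (MEM_SIZE - 1)];
    return (uint16_t)(lo | (hi << 8));
}

/* Original-style dispatch: the state is never range-checked, so state 6 reads
 * its "handler address" from two bytes of the sprite x-coordinate table. */
int dispatch_unchecked(const uint8_t *ram, uint8_t state) {
    return read16(ram, TABLE_BASE + 2 * state);
}

/* Hardened dispatch: reject states outside the table, and any target that does
 * not point into the region holding game code. */
int dispatch_checked(const uint8_t *ram, uint8_t state) {
    if (state >= TABLE_ENTRIES) return -1;
    uint16_t target = read16(ram, TABLE_BASE + 2 * state);
    return target >= CODE_BASE ? target : -1;
}
int target_is_in_sprite_table(int t) { return t >= SPRITE_X_BASE && t < CODE_BASE; }

/* Constructed RAM image: four valid handlers, then sprite x-coordinates placed
 * so that the two bytes at (nonexistent) table slot 6 spell 0x0110. */
static void build_example_ram(uint8_t *ram) {
    const uint16_t handlers[TABLE_ENTRIES] = {0x1A0, 0x1B0, 0x1C0, 0x1D0};
    const uint8_t sprite_x[] = {0x40, 0x58, 0x70, 0x88, 0x10, 0x01, 0x20, 0x30};
    memset(ram, 0, MEM_SIZE);
    for (int i = 0; i < TABLE_ENTRIES; i++) {
        ram[TABLE_BASE + 2 * i] = handlers[i] & 0xFF;
        ram[TABLE_BASE + 2 * i + 1] = handlers[i] >> 8;
    }
    memcpy(ram + SPRITE_X_BASE, sprite_x, sizeof sprite_x);
}

/* Run one dispatch against the example image (hardened=1 uses the checked path). */
int example_dispatch(uint8_t state, int hardened) {
    uint8_t ram[MEM_SIZE]; build_example_ram(ram);
    return hardened ? dispatch_checked(ram, state) : dispatch_unchecked(ram, state);
}
```

With state 6 the unchecked path resolves to 0x0110, an address inside the sprite table, while the checked path refuses it; valid state 3 resolves to the same handler on both paths.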

100 thoughts on “SNES Code Injection — Flappy Bird in SMW”

  1. "I AM THE FIRST HUMAN to inject Flappy Birds code inside Super Mario World"
    I couldn't get why you were so enthusiastic about the word "human". I was thinking that you put too much grandiloquence in your achievements. Now I understand that what you mean is that you are doing it by hand.

  2. An infinite number of monkeys at an infinite number of Super Nintendos will eventually program Flappy Bird.

  3. welcome back kids driver here today we are gonna make a field trip about museum.(5 hours later)
    and kids this is what sethbling without armor stand looks like

  4. Wouldn't you need to modify the source code to make the pipes & Mario the sprites instead of the sprites that were used originally? How do you write in Mario's/the pipes' sprites into the source code?

  5. that's kool!! so the summary is that the code is injected from the controller… I kinda lost it at some point 😀

  6. Welcome back, Sethbling here. Today I recreated a cure for cancer by taking advantage of arbitrary code injections in Super Mario World

  7. The shit people spend their time on blows my mind…

    trots off to design his next abomination theme park

  8. Wow. They even managed to inject assets from Flappy Bird. Those look like the same pipes from Flappy Bird. ?

  9. WOAH I saw this in another speedrunning video and somehow didn't realize it was you. Good job on the first person to do that first run thing also. <3

  10. How did the payload physically get into the game? Obviously the glitches were to inject the payload, but you didn't write the code of. Where did it come from if you were using the physical console.

  11. Sethbling: I want to play Flappy Bird
    Proceeds to do frame perfect actions
    Sethbling: Now I can play Flappy Bird! Haha!

  12. Totally insane…

    …but I don't understand why spending time doing this…

    …disassemble Screamer 2 for PC instead plz.

  13. Ok now the question is can this be performed with the SMW on the switch? And if so, can it take advantage of addresses outside of the game

  14. Imagine using a TAS tool to do this

    You could write the button inputs in the TAS tool then watch as the TAS writes the code for you.
