Goal
Complete the FDS game All Night Nippon Super Mario Bros. as fast as possible through the use of any means necessary.
Background
FDS All Night Nippon Super Mario Bros., or All Night Nippon as I will now refer to it, was a ROM hack created in 1986 by the Nippon Broadcasting System as a promotion for their radio station All Night Nippon. The hack uses many elements of Super Mario Bros. and its successor, Super Mario Bros. 2 for the FDS. The first 31 levels consist of a mixture of Super Mario Bros. and Super Mario Bros. 2 levels, but most importantly the last level, 8-4, is taken almost directly from Super Mario Bros. 2 with a few minor edits. This is important because the level 8-4 in Super Mario Bros. 2 was found to have a method for Arbitrary Code Execution, or ACE, allowing for the game to be beaten faster than previously believed possible. As soon as we heard of this, KingKappa and I started working on this project in an effort to get ACE working in All Night Nippon.
The Run
Before we could worry about 8-4, we had to make sure we were getting there as quickly as possible. The Any% route takes a warp from 1-2 to 4-1 and another from 4-2 to 8-1, meaning only eight levels are played in total. Let's break down each level one by one.
1-1
A fireflower is needed to perform ACE in 8-4, requiring us to collect two powerups before the end of the run. We collect the first one at the beginning of 1-1 for a trick in 1-2 that will be explained later. Unfortunately, although this was the fastest place to power up, it was still not possible to get running speed after the powerup grab. In All Night Nippon, Mario's speed is grouped into three main segments, but only two of them matter in this situation. When his speed is between 0 and 24 (note that all speed values are in subpixels per frame), he is considered to be at walking speed. If Mario is on the ground and B (the run button) is held, his speed can continue increasing until it hits a hard cap of 40. However, if Mario is either in the air or B is not held, his speed cannot increase past 24 until both conditions are met. This means that after slowing down to 24 speed or lower, Mario cannot accelerate back up to 25 or higher until he touches the ground with B held. Collecting the mushroom from a block four blocks above Mario's head as small Mario is not possible without slowing down below 24 speed, which means that after grabbing the mushroom, he must fall slowly to the ground at 24 speed. This small slowdown is unfortunate but is sadly unavoidable. Moving through the rest of the level, taking the underground saves around 2.5 seconds over skipping it, and we are placed at the end of the level. The final trick in 1-1 is called a Flagpole Glitch, or FPG. In All Night Nippon, there is a sequence for ending levels triggered after Mario touches the flagpole that:
1. Moves both Mario and the flag down towards the base of the flag until either the flag touches the bottom or Mario does first, in which case the flag only falls to a slightly higher point.
2. Walks Mario to the right until he hits a solid block (this is almost always the invisible block right next to the door of the ending castle).
3. Snaps Mario behind the background and starts counting down the timer to end the level.
The first step has a slight exception that allows for a FPG to be possible. For an unknown reason, there is an explicit condition in the game that immediately triggers Step 2 if Mario's Y position is #$A2, or three pixels above the top of the flagpole base block, truncating Step 1 and preventing the flag from sliding down. It would normally never be possible to hit this point, as it is inside the flagpole base block, but there are many ways to clip into blocks and walls in this game with proper execution. When Mario hits a block, it sets his speed to 0, checks which direction he was moving, and ejects him out of the block with an opposing force. This works fine in normal conditions, but if left is pressed for a frame (as the NES/FDS framerate is 60.098813897441 fps, a frame is ~0.0166392635 seconds) right after his speed is set to 0, Mario actually has a tiny amount of speed moving to the left, and the block sucks him closer into it as a result, allowing Mario to get inside the flagpole base block and touch the flagpole at the special conditional point. This trick on its own saves 19 - 20 frames without extra frame save (EFS) and under the affect of powerups affecting the flag's Y subpixel (21 with EFS), but when moving to the next level, it saves 21 because of a concept known as framerules. Throughout the entirety of the game, there is an internal timer ticking down from 20 to 0 and wrapping back around after 0. After the level timer ticks down and a level is completed, there is another internal timer set to 6 that ticks down every time the global 21 frame timer hits 0. This effectively locks completing a level to a 21 frame window, as if you complete the level with 20 or 0 on the global timer, the level end timer will still have to wait for the global timer to hit 0. From now on, every level can only save time in increments of 21 frames, or about 0.35 seconds.
1-2
1-2 starts out with another trick called a fast accel. There are many different types of fast accels, and this is an underground fast accel, or UFA. Mario accelerates and decelerates faster when he is moving in a direction opposite to the one he's facing, a mechanic intended to allow Mario to come to a stop faster when he is sliding backwards on the ground. This is exploited in many places to gain an extra frame (or more, depending on the situation). The rest of the level is pretty standard until the end, where another type of wall clip is performed to get into the warp pipe to 4-1 faster. This clip is different from the one used in the 1-1 FPG, as instead of pressing left to avoid getting rejected, Mario crouches before jumping and lands right on the seam between two blocks, allowing him to uncrouch for a frame. Since for this frame his head is inside a block, Mario is allowed to walk freely inside the wall. The screen is scrolled just enough to load the warpzone before doubling back to the world 4 pipe. This clip is the reason a powerup was needed before entering 1-2, as it is only possible with big Mario and saves a framerule over any method possible with Small Mario.
4-1
4-1 has another powerup grab, but since we are big Mario now and have a larger hitbox, this one is possible to grab with running speed. Similar to in 1-1, it is not possible to grab this fireflower without slowing below 25 speed, but because of the larger Big Mario hitbox, it is possible to grab it with slightly more speed and get closer to 24 before the grab. This is very important because when grabbing a powerup in the air, Mario is considered as on the ground for one frame, meaning we can get to 25 speed and accelerate before touching the ground. At the end of the level is another flagpole glitch that works in exactly the same way as in 1-1.
4-2
This level starts off with another UFA to save a frame before clipping into a coin block. This clip is performed the same way as a flagpole glitch clip, by pressing left as soon as you hit the block, but is done for a completely different reason. Pipes in All Night Nippon don't have destinations individually assigned to them. All pipes are either enterable or unenterable, and if you could enter them all at the same time they would all point to the same place. To change destinations of a pipe, there is an invisible enemy loaded the same way a Goomba or Koopa is that tells all pipes to switch their destination to a specific area. Enemies are loaded when their object is within 3 blocks off screen and handled by the subroutine ProcessEnemyData. As Mario runs through a level, the screen doesn't scroll until he reaches 112 pixels from the left side of the screen, at which point it locks onto him and follows for the rest of the level. However, clips move Mario forward on the screen without scrolling, which can offset Mario from the screen position and move him farther forward. Since enemy loading is based on the screen position, Mario can now get into the pipe before the area change object is able to load and enter a pipe that normally takes you to the underground to be transported into the warpzone. Entering the world 8 pipe brings us to 8-1 and marks the halfway point of the run.
8-1
8-1 starts out with another fast accel to save 3 frames, known as either a TAS fast accel (TFA) or a double fast accel (DFA) depending on who you ask. I will use TFA. This accel saves 3 frames which when added to the 21 from the FPG saves 24 frames which saves a single framerule. Again, this FPG at the end is the exact same as the ones in 1-1 and 4-1.
8-2
8-2 starts with another TFA to save 3 frames. Enemies are strategically hit and left alone in order to manipulate the spawning of a bullet bill at the end of the level to set up another trick. I personally do not have a very in-depth knowledge of their behavior, but the basics can be understood through this from TASer Periwinkle.
For x = 2, 1, 0:
if enemy slot x is unoccupied:
check last 4 bits of address $(7A8+x) (before 5-3), or last 3 bits (after 5-3)
if this value corresponds to a currently active cannon slot (0-5):
if that cannon's timer is 0:
fire bullet bill and reset timer to 14
otherwise:
decrement the cannon timer
As I mentioned, this bullet is needed for another trick at the flagpole similar to the FPG. By bouncing on a bullet instead of jumping into the flag, we can get a lower bounce, and instead of snapping up onto the block and walking off, Mario doesn't have enough height and falls to the left of the block. This prevents the flag from coming down (Step 1 from earlier) as well as satisfying the conditions for Step 2 (this step required Mario to touch a solid block before triggering the timer countdown and ending the level). The trick saves 3 framerules, or 1.05 seconds, over no FPG and 2 framerules over FPG.
8-3
This level starts with another TFA to save 3 frames before finishing the level with another FPG, the exact same as in 1-1, 4-1, and 8-1.
8-4
Finally we have made it to 8-4, the main event. This level has a lot to unpack so I'll break it down into rooms, which there are 4 of.
Room 1
We start out with a special accel I call a castle accel. This is different because there is a block above Mario's head and this causes him to bonk it after his jump making it much more chaotic. This one is special because right after it Mario has to jump under a Podoboo while still landing on the platform after it. If we had done the accel normally, Mario would get hit by the podoboo as it is just slightly too low. To counteract this, we wait one frame before starting the accel for a very specific reason. In All Night Nippon, Mario can only interact with enemies every other frame, a mechanic we call cointoss. If we wait this extra frame at the beginning it switches Mario's cointoss and on a frame in which he would normally get hit by the podoboo, he cannot interact with it and by the next frame when he can interact with it, the podoboo is higher up and no longer contacting Mario, making the jump just barely possible.
Room 2
This room is a water room, the only one in the run. When he is between 11 and 24 speed, the fastest way to accelerate underwater is to hold left and Right on the controller at the same time. This is impossible on a real NES/FDS controller and banned from RTA runs but completely allowed for a TAS. L+R also creates the glitched sprite when swimming which can serve as an indication as to when it's pressed. After getting up to full speed, we do another clip similar to the one in 4-2 and for a similar reason. Underwater clips like this are quite a bit more lenient than on land but are still functionally the same. This one is done to offset Mario and move him farther to the right of the screen in order to slip under the firebar before it has time to fully rotate and hit him.
Room 3
We start with a TFA and a simple turnaround; nothing complex here.
Room 4
This is the last room of the TAS and where the ACE occurs. We begin with a TFA out of the pipe before fireballing a blooper, hitting a powerup, and running through a section full of enemies with a long firebar at the end. It may not seem like it, but this is vital for the ACE setup. There are 5 normal enemy slots (Slots 0-4) in All Night Nippon as well as one reserved for special items like powerups or the flag (Slot 5). There are 4 enemies in this section (2 different koopas, the piranha plant, and the moving platform) and hitting the powerup block fills the special slot 5. Long firebars and Bowser are actually so large they are made up of two different sprites put together. Both use a subroutine called DuplicateEnemyObj which when asked to load these two sprites in with only one open slot incorrectly writes the second sprite to an out of bounds slot 6. This does not affect anything for now other than setting up the next step. 8-4 is a maze level that loops if you do not take the correct route. We make use of this by purposefully taking the wrong route in order to reload the same section with the firebar. This time around, we don't fireball the blooper and keep him loaded. We slow down a bit to give him time to follow us and move farther to the right to prevent him from despawning while opening the powerup block. This is the current state of enemy slots:
Slot 0: Blooper
Slot 1: The piranha plant right after the blooper
Slot 2: The second plant
Slot 3: First Parakoopa
Slot 4: Second Parakoopa
Slot 5: Powerup
However, we need the firebar to load into slot 3 as well as a green koopa loaded somewhere (green koopas have the enemy ID #$00). The firebar needs to load into slot 3 because when ACE is triggered, the green koopa (#$00) is replaced with a different glitched enemy depending on the slot. For example, if the firebar was in slot 4, the enemy ID #$84 would replace the koopa. We want the ID #$83 meaning the firebar must load into slot 3. To allow for this, we fireball the Parakoopa in slot 3 to free up his slot while leaving the Parakoopa in slot 4 untouched. We bop the Parakoopa in slot 4 to turn him into a green Koopa with the ID of #$00 while firing off fireballs into the wall as we accel away. This is why we needed the fireflower for this run. The significance of the fireballs will be explained shortly. Now everything is set up for ACE. We move far enough to load the firebar which would normally crash the game, but it doesn't for now because Select + B is being held on controller 2. This happens because Select + B is represented as #$60 in the game, which is the 6502 opcode for RTS, or Return from Subroutine, effectively looping the crash and holding it off until the RTS is released or changed. After loading the firebar we have to turn around to get hit by the plant and trigger the ACE. This is all because of the core component of how this ACE works, so I'll start from the basics and explain from there up. In NES/FDS games, there is RAM (Random Access Memory) and ROM (Read Only Memory). The entire game is just ROM manipulating RAM over and over again. For this reason RAM is always changing and can be viewed as numerous variables that are constantly being edited. The ROM is the actual code written by the programmers and tells the RAM what to do. For example, ROM might say, "Did Mario die? If so, remove a life." This would be done by checking Mario's state in RAM and if it was a #$0, decrement the value in RAM that holds Mario's lives. When executing code, there is something called the Program Counter, or PC, that tells the game what is currently being read in ROM. The PC controls what is being executed and is always reading ROM in normal gameplay. Since ROM never changes and cannot be changed this means the game will always run the same no matter what. However, ACE is when a method is found to force the PC to start reading RAM instead of ROM. As we know, RAM is always changing and can be manipulated to make the game do whatever we want it to. When we loaded the firebar twice and DuplicateEnemyObj incorrectly wrote out of bounds to the sprite slots, the PC was forced to jump to $0747 in RAM (ROM starts at $6000). $0747 is a timer set to FF when Mario gets hit that counts down to #$CD before resetting to 00. This is used to time Mario's invincibility frames after getting hit by an enemy. $0748 is the amount of coins collected in the current level (8-4 has none so this will always be #$00), and $0749 is locked at #$00 and never changed. $074A and $074B are player 1 and 2 controller inputs and can be whatever we want them to be, allowing us to execute 2 bytes of code arbitrarily. This is the key to loading the credits. The only problem is any #$00 in RAM is the BRK opcode which results in a crash and will kill the run. Since $0748 and $0749 are locked at #$00, we need to set $0747 to something that will safely get past the next three RAM values and arrive at $074A. This is why we need to take damage, it allows us to insert an arbitrary opcode here. I use #$FD, which is a SBC or SuBtract with Carry. This function subtracts the A register by the values of the operand. In 6502 a command is made up of two parts. The opcode, which tells the game what will be happening, and the operand, which provides the data for the operation. For example a LDX or LoaD X register might look something like LDX #$44 where LDX is the opcode that tells the game "We are going to load something into X," and the opcode (#$44) tells the game "Load #$44 into X." This SBC we manipulated the game into running is a 3 byte long opcode, meaning it takes itself in addition to two other bytes in order to function. Since SBC subtracts whatever is given after it from the A register, and both $0748 and $0749 are always #$00, this subtracts #$0000 from A and moves us along to $074A without changing anything. Now that we are finally at $074A, we can use it along with $074B to write any two bytes we want. Additionally, $074C is locked at #$00. The subroutine to load the credits is located at $AA8D and we need to use either an absolute or indirect JMP or JuMP command to get there. An absolute JMP would be something like #$4C (JMP) #$90 #$40 ($4090, addresses are in little-endian format, so the second byte of an address is actually first). An indirect JMP would be something like #$6C (JMP) #$97 #$55 ($9755) but instead of jumping directly to $9755 it would read the contents of $9755. If $9755 contained a #$37 and $9756 contained a #$59, the game would jump to $5937. Since in our situation $074C is locked at #$00 and in little-endian format the second byte is the first part of the address, we can only jump to an address beginning with #$00. This is a problem since it doesn't allow us to jump to $AA8D where the credits sequence is. This is where the indirect JMP comes in. By writing #$6C #$8D #$00 at $074A $074B and $074C respectively (inputing Up + Down + Select + B on player 1 and Up + Down + Right + A on player 2), we can tell the game to indirectly jump to $008D, the position used to store the X position of Mario's fireballs. This means the PC will jump to whatever address is set by the values of $008D and $008E. That's the reason we fired two fireballs before triggering the ACE in a very specific spot and the reason we needed a fireflower in the first place. Since the fireballs despawned when they had a horizontal value of #$8D and #$AA, $008D is set to #$8D and $008E is set to #$AA, telling the game to jump to $AA8D. And now we have finally made it to the credits, completing the run in 5:10.855 TAS timing and 4:49.856 RTA timing.
Conclusion
Making this TAS was quite the ride and is a great demonstration of what can be done through hard work and resilience through adversity. This would have never happened if not for KingKappa and his amazing TASing work on this, as well as theorizing and advancing this project all the way. Additionally, thank you to Rosin for brainstorming with us on some ACE-related aspects of this project and NoSwear for providing invaluable feedback on this write-up. Finally, this TAS would not be possible without everyone watching it, so thank you to the All Night Nippon, Super Mario Bros., and Super Mario Bros. 2 communities as well as TASVideos for your support. Stay TASing, peace.