Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
MUGG wrote:
To answer your question, in order to be able to buy #1 Trousers from the Bean clothing shop, you have to defeat Mom Piranha or Trunkle or Popple & Birdo, or collect all 4 star bean pieces.
Thanks, I also figured it out a few hours ago that you needed to defeat Mom Piranha in order to unlock the #1 Trousers, but yours is way more helpful. We planned to do Mom Piranha, Birdo & Trunkle early on anyway. This is how the route looks so far for All Bosses:
1. Tolstar
2. Hoohooros
3. Dragohoho
4. Queen Bean
5. Popple & Rookie (I)
6. Mom Piranha
7. Birdo
8. Trunkle
9. Popple (Solo)
10. Wiggler
11. Chuckolator
12. Cackletta
13. Popple & Rookie (II)
14. Hermie III
15. Chucklissa
And now we're trying to figure out the optimal boss order for Bowser's Castle. We have 2 ways to look at it; the first would be to play through the castle as "normal" (meaning, no Castle Skip to reach Bowletta and doing Iggy first and Fawful last). The first thought we had was to do them in this order:
*Note: Since we're going to do Bowletta and Cackletta last no matter what they are not going to be in the list below.
- Iggy
- Roy (using teleports to reach him early)
- Ludwig
- Lemmy
- Morton
- Wendy
- Larry
- Fawful
The other way we could do it is to just do them in the intended order. This would mean, Iggy, Morton, Lemmy, Ludwig, Roy, Wendy, Larry, Fawful, but I think that may be slower than the previous order.
Finally, there is also the possibility to do the bosses in the reversed order; this would imply doing Castle Skip to reach Fawful and fight him first, then work your way backwards to Iggy and then perform Castle Skip again to fight Bowletta. We're not sure if you can defeat the Koopalings after you defeat Bowletta and Cackletta by skipping Prince Peasley's cutscene with a teleport. That will have to be tested in the near future.
MLSS Any% TAS out! (link)MLSS All Bosses TAS out! (link)MLSS Glitchless TAS out! (link)
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
MUGG wrote:
You can manipulate RNG without losing time or with losing only very little time, by optimizing the camera (having entities be active or inactive at different frame counts, thus causing a different advancement of RNG), but it is very time-consuming and tedious.
How do you exactly know when entities go offscreen? This information would be very helpful for future TASes.
Editor, Expert player (2372)
Joined: 5/15/2007
Posts: 3940
Location: Germany
How do you exactly know when entities go offscreen? This information would be very helpful for future TASes.
It is probably possible to visualize it by luascript. For my own projects I've only relied on trial and error. RNG values aren't advancing if the entity has gone offscreen too far (= it has gone inactive).
Editor, Expert player (2372)
Joined: 5/15/2007
Posts: 3940
Location: Germany
For future reference, a list of battle backgrounds by ID. When entering battle, $24BA (IWRAM) will tell which background to use and $4204 (IWRAM) and $654E (IWRAM) will be set to the same value subsequently. You can poke a different value to $24BA to get a different background. Also see here.
0 - Test (unused)
1 - Peach Castle
2 - On Koopa Cruiser
3 - Stardust Fields
4 - Hoohoo Mountain
5 - Hoohoo Mountain Top
6 - Beanbean Outskirts cave
7 - Inside Koopa Cruiser
8 - Beanbean Outskirts (same as 11)
9 - Beanbean Outskirts South
10 - Beanbean Beach
11 - Beanbean Outskirts (same as 8)
12 - Beanbean Castle Sewers
13 - Beanbean International Airport
14 - Chateau de Chucklehuck
15 - Chucklehuck Woods
16 - Chucklehuck Woods South (Towards Snail Game)
17 - Chuckolator room
18 - Gwarhar Lagoons
19 - Seabed
20 - Woohoo Hooniversity
21 - Woohoo Hooniversity Library
22 - Woohoo Hooniversity Green Floor
23 - Woohoo Hooniversity Cackletta room
24 - Woohoo Hooniversity Purple Floor with stars (unused)
25 - Woohoo Hooniversity Basement
26 - Beanbean Castle
27 - Teehee Valley Underground
28 - Guffawha Ruins
29 - Teehee Valley
30 - Oho Oasis Fire Temple
31 - Oho Oasis Thunder Temple
32 - Joke's End Inside
33 - Joke's End Outside
34 - Woohoo Hooniversity Barrel Section
35 - Bowser's Castle
36 - Bowser's Castle Lava
37 - vs. Final Cackletta
38 - vs. Final Fawful
39 - vs. Bowletta
40 - (crash)
41 ...
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
MUGG wrote:
For future reference, a list of battle backgrounds by ID. When entering battle, $24BA (IWRAM) will tell which background to use and $4204 (IWRAM) and $654E (IWRAM) will be set to the same value subsequently.
How would this help though?
Editor, Expert player (2372)
Joined: 5/15/2007
Posts: 3940
Location: Germany
This is for documentation. Useful if anyone or I wants to make a video fighting enemies in unusual places. I'm really only trying to improve upon that atlas script you gave me, though.
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
Okay, so I've been trying to do teleports in different places on English just to see if we're able to skip cutscenes or reach loading zones that were not doable without the usage of teleports. Here are my results:
  • With 2 precise teleports you can actually reach the Popple (Solo) fight in Chucklehuck Woods early; one to get past the big koopa blocking the door to the cave section, and one to get past the NPC to skip having to do the minigame for 500 coins to reach Popple's room. You then need to do another teleport to get past the NPC on your way back as well. With some careful Follow Path positioning I was able to get all 3 teleports. This enables us to do Popple early if we want to for All Bosses, and we thought about it carefully, since he gives lots of coins and EXP. We'll see if we want to forgo doing him as early as possible over doing him later when you have more mush damage.
  • Also in the Chucklehuck Woods, you can do a 136 warp to go past Chuckroot without getting into his cutscene at all. Even though we are forced to switch more often since 136 gets overwritten very quickly, those switches obviously pay off if we can reach Chuckolator early. RTA used to do something similar on the Japanese version; they'd warp into a wall and then jumped with Luigi high in the air to make Mario clip past Chuckroot, and then they emerged with Luigi to enter the loading zone. What we do for TAS is obviously faster than what RTA does. We have been trying to come up with a way to 1 cycle Chuckolator, without letting him do any attacks using #1 Trousers, but that involves getting Mario to 59 speed, and that requires a LOT of level ups. We are going to further investigate if it's worth doing.
  • The door in University that gets us to Cackletta can be barely teleported into. It seems like at Z 57344 there is actually another loading zone for this door that we can enter by letting the walls push us into it. But how do you even get to Z 57344? Well, you teleport into a wall, then use emerge. While emerging, the walls will launch Luigi in the air 57344 units upwards in a single frame. This skips having to hit the last switch to open the door which saves a lot of time.
  • If you don't defeat Chuckolator, there is a door inside Beanbean Castle that doesn't unlock unless you defeat him and play the cutscene of resurrecting Queen Bean. But at this point I wouldn't have talked about it if it wasn't possible to skip it. So, yes, you can skip it, but not in the same way the University door was skipped. You will need to do a 136 warp instead of a 256 one by teleporting from the ledge where the door is standing on. If your Follow Path Y is perfectly set up to be the exact Y coordinate of the loading zone behind the door, and if your Follow Path X is also between certain coordinates, you can barely manage to get inside. This means we don't have to do Chuckolator early, but we will still probably do it, mainly to skip having to teleport past the guards to get to Cackletta and to teleport past the rocks that block us from reaching the East side of Beanbean Town, which are also unlocked after you defeat Chuckolator.
I will test some more areas of the game, probably Joke's End and Bowser's Castle, to see how much more can be skipped.
Editor, Expert player (2372)
Joined: 5/15/2007
Posts: 3940
Location: Germany
I'm sorry I just disappeared for half a year without saying anything. Surely you are disappointed that I didn't help you out with your WIPs or with the overlay. I'm too burned out. There are countless projects that I had left over the years, abandoned, that I really wished I could finish but I never could. It pains me. Somehow after all these years of TASing and glitch hunting and documenting, it felt like I had to do a hard break. At this point I lost all fun and it felt like the "reward" for putting work in is not enough, or not worth my life time anymore. I have certainly hit a stage where I can say I have done what I could. And I have done a lot for this community.
Post subject: All Bosses - First preview
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
Thought I'd leave them here too. Link to video Link to video
Post subject: PAL version
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
So a few weeks ago Sjorec found out that the PAL version doesn't lag as much when using Void Barrel, and most importantly (for RTA at least) it also lets you change Mario's action command so you can hammer out of the Void Barrel. It's estimated to save about 10 seconds in Any% for RTA, and perhaps it could be slightly faster than the English version for TAS as well, but I'm wondering if there's anything else that's different in the PAL version. Link to video
Post subject: All Bosses TAS reveal
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
I am proud to present to you my newest TAS of this game: the All Bosses TAS. Reveal will be once again on my YouTube channel and this time I will try my best to also release the commentary for it. Don't know the date though.
Post subject: All Bosses TAS
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
Glitchless TAS will be premiered today at 1:30PM EST on my YouTube channel. Link to video
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
So, it was just a normal day yesterday when I suddenly got the idea to try and mess around in Peach escort room 4, the infamous room where Mugg got the credits warp back in 2014 that was deemed impossible to replicate outside of the VBA emulator. But back in 2022, RETIRE figured out that it's possible to do it on mGBA, although it requires memory editing to change the byte at $2336 in IWRAM to 10 in order for the game to load the credits sequence. Up until now, based on the attempts that were made to pull off the credits warp legit, the result always ended up being one of the scripts being played, and the script loaded stayed mostly consistent every time it was loaded, so it was pretty much assumed that this game only had Arbitrary Script Execution to work with. Below is a list with all the scripts that could be played by changing the byte at $2336.
Byte value | Outcome
05 | Mario turns into his form when he ingests water
07 | Warp to room ??? (room ID: 128)
08 | Warp to room ??? (room ID: 128)
09 | Start minecart minigame
0A | Star animation from when entering a battle (softlocks the game)
0B | Open suitcase menu
0C | Open save menu
0D | Open map (area selection screen)
0E | Open shop selling items menu
0F | Trigger death warp (respawn screen)
10 | Trigger credits sequence
11 | Warp to test room (room ID: 0, unused)
12+ | No effect, game simply softlocks
The byte at $2416 is responsible if the game crashes when Luigi breaks out or hops off a barrel. Throughout the game, this byte is set to 0 most of the time but a few rooms, like room 4 of Peach escort or Chuckroot's room, change it to 22 instead if Luigi is in a barrel which triggers the crash to happen. However, when Luigi breaks out of the barrel (or when Mario hops off the barrel), as soon as both bros are on the ground, the game always sets the byte at $2336 to 0A which corresponds to the star animation being played. This caused the progress to stop dead in its tracks, since we realised this value is most likely not useful for us if we want to make credits warp a reality in real time. It was already established for years that the bros' position in the room and what action command Mario had in the back could lead to different scripts being played, but yesterday I decided that I wanted to try to trigger as many of these scripts as I could and make input files for them in order to maybe analyze them and potentially figure out why they happen when they happen. I was able to trigger some of these events, as well as some other events that couldn't be achieved by editing $2336. But probably the most interesting result that I got during my testing session was this: This is the shop selling menu, a script that is by no means a rare script to trigger, in fact I managed to trigger it dozens of times before. However, this instance of the script was special because it had this glitched badge at the bottom (which I was able to actually sell and not softlock the game), something which never appeared in any of my other instances of triggering the shop menu. I am not sure why this badge was generated but my assumption is that it had to have read some garbage parameters from somewhere when it was loading the items, which got my hopes up a bit that actual Arbitrary Code Execution might be possible to do in this game. 
I have yet to figure out how it happened but this might be a good step in the path to discovering ACE.
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
This is an update to the post I made yesterday, because we have made a lot of progress during the last 24 hours.
when Luigi breaks out of the barrel (or when Mario hops off the barrel), as soon as both bros are on the ground, the game always sets the byte at $2336 to 0A which corresponds to the star animation being played. This caused the progress to stop dead in its tracks, since we realized this value is most likely not useful for us if we want to make credits warp a reality in real time.
In the previous post I mentioned that trying to modify $2336 in IWRAM was established to not actually be useful for pulling it off legit, however we discovered that $2336 is not the only value that handles what scripts are being run or what events are being triggered. The memory address $2337 handles which minigame you are currently in; when you are not inside of a minigame, the game simply sets this byte to FF, and when you are inside one, the game changes this byte to one of these values, depending on which minigame you are in.
Byte value | Minigame entered
00 | Minecart minigame (Hoohoo Mountain)
01 | Geno minigame (Little Fungitown)
02 | Border jump (Stardust Fields)
03 | Barrel minigame (Cruise Ship)
04 | Winkle minigame (Chucklehuck Woods)
05+ | All entities disappear, game softlocks
This value is also not very useful for us since it stays as FF while doing the crash, but it was something to work with. What is useful to us, however, is that there is another address that changes what script you trigger, located at $2339. This byte is responsible for the shop menu and which one you open (the menu for buying items, the menu for selling items, and the menu for buying clothing gear & badges). It is usually set to 02 for the EU version and 00 for the US version, and after you talk to a shop NPC the game sets it to one of these values, depending on which shop you enter and if you want to buy/sell.
Byte value | Shop menu entered
01 | Item shop (selling menu)
03 | Item shop (buying menu)
07 | Badge shop (Beanbean Town)
0F | Badge shop (Little Fungitown)
One reason why this byte is useful for us is that we can actually enter all of these menus from room 4 in Teehee Valley, but the main reason that makes it especially useful is because of this line inside of the game's code, which looks like this after being simplified:
03002339 = 03002339 & 0xee;
The game takes the value at $2339 and ands it with 0xEE, and this process is looped however many times you close out of a script. Then, the game runs this code with the result:
addr_02339 = (addr_0220C + 0x12d);
if ((addr_02339 & 1) != 0) {
  FUN_08027740(addr_0220C);
  FUN_080254b6();
}
if ((addr_02339 & 0x10) != 0) {
  FUN_08028160(addr_0220C);
  FUN_080254b6();
}
if ((addr_02339 & 0x20) != 0) {
  FUN_08028f08(addr_0220C);
  FUN_080254b6();
}
The first check is for the shop menu script, whether or not it's the script that is active. After this check is done it sets bit 0 if it is active, then it ands it with 0xEE once you close out of the shop and then bit 0 is removed. The second check is for whether or not this script is active, and if it is, it sets bit 4. The third check is for whether or not the script for the credits sequence is active. If it is, it sets bit 5. Past 0x20, the majority of values will yield us a credits warp, and since bit 0 is always removed no matter what script you close, this means that the conditions for a credits warp to happen would be to set any value that has bit 5 set but not bit 4. So now, all we have left to do is figure out which process is writing to here.
Potato
He/Him
Editor, Active player (283)
Joined: 3/7/2020
Posts: 62
Location: Mars
This document contains all the useful information that we have found so far.
Editor, Expert player (2372)
Joined: 5/15/2007
Posts: 3940
Location: Germany
I explored the possibility of savegame corruption.
General info
Checksum is 1 byte at $0016 (SRAM) for file 1, $0016+0x6F8 for file 2, $0016+0x6F8*2 for file 3. The checksum is the sum of all bytes at $0010 ~ $0013 and $0018 ~ $0707. (Add 0x06F8 for file 2 and 0x06F8*2 for file 3)
When saving a file, at the very start, checksum is written to $0016 and then all the values are written over the previous savegame. When booting the game, the game checks if the checksum is indeed the sum of all bytes inside the savegame, otherwise the savegame is invalid and will be treated as empty. If you hard-reset in the middle of saving and the sum of all bytes still matches the checksum, the savegame will be treated as valid.
Demonstration
bk2 input file
My luascript can show savegame values and checksum, but it is very old. I only managed to make v0.11 r4 of my script run in Bizhawk 1.13.2 (mGBA core) and had to modify the script so the "auto apply checksum" feature would run every frame while the client is paused, rather than "every second or so".
https://tasvideos.org/UserFiles/Info/638628517930104241
https://youtu.be/mzqw3qauXBA
This is from a bare-bones playthrough which used the luascript's "run event" feature to directly go to Little Fungitown. I gave myself 256 items and 0 coins. At the beginning of the movie, I save the game, then go to sell my items. When saving, I did a bit of trial and error, since things like Mario and Luigi's pixel position are saved, too, and can mess with the checksum calculation...
First, I save and see what checksum the game writes to the savegame at $0016 (SRAM) at the beginning of the saving procedure, then I repeat (saving at the same positioning) and let my script's modified "auto-apply checksum" feature run. At the frame the coins are written to the savegame, I check if the new calculated checksum matches the previous checksum. If not, I try to save at a different positioning and repeat the above steps. If yes, success - I repeat without the "auto-apply checksum" feature and hard-reset at the frame the coins are written. The savegame will show up in the file select screen. The movie demonstrates that I gained coins but kept my items.
Possible uses
In theory this could be used for:
- Advancing in the game and reset flags later (blocks could be hit again, events could take place again, etc.)
- You could gain stats while staying at current level
- Visiting test rooms 0x00 and 0x01 (US or EU version only)
- Visiting room 0x00 to trigger the opening cutscene (JP only) but game soft-locks after the cutscene.
- You can set your pants and badges to 0, which makes it so you can select glitched pants or badges in your inventory. Possibly applies for coffee items, too.
I did not explore hard-resetting while copying a savegame yet. But in theory, some shenanigans are possible. E.g.
- Save in slot 1 in room A
- Copy slot 1 to slot 2
- Continue and save to slot 1 in room B
- Delete slot 1 (hard-reset at the beginning of the procedure to avoid actually setting everything to 0)
- Copy slot 2 to 1 and hard-reset
- You are now in room A with things accomplished from slot 2.
(I was thinking about this as a timesaver to go to Hoohoo Mountain Base during the endgame quicker, but it looks unlikely and slow.)
I had no success when deleting a savegame. Even with the "auto-apply checksum" feature, savegame would not show up... For speedrun purposes, since room id gets wiped first, it would not be useful since room id 0 is intro cutscene (JP) or test room (US/EU).
Order of values in savegames
While saving, values are written from top to bottom in chunks. Roughly speaking, at the very top is the room id, followed by Mario and Luigi's position and "who is active" flag, then stats (first the experience, then the level, then the stats), then money (+ all types of mushrooms, nuts and super nuts - all in the same frame) then rest of items, then flags (who learned what move, which blocks you hit in each room etc.). The ingame time is saved at the very end.
Subframes?
I shall mention that in theory, you could reset at subframes so you have more precision when to interrupt the saving procedure. But I have no experience with this. Maybe you can come out with new values if you reset in the middle of saving a value (such as in the middle of the CPU instruction). For example, resetting while the value for the room id gets written to come out with a new room id. (Room 30, 455, 478 and 479 are good for reaching the ending cinematics.)
Editor, Expert player (2372)
Joined: 5/15/2007
Posts: 3940
Location: Germany
Some pieces of information:
  • While the game is being saved, values get written in chunks of 8 bytes per frame and this process takes a few seconds.
  • However, it seems all needed values are already fetched on the first frame after confirming that we want to save our game. For example, when editing mushrooms count any time after confirming the saving and before the value actually gets written to SRAM, the game will still only save the old mushroom count. I don't know where the game keeps the fetched values.
  • I'm interested in finding out what CPU opcode is responsible for the writes to SRAM but I found that it is not possible to set a breakpoint for registering any writes to SRAM memory addresses. So as an alternative, I tried setting breakpoints for EWRAM where the values are fetched. When setting 02004338 as a breakpoint (read) - flags for "have highjump", "have spinjump" etc. - the breakpoint triggers on that first frame after confirming the saving. However, other flags addresses such as 02004339 (read) - "have fire", "have thunder", "can firedash" etc. - didn't trigger the breakpoint for some reason.
  • I'm a noob and don't understand anything about the ARM CPU in GBA.
The main idea is that there must be an opcode responsible for writes to SRAM, particularly the room id value, and that the execution of this opcode could (at least in theory) be interrupted by a subframe reset. As far as I understand, opcodes take execution time (i.e. a certain number of cycles) and a value isn't written in one go but bit by bit, hence why I theorize that we could come out with new values, if the game is reset at the correct time. As I pointed out in the previous post, there are a number of room IDs that would allow ending the game as soon as the corrupt savegame is loaded. Does anyone know opcodes responsible for writes to SRAM? Can anyone confirm my theory (about interrupting the execution of an opcode) is correct or false?
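The checksum rule and write order described in the two posts above, modelled as an added example (it is not MUGG's luascript and not the game's code), to show which reset points leave a slot that still passes the checksum test. The coin, item and time offsets, the buffer size, and writing $0010-$0013 together with the checksum are assumptions; the two sample saves are constructed so that exactly one mid-save reset point collides.

```python
"""Model of the save-slot checksum and an interrupted save (added example)."""

SLOT_SIZE = 0x6F8                   # file 2 = +0x6F8, file 3 = +0x6F8*2 (from the post)
CHECKSUM_OFF = 0x16                 # 1-byte checksum at $0016 (from the post)
SUMMED_RANGES = ((0x10, 0x13), (0x18, 0x707))   # inclusive ranges (from the post)
DATA_START, DATA_END = 0x18, 0x707
CHUNK = 8                           # bytes written per frame (from the post)

# Hypothetical field offsets, chosen only so the sample is readable.
COINS_OFF, ITEM_OFF, TIME_OFF = 0x40, 0x48, 0x704


def slot_checksum(sram, slot=0):
    """8-bit sum over the ranges the post lists, shifted by the slot offset."""
    base = slot * SLOT_SIZE
    total = 0
    for lo, hi in SUMMED_RANGES:
        total += sum(sram[base + lo: base + hi + 1])
    return total & 0xFF


def is_valid(sram, slot=0):
    """Boot-time test as described: stored byte must equal the recomputed sum."""
    return sram[slot * SLOT_SIZE + CHECKSUM_OFF] == slot_checksum(sram, slot)


def torn_save(old, new, frames, slot=0):
    """SRAM contents after a hard reset `frames` data frames into a save.

    The new checksum lands first, then data is overwritten top to bottom,
    CHUNK bytes per frame. Assumption: $0010-$0013 go out with the checksum.
    """
    base = slot * SLOT_SIZE
    out = bytearray(old)
    out[base + CHECKSUM_OFF] = slot_checksum(new, slot)
    out[base + 0x10: base + 0x14] = new[base + 0x10: base + 0x14]
    end = min(DATA_START + frames * CHUNK, DATA_END + 1)
    out[base + DATA_START: base + end] = new[base + DATA_START: base + end]
    return out


def surviving_reset_points(old, new, slot=0):
    """Frame counts at which an interrupted save still passes is_valid()."""
    total = (DATA_END + 1 - DATA_START + CHUNK - 1) // CHUNK
    return [k for k in range(total + 1)
            if is_valid(torn_save(old, new, k, slot), slot)]


def make_save(coins, item_count, time_low):
    """Constructed sample slot 1 in an 8 KiB buffer (size is an assumption)."""
    sram = bytearray(0x2000)
    sram[DATA_START] = 0x2A                         # placeholder room id byte
    sram[COINS_OFF:COINS_OFF + 2] = coins.to_bytes(2, "little")
    sram[ITEM_OFF] = item_count
    sram[TIME_OFF] = time_low
    sram[CHECKSUM_OFF] = slot_checksum(sram)
    return sram


# Constructed data: before selling (0 coins, 99 of an item) and after
# (500 coins, 0 items). The time byte differs so the unwritten tail of the
# old save sums to the same value mod 256 as the tail of the new one.
OLD = make_save(coins=0, item_count=99, time_low=0x10)
NEW = make_save(coins=500, item_count=0, time_low=0x73)

if __name__ == "__main__":
    points = surviving_reset_points(OLD, NEW)
    print("reset points that still validate:", points)
    torn = torn_save(OLD, NEW, points[0])
    print("coins:", int.from_bytes(torn[COINS_OFF:COINS_OFF + 2], "little"),
          "items:", torn[ITEM_OFF])
```

Because the checksum is written first and is only an 8-bit sum, it accepts any torn slot whose unwritten tail sums to the same value as the new tail. A commit marker written last, or alternating between two copies of a slot, would reject such a slot.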
Skilled player (1743)
Joined: 9/17/2009
Posts: 4986
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
Is there documentation on the save file structure for this game? Like what every single byte does in SRAM for Mario and Luigi? I had a thought that maybe if you find all the corresponding addresses in EWRAM responsible for each byte in SRAM, then checking which addresses failed to trigger the breakpoints. Maybe there's something special about them, like some pattern on why it won't.
Editor, Expert player (2372)
Joined: 5/15/2007
Posts: 3940
Location: Germany
@jlun2 The old luascript (version 0.12.6) already shows values in savegames, but it doesn't seem to run on Bizhawk newer than 1.13.2. I will release a new version of my luascript soon which will be possible to run on newer Bizhawk and add item addresses to savegames.
I just found out something. When savegames are deleted, everything gets set to 0x00, but when the game is loaded fresh with empty savegames, everything is 0xFF. With my current knowledge, that means you could set anything inside savegames to 0xFF (using delete and hard-reset & copying and hard-reset).
I'm testing what that means if we could get such a savegame to load.
  • Going to room 512 (a map screen, you can only go to room 0 from here.)
  • Level 256 (no meaning on its own)
  • HP/BP/stats can be set to 65535. Will be treated as signed, negative values. The brother who has these values (glitched brother) will not get a turn in battle, but still try to defend the other brother (if they pass out). The glitched brother will still not get a turn. When getting hit by the enemy, the game crashes.
  • For items, 0xFF just means "you don't have it", so no uses there.
  • All flags set (in theory. Needs testing, but I guess you could go directly to Bowser's Castle without having to do Mountain, Sewers, Birdo, etc.)
Editor, Expert player (2372)
Joined: 5/15/2007
Posts: 3940
Location: Germany
Nevermind, I guess the discovery I explained in my previous post is not going to work, unfortunately. As it turns out, the game has a measure to prevent uninitialized savegames to be loaded. At the very end of the savegame is the in-game time (4 bytes). Right before that, regardless whether the checksum is correct, if any of the 4 bytes right before the in-game time are non-zero (and an uninitialized savegame does have 0xFF there), the game will treat this as invalid and bring up an empty save. In other words, the game will only start treating savegames as valid once they were completely saved over once. So it is not possible to obtain any 0xFF on any values.
There actually is a flag that checks if we are running from Bowser's Castle, that actually gets saved to the savegame. It may have been possible to skip Cackletta (end boss) altogether. But this will remain a dream.
Last question is if there is any measure that sets the game back to "fresh from factory" state?
EDIT: This Mario & Luigi Superstar Saga guide on GameFAQs claims:
Other controls:
---------------
Delete all saved game data: At the start menu, press Start, Select, A, B, L, and R. Confirm your selection. You can't get it back, so be careful.
I tried pressing and holding, pressing and letting go, or pressing everything at once, on the BIOS screen, logo screens and title screen but nothing works... EDIT: I found a more reliable source, the game's instruction manual:
To clear all the game memory, turn the Game Boy Advance ON and simultaneously press and hold SELECT, the A Button, the B Button, the L Button, and the R Button. By choosing YES on the ensuing menu, you can clear your data and restart the game. Please note that when you clear the game memory you will lose all game records and will not be able to retrieve them.
I tried this method and it works. But just like the normal deletion procedure, it sets everything to 0x00, so it is not useful.
Editor, Player (95)
Joined: 5/27/2006
Posts: 240
MUGG wrote:
Does anyone know opcodes responsible for writes to SRAM?
It probably uses a DMA transfer (which I believe can prevent read breakpoints from triggering). https://problemkaputt.de/gbatek.htm#gbadmatransfers
Editor, Expert player (2372)
Joined: 5/15/2007
Posts: 3940
Location: Germany
@BioSpark Thank you. But I guess I'm not experienced enough to understand it.
Anyway, as it turns out, the 4 bytes before the in-game timer are actually not counted towards the checksum... (!!!) That means, happy glitch run. I don't see how it should not be possible now. Unless it turns out those 0xFF (uninitialized values) are not going to be considered legitimate somehow. I'm asking about it here. In the meantime, I will be investigating and then doing a testrun. After that, perhaps the other MLSS runners will agree to collaborate on a run?
There are three main problems.
1) Bad flag we don't want
There is one flag in between that makes it so your action commands are X'd and you can't use them. In SRAM, this flag appears somewhere after the "can travel to Bowser's Castle" flag and "fleeing from Bowser's Castle" flag.
2) Stupid invisible wall
When entering Bowser's Castle while the "fleeing from Bowser's Castle" flag is active, you will not arrive there properly. We need to talk to the dino but we are stuck in an invisible wall... There doesn't seem to be a way to bypass it. I tried both the US and JP version. You could theoretically go to Mountain Village and go to the room with the dino as single Mario and single Luigi, then travel to Bowser's Castle as single Mario. This somehow makes it so Luigi is in position 0,0 so you can easily talk to the dino. But traveling as single brothers in green pipes hangs the game and there is no way to split up the brothers in the Mountain area.
Update: I found a way to talk to the dino. In the initial stuck position, Mario has to be behind and use Spin Jump. Mario will zip upwards. Then pause and unpause. This somehow makes Mario fall down and Luigi can walk forward and talk to the dino.
3) Game-over unless we "bring" an event time
In case we enter Bowser's Castle while the "fleeing from Bowser's Castle" flag is active, the event timer needs to be non-zero or we are getting a game-over. You could use the Hoohooros minigame or anything else really (you could go anywhere from Stardust Fields, since we can set the green pipe flags).
--------------
EDIT: Current plan:
Luckily, the game-over in Bowser's Castle doesn't happen in certain areas.
- Set the "Can visit Bowser's Castle" flag without setting the "fleeing from Bowser's Castle" flag (this is possible)
- Advance through the castle via glitches, to near a room that has a block that starts the event timer.
- Save there, use copy/hard-reset shenanigans to set the "fleeing from Bowser's Castle" flag.
- Hit that timer block and exit.
Although it is stupid we can't talk to the dino (see screenshot above), this seems to be the next best way to do it. You could use the green pipe to get barrel command quickly or you could use the firedash glitch on the Japanese version, to skip ahead through Bowser's Castle.
This plan is obsolete, see the update in 2)
Just make sure to find any timer event before entering Bowser's Castle. Out of these that I can think of, we need to figure out which ones are possible and which one is the fastest:
--> Green pipe to beach, surf guy minigame (needs green pipe flag)
--> Hoohooros (bridge flag must be set)
--> Green pipe to Gwarhar Lagoons, timer block (green pipes flag must be set, block flag must be 0, various flags to reach the block must be 1)
--> Green pipe to L. Fungitown, jump game in Guffawha Ruins (green pipes flag must be set, should try to set the Peach arrival flag, the Guffawha Ruins minigame guy flag must be 0)
--> ???
Skilled player (1743)
Joined: 9/17/2009
Posts: 4986
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
MUGG wrote:
@BioSpark Thank you. But I guess I'm not experienced enough to understand it. Anyway, as it turns out, the 4 bytes before the in-game timer are actually not counted towards the checksum... (!!!) That means, happy glitch run. I don't see how it should not be possible now. Unless it turns out those 0xFF (uninitialized values) are not going to be considered legitimate somehow. I'm asking about it here. In the meantime, I will be investigating and then doing a testrun. After that, perhaps the other MLSS runners will agree to collaborate on a run?
If I understand right, you want to start a game where the save file is all 0xFF, except for the 4 bytes before the timer? What are those bytes for? Do they ever change when saving in game?