How Zelda Fans Changed the Ending of Ocarina of Time on a Vanilla N64
Shortly after our guide to Summer Games Done Quick 2022 went live, the event hosted an amazing demo of a classic video game, which has since invaded the answers for this Ars article. If we want to split hairs, it goes through the 1998 classic N64 Legend of Zelda: Ocarina of Time isn’t a “speedrun,” but it’s another example of the “TASBot” concept transforming games in ways we never dreamed of 24 years ago.
The team of fans and programmers responsible for this week’s “Triforce-percent” demo have since revealed how they pulled off the feat with nothing more than a stock N64 and an original. Ocarina retail cartridge – though the secret involves controller inputs so fast and precise they can only be made by a computer.
Nothing stale in this race
The 53-minute demo (embedded at the end of this article) opens with an exploit previously discovered in late 2019, which the community dubbed “Stale Reference Manipulation”. This exploit takes advantage of a vulnerability in the original 1.0 version of the game, which allowed players to manipulate numerical values assigned to specific objects in the game’s memory. The simplest explanation for this complicated technique can be found in a YouTube video from early 2020 (embedded above), as it spells out the different numerical values assigned to each object in the game, such as their X-, Y-, and Z-axes and their rotation.
Savvy gamers can make the values overlap or overwhelm the original game code so they can be manipulated as they see fit. The technique we see in this week’s run requires Link to pick up a boulder while traversing a “loading zone”, a hallway used to hide loading breaks on N64 gear, and do so in a way that the game was not designed to handle .
Initially, this exploit was a speedrunning tool, as it could trick the game into loading the final credits sequence and technically count as a “completion” in just a few minutes. But the Triforce-percent race goes much further.
Ramming new content in a classic game
By picking up and dropping specific objects, then making the game’s hero Link move and performing maneuvers in a specific order, the TASBot team opens a Pandora’s box of so-called arbitrary code execution, the type of vulnerability used by hackers around the world to trick a closed computer system into executing the code it wants. Additionally, the TASBot motion and command chain begins telling the N64 to accept button input from all four N64 controllers as if it were a code.
At this point, a computer takes over the four ports of the N64 controller and sends out a rapid series of button presses, as if it were a multi-fingered superhero equivalent to The Flash. The glitch out Ocarina cartridge instructed the N64 to accept each button press in a way that matches specific code strings. Once enough of this payload has been sent, the team can return normal control to the “player one” port, so that a real person can play through a whole new sequence of content, all being dumped into the N64’s random-access memory (RAM) by the incredibly fast input of the other three controllers.
These on-the-fly patches can do many amazing things that, combined, look like a fully blown ROM patch to a cartridge, though the TASBot team is limiting itself to changes that apply specifically to the Console RAM: Small changes to existing code, total file replacements, or commands to tell the game to ignore content it would normally load from ROM. As a result, this exploit may crash or crash if players stray from the expected path this exploit is optimized for.