  #1  
Old 9th February 2017, 03:37 AM
mzxrules
Need help understanding an obscure Zelda64 glitch

There's this "simple" glitch in Ocarina of Time and perhaps Majora's Mask where for whatever reason the first 8 bytes at address 0000 0000 or 8000 0000 seem to become corrupted by some data. I'm wondering if anyone knows why this address is being corrupted, and what logic is behind the corruption.

What makes this glitch somewhat important to understand is that with the help of the infamous "wrong warping" glitch in Ocarina of Time, we're able to access a loadout of the Shooting Gallery which lacks a command used to define where the game's exit points lead to, thus address 0000 0000 becomes the exit lookup table. When leaving a map from "exit 0", the intended value will always crash, but due to the corruption, the "exit 0" of a map either ends up being 0x0000 or 0x0010, taking you to the Deku Tree or Water Temple main entrances.

This NTSC 1.0 (J or U, doesn't matter) code should null the exit table pointer for the currently loaded area, simulating the missing command. The "exit 0" of a map is usually located by the intended first entry point into a map (i.e. Dungeon Main entrance, Temple of Time main entrance, Kakariko from Hyrule Field).

Code:
D01C84B5 0010
811DA2A4 0000
D01C84B5 0010
811DA2A6 0000

I vaguely remember asking someone to test this glitch out on real hardware once, and I think it worked, but I'm not 100% confident they weren't just playing on Wii VC.

One oddity that I've observed is that in older emulators (Nemu/PJ64 1.6) rather than newer ones (RetroArch with I think ParaLLel/PJ64 2.3), the corruption only happens when spawning into one of the pre-rendered maps.

One last thing I don't fully understand is what purpose address 8000 0000 serves. I do know that it's supposed to be an exception vector, but I don't understand what scenarios would result in this one being called.
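The following is an added illustration, not code from either poster: it decodes the four GameShark lines from post #1 and applies them to a constructed RAM model, then shows "exit 0" being read from address 0 once the pointer is null. The 4 MiB RAM model, the 32-bit pointer at 801DA2A4 (inferred from the two 16-bit writes), the 16-bit exit entries, the sample pointer value and all function names are assumptions.

```python
import struct

# GameShark N64 code types used in the post (type = top byte of the address word).
WRITE16, IF_EQ8 = 0x81, 0xD0
RDRAM_SIZE = 0x400000  # constructed 4 MiB RAM model (assumption)
POST_CODE = "D01C84B5 0010\n811DA2A4 0000\nD01C84B5 0010\n811DA2A6 0000"

def parse(text):
    """Turn 'AAAAAAAA VVVV' lines into (type, RAM offset, value) tuples."""
    codes = []
    for line in text.splitlines():
        addr, value = (int(part, 16) for part in line.split())
        codes.append((addr >> 24, addr & 0x00FFFFFF, value))
    return codes

def apply_codes(codes, ram):
    """Run one pass of the code list against ram (a bytearray)."""
    skip = False
    for kind, offset, value in codes:
        if skip:                # previous activator failed: skip this one line
            skip = False
        elif kind == IF_EQ8:    # D0: next line runs only if the byte equals value
            skip = ram[offset] != (value & 0xFF)
        elif kind == WRITE16:   # 81: 16-bit big-endian write
            struct.pack_into(">H", ram, offset, value)
        else:
            raise ValueError(f"unsupported code type {kind:#04x}")

def exit_lookup(ram, table_ptr, exit_index):
    """Read a 16-bit exit entry; a null table_ptr indexes from address 0."""
    return struct.unpack_from(">H", ram, (table_ptr & 0x00FFFFFF) + 2 * exit_index)[0]

def demo(first_bytes, tested_byte=0x10):
    """Return (exit table pointer, value read for exit 0) after one code pass."""
    ram = bytearray(RDRAM_SIZE)
    ram[0:2] = first_bytes                             # constructed bytes at address 0
    struct.pack_into(">I", ram, 0x1DA2A4, 0x80123456)  # constructed non-null pointer
    ram[0x1C84B5] = tested_byte                        # byte the D0 lines test
    apply_codes(parse(POST_CODE), ram)
    ptr = struct.unpack_from(">I", ram, 0x1DA2A4)[0]
    return ptr, exit_lookup(ram, ptr, 0)

if __name__ == "__main__":
    for sample in (b"\x00\x00", b"\x00\x10"):
        print(sample.hex(), [hex(v) for v in demo(sample)])
```

With the tested byte equal to 0x10, both halves of the pointer are zeroed and the exit 0 value is whatever the first two bytes of RAM hold.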
  #2  
Old 10th February 2017, 07:01 AM
HatCat

I never looked that deep at it. I just played around with both Zeldas to find where I could write the world map values and warp to places at. It was a little harder to do with Zelda OOT for some reason, because there were a lot of skipped values or scene IDs that would crash.

I was particularly thorough with my research on Zelda Majora's Mask; essentially every contiguous map code takes you somewhere valid and unique. The same is true for the exit codes; there were no exit 0 combinations that crashed as far as I remember.

OOT wiping the first 64 bits of RDRAM (or the virtual address 8000 0000 if that's what you meant) for the pre-rendered scene maps only might have something to do with that excess icon that pops up at the top-left of the entire frame buffer when you toggle the map on with L. It goes away when you hit L again... also something that doesn't happen in MM.
  #3  
Old 5th March 2017, 10:03 AM
mzxrules

Quote:
I never looked that deep at it. I just played around with both Zeldas to find where I could write the world map values and warp to places at. It was a little harder to do with Zelda OOT for some reason, because there were a lot of skipped values or scene IDs that would crash.

I wrote a program that dumps level data for both games; this is how I was able to detect the missing exit command. I actually initially wrote that program to understand the wrong warp/"beta quest" stuff.

The dungeon entrance icon doesn't seem like a likely culprit since the minimap can't be enabled in houses. Furthermore, the corruption occurs while initializing the next area, and not during normal play.

Something odd that I've discovered just now (though possibly unrelated) is that in Link's House at least (and possibly others) the game is generating an 0xFD G_SETTIMG instruction with an image address of 0.

Edit: Actually it looks like this is data for a different instruction.

Last edited by mzxrules; 5th March 2017 at 08:07 PM.

All times are GMT.