Aurich Lawson
Earlier this year we shared the story of the classic NES tetris player hit the game’s “kill screen” for the first time, triggering a crash after an incredible 40-minute performance with 1,511 lines. Now some players are using this kill screen – and some sophisticated memory manipulation it allows – to code new behaviors into versions of tetris runs on unmodified hardware and cartridges. We’ve covered similar “random code execution” issues in games like Super Mario World, Paper Marioand The Legend of Zelda: Ocarina of Time in the past. And the main method of entering external code into the NES tetris has been publicly theorized since at least 2021 when players were examining decompiled game code (HydrantDude, who delved into tetris crashes in the past, also says the community has long had a privately known method of how to take full control of tetris‘ RAM).
Displaced Gamers explains how to reprogram the NES tetris within the game.
But a recent video from Displaced Gamers takes the idea from private theory to public execution, going into meticulous detail about how to get your hands on an NES tetris to start reading the game’s highscore tables like machine code instructions.
Fun with controller ports
Picking up a copy of the NES tetris is mostly possible due to the specific way the game crashes. Without going into too much detail, crash on the NES tetris happens when the game score handler takes too long to calculate a new score between frames, which can happen after level 155. When this delay occurs, some of the control code is interrupted by the new frame writer routine , causing it to go to an unwanted part of the game’s RAM to look for the next instruction.
Typically, this unexpected interrupt causes the code to jump to the very beginning of RAM, where garbage data is read as code and often results in a quick crash. But players can manipulate this jump thanks to a little-known quirk of how tetris handles potential inputs when running on the Japanese version of the console, the Famicom.
Unlike the American Nintendo Entertainment System, the Japanese Famicom has two controllers hardwired to the device. Players who want to use third-party controllers can plug them in via an expansion port on the front of the system. The tetris the game code reads inputs from this “extra” controller port, which can include two additional standard NES controllers through the use of an adapter (this is true even though the Famicom received a completely different version of tetris by Bullet-Proof Software).
As it happens, the area of RAM that tetris used to handle this additional controller input is also used for the memory location of that jump routine we discussed earlier. That way, when that jump program is interrupted by a crash, that RAM will store data representing the buttons that are pressed on those controllers. This gives players a potential way to control exactly where the game code goes after the crash is triggered.
Coding in the high score table
For Displaced Gamers’ jump control method, the player must hold down “up” on the third controller and right, left, and down on the fourth controller (the latter combination requires some controller play to allow simultaneous left and right aiming). In this way, the skip code is sent to an area of RAM that contains the names and scores for the game’s highscore list, giving an even larger surface area of RAM that can be manipulated directly by the player.
By putting “(G” in the target portion of the B-Type highscore table, we can force the game to switch to another area of the high score table, where it will begin reading the names and scores sequentially as what Displaced Gamers calls “bare metal” code, with the letters and numbers representing opcodes for the NES CPU.
Unfortunately, there are only 43 possible characters that can be used in the name input field and 10 different digits that can be part of a high score. This means that only a small fraction of the available NES opcode instructions can be “encoded” into the high score table using the available attack surface.
Despite these limitations, Displaced Gamers was able to code a short proof-of-concept code snippet that could be translated into high-scoring spreadsheet data (A name of '))"-P)' and the second place score of 8,575 in the A-Type game is a big factor, in case you were wondering). This simple routine puts two zeros in the upper digits of the game score, reducing the time to process the score, which would otherwise cause a crash (although the score will eventually re-enter the crash “danger zone” as the game continues).
Of course, the lack of a battery-saving system means hackers have to hit those high scores manually (and type in those complicated names) every time they power up tetris stock NES. The limited high-score table space also doesn’t leave much room for directly coding complex programs on top tetristhe actual code of. But there are ways around this limitation; HydrantDude writes about a specific set of high-scoring names and numbers that “build[s] another bootstrapper that builds another bootstrapper that provides full control over all RAM.”
With that kind of total control, a top-level player could theoretically recode the NES tetris to fully fix crash errors. This can be extremely useful for players struggling to get past level 255, where the game basically reverts back to the serenity of level 0. In the meantime, I guess you could always just follow the guide at Super Mario World speedrunners and transformation tetris in Flappy Bird.
