playing manipulable cutscene data post wrong warp - OoT glitch

1. In OoT, wrong warps are performed by changing the entrance index that is being used when loading into a cutscene. (If you don't know anything about wrong warp, I recommend this video https://m.youtube.com/watch?v=Bgq3aiulecM). As it expects you to be loading into a cutscene, it is looking for cutscene data upon its arrival in the scene, and there are two cases which can occur:
2. The destination scene has a cutscene defined already, so the former cutscene pointer is not used and a new cutscene pointer writes over it instead.
3. This is what occurs for Ganonless speedruns, for example. Lon Lon ranch with cutscene 3 has a cutscene associated with it. After arriving in ranch, the cutscene pointer overwrites to be the correct ranch credits cutscene pointer, and the game uses the credits cutscene data located at the cutscene pointer to play the credits cutscene.
4. The destination scene does not have a cutscene defined already. In this case, it uses the last watched cutscene as where it expects the cutscene data to be.
5. This is what occurs in almost every other wrong warp case.
6. For example, in Ganondoor, there is no cutscene associated with collapse, so it plays the data last used. Which is Deku Tree Intro cutscene data.
7.  
8. A full list of these two cases can be found here:
9. https://www.zeldaspeedruns.com/oot/wrongwarp/warp-results-by-scene
10. Additionally, here is a table of common cutscene pointers.
11.  
12. One important consideration for wrong warping is what data is present at that former cutscene pointer. For example, for Ganondoor, you cannot just save warp in Deku tree and then wrong warp, as your last cutscene pointer becomes the title screen, and the data located at that pointer in Deku will crash/lock. Instead, you can save warp in Links house, then pause, because pausing links house lines up the pause screen object (graphical and animation data) with the data at the title screen cutscene pointer.
13. More details on specifically this here:
14. https://pastebin.com/WEkVWVWt
15. More details on this later.
16.  
17.  
18.  
19. Another consideration for wrong warping is that some cutscenes originate from the scene, (the map you have loaded), whereas some originate from actors (NPCs)
20. Actors in OoT are dynamically allocated, so every playthrough can shift their location around a little bit. This results in their cutscene pointer changing depending on the actors loaded when you spawn that NPC.
21. This is a major concern for routes which wrong warp from Jabu Jabu, as Ruto meeting cutscene is an actor cutscene. This means the pointer for it will shift up and down depending on your actions beforehand, but what it also means when combined with the previous paragraph is that where the game is looking for a cutscene will now change up and down on the actor heap, which is the space where actors allocate, and after Ruto is unloaded, any variety of data can load into where she used to be, meaning the data there will change depending on player actions.
22. This is exactly why runners had to create a specific set of actions to avoid crashing the game with bad cutscene data.
23. You may have heard of runners being concerned about the breaking the Shaboms (bubble enemy) and it is for this reason.
24. This also manifests for 1080 wrong wap after song sparkle cutscene, as that is also an actor. You may have heard of "you have to quick spin on the fire elevator" or "you can't quick spin on the fire elevator" in reference to this.
25. One such specific exanple: https://m.youtube.com/watch?v=K_KfsPMU7U0
26.  
27. Therefore, all wrong warps to non cutscene scenes strategically plan for what data is located at the cutscene pointer and manipulate this data. Most of the time, we manipulate it so the cutscene terminates immediately and we gain control frame 1.
28. This is done by taking ensuring the first two words present at the start of the cutscene data are negative.
29. These two words are the cutscene header and are defined as s32 totalEntries and s32 csFrameCount.
30.  
31. The code contains these variables in Cutscene_ProcessScript where:
32.  
33. The game stops parsing the commands if the command being run is > totalEntries;. Also, if it hits CS_CMD_STOP, stop.
34.  
35. The game stops running the cutscene at all if the curFrame is greater than the csFrameCount;
36.  
37. The list of command entries is being processed every frame within the frame.
38. There is some additional stuff on this later.
39.  
40. The vast majority of speedruns manipulate data to lineup such that both of these are negative and therefore the cutscene stops immediately, but if you were around for the early wrong warp days some Ganondoor backups (Ocarina cutscene) had a positive frame count, so we had to wait out the frames for a few minutes. This never made it into any runs, though. We are however not limited to just these two words.
41.  
42. As an example of wrong warp which spells out more than just the cutscene header,
43. We have a working use case from r0bd0g:
44. https://m.youtube.com/watch?v=_xhpW8DkPhM&pp=ygUdQ2FuYWRpYW5zdGlja2RlYXRoIHdyb25nIHdhcnA%3D
45. In this case, our last cutscene pointer was Dins Fire,
46. 80378C00 on 1.0.
47. For the natural cutscene, this is reading Fairy Fountain scene data. However, if you look at this list you will notice something:
48. https://www.zeldaspeedruns.com/oot/wrongwarp/cutscene-pointer-values
49. Immediately following Dins Cs pointer is Learn Song of Time cutscene pointer, at 803783A0. This means the data for Gerudo Valley cutscene in the Gerudo Valley scene is similarly located to where the data for Song of Time cutscene is located in ToT scene data. As r0bd0g shows, if you load Temple of Time, and wrong warp without passing through a scene which is large enough to overwrite that data (different scenes are different sizes in memory), then that data from Temple of Time is still there and reading cutscene data from a little bit earlier than usual passes over a few safe junk commands and into the natural cutscene. Boss rooms are very small scenes, but Deku Tree is not, so you have to use FW on B to travel to a boss wrong warp without overwriting that stale data. However, as it is located in scene data, it had to rely on the cutscene pointers being similar in location and the junk commands not crashing in-between.
50.  
51. After r0bd0g succeeded with this, Exodus wanted to do something similar, but instead of lining up data such that we ran a few junk commands and then landed on a natural scene cutscene commands, we run our own manipulable commands on the actor heap using actor cutscenes and actor data.
52. https://m.youtube.com/watch?v=m2Q3TnHg560
53. Specifically, he wanted to run command 000003e8 which is CS_CMD_DEST (in decomp) which warps you somewhere and each destination has a seperate hard-coded set of actions to run when warping. See below
54. Or check out z_cutscene_commands.h / z_cutscene.h
55. define CS_DESTINATION(destination, startFrame, endFrame) \
56. CS_CMD_DESTINATION, 1, CMD_HH(destination, startFrame), CMD_HH(endFrame, endFrame)
57. Notice this is actually spread out over three seperate words, which is quite challenging.
58.  
59. For example, in the video,  he edits actor data at cutscene pointer to spell CS_DEST_FIRE_MEDALLION
60. 0x1E */ CS_DEST_CHAMBER_OF_SAGES_FIRE_MEDALLION
61. When running this command, we get these effects
62. case CS_DEST_CHAMBER_OF_SAGES_FIRE_MEDALLION:
63.                 play->nextEntranceIndex = ENTR_CHAMBER_OF_THE_SAGES_0;
64.                 play->transitionTrigger = TRANS_TRIGGER_START;
65.                 play->transitionType = TRANS_TYPE_FADE_WHITE;
66.                 Item_Give(play, ITEM_MEDALLION_FIRE);
67.                 gSaveContext.chamberCutsceneNum = CHAMBER_CS_FIRE;
68.                 break;
69.  
70. However, it is very difficult to manually spell actor commands on the actor heap, because a command requires several fully manipulable words in memory directly next to one another. The structure of commands can be found in z_cutscene_commands.h or
71. https://wiki.cloudmodding.com/oot/Cutscenes
72. Some cutscene commands use two words, others use three, or four or five.
73. At minimum, you would need some level of control over 2 words for the header, then three additional words for CS_DEST. Additionally, the structure of valid cutscene commands does NOT resemble realistic floats, so you would be unable to use actor floats to form this data. It is also especially difficult to get data at any specific alignment in memory, as the majority of actor cutscene pointers end in x0, but most conveniently manipulable data in actors is not x0 aligned. The actor cs pointers with non x0 alignment are also not convenient to get and are not relocatable.
74.  
75.  
76. Recently, this has been revisited with this difficulty in mind. It was noticed that in the default case for cutscene commands, which will run for anything not specifically defined by the switch case as a command, the code does the following:
77.  
78. default:
79. MemCpy(&cmdEntries, script, 4);
80. script += sizeof(cmdEntries);
81.  
82. for (j = 0; j < cmdEntries; j++) {
83. script += 0x30;
84. }
85. break;
86.  
87. You can ignore exactly what the code is doing, just see that it adds a x30 skip for every command entry.
88.  
89. Effectively this means, that if you have an invalid command, for example, 00000000 00000000 is an invalid command with 0 entries, so it will jump by 00000000*x30, which results in essentially just skipping over only the 00000000 00000000, and immediately picking up the cutscene again. Negative entries are treated the same as zero. Positive entries skip entries*x30. So, if we produce an invalid cutscene command with positive controllable entries, we can skip forward an amount of x30 that we choose. This removes the need for immediate consecutive cutscene command entries, which was a major challenge. With this skip, with a large enough invalid entry, it can skip all the way from the actor heap onto the scene data, where cutscene data is already written out, meaning we can essentially combine r0bd0g and exodus ideas. This greatly reduces what we need to spell out in an actor.
90.  
91. What we actually ended up going with is the following:
92. (totalEntries, csFrameCount) (invalid, invalid) (invalid,controllable)
93. Effectively, this can be simplified to
94. (Positive, positive) (invalid, (negative or zero)) (invalid, controllable)
95. This was satisfied by the first few words of the Actor struct which reads:
96.  
97. typedef struct Actor {
98. /* 0x000 */ s16 id; // Actor ID
99. /* 0x002 */ u8 category; // Actor category. Refer to the corresponding enum for values
100. /* 0x003 */ s8 room; // Room number the actor is in. -1 denotes that the actor won't despawn on a room change
101. /* 0x004 */ u32 flags; // Flags used for various purposes
102. /* 0x008 */ PosRot home; // Initial position/rotation when spawned. Can be used for other purposes
103.  
104. Which for one example bombchu is 00DA03FF 00000050 Xcoordinate Ycoordinate Zcoordinate XrotYrot Zrot0000
105. The first two words are already positive which we want, so all we need to do is get a negative or zero Y coordinate on the spawn, 0 X and 0 Z rotation, and our Y rotation is the amount we want to skip by. However, an additional concern is that the csFrameCount is quite low, but by dropping the bombchu onto the floor, its flags become 0x00080000 which is more than enough for pretty much any natural cutscene.
106. The means we need to create a heap setup where a bombchu allocates exactly at our cutscene pointer, which is accomplished with the following steps:
107.  
108. begin with gohma defeated, and FW in 231 room
109. savewarp in jabu to load title screen
110. load second room
111. break both boxes and kill the octorok
112. load ruto room - cutscene pointer to 801f6cd0
113. game over
114. load second room
115. kill the octorok (collect drops if necessary)
116. enter bubble room
117. spawn bugs, fish, first bombchu (in that order) to use heap space
118. spawn a second bombchu at 801f6cd0 with angle XXXX, put it down to set its actor flags to a high number
119. recollect the fish
120. return to FW and wrong warp from gohma's lair to collapse
121.  
122. Sidenote: game over specifically is needed for this heap as it loads things slightly differently due to the game loading and immediately unloading nayrus love for 1 frame on game over load.
123.  
124. This process has two considerations: cannot overwrite the cutscene data present in the bombchu anywhere we travel afterwards, and we cannot overwrite the scene data we are using in any scenes we pass through since hyrule field (title screen).
125. In the hyrule field scene, the flashback cutscene is located at 80365750 on GCJ. This needs us to use Gohmas warp and WW to collapse specifically to have the appropriately sized scene where this data isn't overwritten. This is also convenient as 801f6CD0 is high enough in memory to not be overwritten by 231/ Gohma room/collapse actors.
126. Sidetracking a bit to explain this:
127. The scene allocates from the bottom upwards. After the scene is the object space, which has a fixed size of xFA000 for the majority of scenes (much of it will be unused space and not overwritten). See more info here: https://wiki.cloudmodding.com/oot/RAM_Map
128. This means it's not always about the absolute size of the scene, but it's also about where specifically the cutscene data is in the scene, and where it falls relative to this uninitialized memory.
129.  
130. So, what ends up happening is the cutscene post wrong warp starts processing at 801F6cD0, continues until 801F6ce8, and skips x30*Yrot. This means we need this to land on any cutscene command before the flashback ends. There are a variety of angles which work for this, including:
131. 79B8
132. 7A25
133. 7A27
134. 7A3D
135. 7A41
136. 7A42
137. 7A44
138. 7A45
139. 7A66
140. Not every angle works because cutscene commands are varying lengths, so in the natural cutscene only some commands are starting at allignment x8, and for others x8 is halfway through a command, leading it to read entirely junk. Additionally, these angles were filtered to exclude cutscene commands which set Links position, as the cutscene coordinates are OoB in collapse, causing Link to void out before the cutscene finishes.
141.  
142. For LACS, this is the latest into the cutscene we can wrong warp with this, as the cutscene in Temple of Time relies on Zelda actor to give you the light arrows, so if you tried to WW later, it would just play Zelda's speech in collapse but do nothing without Zelda present. It also would not set any ages or entrances if you warped to the very last part.
143. This technique is not limited to LACS cutscene. It works for any cutscene data which isn't overwritten in the scene. For example, with this heap and Hyrule Field, you can also use these:
144. Credits (Epona):
145. 7ABB
146. 7AE6
147. credits (Zelda in the sky):
148. 7B09
149. 7B0A
150. 7B14
151. 7B1D
152. 7B1E
153. 7B1F
154. 7B23
155. These angles will change depending on the cutscene pointer you start with and where in the scene cutscene you want to go.
156. These were originally manually brute forced by looking for the nearest working angles to LACS cs pointer.
157.  
158. This technique is also not limited to using scene data for it, which can be a big issue for scenes where the scene data is always overwritten when wrong warping. Instead of scene, we can jump from our first actor to a second actor. However, it has significantly stricter requirements for heap, at least for the cases I have currently found.
159. Also, alignment is still an issue as invalid commands can only skip from x8 to x8 or from x0 to x0, meaning x4 and xC manipulable actor data isn't able to be used freely. This is work-around-able as explained later.
160.  
161. For example, if you wanted to learn a song, you would use:
162. CS_TEXT_OCARINA_ACTION
163. This is actually just a type of text entry,
164. #define CS_TEXT_OCARINA_ACTION(ocarinaAction, startFrame, endFrame, messageId) \
165. CS_TEXT(ocarinaAction, startFrame, endFrame, CS_TEXT_OCARINA_ACTION, messageId, CS_TEXT_ID_NONE)
166. Which means cs text ocarina action must be prefixed by #define CS_TEXT_LIST(entries) \
167. CS_CMD_TEXT, CMD_W(entries)
168.  
169. In numbers, this means you want 00000013 0000xxxx to start a text list of xxxx size, and within that text list you need an entry with yyyyzzzz zzzz0002 zzzzzzzz, where Y corresponds to the song and z doesn't matter. For example, if we choose ZL, we want need 0017zzzz zzzz0002. This is a bit of a struggle to get 4 words manipulable in one actor, so I planned to do so across two actors. The grass actor, En_Kusa has
170. 0x0150 */ ColliderCylinder collider;
171. /* 0x019C */ s16 timer;
172. /* 0x019E */ s8 requiredObjectSlot;
173. } EnKusa; // size = 0x01A0, where the collider has
174. Vec3s hitPos; //( Point of contact in its bump collider) just before its timer, leaving us with 2.5 words we have control over (x194 x198 x19c) 0000xxxx yyyyzzzz tttt0aQQ. Because the data at x19F is not initialized, we actually can control that prior at some point, giving us 2.75 words we can control. However, due to alignment of cs pointer and our invalid jumps being limited to x0 and x8, we only have 1.75 words (yyyyzzzz tttt0aQQ). This still is enough to start the text list command, leaving us x0AQQ text entries (where QQ is stale uninitialized data) to form a valid ocarina action. This needs to be at either the xC or x0 alignment as text entries are 3 words long. Spin attack actor En_m_thunder conveniently has 0x014C */ ColliderCylinder collider which ends up in having position shorts alligned xC.
175. So, our flow would look like
176. Cutscene pointer-> actor (chu) rot ->kusa pos->spin attack pos
177. Because text entries have an odd number of words, this can also be used solely for the purpose of changing the alignment in memory. You can treat it as an xC*entries skip. You can use this to point to another actor to spell out a CS_DEST which is not obtainable in scene data.
178. I have NOT properly scanned every actor struct, and it is quite possible that there are better aligned or more controllable data to perform this with.
179.  
180. One last note:
181. Due to how it iterates ,
182. Both the overall command processing
183. for (i = 0; i < totalEntries; i++) {
184. MemCpy(&cmdType, script, sizeof(cmdType));
185. script += sizeof(cmdType);
186.  
187. if (cmdType == CS_CMD_STOP) {
188. return;
189. }
190. And the command sub entry processing
191. default:
192. MemCpy(&cmdEntries, script, 4);
193. script += sizeof(cmdEntries);
194.  
195. for (j = 0; j < cmdEntries; j++) {
196. script += 0x30;
197. }
198. break;
199. Both have this effect where
200. s16 i;
201. s32 totalEntries;
202. s32 cmdEntries;
203. s16 j;
204. Due to the data size differences, neither i nor j are capable of successfully incrementing to totalEntries or cmdEntries in every case. If cmdEntries is 00008000, in s32 this is a positive number, but in s16 it is a negative number, meaning when it counts i++ or j++ it can never meet the condition to stop, and gets stuck in a loop. For command processing, this isn't a big issue as there are two safeguards in place: you either hit a cmd stop cutscene terminator, or your frames exceed the frame count, and it stops. But for within commands themselves, if your cmdEntries are 00008000 to 7fffffff then it will get stuck in a perpetual loop. As mentioned earlier, command processing is happening every frame, but this would get stuck mid frame, meaning the frames would not advance and this is a true lock. Conversely, cmdEntries of 80000000 to 00000000 would all meet the condition as when trying to meet that goal is passes thru 8000 and FFFF. This limits the effective skip, as well as the effective pretty much every cutscene command, to have x7FFF entries.
205.  
206. TLDR:
207. We can redirect where the cutscene engine is looking for cutscenes based on the bombchu angle, and then either form our own cutscenes or skip memory to the game's natural scene cutscenes to play them post wrong warp.
208. -natalyahasdied