SethBling

SMW on Wii U VC ACE Technical Explanation

Jun 9th, 2017
No ACE setup has previously worked on the Wii U Virtual Console. This is because they all rely on the specific behavior of the open bus on SNES hardware. The Virtual Console does not correctly implement that behavior, and so all previous setups crash. The following setup executes up to 7 bytes of arbitrary code without ever attempting to access open bus.

When Mario is in powerup state 36 ($7E0019 = $24) and collects a 1-up by touching it, execution jumps to $010300. This address holds the x-coordinate of OAM slot $40. By running left, jumping, tapping right, then holding left again, while holding a shell in Mario's hand, the x-coordinate of this OAM slot is temporarily set to $80. Since the OAM tile is then hidden, the y-coordinate is $F0 thereafter. The instruction at $010300 is $80 $F0, or BRA -$10, putting execution at $0102F2.

This is within a set of OAM tiles for the white "splat" animations. $0102F2 contains one of the GFX indices for an 8x8 section of the splat graphic, $7C. $0102F3 contains the properties for the OAM tile, $20. $0102F4 contains the x-coordinate of a different OAM tile. This value is set to $18 by kicking a shell up (or left) near the left edge of the screen. The instruction at $0102F2 is therefore JMP ($1820,x). Since the 1-up being touched is in the 9th sprite slot, x is $09, and we jump to the address contained in $1829. This address contains y-velocities for minor extended sprites. We set these two values by spawning the 1-up egg, which creates four minor extended sprites, one for each of the shell fragments when it breaks. One of the fragments naturally despawns with a velocity of $42; the other is despawned early, at a value of $18, by going off the right side of the screen because of how we've set up the screen's scroll position. Address $011829 contains the word $4218. Execution jumps to $014218.

This is the joypad auto-read register for the first controller. Just before collecting the 1-up, we press L, down, select, Y and B, which sets $014218 to $20 and $014219 to $E4. Since the second controller isn't plugged in, $01421A is empty, and contains $00. The instruction at $014218 is JSR $00E4. Execution jumps to the sprite x-coordinate low-byte table.

My sample code in the sprite x-coordinate low-byte table was LDA #$1C; STA [$3D]; PLA; PLA; RTS. This sets the game mode to $1C, which is the beginning of the enemy cast screen.

The two PLA instructions are necessary because of the JSR from the joypad auto-read registers. By holding down select and Y on the second controller, you could set $01421B to $60 (RTS), which would allow the instructions contained in the sprite x-coordinate low-byte table to also end with RTS, taking up less space and allowing for more bytes of arbitrary code.
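
The chain described above can be checked by decoding the stated bytes. The following is an added example, not part of the original paste: it loads the values the write-up gives into a bank-$01 memory map and follows the three control-flow instructions. The function names are hypothetical, and the button-to-bit table is the standard SNES auto-read layout, which the paste does not spell out.

```python
# Added illustration; memory contents below are the values the write-up states.
JOY_BITS = {  # 16-bit auto-read word: high byte -> $4219, low byte -> $4218
    "B": 0x8000, "Y": 0x4000, "select": 0x2000, "start": 0x1000,
    "up": 0x0800, "down": 0x0400, "left": 0x0200, "right": 0x0100,
    "A": 0x0080, "X": 0x0040, "L": 0x0020, "R": 0x0010,
}

def joypad_bytes(buttons):
    """Return (low, high) register bytes for a set of held buttons."""
    word = 0
    for b in buttons:
        word |= JOY_BITS[b]
    return word & 0xFF, word >> 8

def build_memory():
    """Bank-$01 view (offset -> byte) after the setup described in the text."""
    mem = {
        0x0300: 0x80, 0x0301: 0xF0,                 # OAM slot $40: x, y
        0x02F2: 0x7C, 0x02F3: 0x20, 0x02F4: 0x18,   # splat tile, props, other x
        0x1829: 0x18, 0x182A: 0x42,                 # minor extended sprite y-speeds
        0x421A: 0x00,                               # controller 2 unplugged
    }
    mem[0x4218], mem[0x4219] = joypad_bytes(["L", "down", "select", "Y", "B"])
    return mem

def trace(mem, pc=0x0300, x=0x09, bank=0x01):
    """Follow BRA / JMP (abs,X) / JSR until a non-branch opcode is reached."""
    path = [(bank << 16) | pc]
    while True:
        op = mem.get(pc)
        if op == 0x80:    # BRA rel8: target = pc + 2 + signed offset
            off = mem[pc + 1]
            pc = (pc + 2 + (off - 0x100 if off & 0x80 else off)) & 0xFFFF
        elif op == 0x7C:  # JMP (abs,X): read 16-bit pointer at abs + X
            ptr = ((mem[pc + 1] | mem[pc + 2] << 8) + x) & 0xFFFF
            pc = mem[ptr] | mem[ptr + 1] << 8
        elif op == 0x20:  # JSR abs: call within the current bank
            pc = mem[pc + 1] | mem[pc + 2] << 8
        else:
            return path   # reached the payload (or unmapped memory)
        path.append((bank << 16) | pc)

if __name__ == "__main__":
    print(" -> ".join(f"${a:06X}" for a in trace(build_memory())))
```

The last address in the trace, $0100E4, is the bank-$01 view of direct-page address $E4, the sprite x-coordinate low-byte table where the payload sits.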