Yoshi’s Island Credits Warp on Canoe

1. Yoshi’s Island Credits Warp on Canoe
2.  
3. Poahr, tomoha
4.  
5. In the process of arbitrary code execution in Yoshi’s Island, the processor reaches $0370ED which is middle of the sprite table. The values contained in this area are: $42 $C6 $00 $08, which are interpreted as WDM; BRK #$08 on SNES. After these four bytes of codes the processor continues reading more bytes we write from $0370F1 because the processor immediately executes RTI ($40) at the break vector address.
6.  
7. WDM ($42) which stands for William D. Mensch, Jr, the designer of 65C816, is a multi byte opcode reserved for future expansion. This opcode aims for the future processor, so it actually does not do anything on W65C816S, the processor of SNES. In this point, WDM is the same as NOP ($EA) but WDM has a big difference from NOP. As I mentioned earlier, WDM is a multi byte opcode so it takes program counter (PC) forward to two bytes, which means the processor ignore one byte just after WDM. Though it is not true, we can think WDM takes one byte operand but it does not matter. In Yoshi’s Island ACE, because of WDM the processor skips $C6 after WDM and starts executing from $00, BRK for the next operation.
8.  
9. Canoe is a first party SNES emulator made by Nintendo which is used in Classic mini, Wii U Virtual Console, 3DS Virtual Console and Switch Online. Though Canoe is an official emulator by Nintendo, it has a lot of inaccurate emulation and mistakes on the process of implementation. SethBling et al. (2022) discovered four inaccurate emulation on Canoe: the behaviour of open bus, mystery RAM, program counter overflow and WDM.
10.  
11. As I said before, WDM takes the program counter forward to two bytes on SNES; however, on Canoe, WDM acts like the same as NOP, which means WDM takes the PC forward to only single byte. Due to this wrong emulation, the processor on virtual console does not ignore the byte after WDM and reads it as opcode. In Yoshi’s Island ACE, the program at $0370ED: $42 $C6 $00 $08 is interpreted as WDM; DEC $00; PHP on Canoe. The difference is DEC $00 and PHP. Actually, DEC $00 does not matter in this case, but PHP ($C6) plays a very important role in the crash of ACE on Canoe. PC finally reaches RTL ($6B) and tends to return to the main loop. RTL pulls three bytes pushed when the processor executes JSL from the stack to determine the return address. PHP pushes the value of P resister (i.e. processor flag) and this messes everything of ACE up on Canoe, which means when the processor reads RTL, it pulls three bytes and interpreted like the middle byte of the correct return address as the bank, the last byte of the correct return address as the middle byte and the P resister pushed by PHP as the last byte.
12.  
13. To avoid this, you must pull the P resister by the arbitrary code to keep the stack correct. You can use PLP ($28) or PLY ($7A) to pull out the unintended value. You can not use PLA ($68) because accumulator is 16 bit mode in Yoshi’s Island, or PLX ($FA) because it may loops the program counter.
14.  
15.  
16. References
17.  
18. Bruce Clark. (2015, September 28). 65C816 Opcodes. 6502.org.
19. http://www.6502.org/tutorials/65c816opcodes.html
20.  
21. SethBling, IsoFrieze, T.T, Mally, Tomoha & MrCheeze. (2022, March 18). Open Bus on Canoe (The SNES Virtual Console/SNES Classic Emulator).
22. https://docs.google.com/document/d/1my6JXPM0iHERHjsptm6453rDGIJENqTVJnK7UGuQlLo/edit
23.  
24. 倫葉. (2022, June 24). Canoe概論.
25. https://docs.google.com/document/d/1xWgAQsTTlaoPiwzEstM6IjskQXvmQEirBu5Pi69WCo4/edit?usp=sharing