All times are UTC - 7 hours





Posted: Sat Nov 26, 2016 10:20 pm

Joined: Sat Oct 01, 2016 2:20 am
Posts: 40
Location: Australia, the land of British 50hz and obscure sports games.
Hi, I just wanted to ask a question about if it's possible to use real hardware to physically damage or destroy a NES cartridge. Like exploiting bugs to potentially fry hardware inside the cart? There were reports of a dangerous bug in 'Metroid' where the password ENGAGE RIDLEY MOTHER F*CKER would break the game so bad that the cart and even the system could be bricked. The 3DS virtual console version could brick the system itself apparently.

Are there any examples of this happening in other games? If so, can they damage flashcarts or emulators?


Posted: Sat Nov 26, 2016 11:57 pm
Site Admin

Joined: Mon Sep 20, 2004 6:04 am
Posts: 3470
Location: Indianapolis
Frying hardware through a software bug, I don't think so. It seems very unlikely. I think it may be possible for a Codemasters cart to damage itself with its lockout defeater circuit, if it was used in a top-loader. But the cart has a switch on the back to disable it.

The only cartridge I've ever run into more than one non-working copy (that cleaning couldn't fix), has been Mike Tyson's Punchout.

In theory, it could be possible for a game that uses battery-backed RAM to be corrupted in a way that makes it unplayable. And that would be fixable by removing the battery, or depending on the mapper, cycling the NES's power enough times until it corrupts the memory again. The way I could see this happening, is if the memory was corrupted in a way that it passes its own self-checksum while still having some kind of bad data that the game would choke on. This is possible, but still very unlikely.

From reading about that Metroid password, it sounds like on the 3DS you just have to cycle the power, no permanent damage. And I'm sure plenty of people have tried it on NES, doesn't seem to be any mention of it being dangerous (with my brief search anyways).


Posted: Sun Nov 27, 2016 1:17 am

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 5718
Location: Canada
If it's a flash based cartridge (like a lot of homebrew manufacturers use), it's technically possible for the flash ROM to be erased via the CPU, which could "brick" the cart until reflashed with a working ROM. That's quite possible, but it would require a very serious mistake on the part of the game's author.

If it has a battery backed save, there's lots of ways to corrupt a save, and in some cases a bad save could potentially crash a game on the load screen or startup or something. In this case it could probably be remedied by removing the battery temporarily. (In general, games with saves are programmed with the expectation that the battery can die or be disconnected, and should be able to recover.) You can also get corrupt saves by doing stuff like resetting during a save operation, etc.

Otherwise, if a read-only cartridge is properly wired, no I don't believe it's really "possible" to damage the cart or the NES through standards-compliant input. (I'm using quotes because there's probably some obscure case.)


Doing things like inserting or pulling out a cartridge while the NES is powered on might potentially damage stuff (though I've actually done this hundreds of times and have yet to notice a problem). Connecting improper voltages to the inputs, or other abuses might do stuff, but I think you were specifically excluding all of that.

TR3KT wrote:
There were reports of a dangerous bug in 'Metroid' where the password ENGAGE RIDLEY MOTHER F*CKER would break the game so bad that the cart and even the system could be bricked. The 3DS virtual console version could brick the system itself apparently.

It seems unlikely, but if the 3DS emulator had some unintentional security flaw it's plausible it could have strange problems in response to an unexpected state. (This kind of thing does happen occasionally.) On the NES though? No, I sincerely doubt this has ever happened on an NES.


Posted: Sun Nov 27, 2016 10:00 am

Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
TR3KT wrote:
There were reports of a dangerous bug in 'Metroid' where the password ENGAGE RIDLEY MOTHER F*CKER would break the game so bad that the cart and even the system could be bricked.

Absolute utter nonsense.


Posted: Sun Nov 27, 2016 1:12 pm

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 5718
Location: Canada
The 3DS emulator crashing in response to that password appears to have been a real thing 5 years ago, but even that didn't seem to do any harm to the system, just crashed it and required a reboot? (Presumably they've fixed their emulator since?)

Metroid has lots of known crash/glitch passwords, but none of them are going to set fire to your TV.

I could have sworn there was a thread about invalid Metroid passwords about a year ago and their behaviours, but I can't seem to find it.


Posted: Sun Nov 27, 2016 3:58 pm

Joined: Tue Jul 03, 2007 1:49 pm
Posts: 968
The PPU master/slave bit is supposedly directly connected to either ground or power (I can't remember). And doesn't use a pull up/down resistor. In theory setting the bit wrong will cause that output to short circuit, which is bad. (excess heat, damaging the output, or potentially even the chip)


Posted: Sun Nov 27, 2016 4:47 pm

Joined: Sun Sep 19, 2004 10:59 pm
Posts: 1389
Jeroen wrote:
The PPU master/slave bit is supposedly directly connected to either ground or power (I can't remember). And doesn't use a pull up/down resistor. In theory setting the bit wrong will cause that output to short circuit, which is bad. (excess heat, damaging the output, or potentially even the chip)

Setting the PPU to Slave mode makes it try to output pixel values to pins 14-17, but in the NES those pins are connected directly to GND, so any attempts to output non-background pixels would result in bus conflicts (outputting +5V against GND) which could possibly cause bad things to happen.

_________________
Quietust, QMT Productions
P.S. If you don't get this note, let me know and I'll write you another.


Posted: Mon Nov 28, 2016 1:52 am

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 5718
Location: Canada
Hmm, so let's say you find some sort of arbitrary code execution exploit, use it to set that bit in the $2000 register, and set up graphics so that it's outputting palette 3 as much as possible.

What's the consequence? Extra heat generation somewhere in the NES? Would it be enough heat to cause damage, or would it be more like "wearing it out faster than normal"?

It seems like it shouldn't do anything directly to the cartridge, unless maybe the NES gets hot enough to burn?


Of course, you don't need to exploit a game to do it, I was just remaining in the OP's hypothetical frame, but you could just write software that does this directly. Has anyone tested it? Does anyone want to risk it? :P (I suppose this question has been asked before: thread.)


Posted: Mon Nov 28, 2016 1:56 am

Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
I've tested the ENGAGE RIDLEY MOTHER FUCKER code on an actual NES (I forget when I did this, but I'm certain it involved nesdev folks -- I think it might've been on EFnet IRC?), but because it was done using a PowerPak, the resulting behaviour differs slightly from that of a real cartridge.


Posted: Mon Nov 28, 2016 2:08 am

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 5718
Location: Canada
I asked about the PPU slave heat thing on IRC (#nesdev/efnet), kevtris didn't think it would be significant enough to do damage, just slightly hotter and a slight waste of power (his off the cuff estimate was 30-40ma and 2-3 degrees C).

I'd almost be willing to leave my NES on for a while running a test, if I weren't at a kind of critical point in my life where I absolutely need a working NES right now, and it's not worth taking a small risk to prove a point like this. :P


Posted: Mon Nov 28, 2016 2:47 am

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 5718
Location: Canada
rainwarrior wrote:
I could have sworn there was a thread about invalid Metroid passwords about a year ago and their behaviours, but I can't seem to find it.

koitsu wrote:
I've tested the ENGAGE RIDLEY MOTHER FUCKER code on an actual NES (I forget when I did this, but I'm certain it involved nesdev folks -- I think it might've been on EFnet IRC?), but because it was done using a PowerPak, the resulting behaviour differs slightly from that of a real cartridge.

This made me realize I was thinking of an exchange that happened on IRC, and not the forums.

I found it in my logs of #nesdev from March 16, 2015. A user named Buddybenj came into #nesdev and asked users to test ENGAGE RIDLEY MOTHER FUCKER on hardware. Myself (rainwar), koitsu, and Ulfalizer took a look at it.

I could share the log I have, but there's not much of interest in it anyway, other than just noting that a few of us investigated this particular password on that occasion.


Posted: Mon Nov 28, 2016 10:17 am

Joined: Fri Nov 19, 2004 7:35 pm
Posts: 3943
000000 00000B
000000 00000B
This is pretty much an equivalent password and is much easier to enter.
FCEUX encounters a KIL instruction and stops.
VirtuaNES, Nestopia, Nintendulator (and even Nesticle) proceed to the graphically glitched non-scrolling Brinstar.
PocketNES and Metroid Zero Mission's NES emulator resets.
Don't know what NES Metroid does, I don't actually have that cartridge.

_________________
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!


Posted: Mon Nov 28, 2016 11:08 am

Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
From the IRC log in question (yes, I save IRC logs), quoting myself, testing an actual Metroid cart on an actual NES (i.e. not PowerPak, not AVS, etc.) (and thanks for giving a date, rainwarrior, that helped immensely):

Quote:
[14:43] > so actual cartridge behaviour is consistent, with power-cycles between each attempt: black screen, console effectively locks up. i also tried on the last attempt hitting reset (which brought me back to the intro) and re-entering the same password, same result as between power-cycles.

The whole log does have rainwarrior, myself, Ulfalizer, and some other folks going over it. It happens with "invalid" or "bogus" passwords (i.e. passwords which are accepted because syntactically or whatever they're permitted, but they trigger bugs as a result). At least in the case of ENGAGE RIDLEY M0THER FUCKER, an MMC1 PRG switch happens (sta $8000) and the PRG bank it swaps in happens to be "wrong", so the next PC instruction that runs after (or shortly after) the sta $8000 ends up being an invalid opcode (specifically opcode $02, a.k.a. kil). There are others like the one Dwedit provided, as well as BBBBBB BBBBBB / BBBBBB IIIIII, and I'm sure several more. I don't know what makes people think that these types of passwords are completely flawless/fail-safe?

On the PowerPak, rainwarrior saw behaviour where ENGAGE RIDLEY M0THER FUCKER would result in you being kicked back to the title screen, but in one case he got a black screen for a short period of time, and *then* got kicked back to the title screen:
Quote:
[14:18] <rainwar> anyhow, inconsistent
[14:18] <rainwar> first time, black for a few seconds then title
[14:18] <rainwar> second time hang on black
[14:19] <rainwar> third time hang on black

The general theory about the behaviour differing in emulators and PowerPak is that whatever's triggering the problem may relate to RAM or ZP variables having different contents vs. an actual cart. This is par for the course/understandable, not too exciting.

The original claim was the following (and it's completely invalid -- there is no "sub-frame timing" or anything else we can't figure out going on):

Quote:
[14:18] <Buddybenj> Well like I said this either relies on sub-fram timing or very low level hardware quirks, so it would be nice if someone could test on a real cartridge at least three times

It's like one of those old wives' tales that is completely unfounded, yet it continues to proliferate through social means, commonly by people who don't have any idea what they're talking about, and it'll continue to proliferate until the end of time. The "nude Samus" rumour I'd put in the same category too -- and the debunk is still my most popular YT video, which says something (to me) about the state of people and their "secret NES game rumours/tricks".

Note: the "O" in MOTHER is actually a zero, not a capital-oh. Thought I'd mention that.


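The failure mode discussed in the posts above (a battery save or password that passes its own checksum yet carries a value the game cannot handle, so that a PRG bank switch lands on opcode $02) can be modelled in a few lines. This is an added example, not part of the thread and not Metroid's real password format or ROM; the three-byte record, the bank contents, `VALID_AREAS` and all function names are constructed assumptions.

```python
# Added illustration: record layout, bank contents and names are constructed,
# not Metroid's real password format or ROM.
KIL = 0x02      # invalid 6502 opcode that halts the CPU (the "kil" in the post)
RTS = 0x60      # a legal 6502 opcode, standing in for real code at the entry point
ENTRY = 0       # offset inside a bank where execution resumes after the switch

# Eight constructed 16-byte "PRG banks": banks 1-5 hold code at ENTRY,
# the others hold data that happens to start with $02.
BANKS = [bytes([RTS if 1 <= n <= 5 else KIL]) + bytes(15) for n in range(8)]
VALID_AREAS = range(1, 6)   # assumption: only these indices name real areas


def checksum(payload: bytes) -> int:
    """Additive 8-bit checksum over the payload."""
    return sum(payload) & 0xFF


def make_record(area: int, items: int) -> bytes:
    """Build a record [area, items, checksum] the way a password encoder would."""
    payload = bytes([area, items])
    return payload + bytes([checksum(payload)])


def run_after_bank_switch(area: int) -> str:
    """Model the PRG bank switch and the next opcode fetch from the new bank."""
    bank = BANKS[area & 0x07]   # only the bits that select an existing bank matter
    return "jam" if bank[ENTRY] == KIL else "runs"


def load_checksum_only(record: bytes) -> str:
    """Integrity check only: any self-consistent record is trusted."""
    if len(record) != 3 or checksum(record[:-1]) != record[-1]:
        return "rejected"
    return run_after_bank_switch(record[0])


def load_validated(record: bytes) -> str:
    """Integrity check plus a range check on the field that selects a bank."""
    if len(record) != 3 or checksum(record[:-1]) != record[-1]:
        return "rejected"
    if record[0] not in VALID_AREAS:
        return "rejected"
    return run_after_bank_switch(record[0])
```

An all-zero record is self-consistent under an additive checksum, so only the range check keeps it away from the bank switch.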
 
Posted: Mon Nov 28, 2016 12:30 pm

Joined: Thu Mar 02, 2006 12:30 pm
Posts: 168
According to this blog, the issue breaks down to an invalid start location in the password.

_________________
Read my blog! The Incoherent Ramblings of a Lowly Geek


Posted: Mon Nov 28, 2016 1:09 pm

Joined: Sun Sep 19, 2004 11:12 pm
Posts: 19104
Location: NE Indiana, USA (NTSC)
It's a letter O, at least in the screenshot in the linked article on minimaxir. Capital O is squarish with a dot, and digit zero is an octagon with a black line down the middle.

