Skip to main content

How Zelda: Ocarina of Time speedrunners break the N64 in incredible new ways

ReSpec is normally a column about the wonderful, technical world of PC gaming, but occasionally there are topics that are too good to pass up. The Legend of Zelda: Ocarina of Time is universally acclaimed as one the best Nintendo 64 games ever made, and while it’s not a PC title, the highest-level, most technical speedruns of the game expose how games work on a fundamental level. More importantly, these incredible feats are only possible with a lot of community effort.

Ocarina of Time is a game that would take a normal player around 30 hours to beat; the most skilled speedrunners, who aim to play the game as fast as possible, can beat it in around three hours and 40 minutes without glitches. But the Any% category of the game, which tasks players with completing the game regardless of the methods used, is down to three minutes, 54 seconds, and 566 milliseconds. And yes, those milliseconds matter. The second-place record holder is less than a full second behind the world record.

Ocarina of Time game for the Nintendo 64.
Image used with permission by copyright holder

Even with being such a remarkable feat, that’s not all Ocarina of Time speedruns bring to the table. At Summer Games Done Quick 2022, a semiannual speedrunning marathon for charity, there was a showcase that highlighted a group of speedrunners reprogramming the game on the fly to display new graphics, play new music, and even run a Twitch chat overlay. And all of that was done on a stock copy of the game with no preprogramming.

The Ocarina of Time speedrunning community has continued to break the game in seemingly impossible ways. I reached out to two of the leading minds in the community to find out what makes the classic Nintendo 64 game tick, and it all comes down to one exploit: Arbitrary Code Execution.

Far from arbitrary

Nintendo 64 console and games.
Rob Tek/Shutterstock

Arbitrary Code Execution, or ACE, sounds a lot more intimidating than it actually is. It’s a term thrown around in cybersecurity that basically means running code (or a program) that shouldn’t be run. That’s how dannyb, a speedrunner for Ocarina of Time who holds the second-place record in the Any% category, described ACE in Ocarina of Time: “Arbitrary Code Execution in OoT is an exploit whereby a player can use in-game actions to arrange a bunch of data in memory to mimic game code, and then manipulate the location where the game is looking to run code to be the place where we just did that arranging.”

With the right actions, dannyb says players are able to “essentially run any code we like from within the game, and cause the game to do things it was not programmed to do.” These actions include things as seemingly useless as the name you enter when you start the game. That’s exactly the action that has allowed Ocarina of Time to be beaten so quickly.

In a game like Ocarina of Time, the game checks its memory for a certain requirement to be met in order to beat the game. The goal in an Any% speedrun is to rearrange the memory to look at your character’s name instead of where it would typically look. This is called Stale Reference Manipulation, or SRM, and dannyb says the exploit is what cracked Ocarina of Time speedruns open in a major way.

[Former World Record] OoT Any% Speedrun in 3:55.300!

“ACE in any video game always needs those two things: fine-tuned control over some region of memory such that the player can make the data there mimic code, and the ability to change location of code execution to be the place where the custom code lies. In 2019, a glitch called Stale Reference Manipulation was discovered in OoT, which opened up the second requirement in a big way,” dannyb said.

In the case of a normal Ocarina of Time run, seemingly random actions add up to trick the game into checking areas (such as your character’s name) for completion requirements when they shouldn’t. It’s a two-part process. Create a data payload, such as your character’s name, and manipulate memory with SRM to point toward that payload.

Hacking on the fly

OoT Triforce Percent ACE Showcase: TASBot brings us Here Together at SGDQ 2022! (Beta + new content)

That’s how speedrunners beat Ocarina of Time in just a few minutes, but it doesn’t fully explain how the lovingly named Triforce% showcase was able to add new texture, models, music, code, and even a Twitch overlay to the game without any modification to the cartridge. Savestate, one of the minds behind this yearslong project, explained that it’s all about priming the Nintendo 64 console to understand controller data as game data.

It’s a showcase that’s only possible due to TASBot, which is able to execute inputs at inhuman speeds. As Savestate explains, “We modify an instruction in memory to start reading controller data as N64 instructions. Normally, this would crash, but thanks to TASBot, he is able to simulate controllers and manipulate them at inhuman speeds to look like N64 instructions so that the game executes the controller data as a set of predetermined instructions.”

The runners are able to add any code they want to the game just through controller inputs.

In short, the Triforce% showcase is using ACE and SRM like a normal Ocarina of Time speedrun, but it’s specifically changing how the Nintendo 64 console understands instructions. With that setup, the runners are able to add any code they want to the game just through controller inputs. Savestate continued: “There is no modification of the game cartridge. To get custom data into memory, we use a glitch that allows us to start adding and modifying stuff in memory with the help of TASBot while only interfacing with the N64 console through its controller ports.”

Controller port on the Nintendo 64.
Image used with permission by copyright holder

These exploits aren’t just randomly discovered, either. Savestate explained that the Ocarina of Time community has developed tools to look at how memory is arranged in the game, as well as programs to simulate different memory arrangements. Emulators like Project64 help a lot, allowing runners and tool developers to go through how the game executes code step-by-step.

Ocarina of Time is one of the most iconic games ever made, and the robust, dedicated speedrunning community has allowed the game to thrive with new developments for decades after it was originally released. Exploits like the one that powers the fastest Ocarina of Time speedruns trivialize the challenge normally associated with beating a game as fast as possible, but they also highlight the incredible technical expertise and community effort that goes into dissecting and analyzing beloved games.

The community is aware of this balance, too, according to dannyb: “OoT’s Any% speedrun category is the only one on our main leaderboards which allows ACE as a valid way to complete the goal. For everything else, we ban ACE in order to preserve the uniqueness which brought those categories to life in the first place.”

This article is part of ReSpec – an ongoing biweekly column that includes discussions, advice, and in-depth reporting on the tech behind PC gaming.

Jacob Roach
Lead Reporter, PC Hardware
Jacob Roach is the lead reporter for PC hardware at Digital Trends. In addition to covering the latest PC components, from…
A dangerous new jailbreak for AI chatbots was just discovered
the side of a Microsoft building

Microsoft has released more details about a troubling new generative AI jailbreak technique it has discovered, called "Skeleton Key." Using this prompt injection method, malicious users can effectively bypass a chatbot's safety guardrails, the security features that keeps ChatGPT from going full Taye.

Skeleton Key is an example of a prompt injection or prompt engineering attack. It's a multi-turn strategy designed to essentially convince an AI model to ignore its ingrained safety guardrails, "[causing] the system to violate its operators’ policies, make decisions unduly influenced by a user, or execute malicious instructions," Mark Russinovich, CTO of Microsoft Azure, wrote in the announcement.

Read more