Skip to main content

How Zelda: Ocarina of Time speedrunners break the N64 in incredible new ways

Jacob Roach in a promotional image for ReSpec
This story is part of Jacob Roach's ReSpec series, covering the world of PC gaming and hardware.

ReSpec is normally a column about the wonderful, technical world of PC gaming, but occasionally there are topics that are too good to pass up. The Legend of Zelda: Ocarina of Time is universally acclaimed as one the best Nintendo 64 games ever made, and while it’s not a PC title, the highest-level, most technical speedruns of the game expose how games work on a fundamental level. More importantly, these incredible feats are only possible with a lot of community effort.

Ocarina of Time is a game that would take a normal player around 30 hours to beat; the most skilled speedrunners, who aim to play the game as fast as possible, can beat it in around three hours and 40 minutes without glitches. But the Any% category of the game, which tasks players with completing the game regardless of the methods used, is down to three minutes, 54 seconds, and 566 milliseconds. And yes, those milliseconds matter. The second-place record holder is less than a full second behind the world record.

Ocarina of Time game for the Nintendo 64.
Image used with permission by copyright holder

Even with being such a remarkable feat, that’s not all Ocarina of Time speedruns bring to the table. At Summer Games Done Quick 2022, a semiannual speedrunning marathon for charity, there was a showcase that highlighted a group of speedrunners reprogramming the game on the fly to display new graphics, play new music, and even run a Twitch chat overlay. And all of that was done on a stock copy of the game with no preprogramming.

Recommended Videos

The Ocarina of Time speedrunning community has continued to break the game in seemingly impossible ways. I reached out to two of the leading minds in the community to find out what makes the classic Nintendo 64 game tick, and it all comes down to one exploit: Arbitrary Code Execution.

Far from arbitrary

Nintendo 64 console and games.
Rob Tek/Shutterstock

Arbitrary Code Execution, or ACE, sounds a lot more intimidating than it actually is. It’s a term thrown around in cybersecurity that basically means running code (or a program) that shouldn’t be run. That’s how dannyb, a speedrunner for Ocarina of Time who holds the second-place record in the Any% category, described ACE in Ocarina of Time: “Arbitrary Code Execution in OoT is an exploit whereby a player can use in-game actions to arrange a bunch of data in memory to mimic game code, and then manipulate the location where the game is looking to run code to be the place where we just did that arranging.”

With the right actions, dannyb says players are able to “essentially run any code we like from within the game, and cause the game to do things it was not programmed to do.” These actions include things as seemingly useless as the name you enter when you start the game. That’s exactly the action that has allowed Ocarina of Time to be beaten so quickly.

In a game like Ocarina of Time, the game checks its memory for a certain requirement to be met in order to beat the game. The goal in an Any% speedrun is to rearrange the memory to look at your character’s name instead of where it would typically look. This is called Stale Reference Manipulation, or SRM, and dannyb says the exploit is what cracked Ocarina of Time speedruns open in a major way.

[Former World Record] OoT Any% Speedrun in 3:55.300!

“ACE in any video game always needs those two things: fine-tuned control over some region of memory such that the player can make the data there mimic code, and the ability to change location of code execution to be the place where the custom code lies. In 2019, a glitch called Stale Reference Manipulation was discovered in OoT, which opened up the second requirement in a big way,” dannyb said.

In the case of a normal Ocarina of Time run, seemingly random actions add up to trick the game into checking areas (such as your character’s name) for completion requirements when they shouldn’t. It’s a two-part process. Create a data payload, such as your character’s name, and manipulate memory with SRM to point toward that payload.

Hacking on the fly

OoT Triforce Percent ACE Showcase: TASBot brings us Here Together at SGDQ 2022! (Beta + new content)

That’s how speedrunners beat Ocarina of Time in just a few minutes, but it doesn’t fully explain how the lovingly named Triforce% showcase was able to add new texture, models, music, code, and even a Twitch overlay to the game without any modification to the cartridge. Savestate, one of the minds behind this yearslong project, explained that it’s all about priming the Nintendo 64 console to understand controller data as game data.

It’s a showcase that’s only possible due to TASBot, which is able to execute inputs at inhuman speeds. As Savestate explains, “We modify an instruction in memory to start reading controller data as N64 instructions. Normally, this would crash, but thanks to TASBot, he is able to simulate controllers and manipulate them at inhuman speeds to look like N64 instructions so that the game executes the controller data as a set of predetermined instructions.”

The runners are able to add any code they want to the game just through controller inputs.

In short, the Triforce% showcase is using ACE and SRM like a normal Ocarina of Time speedrun, but it’s specifically changing how the Nintendo 64 console understands instructions. With that setup, the runners are able to add any code they want to the game just through controller inputs. Savestate continued: “There is no modification of the game cartridge. To get custom data into memory, we use a glitch that allows us to start adding and modifying stuff in memory with the help of TASBot while only interfacing with the N64 console through its controller ports.”

Controller port on the Nintendo 64.
Image used with permission by copyright holder

These exploits aren’t just randomly discovered, either. Savestate explained that the Ocarina of Time community has developed tools to look at how memory is arranged in the game, as well as programs to simulate different memory arrangements. Emulators like Project64 help a lot, allowing runners and tool developers to go through how the game executes code step-by-step.

Ocarina of Time is one of the most iconic games ever made, and the robust, dedicated speedrunning community has allowed the game to thrive with new developments for decades after it was originally released. Exploits like the one that powers the fastest Ocarina of Time speedruns trivialize the challenge normally associated with beating a game as fast as possible, but they also highlight the incredible technical expertise and community effort that goes into dissecting and analyzing beloved games.

The community is aware of this balance, too, according to dannyb: “OoT’s Any% speedrun category is the only one on our main leaderboards which allows ACE as a valid way to complete the goal. For everything else, we ban ACE in order to preserve the uniqueness which brought those categories to life in the first place.”

This article is part of ReSpec – an ongoing biweekly column that includes discussions, advice, and in-depth reporting on the tech behind PC gaming.

Jacob Roach
Lead Reporter, PC Hardware
Jacob Roach is the lead reporter for PC hardware at Digital Trends. In addition to covering the latest PC components, from…
Get ready: Google Search may bring a pure ‘AI mode’ to counter ChatGPT
AI Overviews being shown in Google Search.

It is match point Google as the tech giant prepares to introduce a new “AI Mode” for its search engine, which will allow users to transition into an atmosphere that resembles the Gemini AI chatbot interface.

According to a report from The Information, Google will add an AI Mode tab to the link options in its search results, where the “All,” “Images,” “Videos,” and “Shopping” options reside. The AI Mode would make Google search more accessible and intuitive for users, allowing them to “ask follow-up” questions pertaining to the links in the results via a chatbot text bar, the publication added.

Read more
I tested Intel’s new XeSS 2 to see if it really holds up against DLSS 3
The Intel logo on the Arc B580 graphics card.

Although it technically arrived alongside the Arc B580, Intel quickly disabled its new XeSS 2 feature shortly after it was introduced. Now, it's back via a new driver update, and with a few fixes to major crashes issues. I took XeSS 2 out for a spin with the Arc B580, which has quickly climbed up the rankings among the best graphics cards, but does XeSS 2 hold up its side of the bargain?

XeSS 2 is Intel's bid to fight back against Nvidia's wildly popular DLSS 3. The upscaling component at the core of XeSS is the same, but XeSS 2 includes both a Reflex-like latency reduction feature and, critically, frame generation. The latency reduction, called XeLL, is enabled by default with frame generation.

Read more
Windows PCs now works with the Quest 3, and I tried it out for myself
i tried windows new mixed reality link with my quest 3 alan truly sits in front of a pc and adjusts virtual screen while wear

Microsoft and Meta teamed up on a new feature that lets me use my Windows PC while wearing a Quest 3 or 3S, and it’s super easy to connect and use. I simply glance at my computer and tap a floating button to use Windows in VR on large displays only I can see.

Meta’s new Quest 3 and 3S are among the best VR headsets for standalone gaming and media consumption. When I want more performance or need to run one of the best Windows apps that aren’t yet available in VR, I can connect to a much more powerful Windows PC.
Setting up Mixed Reality Link
Scanning Microsoft's Mixed Reality Link QR code with a Meta Quest 3 Photo by Tracey Truly / Digital Trends

Read more