The Rare Witch Project Forums


runehero123 24th April 2008 03:20 AM

SNS the truly true way.
Recently I posted evidence that you were given the sandcastle codes in Banjo-Tooie, used them in BK to open secret areas and collect items, then Cold-Swap (while power off) back to Banjo-Tooie to receive the secret items in your inventory. I then posted that the only way this could be wrong is if any flag-data set by Banjo-Tooie was somehow calculated together with the SNS data in EEPROM. You can read about that here:

Note: I only have shark-food island raised here.

Anyways, I have found what seems to confirm 100% that any data written to the sandcastle code on startup comes directly from EEPROM (save-chip on cart) without any additional calculations being done.

Let's start with the evidence found in the Assembly code that writes to the SNS Address.


8026Fc04 LWR T9, 0x0007(T6) `Loads sns value from 8026CFC8 BEQ R0, R0, 0x8026CFE0

80285da8. The opcode before this 8026FC00 LWL T9, 0x004(t6) also loads from this address.

8026FC08 SW T9, 0x004(T7) `Stores the sns value to address 0x8027BC2C

8026FC3C LBU T4, 0x002c(T4) `Loads the SNS Value from address 0x8027BC2C to register T4

8026FC40 SB T4, 0x0000(T5) `Stores the SNS value to sns address 0x80283400

If you don't understand Assembly language, then allow me to explain it clear and simple. This is all you need to know: "The SNS Variable is initially written to 8026FC05 in RAM (Random Access Memory)"

Okay good, so we have our SNS Variable sitting in memory at 8026FC05. But let's see what happens before it was written to that spot in memory...

So look at the command that the arrow is pointing to. This is the last command called before the SNS value is written to the SNS Address. Now, if you don't understand ASM, that command is telling the system to store the value in T9 (0x1fc007c0) to address T0+0x4 (0xA4800004).

Now, 0xA4800004 sure isn't an address in RAM. I believe it is an address in the tiny SPMEM. Anyway, the point here is that apparently the SNS Value doesn't appear to be loaded from RAM. If that's the case, then it has to be loaded directly from EEPROM -> 0x8026CFC8 in RAM. Leaving little question of any Flag data being calculated with that value.

However, if Subdrag, Icemario, or Coolboyman had a quick look (just to be safe) that would be great.

Evidence 2:

If you try to change the initial value written to the SNS Address, the code will revert to 0 meaning that you wouldn't have any of the areas unlocked or items collected.

This tells me two things. One, that there is some sort of Checksum which means that if the SNS Value being written to RAM isn't the same as the data in EEPROM, then the N64 flags that data as corrupt and clears it from RAM and EEPROM. Two, it would probably be impossible for flag data to combine with EEPROM because it would fail the checksum by having the new data differ from the data found in EEPROM.

Evidence 3:

Finally, I have figured out where SNS data is stored to in the EEPROM file.

First, take a look at this picture:

The addresses I'm showing here can be found in the EEPROM file (.sav in Nemu). I'm showing two different instances here: the top image shows SNS data with Sharkfood Island raised, and the bottom shows both Sharkfood Island raised and the pink SNS egg collected.

The green value is our SNS variable and it appears the same as it does in RAM. More importantly, in the red are our check-sum values. Again, the SNS Value will need to match the check-sum values or the check-sum will fail and all SNS data will be deleted.

Also, I can confirm that the flag data set by Banjo-Kazooie (starts at 0x803fff00 in RAM) uses the same type of check-sum value technique. That way, Banjo-Tooie wouldn't use any corrupt flag data on startup.

So there you have it, I'm pretty much confirming it as 99.9% fact that Stop N Swop was only a One-way swap process. Now Rare just needs to admit it :p .

Here is how it truly worked:

1) Obtain sandcastle codes in BT
2) Enter Code in BK, open secret area
3) Collect secret Item
4) Cold-swap with Banjo-Tooie which would utilize BK flag data.
5) Have items in inventory.

If I'm correct, then we should finally have all the info we need to successfully re-create our own version of Stop-N-Swop. The only problem is, we would need some type of re-writable N64 cartridge to store a patched version of Banjo-Tooie on. I don't know a great deal of rom-hacking but if someone can make a four-player ocarina of time patch, then it's possible for someone to patch Banjo-Tooie to read and utilize flag data set by Banjo-Kazooie, I'm just not sure how possible :p

Hylian1 24th April 2008 03:33 AM

But is there enough SNS code left in Banjo-Tooie for it to pick up the items from B-K?

runehero123 24th April 2008 03:39 AM


Originally Posted by Hylian1
But is there enough SNS code left in Banjo-Tooie for it to pick up the items from B-K?

There is none as far as I'm aware. However, when I have the time I'll mess around with ASM in BT and see if I can get it to read data from the "Flag area" to put the Eggs and key in your inventory. Not that you could actually swap data from BK-BT unless Nemu or PJ64 could emulate Cold-Swapping.

jumbo mumbo 24th April 2008 03:41 AM


Could someone dumb down what he said for me so I can understand it better?

I somehow managed to read the whole thing and am really confused. Something about just swapping from BK to BT and not vice versa, but that's all I could understand.

runehero123 24th April 2008 04:03 AM

There is no chance that "Flag data" (see Rare's data sharing patent) could be written to the SNS address (this is the code you use to have all SNS items) without data in the EEPROM (this is the save chip on your N64 cart. Every time you save your game, data is written here; don't confuse with memory card.) overwriting it.

dmoss 24th April 2008 04:08 AM

...nice job, runehero! ^_^

jumbo mumbo 24th April 2008 04:17 AM


Originally Posted by runehero123 (Post 310115)
There is no chance that "Flag data" (see Rare's data sharing patent) could be written to the SNS address (this is the code you use to have all SNS items) without data in the EEPROM (this is the save chip on your N64 cart. Every time you save your game, data is written here; don't confuse with memory card.) overwriting it.

Oh ok I think I get it now.

runehero123 24th April 2008 04:21 AM


Originally Posted by Dmoss
...nice job, runehero!

Thanks :) .

And it's all backed up in the patent.


Originally Posted by Rare Patent
In accordance with yet other further aspects of the invention, the first program alternatively contains instructions that when executed by the processor specifically identifies information for sharing with the second program and provides a code that is associated with this identified information to a user of the first program via a display coupled to the control unit. In this instance, the code is provided instead of storing the identified information to the memory. In this regard, the second program alternatively contains instructions that when executed by the processor ask the user to provide a code, if any, and then utilize the information associated with the code in the implementation of the second program.

Banjo Tooie gives you the sandcastle codes.


Originally Posted by Rare Patent
Upon retrieval of the identified information, another test is made to determine the validity of the retrieved information at a step 28. Primarily, the second program is checking to specifically determine that the data is of the correct type; that it is whole and complete within itself; that there is no corruption in whole or in part; and that the data is suitable for use by and is acceptable to the second program. This validity test can be accomplished by conventional error checking techniques which could, for example, include checking data. Even further, extra data can be incorporated alongside or within the data to be transferred. This extra data can be calculated by a program from the data to be transferred. In this regard, the calculation method used could be a simple addition of all of the data, or it could be a more complicated algorithm which generates what is conventionally understood to be an error checking code like a checksum.

As I mentioned, this error checking code exists within EEPROM and Banjo-Kazooie's flag data.


Originally Posted by Rare Patent
It will also be appreciated by those skilled in the art and others that more than one checksum may be needed to confirm the validity, integrity and acceptability of the data.

This seems to be the case for EEPROM data. There are two Checksum addresses as I mentioned above.
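
Added example, not part of the thread and not Rare's code: a C sketch of the validity check the quoted patent text describes, with the record layout, the function names and both check formulas chosen here as assumptions. It shows a modified record being cleared on load, and a byte swap that the plain sum misses but the second check value catches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAYLOAD_LEN 4 /* assumed size; the thread gives no record layout */
typedef struct {
    uint8_t  payload[PAYLOAD_LEN]; /* data shared between the two programs */
    uint16_t sum;                  /* "simple addition of all of the data" */
    uint16_t mix;                  /* second, order-sensitive check value */
} shared_record;

static uint16_t additive_sum(const uint8_t *p, size_t n) {
    uint16_t s = 0;
    for (size_t i = 0; i < n; i++) s = (uint16_t)(s + p[i]);
    return s;
}

/* Rotate-left-then-XOR: unlike the sum, the result depends on byte order. */
static uint16_t rotating_mix(const uint8_t *p, size_t n) {
    uint16_t m = 0;
    for (size_t i = 0; i < n; i++) m = (uint16_t)(((m << 1) | (m >> 15)) ^ p[i]);
    return m;
}

/* Writer side: compute both check values over the payload. */
void record_seal(shared_record *r) {
    r->sum = additive_sum(r->payload, PAYLOAD_LEN);
    r->mix = rotating_mix(r->payload, PAYLOAD_LEN);
}

/* Reader side: 1 and a copy of the payload if both checks pass, else clear and 0. */
int record_load(shared_record *r, uint8_t out[PAYLOAD_LEN]) {
    if (additive_sum(r->payload, PAYLOAD_LEN) != r->sum ||
        rotating_mix(r->payload, PAYLOAD_LEN) != r->mix) {
        memset(r, 0, sizeof *r);      /* treat the whole record as corrupt */
        memset(out, 0, PAYLOAD_LEN);
        return 0;
    }
    memcpy(out, r->payload, PAYLOAD_LEN);
    return 1;
}

int main(void) {
    shared_record r = { {0x10, 0x20, 0x00, 0x00}, 0, 0 }; /* constructed sample */
    uint8_t out[PAYLOAD_LEN];
    record_seal(&r);
    r.payload[0] = 0x20; r.payload[1] = 0x10; /* swap two bytes: sum unchanged */
    printf("accepted=%d\n", record_load(&r, out));
    return 0;
}
```

Check values like these catch accidental corruption; anything able to rewrite the payload can also recompute both values, so they are an error check rather than tamper protection.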

Klungo 24th April 2008 05:36 AM

Cold swapping uses the memory pak, right?

Some_wierdGuy 24th April 2008 07:54 AM

no, cold swap is have BK in, turn off N64, take BK out and put BT in, turn back on

as opposed to a hot swap, which is have BK in, leave N64 on and take BK out, and put BT in

so hot swap means swap carts while on, cold means swap carts while off

Articerile 24th April 2008 09:24 AM

Surely in order to do that you just need some overwritable ROM for it? And I'm pretty sure it's fairly easy to get hold of, since people use it all the time for custom computers and such.

But would it be the same spec as the N64? I'm not sure, I've never ripped open any of my carts to look inside, since all my N64 games are good.

If I can find a cheap cruddy N64 game I'll probably have a look.

BanjoPL 24th April 2008 10:01 AM


I have a question.
When and where would we cold swap?
Just after collecting an SNS item, or in an area that exists in BT too, like Banjo's House, Spiral Mountain or the entrance to Grunty's Lair?


Originally Posted by slaphappy (Post 13061)

In my mind, one final question remains, though. Did Rare actually have enough time to remove the SNS code from BT? There was the infamous statement from the Rare employee claiming the connection between the games was still there. Rare claims he was misquoted. Maybe, maybe not. The clean up effort appears to have been a little sloppy. Blackeye still has the Pink Egg portraits all around him. Remnants of Bottles Revenge remain. The Base Egg being left in the NTSC version of Tooie.

So, I am holding on to the final remaining glimmer of hope. Assuming SNS does still exist, one would need a pre-1999 N64, the NTSC version of BK, and the NTSC version BT to find it. If this, however unlikely, is true, it creates a tough position for Rare. Is SNS still there? No, well yes, well kind of. I wouldn't comment on the subject either. I also wouldn't have taunted everyone with the chalkboard in GbtG either, but hey, Rare will be Rare.


Gregg Mayles said that he is very close to the truth.
For me (based on slaphappy's theory and Gregg's response) it looks like that small part of SNS still exists and can activate Bottles' Revenge in Banjo-Tooie.
I have a pre-1999 Nintendo 64, so Stop 'N' Swop would be possible on my system. I will test some ideas...

glitchman 24th April 2008 05:59 PM


Originally Posted by BanjoPL (Post 310199)
I have a pre-1999 Nintendo 64, so Stop 'N' Swop would be possible on my system. I will test some ideas...

I also have a pre-1999 N64, alas I live in Britain :(

yamibakuragod 25th April 2008 03:11 PM


Originally Posted by BanjoPL (Post 310651)
Rune thinks that Cheato pages would give you sandcastle codes in BT.
I have another idea. Maybe characters would tell you codes:

Madame Grunty-Cyan Egg
Captain Blackeye-Pink Egg and Red Egg
Gobi-Blue Egg and Yellow Egg ?
Loggo-Green Egg
Boggy-Ice Key

Why must you spam every one of these types of theories with yet another idea of what the eggs equaled? No one cares. All you ever do is come up with some random set of things the eggs equal. This isn't about what you got or who you received them from, it's about how SNS physically works. Seriously, stop with this garbage, it's spam and no one cares. Please make your own topic next time rather than derail someone else's.

BanjoPL 25th April 2008 03:19 PM

Mistake. Bad post was removed...
Rune said that he will test some BT stuff, so I hope that he will be back with great news.

All times are GMT.