Navigation
Grotto Overlay SRM
Discovered by MrCheeze
Offset 0x5F6 in the grotto (actor 0x55, Door_Ana) overlay is the entry in the global grotto exit list that contains the entrance index for a generic grotto (0x1440). By using the lower half of the X coordinate (offset 0x26) of a Stale Reference, we can overwrite this with any arbitrary entrance index. By jumping into a generic grotto in the same scene, we will get sent to the new entrance. This is the first occurrence of a true Wrong Warp Anywhere glitch in Majora's Mask that does not require ACE.
Types of Grottoes
The code for the grotto actor decides to set your entrance in one of three different ways depending on the actor parameters of the given grotto.
| Type | Set bits in Params | Exit List Used | Exit List Index | List of Grottos |
|---|
| 1 | Both bits in 0x0300 | Current Scene | Low 5 bits of Params | All 5 Deku Palace Grottos, Deku Playground |
| 2 | At most one bit in 0x0300, at least one bit in 0x7000 | Grotto Overlay | High 4 bits of Params - 1 | N/A |
| 3 | At most one bit in 0x0300, no bits in 0x7000 | Grotto Overlay | Initial Z rotation + 1 | Every non-Deku grotto in the game |
Note that there are no Type 2 grottoes in MM, but the code to interpret them in this way remains. This means if we ever SRMed a grotto's parameters, we could cause a new type of entrance setting not naturally used anywhere in the game. However, doing so would actually be somewhat detrimental.
Type 2 and Type 3 grottoes both use the exit list in the grotto overlay. The biggest difference between them is that Type 2 grottoes can only access actual table entries (and one index prior to the table) due to the 16 available indices, whereas Type 3 grottoes can index up to 65,521 entries past the table itself into an unintended region of memory.
Exploiting this ability Type 3 grottoes have would be massively inconvenient, because the Exit List Index is set in the initial Z rotation which is offset 0x18 of the actor. This means we'd have to SRM with the upper half of the Y coordinate which is the least manipulable field of all. Furthermore, we'd be accessing memory that is highly dependent on the current state of the heap, which would add a massive amount of complexity to looking for heap manips. As such, we do NOT use this method.
Instead, we SRM the overlay's exit list itself, then jump into any non-Deku grotto to get our desired warp.
List of All Grottoes
In order to do Grotto Overlay SRM, the grotto must not be Type 1, and it must be in a scene with multiple rooms. The following is a list of all the grottos in the game, whether they are usable based on this criteria, and whether the scene has special requirements.
| Scene | Grotto | Type | Has Multiple Rooms | Is Usable | Special Requirements |
|---|
| Purified Southern Swamp | Generic | 3 | YES | YES | Need Zora since human is too short to carry a stale reference through the water |
| Ikana Canyon | Generic | 3 | YES | YES | Requires Zora Fin SRM against a water current, extremely difficult |
| Deku Palace | JP Vines (front-right) | 1 | YES | NO | N/A |
| Deku Palace | JP Flat (back-right) | 1 | YES | NO | N/A |
| Deku Palace | Magic Bean Seller | 1 | YES | NO | N/A |
| Deku Palace | JP Vines (front-left) | 1 | YES | NO | N/A |
| Deku Palace | JP Flat (back-left) | 1 | YES | NO | N/A |
| Termina Field | Bio Baba | 3 | NO | NO | N/A |
| Termina Field | Bay Gossips | 3 | NO | NO | N/A |
| Termina Field | Dodongo | 3 | NO | NO | N/A |
| Termina Field | Peahat | 3 | NO | NO | N/A |
| Termina Field | Swamp Gossips | 3 | NO | NO | N/A |
| Termina Field | Mountain Gossips | 3 | NO | NO | N/A |
| Termina Field | Business Scrub | 3 | NO | NO | N/A |
| Termina Field | Canyon Gossips | 3 | NO | NO | N/A |
| Termina Field | Generic (pillar) | 3 | NO | NO | N/A |
| Termina Field | Generic (grass) | 3 | NO | NO | N/A |
| Termina Field | Cow (hidden) | 3 | NO | NO | N/A |
| Great Bay Coast | Cow | 3 | NO | NO | N/A |
| Great Bay Coast | Generic | 3 | NO | NO | N/A |
| Zora Cape | Generic | 3 | NO | NO | N/A |
| Road to Southern Swamp | Generic | 3 | NO | NO | N/A |
| Graveyard | Generic (hidden) | 3 | YES | YES | No additional requirements |
| Poisoned Southern Swamp | Generic | 3 | YES | YES | Need Zora since human is too short to carry a stale reference through the water |
| Road to Ikana | Generic | 3 | NO | NO | N/A |
| Spring Mountain Village | Generic | 3 | YES | YES | No additional requirements |
| Path to Snowhead | Generic (hidden) | 3 | NO | NO | N/A |
| Winter Path to Goron Village | Hot Spring Water | 3 | NO | NO | N/A |
| Winter Path to Goron Village | Bay Gossips (sky) | 3 | NO | NO | N/A |
| Winter Path to Goron Village | Generic (hidden) | 3 | NO | NO | N/A |
| Spring Path to Goron Village | Generic (hidden) | 3 | NO | NO | N/A |
| Spring Path to Goron Village | Hot Spring Water | 3 | NO | NO | N/A |
| Woods of Mystery | Generic | 3 | YES | YES | Must be Day/Night 2 for the room with the grotto to be loadable |
| North Clock Town | Deku Playground | 1 | NO | NO | N/A |
Usable Grottoes for Speedruns
To summarize, these are the grottos that are likely to be usable in a speedrun context. Ikana Generic grotto, while technically possible, is not included due to the extreme difficulty of SRMing it.
- Graveyard Generic (hidden)
- Southern Swamp Generic
- Spring Mountain Village Generic
- Woods of Mystery Generic
Conveniently, every usable grotto happens to be generic. This means they all share the same entry (index 0x5) in the grotto overlay exit list. As such, we can use the exact same methodology to warp from any of the four locations. Namely, we will write any arbitray entrance index to exit list entry 0x5 in the grotto overlay by using the lower half of the X position of a stale reference.
Unlike Deku Palace SRM, we are writing raw entrance indices here. This means that for the first time in Majora's Mask history, we can quite literally wrong warp to anywhere in the game (from any of the four above locations).
Entrance Index Table
Discovered by Rylie
There are 2^16 = 65536 possible entrance indices in Majora's Mask. A table of all such indices is provided here. The raw entrance calculator this and subsequent spreadsheets are based on is also provided.
X Position Setups Tables
Discovered by Türkenheimer, Rylie
X position setup tables for Ikana Graveyard and Woods of Mystery have also been generated using a combination of Lua scripts and spreadsheet formulas.
Background on Entrance Indices
In order to follow the above spreadsheets, it is important to understand how the game decides which entrance to send you to. The game uses two separate entrance indices for this, one for the initial load of the scene, and one for reloads of the scene.
The entrance index for the initial load of the scene is set when entering a loading zone, and then is promptly zeroed out. This means you can only warp once using this entrance index.
Once the initial scene is loaded, the game sets a second entrance index to be used for reloads of the scene. It computes this by zeroing the "spawn" portion (middle field) of the regular entrance index. Common ways to trigger a reload include playing SoDT on versions other than Japanese N64, dying, and voiding. This warp can be used as many times as you want until the next time you enter a loading zone.
One additional quirk is that day transitions are a special type of reload. They will zero the "offset" portion (last field) of the reload entrance index (which already has the "spawn" portion zeroed). Once you get a day transition, you can continue to do either type of reload to end up at the same place indefinitely. However you will not be able to recover the original reload entrance index from before the day transition.
These three ways the game uses the entrance index enables us to do up to 3 wrong warps in succession without returning to a usable grotto. Wrong warping 2 or more times in a row is called a chain wrong warp. Note that in order to chain wrong warp, we must not enter any loading zones. Doing so will completely overwrite the reload entrance index, thus killing the possibility to chain warp, and returning the game to a state of "normal" death/voidwarps.
Proof of Concept
Discovered by MrCheeze
By hacking Link's held actor pointer to be the address of the grotto overlay + 0x5D0, throwing the stale reference to some random X position, then entering the grotto, MrCheeze was able to wrong warp, thus demonstrating the viability of grotto overlay SRM.
Heap Manip for US
Discovered by fullgrowngaming
A heap manip that allocates the grotto overlay 0x5D0 after Link's held actor pointer, and also does not result in Link dropping hands (the update function pointer at offset 0x138 is not null) was found. This heap manip achieves the second condition by allocating an overlay immediately after the grotto overlay. The only way this arrangement could result in Link dropping hands is if the instruction at held actor offset 0x138 happened to be a NOP, which while possible, is not terribly likely, so it's a good condition to simulate for.
Warping to the Moon (Moonwarp 3)
Discovered by fullgrowngaming, MrCheeze
For the first time in Majora's Mask history, we have a way to wrong warp to the actual moon! Moonwarp 1 sent us to Majora's room, and Moonwarp 2 sent us to Goron Trial, but now, thanks to arbitrary wrong warps enabled by Grotto Overlay SRM, we can go to the moon itself as well.
