More NES Password Madness

I was perusing my old Nintendo Power issues today, as I am wont to do for no good reason, and I stumbled upon a forgotten bonus that the magazine shipped to its subscribers once upon a time – Top Secret Passwords:


[Image: Top Secret Password Guide cover. Caption: guess which game is covered by the level 8 password on the sticky note.]

Now I’m playing with power. They put a tremendous amount of work into that cover. Passports for not only the Principality of NES but also the Republic of SNES. I guess in the early 1990s, nothing said “top secret” quite like a portable phone. Luckily, the book features passwords for Solar Jetman, the present object of my password infatuation. I wonder if the official password validator accepts the secret password comprised of all ‘Q’s, or if that’s handled by a special case.

Not only is Solar Jetman covered in the book but when I opened the book a carefully folded piece of paper slid out. It contained a number of very neatly written passwords, including ones for every world in Solar Jetman! It doesn’t look like my handwriting, plus the paper includes passwords for games that I never would have been caught dead playing. What a mystery. It’s almost like someone meant for me to find these clues and take up the cause of researching these ancient Nintendo password systems.

The password book contains passwords for a number of games where the only information carried in the password is what level the player was on. For a number of such games, I did a quick string check through the respective ROM data for the passwords. It looks like no coders bothered to use straight string comparison techniques for password validation.

One can only guess what sort of international espionage thrillers influenced the book’s artists, but their conceptualization of incognito (and airplane markings) involved a lot of pink:


[Image: Codename: Pink Gamer]

One thought on “More NES Password Madness”

  1. VAG

    That wacky ‘Q’ password is fully legal, as is any other constructed in the form aaaaaabbbbbb (where a may or may not be equal to b). However, some checks are additionally performed, rejecting many passwords where a or b is greater than Q (Q forms the ‘9’ nibble and many state variables may not exceed 9).
    This all works due to weak checksum checking, performed as:

    checksum = scratch[0];
    checksum ^= scratch[1];
    checksum += scratch[2];
    checksum ^= scratch[4];
    checksum += scratch[5]; // + extra carry here, not shown

    // scratch[3] holds the check byte stored in the password
    if (scratch[3] == (checksum & 0xFF)) { /* accepted */ }

    As you can see, supplying scratch[] filled with the same bytes will cause this check to always pass.
    If you are still curious, search the ROM dump for the A2 05 BD F4 06 hex sequence – it’s the beginning of the password verification routine.
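
The check described in the comment above, as an added example (not part of the original post or comment, and not the game's code): a C model of the checksum over a six-byte scratch[] with the check byte in scratch[3], confirming the uniform-fill result and showing one more weakness that follows from the same formula. It assumes the extra carry the comment mentions is absent; the helper names and the sample buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Checksum as listed in the comment. Assumption: the "extra carry" it
   mentions is not modelled, so the additions simply wrap at 8 bits. */
static uint8_t checksum(const uint8_t s[6])
{
    uint8_t c = s[0];
    c ^= s[1];
    c = (uint8_t)(c + s[2]);
    c ^= s[4];
    c = (uint8_t)(c + s[5]);
    return c;
}

/* scratch[3] carries the check byte that the other five must reproduce. */
static int accepted(const uint8_t s[6])
{
    return s[3] == checksum(s);
}

/* How many of the 256 buffers filled with one repeated byte are accepted?
   v^v = 0, 0+v = v, v^v = 0, 0+v = v, so every one of them should be. */
static int count_uniform_accepted(void)
{
    int n = 0;
    for (int v = 0; v < 256; v++) {
        uint8_t s[6];
        memset(s, v, sizeof s);
        n += accepted(s);
    }
    return n;
}

/* XOR commutes, so exchanging scratch[0] and scratch[1] is never noticed. */
static int swap_changes_verdict(const uint8_t s[6])
{
    uint8_t t[6] = { s[1], s[0], s[2], s[3], s[4], s[5] };
    return accepted(s) != accepted(t);
}

int main(void)
{
    uint8_t sample[6] = { 0x12, 0x34, 0x56, 0x00, 0x78, 0x9A }; /* constructed */
    sample[3] = checksum(sample);            /* make the buffer valid */
    printf("uniform buffers accepted: %d of 256\n", count_uniform_accepted());
    printf("sample accepted: %d, swap changes verdict: %d\n",
           accepted(sample), swap_changes_verdict(sample));
    return 0;
}
```

With the carry left out, the only thing standing between a buffer and acceptance is a single byte computed from the other five, so the additional range checks the comment mentions do most of the real filtering.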
