NES Game Genie Technical Notes

The Mighty Mike Master
NES Game Genie Technical Notes
by The Mighty Mike Master
with thanks to Cheatmaster for helping me figure out the NES Game Genie codes.

The NES Game Genie from Galoob is a device that allows a player to enter a variety of codes into a Nintendo Entertainment System game in order to cause the game to do things it would not normally do, e.g., grant the player extra (or fewer) lives at startup, give the player extra items, change the gameplay, or just cause crazy things to happen.

The NES Game Genie works by allowing the player to plug an NES game cartridge into it and then plug the Game Genie into the NES console in place of the cartridge. The Game Genie then allows the player to enter a code which consists entirely of letters. The codes come in two flavors: 6- and 8- character. The codes translate into addresses and data in a game's program space (upper half of address space, 0x8000-0xFFFF) which the Game Genie fools the CPU into using rather than the byte which is supposed to be there. Because of this method, there is no limit to the number of Game Genie codes that can be discovered.
6-Character Codes
6-character NES Game Genie codes translate into a 15-bit (not 16-bit) address and an 8-bit data byte. The address is 15-bit because address bit 15 is always set to 1 in order to reference the top half of the CPU address space. When the CPU attempts to read the memory address specified by the Game Genie code, the Game Genie apparently intercepts the read and substitutes the byte from the Game Genie code in place of the actual ROM byte.

To decode an NES Game Genie code, first translate each character into its hexadecimal equivalent using the following table:

        A  0x0
        P  0x1
        Z  0x2
        L  0x3
        G  0x4
        I  0x5
        T  0x6
        Y  0x7
        E  0x8
        O  0x9
        X  0xA
        U  0xB
        K  0xC
        S  0xD
        V  0xE
        N  0xF

Then comes the tricky part. There is a lot of convoluted bit shifting that occurs in order to get the address and data from a Game Genie. This is probably to make the Game Genie codes seem more magical. After all, given 2 Game Genie codes, one that granted 5 lives on startup and another code that granted 9 lives, and the only difference between the 2 codes was one character, even a novice player could probably figure out that modifying that one character to any of the acceptable letter characters would grant between 1 and 16 lives on startup.

In order to decode the 6-character NES Game Genie code, name the 6 characters/hex values [n0 .. n5]. Follow the pseudocode (which assumes you know the C-style operaters for bitwise AND (&), bitwise OR (|), and the << and >> bit shift operators):

        address = 0x8000 + 
              ((n3 & 7) << 12)
            | ((n5 & 7) << 8) | ((n4 & 8) << 8)
            | ((n2 & 7) << 4) | ((n1 & 8) << 4)
            |  (n4 & 7)       |  (n3 & 8);

The algorithm simply combines the lower 3 bits from one 4-bit nibble and the top bit from another nibble and puts the resulting nibble somewhere else. Here is the data algorithm:

        data =
             ((n1 & 7) << 4) | ((n0 & 8) << 4)
            | (n0 & 7)       |  (n5 & 8);

Example: The code is GOSSIP (amazing coincidence that it happens to also be an English word). This works in Capcom's Ghosts 'n Goblins to start your player with a really funky weapon. Work through the code by hand to see if understand the decoding algorithm.

           n0   n1   n2   n3   n4   n5
           G    O    S    S    I    P
          0x4  0x9  0xD  0xD  0x5  0x1
         0100 1001 1101 1101 0101 0001

         address = 0xD1DD, data = 0x14

Therefore, whenever the CPU reads from address 0xD1DD, the Game Genie will intercept the read and return the byte 0x14.
8-Character Codes
8-character NES Game Genie codes are similar to the 6-character variety except that there is also a compare byte value that needs to be decoded as well. This is most likely due to the fact that many games use memory mappers in order to increase the amount of code and data they can use. Since the game might be swapping program (PRG) banks in and out of the CPU address space, the Game Genie can't just return the code data value when the CPU reads from a particular address. Instead, when the CPU reads from the cartridge, the Game Genie checks if the address in the cartridge equals the compare value and returns the code data value if it does; otherwise, it returns the real value in the cartridge.

The algorithm for decoding the address of an 8-character code is the same as decoding the address for a 6-character code. The algorithm for decoding the data byte changes a little:

        data =
             ((n1 & 7) << 4) | ((n0 & 8) << 4)
            | (n0 & 7)       |  (n7 & 8);

And the algorithm for decoding the compare value is as follows:

        compare =
             ((n7 & 7) << 4) | ((n6 & 8) << 4)
            | (n6 & 7)       |  (n5 & 8);

Example: The code is ZEXPYGLA. This works on Dr. Mario in order to clear a row or column with only 3 colors in a line, rather than 4. Work through the code by hand to see if understand the decoding algorithm.

           n0   n1   n2   n3   n4   n5   n6   n7
           Z    E    X    P    Y    G    L    A
          0x2  0x8  0xA  0x1  0x7  0x4  0x3  0x0
         0010 1000 1010 0001 0111 0100 0011 0000

         address = 0x94A7, data = 0x02, compare = 0x03

Therefore, when the CPU reads from address 0x94A7 and the real byte at that address is 0x03, then the Game Genie will return 0x02 instead of 0x03. If the byte is something other than 0x03, then that byte will be returned.

- The Mighty Mike Master