Homebrew Regionthree modification: need help loading from sd card.

shutterbug2000 · Feb 6, 2015

Wierd thing here.

When I load a value bigger than 0x00000200 into r2(for PID), it crashes. Anything under causes a lockup, because nothing of that exists on the sd. Any ideas?

WeedZ · Feb 7, 2015

Loading rom from sd card? Heh?

shutterbug2000 · Feb 7, 2015

WeedZ1985 said:
Loading rom from sd card? Heh?

Well, right now I'm trying to load a game I OWN off the sd card, simply as a test.

WeedZ · Feb 7, 2015

Im with you. Just saw your other thread. I was going to try this as well but my laziness won me over.

Hope it works, been looking forward to it actually.

Raugo · Feb 7, 2015

What are you trying to run a 3ds or a installed cia?

shutterbug2000 · Feb 7, 2015

Right now, I'm trying to run an eshop game. I'm just trying to experiment at the moment.

AquaX101 · Feb 7, 2015

shutterbug2000 said:
Right now, I'm trying to run an eshop game. I'm just trying to experiment at the moment.

cia?

WeedZ · Feb 7, 2015

Here was my theory. Not 100% sure it's how it works but here goes. There are two instances of the gamecard. One for mediatype which a value of 1 should be the sd. The other is the PID which I would think is the game title. It also looks in game cart, possibly a particular partition sense it skips fw check. Now if you simply switch mediatype to sd. It's going to look for PID but never find it because its contained in a rom file and not the sd itself. There should be another line to tell it to look in a particular rom. Or if the sd was formatted and cloned of a cartridge it might load with just media type changed. But hey, Just a theory as I said.

Shubshub · Feb 7, 2015

http://3dbrew.org/wiki/EShop would this be of any help at all?

Raugo · Feb 7, 2015

I have run the digital version of Fire Emblem modifying the code of regionthree. You need to edit the lower word PID and the upper with the titleid of the game and change mediatype to 1 .

This is the code for the 4.x firmware edited to load Fire Emblem Awakening:

;This goes at 0x12000 in the launcher.dat
.nds

.create "spider_rop_4x.bin",0x0

;define constants
DLPLAY_CODE_LOC_VA equ 0x00192800
DLPLAY_CODE_LOC equ (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000-0x4000)
DLPLAY_HOOK_LOC equ (0x1A3500-0x00100000+0x03F50000+0x14000000-0x4000)
DLPLAY_NSSHANDLE_LOC_VA equ 0x001A5200

SPIDER_GSPHEAPBUF equ 0x18410000
SPIDER_ROP_LOC equ 0x08F01000

spiderRop:
;copy code to dlplay
;copy patch
.word 0x0029C170 ; LDMFD SP!, {R0-R4,PC}
.word SPIDER_GSPHEAPBUF ; r0 (dst)
.word SPIDER_ROP_LOC+dlplayCode ; r1 (src)
.word dlplayCode_end-dlplayCode ; r2 (size)
.word 0xDEADC0DE ; r3 (garbage)
.word 0xDEADC0DE ; r4 (garbage)
.word 0x0029BF64 ; memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE ; r4 (garbage)
.word 0xDEADC0DE ; r5 (garbage)
.word 0xDEADC0DE ; r6 (garbage)
.word 0xDEADC0DE ; r7 (garbage)
.word 0xDEADC0DE ; r8 (garbage)
.word 0xDEADC0DE ; r9 (garbage)
.word 0xDEADC0DE ; r10 (garbage)

;flush data cache
.word 0x0029C170 ; pop {r0, r1, r2, r3, r4, pc}
.word 0x003B643C ; r0 (handle ptr)
.word 0xFFFF8001 ; r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF ; r2 (address)
.word 0x00000200 ; r3 (size)
.word 0xDEADC0DE ; r4 (garbage)
.word 0x002D6A34 ; pop {lr, pc}
.word 0x0010DB6C ; lr (pop {pc})
.word 0x00344C2C ; GSPGPU_FlushDataCache

;send GX command
.word 0x002AD574 ; pop {r0, pc}
.word 0x003F54E8+0x58 ; r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00269758 ; pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand ; r1 (cmd addr)
.word 0x002D6A34 ; pop {lr, pc}
.word 0x0010DB6C ; lr (pop {pc})
.word 0x002CF3EC ; nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue

;sleep for a bit
.word 0x002AD574 ; pop {r0, pc}
.word 500000000 ; r0 (half second)
.word 0x00269758 ; pop {r1, pc}
.word 0x00000000 ; r1 (nothing)
.word 0x002D6A34 ; pop {lr, pc}
.word 0x0010DB6C ; lr (pop {pc})
.word 0x002A513C ; svc 0xa | bx lr

;copy gsp interrupt handler table to linear heap
;flush data cache
.word 0x0029C170 ; pop {r0, r1, r2, r3, r4, pc}
.word 0x003B643C ; r0 (handle ptr)
.word 0xFFFF8001 ; r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF ; r2 (address)
.word 0x00000200 ; r3 (size)
.word 0xDEADC0DE ; r4 (garbage)
.word 0x002D6A34 ; pop {lr, pc}
.word 0x0010DB6C ; lr (pop {pc})
.word 0x00344C2C ; GSPGPU_FlushDataCache

;send GX command
.word 0x002AD574 ; pop {r0, pc}
.word 0x003F54E8+0x58 ; r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00269758 ; pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand2 ; r1 (cmd addr)
.word 0x002D6A34 ; pop {lr, pc}
.word 0x0010DB6C ; lr (pop {pc})
.word 0x002CF3EC ; nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue

;sleep for a bit
.word 0x002AD574 ; pop {r0, pc}
.word 500000000 ; r0 (half second)
.word 0x00269758 ; pop {r1, pc}
.word 0x00000000 ; r1 (nothing)
.word 0x002D6A34 ; pop {lr, pc}
.word 0x0010DB6C ; lr (pop {pc})
.word 0x002A513C ; svc 0xa | bx lr

;copy gsp interrupt handler table back to dlplay after patching it
;patch table
.word 0x0029C170 ; LDMFD SP!, {R0-R4,PC}
.word SPIDER_GSPHEAPBUF+0x90 ; r0 (dst)
.word SPIDER_ROP_LOC+dlplayHook ; r1 (src)
.word dlplayHook_end-dlplayHook ; r2 (size)
.word 0xDEADC0DE ; r3 (garbage)
.word 0xDEADC0DE ; r4 (garbage)
.word 0x0029BF64 ; memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE ; r4 (garbage)
.word 0xDEADC0DE ; r5 (garbage)
.word 0xDEADC0DE ; r6 (garbage)
.word 0xDEADC0DE ; r7 (garbage)
.word 0xDEADC0DE ; r8 (garbage)
.word 0xDEADC0DE ; r9 (garbage)
.word 0xDEADC0DE ; r10 (garbage)

;flush data cache
.word 0x0029C170 ; pop {r0, r1, r2, r3, r4, pc}
.word 0x003B643C ; r0 (handle ptr)
.word 0xFFFF8001 ; r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF ; r2 (address)
.word 0x00000200 ; r3 (size)
.word 0xDEADC0DE ; r4 (garbage)
.word 0x002D6A34 ; pop {lr, pc}
.word 0x0010DB6C ; lr (pop {pc})
.word 0x00344C2C ; GSPGPU_FlushDataCache

;send GX command
.word 0x002AD574 ; pop {r0, pc}
.word 0x003F54E8+0x58 ; r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00269758 ; pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand3 ; r1 (cmd addr)
.word 0x002D6A34 ; pop {lr, pc}
.word 0x0010DB6C ; lr (pop {pc})
.word 0x002CF3EC ; nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue

;trigger spider crash to return to menu
.word 0xFFFFFFFF

; copy code stub to end of dlplay .text
.align 0x4
gxCommand:
.word 0x00000004 ;command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF ;source address
.word DLPLAY_CODE_LOC ;destination address
.word 0x200 ;size
.word 0xFFFFFFFF ; dim in
.word 0xFFFFFFFF ; dim out
.word 0x00000008 ; flags
.word 0x00000000 ; unused

; copy gsp interrupt handler ptr table to spider linear heap
.align 0x4
gxCommand2:
.word 0x00000004 ;command header (SetTextureCopy)
.word DLPLAY_HOOK_LOC ;source address
.word SPIDER_GSPHEAPBUF ;destination address
.word 0x200 ;size
.word 0xFFFFFFFF ; dim in
.word 0xFFFFFFFF ; dim out
.word 0x00000008 ; flags
.word 0x00000000 ; unused

; copy gsp interrupt handler ptr table back to dplay for spider linear heap
.align 0x4
gxCommand3:
.word 0x00000004 ;command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF ;source address
.word DLPLAY_HOOK_LOC ;destination address
.word 0x200 ;size
.word 0xFFFFFFFF ; dim in
.word 0xFFFFFFFF ; dim out
.word 0x00000008 ; flags
.word 0x00000000 ; unused

.align 0x4
dlplayCode:
ldr r0, =DLPLAY_NSSHANDLE_LOC_VA ; ns:s handle location
ldr r0, [r0]

mrc p15, 0, r1, c13, c0, 3
add r1, 0x80
ldr r2, =0x00100180 ; NSS:RebootSystem
str r2, [r1], #4
ldr r2, =0x00000001 ; flag
str r2, [r1], #4
ldr r2, =0x0009F100 ; lower word PID (0 for gamecard)
str r2, [r1], #4
ldr r2, =0x00040000 ; upper word PID
str r2, [r1], #4
ldr r2, =0x00000001 ; mediatype (2 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 ; reserved
str r2, [r1], #4
ldr r2, =0x00000000 ; flag
str r2, [r1], #4

.word 0xef000032 ; svc 0x32 (sendsyncrequest)

;sleep forever and ever...
ldr r0, =0xFFFFFFFF
ldr r1, =0x0FFFFFFF
.word 0xef00000a ; svc 0xa (sleep)

.pool
dlplayCode_end:

.align 0x4
dlplayHook:
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
dlplayHook_end:

.Close

shutterbug2000 · Feb 7, 2015

Raugo said:
I have run the digital version of Fire Emblem modifying the code of regionthree. You need to edit the lower word PID and the upper with the titleid of the game and change mediatype to 1 .

This is the code for the 4.x firmware edited to load Fire Emblem Awakening:

Stupid question: How do I compile regionthree? I usually modify Duke-srg's version, but that doesn't seem to work for this.

Jayro · Feb 7, 2015

Does this mean we'll eventually be able to run eShop games from SD on an unmodified system without a flash cart?

WeedZ · Feb 7, 2015

Jayro said:
Does this mean we'll eventually be able to run eShop games from SD on an unmodified system without a flash cart?

Lol

Raugo · Feb 7, 2015

shutterbug2000 said:
Stupid question: How do I compile regionthree? I usually modify Duke-srg's version, but that doesn't seem to work for this.

You need armips https://github.com/Kingcom/armips. I uploaded a compiled version. Drag the spider_rop.s to the exe. Then rename the spider_rop.bin to ROP.dat and put it in the root of the SD.

Xenon Hacks · Feb 7, 2015

WeedZ1985 said:
Lol

Shutup mugen it was a serious question

Shubshub · Feb 7, 2015

Any luck yet? shutterbug?

shutterbug2000 · Feb 7, 2015

Shubshub said:
Any luck yet? shutterbug?

Sort of.

Shubshub · Feb 7, 2015

shutterbug2000 said:
Sort of.

Care to share your findings?

WulfyStylez · Feb 7, 2015

As has been said in the other thread you posted about this, it's not really useful. Remember you're at the mercy of NSS:RebootSystem, and that can't load from SD. Heck, if anything you'd need to image your 3DS rom to your SD card, not just throw it on a filesystem.

Other titles (installed games, etc) can be loaded from RebootSystem because that's literally how the menu loads them.

WeedZ · Feb 7, 2015

WulfyStylez said:
As has been said in the other thread you posted about this, it's not really useful. Remember you're at the mercy of NSS:RebootSystem, and that can't load from SD. Heck, if anything you'd need to image your 3DS rom to your SD card, not just throw it on a filesystem.

Other titles (installed games, etc) can be loaded from RebootSystem because that's literally how the menu loads them.

That's been said here too bro

Homebrew Regionthree modification: need help loading from sd card.

Cubic NINJHAX!

Possibly an Enlightened Being

Cubic NINJHAX!

Possibly an Enlightened Being

Well-Known Member

Cubic NINJHAX!

Well-Known Member

Possibly an Enlightened Being

The Shubinator

Well-Known Member

Cubic NINJHAX!

MediCat USB Dev

Possibly an Enlightened Being

Well-Known Member

Attachments

Well-Known Member

The Shubinator

Cubic NINJHAX!

The Shubinator

SALT/Bemani Princess

Possibly an Enlightened Being

Similar threads

Popular threads in this forum