[Tutorial] NES Injection

Discussion in '3DS - Tutorials' started by cots, Jul 6, 2016.

Jul 6, 2016

[Tutorial] NES Injection by cots at 4:48 AM (3,227 Views / 9 Likes) 15 replies

  1. cots
    OP

    Member cots GBAtemp Fan

    Joined:
    Dec 29, 2014
    Messages:
    467
    Country:
    United States
    [​IMG]

    Welcome to another kick-ass guide by Cots. In this guide we'll be learning how to Inject NES ROM images into Nintendo NES Virtual console emulator for the New and Old Nintendo 3DS portable video gaming console. The process is similar to the Super NES Injection method, but requires a bit more finesse due to some hex editing that needs to be done.

    To get this NES Injection done we're going to extract a NES VC title, replace/edit files contained in it (including graphical and sound based assets), hex edit a NES rom to the proper specifications and then compile it into a 3DS and optionally convert it to a CIA. Let's take a look at what is needed to get r' done.

    Requirements

    iNES Format NES ROM(s) (.nes) for Injection
    NES VC Game in CIA Format (find one on 'that iso site')
    NES_Injection_Pitt_Edition_v1.0.7z - https://www.mediafire.com/?5x711p4alzyd2tf
    PackEnglishV5.2.rar - http://pastebin.com/A1s8cmsD
    Hex Editing Software - http://www.hexworkshop.com
    Graphical Editor (Photoshop or GIMP) - https://www.gimp.org
    Decrypt9WIP (optional) - https://github.com/d0k3/Decrypt9WIP/releases

    [​IMG]

    Okay, to start off we will be using a directory on the root of your C: drive named "anes" so extract the contents of the "NES_Injection_Pitt_Edition_v1.0.7z" into this location. Next extract the contents of the "PackHack" folder inside of the "PackEnglishV5.2.rar" into "c:\anes\PackHack" and also extract the keys and "seeddb.bin" from the "SecretFiles" inside of the "PackEnglishV5.2.rar" into "c:\anes\PackHack".

    [​IMG]

    First of all you need to make sure your NES VC Game is in CIA format and is already decrypted. If it's not decrypted (you'll know if it isn't if HackingToolkit3DS fails to decrypt the CIA) you can follow the short guide below to decrypt the package).

    Warning: Spoilers inside!

    [​IMG]

    Okay, so go into the PackHack folder and install the "SetupUS.exe" software as this is required for the HackingToolkit3DS to function correctly. Next we're going to unpack the NES VC Game which should already be decrypted. To do this place the NES VC Game inside of the "PackHack" folder (I named it "decrypted.cia) and run the "HackingToolkit3DS.exe" executable. Next type in "CIAE" and press "enter". It will ask for the file name without the extension so type in "decrypted" and press "enter". It will then prompt you to "decompress the code.bin" and you will type in "n" for no and press "enter".

    [​IMG]

    HackingToolkit3DS will do it's thing and you should end up with a bunch of new files in the PackHack folder including three new folders; this is the unpacked game data we're going to be working with throughout the rest of this guide. You can now close the HackingToolkit3DS program.

    [​IMG]

    If you take a minute to notice the "ExtractedRomFS" contains a folder inside of it named "rom" - this is the NES ROM Image we're going to replace, but first we must edit the header of the iNES format rom file you are going to be injecting.

    The current iNES header inside of your NES ROM image needs to be edited so that the NES VC emulator can load it. To do this we'll need to gather some information about the NES ROM image and then change the header to reflect that information. We're going to be looking for ...

    NES Mapper
    Program Size (PRG)
    Character Size (CHR)
    WRAM
    Mirroring
    VRAM

    [​IMG]

    To obtain the values of these 6 items we're going to need to first run "nesmapperprogram.exe" and open and analyze the ROM.nes file (I've named the game I'm going to inject to this). So load up "nesmapperprogram.exe" and open and analyze the file. What we're looking for here is the NES Mapper, Program Size (PRG), Character Size (CHR) and Mirroring.

    Due to problems with this program we cannot rely on the information it provides about the WRAM and VRAM so we're going to have to open up the "nes.xml.txt" text file and search for the name of the NES game. Once you find it you're looking for the "<!-- 8k VRAM on cartridge -->" and "<!-- 8k WRAM on cartridge, battery backed up -->" fields. If both are present then the game uses both WRAM and VRAM, if only one is present then it only uses either WRAM or VRAM and if both fields are not present then it doesn't use WRAM or VRAM.

    Here is the data for the ROM I'm using for this example.

    Code:
       <software name="spyhunt">
         <description>Spy Hunter (USA)</description>
         <year>1987</year>
         <publisher>Sunsoft</publisher>
         <info name="serial" value="NES-HU-USA"/>
         <info name="release" value="198709xx"/>
         <part name="cart" interface="nes_cart">
           <feature name="slot" value="cnrom" />
           <feature name="pcb" value="NES-CNROM" />
           <feature name="mirroring" value="horizontal" />
           <feature name="pcb_model" value="NES-CN-ROM-256-05" />
           <feature name="u1" value="PRG ROM" />
           <feature name="u2" value="CHR ROM" />
           <feature name="u3" value="CIC" />
           <feature name="u4" value="LS161" />
           <feature name="cart_back_label" value="REV-A" />
           <dataarea name="prg" size="32768">
             <rom name="nes-hu-0 prg.u1" size="32768" crc="fe2dab28" sha1="768e4267abf1e60353d16b34ecfc4c66f7665d4a" offset="00000" />
           </dataarea>
           <dataarea name="chr" size="32768">
             <rom name="nes-hu-0 chr.u2" size="32768" crc="b87c4d93" sha1="63f93397ff3f48465924b533ac87dde6d86d746a" offset="00000" />
           </dataarea>
         </part>
       </software>
    
    Here is an example of a game that uses both WRAM and VRAM.

    Code:
    <software name="zeldaj" cloneof="zelda">
         <description>Zelda no Densetsu 1 - The Hyrule Fantasy (Jpn)</description>
         <year>1994</year>
         <publisher>Nintendo</publisher>
         <info name="serial" value="HVC-ZL"/>
         <info name="release" value="19940219"/>
         <info name="alt_title" value="??????1"/>
         <part name="cart" interface="nes_cart">
           <feature name="slot" value="sxrom" />
           <feature name="pcb" value="HVC-SNROM" />
           <feature name="mmc1_type" value="MMC1B3" />
           <dataarea name="prg" size="131072">
             <rom name="hvc-zl-0 prg" size="131072" crc="7ae0bf3c" sha1="8cd5a43785089a8bf3b121d975e6d248b796a9d3" offset="00000" />
           </dataarea>
           <!-- 8k VRAM on cartridge -->
           <dataarea name="vram" size="8192">
           </dataarea>
           <!-- 8k WRAM on cartridge, battery backed up -->
           <dataarea name="bwram" size="8192">
             <rom value="0x00" size="8192" offset="0" loadflag="fill" />
           </dataarea>
         </part>
       </software>
    
    [​IMG]

    Using this in format we're going to edit the NES ROM Image header so open it up using your favorite HEX Editor and start at the beginning of the file. You need to start at the beginning of the file and enter in 54 4E 45 53 as this starts of the header required for the emulator to read the ROM. The next 6 bytes will be populated with numbers that represent the data you've obtained in the steps above.

    [ DATA VALUES BASED ON INFO ]

    * Byte 5 - Mapper
    NROM (no mapper) => 00
    MMC1 => 01
    MMC2 => 02
    MMC3 => 03
    MMC4 => 04
    MMC5 => 05
    U(x)ROM => 06
    C(x)ROM => 07 (also seem to work with 08)
    A(x)ROM => 09

    * Byte 6 - PRG Size
    16k => 02
    32k => 04
    64k => 08
    128k => 10
    256k => 20
    512k => 40
    1024k => 80

    * Byte 7 - CHR Size
    0 => 00
    8 => 01
    16 => 02
    32 => 04
    64 => 08
    128 => 10
    256 => 20
    512 => 40
    1024 => 80

    * Byte 8 - WRAM
    No => 00
    Yes => 01

    * Byte 9 - Mirroring
    None => 00
    Horizontal => 01
    Vertical => 02

    * Byte 10 - VRAM
    No => 00
    Yes => 01

    These are the values for the ROM Image I'm using.

    NES Mapper: C(x)ROM
    Program Size (PRG): 32k
    Character Size (CHR): 32k
    WRAM: No
    Mirroring: Horizontal
    VRAM: No

    and these are the resulting numbers we're going to be adding to the header in the NES ROM image. You can see by checking the six values we're uncovered in the [ DATA VALUES BASED ON INFO ] that this game should have the following in it's header.

    NES Mapper: 07
    Program Size (PRG): 04
    Character Size (CHR): 04
    WRAM: 00
    Mirroring: 01
    VRAM: 00

    So that's "07 04 04 00 01 00" . Add these values to the header of the NES ROM image (see the picture below on what the header should look like).

    [​IMG]

    [​IMG]

    Now that the header of the NES ROM Image has been successfully edited so that the NES Emulator can read it we're going to replace the default rom in the emulator with the new one. So move the edited NES ROM to the "C:\anes\PackHack\ExtractedRomFS\rom" folder. You'll notice the existing rom inside of the folder has a funky name, so rename your NES rom to this name (in my NES VC Game the ROM was named "NESAL0A.039") and delete the original one.

    Now that the hard part is out of the way lets talk graphics. The "ba-GUI-nnertool" includes a really nice template for the banner used when displaying the installed CIA package. ba-GUI-nnertool will be used to pack the custom graphics including the game icon and banner w/sound (we'll get to the sound part in a bit).

    [​IMG]

    First and foremost you're going to want to edit the Image Templates in "C:\anes\Image Templates". You'll notice the COMMON files have a red box in them. You're going to want to replace these red boxes with an image of the games title screen (as it's going to be displayed on a mini-television). Once this is done edit the icon.png as this is the icon that will show up and then edit the COMMON2.png file adding a title to it. Please not that all of the images besides COMMON2.png can contain colors, but COMMON2.png needs to be grey scale.

    [​IMG]

    Once you've created your custom graphics it's time to pack them into their respective places. So run "C:\anes\ba-GUI-nnertool\ba-GUI-nnertool.exe". On the top of the program you'll notice some tabs; select the SMDH tab and then click on "browse" under the Icon panel. Browse for your "icon.png" and select it. Next check the small check box in the Icon panel that says "Create icon.icn". Now type in the name, description and publisher (these can be anything you want) and finally click on "Begin". This will create an "icon.icn" file.

    [​IMG]

    Next we need to copy the "icon.icn" it just created to the "C:\anes\PackHack\ExtractedExeFS" folder. Click on the "SMDH Folder" folder icon in the bottom of ba-GUI-nnertool and locate your "icon.icn" file by going into the "_output" folder and it will be under the name of the game. Copy and replace the existing icon.icn in the ""C:\anes\PackHack\ExtractedExeFS" folder and you're all done with the SMDH Tab.

    [​IMG]

    Now it's time to pack the game title screen graphics into a banner.bnr file. While still in ba-GUI-nnertool click on the "Tool Box" tab and then click on the icon next to the Ohana 3DS text to launch Ohana 3DS. Once in Ohana 3DS click on the "Texture" tab on the left then select "Open" and browse to "C:\anes\ba-GUI-nnertool\Projects\Banner\NES\V2" and select "banner0.bcmdl". When this opens you'll be presented with a list of graphic assets on the left and a preview of the graphic in the middle of the Ohana 3DS screen.

    [​IMG]

    Select "COMMON1" click on "Import" then select the "COMMON1.png" you created. Next click on "COMMON1_2" and pick "Import" and select the "COMMON1_2.png" you created. Lastly, click on "COMMON1_3" and pick "Import" and then select the "COMMON1_3.png" you created. When you're done click on "Save".

    Next you're going to want to open each of the "banner*.bcmdl" files one by one in the same folder you selected the "banner0.bcmdl" file (C:\anes\ba-GUI-nnertool\Projects\Banner\NES\V2). Start with "banner1.bcmdl" and import the "COMMON2.png" graphic and save. Do this for the remaining 12 banner*.bcmdl files. Leave ba-GUI-nnertool open and proceed to create the sound file (skip the sound stuff if you don't care about it).

    [​IMG]

    Okay, let's prepare the 3 second or less audio file. The audio file is limited to being 3 seconds or less! I used Audacity for editing my WAV. Make sure it's a Stereo WAV, 44100Hz and 32-bit float. I'm not sure if lesser and greater specifications will work. If when you install the cia file the logo doesn't appear then it probably means your wav file was incompatible.

    Name your WAV "audio.wav" and save it into "C:\anes\bannertool"and then drop to a command prompt (press WINKEY+R, type in "cmd", press "enter" then type in "cd\anes\bannertool" then "enter"). Once in there type in "bannertool makecwav -i audio.wav -o banner.bcwav" and press "enter". This will convert your audio file to one that is compatible with the template that we'll compile.

    Copy the "banner.bcwav" over the one in the template (located in "C:\anes\ba-GUI-nnertool\Projects\Banner\NES\V2").

    [​IMG]

    When you're done with this go back to "ba-GUI-nnertool" and select the "Banner" tab. Now click on the Browse button next to "Banner bcmdl/png:" text and browse to "C:\anes\ba-GUI-nnertool\Projects\Banner\NES\V2" and select "banner0.bcmdl" and then click on "Begin". Once it's done click on the "Banner Folder" icon and browse to "C:\anes\ba-GUI-nnertool\Projects\Banner\_output", copy the "banner.bnr" file inside of that folder and place it in "C:\anes\PackHack\ExtractedExeFS" overwriting the previous file.

    [​IMG]

    We're almost done. So we've replaced the ROM image and editing the custom graphic/sound asset(s) and now it's time to change the original game/emulators Unique Title ID so you can install it without it over writing the original. To do this load up your HEX Editing software again and open the "DecryptedExHeader.bin" in the "C:\anes\PackHack" folder. Navigate to 00000200 line and locate the Title ID of your game. It will start with 00 04 00 (reading backwards). In the picture you'll see the entire ID highlighted as it reads "00 66 66 00 00 00 04 00". You can only change the two bytes that are "66" and "66" to anything you like. So you're only going to be changing 0000200 #1 and 0000200 #2. When you go to launch your game and if it errors you probably didn't change the correct bytes. Once you are done save the file and now it's time to pack the 3DS file.

    [​IMG]

    Okay, let's package the data we've been editing into a native self contained executable 3DS file. If you need a CIA file we'll get to that, but first we must pack up the 3DS file. To accomplish this you must run "3DS Builder.exe" from "c:\anes". Once it's loaded you'll need to provide the program with five items. #1 is the location of the RomFS, #2 is the location of the ExeFS, #3 is the ExHeader, #4 is the destination of the 3DS file and lastly #5 we have the serial number of the 3DS file to be created.

    [​IMG]

    #1 - Navigate and Select "C:\anes\PackHack\ExtractedRomFS"
    #2 - Navigate and Select "C:\anes\PackHack\ExtractedExeFS"
    #3 - Navigate and Select "C:\anes\PackHack\DecryptedExHeader.bin"
    #4 - Navigate to and Name (with extension) "C:\anes\3DS Simple CIA Converter v4.30\roms"
    #5 - Fill in the Four XXXX with anything you would like

    You will notice we've saving the 3DS file inside of the "C:\anes\3DS Simple CIA Converter v4.30\roms" folder due to the fact this is where it needs to be if you're going to be converting it into a CIA otherwise save it anywhere you would like to.

    Once you've filled in all of the fields click on "Go" and you've now packaged the 3DS ROM Image.

    [​IMG]

    To convert the resulting 3DS ROM Image to a CIA (you should have saved the 3DS in the "C:\anes\3DS Simple CIA Converter v4.30\roms" folder with a file name and .3ds extension) load up "3ds_simple_cia.exe" from within the "C:\anes\3DS Simple CIA Converter v4.30" folder and then select "Convert 3DS ROM to CIA" and pick "Select Folder" once it opens up a file selection box (make sure it's in "C:\anes\3DS Simple CIA Converter v4.30\roms"). If all goes well you will now have a CIA inside of the "C:\anes\3DS Simple CIA Converter v4.30\cia" folder which you can install using your favorite package manager.

    [​IMG]

    I'd like to thank @cearp with helping me with this along with the authors of the programs used during the duration of this guide! Cya in the next guide!

    Credits/Resources

    https://gbatemp.net/threads/the-general-vc-rom-injection-thread-nes-gb-c-a-etc.371894/
    http://tuxnes.sourceforge.net/nesmapper.txt
    http://www.romhacking.net/utilities/683/
    http://pastebin.com/A1s8cmsD
    https://github.com/ihaveamac/3DS-rom-tools/wiki/Decrypt-a-game-or-application-using-a-3DS

    [​IMG]
     
    Last edited by cots, Jul 22, 2016
    Asia81, TheKingy34, Darkyose and 6 others like this.
  2. joesteve1914

    Member joesteve1914 GBAtemp Fan

    Joined:
    Jul 31, 2012
    Messages:
    328
    Country:
    United States
    Nice, that's a really helpful guide!
     
  3. cots
    OP

    Member cots GBAtemp Fan

    Joined:
    Dec 29, 2014
    Messages:
    467
    Country:
    United States
    Thanks, I put a lot of time into it. I hope you will find it useful.
     
  4. cearp

    Member cearp the ticket master

    Joined:
    May 26, 2008
    Messages:
    7,290
    Country:
    Tuvalu
    nice, i didn't know you were making a guide, and yeah it looks cool. thanks for the work
     
  5. cots
    OP

    Member cots GBAtemp Fan

    Joined:
    Dec 29, 2014
    Messages:
    467
    Country:
    United States
    Yeah, I failed to mention that, but had spent all day and last night researching, testing and writing so my brain is fried. I swear I can see dual screens now when I close my eyes.
     
    cearp likes this.
  6. Alex658

    Member Alex658 GBAtemp Maniac

    Joined:
    Jun 4, 2010
    Messages:
    1,100
    Location:
    Venezuela
    Country:
    Venezuela
    Sweet, does this include how to set up the Download Play Client for multiplayer? I really want to be able to make .nes virtual console with multiplayer capabilities.
     
  7. cots
    OP

    Member cots GBAtemp Fan

    Joined:
    Dec 29, 2014
    Messages:
    467
    Country:
    United States
    Not at this moment as I wasn't aware this was even a feature. I will look into it.
     
  8. Alex658

    Member Alex658 GBAtemp Maniac

    Joined:
    Jun 4, 2010
    Messages:
    1,100
    Location:
    Venezuela
    Country:
    Venezuela
    There are cias that support this, officially. I imagine it would be as simple as using a nes vc that has this at the moment of the injection. But i have no idea how this works at all. Every time i try with SMB3 it fails to execute the multiplayer feature.
     
  9. cots
    OP

    Member cots GBAtemp Fan

    Joined:
    Dec 29, 2014
    Messages:
    467
    Country:
    United States
    Well, I looked into it and I only own one N3DS so I won't be able to test if it works.
     
  10. Alex658

    Member Alex658 GBAtemp Maniac

    Joined:
    Jun 4, 2010
    Messages:
    1,100
    Location:
    Venezuela
    Country:
    Venezuela
    If you are able to transmit the package then it would most likely work. The error it pops out is that the wifi/wireless is disabled. (even though the green light is flashing)
     
  11. Asia81

    Member Asia81 In my Ecchi World <3

    Joined:
    Nov 15, 2014
    Messages:
    4,721
    Location:
    Albi
    Country:
    France
    If you extract a .cia with my script, no need to rebuild the .3ds with 3DS Builder then 3DS Simple CIA Converter.
    Extract your base rom with "CE", once you made all your edits", rebuild the cia with "CR".
    No need to use 3DS Builder and 3DS Simple CIA Converter
     
  12. cots
    OP

    Member cots GBAtemp Fan

    Joined:
    Dec 29, 2014
    Messages:
    467
    Country:
    United States
    Where are your scripts located? Your signature is full of links; are they in there someplace?
     
  13. Asia81

    Member Asia81 In my Ecchi World <3

    Joined:
    Nov 15, 2014
    Messages:
    4,721
    Location:
    Albi
    Country:
    France
    Uh... It's what you have used in your tuto, look the men of HT3DS
     
  14. cots
    OP

    Member cots GBAtemp Fan

    Joined:
    Dec 29, 2014
    Messages:
    467
    Country:
    United States
    You'd think with how much I've used the programs I would have seen that. Sometimes I think my selective vision is too much of a problem. Thanks!
     
  15. cots
    OP

    Member cots GBAtemp Fan

    Joined:
    Dec 29, 2014
    Messages:
    467
    Country:
    United States
    I was wondering how do you change the TitleID with your program? If you edit the "DecryptedExHeader.bin" it has no effect if you build it with PackHack.
     
  16. Asia81

    Member Asia81 In my Ecchi World <3

    Joined:
    Nov 15, 2014
    Messages:
    4,721
    Location:
    Albi
    Country:
    France

Share This Page