Hacking #FEGecko: Trainer GUI for Tokyo Mirage Sessions #FE

[MiMiCAX]

Some of you may know XCXGecko. Well, I've begun some work towards a similar tool for #FE, called SFEGecko. You can get the latest release here (look for version number starting with sfe###, e.g. sfe0.2).

Q: how to run this?
A: please read through forum posts on XCXGecko

Q: does this work with / without Loadiine?
A: I had successfully tested it with Loadiine v3 and GX2 v0.3 on 5.3.2. GX2 version on 5.3.2 will require a different offset (0x1140 I think). It SHOULD work with disc too (but see next Q).

Q: why are the codes not working?
A: you will need to choose an appropriate offset for all code address that works for your Wii U OS + Loadiine version + game region. There's a 'Offset:' dropdown combobox in the top toolbar where you can choose different offsets.

Q: but what if none of those offsets work?
A: You can use "Global Address Offset" tab or another tool like Gecko.NET to find the appropriate offset for your setup. See instructions here.

Q: can you make a code for X?
A: maybe... I have limited time these days, so it'll be better if you PM me the code for X and I can add it to the list.

Q: I want to help you add more codes
A: PM me and we can talk

Q: I added an item/performa item/clothing, but it's not working with Tiki / showing a blank icon?
A: you need to get at least 1 of said item legally in-game first.

Q: what are your planned features?
A: I'll try to implement some of the following features every weekend:
- actual character tab (like XCXGecko)
- fix Melmark
- find max legit value for Stage Rank Exp
- mapping out all items/performa items/key items
- look for ways to obtain weapon, increase their +#, and update their experience
- accessories

Enjoy!

 

[Deleted User]

Woah this is pretty awesome Not if I only had a SD card big enough to hold Tokyo Mirage. There only needs to be a Sm4sh trainer now.

 

[Mandikiri]

So these codes do work, yes?

Because I connected with Gecko.NET and the editor, but I can't see to get the codes to activate. I pick them, but when I look into the game. I see no changes made.

Maybe I am doing something wrong?

 

[MiMiCAX]

So these codes do work, yes?

Because I connected with Gecko.NET and the editor, but I can't see to get the codes to activate. I pick them, but when I look into the game. I see no changes made.

Maybe I am doing something wrong?

You probably need to adjust the global address offset for all codes (see "Payload: [...]" dropdown at top of GUI + "Global Address Offset" tab).
The default offset assumes WiiU OS 5.3.2, Loadiine v3, and US version of game.
If you don't have this setup, then you will need to find the offset for your version. Here's one way how:

1. load into your save game on #FE
2. find how much Yen (money) you have by going into the main menu
3. on SFEGecko, click on the "Global Address Offset" tab
   
4. if you have US/EU version of the game, set the "Scan From/To" fields to 0x49000000 and 0x49FFFFFF; if you have the JP version, set them to 0x4E000000 and 0x4EFFFFFF
5. in the "Current Value" field, enter the amount of Yen that you see in game
6. press the "Scan" button (magnifying glass)
7. wait for a while, until the table in the GUI populates with entries (if you use a smaller memory range it'll go faster, but you might not find the proper offset)
8. if there is one entry, click on it, then click on the "Accept" button (checkmark, near the bottom-right corner of the window)
9. if there are more than one entry, find a way in-game to change your money amount (e.g. buy/sell at He Ho Mart / win fight), then go to step 5
10. if there are no entries, then you need to choose a different memory scanning range

Some of the codes do not change what's displayed on-screen immediately, so you should enter battle / exit and re-enter menu / re-talk to Tiki / etc. to see it being reflected

P.S.: I thought that the Gecko code handler on the Wii U only accepts one client connection at a time, so I'm not sure what you meant when you said you "connected with Gecko.NET and the editor"

 

[Mandikiri]

You probably need to adjust the global address offset for all codes (see "Payload: [...]" dropdown at top of GUI + "Global Address Offset" tab).
The default offset assumes WiiU OS 5.3.2, Loadiine v3, and US version of game.
If you don't have this setup, then you will need to find the offset for your version. Here's one way how:

1. load into your save game on #FE
2. find how much Yen (money) you have by going into the main menu
3. on SFEGecko, click on the "Global Address Offset" tab
   
4. if you have US/EU version of the game, set the "Scan From/To" fields to 0x49000000 and 0x49FFFFFF; if you have the JP version, set them to 0x4E000000 and 0x4EFFFFFF
5. in the "Current Value" field, enter the amount of Yen that you see in game
6. press the "Scan" button (magnifying glass)
7. wait for a while, until the table in the GUI populates with entries (if you use a smaller memory range it'll go faster, but you might not find the proper offset)
8. if there is one entry, click on it, then click on the "Accept" button (checkmark, near the bottom-right corner of the window)
9. if there are more than one entry, find a way in-game to change your money amount (e.g. buy/sell at He Ho Mart / win fight), then go to step 5
10. if there are no entries, then you need to choose a different memory scanning range

Some of the codes do not change what's displayed on-screen immediately, so you should enter battle / exit and re-enter menu / re-talk to Tiki / etc. to see it being reflected

P.S.: I thought that the Gecko code handler on the Wii U only accepts one client connection at a time, so I'm not sure what you meant when you said you "connected with Gecko.NET and the editor"

Alright. I will try those steps you mentioned. I do have the disc version, but thanks for showing me those steps. I'll try it and see if it works.

Regarding the connecting to two clients. I meant it in the sense that I first connect to Gecko.NET to see if it connected and then disconnect to then connect to the editor.

 

[Mandikiri]

So I tried the steps that you mentioned, but when I get to the part that I have to hit the scan button, I get this error; "Specified upper bound (0x49FFFFFF) must be within 4-multiple of orig. code address".

Sorry for the bother, but I do appreciate lots the help you're giving me.

 

[MiMiCAX]

So I tried the steps that you mentioned, but when I get to the part that I have to hit the scan button, I get this error; "Specified upper bound (0x49FFFFFF) must be within 4-multiple of orig. code address".

Sorry for the bother, but I do appreciate lots the help you're giving me.

Ah that's right, I added that check. Okay, first try these ranges:
US/EU: 0x49AE0000 to 0x49B00000
JP: 0x4C200000 to 0x4C400000

If those don't work, try the following (wider) ranges:

US/EU: 0x49000000 to 0x4A000000
JP: 0x4C000000 to 0x4D000000

 

[Mandikiri]

Ah that's right, I added that check. Okay, first try these ranges:
US/EU: 0x49AE0000 to 0x49B00000
JP: 0x4C200000 to 0x4C400000

If those don't work, try the following (wider) ranges:

US/EU: 0x49000000 to 0x4A000000
JP: 0x4C000000 to 0x4D000000

Thank you for the reply.

Well I entered the first ranges and although they didn't give me the error that I was getting, it couldn't find any candidates.

Now the second ranges ended up giving me the error of "READ BLOCK failed: timed out". Not sure what that one means.

 

[ness151]

Thanks for creating this tool, however, I'm unable to search any of the address ranges you recommended for the offset I need for my setup. They either find 0 results or time out during the search period..

 

[MiMiCAX]

Those address ranges were merely my guesses. I have a 5.3.2 US WiiU, with all regions of the game available, so if you have a compatible setup then let me know and I can try to find the address offset.

However, I know that most people probably are on 5.5.1. In that case, ideally you should use gecko dot net or jgeckou to scan for the yen code's address within the entire memory range (0x10000000-0x50000000 at least; beware that depending on setup the WiiU might crash around 0x4B000000, in which case you should stop scanning before that.)

I'm dead certain that regardless of the WiiU os or pygecko setup or loadiine vs disc, the yen value will be stored somewhere in memory (since we are all using the same game code, but our memory blocks are possibly shifted compared to each other). To get the offset value, subtract your yen address from the one in sfegecko (labelled Base Addr in Global Address Offset tab), and convert the result into a signed hex value.

If you find the yen address or offset for your setup, please share it here along with details of your setup: WiiU OS, disc or eshop or loadiine, loadiine version, game region, pygecko payload type, ...

 

[Laucian]

Well I entered the first ranges and although they didn't give me the error that I was getting, it couldn't find any candidates.

Now the second ranges ended up giving me the error of "READ BLOCK failed: timed out". Not sure what that one means.

I'm having the same issue.

use gecko dot net or jgeckou to scan for the yen code's address

I've tried this as well, even if I search the entire memory it comes back as "0 results". People are having the same issue over here. For reference my setup is:

WiiU OS: 5.5.1
disc or eshop or loadiine: Loadiine
loadiine version: Gx2 v0.3
game region: US
pygecko payload type: I'm not sure how to find this, I just use the one that runs through Loadiine.

 

[sleepymanakete]

Going to use. Thank you for this tool ^^
WiiU FW: 5.5.1
disc or eshop or loadiine: Disc
loadiine version: Not sure
game region: US
pygecko payload type: N/A

 

[ness151]

Those address ranges were merely my guesses. I have a 5.3.2 US WiiU, with all regions of the game available, so if you have a compatible setup then let me know and I can try to find the address offset.

However, I know that most people probably are on 5.5.1. In that case, ideally you should use gecko dot net or jgeckou to scan for the yen code's address within the entire memory range (0x10000000-0x50000000 at least; beware that depending on setup the WiiU might crash around 0x4B000000, in which case you should stop scanning before that.)

I'm dead certain that regardless of the WiiU os or pygecko setup or loadiine vs disc, the yen value will be stored somewhere in memory (since we are all using the same game code, but our memory blocks are possibly shifted compared to each other). To get the offset value, subtract your yen address from the one in sfegecko (labelled Base Addr in Global Address Offset tab), and convert the result into a signed hex value.

If you find the yen address or offset for your setup, please share it here along with details of your setup: WiiU OS, disc or eshop or loadiine, loadiine version, game region, pygecko payload type, ...

I'm on WiiU 5.3.2 spoofed to 5.5.1. I'm using the same Loadiine setup you are, the only difference is I'm using the reincarnation patch.

 

[sleepymanakete]

I got it connected but it says "time out" when I scan. I used both US ranges.

 

[MiMiCAX]

@ all: the offset address scan feature in #FEGecko is very primitive (I coded it up in less than 1h). This is probably why it fails when a large memory range (since it's asking pyGecko to return a single char array containing all the bytes in that range, as opposed to multiple smaller-sized chunks). Therefore, you should consider scanning for the code initially using Gecko.NET or JGeckoU.

@ness151: I'm also using the reincarnation patch... Try using an offset of +0x1140 or -0x1140 (enter it on the bottom field in the "Global Address Offset" tab, click on the checkmark button, then try to read the value of some of the codes in the "Other Codes" tab.

I continue to firmly stand by my belief that the only difference between different WiiU OS versions is a single, static memory offset. Nevertheless, there is a small chance that this offset is not word-aligned. Here are the steps to test out this theory:

1. load save game, and buy items until you have less or equal to 255 yen
2. in Gecko.NET, specify a wide memory range, then scan for your money amount as an 8-bit value
3. in the game, buy/sell items / fight enemies until you have a different money amount, but is still <= 255
4. repeat steps 2-3 until you find a single address
5. if you don't find the address, go back to step 2 and try a different / wider memory range (widest being 0x10000000 to 0x50000000)
6. when you find the address, convert hex to decimal, minus 3 (bytes), convert back to hex, and that will be the code address for your setup
7. the offset to use in SFEGecko is computed as [your address] - 0x49AEF468, specified as a signed hex value
8. share your success by replying to this thread

 

[sleepymanakete]

@ all: the offset address scan feature in #FEGecko is very primitive (I coded it up in less than 1h). This is probably why it fails when a large memory range (since it's asking pyGecko to return a single char array containing all the bytes in that range, as opposed to multiple smaller-sized chunks). Therefore, you should consider scanning for the code initially using Gecko.NET or JGeckoU.

I did in jGecko, the search said "Not implemented" and doesn't do anything.

 

[Laucian]

Here are the steps to test out this theory:

Just tried it, after the second "Refine" it came back as no results.

I did in jGecko, the search said "Not implemented" and doesn't do anything.

Try using the TCPGecko Client, not jGecko U.

 

[MiMiCAX]

Just tried it, after the second "Refine" it came back as no results.

Well that's a big bummer... I'm not willing to upgrade from 5.3.2 (maybe even more so now), so here are some possibilities that I can think of:

a) it's stored elsewhere in memory? e.g. 0x01000000, ... (see http://wiiubrew.org/wiki/Cafe_OS)

b) it's not byte-aligned? validating this theory would require more complex set of test sets, e.g. to test if code is 1-bit rshifted, only scan when money changes by a multiple of 2; also this may require searching via inequalities (e.g. "Greater or Equal to") rather than only "Equal to"

c) I have to accept the possibility, no matter how small, that memory is truly different between 5.3.2 and 5.5.1; perhaps this game has some memory obfuscating techniques that is only applicable on 5.5.1

Here's an interesting request for some1 with 5.5.1 and US version of game: start a new game, play until the VERY FIRST instance that you can save, save, then and make a memory dump between 0x10000000 to 0x4B000000 (or 0x50000000 if it doesn't crash your game). Zip it and upload it somewhere, so I can compare against my own dump. Please also specify some key in-game stats: yen amount, Itsuki's lvl, max HP, max MP, str, ..., remaining exp to next lvl.

 

[MiMiCAX]

Tokyo Mirage Sessions #FE
Jgecko U Memory viewer values US version

Yen
value-4C3305A8
change-05F5E0FF

Itsuki
exp value- 4C327260
change (max level)-0013BD20
stage rank
value-4C32725C
change (max rank)-00002707
Tsubasa
exp value- 4C3275C0
change (max level)-0013BD20
stage rank
value-4C3275BC
change (max rank)-00002707
touma
exp value- 4C327920
change (max level)-0013BD20
stage rank
value-4C32791C
change (max rank)-00002707
kira
exp value- 4C327C80
change(max level)-0013BD20
stage rank
value-4C327C7C
change (max rank)-00002707
elenora
exp value- 4C327FE0
change (max level)-0013BD20
stage rank
value-4C327FDC
change (max rank)-00002707
mamori
exp value- 4C328340
change (max level)-0013BD20
stage rank
value-4C32833C
change (max rank)-00002707
yashiro
exp value- 4C3286A0
change (max level)-0013BD20
stage rank
value-4C32869C
change (max rank)-00002707

Seems like these codes might be from 5.5.1 OS w/ US version. Try scanning the range 4C3305A8-4C3305AC, or a bit broader, like 4C330000-4C340000

 

[Laucian]

Here's an interesting request for some1 with 5.5.1 and US version of game: start a new game, play until the VERY FIRST instance that you can save, save, then and make a memory dump between 0x10000000 to 0x4B000000 (or 0x50000000 if it doesn't crash your game). Zip it and upload it somewhere, so I can compare against my own dump. Please also specify some key in-game stats: yen amount, Itsuki's lvl, max HP, max MP, str, ..., remaining exp to next lvl.

Ask and yea shall receive: LINK I made 2 dumps, one at the very start of the game(with only a yen value) and one after the first fight(with some other stats). There's a file with the values in the zip.