Hacking How to patch the NSMB image to get NEWER

[Wiimm]

This is a first idea. I have no time or interests to do it, but I 'll show you a way, how it could be done.


How to:

1. Extract image: wit extract nsmb.wbfs nsmb.d
2. Replace and copy new files to nsmb.d/files/... following the instructions of the XML file.
3. Patch main.dol (see below).
4. Patch the loader (see below).
5. Create a new image with:
   wit copy nsmb.d -ovv newer-smb.wbfs --id=K --name "Newer SMB"

Patch main.dol

First we look inside main.dol, using "wit DUMP" (wit is more than an image tool):

Spoiler

# wit dump fst/nsmb.d/sys/main.dol

Dump of file fst/nsmb.d/sys/main.dol

  File size:            354b00/hex =    3492608 = 3411 KiB
  File type:        DOL

  Memory map of DOL file:

    :  off(beg) ..  off(end) :   size : info
    ----------------------------------------------------------
    :         0 ..       100 :    100 : DOL header
    :       100 ..      27c0 :   26c0 : text section #0
    :      27c0 ..    2e9d20 : 2e7560 : text section #1
    :    2e9d20 ..    2e9d80 :     60 : data section #0
    :    2e9d80 ..    2e9de0 :     60 : data section #1
    :    2e9de0 ..    2ea0c0 :    2e0 : data section #2
    :    2ea0c0 ..    2ea0e0 :     20 : data section #3
    :    2ea0e0 ..    2fa7a0 :  106c0 : data section #4
    :    2fa7a0 ..    34da80 :  532e0 : data section #5
    :    34da80 ..    34ffa0 :   2520 : data section #6
    :    34ffa0 ..    354b00 :   4b60 : data section #7
    :    354b00 ..    354b00 :      0 : --- end of file ---

  Memory map of DOL image:

    :  off(beg) ..  off(end) :   size : info
    --------------------------------------------------------
    :  80004000 ..  800066c0 :   26c0 : text section #0
    :  80004050 ..  80004050 :      0 : entry point
    :  800066c0 ..  80006720 :     60 : data section #0
    :  80006720 ..  80006780 :     60 : data section #1
    :  80006780 ..  802edce0 : 2e7560 : text section #1
    :  802edce0 ..  802edfc0 :    2e0 : data section #2
    :  802edfc0 ..  802edfe0 :     20 : data section #3
    :  802edfe0 ..  802fe6a0 :  106c0 : data section #4
    :  802fe6a0 ..  80351980 :  532e0 : data section #5
    :  80351980 ..  8042ff1c :  de59c : bss section
    :  80427980 ..  80429ea0 :   2520 : data section #6
    :  8042b360 ..  8042fec0 :   4b60 : data section #7

The second table shows the virtual addresses of a loaded/running image, divided into sections. The first table shows the related offsets of the file.

Let us analyse a singe <memory> tag (PAL):

<memory offset="0x800E4E84" value="38600000" original="3863330C" />

800E4E84 lays in "text section #1" at offset 800E4E84-80006780 = DE704. The first table says, the file offset is 27C0+DE704 = E0EC4. Let us look into a hexdump of main.dol:

e0ec0: 3c 60 80 2f  38 63 33 0c  48 1f 29 19  38 60 00 3f  :<`./8c3.H.).8`.?:
		    ^^^^^^^^^^^

We find the value of attribute "original=" at the offset. Replace it by 38600000, and this single patch is done.

Now do this patch with all memory tags.


Patch the loader

The only problem, I see is:

<memory offset="0x80001800" valuefile="Loader.bin" />

I don't know, what to do with this. it is loaded before main.dol. Is it the IMGLOADER.BIN? The file "Loader.bin" is available in the newer distrib.

 

[Treeki]

Loader.bin is just a small thing which detects the game version, reads the appropriate files containing code+binary patches from the "disc" (well, in Riivolution's case they're not on the disc, but whatever) and applies them. It's VERY important for Newer to work at all.

The included version is built to be loaded at 0x80001800, so you've got to place it there... not sure if you're able to do that with the .dol format though.


If someone really wanted to, they could move it to another address, edit the code inside loader.bin (it's just a blob of PPC ASM with a few strings at the end) to fix the lis/ori addresses and change the memory patch that writes 80001800 to a pointer to the new loader location.

I wonder if anyone with enough knowledge to do it will actually do it and release it, though

Also, don't expand the .dol sections. If you do that, the load address of the .rels will change and it'll totally screw up the new code.

 

[secretchaos1]

I really wish I had knowledge on asm to take a stab at this, but I'm afraid I probably wouldn't be able to figure out much of anything without a lot of learning. Hopefully someone comes by with the right know how to make it work, since it seems like you guys have really laid out most of the instructions for them. It's great to see that there's actual attempts being made towards making this happen instead of just arguments.
Looking forward to playing Newer soon as well, it looks like you guys put together a better sequel than the bland looking ones Ninty has rolled out lately.

 

[Hoowahman]

Has anyone attempted this? Seems promising!

 

[Wiimm]

That's the stuff Treeki and damysteryman talk about in the other thread, where you have posted a few minutes ago.

 

[SifJar]

If someone really wanted to, they could move it to another address, edit the code inside loader.bin (it's just a blob of PPC ASM with a few strings at the end) to fix the lis/ori addresses and change the memory patch that writes 80001800 to a pointer to the new loader location.

Just to see if I've got this right - so something like this:

 164:    3f e0 80 00    lis    r31,-32768 ;0x8000
168:    63 ff 18 04    ori    r31,r31,6148 ;0x1804

refers to the offset 0x4 within the file, so if loader.bin was going to be located at, say, 0x80001700, the above would become something like this:

lis        r31,-32768 ;0x8000
ori        r31,r31,5892 ;0x1704

And this would have do be done for all lis/ori pairs?

(I couldn't really be bothered following through with this, just curious if I'm on the right tracks)

 

[Treeki]

Just to see if I've got this right - so something like this:
[...]

(I couldn't really be bothered following through with this, just curious if I'm on the right tracks)

Yes, that sounds about right

 

[JasonP27]

ok so the Newer Summer Sun PAL xml - first memory tag
memory offset="0x800E4914" value="3C600140" original="3C600120"
800E4914-80006780 = D E194
27C0 + D E194 = E 0954
but at the PAL main.dol offset E 0954 there is no value of 3C600120
it's all 00000000
so what am I doing wrong?

 

[SifJar]

ok so the Newer Summer Sun PAL xml - first memory tag
memory offset="0x800E4914" value="3C600140" original="3C600120"
800E4914-80006780 = D E194
27C0 + D E194 = E 0954
but at the PAL main.dol offset E 0954 there is no value of 3C600120
it's all 00000000
so what am I doing wrong?

That's the JPN offset. The PAL one is 0x800E4A84, so offset in DOL is 0xE0AC4

 

[JasonP27]

oh duh ... thanks

edit: yeah got it now... about to test it out

edit2: crashed at the wiistrap screen

 

[SifJar]

oh duh ... thanks

edit: yeah got it now... about to test it out

edit2: crashed at the wiistrap screen

Have you modified and inserted loader.bin, and changed the memory patch which patches the address of loader.bin? If not, it's not going to work...

 

[damysteryman]

I have built and released a package that can easily build a ISO of Newer once you provide it with the Newer files, and a valid NSMBW ISO, currently only the PAL/EURv1 NSMBW ISO is supported atm, but I would like th add support for USA and JPN versions too.

I just posted it over on the other "main" Newer Released thread.
Original post here.

 

[JasonP27]

Have you modified and inserted loader.bin, and changed the memory patch which patches the address of loader.bin? If not, it's not going to work...

no I figured that out after re-reading Treeki's post... I know where I want to place loader.bin, but can't figure out how to get the offset to add to the values in loader.bin, and how to edit loader.bin... I assume with IDA and set the processor to PPC but it asks about where it starts and press C and I'm just lost lol.

@damysteryman - I saw it in the other thread... great work ... I'm trying to do the Summer Sun one now but not quite knowledgeable enough to modify the loader.bin

 

[SifJar]

no I figured that out after re-reading Treeki's post... I know where I want to place loader.bin, but can't figure out how to get the offset to add to the values in loader.bin, and how to edit loader.bin... I assume with IDA and set the processor to PPC but it asks about where it starts and press C and I'm just lost lol.

@damysteryman - I saw it in the other thread... great work ... I'm trying to do the Summer Sun one now but not quite knowledgeable enough to modify the loader.bin

You don't need to use IDA, you can do it with free tools (objdump, as, objcopy; all supplied as part of devkitPro).

To disassemble the .bin, this is the command:

powerpc-eabi-objdump -D -b binary -m powerpc -EB Loader.bin > Loader.S

That'll get you a .S file with all the ASM. Inside look for lis and ori commands, like the ones I posted above. Once you've worked out what to change them to, create a new .S file with contents like this:

lis        r31,-32768 ;0x8000
ori        r31,r31,5892 ;0x1704

Then compile this smaller .S file with this command:

powerpc-eabi-as -mregnames -be example.S

This will generate a file "a.out", we just want the binary code, so after the above run:

powerpc-eabi-objcopy -O binary a.out a.bin

a.bin will (in the above example) now be an 8 byte file containing the two commands above. Open with a hex editor, copy these 8 bytes and overwrite the original 8 bytes in Loader.bin.

Repeat for each lis & ori pair.

There are probably simpler ways to do it, but this should work.

EDIT: Oh, all commands should be run from the "devkitPPC\bin" directory within devkitPro's install directory.

 

[JasonP27]

... Inside look for lis and ori commands, like the ones I posted above. Once you've worked out what to change them to...

Yeah that's the part I'm stuck at. I'm not sure how to work out the translations.
Thanks for the info. Installing devkitPro as I write this.

 

[damysteryman]

Ok, I have managed to acquire .dol files for USA v1 (I think, just trying to double check atm), and for USAv2. So that, along with my EURv1, is 3 versions out of 6 (I think).
I have also gotten the files for Cannon Bros, Another, Summer Sun, and Newer Holiday Special.
So I should hopefully be able to convert more of these within the next few days or week or so.

 

[JasonP27]

Ok, I have managed to acquire .dol files for USA v1 (I think, just trying to double check atm), and for USAv2. So that, along with my EURv1, is 3 versions out of 6 (I think).
I have also gotten the files for Cannon Bros, Another, Summer Sun, and Newer Holiday Special.
So I should hopefully be able to convert more of these within the next few days or week or so.

Well I was gonna definitely do "Another" and maybe the Holiday Special. I'm trying to do Summer Sun too but might not get it right. I'll let you know what I do so you don't have to do them all lol.

edit: if I want to place loader.bin at 34 43C0, how do I work out the translation to change the addresses in loader.bin?

 

[SifJar]

Yeah that's the part I'm stuck at. I'm not sure how to work out the translations.
Thanks for the info. Installing devkitPro as I write this.

Well, with objdump, the numbers are given in decimal. convert to hex and you'll get a 4-digit hex number ("32-bit" number). combine a lis and the subsequent ori and you get a 64-bit number (8 digits) which gives a memory address. Most (all?) of those addresses refer to locations within Loader.bin as it would be loaded in memory. By default it is loaded at 0x80001800, so all addresses should be within 2408 bytes of that (size of Loader.bin). To get the offset within Loader.bin, obviously you just subtract 0x80001800. Then you add the address you're placing Loader.bin at to the offset within Loader.bin to get the new address, and that's the address you use in your modified Loader.bin.

But are the memory patches etc. actually different in whatever mod it is you're using, or is it just the resources are different? Because if it's just the resources, there's no point re-doing what damysteryman already did with the PPF patch for the DOL...

 

[JasonP27]

There are different memory patches in Newer Summer Sun... much much less patched. However if the loader.bin just loads the same type of patches and the patches do the rest... perhaps the same loader.bin will suffice, and I can copy the changed loader.bin from his pre-patched .dol to my .dol with xml memory patches to form a Summer Sun dol ?

 

[damysteryman]

@JasonP27:
Ah ok, either way, just looked at Another, and looks like it also has a Loader, but it is actually inside of the .xml instead of being its own file. Thanks THe more you do the less I have to do myself

As for the Loader, you have to find out where it will sit in memory. Do you mean the loader will sit at 0x803443C0 in memory, or is 0x3443C0 an absolute offet in the main.dol file itself?