Hacking WiiU VC game injection working on 5.3.2

[the_randomizer]

FYI, you can dump ROMs. I just dumped Super Mario Kart and tested it on SNES9X. It seemed to have some audio issues, but that is prob due to the emulator. Files looked the same in a hex editor. More testing to come to compare them.

1) Find out how large the game you want to dump is
2) Find out where the start of the ROM is: we know this... SNES (and I believe NES?) games start at 10502250
3) Find out where your ROM ends... Google 0x10502250 + 0xYOURROMSIZE for easy calculation
4) TCP Gecko Client -> Tools -> fill in Memory Dumping Start and End
5) Hit Dump

Ex: Super Mario Kart is 512KB, or 0x7FFF0
ROM starts at 0x10502250
ROM ends at 0x10502250 + 0x7FFF0 = 0x10582240
Put 10502250 and 10582240 in and dump it for all 512KB games
Rename to .sfc to load into emulator

For Snes9x, you need to change the API to XAudio2 and audio buffer size to 160 ms or so Just a heads up, and the sampling frequency to around 31850 Hz should help too. That's cool, didn't know that could be done, but I still feel like I've been wasting everyone's time, I don't know for sure, but thanks for that info, man

I assume you loaded the VC game then ran TCP Gecko?

 

[PhyChris]

FYI, you can dump ROMs. I just dumped Super Mario Kart and tested it on SNES9X. It seemed to have some audio issues, but that is prob due to the emulator. Files looked the same in a hex editor. More testing to come to compare them.

1) Find out how large the game you want to dump is
2) Find out where the start of the ROM is: we know this... SNES (and I believe NES?) games start at 10502250
3) Find out where your ROM ends... Google 0x10502250 + 0xYOURROMSIZE for easy calculation
4) TCP Gecko Client -> Tools -> fill in Memory Dumping Start and End
5) Hit Dump

Ex: Super Mario Kart is 512KB, or 0x7FFF0
ROM starts at 0x10502250
ROM ends at 0x10502250 + 0x7FFF0 = 0x10582240
Put 10502250 and 10582240 in and dump it for all 512KB games
Rename to .sfc to load into emulator

well there you go!

edit: don't forget MD5 on header-less

 

[fiveighteen]

Ah.. there ARE differences!

1) 0x2C4400C to 0x2FA9003 is different.
2) 0x3800007 to 0x3D44002 is different.

The dumped ROM's difference parts were filled with PCMF between random bytes... only thing I could find similar is HERE. Seems to be related to my sound issues on PC.

 

[VinsCool]

FYI, you can dump ROMs. I just dumped Super Mario Kart and tested it on SNES9X. It seemed to have some audio issues, but that is prob due to the emulator. Files looked the same in a hex editor. More testing to come to compare them.

1) Find out how large the game you want to dump is
2) Find out where the start of the ROM is: we know this... SNES (and I believe NES?) games start at 10502250
3) Find out where your ROM ends... Google 0x10502250 + 0xYOURROMSIZE for easy calculation
4) TCP Gecko Client -> Tools -> fill in Memory Dumping Start and End
5) Hit Dump

Ex: Super Mario Kart is 512KB, or 0x7FFF0
ROM starts at 0x10502250
ROM ends at 0x10502250 + 0x7FFF0 = 0x10582240
Put 10502250 and 10582240 in and dump it for all 512KB games
Rename to .sfc to load into emulator

Ah.. there ARE differences!

1) 0x2C4400C to 0x2FA9003 is different.
2) 0x3800007 to 0x3D44002 is different.
3) The dumped ROM had an extra 0x10 on the end... "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"

For 1 and 2, the dumped ROM's difference parts were filled with PCMF between random bytes... only thing I could find similar is HERE. Seems to be related to my sound issues on PC.

Donkey Kong 64 dump and .z64 rom is a prefect match though.

 

[fiveighteen]

The differences in mine appear to be only for PCM (pulse-code modulation) audio files. Maybe it's an SNES thing. If anyone else can dump their ROM's it would help to verify

 

[VinsCool]

The differences in mine appear to be only for PCM (pulse-code modulation) audio files. Maybe it's an SNES thing. If anyone else can dump their ROM's it would help to verify

I forgot to specity.

the rom file from VC files, the rom from ram, and the .z64 are all perfect match

 

[fiveighteen]

I forgot to specity.

the rom file from VC files, the rom from ram, and the .z64 are all perfect match

Well the ROM from RAM and the ROM in the VC files are literally the same thing.

--------------------- MERGED ---------------------------

Oops. Just realized a big mistake.... 512KB isn't 0x7FFF0.. it's 0x80000!!! I misinterpreted that a long time ago and never double checked it. So the dumped ROM didn't have an extra 0x10, it was missing 0x10 lol.

 

[the_randomizer]

Well the ROM from RAM and the ROM in the VC files are literally the same thing.

--------------------- MERGED ---------------------------

Oops. Just realized a big mistake.... 512KB isn't 0x7FFF0.. it's 0x80000!!! I misinterpreted that a long time ago and never double checked it. So the dumped ROM didn't have an extra 0x10, it was missing 0x10 lol.

May I ask how you calculated the ROM size in hex like that? I tried to Google it, but to no avail, I don't even know how to actually about dumping it like this, esp since I'm using HxD to look at the ROM's code. I admit it, I'm really lost now on what's going on, aside from the fact the ROMs used in Nintendo's VC have different byte values; I'd like to dump them, I would, the question is though, will this lead to better compatibility?

Sorry if I sound like a noob, I just don't know how you calculated the ROM size or actually did what you did. I suck at this stuff

Edit: *Sigh* Who am I kidding, this stuff might be out of my league.

 

[fiveighteen]

512KB * 1024 bytes in a kilobytes = 524288 bytes.

524288 decimal = 80000 hex.

 

[the_randomizer]

512KB * 1024 bytes in a kilobytes = 524288 bytes.

524288 decimal = 80000 hex.

Huh, okay, simple enough, I should have known that already lol. Do you think though at some point, we can figure out why ROMs work well with one VC WAD but not when injected in another? I'm curious as to what causes that, it seems their Snes emulation isn't all that perfect as it seems to be. Some games like Earthworm Jim 2 have missing sound effects. Thanks

 

[fiveighteen]

Huh, okay, simple enough, I should have known that already lol. Do you think though at some point, we can figure out why ROMs work well with one VC WAD but not when injected in another? I'm curious as to what causes that, it seems their Snes emulation isn't all that perfect as it seems to be. Some games like Earthworm Jim 2 have missing sound effects. Thanks

I have no crystal ball lol. All we can do is keep testing stuff and maybe a pattern will emerge.

Try dumping EJ2's ROM and comparing it to a downloaded ROM. Maybe that has the PCM audio stuff too? Does injecting the downloaded ROM fix the sound issues?

 

[the_randomizer]

Try dumping EJ2's ROM and comparing it to a downloaded ROM. Maybe that has the PCM audio stuff too? Does injecting the downloaded ROM fix the sound issues?

The problem is that EWJ2 isn't available on the Snes VC, only on the Genesis/Megadrive VC I'm afraid. Unfortunately, there's no way for me to compare it; I only injected it into Donkey Kong Country. Most, if not all the ROMs I tested are not on the Snes VC download page on the eShop. Maybe that's the fatal mistake right there, I don't know for sure. Crap. I'll load up my Wii U later and list the Snes VC games I currently have:

Breath of Fire 2
Super Castlevania IV
Super Metroid
DKC 1-3
Contra 3
Super Mario World
F-zero
Kirby's Dreamland 3
Kirby's Super Star

Those two SA-1 games do not make good VC bases to go off of, very low compat. I can't remember the list of what I have off the top of my head, will update tomorrow DKC and Super Metroid seem to be the best bases for my tests.

 

[fiveighteen]

The problem is that EWJ2 isn't available on the Snes VC, only on the Genesis/Megadrive VC I'm afraid. Unfortunately, there's no way for me to compare it; I only injected it into Donkey Kong Country. Most, if not all the ROMs I tested are not on the Snes VC download page on the eShop. Maybe that's the fatal mistake right there, I don't know for sure. Crap. I'll load up my Wii U later and list the Snes VC games I currently have:

Breath of Fire 2
Super Castlevania IV
Super Metroid
DKC 1-3
Contra 3
Super Mario World
F-zero
Kirby's Dreamland 3
Kirby's Super Star

Those two SA-1 games do not make good VC bases to go off of, very low compat. I can't remember the list of what I have off the top of my head, will update tomorrow DKC and Super Metroid seem to be the best bases for my tests.

Ohhh. I misunderstood, my bad. So yeah, we need to be comparing the VC dumped ROMs with the downloaded ROMs to see what the differences are. That could potentially help us make other games more compatible.

Let me know if you need help with the hex addresses to dump them based on their different filesizes, or help doing file comparisons.

 

[the_randomizer]

Ohhh. I misunderstood, my bad. So yeah, we need to be comparing the VC dumped ROMs with the downloaded ROMs to see what the differences are. That could potentially help us make other games more compatible.

Let me know if you need help with the hex addresses to dump them based on their different filesizes, or help doing file comparisons.

Awesome, yeah, I'll only dump the games I own and compare them using HxD (if that's even a good program to use for comparison). And I made a huge derp moment, apparently, the Windows 7 calculator has a Programmer Calculator mode. So I multiply the file size x 1024 KB then click on "hex" and converts it for me

512 KB 524288 decimal = 80000 hex
1024 KB 1048576 decimal = 100000 hex
1280 KB 1310720 decimal = 140000 hex
1536 KB 1572846 decimal = 180000 hex
2048 KB 2091752 decimal = 200000 hex
2560 KB 2621400 decimal = 280000 hex
3072 KB 3145728 decimal = 300000 hex
3360 KB 3440640 decimal = 348000 hex
4096 KB 4194304 decimal = 400000 hex
6144 KB 6291456 decimal = 600000 hex

I hope these are right And thank you again, for you help, so just to get this process clear:

- Run the OSDriver (exploit)
- Run the TCPGecko Client (which I assume is on Fix94's host where I run the exploit)
- Open the VC game and then dump?

Or do I open the VC game then run the TCP Client, but after running the exploit? That part I'm not clear, when to actually initiate the dump, and I also assume the dumped ROM will go to a folder somewhere? That part also doesn't make sense to me, where does the dumped file go?

Unless it uses the IP.txt in Fix94's snesinject app.

 

[pedro702]

The problem is that EWJ2 isn't available on the Snes VC, only on the Genesis/Megadrive VC I'm afraid. Unfortunately, there's no way for me to compare it; I only injected it into Donkey Kong Country. Most, if not all the ROMs I tested are not on the Snes VC download page on the eShop. Maybe that's the fatal mistake right there, I don't know for sure. Crap. I'll load up my Wii U later and list the Snes VC games I currently have:

Breath of Fire 2
Super Castlevania IV
Super Metroid
DKC 1-3
Contra 3
Super Mario World
F-zero
Kirby's Dreamland 3
Kirby's Super Star

Those two SA-1 games do not make good VC bases to go off of, very low compat. I can't remember the list of what I have off the top of my head, will update tomorrow DKC and Super Metroid seem to be the best bases for my tests.

So injecting other sa\ chip games on kirby dream land or super star doesnt work? very wierd.since the rom is fused with the executable maybe the executable is hardcoded for those games, did you try chnaging the header of an sa1 game to match kirby dream land 3 and inject it on kirby dream land 3?

 

[fiveighteen]

I hope these are right And thank you again, for you help, so just to get this process clear:

- Run the OSDriver (exploit)
- Run the TCPGecko Client (which I assume is on Fix94's host where I run the exploit)
- Open the VC game and then dump?

Or do I open the VC game then run the TCP Client, but after running the exploit? That part I'm not clear, when to actually initiate the dump, and I also assume the dumped ROM will go to a folder somewhere? That part also doesn't make sense to me, where does the dumped file go?

Unless it uses the IP.txt in Fix94's snesinject app.

Those calculations look correct.

There's a difference between the TCP Gecko Application and the TCP Gecko Client. App gets installed on the Wii U (even though you can't see it). Client is what runs on your computer.

1) WiiU: OSDriver
2) WiiU: codehandlertcp/pyGecko (I think they're the same thing?) <---- this is the application
3) PC: Gecko dNet.exe and connect to your Wii U <---- this is the client
4) PC: Tools tab -> input start and end ranges -> dump

The dump will go into the same folder as Gecko dNet.exe unless you click Browse and specify elsewhere. I think default is named DUMP#.BIN, but you can change it before dumping.

 

[the_randomizer]

So injecting other sa\ chip games on kirby dream land or super star doesnt work? very wierd.since the rom is fused with the executable maybe the executable is hardcoded for those games, did you try chnaging the header of an sa1 game to match kirby dream land 3 and inject it on kirby dream land 3?

Wouldn't know anything about that, truth be told. The next step is Summersett wanting us to extract VC ROMs, as posted here http://gbatemp.net/threads/n64-ds-vc-game-injection-working-on-5-3-2.395930/page-19#post-5663838
so we can figure out patterns on how ROMs work, why some do and some don't, etc

Those calculations look correct.

There's a difference between the TCP Gecko Application and the TCP Gecko Client. App gets installed on the Wii U (even though you can't see it). Client is what runs on your computer.

1) WiiU: OSDriver
2) WiiU: codehandlertcp/pyGecko (I think they're the same thing?) <---- this is the application
3) PC: Gecko dNet.exe and connect to your Wii U <---- this is the client
4) PC: Tools tab -> input start and end ranges -> dump

The dump will go into the same folder as Gecko dNet.exe unless you click Browse and specify elsewhere. I think default is named DUMP#.BIN, but you can change it before dumping.

Uh, I don't think I have that folder anywhere...where can i download Gecko Dnet? I have the Wii U IP address, so I can use that too, I also assume, heh. Yeah, Fix94's host calls GeckoInstaller or something to that effect, thanks again

 

[pedro702]

Wouldn't know anything about that, truth be told. The next step is Summersett wanting us to extract VC ROMs, as posted here http://gbatemp.net/threads/n64-ds-vc-game-injection-working-on-5-3-2.395930/page-19#post-5663838
so we can figure out patterns on how ROMs work, why some do and some don't, etc


Uh, I don't think I have that folder anywhere...where can i download Gecko Dnet? I have the Wii U IP address, so I can use that too, I also assume, heh. Yeah, Fix94's host calls GeckoInstaller or something to that effect, thanks again

i doubt the info for them to work in on the rom reallly, the "configs" are probably hardcoded on the excecutable not the rom makes no sence for them to edit the rom.

 

[the_randomizer]

i doubt the info for them to work in on the rom reallly, the "configs" are probably hardcoded on the excecutable not the rom makes no sence for them to edit the rom.

Well, summersett seems to know what he's doing, and progress will surely be made, just saying. We don't know unless we try, please try to have a little more faith. Why are you trying to shoot down our idea? We sure as heck weren't getting anywhere before, were we?

 

[fiveighteen]

i doubt the info for them to work in on the rom reallly, the "configs" are probably hardcoded on the excecutable not the rom makes no sence for them to edit the rom.

I'm just curious what other differences there could be besides the PCM changes. Idk what other possibilities there are, but don't know until somebody has a look. I agree that it doesn't make a lot of sense for them to change much in the ROM itself, though, and "configs" should be in the executable.

EDIT: I also don't know where in the executable they be, what range that includes, or how we'd be able to extract or read them. :\

Uh, I don't think I have that folder anywhere...where can i download Gecko Dnet? I have the Wii U IP address, so I can use that too, I also assume, heh. Yeah, Fix94's host calls GeckoInstaller or something to that effect, thanks again

The Definitive Guide to Wii U Hacking -> TCP Gecko Client