Hacking Nintendont

  • Thread starter: sabykos
So, I went ahead and tested Metroid Prime's brightness settings on Nintendont and it worked fine, even with deflicker OFF. Are there other games that disable effects if I set Deflicker to OFF? I mean, is it safe to just leave it OFF for every GameCube game, without worrying about missing effects? I know that USB Loader GX uses a SAFE setting to avoid problems in Wii games and I understand that a couple of GC games might reset the filter even when forcing it to OFF, but in the case of Nintendont's implementation, it's just ON or OFF, so I'm a little concerned it might cause issues.
 
Last edited by KungBore,
is it safe to just leave it OFF for every GameCube game, without worrying about missing effects?

Yeah you won't lose any effects as Nintendont doesn't disable the GXSetCopyFilter function (if it did, it would have worked for Soul Calibur and Starfox).

It's possible that touching the brightness slider in a game might actually re-instate the vfilter, if the game doesn't calculate the new brightness setting based on the patched vfilter string.
 
I think I've found another game that doesn't accept turning the filter off: Star Wars Rogue Squadron III: Rebel Strike. To me, it looks very soft, especially compared to Rogue Squadron II.
 
I think I've found another game that doesn't accept turning the filter off: Star Wars Rogue Squadron III: Rebel Strike. To me, it looks very soft, especially compared to Rogue Squadron II.

I also observe Nintendont cannot remove the filter from Rogue Squadron III.

I cannot find any known vfilter strings/signatures in start.dol which the game actually uses.

I cannot find either of the 2 known versions of GXSetCopyFilter in start.dol as referenced here.

Therefore I think the game was compiled with the "SN Systems ProDG" version of GXSetCopyFilter, since that is the only remaining version we don't know about according to Swiss (ignoring the debug version which is probably not found in a retail game).

We should be able to use Swiss to find its offset, however I lack the tools to do this.

@Extrems, are you able to run this title with Swiss in debug mode to make it print the offset where it found GXSetCopyFilter? Once we know the offset, we can find its binary and manually patch it.
 
@Extrems

Swiss patcher.c
Code:
FuncPattern GXSetCopyFilterSigs[5] = {
{ 567, 183, 44, 32, 36, 38, ... },  // Debug version (probably not in retail games)
{ 138,  15,  7,  0,  4,  5, ... },  // gx.a version (known)
{ 163,  19, 23,  0,  3, 14, ... },  // SN Systems ProDG version (unknown -- used by Rogue Squadron III?)
{ 130,  25,  7,  0,  4,  0, ... }   // Dolphin.a version (known)
};

// First array element is length in instructions, not bytes.

GXSetCopyFilter gx.a
Code:
94 21 FF B0 54 60 06 3F BE E1 00 2C 41 82 01 28 88 04 00 01 88 64 00 07 54 1E 20 36 89 04 00 00 88 04 00 13 54 79 20 36 89 44 00 06 51 1E 07 3E 89 64 00 02 88 E4 00 0D 51 59 07 3E 55 7B 40 2E 89 24 00 08 88 64 00 0E 55 3A 40 2E 8B 84 00 03 53 DB 06 3E 89 24 00 10 54 F7 20 36 89 84 00 0C 88 E4 00 15 54 78 40 2E 51 97 07 3E 8B A4 00 12 54 00 20 36 53 A0 07 3E 89 04 00 14 57 9C 60 26 8B E4 00 09 53 7C 05 3E 8B A4 00 04 52 F8 06 3E 89 44 00 0F 55 17 40 2E 89 84 00 0A 53 3A 06 3E 88 64 00 16 55 59 60 26 8B C4 00 05 50 17 06 3E 88 04 00 17 57 FB 60 26 89 64 00 0B 89 04 00 11 57 A4 80 1E 54 E7 60 26 55 8A 80 1E 53 5B 05 3E 54 6C 80 1E 52 E7 05 3E 53 84 04 3E 57 C3 A0 16 53 19 05 3E 55 29 80 1E 53 6A 04 3E 50 83 03 3E 50 EC 04 3E 54 67 02 3E 55 63 A0 16 51 43 03 3E 54 64 02 3E 55 03 A0 16 53 29 04 3E 51 23 03 3E 54 00 A0 16 51 80 03 3E 54 63 02 3E 54 00 02 3E 64 E8 01 00 64 87 02 00 64 69 03 00 64 0A 04 00 48 00 00 24 3D 00 01 66 3C E0 02 66 3C 80 03 66 3C 60 04 66 39 08 66 66 38 E7 66 66 39 24 66 66 39 43 66 66 38 80 00 61 3C 60 CC 01 98 83 80 00 54 A0 06 3F 91 03 80 00 98 83 80 00 90 E3 80 00 98 83 80 00 91 23 80 00 98 83 80 00 91 43 80 00 41 82 00 68 88 06 00 00 88 66 00 01 64 05 53 00 88 06 00 04 88 86 00 02 54 A7 06 A6 54 65 30 32 88 66 00 05 7C E7 2B 78 64 08 54 00 88 A6 00 03 88 06 00 06 54 E6 05 1A 54 84 60 26 7C C6 23 78 55 04 06 A6 54 63 30 32 7C 83 1B 78 54 C6 03 8E 54 A4 90 1A 54 63 05 1A 54 00 60 26 7C C6 23 78 7C 67 03 78 48 00 00 14 3C 80 53 59 3C 60 54 00 38 C4 50 00 38 E3 00 15 38 A0 00 61 80 6D 8F 88 3C 80 CC 01 98 A4 80 00 38 00 00 00 90 C4 80 00 98 A4 80 00 90 E4 80 00 B0 03 00 02 BA E1 00 2C 38 21 00 50 4E 80 00 20
GXSetCopyFilter Dolphin.a
Code:
94 21 FF B8 54 60 06 3F BF 01 00 28 41 82 00 F8 88 04 00 06 38 E0 00 00 89 04 00 00 38 60 00 00 50 07 07 3E 89 24 00 0C 51 03 07 3E 39 00 00 00 88 04 00 12 51 28 07 3E 39 20 00 00 89 44 00 01 50 09 07 3E 88 04 00 13 89 64 00 0D 51 43 26 36 8B 64 00 02 50 09 26 36 8B 24 00 07 89 44 00 14 51 68 26 36 89 84 00 0E 53 63 45 2E 8B 84 00 03 51 88 45 2E 8B A4 00 04 53 83 64 26 88 04 00 05 53 A3 83 1E 8B 04 00 08 53 27 26 36 8B 24 00 0F 50 03 A2 16 8B C4 00 09 38 00 00 01 8B E4 00 0A 51 49 45 2E 8B 44 00 15 50 03 C0 0E 89 84 00 0B 53 07 45 2E 89 64 00 10 53 C7 64 26 89 44 00 11 8B 64 00 16 53 E7 83 1E 53 28 64 26 88 84 00 17 51 68 83 1E 53 49 64 26 53 69 83 1E 38 00 00 02 51 87 A2 16 50 07 C0 0E 38 00 00 03 51 48 A2 16 50 08 C0 0E 38 00 00 04 50 89 A2 16 50 09 C0 0E 48 00 00 24 3C 60 01 66 3C E0 02 66 3D 00 03 66 3C 80 04 66 38 63 66 66 38 E7 66 66 39 08 66 66 39 24 66 66 39 40 00 61 3C 80 CC 01 99 44 80 00 54 A0 06 3F 38 00 00 53 90 64 80 00 38 60 00 00 50 03 C0 0E 99 44 80 00 38 00 00 54 38 A0 00 00 90 E4 80 00 50 05 C0 0E 39 63 00 00 99 44 80 00 38 05 00 00 91 04 80 00 99 44 80 00 91 24 80 00 41 82 00 40 88 86 00 00 88 66 00 04 50 8B 06 BE 88 86 00 01 50 60 06 BE 88 E6 00 02 50 8B 35 32 88 86 00 05 88 A6 00 03 50 EB 63 A6 88 66 00 06 50 80 35 32 50 AB 92 1A 50 60 63 A6 48 00 00 2C 38 80 00 00 38 60 00 15 50 8B 06 BE 50 8B 35 32 50 60 06 BE 50 6B 63 A6 38 60 00 16 50 80 35 32 50 80 63 A6 50 6B 92 1A 38 C0 00 61 80 62 8C 08 3C A0 CC 01 98 C5 80 00 38 80 00 00 91 65 80 00 98 C5 80 00 90 05 80 00 B0 83 00 02 BB 01 00 28 38 21 00 48 4E 80 00 20
 
Last edited by NoobletCheese,
Ok, I don't think it's SN ProDG as I ran an ahk script to find all functions of length 163x4 = 652 bytes, and there are none in Rogue Squadron III's start.dol. Using epilogue/delimiter "4E800020".
 
Last edited by NoobletCheese,
So I searched for all functions of the lengths defined in Swiss's sigs, and the only ones I found in RS3 are two of length 138 which corresponds to the gx.a version. Inside those 2 I tried patching every instance of "4182" to "4800" one at a time, which produced either a crash or black screen in Dolphin.

So I don't think even Swiss would be able to patch RS3 :(
 
Last edited by NoobletCheese,
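The length search described in the two posts above, as an added example that is not part of the original posts or of Swiss: it splits big-endian PowerPC code at each word-aligned 4E800020 and reports runs whose instruction count matches one of the signature lengths quoted from patcher.c. The function names, the base address and the nop-filled sample blob are constructed for illustration.

```python
import struct

BLR = 0x4E800020  # PowerPC "blr"; the function delimiter used in the post above
# Function lengths in instructions, from the Swiss excerpt quoted in the thread.
# The count includes the closing blr (the Dolphin.a dump in the thread is
# 130 words ending in 4E800020).
SIG_LENGTHS = {567: "debug", 138: "gx.a", 163: "SN Systems ProDG", 130: "Dolphin.a"}

def functions_by_length(code: bytes, base: int = 0, wanted=SIG_LENGTHS):
    """Split big-endian PowerPC code at each word-aligned blr and return
    (start_address, length_in_instructions, label) for runs of a wanted length."""
    nwords = len(code) // 4
    words = struct.unpack(f">{nwords}I", code[:nwords * 4])
    hits, start = [], 0
    for i, word in enumerate(words):
        if word != BLR:
            continue
        length = i - start + 1
        if length in wanted:
            hits.append((base + 4 * start, length, wanted[length]))
        start = i + 1
    return hits

def sample_blob() -> bytes:
    """Constructed test input: three dummy functions made of nops."""
    nop, blr = struct.pack(">I", 0x60000000), struct.pack(">I", BLR)
    f1 = nop * 9 + blr                       # 10 instructions, no signature match
    f2 = nop * 129 + blr                     # 130 instructions
    # 138 instructions; the two data-like words contain the bytes 4E800020 at a
    # non-word-aligned offset, which a plain hex-string search would also hit.
    f3 = nop * 50 + bytes.fromhex("00004E8000200000") + nop * 85 + blr
    return f1 + f2 + f3

if __name__ == "__main__":
    for addr, length, label in functions_by_length(sample_blob(), base=0x80003100):
        print(f"{addr:#010x}  {length:4d} instructions  {label}")
```

Length alone only narrows the candidates: a function with an early-return blr is split into shorter runs, so each hit still has to be compared against the known bytes.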
Oh, if it's compressed, that means it's uncompressed into memory at runtime yeah? In that case could we patch it with a gecko code?
 
According to Dolphin memory dump it's using the dolphin.a version of GXSetCopyFilter. No luck patching it with gecko code so far...
 
Here are 2 Gecko codes working for Rogue Squadron III NTSC, but I've only tested them in Dolphin emulator.

Won't get around to testing them on console until tomorrow, maybe @KungBore could test?

Code:
# code 1 - patch GXSetCopyFilter @ 0x801b3ccc
281b3ccc 00009124
061b3ccc 00000008
91248000 48000040
e0000000 80008000
Code:
# code 2 - patch GXSetCopyFilter @ 0x80518ccc
28518ccc 00009124
06518ccc 00000008
91248000 48000040
e0000000 80008000

Not sure if you need both of them, in Dolphin either one suffices.

Edit from 6 days later: don't use these codes on Wii hardware as it will patch random bytes due to different memory mapping on Wii hardware! It will cause the game to do weird things and randomly crash.
 
Last edited by NoobletCheese,
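What the 28 line in front of the write changes, as an added example that is not part of the original post or of any Gecko tool: a small interpreter for the three code types used above (28 = 16-bit if-equal, 06 = string write, E0 = terminator), run over a constructed memory image. `apply_gecko`, `image` and the sample bytes are illustrative; the instruction pair 91248000 41820040 is taken from the Dolphin.a dump earlier in the thread.

```python
import struct

BA = 0x80000000  # Gecko base address (what "e0000000 80008000" resets it to)

def apply_gecko(text, mem, mem_base):
    """Apply 28 / 06 / E0 codes to `mem`, a bytearray image starting at mem_base.
    Returns [(address, bytes_written)]. Simplification: ifs are not nested."""
    words = [int(tok, 16) for line in text.splitlines()
             for tok in line.split("#")[0].split()]
    writes, active, i = [], True, 0
    while i + 1 < len(words):
        op, arg = words[i], words[i + 1]
        i += 2
        ctype = (op >> 24) & 0xFE          # bit 24 belongs to the address
        addr = BA + (op & 0x01FFFFFF)
        if ctype == 0x28:                  # 16-bit if-equal, arg = MMMMXXXX
            if addr & 1:                   # bit 0 is the "endif first" flag
                active, addr = True, addr - 1
            if active:
                (cur,) = struct.unpack_from(">H", mem, addr - mem_base)
                active = (cur & ~(arg >> 16) & 0xFFFF) == (arg & 0xFFFF)
        elif ctype == 0x06:                # string write, arg = byte count
            nwords = (arg + 7) // 8 * 2    # payload is padded to whole code lines
            data = b"".join(struct.pack(">I", w) for w in words[i:i + nwords])[:arg]
            i += nwords
            if active:                     # payload is skipped when the if failed
                off = addr - mem_base
                mem[off:off + arg] = data
                writes.append((addr, data))
        elif ctype == 0xE0:                # full terminator: closes open ifs
            active = True
        else:
            raise ValueError(f"code type {ctype:#04x} is not modelled here")
    return writes

GUARDED = """# code 1 from the post, with the 28 check in front of the write
281b3ccc 00009124
061b3ccc 00000008
91248000 48000040
e0000000 80008000"""
UNGUARDED = """# the form without the 28 line that is quoted in the thread
061b3ccc 00000008
91248000 48000040
e0000000 80008000"""

def image(eight_bytes: bytes) -> bytearray:
    """Constructed image for 0x801b3c00-0x801b3dff, 8 chosen bytes at 0x801b3ccc."""
    mem = bytearray(0x200)
    mem[0xCC:0xD4] = eight_bytes
    return mem
```

With `image(bytes.fromhex("9124800041820040"))` both forms write the patch; with any other bytes at that address only the unguarded form writes, which is the "patch random bytes" case from the edit note.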
Here are 2 Gecko codes working for Rogue Squadron III, but I've only tested them in Dolphin emulator.

Won't get around to testing them on console until tomorrow, maybe @KungBore could test?

Code:
# code 1 -- patch GXSetCopyFilter @ 0x801b3ccc
061b3ccc 00000008
91248000 48000040
e0000000 80008000

Code:
# code 2 -- patch GXSetCopyFilter @ 0x80518ccc
06518ccc 00000008
91248000 48000040
e0000000 80008000

Not sure if you need both of them, in Dolphin either one suffices.
These addresses seem wrong. They should be in virtual memory (0x7F000000).
 
These addresses seem wrong. They should be in virtual memory (0x7F000000).

Hmm, Dolphin debugger is saying they are at those addresses. Here is the entire function dumped from Dolphin...

Code:
94 21 FF B8 54 60 06 3F BF 01 00 28 41 82 00 F8 88 04 00 06 38 E0 00 00 89 04 00 00 38 60 00 00 50 07 07 3E 89 24 00 0C 51 03 07 3E 39 00 00 00 88 04 00 12 51 28 07 3E 39 20 00 00 89 44 00 01 50 09 07 3E 88 04 00 13 89 64 00 0D 51 43 26 36 8B 64 00 02 50 09 26 36 8B 24 00 07 89 44 00 14 51 68 26 36 89 84 00 0E 53 63 45 2E 8B 84 00 03 51 88 45 2E 8B A4 00 04 53 83 64 26 88 04 00 05 53 A3 83 1E 8B 04 00 08 53 27 26 36 8B 24 00 0F 50 03 A2 16 8B C4 00 09 38 00 00 01 8B E4 00 0A 51 49 45 2E 8B 44 00 15 50 03 C0 0E 89 84 00 0B 53 07 45 2E 89 64 00 10 53 C7 64 26 89 44 00 11 8B 64 00 16 53 E7 83 1E 53 28 64 26 88 84 00 17 51 68 83 1E 53 49 64 26 53 69 83 1E 38 00 00 02 51 87 A2 16 50 07 C0 0E 38 00 00 03 51 48 A2 16 50 08 C0 0E 38 00 00 04 50 89 A2 16 50 09 C0 0E 48 00 00 24 3C 60 01 66 3C E0 02 66 3D 00 03 66 3C 80 04 66 38 63 66 66 38 E7 66 66 39 08 66 66 39 24 66 66 39 40 00 61 3C 80 CC 01 99 44 80 00 54 A0 06 3F 38 00 00 53 90 64 80 00 38 60 00 00 50 03 C0 0E 99 44 80 00 38 00 00 54 38 A0 00 00 90 E4 80 00 50 05 C0 0E 39 63 00 00 99 44 80 00 38 05 00 00 91 04 80 00 99 44 80 00 91 24 80 00 41 82 00 40 88 86 00 00 88 66 00 04 50 8B 06 BE 88 86 00 01 50 60 06 BE 88 E6 00 02 50 8B 35 32 88 86 00 05 88 A6 00 03 50 EB 63 A6 88 66 00 06 50 80 35 32 50 AB 92 1A 50 60 63 A6 48 00 00 2C 38 80 00 00 38 60 00 15 50 8B 06 BE 50 8B 35 32 50 60 06 BE 50 6B 63 A6 38 60 00 16 50 80 35 32 50 80 63 A6 50 6B 92 1A 38 C0 00 61 80 6D B3 98 3C A0 CC 01 98 C5 80 00 38 80 00 00 91 65 80 00 98 C5 80 00 90 05 80 00 B0 83 00 02 BB 01 00 28 38 21 00 48 4E 80 00 20
 
You're likely just finding the physical backing for the virtual memory pages. These addresses will be random.

I see... well, it seems gecko codes can only write to the range 0x80XXXXXX.

It's definitely working in Dolphin to disable the filter, but then the game crashes some time after the intro sequence... not sure if it would work on an actual console.
 
Ok the crashing in Dolphin is resolved on my system by unticking "enable dual core" just for this game (the crash error message said to try this).
 
Rogue Squadron III NTSC appears to be using the half-strength vfilter 04041010100404 (same as Donkey Kong) at address 0x802Ca07f.

For some reason searching the string 04041010100404 in Dolphin debugger doesn't find it. But dumping RAM from Dolphin to mem1.raw file and then searching in a hex editor finds it and its offset relative to 0x80000000. Pasting that offset address back into Dolphin debugger reveals 0404101010404 is in fact at that address, which seems to indicate Dolphin's search function is somehow broken.

Patching GXSetCopyFilter with the cheat codes via ULGX Ocarina seems to be working, however the game sometimes crashes. Also the game has really long load times (black screen for up to 20 seconds) regardless of whether cheats are enabled. I don't think this game plays nice with Nintendont due to its compression discovered by Extrems. I tried disabling the read speed limit in Nintendont and it still crashed.

I think a better solution will be patching only the 04041010100404 string at 0x802Ca07f.
 
Last edited by NoobletCheese,
I think a better solution will be patching only the 04041010100404 string at 0x802Ca07f.

Can't get this to work, Dolphin just crashes.

If I enclose it inside an "if" statement like this...

Code:
282CA07F 00000404    // if 2 bytes at 0x802ca07f  = 0404
062CA07F 00000007    // write the following 7 bytes to 0x802ca07f
00001516 15000000    // 00 00 15 16 15 00 00
e0000000 80008000    // end of code

...then it doesn't crash, but Dolphin memory debugger shows 0x802Ca07f hasn't been patched and is still 04041010100404.

Which means Gecko didn't find it in memory at the time Gecko code was executing -- perhaps something to do with the way this game decompresses and reloads itself at runtime after Gecko code executes?

However the same is not true of the GXSetCopyFilter patch -- Gecko patches the bytes and Dolphin debugger shows the patched bytes in memory.
 
Last edited by NoobletCheese,
