ROM Hack [REAL!] Play all tracks in MKDS online!

[raypou]

Guess no one else has cared to post this yet, but over at GSCentral, Parasyte has found how to select any track for MKDS online mode

description of how he did it: http://gscentral.org/bb/viewtopic.php?p=9944#9944

When I have time, I'm going to look into doing this for myself...

 

[Squiffy]

Nice, I like the part about playing different tracks to your opponents.
I'm guessing all your opponents have to have the hack for this to work properly.

 

[raypou]

actually, i believe that is not the case, as all the carts already have the tracks on them, its more a matter of in the track selection, you pick one that isn't in the list, and if it randomly chooses that one, all the carts know to. That's at least what I gather from what i've read...

 

[Squiffy]

Nope, don't think so:

...Instead, the other racers were placed on the track chosen globally for them, meanwhile my NDS had locally chosen whatever track I wanted. This lead to a fascinating discovery; I was able to race around on my track, while everyone else raced on theirs. We were all in the same 'virtual space' but on different tracks. (You could see them passing by, flying through the air going in some random direction, for example.) However, laps still progressed as normal. Learning this, I decided to locally load Baby Park and select some long track (Rainbow Road, etc) for the others to run on. And in under a minute, I would win the match...

 

[754boy]

Read that....looks like we're gonna get a surge of wi-fi hackers who are gonna do this to pad their stats. If u racing on a track alone and at the same time ur opponents are on a totally seperate track, you automatically win on the track you selected and one of them wins on the other track.

Next thing we'll probably see is an aimbot for the all the items (not including the red shells and blue shell of course).....imagina a banana peel landing directly on top an opponent everytime.... lol

 

[memyselfandi]

cool, but i cant do it myself...

 

[raypou]

That quote is from the beginning of the discovery process, not when he actually just changed the track selection in the screen. There, he changed the whole track he was racing on, while the others loaded the chosen track. the other way, if he picks it in the list and it is randomly chosen, everyone loads the same track. He was playing the past few days hosting tracks for people with unmodified games, and it was working...

 

[Eruonen]

In the tournement this is conciderd as cheating right?

 

[IxthusTiger]

  .section  ".init" 
 .global   _start 
 Â
 @.align 
 @.arm 
 .code  32 
 Â
@--------------------------------------------------------------------------------- 
_start: 
@--------------------------------------------------------------------------------- 
 b  rom_header_end 

 .fill  156,1,0         Â@ Nintendo Logo Character Data (8000004h) 
 .fill  16,1,0         Â@ Game Title 
 .byte  0x30,0x31        @ Maker Code (80000B0h) 
 .byte  0x96         Â@ Fixed Value (80000B2h) 
 .byte  0x00         Â@ Main Unit Code (80000B3h) 
 .byte  0x00         Â@ Device Type (80000B4h) 
 .fill  7,1,0         Â@ unused 
 .byte  0x00         Â@ Software Version No (80000BCh) 
 .byte  0xf0         Â@ Complement Check (80000BDh) 
 .byte  0x00,0x00          @ Checksum (80000BEh) 

@--------------------------------------------------------------------------------- 
rom_header_end: 
@--------------------------------------------------------------------------------- 




#define ARM9_ENTRY_ORIGINAL Â Â Â Â Â Â0x02000800 
#define  ARM7_ENTRY_ORIGINAL      Â0x02380000 

@  bl  DisableInterrupts 
 Â
 Â
 @ Boot ARM9 with: *(volatile unsigned int *)0x027FFE24 = 0x02004000; 
 ldr  r2, =ARM9_ENTRY_ORIGINAL 
 ldr  r4, =ARM7_ENTRY_ORIGINAL 
 ldr  r3, =0x027FFE24 
 str  r2, [r3]     @ redirect ARM9 
 Â
 ldr  r0, =0x400000 
delayLoop: 
 nop 
 subs  r0, r0, #1 
 bgt  delayLoop 
 Â
 Â
 @ New Courses on WFC 
 ldr  r0, =0x02153A4C 
 adr  r1, CourseList 
 mov  r2, #12 
listLoop: 
 ldrb  r3, [r1],#1 
 str  r3, [r0],#4 
 subs  r2, r2, #1 
 bgt  listLoop 
 Â
 Â
  Âmov  pc, r4     @ redirect ARM7 
 Â
infin: 
 b  infin 
 Â
 Â.pool 
Â
CourseList: 
 .byte 0x0C, 0x0F, 0x11, 0x13, 0x17, 0x18, 0x1A, 0x20, 0x21, 0x23, 0x25, 0x26 
 .align 2  Â
 Â


////////////////////////////////////////////////////////////////////////////// 
// DisableInterrupts 
////////////////////////////////////////////////////////////////////////////// 

DisableInterrupts: 
 // disable IRQ/FIQ interrupts 
 mrs   Âr0, CPSR 
 orr   Âr0, r0, #0xC0 
 msr   ÂCPSR_fsxc, r0 
 mov   Âpc, lr 



 .align 
 .pool 
 .end

Based on this code, what bytes of the ROM should I patch?

For people with a PassMe, www natrium42 com/downloads/mktest.ds.gba
Run that from a flashcart with MK in the PassMe and you can pick the non-wifi tracks.

 

[Renegade_R]

Great...now this is gonna lead to a surge of online cheaters which will also lead to more Online ROM protection on Nintendo WFC. When hackers begin to take advantage of the online experience, it will hurt Nintendo financially as people no longer want to play online. And because of that, Nintendo will then improve the protection on ROMs.

It may be a breaking discovery for many.

To me its a very very sad day.

 

[cruddybuddy]

Agreed. This is very bad news.

 

[Heran Bago]

I would guess this part...

CourseList:
 .byte 0x0C, 0x0F, 0x11, 0x13, 0x17, 0x18, 0x1A, 0x20, 0x21, 0x23, 0x25, 0x26
 .align 2 Â

But thosre are the courses Parasyte specifically said do not work. Hmm.

How would I dissasemble the ARM9 executable? Is there a program or easy way?

 

[Hitto]

Don't fret over this. You won't meet that many hackers, and sooner or later, big N will silence them.

 

[Heran Bago]

This doesn't make sense though. The guy claims the table is at $02153A4C in the ROM, but the ROM ends at $02000000. I can't find a tool to decompress the ARM9 executable either.

 

[raypou]

that's the same problem I had, I don't think there is yet a program to decompress the arm9. Also, I believe that address could be a virtual address, modified in RAM, but I can't confirm that yet, just a suspicion.

I don't think online cheaters will be much of an issue, but I could be dead wrong. At least parasyte won't himself release any tools for this.

 

[IxthusTiger]

I'm not too worried about cheaters. Parasyte said he won't release anything that will allow cheating, and natrium (who wrote the code above) is also an upstanding sort. The way people would cheat is by setting a short course for themselves while eveyone else races a long course. Hopefully this is what is kept under wraps. Even so, cheaters can be combatted by dropping out. Not by turning off your DS, but by disrupting your wifi connection, for example unplugging your dongle.

I just wanna race on the non-wifi courses

It doesn't put anyone at an advantage or disadvantage, it's just cool.

 

[Heran Bago]

Memory Map

Yea, He's probably reffering to a location in the RAM. But you need to either be able to dissasemble ARM9, or make a ROM loader to proform this, or any similar hack.

 

[raypou]

whoa, this definately works, just played with 2 other guys on shroom ridge with all the cars and such, no lag at all, about to play a few more gamew with friends

 

[shaunj66]

** USE THIS COMPLETELY AT YOUR OWN RISK - I/WE WILL NOT TAKE ANY RESPONSIBILITY FOR DAMAGES OR ISSUES CAUSED BY USING IT! **

It's been released!!!

I'll post info for everyones information:

A compiled version has been released, I've tested it; and it works a charm!

Just finished playing Airship Fortress and Shroom Ridge with Luse.

Wasn't buggy at all, except one red shell seemed to disapear as soon as I fired it. The rest was flawless.

Equipment you need:

• Mario Kart DS (legit cart)
• Any kind of PassMe (FlashMe and WiFiMe DO NOT WORK)
• A GBA flash cart capable of .nds.gba files.

** USE THIS COMPLETELY AT YOUR OWN RISK - I/WE WILL NOT TAKE ANY RESPONSIBILITY FOR DAMAGES OR ISSUES CAUSED BY USING IT! **

Download this small .nds.gba file: http://gbatemp.net/shaunj66/mktest.ds.zip
And flash it to your GBA cart in GBA mode. (No NDS loaders required!).

Insert a copy of MKS into your PassMe device, and insert both the PassMe and the GBA flash cart in your DS.

Boot your DS and wait for the PassMe to load from the flash cart. You'll see two white screens that will last for 2-3 seconds, then it will boot just like normal into MKS. Now in WFC mode, you'll be able to select from any course!

** USE THIS COMPLETELY AT YOUR OWN RISK - I/WE WILL NOT TAKE ANY RESPONSIBILITY FOR DAMAGES OR ISSUES CAUSED BY USING IT! **

 

[Luse]

It's brillant, and while we only got to play two of the tracks, it worked just as fine as any other, except for the one off glitch with the red shell shaun mentioned, everything else was fine.. All the bats/bullets and crazy stuff on Airship Fortress was there, and all the cars in Shroom Ridge were there...

Calling this fucking awesome is an understatement...