ROM Hack [Release] BlayzBloo: Super Melee Brawlers Battle Royale UNDUB

redunka

This is a small romhack for restoring the original Japanese voices in BlayzBloo: Super Melee Brawlers Battle Royale.
Nothing really special, it’s mostly a proof that DSiWare romhacking is possible.
I haven’t seen any bugs so far, so I decided that it can be released.

You must use a CFW that patches TWL_FIRM’s sig checks to run the undubbed game.
By the way, it is almost perfectly playable with NO$GBA 2.8b:
wu8ol3x.jpg

The game was also patched to be region free, even though it doesn’t really matter these days.

I will upload the patched game on both iso and chaos sites later, but you can also patch it yourself.

Instructions:

1. Download the attached .rar with the required apps and IPS patch, and extract it;
2. Get a clean copy of the game somewhere else, you should be able to find it in NDS format;
3. Alternatively, download the game as a CIA using something like FunKeyCIA or CIAngel,
and place the CIA into the folder you extracted the provided .rar in (the CIA must be named “000480044b425a45.cia”).
4. You’ll have to edit “extract.bat”: replace all “x” after “--titlekey=” with the decrypted title key, and make sure it is not the encrypted one.
Save and run the .bat file. This should give you the “out.0000.00000000” file. Its hash must match this one:
SHA-256: 5CAE65190B16B332B39608391B4EEA551AD37F30D25FE2224E783F376E1CFBC7
5. Rename the “out.0000.00000000” file to “BlayzBloo.nds” and apply the patch using Smart IPS:
KKYtB51.jpg

Hash of patched file:
SHA256: 4D4E96E21F096E8D91BB187897440B19FC53F3857602AD2339829BA3192BC2AC
6. Run “cia.bat” and you should get “BlayzBloo.cia” ready to install.

About this romhack:

As you may know, the content of any DSi rom is verified by hashtables to protect it from modifications.
The checks are performed by the game itself, not by the console, that’s why a patched TWL_FIRM can’t help here.
You can find more info about digests on DSiBrew and GBATEK.

Naturally, I can’t even dream about patching the actual checks in the game’s code, so I simply recalculated all the hashes.
But I won’t go into details, because the method I used was dirty as hell. Quite inconvenient too.
That method would be unfitting for any serious romhacking that would require a lot of testing.
I really hope that someone will be interested in making a tool for quicker and easier hash recalculating.
You can read the idea of what has to be done under the spoiler.
1. Get the starting offset for the NTR region at 0x1E0 and its length at 0x1E4;
2. Calculate an HMAC SHA-1 hash for each sector of said NTR region, sector size usually would be 0x400 bytes.
The HMAC key has the size of 0x40 bytes and can be found in the rom itself, the first values are “2106C0DEBA…” and the last value is “24”;
3. Get the starting offset for the sector hashtable at 0x1F0 and its length at 0x1F4, replace that hashtable with the one that has been calculated in the previous step.
Note: the original hashtable would be longer than the one we calculated, that’s because it also includes hashes for the TWL region with decrypted ARM9i/ARM7i areas.
A regular romhack should not touch the TWL region, so those last hashes should stay unchanged;
4. Calculate an HMAC SHA-1 hash for each block of the whole sector hashtable, block size usually would be 0x280 bytes;
5. Get the starting offset for the block hashtable at 0x1F8 and its length at 0x1FC, replace that hashtable with the one that has been calculated in the previous step;
6. Calculate a single master HMAC SHA-1 hash for the entire block hashtable and replace the original master hash that starts at 0x328 and has a size of 0x14 bytes.
I want to thank everyone involved in hacking of both DSi itself and TWL side of 3DS.
I don’t put actual names because I could forget someone.
It wouldn’t be possible without all their hard work.
 

Attachments

  • BB_undub_patch.rar
    1.5 MB · Views: 411
Last edited by redunka,
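
A checker for the three-level digest chain listed under the spoiler in the post above, as an added example (it is not redunka's tool and not code from the original post). It reads the header offsets the post gives and takes the HMAC key as a parameter; the key, the sample image layout and all function names are constructed for this example, and table lengths are assumed to be exact multiples of the entry size.

```python
import hashlib, hmac, struct

SECTOR, BLOCK, DIGEST = 0x400, 0x280, 0x14  # sizes the post calls "usual"
SAMPLE_KEY = bytes(range(0x40))  # constructed 0x40-byte key, NOT the real one

def mac(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def u32(rom, off):  # header fields are little-endian 32-bit values
    return struct.unpack_from("<I", rom, off)[0]

def chunks(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]

def mismatches(key, data, size, table):
    """Indexes of chunks whose HMAC differs from the matching table entry."""
    return [i for i, c in enumerate(chunks(data, size))
            if not hmac.compare_digest(mac(key, c), table[i * DIGEST:(i + 1) * DIGEST])]

def verify_digests(rom, key):
    """Return (bad NTR sectors, bad sector-table blocks, master_ok)."""
    ntr = rom[u32(rom, 0x1E0):u32(rom, 0x1E0) + u32(rom, 0x1E4)]
    sec_tab = rom[u32(rom, 0x1F0):u32(rom, 0x1F0) + u32(rom, 0x1F4)]
    blk_tab = rom[u32(rom, 0x1F8):u32(rom, 0x1F8) + u32(rom, 0x1FC)]
    # Level 1: NTR sectors map to the first table entries; the TWL entries
    # that follow them are not checked here.
    bad_sectors = mismatches(key, ntr, SECTOR, sec_tab)
    # Level 2: every block of the whole sector table, TWL entries included.
    bad_blocks = mismatches(key, sec_tab, BLOCK, blk_tab)
    # Level 3: one master HMAC over the entire block table, stored at 0x328.
    master_ok = hmac.compare_digest(mac(key, blk_tab), rom[0x328:0x328 + DIGEST])
    return bad_sectors, bad_blocks, master_ok

def build_sample(key, sectors=64):
    """Constructed image: 0x400 header, NTR data, sector table, block table."""
    data = bytes((i * 7) & 0xFF for i in range(sectors * SECTOR))
    sec_tab = b"".join(mac(key, s) for s in chunks(data, SECTOR))
    blk_tab = b"".join(mac(key, b) for b in chunks(sec_tab, BLOCK))
    rom = bytearray(0x400) + data + sec_tab + blk_tab
    sec_off = 0x400 + len(data)
    struct.pack_into("<II", rom, 0x1E0, 0x400, len(data))
    struct.pack_into("<II", rom, 0x1F0, sec_off, len(sec_tab))
    struct.pack_into("<II", rom, 0x1F8, sec_off + len(sec_tab), len(blk_tab))
    rom[0x328:0x328 + DIGEST] = mac(key, blk_tab)
    return rom

if __name__ == "__main__":
    rom = build_sample(SAMPLE_KEY)
    rom[0x400 + 40 * SECTOR] ^= 0xFF       # change one byte in NTR sector 40
    print(verify_digests(rom, SAMPLE_KEY))  # ([40], [], True)
```

Each level only vouches for the one below it, so a changed sector is reported at level 1 while levels 2 and 3 still pass; the chain is consistent only when all three results are clean.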

redunka

Yeah, I'm aware that this is an extreme necrobump, but I thought I'd let people know (not that anyone cares, though).

With the recent release of Unlaunch DSi, this undub can finally be played on a real DSi,
either with Unlaunch itself (granted you've provided a valid tmd and ticket),
or with Unlaunch + HiyaCFW (tmd can be forged and ticket shouldn't be needed at all, as far as I know).

P.S. If the mods decide that this thread should be moved to the NDS ROM Hacking section, I'm all for it, as this is not a 3DS game.
 
Last edited by redunka,
