Jump to content

FE: Awakening Hacking Topic


VincentASM
 Share

Recommended Posts

Continued from here.

New topic because there's been another major breakthrough and I suspect the resulting discussions will change.

RAM Hacking

This is a quick and easy way to edit the game's key files, which are stored in the memory. Of course, not every file is stored in memory, so you can't edit every file.

Dumping the RAM

Before you do anything, you should first dump a sample of your RAM.

[spoiler=Instructions]1. First, download the memory dumper in this topic. You must have a 3DS with firmware 9.0, but not higher than 9.5.0-22.

2. Place memdump.bin in the root directory of your 3DS's SD card (the first thing you see after accessing your SD card from your computer).

3. Disable your 3DS's wireless switch temporarily and open your 3DS internet browser. Bookmark this link: http://bit.ly/1EjNcdo. Finally, clear your browser history and cookies. After exiting the browser, enable the wireless switch again.

4. Open your 3DS and load FE: Awakening. Ideally, open up a save file, where you're either in battle or on the world map.

5. While your game is still active, open the 3DS internet browser and go to the bookmarked page in step 3. You should see three lines of code being executed and then the bottom screen will flicker wildly for several minutes. This is normal. Eventually, the browser will crash and tell you to exit your game, etc.

6. Power down your 3DS and check your SD card. You should have a new 128 MB+ file called FCRAM.bin in the root directory. If it's not there, you did something wrong.

Reading the memory dump

FCRAM.bin is a memory dump, but you don't edit it directly; it's just there for reference. Still, you need to know how to read the file. In this part, I'll tell you how to find character data.

[spoiler=Instructions]1. Open FCRAM.bin in a capable hex editor. It is a massive, 128 MB file after all. I recommend HxD, but there are other good ones out there.

2. Next is the tricky part. Because of various factors, such as region, DLC and/or SpotPass, the locations of all the relevant data can vary. What you need to do is "lock onto" some distinguishable data. Here are a few ways (just two, for now):

2.a. Skills. If a character has many skills or a unique combination, this is probably the easiest way. Skills are stored as single bytes separated by a single 00. You can find a list of skills here. So if Avatar has Veteran and Solidarity, you would search for 0D 00 25 00 (00 00 00 00 00 00).

2.b. Items. These are stored in sequence; each item consists of four bytes: item value, 00, current number of uses and 00 if unequipped/10 if equipped. Item values are here. Note that number of uses must be entered as a hexadecimal value. Example: an equipped Balmung with 20 uses looks like 15 00 14 10.

3. Once you've found your skills, the surrounding area is what we call a "character block". It is 0x110 bytes in length and looks a bit like this. Each character in the RAM has their own block.

Here's what's contained in each block, courtesy of someonewhodied.

BRYOotF.png

What you want to do is note down all the addresses of things that you want to change. For example, you want to change the first skill? In the above example, you want 0x134DE9C. Want to change the second skill as well? That's at 0x134DE9E.

Editing the RAM

So you can read the file, for the most part. How do you change the data?

Things like stats, items, skills and weapon ranks are easy to change. Stats and weapon ranks are just integers, while items and skills are value-based. Eg. 0D is Veteran.

Some things are stored as pointer however and they're a bit more complicated; they have to be edited very precisely or you will not get the correct results.

Pointers are what they name suggests; they point to something else--in this case, a position in the RAM. You can identify pointers as a string of four bytes, eg. E8 2F 34 15.

To read the pointer, reverse the bytes, then subtract 0x14000000 and convert the bytes to an address. In this above example, the pointer reversed is 15 34 2F E8. Then subtract to get 01 34 2F E8. Which gives a pointer to 0x1342FE8.

Reading pointers isn't always necessary though. If you know what a pointer does (eg. points to Lord class), you can replace the pointer with a similar pointer (eg. points to Conqueror class).

Warning: Pointers can vary between games. For example, a pointer to Chrom's class for me could be very different for you.

Once you know what you're changing, where and how, it's time to put your theory to practice.

[spoiler=Instructions]1. Go to this site.

2. Now convert your addresses to a cheat code.

If it's just one byte, you add a "2" to the address and " 000000XX" to the end. Eg. 0x134DE9C as a cheat code is 2134DE9C 000000XX.

For a string of two bytes, you add "1" and " 0000XXXX" instead. For four bytes, you add "0" to the front and " XXXXXXXX" to the end.

3. Then to actually change values, replace the XX(s) with the new value. So if it's Galeforce you want, the final cheat code should be 2134DE9C 00000054.

Note: If you're editing a string of bytes, you will need to enter the values in reverse order.

4. After inputting all your cheat codes, the site will give you a QR code.

5. Open up FE: Awakening again, then while the game is running, switch to the internet browser. Then scan the QR code you created.

6. The bottom screen will tell you the exploit is running and the browser will eventually crash. Your 3DS will tell you to power down again, but ignore it and return to your game. If successful, you should have edited the RAM and the changes will be instant.

References:

ROM Hacking

[spoiler=A quick(?) recap:]For a long time, nobody knew how to decrypt 3DS ROMs because of Nintendo's improved security, but this all changed around August 2014 with the release of Pokemon ORAS and Smash 3DS prompting hackers far and wide to finally bust open the 3DS once and for all.

That said, even though decrypting was possible, it was still difficult unless you had the right firmware, hardware and know-how. So it wasn't until October 2014 when the Awakening ROM was finally decrypted and its contents analysed.

Yet one major hurdle remained: It was impossible to repack the ROM properly because IS used Japanese filenames for some of the files, notably the portraits and the text. This causes the files to have garbage names when unpacked and some files to be lost. The only solution was to rename thousands of files back and forth.

Fast forward to today: After speaking to SciresM of Pokemon hacking fame, they were kind enough to help me solve the issue of the Japanese files not unpacking properly.

Without further ado, open SciresM's modified RomFS Extractor and select the decrypted FEA ROM as the target, then press "Go".

As I cannot currently run modified ROMs myself, I will have to rely on volunteers to test for me. So does anyone want to offer? : )

The first thing you can try is extracting the decrypted ROM, then repacking it (without making any changes or maybe making a small change) and seeing if it runs properly.

If the repacked ROM works, you can try inserting this test file: Test 3

(Replace static.bin.lz in /data/person/)

[spoiler=Change list]

  • Some characters have ridiculous stats so you can check the modifications are working.
  • Nearly everybody has a new initial class and can reclass to Tactician.
  • Chrom and Sumia can support everyone in the standard marriage pools.
  • Chrom can S rank with Lissa and Emmeryn (if you can S Rank Lissa, the support points are probably correct).
  • Logbook Avatars and DLC Marth can support, in theory.
  • Severa and Lucina have their parents swapped.

Or if you're feeling clever: Character Editor 1.1

[spoiler=Instructions]

You need the Nightmare program to use the modules. First decompress static.bin.lz in the /data/person directory (strip the first 4 bytes, then throw the file into Batch-LZ77 or Dsdecmp4).

Next, open the decompressed static.bin as the "ROM" in Nightmare and CharacterEditor.nmm as the "module".

After making your changes, use Dsdecmp4 to recompress the file, then add the initial 4 bytes back on.

Note that you shouldn't make the new file bigger than the old file--so no more than 12,996 bytes (if this happens, use similar numbers for stats, like all 7s for HP, STR, MAG, SKL, etc.) until the file size decreases.

Useful links

Edited by VincentASM
Link to comment
Share on other sites

  • Replies 877
  • Created
  • Last Reply

Top Posters In This Topic

You can hack digital versions; that's how people data mined the Pokemon ORAS special demo.

Here's one topic I found.

Not sure if you have the right tools/firmware though.

Wait, I get that I can download my digital copy, but can I upload it back on my 3ds too? That's what I thought that tutorial was saying, but I'm not sure.
Link to comment
Share on other sites

Are you trying to extract the ROM or decrypt it?

You need to run the tool on an already decrypted ROM and it will extract the contents.

If the ROM is already decrypted and you're getting that error, maybe it only works for the EU ROM?

Link to comment
Share on other sites

Why are you censoring your PC's user name XD

Anyway all this stuff really excites me and I wish I could jump on board this hacking Awakening thing but I don't think I have the right gear, let alone know-how.

I guess one can just dream of a day when a perfect 3DS emu will be around.

Link to comment
Share on other sites

Why are you censoring your PC's user name XD

Because I want to?

Anyways, I'm having trouble repacking the ROM.

When I decrypted and extracted, I see no banner.bin.

It's looking for that when I try to repack the ROM.

Link to comment
Share on other sites

I'm not sure. I was just following the instructions of the first post. If a separate tool is needed to decrypt the file first, can you link to that?

It's been a while since I decrypted my ROM, so I'm not sure if the process has been simplified now.

This was the tutorial I followed last time, I believe. I also have the xorpad for the American ROM already, but I'd need somewhere good to upload a GB file (not on SF).

Just a note, the tool actually opens romfs binaries, not ROMs -- "ctrtool -x --romfs=romfs.bin Decrypted_Game.3ds" should do.

Why, hello there! Welcome to the forums : )

Pardon my terrible terminology; I got a bit excited when writing up the post that I wasn't sure what to call the decrypted file.

Because I want to?

Anyways, I'm having trouble repacking the ROM.

When I decrypted and extracted, I see no banner.bin.

It's looking for that when I try to repack the ROM.

Hmm, I see. I'm not sure where to find it right now.

I've looked around and you might need to extract from exefs.bin, but I'm not having much luck there.

Edited by VincentASM
Link to comment
Share on other sites

If we can figure something more simple for decrypting, I can help out. I have a gateway and proper firmware for launching games, as far as testing goes. But I don't wanna sift through a bunch of stuff to decrypt a ROM just to help test out :<

Link to comment
Share on other sites

The alternative is RAM hacking; I guess I can bug SciresM about that if the ROM hacking doesn't move along as I anticipated.

If you can suggest a nice place to upload huge files, I can save you a lot of steps.

Link to comment
Share on other sites

I kept trying to figure out things by going through countless threads.

And then I decided to google a RomFS builder by SciresM.

https://github.com/SciresM/RomFS-Builder/releases

...well now.

However, I am having trouble repacking the ROM.

How does one do this with makerom, etc?

Edited by shadowofchaos
Link to comment
Share on other sites

I haven't tried, since I don't need to repack the ROM, but I assume you need to input this:

makeromfs romfs romfs.bin

Even then, you still need to rebuild the ROM/CIA, I believe.

Link to comment
Share on other sites

The alternative is RAM hacking; I guess I can bug SciresM about that if the ROM hacking doesn't move along as I anticipated.

If you can suggest a nice place to upload huge files, I can save you a lot of steps.

I use megaupload without problems for large files, if that helps out.

Also, does anyone know if you can do this same process for the dlc? I dunno if .cia has any real differences as far as decrypting would go.

Link to comment
Share on other sites

I'm sorry, I'm not sure if this is the right place to ask. But I've been reading the last thread for a while, and I saw you how you were able to take all those sprites and voice files etc. out of the game. So I was just wondering, is it at all possible to get Awakening's text font?

Link to comment
Share on other sites

I use megaupload without problems for large files, if that helps out.

Also, does anyone know if you can do this same process for the dlc? I dunno if .cia has any real differences as far as decrypting would go.

I'll look into it when I have time. My upload speed is atrocious, you see.

I believe so, essentially, but I spent several hours trying to figure it out to no avail. So I'll leave it to the experts...

I'm sorry, I'm not sure if this is the right place to ask. But I've been reading the last thread for a while, and I saw you how you were able to take all those sprites and voice files etc. out of the game. So I was just wondering, is it at all possible to get Awakening's text font?

Nah, it's the right place.

I think I know where the file is, but I dunno what file format it is. I thought I'd try throwing the file in Tile Molester, but nothing seems to be coming together.

Well, technically it does, but it's not very noob friendly when 3ds explorer or ctrtool doesn't correctly extract the exheader.

I can extract exheader.bin, but it's still encrypted if it matters.

TBH, I'm in the middle of a wild goose chase trying to figure things out.

Link to comment
Share on other sites

https://gbatemp.net/threads/tutorial-how-to-decrypt-rebuild-3ds-rom-run-oras-without-his-update.383055/

I'm gonna follow this once I get another chance to do things.

I can extract exheader.bin, but it's still encrypted if it matters.

No good if it's not the same ROM dump.

I dumped my own ROMs from my US and Japanese copies.

Besides, my 3DS explorer seems to be the problem when it comes to that.

Do you do it with ctrtool?

Just gonna follow the thing there.

Edited by shadowofchaos
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...