
FE10: Radiant Dawn Hacking Notes


VincentASM

All of the executable code should be in a single file, or group of files, such that it is distinguishable from non-executable code, which would help immensely. This way it would be known that treating the entirety of such files as code is correct, where in games without file systems that lump everything together, you have to treat everything as code, including the data that isn't, to get a full disassembly, which seems like it could cause problems. Or you'd have to have the code be traced; something like an emulator taking every possible branch in the code to ensure that only actual code is disassembled would be involved (this has actually been attempted with moderate success for a SNES game; probably Super Mario World).

If indeed it's easy to differentiate code from data via the file system then it should greatly simplify the process of taking just the disassembly of actual code and recreating references to what is not code for building purposes. If you get to a point where you can pass the result to an assembler and have it actually build a working ISO (presumably no different than the original game down to the last bit, or at least precisely the same functionally) then you can do what I mentioned and wrap all of the assembly code with a higher level language and start rewriting confusing functions in that language or add your own functions (also in that language, though if you're kinky and awesome you could write it in assembly anyway for optimization purposes!). At that point, you've become a god of that game, at like, Nintendo's level.

Or perhaps that's some twisted, far-fetched fantasy of mine. *shrug*

Funny side note, I'm also the guy who considered writing assembly code for NSMBWii to communicate over WiFi and design a simple interface for sharing input between remote consoles for purposes of online multiplayer.

Link to comment
Share on other sites


If you've looked within NSMBWii, then do you have a good idea if the code and data is easy to differentiate (at least for that one game)? Or is there some hurdle that I'm missing (like, wildly guessing here, knowledge of the assembly code)?

In any case, I tried what you suggested a while back and expanded one of the individual files. I've only checked the chapter of the file that I changed, so not sure if the next chapter works, but it seems expanding is completely fine (so the pointers don't mess up or anything). I managed to make one of the shops point to the expanded space ^^

Also, this means I managed to figure out scripting in the end (well, editing the script files). It turns out I was reading some of the pointers wrong; it's always the easy stuff that you get wrong. I'll probably try and break apart the Epilogue of FE10 before posting some results.

EDIT

Notes for the CFINAL.cmb file found in the /Script directory.

------------------------------------>

68 03 -> 7C 03 -> DFSET_FINAL

90 03 -> A4 03 -> DFSET_FINAL_SANAKI

D8 03 -> EC 03 -> DFSET_FINAL_PELLEAS

0C 04 -> 20 04 -> DFSET_FINAL_SENERIO

48 04 -> 5C 04 -> STARTUP

68 04 -> 7C 04 -> BEFOREEPILOGUE

08 05 -> A

5C 05 -> B

AC 05 -> C

00 06 -> D

50 06 -> E

A0 06 -> B4 06 -> CHECKEPILOGUE_SEN

E8 06 -> F

3C 07 -> 50 07 -> AFTEREPILOGUE

A4 07 -> B8 07 -> GRANDFINALE

------------------------------------>

7C 03 -> DFSET_FINAL

88 03

38

00 00 -> DDEXTRAFLAGAMLITAON

00 20 45

------------------------------------>

A4 03 -> DFSET_FINAL_SANAKI

B8 03

1C

14 -> DF_人物ミサハ

38

00 22 -> DDFLAGON

01 20

1C

2B -> DF_関係ミカヤミサハ祖母

38

00 22 -> DDFLAGON

01 20

1C

43 -> DF_関係サナキミサハ祖母

38

00 22 -> DDFLAGON

01 20

1C

5B -> DF_関係サナキミカヤ姉妹

38

00 22 -> DDFLAGON

01 20 45

------------------------------------>

EC 03 -> DFSET_FINAL_PELLEAS

00 04

1C

73 -> DF_関係アシュナードアムリタペレアス親子?

38

00 9D -> DDFLAGOFF

01 20 45

------------------------------------>

20 04 -> DFSET_FINAL_SENERIO

34 04

1C

73 -> DF_関係アシュナードアムリタペレアス親子?

38

00 9D -> DDFLAGOFF

01 20

1D

00 A7 -> DF_関係アシュナードアムリタセネリオ親子?

38

00 22 -> DDFLAGON

01 20 45

------------------------------------>

5C 04 -> STARTUP

64 04

45

------------------------------------>

7C 04 -> BEFOREEPILOGUE

8C 04

38

00 D1 -> GAMEGETROUND

00 19 02 31 3D 00 07

38

00 DE -> DISABLESKIP

00 20

38

00 EA -> BLACKOUT

00 20 19 01 19 4B 19 00

38

00 F3 -> BGMSETVOL

03 20 07 00

1D

00 FD -> RID_外観-ベグニオン2

47 01 00

38

01 12 -> RECTBUILD

01 20 1A 05 DC

38

01 1C -> FADEIN

01 20 01 00 19 01 19 00 19 00 1A 01 F4 27 1A 17 70

38

01 28 -> RECTSETCURVE

06 20 1A 17 70

38

01 35 -> WAITM

01 20

1D

01 3B -> MS_GED_01

38

01 45 -> TALKEVENT

01 20 01 00

38

01 4F -> RECTKILL

01 20 19 01 19 64 1A 07 D0

38

00 F3 -> BGMSETVOL

03 20 1A 01 F4

38

01 35 -> WAITM

01 20

38

01 58 -> ENABLESKIP

00 20 45

------------------------------------>

08 05 -> A

20 05

...

63 01 -> PID_PELLEAS

6F 01 -> PELLEASISALIVE

...

37 02 20

38

00 D1 -> GAMEGETROUND

00 19 02 31 3D 00 07

38

00 DE -> DISABLESKIP

00 20 19 01 19 4B 1A 01 F4

38

00 F3 -> BGMSETVOL

03 20

1D

01 7E -> MS_GED_PEL

38

01 45 -> TALKEVENT

01 20 19 01 19 64 1A 03 E8

38

00 F3 -> BGMSETVOL

03 20

38

01 58 -> ENABLESKIP

00 20 19 00 39

------------------------------------>

5C 05 -> B

74 05

...

89 01 -> PID_CAINEGHIS

97 01 -> 00

...

38

00 D1 -> GAMEGETROUND

00 19 02 31 3D 00 07

38

00 DE -> DISABLESKIP

00 20 19 01 19 4B 1A 01 F4

38

00 F3 -> BGMSETVOL

03 20

1D

01 98 -> MS_GED_02

38

01 45 -> TALKEVENT

01 20 19 01 19 64 1A 03 E8

38

00 F3 -> BGMSETVOL

03 20

38

01 58 -> ENABLESKIP

00 20 19 00 39

------------------------------------>

AC 05 -> C

C4 05

...

A2 01 -> PID_SANAKI

97 01 -> 00

...

37 01 20

38

00 D1 -> GAMEGETROUND

00 19 02 31 3D 00 07

38

00 DE -> DISABLESKIP

00 20 19 01 19 4B 1A 01 F4

38

00 F3 -> BGMSETVOL

03 20

1D

01 AD -> MS_GED_03

38

01 45 -> TALKEVENT

01 20 19 01 19 64 1A 03 E8

38

00 F3 -> BGMSETVOL

03 20

38

01 58 -> ENABLESKIP

00 20 19 00 39

------------------------------------>

00 06 -> D

18 06

...

B7 01 -> PID_TIBARN

97 01 -> 00

...

38

00 D1 -> GAMEGETROUND

00 19 02 31 3D 00 07

38

00 DE -> DISABLESKIP

00 20 19 01 19 4B 1A 01 F4

38

00 F3 -> BGMSETVOL

03 20

1D

01 C2 -> MS_GED_04

38

01 45 -> TALKEVENT

01 20 19 01 19 64 1A 03 E8

38

00 F3 -> BGMSETVOL

03 20

38

01 58 -> ENABLESKIP

00 20 19 00 39

------------------------------------>

50 06 -> E

68 06

...

CC 01 -> PID_ERINCIA

97 01 -> 00

...

38

00 D1 -> GAMEGETROUND

00 19 02 31 3D 00 07

38

00 DE -> DISABLESKIP

00 20 19 01 19 4B 1A 01 F4

38

00 F3 -> BGMSETVOL

03 20

1D

01 D8 -> MS_GED_05

38

01 45 -> TALKEVENT

01 20 19 01 19 64 1A 03 E8

38

00 F3 -> BGMSETVOL

03 20

38

01 58 -> ENABLESKIP

00 20 19 00 39

------------------------------------>

B4 06 -> CHECKEPILOGUE_SEN

C8 06

1D

01 E2 -> PID_SENERIO

38

01 EE -> CHECKUNITLIVEORPARTYBYPID

01 3E 00 09

1D

02 08 -> G_MS_0308_BT_SEN

38

02 19 -> GET

01 3E 09

1D

02 1D -> G_MS_0315_BT_TAU_SEN

38

02 19 -> GET

01 39

------------------------------------>

E8 06 -> F

00 07

...

E2 01 -> PID_SENERIO

32 02 -> CHECKEPILOGU_SEN

...

37 03 20

38

00 D1 -> GAMEGETROUND

00 19 02 31 3D 00 07

38

00 DE -> DISABLESKIP

00 20 19 01 19 4B 1A 01 F4

38

00 F3 -> BGMSETVOL

03 20

1D

02 43 -> MS_GED_SEN

38

01 45 -> TALKEVENT

01 20 19 01 19 64 1A 03 E8

38

00 F3 -> BGMSETVOL

03 20

38

01 58 -> ENABLESKIP

00 20 19

------------------------------------>

50 07 -> AFTEREPILOGUE

60 07

1D

02 4E -> PID_ERLAN

38

02 58 -> UNITCHECKLIVEBYPID

01 29 3D 00 03 45

38

00 D1 -> GAMEGETROUND

00 19 02 31 3D 00 07

38

00 DE -> DISABLESKIP

00 20 19 01 19 4B 1A 01 F4

38

00 F3 -> BGMSETVOL

03 20

1D

02 6B -> MS_GED_ERLAN

38

01 45 -> TALKEVENT

01 20 19 01 19 64 1A 03 E8

38

00 F3 -> BGMSETVOL

03 20

38

01 58 -> ENABLESKIP

00 20 45

------------------------------------>

B8 07 -> GRANDFINALE

C4 07

37 00 20

38

00 DE -> DISABLESKIP

00 20 1A 07 D0

38

01 35 -> WAITM

01 20

38

02 76 -> STAFFROLL

00 20

38

02 80 -> FADENONE

00 20 1A 03 E8

38

01 35 -> WAITM

01 20

38

02 89 -> FINEFFECT

00 20

1D

02 93 -> BGM_ED_SCORE1

38

02 A1 -> BGM1START

01 20 19 05

38

02 AB -> DISPPRELOADWHOLEFORCE

01 20 19 06

38

02 AB -> DISPPRELOADWHOLEFORCE

01 20 19 07

38

02 AB -> DISPPRELOADWHOLEFORCE

01 20 19 08

38

02 AB -> DISPPRELOADWHOLEFORCE

01 20 19 09

38

02 AB -> DISPPRELOADWHOLEFORCE

01 20 19 0A

38

02 AB -> DISPPRELOADWHOLEFORCE

01 20

38

02 C1 -> WARRECORD

00 20 19 05

38

02 CB -> DISLOADWHOLEFORCE

01 20 19 06

38

02 CB -> DISLOADWHOLEFORCE

01 20 19 07

38

02 CB -> DISLOADWHOLEFORCE

01 20 19 08

38

02 CB -> DISLOADWHOLEFORCE

01 20 19 09

38

02 CB -> DISLOADWHOLEFORCE

01 20 19 0A

38

02 CB -> DISLOADWHOLEFORCE

01 20

38

02 DE -> UNITRANKING

00 20

38

02 EA -> BGM1_FADEOUT_WAIT

00 20

38

01 58 -> ENABLESKIP

00 20 45

------------------------------------>

For some reason, these files use a mixture of reversed and non-reversed pointers. Reversed pointers (GBA/DS style) seem to be the norm and point straight to the address without any extra offsets (e.g. B8 07 points to 0x7B8). Non-reversed pointers seem to be called by a 38 or 1D byte and point to an address offset by +2C (e.g. 01 58 points to 0x184).

Most of the labelled commands are pretty easy to work out, although I don't have the patience to work out how the scripts are laid out exactly.

From what I can make out, it seems Soren doesn't need to be alive to see his special Epilogue (he just needs to be recruited). Pelleas's survival also doesn't seem to matter. I haven't really looked into the arguments in great depth though.

Interestingly, it seemed Soren was going to fight Tauroneo in Part 3 Chapter 14. I think they swapped that with Pelleas in Chapter 13 though.

Edited by VincentASM
Link to comment
Share on other sites
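The two pointer encodings described in the post above, as an added example (not code from the thread): reversed pointers are read as little-endian absolute addresses, and the two bytes after a 38 or 1D byte as a big-endian value plus 0x2C. The sample file, its 5-byte records, the pointer at offset 0 and the Shift-JIS label encoding are constructed assumptions; only the 0x2C base, the two marker bytes and the B8 07 / 01 58 values come from the notes.

```python
import struct

STRING_BASE = 0x2C          # offset the post reports for non-reversed pointers
PTR_OPCODES = (0x38, 0x1D)  # bytes the post says precede a non-reversed pointer


def reversed_ptr(raw: bytes) -> int:
    """Little-endian 16-bit pointer: already an absolute file address."""
    return struct.unpack("<H", raw)[0]


def non_reversed_ptr(raw: bytes) -> int:
    """Big-endian 16-bit pointer: add 0x2C to get the file address."""
    return struct.unpack(">H", raw)[0] + STRING_BASE


def read_label(blob: bytes, addr: int) -> str:
    """Read a NUL-terminated label (Shift-JIS is an assumption)."""
    if not 0 <= addr < len(blob):
        raise ValueError(f"pointer 0x{addr:X} is outside the file")
    end = blob.find(b"\x00", addr)
    if end == -1:
        raise ValueError(f"label at 0x{addr:X} is not terminated")
    return blob[addr:end].decode("shift_jis")


def resolve_operand(blob: bytes, pos: int):
    """Resolve the pointer after a 38 or 1D byte at `pos` to (address, label)."""
    if pos < 0 or pos + 3 > len(blob):
        raise ValueError(f"no room for a pointer at 0x{pos:X}")
    if blob[pos] not in PTR_OPCODES:
        raise ValueError(f"byte at 0x{pos:X} is not 38 or 1D")
    target = non_reversed_ptr(blob[pos + 1:pos + 3])
    return target, read_label(blob, target)


def build_sample() -> bytes:
    """Constructed file: 0x2C header bytes, three labels, then script bytes."""
    header = bytearray(STRING_BASE)
    labels = b"DISABLESKIP\x00BLACKOUT\x00BGMSETVOL\x00"
    # Constructed: a reversed pointer at offset 0 gives the script's address.
    header[0:2] = struct.pack("<H", STRING_BASE + len(labels))
    script = bytes.fromhex("38 00 00 00 20 38 00 0C 00 20 38 00 15 03 20")
    return bytes(header) + labels + script


def walk_sample():
    """Follow the reversed pointer, then resolve each 5-byte sample record."""
    blob = build_sample()
    start = reversed_ptr(blob[0:2])
    return [resolve_operand(blob, start + 5 * i) for i in range(3)]


if __name__ == "__main__":
    for addr, label in walk_sample():
        print(f"0x{addr:03X} -> {label}")
```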

Thanks to shadowofchaos, I managed to get a hacked copy of FE10 working. Unfortunately my good PC just died again, so I didn't get to do much testing : /

Some stuff that I got to work...

Changing the army data proved pretty easy. I couldn't get Wiiscrubber to replace a file larger than the original though, maybe I need to erase some useless files first.

However, I did get to mess around with different characters, classes and weapons. For some reason, Edward as a Sniper doesn't seem to work properly; during battle, he stands like he's crucified and doesn't seem to attack the enemy o__o

Also, for randomness, I made Alondite an E Rank sword and gave it to Cleric!Mist.

Next, I tried to change the pacifist tables so the bandits wouldn't attack Micaiah and Edward. That didn't seem to work. It did work when I changed Micaiah's pacifist table to stop her attacking the bandits though. How odd.

Didn't get time to see if the Biorhythm, Terrain and Weapon Triangle editors work.

Edited by VincentASM
Link to comment
Share on other sites

The strange pattern of endianness/offsetting going on with the pointers, if I had to guess, is related to the different cores of the Wii. The direct little endian pointers might be being passed to the Starlet, which I'm fairly certain does the IOS stuff (like handling disc reads), and considering that it's an ARM core like what the GBA/DS use, I would expect the Starlet to be little endian. The Wii's main processor, the PowerPC, is big endian. I'm not sure what you're looking at here, but if the little endian pointers are pointing to data that is loaded in the RAM and the big endian pointers are to data within a file such that the whole thing will already be in the RAM when it is utilized, then there's your explanation: data coming off the disc needs little endian pointers and data already off the disc needs big endian pointers.

Though it's entirely possible Intelligent Systems or whoever designed a wonky struct to hold array indices and treat the files as byte arrays (as any file pretty much is one), and these indices are stored as big endian as they are not actually "pointers" (which could then be stored with a different endianness as they are a different data type? Although that's still weird). The offsetting is confusing me too, though. I can only think it would do that to point past meta data; i.e. the first 0x2C bytes are actually related data, but not the data itself; rather, data about the data that follows. Or perhaps 0x2C bytes at the beginning of a block of data/file is where the meta data is and the offset is applied with 0x2C as the base address as such. Something to look into.

I've only run NSMBWii with my USB Gecko active. I didn't dump the file system or do any ISO hacking.

Link to comment
Share on other sites

I think you're right that the offset might be to do with metadata or something similar. The relevant data appears to start after 0x2C. I've noticed a similar case with some other FE9/10 files (which are typically offset by 0x20 instead).

The little and big-endian pointers can be found in the same files. It does seem a little wonky o__o

I forget which endianness is which, but the non-reversed pointers (in the script files) point to stuff within the "database". The reversed pointers point to labels at the very top (the header?) (as opposed to labels at the bottom for non-reversed pointers).

Link to comment
Share on other sites

Been messing around with FE9 a little.

I was using GameCube Rebuilder, which seems to work a bit better than GCTool for editing files. The best part is that once you've rebuilt an ISO, you can also replace files with larger ones (up to a limit of 2KB per file, but that's enough for the files I'm working with).

I haven't done anything too complicated yet, just swapping classes and items. Annoyingly the army/disposition data is compressed (unlike in FE10/11), but I suppose it's just one more step...

Female Bishop (Elincia)

Female Heron (Leanne)

Generic Heron (discoloured palette)

There's a lot of unused stuff compared to FE10/11, but most of them don't fully work (which is to be expected) or most people already know about them (eg. the S Rank weapons, Bright Bow, Devil Axe).

I can't remember right now if there were any FE9 mysteries to solve. Maybe I could test Lethality (again) to see if it runs off Critical/2.

Edited by VincentASM
Link to comment
Share on other sites

Formulas for damage, defense and probable things like criticals and assassinations are best defined by interpreting actual game code. Do you not have a way of doing that?

If the little endian (reversed) pointers point to within the header, that header might well be meta data for that file used by the file system which I guess would be on the Starlet. The fact that the pointer has a leading byte that isn't actually part of the pointer would hint that the related bytes are passed as a command/argument(s) style byte string to the IOS, perhaps. Much like how reading from the NDS card involved writing B7 AA AA AA AA 00 00 00, with the AAs as the address, to the MAC I/O registers to get data from that address on the card into related MAC I/O registers, which can then be polled to copy data from the card to the RAM. I could be completely wrong, but I've done some work that made the IOS less transparent back when I was trying to make my own version of what turned out to be Gecko OS, and I've seen how the IOS very closely resembles the DS's system for accessing separate media.

I guess I shouldn't say "the" IOS as the IOS used by a Wii game varies from game to game, and even based on how the user is running their application (it seemed to me that the USB Loader works by overriding the game's desired IOS with one that causes disc reads to become USB reads).

Relevant link - confirms my understanding of the IOS, too.

2 Kilobytes seems like a strange and measly limit for expanded files.

Edited by Xeld
Link to comment
Share on other sites

> Formulas for damage, defense and probable things like criticals and assassinations are best defined by interpreting actual game code. Do you not have a way of doing that?

Nah, I'm afraid I don't. The best I can do is rely on (semi) large-number statistics, like hitting bandits 50-100 times.

> 2 Kilobytes seems like a strange and measly limit for expanded files.

Well, I suppose it's only the first version of the program. From what I can tell, what they did was space every single file in the ISO by 2 KB. Probably not the most elegant method, but they did mention it was only good for minor edits.

Does anyone know where are the pointers to the forging items (Iron Sword,Steel Sword,etc...) in the shopitem.bin, please?

Could you upload the file? I'm using the JP version, which you might not be using. Forging data varies per chapter, so you're going to be looking at a lot of pointers.

If you're not in a hurry, I'll probably look into it tomorrow.

Link to comment
Share on other sites

Alright, instead of actually modifying the separate pointers in the forge, it's probably more convenient to re-point Chapter 1-F and 3-3's forges to a later forge in the game (I assume you just want to have all available weapons to forge).

I'm not sure at which point you get to forge every weapon, but I'm guessing Chapter 4-5 (the last chapter before entering the tower) should be okay.

If this is all you want to do, then:

Go to the address 0x11EA4 and change the pointer 00 00 4E CC to 00 00 97 EC. This will change the Chapter 1-F forge to use the data from Chapter 4-5.

Go to the address 0x11EEC and change the pointer 00 00 68 1C to 00 00 97 EC. This will change the Chapter 3-3 forge to use the data from Chapter 4-5.

Unfortunately I don't have a far enough save to test that this works. I'm fairly confident that it should though. Also, remember that this probably only affects the forge in (NA) Easy mode.

If you want to try different chapters, scroll down to 0x123CC and look up their labels (bearing in mind the Prologues are counted as 01, so Chapter 1 is 02 and etc.). Then locate the beginning of the label, convert that address into a pointer and subtract 123CC from it (this only applies for the bottom half of the file). Eg. FSHOP_ITEMS_C0406 (FSHOP stands for forging shop I guess) starts at 0x12676, so the pointer for it is 12676 - 123CC = 00 00 02 AA. Run a hex search for the pointer, and the pointer to the left of it should point to the forging data (in this case it's 00 00 97 EC).

Edited by VincentASM
Link to comment
Share on other sites
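The label-to-pointer lookup from the post above, as an added example (not code from the thread): it converts a label's address into a pointer relative to 0x123CC, searches for that pointer, reads the pointer to its left, and overwrites a forge pointer only when the old value matches what the post quotes. The sample buffer and the 0x11F00 location of the C0406 entry are constructed; the other addresses and values are the ones given in the post.

```python
import struct

LABEL_BASE = 0x123CC  # start of the label block in shopitem.bin, per the post


def label_pointer(blob, label, base=LABEL_BASE):
    """Offset of a NUL-terminated label, relative to the label block."""
    addr = blob.find(label.encode("ascii") + b"\x00", base)
    if addr == -1:
        raise ValueError(f"label {label!r} not found")
    return addr - base


def find_data_pointer(blob, label, base=LABEL_BASE):
    """Return (address, value) of the pointer stored left of the label pointer."""
    needle = struct.pack(">I", label_pointer(blob, label, base))
    hits = []
    pos = blob.find(needle, 4, base)
    while pos != -1:
        if pos % 4 == 0:  # ignore matches that straddle two 32-bit fields
            hits.append(pos)
        pos = blob.find(needle, pos + 1, base)
    if len(hits) != 1:
        raise ValueError(f"expected one match for {label!r}, found {len(hits)}")
    addr = hits[0] - 4
    return addr, struct.unpack(">I", blob[addr:addr + 4])[0]


def repoint(blob, addr, expected_old, new):
    """Overwrite a 32-bit pointer only if it still holds the expected value."""
    old = struct.unpack(">I", blob[addr:addr + 4])[0]
    if old != expected_old:
        raise ValueError(f"0x{addr:X} holds 0x{old:08X}, not 0x{expected_old:08X}")
    blob[addr:addr + 4] = struct.pack(">I", new)


def build_sample():
    """Constructed stand-in for shopitem.bin holding only the fields used here."""
    blob = bytearray(0x12700)
    blob[0x11EA4:0x11EA8] = bytes.fromhex("00004ECC")  # Chapter 1-F forge pointer
    # Constructed location for the C0406 entry: data pointer, then label pointer.
    blob[0x11F00:0x11F08] = bytes.fromhex("000097EC000002AA")
    name = b"FSHOP_ITEMS_C0406\x00"
    blob[0x12676:0x12676 + len(name)] = name
    return blob


if __name__ == "__main__":
    sample = build_sample()
    entry, data_ptr = find_data_pointer(sample, "FSHOP_ITEMS_C0406")
    print(f"entry at 0x{entry:X} points to forging data 0x{data_ptr:08X}")
    repoint(sample, 0x11EA4, 0x4ECC, data_ptr)
```

The old-value check in `repoint` makes the edit fail instead of silently corrupting a file whose layout differs from the one the offsets were read from.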

Thank you very much... What I also have in mind is to find a way to forge blades like Alondite and Ragnell (although that may be impossible... :P)... also I tried to change Micaiah's class in dispos_n.bin, but when the cutscene of Micaiah and Edward is about to begin the game freezes... it seems like you can't change the class of characters like Micaiah and Ike (but I am not sure, maybe I did something wrong...)

Edited by roxas210
Link to comment
Share on other sites

I managed to change them to their promoted classes and it worked fine. It might not be a good idea to change them to classes they can't normally be (this seems to be okay for generic enemies though).

Maybe you need to press Start to skip the cutscenes?

If none of those work, tell me what you tried and I'll see if I can figure out what's wrong. I should have the NA dispos files me.

EDIT

Forging non-forging weapons does seem a bit shaky. When I get far enough into the game (still on Chapter 1 of my hacked run) I might try it myself.

Although you could just hack the weapon stats. Unless the main reason was to change the colour and names.

Edited by VincentASM
Link to comment
Share on other sites

Well actually I am using the PAL version of the game... And one more thing, I used both a non-promoted and a 2nd-tier class change for her but the result was the same, I also tried to go through the cutscenes and yet, and the forging modification didn't really work, in fact it crashes when I go to the forge option, just to let you know.

Link to comment
Share on other sites

The forge hack was probably a little hopeful. I'll have to see what's wrong with it later : o

I'm assuming most of the files don't differ much for the NA and PAL versions, but you can upload your dispos file if you want. I'm really puzzled as to why it's not working.

Link to comment
Share on other sites

I just checked and the dispos file you uploaded is from the debug map (bmap0000). If you messed up the game by editing this file, then there's something really wrong since the game shouldn't even load this map (at least I don't expect it to). The Part 1 Prologue map is in bmap0101.

I also compared it to the NA version and the files matched exactly, which isn't really surprising.

In any case, I'm going to see if I can hack some magic swords into FE10. I wonder if there's some way to reconvert TPL data...

Link to comment
Share on other sites

This one is extracted exactly from the iso so I believe it should work fine... next thing I am trying to see is to make some weapon (if not all) have infinite use. As far as tpl files are concerned do you mean convert them to some format like jpg or png and then import them?

Link to comment
Share on other sites

> This one is extracted exactly from the iso so I believe it should work fine

I'm not sure what you're trying to get across here. The dispos file is from a chapter that you can't access without hacking. You're not really intending on editing it are you? o__o

> ...next thing I am trying to see is to make some weapon(if not all) have infinite use.

There should be a flag of infinite uses. However, the weapon probably needs to have some existing flags for you to overwrite.

> as far as tpl files are concerned do you mean convert them to some format like jpg or png and then import them?

Sort of. It would be cool to edit some of the graphics. I've been playing around with swapping texture files, although I haven't gotten any to work properly ^^;;;

Edited by VincentASM
Link to comment
Share on other sites

> I just checked and the dispos file you uploaded is from the debug map (bmap0000). If you messed up the game by editing this file, then there's something really wrong since the game shouldn't even load this map (at least I don't expect it to). The Part 1 Prologue map is in bmap0101.
>
> I also compared it to the NA version and the files matched exactly, which isn't really surprising.
>
> In any case, I'm going to see if I can hack some magic swords into FE10. I wonder if there's some way to reconvert TPL data...

:wub::wub::wub: Did you know i love you Vincent? :wub::wub::wub:

Link to comment
Share on other sites

About the dispos file yes I am not really on editing it... Well I remember that there used to be a program to convert tpl to jpg (or png, not sure) but I am not sure if it could convert back to tpl.

Link to comment
Share on other sites
