Hacking Does anyone have an ips patch of the Wii U version of MMBN5?

Bryon15

Well-Known Member
OP
Member
Joined
Aug 9, 2010
Messages
1,282
Trophies
0
Age
39
Location
united states
XP
1,896
Country
United States
Look at this:

http://forums.therockmanexezone.com/topic/8947437/1/

I was able to patch those megaman battle network games and then convert them to cia format and install them in my 3ds. They work great. Unfortunately they don't have battle network 5, because nintendo fixed the exploit that was used to obtain these in the newest Wii U system software, so it's no longer possible to do this yourself unless you have a Wii U on version 5.3.2 or lower. Does anyone here have it?
 

VinsCool

Persona Secretiva Felineus
Global Moderator
Joined
Jan 7, 2014
Messages
14,600
Trophies
4
Location
Another World
Website
www.gbatemp.net
XP
25,218
Country
Canada
It's $8. And no I don't need both. I'd prefer the team colonel version. But it doesn't really matter.
I'll get it, unless someone else do it before me.

Let's wait for tomowwor though.
 

VinsCool

Persona Secretiva Felineus
Global Moderator
Joined
Jan 7, 2014
Messages
14,600
Trophies
4
Location
Another World
Website
www.gbatemp.net
XP
25,218
Country
Canada
Ok, I got the rom.

It seems like some change made it not working as is.

By reverting some of the bytes from the original GBA version, I got the rom to boot. but that's to be investigated. I have no idea if it works or not that way, I have little to no GBA hacking knowledge.
The four bytes at 0x6084 seem to be the key to making it boot


so, I'll just post the IPS patch out of the raw GBA rom dump from my WiiU.

https://mega.nz/#!ep9SQRQR!OT5qUhtaD8cG4v_qtTvfKOomKDU0R2FUQY0DBOSTcT4

Apply over "2032 - Megaman Battle Network 5 Team Colonel (U).gba"

Please note: It'll not work as is.
 

VinsCool

Persona Secretiva Felineus
Global Moderator
Joined
Jan 7, 2014
Messages
14,600
Trophies
4
Location
Another World
Website
www.gbatemp.net
XP
25,218
Country
Canada
Awesome job man. Thank you. I'll try it out in a little bit. :)
Please note that something is making the rom non working. It needs a bit of patching it seems. I hope that a gba hacker could tell what it is.
 

Prof. 9

Well-Known Member
Member
Joined
Jun 17, 2008
Messages
324
Trophies
1
Location
The Netherlands
Website
twitter.com
XP
853
Country
Netherlands
I can probably answer this one.

Here's what the four bytes they changed at 6084 do:
Code:
08006084    F1C1F8BC    bl    81C7200h
This instruction hooks into a function that is called on every screen transition to do... something. If we follow it to its destination we find the following function that was added to the ROM at 1C7200:
Code:
081C7200    4650        mov    r0,r10
081C7202    213C        mov    r1,3Ch
081C7204    B430        push    r4,r5
081C7206    4C06        ldr    r4,=2002944h
081C7208    8824        ldrh    r4,[r4]
081C720A    2C00        cmp    r4,0h
081C720C    D003        beq    81C7216h
081C720E    2400        mov    r4,0h
081C7210    2500        mov    r5,0h
081C7212    E825        ????
081C7214    E002        b    81C721Ch
081C7216    2400        mov    r4,0h
081C7218    2501        mov    r5,1h
081C721A    E825        ????
081C721C    BC30        pop    r4,r5
081C721E    46F7        mov    r15,r14
081C7220    02002944

The first two lines just perform the same function as the instructions that were originally at 6084. After that, the game loads a halfword from 02002944 -- which appears to be the values for the current area and sub area -- and compares them to 0x0000, which happens to be the ACDC Town overworld map. It then loads 0 into r4 and either 0 or 1 into r5 depending on whether you are in the ACDC Town map, and executes the instruction encoded as 0xE825. However, this is actually an invalid CPU instruction (hence the ????) so the emulator doesn't know what to do with it and crashes.

It just so happens that the Virtual Console version of MMBN5 applies a motion blur/frame blending effect to the screen when you are in the ACDC Town map. I have no idea why they did that, my best guess would be because of the flickering helicopter shadow sprite that shows up near the end of the game. Virtual Console versions of games tend to patch out certain effects that could possibly be seizure inducing.

In any case, since 0xE825 is not a valid instruction I'd wager a guess that it actually tells the Virtual Console emulator how to apply the motion blur effect (with r4 and r5 being the parameters). Ideally I suppose the GBA emulator would replicate this effect or simply ignore the instruction, but either way we can simply patch it out.

So to make the game function correctly in conventional emulators, write two bytes 00 00 to 1C7212 as well as to 1C721A.

Now if you don't mind, I'll go ahead and add this patch to the topic that was linked in the first post. :)
 
Last edited by Prof. 9,

VinsCool

Persona Secretiva Felineus
Global Moderator
Joined
Jan 7, 2014
Messages
14,600
Trophies
4
Location
Another World
Website
www.gbatemp.net
XP
25,218
Country
Canada
I can probably answer this one.

Here's what the four bytes they changed at 6084 do:
Code:
08006084    F1C1F8BC    bl    81C7200h
This instruction hooks into a function that is called on every screen transition to do... something. If we follow it to its destination we find the following function that was added to the ROM at 1C7200:
Code:
081C7200    4650        mov    r0,r10
081C7202    213C        mov    r1,3Ch
081C7204    B430        push    r4,r5
081C7206    4C06        ldr    r4,=2002944h
081C7208    8824        ldrh    r4,[r4]
081C720A    2C00        cmp    r4,0h
081C720C    D003        beq    81C7216h
081C720E    2400        mov    r4,0h
081C7210    2500        mov    r5,0h
081C7212    E825        ????
081C7214    E002        b    81C721Ch
081C7216    2400        mov    r4,0h
081C7218    2501        mov    r5,1h
081C721A    E825        ????
081C721C    BC30        pop    r4,r5
081C721E    46F7        mov    r15,r14
081C7220    02002944

The first two lines just perform the same function as the instructions that were originally at 6084. After that, the game loads a halfword from 02002944 -- which appears to be the values for the current area and sub area -- and compares them to 0x0000, which happens to be the ACDC Town overworld map. It then loads 0 into r4 and either 0 or 1 into r5 depending on whether you are in the ACDC Town map, and executes the instruction encoded as 0xE825. However, this is actually an invalid CPU instruction (hence the ????) so the emulator doesn't know what to do with it and crashes.

It just so happens that the Virtual Console version of MMBN5 applies a motion blur/frame blending effect to the screen when you are in the ACDC Town map. I have no idea why they did that, my best guess would be because of the flickering helicopter shadow sprite that shows up near the end of the game. Virtual Console versions of games tend to patch out certain effects that could possibly be seizure inducing.

In any case, since 0xE825 is not a valid instruction I'd wager a guess that it actually tells the Virtual Console emulator how to apply the motion blur effect (with r4 and r5 being the parameters). Ideally I suppose the GBA emulator would replicate this effect or simply ignore the instruction, but either way we can simply patch it out.

So to make the game function correctly in conventional emulators, write two bytes 00 00 to 1C7212 as well as to 1C721A.

Now if you don't mind, I'll go ahead and add this patch to the topic that was linked in the first post. :)
Glad to know that I and @daxtsu weren't too far from your explanation :)

In my end, reverting those bytes to their gba release counterpart made the rom booting in my end, so I guess I was in the right path xD

Thank you for the explanation, this is greatly appreaciated :)
 
  • Like
Reactions: daxtsu

daxtsu

Well-Known Member
Member
Joined
Jun 9, 2007
Messages
5,627
Trophies
2
XP
5,194
Country
Antarctica
In any case, since 0xE825 is not a valid instruction I'd wager a guess that it actually tells the Virtual Console emulator how to apply the motion blur effect (with r4 and r5 being the parameters).

That's what I suspected, but I don't know ARM assembly, so I could only speculate as well. Thanks for clearing that up.
 
  • Like
Reactions: VinsCool

VinsCool

Persona Secretiva Felineus
Global Moderator
Joined
Jan 7, 2014
Messages
14,600
Trophies
4
Location
Another World
Website
www.gbatemp.net
XP
25,218
Country
Canada
Bumping this thread, I made more patches :)

Megaman Battle Network 3 White: Apply over "1080 - Megaman Battle Network 3 White (U).gba"
Megaman Battle Network 4 Red Sun: Apply over "1554 - Megaman Battle Network 4 Red Sun (U).gba"
Megaman Battle Network 6 Gregar: Apply over "2427 - Megaman Battle Network 6 Cybeast Gregar (U).gba"
Megaman Battle Network 6 Falzar: Apply over "2436 - Megaman Battle Network 6 Cybeast Falzar (U).gba"


Also;
Megaman Battle Network 5 Team Protoman is still missing, but I'll get this one eventually too ;)

Have fun!

@Prof. 9 @Hiccup @Bryon15 @Bjnido35
 

Attachments

  • Megaman Battle Network Patches.zip
    4.5 KB · Views: 282
Last edited by VinsCool,

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
  • impeeza @ impeeza:
    @Xdqwerty yes, when you are installing Windows on the first steps you are asked for your current location, you MUST to select «international» so no bloatware is installed, because the bloatware is location based. if this night I have some time I will setup a VM and take screenshots.
    +2
  • BigOnYa @ BigOnYa:
    User Gates "Disliked" your answer.
    +3
  • Psionic Roshambo @ Psionic Roshambo:
    Damn cleaned up 348GB's of crap I wasn't using with that lol
    +2
  • BigOnYa @ BigOnYa:
    But can it completely remove RealPlayer? Lol jk
    +3
  • Psionic Roshambo @ Psionic Roshambo:
    I remember at one point it being pretty much labeled as malware lol
  • Psionic Roshambo @ Psionic Roshambo:
    I think my favorite one was that dancing purple gorilla... I uninstalled that thing from sooo many machine people would be like "Why is my computer so slow?" lol because this thing is using like 30% of your system resources.....
    +1
  • Psionic Roshambo @ Psionic Roshambo:
    This one lady... her son kept installing Kazaa... OK no problem the issue is he would download DBZ movies and they where amazing usually like 2-8KB in size lol can't remember how many times I had to format and reinstall windows over his stupidity. I even explained to him about file sizes multiple times...
    +1
  • Psionic Roshambo @ Psionic Roshambo:
    yeah Bonzi buddy was malware sort of... It was borderline lol
  • Psionic Roshambo @ Psionic Roshambo:
    At minimum it was nothing anyone should have ever installed lol
    +1
  • SylverReZ @ SylverReZ:
    @BigOnYa, RealPlayer is spyware too.
    +2
  • SylverReZ @ SylverReZ:
    @Psionic Roshambo, Yeah, BonziBuddy was both spyware and ad-ware. It collected children's personal information without consent as well as display fake Windows popups.
    +1
  • Xdqwerty @ Xdqwerty:
    @SylverReZ, atleast bonzi got discontinued
    +2
  • SylverReZ @ SylverReZ:
    @Xdqwerty, The people who created Bonzi now owns a company called 2KDirect; an advertising firm. https://www.ipromote.com/
    +1
  • Xdqwerty @ Xdqwerty:
    @SylverReZ, atleast they get slightly cleaner money
    +1
  • BakerMan @ BakerMan:
    guys, hot take
    +2
  • Psionic Roshambo @ Psionic Roshambo:
    So Bonzi buddy was an evil version of Alexa lol
    +2
  • BakerMan @ BakerMan:
    the legal drinking age here in the US is 21, as some of you may know, but i think either it should be 18 or the age you're an adult should be 21.
    +2
  • BakerMan @ BakerMan:
    and i know what you may be thinking, "why become an adult at 21? doesn't that mean that banging an 18 year old would be illegal?"
    first of all, being in a relationship with someone who's 18 is technically ok, as long as it started when they were 18, but the age gap is still weird depending on how old you are. besides, the age of consent differs between different states
    BakerMan @ BakerMan: and i know what you may be thinking, "why become an adult at 21? doesn't that mean that banging...