Kodewerx :: View topic - AR F-Code Memory Dumper

923d629a 00000400 //X Button starts code
D3000000 023CDD40 //Set the Offset (I am using this with MKDS as a test)
FA000000 00000400 //Memory Dump (1024 Bytes)
d2000000 00000000

Memory Dumper -> GBA SRAM *UNTESTED*
023FE4D8 0A000003 ; Kenobi's "DB Code Type Fix"
94000130 FCFF0000 ; L+R to begin dumping
D3000000 02000000 ; Set dump source; Address to dump from (0x02000000)
C0000000 00010000 ; GBA SRAM is only 64KB is size (dump 64KB at a time)
DB000000 00000000 ; Load byte from dump source
D8000000 08000000 ; Store byte to GBA SRAM and increment dump source (***SEE NOTE***)
D2000000 00000000 ; End

***NOTE***
The second half of this line *MIGHT* have to be changed if you change the dump source. (Which you probably will!) To determine how to change it, subtract your dump source from 0x0A000000 to get the new 'store offset' for this line. Mathematically:
n = (0x0A000000 - source)

On the other hand, it might be safe to leave this line alone if your dump source is a multiple of 64KB. (Meaning the last four digits of the address are '0000' -- Which it should be!) I am currently unable to test this code, because I do not own an Action Replay. But experiment with this code, and let me know what works and what doesn't.

94000130 FDFF0000 //L Button activator
D3000000 02000000 //Load an offset
C0000000 00010000 //Should dump 128K since GBA Flashcart bus is 16 bits wide
DA000000 00000000 //Copy half-word into memory
D7000000 06000000 //Store half-word at 0x08000000
D2000000 00000000 //Loop

mov r1, #0x08000000 @m3 unlock
ldrh r0, [r1, #0x0]
mov r2, #0x08E00000
ldrh r0, [r2, #0x2]
ldrh r0, [r1, #0xE]
mov r2, #0x08800000
add r0, r2, #0x1F00
ldrh r0, [r0, #0xFC]
add r0, r1, #0x1000
ldrh r0, [r0, #0x4A]
add r0, r2, #0x600
ldrh r0, [r0, #0x12]
ldrh r0, [r1]
add r0, r2, #0x1b00
ldrh r0, [r0, #0x66]
ldrh r0, [r2, #0x4]
ldrh r0, [r1]
ldr r2, =0x09FFEFFE @ enable write
ldr r0, =0xAA55
strh r0, [r2]

inline void XROMUnlockSequence() {
*(vu16*)0x08001554 = 0xAAAA;
*(vu16*)0x08000AAA = 0x5555;
}

void xrom_erase(u32 addr, u32 size) {
int i = 0;

while (i < size) {
   *(vu16*)0x09000000 = 0x8000;
   *(vu16*)0x09000000 = (0x8400 | (addr >> 17));

   XROMUnlockSequence();
   *(vu16*)0x08001554 = 0x8080;

   XROMUnlockSequence();
   *(vu16*)0x08000000 = 0x3030;

   while ((*(vu16*)0x08000000 & 0x8080) != 0x8080);

   i += (128 * 1024);
   addr += (128 * 1024);
}
}

void xrom_write(u32 addr, u16 *buffer, u32 size) {
int i = 0, j;

while (i < size) {
   *(vu16*)0x09000000 = 0x8000;
   *(vu16*)0x09000000 = (0x8400 | (addr >> 17));

   XROMUnlockSequence();
   *(vu16*)(0x08000000 | (addr & 0x0001FFFF)) = 0x2525;

   *(vu16*)(0x08000000 | (addr & 0x0001FFFF)) = 0x1F1F;

   for (j = 0; j < 32; j++) {
      *(vu16*)(0x08000000 | (addr & 0x0001FFFF) | (j << 1)) = buffer[(i >> 1) + j];
   }

   *(vu16*)0x08000000 = 0x2929;

   while ((*(vu16*)(0x08000000 | (addr & 0x0001FFFF) | (31 << 1)) & 0x8080) != (buffer[(i >> 1) + 31] & 0x8080));

   i += 64;
   addr += 64;
}
}

Author:	dexter0 [ Tue Feb 06, 2007 9:38 pm ]
Post subject:	AR F-Code Memory Dumper
I'm trying to create a make-shift memory dumper using the F type code. In theory it should dump X number of bytes to the GBA Flashcart RAM. It works, but only for very small numbers of bytes. If I try to dump 1024 (Might be a lower number) or more bytes, nothing gets dumped or the DS hangs indefinitely. Any Ideas? Code: 923d629a 00000400 //X Button starts code D3000000 023CDD40 //Set the Offset (I am using this with MKDS as a test) FA000000 00000400 //Memory Dump (1024 Bytes) d2000000 00000000

Author:	Parasyte [ Tue Feb 06, 2007 11:01 pm ]
Post subject:
The F code type copies words at a time. The GBA SRAM bus is only 8-bits wide. Try using the 'C' loop code type to create a generic 8-bit memory copy. Also, it will only work if the ARM7 is running the code engine. (Or you can change the GBA bus access I/O register to allow ARM9 to do the copy.)

Author:	kickenchicken57 [ Wed Feb 07, 2007 6:04 am ]
Post subject:	Re: AR F-Code Memory Dumper
dexter0 wrote: I'm trying to create a make-shift memory dumper using the F type code. In theory it should dump X number of bytes to the GBA Flashcart RAM. It works, but only for very small numbers of bytes. If I try to dump 1024 (Might be a lower number) or more bytes, nothing gets dumped or the DS hangs indefinitely. Any Ideas? Code: 923d629a 00000400 //X Button starts code D3000000 023CDD40 //Set the Offset (I am using this with MKDS as a test) FA000000 00000400 //Memory Dump (1024 Bytes) d2000000 00000000 Very interesting work, I hope to hear more about this. I Have an EZFA 256 card so I could use this.

Author:	Dualscreenman [ Wed Feb 07, 2007 6:08 am ]
Post subject:
I as well would be very interested in having a RAM dumper for hacking work. Here's a question; how will I retrieve the dumped data from the SRAM?

Author:	Parasyte [ Wed Feb 07, 2007 7:11 am ]
Post subject:
Use the SRAM backup tool that came with your GBA flash cart. Here's my version of this code: Code: Memory Dumper -> GBA SRAM UNTESTED 023FE4D8 0A000003 ; Kenobi's "DB Code Type Fix" 94000130 FCFF0000 ; L+R to begin dumping D3000000 02000000 ; Set dump source; Address to dump from (0x02000000) C0000000 00010000 ; GBA SRAM is only 64KB is size (dump 64KB at a time) DB000000 00000000 ; Load byte from dump source D8000000 08000000 ; Store byte to GBA SRAM and increment dump source (*SEE NOTE) D2000000 00000000 ; End NOTE* The second half of this line MIGHT have to be changed if you change the dump source. (Which you probably will!) To determine how to change it, subtract your dump source from 0x0A000000 to get the new 'store offset' for this line. Mathematically: n = (0x0A000000 - source) On the other hand, it might be safe to leave this line alone if your dump source is a multiple of 64KB. (Meaning the last four digits of the address are '0000' -- Which it should be!) I am currently unable to test this code, because I do not own an Action Replay. But experiment with this code, and let me know what works and what doesn't.

Kodewerx https://www.kodewerx.org/forum/

AR F-Code Memory Dumper https://www.kodewerx.org/forum/viewtopic.php?f=2&t=677	Page 1 of 1

Author:	Dualscreenman [ Wed Feb 07, 2007 8:24 am ]
Post subject:
I tested out the code. The game stuttered slightly and glitched a tiny bit graphically for a second or so. I have no way of seeing how the dump looks since the drivers for my cart are Windows only. Perhaps later today I can see if it works.

Author:	dexter0 [ Wed Feb 07, 2007 8:25 pm ]
Post subject:
The new code works great. Thank you Parasyte. It is very fast too (~1-2 seconds). Even better, the GBA cart can be removed in the middle of the game without a crash allowing for multiple backups without powering off

Author:	Dualscreenman [ Wed Feb 07, 2007 9:49 pm ]
Post subject:
Yes, this is very nice. I can hack all my legit games now. ROMS, on the other hand are limited to the size of my old NAND cart. Fucking Supercard people. I smell a rant coming on.

Author:	dexter0 [ Wed Feb 07, 2007 10:07 pm ]
Post subject:
I seem to have run into a problem. The code works, but only for a base offset of 02000000. Any higher and it writes nothing. (The next value up I tried was 02001000 and then 020d14df). I have been testing this with DKR and I am going to try it with a different game. EDIT 1: Only seems to work at 02000000 for MKDS too.

Author:	Parasyte [ Wed Feb 07, 2007 10:49 pm ]
Post subject:
Read the *NOTE*

Author:	Dualscreenman [ Thu Feb 08, 2007 6:30 am ]
Post subject:
As long as you follow the note you can dump fine. However Yoshi's Island does not want to be hacked. I will conquer!

Author:	dexter0 [ Thu Feb 08, 2007 7:08 am ]
Post subject:
Sorry about that. Works great now.

Author:	kickenchicken57 [ Thu Feb 08, 2007 7:28 am ]
Post subject:
Which card are you guys using? I have the EZFA 256Mb and have not had a chance to test yet. And also, do you need to have something loaded onto your cart with save enabled to be able to dump your memory onto your card? I assume mine does, because the only way to get the save area off of my card is to flash it with a game and then enable saving.

Author:	Dualscreenman [ Thu Feb 08, 2007 7:45 am ]
Post subject:
If you have the means of getting .sav files of the card, you can use any GBA card that has SRAM. I am using a Smart Card. Besides whatever computer software you need for the flashcart, no secondary software is necessary. It comes with a burner that can read saves off of both the Smart Card and legit carts.

Page 1 of 1	All times are UTC - 8 hours [ DST ]
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/

Author:	dexter0 [ Sat Feb 17, 2007 8:51 am ]
Post subject:
My apologies for reviving this old thread however starting a new one seemed a waste of space for talk of the same subject. Since my GBA Flashcart uses the GBA as the transfer medium between cart and computer, and therefore the GBA is doing all the writing to cart, I thought that perhaps I could write to my cart from the DS by running a modified version Parasyte's code. Here is what I came up with: Code: 94000130 FDFF0000 //L Button activator D3000000 02000000 //Load an offset C0000000 00010000 //Should dump 128K since GBA Flashcart bus is 16 bits wide DA000000 00000000 //Copy half-word into memory D7000000 06000000 //Store half-word at 0x08000000 D2000000 00000000 //Loop When run, the game does freeze up for a second or two however nothing seems to get dumped. This may not work at all since most GBA Carts are read only. Perhaps the client program the runs on the GBA and interacts with the computer program writes to the cart a different way.

Author:	loading [ Sat Feb 17, 2007 1:38 pm ]
Post subject:
the way you write to your flashcard depends on the card. most have some unlock sequence (like read adress x, y, z, write a to address b.) so you will want too lookup this information about your card. for example if you want to write to an m3 type card (i never used my f2a for such things so i only know how to do it with m3) Code: mov r1, #0x08000000 @m3 unlock ldrh r0, [r1, #0x0] mov r2, #0x08E00000 ldrh r0, [r2, #0x2] ldrh r0, [r1, #0xE] mov r2, #0x08800000 add r0, r2, #0x1F00 ldrh r0, [r0, #0xFC] add r0, r1, #0x1000 ldrh r0, [r0, #0x4A] add r0, r2, #0x600 ldrh r0, [r0, #0x12] ldrh r0, [r1] add r0, r2, #0x1b00 ldrh r0, [r0, #0x66] ldrh r0, [r2, #0x4] ldrh r0, [r1] ldr r2, =0x09FFEFFE @ enable write ldr r0, =0xAA55 strh r0, [r2]

Author:	dexter0 [ Sat Feb 17, 2007 2:11 pm ]
Post subject:
Thank you loading. I will search for this documentation for my XROM, although XROM documentation seems to be scarce on google.

Author:	Parasyte [ Sat Feb 17, 2007 9:29 pm ]
Post subject:
I worked on some of the XROM software during its initial release, and still have my prototype XROM board. This is the C source I wrote for accessing XROM flash. Code: inline void XROMUnlockSequence() { (vu16)0x08001554 = 0xAAAA; (vu16)0x08000AAA = 0x5555; } void xrom_erase(u32 addr, u32 size) { int i = 0; while (i < size) { (vu16)0x09000000 = 0x8000; (vu16)0x09000000 = (0x8400 \| (addr >> 17)); XROMUnlockSequence(); (vu16)0x08001554 = 0x8080; XROMUnlockSequence(); (vu16)0x08000000 = 0x3030; while (((vu16)0x08000000 & 0x8080) != 0x8080); i += (128 * 1024); addr += (128 * 1024); } } void xrom_write(u32 addr, u16 buffer, u32 size) { int i = 0, j; while (i < size) { (vu16)0x09000000 = 0x8000; (vu16)0x09000000 = (0x8400 \| (addr >> 17)); XROMUnlockSequence(); (vu16)(0x08000000 \| (addr & 0x0001FFFF)) = 0x2525; (vu16)(0x08000000 \| (addr & 0x0001FFFF)) = 0x1F1F; for (j = 0; j < 32; j++) { (vu16)(0x08000000 \| (addr & 0x0001FFFF) \| (j << 1)) = buffer[(i >> 1) + j]; } (vu16)0x08000000 = 0x2929; while (((vu16*)(0x08000000 \| (addr & 0x0001FFFF) \| (31 << 1)) & 0x8080) != (buffer[(i >> 1) + 31] & 0x8080)); i += 64; addr += 64; } } Usage is fairly simple, just erase as much as you need with xrom_erase(). (Block size is exactly 256KB, so your erases will be aligned to 256KB blocks.) Then you may begin writing your buffer to flash with xrom_write(). The 'addr' input argument to both functions is a relative address, NOT absolute. In other words, you will pass 0x00000000 as the first address, not 0x08000000. This code can be converted to ARM assembly and run that way. Some problems to watch for: 1) XROM has two 256mbit AMD NOR flash chips. They are rather slow, and will take a few minutes to complete a full erase/write cycle. (As with all NOR flash chips, you must erase before you will be able to write.) 2) AR's code engine runs on ARM7, which is only half as fast as the ARM9. The write cycle will especially be slow if you use something like Kenobi's ASM hack on the code engine. 3) If you want to use the ARM9 instead for faster writing, you will have to first patch the ARM9 executable in some way to get the ASM running, then you must enable ARM9 access to the GBA bus using the 16-bit I/O register at 0x04000304. (ExMem Control) Then you may finally begin erasing the flash, and finally writing.