DS Hacking 101 By /dexter0

[dlevere]

Trainer Toolkit Tutorial

DS Hacking 101
An Intro to DS Game Hacking
Last Updated: 1/4/08

By /dexter0

Why I Wrote This

To this day, I have not seen any complete guide on Nintendo DS hacking. With the release of Datel's Trainer Toolkit, DS hacking has been made available to the masses. I intend this guide to be a place where people can point beginners to.

Quick Note

DO NOT PM me with questions regarding the material in this text or DS hacking in general. If you want to know why this is bad, read this. I recommend that those seeking help visit one of the various forums dedicated to Nintendo systems hacking.

Introduction

Congratulations on your $50 plunge into the world of game hacking. This tutorial is designed to take you from n00b to hacker with a focus on using Datel's latest technology, the "Trainer Toolkit". If you have not purchased one of these devices, you can still get something from this tutorial.

You may opt to use Parasyte's Kuwurdi, although Kuwurdi will not be covered here. Another alternative is the good old emulator. Nintendo DS Emulation technology has made leaps and bounds since it first appeared. Leading the pack is NO$GBA by Martin Kroth. At the time of this writing it is at version 2.5c, and able to run most commercial games provided you have the nds bios and firmware. If you plan to use an emulator, you will also need a memory viewing program such as Imaha486's hasteDS, or the recommended Renegade64 by Viper.


Box shot of Datel's Trainer Toolkit

This Tutorial

As stated above this tutorial will focus on Datel's "Trainer Toolkit". But don't get it out yet! We have a few things to cover before you even turn your DS on. Before we start hacking codes, we will talk about the hexadecimal numbering system, and the ARDS code types (language). Codebreaker will not be discussed here. Let's begin.

Counting with 16

An Introduction to Hexadecimal

What Is Hexadecimal

If you passed grade school, you can probably count to 10; perhaps higher? You start at 0 and count 1.. 2.. 3.. 4.. 5.. 6.. 7.. 8.. 9.. To get the next number, you start back at 0 and insert a 1 in as the second digit to get 10. Simple, right? What you are counting in is know as a base-10 number system, also called decimal, because there are 10 different numbers per digit. Before we talk about hexadecimal, we should mention a little bit about the number 0.

If I asked you to count to 4 you would probably count: 1.. 2.. 3.. 4.. However, if I asked a computer to count to 4 it would say: 0.. 1.. 2.. 3.. 4.. See the difference. When you work with computers, 0 is just as important as the other numbers. All computer counting counting starts at 0 unless it has been told otherwise. This becomes important when you deal with loops.

Now that you hopefully understand decimal and what it is, lets move to hexadecimal. Hexadecimal, also know as hex, is a base-16 numbering system. That's right, 16 different numbers per digit. So, counting in hex works like this: 0.. 1.. 2.. 3.. 4.. 5.. 6.. 7.. 8.. 9.. A.. B.. C.. D.. E.. F.. There you have it, 16 different numbers per digit. That means that we can represent and number from 0 to 15 with a 1 digit number instead of just 0 to 9 like in decimal. So what if we want to write 16 in hex? Well, it's just like writing 10 in decimal. You reset the first digit back to zero and tack on a 1 in front. So 16 in decimal is actually 10 in hex.

So how do I convert between hex and decimal? Simple! On your computer go to Start > Run > calc.exe. Switch it into scientific mode. Now click the radio button that says hex, type a number in, then click the radio button that says decimal. Done. You may also perform the reverse to convert from decimal to hex. So how do I add, subtract, etc? Don't worry, the calculator does all that for you too! It also will perform bitwise operations, although bitwise operations are beyond the scope of this tutorial.

So when do I use hex? All the time in game hacking! Everything is in hex from the values in memory to the codes you will soon create! You may be wondering why the "ancient creators of the computer" decided not to keep things simple and just use decimal. While all that is history and beyond the scope of this tutorial. I will say that is has to do with machine conversion of binary (The 1's and 0's used by machine hardware) to a more "human readable" form. After all which looks more confusing: 0100 1010 or 0x4A ) BTW, The 0x is just notation to let people know that the number is in hex. 0x4A is the same as just 4A. It is good habit to prefix hex with a 0x.

Bits and Bytes

Many people often use the two words interchangeably however they do not mean the same thing. A bit is a 1 or a 0 (base 2 numbering system) When 8 bits are put together they form a byte as you can see in the example at the end of the last paragraph. Every set of 4 bits makes up 1/2 of a byte or a nibble which is 1 digit of the byte. So from the above, 0100 represents 4 and 1010 represents A. How the conversion is done is beyond the scope of this tutorial, but I will show you why there are only 16 different numbers per digit in hex. To understand this you should know some basic statistics. Each bit can be only 1 of 2 different numbers and there are 4 bits per nibble. So 2x2x2x2 or 2^4 = 16. Don't worry if this does not make sense, the only thing you need to know about bits to hack is how big of a hex number they make which we will discuss next.

8 Bit hex numbers are the smallest hex numbers you will be working with during this tutorial. An 8 bit hex number is two digits and looks this 0x4A or just 4A. If you were paying attention above you should know why it is an 8 bit hex number. Because it is made up of 8 bits. Simple! Now let's see if you were really paying attention. How big of a number (in decimal) can an 8 bit hex number hold? Think about how many numbers are in a single hex digit and how many digits are in an 8 bit hex number. The answer to part 1 is 16 and the answer to part 2 is 2. So if you take 16^2, you get 256. So an 8 bit hex number can store anything from 0 - 255. But what if you need to store a larger number? Read on to find out.

16 Bit hex numbers are the next size up. They are 4 digits and can store anything from 0 - 65535. Not much else needs to be said about them.

32 Bit is the largest sized number you will deal with in your hacking. You can hold anything from 0 - 4,294,967,295! That's huge! You can get bigger then 32 bits but I doubt you will ever need to. 24 bit hex numbers are not used for game hacking in case your wondering where they are.

Endianess

This is the last important concept with hexadecimal. Endianess is also know as the "byte order". Just like the name says, "byte order" determines the order of bytes in memory. Take this 32 Bit number for example. 0xF5 43 AE 01 (I have spaced the individual bytes apart for your convenience). In a "Big-Endian" system, the number would be written as 0xF5 43 AE 01. In a "Little Endian" system, the number would be written like 0x01 AE 43 F5. See the difference? "Little-Endian" flips the byte order so the least significant byte comes first. It is very important to note however that Endianness does NOT affect individual bytes or 8 Bit hex numbers. The Nintendo DS is a "Little-Endian" system.

ARDS Code Types

Speaking The AR Language

A Note About DS Memory

Since this guide is geared at absolute beginners, you may be asking yourself what is memory? For our purposes dealing with the Nintendo DS, memory is used to store the decompressed executable along with game data and game variables. We will not concern ourselves with the executable or game data, aside from pointers which will be discussed later. The game's variables are our primary focus. Variables are storage containers for game information that reside in memory. Variables on the DS can be 8, 16, or 32 bits in size. They store information such as how much health you have, how many bullets are in your gun, your kart's speed, and your position on the map. Almost all codes revolve around manipulating the game's variables to achieve effects such as infinite health, ammo, or super speed. How we do this will be discussed later. Nintendo DS memory ranges from 0x02000000 to 0x02400000. There is actually more memory beyond this range but it is used by the DS hardware to draw to the screen, check buttons, play sounds, etc. If you look into DS Homebrew, you'll find out what the rest of the memory is for.

All About Codes

You have probably seen an Action Replay code at some point. They look something like this: 220D54AF 00000001. REMEMBER! EVERYTHING IN AN AR CODE IS IN HEX! Most AR codes contain 3 parts. The first digit of the code is the code type (in this case the 2). The code type tells the Action Replay what to do and how to use the rest of the numbers in the code. In most code types, the second part of the code (in this case 20D54AF) is the address or the location in memory the code will be working with. If you have been paying close attention you may be wondering why the address part of the code is only 7 digits while memory ranges listed in the last paragraph are 8. Because there is no location in the DS's memory that requires a 1 in the first digit to address it, the AR uses that spot for the code type and hence the 0 is implied. The last 8 digits are, in most codes, the value. What the value does depends on the code type. We will discuss the AR code types next. Kenobi was nice enough to release the information about all the different code types long before the Trainer Toolkit came out. You can also find information about all the different code types in the Trainer Toolkit manual too.

RAM Write Codes
There are three different RAM Write Codes. Which one you use depends on what size of a value you need to write. Thats right, we have codes for 8, 16, and 32 bit values. RAM Write codes are the most basic and are the foundation for many complex codes. As their name implies, when run, they will constantly write a value to the RAM. This can be useful for keeping your health full and your gun always loaded.

0XXXXXXX YYYYYYYY
This is the 32-bit value write. 0 is the code type, XXXXXXX is the address you want to write to, and YYYYYYYY is the value you want to write. Remember that all action replay codes are 16 digits long. This means that if you want to write 8D6 to 0x20D54AF your code will look like this: 020D54AF 000008D6, not this: 020D54AF 8D6.

1XXXXXXX YYYYYYYY
This is the 16-bit value write. Like its 32-bit counterpart, it too must be padded if the value you need to write does not fill up all 8 digits which it always will since 16-bit values are only 4 digits long.

2XXXXXXX YYYYYYYY
This is the 8-bit value write. You should know the drill by now with these.

Conditionals
The purpose of a conditional is to check a condition. They add a little logic to your code. Every conditional can only return 2 different outcomes: true or false. There are 4 conditions that can be checked by conditionals on the Action Replay. They are: == (Equal to), != (not equal to), > (greater than), < (less than). Also, for those of you have may have programmed before, unlike conditionals in programming which can check a bunch of things at once, AR conditionals can only check one thing per conditional. This is what a conditional looks like in AR form:

320D54AF 00000002
020D54AF 000008D6
D0000000 00000000

By now you should know what the second line in this code does. The first line is the conditional. We will discuss the last line a little later. Lets look at the first line. Obviously, the 3 is the code type. Specifically, the 3 code type is a 32 bit > (greater than) conditional. The next 7 digits is the address who's value will be compared. The last 8 digits are the value that the conditional is comparing the value at address 0x020D54AF to. So in English this conditional will: "Check to see if the value 0x00000002 is greater than the value at 0x020D54AF." Pretty straightforward, right? All AR conditionals behave this way.

So now you may be wondering what happens depending whether the conditional returns true or false. If the conditional returns true, the AR will execute all codes that follow until it reaches a D0 or D2 code type (Don't worry about there being two digits for the code type, we will discuss it later.) Now if the conditional returns false, the AR will skip all of the codes that follow until it reaches a D0 or D2 code type. Everything after the D0 or D2 will be executed no matter what. So now that you know how conditionals work, lets see what each of the 8 different conditionals do.

3XXXXXXX YYYYYYYY
This is a 32-Bit > (greater than) conditional. It will check if the 32-Bit value you specify in YYYYYYYY is greater than the value at address XXXXXXX.

4XXXXXXX YYYYYYYY
This is a 32-Bit < (less than) conditional. It will check if the 32-Bit value you specify in YYYYYYYY is less than the value at address XXXXXXX.

5XXXXXXX YYYYYYYY
This is a 32-Bit == (equal to) conditional. It will check if the 32-Bit value you specify in YYYYYYYY is equal to the value at address XXXXXXX.

6XXXXXXX YYYYYYYY
This is a 32-Bit != (not equal to) conditional. It will check if the 32-Bit value you specify in YYYYYYYY is not equal to the value at address XXXXXXX.

7XXXXXXX ZZZZYYYY
This is a 16-Bit > (greater than) conditional. It will check if the 32-Bit value you specify in YYYYYYYY is greater than the value at address XXXXXXX.

8XXXXXXX ZZZZYYYY
This is a 16-Bit < (less than) conditional. It will check if the 32-Bit value you specify in YYYYYYYY is less than the value at address XXXXXXX.

9XXXXXXX ZZZZYYYY
This is a 16-Bit == (equal to) conditional. It will check if the 32-Bit value you specify in YYYYYYYY is equal to the value at address XXXXXXX.

AXXXXXXX ZZZZYYYY
This is a 16-Bit != (not equal to) conditional. It will check if the 32-Bit value you specify in YYYYYYYY is not equal to the value at address XXXXXXX.

Thats all the different conditional codes. By know you probably are wondering two things: How do you compare 8-Bit values and what are the Zs for? To compare 8-Bit values we use a technique called masking. In other words we to tell the 16-Bit conditional codes to ignore the first two Ys by inserting values into those Zs. I am not going to go into the details of bit masking but you can make an 8-Bit compare by inserting 00FF for the Zs then making the first two Ys zero. The last two Ys become your value. The reason why we mask out the lower byte is because the DS memory is little endian and therefore is flipped. That's all you need to know in order to make 8-Bit conditionals and thus concludes our section on conditionals.

The Offset
Like about everything else here, the offset is just what its name implies, an offset. You will find the offset probably the most important feature of the AR when making codes. So what does it do? The offset is a value that is added to the address value of other codes. By default it is 0x00000000. So lets see an example. Let's look at this code: 020D54AF 000008D6. By itself it will write 0x000008D6 to 0x020D54AF because the offset is 0 by default. So now if we had an offset of 0x00000001, then the code would write 0x000008D6 to 0x020D54B0. See the difference? The value in the offset has been added to the address that code will write to. So what would happen if I had a code like this: 00000000 000008D6? Where would it write 0x000008D6 to? The answer: 0x00000001. Simple! The offset value will affect the address portion of all these code types:

0,1, 2, D6, D7, D8, D9, DA, DB, DC, E, F

By default the offset does not affect the conditional codes, however Kenobi has made a fix for that. There are two different ways to get a value loaded into the offset.

BXXXXXXX 00000000
This code will take the 32-Bit value at XXXXXXX and make it the offset. There is no code to make a 16-Bit or 8-Bit value the offset as this is not necessary. Another thing to note is that if the value at XXXXXXX changes, so will the offset.

D3000000 YYYYYYYY
This code will take the 32-Bit value that you enter in YYYYYYYY and make it the offset.

To clear the offset, simply insert a D2000000 00000000 into your stack of codes (Probably at the end). If you fail to reset the offset, it can affect other codes in undesired ways.

Special Codes
There are three special codes. You have already seen two of them and the third will not be discussed.

D0000000 00000000
This is your 'end-if' code. It is used to end the scope of a conditional. Basically, it tells the AR where the codes that only should run if the conditional returns true stop and where the rest of the codes (that run no matter) start.

D2000000 00000000
This is your clean-up code. It will clear any temporary data such as the offset (along with other things that won't be discussed). It also can be used as an 'end-if' code although it will perform its other cleanup functions too. Unless you know what your doing, you need to insert this code at the end of your stack whenever you modify the offset or have conditionals that are not terminated with a D0 code type.

Hacks
Kenobi has made a couple great hacks for the Action Replay itself (hacking the hacking device) The ones we are going to concern ourselves with are those that add offset support to the conditionals. It is very important to note two things when using Kenobi's AR Hacks. First, for the moment they will not work on the latest AR firmware which, if you can boot up the Trainer Toolkit, you have. Second, they can not be used if the game has a master code. Here they are:

Code Type 3 :
Enable Offset support :
023FE20C E5933000
Disable Offset support :
023FE20C E5903000

Code Type 4 :
Enable Offset support :
023FE224 E5933000
Disable Offset support :
023FE224 E5903000

Code Type 5 :
Enable Offset support :
023FE23C E5933000
Disable Offset support :
023FE23C E5903000

Code Type 6 :
Enable Offset support :
023FE254 E5933000
Disable Offset support :
023FE254 E5903000

Code Type 7 :
Enable Offset support :
023FE26C E1D320B0
023FE270 E1E03004
Disable Offset support :
023FE26C E1E03004
023FE270 E1D020B0

Code Type 8 :
Enable Offset support :
023FE290 E1D320B0
023FE294 E1E03004
Disable Offset support :
023FE290 E1E03004
023FE294 E1D020B0

Code Type 9 :
Enable Offset support :
023FE2B4 E1D320B0
023FE2B8 E1E03004
Disable Offset support :
023FE2B4 E1E03004
023FE2B8 E1D020B0

Code Type A :
Enable Offset support :
023FE2D8 E1D320B0
023FE2DC E1E03004
Disable Offset support :
023FE2D8 E1E03004
023FE2DC E1D020B0

Stacking
Hopefully by now you understand that codes can be stacked. Codes can be stacked from top to bottom like in Example 1 or from left to right like in Example 2. The execution flow (order codes are run) is from the top to the bottom or left to right depending on how you stack.

Example1
320D54AF 00000002
020D54AF 000008D6
D0000000 00000000

Example2
Each code is separated by a space.
320D54AF 00000002 020D54AF 000008D6 D0000000 00000000

Wrap up

Hopefully this gave you a good insight into your available options for making AR codes. There are more code types which I did not discuss here mainly because this guide is aimed at beginners. How to arrange code types to do what you want is a topic that can not easily be put into words (at least by me). Hopefully though you will get an understanding of how to do this in the next section as we hack our way through some examples.

[dlevere]

Real World Examples

Using The Toolkit

Congratulations on actually reading through all of the stuff above, and not just skipping it. If you did skip it, "Boo to you" and I highly recommend you scroll all the way back up and read this whole document, unless you already know hex and the AR code types. We are now going to actually hack some games with our Trainer Toolkit in order to get a hands on example of what we just learned, and to understand some concepts used to hack certain codes. I highly recommend that you follow along with your Trainer Toolkit. If you are using an emulator and Renegade, don't shy away now! You can still join the fun as long as you know how to operate your software, since we will be focusing on using the Trainer Toolkit's interface. Ready? Let's get started!

Example 1 (Infinite Lives)

We are going to hack a game that almost everyone bought with their DS, Super Mario 64 DS (Game ID: ASME aea63749).

Getting Started

1. Connect your DS to its charger. This is not necessary but the Trainer Toolkit is an energy hog and will drain your battery faster than normal.

2. Connect the Trainer Toolkit to the USB linker cable and insert it into the GBA slot of your DS.

3. Insert your Action Replay DS into the DS Game slot on your DS.

4. Power up your DS. You should eventually see a screen that says "Insert Game Card...". If you don't, check that the Trainer is all the way in and your AR DS has the latest firmware.

5. Remove your ARDS and insert Super Mario 64 DS.

* There are currently 2 versions of Super Mario 64 DS. I will be hacking the first version (ASME aea63749). If you have the newer version, don't fret. You can still follow along with your game. Just note that the codes I come up with will not look the same as yours. Our addresses will be different.

6. Tap the screen to get started.

7. When the game loads, select Adventure and choose a record (preferably one that is not new) and begin the game.

8. Now, on your PC, open up the Trainer Toolkit software.

9. Go to tools and click "Show search results". Repeat for "Watched Locations" and "Runlist".

Know Your Tools

*The Search Window

The search window is where it all begins. Basic hacking involves performing many searches against the values of the memory in the game. You will come to understand this in a moment when we start hacking the game.

*Search Results

The search results window displays the results of all your previous searches. Each search will appear as a pink square which can be expanded to reveal a square for each range in memory you searched. You can double click on the text next to these squares to see the results of the search. You can also right click on the text next to the pink squares to "rollback" to that search. We will discuss and demo that later.

*Watched Locations

This a very useful feature which allows you to keep an eye on a location in memory. We will use this in later examples. NOTE: Renegade does not feature this window or any like it.

*Run-List

This is like having our own Action Replay that we can update with new codes in the middle of the game! We will use this to test our codes. It also will break down your codes and tell you what they are doing in the right pane.

Creating The code

This is probably one of the most easy codes to hack and so we will start here. The first thing you need to do is go somewhere in the game that you can loose lives. How about level 1 (Bomb Battlefield)? Go there. I am going to play as Yoshi, but it does not matter who you use. Select the first star and go.

Once the level has loaded, we need to start searching memory to find what address holds the number of lives. Turn your attention back to the Trainer Toolkit software. Let's start a "New Search". When you start a new search a window will pop up asking for the parameters of the search. I am guessing this game will allow you to have 9999 lives max. This means that lives must be a 16-bit value. It is also must be an unsigned value since lives are never negative. (Signed values can hold negatives). So select "Unsigned 16-bit". Now for the memory ranges. By default there will be two that appear. Select "Work RAM" and click "Delete". Nothing of interest is has ever been found in that memory range, so it is safe to always remove it. Click "OK" to start the search. You will notice the audio of the game slows down.


The "New Search" Button in the Trainer Toolkit Software

Now that we have our base search, the next search we do will be compared to our base search. Searches are always compared to the last. You will note the 6 different search options in the Search window. Because the game is nice enough to print out how many lives we have on the screen, we know that the address containing how many lives we have must be that value on the screen (It should be 4 providing you have not lost any). This means that we should start off with a search for all memory locations that contain 4. However, be sure to note that the value printed on your screen is in decimal while the value in memory is in hex. We need to be sure that when we convert the number of lives to hex before searching for it. In this case it is easy because 4 in decimal is just 4 in hex.

The Trainer Toolkit is picky about how you enter numbers. It wants them in proper hex format with the 0x in front. There is also another thing we need to consider. Our initial search was for a 16-Bit value. This means we should format all of our subsequent searches in 16-Bit form. Since 16-bit numbers are four digits we simply tack on three zeros in front of the 4. Our final output is 0x0004. In the search window, uncheck "Previous value" and enter 0x0004 into the box. As mentioned above, we want to search for all memory locations that contain 0x0004 so we will use the "Equal to" search option. Select "Equal to" and click "Search again".

Yikes! That's a lot of results. We need a way to narrow it down to 20 results or less. Since the memory location that contains how many lives we have will change values to correspond with our current number of lives, let's change how many lives we have and perform another search to see what addresses of memory have changed values to reflect our new number of lives. To start off, lets gain a life. Go over to the patch of flowers that is surrounded by coins. Collect all the coins to make a life appear and get it! We now have 5 lives. Let's go back and perform another search for memory locations containing the value of 5. Remember to make it a 16-Bit hex number. So enter our value of 0x0005 in the box and click "Search again". Now we are left with a very manageable 3 results. Lets try and lower it to 1 result.


Yoshi collects coins to get a life.

Make your character loose a life so that we are back at 4 again. Once you die, you will be kicked out of the level. Don't bother going back in since the number of lives applies to the game as a whole. Do another search for the number of lives you have, in this case 0x0004. Now you are left with 1 result. If you are using the older version of SM64 like me, you should be left with 0x020973ec. To find this, click the little + sign next to "Search #3" and double click on "1 result.....". The window contains the address and all of its values over your past few searches.


The results window shows us our address.

Now we just need to make it into a code. We are going to use a RAM Write code to constantly write a value of 0x0063 (99 in decimal) to 0x020973ec. If you know your code types you should come up with this: 120973ec 00000063. Remember that 1 is our code type since we are writing 16-bit values, 20973ec is our address, and 0063 is our value padded with four extra zeros. Enter that code into the run list and click "Upload". If you glance back at your DS you will notice that you now have 99 lives. Because the AR continuously executes codes, it will keep running your code. This means that even if you loose a life, it will bump you right back to 99.

Wrap Up

You may be wondering why I choose to perform 16-bit searches when the max lives you have is only 0x63, an 8-bit number. Basically I took a gamble. I guessed that lives would be a 16-bit number. So, once I found the address the next logical step was to plug in the max value a 16-bit number would allow, 0xFFFF. However, this awarded me 35 lives. Common sense told me this was wrong since the maximum number of lives you may have usually contains only 9s. So I tried plugging in 0xFF (the largest 8-bit number). This too gave me 35 lives. The next logical step was to try 0x2705 (9999 in decimal). This resulted in 15 lives. So, I finally tried 0x0063 (99 in decimal) and it worked.

Technically, this code could be an 8-bit write. Codejunkies used a 32-bit write. For this code it does not matter. I could have written this example to have you hack the 8-bit code instead of 16-bit, but it was a good opportunity to explain what I just explained. As you can see, it takes a little bit of common sense and experience to know what to do next. Sometimes you will hit a wall and have to backtrack as I will demonstrate later. With that said, this code is concluded.


The runlist with our new code.

More To Come (Maybe)

Thanks for reading my hacking guide. If you have found an error, please let me know. If you are a beginner who is reading this, please let me know how you enjoyed it. I might write some more examples later.

-/dexter0