Fizzi
Smash Ace
Background
I started work a while ago on a project which I hoped would be capable of getting game information directly out of Melee such that it could be passed on to the outside world via bluetooth, WiFi, or otherwise. I'm far more knowledgeable in the hardware side of these things so I set my sights on building a prototype rig that could read messages being sent to the memory card, decipher whether they were meaningful, and if so use that data for something. In short - I succeeded. The trouble came when it came to actually passing the data I wanted to the memory card turned device.
The current hardware prototype. Inserted into the Wii is a memory card breakout board which is wired to a memory card board (left). The data is then sniffed by an FPGA development board (middle), and relevant data is passed to an Arduino Due (right).
The original plan I wanted to go with was the following:
So in working on the project I've learned a bit about melee hacking but I'm still very much a novice. I was able to find memory locations that contained things like the last move a player connected with and start to build a list of which IDs matched to which moves. To be completely frank though I just don't have a lot of free time and it's difficult to commit it to struggling to understand the memory card stuff.
The major thing that I need right now to get something working is a way to write data to the memory card in an un-encrypted fashion. I'll describe a bit more about what I know about how data is transferred in the information section.
I'm also open to help extracting information out of the game that would serve for interesting statistics.
Technical Information
The Gamecube communicates with the memory card via a 27 MHz EXI bus. The EXI protocol is basically an SPI protocol with some extra lines. SPI is constantly bi-directional. This means that even when the game is reading from the memory card, it is still sending "bogus" data at the same rate it is reading from the memory card. The result of this is that it might be possible to safely send data to my device by triggering a read operation to a special memory address and filling the "bogus" data with good, unencrypted data.
Here is a small sample of real data being read from the memory card:
Count|MOSI|MISO|MOSI ASCII|MISO ASCII
0|82|127|R|
1|0|128|#NUM!|?
2|32|255| |ÿ
5|222|71|Þ|G
6|186|71|º|G
7|58|71|:|G
8|58|71|:|G
9|71|71|G|G
10|71|65|G|A
11|71|76|G|L
12|71|69|G|E
13|122|48|z|0
14|26|49||1
15|117|255|u|ÿ
16|232|2|è|
17|71|83|G|S
18|65|117|A|u
MOSI = Master out, Slave in (Gamecube to memory card)
MISO = Master in, Slave out (memory card to Gameubce)
The count is used to keep track of what the current bytes mean. When count = 0, the byte refers to the command being issued to the memory card. In the above case, the command being written is 82 (0x52). If you look at the dolphin source code, you can find that this command is called "cmdReadArray", basically it's a read operation. I ran dolphin using Visual Studio to debug and add breakpoints to help me understand how data is actually transferred.
Achilles referred me to this post which describes the known memory card functions http://smashboards.com/threads/patc...racters-stages-and-hats.405623/#post-19378526 . Perhaps it might be possible to use one of these to pass data over?
Potential Uses
I started work a while ago on a project which I hoped would be capable of getting game information directly out of Melee such that it could be passed on to the outside world via bluetooth, WiFi, or otherwise. I'm far more knowledgeable in the hardware side of these things so I set my sights on building a prototype rig that could read messages being sent to the memory card, decipher whether they were meaningful, and if so use that data for something. In short - I succeeded. The trouble came when it came to actually passing the data I wanted to the memory card turned device.
The current hardware prototype. Inserted into the Wii is a memory card breakout board which is wired to a memory card board (left). The data is then sniffed by an FPGA development board (middle), and relevant data is passed to an Arduino Due (right).
The original plan I wanted to go with was the following:
- During a match I would write interesting information to unused memory. This includes things like what move a person killed with, what percentage and stock counts both players were at when a stock was taken, etc.
- After the match had ended I would write the data back to the memory location from which the game reads when saving to the memory card. This would be in a location that wouldn't corrupt any important memory card information - such as after the name tag list.
- The device would look for the address where it knows the data will be written, read it, and pass it on to somewhere.
What do I need?So in working on the project I've learned a bit about melee hacking but I'm still very much a novice. I was able to find memory locations that contained things like the last move a player connected with and start to build a list of which IDs matched to which moves. To be completely frank though I just don't have a lot of free time and it's difficult to commit it to struggling to understand the memory card stuff.
The major thing that I need right now to get something working is a way to write data to the memory card in an un-encrypted fashion. I'll describe a bit more about what I know about how data is transferred in the information section.
I'm also open to help extracting information out of the game that would serve for interesting statistics.
Technical Information
The Gamecube communicates with the memory card via a 27 MHz EXI bus. The EXI protocol is basically an SPI protocol with some extra lines. SPI is constantly bi-directional. This means that even when the game is reading from the memory card, it is still sending "bogus" data at the same rate it is reading from the memory card. The result of this is that it might be possible to safely send data to my device by triggering a read operation to a special memory address and filling the "bogus" data with good, unencrypted data.
Here is a small sample of real data being read from the memory card:
Count|MOSI|MISO|MOSI ASCII|MISO ASCII
0|82|127|R|
1|0|128|#NUM!|?
2|32|255| |ÿ
5|222|71|Þ|G
6|186|71|º|G
7|58|71|:|G
8|58|71|:|G
9|71|71|G|G
10|71|65|G|A
11|71|76|G|L
12|71|69|G|E
13|122|48|z|0
14|26|49||1
15|117|255|u|ÿ
16|232|2|è|
17|71|83|G|S
18|65|117|A|u
MISO = Master in, Slave out (memory card to Gameubce)
The count is used to keep track of what the current bytes mean. When count = 0, the byte refers to the command being issued to the memory card. In the above case, the command being written is 82 (0x52). If you look at the dolphin source code, you can find that this command is called "cmdReadArray", basically it's a read operation. I ran dolphin using Visual Studio to debug and add breakpoints to help me understand how data is actually transferred.
Achilles referred me to this post which describes the known memory card functions http://smashboards.com/threads/patc...racters-stages-and-hats.405623/#post-19378526 . Perhaps it might be possible to use one of these to pass data over?
Potential Uses
- Statistics - Extract data out of the game and push it to a website for archiving
- Live match overviews - if being used on non-streaming set ups the data could be browse-able by fans and they could keep track of how matches are going even if they can't see them
- Automatic match reporting - Match results can be pushed automatically to a website and selected/confirmed by a TO
- It may be possible to get interesting information from the internet and change the actual game state based on that. For example, each device can have an ID number linked to a station ID. It can then find out whether a tournament match has been scheduled for itself and pass a flag to the game telling it to lock the set up. It then might also be possible for the station to only become unlocked when one of the players in the match comes up to the station and scans his ID badge, or types in his username/password.
- Using special codes it might be possible to increase the amount of data that can be loaded from a memory card. Data could be loaded from an SD card for example and this might allow things like loading a bunch of custom models into a real system.
- Achilles: For answering my questions and pointing me in a helpful direction related the memory card stuff
- Dan Salvato: For answering my questions and helping me understand a bit quicker how the data is transfered
Last edited: