Banjo-Tooie no frameskip gameshark code!

retroben
18th July 2013, 09:56 PM
I have found the code that sets the frameskip in Banjo-Tooie (U).

Here it is.

No Frameskipping
8007913C 0080

You can find it by searching equal to... 0/4 before/after getting hurt in the cloud-cuckooland cheese room.

I used this cheat in the emucr leaked v1.7.0.50 b23 (yes,I know 2.0/2.1 is out).

Edit:IT ALWAYS WORKS!!!!!

UPDATE:Many new codes!

master
81092BE0 0804
81092BE2 8000
81120200 03E0
81120202 0008

Never Slide On Slopes
81120000 3C0E
81120002 0000
81120004 AC8E
81120006 07C8
Requires the master code.

Other codes that require the master code like this one are on pages 12 and higher.

HatCat
18th July 2013, 10:16 PM
Frame skipping?

Like, that option in Rice's Video Plugin that says "Skip frame", for skipping every other video drawing frame?

I'm amazed you can actually have a GS code for something like that lol, if I'm reading you properly.

retroben
19th July 2013, 12:52 AM
> Frame skipping?
>
> Like, that option in Rice's Video Plugin that says "Skip frame", for skipping every other video drawing frame?
>
> I'm amazed you can actually have a GS code for something like that lol, if I'm reading you properly.

Banjo-Tooie has an internal frame skipper,which means it gets choppy in large levels.
This crappy frame skipping is well known on the actual physical game in your N64 console when talon trotting in jinjo village with Super Banjo enabled.

This code's hex address is very close to the beta devil bottles code found by RWP.
If you ever entered the CCL cheese room on PJ64,you would notice very fluid skipless animation,at least until you get hurt on the spiked onion,which causes the frame skip to be set to four (how I found the code).

I recommend using the old 1.5.2 Jabo D3D plugin for flawless 60fps.
The code also works on v1.6 of PJ64,it runs even smoother than 1.7.
Add/enable the cheat in the BT's edit cheats context menu then start the game,and you will notice how smoothly the title sequence moves.
It will also be extremely noticeable in Banjo's house,and whenever you get launched by a CCL flower.

If you want to,you can set it to any higher number like 9 to make it look like your computer sucks at emulation.

This code improves the overall playability of Banjo-Tooie.

I would love to see someone make a YouTube video of this Gameshark code in action on an actual N64 console,if there is anyone that has Banjo-Tooie and an N64 gameshark willing to make that video.

Or at least someone make a video of it in action in PJ64.

HatCat
19th July 2013, 01:14 AM
Also have you tried setting the pointed address value to 0x99999999, or 0x9999, instead of just 9 at the lowest byte, to make sure the cheat code is targeting only an 8-bit field instead of maybe a 16-bit one?

retroben
19th July 2013, 03:41 AM
???

I think 09 would make it skip nine frames in one digit.

I am sure there is only one digit space for this code to work on since the next byte on the right is normally an eighty like so--->04 80 ## ##

LOL byte,and right
I am rhyming!

*me making dummy voice*--->duugh me coonfewsd uhbowte poynter theeng yuu arr tawlkeeyng uhbowte.

All I can say is that the code works perfectly fine for me in its current state.

Please tell me about your experiences with it after you try it out.

To me,with the code on,it looks like
a high end,fast motion w/machine guns,First Person Shooter game.

I can't think of any specific game with smooth high speed gameplay.

Fact?:Banjo-Kazooie does not have BT's frame skipping issue.

Tasoulis
19th July 2013, 09:18 AM
Wow... this actually works indeed! I just put that code in PJ v2.1 with Glide and checked fps counter to see the exact frame rate and... BAM! 60fps! (in fact, fps counter isn't needed, anyone can see it with his own eyes how smooth it actually is)

Problem is, my computer is a Pentium 4 3.0GHz so after the title screen (which runs at 60fps) the rest of the game runs in slow motion and my CPU at 100% but I still get 40-50fps from the game. Which means if my computer was faster, I would definitely get 60fps.

This is awesome and I wonder if this can be done in other games. I know that Goldeneye and Perfect Dark can be run at 60fps using 1964 ultrafast, so I am thinking that maybe something similar can be done with a gameshark code? And what would happen if someone sets this code on a real N64? I don't think it would work since the frame limit was there in the first place because the console can't handle smoother frame rate with this game and it's there to maintain the frame rate at a steadier, but lower frame rate with no huge ups and downs. Also, do you know if this messes up the timing in the game overall (time limit games, etc)?

Anyway, great job Retroben. This is indeed very interesting.


> I can't think of any specific game with smooth high speed gameplay.

You mean on the N64? At 60fps? F-Zero X is the only one I know.

HatCat
19th July 2013, 01:52 PM
> ???
>
> I think 09 would make it skip nine frames in one digit.
>
> I am sure there is only one digit space for this code to work on since the next byte on the right is normally an eighty like so--->04 80 ## ##
>
> LOL byte,and right
> I am rhyming!
>
> *me making dummy voice*--->duugh me coonfewsd uhbowte poynter theeng yuu arr tawlkeeyng uhbowte.

I don't mean from left-to-right.

I mean from right-to-left.

MIPS is a big-endian machine, so your code:
8007913F 0000
writes 8 bits, 0x00, to *(DRAM + 0x07913F).

However, this is an un-aligned byte address.
It's very likely that 0x7913E is also part of the data segment you're writing to.

So if you set 0x07913F to 0x00, it does not always guarantee frame skip is set to 0.
If you set 0x07913E to 1, 2 or whatever, then it's 256 TIMES the value at ...3E, plus whatever you put in 3F.

I haven't had a chance to try out the code yet since I'm not at my home computer, but I'll try it eventually. Good work regardless.

retroben
19th July 2013, 05:04 PM
If you know how,you can search for a cheat with PJ64 debugger in Goldeneye and/or Perfect Dark.

If you can't switch between two different areas immediately,you will have to manipulate save states.

All you have to do is first go to a point in the game where it skips frames,make a savestate,go to a place that the game runs with less/no frames skipped,and make a different savestate.

Now to find the cheat,you search in unchanged,then changed after you load each savestate over the other one.

You could also progress into another area normally and load back if you know the next area is more/less choppy than the previous one.

If you know of an area in the game that can run flawlessly with no choppy speeds,you can search for equal to zero in this area to shorten your search.

If you run out of cheats to find,after your first search,look at the 50000th/last result's address,you can put this part in the "start addr." box for your next search.
(e.g 50,000--->8007653C:0078--->this would be the highest possible found address in your search limit,put this in the starting address to search further down.)

Warning:the 2.0/2.1 versions of PJ64 crash on memory search for an unknown reason,you will have to use 1.6/1.7/or some other clean 1.7 version for it to search without immediately crashing.

EDIT:I have just encountered a non mapped space error when getting to file select on PJ64 v1.6 if you run the game with "no frameskip" already enabled before starting emulation.

This crash does not happen in 1.7 versions,at least not in the beta 23 emucr leak.

HatCat
19th July 2013, 05:23 PM
Well I finally got around to trying the code out. :p

It seems your update about using offset - 3 was correct.
This is actually a sign-extended 32-bit word.

So doing *(INT32 *)(DRAM + 0x07913C) = 0x80000000 .. 0xFFFFFFFF implies a negative skip.
It would be the same thing as just zeroing it like you tried to do.

If we add the following line before yours in the code, your method should fail to zero the frame skip:

8107913C 7FFF
8007913F 0000


I would suggest zeroing the upper immediate of the register, just to make sure in case the game might try to write to there later.


8107913C 0000 // if you set this to 0x8000 to 0xFFFF it's negative,
// and the game seems to just treat that as if you set it to 0 instead, so, same
8107913E 0000
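
The byte-versus-word point made in the posts above can be checked with a small model. The following C is an added example, not code from the thread or from Project64: it models only the 80 (8-bit write) and 81 (16-bit write) code types on a big-endian byte array, using the 0x07913C word address from the posts. The names gs_line, gs_apply, run_codes and the demo_* functions, the 4 MB RDRAM size, and the rejection of odd addresses for 81 codes are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RDRAM_SIZE     0x400000u  /* assumed: 4 MB of RDRAM, no Expansion Pak */
#define FRAME_SKIP_OFF 0x07913Cu  /* word address quoted in the thread */

/* One cheat line: "TTAAAAAA VVVV" (type byte, 24-bit offset, 16-bit value). */
typedef struct { uint32_t code; uint16_t value; } gs_line;

static uint8_t dram[RDRAM_SIZE];

/* Big-endian: the most significant byte sits at the lowest address. */
static void write_be32(uint32_t off, uint32_t v) {
    dram[off]     = (uint8_t)(v >> 24);
    dram[off + 1] = (uint8_t)(v >> 16);
    dram[off + 2] = (uint8_t)(v >> 8);
    dram[off + 3] = (uint8_t)v;
}

static int32_t read_be32(uint32_t off) {
    uint32_t v = ((uint32_t)dram[off] << 24) | ((uint32_t)dram[off + 1] << 16) |
                 ((uint32_t)dram[off + 2] << 8) | (uint32_t)dram[off + 3];
    return (int32_t)v;  /* the field is read as a signed 32-bit word */
}

/* Apply one line. Returns 0 on success, -1 if this model rejects it. */
int gs_apply(gs_line line) {
    uint8_t  type = (uint8_t)(line.code >> 24);
    uint32_t off  = line.code & 0x00FFFFFFu;

    switch (type) {
    case 0x80:  /* 8-bit write: only the low byte of the value is stored */
        if (off >= RDRAM_SIZE) return -1;
        dram[off] = (uint8_t)line.value;
        return 0;
    case 0x81:  /* 16-bit write; this model rejects odd addresses */
        if ((off & 1u) || off + 1 >= RDRAM_SIZE) return -1;
        dram[off]     = (uint8_t)(line.value >> 8);
        dram[off + 1] = (uint8_t)line.value;
        return 0;
    default:    /* conditional and button-activated types are not modelled */
        return -1;
    }
}

/* Seed the frame-skip word, apply the lines, return the resulting word. */
int32_t run_codes(uint32_t initial, const gs_line *lines, size_t n) {
    write_be32(FRAME_SKIP_OFF, initial);
    for (size_t i = 0; i < n; i++)
        (void)gs_apply(lines[i]);  /* rejected lines are simply skipped */
    return read_be32(FRAME_SKIP_OFF);
}

/* Upper half set first, then only the lowest byte zeroed: word stays nonzero. */
int32_t demo_byte_only(void) {
    const gs_line l[] = { {0x8107913Cu, 0x7FFF}, {0x8007913Fu, 0x0000} };
    return run_codes(0x00000004u, l, 2);
}

/* Two 16-bit writes cover all four bytes, whatever was there before. */
int32_t demo_full_word(void) {
    const gs_line l[] = { {0x8107913Cu, 0x0000}, {0x8107913Eu, 0x0000} };
    return run_codes(0x7FFF0004u, l, 2);
}

/* Writing 0x80 to the top byte sets the sign bit: the word reads negative. */
int32_t demo_sign_byte(void) {
    const gs_line l[] = { {0x8007913Cu, 0x0080} };
    return run_codes(0x00000004u, l, 1);
}

/* A 1 at ...3E is worth 256 even when ...3F has been zeroed. */
int32_t demo_upper_byte(void) {
    const gs_line l[] = { {0x8007913Eu, 0x0001}, {0x8007913Fu, 0x0000} };
    return run_codes(0x00000000u, l, 2);
}

int main(void) {
    printf("byte-only zero : 0x%08lX\n", (unsigned long)(uint32_t)demo_byte_only());
    printf("full-word zero : 0x%08lX\n", (unsigned long)(uint32_t)demo_full_word());
    printf("sign byte 0x80 : %ld\n", (long)demo_sign_byte());
    printf("1 at ...3E     : %ld\n", (long)demo_upper_byte());
    return 0;
}
```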

HatCat
19th July 2013, 05:27 PM
If you like you could also make this into a user-modifiable cheat code.

Try:

8107913C 0000
8107913E ????


And on the "Options <value><label>" box on the right, give the user some values to pick from when they double-click your cheat so they can plug them in.

I guess I would do:

0000 skips no frames
0001 skips 1 frame
0002 2 frames
0003 3 frames
0004 4 frames
0008 8 frames
0010 16 frames


But I haven't thoroughly enough tested this code to know if maybe there might be some other values more useful than those you might find.

Anyway nice code, glad you found out about it.

Wally123
20th July 2013, 01:33 PM
> I have found the code that sets the frameskip in Banjo-Tooie (U).
>
> Here it is.
>
> No Frameskipping
> 8007913F 0000
>
> You can find it by searching equal to... 0/4 before/after getting hurt in the cloud-cuckooland cheese room.
>
> I used this cheat in the emucr leaked v1.7.0.50 b23 (yes,I know 2.0/2.1 is out).
>
> Edit:IT ALWAYS WORKS!!!!!

Did you try Right Clicking on the game, clicking on Edit Game Settings, and then uncheck the box next to "Fixed Audio Timing"? That might dissolve the frame skipping issue a bit.

Tasoulis
20th July 2013, 05:12 PM
> Did you try Right Clicking on the game, clicking on Edit Game Settings, and then uncheck the box next to "Fixed Audio Timing"? That might dissolve the frame skipping issue a bit.

"fixed audio timing" and all the other options and settings in the menus, help a game to reach its maximum VI/s. When you reach the maximum VI/s (60 for US and 50 for PAL roms) you get the maximum frame rate a particular game has (the frame rate you get on the real N64). Most games have maximum frame rate of 30fps (so you get 30fps at 60VI/s). Only F-Zero X runs at 60fps (60fps at 60VI/s). Some run lower than 30, like the Zelda games (20fps at 60VI/s). Banjo Tooie also runs at a sub 30fps with some ups and downs. Normally, you can't increase the maximum frame rate a game has.

This particular gameshark code however does exactly that for Banjo Tooie. It changes the game's default behavior and actually unlocks the maximum frame rate so you can actually run it at 60fps (60fps at 60VI/s) if your PC can handle it, in the same way F-Zero X runs at 60fps normally. It's the only code I've seen that has such a huge effect in any game. Normally, I believe that you need to heavily mod a rom in order to achieve something like that or use a hacked emulator to exploit a couple of games that have their frame rate unlocked (like Goldeneye and Perfect Dark). You can play these games at 60fps using 1964 ultrafast.

The only other option I know that slightly improves frame rates is counter factor. By setting it to "1" some games will benefit and have a steadier frame rate. But still, it won't increase the maximum "locked" frame rate, it only improves slowdown a bit, mostly on RARE's games.

If you want to check a game's actual frame rate (not VI/s) you can enable the option in the Glide graphics menu.

retroben
20th July 2013, 11:03 PM
I know that smash bros. 64 has 60fps in the info bar on pj64,but I am unsure if it truly runs at 60fps.

I think it runs perfectly smooth as it is.

Also,the code only uses one byte
obviously--->8007913F 00xx
xx=number of frames skipped

Has anyone that can run BT at a constant 60fps
with Jabo 1.5.2 D3D6 tried using Daddy T-Rex in Terrydactyland yet?

My computer only has one core and has been through a lot.

Compaq Presario Desktop
2GB RAM
Nvidia Geforce nforce 430
AMD Sempron Processor

I have registry speedhacks (RAM access speed hack,program open time speedhack,and etc.),overclocked RAM chip,overclocked Processor,and slightly overclocked GPU driver.

All of this gets me perfect full speed 60fps/60VI on Banjo-Tooie.

I still hope to see someone post an HD YouTube video of a Banjo-Tooie cartridge running in an actual N64 while using the no frame skipping code in a gameshark cartridge preferably using any analog/non-digital television (analog TVs have smoother/skipless response time than most digital TVs according to Game Grumps).

If anyone knows anybody with these things that can make this video please tell them about it so we all see how much more awesome Banjo-Tooie can really be.

I just hope it works on the console.
If not,you can get a button activator and hold it the entire time after getting past the save files.

Otherwise,I will have to search for a decent "the game is playing" code to use as an activator.

This is a long reply,I have some other codes that I will post in a bit.
I found two codes that tell the game to instantly pause/unpause physically/visually.
You can even have it "paused" and still unseeingly move banjo to another spot while it is "paused" LOL.

I also once found an action modifier,but sadly it is a pointer code that needs the not yet made pointer or pointer engine.

If someone is good at making gameshark pointers or pointer engines on N64 games mainly BT,you could help out after I find some well known action numbers and list them on here so they can be easily found again and again in debugger memory search.

Tasoulis
20th July 2013, 11:12 PM
> I still hope to see someone post an HD YouTube video of a Banjo-Tooie cartridge running in an actual N64 while using the no frame skipping code in a gameshark cartridge preferably using any analog/non-digital television (analog TVs have smoother/skipless response time than most digital TVs according to Game Grumps).
>
> If anyone knows anybody with these things that can make this video please tell them about it so we all see how much more awesome Banjo-Tooie can really be.
>
> I just hope it works on the console.

I don't think it's possible to work on the console, it will probably just make the frame rate less consistent. The N64 really isn't fast enough to run the game at higher frame rate, if it was they wouldn't need to implement the frameskip in the first place.

It works on emulators because a PC can be hundreds of times more powerful than an N64.

retroben
21st July 2013, 03:02 AM
Pause on
80132DCB 0000
80132DCD 0000
Somewhat useless since it makes the screen black.

Pause off
80132DCB 0001
80132DCD 0001
This is frickin awesome because you can move around while in the pause menu.
You can even see yourself walking if the emulator correctly freezes an image instead of being solid white/black.

Oops I meant to say animation modifier.

It is easy to find with 9 then 5 on the end of the addresses.
The following two addresses are a perfect example.
Here are my latest random addresses in jinjo village.

Animation Mod
801A2019 00xx
801A2035 00xx
values:
00=Body movement test?
01=Crouching
02=Sneaking (he looks creepy)
03=Walking
04=Sad walking Banjo falls over
05=Ground Ratta-tat Rap
06=Ledge Hanging
07=Beginning Talon Trot
08=Jump?
09=Fell from a high place
0A=Climbing ladder
0B=Sneak walk
0C=Run
0D=Beginning ledge attack
0E=Turning around after running
0F=Backflip?
10=??? animal action
11=Gold feather run
12=Climbing onto ground
13=Unused ledge animation?
14=Underwater damage
15=Talon Trotting
16=Entering Talon Trot
17=Flutter Jump
18=End of Flutter Jump?
19=Airborne Ratta-tat Rap
1A=End of airborne Ratta-tat Rap
1B=Gold feather jump
1C=Kazooie Z+B Attack
1D=Beginning Beak Buster
1E=Ledge attack
1F=FLYING JINJO WTF (Banjo is high)
20=Pulling out Kazooie gun
21=??? I have no idea
22=Beginning gold feather
23=Gold feather standing
24=Banjo got high again
25=Bouncy size T-stance
26=Talon Trot standing
27=Talon Trot jump
28=Holding invisible object (e.g Targitzan Statue)
29=Yuh oh fall
2A=Spit egg
2B=Lay egg
2C=T-stance
2D=T-stance waving??
2E=BK Collect Jiggy (leftover from Banjo-Kazooie)
2F=Jinjo help dance
30=unknown Jinjo animation?
31=animal action
32=Snowball rolling?
33=Snowball damage?
34-37=T-stance
38=Flying pose
39=Swimming on water
3A-3B=T-stance
3C=Double swim
3D=Kazooie shoes?
3E=Crash landing
3F=Kazooie swim stroke
40=Swamp Boots get
41=Swamp Boots stand
42=Swamp Boots walk
43=Fly attack start
44=Running Shoes
45=Taking off to fly
46=*OW* face first
47=End of Kazooie swim stroke
48=Begin Shock Spring jump
49=Continue SS jump
4A=T-stance
4B=Z+A Backflip
4C=Floating down after backflip
4D=Take Damage
4E=T-stance
4F=Forward Roll Attack
50=Being talked to
51=Ledge Hanging
52=Ledge Kazooie looking down
53=T-stance with growing nose
54=Bouncy T-stance
55=Ledge Banjo looking down
56=Ledge kazooie head peck (Banjo almost falls)
57=Water surface stride
58=Water surface stride
59=Unknown water animation?
5A=Banjo's dead
5B=Kazooie pokes out (standing pose)
5C-5D=T-stance
5E-5F=Swollen T-stance
60=T-stance
61=Beak Drill
62=Stony walk
63=Stony stand
64=Stony bash
65=Getting squished
66=Talon Trot Damage
67=T-stance
68=Falling
69=Sidling ???
6A-6E=T-stance
6F=Standing pose
70=Swimming pose for talking/warp pad
71=Banjo swim
72=Holding object
73=Walking with object
74-75=T-stance
76=Strange pose?
77=Failing a mission
78=Weird animation?
79=Weird T-stance
7A=Shrink and grow T-stance
7B=Strange wobble jump/walk T-stance
7C=Rapid shrink and grow T-stance
7D=animal action?
7E=Twitchy head while laying back?
7F=Weird shrunken flying T banjo
80=animal looking around?
81-82=T-stance
83=Grab pack pose
84=Floppy nose T-stance
85=Bounce leaning left/right T-stance
86=Talon Trot talked to
87=Bouncing up/down T-stance
88=Low priority T-stance
89=Banjo's arm flapping T-stance
8A=Banjo's faster arm flapping T-stance
8B=Perfect T-stance
8C=Banjo thinks he is a honeycomb?
8D=Glitchy Banjo
8E=T-stance
8F=Animated T-stance
90=Twitchy animated T-stance
91=Saiyan T-stancer
92=Super Saiyan T-stancer
93=T-stance
94=Banjo long neck?
95=Kazooie Torturing Banjo
96=Weird hovery T-stance thing
97=Swollen airplane banjo
98=Stretch into the ground
99=Banjo's torso try escape legs!
9A=Banjo's torso punched backward!
9B=Sideways T-stance
9C=Banjo on all fours
9D=Flappy arms floating on back
9E=T-stance effects
9F=Banjo laughs at you in T-stance
A0=Always trying to use kazooie
AF=Pack Whack

The worst part about this code is that it can change its address location immediately without even entering/exiting into a different area.
Remember to search from 001A0000 to find the two addresses more easily.

I did once find an action modifier code but I have no more time to look for it today.

retroben
21st July 2013, 09:57 PM
Here it is,the action modifier!
The last address it was on for me is 801C4247.

Action Modifier (d-pad down)
D1081084 0400
801C4247 00xx
Values:
01=Stand
02=Sneak
03=Walk
04=Run
05=Jump
06=Ratta-tat Rap
07=Crouch
08=Talon-Trot Action?
09=Spit egg
0A=Lay egg
0B=Action Glitcher
0C=Slide Turn (infinite jumps)
0D=Jiggy out after Z+B Attack
0E=Take Damage
0F=Beak Buster
10=Flutter Jump
11=Airborne Ratta-tat Rap
12=Z+A Jump/Land
13=Z+B Attack
14=Enter Talon-Trot
15=Talon-Trot Stand
16=Talon-Trotting
17=Exit Talon-Trot
18=Always rising fly
19=Hold to fly sorta
1A=Enter Gold feather
1B=Gold Feather Stand
1C=Gold Feather Run
1D=Gold Feather Jump
1E=Exit Gold Feather
1F=Invincible Slowfall (infinite jumps)
20=Land after jump
21=Shock Spring
22=Shock Spring Jump
23=Take Flight
24=Flying
25=Get Swamp Boots
26=Swamp Boots Stand
27=Swamp Boots Walk
28=Swamp Boots Jump
29=Sticky Action
2A=Fly Attack
2B=Glitch Maker Action
2C-2E=Cancel Actions
2F=Normal Fall
30=Action Cancel
31=Roll
32-33=Washing Machine
34=Cancel Actions
35-36=Washing Machine
37=Get Stuck
38=Washing Machine
39=Slide forward while held
3A-3C=Action Cancel
3D=High Falling (funny to use)
3E=Washing Machine
3F=Action Cancel
40=Get stuck
41=Short Bounce after jump (get stuck)
42-43=Get stuck
44=Dance Bow from Banjo-Kazooie (press during beak buster)
45=Talon-Trot Action?
46=Get stuck
47-4D=Kazooie Alone Actions (instant play as)
4E=Floaty action?
4F=On pole/vine
50=Climbing pole/vine
51-53=Action freezer
54=Death
55=Swamp Boots??
56=Action freezer
57=Ended Fly Attack
58=Death By Crash Landing?
59=Possible Beta Flying
5A=Action freezer
5B=Cutscene auto-walk
5C=Unload Banjo
5D-5E=Action freezer
5F=Banjo Alone Z+C Down action
60=Action freezer
61=Snooze Pack
62=Action cancel
63=Action freezer
64=TNT
65=Action cancel
66=Action freezer
67-68=Kazooie action?
69-6A=Stuck Stand
6B=Standing?
6C=Action freezer
6D=Action cancel
6E=Action freezer
6F=Crashes game
70=Standing?
71=Talon Trot action?
72=High Fall Damage
73-75=Action cancel
76=Beta Fly?
77=Action cancel
78=Swim action
79=Talon trot?
7A=Action cancel (infinite jumps)
7B=Talon trot?
7C=Action freezer
7D=Sack Race Mode
7E=Sack Float water?
7F=Swim
80=Sack Float water
81-82=Pack Whack?
83=Submarine
84=Swim Pose
85-88=Beejo
89=Action freezer
8A=Death?
8B=Bee Taking Flight
8C-8D=Bee Flying
8E=Action freezer
8F=Action cancel
90=Glide forward
91=Beta flight?
92-93=Action cancel?
94=Action freezer
95=Debug Ground movement???
96=Action cancel
97=Kazooie alone
98=Zoom In
99=Beta flight?
9A=Talon Trot?
9B=Swamp Boots?
9C=Springy Step Jump
9D=Action cancel??
9E=Climb Something?
9F=Action cancelish
A0=Kazooie takes a look
A1=Crash into blackness
A2-A3=Action freezer
A4=Mutual Gold Invincibility
A5=Enter/Exit Gold Feathers
A6=Ledge Hang
A7=Ledge Move
A8=Midair Ledge Hangable
A9=Ledge Attack
AA=Ledge Climb
AB-AC=Action freezer
AD-AF=Stonyjo (HE LOOKS FUNNY!)
B0=Action freezer
B1=Action cancel
B2-B3=Stonyjo (infinite jumps)
B4=Action freezer
B5=Stony/action freezer
B6=Beak Drill
B7=Landing/glitch
B8=Separation Pad
B9=Kazooie keeps looking around
BA-BE=Kazooie Alone action
BF=Swim action
C0=Bee action
C1-C2=Kazooie alone action
C3=Kazooie alone SS Jump
C4=Kazooie wing spin
C5-C6=Action freezer
C7=Kazooie alone action
C8=crashes game
C9=Banjo visibility
CA=Break point crash
CB=invisible banjo

Action un-stuck code (d-pad up)
D1081084 0800
801C4247 0001
Sets action to stand to free up movement.

This is the most elusive code to find because it changes so frequently.

I managed to get banjo to fly in jinjo village.

The code's universal address type is 801xxxx7<-
by this I mean that it can always have all but the X numbers.
This will make it easier to find and set start addr. with 001B0000.

Another thing that is kinda awesome is that you can make a savestate to retain the code's current address position if it moves randomly.

If I can,I will attach the 1.24MB savestate if anyone wants it.

ExtremeDude2
22nd July 2013, 09:47 PM
That's some nice work you've done :p

HatCat
23rd July 2013, 02:24 PM
> Also,the code only uses one byte
> obviously--->8007913F 00xx
> xx=number of frames skipped

No, the segment is 32 bits wide, not eight, and it is going to continue to use 4 bytes until you actually reverse-engineer the code properly next time.

Valid values for the frame skipper are 0x00000000 to 0x7FFFFFFF, not 0x00 to 0xFF. The fact that you think the opposite is true only proves your laziness.

So if a game tries to write past the lower 8 bits of the frame skipper to set a higher frame skip than 0xFF, your code will fail to apply its effect. However, why in the hell would a game use a frame skip of 256 or higher? Why not just be lazy and do it the incomplete way?
It's certainly not my problem; I can tell you that much.

Also, 1.7 hacked sucks. Hopefully the cheats/memory searching crashes were all fixed in 2.1, but I haven't tested. They said something about fixing those things; I just don't know how much.

retroben
23rd July 2013, 09:55 PM
All that matters is that it works for its intended purpose of no frame skipping.
I've noticed every time you enter another area,frameskip turns back on.
It would be quite easy to use with a real N64 on an activator.
If it is going too slow,you can go between two areas to enable skipping again.

No frameskip (L)
D1081084 0020
8007913F 0000

I would at least like to hear someone's experience with it on a real N64 console.
For now,I'm gonna try and find some more codes like the action mod.

Edit:I found the egg modifier code again,remember,this is merely at the last address it was at for ME.

current egg type
801C4CA5 00xx
xx values:
00=Blue eggs
01=Fire eggs
02=Grenade eggs
03=Ice eggs
04=Clockwork Kazooie eggs
05=Invisible eggs?
FF=Invisible eggs with unusual counter (2)

Just remember my short guide to find these kinds of codes again,and that you can exploit savestates to retain a location.

801xxxx5=universal location numbers
xxxx=address numbers to find

Edit2:Now I've just found the gold egg code.

Activate unlimited Gold eggs (d-right)
D1081084 0100
801C2B94 0002
This code is obviously one byte less than the current egg type code.

retroben
25th July 2013, 05:33 AM
DP

I noticed with the activator based no frameskip code,whenever you enter a launch
plant in Cloud Cuckooland,it resets the frames to skip immediately.

When I was searching for banjo-tooie stuff on google, I found a really old topic.
In this topic on December 22nd 2008,someone wanted to see hailfire peaks with no lag.
I think we should spread news about the no frameskip code so
more people can enjoy playing Banjo-Tooie at perfectly full speed on PJ64.

Maybe someone can create a topic on Rare Witch Project and/or Rareware Central
telling everyone about this awesome code.

... Ironically,I also made a no frameskip code for Sonic Classic Collection
a few months ago that can be found on the gbatemp forum.

HatCat
25th July 2013, 04:30 PM
> All that matters is that it works for its intended purpose of no frame skipping.

Actually what matters is that it "always" works for its intended purpose of no frame-skipping.

Sort of like what you just admitted in the next text block about trying to make the code always work when changing room.

And it will "never" always work if you refuse to write the correct number of bits, because in that process, you only assume it works.

I would never distribute a code in that form.
The correct no-frame-skip cheat is:

8107913C 0000
8107913E 0000



> I've noticed every time you enter another area,frameskip turns back on.

Probably because of another buffer overwriting the read location in DRAM that you specified with the first cheat.

So there could be more than one address storing the frame skip value, and you weren't writing to the one of the highest priority.
Or, you need to (conditionally) write to multiple addresses to force its persistence.


> Just remember my short guide to find these kinds of codes again,and that you can exploit savestates to retain a location.
>
> 801xxxx5=universal location numbers
> xxxx=address numbers to find

I see no reason why this should be a universal pattern.

There are plenty of cheat codes writing to data not aligned to xxxx5 or in the 1xxxxx block.

In fact, when I started to notice this pattern when hacking codes out of Zelda Majora's Mask, it went over something like the 0x100000 page-relative block, into 0x200000, so it was not crammed into a single data segment in the way you suggest.

> Edit2:Now I've just found the gold egg code.
>
> Activate unlimited Gold eggs (d-right)
> D1081084 0100
> 801C2B94 0002
> This code is obviously one byte less than the current egg type code.

It looks good. I always wanted gold eggs.
But I would use the GS cheat button instead of an N64 button.

Partly for portability. Which address reads the controller button presses varies based on the region of the game, which game, etc.

So you could in theory merge both of those:

D1081084 0100
801C2B94 0002


Into a single, more portable, universally compliant cheat code:

D81C2B94 0002


Only difference being, instead of the D-pad right button being used to activate the code, you use the built-in GameShark cheat button, which is emulated on Project64 as the F9 key by default.

retroben
26th July 2013, 03:22 AM
Banjo-Tooie codes that are stored in the 80070000 range never shift locations.
The no frameskip code only requires the one byte to be fully functional.
If you remember,I said that whenever getting hurt from the onion in the cheese wedge,the frameskip gets changed to 4 frames,and this is the only byte that changed.
When I set that one byte to 0,it ran smooth again instantaneously.

You misunderstand the area sentence,it is about the activator version of the code.
I placed an activator on it so it can easily be tested on a real N64.
That is what I was talking about when enter/exiting another area.
Also,whenever a heavy event occurs,the frameskip kicks in immediately (CCL flowers).

I also noticed that certain areas unusually lag and jitter while at 60fps like the western witchyworld entrance even when the no frameskip code is enabled (no activator).
I am not sure why some areas refuse to run smoothly even at zero frames skipped.

On another note,I found out what makes the pause menu and temple puzzle work properly.
Enable it when you use what is essentially the move while paused code in order to see yourself and access the pause menu at the same time.
You can check out your item status while walking around and attacking enemies.
You have to enable the self rendered textures option in the ROM specific graphics plugin settings to make them work.
When it is enabled,everything that uses it directly,except pause,causes the game to run at 20-30fps,and around 10fps on temple puzzles.
The quiz show screen/credits don't need this option,but it also lags when self rendering is enabled.

HatCat
26th July 2013, 08:14 PM
> The no frameskip code only requires the one byte to be fully functional.
> If you remember,I said that whenever getting hurt from the onion in the cheese wedge,the frameskip gets changed to 4 frames,and this is the only byte that changed.
> When I set that one byte to 0,it ran smooth again instantaneously.

Jesus Christ.
And how many bytes does it take to store the number 4?

Does 4 require 32 bits of storage?
16 bits?
A byte?

4 is just a number.
The fact that the emulator reported to you that only a single byte changed is INCIDENTAL.

If 0x00000000 got changed to 0x00000004, or if 0x00000004 got changed to 0x00000000, do you really think that automatically proves that the cheat code is only one byte long?
I don't think so.

Set the upper byte to any nonzero value, and your cheat code will break because of your careless assumption.
I've already tested that myself, so why haven't you?

HatCat
26th July 2013, 08:21 PM
> I have found the code that sets the frameskip in Banjo-Tooie (U).
>
> Here it is.
>
> No Frameskipping
> 8007913F 0000

Hey, guess what!

Your code no longer works because of three reasons:
8007913C 0001
or,
8007913D 0001
or,
8007913E 0001

Which totally proves that your ability to observe that the emulated CPU updated only a single byte, and if you change that byte, it automatically defines the entire cheat code to be 8 bits wide, is automatically a fact.


Not.....

It's a 32-bit value, woman, not 8 bits.
Cry me a bridge and get over it.

retroben
27th July 2013, 12:37 AM
Mr. Krabs:He cries you a sweater of tears...then you killem.

This may have been confusion between bit byte terms.
A byte normally contains 8bits,which is ironically what the search memory had when I searched for and found the code.
When I said one byte,I meant 8007913F 00xx
xx=one byte for me

If I understand correctly,the 8bits are:1,2,4,8,16,32,64,and 128.
I could be going entirely the wrong direction here.

The code itself responds to any number you throw at it like 3.

I tested the code since I first found it in the cheesewedge.
I am not mad,because I am mostly right.
When I set it to four in the gameshark cheat list while in some other area,it ran with high frameskipping,and the higher number you choose,the more devastating the effect gets.

It's pointless for you to bicker on about it when it works fine as it is (at least on my end).
Do not forget that the best plugin for this code is Jabo 1.5.2 D3D6 since it has decent compatibility with overwhelming speed.

One thing you may have overlooked the whole time (not saying you did).
It is on an odd address but set to write only one byte,which means it is fully functional.

Skip four frames
8007913F 0004

Example:8007913F 0004--->The 80 prefix writes four to 07913F without writing the other byte "0" into the other position.

Like I have said before,only PJ64 v1.6 crashes on the file select when the code is already activated beforehand,while v1.7 and up continue to run fine.

On v1.6,you will have to wait until after file select before enabling the code.

Now to reply my realization.

Ohhhhhhhhh,so that's what you meant.

It changes different address offsets depending what room you enter,then again,I had almost no trouble with it at all.
Considering the western witchyworld (Humba Wumba location) still had frame skipping.

The weird thing is that it is only partial frame skips because it still gets really smooth in certain corners of western HuWu in witchyworld while the code is on despite the circumstances.
It also has minor skipping problems with Jolly Rogers Lagoon.
The point is that for most of the game,it fully works while some areas still skip.

And for proof that it works,another user on a previous post claimed that it actually works.

If it will make you happy,I will look more into it when I get the chance.

Sorry for all the frustration I put you through FatCat.

Long post is long.

retroben
27th July 2013, 06:11 PM
Now I got a code I like to call Benny Hill mode.

Unlimited FPS (pj64 shows as 60VI/s)
8007913B 003A
Banjo Tooie can run fast as F@%K after all,it acts just like Super Mario 64.

True Benny Hill Mode
8007913B 007E
SevenEff causes fail to load word.

Full-fledged Unlimited FPS
81079138 7EFE
8107913A 7EFE

Edit:You were kinda right about the no frameskip code using four >slots< because I just made the full no frameskip code

No Frameskip v2.0
8107913C 8000
8107913E 0000
It freezes on jiggy cutout at startup,so you will have to enable this version just after starting it.
If You put 01 on 8007913E only,it gets so extremely slow you can hit 1999VI/s on the VI counter.

HatCat
28th July 2013, 01:39 PM
Yes, so each >slot< was a byte, like you said.

Usually like on MIPS, an instruction slot is an aligned 32-bit segment.

So if you tell Project64 to search for 8-bit slots that changed, it will only show you byte values that were changed.
If you tell pj64 cheats to search for 32-bit slots that changed, it will show you 32-bit segments that changed.

All in all I wouldn't really just see that a single byte changed and assume it's the entire data segment for the cheat code. :)

You can figure the rest out if you want. I'm done explaining this shit lol

HatCat
28th July 2013, 01:42 PM
No Frameskip v2.0
8107913C 8000
8107913E 0000


That was just optional.

In this case it doesn't really matter, but 0x80000000 means you're making it hugely negative, but it doesn't matter because the game clamps all negatives up to zero and treats them all alike.

Forget it, it will take you a million years to check and verify anything I try to explain anyway. You'll understand it someday independent of what I offer. :D

retroben
28th July 2013, 08:26 PM
Here is an even better choice for no frameskipping.

No Frameskip v2.1
8007913C 0080

This sets frameskip to the most negative number below zero,also allowing address 8007913F to set its value correctly while still not skipping a single frame.
The three bytes before 8007913F never show up as changed results when using memory search.
I also found out the three bytes get reset to zero every time 8007913F changes.
In case of confusion,the byte on C is at the left on the other code because that is how 81 codes work,they put C on the left and D on the right respectively.
If C=72 and D=A4 the other code would read 8107913C 72A4.

PJ64 v1.6 still crashes on the file selection.

It works better than the original No Frameskip, so it's still better.
It seems to have less drag on performance.

Here is the Saucer of Peril current score mod.

Saucer of Peril Score Mod
811275C8 xxxx
01F5=Above 500 to win.
If you set 801275C9 individually to FE,you can get extreme/negative points.
Peril of Saucer said this.
"You need more than 32766 points to beat your current score."
That is only one point below the maximum possible score LOL!

retroben
28th July 2013, 11:10 PM
This deserves a new post.

If you use the no frameskip code on PJ64 v2.1 "20MB memory size mod",it will run flawlessly at full 60fps (in exception of computer limitations).

Remember to use Jabo D3D6 1.5.2 for the best speed.

Obviously,make sure the memory size is set to 20MB.
Be careful and set the other settings correctly in "Edit Game Settings" for the best results.

The mod can be found at smwcentral.

h;'ttp://www.smwcentral.net/?p=viewthread&t=63820

He also gives you the instructions for memory size.

Now it's in a zip file instead of the installer exe.

And here is the download link of Tarek's PJ64 mod.

h;'ttp://dl.smwcentral.net/4929/Project64%202.1%20Fruit%20Edition%201.0.zip

Remove the " ;' " to get the links.

Edit:I have just found out something even more awesome.

All you need to do for the perfect fps in 1.7,1.7.0.50 b23,and other versions is change VI refresh rate to 2200.
And now for best Banjo-Tooie Config (to me anyway).

Only "Delay SI Interrupt" and "Use TLB" should be checked.
In the Recompiler tab,all but "TLB unmapping" and "Protect Memory" should be checked.

For me,it changes around 40-60fps in Jinjo Village.

retroben
29th July 2013, 01:21 AM
This truly deserves the tripled post.

Here is the no frameskipping code for Banjo-Kazooie!

Banjo-Kazooie 1.0 (U)
No Frameskip
802808DF 0000
It is just like Banjo-Tooie's code.

Because of that,here is the better one for Banjo-Kazooie.

No Frameskip v2.1
802808DC 0080
Unlike Banjo-Tooie,it actually runs on 1.6 without crashing on startup in the file selection.

Remember to also change the VI refresh rate to 2200 in "Edit Game Settings" for perfect fps.

Warning(I'm serious!):If you easily get motion sickness,I advise you to only use the no frameskip code at "1 frames skipped" for Banjo-Kazooie because it looks really trippy compared to Banjo-Tooie.
Banjo Kazooie v1.0 (U)
Always Skip One Frame
802808DF 0001

Edit:I also have more codes for Banjo-Kazooie.

Scale Termite strength hills (L)
D0281251 0020
8037C287 00FF
Hold L and you don't slide down,just sliding in place,and allows you to jump your way up.

Faster on Slopes
8037C279 0000
You can zip up steep slopes.
It even allows you to use Talon-Trot to zip up the grey mountain without Termite.

Torture Banjo
8037C1C3 0000
8037C1C7 0009
This is a rather interesting code,whenever you jump,banjo slams into the ground and takes no damage.
You can change the zero to increase damage (e.g 7=seven health).
You can bounce against an enemy after getting hurt by said enemy.

Keep Speed on Slippery Slopes
8037C1D3 0001
You still slide down.

Face Climb
8037C4A3 0002
Allows you to go up any slope without Talon-Trot/termite.

Walking Direction
8037C0E7 000x
01=Banjo
02=Kazooie (Talon-Trot)
Using the opposites will make you moonwalk LOL.

Air effects? (R)
D0281251 0040
8037BF60 0000
Hold R and move forward after jumping.
You can do multiple air moves at ground level as long as you hold R.

Camera Mod
8037DB40 000x
00=debug camera?
01=Focused
02=Free
03=Centered/Zoomed out
04=Zoomed
05=Normal (allows zoom controls)
06=Normal (no auto turning)
07-08=Strange Spycam?

Hill Cling
8037C4A3 0006
You can hold up/forward to stop sliding on slippery slopes and scale your way up.
You can also sway left/right if you are sliding while sitting.

Update:Benny Hill code for Banjo-Kazooie.

Banjo-Kazooie 1.0 (U)
Unlimited FPS
802808DB 003A

True Benny Hill Mode
802808DB 007E

Full-fledged Unlimited FPS
812808D8 7EFE
812808DA 7EFE

retroben
30th July 2013, 02:59 PM
I want someone to make some videos for YouTube of Banjo-Kazooie/Tooie using the no frameskip codes,just to show how awesome they are.
If your performance levels out correctly,you can set the recording program to above normal priority to get the perfect recording.
It should probably be made in TAS style 240p resolution with the smoothest 60fps capable recorder you can get.
TAS videos have the best quality I have ever seen in a 240p resolution video.
The YouTube videos should perform better/smoother in fps with 240p resolution.

Maybe you can even get Grant Kirkhope to go watch these YT videos if you ask him on his quite active twitter.

You don't even have to credit me for the codes if you do not want to.

I just want to see someone have them running at an entirely constant 60fps on a high-end computer.
From the last time I used no frameskip on Banjo-Tooie,it only had 40fps issues in Jinjo Village so far.
I only have a crappy-by-comparison single core computer,so that's why I cannot record it myself.

(Also,maybe I will find Banjo-Kazooie's benny hill code in a few days.)

HatCat
30th July 2013, 03:12 PM
No Frameskip v2.1
8007913C 0080

That means frame skip is now 0x80??????, depending on what you set 7913D, E and F to for the ?s, but it does not matter, because the sign bit is set.
So your code there forces a 32-bit signed underflow exception, which the game will clamp up to 0 instead of attempting a "negative frame skip".

So, you can confuse yourself that way if you prefer, I guess.


The three bytes before 8007913F never show up as changed results when using memory search.

Doesn't matter.
If we're writing 0x00000000 to a 32-bit storage, from ...C to F, and that 32-bit storage already contains 0x00000004, then the three upper bytes are all still 0x00. So in that sense, no they're not "changed", but they're still overwritten.

I also found out the three bytes get reset to zero every time 8007913F changes.

Only because the game is writing values less than 256.

If you set...
...C to 7F,
D to FF,
E to FF,
F to FF,

you have a frame skip of +2,147,483,647.

The game sets the frame skip to 0.

Replace 2147483647 with 0x00000000 and what do you get?
The three bytes you mentioned get reset to 0. :)

Duh. So what you said if anything only proves my point that all 4 bytes are read and written as the same data value.
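
Added example, not part of any post in this thread: a small model of how the 80 (8-bit) and 81 (16-bit) codes quoted above land on the single big-endian 32-bit word at ...3C to ...3F. The `Ram` class, the function names, the rejection of odd-address 81 codes, and the clamp of negative values to zero (taken from the claim made in the post above) are assumptions of this sketch, not code from the game or from Project64.

```python
import struct

# Address of the frameskip word (bytes ...3C to ...3F) as posted in the thread.
FRAMESKIP_WORD = 0x07913C


class Ram:
    """Sparse byte-addressed memory; bytes never written read as 0x00."""

    def __init__(self):
        self._bytes = {}

    def write8(self, addr, value):
        self._bytes[addr] = value & 0xFF

    def write16(self, addr, value):
        # Big-endian: the high byte goes to the lower address.
        self.write8(addr, value >> 8)
        self.write8(addr + 1, value)

    def write32(self, addr, value):
        for i, b in enumerate(struct.pack(">I", value & 0xFFFFFFFF)):
            self.write8(addr + i, b)

    def read_s32(self, addr):
        # The whole word is read back as one signed big-endian integer.
        raw = bytes(self._bytes.get(addr + i, 0) for i in range(4))
        return struct.unpack(">i", raw)[0]


def parse_code(line):
    """Split 'TTAAAAAA VVVV' into (code type, 24-bit address, 16-bit value)."""
    parts = line.split()
    if len(parts) != 2 or len(parts[0]) != 8 or len(parts[1]) != 4:
        raise ValueError(f"malformed code: {line!r}")
    head, value = int(parts[0], 16), int(parts[1], 16)
    return head >> 24, head & 0xFFFFFF, value


def apply_code(ram, line):
    kind, addr, value = parse_code(line)
    if kind == 0x80:
        # 8-bit write: only the low byte of the value field is stored.
        ram.write8(addr, value)
    elif kind == 0x81:
        # 16-bit write; this model rejects unaligned halfword addresses.
        if addr & 1:
            raise ValueError(f"81 code on odd address: {line!r}")
        ram.write16(addr, value)
    else:
        raise ValueError(f"code type {kind:02X} is not modelled here")


def effective_frameskip(word):
    # Assumption from the thread: the game treats any negative value as 0.
    return max(word, 0)


def frameskip_after(codes, game_value=4):
    """Game stores game_value as a full 32-bit word, then the codes are applied.

    Returns (signed 32-bit word, frameskip after the assumed clamp).
    """
    ram = Ram()
    ram.write32(FRAMESKIP_WORD, game_value)
    for line in codes:
        apply_code(ram, line)
    word = ram.read_s32(FRAMESKIP_WORD)
    return word, effective_frameskip(word)


if __name__ == "__main__":
    cases = {
        "low byte only": ["8007913F 0000"],
        "low byte, upper byte nonzero": ["8007913F 0000", "8007913C 0001"],
        "v2.1 sign byte": ["8007913C 0080"],
        "v2.0 full word": ["8107913C 8000", "8107913E 0000"],
    }
    for name, codes in cases.items():
        word, skip = frameskip_after(codes)
        print(f"{name:30s} word={word & 0xFFFFFFFF:08X} frameskip={skip}")
```
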

retroben
4th August 2013, 11:21 PM
Got bored and found the no frameskip code for V1.1 of Banjo-Kazooie.

Banjo-Kazooie v1.1 (U)
No Frameskip
8027F71F 0000

No Frameskip 2.1
8027F71C 0080

I also found out that the PJ64 Fruit Edition mod most definitely runs faster/much smoother than other pj64 versions when 20MB RDRAM is set.

ExtremeDude2
5th August 2013, 12:30 AM
I also found out that the PJ64 Fruit Edition mod most definitely runs faster/much smoother than other pj64 versions when 20MB RDRAM is set.

I assume you mean with the code

retroben
5th August 2013, 01:41 AM
Yep,when I ran Banjo-Tooie in PJ64 Fruit Edition with 20MB of RDRAM,and "no frameskip" enabled,it maintained a stable balance of 60fps with less slowdown in jinjo village.
The slowdown is likely caused by loading data and the room name whenever you enter another area.
It is much more aggressive in the normal PJ64 when compared to Fruit Edition.

Also,you can really notice the difference of speed in Banjo-Kazooie with no frameskip.
First,all enemies move like they are on steroids.
Then you'll see how much smoother areas like TreasureTrove Cove,and the Gobi's Desert entry room run (normally the Gobi room really lags a lot with a larger frameskip).

Apart from all this,it makes the game much more challenging since enemies can dart right into you before you can do anything about it.
I got hit four consecutive times by the same TTC Crab while trying to beak bust it because of its stealthy circling technique.

Tasoulis
5th August 2013, 10:02 AM
I bet most games from RARE have a no frameskip option hidden somewhere.

dsx_
5th August 2013, 02:10 PM
enemies can dart right into you before you can do anything about it

so basically it's just increasing the speed of the game...that's not "no frameskipping"

Tasoulis
5th August 2013, 04:48 PM
so basically it's just increasing the speed of the game...that's not "no frameskipping"
I tested the frameskip code in both games. For me, it just increased frame rate, it didn't make them faster. The enemies look the same as before, they didn't move faster, maybe the increased responsiveness makes it look like that.

The only thing that was fast forward for me was the "attract mode" in Banjo Kazooie (the scripted demonstration scenes, before you press start)

dsx_
6th August 2013, 05:27 AM
sweet :D he made it sound like that wasn't the case

retroben
6th August 2013, 07:47 PM
If you've seen it first hand,the enemies actually do move faster with "No Frameskip" enabled.
This happens because they normally move slower due to lagging along with frameskip itself (apparently,frameskip also slows the game down).

This is kinda similar to DK64 running faster whenever there is enough objects onscreen (performing the orange bomb speed glitch to phase through walls).

Edit:I just did some testing with Banjo-Tooie's "No Frameskip" code,and I got down to 35FPS/VI flying in Hailfire Peaks Lava Side.

Also without flying,I managed to get 33FPS/VI near the oil rig in Hailfire Peaks Icy Side.

And this is when using the 1.5.2 plugin.

These are the only serious limitations when using "no frameskip" in Banjo-Tooie.
It must be caused by the really far draw distance.

retroben
9th August 2013, 09:10 PM
I went and found the Kazooie model routine lines for Banjo-Kazooie 1.0 (U)
You can make Banjo look silly when Kazooie is disabled.

Kazooie Model Loaders (1=on/0=off)
8037D234-8037D239

4=??? used with 37D238
5=Eggs from behind
6=Talon-Trot Legs
7=Running Shoes
8=Head/Wings/Torso
9=Swamp Boots

retroben
11th August 2013, 10:03 PM
How do I make my 80x80 animated GIF work as my avatar?

Whenever I upload it,the stupid engine resizes it to 79x79,making the animated GIF no longer work.

I even tried loading the album/picture URL from within the URL loader after uploading it into an album,but it says file invalid.

I sure hope I can get it to work.

Here is the GIF actually working in my album...

htt?"?p://forum.pj64-emu.com/album.php?albumid=34

http://forum.pj64-emu.com/picture.php?pictureid=100&albumid=34&dl=1376258065&thumb=1

You can apparently peer into other member's personal albums by changing the ID number,which I think is an awful flaw in forum design.

Edit:Cool,the image URL worked,and with animation as well.

Also,why do posts only count when posted in another user's topic?

Can some admin/moderator please grant me access to URL posting early?

ExtremeDude2
11th August 2013, 10:58 PM
I'm pretty sure you don't get posts at all in the cheats section

HatCat
14th August 2013, 04:56 AM
No idea why it resizes your GIF by one pixel,

But you need to make sure that both limitations are not exceeded.

Using animated GIF is possible but you need to comply with both rules.
a) It needs to be < 80x80 px
b) It needs to be less than 19.5 KB or whatever it was for this forum

Only way out is to use an interface besides the standard User CP to do the avatar upload, like the modcp that Gent used to put his avatar up long before zilmar gave in to the zombie requests on this forum to let users have their own avatar too and not just Gent.

You can apparently peer into other member's personal albums by changing the ID number,which I think is an awful flaw in forum design.

I never used vBulletin features much.

My ideal forum lets me basically just post raw text whenever I want, and maybe throw in a few obnoxious smilies and images.

A password and e-mail feature might also be nice.
A register feature probably useful also
I might be forgetting some other basic things.

I use the avatar/profile features to be an ass.
That's about all I can think of right now. :)

retroben
5th November 2013, 10:16 PM
THANK YOU MUDLORD!

I have Mudlord's Rice Video 6.1.4 running Hailfire Icy with no frame skipping at a consistent 50-60fps in the laggiest spot above the oil rig where the biggest draw distance is.

With the Jabo D3D6 1.5.2 plugin,it only goes 29-31fps.

I even get 60fps when viewing the entire map flying high in Mayahem Temple.

retroben
6th November 2013, 08:30 PM
I have some neat Banjo-Tooie codes,but I need someone like that guy who made the master and size modifier codes to create the pointer codes for them.

I found the individual Banjo-Kazooie/Banjo alone size modifier's common placement value which is FF 01 for normal and FF 02 for Talon Trot.

Just search 16bit in hex 0xFF01 starting at 0x001A0000 to find an address with 00xxxxx0 and right click to view in memory until you find the 3F80 value in x8 and x9 which is where the size modifier is.

Common position in 001A0000-00220000 is 00xxxxx0.
The size modifier is at 00xxxxx8 and 9.

I wish that I knew how to make my own pointer codes.

Now for the common offsets when you find the correct FF 01 address.

-0281=action conditions?

-0279=on/off ground conditions?
06=on ground (freeze for Shock Spring anywhere) 00=in air

0000=feet/talons value=FF 01/FF 02
You moonwalk when set to Talon while walking or Feet while Talon Trotting.

+0151=Main Separation Pads flag 0=off 1=on
Soft freezes on usage.

+0152=Separation Pads flag 0=off 1=on
When on,you can separate from anywhere in the level,too bad the addresses frequently change.

+03E8=slope height
0000=walk on slippery slopes! 3F80=always sliding

NEW!

+09D7=action modifier
01=stand
05=jump
74=Banjo waiting in swap
Works as Banjo with and without Kazooie.
You can set Banjo's 74 to 01 to control Banjo simultaneously while Kazooie.

Use 01 and 05 for an extremely easy way to find the action modifier address.

retroben
15th November 2013, 08:09 PM
Just asking again for someone to try the Banjo-Kazooie and Banjo-Tooie no frameskip codes on an actual console while recording it with a high speed camera or capture card then post it on YouTube,making sure to prevent the YouTube frame loss glitch.

Maybe when GSCentral gets their site back on its feet,I can request them to make videos for the no frameskip codes.

I really wish I knew someone with the power to reach Grant Kirkhope,showing him
Banjo-Kazooie and Banjo-Tooie both running with a lossless 60FPS.

Mumbo for Grant Kirkhope:oh my god oh my god oh my god...
OOH ME KNOCKAH!

retroben
19th November 2013, 11:43 PM
I have some values that you can use to find kazooie's animation addresses.
The addresses are like Banjo's by using 9 and 5 distanced at 20.

Kazooie animation values:
A4=standing
A5=pecking ground
A6=sneaking
A7=walking
A8=crouch?
A9=jump
AA=in flight
AB=flightpad
AC=biting wings?
AD=flapping wings

retroben
24th November 2013, 11:41 PM
The animation modifier actually has two bytes for animations,not just one.

8 and 4 distanced at 20

Some Banjo-alone animation values.
0124=Store pack standing
0125=Store pack jump
0128=Puts away store pack
0129=Pull out thing in store pack

The highest moving animation I found so far is 0540.
It freezes the game at 0901 and higher.

Edit:Kazooie Gun
0310=Kazooie twists in then cocks like a gun.
0386=Kazooie's adorable kick

More Kazooie value
21=Breegull Bash
I am tripping out with this one.

retroben
26th November 2013, 01:51 AM
Here is my offset data for the animation modifiers.

+D0D0=
and it=anims modifier base Kazooie
+D0F0=
A4>Stand
A9>Jump
00A4 01Ex

-11040
and it=anims modifier base Banjo-Kazooie
-11020
6F>Stand
08>Jump
006F 01Ex

-479D0
and it=anims modifier base Banjo
-479B0
006F 01Ex

You're better off just searching 32bits in hex starting at 0x00180000 for the
four bytes at the bottom of each of the offsets.
The extra two bytes are the sub-status of your current action (standing).
Don't forget to only use any non-2.x PJ64 version,as the 2.x versions crash on memory search.

Edit:My bad,the stupid last two bytes can be slightly different.

To save some trouble,it might be very different in other levels,I was in the Plateau.
Just try 01E0,01E1,and 01E2 in the last two bytes to find only one address being the animation first half.
The actual code is from the zero at the +20 (hex) and +4 location of your result with the matching first two bytes.
Memory view is extremely helpful in pointing that out.

retroben
1st December 2013, 11:33 PM
Banjo-Kazooie (U) (1.0)

Animation Mod
801671DB 00xx
D8=Banjo likes what he sees (crouch)
F0=Banjo Laughing
FF=Better Banjo likes what he sees
Just because of that one value's (D8) hilarious effect.
Most values are the same as Banjo-Tooie,in exception of animals.

retroben
19th December 2013, 02:05 AM
Back with a new offset.

FF01 at 80xxxxx0=Base Address

0000=Talon trot position.
Values:
FF01=Banjo
FF02=Trot

+0710-+0717=Banjo's Unused/Kazooie's Rotation ^/v
x0=current
x4=next
You can rotate Banjo who never rotates in-game unless Talon Trotting.
It is some kind of floating point.
Eight zeros is normal,4100 0000 is barely forward,4200 0000 is more,4280 0000 is a bit more,and 4300 0000 is a lot more.
You get it (I hope so).
Also,4380 0000 is backwards.

Edit:Hey,look,I found the other rotation code!

+0818-+081F=Banjo's Unused/Kazooie's Rotation </>
x8=current
xC=next
Same as the other rotation code,but sideways.

+0870=Shading Color 2byte=0101
x0 values:
00=brightest
01=default
02=brighter

+0874=Green
43=Normal
50=Green

Both 874 and 878 combined=Blue

+0878=Red
43=Normal
50=Red

+0884=Shoes (invisible)
00=Strut Walk
01=Normal (Banjo)
02=Normal/Talon Trot (Kazooie)
03=Running (needs infinite timer)
04=Climbers
05=Spring Step (the jump works)

+0885=Infinite Shoe Time
00=off
01=on

retroben
19th December 2013, 09:56 PM
+0020=Follow your shadow
00=Normal
40-44=Follow Distance

+0028=Sink into ground
00=Normal
40-44=Sink Distance

+0030=Shadow adjacent position ^/v
00=Normal
44=Madness ensues

+0038=Shadow adjacent position </>
00=Normal
44=Madness ensues

+003C=Camera Position </>
00=Normal
43=off-center
xx=other positions? (too lazy)

+00F8-+00FC=Texture Corrupt
Changing this once makes you look strange.

+0234=Running Shoes/Visibility Enabler
00=off
01=on
Combinable with the "Infinite Shoe Time" code.

+0238=This address "Kills"
00=Alive
01=Death

+025C=Springy Step/Visibility Enabler
00=off
01=on

+0330=Collision Width
45=Can jump through walls.

+0334=Collision Height
40=Clip through some walls.

+0368=Repeater Jump!
00=off
01=on

+036E=Sink Through Floor (Repeater Jump minus Repeater)
00=off
01=on

+03C9=Current Character
Press B at a Warp Pad or a sign to physically change.
01=Banjo and Kazooie
02=Snowball
04=Wide Angles??? Cutscenes etc.
05=FREEZE
06=Bee
07=Washing Machine
08=Stony
09=Just finished 1st person
0A=Banjo
0B=Kazooie
0C=Submarine
0D=Mumbo
0E=Golden Goliath
0F=Detonator
10=Truck
11=Clock
12=T-Rex Baby
13=T-Rex Daddy

+0BE0=Swim Flag
00=off
01=Swim

+0BE2=Stand Flag
00=off
01=stand

+0C94=Walk Slant
00=Normal
40=Slanted

Too lazy.

+0C9C=Walk Tilt
00=Normal
40=Tilted

retroben
20th December 2013, 01:40 AM
Edit:I just found the best search value for the animation modifiers.

80 08 C4 DC

0x8008C4DC in Hex 32bits

The only two addresses found are right next to the first animation values for both Banjo and Kazooie (when active).
Go to the base position of the found addresses which is x0.
And that is when starting from all zeros address!

retroben
20th December 2013, 01:52 AM
-0290=Move Multiplier
A funny acting code that multiplies move uses like eggs fired.
Address at the 80xxxxxF position
00&01=one egg
02=two eggs
09=nine eggs
3C=SIXTY EGGS!

retroben
24th December 2013, 02:13 AM
I have another offset method for Kazooie's animation as a base address.
You'll always need a 1.7 version of PJ64 to use memory search crash-free.
Somebody please make a mod of the open source 2.1 that fixes memory search.

Search at 0x00180000 for A4 while standing,then A9 while jumping.

-0030=Shoot many eggs at once (freeze value).

-0028=Animation length (freeze value)
Uses floating point.

0000=Base

+0004=Kazooie's Animation

Just find the real animation line in x5 and go to the x0 position in memory view.

Maybe I will find even more awesome offsets!
I wish someone could make a good pointer code and explain how to easily change the offset position affected.
At least a working cheat engine pointer so I could easily use it instead.

retroben
3rd January 2014, 01:21 AM
I have found a solution for shadows in Mudlord's Rice 6.1.4 Plugin!

The settings are in current game's tab when Banjo-Tooie is running.
Just set "N64 Frame Buffer" and "Rendering To Texture" to "None" for shadows.

Edit:I also found an interesting oversight with separation pads in Styracosaurus cave as well as WitchyWorld train-to-tent.
The problem is they are event sensitive,so if you complete the boggy event and the sick dinosaur event,you can't do it.
If you use taxi pack to kick out a heavy character,you can push Kazooie off of her separation pad.
You have to be at the right distance to push her correctly.
The most interesting detail of this oversight is the swap anywhere glitch caused by it.
If you quickly place the heavy character on top of kazooie's swap pad so she is no longer on it,join together,and separate again,you will get "swap anywhere" for Kazooie within the Styracosaurus Cave!
Just don't step on her pad again,or it will wear off.

retroben
27th January 2014, 09:49 PM
Here is the walk on slippery slopes code for Banjo-Kazooie

Banjo-Kazooie (U) (V1.0)

Walk on slippery slopes
8137C2E4 0000
8137C2E6 0000
This includes the insane slopes for termite-jo.

HatCat
27th January 2014, 11:40 PM
retroben do you think you could find a code that always (or upon request) shines light out of Link's mirror shield in Zelda MM?

retroben
28th January 2014, 01:26 AM
I can always try!

It should be a lot easier than making it look like the Hero's Shield.

Edit:The emulator dickishly froze right in the mirror shield room on the first go.
I had to save at the nearby owl statue,exit/re-enter the emulator,then savestate my way through it.

Despite the time it took to get the shield manually (best known area for an immediate light source)...

DAYUM I'M GOOD!

Here is the always shining mirror shield code!

Mirror Shield Always Shines
81415154 3F66
81415156 6666

Edit:Sadly it only works in that mirror shield room ONCE. (GAMMIT!)
Stupid pointer related code.

At least it exists.

Here is an easy way to find it randomly.

value:0x3F666666=light reflecting
value:0x00000000=no light

search in 32bits for the two values with PAddr Start of 0x00400000

HatCat
28th January 2014, 04:29 AM
Interesting.

I remember trying to find this code years ago (like 2008) with someone else who came up with the idea. We couldn't get it to remember it...

I'll see about unifying the pattern you found.

Despite the time it took to get the shield manually (best known area for an immediate light source)...

I wouldn't go down that far.
The place where you get the Mirror Shield is a very, very long journey just to find a light reflection spot to use the shield in.

There are some easier places.

Try entering the Ancient Castle of Ikana directly through the hole by the valley with the Music Box House, then strike the glass switch on your left with the sword. Fast, instant light for you to play with.

There are also some places in Stone Tower Temple, the kingdom castle, and that boss fight with Majora's Mask where it shoots fire beams out at you and you can reflect them with the Mirror Shield (though since that's not actually light specifically that might just be an entirely different cheat code to do :( , damn, I want to fire laser beams at everyone all the time!!).

retroben
28th January 2014, 04:35 AM
...that boss fight with Majora's Mask where it shoots fire beams out at you and you can reflect them with the Mirror Shield (though since that's not actually light specifically that might just be an entirely different cheat code to do :( , damn, I want to fire laser beams at everyone all the time!!).

I seriously did not know you could do that.
I would usually just beat the SHI-sh out of him in every form,especially if I use Fierce Deity.

I will try to find that mirror laser shot at the next chance I can get which probably would be tomorrow.

RPGMaster
28th January 2014, 05:32 AM
Since I'm bored and love to do reverse engineering, I'm down to try this out. It's fun learning new things and doing stuff no one else has done :) .

I have bad memory, so I'll need some advice on where to go. In the meantime I'll search some GS codes to help me out, since I only have a basic save file with hardly anything unlocked besides songs.

HatCat
28th January 2014, 08:34 PM
It's a pretty hard code to do lol. It might just bore you out of your mind.
I haven't tried to mine it out since '08.

The purpose is to make light shine out of Link's mirror shield always or whenever you want.
If not that, then at least make the game think that it is, even though you can't see light coming out, so that your Mirror Shield is still a weapon against the undead (gibdos, etc.). So if you raise your shield up against a Re-Dead, Gibdo etc. and see them die, you know your code works. :)

RPGMaster
28th January 2014, 10:00 PM
Self Modifying code makes this code more difficult :( . I'll keep trying new ideas though :) .

HatCat
28th January 2014, 11:07 PM
To do this code directly would probably take some MIPS hacking.

I'm sure the game stores different integers for different map coordinates of the game...I once levitated over the underground gate beneath Clock Tower (where the water wheel directs the flow of the water) and magically started swimming in mid air when I should have been walking on ground foot (or at least, judging by appearances).

Likewise, my guess is that the game stores integers for certain ground areas where if you stand there, your Mirror Shield will reflect light.

So the game's logic is probably, if (area_property == MIRROR_SHIELD_LIGHT) make_Links_shield_shine();

Now, a damn good code would hack the MIPS branch-on-equal (or BNE or w/e) instruction to include other values so that Link's Mirror Shield would shine light out more often. (Of course it might not be even that simple, as if assembly hacking ROMs isn't tedious enough, since it might not be any direct branch comparison at all but a look-up table of static values, etc.)

Just rambling I guess. :D

RPGMaster
28th January 2014, 11:24 PM
I'm pretty good at n64 assembly hacking. My best bet is to either modify the rom itself and see if I can find a pattern, or try out different areas with light. I guess I will mess around with speed hack, moon jump, and teleport locations, to find travel to as many places as I can since I don't remember much about the game lol.

So far I've tried the Ancient Castle of Ikana. My issue is that when I left the area, the assembly code that checks the mirror light completely changed. I'm not too good with pointers so I wasn't able to find the pointer address for that mirror light value. I tried seeing if maybe the code moved to a new address, but I couldn't find it. Unfortunately, I wasn't even able to find the code that determines whether light shines or not. The only successful code I was able to make was so that it stores a value from a different floating point register.

I think this would be easier if I had a huge list of addresses like I do for other games I play with. For instance, in Super Smash Bros 64, I know the pointer address to Player 1, which helps a lot.

HatCat
28th January 2014, 11:52 PM
You probably have more experience with it than I do.

Last time I did MIPS hacking of a N64 ROM was when I was reversing the Mario64 EEPROM save.

Someone pointed out to me that the EEPROM magic number was "HI" and later on, "DA" (in 16-bit hex). So he wanted me to make the game read a different magic number, so I used NIEW64 MIPS disassembler to find all instances of "DA" (as a 16-bit hex) and the MIPS ADDIU instruction opcodes, since loading a fixed 16-bit immediate was usually generated by GCC as an ADDIU $reg, $zero, 0x???? instruction. I had a few results to poke through and by process of elimination made the game write and read a different EEPROM magic number.

Any other N64 ROM assembly hacks I did I've long since forgotten, lol, but it sounds like you've done tons of shit.

I guess I will mess around with speed hack, moon jump, and teleport locations, to find travel to as many places as I can since I don't remember much about the game lol.

Honestly, I can only think of a few places at the top of my head that have light-reflection spots.

Two of them are right next to each other in Stone Tower Temple. If you warp to Stone Tower, enter Stone Tower Temple from across the owl statue there, pass through the right door after the entrance, shoot a Light Arrow at the golden sun block, you'll see a mirror for reflecting light from further down the hall. At the end of the hall is a locked door (need a Small Key) behind which there's a whole shitload of mirrors for you to shine your shield at.

There's also another room in the temple but tl;dr.

Also in the Ancient Castle of Ikana, if you Moon Jump over to the top of the castle, there's a cracked spot where you can drop a Powder Keg as Goron Link. This will allow light to shine through to below it where you can use your shield to destroy the ReDead beneath said hole.

Also to the left of the main castle and at the end is a hole where you can climb down the ladder and exit the "Ancient Castle of Ikana" area into "Beneath the Well". There might be another golden sun block in the way; if so just shoot a light arrow at it. There's a big spot of light where you can shine it.

That's probably it lol...for like, the entire game? As far as places where you can reflect light. (There's one other room but again, tl;dr I don't even remember off hand how to get there it's in Stone Tower Temple.) :D

I think this would be easier if I had a huge list of addresses like I do for other games I play with. For instance, in Super Smash Bros 64, I know the pointer address to Player 1, which helps a lot.

I have no idea how one might go about this but I am sure there is an alternative approach.

If you could somehow disable the light-reflection property from spots in the game where, when un-hacked, your Mirror Shield emits light, then you'd know the flag/integer mask that tells the game to treat that exact spot on the floor as Mirror-Shield-reactant. That would give you the value to search for and compare to the shield, but again, this is probably an even harder method to search for...doesn't strike me as natural, guess I felt like mentioning it anyway though lol.

retroben
29th January 2014, 12:20 AM
Due to unforeseen circumstances of the weather outside being frightful,I can't look for the code yet because of the change of my routine.

RPGMaster
29th January 2014, 12:43 AM
Alright, I'll try out some other areas. If my other ideas don't work, I'll try out that reflection suggestion. I usually look for pointers using cheat engine. One thing that does help is that I add the variable in cheat engine, then I click on find out what accesses or writes, then after that I click on one of results and click on show disassembler. Then I right click that line of code in disassembler and click on find out what addresses this instruction accesses. With this method, say I find player 1 hp in a game, I could then find the addresses for every other enemy so long as it's using the same code to determine their hp. I think I found a lead on the mirror light, but it's quite confusing tbh.

Honestly I only have ~1 year of experience with this stuff. I just spend hours at a time when I have ideas to try out, then I take long breaks and do other things. The key to success is being creative and trying new things. I love when I discover new ways to find things. Piggybacking off other people's work is a big time saver, like the teleport code by you and the value of the mirror light posted by Retroben.

retroben
31st January 2014, 12:05 AM
Just in case,I was referencing "Let It Snow" because I had snow in my state.

I can try to find the code now.

I think we need an "anything goes" topic for anyone trying to get any code for any game.

I will make that said topic VERY soon.

RPGMaster
31st January 2014, 08:36 AM
Lol so I decided to look into hacking other n64 games. How did you originally find this no frameskip code? I'd like to try hacking games like Goldeneye and maybe even Zelda.

retroben
31st January 2014, 10:23 AM
I found the code near a beta element address (Devil Bottles Mode).

I was in the cheese wedge in Cloud Cuckooland.
I found that the best way to find the code was to initially enter the room,and search with compare base/changed before and after touching the spiky onion.
I came up with zero (0x00) before and four (0x04) after getting hit.
It gets laggy after getting hurt while being perfectly smooth beforehand.

I have yet to succeed in finding it for any other game besides Kazooie and Tooie.
I found the Banjo-Kazooie version by entering/exiting
the hub for Gobi's Valley (laggiest room).

RPGMaster
31st January 2014, 10:31 AM
That's pretty impressive, I must say. Did you have knowledge of the game, to make it easier to find? What I mean is, was it known that different parts of the game have different frame skip values? That sounds like a very challenging thing to find since you don't know what the values are. I guess I will debug Banjo Tooie to learn more about this.

retroben
31st January 2014, 08:40 PM
I usually take advantage of existing address locations that match certain codetypes like the "gameplay status" location for have items or infinite items,and any other types the same way.

For the code,I reacted on visual cues,such as jaggy framerates in different locations/moments.

Have you seen my SM64 equivalent speed codes for Banjo-Kazooie/Tooie that I named Benny Hill Mode?

RPGMaster
31st January 2014, 10:23 PM
Those are some good tips :) . I should pay attention to address locations more often from now on. It would have saved me a lot of time in other games including Zelda MM.

What I will do is collect info about certain games like known areas where it lags more. I heard in Mario Kart, in some parts of a level, the game will speed up to make up for the extra lag.

No I haven't seen your SM64 speed codes. I'll check that out too. Lol I just realised how many n64 games I bought that I hardly played :( . I forgot I even had Banjo Kazooie and Tooie.

HatCat
31st January 2014, 10:28 PM
I heard in Mario Kart, in some parts of a level, the game will speed up to make up for the extra lag.

Would this happen to be D.K.'s Jungle Parkway with multiplayer mode?

That course runs really fast, like 2x normal framerate or something. It's a known "bug" in the game. I don't know the details of its cause.

RPGMaster
31st January 2014, 10:34 PM
Honestly lol, I haven't played Mario Kart 64 multiplayer in several years, so I never noticed these things. I did see comments about D.K.'s Jungle Parkway in multiplayer speeding up. People say it was probably implemented to anticipate extra lag since N64 couldn't handle everything at full speed.

retroben
4th February 2014, 12:36 AM
Imagine the Live and Learn final boss song from SA2B.

Banjo Kazooie (U) (v1.0)

Banjo Running Speed
81364D80 43FA
I recommend 447A.

Talon-Trot Speed
81364A94 442F
I recommend 44C0.

You could imitate the Super Banjo cheat from Banjo-Tooie.

Edit:another one

Golden Feather Run Speed
81364AD4 43D4
80385F73 0009
I recommend 44A0.
It is combined with infinite Gold Feathers.

Swamp Boots Running Speed
81364A44 43FA
I recommend 442F.

Running Shoes Speed
81364A9C 447A
I recommend 4500.

EDIT2:LOL for death in the Rusty Buck Bay demo.

EDIT3:MORE CODES!

Termite Speed
81364964 43FA

Crocodile Speed
81364B04 43BB

Walrus Speed
81364DC4 43C8

Pumpkin Speed
81364CF4 43FA

Bee Speed
813649E4 43BB

RPGMaster
4th February 2014, 03:22 AM
I haven't gotten around to testing out either Banjo game, but with Goldeneye, the fps was 60 when not much was going on, so this means that the game isn't capped at a lower fps. Is there any frame skipping in Goldeneye? I'd like to investigate this in various games, because I think patching roms will enhance the fun of old games. This week, I'll take a look at the Banjo games. Hopefully they run well in Nemu.

Also, does anyone have any cheat engine tables for any of the Banjo games or even other Rare titles like Goldeneye & Perfect Dark? It would save me quite a bit of time. If not, I'll just collect gameshark codes and work from there. One thing I love about cheat engine is that I can see the values of many different variables in real time, and I have a habit of playing in window mode anyway :) .

retroben
4th February 2014, 04:40 AM
Did you see my list of running speed codes?

Here's MORE!

Surface Swim Speed
81364D44 4396

RPGMaster
4th February 2014, 11:29 AM
Did you see my list of running speed codes?
Yes I saw them. I just haven't gotten around to playing yet. I figure I might as well ask for as much stuff as I can to save time before I begin testing stuff this week.

retroben
4th February 2014, 10:06 PM
Now for some different kind of codes.

Physical Animation Speed
81147B90 40B0
81147B92 0000
40B0-0000=Idle Standing

Edit:And thus begins a new offset list.

search in 0x00140000 for 32bits value 0x40B00000

0000=Physical Animation Speed
+0010-0012=Animation Timers
+001B=Current Animation

retroben
5th February 2014, 11:11 PM
I found a Banjo-Kazooie color mod.

Level Color Mod
8138237C xxxx
8138237E xxxx
Values:
FFFFFF00=Default
C8505000=Kirkhope's Knockah
FF00FF00=Creepy Colors

Edit:Funny pause code.

Melting Pause Menu
803835E3 0001
Will look different on other GFX plugins.

retroben
11th February 2014, 01:55 AM
I forgot one detail.

When having Mudlord Rice 6.1.4 with Banjo-Tooie for 60fps,use OpenGL for no lag.
Set the type to OpenGL Fragment.

DirectX cannot handle the larger views,especially Hailfire Peaks (Icy side) in the Oil Pump heights,resulting in lower framerates.

hellbringer616
12th February 2014, 04:52 PM
Although I don't think it frameskips so much as caps...
But any chance there is a way to port the no frameskip/60FPS code to the Zelda games? Cause I'd love to play those at 60FPS, or hell even 30, that 20FPS really messes with me haha.

RPGMaster
12th February 2014, 09:14 PM
Although I don't think it frameskips so much as caps...
But any chance there is a way to port the no frameskip/60FPS code to the Zelda games? Cause I'd love to play those at 60FPS, or hell even 30, that 20FPS really messes with me haha.

Although I haven't taken a look at it yet, I'm fairly certain it's totally different. I'm pretty sure different programmers worked on Zelda.

Good news is that if someone is dedicated enough, they should be able to find this frame cap. I wouldn't even begin to know where to look for frame mechanics. If I had a clue, I'd try it myself.

Edit: After playing OOT in frame by frame, I confirmed that it works like the speed setting in training mode for SSB64. The input delay is really slow lol. If you were to increase the fps, you would also increase the speed of everything. So in my opinion, the game would be too fast. I wish I knew more about how frames work. I took a look at the training mode speed in SSB64, 0 = 1/1 speed, 1 = 1/2 speed, 2 = 1/3 speed, 3 = 1/4 speed. I'm guessing the regular frame count variable is 1, so you add the speed reduction variable with the regular frame count variable (1), and that determines the frame rate. Every 1/60 seconds, a counter adds 1, then compares with (speed reduction + 1). I hope what I said makes sense. The coding aspect for frame cap is different from the training mode example I mentioned though.

hellbringer616
13th February 2014, 04:10 PM
So in short it's impossible, Bummer. was really hoping for it, Ah well. keep up those hacking skills :D

HatCat
13th February 2014, 04:21 PM
I took a look at the training mode speed in SSB64, 0 = 1/1 speed, 1 = 1/2 speed, 2 = 1/3 speed, 3 = 1/4 speed.

Heh, so what would negative one (0xFFFF...F?) be? :D

retroben
13th February 2014, 05:42 PM
If I can get the time,I will try to find it again.

RPGMaster
13th February 2014, 09:11 PM
So in short it's impossible, Bummer. was really hoping for it, Ah well. keep up those hacking skills :D
It's not impossible, just very difficult. I think the biggest challenge will be slowing everything else down after increasing the fps. I'd imagine it would even affect sound effects and music. I could be wrong about the sound and music though :) . The movement and animation speed would definitely be faster though.
Heh, so what would negative one (0xFFFF...F?) be? :D
Lol it works very weird. It plays normal speed for a few seconds, then you freeze for a few seconds.

retroben
13th February 2014, 11:04 PM
Sorry guys,I just can't find anything! :(

RPGMaster
13th February 2014, 11:44 PM
Sorry guys,I just can't find anything! :(
Take your time man :) . These things aren't something that can be accomplished by hard work alone. It takes creativity / knowledge, so just try things when you come up with new ideas or when you learn something new. I wasted so many hours trying to do things I had no idea what I was doing.

Lol I still haven't looked at the banjo codes ;/ . I should probably do that soon :D .

retroben
16th February 2014, 11:13 PM
Continue discussing the Zelda framerate in the general thread.

I found an even easier way to get Banjo's pointer-based status address.
It should even work on the 2.x versions of PJ64.

Use "Memory Viewer" to enter 0x80135490 as your location.

There will be a value like "801BC550" or anything in the 0x##18#### range.
Type your value into the address location.
Add xxxxx3E0 to the address to get Banjo's status values.
My result is 0x801BC930.

Add only x300 to get the camera zooming distances/heights.

Camera Zooming:
00 00 04 B0 - 00 00 01 C2 - 3F 80 00 00 - 3F 80 00 00

I will try to find the one for "Kazooie Alone" next.

retroben
16th February 2014, 11:29 PM
YEEEEEEAAAAAAAAAHHHHHHHHHH!!!!!!!!!!!!!!!!!!

Kazooie's address is right next to Banjo's address.
This makes it perfectly easy to reach both players at any time,even in 2.x of PJ64.

Use "Memory Viewer" to enter 0x80135494 as your location.
Type your value into the address location again.
Add xxxxx3E0 to the address to get Kazooie's status values.

As you can see,Kazooie's status values are also found by adding x3E0 to it.

Edit:I just finished playing around with Banjo's and Kazooie's values in the memory viewer on 2.x of PJ64.

RPGMaster
16th February 2014, 11:31 PM
Quick question. Is there any advantage to using pj64's memory viewer over cheat engine? I find pointer addresses to be very convenient with Cheat Engine. It's a shame hardly anyone makes tables for n64 games.

retroben
17th February 2014, 12:56 AM
It only views the game's memory while excluding the emulator itself.
Cheat Engine reads the entire emulator with the game,and it lacks the familiar 80xxxxxx address format.

Memory Viewer obviously lacks built-in searching.

I wish someone would make a fixed version of PJ64 that fixes memory search.

RPGMaster
17th February 2014, 01:24 AM
Lol unfortunately, you won't be able to set the memory address to 80xxxxxx, but you can set it to a number like 40xxxxxx. You just have to either hex edit the public version of pj64, or edit the source code and compile it yourself. I wouldn't bother trying to hex edit, unless the exe isn't packed. I believe pj64 1.6 was packed, so you had to recompile that version if you wanted static addresses for pj64 1.6. I ended up setting the address offsets to 10020000 just so that I can use the same cheat engine table for Nemu. 1964 uses 20xxxxxx if you're interested in using that number.

Still one flaw with cheat engine is that everything is in little endian instead of big endian. If you can get used to the endian difference, cheat engine is definitely worth using. Having the option to use pointer addresses for variables is sooooo helpful!

I haven't messed with pj64 2.1 yet as far as this address stuff goes, so I'll have to look into that.

retroben
17th February 2014, 04:14 AM
If we can find an expert for N64 pointer codes,we can get them to make some for the Banjo and Kazooie status locations so anyone can finally modify current actions,animations,and various other conditions in real-time without dealing with constant address changes.

I once found the real levitate code of B-T for Banjo in the pointer related address range.
Instead of bouncing after reaching a certain height,you could levitate freely...until the address changed randomly.

I tried messing around with the repeater jump code in hopes that I could adjust it to work for the status codes.

I also found an alternate repeater jump in the pointer related range.

If I could at least find a way to stop the game from changing the address locations,or force it to stay at a certain spot of my choosing.

So if Ice Mario and/or SubDrag would join in and help us,that would be awesome!

retroben
17th February 2014, 11:52 PM
I wish I knew how to make a code that reads the 32bit value and writes to +3E0 of said addresses value so I can make the status codes work in real-time.

By this I mean...

Always take the current value from the 0x80135490 or 0x80135494 address and make it the address to write to +3E0 or higher for all other address locations.

+3E0-3E1=FF 01

An example is to always be able to change Banjo's or Kazooie's transparency at any time because the other lines would detect where the address moves to in real-time and write to it successfully.

Edit:just adding another offset value.

+0630=Potential Moonjump

HatCat
18th February 2014, 12:43 AM
+3E0-3E1=FF 01

3E0 - 3E1 is just 0 - 1.
It's negative one, not FF 01. Idk wtf you got that from.

retroben
18th February 2014, 12:51 AM
I toyed around with the theoretical moonjump and got it to go far beyond the limits of the original Banjo-Tooie levitation code.

retroben
18th February 2014, 05:50 AM
@HatCat:
It is context sensitive.

It is sensitive to context.

That is a dash,not a minus sign.
It is the length between the pointing addresses I found and the transparency strength.
This includes the walking/talon trot byte as well.

Offset from pointed address:
3E0 and 3E1

Values of resulting address:
FF and 01
Transparency and Walking Style

A style of 03=Kazooie Alone's B attack while moving.

HatCat
18th February 2014, 01:43 PM
All the less reason for it to make sense.

Why would you want GameShark to use offsets?
You already have to use absolute RDRAM addresses in the codes anyway, and you have more than enough space for doing so. There's no need for secret, hidden offsets like +3E0; just put the complete address in.

The only part about your wish that made sense was reading in a whole 32-bit value for comparison, which obviously can be done in effect.

retroben
18th February 2014, 07:03 PM
Because in this situation,the address it writes to constantly changes its location. *DUH!*

To prevent more confusion,the green offset was for the original code.

0000=Transparency and Walk Style
+0630=Jump Gravity

At least you got the gist of what I was going on about.

If you are familiar enough with Cheat Engine's pointer codes on games like SADX,Sonic Heroes,and SA2BHD, then you should know exactly what offsets are used for.

I want to read the occasionally changing 32bits value from 0x80135490 as the address to write into,but I need it to read my +3E0 offset to properly write a value to the current transparency strength address regardless of where the original position of that address was.

For the other things like action modifier and levitation,I would just add the other offset to the +3E0 offset,making the combined total of +A10 for writing to the current "Levitation" address location.

I hope you understand this correctly.

HatCat
18th February 2014, 07:08 PM
You don't need offsets for anything.
135490 + 3E0 is 135870, so just use that.


"pointer codes?"
"transparency strength address?"

Where do you come up with such artificial terms?
Basically any cheat code targeting an effective address, offset or otherwise, *IS* a "pointer" code.

retroben
18th February 2014, 07:57 PM
So you thought I was writing to 0x80135490,a static address?

That is not the address to write to,that is the address to read the 32bit value from.
The value is not the exact address to write to.
I need offsets so I can write to the address that I want to,which is xxxxx3E0 higher than the 32bit value found in 0x80135490.

Example:

Address to read from.
0x80135490

32bits Value found in 0x80135490
80 1C 52 70

Current address to offset from.
0x801C5270

801C5270+3E0=801C5650

The address 0x801C5650 would be the current location of Banjo's transparency and walking style "2bytes" FF 01.

Changing FF into a low number will make it possible to see through Banjo.
Changing it to 00 would make Banjo invisible with the model still intact.

If the address changes,so will the value in 0x80135490,which is what I am counting on with a code that constantly reads the 32bit value of that address and uses it as the base address to add my offset to.

The offset value is always the same,but the address changes along with the value in 0x80135490.

Addresses in the 80180000-80330000 range or possibly higher are the constantly changing ones that can't be normally used because they are not static addresses like the instant Banjo Image modifier which is always in the same address locations of 0x80117DDA and 0x80117DEA.

I found out that 0x80117DDE and 0x80117DEE are the Banjo-Dragon image modifiers.
So if you have Dragon Kazooie,the normal code doesn't work,and if you are Banjo-Kazooie,the xE addresses will not change you.
If you have Dragon Kazooie,you will have to use the xE addresses to change your image instead of the xA addresses.

Why two addresses,you ask?
One is the hi-res Banjo,while the other one is the low-res Banjo when zooming out.

Edit:to clarify everything,the existing size modifier code runs on a pointer engine which changes Banjo's,and Kazooie's size whenever you are playing as that character,meaning that it may even change mumbo's size when playing as him.
I can't figure out how to change the code's position so it affects the transparency or walking style of the currently active character.
I wish that I could though.

HatCat
18th February 2014, 08:08 PM
I never said that.
I said 135490 + 3E0 is 135870, which is the exact address.
I didn't say anything about 135490 being the exact address. You just add 3E0 to it like I said.

I need offsets so I can write to the address that I want to,which is xxxxx3E0 higher than the 32bit value found in 0x80135490.

So add 0x0003E0 to 0x135490, and what do you get?

retroben
18th February 2014, 08:38 PM
*palms face with a headache caused by frustration*

READ

MORE

CAREFULLY

------------------------------------------------------------
FOUND "in" 0x80135490

I want to add 0x0003E0 to 0x1C5270 or whatever the number currently is to get the intended code to always work.

The 0x80135490 tells me where to find Banjo's status codes.
The byte I want to modify is always 3E0 above 0x1C5270 or whatever the number currently is.

That is why I want a code that checks the value in 0x80135490 and uses that 32bit value (val=801C5270 or whatever it currently is) as my base address while using another command to add the desired amount (+3E0) to the base address (801C5270 or whatever it currently is).

HatCat
18th February 2014, 08:44 PM
Ah, well, why didn't you say so in the first place?

You're not talking about adding 3E0 to a raw address.
You're talking about adding 3E0 to a 32-bit value stored at base memory location.

You just kept saying 0x80?????? something without even specifying that it was really data contained by an address, not a virtual address itself.

Either way, the feature sounds pretty trivial to me.

retroben
18th February 2014, 09:01 PM
Here is the size modifier code copy/pasted from BSFree.

81120000 3c0e
81120002 xxxx
81120004 ac8e
81120006 03e8

I can't figure out how to change this to the other locations for stuff like the "action modifier" or "better levitate" codes.

...WAIT!!!!

Is "3E8" WHAT I THINK IT IS!

If so,then "I am sofa-king we todd edd"!

It actually is that,but the stupid thing freezes the value infinitely,even after disabling the code.
I affected the transparency and the jump gravity by changing 03E8 to 03E0 and 0A10.

retroben
18th February 2014, 10:43 PM
I broke Banjo!
81120000 3C0E
81120002 FF03
81120004 AC90
81120006 03DF

Sorry,forgot to add the master code that's stupidly missing from bsfree.

master
81092BE0 0804
81092BE2 8000
81120200 03E0
81120202 0008

Edit:And here is the never slide on slopes code for Banjo-Tooie!

Never Slide On Slopes
81120000 3C0E
81120002 0000
81120004 AC8E
81120006 07C8
Requires the master code.

Change the 0000 to 3F80 to always slide everywhere.
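
Added example, not part of any post above and not code from the thread's participants: the master code and the Never Slide On Slopes lines merged into 32-bit big-endian words and decoded with the standard MIPS encodings, which shows that the last halfword of these codes is the offset of a store relative to a register. Only the instruction forms these codes use are decoded, the function names are this example's own, and what `$a0` holds at the hooked address is not stated on the page.

```python
import struct

# MIPS register names indexed by register number.
REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()

# Code lines copied from the posts above.
MASTER = """81092BE0 0804
81092BE2 8000
81120200 03E0
81120202 0008"""
NEVER_SLIDE = """81120000 3C0E
81120002 0000
81120004 AC8E
81120006 07C8"""


def build_words(*code_blocks):
    """Merge 16-bit GameShark writes (type 81) into 32-bit big-endian words."""
    words = {}
    for block in code_blocks:
        for line in block.splitlines():
            if not line.strip():
                continue
            code, value = (int(tok, 16) for tok in line.split())
            if code >> 24 != 0x81:
                raise ValueError(f"only type-81 lines are handled here: {line}")
            addr = 0x80000000 | (code & 0x00FFFFFF)
            base = addr & ~3
            # Big-endian: the halfword at the lower address is the upper 16 bits.
            shift = 0 if addr & 2 else 16
            old = words.get(base, 0)
            words[base] = (old & ~(0xFFFF << shift) & 0xFFFFFFFF) | (value << shift)
    return words


def disasm(word, pc):
    """Decode the few MIPS instruction forms that appear in these codes."""
    op = word >> 26
    rs, rt, imm = (word >> 21) & 31, (word >> 16) & 31, word & 0xFFFF
    simm = imm - 0x10000 if imm & 0x8000 else imm  # sign-extended immediate
    if op == 0x02:  # j: 26-bit word index within the current 256 MB region
        target = (pc & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
        return f"j 0x{target:08X}"
    if op == 0x00 and (word & 0x3F) == 0x08:  # jr
        return f"jr ${REGS[rs]}"
    if op == 0x0F:  # lui: load imm into the upper 16 bits of rt
        return f"lui ${REGS[rt]}, 0x{imm:04X}"
    if op == 0x2B:  # sw: store rt at rs + offset
        return f"sw ${REGS[rt]}, {simm:#x}(${REGS[rs]})"
    if op == 0x09:  # addiu
        return f"addiu ${REGS[rt]}, ${REGS[rs]}, {simm:#x}"
    return f".word 0x{word:08X}"


def hi16_as_float(imm):
    """Value of the 32-bit word (imm << 16) read as an IEEE-754 single."""
    return struct.unpack(">f", struct.pack(">I", imm << 16))[0]


def listing(*code_blocks):
    """Address-sorted disassembly of the words the code lines write."""
    words = build_words(*code_blocks)
    return [f"{addr:08X}: {disasm(w, addr)}" for addr, w in sorted(words.items())]


if __name__ == "__main__":
    for row in listing(MASTER, NEVER_SLIDE):
        print(row)
```

Swapping `0000` for `3F80` in the second line makes the stored word 0x3F800000, which is 1.0 as a single-precision float.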

retroben
18th February 2014, 11:44 PM
Here is another version of repeater jump.
It may be more stable than the original.

Repeater Jump (D-^/D-v)
81120000 3C0E
81120002 0000
D1081084 0800
81120004 AC92
D1081084 0400
81120004 AC8E
81120006 074A
Requires the master code.

This version is more consistent,as it stays on even after entering another area!

Edit:Why does every code like this refuse to work at a certain height!

It kicks in after getting low enough.
When I disabled it at extreme heights,I suddenly fell down after floating low enough.
If someone can figure out how to fix this bug,I will be very happy.

Edit 2:I don't know why the other positions like 8-A-C-E or 10-12-14-16 work,the stupid thing keeps causing break points.
You are stuck using only one of the codes at a time.

Edit who gives a fu-*shot*:At least you can swap between them immediately.
I just used repeater to get on a slippery slope,and I swapped it after disabling rjump so I would not slide off.

They stop working whenever you are too far away from the relative-to-the-ground distance limit.

HatCat
19th February 2014, 01:22 AM
Why do they call it Moon Jump anyway?

Huh? Why? Tell me. Why huh?!

Is it that kind of thing where some old granny moons you out on the street, and you just jump it?

retroben
19th February 2014, 02:20 AM
LOL Granny-Butt Vaulting!

Because you move upward slowly like the moon's low gravity.

This one is repeater jump/walk through walls.
You stand in midair while falling at BF800000 speed,and can jump your way upward as well as walk through walls.

I managed to walk around on the higher parts of massive slippery surfaces by quickly switching to never slide after landing and disabling repeater jump.

RPGMaster
19th February 2014, 08:21 AM
Well, today I'll see if I can find some pointers. What version of PJ64 do you use for Banjo? If I am successful, I can post a table if anyone wants.

retroben
19th February 2014, 06:01 PM
It is quite hard to find since it is...

1.7.0.50b23

This version is the one just before the change to 2.0 versions.
To answer another question,it is the fastest version for Conker's Bad Fur Day.
I completed Conker's BFD with 1.7.0.50b23 of PJ64.

Hint:there is a "desc" for emulation with a "descargar" of this version.

Just google PJ64 "1.7.0.50 ver23" to find a desc that shares twice.

twosherred download

Edit:you will know you have the right one if it says "ThemejorDe64" after opening it.

Remember,mine was from the Emucr leak.
I trust the site that I hinted about has a safe copy of it.

I hope that one mirror I hinted about is actually still available.

retroben
19th February 2014, 09:11 PM
I just got it from there,and installed it with the .exe file.
It is the same as mine.

This one is chock full of goodies like several plugins and even a massive cheat list!

Just remember to google that exact thing including the quotation marks,and remember the hints.

YES!!!

The massive cheat list is the very same one that WAS lost to the older version of the site called emudigital.

retroben
19th February 2014, 09:58 PM
Got another code!

Running Shoes Power
81120000 3C0E
81120002 0303
81120004 AC8E
81120006 0C64
Requires master code.
Run fast in Talon-Trot and cancel it by pressing B as usual.
Kazooie Alone can't attack with this on.
To turn it off,change AC8E to 2400.

Claw Clamber Power
81120000 3C0E
81120002 0404
81120004 AC8E
81120006 0C64
Requires master code.
Hovering Kazooie FTW.

Springy Step Kazooie
81120000 3C0E
81120002 0505
81120004 AC8E
81120006 0C64
Requires master code.
Kazooie is being so silly! BOING! BOING! BOING!

retroben
19th February 2014, 10:51 PM
If it matters,I found the 0x80135490 address in Cheat Engine.

Address----∣ Value (current)
4F655490 --- 801E29F0

You can change Cheat Engine's memory viewer "Display Type" by right clicking on the addresses.
If you set it to 4 Byte hex,it arranges the values properly.

Or you could just easily press ctrl+3 (above qwerty) to change it to 4 Byte hex.

Edit:I have shoe power codes on Page 12.

Edit 2:Here is a color modifier!

Color Mod ReGr
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 0C54
Requires master code.
437F=Default
4400=Red
447F=Redder
4300=Green
427F=Greener
Higher and lower numbers make you even more red/green.

Color Mod LiPi
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 0C58
Requires master code.
437F=Default
4400=Lime
447F=Limer
4300=Pink
427F=Pinker
Higher and lower numbers make you even more lime/pink.

Color Mod BlYe
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 0C5C
Requires master code.
437F=Default
4400=Blue
447F=Blue-er
4300=Yellow
427F=Yellow-er
Higher and lower numbers make you even more blue/yellow.

See first post on page one for the master code.

retroben
20th February 2014, 12:46 AM
Now for rotated players.

Rotation R/L
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 0BF8
Requires master code.
0000=Default
4200=Right
C200=Left

Rotation U/D
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 0AF0
Requires master code.
0000=Default
4200=Up
C200=Down

RPGMaster
20th February 2014, 12:58 AM
If it matters,I found the 0x80135490 address in Cheat Engine.

Address----∣ Value (current)
4F655490 --- 801E29F0

Unfortunately, by default Pj64 lets the OS determine the starting address for N64 memory. I have been able to change this, but I can't do it on public builds because it's packed. If you know how to unpack it or are willing to use an unpacked version, I could help you make the addresses static like they are on other emulators.

retroben
20th February 2014, 01:04 AM
Oh well,

Here is a golden egg code,FINALLY!

Golden Eggs
81120000 3C0E
81120002 000C
81120004 AC8E
81120006 0554
Requires master code.
0000=Blue
0001=Fire
0002=Grenade
0003=Ice
0004=Clockwork
000C=Golden
Go in first person mode for rapid fire.

Edit:I found a camera code!

Camera Modifier
81120000 3C0E
81120002 xx00
81120004 AC8E
81120006 02DC
Requires master code.
Go in and out of 1st person to affect the camera.
00=Normal
01=Frozen
02=Cull?
03=Fly Camera
04=1st person (weird)
05=Follow Cam
06/07=Frozen
08=Swim Camera
09=Frozen
0A=Close-up (door camera)
0B=Frozen
0C=Map Center
0D-11=Frozen
12=Centered Follow
13=Far View
14=Klungo Battles?
15=Rotate-to-focus
16=Analog-less Cull
17=Kazooie's Glide
18=Lower Cam (R lowers)
19=Another Camera

retroben
20th February 2014, 04:44 AM
It took me forever,but here is the Egg multiplier.

Eggs Shot (from behind)
81120000 3C0E
81120002 00xx
D3081084 2004
81120004 2400
D1081084 2004
81120004 AC8E
81120006 015A
Requires master code.
0-255=Eggs Shot
Set it to any number to shoot that amount every time.

You can switch between the egg type code to shoot more than one golden egg.

Edit:there was one defect to this code,you couldn't do other actions properly because you got stuck.

EDIT:Fix'd for the funnier one only.
You can even cancel out the remaining eggs with C-Down!

Here is the other one

Egg Shot (normal)
81120000 3C0E
81120002 00xx
D3081084 2008
81120004 2400
D1081084 2008
81120004 AC8E
81120006 015A
Requires master code.
Machine Gun Kazooie!

Don't use Clockwork eggs with these.

retroben
20th February 2014, 09:31 PM
Hilarious codes!

Follow/Lead Your Shadow
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 0400
Requires master code.
This code can have adverse effects on your camera and hitbox.
0000=Default
4300=Follow
4400=Stalk
C300=Lead
C400=Avoid
Try using the drill move for laughs.

Underground/Above Ground
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 0408
Requires master code.
0000=Default
4300=Digged
4400=Buried
C200=Hover
C300=Float
Banjo used Dig.

Can someone tell me if Kazooie makes the sound every time when shooting nine or more eggs from behind?

retroben
20th February 2014, 09:56 PM
Hank Hill *pointing at Banjo*:

YOU'RE A LOSER!
81120000 3C0E
81120002 0100
81120004 AC8E
81120006 0618
Requires master code.
You will keep losing at the game automatically.

Always Win
81120000 3C0E
81120002 0100
81120004 AC8E
81120006 061A
Requires master code.
VICTORY!...VICTORY!...
This is the leftover remnants from Banjo-Kazooie of 10 Jiggies/opening a note door.

retroben
20th February 2014, 10:52 PM
Instant Char. Mod
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 07B8
Requires master code.
0101=Banjo-Kazooie
0202=Snowball (no killbox)
0303=Freezes
0404=Freezes
0505=Freezes
0606=Bee
0707=Washer (Z+^=WTF?)
0808=Stony
0909=CRASHES
0A0A=Banjo
0B0B=Kazooie
0C0C=Submarine (no torpedo killbox)
0D0D=Mumbo (freeze on two room changes)
0E0E=Mayahem Statue (unusable)
0F0F=TNT (no killbox)
1010=Van (no killbox)
1111=Clockwork (unstable)
1212=Baby T-Rex
1313=Daddy T-Rex
Use 1st person,get hit,or slide down a slope to activate.
You can change it back to 01 to get past the Humba Wumba message.

Edit:Turns out it uses two bytes for the full character effect,so I fixed the code for that.
Edit2:I am only half right,the effects are level specific apparently,Damn it!

retroben
20th February 2014, 11:15 PM
Midair BeakBuster
81120000 3C0E
81120002 0100
81120004 AC8E
81120006 060C
Requires master code.
Not sure how this one works,but you finish the move in the air.

Torture Banjo
81120000 3C0E
81120002 0001
81120004 AC8E
81120006 0600
Requires master code.

Fly Pad/Shock Pad
81120000 3C0E
81120002 FPSP
81120004 AC8E
81120006 0603
Requires master code.
0000=off
0100=Fly Pad
0001=Shock Pad

retroben
21st February 2014, 12:19 AM
No Clipping
81120000 3C0E
81120002 xx00
81120004 AC8E
81120006 0714
Requires master code.
42=off
00=on
This code lets you go through walls while still being able to stand on things.

The action mod

Action Modifier/Unstuck (D-^/D-V)
81120000 3C0E
81120002 0xxx
D3081084 0800
81120004 2400
D1081084 0800
81120004 AC8E
81120006 0DB2
D1081084 0400
81120004 AC8E
D1081084 0400
81120002 00B1
Requires master code.
The action modifier is a little unstable.
001=Stand
002=Sneak
003=Walk
004=Run
005=Jump
006=Ratta-tat Rap
007=Crouch
008=Talon-Trot Action?
009=Spit egg
00A=Lay egg
00B=Action Glitcher
00C=Slide Turn (infinite jumps)
00D=Jiggy out after Z+B Attack
00E=Take Damage
00F=Beak Buster
010=Flutter Jump
011=Airborne Ratta-tat Rap
012=Z+A Jump/Land
013=Z+B Attack
014=Enter Talon-Trot
015=Talon-Trot Stand
016=Talon-Trotting
017=Exit Talon-Trot
018=Always rising fly
019=Hold to fly sorta
01A=Enter Gold feather
01B=Gold Feather Stand
01C=Gold Feather Run
01D=Gold Feather Jump
01E=Exit Gold Feather
01F=Invincible Slowfall (infinite jumps)
020=Land after jump
021=Shock Spring
022=Shock Spring Jump
023=Take Flight
024=Flying
025=Get Swamp Boots
026=Swamp Boots Stand
027=Swamp Boots Walk
028=Swamp Boots Jump
029=Sticky Action
02A=Fly Attack
02B=Glitch Maker Action
02C-02E=Cancel Actions
02F=Normal Fall
030=Action Cancel
031=Roll
032-033=Washing Machine
034=Cancel Actions
035-036=Washing Machine
037=Get Stuck
038=Washing Machine
039=Slide forward while held
03A-03C=Action Cancel
03D=High Falling (funny to use)
03E=Washing Machine
03F=Action Cancel
040=Get stuck
041=Short Bounce after jump (get stuck)
042-043=Get stuck
044=Dance Bow from Banjo-Kazooie (press during beak buster)
045=Talon-Trot Action?
046=Get stuck
047-04D=Kazooie Alone Actions (instant play as)
04E=Floaty action?
04F=On pole/vine
050=Climbing pole/vine
051-053=Action freezer
054=Death
055=Swamp Boots??
056=Action freezer
057=Ended Fly Attack
058=Death By Crash Landing?
059=Possible Beta Flying
05A=Action freezer
05B=Cutscene auto-walk
05C=Unload Banjo
05D-05E=Action freezer
05F=Banjo Alone Z+C Down action
060=Action freezer
061=Snooze Pack
062=Action cancel
063=Action freezer
064=TNT
065=Action cancel
066=Action freezer
067-068=Kazooie action?
069-06A=Stuck Stand
06B=Standing?
06C=Action freezer
06D=Action cancel
06E=Action freezer
06F=Crashes game
070=Standing?
071=Talon Trot action?
072=High Fall Damage
073-075=Action cancel
076=Beta Fly?
077=Action cancel
078=Swim action
079=Talon trot?
07A=Action cancel (infinite jumps)
07B=Talon trot?
07C=Action freezer
07D=Sack Race Mode
07E=Sack Float water?
07F=Swim
080=Sack Float water
081-082=Pack Whack?
083=Submarine
084=Swim Pose
085-088=Beejo
089=Action freezer
08A=Death?
08B=Bee Taking Flight
08C-08D=Bee Flying
08E=Action freezer
08F=Action cancel
090=Glide forward
091=Beta flight?
092-093=Action cancel?
094=Action freezer
095=Debug Ground movement???
096=Action cancel
097=Kazooie alone
098=Zoom In
099=Beta flight?
09A=Talon Trot?
09B=Swamp Boots?
09C=Springy Step Jump
09D=Action cancel??
09E=Climb Something?
09F=Action cancelish
0A0=Kazooie takes a look
0A1=Crash into blackness
0A2-0A3=Action freezer
0A4=Mutual Gold Invincibility
0A5=Enter/Exit Gold Feathers
0A6=Ledge Hang
0A7=Ledge Move
0A8=Midair Ledge Hangable
0A9=Ledge Attack
0AA=Ledge Climb
0AB-AC=Action freezer
0AD-0AF=Stonyjo (HE LOOKS FUNNY!)
0B0=Action freezer
0B1=Action cancel
0B2-0B3=Stonyjo (infinite jumps)
0B4=Action freezer
0B5=Stony/action freezer
0B6=Beak Drill
0B7=Landing/glitch
0B8=Separation Pad
0B9=Kazooie keeps looking around
0BA-0BE=Kazooie Alone action
0BF=Swim action
0C0=Bee action
0C1-0C2=Kazooie alone action
0C3=Kazooie alone SS Jump
0C4=Kazooie wing spin
0C5-0C6=Action freezer
0C7=Kazooie alone action
0C8=crashes game
0C9=Banjo visibility
0CA=Break point crash
0CB=invisible banjo
15C=Kazooie Flutter

I am having trouble on what value the unstuck address should be.

Edit:Sorry for all of the changes to the action modifier,I have it at its best now.
Press D-pad up/D-pad down for action/unstuck.

HatCat
21st February 2014, 02:47 AM
Hmm. Late question as I only just now thought of asking you this.

What do you think about having a Banjo-Tooie save editor?
Something equipped enough to edit all the bits and pieces of progress in the Banjo-Tooie EEPROM?

I know your information in this thread will help me make one, once someone (probably bryc) figures out the 64-bit checksum it uses, but, conversely, perhaps the information put into the save hacker, could also help you find more cheat codes, or beta things in ROM.

Well, you're probably "meh" about it after all the work you've done, but I guess I thought I'd ask anyway.

retroben
21st February 2014, 03:35 AM
Hmm. Late question as I only just now thought of asking you this.

What do you think about having a Banjo-Tooie save editor?
Something equipped enough to edit all the bits and pieces of progress in the Banjo-Tooie EEPROM?

I know your information in this thread will help me make one, once someone (probably bryc) figures out the 64-bit checksum it uses, but, conversely, perhaps the information put into the save hacker, could also help you find more cheat codes, or beta things in ROM.

Well, you're probably "meh" about it after all the work you've done, but I guess I thought I'd ask anyway.

What do I need to do exactly?

I don't know where to begin on the "has x cheat in list" for the Cheato list in the Mayahem Code Chamber.

Also,the action modifier at the bottom of Page 13 is finished.

Edit:I hope everyone finds some hilarious glitches like I did while using the action modifier code.

One of those glitches is using unstuck at the right point of "Breegull Bash" to have kazooie flailing about the whole time!
It even stays after you use the swap pads to become Kazooie Alone.

HatCat
21st February 2014, 03:53 AM
"I know your information in this thread will help me make one,"

When I said that, I didn't specifically mean you'd need to consciously take further steps to help out.

Making a save editor uses some information you already posted in this thread for a few of the codes. At least, that's been my experience with the other saves.

Conversely, EEPROM save hackers shed some light on new GameShark codes as well, since a whole variety of things to make codes for is all packed into one buffer imported from an organized 16-kilobit set of datum.

retroben
21st February 2014, 04:05 AM
okay.

I found another funny glitch.

I unstuck a full "Snooze Pack" and recombined with Kazooie.
Then I used Breegull Bash,and the backpack disappeared!
It makes Banjo look so funny when doing actions that use Kazooie.
Especially when you use Wonderwing,which makes Banjo look like he is sadly running away crying.

retroben
21st February 2014, 11:22 PM
Currently,my primary intention is to have a universal animation modifier much like the Action Modifier I have already produced.

The major problem of this is that the animation modifier is located in a completely different offset matrix than the status data,if you know what I mean.

Kazooie's animation address can be in 801Cxxxx while Kazooie's status data is in 8024xxxx.
This is undeniable proof of the issue I am dealing with.

I need a code like the master code which writes to the "current" character's status data,but with the primary location close to character animations.
I don't know how the master code works at all.

An example of the master code with the original size modifier code set to 4080 results in a larger Banjo-Kazooie.
If you use the swap pads,you will notice that Kazooie is at normal size.
But upon swapping,Kazooie changes to that 4080 size while Banjo remains at that size as well.

If Kazooie jumps into death,Banjo will return to normal size.

I have also found out that the numbers at 0x80135490 and 0x80135494 switch out after dying for some reason.
I guess it makes Kazooie the main player if you die as her.
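
Added example, not part of retroben's post and not code from this thread: a small Python decoder that applies the thread's GameShark lines to a sparse RAM map and disassembles the 32-bit words they patch in, using the standard N64 GameShark code types (80/81 writes, D0-D3 conditionals) and MIPS encodings. The 03 filled in for xx and the 0x2004 value placed at 0x80081084 are constructed sample inputs.

```python
# Added example: decode the thread's GameShark lines into RAM writes and MIPS instructions.
# Code-type byte -> (width in bytes, comparison); None means an unconditional write.
CODE_TYPES = {0x80: (1, None), 0x81: (2, None),
              0xD0: (1, "=="), 0xD1: (2, "=="),
              0xD2: (1, "!="), 0xD3: (2, "!=")}
REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()

# Code lines copied from the thread.
MASTER = ["81092BE0 0804", "81092BE2 8000", "81120200 03E0", "81120202 0008"]
GOLDEN_EGGS = ["81120000 3C0E", "81120002 000C", "81120004 AC8E", "81120006 0554"]
# "Eggs Shot (from behind)" with xx filled in as 03 (constructed choice).
EGGS_SHOT = ["81120000 3C0E", "81120002 0003", "D3081084 2004", "81120004 2400",
             "D1081084 2004", "81120004 AC8E", "81120006 015A"]
PAD_ADDR = 0x80081084  # RAM address tested by the D1/D3 lines above


def read(ram, addr, width):
    """Big-endian read from a sparse byte map; unwritten bytes read as 0."""
    return int.from_bytes(bytes(ram.get(addr + i, 0) for i in range(width)), "big")


def write(ram, addr, value, width):
    """Big-endian write of the low `width` bytes of a 16-bit code value."""
    for i, b in enumerate(value.to_bytes(2, "big")[2 - width:]):
        ram[addr + i] = b


def apply_codes(lines, ram=None):
    """Run one pass of the code list, as a cheat engine does each frame."""
    ram = {} if ram is None else ram
    skip = False
    for line in lines:
        field_s, value_s = line.split()
        field, value = int(field_s, 16), int(value_s, 16)
        width, cmp_op = CODE_TYPES[field >> 24]
        addr = 0x80000000 | (field & 0x00FFFFFF)  # type byte replaces the 0x80
        if skip:  # the preceding conditional failed, so this line is not run
            skip = False
            continue
        if cmp_op is None:
            write(ram, addr, value, width)
        else:
            mask = (1 << (8 * width)) - 1
            equal = read(ram, addr, width) == (value & mask)
            skip = equal != (cmp_op == "==")
    return ram


def disasm(word, pc):
    """Disassemble only the MIPS opcodes these cheats use."""
    op, rs, rt = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    imm = word & 0xFFFF  # shown raw; the CPU sign-extends it for addiu/sw
    if op == 0x02:
        target = ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
        return f"j 0x{target:08X}"
    if op == 0x00 and (word & 0x3F) == 0x08:
        return f"jr ${REGS[rs]}"
    if op == 0x0F:
        return f"lui ${REGS[rt]}, 0x{imm:04X}"
    if op == 0x09:
        return f"addiu ${REGS[rt]}, ${REGS[rs]}, 0x{imm:04X}"
    if op == 0x2B:
        return f"sw ${REGS[rt]}, 0x{imm:04X}(${REGS[rs]})"
    return f".word 0x{word:08X}"


def patched(lines, pc, ram=None):
    """Apply the code lines and return the disassembly of the word at pc."""
    ram = apply_codes(lines, ram)
    return disasm(read(ram, pc, 4), pc)


if __name__ == "__main__":
    ram = apply_codes(MASTER + GOLDEN_EGGS)
    for pc in (0x80092BE0, 0x80120000, 0x80120004, 0x80120200):
        print(f"{pc:08X}: {disasm(read(ram, pc, 4), pc)}")
    for pad in (0x0000, 0x2004):  # constructed values for the tested halfword
        state = {}
        write(state, PAD_ADDR, pad, 2)
        print(f"pad={pad:04X}: {patched(EGGS_SHOT, 0x80120004, state)}")
```

Decoded this way, the master code replaces the instruction at 0x80092BE0 with a jump to 0x80120000 and places a `jr $ra` at 0x80120200, while each "Requires master code" entry writes a `lui $t6, value` / `sw $t6, offset($a0)` pair at 0x80120000. The page does not show what occupies the words between that pair and 0x80120200, or what `$a0` holds when the hook runs.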

retroben
23rd February 2014, 09:44 PM
Has anyone got that version of PJ64 I mentioned yet?

The 1.7.0.50b23 version which has so many unique differences when compared to all other versions.

Remember that I downloaded that one myself and it is completely safe.

I even scanned it with MalwareBytes Anti-Malware before installing it.
No random browser addons,adware,malware or anything else nasty.

RPGMaster,I want to know how 1.7.0.50b23 and its memory search works for you.

HatCat
23rd February 2014, 10:21 PM
I only downloaded that version because zilmar put it up on the beta page for "Project Supporter" group, 4 years ago.

What piracy site leaked it out to you, or what you want to use to spread outdated releases to everyone else is none of my concern.

retroben
23rd February 2014, 10:38 PM
Don't you remember me mentioning EmuCR having it shortly,and that I got it before it was removed?

Now it is on the desc that shares twice.

Edit:got another nice code.

Banjo's Run Animation Speed
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 01C0
Requires master code.
0000=Ice Skating
3F80/3FC0=Default?
3E80=Fast
3E00=Faster
3C00=Too Fast!
3B00=Dimensional Distortion!
BF00=Reverse Running
BF80/BFC0=Reverse Walking
Only partially affects Kazooie.

HatCat
23rd February 2014, 11:54 PM
Don't you remember me mentioning EmuCR having it shortly,

Nope, who's EmuCR? :3

and that I got it

World's smallest violin.

before it was removed.

EmuCR actually deleted their own upload of a cracked/pirated emulator?

Now that is interesting.

retroben
24th February 2014, 12:10 AM
Kazooie's Run Animation Speed
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 01C8
Requires master code.
3F80=Slower
4448=Default
It behaves very differently.

Drill Beak Speed
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 0170
Requires master code
4400=Slower
4480=Slow
44BB=Default
4500=Fast
4600=Faster

Edit:
FINALLY!

I finally got that one address to work correctly.

Transparency
81120000 3C0E
81120002 00xx
81120004 AC8E
81120006 03E1
Requires master code.
00=Invisible
80=Half Visible
FF=Default
Other values in 00-FF are incrementally different.
You can even see Banjo inside his backpack.
Any value 00-7F makes Kazooie's wings disappear!

RPGMaster
24th February 2014, 01:04 AM
Has anyone got that version of PJ64 I mentioned yet?

The 1.7.0.50b23 version which has so many unique differences when compared to all other versions.

RPGMaster,I want to know how 1.7.0.50b23 and its memory search works for you.
I haven't tried it. Is there any reason why you use that specific version of 1.7 when there are newer versions of 1.7?

I also prefer cheat engine rather than using a built in memory search. I also prefer using a version I compiled (so that I can make any changes I want to the emulator). I wish 1.7 was open source. Since it's not, I use 1.6. The reason I use 1.6 is because it seems to work better on my computer than 2.0 & 2.1, and I like the coding style better. Lol I still haven't played Banjo yet... I get distracted too easily xD. Hopefully this week, I'll start playing. Another problem is my controller is kinda broken :( . The wire got cut so it sometimes stops working.

retroben
24th February 2014, 04:06 AM
I have been using 1.7.0.50b23 the whole time for finding and making various codes.

There is only one newer 1.7 build according to the list.

I can't find that 1.7.51.51 build anywhere.
Must be because it was never leaked.

I just found another interesting action modifier glitch!
It makes you have up to six Kazooie clones!!!

First,go to the plateau to use the swap pads,and then reunite.
Use B3 as your action and crouch while using it.
Keep using the action six more times to rack up seven "functional" Kazooies!

You can find the locations of their status data at the same place as Banjo and Kazooie in 0x80135490,but four digits higher for each additional clone.

0x80135498=First Clone
0x8013549C=Second Clone
0x(you know the rest)

retroben
24th February 2014, 11:16 PM
A strange code.

Rotate Calculation
81120000 3C0E
81120002 00xx
81120004 AC8E
81120006 0C22
Requires master code.
00=None
01=Default
02=Locked
03=Default
04=Instant
05=Mirrored
06=Submarine?
07=???
Yes, there are two defaults.

Edit:I forgot to mention it,but some of these codes have misaligned addresses for some reason.

Forever Banj-lone
81120000 3C0E
81120002 0000
81120004 AC8E
81120006 0EC0
Requires master code.
You have all of Kazooie's powers without her ever appearing.
Banjo:HOW COULD THIS HAPPEN TO ME?

Here is one that works more decently.

81120000 3C0E
81120002 0x0x
81120004 AC8E
81120006 0EBF
R m c.
xx00=Kazooie-less
xx01=Kazooie
00xx=Bootless?
01xx=Power-less Swamp Boots

R m c.=Requires master code.

retroben
25th February 2014, 01:31 AM
Yay for awesome code find!

Breegull Bash Image Mod
81120000 3C0E
81120002 0xxx
81120004 AC8E
81120006 020A
Requires master code.
Unfortunately,the full image list is too massive to post.
0609=Baby T-Rex (violent)
060B=Snowball
060C=Washing Machine
060D=Daddy T-Rex (EPIC!)
060E=Clockwork Kazooie
060F=Jiggy
0613=Bee
061C=Kazooie (default)
061D=Stony
0623=TNT
0624=Truck
0626=Submarine
0628=Bottles!
062A=Banjo
062B=Banjo
0631=Nintendo
0632=Rare
0640=GAME OVER
0642=THE END
0643=White Jinjo
0648=Mumbo's Skull
064F=King Coal's Head
065E=Flying Pterodactyl
0665=Mumbo
0669=Muscley Jinjo?
0671=Green Uggers
0673=Golden Goliath
06A9=Chuffy The Train
06B7=Boggy's Wife
06C5=Big Fish
06D4=Captain Blackeye
06FC=UFO
0707=Klungo (one eyed)
0776=Boxing Glove
0804=Green Ulcer
0812=N64!
0829=Banjo's Arms (goro)
0855=Lo-fi Kazooie
0859=Rareware Logo
085A=P R E S S S T A R T
0862=Banjo's Hand (voodoo magic LOL)
0867=Mumbo's Hut [Inferno]
0890=Fireball (YUM!)
0891=Iceball
0896=King Dingaling
0897=Zombie King
08A8=Game Title
08AC=Dolby Surround Logo
08AE=Mumbo [cutscene]
08B0=Banjo [cutscene]
08B2=Poker Table
08B5=Bottles Playing Cards
08B7=Cuckoo Clock
08BD=Blobbelda abusing her cat :(
08BE=Grunty
08C1=Blue Sky
08E0=Mumbo's Skull
08E1=Mumbo's Icy Skull
08FA=Gloop
090C=Beaten-up Klungo
090E=Angel Bottles
090F=Devil Bottles
0911=Targitzan Statue
0913=Green Targitzan Statue
091A=Goggles with DK Plush
0990=Gruntilda
0993=White Kazooie
09A1=Tower Of Tragedy title
09B4=Party Klungo
09B5=Grunty's Head

retroben
25th February 2014, 02:53 AM
Breegull Bash Size
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 021C
Requires master code.
3E80=Smaller
3F00=Small
3F80=Default
4000=Large
4080=Larger
It even affects the hitbox!

retroben
26th February 2014, 10:17 PM
Player Image Modifier
81120000 3C0E
81120002 0xxx
81120004 AC8E
81120006 03D8
Requires master code.
0607=Banjo/Banjo-Kazooie
0609=Baby-T-Rex-Jo
060B=Snowball-jo
060C=Washing Machine-jo
060D=Daddy T-Rex-jo
0613=Bee-jo
061C=Kazooie (glitchy as Banjo)
061D=Stony-jo
061F=BK Style Banjo
0623=TNT-jo
0624=Truck-jo
0626=Submarine-jo
062E=Dragon Kazooie (skin?)
0665=Mumbo
06BF=White Stony-jo
06C0=White TNT-jo
06C1=White Truck-jo
06C2=White Submarine-jo
0829=Banjo's Arms
083A=Dragon Kazooie (glitchy as Banjo)
0853=Lo-Fi Banjo!
0854=Lo-Fi Mumbo
0855=Lo-Fi Kazooie!
0858=White Snowball-jo
0992=White Banjo-Kazooie
0993=White Kazooie
0998=White Submarine-jo
This code is unstable and easily crashes on most other images.
The blue is for not using it as Kazooie.

Using 0607 while playing as Kazooie (or anyone else other than Banjo apparently) crashes it.
If you use the opposite Kazooie that you are playing as,the textures will be splotched.
Almost all other images have splotched textures.

Why is Banjo's status image number using one of the Baby T-Rex slots instead of a Banjo slot?

Examples for what works with both players...
0671=Green Ugger
0804=Green Ulcer
0990=Normal Grunty (multiplayer)

retroben
27th February 2014, 04:37 AM
I feel like I am running out of source material to make these codes with.

Initial Running Speed
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 0A4C
Requires master code.
3E80=Slower
3F00=Slow
3F80=Default
4000=Fast
4080=Faster
BE80=Moonwalk
BF80=Reverse
C080=Never look back
Works as any character!

Edit:Maybe I will find an "initial jump height" code sometime soon.

retroben
28th February 2014, 03:54 AM
YAY! Another code!

Kazooie's Neck (B/eggs)
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 089C
Requires master code.
3280=Short
3F80=Default
3FC0=Long
4000=Longer
4080=Too Long
4280=OW MY NECK!
BF80=Ouch
C000=NO GOD WHY?!

retroben
28th February 2014, 04:33 AM
Collectable/Shoes/Enemy Hitbox
81120000 3C0E
81120002 xxxx
81120004 AC8E
81120006 0CD0
Requires master code.
0000=Barely Hittable?
3F80=Default
7F00=Hit Anywhere?

Nocta
1st March 2014, 11:36 PM
That's really an amazing thing to be able to play those games with good framerate, thanks a lot retroben!
I'm wondering though because I'm new to this emulator and I see people using the v1.6 or v1.7, why not using PJ64 v2.x?

retroben
2nd March 2014, 09:59 PM
Because newer versions of things can tend to be less good sometimes.
In my case,the latest version can run Banjo-Tooie at a near constant 60fps with Rice 6.1.4 while using the no frameskip code.

My main problem is that 2.x's memory search causes an eventual crash instead of working correctly.

@Everyone:You might see me have a hilarious new animated profile pic soon.

Edit:Did I lie?...about the "profile" pic being animated.
Check my profile to find out.
(it is)

Avatar limits can suck my dick SO HARD!

retroben
3rd March 2014, 12:02 AM
I accidentally all your stuff.

Banjo-Kazooie (U) (V1.0)

Game Speed
81371E20 xxxx
3E80=Slower (mid-air beakbuster)
3F00=Slow
3F80=Default
4000=Fast
4080=Faster
4480=How?
BE80=The game implodes LOL. (not crashing)
BF80=The game implodes. (be careful/reset to normal quickly)
It is similar to the Zelda "game execution speed" code,but much weirder.
And I found this by complete accident! WTF!

How is 4480 able to go even faster up to 120+VI?

Anyone with a BEAST of a PC could run it at 120VI with 3F00 and get even smoother FPS while using No Frameskip.

And here is a control-enhanced version for using BE80 in style.

Speed Control (R)
D2281251 0010
81371E20 3F80
D0281251 0010
81371E20 xxxx
It conveniently only writes the normal speed when not pressing R.

EDIT:It acts just like the rewind button in GensPLUS REWIND!
Too bad it does not work 100% properly.

Can someone please tell me if this affects the sound as well?

retroben
3rd March 2014, 03:23 AM
I just made a fun combination.

I call it...

Viewtiful BanJoe!

Fast (R)
D2281251 0010
81371E20 3F80
D0281251 0010
81371E20 4040

Slow (L)
D0281251 0020
81371E20 3EC0

The "fast" code is larger because of a regulator line to keep it running normal speed when neither button is pressed.

JUST GO FOR IT!

retroben
3rd March 2014, 08:56 PM
What do you think about my new animated avatar?

I hope everyone enjoys the "game speed" code for Banjo-Kazooie.

Edit:New Banjo-Kazooie code.

Endless Ratta-tat Rap
8137D370 3F80
You can stop it by landing on a slope.

retroben
5th March 2014, 03:16 AM
Banjo-Tooie

A neat static address that changes you between Banjo's movesets.

Moveset Mod
801354F8 000x
01=Banjo-Kazooie
02=Banjo Alone

Edit:YOU CAN CLONE KAZOOIE!!!

After separating,walk off of Banjo's swap pad,set the code to 01,get back on and use a BK move on Banjo's pad (Talon-Trot),then you immediately mash A until another Kazooie pops out!

ExtremeDude2
5th March 2014, 02:48 PM
Edit:YOU CAN CLONE KAZOOIE!!!

After separating,walk off of Banjo's swap pad,set the code to 01,get back on and use a BK move on Banjo's pad (Talon-Trot),then you immediately mash A until another Kazooie pops out!

Cool stuff, I'll have to try that sometime :p

retroben
6th March 2014, 04:22 AM
Got a new image modifier!
This one changes Banjo's Backpack image on every "Banjo Alone" attack.

Backpack Image Mod
81120000 3C0E
81120002 0xxx
81120004 AC8E
81120006 020A
Requires master code.
0609=Baby T-Rex
060A=Sack Pack
060B=Snowball
060C=Washing Machine
060D=Daddy T-Rex
0613=Bee-jo
0615=Beehive
061B=Shack Pack
061D=Stony-jo
0621=Pack Whack
0623=TNT-jo
0624=Truck-jo
0625=Taxi Pack
0626=Submarine
0628=Bottles
0631=Nintendo Cube
0632=Rare Logo
0831=Snooze Pack
Some combinations may freeze or crash the game.
If you ""Snooze" Pack" you lose.

Use the Shack Pack move for the best stability.

I can't post the entire image list.
I don't have enough time to post that many working values.

retroben
6th March 2014, 05:07 AM
Unlimited Feather Flap
81120000 3C0E
81120002 0000
81120004 AC8E
81120006 0612
Requires master code.
Only works with Kazooie Alone.

Unlimited Aerial Wing Whack/Pack Whack/Ratta-tat-rap
81120010 3C0E
81120012 0000
81120014 AC8E
81120016 0608
Requires master code.

FINALLY!
I got two of these to work in tandem!

retroben
13th March 2014, 01:39 AM
More sound modifiers for BK.

Values by Ice Mario.

0000 - boil
0001 - Ubanaka (mumbo)
0002 - swipe
0003 - thunder
0004 - beak barge
0005 - splash foot
0006 - hard foot
0007 - gravel foot
0008 - sand foot
0009 - squeak (grunty doll?)
000A - squelch
000B - high grass foot
000C - begin to fly "swish"
000D - crunch
000E - boing
000F - splash
0010 - tread water
0011 - sticks clattering
0012 - splash
0013 - Beak Bash
0014 - PUNG!
0015 - Hit snowmans hat
0016 - hit ??
0017 - jinjo whistle
0018 - falling down slope
0019 - falling off small ledge
001A - ??
001B - Explosion
001C - Alarm clock
001D - hit enemy
001E - enemy hit floor
001F - ??
0020 - cauldron
0021 - wood pop
0022 - Conga
0023 - Conga
0024 - Conga
0025 - flush
0026 - bridge foot
0027 - jinjo help
0028 - ??
0029 - Grublin - "Na-ha-ha"
002A - tick "as in tick-tock"
002B - Bull
002C - stretch
002D - Chair boing
002E - Bull gallop
002F - Conga orange splat
0030 - ??
0031 - Banjo falling
0032 - Banjo " Gu-hah"
0033 - Banjo - shock spring
0034 - Banjo - "uh-hey"
0035 - Banjo - "Uhww"
0036 - Banjo - "duur"
0037 - Banjo - "doowhh"
0038 - Banjo - "Owww"
0039 - Banjo - "Goww"
003A - Banjo - "Huww"
003B - Banjo - "Djaah"
003C - Bull snort
003D - tock "as in tick-tock"
003E - Egg fart
003F - Cauldron squeak
0040 - Cauldron squeak
0041 - Mumbo annoyed at being awoke
0042 - Rat-a-tat
0043 - Beak barge
0044 - Kazooie cry
0045 - Kazooie
0046 - Kazooie - Let out an egg
0047 - Kazooie
0048 - Kazooie - Bree
0049 - Kazooie - trot
004A - Click Clock Bird
004B - Banjo swallow
004C - Slurp
004D - ??
004E - Kazooie - "BRREE"
004F - Banjo - "Yahoo"
0050 - Beak Bomb
0051 - Tick "as in tick-tock"
0052 - Banjo " Uh-oh"
0053 - Banjo "Wheeee"
0054 - Banjo jump
0055 - Banjo jump
0056 - Banjo jump
0057 - Kazooie
0058 - Chimpy
0059 - Chimpy
005A - Chimpy
005B - ??
005C - ?? (same as 5B but delayed)
005D - Mumbo snore
005E - Mumbo snore (whistle part)
005F - Mumbo cast spell
0060 - Mumbo skid
0061 - Dragon fly falling into pond
0062 - Mumbo annoyed at being awoke
0063 - Banjo falling
0064 - Concert bull gallop
0065 - ?? sword being removed from holder
0066 - ?? something dying
0067 - ??
0068 - Click Clock bird dying
0069 - Wood strain
006A - board wobble
006B - chest opening
006C - chest slamming
006D - Chomp
006E - Mr Vile
006F - Bottles scratch head
0070 - footing
0071 - foot
0072 - footing
0073 - foot
0074 - SHHH
0075 - SHHH
0076 - Landing on wooden platforms
0077 - wooden foot
0078 - ?? something dying
0079 - squeak voice ???
007A - squeak voice ???
007B - Twinkly smash
007C - In Stinkpot
007D - ratchet ???
007E - creak
007F - Slam
0080 - snap
0081 - snorkel ??
0082 - metal gate hitting floor
0083 - Blubber crying
0084 - Conga ????????
0085 - Cough
0086 - Owww ???? voice
0087 - UURGHH - Hit someone ?
0088 - Wozza
0089 - ???? voice
008A - squawk
008B - Squawk
008C - Blubber - "Wa-hay"
008D - Blubber - "Uh-no"
008E - Blubber - "Ooof"
008F - Snowball
0090 - switch
0091 - ????
0092 - flush
0093 - fog horn
0094 - cogs
0095 - Banjo talking
0096 - Hiss
0097 - Burp
0098 - Drum
0099 - metal pad foot
009A - Metallic ring
009B - Explosion
009C - Explosion
009D - Explosion
009E - hit
009F - ???
00A0 - cough
00A1 - Banjo " Gu-huh"
00A2 - Banjo " Uh-huh"
00A3 - Banjo " Uh-huh-uh-huh"
00A4 - Banjo " Uh-huh" delayed
00A5 - Steam
00A6 - Cauldron warp
00A7 - SHHH
00A8 - Blubber crying
00A9 - Blubber crying delayed
00AA - Wall knocked down
00AB - Wall knocked down
00AC - Feather voice
00AD - Squeak voice
00AE - Honey voice
00AF - Banjo breath
00B0 - hisss
00B1 - boggy,soggy,groggy crying
00B2 - boggy,soggy,groggy happy
00B3 - squelch
00B4 - Bottles voice
00B5 - thunder
00B6 - Glass smash
00B7 - Glass smash
00B8 - Glass smash
00B9 - Glass smash
00BA - Glass smash
00BB - Glass smash
00BC - Bottles voice
00BD - Bottles voice
00BE - water flow
00BF - ?? voice
00C0 - ?? voice same
00C1 - Dragonfly soaring past on intro
00C2 - Grublin hood
00C3 - ?? voice
00C4 - GRRR
00C5 - pop
00C6 - Bottles - mouth quiver
00C7 - Ziiiiiip
00C8 - Bull chomping
00C9 - Pause
00CA - Banjo drown
00CB - Banjo drown
00CC - menu change
00CD - menu change
00CE - speech bubble in
00CF - speech bubble out
00D0 - Nintendo cube need oiling
00D1 - Snorkel
00D2 - ???
00D3 - scratch
00D4 - scratch
00D5 - BLAARGH
00D6 - ??
00D7 - LOW GROWL
00D8 - crane
00D9 - Sticks clattering
00DA - Sticks clattering
00DB - Stick clattering
00DC - tread water
00DD - voice ??
00DE - creak open
00DF - Kazooie voice
00E0 - Kazooie voice
00E1 - Kazooie voice
00E2 - Kazooie voice
00E3 - Conga voice
00E4 - Conga voice
00E5 - Conga voice
00E6 - Mr jiggy voice
00E7 - Mr jiggy voice
00E8 - Tooty voice
00E9 - Tooty voice
00EA - Grunty laugh
00EB - Grunty lingering laugh
00EC - Grunty voice
00ED - Grunty voice
00EE - Grunty voice
00EF - voice
00F0 - Page turning ?
00F1 - ???
00F2 - Cuckoo clock
00F3 - Histupp
00F4 - click
00F5 - Burp
00F6 - Burp
00F7 - Burp
00F8 - Burp
00F9 - GRRR
00FA - AHH
00FB - RRAAH
00FC - Rubee voice
00FD - Rubee voice
00FE - UHH?? voice
00FF - UUH ?? voice
0100 - UUH ?? voice
0101 - Fart
0102 - Buzz
0103 - Fart
0104 - fart
0105 - Banjo yawn
0106 - click
0107 - Cauldron activated
0108 - Cauldron activated
0109 - pan
010A - gleam
010B - voice ??
010C - Mozhand voice
010D - Ancient one voice
010E - pins stips
010F - Boggy voice
0110 - Eating a twinkly?
0111 - Eating a twinkly?
0112 - Standing on a jiggy podium
0113 - Activate a cauldron
0114 - Skittles knocked down?
0115 - Bird
0116 - Thump
0117 - Smashing a skeleton
0118 - Skeleton regenerating
0119 - ARRGH
011A - Sea Grublin - "Ahoy"
011B - pipe
011C - pipe echoed
011D - pipe echoed
011E - pipe echoed
011F - pipe echoed
0120 - pipe echoed
0121 - owwwh
0122 - tooty's voice
0123 - metal grid foot
0124 - audience cheer
0125 - audience cheer
0126 - audience boo
0127 - audience boo
0128 - ??
0129 - ??
012A - Grunty getting hit
012B - bong
012C - choosing a square (GFF)
012D - camera angle up
012E - camera angle down
012F - "Thank You" - flower pots in MMM
0130 - Grunty falling
0131 - Grunty hit
0132 - Grunty hit
0133 - Grunty hit
0134 - bone shaker
0135 - ricochet
0136 - Game boy
0137 - GB synth
0138 - GB synth
0139 - GB synth
013A - Banjo going thru' the window
013B - Grunty falling
013C - Grunty falling delayed
013D - Grunty falling delayed
013E - Grunty falling delayed
013F - Grunty falling delayed
0140 - Grunty falling delayed
0141 - Conveyor belt?
0142 - Grunty cackle during fight
0143 - GRUNT
0144 - Camera picture taken sound ??BETA??
0145 - Camera picture taken sound delayed ??BETA??
0146 - Grunty's fireballs
0147 - Grunty's fireballs
0148 - Grunty's fireballs
0149 - HI! Low sound voice ??BETA??
014A - HI! Low sound voice ??BETA??
014B - Grunty flying past in fight
014C - Gruntilda voice
014D - Shiver ??BETA??
014E - CRASH
014F - Fireball whistling
0150 - Clatter
0151 - Cat (when banjo crashes out of house)
0152 - Broomstick Splutter
0153 - Broomstick splutter delayed
0154 - Broomstick splutter delayed
0155 - Broomstick splutter delayed
0156 - Broomstick splutter delayed
0157 - Broomstick splutter delayed
0158 - Broomstick splutter delayed
0159 - Broomstick splutter delayed
015A - Broomstick splutter delayed
015B - Broomstick splutter delayed
015C - Broomstick splutter delayed
015D - Broomstick splutter delayed
015E - Broomstick splutter delayed
015F - Broomstick splutter delayed
0160 - Broomstick splutter delayed
0161 - Broomstick splutter delayed
0162 - Back fire
0163 - Grunty scared at Jinjonator
0164 - Grunty?? voice scared
0165 - thunder
0166 - thunder delay
0167 - thunder delay
0168 - thunder delay
0169 - thunder delay
016A - thunder delay
016B - thunder delay
016C - thunder delay
016D - thunder delay
016E - thunder delay
016F - thunder delay
0170 - thunder delay
0171 - thunder delay
0172 - thunder delay
0173 - thunder delay
0174 - thunder delay
0175 - thunder delay
0176 - "JINJO" Jinjonator
0177 - "JINJO" Jinjonator
0178 - "JINJO" Jinjonator
0179 - "Euughh"
017A - Electric charging
017B - Flying past
017C - Grunty falling
017D - Grunty falling
017E - Mumbo transformation
017F - Mumbo transformation
0180 - Mumbo transformation delayed
0181 - Mumbo transformation delayed
0182 - Mumbo transformation delayed
0183 - Mumbo transformation delayed
0184 - Mumbo transformation delayed
0185 - Mumbo transformation delayed
0186 - Mumbo transformation delayed
0187 - Mumbo transformation delayed
0188 - Mumbo transformation delayed
0189 - Mumbo transformation delayed
018A - Mumbo transformation delayed
018B - Mumbo transformation delayed
018C - Voice saying MAMA
018D - Sexy grunty voice
018E - Sexy grunty voice
018F - Record scratch
0190 - slurp
0191 - water ski ?

Banjo Kazooie (U) (V1.0)

After Flap Sound Modifier
812A29FE 0xxx
0047=Default
That sound from holding A when using Feathery Flap.

Edit:A lucky find!

Crash Landing Kazooie Sound Modifier
812A4816 0xxx
008B=Default

Crash Landing Banjo Sound Modifiers
812A478A 0xxx
812A4846 0xxx
812A49B2 0xxx
0036,0038,0036=Defaults

Edit:A reward for drowning?

Drowning Sound Modifier
812A807A 0xxx
812A8122 0xxx
00CA,00CB=Defaults

retroben
13th March 2014, 03:20 AM
NEWLY FOUND SOUND VALUES!!!:D

Try them on any easier to use move like the egg from behind sound modifier.

03E6=Removes Sounds
03E7=game freezes for 3 seconds
03E8=game freezes for 1 second
03E9=Refilled Air
03EA=Banjo Guh-Huh
03EB=Banjo Lost
03EC=Falling Sand???
03ED=Swim Bubble
03EE=Jinjo
03EF=Urrrwwh!
03F0=Ribbit
03F1=???BETA?
03F2=Swamp Boot Bounce
03F3=Organ
03F4=Ghost
03F5=Snowman Laugh
03F6=???Something Gobi's
03F7=Snake
03F8=Snake
03F9=Gobi Wallbreak
03FA=Bee Flight
03FB=Conga Chest
03FC=Dragonfly Laugh
03FD=RBB Whistle 1
03FE=RBB Whistle 2
03FF=RBB Whistle 3
0400=Engine???
0401=EEKUM-BOKKUM!
0402=KUM-BOKKUM! delay
0403=BOKKUM! delayed
0404=KUM! delayed
0405=Sliding?
0406=Metallic Kink
0407=Mumbo gum
0408=Mumbo um
0409=Mumbo op
040A=Mumbo oh
040B=Mumbo yo
040C=Glass sound
040D=Banjo Pluck instr.
040E=Bell
040F=Ant Talk
0410=Crickets
0411=Fast Crickets
0412=Water Drop 1
0413=Water Drop 2
0414=Honey Dropped
0415=Beauty Machine Static
0416=Beauty Machine Zap
0417=Health Refill?
0418=Beep?
0419=Bat
041A=Loud Beep?
041B=Whole Beauty Transform Sound
041C-0426=Pieces of 041B
0500=Bird Ambience
0501=WTF? Ambience
0502=A Haircut? NOT NOW!

retroben
13th March 2014, 03:26 AM
Fall Sound Modifier
812B1E3E 0xxx
0052=Default

Falling Sound Modifier
812B1E9A 0xxx
0063=Default

Fell Sound Modifier
812B4682 0xxx
0038=Default

Banjo Breath Sound Modifier
812B581E 0xxx
00AF=Default

Banjo Roll Sound Modifier
812B6B2E 0xxx
0032=Default

Speech Bubble Sound Modifier
81317ACE 0xxx
00CF=Default

Ghost Death-poof Sound Modifier
8135B24A 0xxx
0030=Default

retroben
13th March 2014, 05:01 AM
Punch 1 Sound Modifier
812AB4BA 0xxx
0002=Default

Punch 2 Sound Modifier
812AB4EE 0xxx
0002=Default

Punch 3 Sound Modifier
812AB506 0xxx
0002=Default

Feathery Flap Sound Modifier
812A29B2 0xxx
004E=Default

retroben
14th March 2014, 01:34 AM
Zoom Out 1 Sound Modifier
81290F7A 0xxx
012E=Default

Zoom Out 2 Sound Modifier
81290FDE 0xxx
012E=Default

Zoom In Sound Modifier
81290F9A 0xxx
012D=Default

retroben
14th March 2014, 02:27 AM
Uhhhhhh uh uh Ohhhhhhhhhhhhhhh...

WHAT IS THIS!

WHAT IS THIS!

Beak Buster Animation Mod
8129FC96 0xxx
001D=Default

I never made a list of BK animations.

I might make the list if I can find the time to.

EDIT

BackFlip Animations Mod
812A2E9E 0xxx
812A312E 0xxx
004B,004C=Defaults

EndFlip Animation Mod
812A31C6 0xxx
0061=Default

retroben
14th March 2014, 03:13 AM
Beak Bomb Animation Mod
812A43BA 0xxx
0047=Default

Ratta-Tat Rap Animations Mod
812A6786 0xxx
812A6876 0xxx
0019,001A=Defaults

ShockSpring Jump Animations Mod
812A69D6 0xxx
812A6E92 0xxx
0048,0049=Defaults

SwimStroke Animation Mod
812A775E 0xxx
003F=Default

Talon-Jump Animation Mod
812A934E 0xxx
0027=Default

Golden Jump Animation Mod
812AA9A2 0xxx
001B=Default

Exit Golden Animation Mod
812AAC82 0xxx
0022=Default

Holding Orange Animations Mod
812AAF4A 0xxx
812AB05E 0xxx
0072,0073=Defaults

retroben
14th March 2014, 04:37 AM
Jump Animation Mod
812B11F6 0xxx
0008=Default
FINALLY!

Air End Animation Mod
812B16EE 0xxx
00B0=Default

Damage Animation Mod
812B201E 0xxx
004D=Default

Choke Kazooie Animation Mod
812B4F1E 0xxx
00F6=Default
The idle animation at the end while standing in place.

Roll Animation Mod
812B6A7E 0xxx
004F=Default

00=Test Animation
01=Crouch
02=Sneak
03=Walk
05=Punch
07=Landing
08=Jump
09=Death
0A=Climbing
0B=Slow Run
0C=Run
0E=Turn Slip
0F=End Beak Buster?
11=WonderWing Run
15=Talon Trotting
16=Enter Trot
17=Feathery Flap
18=Begin Flap?
19=Ratta-tat Rap
1A=Begin Rap?
1B=Wonderwing Jump
1C=Beak Barged
1D=Beak Buster
22=Enter WonderWing
23=WonderWing
26=Talon Stand
27=Talon Jump
28=Termite Damage
29=Termite Death
2A=Egg Spit
2B=Egg Fart
2D=Jinjo Waving
2E=Jiggy Lunch
2F=Jinjo Needs Help
38=In Flight
39=Dog Paddle Swim
3C=Submerging
3D=Swamp Jump
3E=Crash Landing
3F=Underwater Breaststroke
40=Acquire Swamp Boots?
41=Swamp Boots
42=Swamp Walk
43=Beak Blast
44=Turbo Running
45=Take Flight
47=Beak Blasting
48=ShockSpring
49=ShockSpring Jump
4B=Backflip
4C=After Backflip
4D=Getting Hit
4F=Roll
51=Conga Looking
52=Conga Got Hit
53=Conga Beaten
54=Conga Orange Toss
55=Conga Beats Chest
56=Conga Beats Chest
57=Idle Swimstroke
58=Idle Swimstroke
59=Sliding On Butt
5A=Belly Slide
5E=Termite Idle
5F=Termite Walk
60=Termite Jump
61=Walked Off Ledge?
66=Talon Damage
68=Yuh Oh
69=Unused Sidle?
6D=Mumbo Casts Spell
6F=Stand
70=Underwater Swim
71=Underwater Kick
72=Holding Item
73=Walking With Item
77=You Lost
79=Intro
7A=Angry Kick Intro
7B=Playing Banjo Intro
7C=Banjo Finish
7D=Tooty Flute
7E=More Banjo Intro
8C=Rareware Logo Appear/Slammed
8F=N Logo Walking
90=N Logo Looks and Shrugs
93=Mad Dash To Lair
95=Pecked Head
A0=Pumpkin Idle/Walk
A1=Pumpkin Jump
B0=Falling After Air Action
B1=Climbing Look
B2=Climb Idle
B5=Captain Blubber Sad Walk
B6=Blubber Crying
B7=Happy Blubber
B8=Blubber Runs
CC=End Blast
D2=Getting Up From Fall
D3=Flying Damage
F6=Choked Kazooie
0109=Evil Snowman Throwing
010C=Crouched Turn
010D=Blast Bounce
0116=Crouch Look
011B=Throwing Item
011F=Walrus Stand
0121=Walrus Jump
012F=TipTup Choir Bashed
0130=Jinjo Flying
0131=Jinjo Flight
0139=Bottles Diving
013A=Bottles Digging Out
013B=Bottles Idle/Standing
0149=Fall Slam
014A=Talk Understand
014E=Boggy Down
014F=Boggy Running
0150=Boggy Sledding
0153=Rare Logo Jumps Out
0167=Standing Before Dance/Jiggy/Talk
019C=Walrus Damage
01A0=Underwater Damage
01C6=Another Test Animation
01C7=Banjo In Bed
01C8=Banjo Awake
0236=Pumpkin Damage
024A=Cooking
024B=Cook Selected
024C=Cook Distress?
024D=Sleeping
024E=Sleep Selected
024F=Slung Out Window
0250=Playing Gameboy
0251=Game On!
0252=Gaming Springed
0282=Dancing Bow
0293=Drinking Some
0295=Chair Breaks?
029A=Happy Drink
029B=Get that Witch!
02B8=Into The Gameboy?
02BA=Show Us Secrets
02BD-02BF=More Test Animations

Common searchable address found for Banjo-Kazooie animation address nearby location!

32bits search for:
0x80289A78

HatCat
15th March 2014, 05:10 AM
Just a heads up, retroben.

I've got the 64-bit checksum in Banjo-Tooie's EEPROM save file figured out. (I'll be tracking updates on that utility on my GitHub.) It should be possible now to write a save editor for the game's progress over the intervals of time which I find to do so.

retroben
15th March 2014, 07:05 PM
Congrats on finding the checksum!

If you don't mind me asking, what helped you find the checksum?
Was it something like turning a cheato code on and off between saving, or was it a much more complex method?

retroben
16th March 2014, 10:27 PM
This is retroben and I am your host.

Jump Soundbank
80364563 00xx
00=First Jump
01=Second Jump
02=Third Jump
03-FF=other sounds replacing jump

Damage Sound Modifiers
81364564 0xxx
81364566 0xxx
81364568 0xxx
8136456A 0xxx
8136456C 0xxx
8136456E 0xxx
81364570 0xxx
81364572 0xxx
32,34,35,37,38,39,3A,3B=Defaults

Jump Sound Modifiers
81364574 0xxx
81364576 0xxx
81364578 0xxx
54,55,56=Defaults
These are what started my sound findings.
Originally found by Ice Mario in the UK version.

retroben
16th March 2014, 11:01 PM
Finally found these damn standing values!

Standing Animations Mod
812B49B6 0xxx
812B51DA 0xxx
006F=Defaults
Two phases before Kazooie pecks your head!

Egg Fart Animation Mod
812A217A 0xxx
002B=Default

Running Animation Mod
812B787E 0xxx
0002=Sneaky Run
000B=Zombie Run
000C=Default
0011=Crying Banjo
0017=Dainty Running
002C=Crab Walk?
0038=Hovering Banjo
0039=Swim Run
003F=Land Dolphin
0047=E. Honda Headbutt
0068=Trying To Fly
0070=Kick Swim
0071=Kicking Swim
0083=...just try it
0093=BETA running through wind/snow?
00B5=Sad Walk
00B7=Trala-la-la-la
00B8=Captain Blubber Walk
00B9=I'm Gonna Getcha!
014F=Haters Gonna Hate
0156=More Crab Walk

HatCat
16th March 2014, 11:11 PM
Congrats on finding the checksum!

If you don't mind me asking, what helped you find the checksum?
Was it something like turning a cheato code on and off between saving, or was it a much more complex method?

It was stepping through the instruction cache in Nemu64 and writing assembly-style C functions to model the MIPS behavior.


u64 calculate_Banjo_checksum(unsigned int block, int size)
{
    __W64 ret_slot;
    int branch, half_done;
    u32 fake_stack[0x60 / 4] = {
        0x00000000, 0x80082130, 0x80079B78, 0x80082154,
        0x00000001, 0x00000003, 0x00000000, 0x801922F0,
        0x800456E8, 0x00000002, 0xFFFFFFFF, 0x801929C8,
        0x00000002, 0xFFFFFFFF, 0x801927F0, 0x80088708,
        0x80081F3C, 0xC0000000, 0x8F809F47, 0x3108B3C1,
        0x00000000, 0x00000000, 0x801922F0, 0x00000080
    };

    half_done = 0;
/*
 * Fake the RDRAM offsets to target buffered EEPROM.
 */
    GPR[SP].W = (u32)(fake_stack);
    GPR[S0].W = (u32)(EEPROM) + 8*block;
    GPR[S5].W = GPR[S0].W + size;
/*
 * MIPS "re-assembly" of the checksum algorithm:
 */
    or (S1, ZERO, ZERO);
    /* ... */
    or (S3, ZERO, ZERO);
    or (S4, ZERO, ZERO);
    /* ... */
    addiu (S2, SP, 0x0048);
block_1: /* USA offset: 0x1928A4 */
    lbu (T8, S0, 0x0000);
    lw (T5, SP, 0x004C);
    andi (T9, S1, 0x000F);
    sllv (T0, T8, T9);
    lw (T4, SP, 0x0048);
    addu (T7, T0, T5);
    sra (T2, T0, 31);
    sltu (AT, T7, T5);
    addu (T6, AT, T2);
    addu (T6, T6, T4);
    sw (T6, SP, 0x0048);
    sw (T7, SP, 0x004C);
    jal (&branch);
    or (A0, S2, ZERO);
    if (branch != 0)
        goto block_2;
    /* who cares (unconditional jump) */
block_2: /* USA offset: 0x1168AC */
    ld (A3, A0, 0x0000);
    dsll32 (A2, A3, 31);
    dsll (A1, A3, 31);
    dsrl (A2, A2, 31);
    dsrl32 (A1, A1, 0);
    dsll32 (A3, A3, 12);
    or (A2, A2, A1);
    dsrl32 (A3, A3, 0);
    xor (A2, A2, A3);
    dsrl (A3, A2, 20);
    andi (A3, A3, 0x0FFF);
    xor (A3, A3, A2);
    dsll32 (V0, A3, 0);
    sd (A3, A0, 0x0000);
    jr (&branch);
    dsra32 (V0, V0, 0);
    if (branch != 0)
    {
        if (half_done == 0)
            goto block_3;
        else
            goto block_6;
    }
    /* who cares (unconditional jump) */
block_3: /* USA offset: 0x1928DC */
    addiu (S0, S0, 0x0001);
    addiu (S1, S1, 0x0007);
    bne (&branch, S0, S5);
    xor (S3, S3, V0);
    if (branch != 0)
        goto block_1;
    half_done = 1;
#ifndef REAL_N64_RDRAM_STATE
    GPR[S0].W = (u32)(EEPROM) + 8*block;
    sw (S0, SP, 0x0058);
#endif
    lw (A3, SP, 0x0058);
    addiu (S0, S5, 0xFFFF);
    sltu (AT, S0, A3);
    bnez (&branch, AT);
    addiu (S2, SP, 0x0048);
    if (branch != 0) /* This should never happen. */
        goto block_5;
    addiu (S5, A3, 0xFFFF);
block_4: /* USA offset: 0x192904 */
    lbu (T1, S0, 0x0000);
    lw (T3, SP, 0x004C);
    andi (T8, S1, 0x000F);
    sllv (T9, T1, T8);
    lw (T2, SP, 0x0048);
    addu (T5, T9, T3);
    sra (T0, T9, 31);
    sltu (AT, T5, T3);
    addu (T4, AT, T0);
    addu (T4, T4, T2);
    sw (T4, SP, 0x0048);
    sw (T5, SP, 0x004C);
    jal (&branch);
    or (A0, S2, ZERO);
    if (branch != 0)
        goto block_2;
    /* who cares (unconditional jump) */
block_6: /* USA offset: 0x19293C */
    addiu (S0, S0, 0xFFFF);
    addiu (S1, S1, 0x0003);
    bne (&branch, S0, S5);
    xor (S4, S4, V0);
    if (branch != 0)
        goto block_4;
    ret_slot.HW[1] = GPR[S3].HW[0];
    ret_slot.HW[0] = GPR[S4].HW[0];
    return (ret_slot.UW);
block_5:
    return (GPR[S3].W & 0x00000000FFFFFFFF);
}


Since I was unfamiliar with most of the 64-bit modes of MIPS operations, I decided to check Project64 2.1 source code to the interpreter since quite a while.

It's a coincidence that I implemented the MIPS register in terms of hand-written unions and types like zilmar does. I just happened to arrive at the same conclusion he did.
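
A compact C reading of the register-level routine posted above, added here as an example and not HatCat's own code. The names bt_mix and bt_checksum are hypothetical; it assumes the 64-bit seed is the word pair kept at SP+0x48/SP+0x4C in fake_stack, that the forward accumulator (S3) forms the upper 32 bits of the result and the backward one (S4) the lower 32, and that size is greater than zero.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: initial state = fake_stack[18]:fake_stack[19] from the post,
 * i.e. the doubleword the routine loads with "ld" from SP+0x48. */
#define BT_SEED 0x8F809F473108B3C1ULL

/* One pass through block_2: scramble the 64-bit state in place and
 * return the low 32 bits (what the MIPS code leaves in V0). */
static uint32_t bt_mix(uint64_t *state)
{
    uint64_t s  = *state;
    uint64_t a2 = (s << 63) >> 31;  /* dsll32 A2,A3,31 ; dsrl   A2,A2,31 */
    uint64_t a1 = (s << 31) >> 32;  /* dsll   A1,A3,31 ; dsrl32 A1,A1,0  */
    uint64_t a3 = (s << 44) >> 32;  /* dsll32 A3,A3,12 ; dsrl32 A3,A3,0  */

    a2 = (a2 | a1) ^ a3;                /* or ; xor                       */
    s  = ((a2 >> 20) & 0x0FFF) ^ a2;    /* dsrl 20 ; andi 0x0FFF ; xor    */
    *state = s;                         /* sd A3, 0(A0)                   */
    return (uint32_t)s;
}

/* Two passes over the buffer: first byte to last (block_1/block_3), then
 * last byte to first (block_4/block_6). The shift counter (S1) is not
 * reset between passes; it steps by 7 going forward and by 3 going back. */
uint64_t bt_checksum(const uint8_t *data, size_t size)
{
    uint64_t state = BT_SEED;
    uint32_t shift = 0;          /* S1 */
    uint32_t fwd = 0, bwd = 0;   /* S3, S4 */
    size_t i;

    for (i = 0; i < size; i++) {
        state += (uint64_t)data[i] << (shift & 0x0F);  /* 64-bit add with carry */
        fwd ^= bt_mix(&state);
        shift += 7;
    }
    for (i = size; i-- > 0; ) {
        state += (uint64_t)data[i] << (shift & 0x0F);
        bwd ^= bt_mix(&state);
        shift += 3;
    }
    /* Assumed ordering of the two halves (see lead-in). */
    return ((uint64_t)fwd << 32) | bwd;
}

int main(void)
{
    /* Constructed sample bytes, not taken from a real save file. */
    uint8_t block[16] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                          0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80 };
    uint64_t before = bt_checksum(block, sizeof block);

    block[3] ^= 0x01;   /* change a single bit of the payload */
    uint64_t after = bt_checksum(block, sizeof block);

    printf("original: %016" PRIX64 "\n", before);
    printf("modified: %016" PRIX64 " (%s)\n", after,
           before == after ? "unchanged" : "checksum no longer matches");
    return 0;
}
```

Because every byte feeds the running state before it is mixed, an edited save block has to be re-summed over its whole length rather than patched byte by byte.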

HatCat
16th March 2014, 11:19 PM
Somebody else is maintaining the high-level, C algorithm to Rareware's 64-bit checksum security algorithm.

I don't really like concerning myself with that because it's obvious that Rare customized their own type of checksum, possibly using inline assembly and not native C code, so rather than guess a bunch of retarded variable names I sort of wrote a MIPS simulator to do the work for me. I really don't care about the checksum/encryption line of business anyway; I just want to get on with the save editor.

retroben
17th March 2014, 01:51 AM
I would have to say that is complex.

I am one step closer to making a Play As Gruntilda code for Banjo-Kazooie.

I am planning to replace several animations and sounds for a more realistic feel.
I have already found some of her animations that I can use to replace Banjo's with, even for flying.

I really need a way to get her eyes to appear properly.

HatCat
17th March 2014, 02:31 AM
Playing as Grunty...lol.

Here is what I've worked out so far about the Banjo-Tooie EEPROM resource (although it probably won't help you very much):


/* WIDESCREEN MODE */
global_data[0x01] &= 0b11111101; /* global_data[0x01]1 <-- 0 */
global_data[0x01] |= 0b00000000; /* 0 :: off */
global_data[0x01] |= 0b00000010; /* 1 :: on */

/* SCREEN ADJUSTMENT */
global_data[0x01] ^= 0b00000001; /* unknown/unused bit 0? */
global_data[0x01] &= 0b00000011; /* global_data[0x01]7..2 <-- 0 */
global_data[0x02] &= 0b11000000; /* global_data[0x02]5..0 <-- 0 */
global_data[0x01] |= 0b??????00; /* 0 to 63 pixels off from the left */
global_data[0x02] |= 0b00??????; /* 0 to 63 pixels off from the top */
global_data[0x02] ^= 0b11000000; /* unknown/unused bits 7..6? */

/* SOUND OUTPUT */
global_data[0x02] &= 0b00111111; /* global_data[0x02]7..6 <-- 0 */
global_data[0x02] |= 0b00000000; /* 0 :: MONO */
global_data[0x02] |= 0b01000000; /* 1 :: STEREO */
global_data[0x02] |= 0b10000000; /* 2 :: HEADPHONE */
global_data[0x02] |= 0b11000000; /* 3 :: DOLBY SURROUND */

/* BOSSES */
global_data[0x03] |= 0b00000001; /* KLUNGO 1 */
global_data[0x03] |= 0b00000010; /* KLUNGO 2 */
global_data[0x03] |= 0b00000100; /* KLUNGO 3 */
global_data[0x03] |= 0b00001000; /* TARGITZAN */
global_data[0x03] |= 0b00010000; /* OLD KING COAL */
global_data[0x03] |= 0b00100000; /* MR. PATCH */
global_data[0x03] |= 0b01000000; /* LORD WOO FAK FAK */
global_data[0x03] |= 0b10000000; /* TERRY */
global_data[0x04] |= 0b00000001; /* WELDAR */
global_data[0x04] |= 0b00000010; /* CHILLY WILLY */
global_data[0x04] |= 0b00000100; /* CHILLY BILLI */
global_data[0x04] |= 0b00001000; /* MINGY JONGO */
global_data[0x04] |= 0b00010000; /* HAG 1 */

/* MINI-GAMES */
global_data[0x06] |= 0b00001000; /* MAYAN KICKBALL (QUARTERFINAL) */
global_data[0x06] |= 0b00010000; /* MAYAN KICKBALL (SEMIFINAL) */
global_data[0x06] |= 0b00100000; /* MAYAN KICKBALL (FINAL) */
global_data[0x06] |= 0b01000000; /* ORDNANCE STORAGE */
global_data[0x06] |= 0b10000000; /* DODGEMS CHALLENGE (1-ON-1) */
global_data[0x07] |= 0b00000001; /* DODGEMS CHALLENGE (2-ON-1) */
global_data[0x07] |= 0b00000010; /* DODGEMS CHALLENGE (3-ON-1) */
global_data[0x07] |= 0b00000100; /* HOOP HURRY CHALLENGE */
global_data[0x07] |= 0b00001000; /* BALLOON BURST CHALLENGE */
global_data[0x07] |= 0b00010000; /* SAUCER OF PERIL RIDE */
global_data[0x07] |= 0b00100000; /* MINI-SUB CHALLENGE */
global_data[0x07] |= 0b01000000; /* CHOMPA'S BELLY */
global_data[0x07] |= 0b10000000; /* CLINKER'S CAVERN */
global_data[0x08] |= 0b00000001; /* TWINKLIES PACKING */
global_data[0x08] |= 0b00000010; /* COLOSSEUM KICKBALL (QUARTERFINAL) */
global_data[0x08] |= 0b00000100; /* COLOSSEUM KICKBALL (SEMIFINAL) */
global_data[0x08] |= 0b00001000; /* COLOSSEUM KICKBALL (FINAL) */
global_data[0x08] |= 0b00010000; /* POT O' GOLD */
global_data[0x08] |= 0b00100000; /* TRASH CAN GERMS */
global_data[0x08] |= 0b01000000; /* ZUBBAS' HIVE */
global_data[0x08] |= 0b10000000; /* TOWER OF TRAGEDY QUIZ (ROUND 1) */
global_data[0x09] |= 0b00000001; /* TOWER OF TRAGEDY QUIZ (ROUND 2) */
global_data[0x09] |= 0b00000010; /* TOWER OF TRAGEDY QUIZ (ROUND 3) */

/* CINEMA */
global_data[0x09] |= 0b00000100; /* OPENING STORY */
global_data[0x09] |= 0b00001000; /* KING JINGALING GETS ZAPPED */
global_data[0x09] |= 0b00010000; /* BOTTLES AND JINGALING RESTORED */
global_data[0x09] |= 0b00100000; /* GRUNTY DEFEATED */
global_data[0x09] |= 0b01000000; /* CREDITS */
global_data[0x09] |= 0b10000000; /* CHARACTER PARADE */

retroben
17th March 2014, 03:01 AM
Not really getting anything potentially useful from that, but thanks for posting your findings anyway.

I already have a "beta" version of my intended Gruntilda code.

Gruntilda (sounds)
8129FF0E 0162
812A251A 0131
812A29B2 0142
812A29FE 0164
812A478A 012A
812A4816 0131
812A4846 0132
812A49B2 012A
802A66B7 00ED
812A8826 018D
812A883E 018E
802A945F 00EE
812B1E3E 0163
812B1E9A 0130
812B4682 0131
812B46AA 0131
812B6B2E 0133
81364564 012A
81364566 0131
81364568 0132
8136456A 0133
8136456C 012A
8136456E 0131
81364570 0132
81364572 0133
80364575 00EC
80364577 00ED
80364579 00EE
Jumps, rolling, trotting, damage, falling/slamming, Ratta-Tat Rap, Talon Jump, and crash landing.
Edit: There is an issue where you move slowly if this code is enabled before the game starts.
Edit2: Fixed that damn high fall slam.

Gruntilda With Broomstick! (animations) UPDATE!
812986BA 0457
812986BE 0457
812A43BA 01C5
812A903A 01C5
812A934E 01C5
812B49B6 01BF
812B51DA 01BF
812B787E 01C0
8037C0E7 0001
She runs properly, and she rides her "actual" broom correctly when using "talon" trot.

Edit: Now she "actually" rides her broomstick when Beak Bombing.

I can't seem to find the fly animation mod for some reason.

EDIT: Her eyes work now!

retroben
17th March 2014, 03:51 AM
Gruntilda animations added!:D

PLEASE! Everyone let me know what you think of these.

HatCat
17th March 2014, 04:21 AM
You know what I could really use these days retroben?

How about a cheat code that lets me press START to cut past the spinning N logo intro when the ROM first starts up?

Normally I have to hit F4 and take off the speed limiter, but protect memory with recompiler is too slow on my 1.90 GHz machine anyway. Loading saved states also flushes the EEPROM I hacked for Banjo to load.

So can I get a code that makes me not wait too long to be able to press START to enter the game? :p

retroben
17th March 2014, 04:57 AM
Edit: Tomorrow is now today.

retroben
17th March 2014, 09:46 PM
@HatCat: I have found the skip intro code for B-T.

Banjo-Tooie (U)

Skip Startup Intro
8012C78D 0040
Just press start when the game gets going.

HatCat
17th March 2014, 10:11 PM
Thanks! Works like a charm; this should speed things up a bit.

retroben
18th March 2014, 09:13 PM
Banjo-Kazooie (U) (V1.0)

Crouch Animation Mod
812AD84A 0xxx
0001=Default
00FF=Banjo likes what he sees!

Crouch-turn Animation Mod
812AD6DA 0xxx
010C=Default

Beak Barge Animation Mod
8129F67E 0xxx
0005=Balrog Punch
0011=Wonder Barge
001C=Default

Talon-Ledge Animation Mod
812A9C5E 0xxx
0027=Default

Feathery Flap Animation Mod
812A2A9E 0xxx
0017=Default

Attack Bounce Animation Mod
812B38F2 0xxx
000F=Default

Dog-Paddle Animation Mod
812B5B7A 0xxx
0039=Default

Throw Orange Animation Mod
812B6566 0xxx
011B=Default

Turn Around Animation Mod
812B6786 0xxx
000E=Default

retroben
19th March 2014, 02:03 AM
Banjo-Tooie (U)

Kazooie Color/Lighting Mod
81120000 3C0E
D3081084 0800
81120002 0100
81120004 AC8E
81120006 08BF
81120010 240E
81120012 xxxx
81120014 AC8E
81120016 08yy
D1081084 0800
D01354E3 000B
81120002 0101
Requires master code.
xxxx=color strength
yy=color affected
Press D-Pad Up to make colors change in patterns.
Only for Kazooie Alone because Banjo causes an exception.
YY Values:
C8=RED
CC=GREEN
D0=BLUE

retroben
19th March 2014, 03:21 AM
Inconsistent Color/Lighting Mod
81120000 240E
81120002 rrrr
81120004 AC8E
81120006 08C8
81120010 240E
81120012 gggg
81120014 AC8E
81120016 08CC
81120020 240E
81120022 vvvv
81120024 AC8E
81120026 08D0
Requires master code.
rrrr=red
gggg=green
vvvv=blue (violet)
You can change two of them to zero and the other one to 7E7E for a solid color.
This one works with Banjo.

You can change all three to 8000 for crazy rainbow banjo.

HatCat
19th March 2014, 03:46 PM
Hey do you still need that save editor for Tooie I was starting?

If I recall you said something about it being a pain in the ass to keep re-unlocking the cheat codes in the Mayahem Temple code chamber on your keyboard. (btw keyboards ftw! :p Happy to help out a fellow keyboard gamer.) I had some similar frustrations unlocking them all, too, so I added this to my save editor.


Syntax: b7 %filepath% -c <flags>
Effect: standard in-game cheat codes activated through the Mayahem Temple code
chamber (not to be confused with which cheats were simply told to Banjo
but not yet activated in the code chamber)

<flags> -- A little-endian string of twelve binary digits signifying whether
each of the twelve in-game cheats are set on or off.
000000000000: no in-game cheat codes enabled
000000000001: DOUBLE MAXIMUM FEATHERS # FEATHERS
000000000010: DOUBLE MAXIMUM EGGS # EGGS
000000000100: NO ENERGY LOSS FROM FALLING # FALLPROOF
000000001000: AUTOMATIC ENERGY REGAIN # HONEYBACK
000000010000: JOLLY'S JUKEBOX # JUKEBOX
000000100000: JIGGYWIGGY TEMPLE SIGNPOSTS # GETJIGGY
000001000000: FAST BANJO # CHEATO SUPERBANJO
000010000000: FAST BADDIES # CHEATO SUPERBADDY
000100000000: NO ENERGY OR AIR LOSS # CHEATO HONEYKING
001000000000: INFINITE EGGS AND FEATHERS # CHEATO NESTKING
010000000000: OPEN UP ALL WORLD DOORS # CHEATO JIGGYWIGGYSPECIAL
100000000000: ENABLE HOMING EGGS # HOMING
111111111111: all in-game cheat codes enabled


So calling my exe on the command-line like so:

b7.exe "BANJO TOOIE.eep" -c 111101111111

... turns on all the cheats (without unlocking them in the in-game cheat menu, anyway) except for FAST BADDIES which I personally don't see the use for.

You can't make this into a GameShark cheat code too easily cause GameShark codes only give you byte-precision access. Some of these cheat code flag bits are mixed in with jigsaw pieces collected in some worlds which makes it a little too awkward to make a GS code for.

retroben
19th March 2014, 06:19 PM
The Super Baddies cheat is for either a more challenging game, or to make Super Banjo not OP.

Let me know when and where I can get and use your B-T save editor.

My favorite combination is 001101010000

I hope there can be an interface/for dummies version for your save editor.
Even if you have to get someone who will agree to make an interface.
I am not very knowledgeable of CMD, but I have used it for a few things.

Besides, the stupid CMDs always close on the instant I open them directly! :mad:

OH, you meant the main CMD in the Start Menu, that one does not close randomly.
I could easily use that particular CMD to do such a thing.

What we really need is the actual cheat list for easily enabling and disabling them.

Edit: I just hatched an idea for a Gameshark code that disables the auto-return/magnetism of the egg shooting cursor!
I hope I can make it so anyone could put in the cheato codes effortlessly with a keyboard.

If only someone would have made an analog version of the cursor keys the standard for every keyboard.

Edit: Sorry guys, I had no luck in finding anything that stops the egg shooting cursor from jumping back to the center.

RPGMaster
19th March 2014, 09:53 PM
Lol I'm not a big fan of using CMD, so I just make a bat file instead of opening up CMD. I find it a lot more convenient.

Honestly though, GUI's take minutes to make even with Winapi.

HatCat
19th March 2014, 09:58 PM
I hope there can be an interface/for dummies version for your save editor.
Even if you have to get someone who will agree to make an interface.
I am not very knowledgeable of CMD, but I have used it for a few things.

Besides, the stupid CMDs always close on the instant I open them directly! :mad:

Nah, GUIs are obsolete. :p
Windows batch command script I wrote so far:

@ECHO OFF
TITLE Banjo-Tooie Save Editor
SET file="F:\N64\Save\BANJO TOOIE.eep"

COPY /Y %file% /B "NB7E.eep.bak" /B
b7 %file%
b7 %file% -K 1
b7 %file% -g 256
b7 %file% -h 256
b7 %file% -p 25
b7 %file% -c 111101111111
PAUSE


You'd open the batch .cmd file I wrote that in,
it would mark Klungo as having already spotted you in Spiral Mountain,
gives you 256 Glowbos,
gives you 256 extra honeycomb pieces,
gives you 25 cheato pages,
sets the 12-bit cheat mask as documented in previous post,
PAUSEs the command console to make sure the window doesn't close before you see any output.


Why the fuck would anyone in their right mind want a graphical user interface, when my command-line interface can do all of that just by double-clicking a batch file? I mean it's faster than checking a bunch of boxes and typing a bunch of input in some GUI frontend with check boxes, text boxes and other hideous shit. Anyway in short don't worry; you'll be able to use it no sweat. :p

What we really need is the actual cheat list for easily enabling and disabling them.

Yeah actually you're right.
It looks like I have to make them available in the in-game cheat list for them to be activatable, so I'm implementing that into the save edit as well.

HatCat
19th March 2014, 10:01 PM
Oh shi- , ninja'd by RPGMaster lol.

Yep! It uses a batch file to do all those EEPROM changes with the click of a file.

I suppose it's possible to make a GUI, graphical editor that's about as fast to use as my method, if you store settings in some INI file or in the registry or w/e so that it remembers settings from last time, but I don't even know how to make a graphical interface out of anything even if I wanted to anyway so I just optimized the command-line core of it. Anyone can make a GUI frontend if they want though.

RPGMaster
19th March 2014, 10:36 PM
Lol I was wondering how you replied so fast. I'm a noob at batch so reading your post convinced me that GUI's are not needed in this case. Batch is even better than I thought. I was going to say how GUI is not needed, but then I thought about the 1's and 0's so I could see how that could be convenient to use.

retroben
19th March 2014, 10:55 PM
When using Batch and CMD, I have to manually put in the file's directory in order to write to it, as my drive letter and my save file folder is in a completely different place.
I also have to type the flag variable perfectly to get the desired result.
One typo and I'm screwed.

Having a GUI makes it more user friendly, as I can open a file by navigating to its directory via using the select file window.
And I could choose between what I have and don't have in the game with checkboxes and number boxes.

A GUI would actually be faster when selecting checkboxes for what cheats you want after quickly finding the save file in the file selection.
As for amount of items, those would use increment/decrement number boxes.

I can still use it with CMD or Batch, but it will take forever to manually set the batch file to the right directory and choose what stuff I want.

HatCat
19th March 2014, 11:43 PM
Lol I was wondering how you replied so fast. I'm a noob at batch so reading your post convinced me that GUI's are not needed in this case. Batch is even better than I thought. I was going to say how GUI is not needed, but then I thought about the 1's and 0's so I could see how that could be convenient to use.

Sometimes I wish I did know GUI coding, like for some things...but other times I feel like it's a distraction to what's really my goal, so I let Notepad or whatever edits batch files be the GUI for stuff I do. :p

Honestly it's like the easiest things to do, like GUIs, that I have the most trouble with, or something. I tried learning Windows API GUI stuff and I hated the bloated code and examples so bad I guess I just stopped bothering with it.

When using Batch and CMD, I have to manually put in the file's directory in order to write to it, as my drive letter and my save file folder is in a completely different place.
I also have to type the flag variable perfectly to get the desired result.
One typo and I'm screwed.

I don't think it's a good idea to be using a computer when you can't type properly anyway.

GUIs are full of bloat and operating-system-specific things.
It's way faster for me to type "F:/N64/Save/Banjo Tooie.eep" than it is for you to use a GUI and open "F:", then open "N64", "Save", then finally clicking "Banjo-Tooie.eep". All that time wasted on clicking on a bunch of folders could have been used just typing out the directory, son! :eek:

Having a GUI makes it more user friendly, as I can open a file by navigating to its directory via using the select file window.

I think that's somewhat not-user-friendly when you consider how unstable and unpredictable operating systems can sometimes be.

C:\Program Files (x86)\Project64 2.1\Save\

Sure, maybe it took me 8 seconds to type that; maybe it took you 6 seconds to click through the File Open GUI window and pick the save folder graphically, but at least I didn't have to click "File\Open" to begin with and the fact remains that you don't need to change the filepath every so often! Once it's set, it's set; forget about it and stop complaining about being a bad typo-ist. :p

And I could choose between what I have and don't have in the game with checkboxes and number boxes.

And I could choose between what I have and don't have in the game with bit fields and integer parameters on the command-line.
Your point?

A GUI would actually be faster when selecting checkboxes for what cheats you want after quickly finding the save file in the file selection.

Sounds pretty slow if you ask me.
I can type 1111101111111111 WAY faster than you'll ever click 16 checkboxes. I think your graphical method of filling in the settings is much slower and inefficient.

Look dude, do you have any idea how many hundreds of trivial progress flags this game remembers in the EEPROM? How are you going to make a GUI that's small enough to contain editing UI for all 500 of them? The answer is: You're not. By making people go through a GUI, you're still going to force them through navigation and tabbing management, and guesswork. It's not that much better than making people navigate through the MANUAL to remember how to type it in a simple batch text file.

As for amount of items, those would use increment/decrement number boxes.

You're not serious about this one, are you? :p

You'd rather implement an increment/decrement number box, just so I can click the up-arrow next to the number and keep increasing it until it's as high as I want, to some random number?

Otherwise, wouldn't it be faster to simply type in the number than go through up/down/arrows?

Face it. GUIs FAIL! :P (not for everything just for some things anyway =])

I can still use it with CMD or Batch, but it will take forever to manually set the batch file to the right directory and choose what stuff I want.

If it takes me forever to copy/paste or type in the file path/directory, then it'll take you forever + 1 at the very least with your slow graphical selection method.

Maybe you can help write a GUI frontend for my program if you really insist on there being a graphical frontend that badly. I suppose it could be nice for one or two things.

RPGMaster
20th March 2014, 12:03 AM
Lol I guess I'm pretty lazy ;/ . I generally put stuff in the same area so I don't have to worry about stuff like C:\Users\ . I just do name.filetype lol.

Reading Retroben's post made me realise that I don't make user friendly programs xD. My reason though is because I make the programs for myself so it's more convenient to make assumptions, since I know exactly what I'm going to do with it. I've never even made a program that dealt with file directories, since I put everything related in the same folder.

If I were to make it super user friendly it would take longer than just a few minutes :( .

I like BatCat's idea of ini files though. I've never used much file i/o. I mostly did that for practice or to output data into a text or binary file. Lol parsing text is a hassle so I'd prolly make a binary file that saves settings.

Edit: Using Winapi won't increase the file size by much, unless the GUI has a ton of different buttons, boxes, text, etc. It usually only increases my program by a few kb (my programs are generally simple). The problem is that most people don't use pure WinApi so they use things like WTL, MFC, etc. Those will definitely cause code bloating. If you like Windows, I'd definitely recommend you learn WinApi.
I will say that WinApi is tough to learn. It's only simple when you find good examples. I learned it from reading good examples for the basic functions. It's a hassle to make user friendly applications with it though. I just stick to simple things like textboxes, dropdownlist, etc. I don't bother with the file directory stuff. I'm so lazy that I'd rather just have a textbox for file directory LOL. I agree with BatCat that the more

retroben
20th March 2014, 12:10 AM
Oh Fudge!

NINJA'D by the ninja master.
---------------------------------------

I guess one upside would be that it would already have the right directory after setting it.

I don't have the required amount of time to build a GUI,nor do I know how to make one.

I have to deal with my five cats deciding to run up the walls at the risk of them knocking the computer plug out of its extremely loose and broken-ish socket.
So I am always under extreme stress to the point of needing to watch for them constantly when using the computer for fear of them knocking the plug out.
The wiring is messed up,so it can't be easily fixed for a tighter hold.

Not to mention,I am technically not supposed to do game related stuff on the computer,so I have to keep hiding my stuff whenever a parent comes into the room.

The cats are running and jumping around as I post this reply.

Edit:I am lucky when I find codes that I post here.

retroben
20th March 2014, 12:15 AM
DP unless ninja'd again

What about base directory detection?

You know,when the file and the .exe are in the same directory.

HatCat
20th March 2014, 12:31 AM
Lol I guess I'm pretty lazy ;/ . I generally put stuff in the same area so I don't have to worry about stuff like C:\Users\ . I just do name.filetype lol.

That works too.
I used to do it that way all the time too.

I didn't do it here cause the save file is installed to an emulator such as Project64, and rather than put my save editing stuff in the same folder as all my EEPROM files I just figured I'd use that %file% batch variable for maintainability. Since I have no desire of ever changing the file path (at least not too many times in a lifetime) it was enough organization for me to bother with.

I like BatCat's idea of ini files though. I've never used much file i/o. I mostly did that for practice or to output data into a text or binary file. Lol parsing text is a hassle so I'd prolly make a binary file that saves settings.

It occurred to me a little late, but, technically since it's a save editor we might not need INI profiles. We could fill in the GUI checkboxes, combo text boxes etc. with what's stored in the EEPROM save file, which would give the advantage of seeing the current, existing value for each setting before changing it on the command-line. Then again, I could just as easily generate a text report of all the current settings, so, no huge loss on my end.

Raw WINAPI might be worthwhile for GUI stuff then, maybe I was trying to learn just from the wrong tutorials. I still hate referencing API functions that I have no control over but, hell, if it were more multi-OS and not so damn hard to port over it wouldn't be such a bad thing to consistently apply.

DP unless ninja'd again

What about base directory detection?

You know,when the file and the .exe are in the same directory.

I'm not sure what you mean.

You can either do
b7 filename.bin ...
for the filename.bin in the current directory as the exe,
or
b7 C:\Windows\plzkillmypcnow.bin

retroben
20th March 2014, 12:52 AM
So modifying a save from the .EXEs base directory is already possible?

I hope this means you can make it work universally without worrying about the drive letter or specific directory path so anyone can use it without needing to type in an exact directory.

Edit:I just want to share this changed code. also,fixd

Rainbow Seizure Banjo
81120000 240E
81120002 4900
81120004 AC8E
81120006 0C56
81120008 240E
8112000A 4900
8112000C AC8E
8112000E 0C5A
81120010 240E
81120012 4900
81120014 AC8E
81120016 0C5E
Requires master code.
Warning may cause seizures.

You can change the 4900s to any other values for different colors.

RPGMaster
20th March 2014, 12:59 AM
Lol I have a habit of typing something, then forgetting to post it.

I don't expect anyone to make a GUI for these kind of tools. Reason being is that the programmer has to put in extra work, just to help the users. The only reason I'd even make a GUI for this (assuming I played this game), would be so I don't have to write stuff like 1110010101 lol. If I really wanted, I could just have a text file explaining each sequence of 0's and 1's. That might actually take me less time than creating the GUI lol. See if I were to make a GUI that wasn't user friendly, it would take me like ~10 mins (depends on the complexity of the GUI). If I make it user friendly, it would probably take twice as long if not more. Generally a GUI is slower than writing text, except for when you have to do math or other things that are time consuming to do. Spamming the tab button can make GUI's quicker to use.

If you guys wouldn't mind me using WinAPI, I might consider making a GUI for it. It would be a good practice for file i/o. I'll have to get better with WinAPI if I want to make it super user friendly. All this talk about the save editor makes me want to make one for other N64 games too :) . Both Zelda games for N64 are lacking in even gameshark codes. For instance, if I use the unlock deku stick code in OOT, when one deku stick breaks, it makes me lose all my sticks. So we need to find more data to make proper codes.

Ya, the main downside to WinAPI is portability. I wanted to try out QT, but I just never bothered after briefly looking at what the code looks like. Maybe sometime, I will try something like wxWidgets when I decide to start writing portable code.

I just thought of an idea for dealing with the 1's and 0's. You could write something like this in notepad++
1 DOUBLE MAXIMUM FEATHERS # FEATHERS
0 DOUBLE MAXIMUM EGGS # EGGS
1 NO ENERGY LOSS FROM FALLING # FALLPROOF
0 AUTOMATIC ENERGY REGAIN # HONEYBACK
1 JOLLY'S JUKEBOX # JUKEBOX
0 JIGGYWIGGY TEMPLE SIGNPOSTS # GETJIGGY
1 FAST BANJO # CHEATO SUPERBANJO
0 FAST BADDIES # CHEATO SUPERBADDY
1 NO ENERGY OR AIR LOSS # CHEATO HONEYKING
0 INFINITE EGGS AND FEATHERS # CHEATO NESTKING
0 OPEN UP ALL WORLD DOORS # CHEATO JIGGYWIGGYSPECIAL
1 ENABLE HOMING EGGS # HOMING
Then you can alt shift to highlight only the 0's and 1's, then copy and paste it into empty space, then highlight the copied 1's and 0's and erase the \r\n in the selection. If you think this is too much effort, then you could make a macro lol.

All this talk about GUI's makes me want to learn more about WinAPI and Stdio. I'm glad I now have the drive to do something. For the past few days I've just been so uninterested in everything. Now this save editor stuff has caught my interest.

HatCat
20th March 2014, 01:26 AM
Yeah a major problem with QT is all the dependencies, or at least on Windows. On systems like Linux it might not be so bad.

But as far as any contributed GUIs go ultimately I'm happy with just about anything. I'm not too picky when it comes to graphical frontend stuff since I feel like the only perfection is when I'm free of external OS library APIs anyway.

About the 1/0 bitstring for the cheats, I guess I'm not sure what you were suggesting I implement exactly, but the reason I did the bit string the way I did was cause there were 12 cheat codes. So, if I wanted to enable cheat #1, I'd |= 000000000001. To enable cheat #12, I'd |= 100000000000. Since I remember most of the significant in-game cheats by their official number, from 1 to 12, I usually remember which bit to mask in from the right-most position to enable which cheat, without having to consult the manual I wrote.

By the way if you do end up taking a keen interest in save editors, I wouldn't recommend doing the Rareware or Banjo games. Rare does too much protection stuff even with hacking or cheat prevention. Something using a 512-byte EEPROM like Super Mario 64 would be a cleaner, simpler start experience I think.

HatCat
20th March 2014, 01:30 AM
Hm, but, yeah, the bit string stuff is probably the most unsatisfying part of my command-line method, that could use a GUI for some possible improvement.

More often than not I avoid them, but sometimes I think they're the best way.

I mean, for the 7 stars in Super Mario 64's worlds, you wouldn't implement a command-line option to toggle stars on or off, by typing out the full, entire name of the star would you? You'd use bit strings, and, hopefully happen to remember which star is star #1, 2, ...7 (the 100-coin star) without having to consult the manual. So, if your memory is half-decent, typing in bits might not be such a bad downer from using checkboxes.

I did avoid arbitrary bit strings, though, like the speaker mode sound output setting in Tooie.


--------------------------------------------------------------------------------
Option: -S
Syntax: b7 %filepath% -S <mode>
Effect: sound output speaker mode

<mode> -- A case-insensitive string of text beginning with one of four letters:
"M[ono]": monaural audio
"S[tereo]": dual-speaker audio
"H[eadphone]": for headphones
"D[olby Surround]": w/e that's supposed to mean!
--------------------------------------------------------------------------------


All my program really cares about is the first ASCII letter put in the command, but for readability I like to type out the full option's name anyway.

RPGMaster
20th March 2014, 02:33 AM
I totally understand the concept of bitstrings. I just happen to have a bad memory so I just thought of ways where I could generate the desired values for the bitstrings.

The point of my previous post was to line up the 0's and 1's, then copy them after vertically highlighting them, then pasting them and highlight the pasted values, then using control-f to replace \r\n with nothing, so it erases the newline characters so that it combines the 1's and 0's into 1 string of numbers.

Lol looking back on it, I could probably just read each thing. I was just being silly. I remember taking a while to come up with the desired bit string values for the songs I wanted.

For save editor, I'm mostly interested in OOT and Majora's mask.

HatCat
20th March 2014, 02:55 AM
I totally understand the concept of bitstrings. I just happen to have a bad memory so I just thought of ways where I could generate the desired values for the bitstrings.

The point of my previous post was to line up the 0's and 1's, then copy them after vertically highlighting them, then pasting them and highlight the pasted values, then using control-f to replace \r\n with nothing, so it erases the newline characters so that it combines the 1's and 0's into 1 string of numbers.

Lol looking back on it, I could probably just read each thing. I was just being silly. I remember taking a while to come up with the desired bit string values for the songs I wanted.

Since you mentioned vertically highlighting them I take it you were talking about how to do it in a graphical user interface, not a GUI-free console like the way I'm doing. I did try to think of other ways to take in the cheat flags besides making the user type in a string of bits, but I couldn't think of anything more...convenient. If you have a bad memory then yes, having checkboxes with the names of the cheats next to them is best. (Then again you lose sight of the low-level of how the cheat bits are stored in the EEPROM, so a GUI sacrifices some information that can only be seen when working on the console level, too...it's not all one-sided.)

Btw sorry for spamming your thread again retroben. :D

For save editor, I'm mostly interested in OOT and Majora's mask.

Ah, I don't believe anyone's ever contributed a save editor for Zelda OOT yet.
I prefer Majora's Mask as a game so ended up doing my flashram editor there.

Still, with OOT, you have to understand the 32-bit CRC it does. I'm not very good at CRC polynomials or data encryption stuff, but you said you were interested in algorithms so I suppose it could be an interesting test to you.

Zelda MM only uses a simple, additive 16-bit checksum. (I just had to add up all the bytes up to a certain point.) Nothing too challenging about checksum algorithms there.
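An added example, not part of the post above or of the save editor's source: a 16-bit additive checksum of the kind described, with verify and update helpers. The covered length, the big-endian storage in the two bytes after the covered region, and the sample block are assumptions made for the example; it also shows that swapping two bytes leaves the sum unchanged, so a sum like this only catches accidental corruption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Add up every byte of data[0..len), keeping only the low 16 bits. */
uint16_t sum16(const unsigned char *data, size_t len)
{
    uint16_t sum = 0;
    size_t i;

    for (i = 0; i < len; i++)
        sum = (uint16_t)(sum + data[i]);
    return sum;
}

/*
 * Assumed layout (hypothetical): bytes [0, body_len) are covered and the
 * checksum sits big-endian in the two bytes that follow.
 * Returns 1 if the stored value matches, 0 if not, -1 on bad arguments.
 */
int checksum_ok(const unsigned char *save, size_t size, size_t body_len)
{
    uint16_t stored;

    if (save == NULL || body_len > size || size - body_len < 2)
        return -1;
    stored = (uint16_t)((save[body_len] << 8) | save[body_len + 1]);
    return stored == sum16(save, body_len);
}

/* Recompute the checksum after an edit and store it. Returns 0 or -1. */
int checksum_update(unsigned char *save, size_t size, size_t body_len)
{
    uint16_t sum;

    if (save == NULL || body_len > size || size - body_len < 2)
        return -1;
    sum = sum16(save, body_len);
    save[body_len] = (unsigned char)(sum >> 8);
    save[body_len + 1] = (unsigned char)(sum & 0xFF);
    return 0;
}

/*
 * Swap two covered bytes and report what checksum_ok() says afterwards.
 * Addition is order-independent, so the result stays 1 for a valid block.
 */
int reorder_is_undetected(unsigned char *save, size_t size, size_t body_len,
                          size_t i, size_t j)
{
    unsigned char tmp;

    if (save == NULL || i >= body_len || j >= body_len)
        return -1;
    tmp = save[i];
    save[i] = save[j];
    save[j] = tmp;
    return checksum_ok(save, size, body_len);
}

int main(void)
{
    /* Constructed sample block: 8 data bytes plus 2 checksum bytes. */
    unsigned char block[10] = {
        0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0, 0x00, 0x00
    };

    checksum_update(block, sizeof block, 8);
    printf("stored checksum: %02X%02X\n", block[8], block[9]);

    block[3] ^= 0x01; /* a single changed bit is caught */
    printf("after bit flip:  ok=%d\n", checksum_ok(block, sizeof block, 8));
    block[3] ^= 0x01;

    printf("after byte swap: ok=%d\n",
           reorder_is_undetected(block, sizeof block, 8, 0, 1));
    return 0;
}
```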

retroben
20th March 2014, 03:08 AM
If it is Banjo related,then its not spamming.

I asked for that Banjo-Tooie save editor anyway.

I can't think clearly because of the dizzy headaches I have been frequently getting lately.

RPGMaster
20th March 2014, 03:50 AM
The highlighting suggestion was for writing down the 1's and 0's in notepad. I was just being silly, thinking it was a hassle to write a few 1's and 0's since I wouldn't memorize what each digit represents. I could just read through a list when writing the 0's and 1's so that whole copy paste thing is not needed ;/. Since you already worked on MM, I'll probably do that one before I do OOT. With Nemu, would I be able to see the checksum algorithm for the save data?

Again I might make a GUI for even Banjo-Tooie. I'd like some suggestions on what features to put in it. Nothing too fancy though.

My biggest problem with a GUI is that if you want a full fledged save editor, there's just too much stuff to put in lol. BatCat, is your MM save editor open source? I could make a GUI for it.

HatCat
20th March 2014, 04:05 AM
First off, to try and stay on-topic to retroben's thread, I just added another option to make sure all the shortcut silos are opened up throughout the Isle O' Hags.

--------------------------------------------------------------------------------
Option: -s
Syntax: b7 %filepath% -s <flags>
Effect: access to Jamjar's silo shortcut tunnels

<flags> -- A little-endian string of eight binary digits, signifying whether
each of Jamjars' silos is accessible to Banjo.
00000001: JINJO VILLAGE
00000010: WOODED HOLLOW
00000100: PLATEAU
00001000: PINE GROVE
00010000: CLIFF TOP
00100000: WASTELAND
01000000: QUAGMIRE
10000000: just whether or not Jamjars has introduced this feature to Banjo yet
--------------------------------------------------------------------------------


That last bit there may seem fairly useless, but it was bunched together with the other 7 bits, so the most organized thing to do seemed to be adding it in as a feature.


Heh, RPGMaster I'd feel kinda bad about making people type in 0s and 1s all the time if I never documented in the manual what the flags do.

If you do make a GUI for a save editor, I think the only real goal is just ease of use, clarity, things like that. I have no idea how you would tab the things out though...maybe have one tab for all the global game settings, another for game progress settings, ...idk. Creative thinking works best here. :p

With Nemu, would I be able to see the checksum algorithm for the save data?

That was how I found the checksum algorithm for Banjo-Tooie, so yes I'm sure you could use Nemu64 to set breakpoints and step through the MIPS machine code instructions, register changes, etc. However like I said, I know next to nothing about checksums, encryption, CRCs ... I didn't understand a damn thing about what Banjo-Tooie's custom checksum algorithm was doing other than a lot of 64-bit bit-wise math, so I just literally implemented it in assembly-language-style C code based on what I learned from Nemu64:


u64 calculate_Banjo_checksum(unsigned int block, int size)
{
    __W64 ret_slot;
    int branch, half_done;
    u32 fake_stack[0x60 / 4] = {
        0x00000000, 0x80082130, 0x80079B78, 0x80082154,
        0x00000001, 0x00000003, 0x00000000, 0x801922F0,
        0x800456E8, 0x00000002, 0xFFFFFFFF, 0x801929C8,
        0x00000002, 0xFFFFFFFF, 0x801927F0, 0x80088708,
        0x80081F3C, 0xC0000000, 0x8F809F47, 0x3108B3C1,
        0x00000000, 0x00000000, 0x801922F0, 0x00000080
    };

    half_done = 0;
/*
 * Fake the RDRAM offsets to target buffered EEPROM.
 */
    GPR[SP].W = (u32)(fake_stack);
    GPR[S0].W = (u32)(EEPROM) + 8*block;
    GPR[S5].W = GPR[S0].W + size;
/*
 * MIPS "re-assembly" of the checksum algorithm:
 */
    or (S1, ZERO, ZERO);
    /* ... */
    or (S3, ZERO, ZERO);
    or (S4, ZERO, ZERO);
    /* ... */
    addiu (S2, SP, 0x0048);
block_1: /* USA offset: 0x1928A4 */
    lbu (T8, S0, 0x0000);
    lw (T5, SP, 0x004C);
    andi (T9, S1, 0x000F);
    sllv (T0, T8, T9);
    lw (T4, SP, 0x0048);
    addu (T7, T0, T5);
    sra (T2, T0, 31);
    sltu (AT, T7, T5);
    addu (T6, AT, T2);
    addu (T6, T6, T4);
    sw (T6, SP, 0x0048);
    sw (T7, SP, 0x004C);
    jal (&branch);
    or (A0, S2, ZERO);
    if (branch != 0)
        goto block_2;
    /* who cares (unconditional jump) */
block_2: /* USA offset: 0x1168AC */
    ld (A3, A0, 0x0000);
    dsll32 (A2, A3, 31);
    dsll (A1, A3, 31);
    dsrl (A2, A2, 31);
    dsrl32 (A1, A1, 0);
    dsll32 (A3, A3, 12);
    or (A2, A2, A1);
    dsrl32 (A3, A3, 0);
    xor (A2, A2, A3);
    dsrl (A3, A2, 20);
    andi (A3, A3, 0x0FFF);
    xor (A3, A3, A2);
    dsll32 (V0, A3, 0);
    sd (A3, A0, 0x0000);
    jr (&branch);
    dsra32 (V0, V0, 0);
    if (branch != 0)
    {
        if (half_done == 0)
            goto block_3;
        else
            goto block_6;
    }
    /* who cares (unconditional jump) */
block_3: /* USA offset: 0x1928DC */
    addiu (S0, S0, 0x0001);
    addiu (S1, S1, 0x0007);
    bne (&branch, S0, S5);
    xor (S3, S3, V0);
    if (branch != 0)
        goto block_1;
    half_done = 1;
#ifndef REAL_N64_RDRAM_STATE
    GPR[S0].W = (u32)(EEPROM) + 8*block;
    sw (S0, SP, 0x0058);
#endif
    lw (A3, SP, 0x0058);
    addiu (S0, S5, 0xFFFF);
    sltu (AT, S0, A3);
    bnez (&branch, AT);
    addiu (S2, SP, 0x0048);
    if (branch != 0) /* This should never happen. */
        goto block_5;
    addiu (S5, A3, 0xFFFF);
block_4: /* USA offset: 0x192904 */
    lbu (T1, S0, 0x0000);
    lw (T3, SP, 0x004C);
    andi (T8, S1, 0x000F);
    sllv (T9, T1, T8);
    lw (T2, SP, 0x0048);
    addu (T5, T9, T3);
    sra (T0, T9, 31);
    sltu (AT, T5, T3);
    addu (T4, AT, T0);
    addu (T4, T4, T2);
    sw (T4, SP, 0x0048);
    sw (T5, SP, 0x004C);
    jal (&branch);
    or (A0, S2, ZERO);
    if (branch != 0)
        goto block_2;
    /* who cares (unconditional jump) */
block_6: /* USA offset: 0x19293C */
    addiu (S0, S0, 0xFFFF);
    addiu (S1, S1, 0x0003);
    bne (&branch, S0, S5);
    xor (S4, S4, V0);
    if (branch != 0)
        goto block_4;
    ret_slot.HW[1] = GPR[S3].HW[0];
    ret_slot.HW[0] = GPR[S4].HW[0];
    return (ret_slot.UW);
block_5:
    return (GPR[S3].W & 0x00000000FFFFFFFF);
}


However, you really shouldn't have to resort to this.

If Zelda OOT's CRC-32 is the standard, well-documented and very-well-heard-of CRC algorithm I'm thinking of, you shouldn't need to use Nemu64 to disassemble the ROM and hack out the algorithm. There's probably some C standard header file that includes its own CRC-32 function that will completely do the work for you for something that widespread and well-documented.

BatCat, is your MM save editor open source? I could make a GUI for it.

Yes it is open-source and on my GitHub online repository which I prefer to refrain from linking to in public.

Still, I released that software in binary and source form in this thread:
http://forum.pj64-emu.com/showthread.php?t=4132
... so you should be able to get it there.


Wow, 738 views and 56 downloads??
I never thought it'd achieve that kind of popularity...I thought everyone would give me shit about it needing a GUI, and making people read the manual and do file byte-swapping themselves...but I guess loads of people were so desperate for a Zelda MM save editor they didn't complain.

RPGMaster
20th March 2014, 07:08 AM
I don't see the source code in the link you provided. I just need it for helping me with file i/o. I've never really read a file then updated the file. I also don't know the addresses for each variable.

I've decided to work on a GUI this week. I'm thinkin I'll start with MM first, because the banjo one is incomplete. I don't have enough time to do much in-game testing, so I have to rely on you guys for the addresses for variables.

retroben
20th March 2014, 09:19 AM
Retroben with the kewl codes.:cool:
Hatcat makes the save editors.:D
RPGMaster builds the GUIs for them.:eek:

The equivalent of the IT Crowd...

We are the PJ Crowd! :D

HatCat
20th March 2014, 02:40 PM
Retroben with the kewl codes.:cool:
Hatcat makes the save editors.:D
RPGMaster builds the GUIs for them.:eek:

The equivalent of the IT Crowd...

We are the PJ Crowd! :D

lol, is that right? What's the IT Crowd?

I don't see the source code in the link you provided. I just need it for helping me with file i/o. I've never really read a file then updated the file. I also don't know the addresses for each variable.

OMG you're right!
Well that was dumb of me...shit. I don't have a clue why I didn't bundle src.

I guess I was so pushed into uploading the software by a couple Zelda freaks that I was reluctant and hesitant enough about organizing it to begin with, so I felt like doing a minimalist upload just to shut people up.

Well, if I'd known it'd attract that much attention, I'd have thrown in source code with it. ...I think? Then again, it does have a lot of swear words in it XD. Some things I did in the source then, I would not have done now.... Perhaps I just need to maintain it again.

I've decided to work on a GUI this week. I'm thinkin I'll start with MM first, because the banjo one is incomplete. I don't have enough time to do much in-game testing, so I have to rely on you guys for the addresses for variables.

You shouldn't need to know the FLASHRAM addresses to make a GUI frontend.

All you'd really need to know is basic string manipulation I guess. Like, if the user checks the 4 boxes in your GUI saying, "Have boss masks: Odolwa, Goht, Gyrog, Twinmold", then you would create a 4-digit bitstring "1111" and pass that as the argument. You'd probably use the system() function in C stdlib, as: system("zs flashram_input.fla 0 --boss-masks 1111"); and, without knowing the flashram addresses in my C source, your frontend would successfully call my core executable to do the job.

Now, if you're trying to re-do a save editor as a GUI application, without it being a front-end extension to an existing console application I wrote, then you would need source code...hm. Well at any rate if it makes you feel more comfortable I'll see if I can dig up exactly what mess of C I used to compile the bin I attached to that thread. Now that you mention it I remember having to go back to an old tree of my repository back when the program still worked. XD

HatCat
20th March 2014, 03:04 PM
You mentioned needing help with practical file stream usage in C.

A basic FLASHRAM save file loader in C should go like this:


#include <stdio.h>

#define FLASH_SIZE 0x00020000

unsigned char FLASHRAM[FLASH_SIZE];

int main(int argc, char* argv[])
{
    FILE* stream;
    register int i;

    if (argc < 2) /* argv[1] does not exist. */
        stream = fopen("ZELDA MAJORA'S MASK.fla", "rb");
    else
        stream = fopen(argv[1], "rb");

    if (stream == NULL)
    {
        fputs("Failed to import FLASHRAM.\n", stderr);
        return 1;
    }

    for (i = 0; i < FLASH_SIZE; i++)
    {
        const int test = fgetc(stream);

        if (test == EOF) /* defined in <stdio.h> */
            break;
        else
            FLASHRAM[i] = (unsigned char)(test);
    }
    fclose(stream); /* with all binary imported, we needn't this anymore */

    FLASHRAM[0x10000] = 0x11; /* just a test change :P */

    /* now to write up-to-date FLASHRAM array back to a file... */
    if (argc < 2)
        stream = fopen("ZELDA MAJORA'S MASK.fla", "wb");
    else
        stream = fopen(argv[1], "wb");

    if (stream == NULL) /* the file could not be opened for writing */
    {
        fputs("Failed to export FLASHRAM.\n", stderr);
        return 1;
    }

    for (i = 0; i < FLASH_SIZE; i++)
        fputc(FLASHRAM[i], stream); /* writes each byte to the file */
    fclose(stream); /* flushes the buffered bytes out to the file */
    return 0;
}


Obv there are plenty of things in that code which would be done differently (such as using fread instead of my massive, compatibility fgetc loop, same thing for writing the file back onto your hard disk drive), but at least it should make sense at any rate.

HatCat
20th March 2014, 04:26 PM
Heh, that jiggy in Mayahem Temple where you "have to" get the wading boots to go across the quicksand to get it?

Guess Rare didn't put enough thought into the bypasses for that one. With the SUPERBANJO cheat entered, Mumbo Jumbo had enough speed to just keep jumping across the man-eating shit and get the jiggy without the wading boots.

Also, I had no idea that SUPERBANJO cheat would make Golden Goliath move faster too

RPGMaster
20th March 2014, 07:05 PM
Lol ok, so I had the right idea with using a large buffer to read the fla data. Idk why people are so against global variables. Ya I generally used fread. I forgot what I did to count the number of bytes in the file lol. I'll have to go back and look at some of my previous programs. I love how I can totally forget how to do something and quickly relearn it since I can just refer to previous things I've either written or read.

I suppose making a front end GUI would be easier for me. All I'd have to do is be able to generate commands :) .

Eventually I'd like to have the flashram addresses, because I like collecting data :) . I should probably beat the game before I add stuff to the save editors for Zelda though.

Edit: I've never tried that system("") other than system("PAUSE") in school. I'm going to see how that works now :) .

retroben
20th March 2014, 08:48 PM
Info about the "The IT Crowd" sitcom on wikipedia.

WTFITSen.wikipedia.org/wiki/The_IT_Crowd

retroben
20th March 2014, 09:36 PM
Banjo-Kazooie (U) (V1.0)

Machine Gun Kazooie (forward)
802A2537 0031
I finally found it.

Landing After Feathery Flap Action? Mod
802A2747 00xx
0006=Lose
0012=Default
0019=Swimming Transform/Failed T-rex
001A=WIN!
WOW,Just WOW!

Upward Flap
802A2A57 0006
Kazooie tries extra hard to lift Banjo.

retroben
21st March 2014, 12:21 AM
And now for something EPIC!

Roll To Fly!
802B6C47 0023
After you finish rolling,Banjo takes flight!

Roll End ACTION Mod
802B6C47 00xx
01=Default
05=Jump
06=Punch
07=Crouch?
08=Talon Jump
09=Egg Spit
0A=Egg Lay
0F=Beak Buster
12=Backflip
13=Beak Barge
14=Enter Trot
15=In Trot
16=Trotting
18=Bounce Away?
1A=Enter Golden
1B=In Golden (no music change)
21=Shock-Spring Jump
22=Shock-Spring Jumping
23=Take Flight
2A=Painful Beak Bomb
31=Roll...Roll...Roll
34=WIN
35=Instant Termite
3D=Slam Of Pain
41=Death
43=Termite Death
44=Collect Jiggy and Win (savestate recommended/only use in Lair)
46=Instant Winning Bee
48=Pumpkin?
4E=Pumpkin? Death
4F=Random Teleport/Center???
50=Another Random Teleport/Center
51=Jump Off Pole?
53=Lose
54=Take A Breath
58=Crash Landing
59=Flight Damage
5E=Instant Croc
64=Croc Death
67=Instant Walrus?
6B=Instant Bee
6D=Bee Death
6F=Croc Gagging On Worm
72=OW!
7D=Walrus On Sled
7F=Swim Damage
80=Walrus Lose?
8A=Bee Death Again!
8B=Bee Takes Flight Like Kazooie
91=Flight Damage Again!
92-9A/9C/9D=Various Actions To Last Entrance (convenient)
9E=Teleport To Map Center
A4=Golden Feather To Last Entrance

retroben
21st March 2014, 01:20 AM
Talon-Trot Action Mod
802ADD6F 00xx
14=Default
15=Instant Trot
23=Fly
92=Return To Last Entrance
A4=Golden To Last Entrance

Mutual Damage
802963B3 001B
802963F3 001B
Enemies get killed when you get hurt by them.

Jump Action Mod
8029C7D7 00xx
05=Default
06=Fueled Punches
08=Talon Jump
22=Immediate Shock Jump
31=RollRollRoll

Roll Action Mod
802B6F6B 00xx
0031=Default

Feather Flap Action Mod
802B157F 00xx
0005=Multi-Jump
000F=Beak Buster
0010=Default
0011=Ratta-Tat-Rap

Ratta-Tat-Rap Action Mod
802B1593 00xx
0005=Multi-Jump
000F=Beak Buster
0010=Feather Flap
0011=Default

retroben
21st March 2014, 02:47 AM
Backflip Action Mod
802ADDCB 00xx
08=Talon Jump
12=Default
22=Instant Shock Jump
23=Take Flight

Beak Barge Action Mod
802ADDDF 00xx
0013=Default
0018=Bounce Away

Bounce Off Enemy Action Mod
802960A7 00xx
05=Jump
18=Super Bounce
56=Default

Fall Action Mod
802A2C8F 00xx
802A3267 00xx
802A97F3 00xx
802AA00B 00xx
802B1843 00xx
05=Jump
10=Kazooie's got Banjo's Back
31=Mid-air Roll Down To Safety
3D=Defaults
Updated with more conditions.

Wall Impact Action Mod
802A410F 00xx
05=Bail Out
23=Re-Fly
24=Continue Flying
2A=Retarded Banjo
59=Default
You still take damage.

Crash Landing Action Mod
802A4317 00xx
01=Safety
05=Jump On Impact
23=Retry
58=Default
59=Ground Impact

Slam Action Mod
802B1F4F 00xx
01=Fallproof
05=yuh-oh yuh-oh yuh-oh yuh-oh...
58=Crash Landing
59=Ground Impact
72=Default

retroben
21st March 2014, 04:00 AM
Death Action Modifier
80296393 00xx
1B=Immortal
41=Default
53=Lose
A4=Golden Protection

Drown Action Mod
802967DB 00xx
14=Talon Fall
1A=Golden Fall
41=Death At A Drowning
54=Default
58=Crash Landing
59=Water Impact?
72=OW!

retroben
21st March 2014, 04:41 AM
Climb Action Mod
80296A3B 00xx
05=Jump Up
08=Kazooie Jumps Up
11=Ratta-Tat Rap Up
41=Climbing Can Be Deadly
4F=Default
51=Auto-Climb

I am out of time until this Sunday.

RPGMaster
21st March 2014, 09:38 PM
Before I get bored from programming, is there enough save data info for Banjo Tooie, for it to be worth making a gui for? If not I'll just hit the books I guess and chill for the week. I should catch up on my studies.

Lol I tend to go through cycles where I really want to do something and spend all day on it, then eventually I get hooked onto something else and the cycle repeats itself. I really need to buy a new controller though :( . It's frustrating how I broke the wire, so it randomly stops working. Some emulators (like 1964 and Nemu) will stop working, the minute my controller turns off.

HatCat
21st March 2014, 10:27 PM
There is way too much stuff stored in Banjo-Tooie eep; I haven't hacked near all of that out yet.

I'm sorry to say of all the save editors I've done I haven't left behind a very ideal example for you to play with.

Technically the only save editor I made for a game that was small enough, for me to finish reversing every single byte/bit and what they do in the EEPROM, is Super Mario 64. However I did that so long ago that it's not a proper command-line application and doesn't take arguments on the console when calling the EXE (tries to ask you all the questions wizard-style during run time). However, my documentation of the Mario64 EEPROM is complete for every last bit, so it could be an opportunity of experience for you to write your own save editor for that.

RPGMaster
21st March 2014, 11:13 PM
Lol I figured there wasn't enough mapped data yet for Banjo Tooie. It's good to know that SM64 is well documented though. I might take a look at that this week. Unfortunately I can't be bothered with collecting addresses for Banjo Tooie because I have enough work to do on other games (like Zelda). Hopefully Retroben or someone else can help you with the save editor.

In the meantime, I will be learning stdio, stdlib, and winapi. I'm a noob at command line stuff, so I'm going to try and master batch too.

HatCat
22nd March 2014, 12:16 AM
I'm pretty much alright on my own with the Banjo-Tooie EEPROM. It's not exactly what I would call "challenging", just time-consuming. For example how am I supposed to document which bit or bytes of the EEPROM, correspond to whether this or that musical note in a world has been collected yet? That's like, 16*9 bits to document lol. Again, not hard, just tedious.

But Super Mario 64 is the most straightforward save data I've reversed. Actually another hacker named bryc took the whole initiative on that and led to my inspiration to even think to do save editors instead of GameShark codes all the time, but I was able to help fill in the missing gaps and start (but not finish!) a complete save editor (lolwut?). I haven't touched it since 2011, maybe 2012.

It's a good idea to learn <stdio>, as that's important stuff internal to the C implementation on operating systems! I don't use <stdlib> all that often, but that's about the same concept except more generic.

Now, if you ever think about making your own save editor or want to have a look at Mario 64's EEPROM, I don't really like publicly linking to my GitHub repository (though plenty of individuals already know about it), so I'll have you Google something:
super mario 64 eeprom
Somewhere on the first page (hopefully) of Google results should be my markdown documentation for the save file data mario64 uses.

RPGMaster
22nd March 2014, 07:15 AM
Lol ya, I know documenting variables & addresses isn't difficult. It's just too much work for 1 individual imo. That's why I'd want others helping you, so that it will be easier and more work gets done. Lol just thinking about mapping Zelda data by myself discourages me :( . I really don't know why more info isn't documented. Why must people be so lazy .___.

I haven't played SM64 in ages, aside from briefly trying to see if I could hack it. I was inspired by the multiplayer hack to try and figure out how to make certain single player games multiplayer. I wish I knew what to do lol. I always wanted Star Ocean 2 to be 2 players. Kingdom Hearts would be fun too :) .

Basically for a save editor all I'd do is read the save file into a buffer, then do bitwise AND / OR operations, then overwrite the save file using the buffer right?

I really need to learn batch. That's probably what I'm going to focus on this weekend, along with winapi and maybe stdio if I am unable to do things in pure winapi.

Edit: One thing I'd like to be able to do for certain applications is run a bash script that can programmatically get the pid of a desired process. Then I could pass the PID # to the program that needs it. That would be more convenient than my current method :) . I'd also prefer using batch instead of dealing with file i/o just for settings.

HatCat
22nd March 2014, 04:19 PM
I think Windows taskkill.exe which you could call in a batch script will let you kill an exact process by PID, but I'm not sure how you'd fix an exact PID to a newly initiating process.

For a save editor, you would want to only do AND operations when clearing/erasing specific bits, and OR operations when forcing certain bits on. For example, there is not an x86 assembly command to directly address any specific bit, within any byte, and say that it's on or off. That's why AND/OR just happen to get used so much; they're indirect ways of accessing them. All you really need to care about to begin with is just buffering the EEPROM into an array of bytes so that you can play with it however you want on the C level.

RPGMaster
22nd March 2014, 08:52 PM
I think I might map out data this week for Zelda MM. Is there anything in particular that you think I should find first?

I'm going to study up on batch and winapi this week. Hopefully I'll find some good tutorials/examples on batch.

I'm probably being silly by preferring to do certain tasks with batch, instead of just doing file i/o. For some reason batch just interests me.

HatCat
22nd March 2014, 10:19 PM
Well I use batch commands to backup the file before editing it, but you can't use batch to edit save files more than you could use a hex editor to do it yourself.

You can find whatever you want for Zelda MM, but none of it can be changed yourself until you figure out the 16-bit checksum it uses. There is a byte which counts the number of times you've saved using the Song of Time I think, but even if you're just trying to save to the FLASHRAM to isolate which byte got changed to find that value, it won't be the only thing that changes. Somewhere deep into the save file is a 16-bit data segment that added up the hex values of all the bytes before it. If you don't update this 16-bit checksum when you hex-edit the FLA save yourself, the game will throw away any hacking you did to the save.

RPGMaster
22nd March 2014, 11:23 PM
Lol I should be more clear when I explain things. Sometimes I do a bad job explaining stuff. I just want to use batch for passing the values of certain variables to the program, instead of reading an ini file.

Ya, I will need to find the checksum formula before I begin lol. If you could tell me more details, I'd be very grateful. Is the checksum in multiple places?

Lol I remember a while ago when I went ahead and tried out your save editor without fully reading your documentation. I ended up wasting time trying to edit the save file by hand xD. Now that I understand more about RAM and the save file, it should be easier for me to find the offsets.

I just finished watching some anime so now I'm going to be programming a lot for the next few days.

HatCat
22nd March 2014, 11:45 PM
It is in multiple places but in one place only if you are only concerned with one save game.

The FLASHRAM save chip is as you know 128 * 1024 bytes in size, divided into what I've identified to be 16 "pages" or I guess blocks, whatever I should be calling them, of 8,192-byte chunks.

So the first section is from FLASHRAM[0x000000] to FLASHRAM[0x001FFF], the second is from FLASHRAM[0x002000] to FLASHRAM[0x003FFF], ... all the way up to the sixteenth section, which exists from FLASHRAM[0x01E000] to FLASHRAM[0x01FFFF].

Some sections correspond to File 1 or File 2 of the Zelda game save data; some correspond to the global settings like Z-targeting, sound output mode, or PAL (European ROM) language setting; some correspond to backups of File 1 or 2 in case you incorrectly edited the primary save chunks for them by failing to update the checksum, the magic number, or w/e (then the game discards your changes and loads from these buffers instead); some of them are owl statue save data points for when reloading your game save file from an owl statue spot in Termina; some of them are 100% ignored/reserved/unused, empty 8-KB blocks with no purpose.

If you don't feel like reversing which blocks seem to correspond to File 1 or File 2, you can cheat and use the answer tables I wrote out in my MANUAL text, bundled with my zs.exe.

So, by using C pointer indirection, you can address the 8-KB blocks of memory like so:

#define FLASH_SIZE (0x01FFFF + 1)

/* The whole 128-KiB save image; the pointers below mark its sixteen 8-KB blocks. */
unsigned char FLASHRAM[FLASH_SIZE];
/* Plain pointer arithmetic: casting to unsigned long would truncate the address
   where long is narrower than a pointer, and is not a valid pointer initializer. */
unsigned char* block_00 = FLASHRAM + 0x000000;
unsigned char* block_01 = FLASHRAM + 0x002000;
unsigned char* block_02 = FLASHRAM + 0x004000;
unsigned char* block_03 = FLASHRAM + 0x006000;
unsigned char* block_04 = FLASHRAM + 0x008000;
unsigned char* block_05 = FLASHRAM + 0x00A000;
unsigned char* block_06 = FLASHRAM + 0x00C000;
unsigned char* block_07 = FLASHRAM + 0x00E000;
unsigned char* block_10 = FLASHRAM + 0x010000;
unsigned char* block_11 = FLASHRAM + 0x012000;
unsigned char* block_12 = FLASHRAM + 0x014000;
unsigned char* block_13 = FLASHRAM + 0x016000;
unsigned char* block_14 = FLASHRAM + 0x018000;
unsigned char* block_15 = FLASHRAM + 0x01A000;
unsigned char* block_16 = FLASHRAM + 0x01C000;
unsigned char* block_17 = FLASHRAM + 0x01E000;


So, as an example, if you read anything from [...] = block_17[0x0FFF], you are directly reading from FLASHRAM[0x01E000 + 0x0FFF], and if you write anything to block_17[0x0FFF] = [...], you are directly writing to FLASHRAM[0x01E000 + 0x0FFF], because these are all pointers into the 128-KiB FLASHRAM chunk array you've declared.

For each block_?? pointer into the loaded flashram array, there is exactly 1 16-bit checksum. It's up to you to find what offset deep into the game's updated 8-KB chunk of your choice, this checksum is stored to, updated and read from. If you understand C well enough of course you can see the answer yourself in my aserdrtgftargttagfasdf nvm that's right I was wrong when I thought I open-sourced my program in the ZIP I posted. :D Oh well, let's wait and see if you can find it first.

RPGMaster
23rd March 2014, 12:51 AM
Thanks a lot! I'm reading your documentation now. I will do some testing with the save data soon. I was practicing winapi. I take it, once I'm done with the save editor, I will need to reverse the endianness of the fla file while editing it right?

I need to start paying more attention to details. For now, at least I'm getting closer to my goals with batch. I'm starting to understand things better.

HatCat
23rd March 2014, 01:02 AM
Yeah actually I forgot about that.

Project64 doesn't implement FLASHRAM correctly for a number of reasons.

One of the problems is that, where the bytes should read "ZELDA3" in the flashram save, it actually comes out as "DLEZ??3A" with DCBA byte order. Both x86 and N64 MIPS are 32-bit machines here, though, so the byte-endianness is always on a 32-bit boundary.
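
Added example, not part of any post above and not code from the save editor discussed in this thread: the edit cycle the posts describe, in C, covering the per-32-bit-word byte swap, 8-KB block addressing, AND/OR bit edits, and the additive 16-bit sum whose staleness makes the game discard an edit. The checksum offset is a labelled placeholder (the thread does not give the real one); high-byte-first storage of the sum and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_SIZE 0x20000u /* 128 KiB FLASHRAM image */
#define BLOCK_SIZE 0x2000u  /* sixteen 8-KB blocks */
#define SUM_OFFSET_PLACEHOLDER 0x0100u /* ASSUMPTION: not the real offset */

/* Reverse each 32-bit word (ABCD <-> DCBA), the byte order of the .fla file. */
void swap32_words(uint8_t *buf, size_t len) {
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint8_t w[4] = { buf[i + 3], buf[i + 2], buf[i + 1], buf[i] };
        memcpy(buf + i, w, 4);
    }
}

/* Pointer to 8-KB block n (0..15), or NULL when n is out of range. */
uint8_t *block_ptr(uint8_t *flash, unsigned n) {
    return n < FLASH_SIZE / BLOCK_SIZE ? flash + (size_t)n * BLOCK_SIZE : NULL;
}

/* OR forces bits on; AND with the inverted mask clears them. */
void set_bits(uint8_t *p, uint8_t mask)   { *p |= mask; }
void clear_bits(uint8_t *p, uint8_t mask) { *p &= (uint8_t)~mask; }

/* Sum of every byte before sum_off, wrapping at 16 bits. */
uint16_t sum16(const uint8_t *block, size_t sum_off) {
    uint16_t sum = 0;
    for (size_t i = 0; i < sum_off; i++)
        sum = (uint16_t)(sum + block[i]);
    return sum;
}

/* Write the sum at sum_off, high byte first (assumed storage order). */
int store_sum16(uint8_t *block, size_t sum_off) {
    if (sum_off + 2 > BLOCK_SIZE) return -1;  /* sum must fit in the block */
    uint16_t s = sum16(block, sum_off);
    block[sum_off] = (uint8_t)(s >> 8);
    block[sum_off + 1] = (uint8_t)s;
    return 0;
}

/* 1 when the stored sum matches the bytes before it, else 0. */
int sum16_ok(const uint8_t *block, size_t sum_off) {
    return sum_off + 2 <= BLOCK_SIZE &&
           sum16(block, sum_off) == (uint16_t)(block[sum_off] << 8 | block[sum_off + 1]);
}

int main(void) {
    static uint8_t flash[FLASH_SIZE];   /* constructed all-zero image */
    uint8_t *b = block_ptr(flash, 1);
    set_bits(&b[0x10], 0x80);           /* the edit leaves the stored sum stale */
    int stale_ok = sum16_ok(b, SUM_OFFSET_PLACEHOLDER);
    store_sum16(b, SUM_OFFSET_PLACEHOLDER);
    printf("before fix: %d, after fix: %d\n", stale_ok, sum16_ok(b, SUM_OFFSET_PLACEHOLDER));
    return 0;
}
```

On a real Project64 .fla file the swap runs once after loading and once more before writing the buffer back, so the file keeps the byte order the emulator expects.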

retroben
23rd March 2014, 08:38 PM
Punch Action Mod
802B491F 00xx
802B6F83 00xx
06=Default
0E=Fake Damage
13=Beak Barge
31=Roll
There are two because of idle and moving conditions.

Edit:I found out something interesting about these action mods.
They correspond in multiple situations.

Beak Buster Action Mod
802B15A7 00xx
05=Jump
0F=Default
22=Mid-air Shock Jump
24=Instant Flying
You can still exit flying by Beak Busting.

Fly Buster Action Mod
802A3E8F 00xx
The Beak Buster when flying.

Shock Buster Action Mod
802A70B7 00xx
The Beak Buster when using the Shock Jump.

Backflip Buster Action Mod
802A317B 00xx
The Beak Buster when doing a backflip.

Banjo-Kazooie's action modifying is more custom than I thought!

Edit:

Feathery Buster Action Mod
802A2CBF 00xx
The Beak Buster when using Feathery Flap.

Air-tion End Buster Action Mod
802B188F 00xx
The Beak Buster after an air action that leads to the 2F action.

retroben
23rd March 2014, 09:58 PM
Now if you use this...

code
802A2CBF 0024
802A3E8F 002F
802A70B7 0022
802B15A7 0022
802B188F 0022

You can always ShockSpring Jump with jumping,SS jumping,and Air-ction End.
And instead of SS Jump when Beak Busting in a Feathery Flap,you will be flying!
Now finally,you also air cancel in flight instead of Beak Busting,allowing you to SS Jump again!

Too bad you can't do FF twice in the air.

This code is awesome!

retroben
23rd March 2014, 10:46 PM
Landing Action Mods
802B15C7 00xx
802B1903 00xx
20=Defaults

Talon Off Action Mods
802A8DE7 00xx
802A9297 00xx
04=Instant
17=Defaults

Turning Action Mod
802B7AEB 00xx
04=Instant Turn
0C=Default
58=Painful Tripping

Instant Talon-Trots
802A8DE7 0004
802A9297 0004
802ADD6F 0015
802B7AEB 0004
You can spam into and out of Talon-Trotting.

Splash Action Mod
802A86FF 00xx
2C=Water Music Glitch
2D=Default

Get Into Water Action Mod
802B7B6B 00xx
2D=Default

Stride Stop Action Mod
802B5D03 00xx
2D=Default

Swim Action Mod
802B5A4F 00xx
2E=Default

retroben
23rd March 2014, 11:49 PM
A random code I just found.

No HUD
802FABB3 0001
2C=Default Value

Edit:Finally some more.

Termite Slope Talon-Slide Action Mods
802A8E17 00xx
802A92C7 00xx
802A9847 00xx
08=Talon-Jump
41=Death Challenge
45=Defaults

Banjo Slope Slide Action Mods
802B496B 00xx
802B74BF 00xx
802B7B4F 00xx
05=Jump
32=Defaults
41=Death Challenge
Also works on termite slopes.

Mutual Damage
802963B3 001B
802963F3 001B
Updated with Talon-Trot Damage.

retroben
24th March 2014, 02:24 AM
Fast Swim-stroke
802A78B7 0006

Beak Slam Action Mod
802A00E7 00xx
20=Landing
72=Default
Beak Slam is the damage action after a Beak Buster from too high up.

HatCat
24th March 2014, 08:56 PM
Here we are; I was able to release save-editing tool.
http://forum.pj64-emu.com/showthread.php?t=4419

It's open-source and all that, so it might be used to create other things like a GUI.

retroben
24th March 2014, 10:40 PM
Nice!
I will see if I can even figure out how to use it,because unlike you,I suck at manual and precise commands of text on CMD.

If I fail,I will just have to hope for a GUI.
Besides,it does not have the most important part yet,the has cheato code in list flags.
That is needed for the keyboard users that can't have and/or use a joystick,or otherwise prefer using a keyboard.

On an unrelated note,I just boosted my internet speed even more by fixing an internet tweak I had already done.
I got approximately 48.0Mbps on my 30.0Mbps Charter Internet plan.

How am I getting more speed than my ISP cap!

retroben
24th March 2014, 10:53 PM
I have an idea for a code that can preset all but one letter for x cheato code currently being entered.
I hope it is not located in a pointer-based address location.

retroben
24th March 2014, 11:14 PM
Retroben used Triple-post!

IT'S SUPER EFFECTIVE!

I just successfully used the .cmd batch file to enable some cheats at the very beginning.

Me being snobby:I could still do it much faster with a GUI.

retroben
24th March 2014, 11:33 PM
Banjo-Kazooie (U) (V1.0)

Uncapped Egg Shots (from behind)
802A224B 000C
Just mash C-down while crouching.

Edit:I finally found a stable egg shot limit code,at least for behind.

Egg Shots At A Time (from behind)
802A223B 000x
x=amount
An example is you can shoot up to five at a time with 05 and nine with 09.

HatCat
25th March 2014, 12:16 AM
There, see? You can do it if you try. :D

Besides,it does not have the most important part yet,the has cheato code in list flags.
That is needed for the keyboard users that can't have and/or use a joystick,or otherwise prefer using a keyboard.

That's kind of retarded. Why would that be "the most important part"?

The most important part is just being able to enable/disable the cheats AT ALL, period. Allowing you to indirectly do it by using the cheats list in the game is just an indirect way of accomplishing that goal, and it would still have required you to use the command-line console script I wrote anyway, even if my program did support it.

Besides, I'm a keyboard-only user myself. :3 Keyboard users love the terminal. :p

retroben
25th March 2014, 12:28 AM
Egg Fart/Lay Disabler
802A2213 000x
C=Disables Egg Fart/Lay
D=Default
This makes no eggs come out AND mutes the fart sound.

Faster Egg Lay
802A2187 0003

Faster Egg Spit
802A256B 0001

retroben
25th March 2014, 01:36 AM
Found a missing code.

Punch Sound Modifiers
812AB4BA 0xxx
812AB4EE 0xxx
812AB506 0xxx
0002=Defaults
0009=Squeak
003E=Fart
The 2nd punch seems to read from the first punch's value for some reason.
The 2nd punch will only work if the first one is the same.

Endless Feathery Flap
802A2B67 004C
You endlessly flap when tired.

Ratta-Tat Rap Sound Modifier
812A66B6 0xxx
0042=Default

No Ratta Challenge
802A66A7 0006

Ratta-Tat Rap Length
812A67C6 xxxx
3E00=Shorter
3F00=Default
3F80=Six
4000=Long
4100=Longer

Talon Jump Sound Modifier
812A945E 0xxx
0048=Default

retroben
25th March 2014, 05:11 AM
Here is a sound volume enhancer code for the Play As Gruntilda code on page 18.

Some Louder Gruntilda Sounds
812A29C2 7FFF
812A2A0A 7FFF
812B1E4A 7FFF
812B1EA6 7FFF
812B6B3A 7FFF

retroben
25th March 2014, 09:32 PM
I have some info regarding the condition for entering at least the Super Banjo cheat.
It is a pointed address like the ones for Player Status.
I just hope it does not differentiate like the animation modifier location.

Address for base position=0x80135490
View the 32bits value in the memory viewer.

Last Base Position=801B0860=0000
+03E0=Transparency/Walking Type 16bits value=FF 01

Offsets

0x001E9078=+38818

01 01 00 00=Cheato has been entered/waiting for code.

0x001E91C0=+38960

00 09 00 09=SUPER BANJ has been entered,shoot O to receive the Super Banjo cheat in your list.

nihon24
25th March 2014, 11:41 PM
Egg Fart/Lay Disabler
802A2213 000x
C=Disables Egg Fart/Lay
D=Default
This makes no eggs come out AND mutes the fart sound.

Faster Egg Lay
802A2187 0003

Do you have a code for slow egg laying?
Also, I tried the egg fart disabler and it didn't seem to work. (there are still eggs)

retroben
26th March 2014, 02:19 AM
Strange,it works fine for me.

Egg Lay Disabled
802A2213 000C

Also LOL I found slow egg laying in the same address as the faster one!

Slow Egg Lay
802A2187 0002
The same address for faster egg lay.

Edit:the slow/fast egg lay code seems to have a mind of its own.

After feathery flap,02 or 03 goes slow,after walking,02 or 03 goes fast.
So they are actually the same effect,meaning it is context sensitive.
It is sensitive to context.

nihon24
26th March 2014, 03:18 AM
Strange,it works fine for me.

Egg Lay Disabled
802A2213 000C

Also LOL I found slow egg laying in the same address as the faster one!

Slow Egg Lay
802A2187 0002
The same address for faster egg lay.

Edit:the slow/fast egg lay code seems to have a mind of its own.

After feathery flap,02 or 03 goes slow,after walking,02 or 03 goes fast.
So they are actually the same effect,meaning it is context sensitive.
It is sensitive to context.

Oddly enough, it's not working for me

As for the egg laying speed, I noticed that as well.

retroben
28th March 2014, 12:29 AM
I had to remove two lines from the Gruntilda Sounds code to stop it from making you move too slowly.
It will be missing the two sounds I had to remove.

Gruntilda (sounds) Fixed
812A251A 0131
812A29B2 0142
812A29FE 0164
812A478A 012A
812A4816 0131
812A4846 0132
812A49B2 012A
802A66B7 00ED
812A8826 018D
812A883E 018E
802A945F 00EE
812B1E3E 0163
812B1E9A 0130
812B4682 0131
812B6B2E 0133
81364564 012A
81364566 0131
81364568 0132
8136456A 0133
8136456C 012A
8136456E 0131
81364570 0132
81364572 0133
80364575 00EC
80364577 00ED
80364579 00EE
Fixed slow movement for when enabled on startup.

retroben
10th April 2014, 08:18 PM
Banjo-Tooie (U)

Kazooie Torpedo Tail
81120000 3C0E
81120002 0101
81120004 AC8E
81120006 0EC4
Requires master code.
Kazooie alone always has the fan blade as if she was swimming as a torpedo.

The master code is on the first page of this thread.

retroben
10th April 2014, 10:46 PM
Breegull Bash Kazooie Stays Visible D-PAD UP
81120000 3C0E
81120002 0006
81120004 2400
81120006 0DB2
D1081084 0800
81120004 AC8E
Requires master code.
Press D-PAD UP during a Breegull Bash.

Edit2:I can only set it to a button.