Mario Kart 64 Hacking General Discussion

[shygoo]

MK64 (U) hacking doc
by shygoo
Aug 31 2015
______________________________________________________

ROM/RAM map
     ROM    RAM      Description
CODE ?????? 800067C4 Set places (1st, 2nd, etc)
     ?????? 800115F4 Process path data on course load
     ?????? 8002F35C Controls cpu movement along track while player is moving
     ?????? 800400D0 MIO0 decoder
     ?????? 800404C0 MIO0 encoder
     ?????? 800405D0 TKMK00 decoder
     ?????? 80093134 Print text
     ?????? 8009338C Print text
     ?????? 80093788 Print text
     ?????? 80099124 Segmented to virtual address converter
     ?????? 80099154 Segmented to virtual address converter (duplicate)
     ?????? 800C4148 Play sound
DATA ------ 800DC53C Game mode selection
     ------ 800DC598 Course timer (float)
     ------ 800DC5A0 Course selection
     0E3AD0 800E2ED0 Kart unique settings table, 40 bytes per entry
     0F0468 800EF868 Ascii text bank
     0F4BB0 ???????? "RSP Gfx ucode F3DEX 0.95 Yoshitaka Yasumoto Nintendo."
     0F53B0 ???????? "RSP Gfx ucode F3DLX 0.95 Yoshitaka Yasumoto Nintendo."
     ------ 80150258 RAM Segments table
     ------ 80165C18 Course RAM objects array? (bowser whomps, luigi hot air balloon)
     ------ 8018EDE4 Character selections
     ------ 8018EDF0 Player count selection
CODE ?????? 8029D584 Place x with segment 06 offset
     ?????? 8029D60C Place bushes with segment 06 offset (bowser's castle)
     ?????? 8029D830 Place all item boxes using segment 06 offset
     ?????? 802A7B94 Segment base setter
     ?????? 802A85CC MIO0 '0F' list related
     ?????? 802A9AF4 Display list unpacker (A0 = segmented address of packed dlist, A1 = length)
     ?????? 802AA918 Course data main loader 
DATA 122390 802B8D80 Course data reference table
     1232A4 802B9C94 Jump table for segment 7 display list unpacking
     ------ 802BA274 Index for packed dlist commands
     12A1F0 ???????? Ascii text bank (credits)
     132B50 -------- First MIO0 block
     145470 -------- Kart texture and palette bank (MIO0 8CI textures, raw RGBA5551 palettes)
     641F70 -------- Course texture bank
     712DC0 -------- An MIO0 bank (kart exaust textures?)
     729A30 -------- MIO0 Large character face textures
     7FA3C0 -------- TKMK00 bank
     820FC0 -------- Last TKMK block in ROM
     821D10 -------- Two MIO0 blocks
     8284D0 -------- Course assets MIO0 bank
     88CD70 -------- Course texture/Seg06 dlist reference bank
     88FA10 -------- Course MIO0 vertex data & special dlist bank
     963EF0 -------- Last MIO0 block in ROM
     BC5F60 ???????? M64 music data
     BE9160 -------- End of ROM, 93856 padding bytes
______________________________________________________

RAM segments table (80150258)
 00 General purpose, always 0x00000000
 01 ?
 02 ?
 03 Common textures
 04 Course mesh, for both collisions and graphics
 05 Course textures
 06 Some display lists, item box placements, path data
 07 Generated display lists which reference the course mesh data
 08 ?
 09 Texture list and segment 06 display list jump table is loaded here
 0A ?
 0B ?
 0C ?
 0D ?
 0F Temporary buffer for course mesh MIO0 and packed dlists || Course collisions table (44 byte entries)

Course data reference table (122390 / 802B8D80)
 This table references course display lists, vertex data, textures, object placements; each entry is 0x30 bytes:
                            00     04       08     0C       10     14      18       1C       20       24       28       2C
 Mario Raceway       0000: [8284D0 82B620] [88FA10 89B510] [88CD70 88D070] 0F000000 0000167D 0F0096F4 00006930 09000000 00000000
 Choco Mountain      0001: [82B620 82DF40] [89B510 8A7640] [88D070 88D340] 0F000000 000015B8 0F00A0B4 00005AE8 09000000 00010000
 Bowser's Castle     0002: [82DF40 831DC0] [8A7640 8B9630] [88D340 88D6C0] 0F000000 00002537 0F00E368 00009918 09000000 00000000
 Banshee Boardwalk   0003: [831DC0 835BA0] [8B9630 8C2510] [88D6C0 88D9C0] 0F000000 00001351 0F0068E8 00007340 09000000 00010000
 Yoshi Valley        0004: [835BA0 83F740] [8C2510 8CC900] [88D9C0 88DAB0] 0F000000 00000E88 0F007D90 00008158 09000000 00000000
 Frappe Snowland     0005: [83F740 842E40] [8CC900 8D8E50] [88DAB0 88DB40] 0F000000 00001599 0F009D24 00006648 09000000 00000000
 Koopa Troopa Beach  0006: [842E40 84ABD0] [8D8E50 8EC390] [88DB40 88DC50] 0F000000 000024A0 0F00FD78 0000B2B8 09000000 00000000
 Royal Raceway       0007: [84ABD0 84E8E0] [8EC390 8FE640] [88DC50 88E120] 0F000000 00002072 0F00EC60 0000B128 09000000 00000000
 Luigi Raceway       0008: [84E8E0 852E20] [8FE640 90B3E0] [88E120 88E590] 0F000000 00001730 0F009800 0000C738 09000000 00000000
 Moo Moo Farm        0009: [852E20 857E80] [90B3E0 91B980] [88E590 88E8D0] 0F000000 00001F24 0F00DAEC 00006738 09000000 00000000
 Toad's Turnpike     000A: [857E80 8666A0] [91B980 928C70] [88E8D0 88ECD0] 0F000000 000018D7 0F00A5D0 00006B10 09000000 00000000
 Kalimari Desert     000B: [8666A0 86ECF0] [928C70 936FD0] [88ECD0 88EFB0] 0F000000 000018F9 0F00B394 0000A678 09000000 00000000
 Sherbet Land        000C: [86ECF0 872A00] [936FD0 93CC60] [88EFB0 88F2A0] 0F000000 00000A76 0F0049F8 00003850 09000000 00000000
 Rainbow Road        000D: [872A00 8804A0] [93CC60 9438C0] [88F2A0 88F300] 0F000000 00000C27 0F005A5C 00002100 09000000 00000000
 Wario Stadium       000E: [8804A0 885630] [9438C0 951780] [88F300 88F600] 0F000000 000017B3 0F00A9CC 0000A4B8 09000000 00000000
 Block Fort          000F: [885630 885780] [951780 953890] [88F600 88F680] 0F000000 00000440 0F0018D8 000015D0 09000000 00000000
 Skyscraper          0010: [885780 8858A0] [953890 955620] [88F680 88F800] 0F000000 0000043E 0F001678 00001118 09000000 00000000
 Double Deck         0011: [8858A0 885A10] [955620 956670] [88F800 88F830] 0F000000 0000022B 0F000CD4 00000748 09000000 00000000
 DK's Jungle Parkway 0012: [885A10 88CC50] [956670 963EF0] [88F830 88F9C0] 0F000000 0000162F 0F00A45C 00009C20 09000000 00000000
 Big Donut           0013: [88CC50 88CD70] [963EF0 966260] [88F9C0 88FA10] 0F000000 0000048D 0F001B84 00001078 09000000 00000000

+---0x00: 008284D0 0082B620 // MIO0 block containing display lists, item box placements, path data, and ??; decoded to segment 06
|+--0x08: 0088FA10 0089B510 // Copied to segment 0F - MIO0 block of course vertex data (gfx & collisions); decoded to segment 04, followed by packed display list, decoded to segment 07
||+-0x10: 0088CD70 0088D070 // Course texture MIO0 block references (segment 05), segment 06 display list references
||| 0x18: 0F000000 // Segment to load vertex data and packed dlists pre-decompression/unpacking ?
||| 0x1C: 0000167D // ? (gets multiplied by 24 at some point)
||| 0x20: 0F0096F4 // Segment offset of packed display list (unpacked to segment 7)
||| 0x24: 00006930 // Segment 7 unpacked dlist size?
||| 0x28: 09000000 // Segment to load texture list and dlist jump table?
||| 0x2C: 0000     // ? 0000 or 0001
||| 0x2E: ----     // struct padding, unused
||| 
||+-> Reference structure (16 bytes each): // related function 802A85CC
||     0x00: 0F001080 // Offset of an MIO0 block relative to 641F70 (the '0F' prefix is ANDed out)
||     0x04: 00000149 // MIO0 block size
||     0x08: 00000800 // Decompressed image size (eg 32x32 = 0x800, 64x32 = 0x1000)
||     0x0C: 00000000 // ? Always 0
|| 
||     At the end of the MIO0 block reference list there are 16 bytes of null padding followed by a list of segmented addresses referencing display lists in segment 06
||
|+--> Mesh vertex structure:
|      ROM (14 bytes): | RAM (16 bytes):
|       0x00: s16 Vx   |  0x00: s16 Vx
|       0x02: s16 Vy   |  0x02: s16 Vy
|       0x04: s16 Vz   |  0x04: s16 Vz
|       0x06: s16 U    |  0x06: u16 ?
|       0x08: s16 V    |  0x08: s16 U
|       0x0A: ?        |  0x0A: s16 V
|       0x0B: ?        |  0x0C: u8  R
|       0x0C: ?        |  0x0D: u8  G
|       0x0D: ?        |  0x0E: u8  B
|                      |  0x0F: u8  A
|
|       Looks like a,b,c,d (rom) are the vertex color channels but the data differs slightly in ram, code should be checked
|    
+---> Offsets for segment 6 assets are hardcoded

 802AA918 Function called to load a course's assets using the course data table
  800DC5A0 holds the current course selection ID, which is passed to this function
  
______________________________________________________

Segment 0F collision structure

 0x00 u16 ?
 0x02 u8  unused
 0x03 u8  collision attribute
 0x04 s16 ?
 0x06 s16 ?
 0x08 s16 ?
 0x0A s16 ?
 0x0C s16 ?
 0x0E s16 ?
 0x10 s16* vertex reference
 0x14 s16* vertex reference
 0x18 s16* vertex reference
 0x1C float ?
 0x20 float ?
 0x24 float ?
 0x28 float ?
 
 Collision attributes:
  0x00 ?
  0x01 Asphalt
  0x02 Slightly bumpy
  0x03 Dirt
  0x04 ?
  0x05 Snow?
  0x06 ?
  0x07 Sand?
  0x08 Grass (slows kart)
  0x09 Ice (creates reflection)
  0x0A Dirt?
  0x0B Snow?
  0x0C ?
  0x0D Clay? (red dust)
  0x0E Railroad tracks (creates sound)
  0x0F ?
  0x10 Bumpy (creates sound)
  0x11 Bumpy (creates sound)
  0x12 ?
  0x13 ?
  0x14 ?
 
 (check 802AE9D0)
______________________________________________________
 
800EF868 / F0468 Ascii text bank

Printer functions:
 8009338C (a0 = x, a1 = y, a2 = pointer to asciiz string, a3 = controls text spacing) large
 80093788
 80093134

Special ascii sequences:
 A3 EE small "ND"
 A3 F2 small "RD"
 A3 F3 small "ST"
 A3 F4 small "TH"
______________________________________________________

Objects/behavior related
 80040EE0 void thwomp_move(float* thwomp_y) moves a thwomp up and down
 8008B80C object x,y,z initialisation // callers: 80074C24, 80085484
 800DC59B float course timer
 801660A4 float Y coordinate of Luigi raceway hot air balloon
 80166424 float Y coordinate of a thwomp, 801675A4 another one
 
 course item box array 80160218
 item_box {
  ...
  float shadow_coord_y; // 0x08
  ...
  float coord_x; // 0x1C
  float coord_y; // 0x20
  float coord_z; // 0x24
  ...
 }
 
 
 80165C18 course complex object array
 course_object { // 224 bytes each
  ...
  float coord_x; // 0x28
  float coord_y; // 0x2C
  float coord_z; // 0x30
  ...
 }
 
______________________________________________________
Other notes
 TKMK00 blocks seem to only contain image data for the background on startup, and startup selection screens
 800BC360 m64 related code
  
Todo:
 Check on vertex color rom -> ram change
 Find where collision data comes from
 Collect all hardcoded segment 06 pointers
 Draft "course script" engine to replace the hardcoded stuff
 Add parameter to course table for optional raw display list
 Find course m64 references
 Find course complex object placement method


A work-in-progress webgl/three.js level viewer: (demo)

Spoiler: Screenshot

https://github.com/shygoo/mk64project all of my documents and tools can be found here

[PablosCorner]

(02-02-2015, 08:37 PM)shygoo Wrote: The day is pretty dead at work right now because of snowstorms and such so I'm screwing around a little bit with mario kart.

Here's a map of all the encoded files along with some very unconfirmed asm routines to go with them. I haven't found out how the files are pointed to yet (I'm pretty limited in what I can do right now; since I'm at work I'm just keeping the emulator game window off-screen kek). I found that there are over 3000 mio0 headers and 25 different JALs to the mio0 decode routine, which I suspect might turn out to be a pain in the ass later but we'll see.

mio0_encode?  80040030(?...) // calls @ 802A83EC, 802A84C4
mio0_decode   800400D0(a0 = file, a1 = dest) // 25 calls (ugh)
tkmk00_decode 800405D0(a0 = pointer to head, a1 = end??, a2 = dest?, a3 = ??)
set_segment?  802A7B94(?...)

TKMK00 header map: http://pastebin.com/NnGnYfSu
MIO0 header map: http://pastebin.com/SSnykJa9

​

I would love to see MK64 hacking happen and evolve like SM64. (custom levels, music, etc)

[shygoo]

I've revisted this, main post is updated with some more information and a little extraction program

[shygoo]

Main post updated again; I think there's almost enough information here for a course editor now.

Here's what's on my todo list:
-Collect all hardcoded segment 6 pointers
-Draft "course script" engine to replace the hardcoded stuff
-Find course m64 references
-Find course object placement method (not item boxes)
-Find what 0x18:0x2C in course data structs are for
-Find how segment 5 is filled (course textures)
-Find how segment 7 f3d is generated
-Find what 8029D584 function does

Also, here's a pretty render of rainbow road's path data:

[awesomefriends56]

(13-08-2015, 08:23 PM)shygoo Wrote: Main post updated again; I think there's almost enough information here for a course editor now.
Also, here's a pretty render of rainbow road's path data:
*snip*

​

I'm interested to see how this ends up. Maybe we can eventually end up with custom track packs by the community like that seen in CTGP-R for the Wii. Also in that render, would I be correct in saying that those are all points where the AI looks to go to?

[shygoo]

Yup, the AI follows those points.

---

New mario raceway pic: awfully rendered level geometry (no display lists at the moment, they are weirdly encoded), path data, item boxes, trees, piranha plants, and another type of path data (yellow) which is a mystery to me.

[orbitaldecay]

I cannot convey how happy I am to have found this thread. I started work on a kart editor a few weeks ago. I'm currently mucking through image compression / importing / exporting. I've found a boat load of kart variables (weight, handling, speeds, things that effect physics, etc.) It's way past my bedtime right now, but I'll hop on tomorrow and post everything I've found to add to the list.

Let me know if you're interested in collaborating on tools.

Btw, there's some useful information in another thread I started here. Also, not sure if you're still trying to figure out how segment 5 is filled, but the function that fills it is at 802AA7C8 in RAM. It just decompresses all of the textures in the track listing and writes them sequentially.

[shygoo]

Did you come across this one?

Quote:​
0E3AD0 800E2ED0 Kart unique settings table, 40 bytes per entry

​
I noticed the floats here seem to effect the way the individual karts handle but I'm not sure how it's structured.

Yeah we can collab, my skype is shyguyhex and I'm on the #origami64 irc all the time

---

​
I've updated my webgl course viewer with a built in mio0 decoder to load roms instead of having to load individual decompressed files. It can be tested here.

[orbitaldecay]

Yeah, I've seen the table at 800E2ED0, but  I haven't figured out exactly what it does yet. Here are most of the tables I've identified so far:

​Kart properties:

ROM    RAM      Description
?????? 800DDBD4 Kart Scale
?????? 800DDE34 Kart Graphics (Wheel Base) (Pointers)
?????? 800E257C 50cc Kart Speed
?????? 800E259C 100cc Kart Speed
?????? 800E25BC 150cc Kart Speed
?????? 800E25DC Extra Kart Speed
?????? 800E25FC Battle Kart Speed
?????? 800E2630 Kart Friction
?????? 800E2650 Kart Gravity?
?????? 800E2690 Kart Top Speed
?????? 800E26B0 Kart Bounding Box Size (also affects camera angle)
?????? 800E3010 Kart Acceleration (Pointers to structs)
?????? 800E3630 Kart Handling (Turn Angle)
?????? 800E3670 Kart Turn Speed Reduction Coefficient
?????? 800E3690 Kart Turn Speed Reduction Coefficient 2
?????? 800E36D0 Kart Hop Height
?????? 800E36F0 Kart Hop Fall Speed
121DA0 802B8790 Kart Weight (this gets dma-ed over every time we load a track)

Probability tables:

?????? 801A7A90 Item Table (GP Human) - 8 Entries
?????? 801A7DB0 Item Table (GP Computer) - 8 Entries
?????? 801A80D0 Item Table (VS 2 Player) - 2 Entries
?????? 801A8198 Item Table (VS 3 Player) - 3 Entries
?????? 801A82C4 Item Table (VS 4 Player) - 4 Entries
?????? 801A8454 Item Table (Battle) - 1 Entry

Weapon values:

00: Nothing
01: Single Bananna Peel
02: Triple Bananna Peels
03: Single Green Shell
04: Triple Green Shell
05: Single Red Shell
06: Triple Red Shell
07: Blue Shell
08: Lightning Bolt
09: Evil Item Box
0A: Star
0B: Ghost
0C: Single Mushroom
0D: Two Mushrooms
0E: Three Mushrooms
0F: Super Mushroom

The probability tables work like this: Each race position has 1 entry. Each entry has 100 cells. Each cell has a weapon value in it. A cell is chosen at random when we hit an item box in the given position.

Things like the player current weapon variables, etc. are pretty easy to find and I haven't included them.

Segment 09 points to a table. The first half of the table contains offsets of compressed textures in the texture bank. It has the following format:
​
00 offset in texture bank
04 compressed size
08 uncompressed size
0C unused (0)
​
Compressed texture bank address is 641F70 in ROM. Offsets are relative to this. After this in the segment 9 table comes a NULL terminator, followed by a bunch of segment pointers to segment 6 (I think this is display list related)?

I am also hanging around the IRC. I'll be in touch about the collab.

Edit: I've also started working on a Mario Kart Nemu64 bookmark file. It's at http://pastebin.com/nYPZ8APk. Just save it as "Mario Kart 64 (U) [!].nbm" in the same directory as Nemu64.exe

[TheSolipsistOwl]

Mario Kart 64 is my favorite game, and one I regularly play throughout the year; I've made a point to check for updates on its hacking progress.

Unfortunately, there's been nothing since the 2009 track Starlight by Rena Kunisaki. Rena had done more hacking on the game than anyone and was developing a tool for custom track design. They've since been considering whether to hack Mario Kart Wii instead, but I've let them know of this project.

I've spoken to Orbital Decay about hacking the game before, and am pleased to see him here. I will do what I can to support the project, even though I have no hacking skillset.