


Mission Impossible Hacking

June 2019 ROM of the Month

This page is under construction! Feel free to add notes and links in whatever way you see fit - we'll polish everything towards the end of the month.


Tools

  • miextract - Basic command-line ROM decompressor

See Also

SDK Functions

80072CA0 alHeapInit
80072CE0 alHeapDBAlloc
80072D30 alSynNew
80072FFC alAudioFrame
800731AC __allocParam
800731D8 __freeParam
800731F0 _collectPVoices
80073244 _freePVoice
800732CC _timeToSamples
800733C0 alSynDelete
800733D0 alSynAddPlayer
80073420 alSynAllocVoice
80073548 _allocatePVoice
80073600 alSynStopVoice
80073680 alSynStartVoice
80073720 alSynSetPitch
800737B0 alSynSetVol
80073900 alSynSetPan
80073990 alSynAllocFX
80073A30 _nsqrtf
80073A40 __cosf
80073B90 coss
80073BC0 guLookAtF
80073F40 guLookAt
8007462C guMtxXFMF
80074790 guPerspectiveF
80074940 guPerspective
80074BF0 __sinf
80074D90 sins
80074EC0 guRandom
80074EF0 osAiGetLength
80074F00 osAiSetFrequency
800750D0 osViSetSpecialFeatures
80075240 osViBlack
800752A0 osContSetCh
80075300 osEepromProbe
80075680 osPfsInitPak
80075F70 osCreatePiManager
80075F78 __Dom2SpeedParam
80075F8C __osPiTable
80075F90 __osCurrentHandle
80076100 __osEPiRawStartDma
800762D0 __osDevMgrMain
80076690 __osSiCreateAccessQueue
80076692 __osBbFatBlock
80076694 __osSiAccessQueue
80076698 __osPiAccessQueue
800766E4 __osSiGetAccess
80076750 __osPiRelAccess
80076780 osPiStartDma
80076830 strchr
80076870 strlen
80076894 memcpy
800768C0 sprintf
80076A00 __osDisableInt
80076A20 __osRestoreInt
80076AA0 osSetIntMask
80076BC0 osWritebackDCacheAll
80076BF0 osCreateMesgQueue
80076C20 osCreateThread
80076CF0 osGetThreadPri
80076D10 osGetTime
80076DA0 osJamMesg
80076EE0 osRecvMesg
80077010 __osResetGlobalIntMask
80077060 osSendMesg
80077190 fbPixel
800771F0 __osSetGlobalIntMask
80077230 osSetThreadPri
800773A0 osStartThread
800774C0 __osDequeueThread
800774C8 __osRunQueue
800774CC __osActiveQueue
800774D0 __osRunningThread
800774D4 __osFaultedThread
80077500 __osTimerServicesInit
80077504 __osProfileOverflowBin
80077508 __osCurrentTime
80077554 __osTimerInterrupt
80077800 osVirtualToPhysical
80077860 osYieldThread
800778C0 osCreateScheduler
80077A08 osScAddClient
80077A60 osScRemoveClient
80077AF0 osScGetCmdQ
800791E0 osContStartReadData
80079268 osContGetReadData
800793C0 osContInit
800793C1 __osContLastCmd
800793C4 __osEepromTimerMsg
800793C8 __osEepromTimer
800793D0 __osContPifRam
800798F0 osPfsIsPlug
80079900 __osPfsPifRam
80079A6C __osPfsRequestData
80079B10 __osPfsGetInitData
8007A910 _init_lpfilter
8007A9B4 alFxNew
8007B140 alAdpcmPull
8007B584 alRaw16Pull
8007B920 alLoadParam
8007BC50 alAuxBusPull
8007BD2C alAuxBusParam
8007CA90 alFilterNew
8007CAB0 alMainBusPull
8007CBF0 alMainBusParam
8007CC20 alResamplePull
8007CE0C alResampleParam
8007DBD0 __udiv_w_sdiv
8007DBE0 alCopy
8007DC20 __osAiDeviceBusy
8007DC40 osDpSetNextBuffer
8007DCE0 osSpTaskLoad
8007DEEC osSpTaskStartGo
8007DF20 osSpTaskYield
8007DF40 osSpTaskYielded
8007DF90 __osViInit
8007DFF0 __osViCurr
8007DFF4 __osViNext
8007E0A0 osViGetNextFramebuffer
8007E120 osCreateViManager
8007E13C __additional_scanline
8007E450 osViSetEvent
8007E4B0 osViSetMode
8007E500 osViSwapBuffer
8007E840 __osSpRawWriteIo
8007E8D0 __osSpRawReadIo
8007FD74 __osPiRawWriteIo
8007FDE0 __osPiRawStartDma
8007FEB0 osPiGetCmdQueue
8007FEC0 __osGetActiveQueue
80080650 _bcopy
80080970 _bzero
80080A10 _Printf
80081460 osGetCount
80081470 __osGetSR
80081500 __osProbeTLB
800815C0 __osSetCompare
800815D0 __osSetFpcCsr
800815E0 __osSetSR
800815F0 osMapTLBRdb
80081650 osDestroyThread
80081720 __osDpDeviceBusy
80081740 __osSpDeviceBusy
80081760 __osSpGetStatus
80081770 __osSpSetStatus
80081780 __osSpSetPc
800817B0 __osSpRawStartDma
800818B0 __osGetCurrFaultedThread
800818C0 __osSiDeviceBusy
800818E0 _Litob
80081B30 _Ldtob
800825C0 ldiv
80082644 lldiv

"Burp" Headers

Burp headers describe a series of compressed or uncompressed data blocks in ROM.

/*
 * One entry of a Burp header's block table, describing a single data block.
 *
 * NOTE(review): dstSize is presumably the size after decompression and
 * srcSize the size as stored in ROM; the unk10 note below suggests equal
 * sizes mean the block is stored uncompressed -- confirm.
 *
 * A tool that reads these entries from a ROM image (in particular a modified
 * one) should treat every field as untrusted: check that offset + srcSize
 * stays inside the file, and bound dstSize before allocating or writing the
 * output buffer.
 */
struct BurpBlock
{
    u32 dstSize;  // 0x00
    u32 srcSize;  // 0x04
    u32 unk08;    // 0x08, purpose unknown
    u32 offset; // relative to start of BurpHeader
    u8 unk10[4];  // 00000000 when dst and src are the same size, otherwise 04000000
};

/*
 * Header of a Burp block table: a 4-byte signature, a block count, then the
 * block entries themselves.
 *
 * signature holds exactly the four characters "Burp" with no room for a NUL
 * terminator, so compare it with memcmp(..., 4) rather than a string function.
 * numBlocks comes straight from the ROM; a parser should check it against the
 * bytes remaining in the file before walking blocks[].
 */
struct BurpHeader
{
    char   signature[4];  // "Burp"
    u32    numBlocks;     // presumably the number of entries in blocks[] -- confirm
    struct BurpBlock blocks[];
};

Map of all burp headers: https://pastebin.com/raw/QT8gVWun


Level Objects

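/*
 * Runtime level object as laid out in RAM.
 *
 * The offset comments assume 4-byte pointers (unk00 at 0x00, unk04 at 0x04);
 * with that assumption the members below add up to 0x80 bytes. Do not overlay
 * this struct on a RAM dump in a host tool built with 8-byte pointers; read
 * the pointer members as u32 instead.
 *
 * Members named unkNN have no confirmed meaning; NN is the member's offset.
 */
struct Object {
    /*0x00*/ void *unk00;
    /*0x04*/ void *unk04;
    /*0x08*/ u32   unk08;
    /*0x0C*/ u32   unk0C;
    /*0x10*/ u8    unk10[2];
    /*0x12*/ u16   unk12; // unioned with two u8's
    /*0x14*/ u16   unk14;
    /*0x16*/ u16   unk16;
    /*0x18*/ vec3f position;
    /*0x24*/ u8    unk24[0x0E];
    /*0x32*/ u16   unk32;    // named after its offset; a second "unk16" would not compile
    /*0x34*/ u8    unk34[0x0C];
    /*0x40*/ vec3f rotation;
    /*0x4C*/ s32   timer;    // copied from gFrameCount
    /*0x50*/ u8    unk50[2]; // player: FFFF
    /*0x52*/ u16   unk52;    // some flags? unsetting bit 5 makes object invisible
    /*0x54*/ s32   unk54;    // maybe an animation counter, but locking it seems to have no effect
    /*0x58*/ u8    unk58[4]; // 003d0900 for player object
    /*0x5C*/ s32   unk5C;
    /*0x60*/ struct Object *unk60;
    /*0x64*/ u8    unk64[4];
    /*0x68*/ s16   unk68; // 0x0004 for player object
    /*0x6A*/ s16   unk6A; // 0x0005 for player object
    /*0x6C*/ s32   unk6C;
    /*0x70*/ u8    unk70[8];
    /*0x78*/ u16   unk78;
    /*0x7A*/ u16   unk7A;
    /*0x7C*/ u8    unk7C[4]; // 00058800 for player object
};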
/*
 * Globals for the level object list.
 * NOTE(review): the leading hex comments are presumably the RAM addresses of
 * the variables themselves -- confirm.
 * gNumLevelObjects is signed; a tool that walks gLevelObjects from a RAM dump
 * should reject a negative or implausibly large count before indexing.
 */
/*80086190*/ struct Object *gLevelObjects;
/*80093840*/ s16 gNumLevelObjects;

Below is the header struct for level object placement data. When a level is loaded, one of these structs is decompressed from ROM along with the ObjectPosRot and ObjectPosArray structs that follow it. All pointer members of this struct are initially offsets relative to the beginning of the struct, but the game converts them to virtual addresses in-place.

/*
 * Header of a level's object placement data: count/pointer pairs, ending in
 * a flexible array of ObjectPosArray pointers.
 *
 * In the decompressed ROM data every pointer member holds an offset relative
 * to the start of this struct; the game rewrites them to virtual addresses
 * in place after loading. The offset comments assume 4-byte pointers, so a
 * host-side parser should read these members as u32 offsets rather than
 * overlaying the struct, and should check each offset and count against the
 * size of the decompressed block before following it.
 */
struct ObjectPlacements
{
    /*0x00*/ s32    numPlacements0;
    /*0x04*/ struct ObjectPosRot *placements0;
    /*0x08*/ s32    numPlacements1;
    /*0x0C*/ struct ObjectPosRot *placements1;
    /*0x10*/ s32    numPlacements2;
    /*0x14*/ struct ObjectPosRot *placements2; // unconfirmed type
    /*0x18*/ s32    numPlacements3;            // presumably the length of placements3[] -- confirm
    /*0x1C*/ struct ObjectPosArray *placements3[];
};
/*
 * One placement record: two unknown bytes followed by a position and a
 * rotation. The offsets (0x02, then 0x08) imply vec3s is 6 bytes, presumably
 * three s16 components, giving a 0x0E-byte record.
 */
struct ObjectPosRot
{
    /*0x00*/ u8    unk00[2];
    /*0x02*/ vec3s position;
    /*0x08*/ vec3s rotation;
};
/*
 * A counted list of positions.
 * numPositions is signed and comes from decompressed ROM data; a parser
 * should reject negative values and check that the positions fit inside the
 * decompressed block before reading positions[].
 */
struct ObjectPosArray
{
    /*0x00*/ s32   numPositions; // presumably the length of positions[] -- confirm
    /*0x04*/ vec3s positions[];
};
/*
 * Pointer to the current level's placement header.
 * NOTE(review): the leading hex comment is presumably the RAM address of this
 * variable -- confirm.
 */
/*0x800A98CC*/ struct ObjectPlacements *gObjectPlacements;

Breakdown of object placement data for the first mission: https://pastebin.com/raw/657rL7jD

mission_impossible.1560733832.txt.gz · Last modified: 2019/06/17 01:10 by shygoo