Tweet
I was successful at hacking a Wiimote/Nunchuk motion activated code. I thought I would share how I did it in layman’s terms. I’ll be using Cocoto Kart Racer [CKR] (Wii) as an example.
-Note that I am using Dolphin along with aldelero5 ram viewer.
-All values are in hex.
-It is assumed you know how to find the “button” activators for games. If not go here for an excellent explanation on how to do that:
https://gamehacking.org/faqs/Wii-Hacking_Button_Activators.pdf
Because addresses change from course to course, ASM code hacking was a must. In addition, said ASM pisses the game off while booting and causes it to lock up, necessitating the use of button activators.
Here is the code in its original state before using Wiimotion:
Infinite Ammo/power-ups (Note)
281ADA8C 00001400 Button Activator -> If value at 801ADA8C = 1400 execute code below [B and (-) = 1400]
C2054774 00000001 This gives you infinite ammo/power-ups on picked up items.
38030000 00000000
C2058FA8 00000001 This gives you a quantity of 3 on weapons/power-ups that normally
38000003 00000000 only give you 1.
C2058FAC 00000002
38000003 901E0154
60000000 00000000
C2055750 00000001 If you lose your weapon/power-up, you will automatically be given
380000XX 00000000 weapon/power-up XX with infinite ammo
E0000000 00000000 Half-way terminator.
281ADA8C 00001000 Button Activator -> If value at 801ADA8C = 1000 execute code below [(-) = 1000]
C2054774 00000001 This restores the ASM coding to its original state. Game operates normally.
3803FFFF 00000000
C2058FA8 00000001
38000001 00000000
C2058FAC 00000001
901E0154 00000000
C2055750 00000001
38000000 00000000
E0000000 80008000 Full terminator.
(Note) Press B and (-) to activate. This effects the other racers also. If they receive XX = 06 – Red Fairy/Storm Angel, or you set this value in the code, it results in a cluster funk, with all of the racers being hit by lightning. Press (-) to deactivate the code if this happens. If you want to change weapons/power-ups, deactivate the code to use up the currently held item, then reactivate to get a new weapon/power-up. Don’t activate code until you’re at the starting line.
XX – Weapon/Power-up Modifier
01 – Mosquito Fork/Dart
02 – Fireball/Piranha
03 – Turbo
04 – Invincibility
05 – Blue Fairy/Storm Angel
06 – Red Fairy/Storm Angel
07 – Fireball/Explosive Cloud
08 – Tomato
09 – Sticky Lava Ball/Paralyzing Ice
The code works great, but pressing button combinations to activate/deactivate while racing, is
a drag and is not very intuitive. So, I turned my attention to the motion capabilities of the Wiimote/Nunchuk. At first, I used the Nunchuk, but ultimately decided against it, because during the heat of racing, I found myself intermittently activating/deactivating the code with unintended Nunchuk movement.
The Wiimote was a much better choice, as most people aren’t going to wield it like a Flakka Dancer.
The process for finding the activator address is the same for the Nunchuk and Wiimote.
Here is how to find the Wiimote motion activator addresses:
- I’m using CKR for this example
- Boot up the game in dolphin
- Open up aldelero5 ram viewer for searching
- Go into one of the selection screens
- Because I was looking solely for the Wiimote activator address, I unplugged the Nunchuk (less variables)
- Lay the Wiimote on a flat surface with the B button on the bottom.
- Now roll the Wiimote 180 degrees to the right (CW), so the right side is flat to the surface. While holding it there, do an exact value Single Byte search for “BF”
- Now roll it over, and hold so the left side of the Wiimote is flat to the surface. Do an exact value search for “3F”
-You should end up with a small list of search returns, I think 6 or so
- Pick up the Wiimote. While twisting 90 degrees to the right or left of center, you should see the address you’re searching for alternate between 3F & BF consitantly.
- I picked the first one on the search list. Double click on it to add to the watch pane.
- Double click on the address in the watch pane. In the pop-up window, change it to a 2 Byte watch
- Now you can observe how the Wiimote responds to motion (rolling left or right)
- To find the up/down address, clear the search and do an exact single Byte search for 3F while the Wiimote is pointing straight down and an exact single Byte search for BF while the Wiimote is pointing straight up
- I picked the first one on the search list. Double click on it to add to the watch pane.
- Double click on the address in the watch pane. In the pop-up window, change it to a 2 Byte watch
- Now you can observe how the Wiimote responds to up/down motion
-While holding the Wiimote you’ll notice it baubles around 3AXX & BAXX (Appx.) until you make a rotate left/right, up/down motion. The more extreme the motion, the greater the value, until full deflection 3FXX or BFXX (although I’ve seen it hit 40XX and C0XX during very extreme motions). This is how you can adjust the sensitivity of the activator. After observation I found that BF70 and 3F70 worked well for my activator/deactivator values.
Now to create the code activator.
Because the value is constantly changing with motion, you have to use less than/greater than conditionals.
In the original button code, the activator was:
281ADA8C 00001400 If the value at 801ADA8C is equal to 1400, execute next line of code.
If I use the “28” (equal to) conditional with the Wiimote activators, it doesn’t work well. The reason being is if you move the controller really fast the exact value may not be seen by the code handler. It will still work if you move the controller much slower, (more than you’d probably want during game play).
281ADB68 0000BF70 No Bueno!!! Intermittent activation/deactivation.
I decided to make rolling the Wiimote 90 degrees to the right the activator. Using my threshold value of BF70 I used the “2C” conditional which is greater than. So…
2C1ADB68 0000BF70 If the value at 801ADB68 is greater than BF70, execute next line of code
The deactivator would be roll the Wiimote 90 degrees to the left. Using my threshold value of 3F70 I used the “2C” conditional which is [greater than]. So…
2C1ADB68 00003F70 If the value at 801ADB68 is greater than 3F70, execute next line of code
However, this presents a problem. If you roll the controller to the right, the value will go to BFXX which is greater than 3F70. This will also cause the next line of code to be executed, causing the code to be activated/deactivated at the same time. To fix this, we use the “2E” Conditional, Which is [less than]. So…
2C1ADB68 00003F70 If the value at 801ADB68 is greater than 3F70, execute next line of code
2E1ADB68 00004000 If the value at 801ADB68 is less than 4000, execute next line of code
So, if you roll the controller to the right, the values go up into the BXXX range which of course is greater than 3F70 so the first line of code is set true and executes the next line of code. The next line sets the upper limit of the value (4000), that can be used to deactivate. BXXX is of course greater than 4000 so turning the controller to the right will cause this line to be false and not execute the next line of code which is the deactivator part of the code.
So, the final code I came up with is:
Infinite Ammo/power-ups (Note)
2C1ADB68 0000BF70 Rolling Wiimote to the right 90 degrees activates code if value at 801ADB68 is [greater than] BF70
C2054774 00000001 This gives you infinite ammo/power-ups on picked up items.
38030000 00000000
C2058FA8 00000001 This gives you a quantity of 3 on weapons/power-ups that normally
38000003 00000000 only give you 1.
C2058FAC 00000002
38000003 901E0154
60000000 00000000
C2055750 00000001 If you lose your weapon/power-up, you will automatically be given
380000XX 00000000 weapon/power-up XX with infinite ammo. See modifier list.
E0000000 00000000 Half-way terminator.
2C1ADB68 00003F70 Rolling Wiimote to the left 90 degrees deactivates the code. If the value at 801ADB68 is [greater than] 3F70, the next line of code is executed.
2E1ADB68 00004000 If the value at 801ADB68 is [less than] 4000, the next line of code is executed.
C2054774 00000001 This restores the ASM coding to its original state. Game operates normally.
3803FFFF 00000000
C2058FA8 00000001
38000001 00000000
C2058FAC 00000001
901E0154 00000000
C2055750 00000001
38000000 00000000
E0000000 80008000 Full terminator.
(Note) Roll the Wiimote 90 degrees to the right (CW), to activate. This effects the other racers also. If they receive XX = 06 – Red Fairy/Storm Angel, or you set this value in the code, it results in a cluster funk, with all of the racers being hit by lightning. Roll the Wiimote 90 degrees to the left (CCW), to deactivate the code if this happens. Or if you want to change weapons/power-ups, deactivate the code to use up the currently held item, then reactivate to get a new weapon/power-up. Don’t activate code until you’re at the starting line.
XX – Weapon/Power-up Modifier
01 – Mosquito Fork/Dart
02 – Fireball/Piranha
03 – Turbo
04 – Invincibility
05 – Blue Fairy/Storm Angel
06 – Red Fairy/Storm Angel
07 – Fireball/Explosive Cloud
08 – Tomato
09 – Sticky Lava Ball/Paralyzing Ice
Enjoy!!!!!
-Note that I am using Dolphin along with aldelero5 ram viewer.
-All values are in hex.
-It is assumed you know how to find the “button” activators for games. If not go here for an excellent explanation on how to do that:
https://gamehacking.org/faqs/Wii-Hacking_Button_Activators.pdf
Because addresses change from course to course, ASM code hacking was a must. In addition, said ASM pisses the game off while booting and causes it to lock up, necessitating the use of button activators.
Here is the code in its original state before using Wiimotion:
Infinite Ammo/power-ups (Note)
281ADA8C 00001400 Button Activator -> If value at 801ADA8C = 1400 execute code below [B and (-) = 1400]
C2054774 00000001 This gives you infinite ammo/power-ups on picked up items.
38030000 00000000
C2058FA8 00000001 This gives you a quantity of 3 on weapons/power-ups that normally
38000003 00000000 only give you 1.
C2058FAC 00000002
38000003 901E0154
60000000 00000000
C2055750 00000001 If you lose your weapon/power-up, you will automatically be given
380000XX 00000000 weapon/power-up XX with infinite ammo
E0000000 00000000 Half-way terminator.
281ADA8C 00001000 Button Activator -> If value at 801ADA8C = 1000 execute code below [(-) = 1000]
C2054774 00000001 This restores the ASM coding to its original state. Game operates normally.
3803FFFF 00000000
C2058FA8 00000001
38000001 00000000
C2058FAC 00000001
901E0154 00000000
C2055750 00000001
38000000 00000000
E0000000 80008000 Full terminator.
(Note) Press B and (-) to activate. This effects the other racers also. If they receive XX = 06 – Red Fairy/Storm Angel, or you set this value in the code, it results in a cluster funk, with all of the racers being hit by lightning. Press (-) to deactivate the code if this happens. If you want to change weapons/power-ups, deactivate the code to use up the currently held item, then reactivate to get a new weapon/power-up. Don’t activate code until you’re at the starting line.
XX – Weapon/Power-up Modifier
01 – Mosquito Fork/Dart
02 – Fireball/Piranha
03 – Turbo
04 – Invincibility
05 – Blue Fairy/Storm Angel
06 – Red Fairy/Storm Angel
07 – Fireball/Explosive Cloud
08 – Tomato
09 – Sticky Lava Ball/Paralyzing Ice
The code works great, but pressing button combinations to activate/deactivate while racing, is
a drag and is not very intuitive. So, I turned my attention to the motion capabilities of the Wiimote/Nunchuk. At first, I used the Nunchuk, but ultimately decided against it, because during the heat of racing, I found myself intermittently activating/deactivating the code with unintended Nunchuk movement.
The Wiimote was a much better choice, as most people aren’t going to wield it like a Flakka Dancer.
The process for finding the activator address is the same for the Nunchuk and Wiimote.
Here is how to find the Wiimote motion activator addresses:
- I’m using CKR for this example
- Boot up the game in dolphin
- Open up aldelero5 ram viewer for searching
- Go into one of the selection screens
- Because I was looking solely for the Wiimote activator address, I unplugged the Nunchuk (less variables)
- Lay the Wiimote on a flat surface with the B button on the bottom.
- Now roll the Wiimote 180 degrees to the right (CW), so the right side is flat to the surface. While holding it there, do an exact value Single Byte search for “BF”
- Now roll it over, and hold so the left side of the Wiimote is flat to the surface. Do an exact value search for “3F”
-You should end up with a small list of search returns, I think 6 or so
- Pick up the Wiimote. While twisting 90 degrees to the right or left of center, you should see the address you’re searching for alternate between 3F & BF consitantly.
- I picked the first one on the search list. Double click on it to add to the watch pane.
- Double click on the address in the watch pane. In the pop-up window, change it to a 2 Byte watch
- Now you can observe how the Wiimote responds to motion (rolling left or right)
- To find the up/down address, clear the search and do an exact single Byte search for 3F while the Wiimote is pointing straight down and an exact single Byte search for BF while the Wiimote is pointing straight up
- I picked the first one on the search list. Double click on it to add to the watch pane.
- Double click on the address in the watch pane. In the pop-up window, change it to a 2 Byte watch
- Now you can observe how the Wiimote responds to up/down motion
-While holding the Wiimote you’ll notice it baubles around 3AXX & BAXX (Appx.) until you make a rotate left/right, up/down motion. The more extreme the motion, the greater the value, until full deflection 3FXX or BFXX (although I’ve seen it hit 40XX and C0XX during very extreme motions). This is how you can adjust the sensitivity of the activator. After observation I found that BF70 and 3F70 worked well for my activator/deactivator values.
Now to create the code activator.
Because the value is constantly changing with motion, you have to use less than/greater than conditionals.
In the original button code, the activator was:
281ADA8C 00001400 If the value at 801ADA8C is equal to 1400, execute next line of code.
If I use the “28” (equal to) conditional with the Wiimote activators, it doesn’t work well. The reason being is if you move the controller really fast the exact value may not be seen by the code handler. It will still work if you move the controller much slower, (more than you’d probably want during game play).
281ADB68 0000BF70 No Bueno!!! Intermittent activation/deactivation.
I decided to make rolling the Wiimote 90 degrees to the right the activator. Using my threshold value of BF70 I used the “2C” conditional which is greater than. So…
2C1ADB68 0000BF70 If the value at 801ADB68 is greater than BF70, execute next line of code
The deactivator would be roll the Wiimote 90 degrees to the left. Using my threshold value of 3F70 I used the “2C” conditional which is [greater than]. So…
2C1ADB68 00003F70 If the value at 801ADB68 is greater than 3F70, execute next line of code
However, this presents a problem. If you roll the controller to the right, the value will go to BFXX which is greater than 3F70. This will also cause the next line of code to be executed, causing the code to be activated/deactivated at the same time. To fix this, we use the “2E” Conditional, Which is [less than]. So…
2C1ADB68 00003F70 If the value at 801ADB68 is greater than 3F70, execute next line of code
2E1ADB68 00004000 If the value at 801ADB68 is less than 4000, execute next line of code
So, if you roll the controller to the right, the values go up into the BXXX range which of course is greater than 3F70 so the first line of code is set true and executes the next line of code. The next line sets the upper limit of the value (4000), that can be used to deactivate. BXXX is of course greater than 4000 so turning the controller to the right will cause this line to be false and not execute the next line of code which is the deactivator part of the code.
So, the final code I came up with is:
Infinite Ammo/power-ups (Note)
2C1ADB68 0000BF70 Rolling Wiimote to the right 90 degrees activates code if value at 801ADB68 is [greater than] BF70
C2054774 00000001 This gives you infinite ammo/power-ups on picked up items.
38030000 00000000
C2058FA8 00000001 This gives you a quantity of 3 on weapons/power-ups that normally
38000003 00000000 only give you 1.
C2058FAC 00000002
38000003 901E0154
60000000 00000000
C2055750 00000001 If you lose your weapon/power-up, you will automatically be given
380000XX 00000000 weapon/power-up XX with infinite ammo. See modifier list.
E0000000 00000000 Half-way terminator.
2C1ADB68 00003F70 Rolling Wiimote to the left 90 degrees deactivates the code. If the value at 801ADB68 is [greater than] 3F70, the next line of code is executed.
2E1ADB68 00004000 If the value at 801ADB68 is [less than] 4000, the next line of code is executed.
C2054774 00000001 This restores the ASM coding to its original state. Game operates normally.
3803FFFF 00000000
C2058FA8 00000001
38000001 00000000
C2058FAC 00000001
901E0154 00000000
C2055750 00000001
38000000 00000000
E0000000 80008000 Full terminator.
(Note) Roll the Wiimote 90 degrees to the right (CW), to activate. This effects the other racers also. If they receive XX = 06 – Red Fairy/Storm Angel, or you set this value in the code, it results in a cluster funk, with all of the racers being hit by lightning. Roll the Wiimote 90 degrees to the left (CCW), to deactivate the code if this happens. Or if you want to change weapons/power-ups, deactivate the code to use up the currently held item, then reactivate to get a new weapon/power-up. Don’t activate code until you’re at the starting line.
XX – Weapon/Power-up Modifier
01 – Mosquito Fork/Dart
02 – Fireball/Piranha
03 – Turbo
04 – Invincibility
05 – Blue Fairy/Storm Angel
06 – Red Fairy/Storm Angel
07 – Fireball/Explosive Cloud
08 – Tomato
09 – Sticky Lava Ball/Paralyzing Ice
Enjoy!!!!!