SSF2T: The quest for the perfect training mode

Since I started playing ST a few months ago I wanted to have a training mode on MAME like the one available on the Sega Dreamcast port. I collected all the available training mode cheats but none of them convinced me, so I studied all them, fixed some of the glitches and finally end up taking the best of each one to write my own.

The first usable training mode cheat was made by Pasky, he explained it very well in this comment, the main problem with his cheat is that the stun meter stops working properly after the health bar is recharged and the cheat has to disable stun, so the players never get dizzy. The cheat is interesting because he hooks the game code to make it jump into his own subroutine that refills the health bar for both players. This cheat only recharges the bars after hit damage, but not after throw damage.

After that, there was a new training mode cheat made by d9x/dammit. It is way easier because it only recharges the health bar when the dummies are at a certain state (for example after being hit). We can see the value of this state at memory address FF8451 (or 0x400 more for P2). This allows the stun meters to work properly, so characters can get dizzy normally, however it still has some glitches like sometimes when the health is recharged opponent gets hit or pushed back.

In both Pasky and d9x cheats, the health bar can’t be empty (if this happens the round will end). This is one of the things that bothered me, because you can’t get an idea of how much damage you would do, for example with a 5-hit combo, as the bar is refilled very quickly after every hit or when it reaches a certain value.

Not long ago, jedpossum published a new training mode, which has the particularity that even after the health bar is empty, the game continues. However it has a few new glitches, like the player’s vertical position after a wall throw is sometimes messed up, and there’s the K.O. slowdown present when the health bar reaches zero.
Continue reading

Posted in SuperTurbo | Tagged , , , , | 6 Comments

Hacking Super Street Fighter II Turbo (Part 2)

In today’s post I will try to illustrate the difference between a RAM cheat and a ROM cheat. RAM cheats usually change the data the game has in RAM, for example the previous post showed how to change the value in a fixed memory address to adjust the game difficulty during gameplay. ROM cheats patch the game’s program code to force the game engine take a different path.

One thing I’ve always wanted to see is the combo messages that appear on the side of the screen when you do a multiple hit combo, but for the combos that the CPU does, which for some reason don’t appear. So, that’s what I’ll show you how to do today: hack the ST rom to see the CPU combo messages, plus some other bonus cheats we’ll discover while getting there :)


First thing we want to do is locate the memory region or address where the game stores who controls a character, the CPU or a human player. From there, we’ll see where in the code this memory region is accessed, and that should lead us to some point where the game engine decides “it’s a human player so I will show the combo message, or it’s a computer so I will not show it”. What we will try to do is patch that part of the code to make the game engine always show it!

We can start working on the “CPU Combo Messages” cheat using the memdump & diff method we used in the previous example, but we’ll use a different method now just for the purpose of illustrating the possibilities of MAME’s built in debugger: the “cheat” commands.

Start the game with the debugger enabled, and start playing with 2 human controlled characters (P1 & P2). When the “Round 1″ message disappears press ENTER in the debugger screen to break, and type the command cheatinit. This will start a new cheat search in memory by remembering the state of all memory addresses at that point. Now return into the game, and start playing with one human player (P1) against the CPU (P2). Ideally that match should have the same characters as the one before, with the same colors, etc… to produce the lesser variations possible in the game’s memory. Now when the “Round 1″ message disappears, press ENTER again in the debugger screen and type the command cheatnext decrease,1: this will search for all bytes that have decreased by one since we did the cheatinit. Now we can do a cheatlist to see all the possible memory locations that have changed:
Continue reading

Posted in SuperTurbo | Tagged , , , , | Leave a comment

Hacking Super Street Fighter II Turbo (Part 1)

In this post I will show how to debug the Super Street Fighter II Turbo ROM in MAME, to create a simple cheat. This will (hopefully) be the first post of a series that will show more advanced use of the MAME debugger and dig deeper into reverse engineering Super Turbo.

First we need to launch MAME using the ‘-debug‘ parameter, this will launch the MAME debugger. You can use the ‘help‘ command in the debugger to see the help.

mame debugger
Continue reading

Posted in SuperTurbo | Tagged , , , , | 1 Comment

ZTE Open FirefoxOS Phone, root and first impressions

zte openZTE Open is the first non-developer FirefoxOS phone, sold commercially in Spain by Movistar.

It can be rooted using CVE-2012-4220 aka Qualcomm DIAG root discovered by Giantpune. This security advisory was released by Qualcomm on November 15, 2012. The ZTE Open has been launched commercially 7 months later and neither ZTE nor Movistar have bothered to patch this security hole, shame on them for selling vulnerable devices to customers.

The ZTE Open comes with kernel 3.0.8 which is also vulnerable to CVE-2013-2094 (perf_event) exploit.


I took the exploit by Hiroyuki Ikezoe and adapted it to work on the ZTE Open. The source code is available here, and a redy-to-use compiled exploit is here: DOWNLOAD.

These are the details of the original firmware, as hopefully ZTE will patch the security hole and this exploit might not work in future versions: May 31 23:10:17 CST 2013

To run the exploit connect your phone to your computer using the USB cable, and make sure ‘Remote debugging‘ is enabled on your phone in Settings -> Device information -> More Information -> Developer.
You need to have the adb binary in your computer’s path, (if you don’t know what ADB is don’t bother rooting your phone) then execute “” on Linux or OS X, or “run.bat” on Windows.
If the exploit fails, reboot your ZTE Open and try again (the linux/MAC version will attempt to do that automatically). Once the exploit is successful it will remount the system partition in read/write mode and copy a setuid “su” binary into /system/xbin/su.

Custom ROMs

The bootloader on the ZTE Open does not allow to flash or boot unsigned code through fastboot protocol. The stock recovery image will verify the signature of update packages and not allow you to flash self-signed updates. To overcome that limitation you can flash a custom recovery image that will allow you to backup your current ROM to SD card and flash your customized build of FirefoxOS (or if you want, your own Android port).

You can download ClockWorkMod recovery for ZTE Open here: recovery-clockwork-
To flash it:

# first backup your existing recovery
adb shell dd if=/dev/mtd/mtd0 of=/sdcard/stock-recovery.img bs=4k
adb pull /sdcard/stock-recovery.img
# then flash clockworkmod recovery
adb push recovery-clockwork- /sdcard/cwm.img
adb shell flash_image recovery /sdcard/cwm.img

To boot into recovery mode, hold both volume down up and the power button while powering on the phone.

Enjoy! :)

Posted in FirefoxOS | Tagged , , , , , , , | 112 Comments

Fortifying a Galaxy Nexus with stock-ish image and root access

galaxy nexusIn this post I will describe my recipe to have a Samsung Galaxy Nexus (codename “maguro”) using a rooted factory image, capable of getting OTA updates without loosing root access and with a locked bootloader, keeping the user data safe in case it gets lost or stolen, in the sense that the person getting it will not be able to extract personal details from it like Google accounts, settings, downloaded apps and their data, media, etc.

I assume the reader starts with a stock unmodified factory image, and knows how to use fastboot.

Continue reading

Posted in android, linux, security | Tagged , , , , , , , , | 2 Comments

Why Broadcom 802.11 Linux STA driver sucks, and how to fix it

TL;DR – the broadcom sta linux driver always fails in the first scan request after the interface is brought up, this produces a long delay when connecting to a wireless network. There’s an open source driver which does not have this problem, but is not good with power management. In this post I describe the steps I took to pinpoint the problem in the proprietary driver and to fix it.

The story begins when I updated Ubuntu from 11.10 to 12.04 on my MacBook Air, everything worked fine after upgrading except one thing that bothered me a lot: when resuming the laptop after suspending it, it took around 30 seconds to connect to my wireless network. It wouldn’t have bothered me if it had been the same in 11.10, but in 11.10 the time to connect was barely 5 or 6 seconds, so having to wait 30 seconds was totally unacceptable.

Initially I thought it was a bug in NetworkManager, and increased the debug level in the config file to finally come out to the conclusion that I was using a different driver in 12.04 than in 11.10.

There are two drivers available for the Broadcom BCM4353 802.11 Wireless Controller:

Continue reading

Posted in linux, wireless | Tagged , , , , , , , , , , , , , | 19 Comments

Getting started on Android Development from Command Line

As a quick reference, here’s a list of useful and most commonly used commands if you want to do Android development from command line (for example, without using eclipse or any other bloated IDE). You must have installed the Android SDK on your system, and make sure the tools and platform-tools folders from the android SDK are available in your PATH environment variable:

export PATH="${PATH}:${ANDROID_SDK}/tools:${ANDROID_SDK}/platform-tools"

Continue reading

Posted in android | Tagged , , , , , , , , , , , , | 1 Comment

lightum: auto adjust keyboard brightness on Linux MacBook

If you are running Linux on your MacBookAir and want the keyboard light brightness changed automatically depending on the ambient light (just as OS X does), continue reading.

I’ve written a small daemon named lightum, source is on github and licensed under GPL-2+.

Usage:  lightum [-m value] [-p value] [-f]
        -m 0..255 : maximum brightness value between 1 and 255 (default=255)
        -p num    : number of seconds between light sensor polls (default=8)
        -f        : run in foreground (do not daemonize)
        -v        : verbose mode, useful for debugging with -f

For it to work you need dbus installed, and your MacBook should have the light sensor located in /sys/devices/platform/applesmc.768/light (should be available on all MacBookAir and MacBookPro versions which have a backlight on keyboard, as far as I know).

If you are running Ubuntu, you can install it by adding lightum-mba ppa to your system:

sudo add-apt-repository ppa:poliva/lightum-mba
sudo apt-get update
sudo apt-get install lightum

Otherwise, you can build it from source.

Posted in linux | Tagged , , , , | 51 Comments

Motorola Xoom: Review from an early adopter

Motorola Xoom
Yesterday morning I received the wifi-only version of the 10.1-inch Android tablet Motorola Xoom. I bought it in USA because it wasn’t yet available in Europe when I purchased it. I choose the wifi-only version because of the following main reasons:

  • the 3G/4G version available from Verizon USA uses CDMA technology and is not compatible with European GSM carriers.
  • I didn’t want to wait more time to have an Android 3 tablet
  • I don’t want to pay for another 3G data connection, because I already have one in my phone’s SIM card, which I can tether over wifi or bluetooth to give internet connectivity to the Xoom when there’s no wi-fi available.

Out of the box, the device comes with Android Honeycomb version 3.0.1, and no support for microSD card yet (it is advised in the manuals that microSD card support will be available trough a future system update).

The Xoom ships with an “unlockable” bootloader, that means you can connect via fastboot and issue the command ‘fastboot oem unlock‘ to be able to flash unsigned code at the expense of voiding your warranty, and that’s what you should do if you want support for microSD card today, because there’s an unofficial kernel with microSD support already available: Tiamat AOSP kernel Version 1.3.0.

Continue reading

Posted in android, gadgets, linux | Tagged , , , , , | 2 Comments

WiFite patch for WLAN/JAZZTEL networks WEP & WPA cracking

I have made a quick patch for wifite r67, which adds support to crack WLAN and JAZZTEL networks in Spain, both WEP and WPA versions.

The WPA keys are computed statically using the already known algorithms and the guessed key is shown at start, when wifite shows the available networks.

The WEP keys are cracked using a dictionary attack, generated automatically using wlandecrypter and jazzteldecrypter, so you only need 4 IVs to start cracking using the dictionary.

The patch is available here, and it’s agains revision r67 (latest at the moment of writing this). You can see it in action in these youtube videos I have uploaded:
Continue reading

Posted in linux, security, wireless | Tagged , , , , , , , | 12 Comments