• Rise from your gwave!

32x ROM Hacking Info

Discussion in 'Genesis/Mega Drive' started by Tony H, Aug 17, 2008.

  1. Tony H

    Tony H New Member

    NOTE: No guarantees that the info below is correct. If you see any

    "bad" info, let me know (In other words, I'm no 32x expert).


    =======================


    There's a modded version of Gens out that's pretty damn cool. It's version 9.5b. It has the memory tracer and assembly logger from "Gens Tracer", and it also has an improved RAM searching feature that lets you search for normal "FF" type RAM addresses, and it will search for Sega CD and 32x RAM addresses.


    Here's a link for Gens 9.5b


    http://www.homeactionreplay.org/info/


    I didn't get my copy from that site, so let me know if you have problems with the link/DL and I'll get another address.


    =================================


    32x info...


    Now that I can search for 32x RAM addresses (SH2 memory), I started playing around with some 32x games that I didn't have much luck with before. I found


    some interesting stuff...


    As it is right now, once you find a 32x RAM address (SH2 memory), there's only one way that I could think of to find out where that RAM address is being controlled from in the ROM... use the unmodded version of Gens 2.11 that has the built in 68k/32x debugger. I used Chemist's method of using save states and tracing through the assembly using the O, I, U, Y, and T keys and watching the SH2 CPU memory addresses for changes. All the assembly language is completely different than 68000, but it still uses MOVE, RTS, SUB etc, so you can kinda figure out what's going on.


    There is a big problem using that method though... it appears that Game Genie codes will not modify areas of the ROM that are specifically for the 32x.


    Usually you need to use Game Genie codes to get past code that just cycles over and over, but with 32x games you can't, so you have to "step" over those parts of code with the "N" key. Very time consuming but it usually

    works.


    Since Gens won't let you use Game Genie codes for areas of the ROM that are specifically for 32x, you have to hack the ROM instead. When you do this, you'll probably find that you get a blank screen when you try to run the ROM. Checksum problems.


    As far as I can tell, the Genesis part of the ROM and the 32x part of the ROM don't use the same checksum routine. For example, Doom 32x doesn't need a master code when you use my "start on hidden level" Game Genie code, but if you hack an area of the ROM that's for the 32x, you need a 32x master code.


    The good news is that so far, it looks like several 32x games all use the exact same 32x master code. The 32x master code can be done by hacking the ROM or with a Game Genie code: $0007CC:6002 = AJDT-AA8N.


    Here are some 32x RAM addresses (SH2 memory)...


    Blackthorne 32x

    Health = 0603AC40 (although it may be used for other things as well?)


    Kolibri

    Health = 06036D8C


    Doom 32x

    Health = 060012ED



    When you use the 32x debugger in Gens, ignore the "06" in the SH2 memory addresses above (0603AC40 = 03AC40 etc). When you're looking at the "Master SH2 Debug" screen in Gens, you'll see ROM addresses like this: 0205CCD0.

    Remove the "02" to get the actual ROM address.



    Anyways, if anyone has some 32x knowledge, please let me know, because I have a ton of questions.






    Tony H. t_hedstrom@yahoo.com



    --------------------------------------------------------------------


    Some interesting things I've noticed about the 32x...


    It appears that all 32x instructions are only 2 bytes (meaning there are no operands). A little hard to get used to after spending so much time with 6502, 65c816 and 68k.


    While trying to figure out why Shadow Squadron wouldn't run, I made an assembly trace and found what appears to be how the 68k goes into "32x mode" (I have no idea what it's really called, but the 68k only does this with 32x games).


    00:04BE 4E D0 JMP (A0) A0=00FF0000 A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc


    FF:0000 1B 7C MOVE.b #$01,$5101(A5) A0=00FF0000 A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc


    FF:0006 41 F9 LEA ($000006BC),A0 A0=00FF0000 A1=00FF0020 A2=00C000 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc


    FF:000C D1 FC ADDA.L #$88,A0 A0=000006BC A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc


    FF:0012 4E D0 JMP (A0) A0=008806BC A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc


    88:06BC 41 F9 LEA ($00FF0000),A0 A0=008806BC A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc



    Hopefully, someone will make a 32x assembly tracer someday.


    ================================


    In case anyone wants to know how to make 32x ROM hacks (I'm sure there are thousands of people. lol), here's a quick guide...


    Use Gens 9.5b to find the SH2 memory address (32x RAM).


    Use regular (non modded) Gens 2.10 (or any version that has the 32x debugger) and open your 32x ROM.


    We'll use Shadow Squadron as an example. The SH2 memory address for damage/shield is $061CE19. Remove the "06" from the address to get the actual RAM address used in the debugger: 1CE19.


    Once the game is running, wait until your ship is just about to take some damage and press F5 to make a save state. The closer to the exact point when you'll actually take damage the better. Enter the 32x debugger. Look in the SH2 memory section of the debugger and use these keys to find the SH2 memory address that you found earlier:


    Memory (RAM) Window Movement Keys:

    R-Up 1 Line

    F-Down 1 Line

    E-Up 12 Lines

    D-Down 12 Lines

    W-Up 144 Lines

    S-Down 144 Lines


    Once you can see the value for your RAM address, all you have to do is load

    your save state and start tracing through lines of code until your RAM address changes. Find the exact line of code that caused the RAM address to change, and you have your hack (almost).


    Here's the keys to use to trace through the code...


    Debugger Tracing Keys:

    T - Trace 1 command

    Y - Trace 10 commands

    U - Trace 100 commands

    I - Trace 1,000 commands

    O - Trace 10,000 commands

    P - Trace 100,000 commands


    If you go past the line of code that caused the RAM address to change, press F8 to reload the save state.


    There is one fairly big problem though... many games will go into an endless loop when you enter the debugger and try tracing. If you're familiar with 32x assembly, this should be no problem, but if you're like me and know very little 32x asm, here's how to get out of those endless loops...


    Trace one line of code at a time (the "T" key) and look for something like this: "bf 02xxxxxx" or "bf/s 02xxxxxx". When you get to that line, press the "N" key to step over that instruction. You may have to do this more than once.


    One last thing, the ROM/CPU address shown in the 32x debugger isn't the actual ROM address. If it begins with "02xxxxxx", then you can usually just ignore the "02" for the actual ROM address, but if it begins with "06xxxxxx", you'll need to write down a string of numbers (32x opcodes) and search for that string in the ROM.


    Since there are no operands, NOP will work in many situations to kill additions, subtractions, etc (0009 = NOP).


    Don't forget to hack the 32x master code into your ROM or else you'll get a blank screen.



    =====================================================


    More misc. 32x info....





    32x debugger info. Written by: Tony Hedstrom t_hedstrom@yahoo.com



    Use Gens 9.5b to find 32x RAM addresses.


    Also use Gens 9z (works on Shadow Squadron 32x)



    Use Gens 2.11 debugger to find ROM address by using Chemist's method

    of using save states and tracing with the P, O, I, U, Y, and T keys.


    To step through "stuck" areas when tracing in debugger, look for

    "bf 02xxxxxx" or "bf/s 02xxxxxx" and press "N" to step through it.

    You may have to do it more than once, or you may have to step

    through it, and then trace one line at a time ("T" key) and find

    another "bf 02xxxxxx" or bf/s 02xxxxxx" that you don't get stuck

    on and press "N" to bypass that one. Also "bt 06xxxxxx"??


    Also try using the sub/Slave 32x debugger (worked with Kolibri).



    06xxxxxx = 32x RAM address? (SH2 CPU memory?) (ignore the "06" part).


    02xxxxxx = 32x CPU/ROM address? (ignore the "02" part).



    A few Opcodes/instructions...


    0009 = NOP

    000B = rts


    3028 = sub

    3138 = sub r3, r1

    3208 = sub


    303C = add r3, r0

    304C = add r4, r0

    305C = add r5, r0


    70FF = add #FF, r0

    71FA = add #FA, r1

    72EE = add #EE, r2

    7D06 = add #06, r13


    E600 = mov #00, r6



    Master codes...


    So far, the 32x master codes are exactly the same for 2 different

    games: (Blackthorne and Doom 32x) $07CC:6002. It looks like this

    only applies when you hack areas of the ROM that are specifically

    for the 32x. When I use a Game Genie code with Doom, I don't

    need a master code, but when I hacked an area of the ROM that is

    for 32x, all I got was a blank screen. Adding the 32x master

    code above ($07CC:6002) solved the problem. Hopefully the 32x

    master code will work on all 32x games. Time for more testing.


    UPDATE:

    32x master code also works on Knuckles Chaotix, Kolibri and Shadow

    Squadron.



    ================================================


    It looks like you can't use Game Genie codes for areas of the ROM

    that are for 32x, but you CAN hack the codes into the ROM.


    As far as I can tell, all 32x instructions are only 2 bytes (no

    operands).??


    Sometimes the ROM addresses shown in the debugger don't correspond

    at all to the real ROM address, so you'll have to write down a

    string of bytes and search for that in the ROM.



    Looks like all 32x games start at ROM address $03F0 (the 68k part).


    ===============================================

    32x ROM hacks

    ===============================================



    Knuckles Chaotix 32x (5/NTSC version only, will not work on A/PAL)


    This hack will make it so that you don't lose any rings because of

    time in special stages (you normally lose 1 ring about every second).

    Don't let your ring count go over 255 or else you may "time out".



    Open up your Knuckles Chaotix ROM (5/NTSC version) with a hex editor

    (your ROM must be in "bin" format). Hack the following codes into

    your ROM...



    $07CC:6002

    32x Master Code



    $07D31C:7000

    Don't lose rings (from time) in special stages


    =====================================================



    Kolibri 32x


    Open up your Kolibri 32x ROM with a hex editor (must be in "bin"

    format). Hack the following codes into the ROM...



    $07CC:6002

    32x Master Code



    $0925C6:7100

    Protection from most damage (toad can still kill you)


    ======================================================



    Shadow Squadron / Stellar Assualt 32x


    Open up your Shadow Squadron 32x ROM with a hex editor (must be in

    "bin" format). Hack the following codes into the ROM...



    $07CC:6002

    32x Master Code



    $116572:0009

    Gun blasts from the large ships won't hurt you. Works on either

    "Feather 1" or "Feather 2".



    $10D1A2:0009

    The "Feather 1" ship won't use up any fuel when you use the special

    weapon (special weapon is activated by double tapping the "A" button

    and holding it on the second tap). Doesn't work on "Feather 2" ship.






    Tony H. t_hedstrom@yahoo.com
     
  2. ExCyber

    ExCyber Staff Member

    This is sort of correct and sort of wrong. The instructions are fixed-length, but some do contain 8-bit immediate operands. Generally though, if you want some data for a particular instruction, the way it's done is to have a literal pool after the routine and use PC-relative addressing to load it (similar to ARM).
     
  3. Jedi Master Thrash

    Jedi Master Thrash New Member

    So, do any of these codes work with a real game genie and a real 32X? Or does it only work in emulation/rom hacking?
     
  4. Tony H

    Tony H New Member


    I own a real 32x and a Game Genie, and I was never able to get Game Genie codes to work on any 32x games.


    The 32x codes I posted above will only work by hacking them into the ROM. However, the 32x master code ($07CC:6002) can be done via a Game Genie code in an emulator, or by hacking it into the ROM. Just remember that the 32x master code MUST be used whenever you hack a 32x code into the ROM. If you don't use the master code, you'll just get a blank screen when you try to play the hacked ROM. The master code bypasses the 32x checksum routine.



    ExCyber... Thanks for the info.
     

Share This Page