don't click here

Sonic Pocket Adventure's Debug Mode

Discussion in 'Engineering & Reverse Engineering' started by SANiK, Jan 23, 2011.

Thread Status:
Not open for further replies.
  1. SANiK

    SANiK

    Tech Member
    413
    0
    16
    What is the scientific reason that Sonic Pocket Adventure / SPA enters debug mode when using an emulator? I have the actual hardware and pressing Options at the SEGA screen does not work. It might be that debug mode is removed from my build if there are others capable of entering debug mode without an emulator. So are there?

    Debug mode's activation is often cited as an emulator bug. Did anyone look into it further? The most prominent Sonic Pocket Adventure hacking was done by Rolken in this thread, but being in 2006 it seems his efforts are long dead and so are the links.
     
  2. MathUser

    MathUser

    3rd top wiki contributor Researcher
    2,151
    8
    18
    You are a tech member, can't you find that out for yourself?
     
  3. DigitalDuck

    DigitalDuck

    Arriving four years late. Member
    5,338
    412
    63
    Lincs, UK
    TurBoa, S1RL
    Protip: Not all Tech Members are good at everything.
     
  4. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    6,718
    1
    0
    being an asshole =P
    Not everybody has worked on the NGPC, MathUser...

    But yeah, I believe it's a bug because only shitty emulators let you enter that menu. I wonder if there's some hardware status that isn't being set properly...
     
  5. SANiK

    SANiK

    Tech Member
    413
    0
    16
    Research takes time and so does getting adjusted to a machine's environment. The first step is to pool the community's knowledge.

    NGPC emulator documentation mentions a watchdog timer in the NGPC that has to be written to with 0x4E every 100ms otherwise the NGPC resets. I remember in one of the emulators, clicking outside the window and coming back caused it to enter a sort of floating debug mode. A guess here is that the emulator screws up the timing somehow, and if the game detects that the system operates without needing to inform the watchdog, then it might think its running on a development station.
     
  6. Overlord

    Overlord

    Now playable in Smash Bros Ultimate Moderator
    19,218
    965
    93
    Long-term happiness
    Wow, that was incredibly dickish and uncalled for. Enjoy your day's holiday.
     
  7. GerbilSoft

    GerbilSoft

    RickRotate'd. Administrator
    2,971
    76
    28
    USA
    rom-properties
    I believe the debug mode only triggers in one emulator, "RAPE". (Either that or "LAME" - they're both hacks of each other, or something like that.) Mednafen doesn't trigger it. (EDIT: djohe tells me that RacePSP also triggers it, so maybe it's a misdocumented hardware quirk that's being emulated incorrectly by some emulators?)

    There's a high barrier of entry with regards to SPA because of the NGPC's unusual CPU, a Toshiba TLCS900H. I don't know if there's any disassemblers available for the TLCS900H, or if the system uses bankswitching or not. (Bankswitching would significantly complicate any sort of disassembly.)
     
  8. Mikel

    Mikel

    Member
    NeoPocott, another old NGPC emulator also triggers Debug mode.

    I guess I will post this video here, which I think will go well with the Game Secrets:Sonic Pocket Adventure page:

     
  9. Rolken

    Rolken

    Tech Member
    I was mostly hacking to get maps, which are up at TSC. I don't know where any of the technical stuff or spritesheets or so forth are anymore. Sorry. But at least I did give copious enough documentation there that you could probably reconstruct everything I did if you really wanted to. I'll take a look at some of my older laptops to see if I still have any of the old stuff around, but I make no promises.

    I vaguely remember looking into the debug weirdness but it's been too long for me to remember what I figured out, if anything.

    And I looked for the disassembler I originally used but it looks like it's gone offline by now too, which kinda sucks. Oh well.

    And dicks like MathUser are why I left this place (until getting a friendly email a few minutes ago). Can't even have a coherent goddamn conversation around here without somebody gratuitously shitting in the punch bowl. A one day holiday isn't really sending much of a message.

    edit: and I'm PRETTY sure the NGPC did not use bankswitching but don't bet money on it @ Gerbil
     
  10. SANiK

    SANiK

    Tech Member
    413
    0
    16
    :off-topic: I think he was just misinformed? Just like a pencil artist is not the same as a digital artist, he probably just doesn't know how one machine may vary greatly from another machine. Just unban him and let it slide. It's not like I was offended anyways. :off-topic:

    According to http://info.sonicretro.org/Game_Secrets:So...ocket_Adventure R.A.P.E, Neopocott, and the PSP emulator RacePSP are the ones that have this debug mode access.

    From reading briefly about the system, it seems bank switching is only used for roms greater than 2MB. Sonic Pocket Adventure is 2MB.

    There were assemblers and disassemblers floating around. The big year in Neo Geo Pocket development was 2003. After that things just started 404ing. Although, the NeoPop core has a disassembler component, http://neopop.emuxhaven.net/NeoPop-Src-Core-0.71.zip
    See "Core\TLCS-900h\TLCS900h_disassemble.c"
    Mednafen uses the NeoPop core.

    A possible approach may be to do what Nemesis did with Sonic 2 and have the emulator track the instruction branches by modifying the source code of an existing emulator and playing the game for a while in order to create an accurate disassembly.

    edit:
    That was fast!
     
  11. Rolken

    Rolken

    Tech Member
    Heh, that's convenient.

    I looked through my most recently discarded laptop and turned up bupkis, which means if I have anything it's stuck away who knows where and I probably won't find it any time soon. Sorry.
     
  12. Skeledroid

    Skeledroid

    Member
    227
    0
    0
    it's probably something simple like a certain value upon initialization
     
  13. SANiK

    SANiK

    Tech Member
    413
    0
    16
    Okay. I figured it out. Take a hex editor, open up the Sonic Pocket Adventure rom, and change byte 0x1F of the rom to 0xFF. This enables developer mode for the rom.
    Emulators like RAPE automatically change that byte for games. NeoPop does not do it, hence why the Debug mode switch does not work in NeoPop.

    Rom offset 0x1F in the NGPC rom header is the 32bit initial PC value. The NGPC only addresses from 0x000000 to 0xFFFFFF leaving the top byte unused. So developers use the top byte as a dev-mode switch instead since 0x??###### becomes 0x######

    Anyone have a NGPC with a NGPC flash cart that wants to give the above modification a try on actual hardware for the hell of it?
     
  14. Skeledroid

    Skeledroid

    Member
    227
    0
    0
    yeah, it's not expecting FF as the initialized value as suspected.

    if you do it on the real hardware you're just creating an emulator's error by altering the game. that's kind of backwards as far as the issue?
     
  15. Tweaker

    Tweaker

    Banned
    12,387
    2
    0
    Wow. I've been waiting over 8 years for a way to trigger debug mode in that game at will. Fantastic job!
     
  16. JaxTH

    JaxTH

    Pudding Deity Oldbie
    10,355
    586
    93
    Los Angeles
    Jack shit.
    Wow. haven't heard that name in years. Does it still have no sound?
     
  17. SANiK

    SANiK

    Tech Member
    413
    0
    16
    It's not really an emulator error per say. When the emulator authors were reverse engineering games, they saw that 0xFF at 0x1F was needed for the game to load certain content. In Metal Slug 0xFF at 0x1F would enable certain sfx. The content they were seeing was actually debug or prototype data. The emulator authors did not know this and they assumed the extra content was a required part of the game so they forced it on.
    With that said, the actual official debug cartridges would have 0xFF at 0x1F to denote they are debug carts or if that was not the case it would then be added in by the development NGPC machine. It's one or the other.

    Anyways, I took the NeoPop emulator source code and modified it to do what Nemesis did years ago, and that is to have it generate the assembly as the emulator goes from place to place. I also had it generate a bitmap for every byte in the rom to denote if it is code or data.

    [​IMG]

    The NGPC's Toshiba CPU uses a hideous assembly language.
     
  18. GerbilSoft

    GerbilSoft

    RickRotate'd. Administrator
    2,971
    76
    28
    USA
    rom-properties
    Looks like an extension of the Z80 assembly language to me, along with "extended" 32-bit registers like XDE and XHL.

    Anyways, it's interesting how they used the high byte of the RESET vector to indicate debug vs. production. I remember that many older Macintosh applications used the high byte of addresses for various flags, which caused all sorts of problems when the Macintosh II came out with its 68020 CPU.
     
  19. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    6,718
    1
    0
    being an asshole =P
    Now that's the most stupid emulation bug I've ever seen.

    Also this reminds me of how Ultimate Mortal Kombat 3 on the Mega Drive uses the highest byte of the vector address to figure out what caused an error.
     
  20. nineko

    nineko

    I am the Holy Cat Tech Member
    6,298
    475
    63
    italy
    Hey, MathUser was incredibly rude, but he was right in the end :v:

    Glad to see another little discovery.
     
Thread Status:
Not open for further replies.