Checksum Check = Bad

Discussion in 'Engineering & Reverse Engineering' started by fuzzbuzz, Jun 9, 2004.

  1. fuzzbuzz

    Tech Member
    Ah, you little ROM hacking people I really don't know that well because I only see you as a typed name... anywho, on to my sales speech:

    Have YOU ever made a rom hack?
    Have you ever released one to the public?
    Have you ever been bombarded with questions or concerns on how just a 'red screen' comes up, because you forgot to change the checksum?
    Tired of telling them to turn on auto fix checksum in Gens?

    Well, if you're tired of that, then just follow these simple steps and you're safe to release your hacks to the public. That's right, disabling the checksum check.

    Easy, just follow this simple step.

    Sonic 1 - Change $33A to $4E $71 $4E $71
    Sonic 2 - Change $346 to $4E $71 $4E $71

    Happy Birfday. Make hacks and give them to people now, where they won't be confused about why you changed the Sega logo to a red screen that lasts indefinitely.


    FINITO
     
  2. Rarmander

    Poetaster Member
    This is informative and I think it should be pinned. Anyone else concur?
     
  3. Skaarg

    Member
    NOT UNTIL HE SPELLS BIRTHDAY RIGHT!!! :P Anyways, thank you very much for this info. I'll definitely use this in my hack as soon as I start understanding hex a little bit more.
     
  4. Quickman

    be attitude for gains Tech Member
    Yes.

    Not yet.

    *cough* *cough* *splutter* *hack* *pukes phlegm all over fuzzbuzz*

    YES, ESPECIALLY WHEN THERE'S A PINNED TOPIC ABOUT IT. <_<
     
  5. drx

    mfw Researcher
    I always use this method =P
     
  6. JoseTB

    Tech Member
    More games to add (done the same way: two NOPs, i.e. 4E 71 4E 71):

    $33A   - Sonic 1 (Jap)
    $249BE - Sonic & Knuckles
    $249BE - Sonic 2K
    $249BE - Sonic 3K
    $249BE - Sonic 1K (special stages)
    $22FC4 - Sonic 3

    These offsets are correct, and yes, I said $249BE four times.
     
  7. drx

    mfw Researcher
    It's because all those S&K lock-ons are S&K ROMs with other games' data =P By the way, I don't know why there is a subroutine for checksum checking (why it isn't built into the hardware).
     
  8. JoseTB

    Tech Member
    I know, probably the only difference between the different lock-on ROMs is some value in a routine that tells it to jump to a different part of the code.
    It's probably only for internal Sega security, to not allow somebody to modify the ROM without permission while they are developing.
     
  9. LocalH

    roxoring your soxors Tech Member
    Well, it works completely differently in hardware, and so far is only properly emulated by having different combined ROMs. What happens is, when you lock on S2, it shows up at $200000 (S&K is always at $000000 of course). Also, a 'hidden' 256K ROM containing the S2&K game logic appears at $300000, and the S&K code jumps to $300000. When you lock on S3, it appears at $200000, and the hidden ROM doesn't appear at all, since S3 fills up the rest of the Genesis' addressable ROM space. And when you lock on S1 or (most) any other game, it jumps to the blue spheres game, although the game you get with S1 is different from what you get with any other cart.

    This is why merely combining the ROMs works with any emulator, and indeed the combined ROMs would work correctly when copied onto a flashcart or used with a backup device. For ages, the existence of the hidden 256K ROM was not known, and it was felt that S2&K emulation would require emulator modification.
     
  10. JoseTB

    Tech Member
    I remember I read that in the old SSRG. Anyway, nice stuff. I may try to see how it works, now that I know 68k (because when I read it I didn't know anything about 68k).
     
  11. Tom41

    Pheer the baby EggRobo! Oldbie
    I often use a Game Genie to change the country lock on my carts from E to U, so my EU carts will run on my EU MD2 in 60Hz mode.
    (Modding it to run in 60Hz also changes the console region to U.)
    But on some games that causes a checksum failure, so some form of Master Code is needed to make the game start up.

    4E 71 translates to Nq in ASCII, and that's an instruction which basically means 'do nothing'. So instead of coming across the instruction which makes the game run its checksum routine, it just skips over that and goes on to the next bit of code - almost like commenting out source code, but with the binary ;)

    I've never come across a Red Screen problem when using Game Genie codes on Sonic 1/2 on the real console, but I have had it so the game doesn't even get to the SEGA screen (freezes on black screen) unless I have the code switch disabled when it starts up. Is this a checksum problem? (If so, thanks for the checksum fix code :()

    I know this isn't really Sonic related, but I'm sure other games have a 'magic' location which you can NqNq out, to bypass the checksum protection. How easy is it to find this?
     
  12. Quickman

    be attitude for gains Tech Member
    Look for a reference to ($18E).l followed by a branch (6xxx).
     
  13. JoseTB

    Tech Member
    4E 71 means a "nop" in 68k. I don't like calling an instruction by its ASCII representation, because that's only a coincidence, and actually Nq is nothing.

    And add the "nops" where the branch is.
     
  14. Quickman

    be attitude for gains Tech Member
    It may be a coincidence, but that's still the ASCII representation for NOP and it's how most people recognise NOP commands in 68k ASM when looking at it in a hex editor.
     
  15. JoseTB

    Tech Member
    Well, yes, it is a way to recognise it in a hex editor, but I only wanted to say that Nq by itself is no more than a coincidence. Actually it is like changing every "a" in a text to "b" and reading it knowing that b is a. You can search directly for 4E 71 instead of its consequence in ASCII. Although, I understand that the ASCII representation is more graphical in a hex editor.
     
  16. Sonic Hachelle-Bee

    Taking a Sand Shower Tech Member
    I'm working on the lock-on technology with the S2&K long version.
    There are a LOT of jumps in the extra 256KB of S2&K.
    Actually, the S&K part is useless for running S2&K correctly. All the game data (except Knuckles' frames) is in this extra 256KB, or in the S2 part.
    Locking my hack on with S&K works with some modifications.
     
  17. drx

    mfw Researcher
    The checksum checking sub is always the same:

    Code (Text):
    ChecksumCheck:               ; CODE XREF: ROM:0000030Ej
        movea.l  #$200,a0        ; a0 = first word after the header
        movea.l  #RomEndLoc,a1   ; a1 = header field holding the ROM end address
        move.l   (a1),d0         ; d0 = ROM end address
        moveq    #0,d1           ; d1 = running sum

    loc_32C:                     ; CODE XREF: ROM:00000330j
        add.w    (a0)+,d1        ; add the next word, advance a0
        cmp.l    a0,d0
        bcc.s    loc_32C         ; loop while a0 <= ROM end
        movea.l  #Checksum,a1    ; Checksum
        cmp.w    (a1),d1         ; Compare correct checksum to the one in ROM
        bne.w    ChecksumError

    which equals this in machine code:

    Code (Text):
    207C 0000 0200      ; movea.l  #$200,a0
    227C 0000 01A4      ; movea.l  #RomEndLoc,a1
    2011 7200           ; move.l   (a1),d0 / moveq #0,d1
    D258                ; add.w    (a0)+,d1
    B088                ; cmp.l    a0,d0
    64FA                ; bcc.s    loc_32C
    227C 0000 018E      ; movea.l  #Checksum,a1
    B251                ; cmp.w    (a1),d1
    6600 00xx           ; bne.w    ChecksumError

    Just nop out the 6600 00xx.
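    A small Python tool that does in software what this routine does on the console, added here as an illustration and not code posted by anyone in the thread. It recomputes the header checksum exactly as the loop above does (16-bit sum of every word from $200 up to the end address stored at $1A4, compared with the word at $18E), verifies or repairs the header field (the emulator's "auto fix checksum" route, which keeps the check intact), and locates the check by scanning for the 227C 0000 018E B251 sequence that Quickman's hint points at, then reports whether the branch slot still holds a 6xxx branch or has been replaced with 4E71 4E71. The ROM image it works on is constructed inside the script (zero-filled, with the routine placed so the branch falls at $33A); it is not a real game ROM, and the bne.w displacement in it is made up.

```python
"""Mega Drive ROM header checksum: compute, verify, repair and locate the check.

Added example for this thread, not code posted by any participant. The offsets
($18E checksum word, $1A4 ROM end longword, $200 first summed word) come from
the disassembly above; the ROM image built below is constructed, not a real game.
"""
import struct

CHECKSUM_OFFSET = 0x18E   # header word the routine compares d1 against
ROM_END_OFFSET = 0x1A4    # header longword: address of the last ROM byte
DATA_START = 0x200        # summation starts just past the header
NOP_WORD = b"\x4E\x71"    # 68k nop
# movea.l #$18E,a1 ; cmp.w (a1),d1 -- the bytes immediately before the bne.w
CHECK_PATTERN = bytes.fromhex("227C0000018EB251")

def rom_end(rom: bytes) -> int:
    """Last-byte address recorded in the header."""
    return struct.unpack_from(">I", rom, ROM_END_OFFSET)[0]

def compute_checksum(rom: bytes) -> int:
    """d1 = 0; add.w (a0)+,d1 while a0 <= ROM end; result truncated to 16 bits."""
    end = rom_end(rom)
    last_word = end - (end % 2)          # offset of the last word the loop reads
    if last_word + 2 > len(rom):
        raise ValueError("header ROM end %#x points past a %#x-byte image" % (end, len(rom)))
    total = 0
    offset = DATA_START
    while offset <= end:                 # bcc.s is taken while d0 >= a0 (unsigned)
        total = (total + struct.unpack_from(">H", rom, offset)[0]) & 0xFFFF
        offset += 2
    return total

def header_checksum(rom: bytes) -> int:
    """Checksum word stored in the header at $18E."""
    return struct.unpack_from(">H", rom, CHECKSUM_OFFSET)[0]

def verify_checksum(rom: bytes) -> bool:
    """True when the stored and computed sums agree, i.e. the bne.w is not taken."""
    return header_checksum(rom) == compute_checksum(rom)

def fix_checksum(rom: bytes) -> bytes:
    """Store the correct sum in the header: what an emulator's 'auto fix checksum'
    does, and the release-friendly alternative to editing the branch."""
    patched = bytearray(rom)
    struct.pack_into(">H", patched, CHECKSUM_OFFSET, compute_checksum(rom))
    return bytes(patched)

def find_checksum_branch(rom: bytes):
    """Offset of the branch following the $18E compare, or None if absent.
    Mechanised form of 'look for a reference to ($18E).l followed by a branch'."""
    index = rom.find(CHECK_PATTERN)
    return None if index < 0 else index + len(CHECK_PATTERN)

def classify_check(rom: bytes) -> str:
    """'live' for a 6xxx branch, 'nopped' for 4E71, 'absent' or 'unknown' otherwise."""
    branch = find_checksum_branch(rom)
    if branch is None:
        return "absent"
    opcode = rom[branch:branch + 2]
    if opcode == NOP_WORD:
        return "nopped"
    if (opcode[0] & 0xF0) == 0x60:       # every Bcc opcode starts with 6
        return "live"
    return "unknown"

def build_sample_rom(size: int = 0x400) -> bytes:
    """Constructed image: zero-filled, 'SEGA' at $100, end address at $1A4, and
    the routine from the disassembly assembled at $31C so the bne.w lands at
    $33A (the Sonic 1 offset quoted in the first post). Header checksum left 0."""
    rom = bytearray(size)
    rom[0x100:0x104] = b"SEGA"
    struct.pack_into(">I", rom, ROM_END_OFFSET, size - 1)
    routine = bytes.fromhex(
        "207C00000200"    # movea.l #$200,a0
        "227C000001A4"    # movea.l #$1A4,a1  (RomEndLoc)
        "2011"            # move.l  (a1),d0
        "7200"            # moveq   #0,d1
        "D258"            # add.w   (a0)+,d1
        "B088"            # cmp.l   a0,d0
        "64FA"            # bcc.s   loop
        "227C0000018E"    # movea.l #$18E,a1  (Checksum)
        "B251"            # cmp.w   (a1),d1
        "66000010"        # bne.w   ChecksumError (displacement is constructed)
    )
    rom[0x31C:0x31C + len(routine)] = routine
    return bytes(rom)

SAMPLE_ROM = build_sample_rom()             # fresh build, header checksum 0
RELEASE_ROM = fix_checksum(SAMPLE_ROM)      # header repaired, check stays live
NOPPED_ROM = bytearray(RELEASE_ROM)
NOPPED_ROM[0x33A:0x33E] = NOP_WORD * 2      # the $33A edit from the first post
NOPPED_ROM = bytes(NOPPED_ROM)

if __name__ == "__main__":
    for name, rom in (("fresh", SAMPLE_ROM), ("fixed", RELEASE_ROM), ("nopped", NOPPED_ROM)):
        print("%-6s header=%04X computed=%04X match=%-5s check=%s branch=%#x" % (
            name, header_checksum(rom), compute_checksum(rom),
            verify_checksum(rom), classify_check(rom), find_checksum_branch(rom)))
```

    Running it prints one line per image. Note that nopping the branch also changes the computed sum, so the patched image fails the header comparison afterwards even though the console no longer evaluates it; a checker like this one therefore flags both "header does not match" and "check has been nopped" as distinct findings on a ROM it is handed.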
     
  18. fuzzbuzz

    Tech Member
    NOPs are 4E71, for people who don't know.
     
  19. LocalH

    roxoring your soxors Tech Member
    Yeah, you're correct, I looked, and I believe the only access to the 256K ROM (S&KUPMEM), in the main S&K ROM, is a single JMP $300000. The code and a few of the tiles are in S&KUPMEM, and the rest comes from the S2 ROM at $200000. Theoretically, as long as your hack doesn't extend the ROM, all you have to do to get S2&K to work with your hack is modify all the pointers in S&KUPMEM to match those you modified in S2, with $200000 added to them. If your hack is longer, you'd have to derive a disassembly with Nemesis' method and reassemble S&KUPMEM to start at the total size of your hack + $200000, and then modify the JMP $300000 to match that same address. You shouldn't have to modify your hack just to get it to work with S&K.

    At least, that'd be the best way to do it if you're trying to stay faithful to the original lockon concept, which was to take the unmodified Sonic 2 cart and wrap it in new code.
     
  20. Sonic Hachelle-Bee

    Taking a Sand Shower Tech Member
    That's not exactly what I'm doing.
    I've found that the S2&KUPMEM has almost all the data to run the game correctly. Some data is taken from S2, but that's very little.
    Instead of keeping the useless S&K part, I copied in my hack. There is now my hack, some data for Knuckles, the end of the game and sprite placement, S2 at $200000 and the UPMEM at $300000 (there is no more lock-on at this point).
    By changing the vector table, my ROM now starts at $300000 directly (without the JMP feature that was in S&K, which is now removed).
    I made a list of all the things I have to take from my hack (like palettes, level layouts, mappings and art data for the new levels...). I have changed some pointers and some code in the UPMEM to take the data from my hack instead of S2 or the UPMEM.
    This way, I don't modify my hack or S2, but I'm hacking the UPMEM itself, changing its pointers to take everything I need to build the Long Version.
    All is perfect now, but I again have a little problem with the new sprites that come from the S2 beta (dinobot, trycerobot...) and with the debug mode password.
    After one week (only?) of hard work, S2&K Long Version is almost ready! :P

    EDIT: Sorry, that may be a little off topic but...