Sonic Fighters Hacking

Discussion in 'Engineering & Reverse Engineering' started by Andrew75, Dec 2, 2012.

  1. biggestsonicfan

    In a collaborative effort between myself and @RyogaMasaki, we have found some DIP switch settings which work in conjunction with some debug mode flags.

    The beginning of inputs for Model2 games begins in the area of memory located at 0x01c00000 and in ElSemi's emulator is defined as the IOBASE. ElSemi's emulator also allows reading of memory at this address, however, fails to write to it. The last byte of a DWORD at 0x1c0000c is where the flags for the DIP switch settings are stored in memory. By default, they are set to 1, and thus the byte value here is 0xFF.

    In a combination of having the 15th bit set and the 9th bit cleared at the debug mode address 0x508000 and having DIP switch 0 set on the board, this will enable a debug information display in the game as seen here:


    [​IMG]

    However, since ElSemi's emulator does not support DIP switches, a workaround had to be made that effectively removes the need for the DIP switch to be set in order to work.

    A side effect from this discovery is that if the debug mode value has bit 15 set and the 9th bit is not cleared, this removes all foreground 2D textures (such as the PRESS START BUTTON and health bar hud) from being drawn to the screen.

    The most up to date cheat script as of this post is located here for anyone to freely mess around with.

    I hope I didn't mess up any information here as I am trying to represent it as accurately as possible.
     
  2. biggestsonicfan

    Interesting new discovery. I found the location of the stage order for music loads:

    [​IMG]

    "North Wind", the Sonic vs Knuckles theme, is loaded at offset 0xAE100C.
    "Hurry Up", which is never used in the game, is loaded at offset 0xAE100F.
    So in order, you fight:
    1. Knuckles
    2. Amy
    3. Bark
    4. Espio
    5. Tails
    6. Fang
    7. Bean
    8. Sonic
    9. Metal Sonic
    10. Eggman in Mech
    But note there are 11 songs listed!

    My new theory? You were supposed to fight the mechless Eggman (unused), then he gets in his suit after setting self-destruct. It makes sense to me, anyway.
     
    Last edited: Dec 4, 2019
  3. biggestsonicfan

    WORKING WITH @RyogaMasaki, WE HAVE HARDWARE VERIFIED THE FIRST SONIC THE FIGHTERS CHEAT!

    To see this debug display on hardware, set DIP Switch #1 to the "ON" position, hold "Service Coin" aka "Service 1" button on the motherboard and enter the following code on Player 1's controls: RIGHT, RIGHT, PUNCH, LEFT, RIGHT, PUNCH, KICK, RIGHT, RIGHT, UP, PUNCH.

    As previously indicated, ElSemi's emulator has all DIP switches flipped, so a switch that disables foreground textures takes priority here. But yes, it will work in the emulator, but it crashes MAME.

    THIS IS BIG! Please comment! I've been so alone in this thread, lol.
     
  4. ICEknight

    Hey, nice find! Have you tried entering that code in other SEGA arcade games from that era?

    Regarding the crash, are you using the latest MAME version?
     
  5. biggestsonicfan

    The crash actually happens when one of the dip switches is flipped, specifically 8. Ryoga and I believe that it's hitting some unimplemented opcode. The build that was tested was from last night's git pull, modified to have the DIP switch correctly enabled, which is not yet submitted as a pull request.

    As for other games of that era, Ryoga and I assume it should work on Virtua Fighter 2 and Fighting Vipers as well, as the engine also supports the same base engine. Most games I've looked at have no labels in their code, so it's difficult to assume this might work on those games when there's no literal ASCII text to display to the screen.

    I could take a look, as Dynamite Cop seems promising with labels, but nothing this extensive.
     
  6. RyogaMasaki

    Yeah, I checked both FV and VF2, and they have the same program code, though the actual input code is different.

    To clarify a couple things about this input code: You do not need to have any DIPs set or unset to actually have it enabled; the flag is set as soon as you hit the correct input. But it's good to have only the lowest bit (DIP 1) enabled so you can see the debug text on the screen and have visual confirmation that it's enabled.

    In MAME, it only crashes when the highest bit (DIP 8) is set; the other switches work fine. Clearly this switch does something, but @biggestsonicfan reported there were no obvious changes where it was set on hardware.

    MAME is actually really bad with the i960. In my original article where we found the debug menu (shameless plug!) I had to write a separate cheat just to work around the unsupported opcodes. I do plan to submit a bug report about it eventually...

    For now, I'll be making a PR to MAME soon to add the DIP switches to the VF2/FV/SF boards, which will then be usable with the input codes. Doing some googling around for images, I actually think all Model 2 board revisions have a DIP switch somewhere, so I really think they should be added to all Model 2 boards in MAME... but I'll discuss that with some of the devs on twitter.
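
The flag layout reported in the posts above, as an added example that is not part of any post and is not the cheat script the thread links to: it decodes the DIP byte and the debug word, and computes the word that asks for the debug display. Assumptions: the thread's bit numbers count from 0, "last byte" means the byte at the highest address of the DWORD, the debug word is 32 bits wide, and the function names are hypothetical; the DIP polarity is left as a parameter because the thread does not settle it.

```python
DEBUG_ADDR = 0x508000        # debug mode flags (address from the thread)
DIP_DWORD_ADDR = 0x1C0000C   # DWORD whose last byte holds the DIP flags (thread)
BIT_DEBUG = 1 << 15          # assumption: bit numbers in the thread count from 0
BIT_FOREGROUND = 1 << 9      # set together with bit 15: foreground 2D hidden


def dip_switches(dword_bytes, on_level=1):
    """Return the DIP switch numbers (1..8) that read as on.

    dword_bytes: the 4 bytes read at DIP_DWORD_ADDR (assumption: the flags
    are in the byte at the highest address). DIP 1 is the lowest bit and
    DIP 8 the highest, as stated in the thread. on_level is the bit value
    treated as "on"; the polarity is an assumption the caller chooses.
    """
    flags = dword_bytes[3]
    return [n + 1 for n in range(8) if (flags >> n) & 1 == on_level]


def describe(debug_word, switches):
    """Map the debug word and active switches to the behaviour reported."""
    if not debug_word & BIT_DEBUG:
        return "normal"
    if debug_word & BIT_FOREGROUND:
        return "foreground 2D textures hidden"
    if 1 in switches:
        return "debug display shown"
    return "debug flag set, display not shown"


def with_debug_display(debug_word):
    """Set bit 15 and clear bit 9, leaving every other flag untouched."""
    return (debug_word | BIT_DEBUG) & ~BIT_FOREGROUND & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample values, not a dump from hardware or an emulator.
    sample_dword = bytes([0x00, 0x00, 0x00, 0xFF])   # default byte 0xFF
    switches = dip_switches(sample_dword)
    word = with_debug_display(0x0201)
    print(switches, hex(word), describe(word, switches))
    if 8 in switches:
        print("DIP 8 reads as on: the thread reports a MAME crash with it set")
```
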
     
  7. kazblox

    Be sure not to report the bugs to MAMETesters as Model 2 specific bugs, if they aren't the case! Model 2 is a NOT_WORKING driver, and thus any reports will be closed.
     
  8. RyogaMasaki

    The bug is with the i960 CPU in particular, but I'll keep that in mind and do my research before doing so. Thanks!
     
  9. qwertysonic

    I've been following this thread and I appreciate the work done here.
     
  10. RyogaMasaki

    Hi, who ordered the Sonic the Fighters prototype title screen and preview version ending screens?

    [​IMG]
    [​IMG]
    [​IMG]