don't click here

Sonic Jam symbol leaks (and the further search for more original S1/CD/2/3/K source code labels)

Discussion in 'Engineering & Reverse Engineering' started by kazblox, Dec 5, 2019.

Tags:
  1. Dec 5, 2019 #1
    kazblox

    kazblox

    Member
    178
    27
    28
    Diassemblies and decompilations.
    Motivated by evilhamwizard mentioning that possible Sonic 3 and Sonic & Knuckles symbol and data leftovers exist in Sonic Jam, I dug through all versions of the game to confirm. Surprise, not surprise, SH assembler leftovers. Then there came the symbols, and I was gazing in awe. He was right.

    To make this quick: The symbol format seems to be a bit verbose, but this is all what I conclusively needed in end: the first 4 bytes after the name. They are laid out as 00 00 04, then either: 06 for addresses, 00 for constants, and FF for constants in which empty bytes are $FF instead of $00. Which symbol gets included per version seems to sporadically vary, except for JP Satakore and partially US.

    Code (Text):
    1. ; Satakore only
    2. sc2ahposit -> 0F F7 DC
    3. sys_pattim3 -> 0F FE B4
    4. extrascore -> 0F FF C0
    5.  
    6. ; both versions
    7. gplap1p -> 0F 78 00
    8. stageno_s2 -> 0F FE 4A
    9. pl2ring_f2 -> 0F FE BF
    10. cartridge -> 0F FF AE
    11. mdstatus -> 0F FF D8
    12. whoplay1 -> 0F FF EA
    13. Stack -> 00 20 00
    14. Fram_md -> 00 38 01
    15. plefectwk2 -> 0C DD 64
    16. hscroll -> 0F F6 1A
    17. bitdev_d6 -> 0F F6 F4
    18. end_timer -> 0F FA 82
    19. limit_flg -> 0F FA AA
    20. bxspeed_m -> 0F FA F8
    21. level or llevel? -> 0F FF A8
    22. Colorbuf -> 0D 7D D0

    Code (Text):
    1. actwk08 -> 0C C2 60
    2. specrevers -> 0F E4 2B
    3. specspeedmax -> 0F E4 44
    4. ramf1 -> 0F F1 00
    5. scr_evta -> 0F EE C0
    6. ringbonus -> 0F F7 D4
    7. sysdirec1 -> 0F FE 74
    8. sysdirspd2 -> 0F FE 7A
    9. plresetflag -> 0F FF 97

    Code (Text):
    1. ; also in JP Satakore
    2. sc2ahposit -> 0F F7 DC
    3. sys_pattim3 -> 0F FE B4
    4. extrascore -> 0F FF C0
    5.  
    6. ; US only
    7. ssonicflag -> 0F FE 19
    8. dmadivide_a0_3 -> 0F FF 70
    9. actwk0a -> 0C C2 F8
    10. scr_v_adj -> E0 02 24 (?)
    11. i_register -> 00 30 00

    Code (Text):
    1. ramf8 -> 0F F8 00
    2. direc_x -> 0F E4 00
    3. cos_z -> 0F E4 10
    4. specxposi -> 0F E4 22
    5. scrc_v_old -> 0F EE A2
    6. scr_work4 -> 0F EE DA
    7. scrc3 -> 0F EE E8
    8. waterposi -> 0F F6 46
    9. automode -> 0F F7 08
    10. swbufcnt2 -> 0F F7 32
    11. fintimer -> 0F F7 94
    12. tobiraposiwk -> 0F F7 B0
    13. plring_s -> 0F FE 32
    14. scra_v_posit_s -> 0F FE 3E
    15. sysdirec8 -> 0F FE 90
    16. sysdirspd9 -> 0F FE 96
    17. stageno_is2 -> 0F FF 9C
    18. emy_wrt_flg -> 0F FA 9A
    19. playerwk2 -> 0C C0 4C
    20. colibuffer -> 0F E3 80
    21. sin_x -> 0F E4 06
    22. watermode -> 0F F7 30

    Code (Text):
    1. ; Satakore only
    2. se_d3 -> FF FF D3
    3. risu04_vram -> 00 04 2E
    4. gole_vram -> 00 05 00
    5. z0406sp_vram -> 00 04 02
    6. z0415sp_vram -> 00 03 2B
    7. z0424sp_vram -> 00 03 39
    8. z0703sp_vram -> 00 03 57
    9.  
    10. ; both versions
    11. pg_next -> FF FF F8
    12. se_a1 -> FF FF A1
    13. se_b0 -> FF FF B0
    14. se_aa -> FF FF 91
    15. ftrr02_vram -> 00 05 00
    16. kumo04_vram -> 00 03 A3
    17. nk0700_vram -> 00 05 00
    18. wood07_vram -> 00 00 01
    19. obox08_vram -> 00 05 36
    20. knuckles_vram -> 00 06 A0
    21. sboom_vram -> 00 03 D1
    22. z0120sp_vram -> 00 03 5C
    23. shibuki1_vram -> 00 03 B2
    24. z0210sp_vram -> 00 03 5F
    25. z0300sp_vram -> 00 03 51
    26. cannon03_vram -> 00 03 74
    27. z1110sp_vram -> 00 03 00
    28. boss00_dev -> 00 00 6B
    29. D0B -> 00 00 03
    30. pad_b -> 00 01 00
    31. handlesub -> 00 00 00
    32. D1B -> 00 00 07
    33. pad_c -> 00 02 00
    34. scrbbase2 -> 00 A0 00
    35. footdir -> 00 00 3A
    36. plpower_mb -> 00 00 01
    37. se_3a -> 00 00 3A
    38. ropesp11 -> 00 00 00
    39. ropesp20 -> 00 00 00
    40. D6B -> 00 00 1B
    41. word -> 00 00 02
    42. pattimm -> 00 00 25
    43. eventflag -> 00 00 37
    44. sprhs_m (couldn't be recovered)

    Code (Text):
    1. D0L -> 00 00 00
    2. pad_l -> 00 40 00
    3. vs_selectgmd -> 00 00 3C
    4. cddat -> 00 00 2A
    5. ring_vram -> 00 06 BC
    6. specply0_vram -> 00 07 D4
    7. dai0020_vram -> 00 04 40
    8. zone0b20_vram -> 00 02 92
    9. zone0c10_vram -> 00 00 00
    10. gole_dev -> 00 00 04
    11. D6L -> 00 00 18
    12. speeduptimer -> 00 00 36

    Code (Text):
    1. ; also in JP Satakore
    2. se_d3 -> FF FF D3
    3. risu04_vram -> 00 04 2E
    4. gole_vram -> 00 05 00
    5. z0406sp_vram -> 00 04 02
    6. z0415sp_vram -> 00 03 2B
    7. z0424sp_vram -> 00 03 39
    8. z0703sp_vram -> 00 03 57
    9.  
    10. ; US only
    11. se_99 -> FF FF 84
    12. se_ac -> FF FF AC
    13. se_bb -> FF FF BB
    14. se_ca -> FF FF CA
    15. end_od -> 00 00 20
    16. bs00m2_vram -> 00 04 74
    17. bs02m0_vram -> 00 05 4F
    18. iwa021_vram -> 00 05 70
    19. frog06_vram -> 00 05 47
    20. bfly07_vram -> 00 05 14
    21. mole07_vram -> 00 05 45
    22. wave01_vram -> 00 03 7A
    23. efect0625_vram -> 00 01 75
    24. efect0715_vram -> 00 00 1D
    25. efect0913_vram -> 00 03 50
    26. efect0922_vram -> 00 03 58
    27. efect0931_vram -> 00 01 94
    28. efect0940_vram -> 00 02 D0
    29. z0a15sp_vram -> 00 03 10
    30. z0b05sp_vram -> 00 03 85
    31. vsasciib_vram -> 00 06 32
    32. z0f10sp_vram -> 00 03 00
    33. boss07m_dev -> 00 00 61
    34. boss0d_dev -> 00 00 78
    35. boss08m_dev -> 00 00 62
    36. boss0e_dev -> 00 00 79
    37. specsubtbl3 -> 00 00 00
    38. specplaycoliwk -> 00 00 44
    39. specringsp39 -> 00 00 00
    40. specringsp48 -> 00 00 00
    41. gamemd -> 00 00 0C
    42. cd_ballj -> 00 00 04
    43. plpower_ab -> 00 00 03
    44. pobj -> 00 00 3F
    45. advamd -> 00 00 04
    46. logoint_fl -> 00 00 02
    47. shot_od -> 00 00 02
    48. ko_adr -> 00 00 44
    49. saru00_vram -> 00 05 48
    50. snkf09_vram -> 00 05 12
    51. iwa091_vram -> 00 05 00
    52. gkn209_vram -> 00 05 2E
    53. bs09m0_vram -> 00 03 FB

    Code (Text):
    1. se_34 -> FF FF B9
    2. se_rockroll -> FF FF 96
    3. cd_down -> 00 00 01
    4. pri_4 -> 00 02 00
    5. sd_08 -> 00 00 08
    6. sd_17 -> 00 00 17
    7. sd_26 -> 00 00 26
    8. se_43 -> 00 00 43
    9. se_52 -> 00 00 4E
    10. se_61 -> 00 00 58
    11. se_70 -> 00 00 62
    12. se_dC -> 00 00 32
    13. bs02b0_vram (couldn't be recovered)
    14. se_44 -> 00 00 44
    15. se_53 -> 00 00 4F
    16. se_62 -> 00 00 59
    17. se_71 -> 00 00 63
    18. se_80 -> 00 00 72
    19. se_dD -> 00 00 32
    20. pause_b -> 00 00 07
    21. mvlr_bit -> 00 00 03
    22. oya_adr -> 00 00 46
    23. bs03b0_vram -> 00 04 30
    24. efect0012_vram -> 00 02 FE
    25. efect0021_vram -> 00 00 CA
    26. efect0111_vram -> 00 02 DC
    27. efect0120_vram -> 00 02 5E (?)
    28. exp0100_vram -> 00 04 D2
    29. bs00bw_vram -> 00 03 52
    30. yado01_vram -> 00 05 00
    31. bs06b1_vram -> 00 04 25
    32. bgm_zone002 -> 00 00 02
    33. bgm_zone011 -> 00 00 03
    34. efect0124_vram (couldn't be recovered)
    35. [bos?]s09_dev -> 00 00 74
    36. starsp01 -> 00 00 00
    37. scu_spr -> 00 00 4D
    38. col_b -> 00 04 00
    39. levertimer -> 00 00 39
    40. hitcolflagb -> 00 00 0F

    Note that for addresses that start with $0C instead of $0F, you will have to add $8000 to get the actual Work RAM high location. Think the same goes with addresses that start with $0E. Figuring this out (the hints should have given it away anyway) also lead me to conclude that the RAM per object for 3 & Knuckles in Jam is 2 bytes bigger, for some reason.
     
    Last edited: Dec 5, 2019
    • Like Like x 9
    • Informative Informative x 3
    • Useful Useful x 1
    • List
  2. Dec 5, 2019 #2
    Aerosol

    Aerosol

    Not here. Moderator
    11,213
    609
    93
    Not where I want to be.
    Sonic (?): Coming summer of 2055...?
    Phenomenal work! Thanks for this.
     
  3. Dec 5, 2019 #3
    Mastered Realm

    Mastered Realm

    Member
    3,876
    586
    93
    -
    Someone needs a promotion to techie :)
     
  4. Jan 12, 2024 #4
    BenoitRen

    BenoitRen

    Tech Member
    945
    573
    93
    Hi, could you clarify this? Will adding $8000 get me the RAM location of where it resides in the Saturn's memory, or the Mega Drive's?

    Could you also expand on objects being 2 bytes bigger? I suspect some labels are off by 2 bytes when trying to map them to Mega Drive RAM.

    Now that I'm through the list of addresses, I wonder what the list of constants means.
     
    Last edited: Jan 12, 2024
  5. Jan 14, 2024 #5
    Brainulator

    Brainulator

    Regular garden-variety member Member
    808
    237
    43
    United States
    For both of these questions, let's look at one example:
    playerwk2 is the RAM address in which the second player is contained, equivalent to Player_2 in the current GitHub disassembly of Sonic 3 & Knuckles. Subtract $0CC000, divide by $4C, multiply by $4A (the size of an object's RAM in the Mega Drive version), and add $FFB000 to get the equivalent MD RAM address: $FFB04A. Similarly:
    • plefectwk2 -> $0CDD64 -> $1D64 -> $63 -> $1C9E -> $FFCC9E (= Dust_P2 in GitHub disasm)
    • actwk08 -> $0CC260 -> $260 -> $8 -> $250 -> $FFB250
    • actwk0a -> $0CC2F8 -> $2F8 -> $A -> $2E4 -> $FFB2E4
    It would seem that plefectwk2 is the work RAM (wk) for effects (efect) left by player (pl) 2 (2).
    I have figured a good number of them out:
    • Symbols listed with all zeroes seem to be locations within the program itself.
    • Symbols ending with _vram appear to be VRAM locations, measured in cells and without priority, palette, or flip information. I'll list a few I'm pretty sure of:
      • gole_vram: signpost
      • cannon03_vram: Carnival Night Zone cannon (CNZ being zone 3 internally)
      • ring_vram: rings
      • specply0_vram: Special Stage player 1
      • frog06_vram: Ribot, the Launch Base Zone (zone 06) frog enemy
      • Symbols starting with bs seem to involve bosses
      • Symbols starting with efect involve animated level art
    • Some offsets which I suspect were used with 68k data register simulation (relevant post):
      • D0L = 0
      • D0B = 3 (D0L+3)
      • D1B = 7
      • D6L = $18
      • D6B = $1B (D6L+3)
    • Symbols starting with se_ seem to be sound effect offsets.
    • Symbols starting with bgm_ seem to be music.
    • Symbols ending with _dev appear to be numbers for entries in the pattern load cue lists (or divdevtbl).
    • Symbols ending with md appear to be game mode values: spgamemd is attested in the Sonic 2 Nick Arcade prototype, in which it refers to the Special Stage game mode. (I suspect this value may have even been kept around in Sonic 3 & Knuckles's code.)
    • Symbols starting with pad_ are possibly for controller buttons. I am not sure.
    • pg_next seems to be used by "raw" animations.
    • word is, well, a word (that is, 2 bytes). Attested in S2NA.
    • plpower_mb and plpower_ab seem to be bits within $2B of a player's RAM, the former being invincibility (muteki) and the latter being... I don't know. They're equivalent to Gems Collection Sonic CD's plpower_m and plpower_a.
    • scrbbase2 seems to be the base VRAM address for scroll plane B at some point.
    • SST values:
      • footdir: player angle
      • pattimm: master value for pattim. Attested in Gems SCD
      • ko_adr: child address
      • oya_adr: parent address
      • cddat: status bitfield. Attested in S2NA and Gems SCD
      • speeduptimer: timer for speed shoes
    • cd_ballj and cd_down seem to be bits used by cddat: cd_down is attested in February 1990 dev footage of Sonic 1, while cd_ballj lines up with the bit that locks horizontal controls when jumping after rolling.
    • hitcolflagb might be a collision thing.
    • pri_4 seems to be priority level 4, presumably used by sprpri (the sprite's priority value).
     
  6. Feb 21, 2024 #6
    BenoitRen

    BenoitRen

    Tech Member
    945
    573
    93
    Some time back I've cross-referenced the addresses with the wiki's RAM data information.

    These are the ones I'm sure about:
    $E400 direc_x
    Part of "In 1-player mode, this is Sonic's statistic recording buffer, used by Tails' AI. In 2-player mode, this is player 2's position table.".

    $E406 sin_x
    Part of "In 1-player mode, this is Sonic's statistic recording buffer, used by Tails' AI. In 2-player mode, this is player 2's position table.".
    $E410 cos_z
    Part of "In 1-player mode, this is Sonic's statistic recording buffer, used by Tails' AI. In 2-player mode, this is player 2's position table.".

    $E422 specxposi
    Part of "In 1-player mode, this is Sonic's statistic recording buffer, used by Tails' AI. In 2-player mode, this is player 2's position table.".

    $E444-$E445 specspeedmax
    Special Stage speed. Starts off at $1000 and is incremented by $400 every time the speed increase timer expires until it reaches $2000.

    $EEA8 scrc3
    Plane X-wrap value.

    $EEC0-$EEC3 scr_evta
    "Screen event routine counter." and "Trigger event routine counter.".

    $EEDA-$EEDD scr_work4
    Various meanings in level events and sometimes other game modes. Every word usually has different meaning.

    $F646-$F647 waterposi
    Current water level.

    $F708-$F709 automode
    Tails CPU routine.

    $F730 watermode
    Water flag.

    $F794-$F795 fintimer
    Some type of timer used in palette fade routines.

    $FAAA limit_flg
    Flag which is set when a title card goes away, or when an Act 1 results screen goes away.

    $FE19 ssonicflag
    Super/Hyper Sonic flag.

    $FE32-$FE33 plring_s
    Starpole variables. Number of rings collected.

    $FE3E-$FE3F scra_v_posit_s
    Starpole variables. Plane A Y-position.

    $FE4A-$FE4B stageno_s2
    "Current zone." and "Current act.".

    $FEBF pl2ring_f2
    Extra lives bits from rings for player 2.

    $FF97 plresetflag
    If set, the sprite and ring loaders will not clear the respawn table when the level loads. Used for returning from special and bonus stages.

    $FF9C stageno_is2
    Apparent Zone in which special stage or bonus stage was entered.

    $FFA8 llevel
    Part of "Level number in Blue Sphere".

    $FFAE-$FFAF cartridge
    0 if locked on to Sonic 3; nonzero otherwise.

    $FFC0-$FFC3 extrascore
    Amount of score required for the next extra life.

    $FFD8 mdstatus
    Hardware register value, specifically the region bits (bits 6 and 7).

    $FFEA whoplay1
    2p mode player 1's character.
    These ones are referenced in Sonic & Knuckles Collection, but there's not enough information to be sure that I've matched the RAM location:
    $7800-$7803 gplap1p
    Part of "128x128 chunk mappings".

    $E380 colibuffer
    Number of objects currently in collision response list, multiplied by 2.

    $E42B specrevers
    Unknown in Special Stage.

    $EEA2 scrc_v_old
    Unknown.

    $F100 ramf1
    Plane buffer.

    $F61A-$F61D hscroll
    Unused, but cleared in various places.

    $F7B0 tobiraposiwk
    Unknown, used by some objects for storing player-specific state.

    $F800-F803 ramf8
    Part of "Sprite table buffer.".

    $FA82-$FA83
    end_timer Unknown.

    $FA9A emy_wrt_flg
    Unknown.

    $FAF8 bxspeed_m
    Part of "Unknown".
    These aren't referenced, so I'm not sure about having matched the RAM location at all.
    $F6F4 bitdev_d6
    Part of "Used by the PLC routines using decompression.".

    $F732 swbufcnt2
    Unused.

    $F7D4 ringbonus
    Ring bonus counter at the end of level result screen.

    $F7DC-$F7DD sc2ahposit
    Unused, referenced in dead code.

    $FE74 sysdirec1
    Part of "Oscillating numbers data.".

    $FE7A sysdirspd2
    Part of "Oscillating numbers data.".

    $FE90 sysdirec8
    Part of "Oscillating numbers data.".

    $FE96 sysdirspd9
    Part of "Oscillating numbers data.".

    $FEB4 sys_pattim3
    Unknown.

    $FF70 dmadivide_a0_3
    Part of "The KosinskiM decompression and DMA queue.".
     
  7. Feb 21, 2024 #7
    Brainulator

    Brainulator

    Regular garden-variety member Member
    808
    237
    43
    United States
    • I think stageno_s2 and stageno_is2 are both used specifically by starposts.
    • colibuffer is used by the object collision processing routines.
    • ram_f1 and ram_f8 I suspect were used for clearing RAM. I could be wrong, though.
    • emy_wrt_flg is equivalent to Slotted_object_bits in skdisasm.
    • sys_pattim3 is also in Sonic CD Gems Collection.
     
  8. Apr 28, 2024 #8
    BenoitRen

    BenoitRen

    Tech Member
    945
    573
    93
    I was looking at the lists again, and I think I know what "levertimer" with value 0x39 is. It's a sprite status object index. According to the wiki:
    It caught my eye because "lever" is referenced in Sonic's code. It was one of the most painful Sonic CD functions to decompile. Now I finally know what the heck it was referring to.
     
  9. Apr 28, 2024 #9
    Kilo

    Kilo

    The Scatterbrained Hacker Tech Member
    1,328
    1,265
    93
    Canada
    Sonic 1 Source Code Recration
    I mean I suppose calling it lever makes sense in a way... Since a lever can go up or down.
     
  10. Aug 29, 2024 #10
    BenoitRen

    BenoitRen

    Tech Member
    945
    573
    93
    Was looking at this list again, and wanted to note down one finding:
    Code (Text):
    1. scr_v_adj -> E0 02 24 (?)
    I can't be sure because the numbers don't entirely line up, but this seems to be the label for the region $EE02-$EE03. The wiki description does seem to match the name: "Variable set by the vertical scroll manager to the difference between the old and new camera Y positions, multiplied by 256".