
Tripping the Lock-On™ Technology

Discussion in 'Engineering & Reverse Engineering' started by RealMalachi, Jan 21, 2024.

  1. VAdaPEGA

    Both have their own pros and cons when you think about it:
    S3 RAMsplosion method works with just about any cartridge but requires at least 4MiB of ROM space (2MiB if you use S3's serial, lower if you're masochistic).
    KtEiS2 Sound Driver jump exploit only requires 3MiB of ROM space (or 1MiB if you use one of S2's serials, 512KiB if you're masochistic), doesn't require extra ROM space to set up (fake header + code at the jump point), but potentially only works on cartridges without SRAM (compatibility still in research).
    If it ends up working the same way the SRAM version does, it may produce the same result, otherwise yes, it should play fine.
     
  2. Devon

    Aren't plain ol ROM chip sizes powers of 2? Even if a game was 3 MiB, it'd still go on a 4 MiB ROM chip. I do know that Knuckles Chaotix is only 3 MiB, but uses 2 ROM chips to accomplish that.
     
  3. VAdaPEGA

    Look, just let me be Thomas Edison for a moment and spread misleading facts :V (yeah no, I didn't think too hard about it)
     
  4. Chimes

    So which one of you is gonna go the Satan's helper route and desolder a regular game's mask chip and install a socket with a custom EPROM to use with S&K?
     
  5. Sonic Hachelle-Bee

    That's the point I finally wanted to discuss here. There is about no practical purpose for exploiting this, besides the challenge and bragging rights.

    99.9% of hack players only play on emulators or on a pretty new Mega Everdrive flashcart. Emulators do not care for the exploit, and Mega Everdrive seems incompatible, or hard to make compatible at best. The easiest solution so far: MDPro flashcart and S3 RAMplosion work out of the box. But who owns an MDPro flashcart nowadays? And the means to program one? I only found and included the exploit in my hack 12 years ago because I ultimately want a shiny MDPro with a shiny "Sonic 2 Long Version" label on it that is compatible with lock-on technology, just like the original S2 game. But I'm well aware that this is all for almost nothing for the public. That's why, to reach the other 99.9% of the players, I also made sure that you can access all the features of the locked-on game from the regular game (with what I call a "software lock-on" internally).

    Long story short, why make "Aladdin & Knuckles" with almost 0 public audience, when you can simply make a standard ROM hack of Aladdin including Knuckles playable for everyone?
     
  6. VAdaPEGA

    It's less about the practicality and more just the fact it works and is a neat hidden extra. I like small details even if they take months to develop and especially if they take years to find, plus this presents a fun challenge to reverse it.
    If accessibility is a problem, I can just do what I have with my other projects and hide a Lock-on tool when you unzip the ROM.
     
  7. Do any of these exploits work with HackingWiz Pro? I ask this because I can't get that program to run on my PC.
     
  8. Sonic Hachelle-Bee

    I agree with what you say, VAdaPEGA. It was just to tone down expectations a little, to clarify what this exploit can do and, practically, what to expect from it. It is good as a little extra cherry on the top. This is not a magical tool that can transform any game into game & Knuckles in a snap. You have to do the proper ROM hack before, which cancels the point of having to lock on.
     
  9. Bobblen

    The fun part of any homebrew on older hardware is pushing it to its limits and getting it to do things we haven't seen before. S&K lock-on support for something that is not Sonic 2/3 and isn't Blue Sphere certainly qualifies!
     
  10. DigitalDuck

    If you're going to modify a ROM anyway you may as well just modify Sonic & Knuckles and have the patches applied directly. I think it'd be fun to mess with people with this though.

    Imagine taking your "perfectly normal" Sonic & Knuckles cartridge to a retro convention or something and saying you've unlocked the ability to make it work with any game. Someone plugs in their copy of Bonanza Bros. and has Sonic and Knuckles replace Mobo and Robo. Or they plug in SOR2 and get this (Bare Knuckles?).

    Of course, every game you want to work has to have its own code written; it's not a simple case of "it just works". Maybe we could start a big "& Knuckles Project" and have people work on patches for games they want to include. (or not, this is literally "make my idea for me")
     
  11. Devon

    For what it's worth, Genesis Plus GX allows you to define a path for Sonic & Knuckles and the Knuckles in Sonic 2 UPMEM, and with them it can emulate the lock-on tech. The version on RetroArch allows this.

     
    Last edited: Jan 23, 2024
  12. rata

    Everdrive Pro & Knuckles, damn it!
     
  13. RealMalachi

    I found a massive annoyance with the RAMsplosion method if your game uses SRAM.
    Before we're able to explode RAM using the title screen, the game fully initiates some things such as the sound driver, and calls a routine called SRAM_Load, which initiates SRAM if it's detected to have incorrect data.

    Here's a cut-down version of the routine, just the part loading the competition mode's data and the subroutines it uses.
    There's more code than this, but it should be enough to understand.
    Code (Text):
    SRAM_Load:
        tst.w   (SK_alone_flag).w
        bne.w   .exit                   ; Don't bother if we're not playing S3K
        lea     ($200011).l,a0
        lea     ($2000BD).l,a1          ; seemingly a backup copy
        lea     (Competition_saved_data).w,a2
        moveq   #84/2-1,d0              ; all word data, 80 byte sram data, 2 byte integrity value, 2 byte checksum
        move.w  #"LD",d1                ; $4C44 ; integrity value in question
    ; check main
        movea.l a2,a3                   ; save registers for backup check
        move.w  d0,d2
        bsr.s   Read_SRAM
        beq.s   .next
    ; if main fails, check backup
        movea.l a1,a0                   ; use a1 instead of a0
        movea.l a3,a2
        move.w  d2,d0
        bsr.s   Read_SRAM
        beq.s   .next
    ; if neither are correctly set (incorrect checksum or lacking integrity value)...
    ; ...load initial competition data into sram
    ; regardless, do a similar, but much larger check for save select files

    ; subroutines
    Read_SRAM:
        move.b  #1,(SRAM_access_flag).l ; Access SRAM
        movea.l a2,a6                   ; save registers for checksum calculation
        move.w  d0,d6
    ; load data, integrity value and checksum into ram
    .loop
        movep.w (a0),d3                 ; Get data from SRAM (odd bytes at a0 and a0+2)
        move.w  d3,(a2)+                ; Copy it into RAM
        addq.w  #4,a0
        dbf     d0,.loop
        move.b  #0,(SRAM_access_flag).l ; No longer access SRAM

        subq.w  #1,d6                   ; only check data and integrity value
        bsr.s   Create_SRAMChecksum     ; Get the checksum of the given data
        cmp.w   (a6),d7                 ; Compare the checksum result
        bne.s   .rts
        cmp.w   -2(a6),d1               ; Compare the integrity value with the data given in d1
    .rts
        rts                             ; if either are incorrect, it results in a failure

    Create_SRAMChecksum:
        moveq   #0,d7
    .chk_loop
        move.w  (a6)+,d5
        eor.w   d5,d7
        lsr.w   #1,d7
        bcc.s   .chk_carryclear
        eori.w  #$8810,d7
    .chk_carryclear
        dbf     d6,.chk_loop
        rts
    An easy way around it would be to avoid using SRAM offsets $001-$3FF, since that's all the SRAM S3K uses, but honestly that feels a little cheap. Another way would be using even-only SRAM, since S3K is odd-only and I don't see any accidental even writes, although I haven't seen a single game use even-only, and I know for a fact that it'll cause compatibility issues with certain emulators and flashcarts (mainly the dragondrive).
    Though this does mean the KiS2 method does have a better use case, since it doesn't initiate SRAM at all.
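A Python model of the SRAM_Load / Read_SRAM / Create_SRAMChecksum logic quoted in the post above, added here as an example and not part of the original post or the game's code. It reproduces the odd-byte movep.w layout, the $8810 checksum and the "LD" integrity check on a constructed SRAM image, and shows why a blank cart fails the check, how the backup copy at $2000BD rescues a corrupted main copy, and that S3K leaves even bytes alone (the even-only idea raised above); the 1 KiB image size and the 0x55 fill of even bytes are assumptions for the example.

```python
# Model of S3K's SRAM_Load / Read_SRAM / Create_SRAMChecksum; constants from the posted assembly.
INTEGRITY = 0x4C44                   # "LD", the value loaded into d1
MAIN_OFS, BACKUP_OFS = 0x11, 0xBD    # $200011 / $2000BD relative to the $200000 SRAM base
BLOCK_WORDS = 84 // 2                # 40 data words + integrity word + checksum word

def s3k_checksum(words):
    """Create_SRAMChecksum: eor the word in, lsr by one, xor $8810 when a bit falls out."""
    d7 = 0
    for w in words:
        d7 ^= w & 0xFFFF
        carry = d7 & 1
        d7 >>= 1
        if carry:
            d7 ^= 0x8810
    return d7

def read_block(sram, ofs):
    """Read_SRAM's movep.w loop: one 16-bit word per two odd bytes, 4 bytes apart."""
    return [(sram[ofs + 4 * i] << 8) | sram[ofs + 4 * i + 2] for i in range(BLOCK_WORDS)]

def block_valid(words):
    """Read_SRAM's compares: checksum over data+integrity, then the integrity word itself."""
    return s3k_checksum(words[:-1]) == words[-1] and words[-2] == INTEGRITY

def write_block(sram, ofs, data_words):
    """Store 40 data words plus "LD" and checksum in the same odd-byte layout."""
    words = list(data_words) + [INTEGRITY]
    words.append(s3k_checksum(words))
    for i, w in enumerate(words):
        sram[ofs + 4 * i], sram[ofs + 4 * i + 2] = w >> 8, w & 0xFF

def sram_load_accepts(sram):
    """SRAM_Load's decision: main copy, else backup copy, else S3K reinitialises the save."""
    return block_valid(read_block(sram, MAIN_OFS)) or block_valid(read_block(sram, BACKUP_OFS))

def demo():
    sram = bytearray(0x400)                       # constructed 1 KiB SRAM image (assumed size)
    for i in range(0, len(sram), 2):              # assumed: another game keeps its data in even bytes
        sram[i] = 0x55
    blank = sram_load_accepts(sram)               # False: zero checksum matches, but "LD" is missing
    write_block(sram, MAIN_OFS, [0x0102] * 40)
    main_ok = sram_load_accepts(sram)             # True
    sram[MAIN_OFS + 4 * 3] ^= 0x01                # flip one bit in the main copy
    main_bad = sram_load_accepts(sram)            # False: backup still blank, S3K would reinit
    write_block(sram, BACKUP_OFS, [0x0102] * 40)
    backup_ok = sram_load_accepts(sram)           # True: the backup copy rescues the load
    even_intact = all(sram[i] == 0x55 for i in range(0, len(sram), 2))
    return blank, main_ok, main_bad, backup_ok, even_intact
```

The blank-cart case is the one that bites a locked-on game with its own SRAM: an all-zero block passes the checksum compare and fails only on the "LD" word, after which S3K writes its initial competition data over the odd bytes.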
     
  14. VAdaPEGA

    This shouldn't be that big of a problem as long as the SRAM checksum and integrity bytes function the same way between S&K's code and the locked on cartridge.
     
  15. Sonic Hachelle-Bee

    That's exactly what I am doing. This is a bit tricky, but this works fine.
     