Lock-On Technology Hacking Guide

The complete reference guide for adding the "Lock-On Technology" enhancements to Sonic the Hedgehog 2 & 3 and others.
By NO CARRIER

Revision: 2.1E (English)
Released: 01202000


English | Español | Français| Italiano
1. Introduction
2. Things to Know
3. Sonic 3 and Knuckles
4. Sonic 2 and Knuckles
5. Sonic 1 and Knuckles
6. Sonic and Knuckles With Anything
A Contributions:

This document is intended to provide a complete technical documention of the Lock-On technolgy found in the SEGA game "Sonic and Knuckles." The information in here comes after years of on and off research from many contributors, including myself. We hope you find this information useful!

1.) Introduction

What SEGA wants you to know

By merely placing any Sonic game into the Lock-On port of the S&K cart, one will be able to play as Knuckles within that game. Attach Sonic 2 and take advantage of Knuckle's special moves to discover secret powerups and hidden passages. Attach Sonic 3 to transform S&K into a huge 32-Megabit epic with a more intensive story line and over a dozen total zones to explore!

This is all accomplished using some new technology called "Lock-On Technology."

What SEGA does NOT want you to know.
There is nothing magical or revolutionary about the "Lock-On Technology. It was rumored that Sonic 1 had a glitch that crashed the game if Knuckles glided onto a conveyor built, so a 3D bonus level game was created instead. Sonic 2 was patched to enable Knuckles by using a hidden 256k ROM within the S&K cart. Sonic 3 was designed with S&K in mind. In fact, it is believed that the levels in S&K3 were originally planed for Sonic 3.

Never the less, implementing this concept with Sonic 2, a game which was already on the market, was not an easy task. This innovative new idea brought some fresh new life to the Sonic line of games in a manner none have seen before!

2.) Things to Know

Binary Format Only
Make sure that the ROMs you use in this project are in binary (.bin) format. The other file formats, such as .smd and .md, will not work. The reason for this is because their file formats store the data in a manner that differs from the original. Bluntly speaking, it tosses blocks of bytes into different locations which alters their corresponding addresses. The binary format, on the other hand, is a straight flush of the data from the original ROM. This means that the data you see is stored in the same locations as of that in the physical counterpart. For a complete explanation of the .smd and .md file formats and to gain a better understanding on why these formats cannot be used, refer to this doc.
Lanchtool's Genesis ROM documentation.

If you happen to have ROMs in the .md or .smd format, do not despair. They can be easily converted to the .bin format using a ROM conversion utility. I prefer Lanchtool for this task since it runs the fastest and is easy to use. Lanchtool homepage. If you are using a MAC, then you should check the SMD to BIN converter that our French mirror maintainer has written.

Dirty ROMs
I have noticed after months of experience that some copies of the S&K ROM floating around the web are "dirty." What I mean by dirty is that some bytes within the ROM image do not match the original. There are many possible explanations on why a few bytes might be off, such as a stray signal being absorbed by the ROM copier's circuitry, but oddly enough, only a few bytes are off and at the same locations.

How can this be true? Well, I'm not experienced in ROM copiers, so it could be a design flaw in dumpier itself. The bytes that are off are located not that far from the header, so if these bytes were off, it wouldn't not be too crucial to the normal operation of the ROM. However, the bytes in question are located right around the area in the ROM believed to be where the decision making of what ROM is the in the expansion port is made. So, it's credible to assume that a different final S&K ROM exists and is floating around the net with the normal one.

Nevertheless, if you happen to have a dirty S&K ROM, you will simply need to take an additional step of running a hex editor and correcting the altered bytes. If the thought of using a hex editor make you squeamish, then you can try one of the IPS patches that I have made instead. Ever way, this step can be performed before or after the S&K cart is combined to another cart.

Combining the ROMs
This step is quite simple, really. You must understand that when you lock-on another game to the expansion port, the SEGA Genesis will treat the memories of the two cartridges and one large contiguous segment of memory. So, it should come as no surprise that in order to create a cart that resembles, say S&K locked-on with Sonic 3, we merely concatenate the two ROM images together to generate the "one large contiguous segment of memory" that the Genesis will see.

This step can be accomplished by tacking on Sonic 3's data, byte per byte, from the beginning of the Sonic 3 cart to the end of the S&K cart. This step can prove to become a grueling task if done by hand in a hex editor. A program can written to do the job for us, but the easiest way to handle this task is to use DOS's COPY command. We can instruct COPY to perform a binary copy to concatenate the two binary files into one large binary. The syntax to accomplish this task is as follows:


COPY /B S&K.BIN + SONIC3.BIN SONIC4.BIN
           |            |            |
           |            |            - Output name (Can be anything you wish.)
           |            |
           |            - Name of ROM to Lock-On
           |
           - Sonic and Knuckles ROM name

To understand why this works on an emulator, we need to look at the hardware from a programmer's perspective. In order for the program to access any data, it must specify an address. So, if a programmer requests data in the Sonic 3 cart, the programmer just needs to call the address corresponding to that part of the ROM. He/she does not need to know how this is handled hardware wise, other then the fact that the memories of the two carts is treated by the Genesis as "one large contiguous segment of memory." That is why this technique works correctly on an emulator without the need of neither a clever ROM patch nor any additions to the emulator itself: there is no extra programmable hardware that plays a roll!

To gain a better understand on how this is implement hardware wise, you will need to examine the extra circuitry in the ROM and figure out what it does. Download this schematic of the key circuitry in the ROM and read this technical explanation I wrote. To make a long story short for those experienced in hardware, the extra circuit behaves as a bank switch mechanism, which enables/disables the appropriate ROM cart based on the upper bits of an address request. The circuitry incorporated is more complex then that used to switch between, say 4-64k ROM chips, so you might want to take a peak none-the-less.

3.) Sonic 3 & Knuckles

Sonic 3 and Knuckles (S&K3)
Stealth, Tom, and a few others have called the Lock-On Technology a sham. The reason for this is because there is evidence that Sonic 3 was designed to be associated with S&K ROM sometime in the future. One example is the ability to select Knuckles from the character select screen in Sonic 3. This can be accomplished with some cleaver hex editing of a save state associated with that location in the game. The biggest piece of evidence is the existence of some of the levels of S&K within Sonic 3. For more information on how to expose these hidden levels, visit
Tom's Sonic Hacking station.

The most obvious piece of evidence is how the SRAM chip in the Sonic 3 cart is utilized by Sonic 3 and S&K. If you save a game in Sonic 3 and then try to save a game at the same location with Sonic 3 Locked-On to S&K, you will discover that the location in question is blank or contains a different savestate altogether. The fact that they don't over write each other's save states proves that one was written with the other in mind. (Give this a shot with the real game carts and with an emulator!)

But alas, there is a problem! If you try to save a game with a generated S&K3 ROM on an emulator: it doesn't actually save the game to disk. This problem is attributed to the fact that the S&K ROM header does not explicitly specify that SRAM exists. To understand why this is a problem, and how to provide a solution, we need to understand how SRAM works.

If you examine the circuitry of S&K cart, you will notice that the S&K cart passes all of its data and address lines to the cart in the expansion port. This circuitry ensures that whenever a request is made to access SRAM, the cart in the expansion port, namely the Sonic 3 cart, will receive it.

From a programmer perspective, any Genesis hardware, weather it be a register, system RAM, ROM, VRAM, or even SRAM, is accessed by addressing memory within a certain range (band) of memory. This technique is called I/O mapping. An emulator will register any data written to/from any band of memory and record it in its memory; SRAM is no exception. So if a game requests to write a piece of data to SRAM, the emulator will record the new data and register it in the emulators's memory. It will become the task of the emulator to assure that the newly written piece of data is accuratly acted upon within the emulator, whether it be used to control an I/O device or lay simply as data.

Once you exit the emulator, the data in emulator's memory is lost, which means that the data in system RAM, VRAM, etc, is lost as well. Since the emulator does not know that SRAM exists, it does not bother to emulate SRAM by saving its data to disk. It might seem foolish for an emulator author not to store any data in a band of memory primarly used for SRAM. However, not all carts use SRAM, and the data stored here could be as meaningless as random mumbo-jumbo.

So now, as you can imagine, the solution is to make the emulator think that SRAM exists in the S&K cart. This step will require some hex editing of the header of the combined S&K3 ROM image.

The data from 01B0h to 1BBh of the ROM header specified weather or not any external memory (ie, SRAM) is available. If there is any, it will also specify the range of this memory in the form of a starting and ending I/O address. I like to think of them as a "base" and "limit register", which are found in most modern CPU's.

If no external memory exists, then this part of the header is filled with a blank space character (20h.) If you look at the ROM header of an S&K ROM, you will notice that this is what it is currently set to. So now, we need to change these bits to explicity inform the emulator that SRAM exists. This is accomplished by placing the SRAM data from the header of Sonic 3 cart into the header of the S&K3 cart.

Replace data from 1B0h to 1BCh with 5241 F820 0020 0001 0020 03FF
Where:
1B0h to 1B3h: -> Inform unit external memory exists. A "RA" code is used.
1B4h to 1B7h: -> External Ram Starting I/O Address
1B8h to 1BBh: -> External Ram Ending  I/O Address.

Save changes and your favorite emulator should now recognize that your S&K3 ROM does indeed use SRAM. As a challenge, see if you can discover for yourself that the Sonic 3 and S&K3 carts do not overwrite each other's SRAM data when used on an emulator.

4.) Sonic 2 & Knuckles

Sonic 2 and Knuckles
The hack to enable S&K2 took many months of research. Many theories were written on how to enable this ROM and many complex solutions were proposed. In the end, the solution to this problem was as simple as adding an extra parameter to the command line arguement.

What made this quest so troubling for so many was the fact that the S&K ROM contained a hidden 256k patch in memory. If you attempted the copy the contents of S&K2 from a ROM copier, it would fail to recognize and read this extra ROM chip. This special hidden 256k ROM is only enabled if the S&K cart enables it; otherwise it's inaccessible. Refer to my technical document mentioned earlier for information on how this switching is accomplish. For information on how to dump this hidden ROM chip, refer to Rizzo's technical document on this matter. If you are not feeling that ambitious enough to dump the ROM yourself, you can grab the ROM from this site.

Please note that the correct size of the hidden ROM module is 256k in size, not 512k as suspected earlier. Apparently, the pin associated with Address 18 is really a blank pin, meaning it's not connected to the chip itself. Furthermore, the header of the Sonic and Knuckles ROM tells you that it is 256K.

There is actually an undocument section within the header to specify the existance of any secondary ROM modules built into the cart. The location in question has been documented for use as a "memo". (Located from 1C8h to 1EEh.) Appearently, it seems that this location of memory was reserved for future use.

This hidden section begins at 0x1E0 with "RO," (for ROM,) and then has the addresses $300000 and $33FFFF (the starting and ending I/O address.) This implies that the ROM is $33FFFF minus $300000 long, or 256K.

There are many credible reasons on why a hidden ROM was used.. To understand them, you need to examine their accompanying theories on how control is passed from the S&K cart to the Sonic 2 cart. I will discuses the one theory that I feel is the most sound explanation.

Some suspect that the ROM itself is a patch to the graphics and the levels in Sonic 2. (Hence, is the reason why two copyright dates appear on the title screen of S2&K.) This would mean that the S&K ROM has soul control of the Sonic 2 cart and merely uses the original Sonic 2 cart for data. If this is true, why not store this "patch" within the S&K ROM itself? The reason is because there is simply not enough space in the S&K ROM.

So, why not just use a larger ROM chip? The memory chips SEGA uses in their carts are 4MBit, 8MBit, or 32MBit. So, for an extra 256K they would have had to expand the main ROM by at least another 4MBit, which would have been more costly. It would also complicate the circuitry and the programming in many ways. And since the data it would store only needs to be accessed by just one ROM, it was feasible solution.

Now back to business. If you examine Rizzo's schematics of the S&K cart and review my technical document about the mechanics of the cart, you will discover that the way to concatenate the three ROM images is basically the same as before. Simply put, the command reads as follows:

COPY /B S&K.BIN + SONIC2.BIN + S2KUPMEM.BIN SONIC4.BIN
           |            |           | 		|
           |            |           | 		- Output name
           |            |           |
           |            |           - "Patch" or hidden ROM
           |	        |
           |            - Name of Sonic 2 ROM
           |
           - Sonic and Knuckles ROM name

Your newly generated ROM image will work on all emulators, except KGen98. The reason being Kgen98 is a more accurate emulator then the other emulators at the hardware level. This means that Kgen98 is more picky on what it reads and executes. Again, this bug is attributed to the "dirty ROM" syndrome mentioned earlier. Merely modify this byte to enable the ROM on Kgen98.

000003B5: 01->02

Note: This byte can be modified regardless of which emulator you wish to use.

5.) Sonic 1 & Knuckles

Sonic 1 & Knuckles It has been rumored that SEGA initially intended to incorperate Knuckles as a playable charactor in Sonic 1. However, a glitch within the engine caused the game to crash whenever Knuckles glided onto a convayor belt. This eventually lead to the demise of Knuckles appearing in Sonic 1... well it's only a rumor.

To me, unless they were under pressure of a deadline, it seems foolish to eliminate such an incredible feature because of a mere programming flaw. A more logical suggestion would be that there exists locations in the game which are impassible to Knuckles, such as a cliff that is too high to jump to or a boss which can't be defeated by Knuckles's traditional moves. In any event, Knuckles is not a playable charactor in Sonic 1.

If you Lock-On Sonic 1, (US or Jap version,) to the S&K cart, you are presented with a screen displaying Sonic and the gang with the text "NO WAY" scrolling at the top. Press all the buttons on the controller simultaneously to activate the hidden 134,217,728 (2^27) level 3D bonus game. It runs in the same tradition as the ones found in Sonic 3 and S&K, except you advance to a new board once you successfully complete the previous one. It is important to note that you don't have to actually play all 134,217,728 levels. If you're good, you can leap ahead 10 levels instead of one if you get a "perfect on the rings," or in other words, collect all the rings and touch all the blue spheres on the board. (Refer to the boxes at the top of the screen to chart your progress.)

Once you have completed the last level of the game, the game loops back and starts all over again on level 0, which leads to level 1, etc. As you might of guessed, this game is pretty meaningless, (unless you are looking for some practice,) so here are some codes incase you wanted to venture into this 3D challenge yourself.

Now, back to business. Assuming you have a clean copy of the S&K ROM onhand, you should be able to combine the two carts just like before without any problems. If all goes well, you should see a screen with a scrolling "No Way" banner at the top. However, if your S&K ROM is dirty, you will instead witness the normal starting animation of the S&K cart. To correct this problem, you will need to perform the following modification to the ROM:

00000433: 00->2C

Again, this byte is located around the area in the ROM believed to be where the decision is made on what ROM is in the expansion port.

For kicks, here's something I discovered which I can't explain. You will need a dirty S&K ROM, but you can always "contaminate" it so it does not work with Sonic 1. Combine the dirty S&K cart with Sonic 1 and replace the following bytes:

0000042D: FF->00
0000042F: AE->A1

The ROM will yield a blank screen. Now modifiy the the following byte like before:

00000433: 00->2C

and the ROM works. What makes this so unusual is the fact that the first two bytes (42Dh and 42Fh) are located before the position of the third byte (433h). You would think that altering the third byte would have no effect to the changes made to the first two bytes, but it does! What is also unusual is that instead of displaying the opening S&K animation, this modification causes the ROM to freeze with a blank screen So, what do the first two bytes represent? It could be either an address, a machine instruction, or a variable. In any case, they appear to be related... or they could not.

6.) Sonic & Knuckles With Anything Else (S1&K Part 2)

Sonic & Knuckles With Anything Else. (Part two of Sonic 1 and Knuckles)
It's not too far fetched to imagine that the owner of a S&K cart would surely attempt to Lock-On any Genesis cart they may have on hand. As a reward for their experimentation, the S&K cart will select a random level based on the serial number of the cart inserted to the Lock-On (expension) port.

If you combine a clean S&K cart to any Genesis cart, you will be presented with the same "NO WAY" display like before with Sonic 1. However, there will be some important differences. For starters, the color palete for Sonic and the others on the main screen will be darker, and their movements will remain frozen in place. Though the random level that you are brought to might seem like a good starting place, it is important to note that after you successfuly compelete that level, you are brought back to the same level from which you began.

So now, the question is raised, "how does the S&K cart determine what random level to choose?" To begin, let's explain how it determine if the Sonic 1 cart is Locked-On. If you recall, the data/instructions around address 3C0h is beleived to be where the code to determining what ROM is in the expansion port resides. If you pock around, you will see the serial numbers for Sonic 2 and Sonic 3, but no serial number for Sonic 1. How can this be? Easy. It's stored in a different location. Goto address 4CD00h and you will discover the serial numbers for both the US and Japanese version of Sonic 1.

As proof, try changing the serial number of the ROM you intend to Lock-On with that of Sonic 1. The serial number is located at 180h:

GM 00001009-00 (US Sonic 1)
GM 00004049-00 (Jap Sonic 1)

Walah! Instead of a random level, you now have the full 3D game associated with Sonic 1 & Knuckles.

Now back to the original question, "how does it generate a random level?" As you might of guessed, the serial number of the cart within the expansion port plays the key role. If you tinker around with the serial number, you can actually generate a diffent level. I have not done too much investigating on this mater, so maybe someone can fill in the blanks for me.

Ex:
diagram

Contributions:
Chaos Emerald: S&K1 3D gaming findings.
Cherry: Released the correct S&K2 ROM.
Jan Abaza: Suggestions
Nime: Italian Mirror
Rizzo: Inital S&K2 discovery, S&K1 suggestions.
Thomas Rodriguez: French Mirror.
Stealth: Initial Sonic 3&K SRAM fix discovery, S&K2 suggestions, S&K1 suggestions and for the support through-out the years.
Wiseman: Spanish mirror of this doc and the nifty GIF diagrams to replace my cheesy ascii diagrams.
Andy Wolan: Initial S&K3 discovery, this document, for pieceing together the "holes" in people's theories and for keeping the hope alive for almost 3 years!

Greetings:
Jarred, KidAlex, TC, DC, Sir Lamer, Stark, Sir James, Spector, Ruski, The G-Funks, T-Boy, Andy Watts, the SSRG Team and to everyone that has been following this project.

Disclaimer
The author of this page is not responsible for any damage caused by this procedure in any shape, way or form, no matter what. The author also has no relations with Sega or Sega of America. USE AT YOUR OWN RISK.


This Site is Sonic 2 Hacking Approved
Sonic is a registered trademark of Sega 1991. All other trademarks are trademarks of the respected companies.

Copyright 1999-2000 Andy Wolan