Cheats Using CR PRG Ram Don't work

[Slade1972]

Games that use the 68K CPU ram space, these cheats work fine. However, games that use the CD PRG Ram do not work.

As an example: Sonic CD (USA) with a memory location of:

15 16 in 68K ram is the level timer. Keeping this at 00 stops the level timer from climbing.

The cheat file would look like this:

00 00 00 00 16 15 FF 00 00 00 00 00 00 00 00 00

This works fine.

However, The Amazing Spider-Man Vs The Kingpin, has the web shooter ram address in the CD PRG Ram and looks like this:

00 00 00 00 21 C9 07 FF 00 00 00 00 50 00 00 00

I have tried various combinations, with and without the "FF" (which I'm not sure of the significance), as well as setting the compare flag in the first byte, and by moving the poke value from 50 00 00 00 to 00 50 00 00, none of which has made any difference.

I can only conclude that cheats in the CD PRG ram space don't work or aren't compatible with the binary game genie format that comes from gamehacking.org. Frustratingly, gamhacking.org requires all cheats to be in a 2 byte format, which won't work with all systems, and can cause confusion as to which bytes to poke.

Any assistance would be appreciated.

[Slade1972]

After some more investigating, it seems that CD PRG ram cheats that only write a byte value don't work. No idea why. As an example, using The Adventures of Batman and Robin, the time cheat for the first stages, looks like this:

80 00 00 00 3E 12 06 FF 00 00 00 00 00 0F 00 00

This writes F0 00 to 06 12 3E and works fine.

However, the infinite missiles cheat, which looks like this:

80 00 00 00 D1 FF 07 FF 00 00 00 00 00 03 00 00

Does not work. It should write 03 to 07 FF D1 but nothing seems to happen. I have also tested with the compare flag off and on, as well as moving the 03 from 00 03 00 00 to 03 00 00 00 with no change.

Also of note, the no damage cheat works as well:

80 00 00 00 22 64 06 FF 00 00 00 00 F4 01 00 00

Again, being a 2 byte value, there doesn't seem to be a problem.

[sorgelig]

If i remember right only Genesis-compatible cheats are implemented.

[Slade1972]

Is there a definitive way to test that ?

I'm just surprised the two byte cheat works, but the byte cheat doesn't.

Would it be beneficial to find the same Genesis game (assuming there is one) and see if the same basic cheats work? In what sense are the cheats Genesis compatible?

Thanks for responding.

[sorgelig]

ok, i've refreshed my memory: 1) both main CPU memory and CD CPU memory are supported. 2) in address the most bit defines if it's main CPU (0) or CD CPU (1) address space. 3) cheat engine supports only one data size, so for 8bit systems it's BYTE, and for 16bit system it's WORD.

so for MegaCD and Genesis all compare and write data must be words (16bits) and address should be always even. That's why byte value doesn't work. You need to expand it to word. Cheat may write WORD value using original value on other byte.

[sorgelig]

actually looking at cheat codes you've mentioned i don't see how WORD write should be differentiated from BYTE write. There are no WORD/BYTE flag as i see. I think cheat engine can be updated but cheats also need to be updated with additional flag

p.s: 00 03 00 00 data for byte writing to address 07 FF D1 looks malformed. Motorola 68K is big-endian system so odd byte comes first, then even follows. So data should be 03 00 00 00 if address is odd. So for me the whole cheat for byte write is wrong. I think the correct cheat should be: 80 00 00 00 D0 FF 07 FF 00 00 00 00 03 00 00 00 (address must be always even, and odd byte comes first). But if another byte has some meaning, then cheat won't work as it will effectively write WORD with 00 in even byte.

[sorgelig]

MegaCD.zip This is test version supporting byte write. Byte write cheat must be updated to: 02 00 00 00 D1 FF 07 FF 00 00 00 00 03 00 00 00 1) data/compare for byte write must be always in lowest byte regardless even or odd byte 2) address should reflect actual address with LSB, so it can be even or odd depending which byte is being written/compared. 3) 02 mask means byte write (03 if compare value is used).

please test it and report.

[Slade1972]

I've been speaking with Tony H at gamehacking.org about the SegaCD cheats. Apparently we only need the FF at the end of the address if it's Genesis ram (ie, the 68k ram), which are two byte (or word) addresses. The FF isn't required if it's a 3 byte address. - (Edit) This is not true. MiSTer requires the FF on all cheats (at least with The Adventures of Batman and Robin).

However, that didn't seem too change much.

I downloaded the new file, and manually edited several of the cheats. The missile cheats now looks like this:

02 00 00 00 D1 FF 07 00 00 00 00 00 03 00 00 00

02 00 00 00 - compare (byte selected) D1 FF 07 00 - little endian for the ram location in CD PRG Ram (written as 07 FF D1 in the cheat file created in BizHawk) 03 00 00 00 - the value to be written

I tried this with multiple cheats, for bombs, lives and missiles - all using 3 byte ram locations and byte values. None seemed to work.

Ok, I thought I'd test something before posting, and I'm glad I did. I edited the files manually, and they definitely need the FF in the cheat file. No idea why, nor what it signifies.

So this did work: 02 00 00 00 D1 FF 07 FF 00 00 00 00 03 00 00 00 and I have infinite "lives/bombs/missiles" or whatever that one is.

I'll test out some more games and see if they work as well. Thanks for your help. Now to get the gamehacking guys on board with the changes.

[Slade1972]

I've been testing The Amazing Spider-Man vs. The Kingpin (USA), and this works fine too. Provided the compare flag is set to 02. Without that, it doesn't work. But that was to be expected.

I'll test some more games over the next few hours. I'm guessing they should all work fine.

[sorgelig]

As i've told you, MSB=1 means CD address space (RAM, CPU in CD addon) is used. It can be 80 or FF - doesn't matter. If MSB=0 then main address space (in-console CPU) is used. Since your cheat is used inside CD addon memory, you have to use 80 or FF. gamehacking cheats must be updated with correct MSB flag. I think not all cheats are using CD memory, so not every cheat will use FF. Check it carefully.

02 00 00 00 - compare (byte selected)

02 is byte mask. 01 is compare mask (otherwise unconditional write). So compare+byte will be 03

[Slade1972]

It took me about 2 minutes to decode what MSB meant (Most Significant Bit). I'm going to have to request an update on gamehacking.org, and I'm not confident it will happen. At least any time soon. The person who does a lot of the site changes, apparently, doesn't visit very often anymore. All I can do is ask. Failing that, I'll just manually create the cheat files, and post them to github for people to download.

I wouldn't mind updating the Wiki with more information on the cheats. It's a little sparse at the moment. (I'm happy to do that).

I apologise if I sound half dense (I'm sure, we're all half dense compared to you), a cheat using 68k ram, can either have the initial byte set to 80 or the ram address can have FF as the least significant bit, but doesn't require both.

I haven't tested this, and this isn't my cheat, but for 3 Ninja's Kick Back (USA), the timer freeze is:

80 00 00 00 19 7C 00 00 00 00 00 00 A0 00 00 00 Edit: This cheat as is, does not work. Having 80 as the MSB didn't make this cheat work. /Edit.

Which uses the 68K Genesis ram, and should be fine. It could also possibly be written as:

00 00 00 00 19 7C FF 00 00 00 00 00 A0 00 00 00

And that would also work?

Edit2: I haven't tested the cheat listed directly above, however in order to get the Time / Health cheat working, I did have to add the FF to the end of the address, so it looked like this:

80 00 00 00 19 7C FF 00 00 00 00 00 A0 00 00 00 - This differs to what you've said above, requiring either the 80 or the FF for the 68K ram address space. I don't know if I can do it without the 80, that's my next test. /Edit.

I'm going to go test this some more, to see what combinations do and don't work. It does seem that gamehacking.org isn't producing correct cheats for MiSTer. Thanks for the help.

[sorgelig]

80 00 00 00 19 7C 00 00 00 00 00 00 A0 00 00 00

I don't know what 80 (7th bit in flags) in first byte means. it's present in some cheats but it's not used by MiSTer. Probably it's wrong implementation. May be it should mean MSB of address, then it's in wrong place.

address in cheat is defined as 32bit, it's 19 7C 00 00 (00007C19). If you want to use CD memory space, then MSB should be 1. So it should look like this 19 7C 00 80 (80007C19). And since address is odd, it's probably reffered as byte, so it should have 02 in first byte of cheat. so full cheat probably must look like this: 02 00 00 00 19 7C 00 80 00 00 00 00 A0 00 00 00

I have no idea if cheat refers CD memory or main memory space, so i'm not sure about MSB value

[Slade1972]

That's awesome. Thank you. It makes far more sense now! 02 00 00 00 19 7C 00 80 00 00 00 00 A0 00 00 00 The address is two bytes and is in 68K ram. The Genesis only has 64k of ram, so 00 00 to FF FF. All two byte addresses must be in the 68K ram address space. The Sega CD has 6Mbits of ram, so if the address is greater than two bytes, it has to be in the CD PRG ram.

I ended up writing some software that can write out compliant .gg files for games. I need to tweak it more based on what you're written above, and want to get it to read the cheat files produced by the BizHawk emulator, so I don't have to manually enter the cheats one at a time. Hopefully over the next few days that'll get finished, and I'll get back to making cheats for the games. I'll probably just host the files here on GitHub and make a post in the forums.

[sorgelig]

Great! Current state and amount of MegaCD cheats is bad.

[sorgelig]

The Sega CD has 6Mbits of ram, so if the address is greater than two bytes, it has to be in the CD PRG ram.

Even for CD memory the cheat can be in first 64KB, so address can fit 2 bytes as well.

[Slade1972]

The Sega CD has 6Mbits of ram, so if the address is greater than two bytes, it has to be in the CD PRG ram.

Even for CD memory the cheat can be in first 64KB, so address can fit 2 bytes as well.

Yeah. My comment above was a bit dumb :)

I've come across something that I can't get working. In the game 3 Ninjas Kick Back, there are two level styles. The main one being the side scrolling platform sections, and there are two levels of first person action levels. They use two sets of memory regions for the different levels. That's ok. I've found the addresses for all items. The side scroll level cheats work fine.

Infinite health in the first levels looks like this:

02 00 00 00 4B B0 07 FF 00 00 00 00 06 00 00 00 And can be broken up as:

02 00 00 00 compare flags - set as byte write with no compare 4B B0 07 FF Write to CD PRG ram 07 B0 4B 00 00 00 00 no compare value 06 00 00 00 write 06 to the above address.

I appreciate you know all this, but please, follow along, it's how my brain processes things. One step at a time.

In the first person view levels, the health cheat looks like this:

02 00 00 00 C8 60 00 FF 00 00 00 00 06 00 00 00 I have tested both FF and 80 as the MSB of the address with no difference. This one can be broken up as:

02 00 00 00 compare flag - set as byte write with no compare C8 60 00 FF write to address 00 60 C8 in CD PRG ram (the emulator references the address with the extra leading zeros) 00 00 00 00 no compare value 06 00 00 00 write 06 to the address above.

This cheat does not work. You are correct, some games use the first 64k of ram in the CD PRG space.

I'm basing this off what you've written here:

address in cheat is defined as 32bit, it's 19 7C 00 00 (00007C19). If you want to use CD memory space, then MSB should be 1. So it should look like this 19 7C 00 80 (80007C19). And since address is odd, it's probably referred as byte, so it should have 02 in first byte of cheat. so full cheat probably must look like this: 02 00 00 00 19 7C 00 80 00 00 00 00 A0 00 00 00 I have no idea if cheat refers CD memory or main memory space, so i'm not sure about MSB value

If I rewrite the cheat as:

02 00 00 00 C8 60 FF 00 00 00 00 00 06 00 00 00 Wouldn't that attempt to write to the 68K ram? (It's the only thing I can think of that could work). Edit: That didn't work /edit.

Edit: What makes it more frustrating is that the time cheat works (edit2: without glitching).

The time cheat is: 02 00 00 00 CB 60 00 80 00 00 00 00 52 00 00 00 Which is in the same address space above.

[sorgelig]

C8 60 FF 00 is wrong by any mean. it should be either C8 60 00 00 or C8 60 00 FF. Why it doesn't work - i don't know. May be address is wrong. May be it should write WORD, not BYTE. May be it's BYTE but should be odd address (because of big-endian). If you have emulator where cheats can be used, then better to verify there.

[Slade1972]

Yeah, I had a feeling that C8 60 FF 00 would be completely wrong :)

I'm not sure how well this system handles pictures, but here goes...

These 5 locations represent the Player 1 space within this level (as well as the other 1st person level)

Everything is byte in length and definitely in CD PRG Ram space.

0x 00 60 C7 - Lives 0x 00 60 C8 - Health 0x 00 60 C9 - Bomb type 0x 00 60 CA - Bomb amount 0x 00 60 CB - Time

These ram locations can be confirmed by watching the Emulator (I changed the lives from 3 to 5.)

And nothing can be longer than a byte, otherwise it would override the next value / location, which would cause issues.

The cheats list sets these as all bytes, given that's all the game uses.

I'll keep playing with it, but it'll be one of those things that bugs me if I can't get it fixed.

[sorgelig]

0x 00 60 C7 - Lives 0x 00 60 C8 - Health 0x 00 60 C9 - Bomb type 0x 00 60 CA - Bomb amount 0x 00 60 CB - Time

which of these cheats are working?

[Slade1972]

The time cheat:

02 00 00 00 CB 60 00 FF 00 00 00 00 52 00 00 00

It's the last one in the list :)

I did a test, and if I run each cheat on their own I get the following:

02 00 00 00 C7 60 00 FF 00 00 00 00 09 00 00 00 Lives: Works, but reverts to 03 when disabled?! If I die with this enabled, it reverts to 08 lives once disabled. I lost a second life, the lives went to 07. Enable the cheat it goes to 09, disable and back to 07. That's just bizarre.

02 00 00 00 C8 60 00 FF 00 00 00 00 06 00 00 00 Health: Nothing happens that I can see. 0x 00 60 C9 Bomb Type: No cheat set up. Since you can't change this on the fly I didn't bother. 02 00 00 00 CA 60 00 FF 00 00 00 00 05 00 00 00 Bomb amount: Time gets set to 05 seconds and freezes (05 is constantly written, but to 0x 00 60 CB. Bombs stays at what ever value was there previously.

02 00 00 00 CB 60 00 FF 00 00 00 00 52 00 00 00 Time: Works fine. I can enable / disable and it will override the current time with 52.

That's using the test version provided here.

[sorgelig]

These cheats may be originally work that way. What you described doesn't look like cheat engine problem. It only replace the memory value.

[Slade1972]

These cheats may be originally work that way. What you described doesn't look like cheat engine problem. It only replace the memory value.

I don't understand what you mean. I found those cheats myself. They're not in the available list from gamehacking.org. I've been testing 3 Ninjas Kick Back, and played through the entire game. When the game shifts to the first person view, I realised the existing cheats don't work. I found the new ones. They work fine in the emulator, doing the exact same thing that all ram cheats do: Poke a value into a specific location, of a specific length, repeatedly (in this case).

If you're thinking they replace the screen value, then no, that's not true. I usually test my cheats to the extreme. The time cheat, I'll just leave for 5-10 minutes to see if the level ends (indicating the time is counting, but the screen isn't being updated). I do the same for all the cheats. Throw dozens of bombs, get hit more than 6 times. These do work in the emulator.

Those locations are the correct places.

Is there a way of hooking up a debugger to the MiSTer? Something that could be used to dump the ram or watch the ram in real time?

[Slade1972]

Just to test something out, I modified the Health cheat to write 1 byte earlier:

02 00 00 00 C7 60 00 FF 00 00 00 00 06 00 00 00 This should overwrite the lives, and it does. You get 6 lives with this. And I just checked, by playing and dying 10 times - still 6 lives left.

Similarly, I modified the lives cheat 1 byte earlier, which shouldn't do anything:

02 00 00 00 C6 60 00 FF 00 00 00 00 09 00 00 00 If you guessed "you get 9 lives", you would have been correct. Why, I don't know?

And the time cheat still works. And I've just realised the common factor between all of these addresses. They're all odd addresses. The even addresses won't get written to.

Edit:

This works for infinite health, but it overwrites the Bomb type with 00 giving you no bomb type. 00 00 00 00 C8 60 00 FF 00 00 00 00 00 06 00 00

This does not work (with the byte flag set). 02 00 00 00 C8 60 00 FF 00 00 00 00 00 06 00 00

Again, making my point that there seems to be an issue writing byte values to even addresses in this address space.

[sorgelig]

Are those cheats still for 3 Ninjas? For me lives cheat don't work. Is it for specific level?

[sorgelig]

I think i've found bug in cheat engine. Try this build: MegaCD.zip

[Slade1972]

Are those cheats still for 3 Ninjas? For me lives cheat don't work. Is it for specific level?

Yes, these are only for level 3 and 6 in 3 Ninjas. On the start screen (where you choose 1 or 2 players) press Left, A, Right, Down. Then you'll hear an explosion sound. Start a game and the level select screen comes up after choosing a character. Start level 3 or 6 and you should be good.

I'll try the new build shortly and let you know.

[sorgelig]

i found that cheats are working in attract mode. This is enough for me for testing :)

[Slade1972]

i found that cheats are working in attract mode. This is enough for me for testing :)

YES!! You are the man! That fixed it. Thank you very much. Does this mean that all other cores need updating or was the issue specific to the SegaCD?

[sorgelig]

Only Genesis (but it's not updated yet). Other cores are 8-bit and not relevant to this topic.

[Slade1972]

Awesome. Well I have enough to keep me going on the SegaCD for the time being. And I'd guess that Genesis has a lot of cheats for it already.

I'll admit, I'm over playing this game. There are so many different ram locations :) One for each of the Player 1 and 2 on the side scrolling level. A separate location for single player on level 3 & 6. Another location for player one (in a two player game) for levels 3 & 6, which is in close proximity to player 2 in levels 3 & 6, which differ from the side scrolling levels.

I've just finished making these on the emulator, and have created the .gg files, and now I get to play the game again on MiSTer to see if they all work :)

Thanks again for your help and patience.

[Slade1972]

So, I've just discovered something odd. I've been writing some cheats, and so far they've all worked. I've finished my software that converts BizHawk cheat files to Game Genie files, which makes conversion and testing so much faster.

And this is where things get strange. Batman Returns (usa), like a lot of games, uses two different ram locations. The driving sections have lives in 68k Ram and the rest of the items in CD PRG Ram.

However, the walking sections (side scrolling), have all the items stored in the CD Word Ram.

Is there a way for the cheat engine in MiSTer to access that ram? And if so, how?

[sorgelig]

WORDRAM is visible for both CPUs.

WORDRAM is mapped to Main CPU at addresses 200000-23FFFF. so for your example 3FExx should be 23FExx. Since it's Main CPU address space it needs MSB=0

but.. it's unclear which CPU needs the data.

CD CPU maps WORDRAM at 080000-0BFFFF (in 2M mode. 1M mode has other mapping). So if cheats are intended for CD CPU then in your example it will be 0BFExx with MSB=1 (800BFExx).

So you probably need to try both variants.

[Slade1972]

Thanks for that explanation. That helped a lot! I've managed to get working Batman Returns cheats auto converting, I just changed my software to output two sets of files. These work through the CD CPU.

Although, funnily enough, if I enable the 68K CPU, the screen value stays static, but the number actually drops. So I can only guess that the game does copy the actual values to the corresponding 68K CPU ram location for the screen display.

On a final note (for this message, I'm sure I'll end up with another question). Thank you for MiSTer! I've enjoyed it a lot over the past 12 months or so, and do appreciate the effort you've put into this.

I can only hope my little contribution helps out. The GitHub page is up, but I only have a few games on there so far, and I want to get a good 10 or so games done before I post a message about it. It's time consuming finding cheats, and checking they work throughout the game. I usually play most games to completion just to make sure everything is working fine.

[sorgelig]

So these cheats probably need 2 copies of each. MiSTer supports multicheats, so file size will be multiple of 16 bytes. In this case each cheat file will have 32bytes with 2 cheats inside (for Main and CD CPUs). Just remember that only up to 32 simultaneous cheats are supported.

[Slade1972]

Thanks again. Since one location is screen memory, keeping that "locked" doesn't do anything, so seems like a waste of a cheat. All it means is that you're shown 1 less item than you truly have. I've set each item to be 10, so the screen shows 9. No big deal. If I wanted it to display 10, I'd just set it to 11. It doesn't matter, you still get an infinite amount of them.

[Slade1972]

I told you I'd be back :)

I'm not sure why this cheat doesn't work. It's part of the 2 Meg Word Ram for Citizen X (USA) (Unl). It's the only part of the game stored here. Everything else is in CD PRG ram.

As you've mentioned above, there's no way of knowing which CPU addresses this memory, so I create two sets of cheats. One for the 68k CPU and one for the CD CPU.

This is the CD CPU 00 00 00 00 52 D0 0B 80 00 00 00 00 59 59 00 00

I even tried a byte write, with no effect (on both, just one shown here) 02 00 00 00 52 D0 23 FF 00 00 00 00 59 00 00 00

02 00 00 00 53 D0 23 FF 00 00 00 00 59 00 00 00

And this is the 68K CPU 00 00 00 00 52 D0 23 FF 00 00 00 00 59 59 00 00

Frustratingly, neither work on MiSTer. I've checked and the time is not present if I search in any of the other memory locations available in EmuHawk.

Do you have any suggestions?

[sorgelig]

i think you need to learn about addresses. It's nonsense what you did in this cheat. for main CPU it's 0020D052 for CD CPU it's 8080D052

[Slade1972]

i think you need to learn about addresses. It's nonsense what you did in this cheat. for main CPU it's 0020D052 for CD CPU it's 8080D052

I think you're right :) This is making my head hurt.

Sounds like for 68k CPU (the main one), I should take the address for the cheat and add 200000 to map it to the 68k.

And for the CD CPU I add 080000. Which is what you mentioned above:

CD CPU maps WORDRAM at 080000-0BFFFF

Wouldn't that make it 8008D052?

Edit: I amended my program to add the different base addresses to the "found" addresses, and it outputs these two files:

CD PRG Ram - This one works perfectly. 00 00 00 00 52 D0 08 80 00 00 00 00 59 59 00 00

68k Ram - This is the screen ram. 00 00 00 00 52 D0 20 00 00 00 00 00 59 59 00 00

Thanks again! I haven't written any software in a few years. I've not had the need, and I'm as rusty as all hell.

[sorgelig]

Wouldn't that make it 8008D052?

right. i've mistyped.

Glad it's working now.

[thehughhefner]

I believe this issue ticket can be closed