Nem s3ss

From Sonic Retro

Historical document icon.svg This historical hacking document is preserved here for archival purposes.
It has not been revised since its original writing and may be outdated.


Here are my notes on the S3 savestates. In order to edit these files I recommend a hex utility called Hex Workshop, and I recommend getting the emulators gens and genecyst. Gens is the one I use most of the time, but genecyst has a lot of features that are extremely useful that gens dosen't have.

First of all it's very important that you understand the basics. All data stored on a computer is in the form of 1's and 0's. On a CD for example, a laser hits the surface, and if the laser bounces back and hits the lens it's a 1, and if it dosen't it's a zero. Each 1 or 0 is called a bit, and a bit cannot have any other characters in it other that a 1 or a 0. Now the computer deals with bits in groups of 4. There are 16 possible combinations for a group of four 1's and 0's, so to make it simpler to deal with it as one value, rather than 4 (Eg. 0110 becomes 6). Now as there are 16 possible combinations for a group of 4 bits, this value to represent thier values must have 16 values itself, so rather than a simple 0-9, this value is 0-F (0123456789ABCDEF). This value is called a hexadecimal value (hex value fo short). Each hex value is dealt with in groups of 2, called a byte, each byte having 128 possible combinations. Now on a final output level the byte may be looked up on an ASCII table, which will convert that value into a recogniseable character (Eg. a byte value of 73 becomes a lowercase s on an english ASCII table). You will practically never touch the ASCII version of the code in hacking though.

Now one important thing to realise is that as one character of hex has 16 values and a decimal (real) value only has 10, it may be nessicary to convert the numbers between them from time to time. This is done with the use of a base converter (included in hex workshop). Let's say you wanted to give Sonic 50 rings. If you enter 50 as the vaue, you will in fact end up with 80, becuase that value you are entering is actually a hex value, but if you use the base converer to convert it first, you merely enter the value of 50 into the decimal box, and it will spit out a hex value of 32, which will in fact give you 50 rings in the game. Another useful utility that you will need is a hex calculator (also included in hex workshop). A hex calculator is the same as a normal calculator, but it deals with hex values rather than decimal values.

Now onto exactly what a savestate consists of. A savestate is a dump of all the ram that is allocated to the system, but that's not just main system ram, it's sound ram, CPU cache, etc. In a savestate all of this is mashed together in one file. Here's what's where in a genecyst savestate:

0-111 Unknown
112-191 C ram
192-1E1 VS ram
1E2 and 1E3 A 2 byte break.
1E4-3E3 YM2612 registers
3E4-473 Some kind of sound ram (Z80 internal cache?)(93)
474-2473 Z80 ram (sound ram)
2474-2477 A 4 byte break
2478-12477 System ram
12478-22477 Video ram
22478-22523 Stuff that the emulator writes to savestate(AB)

And here's what's where in a Kgen savestate:

0-97 File header
98-2097 Z80 ram
2098-12097 System ram
12098-22097 Video ram
22098-22117 C ram
22118-223A5 Unknown (D72)
223A6-225A5 YM2612 registers
225A6-2275B Unknown (1B6)

Now any single value that is stored in the system ram can be altered in game by use of a pro action replay code. First of all, here's an example of a Pro action replay code: FFFE10:0800

Now, the first byte in this code is FF, and a value of FF in the first two characters indicates that the code is altering data in the system ram. The next four character after it are the actual memory location in the ram, and the last four are the two byte value to write into that memory address. The pro action replay will always alter two memory addreses at a time by the way, because the Mega Drive (Genesis) is a 16 bit system. It dosen't matter though because you will find that a value will have two bytes assigned to it anyway, or the second byte will be related. In the case of the example, the first byte being altered is the current level, and the second is the current act within that level. The actual address of these values in the savestate are 12288 and 12289. An explination of why lies in the locations of the ram data that is stored in the savestate. If you look at the above table, there are 2478 lines worth of data before the system ram in the savestate, so for any action replay code you want to convert into a file location, you will need to add 2478 to the line number, and for any line number you want to convert into a pro action replay code you will need to minus 2478. Remember that these line numbers are hex values though, so you will need to do this in a hex calculator. (NOTE: Genecyst dosen't do pro action replay codes properly, use gens instead for that function).

Another thing you need to know is that each level in Sonic 3 has a value asigned to it, but this value does not correspond with each level's final position in the game. Here is a list of the level values in S3&K:

00 Angel island zone
01 Hydrocity zone
02 Marble garden zone
03 Carnival Night zone
04 Flying Battery zone
05 Ice cap zone
06 launch base zone
07 Empty
08 Empty
09 Empty
0A Empty
0B Empty
0C Empty
0D Empty
0E Azure Lake
0F Balloon Park
10 Chrome Gadget
11 Desert Palace
12 Endless Mine
13 Bonus Stage
14 Empty
15 Empty
16 Empty
17 Empty

And one last thing you need to know is the way that the Mega Drive stores all the art. All the art that is used in the game is stored in the form of 8x8 pixel blocks. These blocks do not actually store colours at all, they actually only have one hex value per pixel. That value specifies what point on the palette line the pixel will get it's colour from. The palette has 4 lines, each with 16 colurs on them. Now the colours on the palette can be changed at any point during play, and some palette colours may even automatically change colour each couple of frames to make it look like the colour is flashing.

Now these 8x8 blocks are not what makes up the level directly. 4 8x8 blocks are grouped together to form a 16x16 block, and it is at this point that the palette line to use for that 16x16 block is specified. The 8x8 patterns can also have thier x, y, or x and y values reversed when placing them in a 16x16 block. Also it's at the 16x16 level that the collision index comes into play. Now finally we get to a 128x128 block, and these are the things that the actual level info loads. It is made up of 64 16x16 blocks,and each block inside them can use a different palette line. You cannot place anything except a sprite or a 128x128 block directly into a level.

Now that you know all the basics, here's my breakdown:

Internal Groups

System ram
2478-A477 128x128 block mappings
A478-B477 Level layout
B478-CE77 16x16 block mappings
CE78-D477 Pattern decompression buffer
D478-F477 Buffered sprites
F478-10477 Unknown
10478-11477 Unknown
12078-120F7 Above water palette
Video ram
12478-1E477 Main Pattern Info
1E478-1F477 Makeup of buffered foreground
1F478-20477 Patterns for text/computers/rings
20478-21477 Makeup of buffered background
21478-21C77 Patterns for sonic and tails
21C78-21EF7 Makeup of buffered active objects?
21EF8-22077 Lives counter patterns
22078-223F7 Current state of background tiles
223F8-22477 4 empty blocks

Single variables

1089A and 1089B Character x location in special stage
1089C and 1089D Character y location in special stage
1089E Direction character is facing in special stage
108A0 and 108A1 Speed of character in special stage (speed increases as the value gets higher up to 8000 when the values mirror)
108B0 and 108B1 Number of blue spheres remaining in special stage
108B2 and 108B3 Number of rings sonic has in special stage
108BA and 108BB Number of rings remaining in special stage
108BC and 108BD Jumping height in special stage (the lower the value the heigher the jump. Value peaks at 8000 then mirrors. Specifying a jump height too great will cause the game to crash)
108BF-108C2 Loading address in rom for mappings of floor in special stage (changing this value will make the floor patterns go psycho)
1128A and 1128B Screen y end location
1128C and 1128D Screen x start location
1128E and 1128F Screen x end location
112AB A very interesting trigger that appears to be a special properties flag about the screen. 06 will make the screen not move back for example.
112BA-112BD Ring positions when approaching from the left
112BE-112C1 Ring positions when approaching from the right
112F0 and 112F1 Camera x position
112F4 and 112F5 Camera y position
11A78 Master level trigger
11BEA-11BED Sprite loading address when approaching from the left
11BEE-11BF1 Sprite loading address when approaching from the right
11C0E-11C11 16x16 collision index in use
11C2C-11C2F Primary 16x16 collision index
11C30-11C33 Secondary 16x16 collision index
12298 and 12299 Number of rings you have
12288 Level
12289 Act
12427 Last special stage that was entered (This value is used to determine which stage will be loaded up next time the player enters a special stage. If a stage is marked as completed, it will be skipped over, and the next stage that it comes across that is not completed will be loaded. When all the chaos emeralds are obtained, this value is set back to 00. If this value is not set to 00, the beginning of MHZ will be that of S&K, and the normal special stages will be present instead of the super special stages.)
12428 and 12429 Number of emeralds that have been obtained (This value affects the ability to become super/hyper, and specifies the group of special stages to select from. If value is 07 or above, the S&K special stages are used in conjunction with the completed special stage values. Set this value to 07 to enable super, and to 0E to enable hyper.)
1242A-12430 Special stages completed (One byte per stage. In S3 levels: 00=not completed, 01-FF=completed. Setting a special stage as completed also makes the emerald for that stage appear on the results screen at the end of a special stage. In S&K levels: 00=no correponding super emerald presend in HPZ, and super emerald will not appear upon entry. 01=no super emerald present, but upon entry of sonic the corresponding chaos emerald will fly up and turn into a powered down super emerald. 02=Super emerald present, but powered down. 03=Super emerald present and powered up.)

Pattern breakdown 8x8 blocks (12478-1C477)

All 8x8 patterns are stored sequentially, each one taking up 32(20) bytes. One pixel takes up one hex value, not one byte. The value of this hex value being 0-16 represents the colour that pixel is on the palette, 0 being the start, and F being the end (NOTE: specifying a value of 0 will not load up the first colour on the palette line, but instead make that pixel transparent).

16x16 block mappings: (B478-CE77)

Each 16x16 block is made up of four 8x8 blocks. Delt with in blocks of 8 bytes, 2 bytes per pattern to be used in block. First value determins which palette line to use, and which orientation the pattern is at. Refer to table for explination:

Value palette line flipped horizntally flipped vertically
0 1 n n
1 1 n y
2 2 n n
3 2 n y
4 3 n n
5 3 n y
6 4 n n
7 4 n y
8 1 n n
9 1 y n
A 2 n n
B 2 y n
C 3 n n
D 3 y n
E 4 n n
F 4 y n

The next three values represent the pattern number to use. Specify the number that the pattern is in the list. Past the value of 800, the block number restarts back at block 0, but the block is mirrored. The block mappings use the standard method of layout, start at x0 y0 and move across x values until end of line is reached, then repeating on next y value. If a space is blank in the 16x16 mappings, it will have the values 4000 in every box.

128x128 block mappings: (2478-A477)

A simple 12 bit RGB value. One colour on palette is represented by two bytes, and working back from the last value forward an RGB value is specified like this: 0BGR. So if you wanted that colour on the palette to be completely red, you would enter a value of 000F. The first colour on the palette is the default colour of the stage. If you had a value of 0 in one of the background tiles, this colour will be substituted in instead of making it transparent.

Pattern load cue (11AF8-?????)

Requests are processed in the order they are listed. If you try to load multiple patterns to the same area, the last one will overwrite the first. A six byte value per request. First four bytes are the address to load the patterns from the rom (eg, 0008 30D2). The last two bytes are the address to load the patterns into in the video ram. The pattern view window in genecyst is the easiest way to determine this. Note that whenever clearing out the pattern cue you must also set 11B71 to 00, or else some crap will be written over the first few patterns in the video ram. I have yet to narrow down the exact relationship this variable has with the load cue.

Master level trigger (11A78)

This trigger is the main trigger that specifies the current "mode" if you will that the game is in. Changing this will make the game switch to the mode you specify once it finishes it's current process.

00 SEGA logo
04 SEGA logo
08 SEGA logo
0C Normal level
10 SEGA logo
14 Continue screen
18 SEGA logo
1C 2 player vs level select screen (s2)
20 Credits
24 Options screen (s2)
28 Level select screen
2C Special stage (instantly fades out)
30 Special stage (instantly fades out)
34 Special stage
38 Competition mode main screen
3C Competition mode grandprix character selection
40 Competition mode character/level selection
44 Competition mode results screen
48 Special stage results screen
4C Save slot selection screen
50 Timeattack competition mode results screen

These values repeat after 80. Values above 50 have not been used. If you change this value in level the screen will fade out and the data for the thing you have selected will be loaded instead. If you specify a value betwen the values I have listed, you will get some strange results.

Level layout (A478-B477)

In sonic 3 the level layout is stored in a clever way to save space, and as such allow for the larger levels that the S3 platform supports. I'm not sure what the first 8 bytes do, but after that there's a list of 2 byte ram locations. There's two locations per line of 128x128 blocks. The first one gives the location of the foreground line, and the second one gives the location of the background line. To get this location from a savestate, minus 2478 from the internal file location.

The lines themselves are simple. The level is delt with as a grid, starting with first tile in top left and working across to the right doing one x value at a time. One byte represents one tile in one grid location. A value of 00 is the first large tile in the database, 01 is the second, etc.


Sonic Community Hacking Guide
SonED2 Manual | Subroutine Equivalency List
Sonic the Hedgehog (16-bit) | Sonic the Hedgehog (8-bit) | Sonic CD (prototype 510) | Sonic CD | Sonic CD (PC) | Sonic CD (2011) | Sonic 2 (Simon Wai prototype) | Sonic 2 (16-bit) | Sonic 2 (Master System) | Sonic 3 | Sonic 3 & Knuckles | Chaotix | Sonic Jam | Sonic Jam 6 | Sonic Adventure | Sonic Adventure DX: Director's Cut | Sonic Adventure DX: PC | Sonic Adventure (2010) | Sonic Adventure 2 | Sonic Adventure 2: Battle | Sonic Adventure 2 (PC) | Sonic Heroes | Sonic Riders | Sonic the Hedgehog (2006) | Sonic & Sega All-Stars Racing | Sonic Unleashed (Xbox 360/PS3) | Sonic Colours | Sonic Generations | Sonic Forces
Technical information
Sonic Eraser | Sonic 2 (Nick Arcade prototype) | Sonic CD (prototype; 1992-12-04) | Dr. Robotnik's Mean Bean Machine | Sonic Triple Trouble | Tails Adventures | Sonic Crackers | Sonic 3D: Flickies' Island | Sonic & Knuckles Collection | Sonic R | Sonic Shuffle | Sonic Advance | Sonic Advance 3 | Sonic Battle | Shadow the Hedgehog | Sonic Rush | Sonic Classic Collection | Sonic Free Riders | Sonic Lost World
Legacy Guides
The Nemesis Hacking Guides The Esrael Hacking Guides
ROM: Sonic 1 | Sonic 2 | Sonic 2 Beta | Sonic 3

Savestate: Sonic 1 | Sonic 2 Beta/Final | Sonic 3

Sonic 1 (English / Portuguese) | Sonic 2 Beta (English / Portuguese) | Sonic 2 and Knuckles (English / Portuguese)
Move to Sega Retro
Number Systems (or scrap) | Assembly Hacking Guide | 68000 Instruction Set | 68000 ASM-to-Hex Code Reference | SMPS Music Hacking Guide | Mega Drive technical information