Sonic Heroes Hacking with the Xbox Remote Debugger

Tired of playing the same levels over and over? Can't stand the Dark's annoyingly difficult second missions? Still can't find the 20th Hermit Crab? Don't worry; so long as you have a modded Xbox, you can easily hack your way to all A ranks.

What you'll need:
- a modded Xbox with the latest version of EvolutionX and LAN connection
- hex calculator (the Windows calculator works fine; just set it to scientific mode)
- some basic hex editing/hacking knowledge

Getting started:
There is a little known about feature in EvoX called the Remote Debugger. This allows you to telnet into your Xbox while a game is running and modify memory values. Luckily for us, your save data is plainly stored in memory when you load a save, making it very easy for us to unlock everything.

First of all, in EvoX, scroll down to System Utils, and go to Settings. (This may be different per your EvoX setup, I think you'd be smart enough to figure out how to get there =) Scroll down to Telnet and make sure it is enabled, and make sure RDTools is enabled as well. Scroll down further and make sure TSR is set for Debug. If Heroes locks up or otherwise doesn't load, try setting TSR back to normal. (If other games lock up or don't load, simply disable TSR before you play them) Scroll down to Save and Exit, then reboot your Xbox and load up Heroes.

Make sure you know your Xbox's IP address! You can view it by switching to the included InfoDash skin. Once Heroes has loaded, run telnet from your PC and open a connection to your Xbox. You should see:

RemoteX Debugger V1.1
.

If you see that, you're ready to start hacking. If not, try switching out your TSR and double check that RDTools has been enabled (and that your xbox has a network connection!)

Level record hacking:
NOTE: All values listed are hexadecimal unless otherwise noted

There are three basic commands you'll need to know to hack the game:

db
db will dump the contents of an address in memory for len bytes. Len is displayed in increments of ten, rounded up. For example:
.db 60dd10 33
0060dd10 : 23 00 00 00 2d 01 00 00 ba f4 00 05 04 20 45 05 | #...-...:t... E.
0060dd20 : e2 00 00 00 d4 e4 00 00 04 0d 45 05 28 01 00 00 | b...Td....E.(...
0060dd30 : 7e 30 01 00 06 04 09 05 06 10 04 05 58 00 00 00 | ~0..........X...
0060dd40 : 44 cf 00 00 02 05 44 05 02 00 09 05 bb 00 00 00 | DO....D.....;...

poke
poke changes a byte in memory to value. This is your primary tool for making actual changes. For example:
.db 60dd37 1
0060dd37 : 05 06 10 04 05 58 00 00 00 44 cf 00 00 02 05 44 | .....X...DO....D
.poke 60dd37 3
.db 60dd37 1
0060dd37 : 03 06 10 04 05 58 00 00 00 44 cf 00 00 02 05 44 | .....X...DO....D

You can see how your game has changed in the Challenge menu. If you change your ring count, for one team, hit left or right to switch to another, then switch back. Your new ring count will be shown. Of course this is all in the RAM; you'll need to force the game to dump the file to apply the changes to your savegame. The best way to do this is to go to the Options menu, change your gamma settings a little (so the game has a reason to save), then hit B until you exit completely out to the title screen. Your saved game shoud have your hacked values.

The game data is stored in a large block arranged with the main levels first then the boss battles. Here is the address table for Seaside Hill, the first level:

NOTES ABOUT ADDRESS/VALUES: I've listed the length of the values next to their type on the top of the table. A dword is 4 bytes. Also, the values are stored in little endian format, which means that they will appear 'backwards.' Example: if you have decimal 312 (0x0138 hex) rings, then it will appears as 38 01 00 00 in memory.

Each level follows one right after the other with no break, and each is laid out just like this. So it's quite simple to change any value in any level using just this table. The size for each level block is 0x50 bytes. You simply add 0x50 for each level after Seaside hill to the address of the value you want to change. An easier way to think of it is to give each level after Seaside Hill a number:

1 (50) - Ocean Palace
2 (a0) - Grand Metropolis
3 (f0) - Power Plant
4 (140) - Casino Park
5 (190) - BINGO Highway
6 (1e0) - Rail Canyon
7 (230) - Bullet Station
8 (280) - Frog Forest
9 (2d0) - Lost Jungle
A (320) - Hang Castle
B (370) - Mystic Mansion
C (3c0) - Egg Fleet
D (410) - Final Fortress

You would multiply 0x50 with the level number shown here and add that to the address in the table above to get the new address. For example, if you want to change Chaotix's mission 2 rank in Mystic Mansion, you first take 0x50 multiplied by 0x0b which yields 0x370 (in case it wasn't obvious, the numbers in parenthesis above are the values multiplied by 0x50). Mission 2 rank for Chaotix in Seaside Hill is 0x60dd63. Add 0x370 this address and you get 0x60e0d3. That is the address to change. So, to give yourself an A rank, in the remote debugger, you'd type:

.poke 60e0d3 5

You can then do:

.db 60e0d3 10
0060e0d3 : 05 0a 00 00 00 ba 27 00 00 0f 1b 40 05 00 00 00 | .....:'....@....

to verify the change. Change as much as you like, but do the forced save trick every now and then just in case.

The boss battles work in a smiliar way:

Since the length of the boss battle blocks are 0x10 bytes, multiply 0x10 by the battle number below to get the address to change.

1 (10) - Team Battle #1 (@ Power Plant)
2 (20) - Robot Carnival
3 (30) - Egg Albatross
4 (40) - Team Battle #2 (@ Lost Jungle)
5 (50) - Robot Storm
6 (60) - Egg Emporer

Metal Madness is slightly different since the time/rank applies to all the teams:

If done properly, you can easily give yourself all A ranks. Then just force a save and reload; Super Hard should be unlocked.

Emblem hacking:
Changing the amount of emblems you have is also very easy; the data for it is a byte located at 0x60dcea. Just change this to 0x78 to get all 120 emblems.