mykes@3comvax.UUCP (Mike Schwartz) (01/31/86)
I have had a few requests for information about some reverse engineering I did on the Epyx Fastload cartridge a few months ago. I haven't really prepared anything, so what I will be describing is off the top of my head, so to speak. Basically what I do know about is how the circuit board works, how to disassemble the rom, how to run programs in the 1541, and how to use the CIA's (serial bus) to handshake bytes across faster than commodore does it. I do not know a whole lot about the actual program in the Fastload ROM, but I have seen enough of it disassembled to get a flavor of the scheme they use. I can discuss the techniques I developed myself. In order to best follow along with this discussion, I would suggest turning to page 366 of the C64 Programmer's Reference Guide. The Expansion Port is described in adequate (not great, in my opinion) detail. Also of interest is the section covering memory maps (pages 263 and 265[bottom]). Page 265 illustrates the memory map for the C64 when a cartridge has been inserted in the Expansion port. The only difference between this memory map and the standard C64 memory map is the 8K expansion ROM and the state of EXROM. GIVEN: WHENEVER EXROM IS PULLED LOW (grounded), THE 6510 WILL SEE 8K OF ROM AT $8000. EXROM is defined to be PIN 9 of the Expansion Port. In order for the Fastload Cartridge to work invisibly with all that software that it does work with, it cannot be present in RAM (or applications would write over it), and it cannont replace RAM at $8000 with ROM (or applications that expect RAM there would not work). To solve this problem, Epyx designed a special board that can bank in or out the ROM at $8000. This is done by a capacitor that, when charged up, will pull EXROM low and bank in the cartridge. As the CAP discharges to no charge, the ROM will bank out. Several other control lines on the Expansion Port are used by the PC board. I/O1 (bar) and I/O2 (bar) are partially decoded address lines. This means that whenever the address lines of the 6510 indicate a range of $DE00-$DEFF or $DF00-$DFFF, I/O1 or I/O2 will be pulled low. A similar control line is ROML (bar), which is pulled low wheneber the 6510 address pins indicate an address of $8000-$9FFF (8K). The RESET (bar) control line is pulled low whenever the 6510 resets. A standard ROM cartridge will simply pull EXROM low all the time and will decode addresses in ROML to an 8K ROM on the cartridge board. The EPYX board decodes all but the last 256 bytes of the 8K ROM in this address space. The last 256 bytes are decoded at $DF00-$DFFF! This is a neat way to get 256 bytes of ROM somewhere in the C64 where there is normally NOTHING. Since C64 programs expect nothing at this address range, the 256 bytes of ROM will not interfere. This trick is accomplished by using the IO/2 control line. The IO/1 control line is tied directly to the Capacitor which controls EXROM. Each time the IO/1 line is toggled, the CAP charges up a little more, so that by accessing memory at $DE00-$DEFF many times in succession will eventually charge up the cap enough to bring EXROM low and bank in the 8K (minus 256 bytes) of ROM at $8000. Remember that when the CAP discharges (continuously over time), EXROM will change to HI and the cartridge will bank out and RAM will appear at $8000. The RESET control line is also tied to the CAP, so that each time the C64 is reset, the CAP will charge up and the ROM will bank in. Immediately at powerup, the C64 Kernel Rom looks at memory at $8000 for a certain pattern of bytes. These will be found in the Fastload Cartridge because it is banked in by reset. The Kernel will then jump to the program in the cartridge at $8000. The Fastload software takes over the load vector at $314 and points it at an address somewhere in IO/2 address space. This routine in IO/2 address space fetches from IO/1 a few hundred times to bank in the ROM, then jumps to the "FASTLOAD" routine. While the 6510 is executing from the ROM, the CAP will dissapate and the ROM will bank out prematurely. For this reason, the ROML line also charges the CAP. This will keep the cartridge banked in the entire time that the 6510 executes code @ $8000 in the ROM. When the software in the ROM wants to call a Rom Kernel routine, it must jump to a subroutine in IO/2 space which waits for the CAP to discharge, calls the Kernel routine, banks in the Rom again, then returns. This basically concludes my discussion of the Fastload cartridge board. I can prepare a similar discussion about how to talk to the 1541 using custom handshake schemes that directly control the serial bus, if I get enough e-mail requesting it. I would prefer that you do a little reverse engineering of your own, though. To disassemble the EPYX Rom, you will need to solder one end of a short wire to pin 9 (EXROM) on the cartridge board connector. I leave the other end of this wire hanging free. When this free end of the wire is grouneded, by touching it to pins 1, 22, A, or Z, the ROM will be banked in regardless of the state of the CAP. A neat trick I found is that you can touch the free end of the wire to a metal (about 3" by 5") part of the case that surrounds the expansion port. What I did was to load the debugger I got with my C64 assembler, ground EXROM, and dumped the disassembled code to the printer. I also would like to take this opportunity to mention a side-effect of the Epyx Fastload Cartridge PC board design. A program could be copy protected for the C64 without making the diskes uncopyable. I personally cannot stand disk protection and will always vote to abolish it! A floppy disk is too fragile a media to not let people who pay good money copy it and maintain archives. If a C64 program simply called a few important subroutines at $DF00-$DFFF, which can only be present if a cartridge is there, then people can copy the disks all they want - the cartridge will still be necessary and is much harder to copy than a disk. Cartridges are cheap enough, why not package one with the software? I think similar schemes could be used with the Apple II and IBM PCs, although it would require a slot in these machines for the protection. Until next time.... sooooooo loooooonnnnnnnggggggg