Using an emulator, I'm attempting to implement a popular cracking
technique from back in the day where you modify your Apple II ROM so
that you can hit RESET and break directly into the monitor after
having moved some critical pieces of memory to safe locations (full
details are here: http://www.skepticfiles.org/cowtext/apple/krakowic.htm).
The ultimate goal is to burn a working ROM.
I've done the assembly and everything works, but I have one glaring
problem that is preventing me from implementing my cunning plan:
I need around 60 bytes of ROM space for my code. The old articles
from the 80s talk about using $FECD which is where some of the
cassette tape code is located, however, this only works for Apple II+
ROM code and not the enhanced IIe ROM. The IIe ROM only has 10 bytes
before you trounce some Monitor code (see
http://www.apple-iigs.info/doc/fichiers/appleiietechref4.pdf, page 368
for the commented IIe ROM disassembly at $FECD).
So does anyone have any ideas on where I can insert 60 bytes of code
into the ROM and still have a functioning Apple IIe? Here is the
code. It was written in SC-MASM and it's currently .org'd for $FECD.
Thanks.
*APPLE IIE ROM PATCH FOR BREAKING INTO DEBUGGER
*MCPY USES (ZP),Y INDIRECT LOADS/STORES THROUGH THE
*POINTERS AT 0-1 AND 2-3; THE LISTING AS FIRST POSTED
*HAD LDA $00 / STA $02 (A5 00 / 85 02), WHICH ONLY
*COPIES THE POINTER BYTES THEMSELVES, NOT 100-8FF
FF59-            MONITOR .EQ $FF59
C000-            KEYBD   .EQ $C000        KEYBOARD
FA62-            OLDVEC  .EQ $FA62
                         .OR $FECD
                         .TA $800
FECD- AD 00 C0   START   LDA KEYBD        LOOK AT KEYBOARD
FED0- F0 FB              BEQ START        KEEP READING UNTIL A KEY PRESSED
FED2- C9 9B              CMP #$9B         WAS ESC PRESSED?
FED4- F0 03              BEQ CPY          YES, START MEM COPY
FED6- 4C 62 FA           JMP OLDVEC       PROCEED NORMALLY
FED9- A0 00      CPY     LDY #$00         CLEAR Y REG
FEDB- B9 00 00   MEMST   LDA $00,Y        XFER THE ZERO PAGE TO 2000-20FF
FEDE- 99 00 20           STA $2000,Y      SO WE CAN USE THE ZERO-PAGE MEMORY
FEE1- C8                 INY              FOR THE OTHER MOVES
FEE2- D0 F7              BNE MEMST        (Y IS 0 AGAIN WHEN THIS FALLS THROUGH)
FEE4- A9 00              LDA #$00         SET UP LOCNS 0 & 1 AS A 2-BYTE POINTER
FEE6- 85 00              STA $00          FOR THE SOURCE ADDRESS, USE 2 & 3
FEE8- 85 02              STA $02          AS 2-BYTE POINTER FOR THE DESTINATION
FEEA- A9 01              LDA #$01         ADDR, SOURCE STARTING AT 100
FEEC- 85 01              STA $01
FEEE- A9 21              LDA #$21         DESTINATION STARTING AT 2100
FEF0- 85 03              STA $03
FEF2- B1 00      MCPY    LDA ($00),Y      GET A BYTE FROM 100-UP
FEF4- 91 02              STA ($02),Y      STORE AT 2100-UP
FEF6- E6 02              INC $02          INC LO-ORDER BYTE
FEF8- E6 00              INC $00
FEFA- D0 F6              BNE MCPY
FEFC- E6 03              INC $03          IF LO-ORDER=0, INC THE
FEFE- E6 01              INC $01          HI BYTE OF EACH
FF00- A5 01              LDA $01          CHECK TO SEE IF HI-BYTE = 9
FF02- C9 09              CMP #$09         IF 9, WE'RE THRU AT 8FF
FF04- D0 EC              BNE MCPY         IF NOT, LOOP BACK AND KEEP COPYING
FF06- 4C 59 FF   END     JMP MONITOR
                         .EN
SYMBOL TABLE
FED9- CPY
FF06- END
C000- KEYBD
FEF2- MCPY
FEDB- MEMST
FF59- MONITOR
FA62- OLDVEC
FECD- START
0000 ERRORS IN ASSEMBLY
Another article on ROM hacking here:
Issue #6, page 14
http://www.computist-project.net/pdfs/hardcore.computist/issue06.pdf
Trash the self-test code. Plenty of room there!
Matt
On Thu, 1 Jan 2009, er...@neilsonhart.com wrote:
> Hi Everyone,
>
> Using an emulator, I'm attempting to implement a popular cracking
> technique from back in the day where you modify your Apple II ROM so
> that you can hit RESET and break directly into the monitor after
> having moved some critical pieces of memory to safe locations (full
> details are here: http://www.skepticfiles.org/cowtext/apple/krakowic.htm).
> The ultimate goal is to burn a working ROM.
With the EDM you can hit Opt-Ctrl-Reset and break into the monitor...
...it's already junked the memory test
http://blog.jamtronix.com/2007/05/apple_extended_debugging_monit.html
Might be easier to tweak from there?
-uso.
Yep, two pages you can live without, at $C600 (with INTCXROM set). ;-)
-michael
******** Note new website URL ********
NadaNet and AppleCrate II for Apple II parallel computing!
Home page: http://home.comcast.net/~mjmahon/
"The wastebasket is our most important design
tool--and it's seriously underused."
<monkeys-uncle>
How is it that I've never noticed this little gem before? A semi-
official debugger ROM for the IIe!
One of the back-burner projects I had in mind was a 65c02 supporting
IIe ROM hack that would play nice with interrupts and AUX memory.
Just playing around with this now on Virtual II - there's even
support for 80 columns. Wow. One less project :-)
</monkeys-uncle>
This is a rockin' awesome little ROM image. I think the text pages
are still affected when you enter the ROM, so I'll need to work on
that area to make sure they get moved before entering the Monitor. The
locations provided in this thread should be more than adequate.
Thanks everyone,
E
Wow. Just padded 4k of zeros to the beginning of it and it booted
like a champ in JACE. This is a sweet monitor!!! This is like a
belated christmas present for the truly geeky!
-B
Part 1 (resides at $FEFD) - Tape load area:
Handles the reset vector, bank switches, and jumps to main code at
INTCX $C600
Part 2 (resides at $C600 - INTCX) - Self-test area:
Checks keyboard input and then either jumps back to Part 1 for a
normal pass-through Reset or jumps to Part 3 for a monitor exit
Part 3 (resides at $FECD) - Tape save area:
un-bank switches back to SLOTCX memory and jumps to Monitor for some
fun!
Assuming all is in order, I've prepared a source package with docs and
modified ROM if anyone wants to host it. Meanwhile, here are the
APPLE2E.ROM mods:
Location of Part 0 - Alter reset vector:
FILE OFFSET: $7FFC
2 BYTES
OLD: 62 FA
NEW: FD FE
Location of Part 1:
FILE OFFSET:$7EFD
12 BYTES
OLD:
8D07C020D1C58D06C0F032D0
NEW:
8D07C04C00C68D06C04C62FA
Location of Part 2:
FILE OFFSET: $4600
67 BYTES
OLD:
8D50C0A004A2001879B4C79500E8D0F71879B4C7D500D010E8D0F56A2C19C0100249A58810E130065500184CCDC6860186028603A2048604E601A88D83C08D83C0A501
NEW:
AD00C0F0FBC9A0F007C99BF0334C03FFBA8E0129A000B90000990020B90001990021C8D0F1843C8442843EA909853FA902853DA9228543202CFE202FFB2058FC4CCDFE
Location of Part 3:
FILE OFFSET: $7ECD
6 BYTES
OLD:
A9408D07C020
NEW:
8D06C04C59FF
Change the Apple //e logo to Apple //k:
FILE OFFSET: $7F12
OLD:
E5
NEW:
EB
Eric N.
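The mods above are a set of OLD/NEW byte pairs at fixed file offsets, which is exactly the shape a verify-then-patch script wants. The following is an added example, not code from the thread or from the source package Eric mentions: it copies the five offsets and hex strings from the post, checks every OLD sequence (and that no patch overlaps another or changes length) before touching the image, and refuses to run twice on an already patched ROM. The 32K image it patches is constructed for the demo (zeros plus the OLD bytes) and stands in for a real APPLE2E.ROM; the offset-to-address mapping (offset = address - $8000 for the $C000-$FFFF half) is inferred from the post's own numbers, since $7FFC holds the $FFFC reset vector and $4600 is $C600.

```python
"""Apply the Apple //k patches posted in the thread to an APPLE2E.ROM image,
verifying the expected OLD bytes before anything is written.

Added illustration; offsets and hex are copied from the post, the image used
by unpatched_image() is constructed and is not a real ROM dump.
"""
from __future__ import annotations

# (name, file offset, OLD bytes, NEW bytes) exactly as listed in the post.
PATCHES: list[tuple[str, int, str, str]] = [
    ("Part 0: reset vector", 0x7FFC, "62FA", "FDFE"),
    ("Part 1: tape load area", 0x7EFD,
     "8D07C020D1C58D06C0F032D0", "8D07C04C00C68D06C04C62FA"),
    ("Part 2: self-test area (INTCX $C600)", 0x4600,
     "8D50C0A004A2001879B4C79500E8D0F71879B4C7D500D010E8D0F56A2C19C0100249"
     "A58810E130065500184CCDC6860186028603A2048604E601A88D83C08D83C0A501",
     "AD00C0F0FBC9A0F007C99BF0334C03FFBA8E0129A000B90000990020B90001990021"
     "C8D0F1843C8442843EA909853FA902853DA9228543202CFE202FFB2058FC4CCDFE"),
    ("Part 3: tape save area", 0x7ECD, "A9408D07C020", "8D06C04C59FF"),
    ("Apple //e logo -> //k", 0x7F12, "E5", "EB"),
]

# Assumed from the post's numbers: $7FFC <-> $FFFC, $4600 <-> $C600.
ROM_BASE = 0x8000


class PatchError(ValueError):
    """The image does not match what the patch expects; nothing was written."""


def addr_to_offset(addr: int) -> int:
    """Map a CPU address in $C000-$FFFF to its offset in the 32K image."""
    if not 0xC000 <= addr <= 0xFFFF:
        raise ValueError(f"${addr:04X} is not in the ROM half of the image")
    return addr - ROM_BASE


def check_patches(rom: bytes, patches=PATCHES) -> None:
    """All checks run before any write: OLD and NEW must be the same length
    (code is patched in place, nothing shifts), the OLD bytes must really be
    there, and no two patches may overlap."""
    spans: list[tuple[str, int, int]] = []
    for name, off, old_hex, new_hex in patches:
        old, new = bytes.fromhex(old_hex), bytes.fromhex(new_hex)
        if len(old) != len(new):
            raise PatchError(f"{name}: OLD is {len(old)} bytes, NEW is {len(new)}")
        if off + len(old) > len(rom):
            raise PatchError(f"{name}: ${off:04X} is past the end of a {len(rom)}-byte image")
        found = rom[off:off + len(old)]
        if found != old:
            raise PatchError(f"{name}: expected {old.hex().upper()} at ${off:04X}, "
                             f"found {found.hex().upper()}")
        for other, s, e in spans:
            if off < e and s < off + len(old):
                raise PatchError(f"{name} overlaps {other}")
        spans.append((name, off, off + len(old)))


def apply_patches(rom: bytearray, patches=PATCHES) -> list[str]:
    """Verify, then write every NEW sequence in place. Returns the names applied."""
    check_patches(bytes(rom), patches)
    for name, off, _old_hex, new_hex in patches:
        new = bytes.fromhex(new_hex)
        rom[off:off + len(new)] = new
    return [p[0] for p in patches]


def reset_vector(rom: bytes) -> int:
    """Little-endian 6502 RESET vector read from $FFFC/$FFFD."""
    off = addr_to_offset(0xFFFC)
    return rom[off] | (rom[off + 1] << 8)


def unpatched_image() -> bytearray:
    """Constructed 32K image: zeros with only the OLD bytes in place, so the
    demo runs without a real ROM dump."""
    rom = bytearray(0x8000)
    for _name, off, old_hex, _new_hex in PATCHES:
        old = bytes.fromhex(old_hex)
        rom[off:off + len(old)] = old
    return rom


if __name__ == "__main__":
    image = unpatched_image()
    print(f"before: RESET -> ${reset_vector(image):04X}")  # stock $FA62 (OLDVEC)
    for applied in apply_patches(image):
        print("applied", applied)
    print(f"after:  RESET -> ${reset_vector(image):04X}")  # $FEFD, Part 1
    try:
        apply_patches(image)  # second run fails the OLD check, so never patched twice
    except PatchError as err:
        print("refused:", err)
```

Against a real image you would read the file into a bytearray, call apply_patches, and write it back only if no PatchError was raised; the OLD check is what protects you from patching a ROM revision whose bytes at those offsets differ from the one the mods were made against.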
I'm similarly surprised.
Also, following another link from Jonno's blog:
http://www.pagetable.com/?p=43
Microsoft's easter egg text in Applesoft:
---
A6 D3 C1 C8 D4 C8 D5 C4 CE CA
If we XOR every byte with 0x87, we get:
21 54 46 4f 53 4f 52 43 49 4d
which, again, is "MICROSOFT!" backwards
---
It's at $F094.
Cheers,
Nick.
Eric
The code:
C600- AD 00 C0 1010 START LDA KEYBD LOOK AT KEYBOARD
C603- F0 FB 1020 BEQ START KEEP READING UNTIL A KEY PRESSED
won't work, since the keyboard port is almost never zero. You want
a BPL in place of the BEQ to wait until an unread key is pressed.
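To see why the branch choice matters, here is an added illustration (not code from the thread) of the two-instruction poll run over a constructed sequence of $C000 reads. It assumes the behaviour the reply relies on: the port returns the last keycode, with bit 7 set only while a new keypress is waiting, so the value is rarely zero. BEQ loops only while the accumulator is zero, so it falls through on the first stale read; BPL loops while bit 7 is clear and falls through only on a fresh key.

```python
"""Model of 'START LDA $C000 / Bxx START' with BEQ versus BPL.

Added illustration; the keyboard-port trace below is constructed and the
assumed port behaviour is: last keycode in bits 0-6, bit 7 set while a new
key is pending (cleared by the strobe), so a read is almost never zero.
"""
from __future__ import annotations


def lda_flags(value: int) -> tuple[bool, bool]:
    """N and Z as a 6502 sets them after LDA of an 8-bit value."""
    value &= 0xFF
    return bool(value & 0x80), value == 0


def poll_exit(reads: list[int], branch: str) -> tuple[int, int] | None:
    """Run the poll loop over a sequence of $C000 reads. Returns (index, value)
    of the read on which the loop falls through, or None if every read in the
    trace branches back (the real CPU would keep spinning)."""
    for i, value in enumerate(reads):
        n, z = lda_flags(value)
        if branch == "BEQ":
            loop_again = z        # taken while A == 0: stale nonzero data falls through
        elif branch == "BPL":
            loop_again = not n    # taken while bit 7 clear: no new key yet
        else:
            raise ValueError(f"unsupported branch {branch}")
        if not loop_again:
            return i, value
    return None


def is_fresh_key(value: int) -> bool:
    """Only a read with the strobe bit (bit 7) set is an unread keypress."""
    return bool(value & 0x80)


# Constructed trace: the latch still holds an already-read 'A' ($41) with the
# strobe cleared, then ESC is pressed ($1B | $80 = $9B) and stays latched.
TRACE = [0x41, 0x41, 0x41, 0x9B, 0x9B]

if __name__ == "__main__":
    for b in ("BEQ", "BPL"):
        hit = poll_exit(TRACE, b)
        idx, val = hit
        print(f"{b}: exits on read {idx} with ${val:02X}, fresh key: {is_fresh_key(val)}")
```

With BEQ the loop exits at once on $41, the CMP #$9B fails and the patch takes the JMP OLDVEC path, so ESC is never noticed; with BPL it waits until the $9B read. An emulator whose emulated latch happens to read as zero before the first keypress (an assumption, not something the thread states) would hide the difference, which is consistent with the bug never showing up under emulation.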
Thanks! I was just about to burn EPROMS this week. That's one of the
real-world things that never bothered the emulators.
I've uploaded a new version to Asimov. It will hopefully be posted
shortly.
Eric