Amtech RF512C manipulates reading the ROM image with M-R

From: Spiro Trikaliotis <ml-cbmhackers_at_trikaliotis.net>
Date: Thu, 19 Aug 2021 20:22:08 +0200
Message-ID: <20210819182208.GQ6646_at_hermes.local.trikaliotis.net>
Hello,

answering my own mail:

* On Wed, Aug 04, 2021 at 11:34:18AM +0200 I wrote:
 
> does anyone have a ROM image of the Amtech RF512C drive? It seems to be
> a 1571 clone.
> 
> I am asking because I asked someone to give me a ROM image that is
> collected with M-R (cbmctrl download from OpenCBM), and the image looks
> very "suspicious". That is, things are not at the locations where they
> should be. The image "as is" would not even boot, because the RESET
> vector is invalid!
> 
> Does anyone know if this drive has some "counter-copyright-detection"
> measures? That is, does it really return the ROM contents on M-R in the
> area $8000-$FFFF?

Yes, it has. It is rather simple, but it is there.

The M-R is manipulated.

Let's look at the original routine:

00CAFF  1                       ; store the address low/high at T0/T0+1
00CAFF  1  AD 03 02             lda     CMDBUF + 3
00CB02  1  85 6F                sta     T0
00CB04  1  AD 04 02             lda     CMDBUF + 4
00CB07  1  85 70                sta     T0+1
00CB09  1
00CB09  1                       ; determine the exact command to execute
00CB09  1
00CB09  1  A0 00                ldy     #$00
00CB0B  1  AD 02 02             lda     CMDBUF + 2              ; get relevant command byte
00CB0E  1
00CB0E  1                       ; test for M-R
00CB0E  1  C9 52                cmp     #'R'
00CB10  1  F0 0E                beq     @cmd_memory_read        ; execute M-R
...
00CB20  1               @cmd_memory_read:
00CB20  1  B1 6F                lda     (T0),y                  ; read the first byte at the given memory position
00CB22  1  85 85                sta     DATA                    ; remember it
...

That's all we need.

That is, the routine does the following: Read the LOW byte of the
address to read from CMDBUF+3 ($0203) and store it at T0 ($6F), then
get the HIGH byte to read from CMDBUF+4 ($0204) and store it at T0+1
($70).

Now, in the M-R, we read from (T0),Y byte by byte and store each byte, so
that it can be put into the buffer to return.

What is patched in the ROM?

CB20 is changed to:

CB20 JSR $C0B0
CB23 NOP

That is, the read and the store are manipulated.

Let's look what the routine does:

40B0  A5 70       LDA $70      ; high byte of the source address
40B2  C9 FF       CMP #$FF     ; is it $FF?
40B4  90 0A       BCC $40C0    ; now, it is lower (that is, != $FF) --> just proceed "as usual"

40B6  AD 03 02    LDA $0203    ; get the LOW byte of the M-R source
40B9  85 70       STA $70      ; and store it as HIGH byte of the source

40BB  AD 04 02    LDA $0204    ; get the HIGH byte of the M-R source
40BE  85 6F       STA $6F      ; and store it as LOW byte of the source

; from here, this is a copy of $CB20: Read the value and remember it
40C0  B1 6F       LDA ($6F),Y
40C2  85 85       STA $85
40C4  60          RTS


That is, the ROM manipulates the way the M-R commands read from the
$FFxx area. Instead of reading from there, the M-R command reads
starting from $xxFF. So, the last page of the ROM cannot be read with
the M-R command.


I will give the person who gave me the dump a program to read back the
missing page, and I will give a more thorough analysis of the ROM later.

Regards,
Spiro.

-- 
Spiro R. Trikaliotis
https://spiro.trikaliotis.net/
Received on 2021-08-19 21:00:11
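As an added example (not code from Spiro's mail, nor from OpenCBM or the Amtech ROM), the following Python script simulates the patched M-R address handling described above: whenever the high byte of the requested address is $FF, the low and high bytes are swapped before the read, so a request for $FFxx returns the byte at $xxFF. The script builds a constructed 32 KiB "ROM" (byte values are a simple function of the address, not real ROM contents), collects a dump the way an M-R based downloader would, shows that the RESET vector in such a dump is wrong, and offers a check that tells whether an existing dump carries the swap signature. The RESET vector value, the per-byte M-R collection, and the assumption that every byte of one M-R reply comes from (T0),Y with Y counting up from the swapped base are assumptions of this example.

```python
# Added example: simulation of the RF512C M-R address swap and a dump check.
# Not from the original post, OpenCBM, or the drive ROM.

ROM_BASE = 0x8000  # the 1571-style ROM window $8000-$FFFF
ROM_SIZE = 0x8000


def build_rom():
    """Constructed 64 KiB address space with a fake ROM at $8000-$FFFF.
    Byte values are (addr * 167 + 7) & 0xFF so that a byte read from the
    wrong address is easy to spot. This is NOT the real ROM content."""
    mem = bytearray(0x10000)
    for addr in range(ROM_BASE, 0x10000):
        mem[addr] = (addr * 167 + 7) & 0xFF
    # RESET vector at $FFFC/$FFFD; the target $EA00 is an arbitrary assumption.
    mem[0xFFFC] = 0x00
    mem[0xFFFD] = 0xEA
    return mem


def effective_base(lo, hi):
    """Mirror of the patch routine: if the high byte ($70) is $FF, the
    bytes from $0203/$0204 are stored crosswise (LDA $0203 / STA $70,
    LDA $0204 / STA $6F), so $FFxx becomes $xxFF."""
    if hi == 0xFF:
        lo, hi = hi, lo
    return (hi << 8) | lo


def patched_mr(mem, lo, hi, count=1):
    """Simulated M-R reply of `count` bytes for address hi:lo on the patched
    ROM. Assumption: all bytes of one reply come from (T0),Y, Y = 0..count-1,
    starting at the (possibly swapped) base."""
    base = effective_base(lo, hi)
    return bytes(mem[(base + y) & 0xFFFF] for y in range(count))


def dump_rom(mem, chunk=1):
    """Collect $8000-$FFFF as a downloader issuing one M-R per `chunk` bytes
    would (chunk=1 models one M-R per byte)."""
    out = bytearray()
    for addr in range(ROM_BASE, 0x10000, chunk):
        out += patched_mr(mem, addr & 0xFF, addr >> 8, chunk)
    return bytes(out[:ROM_SIZE])


def reset_vector(image):
    """RESET vector ($FFFC/$FFFD) as seen in a $8000-$FFFF image."""
    off = 0xFFFC - ROM_BASE
    return image[off] | (image[off + 1] << 8)


def last_page_swap_matches(image, chunk=1):
    """Check a dump for the swap signature: a byte recorded for $FFxx that
    came through the swap equals the image's own byte at $xxFF (+Y).
    Only sources inside $8000-$FEFF (read unswapped, hence trustworthy)
    are compared. Returns (matches, testable); matches == testable means
    the last page was read through the swap, a genuine ROM matches only
    by chance."""
    matches = testable = 0
    for start in range(0xFF00, 0x10000, chunk):
        src_base = ((start & 0xFF) << 8) | 0xFF
        for y in range(chunk):
            src = src_base + y
            if not ROM_BASE <= src < 0xFF00:
                continue
            testable += 1
            if image[src - ROM_BASE] == image[start + y - ROM_BASE]:
                matches += 1
    return matches, testable


if __name__ == "__main__":
    mem = build_rom()
    genuine = bytes(mem[ROM_BASE:])
    dumped = dump_rom(mem)
    print("RESET vector in ROM:  $%04X" % reset_vector(genuine))
    print("RESET vector in dump: $%04X" % reset_vector(dumped))
    print("swap signature, dump:   %d/%d" % last_page_swap_matches(dumped))
    print("swap signature, genuine: %d/%d" % last_page_swap_matches(genuine))
```

On a real dump taken with cbmctrl download, run `last_page_swap_matches` over the 32 KiB image: a result close to 127/127 is the fingerprint of this patch, while $8000-$FEFF of the same dump remain usable as-is, because the swap only triggers for a high byte of $FF.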