Jump to content
IGNORED

Disassembling the Educational System Master Cartridge


Recommended Posts

Yup. I am working from memory access breakpoints (especially reads) in the debugger, and tracing back from that. So far it's helping get the variables documented.

 

again, don't think of it as byte code for an imaginary processor, bit rather as a terminal emulator, processing escape sequences....

Link to comment
Share on other sites

Hopefully, once I map out the zero page locations (which comprise the entirety of program state, minus the LMS, PMBASE, and CHBASE regions of ram), I'll have a good idea of the data area at the end of the ROM (which is at least two or more tables), and can then trace the memory accesses back into the main parts of the program.

 

-Thom

Link to comment
Share on other sites

It's common in the edu cart to use the X register as the primary parameter for a subroutine call, such as this one, which does a 16-bit increment:

 

where X in this case is the least significant byte to increment. X will increment, and if M = $FF, then X+1 will also increment.

 

 

lBC47   ; Callers: B855 lBBDA BC15 B8C1 BC7B BC82
    inc $00,x  ; BC47: F6 00
    bne lBC4D  ; BC49: D0 02
    inc $01,x  ; BC4B: F6 01

 

-Thom

Link to comment
Share on other sites

There are two sets of color setting code present:

 

 

lBCC7   ; Callers: B906 B970 B936
    lda $99  ; BCC7: A5 99
    sta COLPF2  ; BCC9: 8D 18 D0
    lda $9A  ; BCCC: A5 9A
    sta COLBK  ; BCCE: 8D 1A D0
    lda $9B  ; BCD1: A5 9B
    sta COLPM0  ; BCD3: 8D 12 D0
    sta COLPM1  ; BCD6: 8D 13 D0
    sta COLPM2  ; BCD9: 8D 14 D0
    sta COLPM3  ; BCDC: 8D 15 D0
    lda $BD72  ; BCDF: AD 72 BD
    sta COLPF1  ; BCE2: 8D 17 D0
uBCE5   ; Callers: -c BCE5
    rts      ; BCE5: 60

 

This would put $99, $9A, and $9B to set the color registers. $BD72 is $0A, which given COLPF1, would be the default text intensity.

 

I'm going to guess this is the standard color setting routine.

 

But wait, there's more... in BC76 we find:

 

 

lBC76   ; Callers: lB8ED lB939 B958 B8E5
    pha      ; BC76: 48
    txa      ; BC77: 8A
    pha      ; BC78: 48
    ldx #$92  ; BC79: A2 92
    jsr lBC47  ; BC7B: 20 47 BC
    bne lBCC3  ; BC7E: D0 43
    ldx #$94  ; BC80: A2 94
    jsr lBC47  ; BC82: 20 47 BC
    bne lBCC3  ; BC85: D0 3C
    lda #$FE  ; BC87: A9 FE
    sta $94  ; BC89: 85 94
    lda #$FF  ; BC8B: A9 FF
    sta $95  ; BC8D: 85 95
    lda $96  ; BC8F: A5 96
    clc      ; BC91: 18
    adc #$33  ; BC92: 69 33
    sta $96  ; BC94: 85 96
    and #$F7  ; BC96: 29 F7
    sta COLPF2  ; BC98: 8D 18 D0
    adc #$04  ; BC9B: 69 04
    and #$F7  ; BC9D: 29 F7
    sta COLPF1  ; BC9F: 8D 17 D0
    lda $98  ; BCA2: A5 98
    clc      ; BCA4: 18
    adc #$33  ; BCA5: 69 33
    sta $98  ; BCA7: 85 98
    and #$F7  ; BCA9: 29 F7
    sta COLPM0  ; BCAB: 8D 12 D0
    sta COLPM1  ; BCAE: 8D 13 D0
    sta COLPM2  ; BCB1: 8D 14 D0
    sta COLPM3  ; BCB4: 8D 15 D0
    lda $97  ; BCB7: A5 97
    clc      ; BCB9: 18
    adc #$55  ; BCBA: 69 55
    sta $97  ; BCBC: 85 97
    and #$F7  ; BCBE: 29 F7
    sta COLBK  ; BCC0: 8D 1A D0
lBCC3   ; Callers: BC7E BC85
    pla      ; BCC3: 68
    tax      ; BCC4: AA
    pla      ; BCC5: 68
    rts      ; BCC6: 60

 

This one uses $93 to $98 (some overlap) with some ANDing involved, so I'm _really_ curious as to what this is used for..will dig in, when I get home.

 

and just when you thought it wasn't weird enough, here's another:

 

 

lBAC0   ; Callers: BABA
    pha      ; BAC0: 48
    lda $80  ; BAC1: A5 80
    pha      ; BAC3: 48
    lda #$00  ; BAC4: A9 00
    sta $80  ; BAC6: 85 80
    jsr lBB70  ; BAC8: 20 70 BB
    pla      ; BACB: 68
    sta $80  ; BACC: 85 80
    pla      ; BACE: 68
    jsr lBAD5  ; BACF: 20 D5 BA
    jmp lBABF  ; BAD2: 4C BF BA
lBAD5   ; Callers: BACF
    clc      ; BAD5: 18
    adc #$01  ; BAD6: 69 01
    bpl lBAF6  ; BAD8: 10 1C
    adc #$06  ; BADA: 69 06
    bmi lBAFF  ; BADC: 30 21
    tax      ; BADE: AA
    lda $BD6C,x  ; BADF: BD 6C BD
    bit $80  ; BAE2: 24 80
    bpl lBAF7  ; BAE4: 10 11
    sta COLPM0  ; BAE6: 8D 12 D0
    sta COLPM1  ; BAE9: 8D 13 D0
    sta COLPM2  ; BAEC: 8D 14 D0
    sta COLPM3  ; BAEF: 8D 15 D0
    sta $98  ; BAF2: 85 98
    sta $9B  ; BAF4: 85 9B
lBAF6   ; Callers: BAD8
    rts      ; BAF6: 60

 

Will dig into these when I get home... :)

Link to comment
Share on other sites

@Xuel, the disassembly you have, lists BD30 as stream, and yeah, you're right really, this is the splash screen at the start of the program, and it's interpreted by the same code, really..

 

I'm thinking basically to input data into this part of memory, reset the cartridge, and observe the results, to test both my understanding of the code, and the resulting "encoding"

 

The data is most definitely ASCII, an interesting one at that, notice the lone carriage returns, with no line feeds? To me, this screams that the original Dorsett system was built on one of Don Lancaster's TV Typewriter designs. The 32 columns per line, and 13 lines seem to play this out (the TV Typewriter was 32 columns by 16 rows), and it took data in ASCII format.

 

I have yet to test, but I think it's pretty definite that flipping bit 7 of any printable character causes the "highlighter" to kick in.

 

$00 is timing, and you'll never see one by itself. Always in pairs. I also suspect that $00 was used for the same vestigial reason as it was in other vintage TTY systems, as a NUL for pausing.

 

This leaves the control codes to set colors...

 

Inverse # seems to clear page

inverse $ seems to cause a pause for selection. setting correct answer, still TBD.

 

Atari hints there are also quite a few unused control codes.

 

More to come later, as I actually test this out and see if i am right or wrong.

 

-Thom

Link to comment
Share on other sites

I'm starting a set of library routines to output a .wav file compatible with the cartridge. It's been about 20 years or so since I've written anything that constructs and writes sound buffers from scratch, so am stumbling along.

 

It's being crammed together in just plain C, so it can be embedded into whatever. no outside dependencies, none needed.

 

-Thom

  • Like 1
Link to comment
Share on other sites

Guys,

 

breakthrough.

 

After roughly half a day of coding and debugging, I have the start of an encoder for making Edu system tapes. Turns out AFSK is pretty damned simple, and after a little help from Joey Z. to debug my sine routine (basically approximation errors resulting from plotting too far out past the first cycle), I was able to not only get clean mark/space tones, but I was able to concatenate the baud tones together to get a nice clean FSK modulation happening. Add the start and stop bits, and I was off to the races.

 

I've made a little video showing the code, and demoing it off, with a message for the AtariAge community. Thank you all.

 

Still a lot left to do, but a big break, nonetheless. :)

 

 

-Thom

  • Like 7
Link to comment
Share on other sites

I have now decoded the color palette.

 

From my notes, each hex value is the character code, and the resulting codes

0x11 = Dark Red border
0x12 = Magenta border
0x13 = Red border
0x14 = Brown border 
0x15 = Green border
0x16 = Blue Border
 
0x19 = Dark Red background
0x1a = Magenta background
0x1b = Red background
0x1c = Brown background
0x1d = Green background
0x1e = Blue Background
 
0x99 = Dark Red hilight
0x9a = Magenta hilight
0x9b = Red hilight
0x9c = Brown hilight
0x9d = Green hilight
0x9e = Blue hilight

Weird color palette, huh? But yeah, those are all the colors I could find, and they all match regardless of what's being set, the background, border, or highlight.

 

One thing to note, each color code causes the cursor to advance, so be sure to do any color changes while text isn't intended to be printed (e.g. before a clear screen at the bottom of a page.)

 

This is what it looks like:

 

 

(for best results, set quality to 720p/60 HD) :)

 

Now? I try to decode the interactive codes.

 

(edited to correct the 0x9x codes, they are for hilight)

 

-Thom

  • Like 7
Link to comment
Share on other sites

Thanks Thom for checking.

 

Where do we have that again with other roms... ;-)

 

Your findings are incredible good! :-)))

 

Today, I received: Basic Psychology CX6011, just Cassette B is missing.

 

Basic Sociology CX6005 ; just Cassette B and C are missing.

 

Unbelievable. :) :) :) :) ;-)

I'm working on it. :)

Tape B recorded poorly unlike the rest. I will try to re-record it at a louder volume and see if that helps.

 

Allan

  • Like 1
Link to comment
Share on other sites

An Update from my side:

 

Now that the archaeology of the master cartridge disassembly and forensic analysis of the tape format is completed, and the encoder functions, I am currently writing up a book detailing the entire "dig", and will be releasing it to the public once complete.

 

It will consist of three major parts:

 

* Introduction

* Disassembling the Cartridge

* Forensic Analysis of the Cassette Format

 

The focus on this particular book is very much a "post mortem" of the Atari Educational System, with the intent of the book being viewed as a proper historical text deconstructing one of the earliest examples of both multimedia and computer based training.

I will then take the content of the book, and at the very least, take the reference bits and place onto AtariWiki, as this is the most logical place for it.

-Thom

  • Like 2
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...