+InsaneMultitasker Posted October 17, 2015

Hi folks. Gazoo shared his XB27 BOOT loader code with me not too long ago. This snip of GPL code is stuffed into the cartridge at 0x6000. At powerup it moves BOOT / BOOU from the cartridge's 'gram' space into cpu ram. As you may recall, Gazoo wrote his GPL code directly as data statements. I'm hoping that someone can turn this into commented, GPL source code for me. Thanks

```asm
GROM3  DATA >AA01,>0000,>600E,>600E
       DATA >0000,>0000,>0000,>0000
       DATA >6018,>0442,>4F4F,>5400
       DATA >BE74,>0303,>D675,>2040
       DATA >28BD,>9073,>9072,>0000
       DATA >3118,>008F,>9D00,>6800
       DATA >3118,>008F,>3D00,>8000
       DATA >BF00,>2006,>0FF0,>0000
```
Tursi Posted October 17, 2015

```asm
* Gazoo's BOOT loader
*GROM3 DATA >AA01,>0000,>600E,>600E
*      DATA >0000,>0000,>0000,>0000
*      DATA >6018,>0442,>4F4F,>5400
*      DATA >BE74,>0303,>D675,>2040
*      DATA >28BD,>9073,>9072,>0000
*      DATA >3118,>008F,>9D00,>6800
*      DATA >3118,>008F,>3D00,>8000
*      DATA >BF00,>2006,>0FF0,>0000
*
* Hand converted by Tursi, may need some massaging
* to re-assemble. Data order is as in memory:
* <opcode> <dest> <source>
*
* This code does not appear to verify that BOOT is legitimately
* loaded into GRAM before executing it, though!
*
* Header first:
       AORG >6000
       DATA >AA01         * valid rom, version 1
       DATA >0000         * unused
       DATA >600E         * Pointer to powerup list
       DATA >600E         * Pointer to program list
       DATA >0000         * Pointer to DSR list
       DATA >0000         * Pointer to subprogram list
* 600C:
       DATA >0000         * padding
* 600E:
       DATA >0000         * next item pointer
       DATA >6018         * address
       BYTE >04           * name length (make sure assembler doesn't pad this to EVEN)
       TEXT 'BOOT'
       BYTE >00           * padding
* 6018:
       ST   @>8374,>03    * (BE,74,03) Set KSCAN mode at >8374 to mode 3 (PASCAL)
       SCAN               * (03) read the keyboard
       CEQ  @>8375,>20    * (D6,75,20) check if the returned key is space bar
       BR   G@>6028       * (40,28) jump to >6028 if not equal (or xx28 if not loaded at >6000)
* Space was held, bypass startup
       DST  *>0073,*>0072 * (BD,90,73,90,72) I read >0203 and >0002 in ROM...
*                           not sure why, no side effect. Bug? Obfuscation? Just playing?
       RTN                * (00) finished
* 6027:
       BYTE >00           * padding
* 6028: jump here if space was NOT held
       MOVE >1800 TO @>2000 FROM G@>6800   * (31,18,00,8f,9d,00,68,00)
*                                            copy the program data into low memory
       MOVE >1800 TO @>C000 FROM G@>8000   * (31,18,00,8f,3d,00,80,00)
*                                            copy the program data into high memory
       DST  @>8300,>2006  * (bf,00,20,06) store address to jump into scratchpad
       XML  >F0           * (0f,f0) jumps to assembly address stored at >8300
*                           ie: launch boot
       RTN                * (00) return, but never executed
       BYTE >00           * padding
```

Hopefully AA won't mangle my padding too badly.

I'm not sure what's up with the DST in the bypass code path; maybe he meant something else, or maybe I mis-decoded that instruction. I don't have that version of XB27 installed to verify it. The rest is all pretty straightforward -- it's just the MOVE opcodes you need in the end, and maybe the SCAN to check for a bypass key. (And the XML to branch to assembly from GROM, I guess.)
+InsaneMultitasker (Author) Posted October 17, 2015

> * 6028: jump here if space was NOT held
>        MOVE >1800 TO @>2000 FROM G@>6800   * (31,18,00,8f,9d,00,68,00)
> *                                            copy the program data into low memory
>        MOVE >1800 TO @>C000 FROM G@>8000   * (31,18,00,8f,3d,00,80,00)
>
> Hopefully AA won't mangle my padding too badly. I'm not sure what's up with the DST in the bypass code path; maybe he meant something else, or maybe I mis-decoded that instruction. I don't have that version of XB27 installed to verify it. The rest is all pretty straightforward -- it's just the MOVE opcodes you need in the end, and maybe the SCAN to check for a bypass key. (And the XML to branch to assembly from GROM, I guess.)

Outstanding! No mangling noticed. Seems pretty straightforward, although I must admit the MOVE instruction baffles me. Where are >2000 and >C000 hiding in that byte stream?
+InsaneMultitasker (Author) Posted October 17, 2015

```asm
* Gazoo's Boot loader
       DEF  START                   Show where program starts.
       REF  VWTR,VSBW,VMBW,DSRLNK,VMBR,GPLLNK
START  B    @START1                 Go to actual start of program.
PAB    DATA >0500,>0FF0,>0000,>2000 Data for Peripheral access
       BYTE >00                     block.
FILENM BYTE >09                     Length byte, pathname.filename
       TEXT 'DSK1.BOO'
INCREM TEXT 'T '
FILE02 TEXT 'U '
GRMWA  EQU  >9C02                   Grom write address register
GRMWD  EQU  >9C00
VDPWA  EQU  >8C02                   VDP WRITE address register
VDPRD  EQU  >8800                   VDP READ DATA REGISTER
BUFFER EQU  >0FC0
PABADR EQU  >0F80
WR     BSS  >20                     Save space for workspace.
START1 LWPI WR                      Load workspace.
       LI   R0,>0180                Set VDP register 1.
       BLWP @VWTR
********************************
BOOT   LI   R0,PABADR
       LI   R1,PAB
       LI   R2,25
       BLWP @VMBW
       LI   R6,PABADR+9
       MOV  R6,@>8356
       BLWP @DSRLNK
       DATA 8
       NOP
       LI   R0,>0FF0
       LI   R1,>8300
       LI   R2,>0002
       BLWP @VMBR
       MOV  @>8300,R1
       CI   R1,>FFFF
       JNE  ERROR
       LI   R3,>9C04                BANK 2
       LI   R1,>6800
       BL   @LOADR
********************************
BOOU   LI   R9,FILE02
       LI   R10,INCREM
       MOV  *R9,*R10
       LI   R0,PABADR
       LI   R1,PAB
       LI   R2,25
       BLWP @VMBW
       LI   R6,PABADR+9
       MOV  R6,@>8356
       BLWP @DSRLNK
       DATA 8
       NOP
       LI   R0,>0FF0
       LI   R1,>8300
       LI   R2,>0002
       BLWP @VMBR
       MOV  @>8300,R1
       CI   R1,>0000
       JNE  ERROR
       LI   R3,>9C04                BANK 2
       LI   R1,>8000
       BL   @LOADR
       B    @HEADER
*******************************
ERROR  LI   R1,>980C
       MOV  R1,@>83FA
       BLWP @GPLLNK
       DATA >7810
*******************************
HEADER LI   R0,>0FF0
       LI   R1,GROM3
       LI   R2,>0040
       BLWP @VMBW
       NOP
       LI   R3,>9C04                BANK 2
       LI   R1,>6000
       CLR  R0
       MOVB R1,@GRMWA
       SWPB R1
       MOVB R1,@GRMWA
       SWPB R1
       LI   R1,>0FF0
       SWPB R1
       MOVB R1,@VDPWA
       SWPB R1
       MOVB R1,@VDPWA
       LI   R0,>0040
LOOP3  MOVB @>8800,*R3
       DEC  R0
       JGT  LOOP3
********************************
QUIT   LIMI 2
       CLR  @>837C
       LWPI >83E0
       BLWP @>0000                  Go bye-bye.
*******************************
LOADR  CLR  R0
       MOVB R1,@GRMWA
       SWPB R1
       MOVB R1,@GRMWA
       SWPB R1
       LI   R1,>0FF0
       SWPB R1
       MOVB R1,@VDPWA
       SWPB R1
       MOVB R1,@VDPWA
       LI   R0,>1800
LOOP4  MOVB @>8800,*R3
       DEC  R0
       JGT  LOOP4
       RT
*****************************************
* GROM3 header data, as posted at the top of this thread
* (the >40 bytes that HEADER copies into GRAM at >6000)
GROM3  DATA >AA01,>0000,>600E,>600E
       DATA >0000,>0000,>0000,>0000
       DATA >6018,>0442,>4F4F,>5400
       DATA >BE74,>0303,>D675,>2040
       DATA >28BD,>9073,>9072,>0000
       DATA >3118,>008F,>9D00,>6800
       DATA >3118,>008F,>3D00,>8000
       DATA >BF00,>2006,>0FF0,>0000
*****************************************
* END
```

> [Tursi's GPL disassembly, quoted in full from the post above.]

Sharing the full loader routine in my original post would have made too much sense. See above. The powerup routine (DATA statements) should only be moved into 'gram' if BOOT and BOOU are first loaded successfully from disk. I believe this addresses the legitimacy concern, so far in that two files were loaded. There is no inspection of BOOT/BOOU beyond the header information.
Tursi Posted October 17, 2015

> Outstanding! No mangling noticed. Seems pretty straightforward, although I must admit the MOVE instruction baffles me. Where are >2000 and >C000 hiding in that byte stream?

It's weird, eh? All absolute addresses in MOVE instructions have >8300 added to them. So it's the 9D00 and the 3D00.
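To make the >8300 bias concrete, here is an added Python decoder (written for this page, not from the thread or from Gazoo's loader) that pulls the count, destination and source out of the two MOVE byte strings in Tursi's listing. The operand-encoding rules it applies are assumptions inferred from those bytes: a CPU-RAM operand starting with a byte below >80 is a one-byte scratchpad offset, a leading >8F means a full 16-bit address follows, and in both cases >8300 is added modulo >10000, while the GROM source address is stored unbiased.

```python
# Added example (not from the thread): decode the GPL MOVE byte strings Tursi
# listed, to show where >2000 and >C000 hide behind >9D00 and >3D00.
# ASSUMED encoding, inferred from the bytes on the page:
#   CPU-RAM operand, first byte < >80  -> one-byte offset, >8300 + byte
#   CPU-RAM operand, first byte  >8F   -> 16-bit address follows, >8300 added mod >10000
#   GROM source address              -> stored as-is (no bias)

CPU_BIAS = 0x8300


def decode_cpu_operand(code, i):
    """Return (address, next_index) for a CPU-RAM operand starting at code[i]."""
    first = code[i]
    if first < 0x80:                           # short form: scratchpad offset
        return (CPU_BIAS + first) & 0xFFFF, i + 1
    if first & 0x70:                           # VDP / indirect / indexed bits: not used here
        raise ValueError(f"unsupported operand modifier byte {first:#04x}")
    if (first & 0x0F) == 0x0F:                 # long form: 16-bit address follows
        raw = (code[i + 1] << 8) | code[i + 2]
        return (CPU_BIAS + raw) & 0xFFFF, i + 3
    raw = ((first & 0x0F) << 8) | code[i + 1]  # 12-bit form (assumed, not on the page)
    return (CPU_BIAS + raw) & 0xFFFF, i + 2


def decode_move(code):
    """Decode the >31 MOVE form used by the loader: immediate count, CPU-RAM
    destination, GROM source. Returns (count, dest_cpu_addr, src_grom_addr)."""
    if code[0] != 0x31:
        raise ValueError("only the >31 MOVE form used by the boot loader is handled")
    count = (code[1] << 8) | code[2]           # immediate byte count, e.g. >1800
    dest, i = decode_cpu_operand(code, 3)
    src = (code[i] << 8) | code[i + 1]         # GROM address, unbiased
    return count, dest, src


# Constructed from the byte comments in Tursi's listing
LOW_MOVE = bytes.fromhex("3118008f9d006800")   # MOVE >1800 TO @>2000 FROM G@>6800
HIGH_MOVE = bytes.fromhex("3118008f3d008000")  # MOVE >1800 TO @>C000 FROM G@>8000

if __name__ == "__main__":
    for name, code in (("low", LOW_MOVE), ("high", HIGH_MOVE)):
        count, dest, src = decode_move(code)
        print(f"{name}: MOVE >{count:04X} TO @>{dest:04X} FROM G@>{src:04X}")
```

The same short-form rule explains the ST and DST bytes in the listing: the >74 in BE,74,03 is @>8374 and the >00 in bf,00,20,06 is @>8300.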
+InsaneMultitasker (Author) Posted October 18, 2015

> It's weird, eh? All absolute addresses in MOVE instructions have >8300 added to them. So it's the 9D00 and the 3D00.

Very! And all this time I thought Forth was weird!!! :grin:
Willsy Posted October 18, 2015

Forth *is* weird :-)
atrax27407 Posted October 18, 2015

Forth is simply the language of Yoda. Forth weird is not.