42bs Posted October 2, 2018 Share Posted October 2, 2018 Hi just want to share this: https://6502bench.com/ or https://github.com/fadden/6502bench/ 1 1 Quote Link to comment Share on other sites More sharing options...
+karri Posted October 2, 2018 Share Posted October 2, 2018 (edited) Nice! I have actually also been a bit creative lately in the disassembler field. Currently I can disasseble a cart image back to a source tree with proper Makefiles and config files. I am using the disassembler in the cc65 suite. Running "make" produces a cart image that is identical to the source. It also creates pcx images out of all sprites it finds. The sources use proper register names and defines which makes browsing through the carts quite interesting. For compressed files I still need to find a proper unzipper. The new driving episode in "Shaken, not stirred" was heavily inspired by my disassembly session of RoadRiot. The starting point in doing this was the wonderful sounds in Shadow of the beast. I cannot understand how to get certain great sounds out of Lynx hardware so I built a little tool for helping me look at how other programmers are dealing with sound. Edited October 2, 2018 by karri 2 Quote Link to comment Share on other sites More sharing options...
joeyaage Posted October 3, 2018 Share Posted October 3, 2018 Just what I wanted, thankyou. I will give it a go. Quote Link to comment Share on other sites More sharing options...
oziphantom Posted October 3, 2018 Share Posted October 3, 2018 It's a good start, long way to go. Quote Link to comment Share on other sites More sharing options...
Turbo Laser Lynx Posted October 3, 2018 Share Posted October 3, 2018 (edited) I have actually also been a bit creative lately in the disassembler field. Currently I can disasseble a cart image back to a source tree with proper Makefiles and config files. I am using the disassembler in the cc65 suite. Running "make" produces a cart image that is identical to the source. It also creates pcx images out of all sprites it finds. The sources use proper register names and defines which makes browsing through the carts quite interesting. For compressed files I still need to find a proper unzipper. The new driving episode in "Shaken, not stirred" was heavily inspired by my disassembly session of RoadRiot. The starting point in doing this was the wonderful sounds in Shadow of the beast. I cannot understand how to get certain great sounds out of Lynx hardware so I built a little tool for helping me look at how other programmers are dealing with sound. That sounds exciting! Did you find out some of the sounds they used? Shadow of the beast has some great music, especially level 1 / "overworld theme". Robotron's wonderful arcadey sound effects also come to mind. I wish I'd understand finding sounds for the Lynx better. I guess it's at least relatively easy to experiment on chipper. I thought it was funny in the chips challenge interview episode of the handycast when "LX Rudis" said that they tried to get rid of him several times, but no one of the new guys could be bothered with understanding how the sound generation on the Lynx works, and that he also sometimes used to get frustrated and just start guessing sounds! Edited October 3, 2018 by Turbo Laser Lynx Quote Link to comment Share on other sites More sharing options...
42bs Posted October 3, 2018 Author Share Posted October 3, 2018 Karri, a sprite to pcx tool sounds great. I have some sprites where I do not have the original image anymore (like King Tut ;( ) Quote Link to comment Share on other sites More sharing options...
+karri Posted October 3, 2018 Share Posted October 3, 2018 (edited) I have everything in a single Python file. I can PM it to you with an example of use. You need to run the tool many times and edit some conf files manually between runs. Example file001.info: GLOBAL { OUTPUTNAME "titlesprite.s"; INPUTNAME "file001"; STARTADDR $2400; PAGELENGTH 0; CPU "65sc02"; }; RANGE { START $2400; END $241F; TYPE ByteTable; }; RANGE { START $2420; END $2422; TYPE ByteTable; }; RANGE { START $2423; END $2426; TYPE AddrTable; }; RANGE { START $2427; END $243A; TYPE ByteTable; }; RANGE { START $243B; END $4000; TYPE ByteTable; }; LABEL { NAME "titlepal"; ADDR $2400; }; LABEL { NAME "spr001_1"; ADDR $2420; }; In order to create original images you need to define where the sprite call starts. This is needed in order to find the right quadrants and bits per pixel. This will then produce a source file looking like this: .setcpu "65SC02" ; ---------------------------------------------------------------------------- L0000 := $0000 ; ---------------------------------------------------------------------------- titlepal: .byte $01,$0C,$0A,$08,$06,$05,$04,$03 ; 2400 01 0C 0A 08 06 05 04 03 .byte $00,$03,$02,$01,$00,$03,$02,$00 ; 2408 00 03 02 01 00 03 02 00 .byte $04,$CC,$BA,$98,$76,$65,$53,$42 ; 2410 04 CC BA 98 76 65 53 42 .byte $03,$38,$27,$15,$04,$16,$05,$00 ; 2418 03 38 27 15 04 16 05 00 spr001_1: .byte $C1,$30,$00 ; 2420 C1 30 00 ; ---------------------------------------------------------------------------- .addr L0000 ; 2423 00 00 .addr L243B ; 2425 3B 24 ; ---------------------------------------------------------------------------- .byte $00,$00,$00,$00,$00,$01,$00,$01 ; 2427 00 00 00 00 00 01 00 01 .byte $00,$00,$00,$00,$01,$23,$45,$67 ; 242F 00 00 00 00 01 23 45 67 .byte $9A,$BC,$F0,$00 ; 2437 9A BC F0 00 L243B: .byte $0D,$7D,$BE,$DF,$6F,$B7,$DB,$ED ; 243B 0D 7D BE DF 6F B7 DB ED .byte $F6,$FB,$7D,$BE,$C0,$0D,$7D,$BE ; 2443 F6 FB 7D BE C0 0D 7D BE .byte $DF,$6F,$B7,$DB,$ED,$F6,$FB,$7D ; 244B DF 6F B7 DB ED F6 FB 7D Edited October 3, 2018 by karri Quote Link to comment Share on other sites More sharing options...
42bs Posted October 3, 2018 Author Share Posted October 3, 2018 I have everything in a single Python file. I can PM it to you with an example of use. You need to run the tool many times and edit some conf files manually between runs. Yes, please. I'll give it a try. Quote Link to comment Share on other sites More sharing options...
OldAtAtari Posted January 27, 2021 Share Posted January 27, 2021 Thanks for these links, 42bs. It seems to be exactly what I need. Oddly, my Lynx can't run Zarlor Mercenary, either from the original cartridge or from the ROM on my BennVenn flash cart. It crashes just after the title screen, but if I hit A quickly enough, I can bypass the broken section and get into the player selection screen. So I want to see if I can disassemble the *.lnx file and hack the broken section out of it. I'll give it a go with the 6502bench tools. Thanks again. Quote Link to comment Share on other sites More sharing options...
42bs Posted January 27, 2021 Author Share Posted January 27, 2021 1 hour ago, OldAtAtari said: Oddly, my Lynx can't run Zarlor Mercenary, either from the original cartridge or from the ROM on my BennVenn flash cart. It crashes just after the title screen, but if I hit A quickly enough, I can bypass the broken section and get into the player selection screen. Wow, that's interesting. This means, Zarlor does also not check _all_ ROM contents (like Gauntlet, which made it possible to start all BLL stuff). 1 Quote Link to comment Share on other sites More sharing options...
OldAtAtari Posted January 27, 2021 Share Posted January 27, 2021 29 minutes ago, 42bs said: Wow, that's interesting. This means, Zarlor does also not check _all_ ROM contents (like Gauntlet, which made it possible to start all BLL stuff). Yeah, interesting for sure, and disappointing. I was looking forward to playing this game. I'm not sure what checking _all_ ROM contents means. My guess was simply that my Lynx has a bad piece of RAM, and Zarlor was trying to reference that particular bad address, whereas perhaps my other games don't use that address. A simpleton kind of answer from a simpleton kind of guy. Quote Link to comment Share on other sites More sharing options...
sage Posted January 27, 2021 Share Posted January 27, 2021 (edited) 19 hours ago, 42bs said: Wow, that's interesting. This means, Zarlor does also not check _all_ ROM contents (like Gauntlet, which made it possible to start all BLL stuff). ~Until now I have not seen any game which checks the complete rom.~ Seems I was wrong ? Edited January 28, 2021 by sage Quote Link to comment Share on other sites More sharing options...
42bs Posted January 28, 2021 Author Share Posted January 28, 2021 10 hours ago, sage said: Until now I have not seen any game which checks the complete rom. Ok, I haven't checked all of them. But Gauntlet makes a checksum over all but the first block. But only of the first 256 bytes. Just looked into the bootloader of PowerFactor: Here they check all 1024 bytes of each block. Quote Link to comment Share on other sites More sharing options...
42bs Posted January 28, 2021 Author Share Posted January 28, 2021 Ok, yes, Zarlor Mercenary only checks the first 512 bytes of each block. I checked it: Change a byte at n*1024+512 => Game starts. Change at n*1024 => game does not start. Quote Link to comment Share on other sites More sharing options...
42bs Posted January 28, 2021 Author Share Posted January 28, 2021 This is the code to look for in the boot sector: _382 lda $31 jsr $fe00 lda $fcb0 beq _38f jsr _24f _38f lda #$10 sta $32 _393 sec ldx #$10 _396 lda $fcb2 ldy #3 _39b adc $fcb2 dey bne _39b This is for a 256K game (ldy #3 => sum up 4 bytes). 512K games have ldy #7. 128K games have no loop, so just sum up 2 bytes. I picked 8 games, and all checked the correct number of bytes. So EPYX took the wrong boot sector. 1 Quote Link to comment Share on other sites More sharing options...
OldAtAtari Posted January 28, 2021 Share Posted January 28, 2021 23 minutes ago, 42bs said: This is the code to look for in the boot sector: _382 lda $31 jsr $fe00 lda $fcb0 beq _38f jsr _24f _38f lda #$10 sta $32 _393 sec ldx #$10 _396 lda $fcb2 ldy #3 _39b adc $fcb2 dey bne _39b This is for a 256K game (ldy #3 => sum up 4 bytes). 512K games have ldy #7. 128K games have no loop, so just sum up 2 bytes. I picked 8 games, and all checked the correct number of bytes. So EPYX took the wrong boot sector. 42bs, thank you so much for looking into the Zarlor issue. I'm not sure what to make of your response, but it's 2am here, and I'm a bit tired. Not to mention that I'm a complete hack. I've been trying to disassemble the zarlor *.lnx file tonight. Both with da65 and with 6502bench. Both mostly give me data lines, not code lines, and that boot sector isn't in there. With 6502bench, I assume that my problem is an incorrect .org line. Either way, I'm done for tonight. I'll get back on it tomorrow. By the way, thanks again for starting this topic. The 6502bench software is really nice, and the instructions and tutorials are terrific. I just haven't been able to read enough of them yet to have a clue what I'm doing. Quote Link to comment Share on other sites More sharing options...
42bs Posted January 28, 2021 Author Share Posted January 28, 2021 Did some more checking, the first 6 games (from this list: Wikipedia:Lynx ) contain the same header, means they check only 256 bytes of each block and the load address of the title picture is unchecked. From KLAX on there is a new boot sector which contains also the load address of the title picture, so no Troian Horse possible which we used for BLL. Quote Link to comment Share on other sites More sharing options...
42bs Posted January 28, 2021 Author Share Posted January 28, 2021 8 minutes ago, OldAtAtari said: I've been trying to disassemble the zarlor *.lnx file tonight. Both with da65 and with 6502bench. Both mostly give me data lines, not code lines, and that boot sector isn't in there. With 6502bench, I assume that my problem is an incorrect .org line. The bootsector gets decoded by the ROM, so looking at it raw makes no sense. Best is to load a game into Handybug, set a breakpoint at 0x200 and let it hit it two times. The decode bootsector is now from 0x200..0x3ff. Quote Link to comment Share on other sites More sharing options...
sage Posted January 28, 2021 Share Posted January 28, 2021 There are only a few "different" loaders used. And the difference is small. I am still sure that not the whole cart is checksummed (this would take a significant time) Quote Link to comment Share on other sites More sharing options...
sage Posted January 28, 2021 Share Posted January 28, 2021 Name Typ Größe stage1 stage1 size stage2 Blue Lightning 512 type1 5 type1 California Games (128k) 512 type1 5 type1 Chip's Challenge (128k) 512 type1 5 type1 Electrocop (128k) 512 type1 5 type1 Gauntlet - The Third Encounter (128k) 512 type1 5 type1 Gates of Zendocon (128k) 512 type2 5 type2 Todd's Adventure in Slime World (128k) 512 type3b 3 type3_512 Asteroids and Missile Command 512 type3 3 type3_512 Basketbrawl 512 type3 3 type3_512 Battle Wheels (128k) 512 type3 3 type3_512 Block Out (128k) 512 type3 3 type3_512 Crystal Mines II (128k) 512 type3 3 type3_512 European Soccer Challenge (128k) 512 type3 3 type3_512 Hard Drivin' (128k) 512 type3 3 type3_512 Ishido - The Way of the Stones (128k) 512 type3 3 type3_512 Joust (128k) 512 type3 3 type3_512 Ms. Pac-Man (128k) 512 type3 3 type3_512 Pac-Land (128k) 512 type3 3 type3_512 Paperboy (128k) 512 type3 3 type3_512 Qix (128k) 512 type3 3 type3_512 Robo-Squash (128k) 512 type3 3 type3_512 Robotron 2084 512 type3 3 type3_512 Shanghai (128k) 512 type3 3 type3_512 Turbo Sub (128k) 512 type3 3 type3_512 Ultimate Chess Challenge (128k) 512 type3 3 type3_512 Warbirds (128k) 512 type3 3 type3_512 Xenophobe 512 type3 3 type3_512 Zarlor Mercenary (128k) 512 type3 3 type3_512 Atomic BLL 1024 type1 5 type1 Battling Chimera Taquin BLL 1024 type1 5 type1 bll BLL 1024 type1 5 type1 Championship Rally 256x1k BLL 1024 type1 5 type1 clicks BLL 1024 type1 5 type1 Conquest of Zow BLL 1024 type1 5 type1 DM_Dungeon_master BLL 1024 type1 5 type1 Dynalynx BLL 1024 type1 5 type1 FS-3_256k_AudioLo BLL 1024 type1 5 type1 Hyperdrome 128x1k BLL 1024 type1 5 type1 Kistenschieben BLL 1024 type1 5 type1 Lexis (Shadowsoft 1999) unclear 1024 type1 5 type1 LynxReloaded_128x1k BLL 1024 type1 5 type1 Marble Madness BLL 1024 type1 5 type1 Nonameyet BLL 1024 type1 5 type1 Puzzler 2000 BLL 1024 type1 5 type1 Rapide Racer BLL 1024 type1 5 type1 Remnant Special CGE2K Edition 64x1k BLL 1024 type1 5 type1 simis BLL 1024 type1 5 type1 Slideshow 256x1k BLL 1024 type1 5 type1 SokoMania 128x1k BLL 1024 type1 5 type1 Teenage BLL 1024 type1 5 type1 The return to the space coyote BLL 1024 type1 5 type1 v7SE BLL 1024 type1 5 type1 Wolf BLL 1024 type1 5 type1 yastuna2 BLL 1024 type1 5 type1 Zaku Public Demo (2005-11-13) BLL 1024 type1 5 type1 Othello 256x1k protected 1024 type2 5 type2 MegaPak Megapak 1024 type4 3 type4_1024 Zaku final Zaku 2048 type4 3 type4_2048 APB - All Points Bulletin 1024 type3 3 type3_1024 Awesome Golf 1024 type3 3 type3_1024 Baseball Heroes 1024 type3 3 type3_1024 Batman Returns 1024 type3 3 type3_1024 Battlezone 2000 1024 type3 3 type3_1024 Bill and Ted's 1024 type3 3 type3_1024 Bubble Trouble 1024 type3 3 type3_1024 Checkered Flag 1024 type3 3 type3_1024 CM2-Buried Treasure 1024 type3 3 type3_1024 Cybervirus 256x1k 1024 type3 3 type3_1024 Desert Strike 1024 type3 3 type3_1024 dgate 1024 type3 3 type3_1024 Dinolympics 1024 type3 3 type3_1024 Dirty Larry - Renegade Cop 1024 type3 3 type3_1024 Double Dragon 1024 type3 3 type3_1024 Dracula the Undead 1024 type3 3 type3_1024 Fat Bobby 1024 type3 3 type3_1024 Gordo 106 - The Mutated Lab Monkey 1024 type3 3 type3_1024 Hockey 1024 type3 3 type3_1024 Hydra 1024 type3 3 type3_1024 Klax 1024 type3 3 type3_1024 Krazy Ace Minature Golf 1024 type3 3 type3_1024 Kung Food 1024 type3 3 type3_1024 Lemmings 1024 type3 3 type3_1024 Lynx Casino 1024 type3 3 type3_1024 Malibu Bikini Volleyball 1024 type3 3 type3_1024 NFL Football 1024 type3 3 type3_1024 Ninja Gaiden 1024 type3 3 type3_1024 Pinball Jam 1024 type3 3 type3_1024 Power Factor 1024 type3 3 type3_1024 Rampage 1024 type3 3 type3_1024 Rampart 1024 type3 3 type3_1024 RoadBlasters 1024 type3 3 type3_1024 Rygar 1024 type3 3 type3_1024 S.T.U.N. Runner 1024 type3 3 type3_1024 Scrapyard Dog 1024 type3 3 type3_1024 Shadow of the Beast 1024 type3 3 type3_1024 Steel Talons 1024 type3 3 type3_1024 Super Off-Road 1024 type3 3 type3_1024 Super Skweek 1024 type3 3 type3_1024 Switchblade II 1024 type3 3 type3_1024 Toki 1024 type3 3 type3_1024 Tournament Cyberball 2072 1024 type3 3 type3_1024 Viking Child 1024 type3 3 type3_1024 World Class Soccer 1024 type3 3 type3_1024 Xybots 1024 type3 3 type3_1024 eotb_neu 2048 type3 3 type3_2048 Ninja Gaiden III - The Ancient Ship of Doom 2048 type3 3 type3_2048 Pit Fighter - The Ultimate Competition 2048 type3 3 type3_2048 Quote Link to comment Share on other sites More sharing options...
42bs Posted January 28, 2021 Author Share Posted January 28, 2021 BLL - Loader or Type 1 (0xFB first byte) Reads the directory entry for the title picture from the directory at 0x200 _before_ checksumming. The hack was to replace the boot code with a faked image. The checksumming only tests the first 256bytes of each block, even Electrocop which is a 256K (thus 1024 bytes per block) game. The other official loader checksums _all_ of the card (exception so far Zarlor) and stores the directory entry for the title picture in the encrypted part. And really, _all_ of the card is read. Quote Link to comment Share on other sites More sharing options...
42bs Posted January 28, 2021 Author Share Posted January 28, 2021 Gates of Zendocon is a Type 1 boot sector, means checks only the first 256bytes of each (but the first) block. Quote Link to comment Share on other sites More sharing options...
sage Posted January 28, 2021 Share Posted January 28, 2021 1 hour ago, 42bs said: Gates of Zendocon is a Type 1 boot sector, means checks only the first 256bytes of each (but the first) block. sure, i list it separate, because there are non trivial changes on the code. (trivial changes are title picture address and the copied in values for entry0,1,hash (depending on stage1,stage2) Quote Link to comment Share on other sites More sharing options...
42bs Posted January 28, 2021 Author Share Posted January 28, 2021 Well, did not go that much into detail. But w.r.t the checksum, it is the same code as Gauntlet. Quote Link to comment Share on other sites More sharing options...
sage Posted January 28, 2021 Share Posted January 28, 2021 2 hours ago, 42bs said: The other official loader checksums _all_ of the card (exception so far Zarlor) and stores the directory entry for the title picture in the encrypted part. And really, _all_ of the card is read. Maybe that is the reason I immediately replace the loader when touching a rom Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.