LNX format extraction

[GadgetUK]

Hi,

 

Are there any tools to extract the parts from a lnx image? I want to take the code and data section out of an existing rom, add an animated intro done in CC65 as the first title in a new rom, and have the original game then get loaded.

 

The other element to this relates to rebooting the Lynx, is it possible to force a reboot?

[LX.NET]

I havent tested this, but apparently SYSCTL1 has a bit flag for power that will force a reset. Check what happens when you write a zero to bit 2 at $FD87.

[sage]

yes there is a tool to decipher the rom content of either lyx or lnx and extract the "files". what you want to do depends strongly on the ROM layout. depending on that this ranges from trivial to nearly impossible. extracting the files from the rom is the easiest part and might not solve your problem at all as file offsets are hardcoded within the files.

 

in the worst case you can isbale interrupts, enable the ROM and jump there, this is not a power cycle, but forces a reload of the boot loader. this was discussed before, search the forum.

[GadgetUK]

I havent tested this, but apparently SYSCTL1 has a bit flag for power that will force a reset. Check what happens when you write a zero to bit 2 at $FD87.

 

Thx, will try this later.

[GadgetUK]

yes there is a tool to decipher the rom content of either lyx or lnx and extract the "files". what you want to do depends strongly on the ROM layout. depending on that this ranges from trivial to nearly impossible. extracting the files from the rom is the easiest part and might not solve your problem at all as file offsets are hardcoded within the files.

 

in the worst case you can isbale interrupts, enable the ROM and jump there, this is not a power cycle, but forces a reload of the boot loader. this was discussed before, search the forum.

 

Thanks, whats the exe/utility called?

[sage]

romrip (sound obvious...)

[GadgetUK]

Hi,

 

Are there any tools to extract the parts from a lnx image? I want to take the code and data section out of an existing rom, add an animated intro done in CC65 as the first title in a new rom, and have the original game then get loaded.

 

The other element to this relates to rebooting the Lynx, is it possible to force a reboot?

 

H

I havent tested this, but apparently SYSCTL1 has a bit flag for power that will force a reset. Check what happens when you write a zero to bit 2 at $FD87.

 

Hmmm, nice power down feature but it does what it says on the tin - it powers down lol.

 

I will take a look through the docs and see what other register I might be able to use.

[GadgetUK]

Far easier than I thought. I've simply looked at the start address of the STARTUP segment and done a none conditional jump there and it works fine.

 

EDIT: But... This isn't resetting every area of RAM like it would on a proper reset. I've noticed that if I paused the game and then reset it, when I start the next game it starts paused. Ideally there should be a way to change the reset vector of miki or suzi to whatever address the internal loader ROM is, then it would load the ROM from scratch and do whatever gets done normally. The way mine is now is OK, its functional but I would prefer a hard reset.

 

;utils

.include "lynx.inc"

 

.export _reset_lynx

_reset_lynx:

;jump to address of STARTUP segment

jmp $501F

Edited June 14, 2013 by GadgetUK

[+karri]

Cleaning up RAM at reset works only on Handy and on carts where there is cleanup in the bootloader.

 

On cc65 carts the RAM will not be cleaned up at boot. Instead the last content or random garbage will fill it.

[GadgetUK]

Thanks for clearing that up (ahem, pun not intended). I've cleared a couple of variables I missed and it looks like doing a JMP to the address of STARTUP is the best bet. It's working fine, tested pretty thoroughly - Just need to remember to check if every now and again as the address of STARTUP in my memory map shifts occasionally by the odd byte as I change certain code.

[GadgetUK]

Does anyone have a copy of 'romrip'? I cannot find it anywhere.

[GadgetUK]

Bump - Still looking for 'romrip' or something similar in order to extract sections from a .LNX ROM.

[sage]

it will not help you, but I send you the link

[GadgetUK]

Thanks, sounds like it might be easier to write something myself to extract the code. I guess I can look to Handy source to understand the decryption process and how the ROM is loaded and start from there.

[LX.NET]

I guess I can look to Handy source to understand the decryption process and how the ROM is loaded and start from there.

The Handy source does not contain information on the decryption process, as that is performed in 65SC02 code. Wookie has successfully reverse-engineered the algorithm and retrieved the cryptographic keys. You can take a look at the code http://lynxemulator.codeplex.com/SourceControl/latest#Source/AtariLynxEmulator/Tooling/AtariLynx.Cryptography/EncryptedLoaderFrame.cs and the other files in the same directory. It has a C# implementation of de/encrypting and has unit tests to show how it works. It is almost trivial to encrypt your custom loader using that.

[sage]

Thanks, sounds like it might be easier to write something myself to extract the code. I guess I can look to Handy source to understand the decryption process and how the ROM is loaded and start from there.

 

the decrytion has nothing to do with the "files" you want to extract.

 

for what you want to do (if I interpret your msg above correctly) you first have to check what hind of ROM you want to hack. Is it BLL/EPICs loader based or cc65 (not newcc65) based?

Then you have to check what code you want to inject, cc65 will (most likely) not work if you do not modify the cc65 lib code.

If you return from injected code to original code you have to make sure that the code (and variable space) do not overlap during loading. If Its EPICS or BLL Rom image and you want to inject lyxass based code, it really easy and will not take more than a few minutes to adjust the code addresses.

[LX.NET]

So, Sage, enlighten us please.

[LX.NET]

So, Sage, enlighten us please for performing the minutes of work.

[sage]

So, Sage, enlighten us please.

 

http://lynxdev.atari.org/enlighten_lx.pdf

[sage]

After reading that, you see its quiet simple:

 

first remark: if its an checksum protected rom, you have to remove the checksumming. (by overwriting the loader with the hacked one. can be done with romrip or dd)

 

You add your code to the end of the cartridge. it has to embed the usual code to load files from directory (check that its compiled for the correct ROM size and directory layout/offset).

Now you write down blocknumber and block offset for your code.

You put that into the second stage loader code and recompile/reencrypt the loader. done. this is nice because you not have a checksummed rom.

 

OR

 

you hardcode the block/offset of the first original file (after the title picture that is) into your code. then just need to replace the file entry by your code (and if crcr, see above).

 

OR

 

you replace the loader by the micro loader from dave/karri/cc65 and put your code address at 203 and leave the original directory as it is. bad thing, the title picture will not be shown anymore.

 

for full encrypting with crc you will have to run something like

#!/bin/bash
echo "Add a loader to a 128kb ROM (well 512bytes/block)"
echo "Process $1, get dir entries"
buildchk $1 128
echo "now romdir.i and checkstring.src have been created"
echo "next assmble new stage1 using loader_stage1.asm"
lyxass -d -o "$1.stage1_plain" loader_stage1.asm
lynxenc "$1.stage1_plain" "$1.stage1_enc"
OUT="$1_mod.lyx"
echo "Copy Image file to new name... $OUT"
cp  "$1" $OUT
## Now write the stage 1 part (which depend on file dir)
SIZE1=154
dd if="$1.stage1_enc"  of="$OUT" bs=1 count=$SIZE1 conv=notrunc
## Now write the stage 2 part
SIZE2=256
dd if="loader.stage2_128k_enc"  of="$OUT" bs=1 count=$SIZE2 conv=notrunc seek=$SIZE1
OUT2="_$(basename "$OUT")"
echo "Now make a lnx... $OUT"
mv $OUT "$OUT2"
make_lnx "$OUT2" -b0 128k
echo "Finished"

[LX.NET]

Thanks sage for the extensive explanation and the document. And sorry for the duplicate post (on a bad connection for the next two weeks)

[GadgetUK]

Sorry I didnt reply to this until now, just had too many other things on the go. Very interesting and thanks LX.NET and Sage for progressing this, and to Sage for expanding with a detailed reply, it is much appreciated and more complex than I expected. Still at least its possible and the information you've posted is mega useful.

[johannesmutlu]

If it is true that the lynx can be ATLEAST. Be hard reset trough a bootloader on the card, that would be great for homebrewers to open up new capabities,like multi rom images, the fact is i can't wait for thd x cart to be released,wich works with micro sd card on the lynx, a prototype of it exists but no picture of it ever found, aaarrrggg.