Code escapes from Cartridge!
Hi there!
Uihjah!
Remember that small snippet from yesterday? Besides calling half a dozen reset routines from the kernel and the BASIC interpreter, it basically just copies the first two bank 1 pages into the C64 RAM. Then it jumps there and does something rather unusual (at least for the VCS programmer 
):
It switches through all four banks, copying all content of the cartridge into the C64 RAM, creating a solid 28K block of ROM. If you ever tried booting the Park Patrol cartridge in VICE, you may have noticed that it starts with a black screen, unexpectedly saying "Loading". So that's precisely what it really does then! 
Here's where the contents get copied:
- $9000-$9FFF from Bank 1 goes to $5000-$5FFF
- $8000-$9FFF from Bank 2 goes to $6000-$7FFF
- $8000-$9FFF from Bank 3 goes to $8000-$9FFF
- $8000-$9FFF from Bank 4 goes to $A000-$BFFF
Notice something? Bank 3 goes to $8000! That's where I said the cartridge is residing! Huh?!?
Well, actually no big deal. The C64 is a pretty smart machine. It has a full 64K of RAM. When you write to an area where a ROM block is active, all writes will still go through to the RAM *under* the ROM. (Reading there still means reading from the ROM.)
What puzzles me though, is: Why is the content of bank 3 *copied* there?
- It could've just switched to bank 3 to get the content of bank 3 there in no time!
Well, Ok, maybe for some selfmodifying code. (Or just making it easier for Crackers to copy the game onto disk, making 'em no worries over the bankswitching... 
)
Remember another thing I said about bank 3 yesterday? Yup, it's the other one with starting code! Hm... well, I bet the game *is* started there, but why does it need a cartridge boot signature? Only thing I can think of right now, is that it is required for a warm start. To start it now after the copying sequence, all it requires is to jump there after activating RAM at $8000 again.
I think that is exactly what it does at the end of the copying routine:
lda #$2F sta $00 lda #$36 sta $01 jmp J_8009; $8009
I'm not C64 expert enough to fully understand this. Location $00 is the data direction register of the 6510. AFAIK is #$2F the default value, so I could imagine that this turns the cartridge off. Location $01 handles which parts of the multi-layered memory map are active. What I definitely can say is that it does switch from the BASIC interpreter ROM to the RAM residing there, which makes sense as the loader code just copied the 4th Park Patrol bank there
Interesting note at this point: It seems as if the remainder of the first 4K of the first bank contains just unused garbage. Also interesting: The *used* 4K are almost completely filled with alternating $00 and $FF pages... Hm... 
My next task will be constructing a working PRG file, by combining all info bits I found out so far. Halfway as a proof of concept of all my theories so far and halfway to have a compiling and working game source in hands to toy with 
Greetings,
Manuel
Like us on Facebook
Follow us on Twitter
AtariAge on Instagram
Watch us on YouTube
Chat on Discord
2 Comments
Recommended Comments