Differences

This shows you the differences between two versions of the page.

mg_notes:iie_card:weird_stuff [2017/08/06 00:47]
M.G. !
mg_notes:iie_card:weird_stuff [2017/08/07 22:25] (current)
M.G. Slot scan/select description.
Line 8: Line 8:
  
 <​code>​ <​code>​
 +  .org $fbdd
   ; this code replaces the .1 second delay   ; this code replaces the .1 second delay
-  .byte $02 +  .byte $02  ; two byte NOP in 65C02 
-  .byte $01+  .byte $01  ; should be ignored by CPU
   rts   rts
   nop   nop
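Review bot: The comment "should be ignored by CPU" on the .byte $01 line reads as if $01 were a separate instruction, but it is the second byte of the two-byte $02 NOP described on the line above, so the CPU skips it as that opcode's operand. Suggest putting both bytes on one line, for example ".byte $02, $01  ; $02 = two byte NOP in 65C02, $01 is its operand", so the pair reads as the single unit that the table in the next hunk lists at $FBDD.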
Line 30: Line 31:
  
 So this must be part of the magic that interfaces the card to the host Macintosh. ​ How very very interesting. So this must be part of the magic that interfaces the card to the host Macintosh. ​ How very very interesting.
 +
 +===== Other Weird Instructions =====
 +
 +The preceding find led me to search through the monitor ROM to look for other unusual instruction sequences.
 +
 +Here is what I found:
 +
 +^ In Routine ^ Address ^ Code    ^ Function ^
 +| PWRUP   | $FAB4   | $02 $02 | Loads A reg with $Cn+1 where n = startup slot or $C8 if scan. |
 +| PWRUP   | $FAC0   | $02 $03 | Displays "​UNABLE TO BOOT FROM STARTUP SLOT" if A reg = $Cn-1 where n = startup slot or $c0 if scan.  Disappears if screen scrolls. |
 +| APPLEII | $FB63   | $02 $04 | Display copyright message on screen, disappears if screen scrolls. |
 +| BELL1   | $FBDD   | $02 $01 | Play system bell sound. |
 +| GETLN1 ​ | $FD78   | $02 $06 | Key translation called right after rdchar. If A reg has <​key>​DELETE</​key>,​ converts it to <​key><​-</​key>​. |
 +|         ​| ​        | $02 $05 | Not found in firmware, yet, but presumably this exists. |
 +
 +==== The Key Translation and the A register ====
 +
 +Get to the monitor in your %%//%%e Card and try this:
 +
 +<​code>​
 +*!
 +!300:jsr fd35
 +! nop
 +! nop
 +! jmp fdda
 +!
 +*300G
 +</​code>​
 +
 +FD35 is the RDCHAR routine, FDDA is the print byte routine. ​ This routine reads a keypress and outputs its hex code.  Run it a few times to convince yourself there is no funny business. ​ Run it a final time and press <​key>​DELETE</​key>​.
 +
 +<​code>​
 +*300G
 +FF    (appears after pressing delete)
 +*
 +</​code>​
 +
 +FF is exactly what we expect to see with the Apple II delete key.
 +
 +Now want to see something interesting? ​ Change the NOPs to $02 $06 and run it again. ​ Try a few keys, then try it with <​key>​DELETE</​key>​.
 +
 +<​code>​
 +*303:02 06
 +*300G
 +88    (appears after pressing delete)
 +*
 +</​code>​
 +
 +88 is the code for the left arrow key.  That's some serious magic, and in two bytes the Card converts <​key>​DELETE</​key>​ to <​key><​-</​key>​.
 +
 +==== The Two-Byte Copyright ====
 +
 +Try this sequence of instructions:​
 +
 +<​code>​
 +]HOME
 +]CALL -151
 +*300:02 04 60
 +*300G
 +</​code>​
 +
 +Hit the left arrow a bunch of times until the display scrolls. **POOF!**
 +
 +==== Slot Scan Scam ====
 +
 +The %%//%%e Card lets the user pick the startup slot in the control panel or "​Scan"​ which is the behavior of a standard %%//%%e.
 +
 +This is implemented by the sequences $02 $02 which replaces the LDA #$C8 at the start of the slot scan loop, and $02 $03 which replaces the CMP #$C0 instruction that decides loop termination.
 +
 +The $02 $02 sequence loads the accumulator with $C8 if scan is selected, or $Cn+1 if a specific slot is selected.
 +
 +<​code>​
 +*300:02 02 4C DA FD
 +*300G
 +C8   (if scan or slot 7 selected, "​Cx"​ if another slot is selected)
 +*
 +</​code>​
 +
 +The $02 $03 sequence behaves as if CMP #$C0 or CMP #$Cn-1 has been executed and if it has, displays "​UNABLE TO BOOT FROM STARTUP SLOT" in the center of the screen in a similar manner to the copyright message. ​ The message is not in Apple II memory. ​ It returns with the flags set as executing the CMP instruction would have.
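Review bot: The last paragraph of "Slot Scan Scam" leaves the trigger for the message unclear: "behaves as if CMP #$C0 or CMP #$Cn-1 has been executed and if it has, displays ..." does not say what "if it has" refers to. The table row for $FAC0 says the message appears if A reg = $Cn-1 (or $c0 if scan), so the sentence should state that the message is displayed when the comparison finds A equal to that value. That same table row writes $c0 in lowercase where the rest of the section uses $C0, and the "C8" sample output would be easier to follow if it noted that slot 7 yields C8 because $C7+1 = $C8.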