ELV Mobile Alerts

Mobile Alerts

This document tries to describe every detail of the Mobile Alerts sensors, which are sold by ELV in Germany, but are also available at the common suspects (Amazon, etc). Be careful buying at Amazon: certain sensors mention Mobile Alerts, but seem to be designed for the US. They are not compatible with the ELV Mobile Alerts ones!

Mobile Alerts is covering mostly climate sensors, but also contains moisture and door/window sensors plus a sound detector, which acts as a gateway for smoke sensors.

The Mobile Alerts are a version of the LaCrosse Alerts Mobile system made for the European market.

Detailed Infomation

Unit Calculator in Objective C

An piece of code I wrote in 2006, which allows you to do mathematical calculations with units from Objective-C. I’ve updated the code to Objective-C with properties and generics. It is not depended on macOS and should work fine on iOS as well.

By default the result will be in SI compatible units, but all units and prefixes (like kg or ms) can be freely defined in a configuration file units.dat. You can also force a specific unit and add variables to the term. It is also trivial to add new functions, even functions which accept a list of values.

A few examples:

((123.45e-1 + sqrt(+4) -4-.69/2)*2^1/5)^2 => 16
 avg(1,2,3,4) => 2.5
 (9*m^2)^0.5 => 3 m
 60 m + 2 mm => 60.002 m
 sqrt(9 m^2) => 3 m
 20 lb requestedUnit: kg => 9.07185 kg
 60 km/h + 12 m/s requestedUnit: km/h => 103.2 km/h
 1 Torr*760 requestedUnit: atm => 1 atm
 68 F requestedUnit: C => 20 C
 0 C + 0 C requestedUnit: C => 273.15 C --- internally temperatures are converted to Kelvin

The project is an Xcode project with a simple NSLog in the app delegate for testing. It also has a bunch of unit tests to make sure the math works out in all cases.

The code can be found on GitHub.

Label Placement

Implementation of a little algorithm to draw labels/rectangles on a background while trying to avoid overlapping. This is useful for maps, drawing labels on graphs, etc. The sources are – as always – available on GitHub.

In the screenshots you can see the planned area in light grey, while the repositioned ones are in black. The size of the rectangles is arbitrary.

The implementation is specifically simple and not optimized for performance at all. The goal is to be able to understand it.

Raspbian Jessie with a Pi-Raq LCD

The Pi-Raq came with an old version of Raspbian. An upgrade to e.g. Jessie will render the display non-functioning. The manufacturer sadly never got back to me, so I fixed it myself.

Download the archive with all needed files from GitHub.

There are two main things to do:

  1. Provide a custom dt-blob.bin for the pin configuration. This has changed with later version of Raspbian and is the reason why the old file no longer works.
  2. Update a stock config.txt to switch to the LCD.

How to modify the dt-blob.dts

There is very few documenation for this, which is expected, considering that hooking up a custom LCD to a Raspberry is not a very common thing to do.

I used the stock dt-blob.dts as a new base. First I stripped it down, because the Pi-Raq ships with a “Pi 2 Model B rev 1.1” only, which means all other pin configurations are not used anyway and I can’t test it. If you try to use it with a different Raspberry Pi (which seems possible), you have to change the pins_2b2 to match your Raspberry Pi. Use the stock version as an example and transfer the changes over.

By looking at the “Pi-RAQ Hardware Schematic.pdf” you can find out all custom pin mappings:

  • Pin 0 => PCLK-Out (pixel clock)
  • Pin 1 => DE-Out (display enable)
  • Pin 4–8 => B3-B7-Out (5 bits for blue)
  • Pin 9–14 => G2-G7-Out (6 bits for blue, our eyes are more sensitive to green)
  • Pin 15–19 => R3-R7-Out (5 bits for blue)
  • Pin 20–26 are for the jog shuttle controls. They don’t need a custom config, because they are already covered by the pin@default case.
    • Pin 20 = Right button
    • Pin 21 = Left button
    • Pin 22 = Rot1
    • Pin 23 = Center button
    • Pin 24 = Rot2
    • Pin 25 = Down button
    • Pin 26 = Left button
  • Pin 27 is the output for the backlight of the LCD. It has to be an output and should have a startup_state of “active”, otherwise the display stays off after boot. It can still be turned off at any time via a script.

Normal buttons are detected on a falling edge with 100ms debounce. Rotation is doing an edge-detection (both, 10ms debounce). If Rot1 changes and the Rot1 and Rot2 bits are the same, the wheel was rotated left. If both bits have a different value, it was rotated right.

Everything beyond pin 28 is not modified.

How to modify the config.txt

The config.txt has to be modified to switch from HDMI to the LCD. Besides basic changes, like turning overscan off (the LCD doesn’t have a overscan area) and set the framebuffer size to 1024×100 pixel, it is also necessary to enable dpi support (via enable_dpi_lcd), switch the default over and reconfigure the timing and output format for the dpi. Check the comments for a bit more details. The timings and the output format are specific to the LCD panel, which is connected.

Installation Step-by-Step

  1. Install Raspbian on an SD Card
  2. Use ApplePi-Baker to install Raspbian Jessie Lite (the normal version is not needed for this tiny display)
  3. Boot Raspberry with this card. You need to have a HDMI display connected and a USB keyboard
  4. sudo raspi-config => fix the keyboard layout, set a password, changed the hostname, reboot
  5. Remove the card and copy the content of this folder into /home/pi
  6. Put the card back into the Raspberry and boot the Pi-Raq again.
  7. It is typically faster to SSH into the Pi-Raq to configure it, but not necessary.
  8. Now finish the installation:

sudo nano /boot/config.txt

Uncomment/Modify the following lines, which should already be in the config.txt

disable_overscan=1

framebuffer_width=1024
framebuffer_height=100

and add this to the bottom of the file:

#----------------------------------------------------------------------------------------------------
#Generated on Thu Feb 19 13:20:39 2015 by Segler-HP
#config file for None
#Output Format -> DPI_OUTPUT_FORMAT_16BIT_565_CFG1
#RGB Order -> DPI_RGB_ORDER_RGB
#Output Enable Mode ->DPI_OUTPUT_ENABLE_MODE_DATA_VALID
#Invert Pixel Clock ->RGB Data changes on falling edge and is stable at rising edge
#Hsync Disable ->False
#Vsync Disable ->False
#Output Enable ->False
#Hsync Polarity ->Inverted
#Vsync Polarity ->Inverted
#Output Enable Polarity ->default for HDMI mode
#Hsync Phase ->DPI_PHASE_POSEDGE
#Vsync Phase ->DPI_PHASE_NEGEDGE
#Output Enable Phase ->DPI_PHASE_NEGEDGE
#----------------------------------------------------------------------------------------------------
hdmi_timings=1024 0 50 100 50  100 0 2 10 2 0 0 0  60 0 25000000 7
enable_dpi_lcd=1
display_default_lcd=1
dpi_output_format=4194306 #6488594
dpi_group=2
dpi_mode=87

The pin configuration of the device tree can be compiled from source:

sudo dtc -I dts -O dtb -o /boot/dt-blob.bin dt-blob.dts

As an alternative to you copy the dt-blob.bin

sudo cp dt-blob.bin /boot/dt-blob.bin

The Raspberry icons occupy a large amount of the vertical space during boot. They can be disabled by adding an option to the cmdline.txt:

sudo nano /boot/cmdline.txt

Add logo.nologo to the parameters. It should look like this after it:

dwc_otg.lpm_enable=0 logo.nologo console=ttyAMA0,115200 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline rootwait

We should also upgrade and update our installation:

sudo apt-get upgrade && sudo apt-get update

Now we can reboot:

sudo reboot

The HDMI should now be off (and can it be disconnected) and the LCD is used

Launching the demos

To get the demos to work, we need to install a few more python specific pieces:

For AlarmTest we need pygame:

sudo apt-get install python-pygame

This demo can be launched by cd AlarmTest and then python main.py

We need pip to install more Python packages

sudo apt-get install build-essential python-dev python-pip

This is only used for rotTest:

sudo pip install psutil

This demo can be launched by cd rotTest and then python main.py. The demo can be quit via Control-C, but the display stays blank. I haven’t fixed this. sudo reboot solves it…

The full dt-blob.dts for EarthLCD Pi-Raq

/dts-v1/;

/ {
   videocore {
      clock_routing {
        vco@PLLD { freq = <2000000000>; };
        chan@DPER { div = <8>; }; // APER will be 500MHz
      }; // clock routing

      pins_2b2 { // Pi 2 Model B rev 1.1
         pin_config {
            pin@default {
               polarity = "active_high";
               termination = "pull_down";
               startup_state = "inactive";
               function = "input";
            }; // pin

            pin@p0  { function = "dpi";    termination = "no_pulling"; drive_strength_mA = < 8 >; };    // PCLK-OUT
            pin@p1  { function = "dpi";    termination = "no_pulling"; drive_strength_mA = < 8 >; };    // DE-OUT

            pin@p2  { function = "i2c1";   termination = "pull_up";    }; // I2C 1 SDA
            pin@p3  { function = "i2c1";   termination = "pull_up";    }; // I2C 1 SCL

            pin@p4  { function = "dpi";    termination = "no_pulling"; };   // B3-Out
            pin@p5  { function = "dpi";    termination = "no_pulling"; };   // B4-Out
            pin@p6  { function = "dpi";    termination = "no_pulling"; };   // B5-Out
            pin@p7  { function = "dpi";    termination = "no_pulling"; };   // B6-Out
            pin@p8  { function = "dpi";    termination = "no_pulling"; };   // B7-Out

            pin@p9  { function = "dpi";    termination = "no_pulling"; };   // G2-Out
            pin@p10 { function = "dpi";    termination = "no_pulling"; };   // G3-Out
            pin@p11 { function = "dpi";    termination = "no_pulling"; };   // G4-Out
            pin@p12 { function = "dpi";    termination = "no_pulling"; };   // G5-Out
            pin@p13 { function = "dpi";    termination = "no_pulling"; };   // G6-Out
            pin@p14 { function = "dpi";    termination = "no_pulling"; };   // G7-Out

            pin@p15 { function = "dpi";    termination = "no_pulling"; };   // R3-Out
            pin@p16 { function = "dpi";    termination = "no_pulling"; };   // R4-Out
            pin@p17 { function = "dpi";    termination = "no_pulling"; };   // R5-Out
            pin@p18 { function = "dpi";    termination = "no_pulling"; };   // R6-Out
            pin@p19 { function = "dpi";    termination = "no_pulling"; };   // R7-Out

            // Pin 20..26 are the Jog Shuttle controls, they are all inputs, which is covered by the pin@default case
            // p20 = Right button
            // p21 = Left button
            // p22 = Rot1           (Rot1 ^ Rot2) != 0 => Right, (Rot1 ^ Rot2) == 0 => Left if an edge was detected
            // p23 = Center button
            // p24 = Rot2
            // p25 = Down button
            // p26 = Left button

            pin@p27 { function = "output"; termination = "pull_up"; startup_state = "active"; };    // LCD Backlight enable, active at boot

            // From here on it is identical to Jessie's defaults:

            // The firmware changes I2C pin functions on the fly, returning them to inputs when done. But pins 28&29 are
            // not used on a 1.1 Pi2, so the I2C0 function ends up multiply mapped (bad). therefore don't statically map.
            // pin@p28 { function = "i2c0";   termination = "pull_up";    }; // I2C 0 SDA
            // pin@p29 { function = "i2c0";   termination = "pull_up";    }; // I2C 0 SCL
            pin@p31 { function = "output"; termination = "pull_down"; }; // LAN_RUN
            pin@p32 { function = "output"; termination = "pull_down"; }; // Camera LED
            pin@p35 { function = "input";  termination = "no_pulling"; polarity = "active_low"; }; // Power low
            pin@p38 { function = "output"; termination = "no_pulling";    }; // USB current limit (0=600mA, 1=1200mA)
            pin@p40 { function = "pwm";    termination = "no_pulling"; drive_strength_mA = < 16 >; }; // Right audio
            pin@p41 { function = "output"; termination = "no_pulling";    }; // Camera shutdown
            // Communicate with the SMPS by "bit-bashing" the I2C protocol on GPIOs 42 and 43
            pin@p42 { function = "output"; termination = "pull_up";    }; // SMPS_SCL
            pin@p43 { function = "input";  termination = "no_pulling";    }; // SMPS_SDA
            pin@p44 { function = "gp_clk"; termination = "pull_down"; }; // ETH_CLK - Ethernet 25MHz output
            pin@p45 { function = "pwm";    termination = "no_pulling"; drive_strength_mA = < 16 >; }; // Left audio

            pin@p46 { function = "input";  termination = "no_pulling"; polarity = "active_low"; }; // HDMI hotplug detect (goes to pin 6 of IC1)
            pin@p47 { function = "output"; termination = "pull_down"; }; // activity LED
            pin@p48 { function = "sdcard"; termination = "pull_up";    drive_strength_mA = < 8 >; }; // SD CLK
            pin@p49 { function = "sdcard"; termination = "pull_up";    drive_strength_mA = < 8 >; }; // SD CMD
            pin@p50 { function = "sdcard"; termination = "pull_up";    drive_strength_mA = < 8 >; }; // SD D0
            pin@p51 { function = "sdcard"; termination = "pull_up";    drive_strength_mA = < 8 >; }; // SD D1
            pin@p52 { function = "sdcard"; termination = "pull_up";    drive_strength_mA = < 8 >; }; // SD D2
            pin@p53 { function = "sdcard"; termination = "pull_up";    drive_strength_mA = < 8 >; }; // SD D3
         }; // pin_config

         pin_defines {
            pin_define@HDMI_CONTROL_ATTACHED { type = "internal"; number = <46>; };

            pin_define@NUM_CAMERAS { type = "internal"; number = <1>; };
            pin_define@CAMERA_0_I2C_PORT { type = "internal"; number = <0>; };
            pin_define@CAMERA_0_SDA_PIN { type = "internal"; number = <28>; };
            pin_define@CAMERA_0_SCL_PIN { type = "internal"; number = <29>; };
            pin_define@CAMERA_0_SHUTDOWN { type = "internal"; number = <41>; };
            pin_define@CAMERA_0_UNICAM_PORT { type = "internal"; number = <1>; };
            pin_define@CAMERA_0_LED { type = "internal"; number = <32>; };

            pin_define@FLASH_0_ENABLE { type = "absent"; };
            pin_define@FLASH_0_INDICATOR { type = "absent"; };
            pin_define@FLASH_1_ENABLE { type = "absent"; };
            pin_define@FLASH_1_INDICATOR { type = "absent"; };

            pin_define@POWER_LOW { type = "internal"; number = <35>; };
            pin_define@LEDS_DISK_ACTIVITY { type = "internal"; number = <47>; };
            pin_define@LAN_RUN { type = "internal"; number = <31>; };
            pin_define@SMPS_SDA { type = "internal"; number = <43>; };
            pin_define@SMPS_SCL { type = "internal"; number = <42>; };
            pin_define@ETH_CLK { type = "internal"; number = <44>; };
            pin_define@USB_LIMIT_1A2 { type = "internal"; number = <38>; };
            pin_define@SIO_1V8_SEL { type = "absent"; };
            pin_define@PWML { type = "internal"; number = <45>; };
            pin_define@PWMR { type = "internal"; number = <40>; };
            pin_define@SAFE_MODE { type = "internal"; number = <3>; };
            pin_define@SD_CARD_DETECT { type = "absent"; };
            pin_define@ID_SDA { type = "internal"; number = <0>; };
            pin_define@ID_SCL { type = "internal"; number = <1>; };
            pin_define@DISPLAY_I2C_PORT { type = "internal"; number = <0>; };
            pin_define@DISPLAY_SDA { type = "internal"; number = <28>; };
            pin_define@DISPLAY_SCL { type = "internal"; number = <29>; };
         }; // pin_defines
      }; // pins

   };
};

The full config.txt

# For more options and information see
# http://www.raspberrypi.org/documentation/configuration/config-txt.md
# Some settings may impact device functionality. See link above for details

# uncomment if you get no picture on HDMI for a default "safe" mode
#hdmi_safe=1

# uncomment this if your display has a black border of unused pixels visible
# and your display can output without overscan
disable_overscan=1

# uncomment the following to adjust overscan. Use positive numbers if console
# goes off screen, and negative if there is too much border
#overscan_left=16
#overscan_right=16
#overscan_top=16
#overscan_bottom=16

# uncomment to force a console size. By default it will be display's size minus
# overscan.
framebuffer_width=1024
framebuffer_height=100

# uncomment if hdmi display is not detected and composite is being output
#hdmi_force_hotplug=1

# uncomment to force a specific HDMI mode (this will force VGA)
#hdmi_group=1
#hdmi_mode=1

# uncomment to force a HDMI mode rather than DVI. This can make audio work in
# DMT (computer monitor) modes
#hdmi_drive=2

# uncomment to increase signal to HDMI, if you have interference, blanking, or
# no display
#config_hdmi_boost=4

# uncomment for composite PAL
#sdtv_mode=2

#uncomment to overclock the arm. 700 MHz is the default.
#arm_freq=800

# Uncomment some or all of these to enable the optional hardware interfaces
#dtparam=i2c_arm=on
#dtparam=i2s=on
#dtparam=spi=on

# Uncomment this to enable the lirc-rpi module
#dtoverlay=lirc-rpi

# Additional overlays and parameters are documented /boot/overlays/README

#----------------------------------------------------------------------------------------------------
#Generated on Thu Feb 19 13:20:39 2015 by Segler-HP
#config file for None
#Output Format -> DPI_OUTPUT_FORMAT_16BIT_565_CFG1
#RGB Order -> DPI_RGB_ORDER_RGB
#Output Enable Mode ->DPI_OUTPUT_ENABLE_MODE_DATA_VALID
#Invert Pixel Clock ->RGB Data changes on falling edge and is stable at rising edge
#Hsync Disable ->False
#Vsync Disable ->False
#Output Enable ->False
#Hsync Polarity ->Inverted
#Vsync Polarity ->Inverted
#Output Enable Polarity ->default for HDMI mode
#Hsync Phase ->DPI_PHASE_POSEDGE
#Vsync Phase ->DPI_PHASE_NEGEDGE
#Output Enable Phase ->DPI_PHASE_NEGEDGE
#----------------------------------------------------------------------------------------------------
hdmi_timings=1024 0 50 100 50  100 0 2 10 2 0 0 0  60 0 25000000 7
enable_dpi_lcd=1
display_default_lcd=1
dpi_output_format=4194306 #6488594
dpi_group=2
dpi_mode=87

Mobile Alerts Sensors

ELV is selling affordable weather sensors http://www.elv.de/ip-wettersensoren-system.html, which can be monitored via an iOS application. To allow that all data is transmitted via a gateway to a server, which the application can access. Sadly the protocol is not documented. I don’t think anybody has documented the way the URL has been constructed, especially the MD5 hash over the first part of it.

This sample code integrates sensors into fhem and I wrote it for Mac OS X, but it should work on Linux, too.

All information (and more) is available on GitHub as well.

To integrate the sensors into fhem, add the sensors to the iOS application and check if they show up. You need to note all sensor IDs. The ID is 6 bytes long and represented as a hexadecimal number. This same code supports sensors of type 2 (temperature only) and type 3 (temperature and humidity), which can be recognized via the first two characters of the ID.

You have to adjust the following things in the code:

  • sensors = … Here you have to add all sensors IDs as strings
  • downloadPath This needs to be adjusted to point to the log folder of fhem.
  • vendorid You might want to change the UUID to a new one (just run uuidgen from the terminal)

Python Code

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import sys
import os
import json
import pprint
import datetime
import hashlib
import time

downloadPath = os.path.expanduser('~/fhem-5.7/log')
pp = pprint.PrettyPrinter()

sensors =  set(['021122334455',...,'031122334455'])

def parseJSON(jj):
    if not jj['success']:
        print '#%d %s' % (jj['errorcode'],jj['errormessage'])
        return
    for device in jj['result']['devices']:
        #pp.pprint(device)
        deviceTypeId = device['devicetypeid']
        deviceName = device['name']
        print '%s %s [%d] #%d %s' % (device['deviceid'], deviceName, device['lowbattery'],len(device['measurements']),datetime.datetime.fromtimestamp(device['lastseen']).strftime('%Y-%m-%d %H:%M:%S'))
        year = -1
        month = -1
        logPath = ''
        for measurement in device['measurements']:
            idx = measurement['idx']
            transmitTime = datetime.datetime.fromtimestamp(measurement['c'])
            measurementTime = datetime.datetime.fromtimestamp(measurement['ts'])
            tx = measurement['tx']
            mm = measurement
            del mm['idx']
            del mm['c']
            del mm['ts']
            del mm['tx']

            if year != measurementTime.year or month != measurementTime.month:
                if len(logPath):
                    f = open(logPath, "w")
                    for d in sorted(data):
                        f.write('%s %s\n' % (d,data[d]))
                year = measurementTime.year
                month = measurementTime.month
                logPath = downloadPath + '/S_SENSOR_%s-%d-%02d.log' % (deviceName.upper().replace(' ','_'),year,month)
                data = {}
                try:
                    for line in open(logPath).readlines():
                        vals = line[:-1].split(' ')
                        data[' '.join(vals[:-1])] = vals[-1]
                except:
                    pass
            dataKey = measurementTime.strftime('%Y-%m-%d_%H:%M:%S') + ' SENSOR_' + deviceName.upper().replace(' ','_') + ' '
            if deviceTypeId == 2:
                data[dataKey + 'TEMP:'] = '%.1f' % (measurement['t1'])
            elif deviceTypeId == 3:
                data[dataKey + 'TEMP:'] = '%.1f' % (measurement['t1'])
                data[dataKey + 'FEUCHTIGKEIT:'] = '%.1f' % (measurement['h'])
            else:
                pp.pprint(mm)
        if len(logPath):
            f = open(logPath, "w")
            for d in sorted(data):
                f.write('%s %s\n' % (d,data[d]))


import urllib
import urllib2

devicetoken = 'empty'               # defaults to "empty"
vendorid = '1FB220C4-CC15-4195-97CF-8BE4FD3DAE72'   # iOS vendor UUID (returned by iOS, any UUID will do). Launch uuidgen from the terminal to generate a fresh one.
phoneid = 'Unknown'                 # Phone ID - probably generated by the server based on the vendorid (this string can be "Unknown" and it still works)
version = '1.21'                    # Info.plist CFBundleShortVersionString
build = '248'                       # Info.plist CFBundleVersion
executable = 'Mobile Alerts'        # Info.plist CFBundleExecutable
bundle = 'de.synertronixx.remotemonitor'    # [[NSBundle mainBundle] bundleIdentifier]
lang = 'en'                         # preferred language

request = "devicetoken=%s&vendorid=%s&phoneid=%s&version=%s&build=%s&executable=%s&bundle=%s&lang=%s" % (devicetoken,vendorid,phoneid,version,build,executable,bundle,lang)
request += '&timezoneoffset=%d' % 60        # local offset to UTC time
request += '&timeampm=%s' % ('true')        # 12h vs 24h clock
request += '&usecelsius=%s' % ('true')      # Celcius vs Fahrenheit
request += '&usemm=%s' % ('true')           # mm va in
request += '&speedunit=%d' % 0              # wind speed (0: m/s, 1: km/h, 2: mph, 3: kn)
request += '&timestamp=%s' % datetime.datetime.utcnow().strftime("%s")  # current UTC timestamp

requestMD5 = request + 'asdfaldfjadflxgeteeiorut0ß8vfdft34503580'  # SALT for the MD5
requestMD5 = requestMD5.replace('-','')
requestMD5 = requestMD5.replace(',','')
requestMD5 = requestMD5.replace('.','')
requestMD5 = requestMD5.lower()

m = hashlib.md5()
m.update(requestMD5)
hexdig = m.hexdigest()

request += '&requesttoken=%s' % hexdig

request += '&deviceids=%s' % ','.join(sensors)
#request += '&measurementfroms=%s' % ('0,' * len(sensors))
#request += '&measurementcounts=%s' % ('50,' * len(sensors))

http_header = {
                "User-Agent" : "remotemonitor/248 CFNetwork/758.2.8 Darwin/15.0.0",
                "Accept-Language" : "en-us",
                "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
                "Host" : "www.data199.com:8080",
                }

# create an urllib2 opener()
opener = urllib2.build_opener()

# create your HTTP request
req = urllib2.Request('http://www.data199.com:8080/api/v1/dashboard', request, http_header)

# submit your request
while True:
    res = opener.open(req)
    parseJSON(json.loads(res.read()))
    print '-' * 40
    time.sleep(10*60)   # wait for 10 minutes

Atari ST Book: Internal Registers

By looking at the ROM code, available software and the hardware layout I can now document most specialty registers in the ST Book from Atari. I hope it is useful to you. Also available at GitHub.

The main ROM for the ST Book starts at $e0000 and ends at $e3ffff (256kb large). At $e40000 starts the ROM-Disk (also 256kb large), which is automatically activated as drive P.

YM Port A

Bit Description
0 Side Select (S0SEL)
1 Disk 0 Select (D0SEL)
2 Disk 1 Select (D1SEL)
3 MAX241 Pin 20 (TI3) – RS232 RTS (/MFPRTS)
4 MAX241 Pin 6 (TI2) – RS232 DTR (/MFPDTR)
5 Centronics Strobe (STROBE)
6 IDE Reset (IDERESET)
7 FDD Dense Selection (FDD_DENSE_SEL)

Autovector Interrupt Level 7 /POWER FAIL (NMI)

MFP Input Pins

Bit Description
7 Power Alarms (Power Alarms) (POWER_ALARMS-) = (/SRCLOW /RTC_ALARM /POWERON)
6 MAX241 Pin 22 (RD4) – RS232 CD (/MFPRI)
5 XDISKINT
4 KTDK (VBL) (KTOK)
3 XBLTINT
2 MAX241 Pin 26 (RD3) – RS232 CTS (/MFPCTS)
1 MAX241 Pin 5 (RD2) – RS232 DCD (/MFPCD)
0 Centronics Busy (BUSY)

$D0000 – Unknown $D0004 – Unknown

$FF820B

Bit Description
0 0: enable combo -> shadow controller video transfer, 1: disable combo -> shadow controller video transfer

$FF827E

Bit Description
0 0: Shadow Chip OFF
1 0: /SHIFTER_OFF output (Unused in STBook)
2 0: POWER_OFF (Turns off main VCC when high)
3 0: /22ON output (turns off LCD Bias when HIGH)
4 0: REFRESH_MACHINE output (turns on refresh controller)
5 0: RS–232_OFF output (turns off +/- 10 generator)
6 0: (Unused in STBook)
7 0: MTR_POWER_ON (turns on IDE drive motor supply)

$FF9200 (Configuration/Signal register)

Bit Description
0 0: Power Button pressed /(POWER_SWITCH)
1 0: Top is closed /(TOP_CLOSED)
2 0: RTC Alarm triggered /(RTC_ALARM)
3 0: “Common Source” voltage level below 7.2V /(SOURCE_DEAD) – triggers an NMI
4 0: “Common Source” voltage level below 8.8V /(SOURCE_LOW)
5 0: External Modem (Pin 10 on J204) /(MODEM_WAKE)
6 Reserved (always 1)
7 0: Triggered from the Expansion Port /(EXPANSION_WAKE)
8 Reserved
9 Reserved
10 Reserved
11 Reserved
12 Reserved
13 SELF TEST (?)
14 LOW SPEED FLOPPY
15 DMA AVAILABLE

$FF9210 8-bit Common Power Voltage Level in 100mV steps

$FF9214 8-bit Reference Voltage Level in 100mV steps

Atari ST Protection: Speedball

SpeedBall protection is almost identical in the code to Garfield. Track 79 has to be shorter than normal (e.g. 5979 bytes, about 5% shorter than normal)

02BDA8  48E77F7E            L0434:MOVEM.L   A1-A6/D1-D7,-(A7)
02BDAC  23C80002C1D0              MOVE.L    A0,$0002C1D0         L0465
02BDB2  13FC00000002C1D4          MOVE.B    #0,$0002C1D4         L0466
02BDBA  263C00000001              MOVE.L    #1,D3
02BDC0  23C30002C1D6        L0435:MOVE.L    D3,$0002C1D6         L0467
02BDC6  4EB90002BE38              JSR       EnterSuper
02BDCC  4EB90002C19E              JSR       InitProtBuffer
02BDD2  50F90000043E              ST        $43E.L
02BDD8  4EB90002BE90              JSR       YMPortDeselect
02BDDE  4EB90002BECE              JSR       FDCForceInterrupt
02BDE4  4EB90002BEF2              JSR       FDCSeekTrack79
02BDEA  4EB90002BF48              JSR       FDCReadTrack
02BDF0  4EB90002BF48              JSR       FDCReadTrack
02BDF6  4EB90002BECE              JSR       FDCForceInterrupt
02BDFC  4EB90002C050              JSR       YMDeselectFloppy
02BE02  51F90000043E              SF        $43E.L
02BE08  4EB90002C06A              JSR       ExitSuper
02BE0E  4EB90002C14E              JSR       CheckProtBuffer
02BE14  10390002C1BE              MOVE.B    $0002C1BE,D0         L045C
02BE1A  B03C0000                  CMP.B     #0,D0
02BE1E  67000012                  BEQ       18(PC)               L0436
02BE22  26390002C1D6              MOVE.L    $0002C1D6,D3         L0467
02BE28  51CBFF96                  DBF       D3,-106(PC)          L0435
02BE2C  4EF900025290              JMP       $25290
02BE32  4CDF7EFE            L0436:MOVEM.L   (A7)+,A1-A6/D1-D7
02BE36  4E75                      RTS

EnterSuper
02BE38  2F3C00000001              MOVE.L    #1,-(A7)
02BE3E  3F3C0020                  MOVE.W    #$20,-(A7)
02BE42  4E41                      TRAP      #1
02BE44  DFFC00000006              ADDA.L    #6,A7
02BE4A  4A40                      TST.W     D0
02BE4C  6600002C                  BNE       44(PC)               L0438
02BE50  42A7                      CLR.L     -(A7)
02BE52  3F3C0020                  MOVE.W    #$20,-(A7)
02BE56  4E41                      TRAP      #1
02BE58  DFFC00000006              ADDA.L    #6,A7
02BE5E  23C00002C1C0              MOVE.L    D0,$0002C1C0         L045D
02BE64  12390002C1D4              MOVE.B    $0002C1D4,D1         L0466
02BE6A  4A01                      TST.B     D1
02BE6C  66000020                  BNE       32(PC)               L0439
02BE70  13FC00020002C1D4          MOVE.B    #2,$0002C1D4         L0466
02BE78  4E75                      RTS
02BE7A  12390002C1D4        L0438:MOVE.B    $0002C1D4,D1         L0466
02BE80  4A01                      TST.B     D1
02BE82  6600000A                  BNE       10(PC)               L0439
02BE86  13FC00010002C1D4          MOVE.B    #1,$0002C1D4         L0466
02BE8E  4E75                L0439:RTS

YMPortDeselect
02BE90  4EB90002BE38              JSR       EnterSuper
02BE96  303C0000                  MOVE.W    #0,D0
02BE9A  5200                      ADDQ.B    #1,D0
02BE9C  E308                      LSL.B     #1,D0
02BE9E  00400000                  ORI.W     #0,D0
02BEA2  0A000007                  EORI.B    #7,D0
02BEA6  02000007                  ANDI.B    #7,D0
02BEAA  40E7                L043B:MOVE      SR,-(A7)
02BEAC  007C0700                  ORI.W     #$700,SR
02BEB0  13FC000E00FF8800          MOVE.B    #$E,$FF8800.L
02BEB8  123900FF8800              MOVE.B    $FF8800.L,D1
02BEBE  020100F8                  ANDI.B    #$F8,D1
02BEC2  8200                      OR.B      D0,D1
02BEC4  13C100FF8802              MOVE.B    D1,$FF8802.L
02BECA  46DF                      MOVE      (A7)+,SR
02BECC  4E75                      RTS

FDCForceInterrupt
02BECE  4EB90002BE38              JSR       EnterSuper
02BED4  33FC008000FF8606          MOVE.W    #$80,$FF8606.L
02BEDC  3C3C00D0                  MOVE.W    #$D0,D6
02BEE0  4EB90002C0B2              JSR       FDCWriteReg
02BEE6  3E3C0028                  MOVE.W    #$28,D7
02BEEA  4EB90002C0AC              JSR       DelayD7
02BEF0  4E75                      RTS

FDCSeekTrack79
02BEF2  4EB90002BE38              JSR       EnterSuper
02BEF8  4EB90002C0F0              JSR       $0002C0F0            L044E
02BEFE  33FC008600FF8606          MOVE.W    #$86,$FF8606.L
02BF06  3C3C004F                  MOVE.W    #$4F,D6
02BF0A  4EB90002C0B2              JSR       FDCWriteReg
02BF10  33FC008000FF8606          MOVE.W    #$80,$FF8606.L
02BF18  3C3C001B                  MOVE.W    #$1B,D6
02BF1C  4EB90002C0B2              JSR       FDCWriteReg
02BF22  2E3C00060000              MOVE.L    #$60000,D7
02BF28  5387                L043E:SUBQ.L    #1,D7
02BF2A  67000010                  BEQ       16(PC)               L043F
02BF2E  0839000500FFFA01          BTST      #5,$FFFA01.L
02BF36  6600FFF0                  BNE       -16(PC)              L043E
02BF3A  4E75                      RTS
02BF3C  3F3CFFF9            L043F:MOVE.W    #$FFF9,-(A7)
02BF40  4EB90002C14C              JSR       $0002C14C            L0452
02BF46  4E75                      RTS

FDCReadTrack
02BF48  4EB90002BE38              JSR       EnterSuper
02BF4E  42B90002C1C8              CLR.L     $0002C1C8            L045F
02BF54  40F90002C1B8              MOVE      SR,$0002C1B8         L0459
02BF5A  46FC2700                  MOVE      #$2700,SR
02BF5E  33FC009000FF8606          MOVE.W    #$90,$FF8606.L
02BF66  33FC019000FF8606          MOVE.W    #$190,$FF8606.L
02BF6E  33FC009000FF8606          MOVE.W    #$90,$FF8606.L
02BF76  3C3C0016                  MOVE.W    #$16,D6
02BF7A  343C0200                  MOVE.W    #$200,D2
02BF7E  C4C6                      MULU      D6,D2
02BF80  33C20002C1BA              MOVE.W    D2,$0002C1BA         L045A
02BF86  26390002C1D0              MOVE.L    $0002C1D0,D3         L0465
02BF8C  D483                      ADD.L     D3,D2
02BF8E  23C20002C1C4              MOVE.L    D2,$0002C1C4         L045E
02BF94  4EB90002C0B2              JSR       FDCWriteReg
02BF9A  20390002C1D0              MOVE.L    $0002C1D0,D0         L0465
02BFA0  13C000FF860D              MOVE.B    D0,$FF860D.L
02BFA6  E088                      LSR.L     #8,D0
02BFA8  13C000FF860B              MOVE.B    D0,$FF860B.L
02BFAE  E088                      LSR.L     #8,D0
02BFB0  13C000FF8609              MOVE.B    D0,$FF8609.L
02BFB6  33FC008000FF8606          MOVE.W    #$80,$FF8606.L
02BFBE  3C3C00E8                  MOVE.W    #$E8,D6
02BFC2  4EB90002C0B2              JSR       FDCWriteReg
02BFC8  2E3C00050000              MOVE.L    #$50000,D7
02BFCE  2A790002C1C4              MOVEA.L   $0002C1C4,A5         L045E
02BFD4  303C0200                  MOVE.W    #$200,D0
02BFD8  51C8FFFE            L0441:DBF       D0,-2(PC)            L0441
02BFDC  0839000500FFFA01    L0442:BTST      #5,$FFFA01.L
02BFE4  67000030                  BEQ       48(PC)               L0443
02BFE8  5387                      SUBQ.L    #1,D7
02BFEA  67000060                  BEQ       96(PC)               L0446
02BFEE  13F900FF86090002C1C9      MOVE.B    $FF8609.L,$0002C1C9  L0460
02BFF8  13F900FF860B0002C1CA      MOVE.B    $FF860B.L,$0002C1CA  L0461
02C002  13F900FF860D0002C1CB      MOVE.B    $FF860D.L,$0002C1CB  L0462
02C00C  BBF90002C1C8              CMPA.L    $0002C1C8,A5         L045F
02C012  6E00FFC8                  BGT       -56(PC)              L0442
02C016  33FC009000FF8606    L0443:MOVE.W    #$90,$FF8606.L
02C01E  3A3900FF8606              MOVE.W    $FF8606.L,D5
02C024  33C50002C1BC              MOVE.W    D5,$0002C1BC         L045B
02C02A  08050000                  BTST      #0,D5
02C02E  67000018                  BEQ       24(PC)               L0445
02C032  33FC008000FF8606          MOVE.W    #$80,$FF8606.L
02C03A  4EB90002C12E              JSR       $0002C12E            FDCReadRegB
02C040  46F90002C1B8        L0444:MOVE      $0002C1B8,SR         L0459
02C046  4E75                      RTS
02C048  6000FFF6            L0445:BRA       -10(PC)              L0444
02C04C  6000FFF2            L0446:BRA       -14(PC)              L0444

YMDeselectFloppy
02C050  4EB90002BE38              JSR       EnterSuper
02C056  33FC008000FF8606          MOVE.W    #$80,$FF8606.L
02C05E  103C0007                  MOVE.B    #7,D0
02C062  4EB90002BEAA              JSR       $0002BEAA            L043B
02C068  4E75                      RTS

ExitSuper
02C06A  10390002C1D4              MOVE.B    $0002C1D4,D0         L0466
02C070  5300                      SUBQ.B    #1,D0
02C072  4A00                      TST.B     D0
02C074  6700002C                  BEQ       44(PC)               L0449
02C078  2F3C00000001              MOVE.L    #1,-(A7)
02C07E  3F3C0020                  MOVE.W    #$20,-(A7)
02C082  4E41                      TRAP      #1
02C084  DFFC00000006              ADDA.L    #6,A7
02C08A  4A40                      TST.W     D0
02C08C  67000014                  BEQ       20(PC)               L0449
02C090  2F390002C1C0              MOVE.L    $0002C1C0,-(A7)      L045D
02C096  3F3C0020                  MOVE.W    #$20,-(A7)
02C09A  4E41                      TRAP      #1
02C09C  DFFC00000006              ADDA.L    #6,A7
02C0A2  33FC4E7100029B08    L0449:MOVE.W    #$4E71,$29B08       ;(#"Nq")
02C0AA  4E75                      RTS

DelayD7
02C0AC  51CFFFFE                  DBF       D7,-2(PC)            DelayD7
02C0B0  4E75                      RTS

FDCWriteReg
02C0B2  4EB90002BE38              JSR       EnterSuper
02C0B8  4EB90002C0DE              JSR       fdcDelay
02C0BE  33C600FF8604              MOVE.W    D6,$FF8604.L
02C0C4  4EB90002C0DE              JSR       fdcDelay
02C0CA  4E75                      RTS

FDCReadReg
02C0CC  4EB90002BE38              JSR       EnterSuper
02C0D2  363900FF8604              MOVE.W    $FF8604.L,D3
02C0D8  4EB90002C0DE              JSR       fdcDelay

fdcDelay
02C0DE  40E7                      MOVE      SR,-(A7)
02C0E0  3F07                      MOVE.W    D7,-(A7)
02C0E2  3E3C0028                  MOVE.W    #$28,D7             ;(#"(")
02C0E6  51CFFFFE            L044D:DBF       D7,-2(PC)            L044D
02C0EA  3E1F                      MOVE.W    (A7)+,D7
02C0EC  46DF                      MOVE      (A7)+,SR
02C0EE  4E75                      RTS

02C0F0  3C390002C1CC        L044E:MOVE.W    $0002C1CC,D6         L0463
02C0F6  02460003                  ANDI.W    #3,D6
02C0FA  2E3C00050000              MOVE.L    #$50000,D7
02C100  33FC008000FF8606          MOVE.W    #$80,$FF8606.L
02C108  4EB90002C0B2              JSR       FDCWriteReg
02C10E  5387                L044F:SUBQ.L    #1,D7
02C110  67000010                  BEQ       16(PC)               L0450
02C114  0839000500FFFA01          BTST      #5,$FFFA01.L
02C11C  6600FFF0                  BNE       -16(PC)              L044F
02C120  4E75                      RTS
02C122  3F3CFFF9            L0450:MOVE.W    #$FFF9,-(A7)
02C126  4EB90002C14C              JSR       $0002C14C            L0452
02C12C  4E75                      RTS

FDCReadRegB
02C12E  4EB90002BE38              JSR       EnterSuper
02C134  4EB90002C0DE              JSR       fdcDelay
02C13A  33F900FF86040002C1CE      MOVE.W    $FF8604.L,$0002C1CE  L0464
02C144  4EB90002C0DE              JSR       fdcDelay
02C14A  4E75                      RTS

02C14C  4E75                L0452:RTS

CheckProtBuffer
02C14E  33FC4E750002BDA8          MOVE.W    #$4E75,$0002BDA8    ;(#"Nu") L0434
02C156  22390002C1D0              MOVE.L    $0002C1D0,D1         L0465
02C15C  068100002EE0              ADDI.L    #6000*2,D1
02C162  2041                      MOVEA.L   D1,A0
02C164  263C00000DAC              MOVE.L    #3500,D3
02C16A  243C00000000              MOVE.L    #0,D2
02C170  3A20                      MOVE.W    -(A0),D5
02C172  3020                L0454:MOVE.W    -(A0),D0
02C174  BA40                      CMP.W     D0,D5
02C176  660A                      BNE.S     10(PC)               L0455
02C178  5482                      ADDQ.L    #2,D2
02C17A  51CBFFF6                  DBF       D3,-10(PC)           L0454
02C17E  60000014                  BRA       20(PC)               L0456
02C182  04820000170C        L0455:SUBI.L    #5900,D2
02C188  6B0A                      BMI.S     10(PC)               L0456
02C18A  13FC00000002C1BE          MOVE.B    #0,$0002C1BE         L045C
02C192  4E75                      RTS
02C194  13FC00010002C1BE    L0456:MOVE.B    #1,$0002C1BE         L045C
02C19C  4E75                      RTS

InitProtBuffer
02C19E  243C0000176F              MOVE.L    #5999,D2
02C1A4  20790002C1D0              MOVEA.L   $0002C1D0,A0         L0465
02C1AA  2639000004BA              MOVE.L    $4BA.L,D3
02C1B0  30C3                L0458:MOVE.W    D3,(A0)+
02C1B2  51CAFFFC                  DBF       D2,-4(PC)            L0458
02C1B6  4E75                      RTS

02C1B8  2304                L0459:DC.W      $2304
02C1BA  2C00                L045A:DC.W      $2C00
02C1BC  0000                L045B:DC.W      $0000
02C1BE  0000                L045C:DC.W      $0000
02C1C0  00000000            L045D:DC.L      $00000000
02C1C4  00017EFA            L045E:DC.L      $00017EFA
02C1C8  00                  L045F:DC.B      $00
02C1C9  00                  L0460:DC.B      $00
02C1CA  00                  L0461:DC.B      $00
02C1CB  00                  L0462:DC.B      $00
02C1CC  0003                L0463:DC.W      $0003
02C1CE  0000                L0464:DC.W      $0000
02C1D0  000152FA            L0465:DC.L      $000152FA
02C1D4  0100                L0466:DC.B      $01,$00
02C1D6  00000001            L0467:DC.L      $00000001

Atari ST Protection: Silent Service, F15 Strike Eagle

This is a more interesting protection! For one it decrypts the track testing code only while it is executed (not really a problem with an Atari ST emulator) and encrypts it afterwards.

It reads track 79 and takes the very FIRST byte from the track and searches for the first position where this byte changes. Usually this is the first GAP before the first sector header and without a SYNC it can be shifted by even 1/2 bit by the FDC. However the code has a lookup table for all 16 possible bit-shift combinations and tests if this first byte plus the following 5 are in this table. This way even without a correct SYNC the protection test still succeeds!

But there is more! It skips sector 1..9 with their headers and data blocks and then stores the sector number of the first sector after these 9 sector (e.g. 0x13). This sector extends over the index mark and has to have random data at the end, because read track stops at the index mark. However up to 496 bytes at the beginning have to be identical. If there are no garbage data at the end of the sector, the protection fails, because the sector didn’t extend over the index!

As a last test the sector is read normally via XBIOS Floprd() and this call should return NO error (read sector doesn’t stop at the index mark, if it already started reading before the index mark). The whole 512 byte sector should have identical byte in it.

If all this succeeds, the copy protection test was successfull, too.

A very nice protection indeed!

silentServiceProtection:
    move.l  a6,$148d6
    lea     $1491a,a6
    movem.l d1-7/a0-5,-(a6)
    move.l  a6,$148da

    move.w  #$22,-(a7)
    trap    #14                 ;Kbdvbase()
    addq.w  #2,a7
    movea.l d0,a0
    move.l  16(a0),$148ae       ;->kb_mousevec

    move.l  $148ae,-(a7)
    lea     $13cd4,a0
    move.l  a0,-(a7)
    clr.w   -(a7)
    clr.w   -(a7)
    trap    #14                 ;Initmouse(0,...)
    adda.l  #12,a7

    move    sr,d0
    btst    #13,d0
    bne.s   L0102F4
    clr.l   -(a7)
    move.w  #$20,-(a7)
    trap    #1
    addq.w  #6,a7
    move.l  d0,$148ce
    move.l  #-1,$148c2
    bra.s   L0102FA
L0102F4
    clr.l   $148c2

L0102FA
    move.b  #$ff,$43e           ;set flock

    move    sr,-(a7)
    ori.w   #$700,sr
    clr.l   d0
    clr.l   d7
    move    (a7)+,sr

    move.w  #$19,-(a7)
    trap    #1                  ;Dgetdrv()
    addq.w  #2,a7
    cmpi.b  #1,d0
    bne.s   L01032A
    move.w  $4a6,d5
    cmpi.w  #2,d5
    beq.s   L01032A
    clr.l   d0
L01032A
    move.w  d0,$148ac

    addq.b  #1,d0               ;drive = 1/2
    lsl.b   #1,d0               ;drive = 2/4
    or.w    #0,d0               ;side 1
    eori.b  #7,d0
    and.b   #7,d0
    moveq   #2,d4               ;3 retries
    bsr     fdcSelect

    move.w  #$82,$ff8606        ;Track Register
    bsr     fdcReadD0
    move.w  d0,$148b4           ;save track register

cpRetry
    bsr     fdcRestore
    btst    #0,d6
    bne.l   cpFailed

    bsr     fdcSeek79
    btst    #0,d6
    bne.l   cpFailed

    clr.l   d3
    moveq   #2,d5
cpNextTrack:
    bsr     fdcReadTrack
    btst    #0,d6
    bne.l   cpFailed
    bsr     decryptCode

    lea     $1491e,a0       ;track buffer
    move.l  #$1f0,d0
    move.b  (a0)+,d7
cpSearch
    move.b  (a0)+,d6        ;find first changed byte
    cmp.b   d6,d7
    bne.s   cpNext
    dbra    d0,cpSearch
    bra.l   cpFailed
cpNext
    subq.l  #2,a0           ;back to the last byte from the block
    lea     $13c72,a2

    ;a possible bit shift mask
        $01,$03,$3F,$0F,$FF,$FF,
        $02,$06,$7C,$1F,$FF,$FF,
        $04,$0C,$F8,$3F,$FF,$FF,
        $08,$19,$F0,$7F,$FF,$FF,
        $10,$33,$E0,$FF,$FF,$FF,
        $20,$67,$C1,$FF,$FF,$FF,
        $40,$CF,$83,$FF,$FF,$FF,
        $80,$81,$9F,$07,$FF,$FF,

        $5E,$5C,$40,$B0,$00,$00,
        $BC,$B8,$81,$60,$00,$00,
        $97,$10,$2C,$00,$00,$00,
        $2F,$2E,$20,$58,$00,$00,
        $E5,$C4,$0B,$00,$00,$00,
        $CB,$88,$16,$00,$00,$00,
        $79,$71,$02,$C0,$00,$00,
        $F2,$E2,$05,$80,$00,$00,

        $55,$55

    move.b  (a0)+,d6        ;byte at the track beginning that was repeated
cpLoop
    move.b  (a2)+,d7        ;find the repeated byte
    cmp.b   #$55,d7
    beq.l   cpFailed
    cmp.b   d6,d7
    beq.s   cpNextB
    addq.w  #5,a2
    bra.s   cpLoop
cpNextB

    moveq   #4,d0
cpLoopB
    move.b  (a0)+,d6        ;the following 5 bytes have to be the same
    cmp.b   (a2)+,d6
    bne.l   cpFailed
    dbra    d0,cpLoopB

    ; skip 9 sectors 1..9 in the current track
    clr.b   d0
cpLoopC
    bsr     cpSearchSync    ;search for $A1,$A1
    addq.b  #1,d0           ;sector + 1
    move.b  (a0)+,d6
    cmp.b   #$fe,d6         ;Address Mark Header
    bne.l   cpFailed
    move.b  (a0)+,d6
    cmp.b   #$4f,d6         ;Track 79
    bne.l   cpFailed
    move.b  (a0)+,d6
    cmp.b   #0,d6           ;Side == 0
    bne.l   cpFailed
    move.b  (a0)+,d6
    cmp.b   d0,d6           ;Sector correct?
    bne.l   cpFailed

    bsr     cpSearchSync    ;search for $A1,$A1
    move.b  (a0)+,d6
    cmp.b   #$fb,d6         ;Data Header
    bne.l   cpFailed
    adda.l  #$200,a0        ;Skip Sector
    cmp.b   #9,d0
    bne.s   cpLoopC

    bsr     cpSearchSync    ;search for $A1,$A1
    move.b  (a0)+,d6
    cmp.b   #$fe,d6         ;Addres Mark Header
    bne.s   cpFailed
    move.b  (a0)+,d6
    movea.l #10,a6
    cmp.b   #$4f,d6         ;Track 79
    bne.s   cpFailed
    move.b  (a0)+,d6
    cmp.b   #0,d6           ;Side == 0
    bne.s   cpFailed
    clr.w   d6
    move.b  (a0)+,d6        ;Sector >= 10
    cmp.b   #10,d6
    blt.s   cpFailed
    move.w  d6,$13c6e       ;save found sector number ($0D)

    bsr     cpSearchSync    ;search for $A1,$A1
    move.b  (a0)+,d6
    cmp.b   #$fb,d6         ;Data Header
    bne.s   cpFailed

    clr.w   d0
    clr.w   d6
    move.b  (a0)+,d6
    move.w  d6,$13c70       ;first byte in the sector ($E5)
cpLoopD
    addq.w  #1,d0
    move.b  (a0)+,d6
    cmp.w   $13c70,d6       ;skip same bytes (first byte in the sector ($E5))
    bne.s   cpNextC
    cmp.w   #$1f0,d0        ;too many bytes?
    beq.s   cpFailed
    bra.s   cpLoopD
cpNextC

    cmp.b   #0,d6           ;end of track reached before end of sector?
    beq.s   cpOut

cpFailed
    clr.w   $13c6e          ;save found sector number = illegal

    bsr     encryptCode
    dbra    d5,cpNextTrack
    dbra    d4,cpRetry

    bsr     fdcDone
    move.b  d0,d6
    cmpi.l  #$0,$148c2
    beq.s   L0104A8
    move.l  $148ce,-(a7)
    move.w  #$20,-(a7)
    trap    #1
    addq.w  #6,a7
L0104A8
    bsr     cpCreateReturncode
    bsr     cpRestoreRegister
    rts

cpOut
    bsr     encryptCode
    bsr     fdcDone

    cmpi.l  #$0,$148c2
    beq.s   L0104D4
    move.l  $148ce,-(a7)
    move.w  #$20,-(a7)
    trap    #1
    addq.w  #6,a7

L0104D4
    move.w  #1,-(a7)            ;count
    move.w  #0,-(a7)            ;sideno
    move.w  #$4f,-(a7)          ;trackno
    move.w  $13c6e,-(a7)        ;sectno = saved found sector number ($0D)
    move.w  $148ac,-(a7)        ;devno
    clr.l   -(a7)               ;filler
    lea     $1491e,a0           ;track buffer
    move.l  a0,-(a7)
    move.w  #8,-(a7)
    trap    #14                 ;int16_t Floprd( void *buf, int32_t filler, int16_t devno, int16_t sectno, int16_t trackno, int16_t sideno, int16_t count )
    adda.l  #20,a7
    cmp.l   #0,d0
    beq.s   L010512             ;should be 0! =>
    andi.l  #$ffffff,d0
L010510
    rts

L010512
    ori.l   #$37000000,d0

    ;the sector has to have all the same byte
    move.l  #511,d7
    lea     $1491e,a0           ;track buffer
    clr.w   d6
L010526
    move.b  (a0)+,d6
    cmp.w   $13c70,d6           ;first byte in the sector ($E5)
    bne.s   L010510
    dbra    d7,L010526

    ori.l   #$4f,d0
    bsr     cpCreateReturncode
    bsr     cpRestoreRegister
    rts

fdcReadTrack:
    move.l  d7,$148ca
    lea     $1491e,a0           ;track buffer
    move.l  a0,$148d2
    move.b  $148d5,$ff860d
    move.b  $148d4,$ff860b
    move.b  $148d3,$ff8609
    move.l  #$680,d7
fdcReadTrackLoopA
    clr.l   (a0)+
    dbra    d7,fdcReadTrackLoopA
    move.w  #$90,$ff8606
    move.w  #$190,$ff8606
    move.w  #$90,$ff8606
    move.w  #31,d7
    bsr     fdcWriteD7          ;31 DMA sectors (31*512 bytes)
    move.w  #$80,$ff8606
    move.w  #$e4,d7
    bsr     fdcWriteD7          ;Read Track
    move.l  #$40000,d7
    move.b  #255,d6             ;Failed flag
fdcReadTrackLoopB
    btst    #5,$fffa01
    beq.s   fdcReadTrackDone
    subq.l  #1,d7
    bne.s   fdcReadTrackLoopB
    bsr     fdcForceInterrupt
    rts
fdcReadTrackDone
    move.w  #$90,$ff8606
    move.w  $ff8606,d0
    btst    #0,d0               ;DMA ok?
    beq.s   fdcReadTrackFailed
    clr.b   d6                  ;success
fdcReadTrackFailed
    rts

cpRestoreRegister:
    movea.l $148da,a6
    movem.l (a6)+,d1-7/a0-5
    movea.l $148d6,a6
    rts

cpSearchSync:
    move.l  #$1f0,d7
cpSearchSyncLoop
    move.b  (a0)+,d6
    cmp.b   #$a1,d6
    bne.s   cpSearchSyncCheck
    move.b  (a0)+,d6
    cmp.b   #$a1,d6
    bne.s   cpSearchSyncCheck
    rts
cpSearchSyncCheck
    dbra    d7,cpSearchSyncLoop
    suba.l  a6,a6
    addq.w  #4,a7
    bra.l   cpFailed

cpCreateReturncode:             ;$3700004F
    andi.l  #$ff0000ff,d0
    clr.l   d7
    move.w  $13c70,d7           ;first byte in the sector ($E5)
    rol.w   #8,d7
    or.w    $13c6e,d7           ;save found sector number ($0D)
    rol.w   #4,d7
    rol.l   #8,d7
    or.l    d7,d0               ;== $3750DE4F (Silent Service) / $37512E4F (F15 Strike Eagle)
    rts

Calculation after return:
0 == ($0062EB61 ^ $3750DE4F) - $3732352E


fdcDone
    movea.l $148c6,a5
    move.w  $148b4,d7           ;save track register
    bsr     fdcSeekD7
fdcDoneLoop
    move.w  #$80,$ff8606
    bsr     fdcReadD0           ;wait for the motor off
    btst    #7,d0
    bne.s   fdcDoneLoop
    move.b  d2,d0
    move.b  #$0,$43e            ;reset flock
    bsr     fdcSelect           ;deselect floppy

    move.l  $148ae,-(a7)
    lea     $13cd4,a0
    move.l  a0,-(a7)
    move.w  #1,-(a7)
    clr.w   -(a7)
    trap    #14                 ;Initmouse(1,...)
    adda.l  #12,a7
    rts

CryptRetA0Plus_16
    addq.l  #1,a0
    bsr CryptRetA0Plus_10
CryptRetA0Plus_5
    subq.l  #1,a0
    bsr CryptRetA0Plus_5B
CryptRetA0Plus_1
    subq.l  #1,a0
    bsr CryptRetA0Plus_2
CryptRetA0Plus_0
    rts


fdcWriteD7
    bsr.s   fdcDelay
    move.w  d7,$ff8604

fdcDelay
    move    sr,-(a7)
    move.w  d7,-(a7)
    move.w  #32,d7
fdcDelayLoop
    dbra    d7,fdcDelayLoop
    move.w  (a7)+,d7
    move    (a7)+,sr
    rts

encryptCode:
    bsr.s   CryptBlock
    move    $148b2,sr
    rts

decryptCode:
    move    sr,$148b2
    ori.w   #$700,sr
    bsr.s   CryptBlock
    rts

CryptBlock
    move    sr,d7
    lsr.w   #8,d7
    bset    #6,d7
    bclr    #4,d7
    bclr    #3,d7

    lea     $13ce1,a0
    lea     $1038a,a2
    bsr.s   CryptRetA0Plus_16
    addq.l  #1,a0               ;A0 = $13CF2
    moveq   #8,d0
    bsr.s   CryptBlockSub

    lea     $13ce1,a0
    lea     $103a8,a2
    bsr     CryptRetA0Plus_10   ;A0 = $13CF5
    moveq   #34,d0
    bsr.s   CryptBlockSub

    lea     $13ce1,a0
    lea     $103fe,a2
    bsr     CryptRetA0Plus_5B   ;A0 = $13CE6
    moveq   #26,d0
    bsr.s   CryptBlockSub

    addq.l  #5,a0               ;A0 = $13D06
    lea     $10444,a2
    moveq   #4,d0
    bsr.s   CryptBlockSub

    lea     $13ce1,a6
    lea     $10466,a2
    bsr     CryptRetA0Plus_1
    bsr     CryptRetA0Plus_2    ;A0 = $13D0E
    moveq   #4,d0
    bsr.s   CryptBlockSub
    rts

CryptBlockSub
    clr.l   d6
    move.b  (a0)+,d6
    adda.l  d6,a2
    eor.b   d7,(a2)
    dbra    d0,CryptBlockSub
    rts


fdcSelect:
    move    sr,-(a7)
    ori.w   #$700,sr
    move.b  #$e,$ff8800
    move.b  $ff8800,d1
    move.b  d1,d2
    and.b   #$f8,d1
    or.b    d0,d1
    move.b  d1,$ff8802
    move    (a7)+,sr
    rts


fdcReadD0
    bsr     fdcDelay
    move.w  $ff8604,d0
    bra.l   fdcDelay


fdcRestore
    move.w  #$03,d7
    bsr.s   fdcCommandAndWait
fdcRestoreLoop
    subq.l  #1,d6
    beq.s   fdcRestoreTimeout
    btst    #5,$fffa01
    bne.s   fdcRestoreLoop
    clr.l   d6
    move.w  #$80,$ff8606
    bsr.s   fdcReadD0
    btst    #2,d0           ;Track 0?
    bne.s   fdcRestoreSuccess
fdcRestoreTimeout
    bsr.s   fdcForceInterrupt
    moveq   #1,d6
fdcRestoreSuccess
    rts


fdcForceInterrupt
    move.w  #$80,$ff8606
    move.w  #$d0,d7
    bsr     fdcWriteD7
    bsr     fdcDelay
    rts


fdcSeek79
    move.w  #$4f,d7
fdcSeekD7
    move.w  #$86,$ff8606
    bsr     fdcWriteD7
    move.w  #$13,d7
    bsr.s   fdcCommandAndWait
fdcSeek79Loop
    subq.l  #1,d6
    beq.s   fdcSeek79Done
    btst    #5,$fffa01
    bne.s   fdcSeek79Loop
fdcSeek79Done
    clr.l   d6
    rts


fdcCommandAndWait
    move.l  #$40000,d6
    move.w  #$80,$ff8606
    bsr     fdcReadD0
    btst    #7,d0
    bne.s   fdcCommandAndWait2
    move.l  #$60000,d6
fdcCommandAndWait2
    bsr     fdcWriteD7
    rts


CryptRetA0Plus_10
    bsr     CryptRetA0Plus_5
CryptRetA0Plus_5B
    addq.l  #2,a0
    bsr     CryptRetA0Plus_1
CryptRetA0Plus_2
    addq.l  #2,a0
    bsr     CryptRetA0Plus_0
    rts

Atari ST Protection: Mighty Bombjack

Finally an interesting protection!

The boot sector is executable and simply loads the code into memory plus reading the boot sector (moving the head back to track 0). After loading the code the fun begins (skip further down…)

    TEXT
    BRA.S     L0000

    DC.B      $00,$00,$00,$00,$00,$00,$00,$00
    DC.B      $00,$00,$02,$02,$01,$00,$02,$70
    DC.B      $00,$20,$03,$00,$05,$00,$0A,$00
    DC.B      $01,$00,$00,$00,$00,$00

L0000:MOVE.L    #$230,D0        ;track 56, sector 1
    MOVE.L    #101,D1         ;$CA00 bytes
    MOVEA.L   $432.L,A0       ;_membot = Start of TPA (user memory)
    BSR       LoadSectors
    BNE.S     L0000
    LSL.L     #8,D1
    ADD.L     D1,D1           ;buf += 512 * sectors
    ADDA.L    D1,A0
    MOVEQ     #1,D1           ;$200 bytes
    BSR       LoadSectors     ;Track 1, Sector 1
    MOVE.L    $432.L,-(A7)    ;_membot = Start of TPA (user memory)
    RTS

LoadSectors:
    MOVEM.L   A0-A2/D1-D5,-(A7)
    MOVE.L    D0,D3           ;startsector
    MOVE.L    D1,D4           ;number of sectors
    MOVEQ     #-1,D0
LoadSectorsLoop:
    MOVE.L    D3,D0
    DIVU      #10,D0          ;10 sectors per track
    SWAP      D0
    MOVEQ     #0,D1
    MOVE.W    D0,D1
    ADDQ.W    #1,D1           ;sectno
    SWAP      D0
    ANDI.L    #$FF,D0         ;trackno
    MOVE.L    D0,D5
    MOVEQ     #11,D2
    SUB.L     D1,D2           ;number of sectors
    CMP.L     D2,D4
    BGE.S     LoadSectorsR    ;< remaining sectors
    MOVE.L    D4,D2           ;then read the remaining sectors
LoadSectorsR:
    BSR       Floprd
    BNE.S     LoadSectorsError
    ADD.L     D2,D3           ;sector += read sectors
    SUB.L     D2,D4           ;number of sectors -= read sectors
    LSL.L     #8,D2
    LSL.L     #1,D2           ;buf += read sectors * 512
    ADDA.L    D2,A0
    TST.L     D4              ;remaining sectors left?
    BGT.S     LoadSectorsLoop
    MOVEQ     #0,D0
LoadSectorsError:
    MOVEM.L   (A7)+,A0-A2/D1-D5
    TST.L     D0
    RTS

Floprd:MOVEM.L   A0/D1-D2,-(A7)
    MOVE.W    D2,-(A7)        ;count
    CLR.W     -(A7)           ;sideno
    MOVE.W    D0,-(A7)        ;trackno
    MOVE.W    D1,-(A7)        ;sectno
    CLR.W     -(A7)           ;devno = 'A'
    CLR.L     -(A7)           ;filler
    MOVE.L    A0,-(A7)        ;buf
    MOVE.W    #8,-(A7)  ;FLOPRD
    TRAP      #14             ;Floprd( void *buf, int32_t filler, int16_t devno, int16_t sectno, int16_t trackno, int16_t sideno, int16_t count )
    LEA       20(A7),A7
    TST.L     D0
    MOVEM.L   (A7)+,A0/D1-D2
    RTS

    DS.W      3
    DC.B      'Copylock ST (c)1988-90 Rob Northen Computing, U.K. All Rights Reserved.',0
    DS.W      123
    DC.W      $027F
    END

Ok, the code starts by entering supervisor mode via an illegal instruction, then pushing a trace exception handler onto the stack, which decrypts code on the fly. A *lot* of code. All this code is just there to annoy people trying to trace it by hand. Later it reaches the actual protection, which I'll publish here. It again uses trace to decrypt the next opcode (actually 8 bytes) and encrypting the last one again. As a little bonus it executes a subroutine if the "EXG D7,D7" opcode is executed. Fun, but useless: if you made it that far, this is not doing anything... Another thing: LINE-A, all interrupts and traps have to point to ROM, so does GPI7 and printer code (used to enter the debugger). If not, they point to a memory erase routine and a call into the reset of the ROM.

But now to the actual thing: the protection. 3 Parts:

- Via "read track" the first 450 bytes are read and the first sector address header is searched. It has to be a 512 byte sector on the first side and the first sector has to be equal to "(11 + (track % 5) * -2) % 10". If the routine fails, it returns -1, otherwise the current track. Funny thing: on track 0, sector 1 is just fine and because the boot sector was read at the end of the loading code, that's where the floppy head is located. 3 tries to get it done.
- Via Read Sector it reads sector 5 and sector 6 of track 0. It simply times the time it takes to read the sector and expects sector 6 to be at least >1% slower than sector 5. On the floppy it seems to be more than 3%, so 1% is safe.
- The first 16 bytes of sector 6 have to contain the string "Rob Northen Comp". A checksum over this string plus the following 8 bytes results in the serial number of the disk, which is specific for the application.

Yes, that's it for the protection. It continues with trace decoding and then launches the app. The following code is the heart of the protection, cleaned up and decoded.



018CAE  48E7C0C0                  MOVEM.L   A0-A1/D0-D1,-(A7)
018CB2  43F90000015C              LEA       $15C.L,A1
018CB8  233C00044ED0              MOVE.L    #$44ED0,-(A1)
018CBE  233CFFFA2078              MOVE.L    #$FFFA2078,-(A1)
018CC4  233CFFFF51C8              MOVE.L    #$FFFF51C8,-(A1)
018CCA  233C3FF948E0              MOVE.L    #$3FF948E0,-(A1)
018CD0  233C0000303C              MOVE.L    #$303C,-(A1)
018CD6  233C41F90010              MOVE.L    #$41F90010,-(A1)
018CDC  233C46FC2700              MOVE.L    #$46FC2700,-(A1)

        ;erase all memory and call reset
        000140: 46fc 2700                 MOVE      #$2700,SR
        000144: 41f9 0010 0000            LEA       $100000,A0
        00014a: 303c 3ff9                 MOVE.W    #$3FF9,D0
        00014e: 48e0 ffff                 MOVEM.L   D0-D7/A0-A7,-(A0)
        000152: 51c8 fffa                 DBF       D0,*-$4 [$14E]
        000156: 2078 0004                 MOVEA.L   $4.w,A0
        00015a: 4ed0                      JMP       (A0)

018CE2  23C90000042A              MOVE.L    A1,$42A.L
018CE8  23FC3141592600000426      MOVE.L    #$31415926,$426.L

018CF2  41F900000028              LEA       $28.L,A0            ;Line 1010 Emulator (LineA)
018CF8  61000038                  BSR       56(PC)               resetIfNotInROM
018CFC  41F900000060              LEA       $60.L,A0            ;all interrupts and traps!
018D02  6100002E            L0000:BSR       46(PC)               resetIfNotInROM
018D06  B1FC000000C0              CMPA.L    #$C0,A0
018D0C  66F4                      BNE.S     -12(PC)              L0000
018D0E  41F90000013C              LEA       $13C.L,A0           ;GPI7 - Monochrome Detect
018D14  6100001C                  BSR       28(PC)               resetIfNotInROM
018D18  41F90000050A              LEA       $50A.L,A0           ;prv_lst
018D1E  61000012                  BSR       18(PC)               resetIfNotInROM
018D22  41F900000512              LEA       $512.L,A0           ;prv_aux
018D28  61000008                  BSR       8(PC)                resetIfNotInROM
018D2C  4CDF0303                  MOVEM.L   (A7)+,A0-A1/D0-D1
018D30  6018                      BRA.S     24(PC)               L0003

resetIfNotInROM
018D32  2018                      MOVE.L    (A0)+,D0
018D34  6712                      BEQ.S     18(PC)               L0002
018D36  028000FFFFFF              ANDI.L    #$FFFFFF,D0
018D3C  B0BC00400000              CMP.L     #$400000,D0
018D42  6C04                      BGE.S     4(PC)                L0002
018D44  2149FFFC                  MOVE.L    A1,-4(A0)
018D48  4E75                L0002:RTS

018D4A  7000                L0003:MOVEQ     #0,D0
018D4C  7201                      MOVEQ     #1,D1
018D4E  48E73FF0                  MOVEM.L   A0-A3/D2-D7,-(A7)
018D52  7400                      MOVEQ     #0,D2
018D54  E690                      ROXR.L    #3,D0
018D56  E292                      ROXR.L    #1,D2
018D58  E790                      ROXL.L    #3,D0
018D5A  1400                      MOVE.B    D0,D2
018D5C  2601                      MOVE.L    D1,D3
018D5E  7E01                      MOVEQ     #1,D7
018D60  7C00                      MOVEQ     #0,D6
018D62  47FA03A6                  LEA       934(PC),A3           buffer512Bytes
018D66  3F390000043E              MOVE.W    $43E.L,-(A7)
018D6C  50F90000043E              ST        $43E.L
018D72  610000A0            L0004:BSR       160(PC)              doCheckDiskInterleave
018D76  6B0C                      BMI.S     12(PC)               L0005
018D78  61000036                  BSR       54(PC)               checkSectorsReturnMagic
018D7C  4A86                      TST.L     D6                   ;fail? 2nd try!
018D7E  6604                      BNE.S     4(PC)                L0005
018D80  6100002E                  BSR       46(PC)               checkSectorsReturnMagic
018D84  610000A0            L0005:BSR       160(PC)              seekToPreviousTrack
018D88  4A86                      TST.L     D6
018D8A  660E                      BNE.S     14(PC)               L0006
018D8C  4A82                      TST.L     D2
018D8E  6A0A                      BPL.S     10(PC)               L0006
018D90  5202                      ADDQ.B    #1,D2
018D92  02020001                  ANDI.B    #1,D2
018D96  51CFFFDA                  DBF       D7,-38(PC)           L0004
018D9A  6100005E            L0006:BSR       94(PC)               eraseBuffer
018D9E  33DF0000043E              MOVE.W    (A7)+,$43E.L
018DA4  3202                      MOVE.W    D2,D1               ;d1.w = drive no. key disk was found in
018DA6  2006                      MOVE.L    D6,D0               ;d0.l = serial no. 0=key disk not found
018DA8  4CDF0FFC                  MOVEM.L   (A7)+,A0-A3/D2-D7
018DAC  60000560                  BRA       1376(PC)             L002D

checkSectorsReturnMagic:
018DB0  598F                      SUBQ.L    #4,A7
018DB2  303C0005                  MOVE.W    #5,D0               ;Sector 5 in Track 0 (normal sector)
018DB6  610000AC                  BSR       172(PC)              fdcMeasureSectorTiming
018DBA  2E80                      MOVE.L    D0,(A7)
018DBC  303C0006                  MOVE.W    #6,D0               ;Sector 6 in Track 0 (slower sector, ~3%)
018DC0  610000A2                  BSR       162(PC)              fdcMeasureSectorTiming
018DC4  2217                      MOVE.L    (A7),D1
018DC6  9081                      SUB.L     D1,D0               ;delta between 5 and 6
018DC8  6B2C                      BMI.S     44(PC)               L000A
018DCA  C0FC0064                  MULU      #100,D0
018DCE  80C1                      DIVU      D1,D0               ;convert delta into percent
018DD0  B03C0001                  CMP.B     #1,D0               ;1 percent or less is not good enough!
018DD4  6D20                      BLT.S     32(PC)               L000A

018DD6  7000                      MOVEQ     #0,D0
018DD8  7203                      MOVEQ     #3,D1
018DDA  204B                      MOVEA.L   A3,A0
018DDC  9098                L0008:SUB.L     (A0)+,D0            ;checksum over first 16 bytes of sector 6 = "Rob Northen Comp"
018DDE  51C9FFFC                  DBF       D1,-4(PC)            L0008
018DE2  B0BCB34C4FDC              CMP.L     #$B34C4FDC,D0       ;has to be a specific value!
018DE8  660C                      BNE.S     12(PC)               L000A
018DEA  2C00                      MOVE.L    D0,D6
018DEC  7201                      MOVEQ     #1,D1
018DEE  DC98                L0009:ADD.L     (A0)+,D6            ;secret ID over the next 8 bytes
018DF0  4846                      SWAP      D6
018DF2  51C9FFFA                  DBF       D1,-6(PC)            L0009

018DF6  588F                L000A:ADDQ.L    #4,A7
018DF8  4E75                      RTS

eraseBuffer
018DFA  204B                      MOVEA.L   A3,A0
018DFC  323C00FF                  MOVE.W    #$FF,D1
018E00  203C00D4C742              MOVE.L    #$D4C742,D0
018E06  C0FC0011            L000C:MULU      #$11,D0
018E0A  5280                      ADDQ.L    #1,D0
018E0C  30C0                      MOVE.W    D0,(A0)+
018E0E  51C9FFF6                  DBF       D1,-10(PC)           L000C
018E12  4E75                      RTS

doCheckDiskInterleave:
018E14  61000028                  BSR       40(PC)               selectFloppy
018E18  610000D0                  BSR       208(PC)              checkDiskSectorInterleave
018E1C  3A00                      MOVE.W    D0,D5                => current track number
018E1E  6B04                      BMI.S     4(PC)                L000E
018E20  61000234                  BSR       564(PC)              fdcRestore
018E24  4E75                L000E:RTS

seekToPreviousTrack:
018E26  3005                      MOVE.W    D5,D0                current track number set?
018E28  6B0E                      BMI.S     14(PC)               L0010
018E2A  61000210                  BSR       528(PC)              fdcSeekD0
018E2E  4A86                      TST.L     D6
018E30  6722                      BEQ.S     34(PC)               deselectFloppy
018E32  4A03                      TST.B     D3
018E34  671E                      BEQ.S     30(PC)               deselectFloppy
018E36  4E75                      RTS
018E38  61000250            L0010:BSR       592(PC)              fdcFloppyDeselect
018E3C  4E75                      RTS

selectFloppy:
018E3E  1002                      MOVE.B    D2,D0
018E40  5200                      ADDQ.B    #1,D0
018E42  E308                      LSL.B     #1,D0
018E44  0A000007                  EORI.B    #7,D0
018E48  02000007                  ANDI.B    #7,D0
018E4C  7201                      MOVEQ     #1,D1
018E4E  61000244                  BSR       580(PC)              fdcFloppySelect
018E52  4E75                      RTS

deselectFloppy:
018E54  223C00005949              MOVE.L    #$5949,D1
018E5A  103C0007                  MOVE.B    #7,D0
018E5E  61000234                  BSR       564(PC)              fdcFloppySelect
018E62  4E75                      RTS

fdcMeasureSectorTiming:
018E64  48E72000                  MOVEM.L   D2,-(A7)
018E68  33FC008400FF8606          MOVE.W    #$84,$FF8606.L
018E70  6100027C                  BSR       636(PC)              fdcWriteD0
018E74  610000EE                  BSR       238(PC)              fdcDMAReadAddress
018E78  303C0001                  MOVE.W    #1,D0
018E7C  61000270                  BSR       624(PC)              fdcWriteD0
018E80  33FC008000FF8606          MOVE.W    #$80,$FF8606.L
018E88  43F900FF860B              LEA       $FF860B.L,A1
018E8E  7200                      MOVEQ     #0,D1
018E90  240B                      MOVE.L    A3,D2
018E92  2F3C66F64E75              MOVE.L    #$66F64E75,-(A7)
018E98  2F3C00FFFA01              MOVE.L    #$FFFA01,-(A7)
018E9E  2F3C08390005              MOVE.L    #$8390005,-(A7)
018EA4  2F3CB44066F6              MOVE.L    #$B44066F6,-(A7)
018EAA  2F3C01090000              MOVE.L    #$1090000,-(A7)
018EB0  2F3C02005281              MOVE.L    #$2005281,-(A7)
018EB6  2F3C06820000              MOVE.L    #$6820000,-(A7)
018EBC  2F3CB44067F8              MOVE.L    #$B44067F8,-(A7)
018EC2  2F3C01090000              MOVE.L    #$1090000,-(A7)
018EC8  2F3C00FF8604              MOVE.L    #$FF8604,-(A7)
018ECE  2F3C33FC0080              MOVE.L    #$33FC0080,-(A7)
018ED4  2F3C007C0700              MOVE.L    #$7C0700,-(A7)
018EDA  244F                      MOVEA.L   A7,A2
018EDC  CF47                      EXG       D7,D7

A2 =>
        05BC8C  007C0700                  ORI.W     #$700,SR
        05BC90  33FC008000FF8604          MOVE.W    #$80,$FF8604.L
        05BC98  01090000            L0000:MOVEP.W   0(A1),D0
        05BC9C  B440                      CMP.W     D0,D2
        05BC9E  67F8                      BEQ.S     -8(PC)               L0000
        05BCA0  068200000200              ADDI.L    #$200,D2
        05BCA6  5281                L0001:ADDQ.L    #1,D1
        05BCA8  01090000                  MOVEP.W   0(A1),D0
        05BCAC  B440                      CMP.W     D0,D2
        05BCAE  66F6                      BNE.S     -10(PC)              L0001
        05BCB0  0839000500FFFA01    L0002:BTST      #5,$FFFA01.L
        05BCB8  66F6                      BNE.S     -10(PC)              L0002
        05BCBA  4E75                      RTS

018EDE  4FEF0030                  LEA       48(A7),A7
018EE2  2001                      MOVE.L    D1,D0
018EE4  4CDF0004                  MOVEM.L   (A7)+,D2
018EE8  4E75                      RTS

checkDiskSectorInterleave:
018EEA  61000044                  BSR       68(PC)               L0016
018EEE  6B3C                      BMI.S     60(PC)               L0015
018EF0  B03C0002                  CMP.B     #2,D0               ;512 bytes sector?
018EF4  6636                      BNE.S     54(PC)               L0015 ;no => error
018EF6  2200                      MOVE.L    D0,D1
018EF8  E199                      ROL.L     #8,D1
018EFA  0281000000FF              ANDI.L    #$FF,D1             ;track number
018F00  E088                      LSR.L     #8,D0               ;sector number
018F02  82FC0005                  DIVU      #5,D1
018F06  4241                      CLR.W     D1
018F08  4841                      SWAP      D1
018F0A  C2FCFFFE                  MULU      #$FFFE,D1
018F0E  02810000FFFF              ANDI.L    #$FFFF,D1
018F14  0641000B                  ADDI.W    #11,D1
018F18  82FC000A                  DIVU      #10,D1
018F1C  4841                      SWAP      D1                  ;d1 = (11 + (track % 5) * -2) % 10
018F1E  B200                      CMP.B     D0,D1               ;sector number == track
018F20  660A                      BNE.S     10(PC)               L0015
018F22  E088                      LSR.L     #8,D0               ;side
018F24  4A00                      TST.B     D0
018F26  6604                      BNE.S     4(PC)                L0015 ;Side 2? => error
018F28  E088                      LSR.L     #8,D0               ;return the track number
018F2A  4E75                      RTS
018F2C  70FF                L0015:MOVEQ     #-1,D0
018F2E  4E75                      RTS

; read track 0, load 4 bytes of the address block of first sector into D0 (Track,Side,Sector,Length)
; == 0x00000002
018F30  7202                L0016:MOVEQ     #2,D1               ; 3 tries
018F32  61000062            L0017:BSR       98(PC)               fdcReadTrack
018F36  6B2A                      BMI.S     42(PC)               L001B
018F38  204B                      MOVEA.L   A3,A0
018F3A  303C01C1                  MOVE.W    #450-1,D0
018F3E  0C1800FE            L0018:CMPI.B    #$FE,(A0)+
018F42  6614                      BNE.S     20(PC)               L001A
018F44  0C2800A1FFFE              CMPI.B    #$A1,-2(A0)
018F4A  660C                      BNE.S     12(PC)               L001A
018F4C  7203                      MOVEQ     #3,D1
018F4E  E188                L0019:LSL.L     #8,D0
018F50  1018                      MOVE.B    (A0)+,D0
018F52  51C9FFFA                  DBF       D1,-6(PC)            L0019
018F56  4E75                      RTS
018F58  51C8FFE4            L001A:DBF       D0,-28(PC)           L0018
018F5C  51C9FFD4                  DBF       D1,-44(PC)           L0017
018F60  70FF                      MOVEQ     #-1,D0
018F62  4E75                L001B:RTS

fdcDMAReadAddress:
018F64  200B                      MOVE.L    A3,D0
018F66  13C000FF860D              MOVE.B    D0,$FF860D.L
018F6C  E088                      LSR.L     #8,D0
018F6E  13C000FF860B              MOVE.B    D0,$FF860B.L
018F74  E088                      LSR.L     #8,D0
018F76  13C000FF8609              MOVE.B    D0,$FF8609.L
018F7C  33FC009000FF8606          MOVE.W    #$90,$FF8606.L
018F84  33FC019000FF8606          MOVE.W    #$190,$FF8606.L
018F8C  33FC009000FF8606          MOVE.W    #$90,$FF8606.L
018F94  4E75                      RTS

fdcReadTrack:
018F96  48A74000                  MOVEM.W   D1,-(A7)
018F9A  6100FFC8                  BSR       -56(PC)              fdcDMAReadAddress
018F9E  303C001F                  MOVE.W    #$1F,D0
018FA2  6100014A                  BSR       330(PC)              fdcWriteD0
018FA6  33FC008000FF8606          MOVE.W    #$80,$FF8606.L
018FAE  223C00040000              MOVE.L    #$40000,D1
018FB4  43EB01C2                  LEA       450(A3),A1
018FB8  40E7                      MOVE      SR,-(A7)
018FBA  007C0700                  ORI.W     #$700,SR
018FBE  2F3C584F4E75              MOVE.L    #$584F4E75,-(A7)
018FC4  2F3C00FF8604              MOVE.L    #$FF8604,-(A7)
018FCA  2F3C33FC00D0              MOVE.L    #$33FC00D0,-(A7)
018FD0  2F3C00FF8606              MOVE.L    #$FF8606,-(A7)
018FD6  2F3C33FC0080              MOVE.L    #$33FC0080,-(A7)
018FDC  2F3CB3D76ED6              MOVE.L    #$B3D76ED6,-(A7)
018FE2  2F3C860D0003              MOVE.L    #$860D0003,-(A7)
018FE8  2F3C1F7900FF              MOVE.L    #$1F7900FF,-(A7)
018FEE  2F3C860B0002              MOVE.L    #$860B0002,-(A7)
018FF4  2F3C1F7900FF              MOVE.L    #$1F7900FF,-(A7)
018FFA  2F3C86090001              MOVE.L    #$86090001,-(A7)
019000  2F3C1F7900FF              MOVE.L    #$1F7900FF,-(A7)
019006  2F3C53816B1C              MOVE.L    #$53816B1C,-(A7)
01900C  2F3CFA016720              MOVE.L    #$FA016720,-(A7)
019012  2F3C000500FF              MOVE.L    #$500FF,-(A7)
019018  2F3C42A70839              MOVE.L    #$42A70839,-(A7)
01901E  2F3C00FF8604              MOVE.L    #$FF8604,-(A7)
019024  2F3C33FC00E0              MOVE.L    #$33FC00E0,-(A7)
01902A  244F                      MOVEA.L   A7,A2
01902C  CF47                      EXG       D7,D7

A2 =>
        05BC8C  33FC00E000FF8604          MOVE.W    #$E0,$FF8604.L      ; Read Track
        05BC94  42A7                      CLR.L     -(A7)
        05BC96  0839000500FFFA01    L0000:BTST      #5,$FFFA01.L
        05BC9E  6720                      BEQ.S     32(PC)               L0001
        05BCA0  5381                      SUBQ.L    #1,D1
        05BCA2  6B1C                      BMI.S     28(PC)               L0001
        05BCA4  1F7900FF86090001          MOVE.B    $FF8609.L,1(A7)
        05BCAC  1F7900FF860B0002          MOVE.B    $FF860B.L,2(A7)
        05BCB4  1F7900FF860D0003          MOVE.B    $FF860D.L,3(A7)
        05BCBC  B3D7                      CMPA.L    (A7),A1             ; end address reached?
        05BCBE  6ED6                      BGT.S     -42(PC)              L0000
        05BCC0  33FC008000FF8606    L0001:MOVE.W    #$80,$FF8606.L
        05BCC8  33FC00D000FF8604          MOVE.W    #$D0,$FF8604.L      ; Force Interrupt
        05BCD0  584F                      ADDQ.W    #4,A7
        05BCD2  4E75                      RTS

01902E  4FEF0048                  LEA       72(A7),A7
019032  46DF                      MOVE      (A7)+,SR
019034  2001                      MOVE.L    D1,D0
019036  4C9F0002                  MOVEM.W   (A7)+,D1
01903A  4E75                      RTS

fdcSeekD0:
01903C  33FC008600FF8606          MOVE.W    #$86,$FF8606.L
019044  610000A8                  BSR       168(PC)              fdcWriteD0
019048  303C0014                  MOVE.W    #$14,D0
01904C  6100000A                  BSR       10(PC)               fdcCommand
019050  6B02                      BMI.S     2(PC)                L001F
019052  7000                      MOVEQ     #0,D0
019054  4E75                L001F:RTS

fdcRestore:
019056  7004                      MOVEQ     #4,D0

fdcCommand:
019058  B03C0080                  CMP.B     #$80,D0             ;Type I command?
01905C  6404                      BCC.S     4(PC)                L0022
01905E  00000003                  ORI.B     #3,D0               ;=> seek rate = 3ms
019062  33FC008000FF8606    L0022:MOVE.W    #$80,$FF8606.L
01906A  61000082                  BSR       130(PC)              fdcWriteD0
01906E  203C00004000              MOVE.L    #$4000,D0
019074  0839000500FFFA01    L0023:BTST      #5,$FFFA01.L
01907C  6756                      BEQ.S     86(PC)               fdcReadStatus
01907E  5380                      SUBQ.L    #1,D0
019080  66F2                      BNE.S     -14(PC)              L0023
019082  61000038                  BSR       56(PC)               fdcForceInterrupt
019086  70FF                      MOVEQ     #-1,D0
019088  4E75                      RTS


fdcFloppyDeselect:
01908A  223C0000004B              MOVE.L    #$4B,D1
019090  103C0007                  MOVE.B    #7,D0

fdcFloppySelect:
019094  5381                      SUBQ.L    #1,D1
019096  66FC                      BNE.S     -4(PC)               fdcFloppySelect
019098  40E7                      MOVE      SR,-(A7)
01909A  007C0700                  ORI.W     #$700,SR
01909E  13FC000E00FF8800          MOVE.B    #$E,$FF8800.L
0190A6  123900FF8800              MOVE.B    $FF8800.L,D1
0190AC  020100F8                  ANDI.B    #$F8,D1
0190B0  8200                      OR.B      D0,D1
0190B2  13C100FF8802              MOVE.B    D1,$FF8802.L
0190B8  46DF                      MOVE      (A7)+,SR
0190BA  4E75                      RTS

fdcForceInterrupt:
0190BC  33FC008000FF8606          MOVE.W    #$80,$FF8606.L
0190C4  303C00D0                  MOVE.W    #$D0,D0
0190C8  61000024                  BSR       36(PC)               fdcWriteD0
0190CC  303C000F                  MOVE.W    #$F,D0
0190D0  51C8FFFE            L0027:DBF       D0,-2(PC)            L0027

fdcReadStatus
0190D4  33FC008000FF8606          MOVE.W    #$80,$FF8606.L
0190DC  6100001A                  BSR       26(PC)               fdcDelay
0190E0  303900FF8604              MOVE.W    $FF8604.L,D0
0190E6  02800000001F              ANDI.L    #$1F,D0
0190EC  600A                      BRA.S     10(PC)               fdcDelay

fdcWriteD0
0190EE  61000008                  BSR       8(PC)                fdcDelay
0190F2  33C000FF8604              MOVE.W    D0,$FF8604.L

fdcDelay:
0190F8  40E7                      MOVE      SR,-(A7)
0190FA  3F00                      MOVE.W    D0,-(A7)
0190FC  303C0001                  MOVE.W    #1,D0
019100  51C8FFFE            L002B:DBF       D0,-2(PC)            L002B
019104  301F                      MOVE.W    (A7)+,D0
019106  46DF                      MOVE      (A7)+,SR
019108  4E75                      RTS

buffer512Bytes: DS.B 512