Atari ST Protection: Brataccas

The protection is also simple: track 81, sector 20 has to contain at least 71 times ‘JAKE’ at the beginning. It then reads sector 1 in track 5, which has to have a CRC error in the data block (the FDC status has bit 3 set, but not bit 4).

Interesting, but not as interesting as the code in the boot sector. Michael K. Glover had some fun with it:

This is the executed code:

$FFFF8800 = $0E, $FFFF8802 = $05    ;Select Disk A, Side 0
$FFFF8606 = $80, $FFFF8604 = $03    ;CMD Restore
WAIT BTST #0,$FA01                  ;wait for completion
$FFFF8606 = $86, $FFFF8604 = $0A    ;DATA = 10
$FFFF8606 = $80, $FFFF8604 = $10    ;CMD Seek to track 10
WAIT BTST #0,$FA01                  ;wait for completion
$FFFF8606 = $84, $FFFF8604 = $0A    ;SECTOR = 10
$FFFF8606 = $82, $FFFF8604 = $45    ;TRACK = $45
$FFFF8609 = $00, $FFFF860B = $04, $FFFF860D = $80,  ;DMA ADDRESS = $000480
$FFFF8606 = $90, $FFFF8606 = $190, $FFFF8606 = $90  ;DMA read
$FFFF8604 = $01                     ;1 sector (512 bytes)
$FFFF8606 = $80, $FFFF8604 = $80    ;CMD Read Sector
WAIT BTST #0,$FA01                  ;wait for completion
JMP (A6) => $480


    TEXT
$0000 BRA.S     L0000
$0002 DC.B      'M.Glover',$00
$000B DC.B      $00,$02, $02, $01,$00, $02, $70,$00, $D0,$02, $F8, $05,$00, $09,$00, $01,$00, $00,$00
$001E DC.B      $00,$00, $00,$00, $00,$00, $00,$00, $00,$00, $00,$00
    DC.B      $00,$04, $00,$00, $00,$00,$80,$00
    DC.B      'TOS     IMG',$00

L0000:MOVE      #$2700,SR
    BRA       L000E

    DC.B      'This beauty by Michael K. Glover.(JAKE)'
    DC.B      'I dont know about "NEUTER BOOTER",but you need real balls to check this out!!!',0

    //        D0    D4    D5    D6    D7    A1    A2    A3    A4    A5
L0001:DC.W      $0000,$0001,$0001,$0000,$001A,$8800,$8608,$FA01,$8609,$000F

L0002:
$00CC EXT.W     D0
$00CE MOVEM.W   L0001(PC,D0.W),A1-A5/D4-D7/D0
$00D4 MOVEM.L   L0005(PC,D7.W),A6-A7            ; L0007
$00DA LEA       L0007+3(PC,A5.L),A5

L0003:
$00DE MOVE.B    (A5)+,D6
$00E0 MOVE.B    D6,(A1)+            ;select floppy and side
$00E2 ADDQ.L    #1,A1
$00E4 DBF       D5,L0003

L0004:
$00E8 JSR       L000C(PC,D7.W)  ;L000D
$00EC JSR       L0004(PC,D7.W)  ;L0008
$00F0 JSR       L000B(PC,D7.W)  ;L000D
$00F4 JSR       L0006(PC,D7.W)  ;L0008
$00F8 JSR       L0009(PC,D7.W)  ;L000D

;set DMA address
$00FC MOVE.W    (A5)+,D2
$00FE MOVE.B    D2,(A4)+
$0100 ADDQ.L    #1,A4
L0005:
$0102 DBF       D7,$00FC

;$90,$190,$90 => FFFF8606
$0106 ADDQ.L    #2,A0
$0108 MOVE.W    (A5)+,(A0)
$010A DBF       D4,$0108
$010E MOVEQ     #1,D0
$0110 JSR       L0010(PC,D7.W)  ;$0167 + D7 (-1) => $0166 = L000D
L0006 EQU $0112
$0114 JSR       L0003(PC,D7.W)  ;$00DE + $46 => $0124 = L0008
$0118 BRA       L000F

    //        A6    A7
L0007:
$011C DC.W      $0000,$0480
$0120 DC.W      $0007,$0000

L0008:
$0124 BTST      D6,(A3)
$0126 BNE.S     L0008
$0128 MOVE.W    (A5)+,D7
L0009:
$012A MOVE.W    (A5)+,D0
L000A:
$012C RTS

L000X:
$012E DC.B      $0E,$05
$0130 DC.W      $0080,$0003,$003C   ;=> L0008
$0136 DC.W      $0028,$0001         ;=> L000D, D0=1

$013A DC.W      $0086,$000A
L000B:
$013E DC.W      $0080,$0010,$0012   ;L0008

    DC.W      $003C,$0001         ;L000D
    DC.W      $0084,$000A
L000C:DC.W      $0082,$0045,$0002
    DC.W      $0000,$0004,$0080
    DC.W      $0090,$0190,$0090
    DC.W      $0001,$0080,$0080,$0046

L000D:
$0166 MOVEA.L   A2,A0
L0010 EQU       *-1
    MOVE.W    (A5)+,-(A0)
    BSR.S     L000A
    MOVE.W    (A5)+,-(A0)
    DBF       D0,L000D
    MOVE.W    (A5)+,D7
    RTS

    DC.B      'So there it is. What a little beauty Eh?'

L000E:MOVE      SR,D0
    ORI.W     #0,D0
    ORI.W     #6,D1
    ORI.W     #8,D1
    ORI.W     #0,D1
    BRA       L0002

    DC.B      'The code in this game is by Dave,Jake and Phil!!'

L000F:JMP       (A6)

    ; checksum
    DC.B      $90,$EE,$00,$00,$00,$00,$00,$00
    DCB.W     9,0

Atari ST Protection: Turrican

The boot sector starts quite interesting: copying code to address 8 and executing it there. The format of the disk is different, but not special: sector 1 in the track is 512 bytes long, sector 2–6 are each 1024 bytes long. 5632 bytes per track out of possible 6250 bytes, pretty good capacity on a double sided disk. The trick is that the last 1024 byte sector starts at the end of the track and extends for more than 500 bytes over the index marker. The first sector is packed right after the sector at the beginning. The tracks 75..79 are not used. Strangely on the back side Track 79 contains an empty 512 sector, which does not seem to be part of the protection.

Track 7 to 10 contain the actual protection. The test starts in track 7 and tests the protection, if it fails it continous till track 10 to find a valid protection. If it fails on all 4 tracks, it erases the memory till it crashes…

The usual 6 sectors exist in these tracks, but they also contain sector 0 and 16 in different positions (the position is not tested). They are supposed to be each 1024 bytes long, but they only have an address mark plus the sector header and can not be read without a CRC error. The reason for this is interesting and István Fábián figured out what is going on the the actual disk medium! http://www.atari-forum.com/viewtopic.php?f=47&t=19948&start=25

Track  7: sector order: 5,3,6, 0,16, 1,4,2
Track  8: sector order:  0,16, 1,4,2,5,3,6
Track  9: sector order:  5,3,6, 0,16, 1,4,2
Track 10: sector order:  0,16, 1,4,2,5,3,6

Sector 0 starts with the following data, as you can see it clearly contains the sector header of sector 16! You can also see four weird bytes: 0x14, 0x14, 0x14, 0x00. These bytes are actually 3 sync markers 0xa1 and another sector header 0xfe, but shifted by one bit and the FDC will re-sync to them when trying to read sector 16. And because data bits and clock bits are interleaved, the re-sync will now actually read the clock bits instead of the data bits! The protection therefore reads the data bits via sector 0 (re-sync is disabled after a 0xFE is found for 1024 bytes plus CRC) and then the clock bits via sector 16.

0000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0010   A1 A1 A1 FE 07 00 10 03 BB 21 4E 4E 4E 4E 4E 4E    .........!NNNNNN
0020   4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E    NNNNNNNNNNNNNNNN
0030   FF FF FF FF FF FF FF FF FF FF FF FE 14 14 14 00    ................
0040   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF    ................
0050   80 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00    ................
0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

The DMA read code ignores the first 64 bytes, which is a gap and the re-sync for the sector 16. The following 16 bytes have to contain 0xFF bytes and other 32 bytes have to have more than 204 cleared bits (out of 256 possible bits).

Sector 16 (the clock bits) starts with the following data:

0000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0010   40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    @...............
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

The first 16 bytes have to contain 0x00 bytes and other 32 bytes have to have more than 204 cleared bits (out of 256 possible bits), because of clock drift the FDC probably can randomly read a 1 instead of a 0.

copyProtection:
    MOVEM.L   A0-A6/D0-D7,-(A7)
    MOVE.L    #$100000,D0
L056B:SUBQ.L    #1,D0           ;delay
    BNE.S     L056B
    MOVE      SR,-(A7)
    BTST      #5,(A7)
    BNE.S     L056C
    CLR.L     -(A7)
    MOVE.W    #$20,-(A7)    ;SUPER
    TRAP      #1
    MOVE.L    D0,2(A7)
L056C:MOVE      #$2700,SR

    BSR       clearKeyboard

    LEA       $FFFF8000.W,A4  ;ffff8000
    LEA       1549(A4),A3     ;ffff860d
    LEA       1542(A4),A2     ;ffff8606
    LEA       1540(A4),A1     ;ffff8604
    LEA       31233(A4),A0    ;fffffa01

    MOVEQ     #5,D0
    BSR       selectFloppy

    MOVE.W    #$82,(A2)       ;track register
    BSR       fdcDelay
    MOVE.W    (A1),D0
    ANDI.W    #$FF,D0
    MOVE.W    D0,-(A7)        ;current track

    MOVE.W    #$80,(A2)
    MOVEQ     #$01,D2
    BSR       fdcCommand      ;Restore

    MOVEQ     #7,D7           ;start with track 7
L056D:MOVE.W    D7,D2
    BSR       fdcSeek
    BSR       checkSectors
    TST.W     D6
    BPL.S     L056F
    ADDQ.W    #1,D7
    CMPI.W    #10,D7          ;up to track 10
    BLE.S     L056D

    LEA       $80000,A7
L056E:CLR.L     -(A7)           ;erase everything and crash...
    BRA.S     L056E

L056F:MOVE.W    (A7)+,D2        ;current track
    BSR       fdcSeek
L0570:MOVE.W    (A1),D0         ;wait for motor off
    TST.B     D0
    BMI.S     L0570
    MOVEQ     #7,D0
    BSR       selectFloppy    ;deselect drive
    BSR.S     clearKeyboard
    MOVE.W    (A7)+,D0
    CMPI.W    #$20,D0         ;supervisor mode active?
    BNE.S     L0571
    MOVEA.L   (A7)+,A0
    MOVE.W    (A7)+,D0
    MOVE      A7,USP          ;back to user mode
    MOVEA.L   A0,A7
L0571:MOVE      D0,SR
    MOVEM.L   (A7)+,A0-A6/D0-D7
    BRA       copyProtectionReturn

clearKeyboard
    MOVEQ     #$FF,D0
L0573:BTST      #0,$FFFFFC00.W
    BEQ.S     L0574
    MOVE.B    $FFFFFC02.W,D0
    BRA.S     clearKeyboard
L0574:DBF       D0,L0573
    RTS

checkSectors:
    MOVEQ     #4,D6           ;5 tries
checkSectorsTries:
    MOVEQ     #0,D1           ;sector 0
    MOVEQ     #4,D5           ;skip 5 DMA buffer (one empty at the beginning)
    LEA       -128(A7),A5     ;base address
    BSR       readSector
    MOVEQ     #15,D0
L0577:CMPI.B    #$FF,(A5)+      ;16 0xFF bytes have to be at the beginning of the buffer
    BNE.S     checkSectorsFailed
    DBF       D0,L0577
    BSR       countClearedBits
    CMPI.W    #$CC,D0         ;at least 204 cleared bits have to be in the buffer
    BLT.S     checkSectorsFailed

    MOVEQ     #16,D1          ;sector 16
    MOVEQ     #0,D5           ;skip 1 DMA buffer (which is empty anyway)
    LEA       -64(A7),A5      ;base address
    BSR       readSector
    MOVEQ     #15,D0
L0578:TST.B     (A5)+           ;16 0x00 bytes have to be at the beginning of the buffer
    BNE.S     checkSectorsFailed
    DBF       D0,L0578
    BSR.S     countClearedBits
    CMPI.W    #$CC,D0         ;at least 204 cleared bits have to be in the buffer
    BGE.S     checkSectorsSuccess
checkSectorsFailed:
    DBF       D6,checkSectorsTries
checkSectorsSuccess:
    RTS

;count the number of cleared bits in 32 bytes
countClearedBits:
    MOVEQ     #0,D0
    MOVEQ     #31,D1
L057C:MOVEQ     #7,D2
L057D:BTST      D2,(A5)
    BNE.S     L057E
    ADDQ.L    #1,D0
L057E:DBF       D2,L057D
    ADDQ.L    #1,A5
    DBF       D1,L057C
    RTS

readSector:
    MOVE.L    A5,D0
    MOVE.B    D0,(A3)
    LSR.W     #8,D0
    MOVE.B    D0,1547(A4)     ;set the DMA address
    SWAP      D0
    MOVE.B    D0,1545(A4)
    MOVE.W    #$90,(A2)
    MOVE.W    #$190,(A2)      ;read
    MOVE.W    #$90,(A2)
    MOVEQ     #$10,D2
    BSR       fdcWriteD2      ;16*512 byte
    MOVE.W    #$84,(A2)
    MOVE.W    D1,D2           ;sector number
    BSR       fdcWriteD2
    MOVE.W    #$80,(A2)
    BSR       fdcDelay
    MOVE.W    #$80,(A1)       ;read sector

;5+3 DMA buffer = 128 bytes

L0580:MOVEM.L   (A5),D0-D3      ;read original bytes from the buffer
    SUBQ.W    #1,D5           ;5 DMA buffers
    BMI.S     L0582
    MOVE.W    A5,D4
L0581:CMP.B     (A3),D4         ;DMA low unchanged?
    BEQ.S     L0581           ;wait!
    MOVEM.L   D0-D3,(A5)
    LEA       16(A5),A5
    BRA.S     L0580

L0582:MOVEQ     #2,D1
L0583:MOVE.B    (A3),D0
L0584:CMP.B     (A3),D0         ;wait for DMA low to change 3 times
    BEQ.S     L0584
    DBF       D1,L0583

    MOVE.W    #$50,(A2)
    MOVE.W    #$150,(A2)      ;just weird...
    MOVE.W    #$50,(A2)
    BRA       fdcWait

    RTS

selectFloppy:
    MOVE.B    #$E,2048(A4)
    MOVEQ     #$F8,D1
    AND.B     2048(A4),D1
    OR.B      D0,D1
    MOVE.B    D1,2050(A4)
    RTS

fdcSeek:
    MOVE.W    #$86,(A2)
    BSR.S     fdcWriteD2
    MOVE.W    #$80,(A2)
    MOVEQ     #$11,D2
fdcCommand:
    BSR.S     fdcWriteD2
fdcWait:
    BTST      #5,(A0)
    BNE.S     fdcWait
    RTS

fdcWriteD2:
    BSR.S     fdcDelay
    MOVE.W    D2,(A1)

fdcDelay:
    MOVEQ     #$7F,D3
L058B:DBF       D3,L058B
    RTS

copyProtectionReturn:
    RTS

Atari ST Protection: The Sentry or The Sentinel

This protection is in track 20, it searches for $13,$07,$F7,$19,$87,$F7 right AFTER the CRC of sector 9, especially the $F7 is nasty, because the FDC normally writes a two byte CRC when receiving a $F7 with the write track command. Because of a bad implementation these bytes could be written inside sector 9 and it would still work…

001644  605C                      BRA.S     92(PC)               L0000

001646  4E4E4E4E4E4E6969          DC.B      $4E,$4E,$4E,$4E,$4E,$4E,$69,$69
00164E  6900020201000270          DC.B      $69,$00,$02,$02,$01,$00,$02,$70
001656  00D002F805000900          DC.B      $00,$D0,$02,$F8,$05,$00,$09,$00
00165E  01000000                  DC.B      $01,$00,$00,$00

001662                            DC.B 'Copyright (c) 1987 Michael K. Glover/Icom Simulations (U.K.) Ltd'

0016A2  780A                L0000:MOVEQ     #$A,D4
0016A4  2444                      MOVEA.L   D4,A2
0016A6  D4C4                      ADDA.W    D4,A2
0016A8  42AA0010                  CLR.L     16(A2)            ;$24
0016AC  42AA0030                  CLR.L     48(A2)            ;$44
0016B0  4EBA0136                  JSR       310(PC)              loadRegisters

0016B4  1145FFFE                  MOVE.B    D5,-2(A0)           ;$FF8800 = $0E
0016B8  E05D                      ROR.W     #8,D5
0016BA  1085                      MOVE.B    D5,(A0)             ;$FF8802 = $25

0016BC  32BC0080                  MOVE.W    #$80,(A1)           ;$FF8606 = $80
0016C0  4EBA0148                  JSR       328(PC)              clrTrace
0016C4  337C0003FFFE              MOVE.W    #3,-2(A1)           ;$FF8604 = $03   Restore
0016CA  4EBA012C                  JSR       300(PC)              waitFDC

0016CE  2C0E                      MOVE.L    A6,D6               ;buffer address = $30000
0016D0  17460002                  MOVE.B    D6,2(A3)            ;$FF860D = low
0016D4  E05E                      ROR.W     #8,D6
0016D6  1686                      MOVE.B    D6,(A3)             ;$FF860B = mid
0016D8  4846                      SWAP      D6
0016DA  1746FFFE                  MOVE.B    D6,-2(A3)           ;$FF8609 = high
0016DE  3282                      MOVE.W    D2,(A1)             ;$FF8606 = $90
0016E0  8441                      OR.W      D1,D2
0016E2  3282                      MOVE.W    D2,(A1)             ;$FF8606 = $190 DMA Read
0016E4  9441                      SUB.W     D1,D2
0016E6  3282                      MOVE.W    D2,(A1)             ;$FF8606 = $90
0016E8  4EBA0120                  JSR       288(PC)              clrTrace
0016EC  3343FFFE                  MOVE.W    D3,-2(A1)           ;$FF8604 = $1F 31 DMA Sectors
0016F0  4EBA0118                  JSR       280(PC)              clrTrace
0016F4  3284                      MOVE.W    D4,(A1)             ;$FF8606 = $80
0016F6  4EBA0112                  JSR       274(PC)              clrTrace
0016FA  3347FFFE                  MOVE.W    D7,-2(A1)           ;$FF8604 = $E0 Read Track
0016FE  4EBA00F8                  JSR       248(PC)              waitFDC

001702  32BC0086                  MOVE.W    #$86,(A1)           ;$FF8606 = $86
001706  4EBA0102                  JSR       258(PC)              clrTrace
00170A  337C0014FFFE              MOVE.W    #$14,-2(A1)         ;$FF8604 = $14
001710  4EBA00F8                  JSR       248(PC)              clrTrace
001714  3284                      MOVE.W    D4,(A1)             ;$FF8606 = $80
001716  4EBA00F2                  JSR       242(PC)              clrTrace
00171A  337C0013FFFE              MOVE.W    #$13,-2(A1)         ;$FF8606 = $13 Seek Track 20
001720  4EBA00D6                  JSR       214(PC)              waitFDC

001724  224E                      MOVEA.L   A6,A1
001726  D2FC125A                  ADDA.W    #$125A,A1           ;offset before header of sector 9 in track 0
00172A  3C3C0500                  MOVE.W    #$500,D6            ;search to the end of the track
00172E  7E05                L0001:MOVEQ     #5,D7
001730  41FA00F8                  LEA       248(PC),A0           L000F
                                        $13,$07,$F7,$19,$87,$F7 ;these bytes are directly after the CRC of sector 9.
                                                                ;funny thing: you could copy them INTO sector 9 and
                                                                ;the protection would still work.

001734  B308                L0002:CMPM.B    (A0)+,(A1)+
001736  6606                      BNE.S     6(PC)                L0003
001738  51CFFFFA                  DBF       D7,-6(PC)            L0002
00173C  600A                      BRA.S     10(PC)               L0004
00173E  51CEFFEE            L0003:DBF       D6,-18(PC)           L0001
001742  DECB                      ADDA.W    A3,A7               ;kill stackpointer (it will become negative => double bus fault)
001744  4EBA00C4                  JSR       196(PC)              clrTrace

001748  41FA0058            L0004:LEA       88(PC),A0            L0005
00174C  227C00054C00              MOVEA.L   #$54C00,A1
001752  2E3C0000A400              MOVE.L    #$A400,D7
001758  4EBA0062                  JSR       98(PC)               loadFile

00175C  41FA0047                  LEA       71(PC),A0            L0006
001760  227C00048000              MOVEA.L   #$48000,A1
001766  2E3C00007D00              MOVE.L    #$7D00,D7
00176C  4EBA004E                  JSR       78(PC)               loadFile

001770  41FA003E                  LEA       62(PC),A0            L0007
001774  227C00070000              MOVEA.L   #$70000,A1
00177A  2E3C00007D00              MOVE.L    #$7D00,D7
001780  4EBA003A                  JSR       58(PC)               loadFile

001784  42A7                      CLR.L     -(A7)
001786  3F3C0020                  MOVE.W    #$20,-(A7)
00178A  4E41                      TRAP      #1
00178C  5C8F                      ADDQ.L    #6,A7

00178E  13FC007B0005C452          MOVE.B    #$7B,$5C452
001796  11FC00801876              MOVE.B    #$80,$1876.W
00179C  4EF900058000              JMP       $58000

0017A2  534D00              L0005:DC.B      'SM',0
0017A5  5446494E414C2E4249  L0006:DC.B      'TFINAL.BIN',0
0017B0  534B59424F582E42    L0007:DC.B      'SKYBOX.BIN',0

0017BC  3F3C0000            loadFile:MOVE.W    #0,-(A7)
0017C0  2F08                      MOVE.L    A0,-(A7)
0017C2  3F3C003D                  MOVE.W    #$3D,-(A7)
0017C6                      L0009 EQU       *-2
0017C6  4E41                      TRAP      #1
0017C8  508F                      ADDQ.L    #8,A7
0017CA  3C00                      MOVE.W    D0,D6
0017CC  2F09                      MOVE.L    A1,-(A7)
0017CE  2F07                      MOVE.L    D7,-(A7)
0017D0  3F06                      MOVE.W    D6,-(A7)
0017D2  3F3C003F                  MOVE.W    #$3F,-(A7)
0017D6  4E41                      TRAP      #1
0017D8  DEFC000C                  ADDA.W    #$C,A7
0017DC  3F06                      MOVE.W    D6,-(A7)
0017DE  3F3C003E                  MOVE.W    #$3E,-(A7)
0017E2  4E41                      TRAP      #1
0017E4  588F                      ADDQ.L    #4,A7
0017E6  4E75                      RTS

0017E8  E744                loadRegisters:ASL.W     #3,D4
0017EA  4CBB3FFE40D6              MOVEM.W   -42(PC,D4.W),A0-A5/D1-D7 L0009      ;001814
0017F0  4DF900030000              LEA       $30000,A6
0017F6  4E75                      RTS

0017F8  2C3C0007A120        waitFDC:MOVE.L    #500000,D6
0017FE  08120005            L000C:BTST      #5,(A2)
001802  6704                      BEQ.S     4(PC)                L000D
001804  5386                      SUBQ.L    #1,D6
001806  66F6                      BNE.S     -10(PC)              L000C
001808  4E75                L000D:RTS

00180A  42B80024            clrTrace:CLR.L     $24.W
00180E  42B8002C                  CLR.L     $2C.W
001812  4E75                      RTS

001814  01000090001F0080          DC.W      $0100,$0090,$001F,$0080     ; D1,D2,D3,D4
00181C  250E230E00E08802          DC.W      $250E,$230E,$00E0,$8802     ; D5,D7,D7,A0
001824  8606FA01860B              DC.W      $8606,$FA01,$860B           ; A1,A2,A3

00182A  1307F71987F7FFA0    L000F:DC.B      $13,$07,$F7,$19,$87,$F7,$FF,$A0 ;A4,A5
001832  00000000CA4B0000          DC.B      $00,$00,$00,$00,$CA,$4B,$00,$00
00183A  0000000000000000          DC.B      $00,$00,$00,$00,$00,$00,$00,$00
001842  0000000000000000          DC.B      $00,$00,$00,$00,$00,$00,$00,$00
00184A  0000000000000000          DC.B      $00,$00,$00,$00,$00,$00,$00,$00
001852  0000000000000000          DC.B      $00,$00,$00,$00,$00,$00,$00,$00

Atari ST Protection: Arkanoid/CopylockST

This is an earlier version of CopylockST from Rob Northen from 29/09/88, it doesn’t use timing variations but three tests:

  • Track 79: has to be shorter than 6027 bytes, that is not possible to be written with a standard drive.
  • Track 0: The GAP 3a of Sector 1 (after the address mark) has to be exactly 32 bytes long and followed by 0x56,0x1E. Easily to miss this one.
  • Track 0: Byte 8 and 9 of Sector 1 has to contain 0xF5 and 0xF7 (not really a “protection”)
copyProtectionBaseAddress:
000188e4: 243c 0000 0200                 MOVE.L   #$200,D2
000188ea: 206f 0004                      MOVEA.L  (4,A7),A0
000188ee: 2628 000c                      MOVE.L   (12,A0),D3
000188f2: 0483 0000 0044                 SUBI.L   #$44,D3
000188f8: 41fa ffea                      LEA      copyProtectionBaseAddress(PC),A0
000188fc: 43fa 002a                      LEA      startOfDecodedBlock(PC),A1
00018900: 4280                           CLR.L    D0
00018902: 4281                           CLR.L    D1
00018904: 3a30 0000                      MOVE.W   (0,A0,D0.W),D5
00018908: bb71 1000                      EOR.W    D5,(0,A1,D1.W)
0001890c: 3a31 1000                      MOVE.W   (0,A1,D1.W),D5
00018910: 5481                           ADDQ.L   #2,D1
00018912: b243                           CMP.W    D3,D1
00018914: 6600 fff2                      BNE      *-$C [$18908]
00018918: 5480                           ADDQ.L   #2,D0
0001891a: b07c 0044                      CMP.W    #$44,D0
0001891e: 6700 fff8                      BEQ      *-$6 [$18918]
00018922: b042                           CMP.W    D2,D0
00018924: 6600 ffdc                      BNE      *-$22 [$18902]

startOfDecodedBlock:
00018928: 2a6f 0004                      MOVEA.L  (4,A7),A5
0001892c: 206d 0010                      MOVEA.L  ($10,A5),A0
00018930: 43fa 0948                      LEA      ($948,PC) [$1927A],A1
00018934: 2288                           MOVE.L   A0,(A1)

00018936: 6100 0454                      BSR      disableMFPInterrupts
0001893a: 6100 02ea                      BSR      checkFloppyProtection
0001893e: 6100 0036                      BSR      readArkanoidProFile
00018942: 6100 0084                      BSR      decompressArkanoidProFile
00018946: 6100 0158                      BSR      checksumCompare
0001894a: 6100 0180                      BSR      relocateApplication
0001894e: 6100 01d8                      BSR      getApplicationSizes
00018952: 6100 0206                      BSR      runApplication
; the following code is unused, because runApplication never returns anyway

00018956: 6100 0174                      BSR      relocateApplication
0001895a: 6100 01cc                      BSR      getApplicationSizes
0001895e: 6100 042c                      BSR      disableMFPInterrupts
00018962: 6100 0012                      BSR      readArkanoidProFile
00018966: 6100 0060                      BSR      decompressArkanoidProFile
0001896a: 6100 0134                      BSR      checksumCompare
0001896e: 6100 02b6                      BSR      checkFloppyProtection
00018972: 6000 01e6                      BRA      runApplication


readArkanoidProFile:
00018976: 4267                           CLR.W    -(A7)
00018978: 487a 090a                      PEA      ($90A,PC) [$19284]
0001897c: 3f3c 003d                      MOVE.W   #$3D,-(A7)
00018980: 4e41                           TRAP     #1                        ;Fopen ("arkanoid.PRO", 0)
00018982: 508f                           ADDQ.L   #8,A7
00018984: 4a80                           TST.L    D0
00018986: 6b00 0038                      BMI      *+$3A [$189C0]
0001898a: 3f00                           MOVE.W   D0,-(A7)
0001898c: 2f3a 08ec                      MOVE.L   ($8EC,PC) [$1927A],-(A7)  ;buffer address
00018990: 2f3a 08e0                      MOVE.L   ($8E0,PC) [$19272],-(A7)  ;number of bytes
00018994: 3f00                           MOVE.W   D0,-(A7)
00018996: 3f3c 003f                      MOVE.W   #$3F,-(A7)
0001899a: 4e41                           TRAP     #1                        ;Fread ( int16_t handle, int32_t count, void *buf )
0001899c: dffc 0000 000c                 ADDA.L   #$C,A7
000189a2: 4a80                           TST.L    D0
000189a4: 6b00 001a                      BMI      *+$1C [$189C0]
000189a8: b0ba 08c8                      CMP.L    ($8C8,PC) [$19272],D0     ;all bytes read?
000189ac: 6600 0012                      BNE      *+$14 [$189C0]
000189b0: 3f3c 003e                      MOVE.W   #$3E,-(A7)
000189b4: 4e41                           TRAP     #1                        ;Fclose ( int16_t handle )
000189b6: 588f                           ADDQ.L   #4,A7
000189b8: 4a80                           TST.L    D0
000189ba: 6b00 0004                      BMI      *+$6 [$189C0]
000189be: 4e75                           RTS
000189c0: 41fa 08ea                      LEA      ($8EA,PC) [$192AC],A0     ;"[ESC]lDisc error loading file"
000189c4: 6000 01f4                      BRA      fatalError

decompressArkanoidProFile:
000189c8: 41fa ff1a                      LEA      copyProtectionBaseAddress,A0
000189cc: 203c 0000 0972                 MOVE.L   #$972,D0
000189d2: 6100 00ea                      BSR      longChecksumD6
000189d6: 41fa 092e                      LEA      ($92E,PC) [$19306],A0
000189da: 227a 089e                      MOVEA.L  ($89E,PC) [$1927A],A1     ;arkanoid pro file buffer
000189de: 323c 0001                      MOVE.W   #1,D1
000189e2: 4240                           CLR.W    D0
000189e4: 4a70 0000                      TST.W    (0,A0,D0.W)
000189e8: 6700 0032                      BEQ      *+$34 [$18A1C]
000189ec: b270 0000                      CMP.W    (0,A0,D0.W),D1
000189f0: 6700 0008                      BEQ      *+$A [$189FA]
000189f4: 5840                           ADDQ.W   #4,D0
000189f6: 6000 ffec                      BRA      *-$12 [$189E4]
000189fa: 3f30 0002                      MOVE.W   (2,A0,D0.W),-(A7)
000189fe: e448                           LSR.W    #2,D0
00018a00: 0640 0001                      ADDI.W   #1,D0
00018a04: 6100 0018                      BSR      *+$1A [$18A1E]
00018a08: 301f                           MOVE.W   (A7)+,D0
00018a0a: 343a 0876                      MOVE.W   ($876,PC) [$19282],D2     ;copy protection checksum
00018a0e: bd42                           EOR.W    D6,D2
00018a10: b540                           EOR.W    D2,D0
00018a12: 6100 005c                      BSR      *+$5E [$18A70]
00018a16: 5281                           ADDQ.L   #1,D1
00018a18: 6000 ffc8                      BRA      *-$36 [$189E2]
00018a1c: 4e75                           RTS

00018a1e: 48e7 c000                      MOVEM.L  D0-D1,-(A7)
00018a22: b240                           CMP.W    D0,D1
00018a24: 6700 0044                      BEQ      *+$46 [$18A6A]
00018a28: 0440 0001                      SUBI.W   #1,D0
00018a2c: 0441 0001                      SUBI.W   #1,D1
00018a30: e548                           LSL.W    #2,D0
00018a32: e549                           LSL.W    #2,D1
00018a34: 2430 0000                      MOVE.L   (0,A0,D0.W),D2
00018a38: 21b0 1000 0000                 MOVE.L   (0,A0,D1.W),(0,A0,D0.W)
00018a3e: 2182 1000                      MOVE.L   D2,(0,A0,D1.W)
00018a42: 0280 0000 ffff                 ANDI.L   #$FFFF,D0
00018a48: 0281 0000 ffff                 ANDI.L   #$FFFF,D1
00018a4e: ef88                           LSL.L    #7,D0
00018a50: ef89                           LSL.L    #7,D1
00018a52: 2449                           MOVEA.L  A1,A2
00018a54: 2649                           MOVEA.L  A1,A3
00018a56: d5c0                           ADDA.L   D0,A2
00018a58: d7c1                           ADDA.L   D1,A3
00018a5a: 203c 0000 007f                 MOVE.L   #$7F,D0
00018a60: 2212                           MOVE.L   (A2),D1
00018a62: 24d3                           MOVE.L   (A3),(A2)+
00018a64: 26c1                           MOVE.L   D1,(A3)+
00018a66: 51c8 fff8                      DBF      D0,*-$6 [$18A60]
00018a6a: 4cdf 0003                      MOVEM.L  (A7)+,D0-D1
00018a6e: 4e75                           RTS

00018a70: 48e7 4080                      MOVEM.L  D1/A0,-(A7)
00018a74: 0281 0000 ffff                 ANDI.L   #$FFFF,D1
00018a7a: 5381                           SUBQ.L   #1,D1
00018a7c: e189                           LSL.L    #8,D1
00018a7e: e389                           LSL.L    #1,D1
00018a80: 207a 07f8                      MOVEA.L  ($7F8,PC) [$1927A],A0
00018a84: d1c1                           ADDA.L   D1,A0
00018a86: 223c 0000 00ff                 MOVE.L   #$FF,D1
00018a8c: 4a58                           TST.W    (A0)+
00018a8e: 6700 0006                      BEQ      *+$8 [$18A96]
00018a92: b168 fffe                      EOR.W    D0,(-2,A0)
00018a96: 51c9 fff4                      DBF      D1,*-$A [$18A8C]
00018a9a: 4cdf 0102                      MOVEM.L  (A7)+,D1/A0
00018a9e: 4e75                           RTS

checksumCompare:
00018aa0: 207a 07d8                      MOVEA.L  ($7D8,PC) [$1927A],A0
00018aa4: 203a 07cc                      MOVE.L   ($7CC,PC) [$19272],D0
00018aa8: 6100 0014                      BSR      longChecksumD6
00018aac: bcba 07d0                      CMP.L    ($7D0,PC) [$1927E],D6
00018ab0: 6700 000a                      BEQ      *+$C [$18ABC]
00018ab4: 41fa 0826                      LEA      ($826,PC) [$192DC],A0     ;"[ESC]lData has been corrupted"
00018ab8: 6000 0100                      BRA      fatalError
00018abc: 4e75                           RTS

longChecksumD6:
00018abe: e488                           LSR.L    #2,D0
00018ac0: 4286                           CLR.L    D6
00018ac2: dc98                           ADD.L    (A0)+,D6
00018ac4: 5380                           SUBQ.L   #1,D0
00018ac6: 6600 fffa                      BNE      *-$4 [$18AC2]
00018aca: 4e75                           RTS

relocateApplication:
00018acc: 207a 07ac                      MOVEA.L  ($7AC,PC) [$1927A],A0
00018ad0: 2028 0002                      MOVE.L   (2,A0),D0             ;text size
00018ad4: d0a8 0006                      ADD.L    (6,A0),D0             ;data size
00018ad8: 43fa 079c                      LEA      ($79C,PC) [$19276],A1 ;application text+data size
00018adc: 2280                           MOVE.L   D0,(A1)
00018ade: 4a68 001a                      TST.W    ($1A,A0)              ;reloc info
00018ae2: 6600 0042                      BNE      *+$44 [$18B26]
00018ae6: 2248                           MOVEA.L  A0,A1
00018ae8: d3fc 0000 001c                 ADDA.L   #28,A1
00018aee: 2449                           MOVEA.L  A1,A2
00018af0: d5e8 0002                      ADDA.L   (2,A0),A2             ;text size
00018af4: d5e8 0006                      ADDA.L   (6,A0),A2             ;data size
00018af8: d5e8 000e                      ADDA.L   ($E,A0),A2            ;symbol table size
00018afc: 4281                           CLR.L    D1
00018afe: 41fa fde4                      LEA      copyProtectionBaseAddress,A0
00018b02: 2408                           MOVE.L   A0,D2
00018b04: 201a                           MOVE.L   (A2)+,D0
00018b06: d5b1 0800                      ADD.L    D2,(0,A1,D0.L)
00018b0a: 121a                           MOVE.B   (A2)+,D1
00018b0c: 4a01                           TST.B    D1
00018b0e: 6700 0016                      BEQ      *+$18 [$18B26]
00018b12: d081                           ADD.L    D1,D0
00018b14: b23c 0001                      CMP.B    #1,D1
00018b18: 6600 ffec                      BNE      *-$12 [$18B06]
00018b1c: 0680 0000 00fd                 ADDI.L   #254-1,D0
00018b22: 6000 ffe6                      BRA      *-$18 [$18B0A]
00018b26: 4e75                           RTS

getApplicationSizes:
00018b28: 206f 0008                      MOVEA.L  (8,A7),A0
00018b2c: 43fa fdb6                      LEA      copyProtectionBaseAddress,A1
00018b30: 2009                           MOVE.L   A1,D0
00018b32: 227a 0746                      MOVEA.L  ($746,PC) [$1927A],A1
00018b36: 2169 0002 000c                 MOVE.L   (2,A1),(12,A0)        ;text size
00018b3c: d0a8 000c                      ADD.L    (12,A0),D0
00018b40: 2140 0010                      MOVE.L   D0,(16,A0)
00018b44: 2169 0006 0014                 MOVE.L   (6,A1),(20,A0)        ;data size
00018b4a: d0a8 0014                      ADD.L    (20,A0),D0
00018b4e: 2140 0018                      MOVE.L   D0,(24,A0)
00018b52: 2169 000a 001c                 MOVE.L   (10,A1),(28,A0)       ;bss size
00018b58: 4e75                           RTS

runApplication:
00018b5a: 588f                           ADDQ.L   #4,A7
00018b5c: 206f 0004                      MOVEA.L  (4,A7),A0
00018b60: 2468 0018                      MOVEA.L  (24,A0),A2            ;bss address
00018b64: 2228 001c                      MOVE.L   (28,A0),D1            ;bss size
00018b68: 264a                           MOVEA.L  A2,A3
00018b6a: d7c1                           ADDA.L   D1,A3                 ;bss end address
00018b6c: 207a 070c                      MOVEA.L  ($70C,PC) [$1927A],A0
00018b70: d1fa 0700                      ADDA.L   ($700,PC) [$19272],A0
00018b74: b1cb                           CMPA.L   A3,A0
00018b76: 6d00 0004                      BLT      *+$6 [$18B7C]
00018b7a: 2648                           MOVEA.L  A0,A3
00018b7c: 203c 0000 000b                 MOVE.L   #$B,D0
00018b82: 41fa 0036                      LEA      fatalError,A0
00018b86: 43fa fd5c                      LEA      copyProtectionBaseAddress,A1
00018b8a: 2f09                           MOVE.L   A1,-(A7)
00018b8c: 3f20                           MOVE.W   -(A0),-(A7)
00018b8e: 51c8 fffc                      DBF      D0,*-$2 [$18B8C]
00018b92: 207a 06e6                      MOVEA.L  ($6E6,PC) [$1927A],A0
00018b96: d1fc 0000 001c                 ADDA.L   #28,A0                ;text + data code
00018b9c: 203a 06d8                      MOVE.L   ($6D8,PC) [$19276],D0 ;application text+data size
00018ba0: 4ed7                           JMP      (A7)
00018ba2: 22d8                           MOVE.L   (A0)+,(A1)+
00018ba4: 5980                           SUBQ.L   #4,D0
00018ba6: 6a00 fffa                      BPL      *-$4 [$18BA2]
00018baa: 429a                           CLR.L    (A2)+
00018bac: b7ca                           CMPA.L   A2,A3
00018bae: 6e00 fffa                      BGT      *-$4 [$18BAA]
00018bb2: dffc 0000 0018                 ADDA.L   #$18,A7
00018bb8: 4e75                           RTS

fatalError:
00018bba: 227a 06be                      MOVEA.L  ($6BE,PC) [$1927A],A1
00018bbe: 12d8                           MOVE.B   (A0)+,(A1)+
00018bc0: 6600 fffc                      BNE      *-$2 [$18BBE]
00018bc4: 5389                           SUBQ.L   #1,A1
00018bc6: 41fa 072e                      LEA      ($72E,PC) [$192F6],A0 ;" - Press a key"
00018bca: 12d8                           MOVE.B   (A0)+,(A1)+
00018bcc: 6600 fffc                      BNE      *-$2 [$18BCA]
00018bd0: 2009                           MOVE.L   A1,D0
00018bd2: 0800 0000                      BTST     #0,D0
00018bd6: 6700 0004                      BEQ      *+$6 [$18BDC]
00018bda: 5289                           ADDQ.L   #1,A1
00018bdc: 3f21                           MOVE.W   -(A1),-(A7)
00018bde: b3fa 069a                      CMPA.L   ($69A,PC) [$1927A],A1
00018be2: 6600 fff8                      BNE      *-$6 [$18BDC]

; copy fail text onto the stack and jump into this routine, it erases the copy protection routine
; and prints a fail text.
00018be6: 2c4f                           MOVEA.L  A7,A6
00018be8: 203c 0000 000d                 MOVE.L   #13,D0
00018bee: 41fa 0036                      LEA      ($36,PC) [$18C26],A0
00018bf2: 3f20                           MOVE.W   -(A0),-(A7)
00018bf4: 51c8 fffc                      DBF      D0,*-$2 [$18BF2]
00018bf8: 41fa fcea                      LEA      copyProtectionBaseAddress,A0
00018bfc: 227a 067c                      MOVEA.L  ($67C,PC) [$1927A],A1
00018c00: 93c8                           SUBA.L   A0,A1
00018c02: 203a 066e                      MOVE.L   ($66E,PC) [$19272],D0
00018c06: d089                           ADD.L    A1,D0
00018c08: 4ed7                           JMP      (A7)

00018c0a: 4218                           CLR.B    (A0)+
00018c0c: 51c8 fffc                      DBF      D0,*-$2 [$18C0A]
00018c10: 2f0e                           MOVE.L   A6,-(A7)
00018c12: 3f3c 0009                      MOVE.W   #9,-(A7)
00018c16: 4e41                           TRAP     #1
00018c18: 5c8f                           ADDQ.L   #6,A7
00018c1a: 3f3c 0001                      MOVE.W   #1,-(A7)
00018c1e: 4e41                           TRAP     #1
00018c20: 548f                           ADDQ.L   #2,A7
00018c22: 4267                           CLR.W    -(A7)
00018c24: 4e41                           TRAP     #1


checkFloppyProtection:
00018c26: 6100 05b4                      BSR      GEMDOS_Dgetdrv
00018c2a: 41fa 062a                      LEA      ($62A,PC) [$19256],A0
00018c2e: 3140 0000                      MOVE.W   D0,(0,A0)                 ;floppy drive
00018c32: b07c 0002                      CMP.W    #2,D0
00018c36: 6d00 001a                      BLT      *+$1C [$18C52]
00018c3a: 317c 0000 0000                 MOVE.W   #0,(0,A0)                 ;floppy drive = A
00018c40: 6100 0022                      BSR      checkProtectionDrive
00018c44: 6700 001c                      BEQ      *+$1E [$18C62]
00018c48: 41fa 060c                      LEA      ($60C,PC) [$19256],A0
00018c4c: 317c 0001 0000                 MOVE.W   #1,(0,A0)                 ;floppy drive = B
00018c52: 6100 0010                      BSR      checkProtectionDrive
00018c56: 6700 000a                      BEQ      *+$C [$18C62]
00018c5a: 41fa 066a                      LEA      ($66A,PC) [$192C6],A0     ;"[ESC]lThis disc is a copy"
00018c5e: 6000 ff5a                      BRA      fatalError
00018c62: 4e75                           RTS

checkProtectionDrive:
00018c64: 41fa 05f0                      LEA      ($5F0,PC) [$19256],A0
00018c68: 217a 0610 0002                 MOVE.L   ($610,PC) [$1927A],(2,A0) [$19258] ;FDC Buffer
00018c6e: 317c 00e0 0008                 MOVE.W   #$E0,(8,A0) [$1925E]      ;Read Track
00018c74: 41fa 05e0                      LEA      ($5E0,PC) [$19256],A0
00018c78: 317c 004f 000a                 MOVE.W   #$4F,(10,A0) [$19260]     ;Track 79
00018c7e: 6100 0144                      BSR      scheduleFDCCommand
00018c82: 243a 05e6                      MOVE.L   ($5E6,PC) [$1926A],D2     ;end address of the DMA
00018c86: 94ba 05d0                      SUB.L    ($5D0,PC) [$19258],D2     ;- start address of the DMA = length of the track
00018c8a: 6100 00d4                      BSR      testTrack79
00018c8e: 43fa 05f2                      LEA      ($5F2,PC) [$19282],A1     ;copy protection checksum
00018c92: 3282                           MOVE.W   D2,(A1)                   ;track length (filtered by valid values, should be $1746)
00018c94: 383c 0002                      MOVE.W   #2,D4                     ;try 3 times!
00018c98: 41fa 05bc                      LEA      ($5BC,PC) [$19256],A0
00018c9c: 317c 0000 000a                 MOVE.W   #0,(10,A0) [$19260]       ;Track 0
00018ca2: 6100 0120                      BSR      scheduleFDCCommand
00018ca6: 6100 0084                      BSR      testTrack0
00018caa: 57cc ffec                      DBEQ     D4,*-$12 [$18C98]

00018cae: 40e7                           MOVE     SR,-(A7)
00018cb0: 3f3c 0001                      MOVE.W   #1,-(A7)                  ;count
00018cb4: 4267                           CLR.W    -(A7)                     ;side
00018cb6: 4267                           CLR.W    -(A7)                     ;track
00018cb8: 3f3c 0001                      MOVE.W   #1,-(A7)                  ;sector
00018cbc: 3f3a 0598                      MOVE.W   ($598,PC) [$19256],-(A7)  ;devno = floppy drive
00018cc0: 42a7                           CLR.L    -(A7)                     ;filler
00018cc2: 2f3a 05b6                      MOVE.L   ($5B6,PC) [$1927A],-(A7)  ;FDC Buffer
00018cc6: 3f3c 0008                      MOVE.W   #8,-(A7)
00018cca: 4e4e                           TRAP     #$E
00018ccc: dffc 0000 0014                 ADDA.L   #$14,A7
00018cd2: 44df                           MOVE     (A7)+,CCR
00018cd4: 6600 000c                      BNE      *+$E [$18CE2]
00018cd8: 207a 05a0                      MOVEA.L  ($5A0,PC) [$1927A],A0
00018cdc: 0c68 f5f7 0008                 CMPI.W   #$F5F7,(8,A0)             ;Byte 8 and 9 in the boot sector should contain these bytes
00018ce2: 4e75                           RTS

track0SearchSector1:
00018ce4: 323a 057a                      MOVE.W   ($57A,PC) [$19260],D1     ;track number
00018ce8: 207a 0590                      MOVEA.L  ($590,PC) [$1927A],A0     ;buffer
00018cec: 4280                           CLR.L    D0
00018cee: 0c30 00fe 0000                 CMPI.B   #$FE,(0,A0,D0.W)          ;ID Address Mark
00018cf4: 6600 0028                      BNE      *+$2A [$18D1E]
00018cf8: b230 0001                      CMP.B    (1,A0,D0.W),D1            ;Track Number
00018cfc: 6600 0020                      BNE      *+$22 [$18D1E]
00018d00: 0c30 0000 0002                 CMPI.B   #0,(2,A0,D0.W)            ;Side = 0
00018d06: 6600 0016                      BNE      *+$18 [$18D1E]
00018d0a: 0c30 0001 0003                 CMPI.B   #1,(3,A0,D0.W)            ;Sector = 1
00018d10: 6600 000c                      BNE      *+$E [$18D1E]
00018d14: 0c30 0002 0004                 CMPI.B   #2,(4,A0,D0.W)            ;Sector Length = 2 (512 bytes)
00018d1a: 6700 000e                      BEQ      *+$10 [$18D2A]
00018d1e: 5280                           ADDQ.L   #1,D0
00018d20: b07c 1900                      CMP.W    #$1900,D0
00018d24: 6600 ffc8                      BNE      *-$36 [$18CEE]
00018d28: 7001                           MOVEQ    #1,D0
00018d2a: 4e75                           RTS

testTrack0:
00018d2c: 6100 ffb6                      BSR      track0SearchSector1       ;D0 should point the the Address Mark of the first sector
00018d30: 662c                           BNE.S    *+$2E [$18D5E]
00018d32: 323c ffff                      MOVE.W   #-1,D1
00018d36: 5280                           ADDQ.L   #1,D0
00018d38: 5281                           ADDQ.L   #1,D1
00018d3a: 0c30 004e 0006                 CMPI.B   #$4E,(6,A0,D0.W)          ;skip GAP 3a
00018d40: 6700 fff4                      BEQ      *-$A [$18D36]
00018d44: b27c 0020                      CMP.W    #32,D1                    ;should be exactly 32 bytes long! (normal is 22)
00018d48: 6600 0014                      BNE      *+$16 [$18D5E]
00018d4c: 1230 0006                      MOVE.B   (6,A0,D0.W),D1
00018d50: e149                           LSL.W    #8,D1                     ;$561E follow right after that
00018d52: 1230 0007                      MOVE.B   (7,A0,D0.W),D1
00018d56: 43fa 052a                      LEA      ($52A,PC) [$19282],A1     ;copy protection checksum
00018d5a: d351                           ADD.W    D1,(A1)                   ;$561e + $1746 == $6d64 ('md')
00018d5c: 7000                           MOVEQ    #0,D0
00018d5e: 4e75                           RTS

testTrack79:    // D2 should be 0x1738, should return $1746 in D2
00018d60: 41fa 0018                      LEA      ($18,PC) [$18D7A],A0
00018d64: b458                           CMP.W    (A0)+,D2
00018d66: 6cfc                           BGE.S    *-$2 [$18D64]
00018d68: 3220                           MOVE.W   -(A0),D1          ;max
00018d6a: 9260                           SUB.W    -(A0),D1          ;min
00018d6c: e249                           LSR.W    #1,D1
00018d6e: d250                           ADD.W    (A0),D1           ;val = (max - min) / 2 + min
00018d70: b441                           CMP.W    D1,D2             ;closer to previous value?
00018d72: 6d02                           BLT.S    *+$4 [$18D76]     ;then return min
00018d74: 4a58                           TST.W    (A0)+
00018d76: 3410                           MOVE.W   (A0),D2           ;else return max
00018d78: 4e75                           RTS
00018D7A: DC.W $0000,$1746,$17d1,$186a,$190a,$19b2,$1a64,$1b20,$7fff


disableMFPInterrupts:
00018d8c: 7800                           MOVEQ    #0,D4
00018d8e: 41fa 0016                      LEA      ($16,PC) [$18DA6],A0
00018d92: 3030 4000                      MOVE.W   (0,A0,D4.W),D0
00018d96: 6700 000c                      BEQ      *+$E [$18DA4]
00018d9a: 6100 001c                      BSR      *+$1E [$18DB8]
00018d9e: 5484                           ADDQ.L   #2,D4
00018da0: 6000 ffec                      BRA      *-$12 [$18D8E]
00018da4: 4e75                           RTS
00018DA6: DC.W 1,2,4,9,10,11,12,14,0
00018db8: 3f00                           MOVE.W   D0,-(A7)
00018dba: 3f3c 001a                      MOVE.W   #$1A,-(A7)
00018dbe: 4e4e                           TRAP     #$E                   ;Jdisint(number)
00018dc0: 588f                           ADDQ.L   #4,A7
00018dc2: 4e75                           RTS



scheduleFDCCommand:
00018dc4: 48e7 ff7e                      MOVEM.L  D0-D7/A1-A6,-(A7)
00018dc8: 43fa 049a                      LEA      ($49A,PC) [$19264],A1
00018dcc: 6100 0420                      BSR      GEMDOS_SuperOn
00018dd0: 50f9 0000 043e                 ST.B     $43E
00018dd6: 6100 037e                      BSR      select
00018dda: 6100 005a                      BSR      *+$5C [$18E36]
00018dde: 6700 0036                      BEQ      *+$38 [$18E16]
00018de2: 4a71 5000                      TST.W    (0,A1,D5.W)       ;track position for drive valid?
00018de6: 6a00 001c                      BPL      *+$1E [$18E04]    ;=> yes
00018dea: 6100 028e                      BSR      fdcRestore
00018dee: 6700 0014                      BEQ      *+$16 [$18E04]
00018df2: 7c0a                           MOVEQ    #$0A,D6           ;Restore with no spin-up, but with verify
00018df4: 6100 025a                      BSR      executeFDCCommandD6
00018df8: 6600 001c                      BNE      *+$1E [$18E16]
00018dfc: 6100 027c                      BSR      fdcRestore
00018e00: 6600 0014                      BNE      *+$16 [$18E16]

00018e04: 6100 0246                      BSR      executeFDCcommand
00018e08: 0c68 0069 0008                 CMPI.W   #$69,(8,A0) [$1925E]
00018e0e: 6700 0006                      BEQ      *+$8 [$18E16]
00018e12: 6100 007a                      BSR      *+$7C [$18E8E]
00018e16: 6100 032e                      BSR      deselect
00018e1a: 4279 0000 043e                 CLR.W    $43E
00018e20: 6100 0402                      BSR      GEMDOS_SuperOff
00018e24: 3028 0006                      MOVE.W   (6,A0) [$1925C],D0
00018e28: e348                           LSL.W    #1,D0
00018e2a: 31a9 0004 000a                 MOVE.W   (4,A1),(10,A0,D0.W) [$19260]
00018e30: 4cdf 7eff                      MOVEM.L  (A7)+,D0-D7/A1-A6
00018e34: 4e75                           RTS

00018e36: 0c68 007a 0008                 CMPI.W   #$7A,(8,A0) [$1925E]
00018e3c: 6700 000e                      BEQ      *+$10 [$18E4C]
00018e40: 0c68 007d 0008                 CMPI.W   #$7D,(8,A0) [$1925E]
00018e46: 6700 0018                      BEQ      *+$1A [$18E60]
00018e4a: 4e75                           RTS

00018e4c: 6100 0026                      BSR      *+$28 [$18E74]
00018e50: 6600 0008                      BNE      *+$A [$18E5A]
00018e54: 33a8 000c 0000                 MOVE.W   (12,A0),(0,A1,D0.W)
00018e5a: 003c 0004                      ORI      #$4,CCR
00018e5e: 4e75                           RTS

00018e60: 6100 0012                      BSR      *+$14 [$18E74]
00018e64: 6600 0008                      BNE      *+$A [$18E6E]
00018e68: 3171 0000 000c                 MOVE.W   (0,A1,D0.W),(12,A0)
00018e6e: 003c 0004                      ORI      #$4,CCR
00018e72: 4e75                           RTS

00018e74: 303c 0000                      MOVE.W   #0,D0
00018e78: 0c68 0012 000a                 CMPI.W   #$12,(10,A0) [$19260]      ; Drive A
00018e7e: 6700 000c                      BEQ      *+$E [$18E8C]
00018e82: 303c 0002                      MOVE.W   #2,D0
00018e86: 0c68 001a 000a                 CMPI.W   #$1A,(10,A0) [$19260]      ; Drive B
00018e8c: 4e75                           RTS

00018e8e: 0c68 00e0 0008                 CMPI.W   #$E0,(8,A0) [$1925E]       ;read track
00018e94: 6700 008e                      BEQ      *+$90 [$18F24]
00018e98: 0c68 00f0 0008                 CMPI.W   #$F0,(8,A0) [$1925E]       ;write track
00018e9e: 6700 0018                      BEQ      *+$1A [$18EB8]
00018ea2: 0c68 0053 0008                 CMPI.W   #$53,(8,A0) [$1925E]       ;write sector
00018ea8: 6700 0088                      BEQ      *+$8A [$18F32]
00018eac: 0c68 005d 0008                 CMPI.W   #$5D,(8,A0) [$1925E]       ;???
00018eb2: 6700 00f4                      BEQ      *+$F6 [$18FA8]
00018eb6: 4e75                           RTS

00018eb8: 3c3c 00f0                      MOVE.W   #$F0,D6
00018ebc: 6100 0174                      BSR      dmaWriteMode
00018ec0: 33fc 001f 00ff 8604            MOVE.W   #$1F,$FF8604
00018ec8: 33fc 0180 00ff 8606            MOVE.W   #$180,$FF8606
00018ed0: 6100 0228                      BSR      wrfdc
00018ed4: 2e3c 0004 0000                 MOVE.L   #$40000,D7
00018eda: 0839 0005 00ff fa01            BTST     #5,$FFFA01
00018ee2: 6700 0014                      BEQ      *+$16 [$18EF8]
00018ee6: 5387                           SUBQ.L   #1,D7
00018ee8: 6600 fff0                      BNE      *-$E [$18EDA]
00018eec: 6100 0220                      BSR      forceInterrupt
00018ef0: 7e01                           MOVEQ    #1,D7
00018ef2: 3347 0004                      MOVE.W   D7,(4,A1)
00018ef6: 4e75                           RTS
00018ef8: 33fc 0190 00ff 8606            MOVE.W   #$190,$FF8606
00018f00: 3039 00ff 8606                 MOVE.W   $FF8606,D0
00018f06: 0800 0000                      BTST     #0,D0
00018f0a: 6700 ffe4                      BEQ      *-$1A [$18EF0]
00018f0e: 33fc 0180 00ff 8606            MOVE.W   #$180,$FF8606
00018f16: 6100 020e                      BSR      readfdc
00018f1a: 0247 0044                      ANDI.W   #$44,D7
00018f1e: 3347 0004                      MOVE.W   D7,(4,A1)
00018f22: 4e75                           RTS


00018f24: 3c3c 00e0                      MOVE.W   #$E0,D6           ;read track
00018f28: 247c 0000 2c00                 MOVEA.L  #$2C00,A2         ;maximum number of bytes
00018f2e: 6000 001a                      BRA      *+$1C [$18F4A]

00018f32: 33fc 0084 00ff 8606            MOVE.W   #$84,$FF8606      ;FDC Sector Register
00018f3a: 3c28 000c                      MOVE.W   (12,A0) [$19262],D6 ;sector number
00018f3e: 6100 01ba                      BSR      wrfdc
00018f42: 3c3c 0090                      MOVE.W   #$90,D6           ;write sector
00018f46: 3468 000e                      MOVEA.W  (14,A0) [$19264],A2 ;number of bytes


00018f4a: 6100 00cc                      BSR      dmaReadMode
00018f4e: 33fc 0016 00ff 8604            MOVE.W   #$16,$FF8604
00018f56: d5e8 0002                      ADDA.L   (2,A0) [$19258],A2 ;end address of the buffer
00018f5a: 33fc 0080 00ff 8606            MOVE.W   #$80,$FF8606
00018f62: 6100 0196                      BSR      wrfdc
00018f66: 2e3c 0004 0000                 MOVE.L   #$40000,D7
00018f6c: 137c 0000 0006                 MOVE.B   #0,(6,A1)

00018f72: 0839 0005 00ff fa01            BTST     #5,$FFFA01        ;wait for the FDC to complete
00018f7a: 6700 008a                      BEQ      fdcDone
00018f7e: 1379 00ff 8609 0007            MOVE.B   $FF8609,(7,A1) [$1926A+1]
00018f86: 1379 00ff 860b 0008            MOVE.B   $FF860B,(8,A1) [$1926A+2]    ;or the end address being reached
00018f8e: 1379 00ff 860d 0009            MOVE.B   $FF860D,(9,A1) [$1926A+3]
00018f96: b5e9 0006                      CMPA.L   (6,A1) [$1926A],A2
00018f9a: 6f00 0066                      BLE      *+$68 [$19002]
00018f9e: 5387                           SUBQ.L   #1,D7             ;or a timeout
00018fa0: 6600 ffd0                      BNE      *-$2E [$18F72]
00018fa4: 6700 005c                      BEQ      fdcTimeout

00018fa8: 33fc 0080 00ff 8606            MOVE.W   #$80,$FF8606
00018fb0: 6100 0182                      BSR      waitl
00018fb4: 3e39 00ff 8604                 MOVE.W   $FF8604,D7
00018fba: 0247 0002                      ANDI.W   #2,D7
00018fbe: 6700 fff4                      BEQ      *-$A [$18FB4]
00018fc2: 6100 0054                      BSR      dmaReadMode
00018fc6: 33fc 0001 00ff 8604            MOVE.W   #1,$FF8604
00018fce: 33fc 0080 00ff 8606            MOVE.W   #$80,$FF8606
00018fd6: 3828 000c                      MOVE.W   (12,A0) [$19262],D4
00018fda: 3c3c 00c0                      MOVE.W   #$C0,D6           ;Read Address
00018fde: 2e3c 0004 0000                 MOVE.L   #$40000,D7
00018fe4: 6100 0114                      BSR      wrfdc
00018fe8: 0839 0005 00ff fa01            BTST     #5,$FFFA01
00018ff0: 6700 000c                      BEQ      *+$E [$18FFE]
00018ff4: 5387                           SUBQ.L   #1,D7
00018ff6: 6700 000a                      BEQ      *+$C [$19002]
00018ffa: 6000 ffec                      BRA      *-$12 [$18FE8]
00018ffe: 51cc ffda                      DBF      D4,*-$24 [$18FDA]

fdcTimeout:
00019002: 6100 010a                      BSR      forceInterrupt

fdcDone:
00019006: 33fc 0080 00ff 8606            MOVE.W   #$80,$FF8606
0001900e: 6100 0116                      BSR      readfdc
00019012: 3347 0004                      MOVE.W   D7,(4,A1)
00019016: 4e75                           RTS

dmaReadMode:
00019018: 33fc 0090 00ff 8606            MOVE.W   #$90,$FF8606
00019020: 33fc 0190 00ff 8606            MOVE.W   #$190,$FF8606
00019028: 33fc 0090 00ff 8606            MOVE.W   #$90,$FF8606
00019030: 4e75                           RTS

dmaWriteMode:
00019032: 33fc 0190 00ff 8606            MOVE.W   #$190,$FF8606
0001903a: 33fc 0090 00ff 8606            MOVE.W   #$90,$FF8606
00019042: 33fc 0190 00ff 8606            MOVE.W   #$190,$FF8606
0001904a: 4e75                           RTS

executeFDCcommand:
0001904c: 3c28 000a                      MOVE.W   (10,A0) [$19260],D6
executeFDCCommandD6:
00019050: 4a46                           TST.W    D6
00019052: 6700 0026                      BEQ      fdcRestore
00019056: 33fc 0086 00ff 8606            MOVE.W   #$86,$FF8606
0001905e: 6100 009a                      BSR      wrfdc
00019062: 3c3c 0010                      MOVE.W   #$10,D6
00019066: 6100 0038                      BSR      doFDCCommand
0001906a: 6600 000c                      BNE      *+$E [$19078]
0001906e: 3c28 000a                      MOVE.W   (10,A0) [$19260],D6
00019072: 3386 5000                      MOVE.W   D6,(0,A1,D5.W)    ;store track position for drive
00019076: 4246                           CLR.W    D6
00019078: 4e75                           RTS

fdcRestore:
0001907a: 4246                           CLR.W    D6
0001907c: 6100 0022                      BSR      doFDCCommand
00019080: 0807 0002                      BTST     #2,D7             ;Track 0 indicator
00019084: 0a3c 0004                      EORI     #$4,CCR
00019088: 6600 0014                      BNE      *+$16 [$1909E]
0001908c: 33fc 0082 00ff 8606            MOVE.W   #$82,$FF8606
00019094: 7c00                           MOVEQ    #0,D6
00019096: 6100 0062                      BSR      wrfdc             ;Set Track Register to 0
0001909a: 4271 5000                      CLR.W    (0,A1,D5.W)       ;reset track position for drive
0001909e: 4e75                           RTS

doFDCCommand:
000190a0: 3039 0000 0440                 MOVE.W   $440,D0           ;seekrate (0 - 6ms, 1 - 12ms, 2 - 2ms, 3 - 3ms (default))
000190a6: 0200 0003                      ANDI.B   #3,D0
000190aa: 8c00                           OR.B     D0,D6
000190ac: 2e3c 0004 0000                 MOVE.L   #$40000,D7
000190b2: 33fc 0080 00ff 8606            MOVE.W   #$80,$FF8606      ;FDC Status
000190ba: 6100 006a                      BSR      readfdc
000190be: 0800 0007                      BTST     #7,D0             ;Motor already on?
000190c2: 6600 0008                      BNE      *+$A [$190CC]
000190c6: 2e3c 0006 0000                 MOVE.L   #$60000,D7        ;no => longer timeout
000190cc: 6100 002c                      BSR      wrfdc
000190d0: 5387                           SUBQ.L   #1,D7
000190d2: 6700 001e                      BEQ      *+$20 [$190F2]
000190d6: 0839 0005 00ff fa01            BTST     #5,$FFFA01
000190de: 6600 fff0                      BNE      *-$E [$190D0]
000190e2: 33fc 0080 00ff 8606            MOVE.W   #$80,$FF8606
000190ea: 6100 003a                      BSR      readfdc
000190ee: 4246                           CLR.W    D6
000190f0: 4e75                           RTS
000190f2: 6100 001a                      BSR      forceInterrupt
000190f6: 7c01                           MOVEQ    #1,D6
000190f8: 4e75                           RTS

wrfdc:
000190fa: 6100 0038                      BSR      waitl
000190fe: 33c6 00ff 8604                 MOVE.W   D6,$FF8604
00019104: 6000 002e                      BRA      waitl

delayD7:
00019108: 51cf fffe                      DBF      D7,delayD7
0001910c: 4e75                           RTS

forceInterrupt:
0001910e: 33fc 0080 00ff 8606            MOVE.W   #$80,$FF8606
00019116: 3c3c 00d0                      MOVE.W   #$D0,D6
0001911a: 6100 ffde                      BSR      wrfdc
0001911e: 3e3c 000f                      MOVE.W   #15,D7
00019122: 6100 ffe4                      BSR      delayD7

readfdc:
00019126: 6100 000c                      BSR      waitl
0001912a: 3e39 00ff 8604                 MOVE.W   $FF8604,D7
00019130: 0247 007f                      ANDI.W   #$7F,D7

waitl:
00019134: 40e7                           MOVE     SR,-(A7)
00019136: 3f07                           MOVE.W   D7,-(A7)
00019138: 3e3c 0020                      MOVE.W   #$20,D7
0001913c: 51cf fffe                      DBF      D7,*-$0 [$1913C]
00019140: 3e1f                           MOVE.W   (A7)+,D7
00019142: 46df                           MOVE     (A7)+,SR
00019144: 4e75                           RTS

deselect:
00019146: 3e3c 3a98                      MOVE.W   #15000,D7
0001914a: 6100 ffbc                      BSR      delayD7
0001914e: 103c 0007                      MOVE.B   #7,D0
00019152: 6000 0064                      BRA      *+$66 [$191B8]

select:
00019156: 3028 0000                      MOVE.W   (0,A0),D0
0001915a: 6a00 0006                      BPL      *+$8 [$19162]
0001915e: 6100 007c                      BSR      GEMDOS_Dgetdrv
00019162: 0240 0003                      ANDI.W   #3,D0
00019166: 1a00                           MOVE.B   D0,D5
00019168: 0200 0001                      ANDI.B   #1,D0
0001916c: 5200                           ADDQ.B   #1,D0
0001916e: e308                           LSL.B    #1,D0
00019170: 0805 0001                      BTST     #1,D5
00019174: 6700 0006                      BEQ      *+$8 [$1917C]
00019178: 0000 0001                      ORI.B    #1,D0
0001917c: 0a00 0007                      EORI.B   #7,D0
00019180: 0200 0007                      ANDI.B   #7,D0
00019184: 6100 0032                      BSR      *+$34 [$191B8]
00019188: 13e8 0005 00ff 860d            MOVE.B   (5,A0),$FF860D
00019190: 13e8 0004 00ff 860b            MOVE.B   (4,A0),$FF860B
00019198: 13e8 0003 00ff 8609            MOVE.B   (3,A0),$FF8609
000191a0: 0245 0001                      ANDI.W   #1,D5
000191a4: e34d                           LSL.W    #1,D5
000191a6: 3c31 5000                      MOVE.W   (0,A1,D5.W),D6    ;track position for drive
000191aa: 33fc 0082 00ff 8606            MOVE.W   #$82,$FF8606      ;set track register
000191b2: 6100 ff46                      BSR      wrfdc
000191b6: 4e75                           RTS

000191b8: 40e7                           MOVE     SR,-(A7)
000191ba: 007c 0700                      ORI      #$700,SR
000191be: 13fc 000e 00ff 8800            MOVE.B   #$E,$FF8800
000191c6: 1239 00ff 8800                 MOVE.B   $FF8800,D1
000191cc: 0201 00f8                      ANDI.B   #$F8,D1
000191d0: 8200                           OR.B     D0,D1
000191d2: 13c1 00ff 8802                 MOVE.B   D1,$FF8802
000191d8: 46df                           MOVE     (A7)+,SR
000191da: 4e75                           RTS

GEMDOS_Dgetdrv:
000191dc: 48e7 7ffe                      MOVEM.L  D1-D7/A0-A6,-(A7)
000191e0: 3f3c 0019                      MOVE.W   #$19,-(A7)
000191e4: 4e41                           TRAP     #1
000191e6: 548f                           ADDQ.L   #2,A7
000191e8: 4cdf 7ffe                      MOVEM.L  (A7)+,D1-D7/A0-A6
000191ec: 4e75                           RTS

GEMDOS_SuperOn:
000191ee: 48e7 00c0                      MOVEM.L  A0-A1,-(A7)
000191f2: 2f3c 0000 0001                 MOVE.L   #1,-(A7)
000191f8: 3f3c 0020                      MOVE.W   #$20,-(A7)
000191fc: 4e41                           TRAP     #1
000191fe: dffc 0000 0006                 ADDA.L   #6,A7
00019204: 4a40                           TST.W    D0
00019206: 6600 0016                      BNE      *+$18 [$1921E]
0001920a: 42a7                           CLR.L    -(A7)
0001920c: 3f3c 0020                      MOVE.W   #$20,-(A7)
00019210: 4e41                           TRAP     #1
00019212: dffc 0000 0006                 ADDA.L   #6,A7
00019218: 41fa 0054                      LEA      ($54,PC) [$1926E],A0
0001921c: 2080                           MOVE.L   D0,(A0)
0001921e: 4cdf 0300                      MOVEM.L  (A7)+,A0-A1
00019222: 4e75                           RTS

GEMDOS_SuperOff:
00019224: 48e7 00c0                      MOVEM.L  A0-A1,-(A7)
00019228: 2f3c 0000 0001                 MOVE.L   #1,-(A7)
0001922e: 3f3c 0020                      MOVE.W   #$20,-(A7)
00019232: 4e41                           TRAP     #1
00019234: dffc 0000 0006                 ADDA.L   #6,A7
0001923a: 4a40                           TST.W    D0
0001923c: 6700 0012                      BEQ      *+$14 [$19250]
00019240: 2f3a 002c                      MOVE.L   ($2C,PC) [$1926E],-(A7)
00019244: 3f3c 0020                      MOVE.W   #$20,-(A7)
00019248: 4e41                           TRAP     #1
0001924a: dffc 0000 0006                 ADDA.L   #6,A7
00019250: 4cdf 0300                      MOVEM.L  (A7)+,A0-A1
00019254: 4e75                           RTS

BEFORE:
A0:
0 $19256: DC.W $ffff
2 $19258: DC.L $ffffffff
6 $1925C: DC.W $0001
8 $1925E: DC.W $00e0
10 $19260: DC.W $0000
12 $19262: DC.W $0000

A1:
$19264: DC.W $ffff,$ffff
$19268: DC.W $ffff
$1926A: DC.L $00000000
$1926E: DC.L $00000000
$19272: DC.L $00000200
$19276: DC.L $0
$1927A: DC.L $0001fd88
$1927E: DC.L $695cb2a0
$19282: DC.W $0000


$19284: DC.B "arkanoid.PRO",0
$192AC: DC.B "\x1blDisc error loading file",0
$192C6: DC.B "\x1blThis disc is a copy",0
$192DC: DC.B "\x1blData has been corrupted",0
$192F6: DC.B " - Press a key",0,0

$19306: DC.W $0001,$e1f0,$0000
$1930C: DS.B ...            ;buffer

Atari ST Protection: PASTI file format

Files in this format have the extension “.stx”, probably for “ST – eXtended”. This description is valid for files created with PASTI 0.4b BETA.

  • 0x.. is a hex offset to the beginning of the structure
  • .b = a single byte
  • .w = a 16-bit word (little endian!)
  • .l = a 32-bit word (little endian!)

A typical protected file looks like this:

  • File Header
  • Track Header
  • Sector Header
  • Sector Header
  • Sector Header
  • Fuzzy sector mask
  • Track data (either the sectors or the whole track)
  • Track Header
  • Sector Header
  • Sector Header
  • Sector Header
  • Fuzzy sector mask
  • Track data (either the sectors or the whole track)

File header (16 bytes)

  • 0x00 : ‘R’,‘S’,‘Y’,0 – File ID
  • 0x04 : 0x03,0x00 – Probably the version number of the format
  • 0x06 : 1.w
  • 0x08 : 0.w
  • 0x0a : tracks.b (e.g. 80 or 160 for double sided)
  • 0x0b : 1
  • 0x0c : 0.l

After the file header one block for each track is following. Each block also starts with a 16 byte header:

Track Header (16 bytes)

  • 0x00.l : length of the track in bytes. This value plus the current position in the file points to the following track header.
  • 0x04.l : bytes of fuzzy sector mask in this track
  • 0x08.w : number of sectors in the track
  • 0x0A.w : bitmask with flags
  • 0x0C.w : length of the track in bytes (around 6kb is normal)
  • 0x0E.b : track number
  • 0x0F.b : unused in the file

The bitmask for the flags

  • 7 – The track image also contains a sync-offset to the beginning of the first sync marker
  • 6 – If set the track is saved as an image with all gaps via the read track command with the sector content filled in via read sector.
  • 5 – with PASTI 0.4b always set, if Bit 0 is set (= track protected)
  • 4 – unused
  • 3 – unused
  • 2 – unused
  • 1 – unused
  • 0 – If set the track is protected or with a non-standard sectorsize (!= 512 bytes)

If Bit 0 is clear, the track is unprotected and the number of sectors as stored in the track block header are simply saved as 512 byte blocks directly after the header. The track is therefore 16 + 512 * sectors bytes long.

If Bit is set, the header is first followed the sector headers. One for each sector in the track, again 16 bytes per header.

Sector Header (16 bytes)

  • 0x00.l : sector offset inside the track data
  • 0x04.w : position of the sector header relative to the beginning of the track as a time stamp. The position timing is depended on the RPM speed of the drive, but for a ~6250 byte track the value for a full rotation is around 50000 (for 300 rpm). This allows software to simulate the time it takes to find the sector and read it, something certain copy protection schemes test.
  • 0x06.w : read timing of the sector data, certain copy protections write sectors so, that it takes longer to read them. The protection measures the time to read the sector. 16384 is the default value, larger values mean that it takes longer to read the sector than normal. However if the measured value by PASTI is within 2% of this value (16384 +/- 320), the value written to the stx file is 0 as a sign for a stable read speed.
  • 0x08.b : Track number from the address block identifying the sector (typically 0..79)
  • 0x09.b : Side from the address block identifying the sector (typically 0 or 1)
  • 0x0a.b : Sector from the address block identifying the sector (typically 1..9)
  • 0x0b.b : Size of the sector from the address block identifying the sector (typically: 0=128, 1=256, 2=512 or 3=1024 bytes)
  • 0x0c.b : First byte of the CRC over the address block
  • 0x0d.b : Second byte of the CRC over the address block
  • 0x0e.b : FDC status register after reading the sector
  • 0x0f.b : Sector flags, always 0x00

The CRC is a CCITT CRC16 calculated by the FDC. It is initialized with 0xFFFF and includes the sync marks, therefore typically 0xA1,0xA1,0xA1,0xFE plus the 4 bytes from the address block.

The FDC status is typically 0x00. Also common is 0x10 for a sector not found and 0x08 for a CRC error when reading. Bit 7 has a special meaning: it hints that the sector has fuzzy bits and the fuzzy sector mask should be used. If Bit 7 is set, Bit 3 is usually also set, because fuzzy bits will trigger a CRC error inside the sector.

After the sector headers the fuzzy sector mask is following, if the value is != 0 in the track header. The mask identifies the bits that are random in a given sector. The size of the fuzzy sector mask depends on the sector size (from the header) and the number of fuzzy sectors in the track itself. The fuzzy sector mask has bits set for every bit in in the sector, that is not random. Therefore a byte generated with the mask could be calculated like this:

fdcSectorByte[byteOffset] = (sectorData[byteOffset] & fuzzyMask[byteOffset])
                            | (rand() & ~fuzzyMask[byteOffset])`

After the fuzzy sector mask, the sectors are written to the file. If neither Bit 6 or 7 in the track flags is set, only the content of the sectors is written. Again with the sector size in the header taking into consideration. These tracks can be also easily recognized by sector offsets that are always a power of 2 (typically in 512 byte increments), starting at 0.

Following the fuzzy sector mask is the track data area. This area can contain either the sectors by itself, or the complete track image with the sectors embedded, or the complete track with the sectors separate (following the track image). How they are stored is stored in Bit 6 and 7 in the track flags.

If Bit 6 and 7 are clear, there is no track image and the sectors are stored just by order end length – just like the fuzzy sector mask, except this time for all sectors. Warning: sectors can be missing, if only a header was read, but the data was missing. The FDC status has Bit 4 (Record not found) set in this case.

If Bit 6 is set and 7 is clear, the track image is written with a track image header and the sectors follow the track image in the usually order and length. The track image header is just a word (little endian, as usual) that contains the length of the track image.

Bit Bit 6 and 7 is set, the track image is written with a track image header that has two words: the first one is a byte offset to the first 0xA1 address mark sync, the second word is the length of the track image in bytes.

If Bit 7 is set, the sector data is usually merged inside the track image, the sector offsets then point inside the actual track image. However, it is possible for single sectors to have an offset behind the track image, if PASTI couldn’t map them correctly into the track image. A software should always read the sectors based on the sector offset in the sector header.

Atari ST Protection: Spy Vs Spy from Databyte

Another simple, yet efficient protection. Sector 9 in Track 79 is read twice, the EOR checksum has to change, done via “weak” or “fuzzy” bits in the sector. Again: easily defeated with a Floprd() patch.

move.w #$9,d0                                    ; 00CEC0: 303C 0009
bsr .l +$28 {$00CEEE}                            ; 00CEC4: 6100 0028
move.b d0,$cf2c                                  ; 00CEC8: 13C0 0000 CF2C
move.w #$9,d0                                    ; 00CECE: 303C 0009
bsr .l +$1a {$00CEEE}                            ; 00CED2: 6100 001A
move.b $cf2c,d1                                  ; 00CED6: 1239 0000 CF2C
cmp.b d0,d1                                      ; 00CEDC: B200
beq .l +$8 {$00CEE8}                             ; 00CEDE: 6700 0008
move.b #$0,d0                                    ; 00CEE2: 103C 0000
rts                                              ; 00CEE6: 4E75
move.b #$1,d0                                    ; 00CEE8: 103C 0001
rts                                              ; 00CEEC: 4E75
move.w #$1,-(a7)                                 ; 00CEEE: 3F3C 0001
move.w #$0,-(a7)                                 ; 00CEF2: 3F3C 0000
move.w #$4f,-(a7)                                ; 00CEF6: 3F3C 004F
move.w d0,-(a7)                                  ; 00CEFA: 3F00
move.w #$0,-(a7)                                 ; 00CEFC: 3F3C 0000
clr.l -(a7)                                      ; 00CF00: 42A7
move.l #$cf2e,-(a7)                              ; 00CF02: 2F3C 0000 CF2E
move.w #$8,-(a7)                                 ; 00CF08: 3F3C 0008
trap #14                                         ; 00CF0C: 4E4E
adda.l #$14,a7                                   ; 00CF0E: DFFC 0000 0014
lea $cf2e,a0                                     ; 00CF14: 41F9 0000 CF2E
move.w #$10,d1                                   ; 00CF1A: 323C 0010
move.b #$0,d0                                    ; 00CF1E: 103C 0000
move.b (a0)+,d2                                  ; 00CF22: 1418
eor.b d2,d0                                      ; 00CF24: B500
dbra d1,-6 {$00CF22}                             ; 00CF26: 51C9 FFFA
rts                                              ; 00CF2A: 4E75

Waves GTR Ground MIDI Protocol

Waves GTR Ground

This information is also available at GitHub.

The Waves GTR Ground is a MIDI foot controller with 11 buttons and 2 foot pedals. It has three 15-segment LEDs for seven buttons, plus two LEDs and brightness control for the LEDs.

The device is a USB MIDI compliant device with a USB Vendor ID of 0x6824 and a USB Product ID of 0x0100. My device returned Version “ 1.01” and “Waves Audio LTD.” as the Manufacturer. The MIDI properties for my device are:

  • SerialNumber = “Ver. 1.4”;
  • Manufacturer = “Waves Audio LTD.”;
  • Model = “GTR Ground Ver 1.4”;
  • Name = “GTR Ground Ver 1.4”;

The following MIDI events are send from the device:

  • MIDI CC 0x0E = Right Pedal (0x00..0x7F)
  • MIDI CC 0x0F = Left Pedal (0x00..0x7F)
  • MIDI CC 0x10 = Button ‘A’ (0x7F: pushed down, 0x00:released)
  • MIDI CC 0x11 = Button ‘B’ (0x7F: pushed down, 0x00:released)
  • MIDI CC 0x12 = Button ‘C’ (0x7F: pushed down, 0x00:released)
  • MIDI CC 0x13 = Button ‘D’ (0x7F: pushed down, 0x00:released)
  • MIDI CC 0x14 = Button ‘E’ (0x7F: pushed down, 0x00:released)
  • MIDI CC 0x15 = Button ‘F’ (0x7F: pushed down, 0x00:released)
  • MIDI CC 0x16 = Button A/B (0x7F: pushed down, 0x00:released)
  • MIDI CC 0x17 = Button Down (0x7F: pushed down, 0x00:released)
  • MIDI CC 0x18 = Button Up (0x7F: pushed down, 0x00:released)
  • MIDI CC 0x19 = Button Preset/Stomp (0x7F: pushed down, 0x00:released)
  • MIDI CC 0x1A = Button Tuner/Tap Tempo (0x7F: pushed down, 0x00:released)

To control the LEDs on the device, a USB Real Time message can be send to the device: The message is always 48 bytes long, all unused bytes are set to 0x00, the last byte is 0xF7.

0xF0, 0x7F, 0x00, 0x20, 0x66, <type>, <variable data>, 0x00*, 0xF7

An example

All LED segments on for button A (1st event), LED to max brightness (2nd event), both A/B LEDs on (3rd event)

F0 7F 00 20 66 41 00 38 7F 7F 7F 7F 7F 7F 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F7
F0 7F 00 20 66 51 0F 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F7
F0 7F 00 20 66 62 03 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F7

Controlling the LEDs next to A/B button

  • 0x62, 0x01 = B LED on
  • 0x62, 0x02 = A LED on
  • 0x62, 0x03 = A LED and B LED on

Controlling the brightness of the LED displays

  • 0x51, value Brightness for ‘A’
  • 0x52, value Brightness for ‘B’
  • 0x53, value Brightness for ‘C’
  • 0x54, value Brightness for ‘D’
  • 0x55, value Brightness for ‘E’
  • 0x56, value Brightness for ‘F’
  • 0x57, value Brightness for Preset

value =

  • 0x00 .. 0x07 LEDs off
  • 0x08 .. 0x0F Brightness (dark … bright)

Setting the segments in the LED displays

  • 0x41 Set LED Text above the ‘A’ button
  • 0x42 Set LED Text above the ‘B’ button
  • 0x43 Set LED Text above the ‘C’ button
  • 0x44 Set LED Text above the ‘D’ button
  • 0x45 Set LED Text above the ‘E’ button
  • 0x46 Set LED Text above the ‘F’ button
  • 0x47 Set LED Text below the Preset button

There are the 3 15 Segment-LEDs per button:

  -     -     -      A
|\|/| |\|/| |\|/|  BCDEF
 - -   - -   - -    G H
|/|\| |/|\| |/|\|  IJKLM
  - .   - .   - .    N  O
 1st   2nd   3rd

The ‘A’ to ‘O’ above are the references to a specific LED segment.

The format is as followed:

1. Byte
    0x00 (this byte seems to be unused and always 0x00)
2. Byte (by bits)
    6 - (unused)
    5 - Dot behind the 3rd segment
    4 - Dot behind the 2nd segment
    3 - Dot behind the 1st segment
    2 - (unused)
    1 - (unused)
    0 - (unused)
3. Byte (by bits) (1. LED)
    6 - G (left middle bar)
    5 - B
    4 - I
    3 - N (the 6 outside segments, counter clockwise)
    2 - M
    1 - F
    0 - A
4. Byte (by bits)
    6 - J
    5 - K
    4 - L
    3 - E (the 6 inside segments, counter clockwise)
    2 - D
    1 - C
    0 - H (right middle bar)
5. Byte (by bits) (2. LED)
    6 - G (left middle bar)
    5 - B
    4 - I
    3 - N (the 6 outside segments, counter clockwise)
    2 - M
    1 - F
    0 - A
6. Byte (by bits)
    6 - J
    5 - K
    4 - L
    3 - E (the 6 inside segments, counter clockwise)
    2 - D
    1 - C
    0 - H (right middle bar)
7. Byte (by bits) (3. LED)
    6 - G (left middle bar)
    5 - B
    4 - I
    3 - N (the 6 outside segments, counter clockwise)
    2 - M
    1 - F
    0 - A
8. Byte (by bits)
    6 - J
    5 - K
    4 - L
    3 - E (the 6 inside segments, counter clockwise)
    2 - D
    1 - C
    0 - H (right middle bar)

enableATA6

This little kernel extension allows using hard drives with more than 128MB on a Macintosh Cube. It does so by setting the flags for ATA6 inside the driver.

This project is available at GitHub.

enableATA6.h

#include <IOKit/IOService.h>
#include "IOATABlockStorageDriver.h"

class com_sarnau_enableATA6 : public IOATABlockStorageDriver
{
    OSDeclareDefaultStructors ( com_sarnau_enableATA6 )

protected:
    virtual IOReturn    identifyAndConfigureATADevice ( void );
};

enableATA6.cpp

#include "enableATA6.h"

#define super IOATABlockStorageDriver
OSDefineMetaClassAndStructors ( com_sarnau_enableATA6, IOATABlockStorageDriver );

/***
*  This kext overloads the standard IOATABlockStorageDriver (by having a IOProbeScore of 1000)
*
*  We only have to overload the identifyAndConfigureATADevice function and patch a variable
*  to enable LBA support. The problem is the IOATABusInfo class - this class checks the bus
*  interface hardware and detects that the computer is not capable of supporting LBA drives.
*  And so LBA support is disabled in general. There is a good reason to do this, because without
*  this support in the ROM the system can't read the kernel from the drive, if the kernel is
*  beyond the 128MB border. For this reason we should partition a drive and make sure that the
*  boot partition is 127.99 GB or smaller. If we don't boot from this drive, we don't have to
*  partition it.
***/
IOReturn    com_sarnau_enableATA6::identifyAndConfigureATADevice(void)
{
    // call super class (and execute IDENTIFY DEVICE commamd - see ATA6 spec for more information)
    IOReturn    err = super::identifyAndConfigureATADevice();

    // does the drive support the 48 bit command set?
    if(fDeviceIdentifyData[kATAIdentifyCommandSetSupported2] & kATASupports48BitAddressingMask)
    {
        // and is the 48 bit command set really enabled for that drive?
        if(fDeviceIdentifyData[kATAIdentifyCommandsEnabled] & kATASupports48BitAddressingMask)
        {
            // then force the use of the LBA commands in the driver
            fUseExtendedLBA = true;

            // set the "48-bit LBA supported" bit in the "ATA Features" entry in the registry
            // (this seems not to be necessary, but maybe 3rd party software checks the registry)
            fSupportedFeatures |= kIOATAFeature48BitLBA;

            // we don't increase the buffer size, which is normally done by the super class
            // when a LBA drive is recognized. So we are limited to 256 instead of 2048 blocks
            // per read or write.
        }
    }

    return err;
}

PC Protocol of Suunto Spyder

This document describes the transfer protocol and memory layout of these Suunto diving computers:

  • Suunto Sypder

Communication

The protocol uses 2400 8O1, which means 2400 baud with 8 bits, odd parity and 1 stop-bit. The check for the interfaces uses 2400 8N1, but it also works with 2400 8O1. This was the trivial part… But some lines have a special meaning with the interface!

The DTR line should always be set. It is used as a power supply for the interface.

RTS is a toggle for the direction of the half-duplex interface. To send a command to the interface, set RTS. When you await a command, clear RTS. Timing also seems to be critical! To make sure that all data is sent to the interface, before clearing RTS, I wait about 200ms. After clearing RTS, I also have to wait 400ms and use a 500ms timeout for receiving data.

The test for the existance of the interface is simple: the computer sends AT plus a CR ($41, $54, $0D) and awaits the same answer.

Transfer

The protocol for the Suunto Spyder, Vyper and Cobra are identical, but the memory layout of the Spyder is different. All data is send in packages to and from the computer. Every package is followed by a CRC for checksum reasons.

unsigned char checksum = 0x00;
for(int i=0; i<packageLen; ++i)
 checksum ^= package[i];
  • Read memory
    • to Spyder: 05 + addr_high + addr_low + count (1..32) + CRC
    • from Spyder: 05 + addr_high + addr_low + count (1..32) + n Bytes + CRC
  • Write memory
    • to Spyder: 06 + addr_high + addr_low + count (1..31)+ n Bytes + CRC
    • from Spyder: 06 + addr_high + addr_low + count (1..31) + CRC
  • Used before every ‘Write memory’ call
    • to Spyder: 07 + $a5 + CRC
    • from Spyder: 07 + $a5 + CRC
  • Get first dive profile
    • to Spyder: 08 + $a5 + CRC
    • from Spyder: 08 + count (1..32) + n Bytes + CRC (if more than 32 bytes needs to be transmitted, they are split in 32 byte packages)
  • Get next dive profile
    • to Spyder: 09 + $a5 + CRC
    • from Spyder: 09 + count (1..32) + n Bytes + CRC (if more than 32 bytes needs to be transmitted, they are split in 32 byte packages)

The DiveManager Software from Suunto does the following when reading data from a Spyder: – Check for correct computer – Read Memory ($24, 1) – Read the internal memory: – Read Memory ($1E, 14) – Read Memory ($2C, 32) – Read Memory ($53, 30) – Get first dive profile – Get next dive profile – … – If “next dive profile” returns a null package, the end of the log memory is reached.

Memory layout

Default name of the LOG file: ‘‘PROFILE.ACW’’

  offset |     format   |  testvalue  | content
$00-$15 MSB binary unused by the PC software, probably configuration values for the computer
$16-$17 MSB binary $0102 Firmware version of the Spyder (old ACW $0101, new ACW $0102)
$18-$1B MSB binary Serialnumber (new ACW, e.g. $0002.0F7F = 203.967) or ID no. (old ACW, e.g. $2E.61.122E = 469704654) of the Spyder
$1C-$1D MSB binary Ptr to the last $82 byte in the profile ringbuffer
$1E-$1F MSB binary $3F46 max. depth in ft * 128.0
$20-$21 MSB binary total dive time in minutes
$22-$23 MSB binary total number of dives
$24 MSB binary $14 interval (20s, 30s or 60s, Changing ist not allowed by DiveManager software! Why? Marketing?)
$25 MSB binary altitude and personal settings (height (0..2) + 3 * personal (0..2))
$26-$2B MSB binary ? ($0B,$03,$1F,$FF,$1F,$FF : identical on all Suunto computers?)
$2C-$49 ASCII ACW Diver personal information (“ACW Diver”, otherwise filled to the maximum length with spaces)
$4A-$4B MSB binary ? ($01, $01 : identical on all ACW?!? Version of the profile memory?)
$4C-$1FFF MSB binary ring buffer for the profile memory

The ring-buffer is a stream of data, which ends at the position, that is marked in the header. At this position the computer starts writing the information from the next dive. If the write pointer reaches the value $2000, it jumps back to $4C.

Format for one dive

offset format description
0 MSB binary unknown — air preassure at the end of the dive?
1 MSB binary temperature in degress celcius.
2… binary profile data from the end to the beginning of the dive,this means reverse order!
n MSB binary minutes at the beginning of the dive
n + 1 MSB binary hours at the beginning of the dive
n + 2 MSB binary day at the beginning of the dive
n + 3 MSB binary month at the beginning of the dive
n + 4 MSB binary year at the beginning of the dive (90..99 = 1990..1999, 00..89 = 2000..2089)
n + 5 MSB binary altitude and personal settings (height (0..2) + 3 * personal (0..2))
n + 6 MSB binary unknown — air preassure at the beginning of the dive?
n + 7 MSB binary interval (20s, 30s or 60s)
n + 8 MSB binary dive number in the Spyder (for repetitive dives)
n + 9 MSB binary hours of the surface interval
n + 10 MSB binary minutes of the surface interval

Profile information

The profile data is a stream of bytes. Every minute (or 30s or 20s – see the profile interval) a byte is recorded. This byte is the delta depth in ft to the last depth! E.g. you start your dive at a depth of 0 feet go down to 30ft in a minute, so the value is –30ft (because you go 30ft down) or $E2 in binary, if you then go up to 20ft, the next value will be +10ft (because you go 10ft up) or $0A in binary.

Some values have special meanings:

Byte Type Description
$7d Surfaced you have reached the surface while (or after) the dive
$7e ASC dive now is a decompression dive
$7f ERR decompression missed
$80 End end of the dive. The next byte is n + 1 in the format description of the dive.
$81 Slow Slow warning while the dive. If the dive ends with $7d8180 (Surfaced, Slow, End) it means, you finished the dive with a blinking SLOW warning in the display.
$82 End of data set after the last dive (written after the dive as a marker, so technically not profile information)

Necessary conversions

meter = (int)(feet * 0.3048 * 10) / 10
psi = bar * 14.50377377
fahrenheit = celcius * 1.8 + 32

Altitude:

value meters feet
0 700m 2300ft
1 1500m 5000ft
2 2400m 8000ft

ATTN: the computers don’t round after the 2. digit, when calculating feet => meter! They cut it after the 2. digit. This results to the modified formula.