8) Enlightenment

Fall 1985

After Bug Attack, I decided to dig a little deeper. I hadn’t really explored any of the ROM code that ships in the computer. In fact, I’d never gotten around to learning the boot-loader that had inspired me. Now seemed like the time!

It was another personal quest. The ultimate goal was to see if I could learn enough to reproduce what that cracker had done years before. I could have gone to the boards and looked up how, but that wasn’t the point. I wanted to reconstruct the knowledge from first principles. From analyzing and uncovering how the computer actually worked.

I started with the boot code. I thought it would be cool to figure out how it made the drive move. I really had no idea how it worked. I just knew where it started.

Each peripheral card was allotted two sections of memory. The first depended upon which slot the card was plugged into. The disk drive’s interface was traditionally plugged into slot 6. That meant memory locations C600-C6FF. It was only 256 bytes, so it seemed a trivial task. The second memory space was fixed in memory and shared among the cards. When code in the card’s first block was executed it told the machine to bank-switch the 2K of code in its second block. I knew the theory; now it was time to understand the practice.

I started it as a puzzle just like I did Bug Attack. I had the monitor disassemble and list the code starting at C600. I gave it a cursory look and I kept disassembling until I found the RTS that marked the end of the section. Once I knew its basics I went back to the beginning and listed it to the printer. That way I had a place to make notes. Then on the printout I circled each JSR, JMP, or branch instruction. Those told you where to look for code next.

It was a simple matter of repetition. Grab a target address from the circled list and start disassembling again. Occasionally I saw the code reference a location as data. I’d print out a section of memory in hex and draw a box around the referenced location. That meant it was data. Everything had to be either code or data. Figuring out which was which was the jigsaw part. Then you just studied the assembled work, appreciating its previously hidden meaning.

As my stack of listings grew, I’d see circled instructions loop back to previous listings. That was doubly gratifying. It meant that circle was already done. Just skip it and move on. Second, it showed the referenced page to be reusable and thus important to read and understand early.

It was one of these loop backs that brought everything to a screeching halt. The code referred back to one of my previous listings, but not to a sensible place. It seemed to be telling the computer to execute at a place that was data, not code. The location in question was marked by the disassembler as an operand. A part of the previous instruction. Clearly I had a mistake somewhere. I assumed the previous listing was wrong, so I started a listing at the new location. It looked perfectly sensible, so I drew a big X on the prior listing and moved on.

I grabbed the next circled address in my list and looked that up. It was impossible. It referred back to a location one byte before the listing I’d just printed. Exactly at the place the crossed out listing had started. It was telling me I had been right the first time. I circled the byte in question on both listings. It was exactly the same. Of course it had to be exactly the same. It was in PROM, an area of memory that couldn’t change.

It was an optical illusion. Like a picture that showed the face of a young girl sometimes, but other times appeared to be an old woman. But computers don’t perceive optical illusions. I had to be making a mistake.

I studied each calling routine to understand what it was trying to do. Each made perfect sense. I could see into the mind of the developer just like before. I studied both versions of the questionable routine. Each performed a slightly different task, but both were exactly what the calling routines were requesting.

That’s when I saw it. No it couldn’t be true. My jaw slacked. Goosebumps rose and my scalp began to tingle as every hair stood straight. It made perfect sense but it seemed impossible. It broke every rule I’d been taught, yet it worked brilliantly. And I knew not only how, but exactly why. I’d seen it. It felt as personal to me as that third day working on my first assembly program. It just had to be.

But how could I know? I just had to know. I searched the shelf for the computer manuals I hadn’t opened in years. I remembered there being schematics. Could there possibly be listings? Not likely. Not since the start of the war. It simply wasn’t done. But just maybe…

Woz had never taken sides in the war. At least he never became a public adversary. He had every reason to, others would say; it was, after all, his livelihood. But he never did. It made Woz my (and everyone else’s) hero. He just quietly carried on making the impossible look easy, then showering his knowledge down from above the fracas.

Yes! It was there! Deep in the back of the reference manual, breaking all industry conventions, was an assembly listing of the ROMs. I frantically flipped pages searching for the line in question. My knees buckled as I saw the two entry points listed one byte apart, exactly as intended. I don’t remember if there was a comment, but I didn’t need one. Doing two things with one byte meant more PROM space for something else. That was a win.

It was like seeing the mind of God.
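The trick the chapter describes, shown with a constructed example rather than the book's or Apple's code: a linear-sweep 6502 disassembler is run from two entry points one byte apart over a hypothetical five-byte PROM image, and the byte at $C601 decodes as an operand from one entry and as an opcode from the other. The opcode table, the ROM bytes and the $C600 base are all assumptions made for the illustration.

```python
# Minimal 6502 linear-sweep disassembler (constructed example, not the book's code).
# Only the handful of opcodes the constructed image needs are in the table.
OPCODES = {
    0xA9: ("LDA", "imm"), 0xA2: ("LDX", "imm"), 0xA0: ("LDY", "imm"),
    0x18: ("CLC", "imp"), 0x38: ("SEC", "imp"), 0xEA: ("NOP", "imp"),
    0x60: ("RTS", "imp"), 0x4C: ("JMP", "abs"), 0x20: ("JSR", "abs"),
    0x8D: ("STA", "abs"), 0x85: ("STA", "zp"),  0x2C: ("BIT", "abs"),
}
SIZES = {"imp": 1, "imm": 2, "zp": 2, "abs": 3}

def disassemble(rom, base, entry):
    """Sweep from `entry` until RTS/JMP or an unknown byte; return (addr, size, text) rows."""
    rows, pc = [], entry - base
    while 0 <= pc < len(rom):
        op = rom[pc]
        if op not in OPCODES:                       # the sweep has walked into data
            rows.append((base + pc, 1, f"??? ${op:02X}"))
            break
        name, mode = OPCODES[op]
        size = SIZES[mode]
        if pc + size > len(rom):                    # operand runs off the end of the image
            break
        arg = rom[pc + 1:pc + size]
        if mode == "imm":   text = f"{name} #${arg[0]:02X}"
        elif mode == "zp":  text = f"{name} ${arg[0]:02X}"
        elif mode == "abs": text = f"{name} ${arg[1]:02X}{arg[0]:02X}"  # little-endian
        else:               text = name
        rows.append((base + pc, size, text))
        pc += size
        if name in ("RTS", "JMP"):                  # end of this routine's straight-line code
            break
    return rows

def shared_bytes(rom, base, entries):
    """Addresses one sweep decodes as an opcode while another sweep covers them as an operand."""
    as_opcode, as_operand = set(), set()
    for entry in entries:
        for addr, size, _ in disassemble(rom, base, entry):
            as_opcode.add(addr)
            as_operand.update(range(addr + 1, addr + size))
    return sorted(as_opcode & as_operand)

# Constructed 5-byte "PROM" image at $C600 (hypothetical; not Apple's ROM bytes).
ROM = bytes([0xA9, 0xA2, 0xA0, 0x18, 0x60])
BASE = 0xC600

if __name__ == "__main__":
    for entry in (BASE, BASE + 1):
        print(f"--- entry ${entry:04X} ---")
        for addr, _, text in disassemble(ROM, BASE, entry):
            print(f"{addr:04X}  {text}")
    print("bytes used as both opcode and operand:", [f"${a:04X}" for a in shared_bytes(ROM, BASE, (BASE, BASE + 1))])
```

Entering at $C600 yields LDA #$A2 / LDY #$18 / RTS; entering at $C601 yields LDX #$A0 / CLC / RTS, with both streams sharing the final RTS, which is the same kind of one-byte-apart entry pair the listing in the manual confirmed.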
