-----------------Alaska---------------- A 4am crack 2015-07-03 --------------------------------------- Name: Alaska Genre: educational Year: 1981 Authors: Larry and Martha Stevens Publisher: Applecart Programs for Education Media: 10 single-sided 5.25-inch discs OS: Pascal Other versions: none (preserved here for the first time) I have 10 disks. - Alaska: The Great Land - First People: Alaska's Natives part 1 - First People: Alaska's Natives part 2 - First People: Alaska's Natives part 3 - First People: Alaska's Natives part 4 - First People: Questions - New People: Russian Exploration - New People: Russian America 1781-1819 - New People: Russian America 1820-1867 - Letters from Alaska Each disk is bootable, and they all appear to be independent of each other. I'll start with "The Great Land." ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup can read track $00, sector $00 but nothing else EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor address prologue: AA D5 AB address epilogue: DE AB EB data prologue: AA D5 EB data epilogue: ED AA EB --v-- COPY ][ PLUS BIT COPY PROGRAM 8.4 (C) 1982-9 CENTRAL POINT SOFTWARE, INC. --------------------------------------- TRACK: 01 START: 311A LENGTH: 015F 3110: EE B6 ED AA EB FF FF FF VIEW ^^^^^^^^ data epilogue 3118: FF FF F7 BD EB AF ED FF 3120: DB B7 AD BF D7 AA D5 AB ^^^^^^^^ address prologue 3128: FF FE AA AB AF AB FA FE 3130: DE AB FF FF FF BA E5 B3 <-3132 ^^^^^ address epilogue 3138: DC BD EB AF ED FF AA D5 ^^^^^ 3140: EB 9A BD FE FC F5 EB A7 ^^ data prologue 3148: E6 F7 F6 EA E9 9E A7 D7 3150: EB B3 E9 A6 A7 DF EC DB --------------------------------------- A TO ANALYZE DATA ESC TO QUIT ? FOR HELP SCREEN / CHANGE PARMS Q FOR NEXT TRACK SPACE TO RE-READ --^-- Disk Fixer T00,S00 readable (but nothing else) ["O" -> "Input/Output Control"] set Address Prologue to "AA D5 AB" set Address Epilogue to "DE AB EB" set Data Prologue to "AA D5 EB" set Data Epilogue to "ED AA EB" All other tracks/sectors readable! T00 -> looks like Pascal disk catalog Why didn't COPYA work? modified prologues/epilogues Why didn't Locksmith FDB work? ditto EDD worked. What does that tell us? no half or quarter tracks almost certainly no nibble check (just structural changes to prologues and epilogues) Next steps: 1. Super Demuffin to convert the disk to standard prologues/epilogues 2. patch bootloader and RWTS to read standard prologues/epilogues 3. There is no step 3 (I hope) ~ Chapter 1 In Which We Automate 99% Of The Job I'm going to use Super Demuffin here (instead of my usual go-to conversion tool, Advanced Demuffin). The disk is Pascal-based, so my AUTOTRACE script on my work disk won't capture the RWTS. But luckily, the RWTS modifications are minor -- custom prologues and epilogues that are the same on every track -- so Super Demuffin will work just fine. When you first run Super Demuffin, it asks for the parameters of the original disk. I enter the ones I saw in the Copy ][+ nibble editor. (The changes are highlighted below.) --v-- SUPER-DEMUFFIN AND FAST COPY Modified by: The Saltine/Coast to Coast Address prologue: AA D5 AB ^^^^^^^^ Address epilogue: DE AB EB DISK ^^ ORIGINAL Data prologue: AA D5 EB ^^^^^^^^ Data epilogue: ED AA EB ^^ Ignore write errors while demuffining! D - Edit parameters - Advance to next parm - Exit edit mode R - Restore DOS 3.3 parameters O - Edit Original disk's parameters C - Edit Copy disk's parameters G - Begin demuffin process --^-- Pressing "G" switches to the Locksmith Fast Disk Copy UI. It assumes that both disks are in slot 6, and that drive 1 is the original and drive 2 is the copy. [S6,D1=original disk] [S6,D2=blank disk] --v-- LOCKSMITH 7.0 FAST DISK BACKUP R*.................................. W*********************************** HEX 00000000000000001111111111111111222 TRK 0123456789ABCDEF0123456789ABCDEF012 0A.................................. 1................................... 2................................... 3................................... 4................................... 5................................... 6................................... 7................................... 8................................... 9................................... A................................... B................................... C................................... D................................... 12 E................................... F................................... [ ] PRESS [RESET] TO EXIT --^-- Track $00, sector $00 didn't convert, of course, because it used standard prologues and epilogues to begin with. ~ Chapter 2 In Which The Remaining 1% Takes Up 99% Of Our Time, But That's OK Turning to my trusty Disk Fixer sector editor, I can copy the one sector that Super Demuffin left out. [Disk Fixer] ["R"ead track $00, sector $00] ["C"opy sector to drive 2] [S6,D1=demuffin'd copy] ]PR#6 ...hangs with drive motor on... Well that's not unexpected. The disk's bootloader is still expecting to find sectors delimited by the custom prologues and epilogues, which are now standard prologues and epilogues. Let's fix that. Returning to Disk Fixer and reading track $00, sector $00, the problem is immediately obvious: [Disk Fixer] ["R"ead T00,S00] ; quickly munge reset vector so Ctrl- ; Reset will reboot 0801- A9 00 LDA #$00 0803- 8D F4 03 STA $03F4 0806- 85 26 STA $26 ; slot number (x16) 0808- A6 2B LDX $2B ; look for custom address prologue ; (AA D5 AB) 080A- BD 8C C0 LDA $C08C,X 080D- 10 FB BPL $080A 080F- 49 AA EOR #$AA 0811- D0 F7 BNE $080A 0813- BD 8C C0 LDA $C08C,X 0816- 10 FB BPL $0813 0818- C9 D5 CMP #$D5 081A- D0 F3 BNE $080F 081C- EA NOP 081D- BD 8C C0 LDA $C08C,X 0820- 10 FB BPL $081D 0822- C9 AB CMP #$AB 0824- D0 E4 BNE $080A ; process address field 0826- A0 03 LDY #$03 0828- 85 40 STA $40 082A- BD 8C C0 LDA $C08C,X 082D- 10 FB BPL $082A 082F- 2A ROL 0830- 85 3C STA $3C 0832- BD 8C C0 LDA $C08C,X 0835- 10 FB BPL $0832 0837- 25 3C AND $3C 0839- 88 DEY 083A- D0 EC BNE $0828 083C- 85 3D STA $3D 083E- A4 3D LDY $3D 0840- B9 C4 08 LDA $08C4,Y 0843- F0 C3 BEQ $0808 0845- 85 27 STA $27 ; look for custom data prologue ; (AA D5 EB) 0847- BD 8C C0 LDA $C08C,X 084A- 10 FB BPL $0847 084C- 49 AA EOR #$AA 084E- D0 F7 BNE $0847 0850- BD 8C C0 LDA $C08C,X 0853- 10 FB BPL $0850 0855- C9 D5 CMP #$D5 0857- D0 F3 BNE $084C 0859- EA NOP 085A- BD 8C C0 LDA $C08C,X 085D- 10 FB BPL $085A 085F- 49 EB EOR #$EB 0861- D0 E4 BNE $0847 ; decode nibbles 0863- A0 56 LDY #$56 0865- 84 3C STY $3C 0867- BC 8C C0 LDY $C08C,X 086A- 10 FB BPL $0867 086C- 59 D6 02 EOR $02D6,Y . . . And so forth. It doesn't appear to be checking the address or data epilogues at this stage. T00,S00,$10 change "AA" to "D5" T00,S00,$19 change "D5" to "AA" T00,S00,$23 change "AB" to "96" T00,S00,$4D change "AA" to "D5" T00,S00,$56 change "D5" to "AA" T00,S00,$60 change "EB" to "AD" ]PR#6 ...still hangs... My guess is that there is a more robust RWTS being loaded, and that RWTS also needs patching. Before bothering to trace the boot, I go in search of a shortcut: looking for a "LDA $C08C,X" instruction. [Disk Fixer] ["F"ind] ["H"ex] ["BD 8C C0"] --v-- ------------- DISK SEARCH ------------- $00/$00-$0A $00/$00-$13 $00/$00-$1D $00/$00-$2A $00/$00-$32 $00/$00-$47 $00/$00-$50 $00/$00-$5A $00/$0C-$02 $00/$0C-$0D $00/$0C-$1A $00/$0C-$22 $00/$0C-$34 $00/$0C-$3E $00/$0D-$92 $00/$0D-$9C $00/$0D-$A7 $00/$0D-$E0 $00/$0D-$F8 --^-- Jackpot! I already know about the ones on sector $00. It looks like there's more RWTS- related code on sectors $0C and $0D. T00,S0D ----------- DISASSEMBLY MODE ---------- 008D:A0 20 LDY #$20 008F:88 DEY 0090:F0 59 BEQ $00EB ; data prologue 0092:BD 8C C0 LDA $C08C,X 0095:10 FB BPL $0092 0097:49 AA EOR #$AA <-- 0099:D0 F4 BNE $008F 009B:EA NOP 009C:BD 8C C0 LDA $C08C,X 009F:10 FB BPL $009C 00A1:C9 D5 CMP #$D5 <-- 00A3:D0 F2 BNE $0097 00A5:A0 56 LDY #$56 00A7:BD 8C C0 LDA $C08C,X 00AA:10 FB BPL $00A7 00AC:C9 EB CMP #$EB <-- 00AE:D0 E7 BNE $0097 00B0:A9 00 LDA #$00 00B2:88 DEY 00B3:84 26 STY $26 00B5:BC 8C C0 LDY $C08C,X 00B8:10 FB BPL $00B5 00BA:59 D6 02 EOR $02D6,Y . . . ; data epilogue (first nibble only) 00E0:BD 8C C0 LDA $C08C,X 00E3:10 FB BPL $00E0 00E5:C9 ED CMP #$ED <-- 00E7:D0 02 BNE $00EB 00E9:F0 5C BEQ $0147 00EB:38 SEC 00EC:60 RTS 00ED:A0 FC LDY #$FC 00EF:84 26 STY $26 00F1:C8 INY 00F2:D0 04 BNE $00F8 00F4:E6 26 INC $26 00F6:F0 F3 BEQ $00EB ; address prologue 00F8:BD 8C C0 LDA $C08C,X 00FB:10 FB BPL $00F8 00FD:C9 AA CMP #$AA <-- T00,S0C ----------- DISASSEMBLY MODE ---------- 0000:F0 EA BEQ $FFEC 0002:BD 8C C0 LDA $C08C,X 0005:10 FB BPL $0002 0007:C9 D5 CMP #$D5 <-- 0009:D0 F2 BNE $FFFD 000B:A0 03 LDY #$03 000D:BD 8C C0 LDA $C08C,X 0010:10 FB BPL $000D 0012:C9 AB CMP #$AB <-- 0014:D0 E7 BNE $FFFD . . . ; address epilogue (two nibbles only) 0034:BD 8C C0 LDA $C08C,X 0037:10 FB BPL $0034 0039:C9 DE CMP #$DE <-- 003B:D0 AE BNE $FFEB 003D:EA NOP 003E:BD 8C C0 LDA $C08C,X 0041:10 FB BPL $003E 0043:C9 AB CMP #$AB <-- 0045:D0 A4 BNE $FFEB 0047:18 CLC 0048:60 RTS Patching everything up: T00,S0D,$98 change "AA" to "D5" T00,S0D,$A2 change "D5" to "AA" T00,S0D,$AD change "EB" to "AD" T00,S0D,$E5 change "ED" to "DE" T00,S0D,$FE change "AA" to "D5" T00,S0C,$08 change "D5" to "AA" T00,S0C,$13 change "AB" to "96" T00,S0C,$44 change "AB" to "AA" ]PR#6 ...works... The other 9 disks use identical protection. Quod erat liberandum. --------------------------------------- A 4am crack No. 355 ------------------EOF------------------