Hiding kilobytes C=Hacking Issue 7.txt
From ReplayResources
Taken from The Fridge C=Hacking Section C=Hacking Issue #7
This issue of C=Hacking #7 was stripped down to just the Hiding kilobytes article by Marko Mäkela which contains the interesting sections "_Freezer cartridges_" and "_Building an unbeatable freezer circuit_".
Hiding kilobytes
by Marko Mäkelä <Marko.Makela@Helsinki.FI>

Most Commodore 64 programs do not utilize even nearly all of the 64 kB random access memory space. By default, there are only 44 kilobytes of accessible RAM. This article describes how you can take the hidden 20 kilobytes into use.

_Memory management_

The Commodore 64 has access to more memory than its processor can directly handle. This is possible by banking the memory. There are five user configurable inputs that affect the banking. Three of them can be controlled by program, and the other two serve as control lines on the memory expansion port.

The 6510 MPU has an integrated I/O port with six I/O lines. This port is accessed through the memory locations 0 and 1. Location 0 is the Data Direction Register for the Peripheral data Register, which is mapped to the other location. When a bit in the DDR is set, the corresponding PR bit controls the state of the corresponding Peripheral line as an output. When it is clear, the state of the Peripheral line is reflected by the Peripheral register. The Peripheral lines are numbered from 0 to 5, and they are mapped to the DDR and PR bits 0 - 5, respectively. The 8502 processor, which is used in the Commodore 128, has seven Peripheral lines in its I/O port. The seventh line is connected to the Caps lock or ASC/CC key.

The I/O lines have the following functions:

    Direction  Line  Function
    ---------  ----  --------
    out        P5    Cassette motor control. (0 = motor spins)
    in         P4    Cassette sense. (0 = PLAY button depressed)
    out        P3    Cassette write data.
    out        P2    CHAREN
    out        P1    HIRAM
    out        P0    LORAM

The default value of the DDR register is $2F, so all lines except Cassette sense are outputs. The default PR value is $37 (Datassette motor stopped, and all three memory management lines high).

Like most chips in the Commodore 64, the 6510 MPU uses the NMOS (N-channel metal oxide semiconductor) technology. The NMOS switches produce strong logical '0' levels, but weak '1' levels.
The opposite is the PMOS (P-channel metal oxide semiconductor) technology, which cannot pull strong signals low, but is able to drive them high. The CMOS technology (complementary metal oxide semiconductor), which combines these two technologies, is able to drive both logical levels.

Because most integrated circuits in the C64 use the NMOS technology, all hardware lines that are not outputs are driven to +5 volts with a weak current. This is usually accomplished by pull-up resistors, large resistances between the hardware lines and the +5 volt power supply line. The resistors can be inside a chip or on the printed circuit board. This allows any NMOS or CMOS chip to drive the line to the desired state (low or high voltage level).

The difference between an input and an output is that an output uses more current to drive the signal to the desired level. An input and an output outputting logical '1' are equivalent for any other chip reading the line. But if a chip is trying to drive a signal to ground level, it needs more current to sink an output than an input. You can even use outputs as inputs, i.e. read them in your program. (You can use this feature to distinguish between the left shift and the shift lock keys, although they are connected to the same hardware lines. The shift lock key has a smaller resistance than the left shift. If you make both CIA 1 ports outputs (write $FF to $DC03 and $DC01) prior to reading the left shift key, only shift lock can change the values you read from CIA 1 port B ($DC01).)

So, if you turn any memory management line to input, the external pull-up resistors will make it look like it is outputting logical '1'. This is actually why the computer always switches the ROMs in upon startup: pulling the -RESET line low resets all Peripheral lines to inputs, thus driving all three processor-driven memory management lines high.

The two remaining memory management lines are -EXROM and -GAME on the cartridge port.
Each line has a pull-up resistor, so the lines are '1' by default. (In the Commodore 128, you can set the state of these two lines prior to selecting the C64 mode, provided that you write the mode switch routine yourself.)

Even though the memory banking has been implemented with a 82S100 Programmable _Logic_ Array, there is only one control line that seems to behave logically at first sight, the -CHAREN line. It is mostly used to choose between the I/O address space and the character generator ROM. The following memory map introduces the oddities of -CHAREN and the other memory management lines. It is based on the memory maps in the Commodore 64 Programmer's Reference Guide, pp. 263 - 267, and some errors and inaccuracies have been corrected.

The leftmost column of the table contains addresses in hexadecimal notation. The columns beside it introduce all possible memory configurations. The default mode is on the left, and the by far most rarely used one, the Ultimax game console configuration, is on the right. (There have been at least two Ultimax cartridges on the market.) Each memory configuration column has one or more four-digit binary numbers as a title. The bits, from left to right, represent the state of the -LORAM, -HIRAM, -GAME and -EXROM lines, respectively. The bits whose state does not matter are marked with "x". For instance, when the Ultimax video game configuration is active (the -GAME line is shorted to ground, -EXROM kept high), the -LORAM and -HIRAM lines have no effect.
                default                                                 Ultimax
                1111    101x    1000    011x    001x    1110    0100    1100    xx01
                                                00x0
    -------------------------------------------------------------------------------
    F000        Kernal  RAM     RAM     Kernal  RAM     Kernal  Kernal  Kernal  ROMH(*
    E000
    -------------------------------------------------------------------------------
    D000        IO/C    IO/C    IO/RAM  IO/C    RAM     IO/C    IO/C    IO/C    I/O
    -------------------------------------------------------------------------------
    C000        RAM     RAM     RAM     RAM     RAM     RAM     RAM     RAM     -
    -------------------------------------------------------------------------------
    B000        BASIC   RAM     RAM     RAM     RAM     BASIC   ROMH    ROMH    -
    A000
    -------------------------------------------------------------------------------
    9000        RAM     RAM     RAM     RAM     RAM     ROML    RAM     ROML    ROML(*
    8000
    -------------------------------------------------------------------------------
    7000
    6000        RAM     RAM     RAM     RAM     RAM     RAM     RAM     RAM     -
    5000
    4000
    -------------------------------------------------------------------------------
    3000
    2000        RAM     RAM     RAM     RAM     RAM     RAM     RAM     RAM     -
    1000
    -------------------------------------------------------------------------------
    0000        RAM     RAM     RAM     RAM     RAM     RAM     RAM     RAM     RAM
    -------------------------------------------------------------------------------

    *) Internal memory does not respond to write accesses to these areas.

    Legend:
    Kernal  E000-FFFF       Kernal ROM.
    IO/C    D000-DFFF       I/O address space or Character generator ROM,
                            selected by -CHAREN. If the CHAREN bit is clear,
                            the character generator ROM is chosen. If it is
                            set, the I/O chips are accessible.
    IO/RAM  D000-DFFF       I/O address space or RAM, selected by -CHAREN.
                            If the CHAREN bit is clear, the internal RAM is
                            chosen. If it is set, the I/O chips are
                            accessible.
    I/O     D000-DFFF       I/O address space. The -CHAREN line has no effect.
    BASIC   A000-BFFF       BASIC ROM.
    ROMH    A000-BFFF or    External ROM with the -ROMH line connected to
            E000-FFFF       its -CS line.
    ROML    8000-9FFF       External ROM with the -ROML line connected to
                            its -CS line.
    RAM     various ranges  Commodore 64's internal RAM.
    -       1000-7FFF and   Open address space. The Commodore 64's memory
            A000-CFFF       chips do not detect any memory accesses to this
                            area except the VIC-II's DMA and memory
                            refreshes.

NOTE: Whenever the processor tries to write to any ROM area (Kernal, BASIC, CHAROM, ROML, ROMH), the data will get "through the ROM" to the C64's internal RAM. For this reason, you can easily copy data from ROM to RAM, without any bank switching. But implementing external memory expansions without DMA is very hard, as you have to use the Ultimax memory configuration, or the data will be written both to internal and external RAM. However, this is not true for the Ultimax game configuration. In that mode, the internal RAM ignores all memory accesses outside the area $0000-$0FFF, unless they are performed by the VIC, and you can write to external memory at $1000-$CFFF and $E000-$FFFF, if any, without changing the contents of the internal RAM.

_A note concerning the I/O area_

The I/O area is divided as follows:

    Address range   Owner
    -------------   -----
    D000-D3FF       MOS 6567/6569 VIC-II Video Interface Controller
    D400-D7FF       MOS 6581 SID Sound Interface Device
    D800-DBFF       Color RAM (only lower nybbles are connected)
    DC00-DCFF       MOS 6526 CIA Complex Interface Adapter #1
    DD00-DDFF       MOS 6526 CIA Complex Interface Adapter #2
    DE00-DEFF       User expansion #1 (-I/O1 on Expansion Port)
    DF00-DFFF       User expansion #2 (-I/O2 on Expansion Port)

As you can see, the address ranges for the chips are much larger than required. Because of this, you can access the chips through multiple memory areas. The VIC-II appears in its window every $40 addresses. For instance, the addresses $D040 and $D080 are both mapped to the Sprite 0 X co-ordinate register. The SID has one register selection line less, thus it appears every $20 bytes. The CIA chips have only 16 registers, so there are 16 copies of each in their memory area. However, you should not use other addresses than those specified by Commodore.
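A model of the memory map above, added here as an illustration (it is not the article's code): it decides which device answers a 6510 read or write under each configuration, including the 6510 port's input-pins-read-high behaviour described earlier and the Ultimax write exception from the note. The device names are the table's own; the function and parameter names are this example's.

```python
# Which device answers a 6510 memory access under each C64 memory
# configuration, following the article's memory map.  Added illustration,
# not code from the article.  Line levels: 1 = high (the pulled-up default),
# 0 = low.  -LORAM, -HIRAM and CHAREN come from the 6510 port (bits 0-2 of
# location 1); -GAME and -EXROM come from the cartridge port.

def banking_lines(ddr, pr):
    """Levels of -LORAM, -HIRAM and CHAREN given the 6510's DDR (location 0)
    and peripheral register (location 1).  A bit programmed as input reads
    as '1': the external pull-up wins, which is why POKE 0,PEEK(0)AND252
    switches the ROMs back in regardless of what location 1 holds."""
    level = (pr & ddr) | (~ddr & 0x07)
    return level & 1, (level >> 1) & 1, (level >> 2) & 1

def is_ultimax(game, exrom):
    """Ultimax configuration: -GAME low, -EXROM high; -LORAM/-HIRAM ignored."""
    return game == 0 and exrom == 1

def cpu_read_source(addr, loram, hiram, game, exrom, charen=1):
    """Device that responds to a CPU read of addr: RAM, KERNAL, BASIC,
    CHAROM, I/O, ROML, ROMH or OPEN (nothing responds)."""
    region = (addr & 0xFFFF) >> 12
    if is_ultimax(game, exrom):
        if region == 0x0:          return "RAM"
        if region in (0x8, 0x9):   return "ROML"
        if region == 0xD:          return "I/O"      # CHAREN has no effect
        if region >= 0xE:          return "ROMH"
        return "OPEN"                                 # 1000-7FFF, A000-CFFF
    if region >= 0xE:
        return "KERNAL" if hiram else "RAM"
    if region == 0xD:
        if not loram and not hiram:
            return "RAM"                              # 001x / 00x0 columns
        if charen:
            return "I/O"
        # CHAREN clear: character ROM, except in the 1000 column, where the
        # PLA offers RAM instead (the IO/RAM entry of the table)
        if loram and not hiram and game == 0 and exrom == 0:
            return "RAM"
        return "CHAROM"
    if region in (0xA, 0xB):
        if hiram and game:
            return "BASIC" if loram else "RAM"
        if hiram and not game and not exrom:
            return "ROMH"                             # 0100 / 1100 columns
        return "RAM"
    if region in (0x8, 0x9):
        return "ROML" if (loram and hiram and not exrom) else "RAM"
    return "RAM"

def cpu_write_target(addr, loram, hiram, game, exrom, charen=1):
    """Where a CPU write lands.  Outside Ultimax mode a write to a ROM area
    falls 'through the ROM' into the internal RAM.  In Ultimax mode the
    internal RAM only listens at 0000-0FFF; everything else reaches the
    expansion port only (external RAM, if any)."""
    src = cpu_read_source(addr, loram, hiram, game, exrom, charen)
    if src == "I/O":
        return "I/O"
    if is_ultimax(game, exrom):
        return "RAM" if (addr & 0xFFFF) < 0x1000 else "EXPANSION"
    return "RAM"

def column(loram, hiram, game, exrom, charen=1):
    """One column of the table: the device seen at each 4 kB page, 0000 up."""
    return [cpu_read_source(page << 12, loram, hiram, game, exrom, charen)
            for page in range(16)]
```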
For instance, the Commodore 128 mapped its additional I/O chips to this same memory area, and the SID responds only to the addresses D400-D4FF, also when in C64 mode. And the Commodore 65, which unfortunately did not make its way to the market, could narrow the memory window reserved for the MOS 6569/6567 VIC-II (or CSG 4567 VIC-III in that machine).

_The video chip_

The MOS 6567/6569 VIC-II Video Interface Controller has access to only 16 kilobytes at a time. To enable the VIC-II to access the whole 64 kB memory space, the main memory is divided into four banks of 16 kB each. The lines PA0 and PA1 of the second CIA are the inverse of the virtual VIC-II address lines VA14 and VA15, respectively. To select a VIC-II bank other than the default, you must program the CIA lines to output the desired bit pair. For instance, the following code selects the memory area $4000-$7FFF (bank 1) for the video controller:

    LDA $DD02       ; Data Direction Register A
    ORA #$03        ; Set pins PA0 and PA1 to outputs
    STA $DD02
    LDA $DD00
    AND #$FC        ; Mask the lowmost bit pair off
    ORA #$02        ; Select VIC-II bank 1 (the inverse of binary 01 is 10)
    STA $DD00

Why should you set the pins to outputs? Hardware RESET resets all I/O lines to inputs, and thanks to the CIA's internal pull-up resistors, the inputs actually output a logical high voltage level. So, upon -RESET, video bank 0 is selected automatically, and older Kernals could leave it uninitialized.

Note that the VIC-II always fetches its information from the internal RAM, totally ignoring the memory configuration lines. There is only one exception to this rule: the character generator ROM. Unless the Ultimax mode is selected, the VIC-II "sees" the character generator ROM in the memory areas 1000-1FFF and 9000-9FFF. If the Ultimax configuration is active, the VIC-II will fetch all data from the internal RAM.
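The bank selection above as an added Python example (not from the article): it encodes the inverted PA0/PA1 bits, the pull-up behaviour of pins left as inputs after -RESET, and which 16 kB window and character ROM image the VIC-II ends up seeing. Function names are this example's own.

```python
# VIC-II bank selection through CIA 2 port A, as described above.  Added
# illustration, not code from the article.  PA0/PA1 are the inverse of the
# VIC address lines VA14/VA15, and a port pin configured as input reads as
# '1' because of the CIA's internal pull-up resistor.

def cia2_port_a_lines(ddr, pr):
    """Effective level of the two bank bits on CIA 2 port A ($DD00), given
    the data direction register ($DD02) and the peripheral register value.
    Pins that are inputs (DDR bit clear) float high through the pull-ups."""
    return (pr & ddr & 0x03) | (~ddr & 0x03)

def vic_bank(ddr, pr):
    """Bank number 0-3 the VIC-II sees (bank 0 = $0000-$3FFF): the port
    lines carry the *inverse* of VA15/VA14, so all-ones means bank 0."""
    return 3 - cia2_port_a_lines(ddr, pr)

def vic_bank_base(ddr, pr):
    """System address at which the VIC-II's 16 kB window starts."""
    return vic_bank(ddr, pr) * 0x4000

def select_vic_bank(ddr, pr, bank):
    """Values to write to $DD02 and $DD00 to select `bank`, mirroring the
    LDA/ORA/AND/STA sequence above: PA0/PA1 become outputs, the other port
    bits (serial bus lines, RS-232) are left untouched."""
    if not 0 <= bank <= 3:
        raise ValueError("VIC bank must be 0-3")
    return ddr | 0x03, (pr & 0xFC) | (3 - bank)

def vic_read_source(vaddr14, ddr, pr, ultimax=False):
    """Which chip the VIC-II fetches from for a 14-bit address inside its
    bank, and the system address it corresponds to.  The character ROM
    shadows $1000-$1FFF of banks 0 and 2 (system $1000-$1FFF and
    $9000-$9FFF) unless the Ultimax configuration is active; everything
    else comes from internal RAM, whatever the 6510 banking lines say."""
    sysaddr = vic_bank_base(ddr, pr) + (vaddr14 & 0x3FFF)
    if not ultimax and 0x1000 <= (sysaddr & 0x7FFF) < 0x2000:
        return "CHAROM", sysaddr
    return "RAM", sysaddr
```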
_An application: Making an operating system extension_

If you are making a memory resident program and want to make it as invisible to the system as possible, probably the best method is keeping most of your code under the I/O area (in the RAM at $D000-$DFFF). This area is very safe, because programs utilizing it are rare, as code there is very difficult to implement and to debug. You need only a short routine in the normally visible RAM that pushes the current value of the processor's I/O register $01 on the stack, switches RAM on at $D000-$DFFF and jumps to this area. Returning from the $D000-$DFFF area is possible even without any routine in the normally visible RAM area. Just write an RTS or an RTI to an I/O register and return through it.

But what if your program needs to use I/O? And how can you write the return instruction to an I/O register while the I/O area is switched off? You need a swap area for your program in normally visible memory. The first thing your routine at $D000-$DFFF does is copy the I/O routines (or the whole program) to normally visible memory, swapping the bytes. For instance, if your I/O routines are initially stored at $D200-$D3FF, exchange the bytes in $D200-$D3FF with the contents of $C000-$C1FF. Now you can call the I/O routines from your routine at $D000-$DFFF, and the I/O routines can switch the I/O area on temporarily to access the I/O chips. And right before exiting, your program at $D000-$DFFF swaps the old contents of that I/O routine area back in, e.g. exchanges the memory areas $D200-$D3FF and $C000-$C1FF again.

What I/O registers can you use for the return instruction? There are basically two alternatives: the 8-bit VIC sprite registers or either CIA's serial port register. The VIC registers are easiest to use, as they act precisely like memory locations: you can easily write the desired value to a register. But the CIA register is usually better, as changing the VIC registers might change the screen layout.
However, the SP register also has some drawbacks: if the machine's CNT1 and CNT2 lines are connected to a frequency source, you must stop either CIA's Timer A to use the SP register method. Normally the 1st CIA's Timer A is the main hardware interrupt source. And if you use the Kernal's RS232, you cannot stop the 2nd CIA's Timer A either. Also, if you don't want to lose any CIA interrupts, you might want to know that executing the RTS or RTI at the SP register has the side effect of reading the Interrupt Control Register, thus acknowledging an interrupt that might have been waiting.

If you can't use either method, you can use either CIA's ToD seconds or minutes or ToD alarm time for storing an RTI. Or, if you don't want to alter any registers, use the VIC-II's light pen register. Before exiting, wait for the appropriate raster line and trigger the light pen latch with CIA1's PB4 bit. However, this method assumes that control port 1's button/light pen line remains up for that frame. After triggering the light pen, causing the light pen Y co-ordinate register ($D014) to be $40 or $60, you have more than half a frame of time to restore the state of the I/O chips and return through the register.

You can also use the SID to store an RTI or RTS command. How is this possible, you might ask. After all, the chip consists of read only or write only registers. However, there are two registers that can be controlled by program, the envelope generator and oscillator outputs of the third voice. This method requires you to change the frequency of voice 3 and to select a waveform for it. This will affect the voice output by turning voice 3 off, but who would keep voice 3 producing a tone while calling an operating system routine?

Also keep in mind that the user could press RESTORE while the Kernal ROM and I/O areas are disabled.
You could write your own non-maskable interrupt (NMI) handler (using the NMI vector at $FFFA), but a fast loader that uses very tight timing would still stop working if the user pressed RESTORE in the middle of a data block transfer. So, to make a robust program, you have to disable NMI interrupts. But how is this possible? They are Non-Maskable after all. The NMI interrupt is edge-sensitive: the processor jumps to the NMI handler only when the -NMI line drops from +5V to ground. To disable the interrupt, simply cause an NMI with CIA2's timer, but don't read the Interrupt Control register. If you need to read $DD0D in your program, you must add an NMI handler just in case the user presses RESTORE. And don't forget to raise the -NMI line upon exiting the program. Otherwise the RESTORE key does not work until the user issues a -RESET or reads the ICR register explicitly. (The Kernal does not read $DD0D, unless it is handling an interrupt.) This can be done automatically by the two following SP register examples due to one of the 6510's undocumented features (refer to the descriptions of RTS and RTI below).

    ; Returning via VIC register $15 (the sprite enable register)

    Initialization:     ; This is executed when I/O is switched on
            LDA #$60
            STA $D015   ; Write RTS to VIC register $15.

    Exiting:            ; NOTE: This procedure must start at VIC register
                        ; $12. You have multiple alternatives, as the VIC
                        ; appears in memory at $D000+$40*n, where 0<=n<=$F.
            PLA         ; Pull the saved 6510 I/O register state from stack
            STA $01     ; Restore original memory bank configuration
                        ; Now the processor fetches the RTS command from the
                        ; VIC register $15.

    ; Returning via CIA 2's ToD or ToD alarm seconds register

    Initialization:     ; This is executed when I/O is switched on
            LDA #$40
            STA $DD08   ; Set ToD tenths of seconds
                        ; (clear it so that the seconds register
                        ; would not overflow)
                        ; If the ToD alarm register is selected, this
                        ; instruction is unnecessary.
            STA $DD09   ; Set ToD seconds (RTI)
            LDA $DD0B   ; Read ToD hours (freeze ToD display)

    Exiting:            ; NOTE: This procedure must start at CIA 2 register
                        ; $6. As the CIA 2 appears in memory at $DD00+$10*n,
                        ; where 0<=n<=$F, you have sixteen alternatives.
            PLA
            STA $01     ; Restore original memory bank configuration
                        ; Now the processor fetches the RTI command from
                        ; the CIA 2 register $9.

    ; Returning via CIA 2's SP register (assuming that CNT2 is stable)

    Initialization:     ; This is executed when I/O is switched on
            LDA $DD0E   ; CIA 2's Control Register A
            AND #$BF    ; Set Serial Port to input
            STA $DD0E   ; (make the SP register act as a memory location)
            LDA #$60
            STA $DD0C   ; Write RTS to CIA 2 register $C.

    Exiting:            ; NOTE: This procedure must start at CIA 2 register
                        ; $9. As the CIA 2 appears in memory at $DD00+$10*n,
                        ; where 0<=n<=$F, you have sixteen alternatives.
            PLA
            STA $01     ; Restore original memory bank configuration
                        ; Now the processor fetches the RTS command from
                        ; the CIA 2 register $C.

    ; Returning via CIA 2's SP register, stopping the Timer A
    ; and forcing SP2 and CNT2 to output

    Initialization:     ; This is executed when I/O is switched on
            LDA $DD0E   ; CIA 2's Control Register A
            AND #$FE    ; Stop Timer A
            ORA #$40    ; Set Serial Port to output
            STA $DD0E   ; (make the SP register act as a memory location)
            LDA #$60
            STA $DD0C   ; Write RTS to CIA register $C.

    Exiting:            ; NOTE: This procedure must start at CIA 2 register
                        ; $9. As the CIA 2 appears in memory at $DD00+$10*n,
                        ; where 0<=n<=$F, you have sixteen alternatives.
            PLA
            STA $01     ; Restore original memory bank configuration
                        ; Now the processor fetches the RTS command from
                        ; the CIA 2 register $C.

    ; Returning via SID oscillator 3 output register

    Initialization:     ; This is executed when I/O is switched on
            LDA #$20    ; Select sawtooth waveform
            STA $D412   ; but do not enable the sound
            LDY #$00    ; Select frequency
            STY $D40E   ; (system clock)/$FF00,
            LDA #$FF    ; causing the OSC3 output to increment by one
            STA $D40F   ; every $10000/$FF00 cycles.
            LDA #$0E
            LDX #$60
            BIT $D41B   ; Wait for the oscillator 3 output
            BMI *-3     ; to be in the range
            BVS *-5     ; $00-$3F.
            BIT $D41B   ; Wait for the oscillator 3 output
            BVC *-3     ; to be at least $40.
            STA $D40F   ; Slow down the frequency to (system clock)/$0E00.
            CPX $D41B   ; Wait for the oscillator 3
            BNE *-3     ; output to reach $60 (RTS)
            STY $D40F   ; Reset the frequency of voice 3
                        ; (stop the OSC3 register from increasing)

    Exiting:            ; NOTE: This procedure must start at SID register
                        ; $18. As the SID appears in memory at $D400+$20*n,
                        ; where 0<=n<=$1F, you have thirty-two alternatives.
                        ; However, in the C128 there are only eight
                        ; alternatives, as the SID is only at $D400-$D4FF.
            PLA
            STA $01     ; Restore original memory bank configuration
                        ; Now the processor fetches the RTS command from
                        ; the SID register $1B.

For instance, if you want to make a highly compatible fast loader, make the ILOAD vector ($0330) point to the beginning of the stack area. Remember that the BASIC interpreter uses the first bytes of the stack while converting numbers to text. A good address is $0120. Robust programs practically never use so much stack that it could corrupt this routine. Usually only crunched programs (demos and the like) use all of the stack in the decompression phase. They also make use of the $D000-$DFFF area.

This stack routine will jump to your routine at $D000-$DFFF, as described above. For performance's sake, copy the whole byte transfer loop to the swap area, e.g. $C000-$C1FF, and call that subroutine after doing the preliminary work. But what about files that load over $C000-$C1FF? Wouldn't that destroy the transfer loop and jam the machine? Not necessarily. If you copy those bytes to your swap area at $D000-$DFFF, they will be loaded properly, as your program restores the original $C000-$C1FF area.
If you want to make your program user-friendly, put a vector initialization routine in the stack area as well, so that the user can restore the fast loader by issuing a SYS command, rather than loading it each time he has pressed RESET.

_An example: A "hello world" program_

To help you in getting started, I have written a small example program that echoes the famous message "hello, world!" to standard output (normally the screen) using the Kernal's CHROUT subroutine. After the initialization routine has been run, the program can be started by commanding SYS 300. I used the Commodore 128's machine language monitor to put it up, but it was still pretty difficult to debug the program. Here it is in uuencoded format:

begin 644 hello
M`0@+",D'GC(P-C$```!XI0%(*?B%`:(,O3`(G2P!RA#WHHN]/`B=8]W*T/=H
MA0%88*4!JBGX"01XA0%,I-WF`:*!C@W=H@".!=WHC@3=HMV.#MVB0(X,W<8!
M8*4!2`D#A0&@#+DSP"#2_X@0]VB%`6`A1$Q23U<@+$],3$5(BDBM^O](K?O_
M2*D6C?K_J<"-^_\@W-T@`,!HC?O_:(WZ_R`=P"#<W6BHJ0!(NOX"`=`#_@,!
5A`&@/[X`P+EDW9D`P(J99-V($/!@
`
end

In order to fully understand the operation of this program, you need to know how the instructions RTI, RTS and PHA work. There is some work going on to reverse engineer the NMOS 6502 microprocessor to a large extent, and it is now known for most instructions what memory places they access during their execution and for what purpose. The internal procedures haven't been described in detail yet, but these descriptions should be easier to read anyway. For curiosity, I quote here the description of all instructions that use the stack. The descriptions of internal operations are as yet inaccurate, but the memory accesses have been verified with an oscilloscope. I will mail copies of the whole document upon request. When finished, the document will be put on an FTP site.
    JSR

      #  address  R/W  description
     --- -------  ---  -------------------------------------------------
      1  PC       R    fetch opcode, increment PC
      2  PC       R    fetch address's low byte to latch, increment PC
      3  $0100,S  R
      4  $0100,S  W    push PCH on stack, decrement S
      5  $0100,S  W    push PCL on stack, decrement S
      6  PC       R    copy latch to PCL, fetch address's high byte to
                       latch, copy latch to PCH

    RTS

      #  address  R/W  description
     --- -------  ---  -------------------------------------------------
      1  PC       R    fetch opcode, increment PC
      2  PC       R    read next instruction byte (and throw it away),
                       increment PC
      3  $0100,S  R    increment S
      4  $0100,S  R    pull PCL from stack, increment S
      5  $0100,S  R    pull PCH from stack
      6  PC       R    increment PC

    BRK

      #  address  R/W  description
     --- -------  ---  -------------------------------------------------
      1  PC       R    fetch opcode, increment PC
      2  PC       R    read next instruction byte (and throw it away),
                       increment PC
      3  $0100,S  W    push PCH on stack, decrement S
      4  $0100,S  W    push PCL on stack, decrement S
      5  $0100,S  W    push P on stack (with B flag set), decrement S,
                       set I flag
      6  $FFFE    R    fetch PCL
      7  $FFFF    R    fetch PCH

    RTI

      #  address  R/W  description
     --- -------  ---  -------------------------------------------------
      1  PC       R    fetch opcode, increment PC
      2  PC       R    read next instruction byte (and throw it away),
                       increment PC
      3  $0100,S  R    increment S
      4  $0100,S  R    pull P from stack, increment S
      5  $0100,S  R    pull PCL from stack, increment S
      6  $0100,S  R    pull PCH from stack

    PHA, PHP

      #  address  R/W  description
     --- -------  ---  -------------------------------------------------
      1  PC       R    fetch opcode, increment PC
      2  PC       R    read next instruction byte (and throw it away),
                       increment PC
      3  $0100,S  W    push register on stack, decrement S

    PLA, PLP

      #  address  R/W  description
     --- -------  ---  -------------------------------------------------
      1  PC       R    fetch opcode, increment PC
      2  PC       R    read next instruction byte (and throw it away),
                       increment PC
      3  $0100,S  R    increment S
      4  $0100,S  R    pull register from stack

The example program consists of three parts.
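Before the walk-through of the example program, the cycle tables above as a small Python model, added as an illustration (not code from the article or from the reverse-engineering document it quotes). It replays the "Returning via CIA 2's SP register" scheme with constructed stack contents, showing that the throw-away read after the opcode lands on the Interrupt Control Register, the side effect the text relies on to re-enable NMIs. Function names are this example's own.

```python
# Cycle-by-cycle bus model of the 6502 stack instructions, following the
# tables quoted above.  Added illustration, not code from the article or
# from the reverse-engineering document it quotes.  Memory is a plain dict
# {address: byte}; an address missing from it reads as None, which is
# enough to show which addresses an instruction touches and in what order.

STACK_PAGE = 0x0100


def run_stack_instruction(instr, pc, s, mem, p=0x24, a=0x00):
    """Execute one of JSR, RTS, RTI, BRK, PHA or PLA whose opcode sits at pc,
    with stack pointer s.  Returns (bus, pc, s, p, a); bus is a list of
    (address, 'R' or 'W', description) tuples, one entry per clock cycle."""
    bus = []

    def rd(addr, what):
        addr &= 0xFFFF
        bus.append((addr, "R", what))
        return mem.get(addr)

    def wr(addr, value, what):
        addr &= 0xFFFF
        bus.append((addr, "W", what))
        mem[addr] = value & 0xFF

    def byte(v):                      # unmapped (None) reads count as 0 here
        return v or 0

    rd(pc, "fetch opcode, increment PC")
    pc = (pc + 1) & 0xFFFF
    if instr == "JSR":
        lo = byte(rd(pc, "fetch address's low byte to latch, increment PC"))
        pc = (pc + 1) & 0xFFFF
        rd(STACK_PAGE + s, "internal operation")
        wr(STACK_PAGE + s, pc >> 8, "push PCH on stack, decrement S")
        s = (s - 1) & 0xFF
        wr(STACK_PAGE + s, pc & 0xFF, "push PCL on stack, decrement S")
        s = (s - 1) & 0xFF
        hi = byte(rd(pc, "fetch address's high byte, copy latch to PC"))
        pc = (hi << 8) | lo
    elif instr in ("RTS", "RTI"):
        # This throw-away read of the byte after the opcode is what lets an
        # RTS/RTI stored in CIA 2 register $C read the ICR (register $D).
        rd(pc, "read next instruction byte (and throw it away)")
        rd(STACK_PAGE + s, "increment S")
        s = (s + 1) & 0xFF
        if instr == "RTI":
            p = byte(rd(STACK_PAGE + s, "pull P from stack, increment S"))
            s = (s + 1) & 0xFF
        lo = byte(rd(STACK_PAGE + s, "pull PCL from stack, increment S"))
        s = (s + 1) & 0xFF
        hi = byte(rd(STACK_PAGE + s, "pull PCH from stack"))
        pc = (hi << 8) | lo
        if instr == "RTS":            # RTS returns to the pushed address + 1,
            rd(pc, "increment PC")    # RTI to the pushed address itself
            pc = (pc + 1) & 0xFFFF
    elif instr == "BRK":
        rd(pc, "read next instruction byte (and throw it away), increment PC")
        pc = (pc + 1) & 0xFFFF
        wr(STACK_PAGE + s, pc >> 8, "push PCH on stack, decrement S")
        s = (s - 1) & 0xFF
        wr(STACK_PAGE + s, pc & 0xFF, "push PCL on stack, decrement S")
        s = (s - 1) & 0xFF
        wr(STACK_PAGE + s, p | 0x10, "push P (B flag set), decrement S, set I")
        s = (s - 1) & 0xFF
        p |= 0x04
        lo = byte(rd(0xFFFE, "fetch PCL"))
        hi = byte(rd(0xFFFF, "fetch PCH"))
        pc = (hi << 8) | lo
    elif instr in ("PHA", "PLA"):     # one-byte instructions: the dummy read
        rd(pc, "read next instruction byte (and throw it away)")  # leaves PC
        if instr == "PHA":
            wr(STACK_PAGE + s, a, "push register on stack, decrement S")
            s = (s - 1) & 0xFF
        else:
            rd(STACK_PAGE + s, "increment S")
            s = (s + 1) & 0xFF
            a = byte(rd(STACK_PAGE + s, "pull register from stack"))
    else:
        raise ValueError("unsupported instruction: " + instr)
    return bus, pc, s, p, a


def return_through_cia2_sp(instr="RTS", s=0xFD, at=0xDD0C):
    """Replay the 'Returning via CIA 2's SP register' scheme: the return
    instruction is fetched from CIA 2 register $C (at $DD0C or a mirror such
    as $DDDC), so its throw-away read lands on register $D, the Interrupt
    Control Register, acknowledging a pending NMI.  The stack contents are
    constructed so that control returns to $C100.  Returns the new PC and
    the addresses touched, in bus order."""
    def st(k):                                         # stack slot s+k
        return STACK_PAGE + ((s + k) & 0xFF)
    mem = {at: 0x60 if instr == "RTS" else 0x40}       # RTS or RTI opcode
    if instr == "RTS":                                 # a JSR pushed $C0FF
        mem[st(1)], mem[st(2)] = 0xFF, 0xC0
    else:                                              # P = $00, then $C100
        mem[st(1)], mem[st(2)], mem[st(3)] = 0x00, 0x00, 0xC1
    bus, pc, _, _, _ = run_stack_instruction(instr, at, s, mem)
    return pc, [addr for addr, _, _ in bus]
```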
The first part transfers the other parts to appropriate memory areas. The second part is located in the stack area (300-312), and it invokes the third part, the main module.

The loader part ($0801-$08C7) is as follows:

    1993 SYS2061
    080D  SEI             Disable interrupts.
    080E  LDA $01
    0810  PHA             Store the state of the processor's I/O lines.
    0811  AND #$F8
    0813  STA $01         Select 64 kB RAM memory configuration.
    0815  LDX #$0C        Copy the invoking part to 300-312.
    0817  LDA $0830,X
    081A  STA $012C,X
    081D  DEX
    081E  BPL $0817
    0820  LDX #$8B        Copy the main part to $DD64-$DDEE.
    0822  LDA $083C,X
    0825  STA $DD63,X
    0828  DEX
    0829  BNE $0822
    082B  PLA             Restore original memory configuration.
    082C  STA $01
    082E  CLI             Enable interrupts.
    082F  RTS             Return.

The user invokes the following part by issuing SYS 300. This part changes the memory configuration and jumps to the main part.

    012C  LDA $01
    012E  TAX             Store original memory configuration in the X register.
    012F  AND #$F8
    0131  ORA #$04
    0133  SEI             Disable interrupts.
    0134  STA $01         Select 64 kB RAM memory configuration.
    0136  JMP $DDA4       Jump to the main part.

The main part actually consists of two parts. It may be a bit complicated, and it might teach you new tricks.

    DDA4  TXA
    DDA5  PHA             Push original memory configuration on stack.
    DDA6  LDA $FFFA
    DDA9  PHA
    DDAA  LDA $FFFB
    DDAD  PHA             Store the original values of $FFFA and $FFFB.
    DDAE  LDA #$16
    DDB0  STA $FFFA       Set ($FFFA) to point to RTI.
    DDB3  LDA #$C0
    DDB5  STA $FFFB
    DDB8  JSR $DDDC       Swap the auxiliary routines in.
    DDBB  JSR $C000       Disable NMI's and initialize CIA2.
    DDBE  PLA
    DDBF  STA $FFFB       Restore original values to $FFFA and $FFFB.
    DDC2  PLA
    DDC3  STA $FFFA
    DDC6  JSR $C01D       Print the message.
    DDC9  JSR $DDDC       Swap the auxiliary routines out.
    DDCC  PLA
    DDCD  TAY             Load original memory configuration into the Y register.
    DDCE  LDA #$00        Push desired status register value on stack
    DDD0  PHA             (clear all flags, especially the I flag).
    DDD1  TSX
    DDD2  INC $0102,X     Increment the return address.
    DDD5  BNE $DDDA       (RTS preincrements it, but RTI does not.)
    DDD7  INC $0103,X
    DDDA  STY $01         Restore original memory configuration.

(The 6510 fetches the next instruction from $DDDC, which is now connected to the CIA2's register $C, the Serial Port register. The initialization routine wrote an RTI to it. The processor also reads from $DDDD as a side effect of the instruction fetch, thus re-enabling NMI's.)

    DDDC  LDY #$3F        Subroutine: Swap the memory areas $C000-$C03F
    DDDE  LDX $C000,Y     and $DD64-$DDA3 with each other.
    DDE1  LDA $DD64,Y
    DDE4  STA $C000,Y
    DDE7  TXA
    DDE8  STA $DD64,Y
    DDEB  DEY
    DDEC  BPL $DDDE
    DDEE  RTS

    C000  INC $01         Enable the I/O area.
    C002  LDX #$81
    C004  STX $DD0D       Enable Timer A interrupts of CIA2.
    C007  LDX #$00
    C009  STX $DD05
    C00C  INX
    C00D  STX $DD04       Prepare Timer A to count from 1 to 0.
    C010  LDX #$DD
    C012  STX $DD0E       Cause an interrupt.

(The instruction sets SP to output, makes Timer A count system clock pulses, forces the CIA to load the initial value into the counter, selects one-shot counting and starts the timer.)

    C015  LDX #$40

(The processor now jumps to the NMI handler ($C016), and the SP register starts to act as a memory location.)

    C017  STX $DD0C       Write an RTI to the Serial Port register.
    C01A  DEC $01         Disable the I/O area.
    C01C  RTS             Return.

    C01D  LDA $01
    C01F  PHA
    C020  ORA #$03        Enable I/O and ROMs.
    C022  STA $01
    C024  LDY #$0C        Print the message.
    C026  LDA $C033,Y
    C029  JSR $FFD2
    C02C  DEY
    C02D  BPL $C026
    C02F  PLA
    C030  STA $01         Restore the 64 kB memory configuration.
    C032  RTS
    C033  "!DLROW ,OLLEH"

(The string is backwards in memory, since I don't want to waste cycles in explicit comparisons. This method results in more readable code than doing a forward loop with an index value of $100-(number of characters).)

This program is not excellent. It has the following bugs:

o The 6510's memory management lines P0 and P1 (LORAM and HIRAM, respectively) are assumed to be outputs. If you issued the command POKE0,PEEK(0)AND252, this program would not work.
This could be easily corrected by setting the P0 and P1 lines to output in the beginning of the interfacing routine (300 - 312):

    LDA $00
    ORA #$03
    STA $00

o The program does not restore the original state of the CIA2 Control Register A or Interrupt Control Register. It might be impossible to start using the Kernal's RS-232 routines after running this.

o If the user redirected output to cassette or RS-232, interrupts would be required. However, they are completely disabled.

o If a non-maskable interrupt occurs while the loader part is being executed, the program will screw up. This will also happen in the main part, if an NMI is issued after disabling ROMs and I/O in $0134 but before exchanging the contents of the memory places $C016 and $DD7A.

_Freezer cartridges_

There are many cartridges that let you stop almost any program for "back-up" purposes. One of the most popular of these freezer cartridges is the Action Replay VI made by Datel Electronics back in 1989. The cartridge has 8 kilobytes of RAM and 32 kilobytes of ROM on board, and it has a custom chip for fiddling with the C64 cartridge port lines -EXROM, -GAME, -IRQ, -NMI and BA.

If the -NMI line is not asserted (the NMI interrupts are enabled), all freezer cartridges should be able to halt any program. When the user presses the "freeze" button, the cartridges halt the processor by dropping the BA line low. Then they switch some of their own ROM to the $E000 - $FFFF block by selecting the UltiMax configuration with the -EXROM and -GAME lines. After this, they assert the -NMI line and release the BA line. After completing the current instruction, the processor will take the NMI interrupt and load the program counter from the vector at $FFFA, provided that the NMI line was not asserted already. This approach is prone to many flaws.
Firstly, if the processor is executing a write instruction when the program is being halted, and if the write occurs outside the area $0000 - $0FFF, the data would get lost if the UltiMax configuration was asserted too early. This can be corrected to some extent by waiting at least two cycles after asserting the BA line, as the processor will not stop during write cycles. However, this is of no help if the processor has not gotten to the write stage yet.

Secondly, if the instruction being executed is outside the area $0000 - $0FFF, or if it accesses any data outside that area, the processor will fetch either wrong parameters or incorrect data, or both. If the instruction does not write anything, it will only corrupt one processor register.

Thirdly, if the NMI interrupts are disabled, pressing the "freeze" button does not have any other immediate effect than leaving the UltiMax mode asserted, which makes any system RAM outside the area $0000 - $0FFF unavailable. It also forces the I/O area ($D000 - $DFFF) on. If the program has any instructions or data outside the lowest four kilobytes, it will eventually jam, as that data will be something else than the program expects. One might expect that reading from open address space should return random bytes. But, in at least two C64's, the bytes read are mostly $BD, which is the opcode for LDA absolute,X. So, if the processor has "good luck", it will happily execute only LDA $BDBD,X commands, and it might survive to the cartridge ROM area without jamming. Or it could eventually fetch a BRK and jump to the cartridge ROM via the IRQ/BRK vector at $FFFE. The Action Replay VI has the familiar autostart data at the beginning of both the ROML and ROMH blocks by default, and that data could be interpreted as sensible commands.
The Action Replay VI was indeed able to freeze my test program, even though I had covered its -RESET, -IRQ and -NMI lines with a piece of tape, until I relocated the program to the first 4 kilobyte block.

_Building an unbeatable freezer circuit_

As you can see, it is totally impossible to design a freezer cartridge that freezes any program. If the program to be frozen has disabled the NMI interrupts, and if its code runs mostly at $0000 - $0FFF or $D000 - $DFFF, the computer will more probably hang than succeed in freezing the program.

However, it is possible to make some internal modifications to a C64, so that it can freeze literally any program. You need to expand your machine to 256 kilobytes following the documents on ftp.funet.fi in the /pub/cbm/hardware/256kB directory. It will let you reset the computer so that all of the 64 kilobytes the previous program used will remain intact. If you add a switch to one of the memory expansion controller's chip selection lines, the program being examined will have no way to screw the machine up, as the additional memory management registers will not be available.

A few enhancements to this circuit are required so that you can freeze programs without losing the state of the I/O chips. You will also need to replace the Kernal ROM chip with your own code, if you do not want to lose the state of the A, X, P and S registers. Unfortunately this circuit will not preserve the state of the processor's Peripheral lines (its built-in I/O port mapped to the memory addresses 0 and 1), nor does it record the program counter (PC). I have a partial solution to the PC problem, though.

If you are interested in this project, contact me. I will design the additional hardware, and I will program the startup routines, but I certainly do not have the time to program all of the freezer software.
Most of the freezer software could be in RAM, so it would be very easy to develop it, and you could even use existing tools by patching them slightly.

=============================================================================