Aug 162014
 

For no particularly good reason I found myself looking at the boot code for Jordan Mechner’s Prince of Persia, the source code for which was released to the world a little while back. I was flipping through the protection code, and found a comment that said “Motorcycle disk drive“.

Pop motorcycle disk drive

A quick glance at it revealed that, indeed, it is code that is designed to make your disk drive sound like a motorcycle. It pulls the drive head back until it starts hitting the edge and keeps going, which is basically the same thing that happens when you boot a disk (causing the characteristic Apple II booting noise from the drive). This differs only in that it is using specific delays (controlled by paddle zero) to alter the frequency of the motor turns.

That’s kind of a weird thing. When does this get executed?

Backing up a bit, I saw that when the protection check succeeds, control passes to the point labeled “:yippee“, which does the following thing: Check to see if both the open-apple and closed-apple keys and one other key is pressed. If not, everything proceeds as normal, but if so, look up the key in a dispatch table (just below the code pictured below) and jump to the address in the table.

Pop dispatch

Looking at the dispatch table, it has a few different vectors in it. One of them is for “^” which has the address for the motorcycle disk drive routine in it.

Pop dispatch table

So, if you’re holding down (open-apple, closed-apple, and) ^ at this point very early in the boot process, the code to make your disk drive sound like a motorcycle will be executed, rather than Prince of Persia. (This code is quite likely actually written by Roland Gustafsson, rather than by Jordan Mechner, since Roland was mostly in charge of dealing with the disk drives as I understand it.)

There are in fact a couple of other Easter eggs available at this same point in the boot process. OA-CA-return will give you “confusion” and OA-CA-@ will give you “rotcube”, both graphics demos, and OA-CA-! will print a little message from Jordan (Mechner) and Roland (Gustafsson) to Robert (Cook?) dated 8/25/1989 wishing him well at college and then show some randomly colored blocks.

I have yet to see these run in meatspace, though I’ve hand-assembled the motorcycle code and tried it out on an emulator. Which is a ridiculous thing to do, really—this is code that uses hardware banging against other hardware to make a noise. However, if you can compile it, OpenEmulator does in fact do a good job of emulating the sound, though Virtual II didn’t manage it despite otherwise being pretty accurate with its emulated disk noises. Copying and pasting the assembly code below at the monitor prompt will get you the hand-assembled program, though:

6000: A2 60 BD 89 C0 BD 87 C0 BD 80 C0 20 2C 60 BD 85 C0 BD 86 C0 20 2C 60 BD 83 C0 BD 84 C0 20 2C 60 BD 81 C0 BD 82 C0 20 2C 60 4C 05 60 A9 06 85 00 2C 70 C0 EA EA 2C 64 C0 30 F9 C6 00 D0 F2 60 N6000G

The other Easter eggs would take too long to hand-assemble, and I haven’t yet imported the PoP code into a compilable form for any assembler, so I’ve left it at that for now. If anyone has a real disk, real hardware, and a video-capturing machine, I’d be interested to see these Easter eggs actually being triggered.

[Update: Antoine Vignau pointed out that the secret keys were already documented in the crack documentation, and pointed to a disk image that allows you to play with the Easter eggs by pressing 1-5 upon startup: Brain Trust's Prince of Persia crack. Still was neat to discover myself, of course!]

Jun 112014
 

I’d always been fairly aware of the Peelings II magazine back during the early 1980s when the Apple II was going strong, because they advertised fairly aggressively in things that I did read, but for some reason I’d never really read any of the issues. Probably this is because the magazine wasn’t sold on any newsstands I had easy access to, and I was never motivated to subscribe. Looking at it now, though, it’s pretty interesting. It’s essentially a magazine of reviews, and as such, it provides quite a bit of useful information for the modern-day retrocomputing enthusiast.

Peelings ii v4n1 7

I looked around a bit, but I couldn’t find any issues scanned online. I have exactly seven issues of the magazine, the first 7 issues of 1983. The issues don’t have dates on them (apart from “1983″), but it appears that Peelings II came out 9 times per year.

So, I scanned the ones I have. And they are linked below. They’re scanned at 600dpi, so the files are fairly large.

Peelings ii v4n1 Peelings ii v4n2
Peelings ii v4n3 Peelings ii v4n4
Peelings ii v4n5 Peelings ii v4n6
Peelings ii v4n7  
Dec 112013
 

I tried making some nibble copies of Origin Software’s Autoduel to run in an emulator, and of course it didn’t work. So I figured I’d try my hand again at boot tracing. Tricky stuff. There are a couple of hints out there about how to make the Autoduel disk copyable (see Computist #38, which refers back to the Ultima IV soft key in Computist #28, and “Toinet”‘s discussion of Ultima IV), but for the most part they don’t talk about what it’s doing, they just talk about the end result, what you need to change to defeat the copy protection. I will instead see if I can delve into the copy protection itself.

Using Virtual II’s Inspector, I managed to trace a bit down. It is kind of long and involved figuring out what everything does, even when it turns out to be innocuous. Let me just hit the highlights here.

When I try to boot the nibble copy, it just hangs. Why?

When it boots, it starts at $801, which loads in a few more sectors, and then jumps into it at $B700. The first kind of neat trick they did here is that the 26-byte program at $B700 takes everything in memory from $B71A onward and EORs it with $E6. So, you wouldn’t be able to find the code on the disk, because it’s all been (weakly) encrypted. Once the decryption is done, execution falls into the decrypted code at $B71A.

Autoduel decrypt b700

If we set the breakpoint at $B71A and let the decryption execute, we get much more sensible code there.

Autoduel decrypted b71a

Now we can actually look at what’s happening. And I did, but I won’t go into all the gory details here. The code at $B71A basically sets a bunch of parameters (and disables Reset), calls $B793, and then goes to $9D82, which is surely a DOS 3.3-like entry point. So, the next bit of trickery to be concerned with is what happens at $B793, where the rest of DOS is loaded.

The instruction at $B793 is just a JMP to $B800, but the first thing that happens at $B800 is that it goes back and modifies $B793 so that it starts with a LDY $B7E5 instead of a JMP $B800. So $B793 will be a useful routine, in fact it is going to be where execution continues shortly.

Autoduel address check b800

After it’s “un-patched” $B793, a counter is set to 7, and the disk is checked to see if it is write protected. If it isn’t, execution is diverted to $B830, which heads off to $B76B. This is fatal, if we look at what $B76B does, it moves a chunk of code from $B779 to $E0 and executes it. The chunk of code that it moves there just wipes out RAM and hangs in an infinite loop.

Autoduel move kill code b76b

Autoduel kill code e0

So, that’s the source of the hang I was getting, triggered just by the fact that the disk was not write protected. But write protecting the disk doesn’t solve the problem, it just moves us on to the next stage of the copy protection.

If we pass the write protection test, the next thing it does is call $B83E, store the result, call $B83E, and compare the result with what we stored the first time. If we get the same result for each pair of calls, the counter is decremented, and it tries again. Once it has made seven attempts, we are again sent to the kill code at $B76B. So, now the question is, what is $B83E looking for and returning?

Looking at what’s happening here at the beginning, it’s pretty clear. It’s looking for address marks D5 AA 96 on the disk. Then it loads four more nibbles, but throws them away (they should be the volume number and track number of the address it found).

Autoduel b83e t0s0 check

Continuing on after that point, from $B86E, it then looks for the nibble sequence AA AA, which would indicate that it is looking at sector zero. If it wasn’t looking at sector zero, it goes back and tries to find another sector. If it did find sector zero, then it loads up five more nibbles and returns with the last of them. These should be the checksum and then the address field closer, which on a DOS 3.3 disk is generally DE AA EB. So if this were a DOS 3.3 disk, we’d expect it to return EB.

Autoduel b83e t0s0 check end

In actual fact, the nibble stream I captured on side one of the disk has an address field closer of AF A5 AA for track 0 sector 0. Ultimately what this means is that every call to $B83E is coming back with AA. It is always the same, and so eventually the retry counter reaches zero, memory is wiped, and the program hangs.

At this point, I don’t actually know what they did to the original Autoduel disk to result in having the address field closer on track 0, sector 0, come back with an inconsistent third value. But I did know how I could fake it, and maybe this is how it was done on the original disk as well, although it was not captured by SST if so. What I did is found the stream of sync bits at the end of track zero (a whole bunch of FF nibbles), and stuck D5 AA 96 96 96 96 96 AA AA 96 96 96 96 96 in there in the nibble image using a hex editor. Breaking that down, it is the address field header D5 AA 96, four throwaway nibbles (96), the two AAs that the routine is looking for to identify sector zero, and five more throwaway nibbles representing the slots for the checksum and the address field closer. The important thing here is that the last nibble is not AA (I chose 96, but anything but AA would work).

This will now pass the protection check at $B800, and I didn’t have to modify any of the code. When it is looking for sector zero, sometimes it will find the real one and get AA as the last nibble and sometimes it will find my fake one and get 96 as the last nibble. They won’t match, and so execution continues back at $B793 without ticking down the counter and hanging.

The code at $B793, after having been modified by the routine at $B800, goes through and loads the rest of DOS, which it does through repeated calls to $B7B5, which stifles interrupts and passes control to $BA00. This is all basically just RWTS calls. However, trying to boot the disk at this stage still doesn’t work, it just grinds. So, there’s still one more level of protection somewhere.

I had observed above that the address field closers on the front side of the disk were abnormal, they generally start with AF, and then it varies, but they are not the usual DE AA EB. The address field closers on the back of the disk are DE AA EB, though. So, that’s a natural place to look, based on the experience with the Electronic Mailbag I detailed earlier. And it turns out Autoduel does a very similar trick. Deep in the heart of the RWTS routines, we find the part that reads the address field at $BE4D. It’s a little hard to follow, but it’s looking for D5 AA 96, grabs and decodes the next eight nibbles (volume, track, sector, checksum), and then starts looking for the closer at $BE8C.

Autoduel rwts addr closer

If it finds DE, the job is done, nothing else is checked. This would happen if we were reading the second side of the disk. The carry flag is cleared to indicate no error, and we’re out. If it doesn’t find DE (and it would have found AF on the front side of the disk), then it does that same thing I saw on Electronic Mailbag, it waits a couple of cycles then sees if it has gotten enough bits in (even before the whole nibble is read) to exceed 00001000. If it has, it reports an error. So again, I think what must have happened on the real disk is that there were some extra zeros written here to delay the arrival of the second nibble. In an emulated nibble image, this is not really an easy option.

Probably at this point, I could have tried to go through the entire nibble image and replace all of the initial two nibbles in the address field trailers with AF 00. That might work. It seems like a drastic change to make, but it has the advantage that the protection code could be left untouched. Because the address field closers are not really consistent in my image of the first side, though, a simple search and replace wouldn’t work. Moreover AF 00 is not a valid nibble sequence, so it relies on the emulator being willing to overlook that. Perhaps a simpler alternative would be to change those AFs to DEs in the first nibble of the address field closer, but it’s still not an easy search and replace to perform as far as I can tell using the hex editor I’m using.

One thing that does work, though it requires patching the code, is changing the CMP #$DE (which gives the second side an automatic pass) to AND #$8E CMP #$8E, since both DE and AF are 8E when ANDed with 8E. This gives both DE and AF an automatic pass. So if you’re sitting at the breakpoint that catches that very first write protection check, you can alter BE91 to 29 8E C9 8E F0 07 EA EA EA EA EA D0, which results in this:

Autoduel rwts addr patch

This leaves a little bit of protection in place to catch genuine disk errors (though I guess those are unlikely using an emulator), while allowing either AF or DE to be satisfactory first nibbles in the address field closer.

So, with the nibble image modified to contain the additional fake sector zero header on track zero, and a breakpoint set at the write protection check so I can set the negative flag and patch BE91 as above, resuming from there allows Autoduel to boot. This leaves the disk in pretty much its originally protected state, minus whatever bit delays were allowing it to actually pass the protection and accordingly, minus the check for them.

Autoduel splash screen

The last step is to write my new code back out to the nibble image. Again, I have the problem that this is a nibble image I’m trying to modify (because I want to leave the protection as close to intact as I can), and so replacing those 12 bytes is not a simple task.

Following the same procedure I used before with Electronic Mailbag, even after EORing it all with E6 to re-encrypt it, didn’t seem to work, I was still unable to find the nibble stream I needed in the Autoduel nibble image. So I’ll have to leave this project here incomplete, but at least with a beginning of an understanding of where the checks are and what they’re checking for. There may be something else going on (though the nibble image preserved it, since the disk boots). For the moment, the image is only usable by setting a breakpoint and modifying the code in place, then resuming the boot. Perhaps I’ll come back to it. The short version of how to get the disk to boot as-is in Virtual II: Set a breakpoint at $B81C, boot, set the negative flag, replace BE91 with 29 8E C9 8E F0 07 EA EA EA EA EA D0, and resume.

  • Autoduel side 1 (nibble image, still won’t boot without live patching of memory)
  • Autoduel side 2 (nibble image, works fine, a DSK might be fine too)
Nov 282013
 

MUSE Software is probably most famous for Castle Wolfenstein, already a fairly early game for the Apple II platform, but they got their start much earlier. In 1978, MUSE was already producing quite a few titles on cassette, back when their name stood for Micro Users Software Exchange.

Mazegame tape 4

Already by 1979, they’d switched to referring to themselves as The Muse Software Company or The Muse Company, and then by 1980, MUSE Software, which stuck until the end. I tend to refer to them as MUSE now. The company had an interesting history, and there’s lots to say about them. Someday I’ll write more, though others have already written about them. Ed Zaron, Silas Warner, and Jim Black started the company, and Ed and Silas wrote pretty much everything during the early years.

There’s a nice overview of Silas Warner’s story at the Digital Antiquarian (Silas Warner and Muse Software), and the audio from Silas Warner’s presentation at KansasFest 1992 was preserved and made available. Softalk February 1982 has a company overview (Exec Muse) but I haven’t scanned it yet.

This post here is not about Maze Game (the picture of the tape above was just to show that MUSE was originally an acronym), though I’ll do a post about that later, but rather about ABM, one of the titles that MUSE released shortly before Castle Wolfenstein. Silas Warner speaks a bit about it in the KansasFest talk, I’ll transcribe what he said here.

ABM was written [...] just before we started Castle Wolfenstein. [...] As far as we knew it was a straight license from Atari Missile Command. Basically we wrote it and then Atari — we knew Atari was going to come back and someday say “We want a license fee from you,” but we figured we could get a few sales in before they actually demanded it. They came back, demanded a license fee, we paid it, and ABM came on that. By the way, there’s an interesting story about the title of ABM. We built a scrolling thing that would print up “ABM” in black and white squares using the text screen. So it would come up and then the rest of MUSE software and all that would come up. The “ABM” would scroll up from the bottom, real quick. Well, we made a mistake in that program, and instead of “ABM” scrolling up from the bottom and stopping, “ABM” would scroll up from the bottom — blip blip blip blip, up continuously. And we thought this looked so good that we kept it in the game, only adding a counter so it would do that five times.

The packaging for ABM was a simple white cardstock with red and black ink, sold in a baggie, the disk the standard Dysan disk (that MUSE pretty much always used) with a typewritten label. The instruction card on my particular copy had been folded in the middle, but was otherwise in remarkably good shape. Both the instruction card and the disk read “Audiovisual licensed from Atari.”

ABM packaging

I made a nibble copy of the disk image, and a scan of the card, which are below. The nibble image works fine in Virtual II.

ABM splash screen

ABM title screen

The gameplay is pretty much just Missile Command. The screen shot below is taken from the self-running demo that starts if you don’t start playing, incidentally. I’d like to think I’d do slightly better if I were actually playing.

ABM game play

Nov 232013
 

In a previous post, I went over the contents of The Electronic Mailbag program, but I want to also run through how I managed to get it into a usable format, since it was an interesting foray back into the world of boot tracing.

The disk itself is fairly resistant to copying, throwing lots of errors in most every program I tried. I had hoped just a nibble copy would suffice, but it didn’t.

When you start the program, it clearly is just booting DOS 3.3 (or, actually, as I discovered later on, Diversi-DOS, which is a modified and optimized version of DOS 3.3). It looks just like any standard-issue disk when booting, it makes the normal sounds, shows the Applesoft prompt, and runs a startup program. So it should be relatively easy. Nevertheless, the bit copies I made would grind and grind and then restart when I tried to use them.

So, step one was to grab the nibbles, which I accomplished using SST (Saltine’s Super-Transcopy), a modified version of the EDD (Essential Data Duplicator) copy program that allows to save the nibbles it collects during a copy operation onto two data disks, that can be later used to reconstitute the original disk. I saved the half tracks as well just in case, though they didn’t turn out to be necessary. Using the CFFA3000, I was able to put these data images on a USB stick that I could then move to my Mac for the rest of the work.

Mailbag sst

Once the images are on the Mac, running SST on an emulator allows you to reconstitute the nibbles onto a nibble image. I’m using Virtual II on the Mac, which has a bunch of very useful features for making this boot tracing adventure easier. Running SST in reverse and saving onto a .nib format disk image, I wound up with a mostly-faithful copy of the disk. What is not preserved is any kind of special timing information.

Inserting the disk into Virtual II and booting it just resulted in a bunch of disk grinding and rebooting. So, I decided to start watching what it was doing to see if I could find where it was going wrong.

The “normal” procedure for boot tracing is to copy the Disk II controller boot ROM into RAM somewhere and modify it so that when it is about to jump to the next stage, it instead stops, so you can examine memory. The ROM loads track 0, sector 0 into $0800 and then jumps to $0801, so normally you just change the jump to a return (60) and then look to see what it loaded.

This is where modern technology comes in, though. Now that the machine is virtual, it is no longer necessary to do all of that in quite such a step by step way. Instead, I just set a breakpoint at the jump to $0801 and used Virtual II’s fantastic “Inspector” panel to see what was happening.

Mailbag inspector 0801

Then just restart the machine and boot the disk, and it halts. The code it executes at $0801 loads the next stage of the boot process, and it’s pretty standard DOS 3.3 stuff. It loads the first 10 sectors of the disk into $B700-BFFF (which provides the basic RWTS [Read/Write Track/Sector] routines) and then jumps into it to load the rest of DOS in. Usually, this jumps to $B800, but here it is jumping instead to $BB00. So, set a breakpoint there (and best to clear the breakpoint at $C6F8, since that gets called repeatedly until RWTS is loaded).

Mailbag jmp bb00

Resuming on, it loads RWTS and stops at the breakpoint so we can investigate.

Mailbag bb00

It turns out that what happens at $BB00 is a little patch. This sets the reset vector so that pressing Reset won’t let the user out of the program (it will jump to $B75D if you hit reset and tells the machine it was just powered up), it stores $AA in zero page address $31, and then resumes the normal booting procedure at $B700. So this is a little bit of protection.

The code at $B700 is pretty much standard, there’s nothing of interest here that’s different from normal DOS 3.3. So, it loads all of the rest of the sectors to bring in DOS and then jumps to the DOS coldstart entry point at $9D84. However, it is clear from booting the disk that it never makes it to the DOS coldstart call. When it tries to read the disk, it just gets drive errors and fails. So there must be something tricky in the read part of RWTS. Let’s see.

The part of RWTS that reads the address marks is at $B944 (and this is all made much easier of course by the fact that this is just a slightly modified DOS 3.3 being used here, so all of the known entry points still seem to be valid). What this does on a normal DOS disk is this: it reads things on the disk until it encounters the nibbles D5 AA 96, after which it expects to find address information that tells it where it is on the disk, consisting of a track number, sector number, volume number, and checksum. After those, it expects to find DE AA, and then it is ready to start reading the sector data. It is actually a fairly common copy protection trick to alter these signatures, since normal DOS won’t be able to find any data if it can’t find the address marks. Looking at this, I see that it does something a little bit unusual here.

Mailbag address marks

Instead of looking for a nibble value of D5, it instead checks to see if the value it read, shifted one bit to the right, is 6A. As it happens, D5 shifted one bit to the right is 6A, so it would recognize normal D5 address mark nibbles, but it would also recognize D4 as well. A search of the nibble image does reveal a few D4AA96 headers (as well as D5AA96 headers), so that was one trick they used to keep the disk from being copyable. The second nibble in the header is normally AA, but here, rather than checking for AA, they check for whatever is in zero page address $31. Back a couple of steps ago, the patch at $BB00 put AA in $31, and as far as I can tell nothing ever changes that. Maybe this was a protection mechanism that they in the end opted not to use. So, the code is slightly different from standard DOS 3.3, but the effect is the same. Then, it wraps up by looking for 96 as usual. So, we now know that it is willing to accept address fields starting either with D5AA96 or D4AA96. While interesting, this hasn’t really gotten us any closer to making the disk boot, though, since the nibbles are recorded faithfully and the mixture of D5AA96 and D4AA96 headers were accordingly preserved as they were.

After reading the headers, it does the standard thing to bring in the track, sector, volume, and checksum information, and then it looks for a DE nibble to close the header, but then it does something strange.

Mailbag cmp 08

Normally, DOS would check for a DE, then check for an AA, and then it would be satisfied that the address has been read. What this does, however, is checks for a DE, and then immediately, without even waiting for the entire nibble to be read, pulls in some bits off the disk. If the bits it pulls in come too quickly, it reports an error. Specifically, it is reading the data latch (LDA $C08C,X) and if it has already gotten enough 1 bits to exceed 00001000, then it branches off to report a read error. So, what must have happened is that on the original disk, some extra zeros (or just a nonstandard nibble) were written after the DE nibble in the address field trailer. If those extra zeros are not there (and they wouldn’t be either in this nibble image or likely in a nibble copy), then the disk must not be the original.

So, that’s why it’s throwing all these read errors. But there is an easy fix. We just tell it not to react with an error even if it got the next nibble too quickly, by “commenting out” the branch to error. Specifically, replacing that instruction (BCS $B942) with NOP (no operation) commands. Fortunately, Virtual II also allows you to alter memory on the fly, so we can insert those NOPs now.

Mailbag nop nop

With that modification in place, resuming allows the disk to boot property.

Mailbag booted

If we were willing to set a breakpoint and modify the memory each time we booted the disk, we’d be done. But of course it would be nice to record those NOPs in the code it loads from the disk, so that it would just boot on its own.

This turned out to be a bigger challenge than I thought it would be. Ideally, I would have just copied the sectors over onto a normal DOS 3.3 disk and then used a disk editor to alter those bytes. But this address mark trickery was foiling almost every copy program I tried. This would still be the next step, since it is likely very feasible to turn this into a regular DOS 3.3 COPYAble disk. However, most copy programs are set up to handle altered address marks, and don’t allow you to completely ignore the closing marks, and after a while fiddling with Super IOB and modifications to RWTS, I decided I would just change the nibbles in the nibble image.

This is not an easy task. The form the data takes on the actual disk is actually quite far removed from the form it takes in memory. Each section is 256 bytes long, but due to the way the disk hardware works, it can only read 6 bits at a time. That’s what the nibbles are, 6 bit representations of parts of the bytes it is trying to read. So, when a sector is written, the bytes are all broken up into 6-bit chunks, with the most significant bits stored in one buffer, and then a mixture of the least significant bits, grouped together, in a second buffer. Once this is done, the 6-bit data is then run through a translation table to get to the actual nibbles that are written to the disk. Furthermore, the nibbles are not a straight translation through the table, but are also exclusive-ored with the previous nibble in order to generate a checksum at the end. So even though I knew very well that what I wanted to do was find the sequence C9 08 B0 A5 and replace it with C9 08 EA EA, finding that in the nibble stream is not at all easy.

I did some math and worked through lookup tables, thought I’d gotten what I was looking for and then got foiled by the fact that the nibbles are all exclusive-ored with each other, and finally gave up and decided to take a possibly easier route. I extracted the RWTS from the protected disk by setting a breakpoint at $BB00, and then moved the program counter to $FF65 (reset), moved the RWTS into memory that would be safe across rebooting, booted another disk, and BSAVEd just the page with the C9 08 B0 A5 in it onto a newly formatted nibble-format disk image. Then I replaced B0 A5 with EAs (the desired change) and BSAVEd the same page. And then I went in with a hex editor, located the two sectors that had the “before” and “after” data, copied it out into a text editor, and just scanned the lines until I found the differences. There were two triples that needed to be changed. A D6BDEA that needed to change to DBB4D7, and a EB9EB7 that needed to change to F79696. This was at a cost of a bit of time and eyestrain, but ultimately seemed like the simplest way to do what I was after.

Mailbag nibble compare

So, in a hex editor, I made the changes to the Electronic Mailbag nibble image, so that the address mark trailer check was NOPed out, and that is the nibble image I posted before. And which I will repeat here. The data disk is a normal DOS 3.3 disk.

I almost thought I still had something left to do, because when I tried to use it and it asked for the original disk to be inserted, it wasn’t recognized. I again turned to Virtual II’s inspector and took a little tour through the program that was loaded, looking for the text of the message that asked for the original disk to be inserted. A closer look revealed what the problem was.

Insert master disk

This is the Applesoft code, and all of the Applesoft keywords are tokenized, so it’s a bit hard to read. But you can use a grid of Applesoft tokens to decode it. The line that prints the message starts at $3BFB. It points to the next line (at $3C53), it is line number $84DA=34010 and it says HOME (97):VTAB (A2) 12:PRINT (BA) ” INSERT THE MASTER PROGRAM DISK AND PRESS A KEY”;:GET (BE) A$:PRINT (BA). The next line references the following line ($3C5E), is line number $84E4=34020, and says GOTO (AB) 34004. So, where is 34004? That would be line $84D4, which starts at $3BD4. It says PRINT (BA):HOME (97), then the next line says PRINT CHR$(4);”VERIFY SYSTEM”:GOTO (AB) 281. Ok, now where is 281? That’s $0119, so back to the early part of the program… One of the great things about Virtual II’s inspector is that you can just search memory, so I searched for 19 01 and found it right away.

Mailbag line 281

Without parsing it out, clearly it is invoking DOS to delete a file, and rewrite it as a text file that runs whatever is stored in F$, possibly the program that was chosen from the menu selection. This gave me an idea, though. Maybe all that it was doing was presuming that it was not using the original disk if the disk was not write protected. So, I tried write protecting the disk image, and presto! No more problems recognizing the original disk. So, I didn’t need to change anything after all, this was just enough exploration to give me an idea of what to try.

There’s no check here exactly, but the most obvious way to make it behave this way is to use the ONERR GOTO command, which traps errors and sends program control off to whatever line is specified. From the Applesoft token table, this would mean we should find the tokens A5 AB somewhere (ONERR GOTO), and searching around in memory I did find a few places where this was used. I didn’t investigate all of them, but they all send program control into those sections at the end of the program in the 30000 range.

Mailbag onerr goto

Anyway, so that’s how I got The Electronic Mailbag to run properly in an emulator. It is in almost pristine form, the only thing I had to do was NOP out a single check in the RWTS on the address field trailer. It is not “cracked” insofar as if it were written back out to a floppy, it wouldn’t be much more copyable than it was before (though now a bit copier should be able to copy it successfully). It actually shouldn’t be all that difficult to get it into a more standardized DOS 3.3 format from here, since it is basically just in a slightly warped DOS 3.3 format already, but for archival purposes, the goal is already achieved, so I’ll probably direct my energy elsewhere.

Nov 232013
 

A while back, I got a copy of a disk called The Electronic Mailbag from eBay. The purpose of the software was to help the user get used to the idea of electronic mail and how checking/sending messages, printing, mass emails, and searching worked. A way to practice without the hazards inherent in using actual electronic mail.

Electronic mailbag disks

I thought “that sounds comical,” and wound up with the disks. Something to archive, as far as I know this is essentially its first appearance on the internet. According to the label and the screens within, it was produced in 1985 by a company called Exsys.

It isn’t really comical, though, it is pretty straightforward. If there was a manual, I don’t have it, and it doesn’t provide any amusing speculations about the future of email. It’s really just a program that mocks up an email interface and allows you to exchange messages with other people who have an account on the data disk. What was actually quite a bit more interesting was preparing this for use in an emulator. Though it is still kind of interesting that a product like this existed, from back when email was fairly new and relatively uncommon. These were the days when even BITNET was new, email was mostly for CompuServe and BBS users.

Here, I’ll just walk through the program. In a later post, I’ll discuss the lengths I went to to bring you the disk image. First the disk images, there is a program disk and a data disk. The data disk is a normal DOS 3.3 disk, and the program disk has to be used in this nibble format because I have not fully deprotected it, only got it to work with the nibble copy. The program disk must be write protected (which I note is not in the instructions anywhere, and the original disk is not write protected—nevertheless, it will refuse to recognize the program disk as original during a requested disk swap if it is able to modify the disk). In Virtual II on the Mac, write protecting a disk can be accomplished by “locking” the file (Get Info on the file in the Finder, check the “locked” checkbox).

When you start it up, you can either start the program, or go to the utilities. Let’s start with the program. There are three “levels” that the program can be run at, set within the utilities (basic, intermediate, and advanced). We will start at the intermediate level. At the basic and intermediate level, you have graphical menus.

Mailbag top menu

The first step in any email-related experience is to log in. You log in by entering a last name and a first name, and if you don’t yet have an account, entering “NEW” (otherwise, entering your password).

Mailbag login please Mailbag login last
Mailbag login first Mailbag login new
Mailbag insert data Mailbag new password

Once we have established who we are, we are presented with the main menu. The options are to read mail, send mail, get a list of users, and exit. We have no mail waiting.

Mailbag menu nomail

You are not allowed to send email to yourself, it seems, so I used another user account that was already on the disk and sent mail to myself. Here is what it looks like. There is no word-wrap, so if you type up to the end of the line, it will just beep at you. When you are ready to send or you realize you have made a mistake, you press Esc and you are presented with a basic line editor, where you can edit or delete a line, start over, or send.

Mailbag send mail

Mailbag send nowrap

Mailbag send message

Mailbag editor menu

Now, when we are back at the main menu, we have mail! Which we can read. (I obscured the name of the other account on the disk, but it doesn’t matter. There are no messages saved, and so certainly none that might compromise any future political careers.)

Mailbag youve got mail

Mailbag read mail

That’s basically it. Though, once you’ve mastered intermediate email, you can move on to the advanced level. This is accomplished by rebooting the disk and going into the utilities menu, and selecting the advanced level. Also in the utilities is the ability to send a “form letter” to all users.

Mailbag utility menu

Mailbag data disk utils

Mailbag form letter

Mailbag form letter text

The “advanced” version is non-graphical, simulating what you would experience over a modem in 80-column mode. When you log in, it helpfully tells you “Connection established” on “Port 14.” The options are mostly the same, though the ability to send messages to multiple recipients is now available, as is a user list search.

Mailbag advanced login

Mailbag advanced logging in

Mailbag advanced menu

Mailbag advanced read

And that’s about it. I decided not to take screenshots of every single thing you can do with the utility program, but it allows you to catalog the data disk, read messages, look up passwords, set the interface level. As far as I can tell, the main difference between “basic” and “intermediate” levels is that at the basic level you don’t have the text editing options in the graphical interface, you can just send or start over.

Mailbag basic send

The description of this program has already gotten so long that I won’t detail here how I got it into a usable nibble format, but I will post that soon, since it is interesting in its own right—actually quite a bit more interesting than it is to have preserved the program.

Nov 092013
 

One of the tapes I recently got was this one. On the front it says “Road Race Game”, copyright “WOW”. Ok. I’m appropriately awed.

Wow road race tape

Flipping it over, I saw that the other side contains “Space War” and that “WOW” is short for “Wise Owl Workshop”.

Wow space war tape

I’d never heard of Wise Owl Workshop before. And Google barely has either. There are a couple of passing references to them, but they seem mostly unknown to the internet, and not really represented at all in online software image collections. So, it’s actually kind of likely that this tape hardly exists anywhere else, and that the images I made of it are the first to hit the internet. WOW seems to have written some education and science related software for Apple II, TRS-80, C64, some on tape, some on disk. The fact that they just used a standard data cassette with a typewritten label stuck on it suggests to me that they were a pretty small operation. At least at the time they were distributing this tape.

Anyway, on to the programs. Below are WAV and AIFF files, and I’ve tested the AIFF files in Virtual II. The DSK files below are for use if you just want to play the games without monkeying around with the tape interface.

In Space War, you can play against another player or not, and you can either be shooting at the other player, or the “stars” between you.

Space war start

In two-player mode, each player is controlled by a paddle, and you shoot horizontally, either missing entirely, or hitting the other player or a star in the way. In “shoot the stars” mode, you just shoot at the stars.

Space war play

In two-player mode, this has the potential to be kind of engaging, I suppose.

Road Race Game is a road race game. When you start it up you are presented with some options. The course complexity I believe controls how sharp and frequent the zigs and zags are. If you choose the standard course, I assume you get the same course each time, and otherwise the zigs and zags are randomized. I have not tested these hypotheses very thoroughly but it seems true and sensible.

Road race start

You control a car with the paddles. Paddle 0 controls the horizontal position and paddle 1 controls the throttle. Button 0 applies the brake, and button 1 just ends the game. If you don’t end the game intentionally, it seems to end after 2 minutes (after the clock reaches 120). The goal is to keep the car between the posts, which zig and zag, and points are awarded for progressing and taken away (quickly) for being off the track. The game is a bit like Night Driver, though more primitive. It doesn’t seem like a very hard game, though I didn’t spend much time playing it.

Road race play

Anyway, another tape saved for posterity, though I don’t expect posterity will really spend much time playing either of these games. Still, somebody put work into writing them, and now that work is at least not lost.

Nov 082013
 

Back when the Apple II was new, there wasn’t a lot of software available for it. On the earliest price list I’ve seen, April 1977, Apple listed the Apple I™ and several cassette tapes for it, and the then new Apple II™, but with no software available. The next iteration of the price list, October 1977, dropped the Apple I entirely, listing only the Apple II, but still with no software available. One thing that I found interesting about those two early price lists is they contain the only explanation I’ve seen for the coding system that Apple used for the things it sold. Here is the legend from the April 1977 price list (cropped from the scan made available by The Mothership):

Apple codes

So, if you’ve ever wondered about the A2M0003 on the disk drives, or the A2T0008X on cassettes, this was the rationale. A is for Apple (that’s good enough for me) and 2 is for the model, both of which are basically fixed after the April 1977 price list, since no mention was made of the Apple I after that. Until we get to the Apple ///, which did use the designator A3. The next letter indicated Tape, Literature (manuals), Module (external peripherals, which would include the Disk II, A2M0003, but also smaller things like memory and the Programmer’s Aid #1 chip), Component (like printer paper), Board (back when you could order the Apple II as just a board, and also including peripheral cards), System (board in a case with keyboard, power supply, speaker). Once disks appeared, the D designation for software on disk was used. For boards and systems, a three digit code indicating the amount of memory, and an X “for future use.” For things other than boards and systems, the four digit numeric code was a sequence number in essentially the order of release.

It’s a nice scheme, though they didn’t entirely stick to it. The three digit memory code turned into a four digit code, with the first digit distinguishing between standard Apple II (as of the introduction of the red label, the model number was printed on the bottom, with a “0″ in the first digit, then the three digit memory code) and Apple II+ (where the first digit was a “1″). The “X” for future expansion was for some reason explicitly included as part of the model numbers printed on the cassettes, and it was used at the very tail end of the Apple II+ (model number A2S1048A). Apple “Special Delivery Software” had codes starting with “C” rather than with “A”, then a 2 or 3 (depending on whether it was for the Apple II or Apple ///), a sub code indicating Education, Home, Business, or Science, and then a sequence number basically counting up in the order of release.

The first price list where I found software listed for the Apple II was June 1978, at a time when the Disk II was still new and all of the software was on tape. Which brings me to A2T0008, new in the June 1978 catalog, containing Blackjack and Slot Machine.

002 0011 00 black jack a2t0008x

002 0011 00 slot machine a2t0008x

The Apple tapes have an additional number on them, this one has 002-0011-00. It’s not entirely clear to me what these signify, but I expect that the 002 was originally designating software for the Apple II. Later on in the production of the tapes, they would use 600 here instead, with sequence numbers like 20xx, and my suspicion is that the 600 designation was for tapes that were included as a set with the computer. There are also a few tapes that have 685 here. So the Startrek/Starwars tape, while always being part number A2T0002X, exists at least as 002-0006-00 and 600-2013-00.

But that was all a kind of long-winded introduction to what was really intended to be a post about Blackjack and Slot Machine. I have done the audio imaging of the cassette, and the audio files (in WAV and AIFF format, the AIFF having been tested to load fine in Virtual II) and disk versions made to simplify use in emulators are below:

Slot machine splash

Slot Machine is a simulation of a standard, quarter-taking slot machine, drawn in lo-res graphics.

Slot machine start

The mode of interaction is kind of neat, you “pull the lever” by swiping the paddle (or horizontal axis of a joystick) from one side to the other. This may have been more effective with the original paddles that Apple included with the machine, which were essentially the paddles below from the Adversary console—they actually had a “paddle” form on a one-dimensional track. Spinning a standard later paddle wouldn’t have quite the same feel, though a joystick works well to recreate the effect (as long as you hold it turned 90 degrees).

Adversary paddles b

All you do in the game is wiggle the paddle back and forth to spin the dials. You win some, you lose some, though the house gets killed. You win far more often than you lose, so you can walk away with as many virtual quarters as you have time to accumulate.

Slot machine play

The Blackjack game on the other side of the cassette is quite a bit more interactive. You start by telling it how much money (in whatever your favorite denomination is, it’s only interested in the number) you wish to start with. As far as I can tell, this makes little difference to anything. The game doesn’t stop when you reach zero, it will happily continue playing when you are down. In fact, the game doesn’t stop at all.

Blackjack start

On the play field, the dealer’s cards are shown in the top row, and yours in the second row. From here, you choose whether to hit, stay, double, or split.

Blackjack play

If you bust, you lose your bet. Here I am, 470 drachma down.

Blackjack bust

You can win it all back the next time, though, if you’re lucky and skillful…

Blackjack win

…or, if you cheat. If you’re worried about owing your Apple II hundreds of kroner, just bet a negative number and bust, and you’ll be doing fine.

Blackjack bet 6502

Oct 192013
 

At a few different times in its history, Apple has published magazines of a sort. These were not just catalogs, although they did of course promote the Apple cause. The Apple magazine lasted for a few issues in the early 1980s, and I will be posting scans of those at some point in the future. Later on, there was an Apple magazine issue that made an appearance in 1997, but as far as I know was just a single issue and then the project was dropped again. In between, Apple produced two issues of Apple on Apples. I don’t believe that there were any more than those two. Apple seems to keep thinking this is a good idea, but then changing its mind and just going back to publishing catalogs. The second issue is undated, but the events list suggests it is from early 1983, so I’m going to guess January 1983.

The Apple on Apples issues are quite short. The first one has only a couple of contentful articles, amounting to a profile of a couple of companies using Apple II Pluses to run their businesses, and an interview with Mike Markkula. The second issue is more developed, with articles on Logo, the Lisa and //e, online and local networking with the Apple II Plus, an interview with Paul C. Dali, profiles of Allen Dziejma and Paul Lutus, and tips on integrating Visicalc and Apple Writer on an Apple ///.

Each issue features a “puzzler” as well. In the first issue, the questions included “What is the weight of an FCC-approved Apple II?” and the answers were provided. In the second issue, Apple was more ambitious with the puzzler and made it a contest, six winners being awarded “I solved the puzzler” T-shirts. I have no idea if those were ever given out, or what the answers to the puzzler were, because there was no issue number 3. One thing I don’t understand about the puzzler is that in issue 2, they list the winners of the last puzzler, yet the puzzler in issue 1 gave the answers and didn’t provide anywhere to write in. Did they just make those winners up? Very strange. [Update: see below.]

In any event, they’re sort of interesting, and they’re quite uncommon in the wild.

Apple on apples v1n1 Apple on apples v1n2

For the record, the problems I found in the “puzzler” were: One disk has its media access slot sideways, the logo and the feed advance wheel on the Silentype printer are on the wrong side and the plug comes out the back not out the side, the Monitor III is essentially upside down, though the switches are at the top instead of the bottom and are red, there is no useful need for antennae above the monitor, the keyboard is wrong in various ways (missing a row of keys, the space bar is red, some keys are elongated where they shouldn’t be. Anyone have an “I solved the puzzler” T-shirt?

Update: Turns out, there were actually two versions of Apple on Apples v1n1. The one I scanned and discussed here says “October 1982″ on the cover, and has the puzzler as discussed, with the answers. The other version does not give a date on the cover, has an additional introductory “About this issue” note, and has a trimmed-down “puzzler” section that actually does give an address to send answers to. Unfortunately, my copy of this second version has some water damage, but I will add a scan of it here shortly.

Oct 142013
 

Pretty much right from the beginning, Apple marketed itself heavily to children and the educational market. Through a happy accident I wound up with what seems to be an untouched Apple Curriculum Materials Kit, from February 1979. From what’s inside, it seems to have been sent out to schools (on request) to persuade them both of the value of having microcomputers in the classroom (as opposed to larger timeshare machines in computer rooms), and promoting the Apple II as the computer that would fit the bill, with a future and plenty of established material already.

IMG 3617

In this kit is a cover letter introducing the materials, an outline of why microcomputers and the Apple II in particular is a great step forward for education, some ideas for computer awareness and literacy units for various grade levels, a price list (effective February 15, 1979), a list of dealers, a list of users groups, and a reply card to get on the mailing list.

For grades K-3, it is suggested that the children might like nice friendly games like “Sink-the-ship” or “Shootout” or variations on “Hangman,” while in grades 4-6, it is suggested that children might enjoy destroying submarines.

Unfortunately, the original version of the reply card referred to the “educators mailing list” and it seems that somebody got nervous about sending this out to educators, and behind the scenes of this little card you can just feel the wheels turning.

Hmm. “Place me on your people mailing list” doesn’t sound right, so “educators mailing list” must not be quite right. “Mailing list for educators” would probably be best, except the cards are already printed. And this is 1979 for heaven’s sake, we’re aren’t anywhere close yet to being the most valuable company in the world. We can’t just print a whole new stack. Well, maybe we can salvage it by saying it’s the “educators’ mailing list.” That sounds nice, kind of personalizes it for them. Ok.

And so, somebody drew in apostrophes on the reply card so that it reads “educators’mailing list.” I don’t think these were hand drawn on each card, but it’s possible. It’s hard to say for sure. But it is clearly hand drawn after the fact.

Anyway, the shape that this kit was in was truly remarkable, given that it took nearly 34 years to wind up in my hands. So, here are the scans.

Dear educator cover letter Microcomputers in education
Microcomputer classroom Apple price list feb15 1979
Apple authorized dealers Apple users groups
Apple v1n1 currkit cover Curriculum reply card