Registered: Feb 2004
What's the process for cracking cartridges?
How was this done in the old days? Convoluted custom hardware soldered together with exotic parts and many wires? Or something boring and straightforward?
I duckduckgo'ed for a bit and couldn't find much info.
Registered: Jun 2002
We copied the ROMs onto PROMs and then manually drew copies of the board onto OH-film, which we then used to produce PCBs, then soldered, flashed the PROMs and inserted them into sockets.
So it's not cracking. Just simple replication.
Registered: Mar 2009
Registered: Sep 2003
DISCLAIMER: don't try this at home!
You can in most cases hotplug the cartridge after starting your dumping software.
If you dump $8000-$bfff to disc you can then examine what happens after the reset by following the CBM80 vectors. Any banking logic, if any, may be deduced from the code there. A visual inspection of the cartridge circuitry will show if banking functionality is plausible.
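To show what "following the CBM80 vectors" means on such a dump, here is an added example (not code from the thread or from any poster): it parses the autostart header of a raw $8000-$bfff image, reads the cold-start and warm-start vectors, and flags vectors that point outside the dumped range, which is the first hint that banking or RAM-resident code is involved. The sample image is constructed inline.

```python
# Added example: inspect a raw C64 cartridge dump (memory image starting at $8000)
# for the CBM80 autostart header the KERNAL checks on reset.
import struct

# "CBM80" in PETSCII: the letters carry bit 7 set, the digits do not.
CBM80 = bytes([0xC3, 0xC2, 0xCD, 0x38, 0x30])
BASE = 0x8000  # address the dump starts at


def parse_cbm80(dump: bytes, base: int = BASE) -> dict:
    """Return the header fields of a cartridge image.

    Layout at `base`: $8000 cold-start vector (little-endian), $8002 warm-start
    (NMI) vector, $8004-$8008 the "CBM80" signature.
    """
    if len(dump) < 9:
        raise ValueError("dump too short to hold a CBM80 header")
    cold, warm = struct.unpack_from("<HH", dump, 0)
    end = base + len(dump)
    cold_in = base <= cold < end
    return {
        "signature_ok": dump[4:9] == CBM80,
        "cold_start": cold,
        "warm_start": warm,
        # A vector outside the dumped window suggests banking or code that is
        # copied to RAM first, so the loader will need more than a plain load.
        "cold_in_dump": cold_in,
        "warm_in_dump": base <= warm < end,
        # First bytes at the cold-start entry, the place to start reading code.
        "entry_bytes": dump[cold - base:cold - base + 4] if cold_in else b"",
    }


def make_sample_dump(cold=0x8009, warm=0x8009, size=0x2000, sig=CBM80) -> bytes:
    """Constructed 8 KB test image: header, then NOP ($EA) filler."""
    hdr = struct.pack("<HH", cold, warm) + sig
    return hdr + bytes([0xEA]) * (size - len(hdr))


if __name__ == "__main__":
    for name, img in [("plain", make_sample_dump()),
                      ("banked?", make_sample_dump(cold=0xE000))]:
        print(name, parse_cbm80(img))
```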
Registered: Apr 2002
It was common practice to change system ROMs in those days, so I can imagine a ROM hack which asks you whether to dump the cart or start it? :)
Registered: Feb 2004
Thanks for the replies. I was referring to "cartridge to disk" cracks, and wondered how you got into the ROM data stored on the cartridge in order to crack it. Hedning's link cleared up a lot, thanks!
Registered: Jan 2008
Some custom kernals (Dolphin DOS if I remember correctly) allowed bypassing the CBM80 check in memory when a certain key was pressed during startup, thus starting into BASIC. This allowed dumping from memory to disk. Another solution was to read the ROM with an EPROM burner (there were many EPROM burners for the C64, including Promenade, Datel and Rex) and dump it to disk. A third option was either a custom switch or a dedicated hardware product like Cartridge Backer that would disconnect some lines at the cartridge port. A variant of it would be a port expander allowing selection of the lines that should be left open/closed. Not all expanders have such an option.
After dumping the ROM to disk you have to write a loader that would load the dumped ROM into memory and run it. If the cartridge did not have any protection and no banking, it was basically game over (unless you wanted to pack it to make loading faster and link it with an intro). Some cartridges have banking capabilities, so the loader needs to take that into account and it requires some code modification. Another thing is that some ROMs had anti-dumping protection techniques. Some were software based: for example, at the beginning of code execution the startup code tries to overwrite its own memory. This will obviously not work with ROM but will hang the system when the code is executed from RAM. Others had some additional hardware. If I remember correctly MSSIAH had such a thing implemented, which is why it does not work correctly with some hardware emulators/recreations of the C64.
Registered: Jan 2002
I had a switch that sort of disabled the cart, allowing the computer to boot with the cart inserted but not active. I could then enable it, load any software-based machine code monitor not residing at the $8000 area and then save the content of the cart. Pretty straightforward for the vanilla 8Kb carts...
Pontus "Bacchus" Berg
* FairLight Council *