Lord Crucifier
Registered: Feb 2004 Posts: 49
What's the process for cracking cartridges?
How was this done in the old days? Convoluted custom hardware soldered together with exotic parts and many wires? Or something boring and straightforward?
I duckduckgo'ed for a bit and couldn't find much info.
JackAsser
Registered: Jun 2002 Posts: 2038
We copied the ROMs onto PROMs and then manually drew copies of the board onto OH-film, which we then used to produce PCBs, then soldered, flashed the PROMs and inserted them into sockets.
So it's not cracking. Just simple replication.
hedning
Registered: Mar 2009 Posts: 4754
http://markus.brenner.de/cartridge/
tlr
Registered: Sep 2003 Posts: 1797
DISCLAIMER: don't try this at home!
You can in most cases hotplug the cartridge after starting your dumping software.
If you dump $8000-$bfff to disc you can then examine what happens after the reset by following the CBM80 vectors. Any banking logic, if there is any, may be deduced from the code there. A visual inspection of the cartridge circuitry will show if banking functionality is plausible.
Oswald
Registered: Apr 2002 Posts: 5110
It was common practice to change system ROMs in those days, so I can imagine a ROM hack which asks you whether to dump the cart or start it? :)
Lord Crucifier
Registered: Feb 2004 Posts: 49
Thanks for the replies. I was referring to "cartridge to disk" cracks, and wondered how you got into the ROM data stored on the cartridge in order to crack it. Hedning's link cleared up a lot, thanks!
AlexC
Registered: Jan 2008 Posts: 299
Some custom kernals (Dolphin DOS if I remember correctly) allowed bypassing the CBM80 check in memory when a certain key was pressed during startup, thus resulting in starting with BASIC. This allowed dumping from memory to disk. Another solution was to read the ROM with an EPROM burner and dump it (there were many EPROM burners for the C64 including Promenade, Datel and Rex) to disk. The third option was either a custom switch or a dedicated hardware product like Cartridge Backer that would disconnect some lines at the cartridge port. A variant of it would be a port expander allowing selection of lines that should be left open/closed. Not all expanders have such an option.
After dumping the ROM to disk you have to write a loader that would load the dumped ROM into memory and run it. If the cartridge did not have any protection and no banking it was basically game over (unless you would pack it to make loading faster and link it with an intro). Some cartridges have banking capabilities, so the loader needs to take that into account and it requires some code modification. Another thing is that some ROMs had anti-dumping protection techniques. Some were software based - like at the beginning of code execution the startup code tries to overwrite its own memory. This will not work with ROM obviously, but will hang the system when the code is executed from RAM. Others had some additional hardware. If I remember correctly MSSIAH had such a thing implemented, which is why it does not work correctly with some hardware emulators/recreations of the C64.
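The two points raised above, tlr's "dump $8000-$bfff and follow the CBM80 vectors" and AlexC's self-overwriting startup code, can both be checked on a dump without running it. The following is an added example, not code from any poster in this thread: it parses the header of a constructed 8K cartridge image (cold-start and warm-start vectors at $8000/$8002, the PETSCII "CBM80" signature at $8004), and runs a byte-wise scan for absolute store instructions whose target falls inside the cartridge's own address range. The sample image, the function names and the scan heuristic are all assumptions made for this illustration.

```python
# Added example (not from the thread): inspect an 8K C64 cartridge dump
# taken from $8000-$9FFF and flag stores that would hit the program's own
# memory once it runs from RAM. The sample image below is constructed.
import struct

CART_BASE = 0x8000                 # an 8K cartridge ROM sits at $8000-$9FFF
CART_SIZE = 0x2000
CBM80 = b"\xc3\xc2\xcd\x38\x30"    # PETSCII "CBM80": C, B, M with bit 7 set, then "8", "0"

# 6502 absolute-store opcodes: STA abs, STX abs, STY abs
ABS_STORES = {0x8D: "STA", 0x8E: "STX", 0x8C: "STY"}


def parse_cart_header(image: bytes) -> dict:
    """Return the reset vectors and whether the CBM80 signature is present."""
    if len(image) != CART_SIZE:
        raise ValueError(f"expected {CART_SIZE} bytes, got {len(image)}")
    # Little-endian cold-start ($8000) and warm-start ($8002) vectors
    cold, warm = struct.unpack_from("<HH", image, 0)
    return {
        "cold_start": cold,
        "warm_start": warm,
        "cbm80": image[4:9] == CBM80,
        "vectors_in_cart": all(CART_BASE <= v < CART_BASE + CART_SIZE for v in (cold, warm)),
    }


def find_self_writes(image: bytes) -> list:
    """Heuristic scan for absolute stores whose target lies inside the cartridge range.

    Such a store is a no-op in ROM, but once the same code is loaded into RAM
    it clobbers the program itself, which is the anti-dump trick described in
    the thread. This is a byte-wise scan rather than a real disassembly, so
    operand bytes can produce false hits; treat the result as a list of places
    to look at in a monitor, not as a verdict.
    """
    hits = []
    for off in range(len(image) - 2):
        op = image[off]
        if op in ABS_STORES:
            target = image[off + 1] | (image[off + 2] << 8)
            if CART_BASE <= target < CART_BASE + CART_SIZE:
                hits.append((ABS_STORES[op], CART_BASE + off, target))
    return hits


def build_sample_cart() -> bytes:
    """Constructed 8K image: valid CBM80 header, then code that writes to its own ROM."""
    code = bytes([
        0x78,               # SEI
        0xA9, 0x00,         # LDA #$00
        0x8D, 0x00, 0x80,   # STA $8000   <- self-write, hangs if run from RAM
        0x4C, 0x09, 0x80,   # JMP $8009
    ])
    header = struct.pack("<HH", 0x8009, 0x8009) + CBM80   # both vectors -> $8009
    body = header + code
    return body + b"\xff" * (CART_SIZE - len(body))        # unused ROM reads as $FF


if __name__ == "__main__":
    img = build_sample_cart()
    print(parse_cart_header(img))
    for mnemonic, addr, target in find_self_writes(img):
        print(f"${addr:04X}: {mnemonic} ${target:04X}")
```

On the constructed image the header check passes and the scan reports the single `STA $8000` at $800C. On a real dump the vector check tells you where to start tracing the startup code, and the hit list narrows down where a loader would need patching before the ROM can be run from RAM.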
Bacchus
Registered: Jan 2002 Posts: 156
I had a switch that sort of disabled the cart. Allowing the computer to boot with the cart inserted but not active, I could then enable it, load any software-based machine code monitor not residing in the $8000 area and then save the content of the cart. Pretty straightforward for the vanilla 8Kb carts...
Pontus "Bacchus" Berg
* FairLight Council *