PET 2001 with Rabbit ROM

[daver2]

The "illegal quantity error" is interesting. This implies (as the manual states) that the parameter to SYS should be in the range 0 through 65535. A negative number (as per the manual) is not valid.

As the positive number (40960) results in a "syntax error" I can only conclude that this is returned from the code that is actually invoked at the address 40960 ($A000). I can only therefore surmise that 40960 is not the correct entry point for the ROM.

Yes, if you can get a couple of screenshots from TIM then that might help us identify what the correct entry point is.

Dave

 

[adko]

I think the only solution is to disassemble and read the ROM
The ROM is probably no longer readable over time
I will also check the socked
Thank you all so much for all the information

If I know more I'll let you know
Greets Ad

 

[daver2]

If you don't have an easy way to completely image the EPROM then (as Gary has said) use the following procedure:

At the BASIC prompt type "sys 1024" to enter the machine code monitor TIM. This should give you a '.' prompt. See https://www.commodore.ca/wp-content/uploads/2018/11/PET_Machine_Language_Monitor.pdf.

Then, enter the command "m a000 a080" to selectively dump an area of the ROM. EDIT: The command may actually be "m a000,a080"...

You can then photograph and post a copy of the screen.

This could be a laborious job, because you will have to then dump the next area of memory (m a080 a100) and take another photograph and so on (counting in hexadecimal and not decimal of course) up to b000.

We can then 'hand type in' the hexadecimal codes you post and can start to disassemble the ROM - at least until we can work out what the entry point actually is.

This would give us a file containing the ROM contents (that can be posted for future posterity) and a means of documenting what extra commands may be in the ROM version over the tape version.

This could take a while - so plan every now and again to take a couple of screen dumps. For example, if you take two screen dumps per day and post those - it will take 16 days to complete the entire ROM dump.

Another way would be to BSAVE the image from A000 to AFFF (either on disk or tape) and see if someone could use that to extract the data. I could do it from a disk file - but not a cassette 'squeal'...

Dave

 

[adko]

Hi Dave, thank you for your patience and help
I managed to bring up the first screen and below is the picture of it, it's not very much work is for me is no problem and I like working with the PET
Could you also give me the other codes I have to enter so that I can request the correct one
Only a B comes into my picture instead of an A

Is it true that there is still data on the ROM Dave ?
Greets Ad

 

[Nivag Swerdna]

If you do the same command twice do you get the same result?

ea is an odd first instruction! Although my favourite... https://www.masswerk.at/6502/6502_instruction_set.html

 

[adko]

Just a quick question, can I read the rom with this eeprom reader?

 

[daver2]

>>> Just a quick question, can I read the rom with this eeprom reader?

It depends if that unit supports the particular ROM type.

I would hesitate to use it though when we have a perfectly good way now (albeit a bit time consuming) of dumping the contents without any risk whatsoever!

Yes, there is data/code there...

$EA is a NOP

$E6 $77 is INC $0077.

$D0 $02 is BNE +2.

An so forth...

The commands required to dump the complete contents of the ROM are:

.m a000 a080
.m a080 a100
.m a100 a180
.m a180 a200
.m a200 a280
.m a280 a300
.m a300 a380
.m a380 a400
.m a400 a480
.m a480 a500
.m a500 a580
.m a580 a600
.m a600 a680
.m a680 a700
.m a700 a780
.m a780 a800
.m a800 a880
.m a880 a900
.m a900 a980
.m a980 aa00
.m aa00 aa80
.m aa80 ab00
.m ab00 ab80
.m ab80 ac00
.m ac00 ac80
.m ac80 ad00
.m ad00 ad80
.m ad80 ae00
.m ae00 ae80
.m ae80 af00
.m af00 af80
.m af80 b000

The '.' of course is the TIM prompt - and I may have screwed up editing the command list for the post as well!

Each 'm' command will result in a hexadecimal dump that you will need to photograph.

There is some overlap in the data tables that are produced, so I can use this to detect any errors that could be made.

Dave

 

[adko]

If you do the same command twice do you get the same result?

ea is an odd first instruction! Although my favourite... https://www.masswerk.at/6502/6502_instruction_set.html

Yes Nivag, I also get the same screen the second time

 

[daver2]

That's good if you get the same screen twice. Good thinking Nivag.

This means that 'random' stuff is not being dumped!

>>> and I like working with the PET

Yep, the PET always was a nice machine to work with.

Dave

 

[adko]

>>> Just a quick question, can I read the rom with this eeprom reader?

It depends if that unit supports the particular ROM type.

I would hesitate to use it though when we have a perfectly good way now (albeit a bit time consuming) of dumping the contents without any risk whatsoever!

Yes, there is data/code there...

$EA is a NOP

$E6 $77 is INC $0077.

$D0 $02 is BNE +2.

An so forth...

The commands required to dump the complete contents of the ROM are:

.m a000 a080
.m a080 a100
.m a100 a180
.m a180 a200
.m a200 a280
.m a280 a300
.m a300 a380
.m a380 a400
.m a400 a480
.m a480 a500
.m a500 a580
.m a580 a600
.m a600 a680
.m a680 a700
.m a700 a780
.m a780 a800
.m a800 a880
.m a880 a900
.m a900 a980
.m a980 aa00
.m aa00 aa80
.m aa80 ab00
.m ab00 ab80
.m ab80 ac00
.m ac00 ac80
.m ac80 ad00
.m ad00 ad80
.m ad80 ae00
.m ae00 ae80
.m ae80 af00
.m af00 af80
.m af80 b000

The '.' of course is the TIM prompt - and I may have screwed up editing the command list for the post as well!

Each 'm' command will result in a hexadecimal dump that you will need to photograph.

There is some overlap in the data tables that are produced, so I can use this to detect any errors that could be made.

Dave

Thank you Dave, I can get started with this
What is the easiest way for you how I send the photos?
Or shall I send 1 reply with all the pictures?
Greetings Ad

 

[adko]

Hereby the 32 screen photos Dave, hopefully you can get something out of this
Thank you so much for all your help and energy
Greets Ad

 

[adko]

Part 2

 

[adko]

Part 3

 

[adko]

Part 4

 

[Nivag Swerdna]

Just a quick question, can I read the rom with this eeprom reader?
View attachment 1238870

Yes but with some jiggery pokery... like this... http://www.cosam.org/computers/cbm/pet/20090218.html

 

[daver2]

I know what I am doing tonight then...

Dave

 

[daver2]

The first page of disassembly as a 'proof of concept'. I am entering the bytes from each page of the listing using an online hex editor and saving the resultant binary file to my iMac. I am then transferring the binary file I have just created to an online 6502 disassembler and letting it 'do its business'. I am then transferring the resultant disassembly to a text file on my computer.

The net output from the process should (hopefully) be a byte-for-byte copy of your Rabbit ROM plus a first-pass disassembly.

Let's see where that takes us.

I can import the binary file into VICE (the Versatile Commodore Emulator) and run it in there to see what happens as a guess at the various SYS entry points...

Dave

                            * = $A000
A000   EA                   NOP
A001   E6 77                INC $77
A003   D0 02                BNE LA007
A005   E6 78                INC $78
A007   86 B3      LA007     STX $B3
A009   BA                   TSX
A00A   BD 01 01             LDA $0101,X
A00D   C9 9B                CMP #$9B
A00F   D0 55                BNE LA066
A011   BD 02 01             LDA $0102,X
A014   C9 C3                CMP #$C3
A016   D0 4E                BNE LA066
A018   A5 77                LDA $77
A01A   D0 4C                BNE LA068
A01C   A5 78                LDA $78
A01E   C9 02                CMP #$02
A020   D0 46                BNE LA068
A022   78                   SEI
A023   A9 C8                LDA #$C8
A025   85 90                STA $90
A027   A9 A7                LDA #$A7
A029   85 91                STA $91
A02B   58                   CLI
A02C   A0 00                LDY #$00
A02E   B1 77      LA02E     LDA ($77),Y
A030   C8                   INY
A031   C9 20                CMP #$20
A033   F0 F9                BEQ LA02E
A035   A2 03                LDX #$03
A037   DD 7F A0   LA037     CMP $A07F,X
A03A   F0 05                BEQ LA041
A03C   CA         LA03C     DEX
A03D   10 F8                BPL LA037
A03F   30 15                BMI LA056
A041   48         LA041     PHA
A042   B1 77                LDA ($77),Y
A044   29 7F                AND #$7F
A046   DD 83 A0             CMP $A083,X
A049   D0 07                BNE LA052
A04B   68                   PLA
A04C   20 87 A0             JSR LA087
A04F   4C 66 A0             JMP LA066
A052   68         LA052     PLA
A053   4C 3C A0             JMP LA03C
A056   A0 00      LA056     LDY #$00
A058   B1 77                LDA ($77),Y
A05A   C9 2A                CMP #$2A
A05C   D0 0A                BNE LA068
A05E   20 96 A0             JSR $A096
A061   A0 00                LDY #$00
A063   98                   TYA
A064   91 77                STA ($77),Y
A066   A6 B3      LA066     LDX $B3
A068   AD AA A1   LA068     LDA $A1AA
A06B   C9 4C                CMP #$4C
A06D   D0 0D                BNE LA07C
A06F   C6 77                DEC $77
A071   A5 77                LDA $77
A073   C9 FF                CMP #$FF
A075   D0 02                BNE LA079
A077   C6 78                DEC $78
A079   4C AA A1   LA079     JMP $A1AA
A07C   4C 76 00   LA07C     JMP $0076
A07F   4C 53 56             JMP $5653
A082   53                   ???
A083   4F                   ???
A084   41 45                EOR ($45,X)
A086   59 A9 00             EOR $00A9,Y
                            .END

;auto-generated symbols and labels
 LA007      $A007
 LA066      $A066
 LA068      $A068
 LA02E      $A02E
 LA041      $A041
 LA037      $A037
 LA056      $A056
 LA052      $A052
 LA087      $A087
 LA03C      $A03C
 LA07C      $A07C
 LA079      $A079

Ah, so the first bit of good news is that page 0 addresses $77 and $78 is/are the 16-bit pointer to the current byte of basic text in memory.

The NOP is probably a convenient place to put a debugging breakpoint in that case.

I have also seen the construct "TSX; LDA $0101,X" before to peek into the stack...

The ROM doesn't just contain 'garbage' !

Dave

 

[daver2]

I have entered and disassembled a bit more...

I have imported the PET BASIC 2 symbol table into the disassembler so it can label things automagically for me without me staring at HEX numbers all night. It is even making sense . I suspect that address $A000 is NOT the entry point. It seems as though this is the 'wedge' entry point - meaning that it will all go **** up if we invoke that address with a SYS command!

I'll do a couple more pages tomorrow and another disassembly.

I see where some of the commands are manipulating cassette ports #1 and #2...

Dave

 

[Nivag Swerdna]

A022 78 SEI A023 A9 C8 LDA #$C8 A025 85 90 STA $90 A027 A9 A7 LDA #$A7 A029 85 91 STA $91 A02B 58 CLI

Replaces the BASIC soft IRQ vector with $A7C8... definitely something going on there.

 

[Gary C]

Incredible work.

In other news, I have found a manual, but its for the cassette version but maybe useful when you get it working.

Does mention that it relocates HIMEM in the initialising code so that part should have STA #$34 & STA#$35 in it maybe ?