8-Bit Software

The BBC and Master Computer Public Domain Library

Back to 8BS
Return To On Line Magazine

Ample ROM Patch by Philip Mulrane


Download the patch

Thanks to Philip Mulrane for creating a patch to bypass the AMPLE ROM checksum. People picking up Music 5000 hardware were having real trouble getting the software to run due to the protection within the Ample ROM itself. This little utility by Philip patches the ROM so that it will work with any of the Ample software. Info from Philip:

How to remove the protection from the Ample ROM:

The protection of the Ample ROM is twofold,
1) The ROM is checksummed against modification. The ROM is viewed as an array of 16 bit values, they are summed (from &BFF1 down to &8000), and the 16 bit result must be zero, otherwise the message 'bad rom' appears. This 'zero summing' depends on the 16 bit values at &804C/D and &804E/F summing to &118b7. These 4 bytes are the only bytes that change from one Ample ROM to the next. &804C/D contain the ROM id, and the two bytes at &804E/F ensure that the ROM checksums to zero. The checksumming of the ROM is responsible for the brief delay between the ROM signing on after a '*AMPLE' and the '%' prompt appearing.
2) The modules are checksummed, they are also viewed as an array of 16 bit values, they are summed, and the 16 bit result must be equal to the 16 bit value stored at ROM address &804C/D (i.e. the ROM id), which differ from ROM to ROM. To this end the bytes at offset A and B in each module contain a suitable number so that the checksum will be correct for a given ROM only.

Additionally all programs loaded by the system are also passed through this checksum routine, their checksums are always equal to &5E01. The checksum routine is at address &A348.

This presents us with the following problem, the checksumming of the ROM and modules needs to be disabled, while the checksumming of programs must be maintained, otherwise programs saved with the patched ROM would be unloadable on normal Ample ROMs An additional problem is where to place the patch. The bytes from &BFF2 up to &BFFF are free, containing only &FFs, but this will not be enough for our patch.

The approach I took was to place the patch in the area occupied by the text message printed when the Ample ROM signs on. I discovered that the printout routine stops as soon as it sees two zero bytes, so adding in an extra couple of zero bytes at &8014/5 freed up the space between &8016 and &803A. Also a fake copyright byte sequence &00,'(C)',&00,&00 is required by the OS before it will accept the patched ROM as a valid image, I placed this at &8010. The byte pointer to the copyright also needs to be changed, it is stored at &8007, this I changed to &10.
Now for the patch itself. First I patched the checksum routine to jump directly to my patch at &8016 before it does anything else. Now I needed some way of knowing what the checksum routine was supposed to be doing, checksumming the ROM, or a module or a program? After a bit of searching I found that the address &8
contains &DB when checksumming the ROM, &ED for a program load, &DD for a program save, and otherwise a module in being checked. So the patch just needs to check the value stored in &8, and then either jump back to the
original checksum routine, or provide a fake checksum. By setting the ROM id bytes (&804C/D) to zero, I was able to kill two birds with one stone:

I provide the same the fake checksum of zero for a module or for the ROM itself. The ROM has to have a checksum of zero, so this is OK, and the modules are checked against the value in &804C/D, which is also zero. An additional side effect is that the id reported by the ROM is also zero.

Here is the code involved:

10 MODE7
20 DIM R 16384:REM Create a 16K buffer for our rom image
30 OSCLI("LOAD AMPLERO "+STR$~R) :REM Load the ROM image to our buffer
50 O%=R+&16:P%=&8016:REM this is the start of the area containg the copyright
55 REM and we can overwrite this with our patch
60 [OPT F%
70 LDA&08 \contents of &8 indicate what the rom is up to
80 CMP#&DB \ROM init
90 BEQ rominit
100 CMP#&ED \loading a program
110 BEQ progload
120 CMP#&DD \saving a program
130 BEQ progsave
140 .rominit \we land here also for module loading, i.e. when &8 contains
141 \anything other than &DB,&ED or &DD
150 LDA#0
160 STA&6:STA&7 \fake a checksum of zero
170 JSR&9403
180 JMP&971D \jump back into rom after checksum routine
190 .progload
200 .progsave
210 JSR&9403 \programs need to be checksummed properly,
220 JMP&A34B \so here we jump back into the original checksum routine
230 ]
240 NEXT
250 R?7=&10:REM change pointer to copyright to point to our fake copyright
260 P%=R+&10:[EQUB0:EQUS"(C)":EQUB0:EQUB0:]:REM fake copyright to satisfy the OS
270 R?&4C=0:R?&4D=0:REM romid to zero
280 P%=R+&2348:[JMP&8016:]:REM patch the original checksum routine to point to our main patch
290 OSCLI("SAVE AMPLEPA "+STR$~R+" +4000 8000 8000"):REM save the patched image, done

The resulting ROM loads modules without restriction, and programs created using it can be loaded on non patched ROMs, it also starts up faster. Also the freely available wave modifying module EWMOD and the Music 500 compatibility module MU500 written by Angus Duggan can now be used by anyone. Philip Mulrane 14/9/02.

 Back to 8BS
Return To On Line Magazine