If you disassemble a single binary, you can never tell why something was done in a certain way. If you have eight different versions, you can tell a lot. This episode of “Computer Archeology” is about reverse engineering eight different versions of Microsoft BASIC 6502 (Commodore, AppleSoft etc.), reconstructing the family tree, and understanding when bugs were fixed and when new bugs, features and easter eggs were introduced.
This article also presents a set of assembly source files that can be assembled into byte-exact copies of seven different versions of Microsoft BASIC, and even lets you create your own version.
Microsoft BASIC for MOS 6502
First written in 1976, Microsoft BASIC for the 8-bit MOS 6502 has been available for virtually every 6502-based computer, including the Commodore series (PET, C64), the Apple II series, the Atari 8-bit machines, and many more.
These are the first eight versions of Microsoft BASIC:

| Name | Release | VER | ROM | FP | ROR | Buffer | Extensions | Version |
|---|---|---|---|---|---|---|---|---|
| Commodore BASIC 1 | 1977 | | Y | 9 | Y | ZP | CBM | 1.0 |
| Commodore BASIC 2 | 1979 | | Y | 9 | Y | 0200 | CBM | 2a |
| KBD BASIC | 1982 | | Y | 6 | Y | 0700 | KBD | 2b |
- Name: name of the computer system or BASIC interpreter
- Release: release date of this version, which is not necessarily the date when the source code was forked from Microsoft's
- VER: version string inside the interpreter itself
- ROM: whether the software shipped in ROM, or was a program meant to be loaded into RAM
- FP: whether the 6 digit or the 9 digit floating point library was included. 9 digit also means that long error messages were included instead of two-character codes, and that the GET statement was supported.
- ROR: whether the ROR instruction was used, or whether the code worked around it (early 6502s had a broken ROR; see below)
- Buffer: location of the direct mode input buffer, either in the zero page (ZP) or at the given address above it
- Extensions: which BASIC extensions were added by the OEM, if any
- Version: my private version number, used in this article and in my combined source
The Microsoft BASIC 6502 Combined Source Code
Download the assembly source code here: msbasic.zip
In order to assemble it, you will need the CC65 compiler/assembler/linker package.
The source can be assembled into byte-exact versions of the following seven BASICs:
- Commodore BASIC 1
- OSI BASIC
- AppleSoft I
- KIM-1 BASIC
- Commodore BASIC 2 (PET)
- Intellivision Keyboard Component BASIC
- MicroTAN BASIC
You can build the source by running the shell script make.sh. This will create the seven files cbmbasic1.bin, osi.bin, applesoft.bin, kb9.bin, cbmbasic2.bin, kbd.bin and microtan.bin in the “tmp” directory, which are identical to the original ROMs.
You are welcome to help clean up the source more, to make it more readable and to break features out into CONFIG_* defines, so that the source base can be made more customizable.
Make sure to read on to the end of the article, as it explains more about the source and what you can do with it.
Microsoft BASIC 1
Ric Weiland, Bill Gates and Monte Davidoff at Microsoft wrote MOS 6502 BASIC in the summer of 1976 by converting the Intel 8080 version. The 8080 version fit well into 8 KB, so that a computer manufacturer could add some machine-specific I/O code and still ship a single 8 KB ROM. Code density was lower on the 6502, and the port could not be made significantly smaller than 8 KB: at around 7900 bytes it left too little room for the I/O code, so computers with BASIC in ROM would require more than a single 8 KB ROM chip.
Since it spilled over 8 KB anyway, they decided to also offer an improved version with extra features in a little under 9 KB: this version had a 40 bit floating point library (“9 digits”) instead of the 32 bit one (“6 digits”), and the two-character error codes were replaced with actual error messages:
| 6 digit BASIC | 9 digit BASIC |
|---|---|
| ?NF ERROR | ?NEXT WITHOUT FOR ERROR |
9 digit BASIC also added support for the GET statement to read single keystrokes from the keyboard.
On startup, Microsoft BASIC 6502 asks for the size of memory:

    MEMORY SIZE?

If the user just presses return, BASIC detects the size of memory itself. If, on the other hand, the user enters “A”, it prints:

    WRITTEN BY RICHARD W. WEILAND.

Versions since 1.1 print:

    WRITTEN BY WEILAND & GATES

Then it asks for the width of the terminal:

    TERMINAL WIDTH?

Microsoft’s codebase could also be assembled either for use in ROM or in RAM. The RAM version additionally asks:

    WANT SIN-COS-TAN-ATN?

These four functions are located at the very end of the interpreter image (actually, the init code is at the very end, but that gets overwritten anyway), so the start of BASIC RAM can be moved down over them: answering “N” sets it to the beginning of the SIN/COS/TAN/ATN code and gains up to 250 bytes for the BASIC program, while answering “A” keeps SIN/COS/TAN and overwrites ATN only, which gains about 100 bytes.

All these questions were very similar to the ones presented on an Intel 8080 BASIC system; after all, BASIC 6502 was a direct port.

The start message looks something like this:

    MOS TECH 6502 BASIC V1.0
    COPYRIGHT 1977 BY MICROSOFT CO.
    n BYTES FREE
    OK
Microsoft’s codebase was very generic and made no assumptions about the machine it was running on. A single binary image could run on any 6502 system, as long as the start of RAM was set correctly, the calls to “MONRDKEY”, “MONCOUT”, “LOAD” and “SAVE” were filled with pointers to the machine-specific I/O code, and the “ISCNTC” function was filled with code to test for Ctrl+C.
Microsoft maintained this source tree internally and, at different points in time, handed their current version of the source to OEMs, which adapted and/or extended it for their machines. While most OEM versions were heavily modified in their user interaction (startup screen, line editing, ...), most of the code stayed very similar; some functions were never changed in any version of BASIC. No OEM ever came back to Microsoft for updates, except for Apple and Commodore, which both synced once each, up to the bugfixed version 2.
Commodore BASIC 1 (1.0)
The BASIC that shipped with the first Commodore PET in 1977 is the oldest known version of Microsoft BASIC for 6502. It does not say “Microsoft” anywhere, and memory size detection and screen width were hardcoded, so on startup, it just prints *** COMMODORE BASIC ***, followed by the number of bytes available for BASIC.
Commodore added the “OPEN”, “CLOSE”, “PRINT#”, “INPUT#” and “CMD” statements for file I/O and added VERIFY to compare a program in memory to a file on a storage device. They also added “SYS” to call into assembly code – Microsoft’s code had only provided the “USR” function with a similar purpose. It seems Commodore didn’t like the “OK” prompt, so they renamed it to “READY.”.
All machine-specifics were properly abstracted by calls into the KERNAL jump table, the upper 7 KB of the 16 KB ROM – except for one call out into the screen editor part of the PET ROM:
            iny
            lda     (INDEX),y
    .ifdef CONFIG_CBM1_PATCHES
            jsr     LE7F3           ; patch
    .else
            ldy     #$00
            asl     a
            adc     #$05
    .endif
            adc     INDEX
            sta     INDEX
            bcc     L33A7
            inc     INDEX+1

This fixes the garbage collector: the patch routine at $E7F3 performs the ldy/asl/adc sequence that is missing from the interpreter code here.
Speaking of patches: Commodore BASIC 1 has been binary patched a lot. There are six patch functions appended to the very end of the interpreter image that implement miscellaneous fixes. This is what one of the calls into a patch function looks like:

    .ifdef CONFIG_CBM1_PATCHES
            jmp     PATCH1
    .else
            clc
            jmp     CONTROL_C_TYPED
    .endif

Here is the patch function; someone had indeed forgotten to clear the carry flag:

    PATCH1:
            clc
            jmp     CONTROL_C_TYPED

Some of these patches are in generic code, and some in Commodore-specific code. Microsoft's later fixes of the same problems in the generic code are not necessarily identical to these patches, which indicates that Commodore wrote the fixes. But it is unknown why these additions were done in the binary as opposed to the source: Commodore had the source and made lots of additions to it. Maybe it was just more convenient to patch the binary at some point during debugging.
Ohio Scientific (1.0a)
Ohio Scientific sold a wide series of 6502-based machines for several years, but they all shipped with the same version of 6 digit BASIC bought from Microsoft in 1977.
6 digit vs. 9 digit was probably a compile time option, because the differences are pretty straightforward, as can be seen in this example from the floating point library (the 9 digit version simply has one more mantissa byte to add):

    ; ----------------------------------------------------------------------------
    ; ADD MANTISSAS OF FAC AND ARG INTO FAC
    ; ----------------------------------------------------------------------------
    FADD4:
            adc     ARGEXTENSION
            sta     FACEXTENSION
    .ifndef CONFIG_SMALL
            lda     FAC+4
            adc     ARG+4
            sta     FAC+4
    .endif
            lda     FAC+3
            adc     ARG+3
            sta     FAC+3
            lda     FAC+2
            adc     ARG+2
            sta     FAC+2
            lda     FAC+1
            adc     ARG+1
            sta     FAC+1
            jmp     NORMALIZE_FAC5

Ohio Scientific only made minimal adaptations for their computers, and added no extensions. It asks for memory size and terminal width, and then prints OSI 6502 BASIC VERSION 1.0 REV 3.2.
One quirk of the Ohio Scientific version is the inclusion of the WANT SIN-COS-TAN-ATN string, although BASIC ran in ROM; the code that prints this string and adjusts the memory layout accordingly is not included. OSI BASIC is 7906 bytes in size; without the unused string, they could have saved 21 bytes.
The string garbage collector was horribly broken in OSI BASIC, effectively destroying all string data. In Commodore BASIC 1, it had been binary patched to fix the problem.
AppleSoft I (1.1)
Apple shipped the first Apple II systems with Integer BASIC in ROM; Microsoft BASIC was only available as an option loaded from disk or tape. AppleSoft BASIC, as it was named, had only minor adaptations and extensions. On startup, it printed:

    APPLE BASIC V1.1
    COPYRIGHT 1977 BY MICROSOFT CO.
In order to make AppleSoft feel more like Integer BASIC, it showed a ‘]’ character instead of “OK” and said “ERR” instead of ERROR.
The memory size easter egg was modified in this version: it printed COPYRIGHT 1977 BY MICROSOFT CO instead of Weiland’s and Gates’ names. Since the Apple II character output code ignored the uppermost bit, this text could be hidden from a plain string search of the ROM by setting the MSB of every character:

    .;287F  C3 CF D0 D9 D2 C9 C7 C8  "COPYRIGH"
    .;2887  D4 A0 B1 B9 B7 B7 A0 C2  "T 1977 B"
    .;288F  D9 A0 CD C9 C3 D2 CF D3  "Y MICROS"
    .;2897  CF C6 D4 A0 C3 CF 0D 00  "OFT CO."

This version introduced another easter egg that is present in all later versions: the “MICROSOFT!” text, as described in a previous article. The encoded (XOR 0x87) text was hidden in some floating point constants and is never referenced by any code.
AppleSoft I is the oldest known BASIC 1.1. Compared to 1.0, version 1.1 included minor bugfixes in GET/INPUT/READ, TAB() and LIST, as well as the fix in the Garbage Collector present in the Ohio Scientific machines and binary patched in Commodore BASIC 1.
BASIC 1.0 also had a bug where lines in direct mode that started with a colon were ignored:

            jsr     CHRGET
    .ifdef CONFIG_11
            tax
    .endif
            beq     L2351

CHRGET is supposed to set the zero flag at the end of a statement, which can be the end of the line (a 0 character) or a colon. The original code wanted to check for an empty line: it fetched the first character and, if the zero flag said “end of statement”, went on to read another line. But a colon as the first character set the zero flag just the same. 1.1 fixed this by setting the flags from the value again (tax), so that only a real 0 takes the branch.
Version 1.1 also contained various tiny speed optimizations: BEQs and BNEs were changed so that a cycle could be saved on the more likely case.
Here is another optimization in LEFT$/RIGHT$/MID$:
    .ifndef CONFIG_11
            sta     JMPADRS+1
            pla
            sta     JMPADRS+2
    .else
            tay
            pla
            sta     Z52
    .endif
    [...]
    .ifdef CONFIG_11
            lda     Z52
            pha
            tya
            pha
    .endif
            ldy     #$00
            txa
    .ifndef CONFIG_11
            inc     JMPADRS+1
            jmp     (JMPADRS+1)
    .else
            rts
    .endif
The original code isn't only suboptimal, it's even dangerous, because it only increments the low byte of the address it wants to jump to and assumes it doesn't roll over to $00.
For some reason, the random number seed was changed slightly:
    .ifdef CONFIG_11
            .byte   $80,$4F,$C7,$52,$58
    .else
            .byte   $80,$4F,$C7,$52,$59
    .endif
But this doesn't make a difference, due to a bug present in all 9 digit versions of BASIC: The value is copied into the zero page together with the CHRGET routine:
    .ifdef CONFIG_SMALL
            ldx     #GENERIC_CHRGET_END-GENERIC_CHRGET
    .else
            ldx     #GENERIC_CHRGET_END-GENERIC_CHRGET-1
    .endif
    L4098:  lda     GENERIC_CHRGET-1,x
            sta     CHRGET-1,x
            dex
            bne     L4098
On 9 digit BASIC, one extra byte had to be copied, but the start index was not changed, so the last digit was omitted. This bug exists in every known version of Microsoft BASIC.
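To make the off-by-one tangible, here is a small Python replay of the copy loop. It is an added example written for this article, not code from the msbasic source; the bytes standing in for the CHRGET routine are a placeholder, and only the 1.1 seed bytes come from the listing above.

```python
"""Replay of the init-code loop that copies CHRGET plus the random number
seed into the zero page, to show why 9 digit builds lose the last seed byte.
Added example; not code from the msbasic project."""

CHRGET_STUB = bytes([0xEA] * 6)            # placeholder for the CHRGET body (assumed length)
SEED_6DIGIT = bytes.fromhex("804FC752")    # 4-byte seed of a 6 digit build (assumed)
SEED_9DIGIT = bytes.fromhex("804FC75258")  # 5-byte seed quoted in the article (1.1)


def copy_loop(source: bytes, small: bool) -> bytes:
    """Emulate
           ldx #N      (CONFIG_SMALL)     or     ldx #N-1   (9 digit)
        L: lda source-1,x / sta dest-1,x / dex / bne L
    with N = len(source). The destination is pre-filled with $FF so that
    any byte the loop never writes stays visible."""
    n = len(source)
    if n < 2:
        raise ValueError("ldx #0 would loop 256 times; not modelled here")
    dest = bytearray(b"\xff" * n)
    x = n if small else n - 1
    while True:
        dest[x - 1] = source[x - 1]   # "-1,x" indexing: x=1 copies offset 0
        x -= 1                        # dex
        if x == 0:                    # bne falls through once X reaches 0
            break
    return bytes(dest)


def seed_after_copy(small: bool) -> bytes:
    """The seed bytes as they end up in the zero page for either build."""
    seed = SEED_6DIGIT if small else SEED_9DIGIT
    return copy_loop(CHRGET_STUB + seed, small)[len(CHRGET_STUB):]
```

For the 9 digit build the zero page ends up holding $80 $4F $C7 $52 followed by whatever was there before: the $58 (or $59 in 1.0) never arrives, which is why the changed seed in 1.1 made no difference.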
Another bug was introduced on the Apple II: all previous versions of BASIC had the input buffer for instructions in direct mode in the zero page. On the Apple II, it was at $0200 in RAM, which broke code that made assumptions about the address:

    NEWSTT: jsr     ISCNTC          ; check for Ctrl + C
            lda     TXTPTR
            ldy     TXTPTR+1        ; high byte of instruction pointer
            beq     L2683           ; 0 -> direct mode
            sta     OLDTEXT
            sty     OLDTEXT+1
Subsequent versions of BASIC compared the high byte of the text pointer against the page of the input buffer instead of testing it for zero, which works wherever the buffer lives.

KIM-1 BASIC (1.1a)

The KIM-1 is a computer kit based around the MOS 6502, which was sold by the makers of the 6502 to show off the capabilities of this CPU. A 6 digit and a 9 digit version of Microsoft BASIC were available on tape, but the 6 digit version seems to be very rare. BASIC for the KIM-1 is the most authentic version of Microsoft BASIC, because it has only been minimally modified: it contains all questions about memory size, screen width and the trigonometric functions, as well as the memory size easter egg. The encoded “MICROSOFT!” string can be found at the same spot as on the Apple II.
Although it is based on BASIC 1.1, just like AppleSoft I, it contains a few additional fixes in array handling and the PRINT statement.
But they also introduced another bug: In input handling, again concerning the location of the input buffer, there is the following code:
            ldx     #<(INPUTBUFFER-1)
            ldy     #>(INPUTBUFFER-1)
            bne     L2AF8           ; always

This code has been in place since 1.0 and assumes that INPUTBUFFER is above $0100: the “always” branch relies on the zero flag left by the last load, and if the buffer is in the zero page, the ldy of the high byte of INPUTBUFFER-1 loads $00, sets the zero flag, and the branch is never taken. On the CBM1, which had the input buffer in the zero page, Commodore hotfixed this by swapping the ldx and the ldy, so that the last load is the nonzero low byte. On the OSI, this code didn't exist, as it is only included in versions that have the GET statement, i.e. 9 digit versions. AppleSoft I was not affected either, because it had the input buffer at $0200. Versions after the KIM fixed this by replacing the BNE with a BEQ in case the input buffer is in the zero page. It is obviously hard to maintain a single codebase with many compile time options that still does optimizations like these.
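Both input-buffer bugs come down to 6502 flag semantics, which the following Python replay makes explicit. It is an added example for this article, not msbasic code; the zero-page buffer address used for the CBM1 is an assumed placeholder, while $0200 (AppleSoft I) and $0700 (Keyboard Component) are the locations given in this article.

```python
"""The two places where Microsoft's code hard-wires an assumption about the
page of the direct-mode input buffer, replayed with 6502 flag semantics.
Added example; not code from the msbasic project."""

# $0200 (AppleSoft I) and $0700 (Keyboard Component) are from the article;
# the CBM1 zero-page address is an assumed placeholder.
BUFFERS = {"CBM1 (zero page, assumed)": 0x000A, "AppleSoft I": 0x0200, "KBD": 0x0700}


def ldx_ldy_then_branch(inputbuffer: int, order: str = "xy", branch: str = "bne") -> bool:
    """Replay   ldx #<(INPUTBUFFER-1) / ldy #>(INPUTBUFFER-1) / b?? target.
    Immediate loads set Z from the value loaded and a branch only tests the
    flags, so the branch sees the Z of whichever load came last.
      order="yx"   -> Commodore's CBM1 hotfix: swap the two loads
      branch="beq" -> the later fix used when the buffer is in the zero page
    Returns True if the branch (meant as "always") is actually taken."""
    addr = (inputbuffer - 1) & 0xFFFF
    last = {"x": addr & 0xFF, "y": addr >> 8}[order[-1]]
    zero = last == 0
    return (not zero) if branch == "bne" else zero


def newstt_direct_mode(txtptr: int, inputbuffer: int, basic2: bool) -> bool:
    """NEWSTT's "is this a direct-mode line?" test.
    1.x:  ldy TXTPTR+1 / beq direct  -> high byte == 0, only right while the
          buffer sits in the zero page.
    2.x:  compare the high byte against the buffer's page (my reading of the
          article); correct wherever the buffer is."""
    page = (txtptr >> 8) & 0xFF
    return page == (inputbuffer >> 8) if basic2 else page == 0


def survey():
    """Per buffer location: (does the 'always' branch fire?, does the 1.x
    NEWSTT test recognise a text pointer 3 bytes into the buffer?)"""
    return {name: (ldx_ldy_then_branch(buf), newstt_direct_mode(buf + 3, buf, basic2=False))
            for name, buf in BUFFERS.items()}
```

survey() shows the two failure modes side by side: with a zero-page buffer the "always" branch never fires, and with a buffer at $0200 the 1.x direct-mode test claims a line typed at the prompt is part of a program.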
Since the first KIM-1 systems shipped in late 1975, their CPUs had the 6502 ROR bug, so KIM-1 BASIC had to work around this: Every ROR instruction is replaced by a corresponding sequence using LSR instead.
AppleSoft II (2.0)
AppleSoft II is the oldest version of Microsoft BASIC 2. It was available on tape or disk, and also in ROM in later Apple II models. It is the first BASIC from an OEM that had extended BASIC which was re-sync'ed with Microsoft's codebase. In other words: Apple licensed an improved and bugfixed version of BASIC, and merged their old changes into it.
BASIC 2 contains mostly bugfixes (all input buffer location bugs have finally been eliminated), small optimizations (reuse two adjacent zeros inside the floating point constant of 1/2 as the 16 bit constant of zero instead of laying it down separately), better error handling for DEF FN, and support for "GO TO" with a space in between as a synonym for GOTO. Also, the memory test pattern has been changed from $92/$24 to the more standard $55/$AA.
In AppleSoft II, Apple also eliminated the "memory size" and "terminal width" questions.
Commodore BASIC 2 (2.0a)
Just like Apple, Commodore went back to Microsoft for an updated version of BASIC, and integrated its changes into the new version. The version they got was slightly newer than Apple's, but the major difference was that Microsoft added the “WAIT 6502” easter egg. For this, they changed the encoding of the string “MICROSOFT!” that had been hidden in every BASIC since 1.1 from XORed ASCII into PETSCII with the upper two bits set randomly: the text is just as obfuscated, but the decoder is shorter on PET systems. So Commodore BASIC 2 is the only version of Microsoft BASIC that ever accesses this hidden text.
Every version since 2.0a had the PETSCII version of the “MICROSOFT!” text in it, and so did every version of BASIC for the 6809.
Intellivision Keyboard Component BASIC (2.0b)
The Mattel Intellivision is a game console released in 1980 that contained a very nonstandard 16 bit "CP1610" CPU. After a series of delays, the "Keyboard Component", an extension with its own 6502 CPU and Microsoft BASIC, was released in 1982, but canceled very soon. They are very rare today.
The BASIC in the Keyboard Component is the most customized of all known versions. It is based on a 6 digit version of BASIC 2 and is newer than Commodore BASIC 2: it contains two more bugfixes. One piece of code that pulled its caller's address from the stack and normalized it by adding one had forgotten to propagate the carry into the high byte, so this could fail if the caller sits right at a page boundary. The other fix changed the number of steps needed for normalizing a floating point number.
Intellivision BASIC replaced LOAD and SAVE with PLOD, PSAV, VLOD, VSAV and SLOD; PRT, GETC and VER were added, and PEEK, POKE and WAIT were removed. But the customizations were even more extensive: instead of keeping the interface to the library code, a lot of code was replaced inline, and the whole init code was rewritten. While most of the generic code, for example memory handling, was unchanged across Commodore, Ohio, AppleSoft and KIM, making it easier to integrate Microsoft's fixes later, even some of this code was altered on the Keyboard Component.
What is interesting about the strings in Intellivision BASIC is that they use both upper- and lower case. The start message is this:
INTELLIVISION BASIC Copyright Microsoft, Mattel 1980
But upper-/lowercase support doesn't stop there: the complete interpreter has been extended to be case insensitive but case preserving. The CHRGET code, a super-optimized function living in the zero page, has been patched with a call to this function:

    LF430:  cmp     #'a'
            bcc     LF43A
            cmp     #'z'+1
            bcs     LF43A
            sbc     #$1F
    LF43A:  rts

This very unoptimized piece of code adds at least 17 cycles to every CHRGET (the jsr/rts pair alone costs 12), and will slow down execution measurably. Note the sbc #$1F: for 'a'..'z' the preceding cmp leaves the carry clear, so the subtraction takes one more off and the net effect is subtracting $20, i.e. converting the character to uppercase.
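What the hook costs can be checked by replaying it instruction by instruction. The following Python model is an added example for this article, not msbasic code; it uses the documented NMOS 6502 cycle counts and assumes that taken branches do not cross a page boundary.

```python
"""Instruction-by-instruction replay of the Keyboard Component's case-folding
hook (LF430) that the patched CHRGET calls, giving the folded character and
the cycles spent. Added example; not code from the msbasic project. NMOS 6502
timings; taken branches are assumed not to cross a page (else +1 cycle)."""


def lf430(a: int) -> tuple:
    """Return (accumulator on return, cycles including the jsr/rts pair)."""
    cycles = 6 + 2                   # jsr LF430 (6), cmp #'a' (2): C = A >= 'a'
    if a < ord("a"):
        return a, cycles + 3 + 6     # bcc taken (3), rts (6)
    cycles += 2 + 2                  # bcc not taken (2), cmp #'z'+1 (2): C = A >= '{'
    if a >= ord("z") + 1:
        return a, cycles + 3 + 6     # bcs taken (3), rts (6)
    cycles += 2                      # bcs not taken (2): carry is CLEAR here
    # sbc #$1F with C=0 computes A - $1F - 1 = A - $20, i.e. 'a'..'z' -> 'A'..'Z';
    # that is why the constant is $1F rather than $20.
    a = (a - 0x1F - 1) & 0xFF
    cycles += 2                      # sbc (2)
    return a, cycles + 6             # rts (6)


def fold_bytes(text: str) -> tuple:
    """Push every byte of a line through the hook and total the added cycles
    (CHRGET itself is not modelled; this is only the cost of the patch)."""
    out, total = [], 0
    for ch in text.encode("ascii"):
        folded, cyc = lf430(ch)
        out.append(chr(folded))
        total += cyc
    return "".join(out), total
```

The cheapest path (a character below 'a', such as a digit, space or an already uppercase letter) is exactly 17 cycles; lowercase letters cost 22, so a line typed in lowercase pays the most.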
Microtan BASIC (2.0c)
The version of BASIC that shipped on the Tangerine MICROTAN 65 is, like the Ohio and KIM versions, again a very authentic version with few changes. The BASIC 2 it is based on contained a single further bug fix: the floating point constant for -32768 had not been updated correctly from 6 to 9 digits and was missing a byte. The startup message looks like this:
MICROTAN BASIC (C) 1980 MICROSOFT
Microtan BASIC contains the complete "memory size" and terminal width procedures and the "Weiland/Gates" easter egg.
Although the Microtan was introduced in 1980, its version of BASIC was, like the KIM version, assembled with the code that worked around the ROR bug of 6502 chips made until mid-1976. The I/O library, on the other hand, made use of ROR, suggesting that this compile time option was set in error.
Bugs never fixed
As you can see, the first versions had many bugs that were quickly fixed, but the fixes became fewer and fewer, simply because there were only very few bugs left. Still, some bugs never got fixed. The short copy of the random number seed, for example, exists in all versions.
Similarly, the two extra constants used for generating random numbers (CONRND1, CONRND2) are 4 bytes in all versions, which is one byte short for 9 digit BASIC. But this is another bug that doesn't really matter, since the numbers will still be random enough.
The buggy check on large line numbers has also never been fixed. Typing 35072121 into any version of Microsoft BASIC will have the interpreter jump to a pseudo random memory address. The buggy code resides in "LINGET".
Something similar happens in the case of PRINT 5+"A"+-5: The interpreter will build up the formula on the CPU stack, but miss the string/float type mismatch because of the "+-", and messes up its stack when removing items. This bug is in "FRMEVL".
But the fact that Microsoft never fixed these bugs in their codebase doesn't mean that none of the OEMs fixed them. While the LINGET and FRMEVL bugs seem to have gone unnoticed everywhere, the CONRND1/CONRND2 bug at least was fixed by Commodore, as early as for the VIC-20 in 1980.
How to build your own BASIC
Now that you have the source that can build seven different OEM versions of Microsoft BASIC, and that you know about the differences between those, you might be interested in building your own version of BASIC 6502 for some 6502-based machine or customizing BASIC to build a bugfixed or extended version for some platform.
First duplicate one of the cfg files, and add it to make.sh. cbmbasic2 is a good start, as you can quite easily test the resulting images in the VICE emulator - CC65 can even provide symbol information for the VICE debugger. Add a case in defines.s to define one of CBM1, CBM2, APPLE etc., because you need one flavour of platform specific code, and include your own defines_*.s. For Commodore BASIC, you also need to define CONFIG_CBM_ALL.
If you are targeting a new type of computer, make sure to adjust the zero page locations in your defines_*.s file (ZP_STARTn) so that they don't clash with your I/O library. Also make sure that, in case you are compiling for RAM, the init code does not try to detect the memory size and overwrite itself.
The CONFIG_n defines specify what Microsoft-version the OEM version is based on. If CONFIG_2B is defined, for example, CONFIG_2A, CONFIG_2, CONFIG_11A, CONFIG_11 and CONFIG_10A will be defined as well, and all bugfixes up to version 2B will be enabled. The following symbols can be defined in addition:
| Symbol | Meaning |
|---|---|
| CONFIG_CBM1_PATCHES | jump out into CBM1's binary patches instead of doing the right thing inline |
| CONFIG_CBM_ALL | add all Commodore-specific additions except file I/O |
| CONFIG_EASTER_EGG | include the CBM2 "WAIT 6502" easter egg |
| CONFIG_FILE | support Commodore PRINT#, INPUT#, GET#, CMD |
| CONFIG_IO_MSB | all I/O has bit #7 set |
| CONFIG_MONCOUT_DESTROYS_Y | Y needs to be preserved when calling MONCOUT |
| CONFIG_NO_CR | terminal doesn't need explicit CRs on line ends |
| CONFIG_NO_LINE_EDITING | disable support for Microsoft-style "@", "_", BEL etc. |
| CONFIG_NO_POKE | don't support PEEK, POKE and WAIT |
| CONFIG_NO_READ_Y_IS_ZERO_HACK | don't do a very volatile trick that saves one byte |
| CONFIG_NULL | support for the NULL statement (send sync 0s for serial terminals) |
| CONFIG_PEEK_SAVE_LINNUM | preserve LINNUM on a PEEK |
| CONFIG_PRINTNULLS | whether PRINTNULLS does anything |
| CONFIG_PRINT_CR | print CR when line end reached |
| CONFIG_RAM | optimizations for RAM version of BASIC, only use on 1.x |
| CONFIG_ROR_WORKAROUND | use workaround for buggy 6502s from 1975/1976; not safe for CONFIG_SMALL! |
| CONFIG_SAFE_NAMENOTFOUND | check both bytes of the caller's address in NAMENOTFOUND |
| CONFIG_SCRTCH_ORDER | where in the init code to call SCRTCH |
| CONFIG_SMALL | use 6 digit FP instead of 9 digit, use 2 character error messages, don't have GET |
Changing symbol definitions can alter an existing base configuration, but it is not guaranteed to assemble or work correctly.
I am very interested in your creations. Please add a comment to this article if you have made something new out of this source base!
Using the Floating Point Library Standalone
The complete project has been split into many components, each in their own assembly source file. The core floating point library is in float.s, extra trigonometric functions are in trig.s. It should not be too hard to use this broken-out part (in a 6 digit or 9 digit version) standalone in your own creations. The 9 digit version is a little over 2 KB in size, the 6 digit version is a little smaller.
Adding More Versions
If you want to add another version of BASIC into the source base, you can do it like this: use "da65" from the CC65 package to disassemble your version of BASIC and all existing .bin files (with the correct base addresses), and run a "diff" command on the new disassembly and each of the disassemblies of the existing versions. The diff that contains the fewest changes (just look at the file size) is probably a good candidate to base your new version on. Or look at the release date or the family tree to find a version which is similar.
Now create a new version in the source base, as described earlier. Make sure the new version assembles; then compare the disassembly of your version with the disassembly of the original binary in a diff program, like the excellent Mac OS X FileMerge, to find the differences. In most cases, you will only have to adjust a few defines (CONFIG_* and zero page locations) in your defines_*.s file to get matching output. Otherwise, add ifdefs to the respective source files. Run regress.sh to verify that you didn't break the other versions.
Repeat the last step until the assembly process outputs the same file. Send your changes to me. :-)
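For the first step, picking the existing version a new ROM is closest to, comparing raw images byte by byte is misleading as soon as one version has a few bytes inserted, because everything after the insertion shifts. A similarity measure over short byte n-grams (the idea behind fuzzy hashing) is insensitive to that shift and gives a usable first guess even before disassembling. The following Python is an added example written for this article, not part of the msbasic tool set; the four "ROM images" it compares are constructed from pseudo-random bytes.

```python
"""Pick the closest relative of a ROM image among known versions, comparing
byte n-gram sets (shift tolerant) against positional byte differences
(not shift tolerant). Added example; not code from the msbasic project."""
import random


def ngrams(data: bytes, n: int = 6) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def ngram_similarity(a: bytes, b: bytes, n: int = 6) -> float:
    """Jaccard index of the two images' n-gram sets: 1.0 means identical."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Positional byte differences; a length difference counts as well."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def ranking(name: str, images: dict, metric: str = "ngram"):
    """All other images ordered best match first, with their scores."""
    others = [k for k in images if k != name]
    if metric == "ngram":
        scored = [(k, ngram_similarity(images[name], images[k])) for k in others]
        return sorted(scored, key=lambda kv: -kv[1])
    scored = [(k, hamming_distance(images[name], images[k])) for k in others]
    return sorted(scored, key=lambda kv: kv[1])


def nearest(name: str, images: dict, metric: str = "ngram") -> str:
    """Name of the image most similar to images[name] under the metric."""
    return ranking(name, images, metric)[0][0]


def _mutate(data: bytes, changes, insert_at=None, insert=b"") -> bytes:
    """Apply byte patches, then optionally insert bytes (shifting the rest)."""
    d = bytearray(data)
    for off, val in changes:
        d[off] = val
    if insert_at is not None:
        d[insert_at:insert_at] = insert
    return bytes(d)


# Constructed family (assumed, not real ROMs): A = base + 5 patches;
# B = A + 2 patches + 3 bytes inserted at offset 300;
# C = base + 2 patches + 3 bytes inserted at offset 100.
_rnd = random.Random(42)
BASE = bytes(_rnd.randrange(256) for _ in range(1024))
ROMS = {"base": BASE}
ROMS["A"] = _mutate(BASE, [(10, 0x18), (400, 0xEA), (500, 0x4C), (600, 0xA9), (900, 0x60)])
ROMS["B"] = _mutate(ROMS["A"], [(50, 0x38), (700, 0xEA)], insert_at=300, insert=b"\x20\x00\x00")
ROMS["C"] = _mutate(BASE, [(800, 0xEA), (950, 0x60)], insert_at=100, insert=b"\xea\xea\xea")
```

On this family the n-gram ranking puts B next to A, its actual parent, while the positional count puts B next to C, merely because both happen to be shifted by three bytes over most of the image. Running the same two rankings on real dumps before reaching for da65 tells you which diff is worth reading first.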
Note that the idea of all versions of BASIC in the current source code is that they are all direct forks from Microsoft's codebase. I chose not to include versions like Commodore BASIC 4, Commodore BASIC 2 for the VIC-20/C64 etc., and I wouldn't add very late AppleSoft versions, because these are only extended versions of earlier forks and contain no extra code from the original Microsoft source base. Versions that would be very interesting to integrate would be AppleSoft II and Atari Microsoft BASIC, preferably the very first revisions of these.
- Function names and all uppercase comments taken from Bob Sander-Cederlof's excellent AppleSoft II disassembly
- AppleSoft lite by Tom Greene helped a lot, too.
- Thanks to Joe Zbicak for his help with Intellivision Keyboard BASIC
- This work is dedicated to the memory of my dear hacking pal Michael "acidity" Kollmann.