Analyzing the ROMs of Third Party Disk Drives for the C64

Most Commodore 64 users had a 1541 disk drives, but there were always also third part options. Most of them claimed full 1541 compatibility, which sounds impossible without using the same ROM. Let’s analyze the ROMs of some third party drives!

Spoiler: They all used Commodore’s ROM code, and used varying degrees of obfuscation to hide it.

Blue Chip BCD/5.25 and Rapid Access FD148

The Blue Chip BCD/5.25 and the Rapid Access drives are standard 1541 clones. The power-up message says “CBM DOS V2.6 1541” – the same as a 1541. There is the string “Copyright © 1985 Blue Chip Electronics, Inc.” both at the bottom and the top of the ROM:

c000  43 6f 70 79 72 69 67 68  74 20 28 43 29 20 31 39  |Copyright (C) 19|  
c010  38 35 20 42 6c 75 65 20  43 68 69 70 20 45 6c 65  |85 Blue Chip Ele|  
c020  63 74 72 6f 6e 69 63 73  2c 20 49 6e 63 2e ff ff  |ctronics, Inc...|

ef20  ad 00 18 29 01 d0 f9 a9  01 8d 05 18 4c df e9 43  |...)........L..C|  
ef30  6f 70 79 72 69 67 68 74  20 28 43 29 20 31 39 38  |opyright (C) 198|  
ef40  35 20 42 6c 75 65 20 43  68 69 70 20 45 6c 65 63  |5 Blue Chip Elec|  
ef50  74 72 6f 6e 69 63 73 2c  20 49 6e 63 2e 85 4a 4c  |tronics, Inc..JL|

(The Rapid Access version does not contain the $C000 message.)

Comparing the ROMs to any version of the 1541 ROM shows lots and lots of differences. Yet, the ROM looks suspicously like a 1541 ROM. The error messages:

e500  20 21 22 23 24 27 d2 45  41 44 89 52 83 20 54 4f  | !"#$'.EAD.R. TO|  
e510  4f 20 4c 41 52 47 c5 50  8b 06 20 50 52 45 53 45  |O LARG.P.. PRESE|  
e520  4e d4 51 cf 56 45 52 46  4c 4f 57 20 49 4e 8b 25  |N.Q.VERFLOW IN.%|  
e530  28 8a 89 26 8a 20 50 52  4f 54 45 43 54 20 4f ce  |(..&. PROTECT O.|  
e540  29 88 20 49 44 85 30 31  32 33 34 d3 59 4e 54 41  |). ID.01234.YNTA|  
e550  58 89 60 8a 03 84 63 83  20 45 58 49 53 54 d3 64  |X.`...c. EXIST.d|  
e560  83 20 54 59 50 45 85 65  ce 4f 20 42 4c 4f 43 cb  |. TYPE.e.O BLOC.|  
e570  66 67 c9 4c 4c 45 47 41  4c 20 54 52 41 43 4b 20  |fg.LLEGAL TRACK |  
e580  4f 52 20 53 45 43 54 4f  d2 61 83 06 84 39 62 83  |OR SECTO.a...9b.|  
e590  06 87 01 83 53 20 53 43  52 41 54 43 48 45 c4 70  |....S SCRATCHE.p|  
e5a0  ce 4f 20 43 48 41 4e 4e  45 cc 71 c4 49 52 89 72  |.O CHANNE.q.IR.r|  
e5b0  88 20 46 55 4c cc 73 c3  42 4d 20 44 4f 53 20 56  |. FUL.s.BM DOS V|  
e5c0  32 2e 36 20 31 35 34 b1  74 c4 52 49 56 45 06 20  |2.6 154.t.RIVE. |  
e5d0  52 45 41 44 d9 09 c5 52  52 4f d2 0a d7 52 49 54  |READ...RRO...RIT|  
e5e0  c5 03 c6 49 4c c5 04 cf  50 45 ce 05 cd 49 53 4d  |...IL...PE...ISM|  
e5f0  41 54 43 c8 06 ce 4f d4  07 c6 4f 55 4e c4 08 c4  |ATC...O...OUN...|  
e600  49 53 cb 0b d2 45 43 4f  52 c4 48 86 f9 8a 0a aa  |IS...ECOR.H.....|

And the commands, file control methods and file types:

fe80  a8 68 aa 68 40 12 04 04  90 56 49 44 4d 42 55 50  |.h.h@....VIDMBUP|  
fe90  26 43 52 53 4e 84 05 c1  f8 1b 5c 07 a3 f0 88 23  |&CRSN.....\....#|  
fea0  0d ed d0 c8 ca cc cb e2  e7 c8 ca c8 ee 51 dd 1c  |.............Q..|  
feb0  9e 1c 52 57 41 4d 44 53  50 55 4c 44 53 50 55 52  |..RWAMDSPULDSPUR|  
fec0  45 45 52 53 45 4c 51 47  52 4c 08 00 00 3f 7f bf  |EERSELQGRL...?..|

All these string sections are at the same locations and have the same encoding. Disassembling the code shows how it’s possible that the ROMs are so different nevertheless – 1541 on the left, Blue Chip on the right:

.,c2b3  A4 A3       LDY $A3         .,c2b3  A4 A3       LDY $A3  
.,c2b5  F0 14       BEQ $C2CB       .,c2b5  F0 12       BEQ $C2C9  
.,c2b7  88          DEY             .,c2b7  88          DEY  
.,c2b8  F0 10       BEQ $C2CA       .,c2b8  F0 0E       BEQ $C2C8  
.,c2ba  B9 00 02    LDA $0200,Y     .,c2ba  A9 0D       LDA #$0D  
.,c2bd  C9 0D       CMP #$0D        .,c2bc  D9 00 02    CMP $0200,Y  
.,c2bf  F0 0A       BEQ $C2CB       .,c2bf  F0 08       BEQ $C2C9  
.,c2c1  88          DEY             .,c2c1  88          DEY  
.,c2c2  B9 00 02    LDA $0200,Y     .,c2c2  D9 00 02    CMP $0200,Y  
.,c2c5  C9 0D       CMP #$0D        .,c2c5  F0 02       BEQ $C2C9  
.,c2c7  F0 02       BEQ $C2CB       .,c2c7  C8          INY  
.,c2c9  C8          INY             .,c2c8  C8          INY  
.,c2ca  C8          INY             .,c2c9  8C 74 02    STY $0274  
.,c2cb  8C 74 02    STY $0274       .,c2cc  C0 2A       CPY #$2A  
.,c2ce  C0 2A       CPY #$2A        .,c2ce  90 0C       BCC $C2DC  
.,c2d0  A0 FF       LDY #$FF        .,c2d0  A9 FF       LDA #$FF  
.,c2d2  90 08       BCC $C2DC       .,c2d2  8D 2A 02    STA $022A  
.,c2d4  8C 2A 02    STY $022A       .,c2d5  A9 32       LDA #$32  
.,c2d7  A9 32       LDA #$32        .,c2d7  4C C8 C1    JMP $C1C8  
.,c2d9  4C C8 C1    JMP $C1C8       .,c2da  FF FF       .byte $FF, $FF

All over the place, instructions were shuffled around, in order to make the code look different, but behave the same. In some cases, the new code saves a byte or two, so filler bytes had to be added to keep the code layout the same.

Interestingly, whoever did this, seems to have lost interest at $D200 – the code after that is mostly untouched. Other than that, there only seems to be one more difference: The ROM checksum check has been disabled.

So the ROM is clearly Commodore’s code (based on version -05), shuffling around instructions doesn’t changed anything about that.

Commander C-II

The Commander C-II ROM also shows lots of differences compared to the 1541 ROM, but again, the well-known strings are are the right spots. The power-up message is unchanged, and (more or less broken) variations of the message “© 1984 Commander Electronics” can be found at the bottom and the top of the ROM.

c010  55 55 55 55 55 55 55 55  28 43 29 20 31 39 38 34  |UUUUUUUU(C) 1984|  
c020  00 43 6f 6d 6d 61 6e 64  65 72 20 45 6c 65 63 74  |.Commander Elect|  
c030  72 6f 6e 69 63 73 55 55  55 55 55 55 55 55 55 55  |ronicsUUUUUUUUUU|

ef30  55 55 55 55 55 55 55 28  43 29 20 31 39 38 34 20  |UUUUUUU(C) 1984 |  
ef40  41 6f 6d 6d 61 6e 64 65  72 20 45 6c 65 63 74 72  |Aommander Electr|  
ef50  6f 6e 69 63 73 c9 30 f0  06 c9 31 f0 02 09 80 29  |onics.0...1....)|

This is the reason for the difference in this case:

.,c2b3  A4 A3       LDY $A3         .,c2b2  A4 A3       LDY $A3  
.,c2b5  F0 14       BEQ $C2CB       .,c2b4  F0 14       BEQ $C2CA  
.,c2b7  88          DEY             .,c2b6  88          DEY  
.,c2b8  F0 10       BEQ $C2CA       .,c2b7  F0 10       BEQ $C2C9  
.,c2ba  B9 00 02    LDA $0200,Y     .,c2b9  B9 00 02    LDA $0200,Y  
.,c2bd  C9 0D       CMP #$0D        .,c2bc  C9 0D       CMP #$0D  
.,c2bf  F0 0A       BEQ $C2CB       .,c2be  F0 0A       BEQ $C2CA  
[...]

A big chunk of the code ($C100-$CEE1) is moved up by one byte! All references to this code have been properly updated – it seems they reverse engineered the ROM into buildable assembly source for that. The changes of the function addresses will introduce incompatibilities with third party code though that accesses these functions directly.

In addition, throughout the code, the following type of change was made:

.,c2d9  4C C8 C1    JMP $C1C8       .,c2d8  4C C7 81    JMP $81C7

RAM and ROM don’t nearly fill the 64 KB address space, and incomplete address decoding leads to lots of mirrors of RAM and ROM in the address space. The Commander C-II ROM uses random mirrors for most ROM and RAM accesses.

This ROM is based on the 1541-II version of Commodore’s code, and again, moving code and obfuscating addresses doesn’t make it an independent creation.

Enhancer 2000

I found two different ROMs for the Enhancer 2000. Let’s start with enhancer_2000.bin, which has a power-up message of “ENHANCER 2000 2.0” and the following string at $C000:

THIS IS THE ENHANCER 2000ROM. ALL PORTIONSOF THIS ROM ARE COPYRIGHTED FISH ARE FROGS. SPACE FOR RENT, CHEAP! BEWARE THE HIDDEN COPYRIGHTNOTICE

It’s based on version -05 of Commodore’s code, and at several sections throughout the ROM, it uses the same trick of shuffling instructions – but this was done independently of the Blue Chip ROM.

This ROM doesn’t just have swapped instructions though – big chunks have been completely rewritten, including the send and receive code on the serial bus and the GCR encoding/decoding. It would be interestig to analyze what the advantages of these new implementations are!

And there is a lot of new code, too. The previously unused areas are full, and the “boot clip” autostart code at $E780 was replaced with new code as well. I couldn’t find what calls this code, but some of it compares the second character of the command against one of these: “LUMPBIND-T”, and jumps to one of 10 functions based on it. It looks like the device implements some extra commands! The manual doesn’t mention anything though – early devices are supposed to have had original 1541 ROMs, so maybe this manual is based on that.

The other version, Enhancer 2000 Comtel 2.6.bin, shows the original 1541 power-up message (“CBM DOS V2.6 1541”) and has a different string at $C000:

LICENSED TO;
'THE COMTEL GROUP INC.'
1651 E. EDINGER #209
P.O. BOX 15485
SANTA ANA, CA 92705
(714)953-6165 TELEX:503727
/PROTECTED WORLD-WIDE BY COPYRIGHT LAWS

It seems to be a later version, because in addition to everything in the version already described, it also uses the “mirror address” method to make all remaining code look different – even in the added code!

Interestingly, the string with the added command characters has been changed to “LUPBCDHN B”.

This version of the Enhancer 2000 ROM is the most obfuscated 1541 ROM copy I’ve found!

Indus GT

Now for something lighter! The Indus GT has a few extra features compared to the 1541, like a two-digit display to show the current track, a write protect button, and a drive “1” (same syntax as Commodore’s dual drive units) that accesses tools on a built-in ROM.

The ROM is based on version -05 of the 1541 ROM, diligently binary-patched to support the extra features. The power-up string has been changed to “INDUS GT C64 V1.1”. And that’s it! No obfuscation! Just a plain feature-enhanced 1541 ROM. Most of the “ROM disk” code lives in an extra 8 KB ROM at $A000 (together with the ROM disk contents), and the existing ROM calls out to it.

MSD SD-1 and SD-2

The MSD drives are the most interesting ones. SD-1 is a single-drive device, and SD-2 has two drives, allowing the “1:” syntax of Commodore’s dual drives and supporting file copy across drives (“C” command) as well as disk copy (“D” command). Both devices also have both an IEEE-488 and a Commodore Serial bus.

These devices diverge a lot from Commodore’s offerings: No Commodore device ever had both ports, and all Commodore devices with two drives had two CPUs – the MSDs have only one CPU. The documented RAM layout (including the location of the I/O chips) also doesn’t match any Commodore device.

Comparing the disassemblies shows that the MSD ROMs are very different from 1541 ROMs, but they don’t show any signs of obfuscation.

So have the MSD ROMs independently developed?

No.

Most of the code is still Commodore’s, it is just organized differently. Pratically any core function in the 1541 ROM can be found in the MSD ROM somewhere, line by line. The ROM of the 1541 must have been reverse engineered into buildable source code, and the new features were then added, probably also by looking at the ROM of some other devices (like the 2031 or SFD-1001 for the IEEE-488 code, and the 4040, 8050 or 8250 to see how two drives are handled).

Conclusion

Drive Shuffling Relocation Mirror addresses Rewritten code Added features Different layout
Blue Chip BCD/5.25
Commander C-II
Enhancer 2000 (✓)
Indus GT
MSD SD-1 and SD-2

None of the ROMs of any of the 5.25″ disk drives for the C64 that I could find were independently developed. Some supposedly just shipped with the exact Commodore code for a while, until Commodore threatened to sue them, so they obfuscated their use of the copyrighted material. It’s unlikely that this would have fooled Commodore, but in times where it was tricky to convince a judge that code could be copyrighted at all, it was probably good enough.

Ironically, it was not the hardware, but the obfuscations of the software that caused some compatibility issues. Some addresses were different, some messages weren’t what apps expected. GEOS for example reads some ROM contents to decide what fast loader to use. Many users replaced the ROM chips of their clones with EPROMs containing the original Commodore code, which fixed most compatibility issues!

But not all 3rd party manufacturers borrowed Commodore’s code. Devices that didn’t use 5.25″ disks, like hard drives and 3.5″ disk drives, were quite incompatible with the 1541 and practically all games anyway, so there was no need to use the most compatible ROM in the first place. Still, developing a complete reimplementation of Commodore DOS is costly.

Creative Micro Devices (CMD) went that route. Their CMD HD (bridging to SCSI), CMD FD (3.5″ HD and ED) and RAMLink (RAM disk) devices used a DOS that was implemented from scratch.

More Research

There are still some open questions:
* Are the Enhancer 2000 versions of Serial and GCR better?
* What do the added commands of the Enhancer 2000 do?
* How exactly was the ROM of the MSD devices created?
* Are there ROMs of more 1541 clones out there? (Please submit them to zimmers.net!)

2 thoughts on “Analyzing the ROMs of Third Party Disk Drives for the C64

  1. MiaM

    I’ve seen people claiming that at least some of these third party 5.25″ drives used JiffyDOS code.

    Myabe it might be a good idea to compare the Enhancer 2000 code to the JiffyDOS code?

    I’ve somewhere also read claims that by legally licensing JiffyDOS they got around having to use Commodore code in at least some places. Obviously as you have analyzed they still used Commodore code, but perhaps to some lesser extent.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *