Understanding BOOSTER.ROM

19:24, 05 July 11

There is a ROM called BOOSTER.ROM which works with the Inicron RAM-ROM and Symbiface 2 which allows you to initialise and use ROMs 16-31 on these devices.  You put it in space 15 and on boot it initialises and allows access to the higher than normal ROMs.

I disassembled it and the codes looks a bit jumbled in places (it appears to initialise twice) but I've isolated the main routine.  Problem is, I can't really test it or mess about with it much as emulators like WinAPE only support ROM spaces 0-15 and I don't have any real hardware with the extra ROM spaces on my CPC either (can't wait for the MegaFlash!).

I'd like to try and adapt it to work with the Plus cartridge ROM spaces (132 to 135 in a 128kb cartridge) but the code is a bit beyond me at the moment... So, can anyone help me understand how it works?

org &8000 ; was in upper rom space
; just put it here to see if it would assemble correctly

start: push af
call    routine_1
pop     af

routine_1:      ld      a,(variable_1) ; set to &02 at start
dec     a
ret     z

ld      b,a ; ? ld b,1
ld      c,&01 ; ? ld c,1
loop_1: push    bc ; ? store bc (&0101)
ld      a,c ; ? ld a,1
add     a,a ; ? a = 02
add     a,c ; ? a = 03
add     a,&07 ; ? a = 0A
ld      l,a ; ? l = 0A
ld      h,&c0 ; ? h = C0
ld      e,(hl) ; ? ld e,(&c00A)
inc     hl
ld      d,(hl) ; ? de holds &c2e2
ld      b,&00
ld      hl,&c1e0
add     hl,bc
bit     7,(hl)
jr      z,condition_1
call    routine_3 ; routine_3
jr      z,condition_1
push    de
ld      hl,routine_2 ; copy routine_2 to workable memory
ld      de,&bf20 ; to &bf20
ld      bc,&0012 ; 12 bytes long
ldir    ; copy it
pop     hl
call    &bf20 ; call routine_2 in workable memory
condition_1: pop     bc
inc     c
djnz    loop_1


routine_2: call    &b912 ; KL CURR SELECTION
; Action Gets the ROM select address of the current ROM
; Entry No entry conditions
; Exit A contains the ROM select address of the current ROM, and all other registers are preserved
ld      c,a
call    &b90f ; KL ROM SELECT
; Action Selects an upper ROM and also enables it
; Entry C contains the ROM select address of the required ROM
; Exit C contains the ROM select address of the previous ROM, and B contains the state of the previous ROM
push    bc
ld      de,&bf2e ; tag bf23 here, &bf2e when routine_2 copied to &bf20
push    de
xor     a
jp      (hl)
bf23: pop     bc
jp      &b918 ; KL ROM DESELECT
; Action Selects the previous upper ROM and sets its state
; Entry C contains me ROM select address of the ROM to be reselected, and B contains the state of the required ROM
; Exit C contains the ROM select address of me current ROM, B is corrupt, and all others are preserved
; Notes This routine reverses the acoon of KL ROM SELECT, and uses the values that it returns in B and C


routine_3: di     
ld      bc,&f40e
out     (c),c
ld      b,&f6
in      a,(c)
and     &30
ld      c,a
or      &c0
out     (c),a
out     (c),c
inc     b
ld      a,&92
out     (c),a
push    bc
set     6,c
ld      a,&05
add     a,c
ld      b,&f6
out     (c),a
ld      b,&f4
in      a,(c)
ld      l,a
pop     bc
ld      a,&82
out     (c),a
dec     b
out     (c),c
bit     7,l


variable_1: defb &02


routine 3 is reading from the keyboard.
line 5, bit 7 which is space.

routine 2 is the important bit I think.

but it doesn't make a lot of sense as it is here, perhaps the full dissassembly makes more sense.

does it initialise some kind of rsx?
arnoldemu on 13:22, 06 July 11
routine 3 is reading from the keyboard.
line 5, bit 7 which is space.

Well that's weird, maybe if you hold down space or something during the boot it doesn't initialise?  Not got any real hardware to test it on myself unfortunately.

arnoldemu on 13:22, 06 July 11
routine 2 is the important bit I think.

Me too, and I can kind of see what it's doing - however, after a ROM has been initialised, doesn't the firmware routine in the OS (for example KL FIND COMMAND) walk the ROMs again to find the RSX you've entered?  If so, this routine will be hard-coded to ROMs 15 to 0 (on a 6128) and I can't work out how this program patches this in any way...?

arnoldemu on 13:22, 06 July 11
but it doesn't make a lot of sense as it is here, perhaps the full dissassembly makes more sense.
does it initialise some kind of rsx?

Well here is the full raw disassembly, but as far as I can see the routines before it just print the welcome text and do a checksum.  Obviously some of the disassembly is text so the instructions are not relevant as the disassembler doesn't realise it's text and turned the hex into instructions.

Not sure about the RSX init, thought it might have something to do with a table address loaded into DE but really not sure.

As far as I know, TFMs ROMManager program has a similar process to activate ROMs above 15, maybe he can give you a few tips on what's happening?



Bryce on 13:38, 06 July 11
As far as I know, TFMs ROMManager program has a similar process to activate ROMs above 15, maybe he can give you a few tips on what's happening?

I have asked TFM several times about this but he didn't have any time and pointed me to the BOOSTER.ROM, which is why I'm trying to find out this way.


a quick analysis shows.

rom starts up, does checksum
if checksum succeeds, it then does a loop.
it needs to copy a routine to ram because it manipulates the roms
it then selects each rom, and executes it's startup routine.
it also patches some firmware functions (that are copied into ram), so that it can select the other roms ok.
arnoldemu on 13:46, 06 July 11
a quick analysis shows.

rom starts up, does checksum
if checksum succeeds, it then does a loop.
it needs to copy a routine to ram because it manipulates the roms
it then selects each rom, and executes it's startup routine.
it also patches some firmware functions (that are copied into ram), so that it can select the other roms ok.

That's great that you can see what's happening!

Would you mind telling me the locations in memory where each of these occurs, then I can start working backwards with it...?


@ &51:  &3a6 is copied to &b900. length 01e4.

any calls referencing that area (ba00) or so, these will be within this.
So you can work out the function and where it's calling.

any calls to &c000 or so will be to roms.

keep the dissassembly at &c000 and work through it, documenting the firmware functions.

I can't give anymore help at this time.
arnoldemu on 13:56, 06 July 11
keep the dissassembly at &c000 and work through it, documenting the firmware functions.

That's great, thanks for your help.

I did think it might be patching the firmware in RAM, which is good news for the MegaFlash - you don't actually need the Booster ROM as you can patch the OS ROM itself and and load this into the MegaFlash directly to override the CPC's internal OS ROM. 

Bad news for me though as patching these routines to work from &84 to &87 (the Plus cartridge ROM spaces) is incredibly difficult.


I doubt many people will want to initialise all 32 ROMs much of the time though. It takes up a lot of RAM doing that.



Bryce on 13:38, 06 July 11
As far as I know, TFMs ROMManager program has a similar process to activate ROMs above 15, maybe he can give you a few tips on what's happening?


Actually not, because the ROManager only manages the ROMs. The Booster initializes them. However, I can give some explanations here. The ROM Booster must be (should!) a ROM position 15. So it get's initialized first. Now it does the following: It initializes all ROMs between 16 and 31. Cuidado! Danger! Don't initialize ROM with a number bigger than 31, because this would crash the Amsdos/Basic.

Then the ROM Booster initialzes itself and then gives the control back to the CPC.

The source is a bis screwed up, because it was probably taken from the ROM itself, and this was generated by the ROM-Gen 1.16 or higher, so this explains that.

All clear?
TFM of FutureSoft
Also visit the CPC and Plus users favorite OS: FutureOS - The Revolution on CPC6128 and 6128Plus


Bryce on 14:28, 06 July 11
I doubt many people will want to initialise all 32 ROMs much of the time though. It takes up a lot of RAM doing that.


Yes, but it depends on the ROMs. Some ROMs take only few bytes, needed for the RSX chain (like FutureOS ;)) and others take whole pages (Maxam, Amsdos, other dos, protext etc.). So if you put "the right" ROMs above 16 it can make sense.

However, every ROM with a number bigger than 7 will probably shit down the Amsdos RAM, which confuses games that directly access memory (like at &A701 etc.).

The Booster ROM is basicly all you need, it provides also a lot of space for programs, to be added into the same ROM. Further you can deactivate = park it, so it will not work if you don't like it working.

TFM of FutureSoft
Also visit the CPC and Plus users favorite OS: FutureOS - The Revolution on CPC6128 and 6128Plus


TFM/FS on 21:18, 06 July 11
Don't initialize ROM with a number bigger than 31, because this would crash the Amsdos/Basic.

Thanks TFM.

Yes, this is what I have found too.  However, I can't find out exactly why - I know that the OS kernel routines have error checks to ensure that only ROMs 0-15 (or 0-7 on a 464) are initialised, but can't see why Amsdos/Basic can't deal with any ROMs above position 31...  Can you please explain the reason for this?

TFM/FS on 21:18, 06 July 11
The source is a bis screwed up, because it was probably taken from the ROM itself, and this was generated by the ROM-Gen 1.16 or higher, so this explains that.

Yeah I found the string relating to R-GEN 1.16 too in the RSX table and guess it was a ROM generator.  It appears the author of the Booster from wrote a program called MANAGE.BIN and used this utility to make his ROM.  You can actually access the routine again in Basic if you use the RSX |MANAGE.BIN .


I'd also like to know why a ROM above 31 would crash the CPC. There's certainly no hardware reason for this.



Bryce on 21:58, 06 July 11
I'd also like to know why a ROM above 31 would crash the CPC. There's certainly no hardware reason for this.


No absolutely not, it's only a space problem in the CPCs RAM. Every ROM needs some bytes in RAM to be managed by the firmware, so this couple of bytes will overwrite other code of the firmware.

Don't let me be misunderstood (like the song). To connect ROMs with numbers over 31 is no problem at all. You can connect all 256 possible ROMs to the CPC and there will be no problem. But you can only integrate 0-31 to the RSX chain of the CPCs firmware.
TFM of FutureSoft
Also visit the CPC and Plus users favorite OS: FutureOS - The Revolution on CPC6128 and 6128Plus


TFM/FS on 18:37, 07 July 11
No absolutely not, it's only a space problem in the CPCs RAM. Every ROM needs some bytes in RAM to be managed by the firmware, so this couple of bytes will overwrite other code of the firmware. To connect ROMs with numbers over 31 is no problem at all. You can connect all 256 possible ROMs to the CPC and there will be no problem. But you can only integrate 0-31 to the RSX chain of the CPCs firmware.

Ah so it's a problem with the RSXs in ROMs higher than 31. I wasn't aware of this and only knew about ROMs requesting a little bit of RAM as general workspace, which I assume is not what you are talking about here).

So, for example, if you have only 1 ROM in slot 40 you can't initialise it's RSXs because this ROM slot's required 'few bytes' will overwrite some part of the firmware...?  Is this right?  And where in memory would these 'few bytes' be - do you have a formula or something to calculate it?


The firmware always initializes ROMs 0-15 (-7 if 464), but there is space for 16-31 too, when using the Booster ROM.

You may can initialize a ROM of number 40 "by hand" but not by firmware.

ROMs need two kinds of space:

- some bytes for the firmware, their management, and their RSXes.

- RAM that is used by the software on ROM

The minimum amount of bytes a ROM needs is four bytes, the firmware can't work with less.

TFM of FutureSoft
Also visit the CPC and Plus users favorite OS: FutureOS - The Revolution on CPC6128 and 6128Plus


Ok, so it's not the actual number being used by a ROM that's important, but the fact that there is only space for 32 ROM "header bytes". So if only ROMs 0 and 7 were initialised, it would still be possible to initialise (by hand) 30 other ROMs at positions above 31?

Is this also the case with the CPC Plus? The reason I ask is the MegaFlash: If ROMs 0 and 7 are initialised, and a cartridge also takes some ROM space, then can I still activate 32 ROMs on the MegaFlash without the CPC crashing?



Bryce on 08:14, 08 July 11
Ok, so it's not the actual number being used by a ROM that's important, but the fact that there is only space for 32 ROM "header bytes".

This appears to be what TFM is saying and I already knew about this.  It's the same reason it's not a good idea to initialise 32 ROMs at once - Himem gets so low from all the RAM grabbed by the ROMs that the CPC becomes pretty unusable.

Bryce on 08:14, 08 July 11
So if only ROMs 0 and 7 were initialised, it would still be possible to initialise (by hand) 30 other ROMs at positions above 31?

What I thought he was saying is that you can't initialise any ROM which uses RSXs over position 31 but yes, TFM then says you can do this by hand.  However, the only way I can test this is by trying to initialise a ROM in slot 132 (in the Plus cartridge, 128-131 are system ROMs and after that you have 4 free spaces in a 128kb cartridge from 132-135) and I can tell you that this definitely doesn't work - the ROM does appear to init, but you get artefacts on the screen and none of the RSXs work.

The only other way I can think of testing this is to have a device like your MegaFlash with more than 512kb so it has ROM positions over 31 (would have to be 1Mb I guess) and see what happens.  Or you could try my code on your existing MegaFlash and see if it works with a ROM in say position 20 (change the first LD C to LD C,20 then assemble it and CALL &8000 from BASIC)...?

It is highly possible, of course, that we find a problem with my code but I did take it from the firmware OS routines that Arnoldemu disassembled though, so should be ok.  Can anyone check it for me?

org &8000

ld c,&84 ; select ROM &84 (132) from Plus Cartridge
call kl_init_back ; initialise ROM

kl_init_back: ld      a,(&b8d9) ; &B8D9 - 1 - foreground ROM select address (0 for the BASIC ROM)
cp      c
ret     z

;; DISABLED - check ROM is in 0-15 range
;; ld      a,c ; checks rom is in 0-15 range
;; cp      &10
;; ret     nc

call    kl_rom_select ;; HI: KL ROM SELECT

    ld      a,(&c000) ; get ROM type number
and     &03 ; checks number is in range 0-3 in decimal
dec     a ; checks ROM type number is 0 (background ROM)
jr      nz,not_background_rom ; and if not exit routine, else...

push    bc ; preserve ROM number
scf      ; set carry flag
call    &c006 ; initialise ROM, ROM init has SCF at end of routine, therefore...
jr      nc,init_not_done ; if initalise unsuccessful exit routine, else..

push    de
inc     hl
ex      de,hl
ld      hl,&b8da ; &B8DA - 16*2 - ROM entry IY value (ie the address table) - the 6128 has ROMs numbered from 0 to 15:
ld      bc,(&b8d6) ; &B8D6 - 1 - Upper ROM status (eg select number)
ld      b,&00
add     hl,bc
add     hl,bc
ld      (hl),e
inc     hl
ld      (hl),d
ld      hl,&fffc
add     hl,de
call    kl_log_ext ; KL LOG EXT
dec     hl
pop     de
init_not_done: pop     bc
not_background_rom: jp      kl_rom_deselect ;; HI: KL ROM DESELECT

kl_rom_select: call    kl_u_rom_enable ;; HI: KL U ROM ENABLE
push    hl ; routine duplicated in kl_rom_deselect, repeated here for clarity
ld      b,&df
out     (c),c
ld      hl,&b8d6
ld      b,(hl)
ld      (hl),c
ld      c,b
ld      b,a
pop     hl

kl_rom_deselect: push    af
ld      a,b
call    kl_l_rom_restore ;; HI: KL L ROM RESTORE
pop     af
push    hl
ld      b,&df
out     (c),c
ld      hl,&b8d6
ld      b,(hl)
ld      (hl),c
ld      c,b
ld      b,a
pop     hl

kl_l_rom_restore: di     
xor     c
and     &0c
xor     c
ld      c,a
out     (c),c
exx      ; routine duplicated in kl_u_rom_enable, repeated here for clarity

kl_log_ext: push    hl
ld      de,(&b8d3)
ld      (&b8d3),hl
ld      (hl),e
inc     hl
ld      (hl),d
inc     hl
ld      (hl),c
inc     hl
ld      (hl),b
pop     hl

kl_u_rom_enable: di     
ld      a,c
res     3,c ; resets bit 3 to 0 (? problem with ROM number 132, not sure but doesn't work without it)
out     (c),c


You could test it with any standard ROMBoard that decodes all 8 Data lines. Just add an inverter to say D6, so that they ROMBoard then replies when it's equal to 1. This would shift the entire ROMBoard up to ROMs 64 onwards.

In fact it's even easier on a ROMBoard that DOESN'T decode all the data bits. On these, the ROMs are technically also present right up to 255, you would just have to initialise a position higher up the line, although you might have to park the original ROM that got initialised in the 0-7 range to avaiod a clash? Not sure about that though, is there a problem with having the same ROM twice on a CPC?



Bryce on 10:55, 08 July 11
You could test it with any standard ROMBoard that decodes all 8 Data lines. Just add an inverter to say D6, so that they ROMBoard then replies when it's equal to 1. This would shift the entire ROMBoard up to ROMs 64 onwards.

Makes sense, but I don't have a ROM board to try it  :(  Maybe we could alter an emulator to do this?  Winape only supports 0-15 at present, not sure about the others.

Bryce on 10:55, 08 July 11
Not sure about that though, is there a problem with having the same ROM twice on a CPC?

I put Maxam 1.5 in ROM spaces 5 and 6 in WinApe and it worked fine - the ROM just initialised twice and shows as installed twice in the display (|HELP) details, so I don't think there's a problem with this. The RSX commands worked too, assume it routes to the last initialised ROM.


Interesting to know. I don't know how it actually interprets RSX commands, but I would assume, the one with the highest ROM No. is the one actually being used, because the CPC reads them in from 15 to 0 and lists them in a table in RAM. When you type the RSX, I assumed it read the list from top to bottom, but maybe it's the other way around?



Bryce on 12:15, 08 July 11
When you type the RSX, I assumed it read the list from top to bottom, but maybe it's the other way around?

It's KL FIND COMMAND which finds RSXs, and the description from the Firmware guide says "the sequence of searching is RSXs, then ROMs with lower numbers before ROMs with higher numbers". 

But this kind of contradicts RSXs that have been initially logged by KL LOG EXT... I think you can either increase or decrease the memory space each time this is done, and think the latter is generally the convention used (because ROM walking is also done from high to low numbers).

On another note - I've found the ROM Utopia to look interesting as it has two RSX commands |ROMON and |ROMOFF.  You can use them alone for all ROMs or with a number, such as |ROMON,7 .

I've tried it with |ROMON,20 and it accepts the input and doesn't crash.  I've also tried it with |ROMON,132 and the Maxam ROM in that space in the cartridge position but unfortunately it didn't do anything.  However, I think it's worth a try to put the Utopia ROM in say slot 6 in the MegaFlash and then any other ROM (Maxam or something) in slot 20.  Then try a |ROMON,20 from BASIC and we can see if it works.

If it does, great news and I can look into it further.  If not, then maybe it's just the code but at least I'll have something to go on!


Although the Cartridge system is very similar to the ROMBoard system, they are not the same. ROMON and ROMOFF won't work on a ROM in a cartridge. ROMs in a ROMBoard react to the /ROMEN signal, whereas cartridges have a seperate /ROM signal which the ROMON / ROMOFF commands don't trigger.



Bryce on 12:55, 08 July 11
Although the Cartridge system is very similar to the ROMBoard system, they are not the same. ROMON and ROMOFF won't work on a ROM in a cartridge. ROMs in a ROMBoard react to the /ROMEN signal, whereas cartridges have a seperate /ROM signal which the ROMON / ROMOFF commands don't trigger.

This is very interesting, is this part of the hardware design?  And something to do with how ROM slots 128-131 are patched into their 'real' positions (0, 1 and 7) on the Plus?

I don't know what the ROMEN signal is, do you have any more information.

