Monday, 16 October 2017

Apple /// Copy protection - some further investigation

I did some further reading and it seemed that the On Three Uncopyprotect driver would also work for Apple Writer /// (version3.0). I found a copy of the disk images for this on the website and booted up the first disk, AppleWriter30MSTR.dsk, in Mess. It failed to start, but came up with a different error message than Visicalc,  SYSTEM FAILURE = $06.

I then used the SCP and added the uncopyprotect driver to the disk image and then booted it again in Mess. This time success!

AppleWriter /// is using the same inbuilt copy protection and the same key as Visicalc. Interesting that it gives a different error. This would depend on the the jump taken in the still encrypted sos.interp file after the protection validation has failed. I traced with the Mess debugger and it jumps to the NMI handler routine, and then jumps to the system death routine which gives the above error.
I have seen this error for other disk images and had wondered why they gave that error. Looks like it could be due to copy protection failing for the disks.

I did some more searching and there is a copy of AppleWriter /// v4.1 in the WAP disks (APPLE-3-WAP-wdp-01a.dsk), and this one is not copy protected. So that's the easiest option to get it running and avoid this problem. Though we really need some NIB or better format images of the original v3.0 disks to preserve them in running condition.

Another disk image that I have seen reported before as broken, is the Apple3SystemDemo disk. I downloaded the disk image of this from, Apple3SystemDemo.dsk and booted it in Mess. This also gives the same SYSTEM FAILURE=$06.

I then thought I would try to copy in the uncopyprotect driver to the disk and see if this would also work. One catch though, from the disassembly in the previous blog entry, it needs SOS1.3 to work, and this disk has SOS1.1 on it. I used the Apple3SystemUtilities to copy over the SOS1.3 and driver file with the uncopyprotectdriver on it. (for some reason Ciderpress complains about a damaged directory entry, so i had to do this the long way)

With the new sos.kernel file and the sos.driver file, the disk actually boots. but.. then gives an error about a sos call. I suspect this is due to the change from SOS1.1 to 1.3. The uncopyprotect driver did however, help to successfully decode the sos.interp file (which is business basic) and was able to run it. It must therefore use the same protection key as the other programs. I think this also means that SOS 1.1 had the same copy protection support built in.
The easier way to fix this would be to copy in a unprotected version of the Business Basic sos.interp into this disk. I used the Apple3SystemUtils disk and copied one over from a working Business basic disk. Success, the demo works now, here is the classic running Horses :-) (disk image here)

It looks like Apple used the same protection Key for Visicalc, AppleWriter, and this demodisk. I would have thought they may have used individual ones for each program, but seems this is not the case. Also looks like if any disk gives these errors, then it may be due to copy protection failing.

Friday, 13 October 2017

Apple /// Advanced Visicalc and an interesting discovery

I recently purchased a copy of the Apple /// version of Advanced VisiCalc on ebay. It has since arrived and is a nice and complete setup, with the manual, command helper sheet, pocket reference and two sets of disks.

I went to look for some disk images to have a quick play with it on the Mess emulator. I could not find any in any of the usual places, but did remember seeing it in the apple3rtr package. So some time later and some reading of the manual, I was quite impressed at how many features it had back then compared to what I am used to with the current version of Excel. Although no mouse support, so lots of key commands to learn.

I then thought I would image the disks that came with the package, with some suspicion that there might be some copy protection involved. My goto setup for imaging is ADT using my IIc, as this can be setup/removed on my desk quickly. I then tried the newly created disk images on the Mess emulator, and looks like there is some copy protection as the program will not run. SOS boots ok, and then when the application goes to run (sos.interp), you just get the following screen.

I did some basic comparison of the sos.kernal file (v1.3) to check it is not changed, and it was the same as others I had, so not that. I started Mess with the debugger enabled and looked to find out when SOS jumps to the interpreter, and then see what happens there to look for any clues. A quick look at the SOS source code to find a starting point and address $1EB0 is the address in SOS that it jumps to the interpreter. (in sosldr)

That jumped to $2007 (in the sos.interp for Visicalc), which contains an indirect JMP to the address at $FFFC. This turns out to contain address $E833, this looked to be within SOS. A further look through the SOS source code and we find that's the SOS system Cold Start routine, which is what we end up with when we run with the copied disks.

Something strange going on here. It all boots as described in the SOS manuals, but just ends up at the cold start routine.

I left it there, as I remembered the On Three 'uncopyprotect' driver. It allows Visicalc to run and bypass the copy protection. I wonder what this could be doing, it may give some clues. I then ran the SCP and added the uncopyprotect driver to the VisiCalc Loader disk image, and then the disk boots up fine.

So what does this driver do to bypass the protection. I then did a disassembly of the uncopyprotect driver. This takes a little bit to extract the relocatable code part and disassemble, the details for that will be for another blog post.

It was a very small driver so not too much work to decode. The disassembly listing is here uncopy.asm It still needs some finishing off, but the big clue is that it patches the SOS BFM_INIT2 module (bfm_init2.lst). This is very interesting as I had not looked at this in detail, but seems SOS has some copy protection support built in to the operating system! Sounds very similar to some discussion papers that surfaced recently on SSAFE!

The BFM_INIT2 module is run as part of the SOS loader during startup. The module reads the disk from Track 9, Sector 2, and grabs the volume number from the sector. It then waits a set time and seeks to the next track, reads a sector, again grabbing the volume number. And so on until Track 16. It then checks if the last Sector read was 6, and errors if its not. So it needs the sectors synchronized on the disk! (and the volume number preserved, so a DSK image was never  going to work) This leaves us with an 8 byte Key made up of 8 volume numbers, one read from each track. It then uses this key to decrypt the sos.interp file in memory, and then does some modification of the start pointer and then runs the interpreter.

A look back at the uncopyprotect driver and it has the specific Key hardcoded into it for visicalc. And the driver patches it into SOS when the driver is initialised. Then when Visicalc is run, SOS thinks it has read the correct key and decrypts and run Visicalc ok.

To summarise things:
- SOS has copy protection support built into the operating system (aka SSAFE)
- For programs using the protection, the sos.interp file is encrypted with a key stored on the original disk
- SOS uses eight volume numbers stored across eight track/sectors to 'hide' the key- The tracks are read in sequential order via a timed routine, and this expects a particular sector to be read on the last track, so they must be synced!
- When the disk is booted, the key is read and then the sos.interp file is decrypted with the key, and then run.
- without the key, the software cannot be decrypted and run!

I wonder how many other Apple /// software packages used this support. I could see it possible to read the key from the original disk and decrypt the sos.interp file and then make a new disk with this on it. Then the software would be permanently unprotected. This may be worthwhile if there are a few disks that have this protection used.

Wow, not how I thought this journey would have ended.

Update with additional info:
NIB image of the original disk: AVCLOADER.NIB
Volume numbers extracted from the NIB image: Volume Number list

Thursday, 6 October 2016

RetroChallenge_201610 #2

Sometimes you need to read the manual...

The idea I was thinking of was to be able to enter the music notes and the lyrics either directly into the basic program, or enter them as a text file and have the program read it. I think I'll use this as a good easy song to start with. :-)

Then have a file something like this, notes, then duration, and the lyrics lined up possibly to get the timing.
   c.5 c.5 d1    c1  f1 e2  c.5 c.5 d1    c1  f1 e2  
   Hap-py  birth-day to you Hap-py  birth-day to you

I need to try and work out some ways to transfer the music notes to the speech to bring the tune into it. And play with some of the other features of SAM to see what adds to this. First thing was to enter the text and convert using the new function on my driver. The first line converted to phonemes ends up like this.

SAM supports setting the pitch, the standard pitch used is 120 in the examples, so the first thought was to make this C, and then add 10 for each note. ie D becomes 110, E = 120, and so on. rolled out, it becomes like this.
   "#P120"   (C)
   "#P120"   (C)
   "#P130"   (D)
   " BERTH"
   "#P120"   (C)
   " DEY5"
   "#P150"   (F)
   " TUX"
   "#P140"   (E)
   " YUW"

Well, here is how that sounds, not to good at all.

Now remember the opening line of the blog, a quick look at the SAM manual and it looks like the pitch is the other way around, smaller value is higher pitch.
   00-20 impractical
   20-30 very high
   30-40 high
   40-50 high normal
   50-70 normal
   70-80 low normal
   80-90 low
   90-255 very low
   default = 64

A quick swap around and this was the modified test program:

and this was the result. Still not to good.

SAM supports adding a stress value after the phoneme to add some expression. From the manual:
   1 = very emotional stress
   2 = very emphatic stress
   3 = rather strong stress
   4 = ordinary stress
   5 = tight stress
   6 = neutral (no pitch change) stress
   7 = pitch-dropping stress
   8 = extreme pitch-dropping stress

I then added a value of 5, need to have a play with these more, they might be quite useful.
This was the modified test program with an arbitrary stress value after the last phoneme:

and this was the result. Not to sure if this is better, I think it is improving.

Then the next thing was to extend the words, based on timing. I did this by just repeating the phonemes. Although the last word 'you' should probably be extended more, but it does not sound to good like that. Need to try some other ideas for it.
This is the test program with these changes:

and here is the result, its starting to get there!

I need to play some more with this, but I have some ideas now on how to translate from the music/lyrics to SAM.

Tuesday, 4 October 2016

RetroChallenge_201610 #1

Time to get started on this challenge!

To be able to work with and manipulate the speech output, I need to work with Phonemes, rather than plain text. This will allow me to extend the words and 'hold a note' for longer (or sing!). But working with them would take a lot of manual work to convert them from the text of the song lyrics. So the first thing I want to do is extend my Apple/// SAM driver to help with this.

First, some background on SAM. The original SAM software came with two binary programs, SAM and RECITER.

SAM is the actual speech program that takes Phonemes as input, and outputs speech from these through the 8 bit DAC card. Phonemes are speech sounds made by the mouth. Put together these make up words or speech. The full list of Phonemes that SAM supports are available in the user manual, linked here:

SAM Owner Manual

As an example, to say "Hello There" would need the following input " /HEHLOW DHEHR" to SAM.

The other program RECITER takes plain text as input and using rule based conversion, converts these to Phonemes. It then passes the output to SAM to speak them. Reciter has a large table of rules that it uses to look at letters preceding and after to work out the Phonemes it should use. Some of these are for specific words, and some are building blocks, eg sounds for word. I just noticed it has a table entry for Atari! ".ASCII "(ATARI)=AHTAA4RI""

My Apple/// driver implementation is done as a SOS character mode driver. A character mode driver supports reading and writing character strings. Currently I have two 'sub' drivers implemented, .SAM to support Phonemes, and .RECITER to support plain text.

For both of these 'sub' drivers, you first open them. And then just write a string to them, and they will speak the string. To check for errors, you can read from these, and the error code is returned. If its 255, then all went ok. Other wise, it will return the character position in the string where the error occured. eg when an incorrect phoneme is found.

What I want to be able to do is after the .RECITER has converted the plain text to Phonemes, I want to be able to read this back. The way i will implement this is to detect when a second read occurs, then return the converted string.

I have added a variable to monitor the number of reads:
  READNUM     .BYTE   000     ;flag to determine number of reads after write, 0=none
Whenever a write occurs, I will clear this back to zero:
  SPEAK       LDA     #000
              STA     014FC               ;disable extended indirect addressing for FB/FC
              STA     READNUM             ;clear previous reads number
              LDA     EReg

Then in the READ part, i have added a check and then either return the error code for the first read
or return the converted string.

$010        LDA     READNUM             ;check number of previous reads
              BNE     RETPHONM            ;yes, there has been, return converted string
                                          ;otherwise, return error code
  ;return error code
  ;return converted string containing Phonemes
  RETPHONM    LDY     #00
  $020        LDA     INPUTBUF,Y          ;read converted text from INPUTBUF
              STA     (BUFFER),Y          ;store in read buffer
              CMP     #ASC_CR             ;if CR then this is the end of the string
              BNE     $020                ;no, next
              TYA                         ;yes, ret count = index +1
              LDY     #00
              STA     (RTNCNT),Y          ;actual characters read count, low byte
              LDA     #00
              STA     (RTNCNT),Y          ;actual characters read count, high byte

One issue with this is it will actually speak the output each time your convert. If I have time, I will come back and improve this.
I have updated the changes into my github repository for this here:

To test this out, I have updated one of my test programs to check the driver operation. The disk image is available here with the updated driver and Basic test program.

its quite simple, here is the output show the program and the output from it running in MESS:

Next step will be to add pitch statements to see if SAM can start to sing..

Friday, 23 September 2016

RetroChallenge_201610 #0

While working on porting the Software Automatic Mouth (SAM) software to the Apple ///,  see . I came across a demo for SAM that someone had made getting SAM to sing the American National Anthem. SAM supports setting the pitch and speed for the speech output, so setting this and lengthening the phonemes allows some sort of singing to be achieved.

What I want to do for the RetroChallenge is to make a basic program to convert music and lyrics into a format that SAM could play or maybe that should be sing. (hopefully something like that :-) ) This might end up more of a helper program, and then some manual editing of the resultant phonemes to get it to sound better might be more likely.

I'm thinking I will add the ability to my Apple /// driver to be able to use it to convert text to phonemes. Currently you can send text to it, but it just converts and speaks it. Then write a Basic program to read notes and text and convert to pitch statements/phonemes, and then play them.

That's the idea, lets see how it goes once I get into it.

Friday, 8 July 2016

iMC Portcom II

This is my iMC Portcom II Apple II clone. Its more of a luggable type portable apple II. I purchased this recently off ebay. It looks like its an Apple II plus clone. (not IIe)

It has some power supply issues as it causes my house RCD to trip when I turn it on now. It did have some signs of life for a little while until the power supply failed. The screen is an Amber colour monochrome type.

It has 64k of memory on board and 5 apple slots. The one and only thing I can find on the internet about the iMC Portcom II says that they are slots 0,3,4,5,7. My board does not have any silkscreen on it at all.

It has two ROMs on the motherboard, they are both 2716 eproms (2k x 8). ROM1 is for $F800-FF00. It has just the basics to display the message on the screen, wait for a keypress, and then jump to the disk controller firmware at $C600. The other rom looks like it has the IO card firmware for the disk controller and I assume for the inbuilt serial and parallel ports.

This is my dump of the ROMs and a quick dissassembly of ROM1.
iMC Portcom II roms and dissassembly

I have connected another power supply to test the main board and see if it works. It does, it displays this message now when i turn it on:

The next issue encountered was trying to press a key :-(  The keyboard was unresponsive. This required that the keyboard needed to be opened up. The keyboard encoder has a Z80, 2k eprom and 1k ram. I tried to read the eprom to see if it looked ok, and some bad news. It looks like has been erased over time. (there was no sticker over the window. The reader was not able to read anything useful This will take some reverse engineering to get it going...