***************************************
*                                     *
*     KRAKOWICZ'S KRACKING KORNER     *
*                                     *
*    BASIC HARDWARE KRACKING TOOLS    *
*                                     *
***************************************

IN ANSWER TO AN INCREASING NUMBER OF REQUESTS, HERE ARE A COUPLE OF RELATIVELY (?) SIMPLE HARDWARE DEVICES DESIGNED TO INCREASE YOUR KRACKING AND SNOOPING ABILITY. THE SELECTION RULES ARE SIMPLE: IF YOU DON'T KNOW HOW TO MAKE IT, DON'T TRY. IF YOU DON'T KNOW HOW TO USE IT, DON'T BOTHER. SOME OF THE PIECES WILL BE HARD TO FIND, SO IF YOUR SOLE SUPPLIER OF HARDWARE IS RADIO SHACK, YOU MAY HAVE SEVERE DIFFICULTIES BUILDING AT LEAST THE FIRST DEVICE.

THESE ARE NOT (AS FAR AS I KNOW) COMMERCIAL PRODUCTS, AND NEITHER I NOR THE MANAGEMENT OF THIS INFORMATION SERVICE HAS ANY ABILITY OR DESIRE TO SUPPLY YOU WITH COMPLETED DEVICES, PARTS, ADDITIONAL INFORMATION, DEBUGGING AIDS, OR ADVICE IN THEIR UTILIZATION IN KRACKING, OTHER THAN THAT PRESENTED HERE. (THESE DEVICES ARE DESCRIBED "AS IS", AND THE MANUFACTURER MAKES NO WARRANTY, EXPRESS OR IMPLIED, REGARDING, BUT NOT RESTRICTED TO, MERCHANTABILITY, FITNESS OF USE, BLAH, BLAH, BULLSHIT, HAVE YOU ANY PULL?).

THERE ARE TWO DEVICES. THE FIRST IS KNOWN AS THE "ROMSWITCH", AND ALLOWS YOU TO SELECT BETWEEN TWO PROMS IN THE F8 POSITION, ONE BEING A STANDARD APPLE 9316 PROM SUCH AS AN AUTOSTART ROM, AND THE OTHER A 2716 MODIFIED TO PERFORM PERVERTED ACTS FOR CLANDESTINE PURPOSES. YOU ARE CERTAINLY AWARE OF THOSE "PROTECTION" SCHEMES WHICH REQUIRE YOU TO HAVE AN UNMODIFIED AUTOSTART ROM IN THE F8 SOCKET IN ORDER TO BOOT (SHAME ON YOU FOR TRYING TO USE LOWER CASE!), AND THERE ARE MANY TIMES WHEN IT WOULD BE NICE TO SWITCH EASILY BETWEEN A NORMAL AUTOSTART ROM AND A KRAKROM WITH VOLATILE MEMORY SAVE AND NMI CAPABILITIES (CRACK-SHOT, REPLAY, WILD CARD, AND FRIENDS ARE BENEATH CONTEMPT FOR THE SERIOUS KRACKIST).
(THOSE OF YOU WHO HAVE FIGURED OUT HOW TO DO THIS BY PROGRAMMING A 2732 PROM TO CONTAIN BOTH THE NORMAL AND MODIFIED CODE, AND THEN TOGGLE BETWEEN THEM WITH A SWITCH ON THE A11 LINE AT PIN 18 NEED READ NO FURTHER. YOU ARE BEYOND US AND WE SALUTE YOU.)

AS WE DESCRIBED IN "THE BASICS OF KRACKING 1", THE TWO PROMS DIFFER IN THEIR UTILIZATION OF CHIP SELECT AND CHIP ENABLE PINS. FORTUNATELY, THE PINS USED TO CONNECT THE ROM TO THE BUS (CHIP SELECT LINES) ARE OF OPPOSITE SEX: THE 9316 IS ENABLED BY PULLING PIN 18 UP TO 5 VOLTS, WHILE THE 2716 IS ENABLED BY PULLING PIN 18 DOWN TO GROUND. WHAT THIS MEANS TO US IS THAT WE CAN SELECT BETWEEN THE TWO CHIPS BY WIRING ALMOST ALL THE PINS IN PARALLEL AND USING A SINGLE-POLE, SINGLE THROW SWITCH TO CONNECT BOTH PINS TO EITHER 5 VOLTS OR GROUND. (MOST OF THE TIME) YOU CAN EVEN DO IT WHILE A PROGRAM IS RUNNING WITHOUT ANYONE KNOWING YOU DID IT.

TO DO IT RIGHT, YOU WILL NEED A 24-PIN PLUG THAT FITS INTO THE F8 ROM SOCKET AND CONNECTS TO A 6-INCH PIECE OF 24-CONDUCTOR FLAT RIBBON CABLE. THIS IS KNOWN IN HARDWARE CIRCLES AS A CRIMP-ON 24-PIN DIP PLUG (3M #3460 OR EQUIVALENT). IF YOU CAN'T FIND ONE, YOU CAN SOLDER THE INDIVIDUAL WIRES TO THE SOCKET HOLES OF A 24-PIN SOCKET OR THE PINS OF A 24-PIN COMPONENT CARRIER, BUT YOU WILL NEED MUCH MORE SOLDERING SKILL TO AVOID SHORTS.

CRIMP THE DIP PLUG ONTO THE 24-PIN CABLE, THEN AT THE OTHER END, CRIMP ON A TOTAL OF 4 40-PIN "BIPIN" HEADERS (EACH ONE HAS TWO ROWS OF 20 PINS ON 0.100 INCH CENTERS; ANSLEY, 3M, AMP MAKE 'EM), ALLOWING A SPACE OF EXACTLY 0.2 INCHES BETWEEN EACH PAIR. THE SPACING BETWEEN OUTSIDE ROWS ON ADJACENT HEADERS WILL THEN BE 0.6", JUST RIGHT FOR THE PINS ON 24-PIN DIP SOCKETS (IF ANYONE EVER FINDS A SOURCE OF 24-PIN CRIMP-ON IC SOCKETS, PLEASE POST A MESSAGE LISTING THE SOURCE. WE WILL BE ETERNALLY GRATEFUL TO YOU).

(IN THE DIAGRAMS BELOW, PLEASE TRY TO PRETEND THAT THE THINGS THAT ARE SHAPED LIKE: /\/\/\ LOOK LIKE RESISTOR SYMBOLS. IT'LL MAKE ME FEEL A LOT BETTER).
[CABLE ASSEMBLY DIAGRAM (TOP VIEW), NOT RECOVERABLE FROM THIS COPY: A 24-PIN DIP PLUG (PIN 1 MARKED) ON A 6" LENGTH OF 24-CONDUCTOR RIBBON CABLE, WITH FOUR 40-PIN HEADERS NUMBERED 1 THROUGH 4 CRIMPED ON THE OTHER END, 0.2" BETWEEN EACH PAIR AND 0.6" BETWEEN THE OUTSIDE ROWS OF ADJACENT HEADERS. THE 2716 SOCKET GOES ON HEADERS 3 AND 4, THE 9316 SOCKET ON HEADERS 1 AND 2.]

PREPARE TWO 24-PIN WIRE-WRAP SOCKETS AS SHOWN BELOW: (THESE ARE BOTTOM VIEWS)

[SOCKET WIRING DIAGRAM, NOT RECOVERABLE FROM THIS COPY: PIN 18 OF EACH SOCKET IS CUT OFF SO IT NO LONGER REACHES THE CABLE, AND IS WIRED THROUGH A 1000 OHM RESISTOR TO THE SPST SWITCH; THE SWITCH NODE IS ALSO FED FROM +5 VOLTS (SOCKET PIN 24) THROUGH A 100 OHM RESISTOR. THE 2716 SOCKET SHOWS ONE FURTHER CUT PIN AND A JUMPER WHOSE ENDPOINTS ARE NOT LEGIBLE IN THIS COPY.]

X=CUT OFF THE PIN

INSERT THE SOCKET PINS INTO THE =>OUTSIDE<= ROWS OF HOLES IN THE HEADERS:

[ENLARGED VIEW OF THE LEFT SIDE OF THE CABLE ASSEMBLY (HEADERS 4 AND 3), NOT RECOVERABLE FROM THIS COPY: THE IC SOCKET PINS FIT INTO THE TWO OUTSIDE ROWS OF HOLES, PIN 1 AT THE BOTTOM, AND ONE 24-PIN SOCKET COVERS THE LOWER PART OF BOTH HEADERS.]

(BECAUSE OF THE OFFSET USED TO CONNECT THE CRIMP PINS TO THE CABLE, THE INSIDE ROWS CONTAIN THE SAME PINS, BUT WITH THE SIDES SWITCHED. DON'T THINK ABOUT IT TOO LONG--IT INVITES MADNESS)

INSERT THE SOCKET FOR THE 2716 PROM IN THE LEFTMOST PAIR OF HEADERS (IT DOESN'T REALLY MATTER WHICH ONE YOU USE AS LONG AS YOU PLUG EACH PROM INTO THE RIGHT SOCKET), AND THE 9316 SOCKET INTO THE RIGHTMOST PAIR. YOU CAN OBTAIN THE +5 VOLTS AT PIN 24 OF EITHER SOCKET, OR FROM PIN 25 OF ANY PERIPHERAL SLOT CONNECTOR.

REMOVE THE PROM FROM THE F8 SOCKET ON THE MOTHER BOARD AND PLUG IT INTO THE 9316 SOCKET IN THE HEADERS (NOTCH AND PIN 1 TOWARD THE KEYBOARD, PLEASE). PLUG YOUR 2716 INTO THE OTHER SOCKET, THEN INSERT THE DIP PLUG AT THE OTHER END OF THE CABLE INTO THE F8 SOCKET ON THE MOTHER BOARD. IF YOU LIKE TO LEAVE YOUR APPLE OPEN, YOU CAN PUT THE SWITCH WHEREVER IT'S HANDY, OR ATTACH IT TO A COUPLE OF WIRES AND SNAKE IT OUT THROUGH ONE OF THE SLOTS IN THE BACK BEFORE YOU PUT THE TOP BACK ON YOUR APPLE. IF YOU CUT THE WIRE WRAP PINS ON THE 24-PIN SOCKETS DOWN TO ABOUT 1/4", THE ENTIRE CABLE ASSEMBLY CAN SAFELY SIT ON TOP OF THE POWER SUPPLY, EVEN WITH A "ZIF" SOCKET IN THE 2716 SOCKET FOR RAPID PROM CHANGING.

---------------------------------------

THE SECOND CIRCUIT IS A "DEBOUNCED" NMI SWITCH. MOST OF US KNOW BY NOW THAT CONNECTING PIN 29 TO PIN 26 ON ANY OF THE PERIPHERAL SOCKETS WILL CAUSE AN NMI INTERRUPT.
WHAT WE FOUND OUT A LITTLE LATER WAS THAT USING A MECHANICAL SWITCH TO CONNECT THE TWO LINES GAVE A LOT OF EXTRA "GARBAGE" ON THE STACK AND CAUSED A LARGE DISCREPANCY BETWEEN THE VALUE IN THE STACK POINTER STASH LOCATION ($2903 OR $4903 FOR KRAKROMS) AND THE ACTUAL LOCATIONS OF THE PROGRAM COUNTER AND STATUS WORD ON THE STACK.

THE REASON FOR THIS IS "CONTACT BOUNCE". IF YOU TAKE A MICRO VIEW OF SWITCH CONTACTS SLAMMING AGAINST EACH OTHER AS A SPRING PULLS THEM TOGETHER, THEY ACTUALLY HIT, FLY APART, AND COME BACK TOGETHER AS MANY AS TEN OR TWENTY TIMES BEFORE THEY REMAIN IN CONTACT. THE ENTIRE PROCESS TAKES ONLY A FEW MILLISECONDS, BUT EACH TIME THE CONTACTS TOUCH, THE APPLE'S 6502 OBEDIENTLY DOES ANOTHER NMI INTERRUPT, EVEN IF IT HASN'T FINISHED THE LAST ONE (IT'S SORT OF A CPU ARCHITECT'S MORAL DILEMMA: DO YOU ALLOW AN NMI TO BE TRULY NON-MASKABLE BY ALLOWING IT TO EVEN INTERRUPT ITSELF, OR SHOULD YOU HAVE A FLAG THAT'S RAISED TO PREVENT AN NMI FROM DISTURBING AN NMI IN PROGRESS?). AT ANY RATE, IT'S AN UNWELCOME COMPLICATION TO THE ALREADY DIFFICULT TASK OF PROGRAM SNOOPING, SO WE HAVE TO DEAL WITH IT.

THE SOLUTION IS TO USE A "DEBOUNCED" SWITCH, AND THE ACTUAL CIRCUIT CONSISTS OF ONLY ONE CHIP AND A PAIR OF RESISTORS. THE METHOD OF CONSTRUCTION IS OPEN, SINCE THERE ARE NO CRITICAL IMPEDANCES OR FREQUENCIES INVOLVED. IT'S EVEN POSSIBLE, IF YOU HAVE RUN OUT OF SLOTS, TO WIRE UP THE IC DIRECTLY TO THE SWITCH, AND CONNECT TO A PERIPHERAL CARD WITH A 3-WIRE CABLE. SOLDER THE APPROPRIATE WIRES ONTO ANY CARD WHICH HAS "FINGERS" ON PINS 25, 26, AND 29 (A PLAGUE OF THERMAL INTERMITTENTS ON THOSE HARDWARE PRODUCERS WHO SAVE ELEVEN CENTS PER BOARD BY ELIMINATING THE GOLD CARD-EDGE FINGERS THAT THEY DECIDE ARE SUPERFLUOUS!).
IF YOU HAVE SLOTS TO SPARE, EITHER OBTAIN THE CARD-EDGE TO MAKE CONNECTIONS TO THE SOCKET (IT'S SURPRISING HOW MUCH SURPLUS ELECTRONICS EXISTS WITH CARD-EDGE CONNECTORS OF 50 OR MORE CONTACTS ON 0.100" CENTERS), OR BUY ONE OF THE HOBBY OR "KLUDGE" BOARDS DESIGNED FOR THIS KIND OF FOOLISHNESS. (AS USUAL, A.P.P.L.E. IN WASHINGTON STATE HAS THE BEST DEAL I'VE SEEN AT $14.00 FOR A BLANK BOARD--TERRIFIC OUTFIT, GOOD CHEAP SOFTWARE AND HARDWARE, GOOD MAGAZINE. YOU SHOULD JOIN). ONE OTHER SMALL DISADVANTAGE OF THIS CIRCUIT IS THAT YOU NEED AN SPDT SWITCH WHERE AN SPST IS ALL THAT'S REQUIRED ELECTRICALLY, BUT IT'S A SMALL PRICE TO PAY.

NOW LET'S SEE IF WE CAN MAKE THIS LOOK LIKE A SCHEMATIC...

[SCHEMATIC, NOT RECOVERABLE FROM THIS COPY: IC1 IS A 74LS00 (PIN 14 TO +5 VOLTS, SLOT PIN 25; PIN 7 TO GROUND, SLOT PIN 26). THE SPDT SWITCH COMMON GOES TO GROUND, AND EACH THROW IS PULLED UP TO +5 VOLTS THROUGH R1 OR R2 (3K) AND FEEDS ONE INPUT OF A NAND GATE (PINS 1 AND 5). THE TWO GATES ARE CROSS-COUPLED, EACH OUTPUT FEEDING THE OTHER GATE'S SECOND INPUT, AND THE OUTPUT AT PIN 6 GOES TO SLOT PIN 29 (NMI). THE OPEN CENTER CONTACT OF THE SWITCH IS MARKED "NO CONN.".]

* CONNECTION POINT FOR WIRES TO SWITCH (IF THE CHIP IS ATTACHED TO THE SWITCH, THE WIRES GO TO PINS 25, 26 AND 29 OF THE PERIPHERAL SLOT CONNECTOR).

NUMBERS AROUND THE ERSATZ NAND GATES ARE IC PIN NUMBERS-NOT PERIPHERAL SLOT CONNECTOR PINS.

A PUSHBUTTON SWITCH GIVES YOU A LITTLE FASTER RESPONSE WHEN YOU'RE TRYING TO STOP A PROGRAM AT JUST THE RIGHT POINT, BUT A TOGGLE SWITCH WILL ALSO GET THE JOB DONE. THE RESISTOR VALUES ARE NOT CRITICAL--ANYTHING FROM 1K TO 3K IS FINE.

TO USE THESE DEVICES TOGETHER, REMEMBER THAT THE SWITCH GIVES YOU ABSOLUTE SELECTION OF THE 2716 OR 9316 AS LONG AS THE MOTHER BOARD HAS BEEN SELECTED AS THE SOURCE OF F8 CODE. THE MOTHER BOARD IS SELECTED AS THE ROM READ SPACE WHEN THE ADDRESSES $C081 OR $C082 WERE MOST RECENTLY ACCESSED.
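THE BOUNCE PROBLEM AND THE NAND-LATCH FIX, MODELLED IN PYTHON. THIS IS AN ADDED EXAMPLE, NOT PART OF KRAKOWICZ'S ORIGINAL ARTICLE: IT ASSUMES THE SPDT THROWS GO TO IC1 PINS 1 AND 5 WITH THE REST POSITION GROUNDING PIN 5, THE CROSS-COUPLING PIN 3 TO PIN 4 AND PIN 6 TO PIN 2, AND A CONSTRUCTED CONTACT-BOUNCE SEQUENCE; IT COUNTS HOW MANY TIMES THE NMI LINE FALLS FOR A BARE SWITCH VERSUS THE LATCH.

```python
# Added example (not from the original article): models the raw NMI switch
# from slot pin 29 to pin 26 against the 74LS00 NAND-latch debouncer.
# Assumptions: SPDT throws on IC1 pins 1 and 5, rest throw grounds pin 5,
# pin 3 feeds pin 4, pin 6 feeds pin 2, pin 6 drives slot pin 29 (NMI).
# The 6502 NMI input is edge-triggered: every 1->0 edge is a fresh NMI.

def nand(a, b):
    return 0 if (a and b) else 1

def bouncing_spdt(bounces):
    """Constructed contact sequence for one press: samples are
    (rest_contact_closed, press_contact_closed). The common leaves the rest
    throw, flies open, then hits the press throw `bounces` times first."""
    seq = [(1, 0)] * 3                    # resting
    seq += [(0, 0)] * 2                   # in flight, both contacts open
    for _ in range(bounces):              # hit, fly apart, hit again ...
        seq += [(0, 1), (0, 0)]
    seq += [(0, 1)] * 3                   # settled on the press throw
    return seq

def raw_switch_nmi(seq):
    """Bare mechanical switch: NMI (active low) follows the press contact."""
    return [0 if press else 1 for _, press in seq]

def debounced_nmi(seq):
    """Cross-coupled 74LS00 latch. An open throw floats high through its 3K
    pull-up; a closed throw is grounded. Chatter on one throw is ignored."""
    p3, p6 = 0, 1
    out = []
    for rest, press in seq:
        p1 = 0 if press else 1
        p5 = 0 if rest else 1
        for _ in range(2):                # let the feedback loop settle
            p3 = nand(p1, p6)
            p6 = nand(p3, p5)
        out.append(p6)                    # pin 6 -> slot pin 29
    return out

def falling_edges(levels):
    return sum(1 for a, b in zip(levels, levels[1:]) if a == 1 and b == 0)

def compare(bounces):
    """Return (NMIs from the bare switch, NMIs from the debounced switch)."""
    seq = bouncing_spdt(bounces)
    return falling_edges(raw_switch_nmi(seq)), falling_edges(debounced_nmi(seq))

if __name__ == "__main__":
    print(compare(10))                    # (11, 1)
```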
IF THE SWITCH IS PLACED IN THE "2716" POSITION WHEN THE MOTHER BOARD IS SELECTED, THE ADDRESS SPACE FROM $F800 TO $FFFF WILL BE MAPPED TO THE 2716 PROM, AND ALL MONITOR CALLS, RESETS, AND NMI OPERATIONS WILL GO WHERE YOU WANT THEM TO, NOT WHERE SOME PUBLISHER HAS DECIDED WOULD BE NICE.