Creating 1Mb+ ROMs

As mentioned before, there’s no such thing as a 1Mb Kickstart, yes, there’s physical ROMs which are 1Mb, however, the Amiga will map this to two 512k banks at non-contiguous addresses.

The first released ROMs were 256k, starting at 0xFC0000, during the changeover from KS1.3 to KS2.0 these were superseded by 512k ROMs which load (lower in memory) at 0xF80000, the CD32 uses a 1Mb (physical) ROM which consists of a 512k bank at 0xF80000 and an “extended” bank at 0xE00000.

Booting and loading

When an Amiga boots, it loads the exec library first, exec then will load the other kickstart libraries, or more correctly, it creates the references and function tables to the library, it also loads up any required initial data.

Exec finds the libraries in memory by looking for a “LIBHEADER”, this always starts with couple of bytes (0x4AFC, the “magic number”) and to check this isn’t just random data, this is followed by the address of the magic number, e.g. 0x4AFC00F800B6 where 0xF800B6 is the memory address of the 0x4AFC bytes, using the rest of the fields in the LIBHEADER it loads the library.

Choosing the banks to scan

Exec will scan defined areas of memory, for a standard A600 512k 3.1 ROM which loads at 0xF80000 it will scan 0xF80000 to 0x01000000, for a standard CD32 with a 3.1 kickstart it will scan 0xF80000 to 0x0100000 and the “extended” bank 0xE00000 to 0xE80000.

The list of areas to scan we call a “scantable”, this is an informal name, not documented as such, have a look at Kickstart->Kickstart Structure->Scantable for some examples.

Modifying the SCANTABLE

To get Exec to scan different areas of the ROM, there’s two approaches;

  1. Modify (patch) the SCANTABLE itself, by changing the list of areas you can scan different areas of memory.
  2. Append a new SCANTABLE to the ROM and patch the code to point to the new table

All SCANTABLES include are area 0xF00000-0xF80000 for scanning expansion ROMs so you can replace this (but lose the ability to use expansion ROMs). KS1.3 has 0xFC0000 listed twice so you can modify one of these without changing how it works, in theory, you can modify the 0xF00000-0xF80000 to 0xF00000-0x01000000 which will retain expansion ROM compatibility and still scan 0xF8, freeing up space to add 0xE0, however, this does change the loading order and that might have undesired effects.

Most 1Mb+patches will append a new SCANTABLE that has the new areas included and then change the code that points to the old SCANTABLE to point to the new one, this is a more elegant solution, but isn’t without challenges!

Patching KS1.3

As noted above, there’s duplicate entries in the KS1.3 SCANTABLE, so if you need to change it, you can an an entry easily.

find $exec.library 0x00FC00000100000000FC00000100000000F0000000F80000FFFFFFFF

Patching KS2.x

Patching KS2.x is slightly more complex than patching KS3.1 because, like KS3.1 it has two references to the SCANTABLE, but unlike KS3.1, there are two SCANTABLEs, and each reference refers to a different SCANTABLE.

Patching KS3.1

To patch KS3.1 you need to find the SCANTABLE and then find the code that points to it, finding the SCANTABLE is easy;

find $exec.library 0x00F800000100000000F0000000F80000FFFFFFFF

Finding the code that points to it isn’t as easy, you’ll need to find an opcode which looks something like “LEA $F8036A(PC),A0”, and of course this is a relative address, i.e. you won’t find the string of bytes “00F8036A” in memory, so you’ll need to disassemble the code – luckily Cap has a disassembler built in, note, as this is a relative (four byte) address, the maximum “jump” from the LEA to the new SCANTABLE is ±32k

findopcode $exec.library "LEA $F8036A(PC),A0"

Once you have the address of the opcode, you can patch it with the new address – note, there are two references to the SCANTABLE, both must be patched.

Patching KS3.1.4

KS3.1.4 is much easier to patch as the code uses an absolute address to reference the SCANTABLE, so you need to find the SCANTABLE and then look for where that address is used in the ROM (should be twice).
However, the SCANTABLE varies in all ROMs as it has an initial entry that references the ENDSKIP of exec, so when looking for the SCANTABLE, you need to look for a string of bytes that includes ENDSKIP

Note, I believe this is also the SCANTABLE method used in Cloanto KS3.X

find $exec.library 0x00F80000$ENDSKIP00F800000100000000F0000000F80000FFFFFFFF 
#Add the ROMBASE to get a proper Amiga address after the ROM is loaded
alias FIND add $ROMBASE
find $exec.library $FIND
Scroll to Top