             the turbo code for different drive types (1571 or 1581) in
             and out of this reserved area as needed. Desk Top does this
             (rather poorly sometimes).
      $61B1: Get random value from the C-64 VIC raster interrupt and 
             store it to $02FE. This becomes the seed value for the GEOS
             serial number generated when the original disk is first 
             booted (installed).
      $61B7: Load second segment to $5000. This is the cold start routine
             to activate the GEOS KERNAL. If an REU is present, the code
             at $C000 is copied here (see $60EB above).
      $61C2: Load last segment from $BF00 to $FFF9. This is the actual
             GEOS KERNAL. The first protection check by the drive is
             executed prior to this. If the check fails, no KERNAL code 
             is sent. The computer checks $05 (the load address high 
             byte) for any change from its initial value ($BF). If it
             still equals $BF, the protection check failed and GEOS BOOT
             resets the computer (JMP $FCE2).
      $61D6: The protection passed and a second VIC raster value is 
             stored to $02FF for serial number generation if this is a 
             first-time load. Any open drive channels are closed and GEOS
             BOOT jumps to $5000 (KERNAL cold start) indirectly through
             the jump address stored at $C003.

      Now that we have a better idea of the protection's strategy,
      let's take a peek inside the drive. Reload "GEOS BOOT" and again
      create the infinite loop at the bottom of the decryption routine. 
      When the computer freezes up, press your reset button and
      reactivate "GMON". Using the "M" (monitor) command, look for "M-E"
      (Memory-Execute) text in memory between $6000 and $64A9. When you 
      find it (at $61FB on our version), remember the execution address: 

      To trap the drive code in a viewable state, we need to make
      the drive shut down without resetting. Drive memory is normally
      wiped out during a reset. We'll change the M-E address to a DOS
      routine that will exit gracefully and allow us into the drive. 
      Fairly reliable is TURNOFF (turn off drive motor) at $F98F. Because
      the M-E command is encrypted, we'll add a short routine to change 
      the drive address to the correct value. Reset the computer, 
      activate "GMON" and reload "GEOS BOOT" (sigh) again.
      At $64A0, enter:  A 64A0 JMP $64A9 
      At $64A9, enter:  A 64A9 LDA #$8F   ;change M-E 
                        , 64AB STA $61FE  ;address to 
                        , 64AE LDA #$F9   ; TURNOFF
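
      The search for "M-E" text described above can also be run offline
      against a saved memory snapshot. The Python below is an added
      example, not code from this book or from GEOS; it assumes the
      snapshot was taken after the decryption routine ran, the sample
      image is constructed, and its execute address ($0500) is a
      placeholder, not the value found on the GEOS disk.

```python
from typing import List, NamedTuple, Tuple

SIGNATURE = b"M-E"  # command text; the low and high address bytes follow it


class MemoryExecute(NamedTuple):
    command_addr: int  # C-64 address of the "M" in "M-E"
    operand_addr: int  # C-64 address of the low address byte (command_addr + 3)
    drive_addr: int    # drive-side address the command will execute


def find_memory_execute(image: bytes, start: int, end: int) -> List[MemoryExecute]:
    """Return each complete M-E command whose text starts in start..end."""
    hits = []
    pos = image.find(SIGNATURE, start)  # image[0] corresponds to $0000
    while pos != -1 and pos <= end:
        operand = pos + len(SIGNATURE)
        if operand + 2 <= len(image):  # skip a command cut off by the dump
            lo, hi = image[operand], image[operand + 1]
            hits.append(MemoryExecute(pos, operand, lo | (hi << 8)))
        pos = image.find(SIGNATURE, pos + 1)
    return hits


def operand_bytes(drive_addr: int) -> Tuple[int, int]:
    """Split a 16-bit drive address into the (low, high) bytes M-E carries."""
    return drive_addr & 0xFF, drive_addr >> 8


def build_sample_image() -> bytes:
    """Constructed 64 KB snapshot; both execute addresses are placeholders."""
    ram = bytearray(0x10000)
    ram[0x61FB:0x6200] = b"M-E" + bytes([0x00, 0x05])  # inside the search window
    ram[0x6300:0x6305] = b"M-W" + bytes([0x00, 0x05])  # Memory-Write: no match
    ram[0x7000:0x7005] = b"M-E" + bytes([0x00, 0x03])  # outside $6000-$64A9
    return bytes(ram)


if __name__ == "__main__":
    for hit in find_memory_execute(build_sample_image(), 0x6000, 0x64A9):
        print(f"M-E at ${hit.command_addr:04X}, address bytes at "
              f"${hit.operand_addr:04X}/${hit.operand_addr + 1:04X}, "
              f"executes ${hit.drive_addr:04X}")
    print("TURNOFF $F98F ->", [f"${b:02X}" for b in operand_bytes(0xF98F)])
```

      With the command text at $61FB, the address bytes sit at $61FE and
      $61FF, which is why the patch above stores #$8F to $61FE.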
            K.J. REVEALED TRILOGY    PAGE [108]    (C)1990 K.J.P.B.