counted to the end of the data block.
            
      $04BA: JSR $0502 (see above) to check this tail gap.
      
      $04BD: Count $0A (10) bytes on the track. This is the next
             header block.
               
      $04C2: We're back to the top of the loop. JSR $0502 (see above)
             to check this header gap. Decrement the sector count. If
             zero, we're done; otherwise branch back to $04B0.
      
      $04C8: We've passed the protection check. Read and send
             the third and last segment at track/sector $14/$11
             (remember the KERNAL VLIR sector?).
      
      The drive code has done it's job and exits. Now how do we
      disable the protection check without scrambling the data?
      You might have noticed that the drive's BAM buffer from $0700-
      $07FF is totally unused by the drive code. If we copy the
      block of drive code that's being used as the decryption key to
      $0700 and change the BIT/EOR address at $0413 to look there
      instead, we can freely alter the protection check. Change the LDY
      $1C00 at $0502 to read JMP $04FD and the 2 bytes ($55 and $67) 
      will never be checked.

      Getting inside the drive during the loading process presents a
      problem, however. Remember that the drive code is stored in pieces
      in GEOS BOOT. Alterations there would be tedious and 
      mistake-prone.

      But if our code was already waiting inside the drive, all we have
      to do is change the M-E address that GEOS BOOT sends (the same one
      we changed in the first place) and we're in-like-Flint. When GEOS
      BOOT starts, the disk BAM (track/sector $12/$00) is sitting at
      $0700. There is empty space in the BAM from $07A0 - $07FF: a great
      place for extra code.

      But how can we copy the drive into $0700 if we're there? We
      would destroy ourselves. The answer is to make our BAM code load
      our copy/alter routine into drive buffer $0600. We then jump to
      THAT code, which copies the drive code to $0700, alters the
      protection check, and jumps to $0457 (fast loader entry point).
      
      If this sounds complicated, it's because it IS. Use the provided
      GEOS 2.0 parameter on your backup copy and examine the BAM code. 
      It will clarify what we've been discussing.
      
      We're still not finished with GEOS BOOT! There is ANOTHER
      protection check that drove us crazy until we found it. The last
      sector of the KERNAL that's loaded remains in the drive at $0600

            K.J. REVEALED TRILOGY    PAGE [111]    (C)1990 K.J.P.B.