First, the drive routine at $90AE is sent to $0300 in the drive by
      a Memory-Write. Then, the routine is Memory-Executed after sending
      3 additional bytes: $80, $28, and $0E. The drive routine stores
      these 3 bytes into job queue $01, producing a read ($80) of track
      40 ($28)/sector 14 ($0E) into drive memory $0400. The computer
      waits for this read to be completed, then stores the sector of 
      data at $4200 - $42FF, not caring if the read was successful or
      not. It assumes all the needed data is in place and starts up the
      game.
      
      Use the drive monitor and the original SG disk to look at this
      sector. Initialize the disk and place $28 and $0E into job queue
      $08 and $09. Then place $80 into $01. When the drive shuts off,
      check $01 for a successful read: if it contains a $01, the job
      completed successfully (a backup should produce an error code,
      $02 - $0A). Disassemble the data at $0400. This is the code the
      protection is trying to load at $4200 in the computer. A bad read
      attempt will not produce the correct data, therefore whatever is
      loaded into $4200 will be executed, whether it's valid code or
      not.

      This results in a system crash.

      To produce a copyable backup, we must relocate this sector to a
      normal DOS track. We prefer to use directory sectors when 
      possible.

      Track/sector 18/6 ($12/06) is available, so use the job queue to
      write our data to it. Insert your backup copy, initialize the
      drive, and place $12 into $08, $06 into $09 and $90 into $01. Our
      sector is now easily accessible - to us. The protection routine
      will still look for it on track 40. We must find a way to 
      re-direct the sector read to our new location.
      
      There might be a simpler way, however. The nature of the 1541
      DOS is that a sector header error (which will occur with a backup
      copy of SG) will NOT corrupt the current contents of the drive
      buffer. That is, the data residing in the buffer will still be
      intact after a header error. If we can read our sector at the
      appropriate time, the protection check will not destroy the data,
      assuming it doesn't find a valid header in track 40. One way is to
      "wedge" ourselves into the drive code.
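      The job-queue handshake described above (a $80 read job for
      track $28/sector $0E, the status byte the drive leaves in $01, and
      the buffer at $0400 surviving a header error) as an added Python
      model. This is example code written for this page, not code from
      the K.J. Revealed text or from the SG loader; the sector contents,
      the use of $02 (header block not found) as the error the backup
      reports, and the checked_load variant that refuses a payload when
      the status is not $01 are assumptions of the example.

```python
# Constructed model of the 1541 job queue as used on this page (added
# example, not code from the original text). Job codes, status codes and
# the buffer layout follow the page; everything else is an assumption.

READ_JOB = 0x80              # job code: read a sector into the buffer
WRITE_JOB = 0x90             # job code: write the buffer out to a sector
JOB_OK = 0x01                # status left in the job byte after success
ERR_HEADER_NOT_FOUND = 0x02  # one of the $02-$0A error codes (header block not found)

JOB_QUEUE = 0x0000           # $00-$05: one job/status byte per buffer
HEADER_TABLE = 0x0006        # $06-$11: track/sector pair per buffer ($08/$09 for buffer 1)
BUFFER_SIZE = 0x100


def buffer_address(buf):
    """Buffer n lives at $0300 + n * $100, so buffer 1 is $0400."""
    return 0x0300 + buf * BUFFER_SIZE


class Drive1541:
    """A disk is a dict {(track, sector): 256 bytes}; missing keys have no header."""

    def __init__(self, disk):
        self.disk = disk
        self.mem = bytearray(0x0800)  # $0000-$07FF of drive RAM

    def submit_job(self, buf, job, track, sector):
        """Same steps as the manual procedure: T/S into the header table, job code into the queue."""
        self.mem[HEADER_TABLE + 2 * buf] = track
        self.mem[HEADER_TABLE + 2 * buf + 1] = sector
        self.mem[JOB_QUEUE + buf] = job
        self._run(buf)
        return self.mem[JOB_QUEUE + buf]  # the status code replaces the job code

    def _run(self, buf):
        job = self.mem[JOB_QUEUE + buf]
        key = (self.mem[HEADER_TABLE + 2 * buf], self.mem[HEADER_TABLE + 2 * buf + 1])
        start = buffer_address(buf)
        if job == READ_JOB:
            if key not in self.disk:
                # Header error: the buffer is left exactly as it was.
                self.mem[JOB_QUEUE + buf] = ERR_HEADER_NOT_FOUND
                return
            self.mem[start:start + BUFFER_SIZE] = self.disk[key]
        elif job == WRITE_JOB:
            self.disk[key] = bytes(self.mem[start:start + BUFFER_SIZE])
        else:
            raise ValueError(f"unsupported job code {job:#04x}")
        self.mem[JOB_QUEUE + buf] = JOB_OK


def unchecked_load(drive):
    """The loader behaviour described on the page: read 40/14 into $0400 and hand over the buffer regardless."""
    status = drive.submit_job(1, READ_JOB, 0x28, 0x0E)
    start = buffer_address(1)
    return status, bytes(drive.mem[start:start + BUFFER_SIZE])


def checked_load(drive):
    """Assumed hardened variant: only return the payload when the job reported $01."""
    status = drive.submit_job(1, READ_JOB, 0x28, 0x0E)
    if status != JOB_OK:
        return status, None
    start = buffer_address(1)
    return status, bytes(drive.mem[start:start + BUFFER_SIZE])


# Constructed sector contents (stand-ins, not the real disk data).
PAYLOAD = bytes([0xA9, 0x00, 0x8D, 0x20, 0xD0, 0x60]).ljust(BUFFER_SIZE, b"\xEA")
LOADER_18_2 = bytes(range(BUFFER_SIZE))


def make_original():
    return Drive1541({(0x12, 0x02): LOADER_18_2, (0x28, 0x0E): PAYLOAD})


def make_backup():
    # A normal copy carries 18/2 but nothing on track 40.
    return Drive1541({(0x12, 0x02): LOADER_18_2})


def demo():
    """Returns {name: (unchecked result, checked result)} for both disks."""
    results = {}
    for name, drive in (("original", make_original()), ("backup", make_backup())):
        drive.submit_job(1, READ_JOB, 0x12, 0x02)  # earlier loader activity leaves 18/2 in $0400
        results[name] = (unchecked_load(drive), checked_load(drive))
    return results


if __name__ == "__main__":
    for name, (unchecked, checked) in demo().items():
        print(f"{name}: unchecked status={unchecked[0]:#04x} checked status={checked[0]:#04x}")
```

      On the backup the read job reports an error but $0400 still
      holds whatever was read last, which is exactly what the
      unchecked loader then executes; the checked variant stops on
      any status other than $01, which is the check the protection
      routine on this page omits.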
      
      One of the first things the auto-boot routine does is to
      execute the custom loader routine in the drive. This code reads in
      a sector of data and transmits it to the computer. What if we
      modified the routine to read our sector at $12/$06 AFTER it has
      completed its other duties? This would leave the data in $0400 as
      described above and the protection check would be satisfied. 
      Reboot SG and allow it to load until the drive motor turns off.
      Press the reset button and load in the $1000 monitor. Examine the
      auto-boot code at $010E. This routine outputs a block-execute
      command (backwards at $0191 - 'B-E 2 0 18 02') that starts up drive
      code located on T/S 18/2 ($12/02).

            K.J. REVEALED TRILOGY    PAGE [124]    (C)1990 K.J.P.B.
