Both WBOOT/BOOT may not be patchable (to be confirmed) and if they are you need to use very specific firmware related hacks or quite involved hacks.
=== XSUB.COM ===
X-Sub is a persistent program which is loaded at the top of TPA. This is how it works:
* X-Sub patches the BDOS jump to it's own JP.
* The relocated X-Sub module starts with a JP and has 'xsub' immediately after it.
* X-Sub detects if it's installed by reading the BDOS JP and searching for 'xsub'. If found it is already installed, otherwise it's not. Based on this method it uses it assumes it has been installed last.
* It assumes that the address of the JP defines the top of TPA memory (the start of CCP). It then takes the address and subtracts it's size to allocate space, copies itself up to this memory and relocates the code, and then executes it's startup code.
* The startup code installs it's own wboot JP and it's own bdos JP.
* It then returns back to CCP.
* X-Sub's wboot restores the dma address and jumps back to CCP.
* X-sub's bdos jump filters the BDOS calls. It also remembers the dma address when used.
=== Installing persistent programs ===
This method installs a persistent program inside CP/M and uses TPA when it's installed.
See above how XSUB installs itself.
=== Links ===