Where does Open Firmware "live"?

[darthnVader]

It's a little off topic, but I didn't see a sub-forum this fit in.

I've often wondered if Open Firmware was on a ROM chip on the logic board, separate from the one that contains the Boot ROM, or if it is contained in the Boot ROM.

Does anyone know?

[Daniel]

Open Firmware is on a physical boot rom on the logic board. The initial self-test code (which is on the same ROM) does a few checks and jumps to OF. The boot rom is typically at virtual address 0xFF800000 (when OF is active), at least on machines I have checked. Old World Macs have the Mac OS Toolbox ROM in the same physical chip (or group of chips) as OF. New World Macs load the Mac OS ROM from a file. Their OF ROM is also flash-writable, which is kind of neat.

[darthnVader]

Open Firmware is on a physical boot rom on the logic board. The initial self-test code (which is on the same ROM) does a few checks and jumps to OF. The boot rom is typically at virtual address 0xFF800000 (when OF is active), at least on machines I have checked. Old World Macs have the Mac OS Toolbox ROM in the same physical chip (or group of chips) as OF. New World Macs load the Mac OS ROM from a file. Their OF ROM is also flash-writable, which is kind of neat.

Thanks Daniel, is there anyway to make an image of the flashrom that contains OF on a new world mac?

I've done a little poking around in linux, with Flashrom, but haven't been able to figure it. Looking about the device tree I've not been able to see where the chip that contains OF is. Surely it's mapped to memory somewhere I could get a dump of it.

[Daniel]

Open Firmware is on a physical boot rom on the logic board. The initial self-test code (which is on the same ROM) does a few checks and jumps to OF. The boot rom is typically at virtual address 0xFF800000 (when OF is active), at least on machines I have checked. Old World Macs have the Mac OS Toolbox ROM in the same physical chip (or group of chips) as OF. New World Macs load the Mac OS ROM from a file. Their OF ROM is also flash-writable, which is kind of neat.

Thanks Daniel, is there anyway to make an image of the flashrom that contains OF on a new world mac?

I've done a little poking around in linux, with Flashrom, but haven't been able to figure it. Looking about the device tree I've not been able to see where the chip that contains OF is. Surely it's mapped to memory somewhere I could get a dump of it.

In the OF prompt, the ' (yes, a single apostrophe) command looks up the command in front of it and puts its address on the stack.

Code: [Select]

' shut-down .This sequence looks up the address of the shut-down command and displays its address.

To get the address of the boot rom, type

Code: [Select]

dev /rom lsYou should see an entry that looks like boot-rom@ , with some number after the @ sign. That number is the starting virtual address of the boot rom. If you want the physical address, use the virt->real command to translate it.

To dump the rom, make sure you are saving a telnet log. Type the virtual address of the rom, followed by

Code: [Select]

o over - dump. You will get a very very long hex dump that ends with an error. Use some kind of automanted script on the telnet log to get the binary file. You do not want to type it in by hand.

[Daniel]

You can also try and decode a firmware update to get the rom image that way. There are firmware updates for a limited number of machines, but the techniques are probably applicable to all New World Macs. We could probably create our own rom update if we particularly wanted to.

[ELN]

Tiny bit risky, that! Would it be possible to load a new Boot ROM image from disk into RAM, then reset the machine to execute it?

[Daniel]

You wouldn't be able to start at the normal restart point, but you could be very close. RAM is probably not set up at the very beginning, so you can't run code in ram starting at that point. You would be able to bring up the OF Forth interpreter from the beginning (I have no idea how you would actually be able to do that). Because the OF enviroment is usually in virtual memory mode, you could do some magic to overwrite specific pages with versions in RAM. That might be interesting to do.

[darthnVader]

Open Firmware is on a physical boot rom on the logic board. The initial self-test code (which is on the same ROM) does a few checks and jumps to OF. The boot rom is typically at virtual address 0xFF800000 (when OF is active), at least on machines I have checked. Old World Macs have the Mac OS Toolbox ROM in the same physical chip (or group of chips) as OF. New World Macs load the Mac OS ROM from a file. Their OF ROM is also flash-writable, which is kind of neat.

Thanks Daniel, is there anyway to make an image of the flashrom that contains OF on a new world mac?

I've done a little poking around in linux, with Flashrom, but haven't been able to figure it. Looking about the device tree I've not been able to see where the chip that contains OF is. Surely it's mapped to memory somewhere I could get a dump of it.

In the OF prompt, the ' (yes, a single apostrophe) command looks up the command in front of it and puts its address on the stack.

Code: [Select]

' shut-down .This sequence looks up the address of the shut-down command and displays its address.

To get the address of the boot rom, type

Code: [Select]

dev /rom lsYou should see an entry that looks like boot-rom@ , with some number after the @ sign. That number is the starting virtual address of the boot rom. If you want the physical address, use the virt->real command to translate it.

To dump the rom, make sure you are saving a telnet log. Type the virtual address of the rom, followed by

Code: [Select]

o over - dump. You will get a very very long hex dump that ends with an error. Use some kind of automanted script on the telnet log to get the binary file. You do not want to type it in by hand.

I must be misunderstanding how to properly do this:

Code: [Select]

0 > dev /rom  ok
0 > ls
ff899d38: /boot-rom@fff00000
ff899f30: /macos         
 ok
0 > fff00000 o over - dump
o, unknown word, HERE= ffa09035

OK, I see what I was doing wrong, but my dump has grown to over 2.3 MB and is still growing, the ROM ended around 960k, as you would expect for a 1MB boot rom image. Not sure the size of the EEROM, we'll see........

[darthnVader]

Code: [Select]

telnet 10.1.2.3 | tee -a powerbook.bin
ff899d38 0 over - dump
This seems to dump everything above that address?

The result is not a binary image file, it seems to dump everything into ASCII.

Is there anyway I can pipe the output of only the dump into a binary image file?

[Daniel]

Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.

Code: [Select]

sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

[darthnVader]

Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.

Code: [Select]

sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

Can I specify an end point to the dump?

[Daniel]

Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.

Code: [Select]

sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

Can I specify an end point to the dump?

I just used the filename that you used in the code you showed. The first powerbook.bin is the source and the second one is the destination.

[ELN]

I flashed my MDD FW800 with the FW400 ROM back in 2015. I’m thinking of reverting it to the original firmware. Could anyone possibly post a dump of this boot ROM?

[darthnVader]

Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.

Code: [Select]

sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

I can't seem to convert the output file properly, Dan, what should I use to log the telnet session?

Hopefully something under OS X.

[Daniel]

Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.

Code: [Select]

sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

I can't seem to convert the output file properly, Dan, what should I use to log the telnet session?

Hopefully something under OS X.

I would use whatever you want to save the file, and then use Textedit or something similar to edit out all the lines that don't look like this:

Code: [Select]

00800000: 01 df 00 03 00 00 00 00 00 00 00 00 00 00 00 00 |................|Those lines should only be at the very start and the very end of the dump file.

I suppose you could strip out the | xxd -r -p and use something else to convert the hex to binary.
The script in that case would look like this:

Code: [Select]

sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' > powerbook.bin
Also, what exactly do you mean by not being able to convert it properly? You should be getting a multi-megabyte file filled with raw binary, whose bytes match up with the hex list lines. Is something else happening?

[darthnVader]

Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.

Code: [Select]

sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

I can't seem to convert the output file properly, Dan, what should I use to log the telnet session?

Hopefully something under OS X.

I would use whatever you want to save the file, and then use Textedit or something similar to edit out all the lines that don't look like this:

Code: [Select]

00800000: 01 df 00 03 00 00 00 00 00 00 00 00 00 00 00 00 |................|Those lines should only be at the very start and the very end of the dump file.

I suppose you could strip out the | xxd -r -p and use something else to convert the hex to binary.
The script in that case would look like this:

Code: [Select]

sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' > powerbook.bin
Also, what exactly do you mean by not being able to convert it properly? You should be getting a multi-megabyte file filled with raw binary, whose bytes match up with the hex list lines. Is something else happening?

Thanks Dan, but I'm still not getting it.

Here is one of my dumps, it looks correct when I open it in a text editor, but the conversion just gives me garbage.

If you don't mind, see if you can work your magic on it.

[Daniel]

I think I just figured out what the problem is. The address shown is a physical address, not a virtual one. Try this OF code:

Code: [Select]

dev /chosen " mmu" active-package get-package-property drop decode-int to active-package clear
100000 4 claim dup fff00000 swap 100000 10 map 10000 dumpIt creates a new 1MB virtual address range and maps it to the boot-rom. It then dumps it.

Then, you can use the command line to turn it into a binary file. If you have trouble with that, send the file to me.

[darthnVader]

I think I just figured out what the problem is. The address shown is a physical address, not a virtual one. Try this OF code:

Code: [Select]

dev /chosen " mmu" active-package get-package-property drop decode-int to active-package clear
100000 4 claim dup fff00000 swap 100000 10 map 10000 dumpIt creates a new 1MB virtual address range and maps it to the boot-rom. It then dumps it.

Then, you can use the command line to turn it into a binary file. If you have trouble with that, send the file to me.

Ok, how would I get the virtual address to dump?

BTW, really cool.

[Daniel]

I makes a new virtual address and sets it to point to the boot rom. Just run that code.

[darthnVader]

I think I just figured out what the problem is. The address shown is a physical address, not a virtual one. Try this OF code:

Code: [Select]

dev /chosen " mmu" active-package get-package-property drop decode-int to active-package clear
100000 4 claim dup fff00000 swap 100000 10 map 10000 dumpIt creates a new 1MB virtual address range and maps it to the boot-rom. It then dumps it.

Then, you can use the command line to turn it into a binary file. If you have trouble with that, send the file to me.

Not working:

Code: [Select]

0 > dev /chosen " mmu" active-package get-package-property drop decode-int to active-package clear  ok
0 > 100000 4 claim dup fff00000 swap 100000 10 map 10000 dump
claim, unknown word, HERE= ff9e8c2c
 ok
0 >