Mac OS 9 Lives

Classic Mac OS Hardware => Mac OS 9 on Unsupported Hardware => Topic started by: darthnVader on March 05, 2018, 04:00:05 AM

Title: Where does Open Firmware "live"?
Post by: darthnVader on March 05, 2018, 04:00:05 AM
It's a little off topic, but I didn't see a sub-forum this fit in.

I've often wondered if Open Firmware was on a ROM chip on the logic board, separate from the one that contains the Boot ROM, or if it is contained in the Boot ROM.

Does anyone know?
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on March 05, 2018, 12:05:27 PM
Open Firmware is on a physical boot rom on the logic board. The initial self-test code (which is on the same ROM) does a few checks and jumps to OF. The boot rom is typically at virtual address 0xFF800000 (when OF is active), at least on machines I have checked. Old World Macs have the Mac OS Toolbox ROM in the same physical chip (or group of chips) as OF. New World Macs load the Mac OS ROM from a file. Their OF ROM is also flash-writable, which is kind of neat.
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on March 05, 2018, 08:38:29 PM
Open Firmware is on a physical boot rom on the logic board. The initial self-test code (which is on the same ROM) does a few checks and jumps to OF. The boot rom is typically at virtual address 0xFF800000 (when OF is active), at least on machines I have checked. Old World Macs have the Mac OS Toolbox ROM in the same physical chip (or group of chips) as OF. New World Macs load the Mac OS ROM from a file. Their OF ROM is also flash-writable, which is kind of neat.

Thanks Daniel, is there anyway to make an image of the flashrom that contains OF on a new world mac?

I've done a little poking around in linux, with Flashrom, but haven't been able to figure it. Looking about the device tree I've not been able to see where the chip that contains OF is. Surely it's mapped to memory somewhere I could get a dump of it.

Title: Re: Where does Open Firmware "live"?
Post by: Daniel on March 06, 2018, 03:46:04 AM
Open Firmware is on a physical boot rom on the logic board. The initial self-test code (which is on the same ROM) does a few checks and jumps to OF. The boot rom is typically at virtual address 0xFF800000 (when OF is active), at least on machines I have checked. Old World Macs have the Mac OS Toolbox ROM in the same physical chip (or group of chips) as OF. New World Macs load the Mac OS ROM from a file. Their OF ROM is also flash-writable, which is kind of neat.

Thanks Daniel, is there anyway to make an image of the flashrom that contains OF on a new world mac?

I've done a little poking around in linux, with Flashrom, but haven't been able to figure it. Looking about the device tree I've not been able to see where the chip that contains OF is. Surely it's mapped to memory somewhere I could get a dump of it.


In the OF prompt, the ' (yes, a single apostrophe) command looks up the command in front of it and puts its address on the stack.
Code: [Select]
' shut-down .This sequence looks up the address of the shut-down command and displays its address.

To get the address of the boot rom, type
Code: [Select]
dev /rom lsYou should see an entry that looks like boot-rom@ , with some number after the @ sign. That number is the starting virtual address of the boot rom. If you want the physical address, use the virt->real command to translate it.

To dump the rom, make sure you are saving a telnet log. Type the virtual address of the rom, followed by
Code: [Select]
o over - dump. You will get a very very long hex dump that ends with an error. Use some kind of automanted script on the telnet log to get the binary file. You do not want to type it in by hand.
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on March 06, 2018, 01:04:14 PM
You can also try and decode a firmware update to get the rom image that way. There are firmware updates for a limited number of machines, but the techniques are probably applicable to all New World Macs. We could probably create our own rom update if we particularly wanted to.
Title: Re: Where does Open Firmware "live"?
Post by: ELN on March 06, 2018, 05:45:54 PM
Tiny bit risky, that! Would it be possible to load a new Boot ROM image from disk into RAM, then reset the machine to execute it?
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on March 06, 2018, 06:17:54 PM
You wouldn't be able to start at the normal restart point, but you could be very close. RAM is probably not set up at the very beginning, so you can't run code in ram starting at that point. You would be able to bring up the OF Forth interpreter from the beginning (I have no idea how you would actually be able to do that). Because the OF enviroment is usually in virtual memory mode, you could do some magic to overwrite specific pages with versions in RAM. That might be interesting to do.
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on March 07, 2018, 05:17:08 AM
Open Firmware is on a physical boot rom on the logic board. The initial self-test code (which is on the same ROM) does a few checks and jumps to OF. The boot rom is typically at virtual address 0xFF800000 (when OF is active), at least on machines I have checked. Old World Macs have the Mac OS Toolbox ROM in the same physical chip (or group of chips) as OF. New World Macs load the Mac OS ROM from a file. Their OF ROM is also flash-writable, which is kind of neat.

Thanks Daniel, is there anyway to make an image of the flashrom that contains OF on a new world mac?

I've done a little poking around in linux, with Flashrom, but haven't been able to figure it. Looking about the device tree I've not been able to see where the chip that contains OF is. Surely it's mapped to memory somewhere I could get a dump of it.


In the OF prompt, the ' (yes, a single apostrophe) command looks up the command in front of it and puts its address on the stack.
Code: [Select]
' shut-down .This sequence looks up the address of the shut-down command and displays its address.

To get the address of the boot rom, type
Code: [Select]
dev /rom lsYou should see an entry that looks like boot-rom@ , with some number after the @ sign. That number is the starting virtual address of the boot rom. If you want the physical address, use the virt->real command to translate it.

To dump the rom, make sure you are saving a telnet log. Type the virtual address of the rom, followed by
Code: [Select]
o over - dump. You will get a very very long hex dump that ends with an error. Use some kind of automanted script on the telnet log to get the binary file. You do not want to type it in by hand.

I must be misunderstanding how to properly do this:

Code: [Select]
0 > dev /rom  ok
0 > ls
ff899d38: /boot-rom@fff00000
ff899f30: /macos         
 ok
0 > fff00000 o over - dump
o, unknown word, HERE= ffa09035

OK, I see what I was doing wrong, but my dump has grown to over 2.3 MB and is still growing, the ROM ended around 960k, as you would expect for a 1MB boot rom image. Not sure the size of the EEROM, we'll see........
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on March 07, 2018, 06:36:34 AM
Code: [Select]
telnet 10.1.2.3 | tee -a powerbook.bin
ff899d38 0 over - dump

This seems to dump everything above that address?

The result is not a binary image file, it seems to dump everything into ASCII.

Is there anyway I can pipe the output of only the dump into a binary image file?
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on March 07, 2018, 09:22:44 AM
Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.
Code: [Select]
sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on March 07, 2018, 10:04:32 AM
Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.
Code: [Select]
sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

Can I specify an end point to the dump?

Title: Re: Where does Open Firmware "live"?
Post by: Daniel on March 07, 2018, 11:55:17 AM
Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.
Code: [Select]
sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

Can I specify an end point to the dump?
I just used the filename that you used in the code you showed. The first powerbook.bin is the source and the second one is the destination.
Title: Re: Where does Open Firmware "live"?
Post by: ELN on March 07, 2018, 11:54:33 PM
I flashed my MDD FW800 with the FW400 ROM back in 2015. I’m thinking of reverting it to the original firmware. Could anyone possibly post a dump of this boot ROM?
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on April 27, 2018, 11:16:21 PM
Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.
Code: [Select]
sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

I can't seem to convert the output file properly, Dan, what should I use to log the telnet session?

Hopefully something under OS X.

Title: Re: Where does Open Firmware "live"?
Post by: Daniel on April 28, 2018, 06:47:00 AM
Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.
Code: [Select]
sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

I can't seem to convert the output file properly, Dan, what should I use to log the telnet session?

Hopefully something under OS X.
I would use whatever you want to save the file, and then use Textedit or something similar to edit out all the lines that don't look like this:
Code: [Select]
00800000: 01 df 00 03 00 00 00 00 00 00 00 00 00 00 00 00 |................|Those lines should only be at the very start and the very end of the dump file.

I suppose you could strip out the | xxd -r -p and use something else to convert the hex to binary.
The script in that case would look like this:
Code: [Select]
sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' > powerbook.bin
Also, what exactly do you mean by not being able to convert it properly? You should be getting a multi-megabyte file filled with raw binary, whose bytes match up with the hex list lines. Is something else happening?
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on April 28, 2018, 05:19:16 PM
Yes, it dumps as everything above that address. If you get the starting address of the bootrom, it will print and keep printing until it reaches the end of the address space or there is an access fault. Using ff800000 as the starting address should get you the entire boot rom (I hope).

It dumps it as hex and ascii. You then have to make or get a tool that converts it to binary for you. I would suggest this horrifying shell script I made. I am nowhere near fluent in bash, but it works.
Code: [Select]
sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook.bin

I can't seem to convert the output file properly, Dan, what should I use to log the telnet session?

Hopefully something under OS X.
I would use whatever you want to save the file, and then use Textedit or something similar to edit out all the lines that don't look like this:
Code: [Select]
00800000: 01 df 00 03 00 00 00 00 00 00 00 00 00 00 00 00 |................|Those lines should only be at the very start and the very end of the dump file.

I suppose you could strip out the | xxd -r -p and use something else to convert the hex to binary.
The script in that case would look like this:
Code: [Select]
sed 's/^.*:/ /p' powerbook.bin | sed -n -e 's/\|.*\|/ /p' > powerbook.bin
Also, what exactly do you mean by not being able to convert it properly? You should be getting a multi-megabyte file filled with raw binary, whose bytes match up with the hex list lines. Is something else happening?

Thanks Dan, but I'm still not getting it.

Here is one of my dumps, it looks correct when I open it in a text editor, but the conversion just gives me garbage.

If you don't mind, see if you can work your magic on it. ;D

Title: Re: Where does Open Firmware "live"?
Post by: Daniel on April 28, 2018, 06:18:22 PM
I think I just figured out what the problem is. The address shown is a physical address, not a virtual one. Try this OF code:
Code: [Select]
dev /chosen " mmu" active-package get-package-property drop decode-int to active-package clear
100000 4 claim dup fff00000 swap 100000 10 map 10000 dump
It creates a new 1MB virtual address range and maps it to the boot-rom. It then dumps it.

Then, you can use the command line to turn it into a binary file. If you have trouble with that, send the file to me.
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on April 29, 2018, 03:36:53 AM
I think I just figured out what the problem is. The address shown is a physical address, not a virtual one. Try this OF code:
Code: [Select]
dev /chosen " mmu" active-package get-package-property drop decode-int to active-package clear
100000 4 claim dup fff00000 swap 100000 10 map 10000 dump
It creates a new 1MB virtual address range and maps it to the boot-rom. It then dumps it.

Then, you can use the command line to turn it into a binary file. If you have trouble with that, send the file to me.

Ok, how would I get the virtual address to dump?

BTW, really cool. 8)
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on April 29, 2018, 06:20:04 AM
I makes a new virtual address and sets it to point to the boot rom. Just run that code.
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on April 29, 2018, 03:37:29 PM
I think I just figured out what the problem is. The address shown is a physical address, not a virtual one. Try this OF code:
Code: [Select]
dev /chosen " mmu" active-package get-package-property drop decode-int to active-package clear
100000 4 claim dup fff00000 swap 100000 10 map 10000 dump
It creates a new 1MB virtual address range and maps it to the boot-rom. It then dumps it.

Then, you can use the command line to turn it into a binary file. If you have trouble with that, send the file to me.

Not working:

Code: [Select]
0 > dev /chosen " mmu" active-package get-package-property drop decode-int to active-package clear  ok
0 > 100000 4 claim dup fff00000 swap 100000 10 map 10000 dump
claim, unknown word, HERE= ff9e8c2c
 ok
0 >


Title: Re: Where does Open Firmware "live"?
Post by: Daniel on April 29, 2018, 03:46:08 PM
Ugh. Do this.
Code: [Select]
dev /cpus lsSelect the first device reported by that.
Then do this.
Code: [Select]
.properties words
100000 4 claim dup fff00000 swap 100000 10 map 10000 dump
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on April 29, 2018, 04:13:40 PM
Ugh. Do this.
Code: [Select]
dev /cpus lsSelect the first device reported by that.
Then do this.
Code: [Select]
.properties words
100000 4 claim dup fff00000 swap 100000 10 map 10000 dump

Sorry, you're just confusing me. :-[
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on April 29, 2018, 04:38:02 PM
Sorry. I guess I need to be more clear with what I am saying.
You need to select the primary CPU. This is because it has the memory management functions in it.
The OF command sequence:
Code: [Select]
dev /cpus lsShould have an output looking somewhat like this:
Code: [Select]
0 > dev /cpus ls
ff83d900: /PowerPC,750@0
ff83dcc0:    /l2-cache
There may be more than one CPU, and the name of it depends on what CPU your machine is.
You select it with dev. In my example, it would look like this:
Code: [Select]
dev /cpus/PowerPC,750@0Then, lets do a simple sanity check so it will be easier to find any problems in the next step.
Code: [Select]
pwd .properties wordsNow we move on to the actual code that dumps the rom:
Code: [Select]
100000 4 claim dup fff00000 swap 100000 10 map 10000 dumpAll of this is done on the OF prompt so far. If it works, you will be able to use the bash script I showed you earlier  to get the raw rom, which should be a 1MB binary mess of powerpc code and data structures.
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on April 30, 2018, 03:21:51 AM
Sorry. I guess I need to be more clear with what I am saying.
You need to select the primary CPU. This is because it has the memory management functions in it.
The OF command sequence:
Code: [Select]
dev /cpus lsShould have an output looking somewhat like this:
Code: [Select]
0 > dev /cpus ls
ff83d900: /PowerPC,750@0
ff83dcc0:    /l2-cache
There may be more than one CPU, and the name of it depends on what CPU your machine is.
You select it with dev. In my example, it would look like this:
Code: [Select]
dev /cpus/PowerPC,750@0Then, lets do a simple sanity check so it will be easier to find any problems in the next step.
Code: [Select]
pwd .properties wordsNow we move on to the actual code that dumps the rom:
Code: [Select]
100000 4 claim dup fff00000 swap 100000 10 map 10000 dumpAll of this is done on the OF prompt so far. If it works, you will be able to use the bash script I showed you earlier  to get the raw rom, which should be a 1MB binary mess of powerpc code and data structures.

Thanks for bearing with me, I was pretty sure you meant to dev /cpu/@0, just wanted to be sure.

However, the conversion still turns up garbage.

The .txt file is the result of the telnet dump/log, and the .bin file is the result of the sed conversion.



Title: Re: Where does Open Firmware "live"?
Post by: Daniel on April 30, 2018, 03:36:33 AM
Sorry. I guess I need to be more clear with what I am saying.
You need to select the primary CPU. This is because it has the memory management functions in it.
The OF command sequence:
Code: [Select]
dev /cpus lsShould have an output looking somewhat like this:
Code: [Select]
0 > dev /cpus ls
ff83d900: /PowerPC,750@0
ff83dcc0:    /l2-cache
There may be more than one CPU, and the name of it depends on what CPU your machine is.
You select it with dev. In my example, it would look like this:
Code: [Select]
dev /cpus/PowerPC,750@0Then, lets do a simple sanity check so it will be easier to find any problems in the next step.
Code: [Select]
pwd .properties wordsNow we move on to the actual code that dumps the rom:
Code: [Select]
100000 4 claim dup fff00000 swap 100000 10 map 10000 dumpAll of this is done on the OF prompt so far. If it works, you will be able to use the bash script I showed you earlier  to get the raw rom, which should be a 1MB binary mess of powerpc code and data structures.

Thanks for bearing with me, I was pretty sure you meant to dev /cpu/@0, just wanted to be sure.

However, the conversion still turns up garbage.

The .txt file is the result of the telnet dump/log, and the .bin file is the result of the sed conversion.
I guess that means something is very wrong in my assumptions.

dev /cpus/@0 works perfect. I didn't know you could do that.

I will be back once I figure out another way to do this. It might take a while.
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on April 30, 2018, 01:04:03 PM
I seem to have overlooked a much simpler way of doing this. It looks like you can just do this in OF:
Code: [Select]
ff800000 100000 dumpThe rom image starts with a bunch of 0xdeadbeef values, interleaved with ppc code at offsets divisible by 0x100. This is the exception vector table, and it starts at 0xFFF00000 in physical address space. Just trace through everything, starting with the reset vector.
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on May 01, 2018, 01:54:12 PM
I don't know, looking at the firmware updates for the G4's, it's hard to tell where the firmware starts. The "firmware" file also contains a script or some sort of forth executable that does the flashing.

I think the firmware in the firmware updates is at least partially compressed.

I'm also not sure how to get a proper dump of the firmware from one of my G4 systems, but here is one that would appear to be about the correct size, however we need to alter our sed command somehow, because it's "doubling" the data it converts.

Code: [Select]
telnet 10.1.2.3 | tee -a powerbook6,7.txt
Code: [Select]
0 > dev /rom  ok
0 > ls
ff89cb08: /boot-rom@fff00000
ff89cd00: /macos ok

Code: [Select]
ff89cb08 100000 dump
Code: [Select]
sed 's/^.*:/ /p' powerbook6,7.txt | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook6,7.bin
Sed is just doubling every line of data. Maybe we can rerun Sed on the PowerBook6,7.bin, and get it to pipe only every other line to a file?

 

 
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on May 01, 2018, 02:11:00 PM
I don't know, looking at the firmware updates for the G4's, it's hard to tell where the firmware starts. The "firmware" file also contains a script or some sort of forth executable that does the flashing.

I think the firmware in the firmware updates is at least partially compressed.

I'm also not sure how to get a proper dump of the firmware from one of my G4 systems, but here is one that would appear to be about the correct size, however we need to alter our sed command somehow, because it's "doubling" the data it converts.

Code: [Select]
telnet 10.1.2.3 | tee -a powerbook6,7.txt
Code: [Select]
0 > dev /rom  ok
0 > ls
ff89cb08: /boot-rom@fff00000
ff89cd00: /macos ok

Code: [Select]
ff89cb08 100000 dump
Code: [Select]
sed 's/^.*:/ /p' powerbook6,7.txt | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook6,7.bin
Sed is just doubling every line of data. Maybe we can rerun Sed on the PowerBook6,7.bin, and get it to pipe only every other line to a file?
That ff89cb08 is definitely wrong. That is the address of a device tree structure that ls happens to be printing. Please try ff800000 100000 and send me the text. It works on my computer, and I want to know if it works on yours
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on May 02, 2018, 01:54:28 AM
Here if the dump of ff800000:

Title: Re: Where does Open Firmware "live"?
Post by: Daniel on May 17, 2018, 05:58:27 PM
I appear to have finally succeeded at getting a OF rom from a device. Here is this one from my main Mac OS 9 machine (a Pismo). I should probably try this on my Mac Mini sometime because the later models tend to have less bugs and more features. It looks like the Mini might even be able to write to files from an OF prompt, which I have never been able to do on any other OF machine.

The ROM image starts at phys address 0xFFF00000, and begins with the PPC vector table. I think offset 0x100 is the reset vector where the rom boots up. I haven't bothered tracing the execution path yet.
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on May 31, 2018, 01:46:45 PM
Your ROM image is still doubling ever line of data.
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on May 31, 2018, 02:38:20 PM
It appears I really don't know how to use sed. The proper OF log to binary conversion script is:
Code: [Select]
sed 's/^.*:/ /' powerbook6,7.txt | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook6,7.binAll I needed to do was remove one character and it works :(

Here is that Pismo Rom reprocessed.
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on June 01, 2018, 02:06:44 AM
It appears I really don't know how to use sed. The proper OF log to binary conversion script is:
Code: [Select]
sed 's/^.*:/ /' powerbook6,7.txt | sed -n -e 's/\|.*\|/ /p' | xxd -r -p > powerbook6,7.binAll I needed to do was remove one character and it works :(

Here is that Pismo Rom reprocessed.

Awesome, sadly Apple put the flash utility into the rom update, and I don't know if they are one off fcode, and each machine needs it's own logic to program the rom chip or we could use the fcode flasher from one Mac on any New World machine.

I've got an iBook G4 that DieHard sent may way, it has video issue, and would be a good test bed to see if we can read the ROM and flash it back.
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on June 01, 2018, 02:19:05 AM
Here is some data from the 4.4.8f2 firmware update.

The file flasher.fcode doesn't look to be fcode at all, it looks like bare forth, so just rename it flasher.txt and open in you favorite text editor and you'll get a pretty good idea what is done to flash a new world rom.

Also, I have an extra logic board for my QuickSilver, as the one I'm using can't get any input in a telnet session in OF, it would be no skin off my nose if I brick it.



Title: Re: Where does Open Firmware "live"?
Post by: Daniel on June 01, 2018, 05:12:30 PM
Here is a blog post by someone who experimented with the updater for a G3 Blue and White.
https://www.downtowndougbrown.com/2012/07/power-macintosh-g3-blue-and-white-custom-startup-sound/ (https://www.downtowndougbrown.com/2012/07/power-macintosh-g3-blue-and-white-custom-startup-sound/)

Also, nvram seems to contained in the flash chip at offset 0x4000. This means that all NewWorld Macs have some capability of writing to their flash roms. Potentially we could fake it out and make it write the whole thing?

I tried looking at the forth nvram implementation on my mini, but it is very confusing. Several levels of functions referred to only by address. My head explodes before I come close to understanding it.
Title: Re: Where does Open Firmware "live"?
Post by: powermax on October 09, 2018, 04:04:55 AM
Here is a blog post by someone who experimented with the updater for a G3 Blue and White.
https://www.downtowndougbrown.com/2012/07/power-macintosh-g3-blue-and-white-custom-startup-sound/ (https://www.downtowndougbrown.com/2012/07/power-macintosh-g3-blue-and-white-custom-startup-sound/)

Also, nvram seems to contained in the flash chip at offset 0x4000. This means that all NewWorld Macs have some capability of writing to their flash roms.

NVRAM on some post-Yosemite machines (Sawtooth, for example) is just a partition of the BootROM (small & slow 8-bit Flash ROM). It's apparently controlled by "Grackle" (Motorola MPC106) that provides write-enable bits for each flash partition in its PCI space.

I've read somewhere that HWInit code does protect the BootROM partition from flashing as soon as it gains control on reset. That means that it isn't possible to flash anything to the protected areas from within OF until the write lock is released.

I don't know how it works on Yosemite machines though...
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on October 13, 2018, 02:17:32 AM
Ok, so the point of this thread was to see if we could extract/replace the version of Open Firmware on the logic board.

If it does indeed live in the 1mb boot rom, surely we can decode it, find it, and replace it. Likely it's compressed, so we'd have to figure the decompression algorithm.

Does anyone think it would be ELF format?

One day, I'd like to figure out how to replace Open Firmware with Open Bios, as we have the source code.

Also, there were some Yellowdog Power Servers with IBM's version of Open Firmware known as SLOF( Open Source ). These systems were able to use PC VBios video cards. So it would be nice, one day, as a goal, to be able to replace Apple's Open Firmware implementation with something of our own so we can use PC graphics cards in our PowerPC towers, without the need to flash them.

The nVidia drivers for OS X support a lot for later Graphics cards than the best we have Fcode Rom's for( GTX7800 ). We should be able to use 8800GT/X cards and later, it's just we have no FCode ROMs for them.

After the die shrink of the 7800/7900/7600 nVidia changed the format of the NVDA,BMP, and I was never able to fully decode the new format. This is why there are no FCode Roms for later cards, despite the fact I put a large amount of effort into it.

I could like give it a go again and make some new FCode Roms, it's just not worth the effort, and to tell the truth, it's a little maddening staring at a hex editor all day trying to decode it, edit it, and test it.

It would just be a lot better/easier to make PC VBios cards work out of the box. Tho it would require an injector kext driver to inject the properties the drivers expect to be in the device tree for FCode Rom cards. We really already have these injectors, thank to OS X86 project, I'd just have to recompile NVInject for PPC and make a few changes.
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on October 13, 2018, 10:21:20 AM
I am not sure what the contents of it are, but it probably isn't an ELF. The first few pages (page size is 0x1000) of the bootrom will be a PowerPC exception table. Execution will start at the reset location of 0x100 in the file (0xFFF00100 in the actual physical memory map for the system).

Presumably, there will be a POST (power-on self-test) and then Open Firmware will start running. I have no idea how it does any of that.
Title: Re: Where does Open Firmware "live"?
Post by: powermax on October 13, 2018, 12:23:30 PM
I am not sure what the contents of it are, but it probably isn't an ELF. The first few pages (page size is 0x1000) of the bootrom will be a PowerPC exception table. Execution will start at the reset location of 0x100 in the file (0xFFF00100 in the actual physical memory map for the system).

Yes.

Presumably, there will be a POST (power-on self-test) and then Open Firmware will start running. I have no idea how it does any of that.

POST is called "Hardware Init" in Apple's jargon and that describes really good what's going on there: various ASICs, required for the OF to run, will be initialized. These include the memory controller, the interrupt controller, the peripherals controller and some basic hardware (PRAM, sound, display). Additionally, CPU and bus speed will be determined.

Some quick tests of the built-in memory and cache will be conducted there. But these tests are mostly there for determining memory size. Other tests based on complex check patterns are simply too slow to be performed during the cold start.

Then the startup bong will be synchronously played. After that, the OF will be decompressed into RAM and ran from there. FlashROM is usually too slow for running the OF.

The hardware initialization code is highly hardware-dependent. In other words, it will be individually compiled for each hardware configuration. It doesn't do any generic HW scanning like OF does for PCI, for example. It talks to the HW directly using predefined I/O addresses and communication protocols.
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on October 18, 2018, 01:47:02 PM
Tiny bit risky, that! Would it be possible to load a new Boot ROM image from disk into RAM, then reset the machine to execute it?
I am not sure what the contents of it are, but it probably isn't an ELF. The first few pages (page size is 0x1000) of the bootrom will be a PowerPC exception table. Execution will start at the reset location of 0x100 in the file (0xFFF00100 in the actual physical memory map for the system).

Yes.

Presumably, there will be a POST (power-on self-test) and then Open Firmware will start running. I have no idea how it does any of that.

POST is called "Hardware Init" in Apple's jargon and that describes really good what's going on there: various ASICs, required for the OF to run, will be initialized. These include the memory controller, the interrupt controller, the peripherals controller and some basic hardware (PRAM, sound, display). Additionally, CPU and bus speed will be determined.

Some quick tests of the built-in memory and cache will be conducted there. But these tests are mostly there for determining memory size. Other tests based on complex check patterns are simply too slow to be performed during the cold start.

Then the startup bong will be synchronously played. After that, the OF will be decompressed into RAM and ran from there. FlashROM is usually too slow for running the OF.

The hardware initialization code is highly hardware-dependent. In other words, it will be individually compiled for each hardware configuration. It doesn't do any generic HW scanning like OF does for PCI, for example. It talks to the HW directly using predefined I/O addresses and communication protocols.
Now I really want to try and load an OF image manually. Any clue on the environment conditions like the compressed image format, starting register assignments, and memory layout when OF boots up?

I bet that if we have a client program quiesce OF, it will be able to overwrite it with a new instance that can then be run. I wonder what the level of compatibility is between OF implementations. Some of the later versions (such as the one on the Mac Mini) actually let you write to files. That would be really nice to make universal.
Title: Re: Where does Open Firmware "live"?
Post by: darthnVader on February 17, 2019, 09:07:55 AM
I appear to have finally succeeded at getting a OF rom from a device. Here is this one from my main Mac OS 9 machine (a Pismo). I should probably try this on my Mac Mini sometime because the later models tend to have less bugs and more features. It looks like the Mini might even be able to write to files from an OF prompt, which I have never been able to do on any other OF machine.

The ROM image starts at phys address 0xFFF00000, and begins with the PPC vector table. I think offset 0x100 is the reset vector where the rom boots up. I haven't bothered tracing the execution path yet.

What were the exact commands you used to dump the BootROM, that never was clear?
Title: Re: Where does Open Firmware "live"?
Post by: Daniel on February 17, 2019, 10:21:02 AM
I have no idea what I actually did back then, but my first attempt to do it worked. Just copy and paste this into the console after you get telnet working.
Code: [Select]
dev /cpus/@0
100000 4 claim dup fff00000 swap 100000 10 map 100000 dump

This only works on NewWorld machines. On OldWorld ones, phys 0xFFF00000 is already mapped in as part of the rom chip. It's even easier for them (except that you have to use serial):
Code: [Select]
fff00000 100000 dump