Open Firmware is on a physical boot rom on the logic board. The initial self-test code (which is on the same ROM) does a few checks and jumps to OF. The boot rom is typically at virtual address 0xFF800000 (when OF is active), at least on machines I have checked. Old World Macs have the Mac OS Toolbox ROM in the same physical chip (or group of chips) as OF. New World Macs load the Mac OS ROM from a file. Their OF ROM is also flash-writable, which is kind of neat.
Thanks Daniel, is there anyway to make an image of the flashrom that contains OF on a new world mac?
I've done a little poking around in linux, with Flashrom, but haven't been able to figure it. Looking about the device tree I've not been able to see where the chip that contains OF is. Surely it's mapped to memory somewhere I could get a dump of it.
In the OF prompt, the ' (yes, a single apostrophe) command looks up the command in front of it and puts its address on the stack.
' shut-down .
This sequence looks up the address of the shut-down command and displays its address.
To get the address of the boot rom, type
dev /rom ls
You should see an entry that looks like boot-rom@ , with some number after the @ sign. That number is the starting virtual address of the boot rom. If you want the physical address, use the virt->real command to translate it.
To dump the rom, make sure you are saving a telnet log. Type the virtual address of the rom, followed by
o over - dump
. You will get a very very long hex dump that ends with an error. Use some kind of automanted script on the telnet log to get the binary file. You do not want to type it in by hand.