Exploring the Pippin ROM(s), part 5: Open Firmware

According to the NetBSD/macppc FAQ, Open Firmware “is part of the boot ROMs in most PowerPC-based Macintosh systems, and we use it to load the kernel from disk or network.”

Turns out, “most PowerPC-based Macintosh systems” happens to include the Pippin. If you have the rare keyboard/tablet (or an ADB keyboard via the AppleJack dongle) attached and hold down Command-Option-O-F at startup, the Pippin boots to an Open Firmware prompt. However, you won’t see anything on screen because it outputs to a serial console by default; specifically, all console I/O is handled through the GeoPort. My Mac Plus happens to sit next to my Pippin, so tonight I temporarily switched my ImageWriter II’s cable over, booted both machines, and fired up ZTerm.

The following is what I discovered.

Open Firmware, PipPCI.
To continue booting the MacOS type:
BYE
To continue booting from the default boot device type:
BOOT
 ok
0 > dev / ls
FF829230: /PowerPC,603@0
FF829B28: /chosen@0
FF829C58: /memory@0
FF829DA0: /openprom@0
FF829E60: /AAPL,ROM@FFC00000
FF82A088: /options@0
FF82A528: /aliases@0
FF82A6F0: /packages@0
FF82A778:   /deblocker@0,0
FF82AF78:   /disk-label@0,0
FF82B4B8:   /obp-tftp@0,0
FF82D8F8:   /mac-files@0,0
FF82E0F0:   /mac-parts@0,0
FF82E850:   /aix-boot@0,0
FF82ECC8:   /fat-files@0,0
FF830298:   /iso-9660-files@0,0
FF830BE0:   /xcoff-loader@0,0
FF8315A0:   /terminal-emulator@0,0
FF831638: /aspen@F2000000
FF832900:   /gc@10
FF832D38:     /scc@13000
FF832E90:       /ch-a@13020
FF833540:       /ch-b@13000
FF833BF0:     /awacs@14000
FF833CD8:     /swim3@15000
FF834DE0:     /via-cuda@16000
FF835970:       /adb@0,0
FF835A60:         /keyboard@0,0
FF8361B0:         /mouse@1,0
FF836260:       /pram@0,0
FF836310:       /rtc@0,0
FF8367D8:       /power-mgt@0,0
FF836898:     /mesh@18000
FF838418:       /sd@0,0
FF839048:       /st@0,0
FF839CC8:     /nvram@1D000
FF839DA0: /taos@F0800000
FF839EC8: /aspenmemory@F8000000
 ok
0 > dev /openprom  ok
0 > .properties
name                    openprom
model                   Open Firmware, PipPCI.
relative-addressing

 ok
0 > printenv auto-boot?

auto-boot?          true                true
 ok
0 > printenv use-nvramrc?

use-nvramrc?        false               false
 ok
0 > printenv real-base

real-base           -1                  -1
 ok
0 > printenv load-base

load-base           4000                4000
 ok
0 > printenv boot-device

boot-device         /AAPL,ROM           /AAPL,ROM
 ok
0 > printenv boot-file

boot-file
 ok
0 > printenv input-device

input-device        ttya                ttya
 ok
0 > printenv output-device

output-device       ttya                ttya
 ok
0 > printenv nvramrc

nvramrc
 ok
0 > printenv boot-command

boot-command        boot                boot
 ok
0 > bye

This dump was generated on my @WORLD Pippin with ROM 1.2. Some observations:

  • OF doesn't report a version number, instead reporting "PipPCI" in its place. Searching the ROM for strings reveals "June 28, 1996" as the latest date I could find, so whatever Apple was using in its Power Macs at that time I imagine is what is running here.
  • The ROM is located at 0xFFC00000, which follows what I've seen from hardcoded addresses I've found.
  • "taos" is the video hardware starting at 0xF0800000. I'm not sure offhand if that address is the base of video memory, but I do know from the Pegasus Prime code that taos does allow for writing directly to VRAM.
  • There is a TFTP package(!)—wonder how it works?
  • The Pippin has a SWIM III chip onboard. There is an official floppy drive expansion dock and an unofficial floppy drive expansion board, both of which appear to be "dumb" hardware that merely connect a drive directly to pins of the Pippin's X-PCI connector on the underside of the system. The drive itself is powered and controlled entirely by hardware already built in to the Pippin. However, as far as I know, the SWIM II and later floppy controllers (including the SWIM III) lack the low-level access necessary for HD20 support, so large drives emulated by hardware such as the Floppy Emu will not work.

13 thoughts on “Exploring the Pippin ROM(s), part 5: Open Firmware”

  1. The aspenmemory node looks interesting. Is it the 128k flash? Please try this command string in Open Firmware (not including the quotes) “dev /aspenmemory .properties cr words cr f8000000 400 ' dump catch cr .”.

    The tftp package, like all the other ones, does not work. Old World ROM packages are universally kind of useless, as you have to know deep wizardry to use them (interposing packages is tricky, and only done for you in New World ROMs). Additionally, there is no ethernet device to use tftp on.

    I recognize the name mesh as a scsi controller. The cd drive is either the sd or st node, not sure which. In theory, you could add 5 or so interpose commands to as many different device and package ‘open’ methods to read from the cd from Open Firmware.

    Open Firmware provides yet another potential way to jailbreak the Pippin, as Mac OS will load any drivers that are in the device tree. Read “Designing PCI Cards and Drivers for Power Macintosh Computers” for more information on that. If you stick a script in the NVRAM that loads a ‘driver’ to a newly created device tree node, it will be eventually run.

    1. 0 > dev /aspenmemory .properties
      name                    aspenmemory
      reg                     F8000000  00000800
      model                   AAPL,343S0152
      
       ok
      0 > words
      
       ok
      0 > f8000000 400 ' dump catch
      F8000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000010: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F8000020: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F8000030: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F8000040: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000090: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F80000A0: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F80000B0: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F80000C0: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80000D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80000E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80000F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000110: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F8000120: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F8000130: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F8000140: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000190: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F80001A0: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F80001B0: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F80001C0: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80001D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80001E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80001F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000210: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F8000220: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F8000230: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F8000240: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000290: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F80002A0: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F80002B0: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F80002C0: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80002D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80002E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80002F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000310: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F8000320: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F8000330: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F8000340: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000390: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F80003A0: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F80003B0: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F80003C0: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ok
      1 > . 0  ok
      0 >
      1. Huh. I was really expecting a driver descriptor map or boot block.

        The data looks like address and length values, with an unknown meaning. Perhaps the cpu “translations” property (describes mmu address mappings) will have similar values. Please do this command:
        dev /PowerPC,603@0 .properties cr " translations" active-package get-package-property . cr dump

        1. 0 > dev /PowerPC,603@0 .properties cr " translations" active-package get-package
          -property . cr dump
          name                    PowerPC,603
          device_type             cpu
          reg                     00000000  00000000
          cpu-version             00030302
          clock-frequency         03EF1480
          timebase-frequency      00FBC520
          reservation-granularity 00000020
          tlb-sets                00000020
          tlb-size                00000040
          d-cache-size            00002000
          i-cache-size            00002000
          d-cache-sets            00000040
          i-cache-sets            00000040
          i-cache-block-size      00000020
          d-cache-block-size      00000020
          existing                00000000 80000000 80000000 80000000
          available               00000000 F2000000 F4000000 0B800000 FF900000 00300000
          translations            F2000000 00010000 F2000000 00000028 F2800000 00001000 F2
          800000 00000028
                                  F2C00000 00001000 F2C00000 00000028 F3000000 01000000 F3
          000000 00000028
                                  F8000000 00001000 F8000000 00000028 FF800000 00100000 00
          200000 00000010
                                  FFC00000 00300000 FFC00000 00000000
          
          
          0
          
          FF83A730: F2 00 00 00 00 01 00 00 F2 00 00 00 00 00 00 28
          FF83A740: F2 80 00 00 00 00 10 00 F2 80 00 00 00 00 00 28
          FF83A750: F2 C0 00 00 00 00 10 00 F2 C0 00 00 00 00 00 28
          FF83A760: F3 00 00 00 01 00 00 00 F3 00 00 00 00 00 00 28
          FF83A770: F8 00 00 00 00 00 10 00 F8 00 00 00 00 00 00 28
          FF83A780: FF 80 00 00 00 10 00 00 00 20 00 00 00 00 00 10
          FF83A790: FF C0 00 00 00 30 00 00 FF C0 00 00 00 00 00 00 ok
          0 >
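
Added example (not part of the original post or comments): a small Python parser for the `translations` dump above, useful for checking which address ranges the firmware has mapped. It assumes each entry is four big-endian 32-bit cells in the order virtual address, size, physical address, mode; the function names are illustrative.

```python
import re

# Constructed sample: the data lines of the `dump` output quoted above
# (the raw bytes of the cpu node's "translations" property).
DUMP = """\
FF83A730: F2 00 00 00 00 01 00 00 F2 00 00 00 00 00 00 28
FF83A740: F2 80 00 00 00 00 10 00 F2 80 00 00 00 00 00 28
FF83A750: F2 C0 00 00 00 00 10 00 F2 C0 00 00 00 00 00 28
FF83A760: F3 00 00 00 01 00 00 00 F3 00 00 00 00 00 00 28
FF83A770: F8 00 00 00 00 00 10 00 F8 00 00 00 00 00 00 28
FF83A780: FF 80 00 00 00 10 00 00 00 20 00 00 00 00 00 10
FF83A790: FF C0 00 00 00 30 00 00 FF C0 00 00 00 00 00 00 ok
"""

# Address column, then 1..16 two-digit hex bytes; a trailing " ok" is ignored.
LINE = re.compile(r"^\s*[0-9A-Fa-f]{8}:((?:\s+[0-9A-Fa-f]{2}\b){1,16})")

def dump_bytes(text):
    """Collect the data bytes from Open Firmware `dump` lines."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)

def translations(raw):
    """Split the property into 4-cell entries.
    Assumed cell order: virtual address, size, physical address, mode."""
    if len(raw) % 16:
        raise ValueError("property length is not a multiple of 4 cells")
    cells = [int.from_bytes(raw[i:i + 4], "big") for i in range(0, len(raw), 4)]
    return [tuple(cells[i:i + 4]) for i in range(0, len(cells), 4)]

def virt_to_phys(entries, va):
    """Return the physical address va maps to, or None if no entry covers it."""
    for virt, size, phys, _mode in entries:
        if virt <= va < virt + size:
            return phys + (va - virt)
    return None

def remapped(entries):
    """Entries whose virtual and physical addresses differ."""
    return [e for e in entries if e[0] != e[2]]
```

Under that cell order, only the FF800000 range is not identity-mapped, and the device-tree node addresses printed by `dev / ls` fall inside it.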
  2. Could you dump device tree properties for Aspen and Taos?

    > dev aspen
    > .properties

    > dev taos
    > .properties

    devalias command may shed some light on the built-in devices as well…

    1. 0 > dev /aspen .properties
      name                    aspen
      device_type             pci
      model                   AAPL,343S0152
      AAPL,interrupts         00000016
      reg                     F2000000  02000000
      #address-cells          00000003
      #size-cells             00000002
      clock-frequency         01FCA055
      slot-names              0000E000 41310042 31004331 00
      
       ok
      0 > dev /taos .properties
      name                    taos
      device_type             display
      model                   AAPL,343S0153
      AAPL,connector          monitor
      reg                     F0800000  00000800
                              F0000000  01000000
      AAPL,interrupts         0000001C
      
       ok
      0 > devalias
      vci0                /taos@F0000000
      pci1                /aspen@F2000000
      pci2                /aspen@F4000000
      fd                  /aspen/gc/swim3
      kbd                 /aspen/gc/via-cuda/adb/keyboard
      ttya                /aspen/gc/scc/ch-a
      ttyb                /aspen/gc/scc/ch-b
      scsi-int            /aspen/gc/mesh
       ok
      0 >
    2. On my Atmark with ROM 1.3, I get this:

      0 > dev / ls
      FF829220: /PowerPC,603@0
      FF829B18: /chosen@0
      FF829C48: /memory@0
      FF829D90: /openprom@0
      FF829E50: /AAPL,ROM@FFC00000
      FF82A078: /options@0
      FF82A518: /aliases@0
      FF82A6E0: /packages@0
      FF82A768:   /deblocker@0,0
      FF82AF68:   /disk-label@0,0
      FF82B4A8:   /obp-tftp@0,0
      FF82D8E8:   /mac-files@0,0
      FF82E0E0:   /mac-parts@0,0
      FF82E840:   /aix-boot@0,0
      FF82ECB8:   /fat-files@0,0
      FF830288:   /iso-9660-files@0,0
      FF830BD0:   /xcoff-loader@0,0
      FF831590:   /terminal-emulator@0,0
      FF831628: /aspen@F2000000
      FF832938:   /gc@10
      FF832D70:     /scc@13000
      FF832EC8:       /ch-a@13020
      FF833578:       /ch-b@13000
      FF833C28:     /awacs@14000
      FF833D10:     /swim3@15000
      FF834E18:     /via-cuda@16000
      FF8359A8:       /adb@0,0
      FF835A98:         /keyboard@0,0
      FF8361E8:         /mouse@1,0
      FF836298:       /pram@0,0
      FF836348:       /rtc@0,0
      FF836810:       /power-mgt@0,0
      FF8368D0:     /mesh@18000
      FF838450:       /sd@0,0
      FF839080:       /st@0,0
      FF839D00:     /nvram@1D000
      FF839DD8:     /taos@F0800000
      FF839F00: /aspenmemory@F8000000
       ok
      0 > dev /openprom .properties
      name                    openprom
      model                   Open Firmware, PipPCI2.
      relative-addressing
      
       ok
      0 > dev /aspen .properties
      name                    aspen
      device_type             pci
      model                   AAPL,343S0152
      AAPL,interrupts         0000001A
      reg                     F2000000  02000000
      #address-cells          00000003
      #size-cells             00000002
      clock-frequency         01FCA055
      slot-names              0000E000 41310042 31004331 00
      ranges                  02000000 00000000 F3000000  F3000000  00000000 01000000
                              01000000 00000000 00000000  F2000000  00000000 00800000
      bus-range               00000000 00000000
      
       ok
      0 > dev /aspen/gc/taos .properties
      name                    taos
      device_type             display
      model                   AAPL,343S0153
      AAPL,connector          monitor
      reg                     F0800000  00000800
                              F0000000  01000000
      AAPL,interrupts         0000001C
      
       ok
      0 > devalias
      vci0                /taos@F0000000
      pci1                /aspen@F2000000
      pci2                /aspen@F4000000
      fd                  /aspen/gc/swim3
      kbd                 /aspen/gc/via-cuda/adb/keyboard
      ttya                /aspen/gc/scc/ch-a
      ttyb                /aspen/gc/scc/ch-b
      scsi-int            /aspen/gc/mesh
       ok
      0 >

      Notably, Taos is grouped instead under Grand Central. The aliases are unchanged though, so trying to get properties on vci0 returns can't find device.
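
Added example (not part of the original post or comments): a Python sketch that rebuilds full node paths from two `dev / ls` listings and reports nodes that changed parent, plus aliases that no longer match any node. The listings are excerpts of the ROM 1.2 and ROM 1.3 output on this page; alias matching compares node names only and ignores unit addresses, which is a simplification and not Open Firmware's actual resolution rule.

```python
import re

# Excerpts of the two `dev / ls` listings on this page (ROM 1.2, ROM 1.3).
ROM_1_2 = """\
FF831638: /aspen@F2000000
FF832900:   /gc@10
FF839CC8:     /nvram@1D000
FF839DA0: /taos@F0800000
FF839EC8: /aspenmemory@F8000000
"""
ROM_1_3 = """\
FF831628: /aspen@F2000000
FF832938:   /gc@10
FF839D00:     /nvram@1D000
FF839DD8:     /taos@F0800000
FF839F00: /aspenmemory@F8000000
"""
# Two entries of the devalias output, which is identical on both ROMs.
ALIASES = {"vci0": "/taos@F0000000", "pci1": "/aspen@F2000000"}

NODE = re.compile(r"^\s*([0-9A-Fa-f]{8}):( +)/(\S+)\s*$")

def parse_ls(text):
    """Return {full_path: phandle}; depth comes from the indent after the
    colon (1 space at the root level, 2 more per nesting level)."""
    tree, stack = {}, []
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # prompts, ' ok', blank lines
        depth = (len(m.group(2)) - 1) // 2
        del stack[depth:]
        stack.append(m.group(3))
        tree["/" + "/".join(stack)] = int(m.group(1), 16)
    return tree

def moved(old, new):
    """Nodes (matched by 'name@unit') whose full path changed."""
    leaf = lambda tree: {p.rsplit("/", 1)[1]: p for p in tree}
    a, b = leaf(old), leaf(new)
    return {n: (a[n], b[n]) for n in a if n in b and a[n] != b[n]}

def names_only(path):
    """Drop '@unit' from every path component."""
    return "/".join(c.split("@")[0] for c in path.split("/"))

def stale_aliases(aliases, tree):
    """Aliases whose node names match no node in the tree."""
    known = {names_only(p) for p in tree}
    return sorted(a for a, p in aliases.items() if names_only(p) not in known)
```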

      1. Great! That explains why the interrupt pins vary between the ROM versions. That would be only possible for different HW or in an emulated environment.
        BTW, I’m setting up a basic emulator for Pippin in DingusPPC right now. It looks like we had almost everything we need to emulate Pippin…

  3. Could you dump the properties for the /aspen/gc node? Thank you in advance!

    1. Sure, here you go!

      0 > dev /aspen/gc .properties
      name                    gc
      device_type             dbdma
      model                   AAPL,343S1125
      reg                     00008000 00000000 00000000  00000000 00000000
                              02008010 00000000 F3000000  00000000 00100000
      assigned-addresses      82008010 00000000 F3000000  00000000 00100000
      ranges                  00000000  02008010 00000000 F3000000  00100000
      #address-cells          00000001
      #size-cells             00000001
      vendor-id               0000106B
      device-id               00000002
      revision-id             00000002
      class-code              00FF0000
      min-grant               00000000
      max-latency             00000000
      devsel-speed            00000001
      
       ok
      0 >
