According to the NetBSD/macppc FAQ, Open Firmware “is part of the boot ROMs in most PowerPC-based Macintosh systems, and we use it to load the kernel from disk or network.”
Turns out, “most PowerPC-based Macintosh systems” happens to include the Pippin. If you have the rare keyboard/tablet (or an ADB keyboard via the AppleJack dongle) attached and hold down Command-Option-O-F at startup, the Pippin boots to an Open Firmware prompt. However, you won’t see anything on screen because it outputs to a serial console by default; specifically, all console I/O is handled through the GeoPort. My Mac Plus happens to sit next to my Pippin, so tonight I temporarily switched my ImageWriter II’s cable over, booted both machines, and fired up ZTerm.
The following is what I discovered.
Open Firmware, PipPCI.
To continue booting the MacOS type:
BYE
To continue booting from the default boot device type:
BOOT
ok
0 > dev / ls
FF829230: /PowerPC,603@0
FF829B28: /chosen@0
FF829C58: /memory@0
FF829DA0: /openprom@0
FF829E60: /AAPL,ROM@FFC00000
FF82A088: /options@0
FF82A528: /aliases@0
FF82A6F0: /packages@0
FF82A778: /deblocker@0,0
FF82AF78: /disk-label@0,0
FF82B4B8: /obp-tftp@0,0
FF82D8F8: /mac-files@0,0
FF82E0F0: /mac-parts@0,0
FF82E850: /aix-boot@0,0
FF82ECC8: /fat-files@0,0
FF830298: /iso-9660-files@0,0
FF830BE0: /xcoff-loader@0,0
FF8315A0: /terminal-emulator@0,0
FF831638: /aspen@F2000000
FF832900: /gc@10
FF832D38: /scc@13000
FF832E90: /ch-a@13020
FF833540: /ch-b@13000
FF833BF0: /awacs@14000
FF833CD8: /swim3@15000
FF834DE0: /via-cuda@16000
FF835970: /adb@0,0
FF835A60: /keyboard@0,0
FF8361B0: /mouse@1,0
FF836260: /pram@0,0
FF836310: /rtc@0,0
FF8367D8: /power-mgt@0,0
FF836898: /mesh@18000
FF838418: /sd@0,0
FF839048: /st@0,0
FF839CC8: /nvram@1D000
FF839DA0: /taos@F0800000
FF839EC8: /aspenmemory@F8000000
ok
0 > dev /openprom ok
0 > .properties
name openprom
model Open Firmware, PipPCI.
relative-addressing
ok
0 > printenv auto-boot?
auto-boot? true true
ok
0 > printenv use-nvramrc?
use-nvramrc? false false
ok
0 > printenv real-base
real-base -1 -1
ok
0 > printenv load-base
load-base 4000 4000
ok
0 > printenv boot-device
boot-device /AAPL,ROM /AAPL,ROM
ok
0 > printenv boot-file
boot-file
ok
0 > printenv input-device
input-device ttya ttya
ok
0 > printenv output-device
output-device ttya ttya
ok
0 > printenv nvramrc
nvramrc
ok
0 > printenv boot-command
boot-command boot boot
ok
0 > bye
This dump was generated on my @WORLD Pippin with ROM 1.2. Some observations:
- OF doesn't report a version number, instead reporting "PipPCI" in its place. Searching the ROM for strings reveals "June 28, 1996" as the latest date I could find, so whatever Apple was using in its Power Macs at that time I imagine is what is running here.
- The ROM is located at 0xFFC00000, which follows what I've seen from hardcoded addresses I've found.
- "taos" is the video hardware starting at 0xF0800000. I'm not sure offhand if that address is the base of video memory, but I do know from the Pegasus Prime code that taos does allow for writing directly to VRAM.
- There is a TFTP package(!)—wonder how it works?
- The Pippin has a SWIM III chip onboard. There is an official floppy drive expansion dock and an unofficial floppy drive expansion board, both of which appear to be "dumb" hardware that merely connect a drive directly to pins of the Pippin's X-PCI connector on the underside of the system. The drive itself is powered and controlled entirely by hardware already built in to the Pippin. However, as far as I know, the SWIM II and later floppy controllers (including the SWIM III) lack the low-level access necessary for HD20 support, so large drives emulated by hardware such as the Floppy Emu will not work.
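As an added example (not part of the original post or of any Pippin tooling), here is a small Python parser for a saved copy of a serial capture like the one above. It pulls out the device nodes and configuration variables, then flags any variable that differs from its default or that enables the NVRAM script. It assumes `printenv` prints the current value followed by the default; `parse_capture` and `review` are names made up for this sketch.

```python
import re

# Constructed sample: a few lines copied from the console capture in this post.
CAPTURE = """\
0 > dev / ls
FF829E60: /AAPL,ROM@FFC00000
FF835970: /adb@0,0
FF839DA0: /taos@F0800000
ok
0 > printenv use-nvramrc?
use-nvramrc? false false
ok
0 > printenv nvramrc
nvramrc
ok
0 > printenv output-device
output-device ttya ttya
ok
"""

NODE = re.compile(r"^([0-9A-F]{8}): /([^@\s]+)@([0-9A-F,]+)$")

def parse_capture(text):
    """Return (nodes, env): nodes maps name -> (first column, unit address),
    env maps variable -> (current, default)."""
    nodes, env, pending = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = NODE.match(line)
        if m:
            nodes[m.group(2)] = (int(m.group(1), 16), m.group(3))
        elif line.startswith("0 > printenv "):
            pending = line.split()[-1]            # variable being queried
        elif pending and line.split()[:1] == [pending]:
            rest = line.split()[1:]
            # Assumption: columns are current value, then default value.
            env[pending] = (rest[0], rest[-1]) if rest else ("", "")
            pending = None
    return nodes, env

def review(env):
    """List settings that differ from default or enable the NVRAM script."""
    notes = [f"{n}: {c!r} differs from default {d!r}"
             for n, (c, d) in env.items() if c != d]
    if env.get("use-nvramrc?", ("",))[0] == "true":
        notes.append("use-nvramrc? is true: the nvramrc script runs at startup")
    if env.get("nvramrc", ("",))[0]:
        notes.append("nvramrc is not empty")
    return notes
```

On the values shown in this post, `review` returns an empty list: every variable is at its default and no NVRAM script is enabled.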
The aspenmemory node looks interesting. Is it the 128k flash? Please try this command string in Open Firmware (not including the quotes): “dev /aspenmemory .properties cr words cr f8000000 400 ' dump catch cr .”
The tftp package, like all the other ones, does not work. Old World ROM packages are universally kind of useless, as you have to know deep wizardry to use them (interposing packages is tricky, and only done for you in New World ROMs). Additionally, there is no Ethernet device to use tftp on.
I recognize the name mesh as a SCSI controller. The CD drive is either the sd or st node, not sure which. In theory, you could add 5 or so interpose commands to as many different device and package ‘open’ methods to read from the CD from Open Firmware.
Open Firmware provides yet another potential way to jailbreak the Pippin, as Mac OS will load any drivers that are in the device tree. Read “Designing PCI Cards and Drivers for Power Macintosh Computers” for more information on that. If you stick a script in the NVRAM that loads a ‘driver’ to a newly created device tree node, it will be eventually run.
Huh. I was really expecting a driver descriptor map or boot block.
The data looks like address and length values, with an unknown meaning. Perhaps the CPU “translations” property (describes MMU address mappings) will have similar values. Please do this command:
dev /PowerPC,603@0 .properties cr " translations" active-package get-package-property . cr dump
Could you dump device tree properties for Aspen and Taos?
> dev aspen
> .properties
…
> dev taos
> .properties
devalias command may shed some light on the built-in devices as well…
On my Atmark with ROM 1.3, I get this:
Notably, Taos is grouped instead under Grand Central. The aliases are unchanged though, so trying to get properties on vci0 returns “can't find device”.
Thanks a lot! It looks like we will be able to emulate Pippin in DingusPPC.
I’ll set up a basic emulator next.
BTW, do you have two different Pippins?
Since writing this blog post I have acquired a few more, yes. I have ROMs 1.0, 1.2, and 1.3.
Great! That explains why the interrupt pins vary between the ROM versions. That would be only possible for different HW or in an emulated environment.
BTW, I’m setting up a basic emulator for Pippin in DingusPPC right now. It looks like we had almost everything we need to emulate Pippin…
Could you dump the properties for the /aspen/gc node? Thank you in advance!
Sure, here you go!