Exploring the Pippin ROM(s), part 5: Open Firmware

According to the NetBSD/macppc FAQ, Open Firmware “is part of the boot ROMs in most PowerPC-based Macintosh systems, and we use it to load the kernel from disk or network.”

Turns out, “most PowerPC-based Macintosh systems” happens to include the Pippin. If you have the rare keyboard/tablet (or an ADB keyboard via the AppleJack dongle) attached and hold down Command-Option-O-F at startup, the Pippin boots to an Open Firmware prompt. However, you won’t see anything on screen because it outputs to a serial console by default; specifically, all console I/O is handled through the GeoPort. My Mac Plus happens to sit next to my Pippin, so tonight I temporarily switched my ImageWriter II’s cable over, booted both machines, and fired up ZTerm.

The following is what I discovered.

Open Firmware, PipPCI.
To continue booting the MacOS type:
BYE
To continue booting from the default boot device type:
BOOT
 ok
0 > dev / ls
FF829230: /PowerPC,603@0
FF829B28: /chosen@0
FF829C58: /memory@0
FF829DA0: /openprom@0
FF829E60: /AAPL,ROM@FFC00000
FF82A088: /options@0
FF82A528: /aliases@0
FF82A6F0: /packages@0
FF82A778:   /deblocker@0,0
FF82AF78:   /disk-label@0,0
FF82B4B8:   /obp-tftp@0,0
FF82D8F8:   /mac-files@0,0
FF82E0F0:   /mac-parts@0,0
FF82E850:   /aix-boot@0,0
FF82ECC8:   /fat-files@0,0
FF830298:   /iso-9660-files@0,0
FF830BE0:   /xcoff-loader@0,0
FF8315A0:   /terminal-emulator@0,0
FF831638: /aspen@F2000000
FF832900:   /gc@10
FF832D38:     /scc@13000
FF832E90:       /ch-a@13020
FF833540:       /ch-b@13000
FF833BF0:     /awacs@14000
FF833CD8:     /swim3@15000
FF834DE0:     /via-cuda@16000
FF835970:       /adb@0,0
FF835A60:         /keyboard@0,0
FF8361B0:         /mouse@1,0
FF836260:       /pram@0,0
FF836310:       /rtc@0,0
FF8367D8:       /power-mgt@0,0
FF836898:     /mesh@18000
FF838418:       /sd@0,0
FF839048:       /st@0,0
FF839CC8:     /nvram@1D000
FF839DA0: /taos@F0800000
FF839EC8: /aspenmemory@F8000000
 ok
0 > dev /openprom  ok
0 > .properties
name                    openprom
model                   Open Firmware, PipPCI.
relative-addressing

 ok
0 > printenv auto-boot?

auto-boot?          true                true
 ok
0 > printenv use-nvramrc?

use-nvramrc?        false               false
 ok
0 > printenv real-base

real-base           -1                  -1
 ok
0 > printenv load-base

load-base           4000                4000
 ok
0 > printenv boot-device

boot-device         /AAPL,ROM           /AAPL,ROM
 ok
0 > printenv boot-file

boot-file
 ok
0 > printenv input-device

input-device        ttya                ttya
 ok
0 > printenv output-device

output-device       ttya                ttya
 ok
0 > printenv nvramrc

nvramrc
 ok
0 > printenv boot-command

boot-command        boot                boot
 ok
0 > bye

This dump was generated on my @WORLD Pippin with ROM 1.2. Some observations:

  • OF doesn't report a version number, instead reporting "PipPCI" in its place. Searching the ROM for strings reveals "June 28, 1996" as the latest date I could find, so whatever Apple was using in its Power Macs at that time I imagine is what is running here.
  • The ROM is located at 0xFFC00000, which follows what I've seen from hardcoded addresses I've found.
  • "taos" is the video hardware starting at 0xF0800000. I'm not sure offhand if that address is the base of video memory, but I do know from the Pegasus Prime code that taos does allow for writing directly to VRAM.
  • There is a TFTP package(!)—wonder how it works?
  • The Pippin has a SWIM III chip onboard. There is an official floppy drive expansion dock and an unofficial floppy drive expansion board, both of which appear to be "dumb" hardware that merely connect a drive directly to pins of the Pippin's X-PCI connector on the underside of the system. The drive itself is powered and controlled entirely by hardware already built in to the Pippin. However, as far as I know, the SWIM II and later floppy controllers (including the SWIM III) lack the low-level access necessary for HD20 support, so large drives emulated by hardware such as the Floppy Emu will not work.

4 thoughts on “Exploring the Pippin ROM(s), part 5: Open Firmware”

  1. The aspenmemory node looks interesting. Is it the 128k flash? Please try this command string in Open Firmware (not including the quotes) “dev /aspenmemory .properties cr words cr f8000000 400 ' dump catch cr . ”.

    The tftp package, like all the other ones, does not work. Old World ROM packages are universally kind of useless, as you have to know deep wizardry to use them (interposing packages is tricky, and only done for you in New World ROMs). Additionally, there is no Ethernet device to use tftp on.

    I recognize the name mesh as a SCSI controller. The CD drive is either the sd or st node, not sure which. In theory, you could add 5 or so interpose commands to as many different device and package ‘open’ methods to read from the CD from Open Firmware.

    Open Firmware provides yet another potential way to jailbreak the Pippin, as Mac OS will load any drivers that are in the device tree. Read “Designing PCI Cards and Drivers for Power Macintosh Computers” for more information on that. If you stick a script in the NVRAM that loads a ‘driver’ to a newly created device tree node, it will be eventually run.

    1. 0 > dev /aspenmemory .properties
      name                    aspenmemory
      reg                     F8000000  00000800
      model                   AAPL,343S0152
      
       ok
      0 > words
      
       ok
      0 > f8000000 400 ' dump catch
      F8000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000010: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F8000020: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F8000030: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F8000040: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000090: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F80000A0: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F80000B0: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F80000C0: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80000D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80000E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80000F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000110: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F8000120: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F8000130: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F8000140: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000190: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F80001A0: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F80001B0: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F80001C0: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80001D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80001E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80001F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000210: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F8000220: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F8000230: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F8000240: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000290: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F80002A0: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F80002B0: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F80002C0: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80002D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80002E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80002F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000310: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F8000320: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F8000330: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F8000340: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F8000390: 40 01 00 00 01 00 00 00 45 00 00 00 20 00 00 00
      F80003A0: 00 00 00 00 00 00 00 00 00 00 00 00 0F 80 00 00
      F80003B0: F8 00 00 00 20 00 00 00 20 00 00 00 00 00 00 00
      F80003C0: 80 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      F80003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ok
      1 > . 0  ok
      0 >
      1. Huh. I was really expecting a driver descriptor map or boot block.

        The data looks like address and length values, with an unknown meaning. Perhaps the CPU “translations” property (describes MMU address mappings) will have similar values. Please do this command:
        dev /PowerPC,603@0 .properties cr " translations" active-package get-package-property . cr dump

        1. 0 > dev /PowerPC,603@0 .properties cr " translations" active-package get-package-property . cr dump
          name                    PowerPC,603
          device_type             cpu
          reg                     00000000  00000000
          cpu-version             00030302
          clock-frequency         03EF1480
          timebase-frequency      00FBC520
          reservation-granularity 00000020
          tlb-sets                00000020
          tlb-size                00000040
          d-cache-size            00002000
          i-cache-size            00002000
          d-cache-sets            00000040
          i-cache-sets            00000040
          i-cache-block-size      00000020
          d-cache-block-size      00000020
          existing                00000000 80000000 80000000 80000000
          available               00000000 F2000000 F4000000 0B800000 FF900000 00300000
          translations            F2000000 00010000 F2000000 00000028 F2800000 00001000 F2800000 00000028
                                  F2C00000 00001000 F2C00000 00000028 F3000000 01000000 F3000000 00000028
                                  F8000000 00001000 F8000000 00000028 FF800000 00100000 00200000 00000010
                                  FFC00000 00300000 FFC00000 00000000
          
          
          0
          
          FF83A730: F2 00 00 00 00 01 00 00 F2 00 00 00 00 00 00 28
          FF83A740: F2 80 00 00 00 00 10 00 F2 80 00 00 00 00 00 28
          FF83A750: F2 C0 00 00 00 00 10 00 F2 C0 00 00 00 00 00 28
          FF83A760: F3 00 00 00 01 00 00 00 F3 00 00 00 00 00 00 28
          FF83A770: F8 00 00 00 00 00 10 00 F8 00 00 00 00 00 00 28
          FF83A780: FF 80 00 00 00 10 00 00 00 20 00 00 00 00 00 10
          FF83A790: FF C0 00 00 00 30 00 00 FF C0 00 00 00 00 00 00 ok
          0 >
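
Added example, not part of the original post or its comments: the seven “translations” entries dumped above, decoded as (virtual, size, physical, mode) cells and used to look up where a firmware address actually lives. The four-cell layout and the WIMG reading of the mode word are assumptions taken from the Open Firmware PowerPC binding, and every function name here is made up for the illustration.

```python
import struct

# Cells of the CPU node's "translations" property, copied from the
# `dump` output in the comment thread (FF83A730..FF83A79F).
TRANSLATIONS_HEX = """
F2000000 00010000 F2000000 00000028
F2800000 00001000 F2800000 00000028
F2C00000 00001000 F2C00000 00000028
F3000000 01000000 F3000000 00000028
F8000000 00001000 F8000000 00000028
FF800000 00100000 00200000 00000010
FFC00000 00300000 FFC00000 00000000
"""

# Assumed mode layout (WIMGxPP in the low 7 bits); not stated on the page.
MODE_BITS = [(0x40, "write-through"), (0x20, "cache-inhibited"),
             (0x10, "coherent"), (0x08, "guarded")]


def parse_translations(hex_text):
    """Split the property into big-endian (virt, size, phys, mode) tuples."""
    raw = bytes.fromhex("".join(hex_text.split()))
    if len(raw) % 16:
        raise ValueError("property length is not a multiple of 4 cells")
    return [struct.unpack(">4I", raw[i:i + 16]) for i in range(0, len(raw), 16)]


def describe_mode(mode):
    """Name the WIMG bits set in a mode cell."""
    return [name for bit, name in MODE_BITS if mode & bit]


def virt_to_phys(entries, addr):
    """Return the physical address for addr, or None if it is unmapped."""
    for virt, size, phys, _mode in entries:
        if virt <= addr < virt + size:
            return phys + (addr - virt)
    return None


def covers(entries, base, length):
    """True if [base, base+length) lies inside a single mapping."""
    return any(v <= base and base + length <= v + s for v, s, _p, _m in entries)


if __name__ == "__main__":
    entries = parse_translations(TRANSLATIONS_HEX)
    for virt, size, phys, mode in entries:
        print(f"{virt:08X}+{size:08X} -> {phys:08X} {describe_mode(mode)}")
    # Physical location of the property buffer that `dump` printed.
    print(f"{virt_to_phys(entries, 0xFF83A730):08X}")
```

Under these assumptions the only mapping that is not identity-mapped is FF800000, which places the FF8xxxxx device-tree addresses in RAM starting at physical 00200000, while the device ranges carry the cache-inhibited and guarded bits.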
