
ROM Hacking...The Radius Rocket!

eharmon

Well-known member
Hey folks, I got a little distracted from regular ROM mods by some interesting quirks of the Radius Rocket. I ended up writing...a lot, so the full post is on my personal site, but I'll summarize things here:


TL;DR: The Rocket's Macintosh ROMs are dynamically loaded into RAM by the Radius Cargo extension, and protected by a very simple encryption algorithm.

Thus, it seems possible to mod the Rocket ROM with zero flashing (just a reboot of the host after modifying the extension). While a Rocket is far more limited, it could provide an interesting platform for easy ROM modification development for anyone with a Rocket. I'll probably be looking into that further, but I figured I'd share what I learned so far!
 

David Cook

Well-known member
Really interesting writeup. I like how you used classic cryptographic attacks, but then also looked at the final ROM from the booted Mac side as well.
 

Phipli

Well-known member
eharmon said:
> Hey folks, I got a little distracted from regular ROM mods by some interesting quirks of the Radius Rocket. I ended up writing...a lot, so the full post is on my personal site, but I'll summarize things here:
>
> TL;DR: The Rocket's Macintosh ROMs are dynamically loaded into RAM by the Radius Cargo extension, and protected by a very simple encryption algorithm.
>
> Thus, it seems possible to mod the Rocket ROM with zero flashing (just a reboot of the host after modifying the extension). While a Rocket is far more limited, it could provide an interesting platform for easy ROM modification development for anyone with a Rocket. I'll probably be looking into that further, but I figured I'd share what I learned so far!

One interesting thing with the ROM on the card - if you have a Rocket 25i (the one without an FPU), I realised mine was actually fitted with a 68040 with an FPU. Swapping in a ROM from a FPU enabled Rocket made the FPU appear.

So it seems the FPU availability (assuming one is physically present) is controlled based on a flag in the ROM.
 

eharmon

Well-known member
David Cook said:
> Really interesting writeup. I like how you used classic cryptographic attacks, but then also looked at the final ROM from the booted Mac side as well.

Thanks! I'm pretty curious what the runtime patches do, and how they're applied, so it was extra interesting to compare them. I could imagine a few different clever tricks the loader code might have up its sleeve.

Phipli said:
> One interesting thing with the ROM on the card - if you have a Rocket 25i (the one without an FPU), I realised mine was actually fitted with a 68040 with an FPU. Swapping in a ROM from a FPU enabled Rocket made the FPU appear.
>
> So it seems the FPU availability (assuming one is physically present) is controlled based on a flag in the ROM.

Should be pretty easy to diff them and find out how it makes the decision. At the least to find out where the configuration bits are, which might reveal more tweakable components.

I've only seen the 25i ROM with my own eyes. Obviously not that interesting from a basic capabilities perspective (since we know you can ROM swap them to success), but I'm always curious!
 

Bolle

Well-known member

Attachments

  • Radius Rocket 33M V1.0 256K 295-0011-01A.bin (32 KB)
  • Radius Rocket Stage 2 40MHz V1.0 256K 0071-01-A.bin (32 KB)

herd

Well-known member
Interesting! Thanks for sharing. What do you think the point was? Were they just obfuscating Apple code being used on an aftermarket product?
 

Phipli

Well-known member
herd said:
> Interesting! Thanks for sharing. What do you think the point was? Were they just obfuscating Apple code being used on an aftermarket product?

It might have been a term of their permission to use it? The ROM was very precious to Apple in that era after the trouble they had with Apple II clones.
 

eharmon

Well-known member
> Here's dumps from my two Rockets...

> Here's some for 25i, 33 and 40.

Thanks! Indeed, seems like just a 1-byte change (plus checksum) to sResource 129 on the Board. And the Stage IIs (v1.1) use the same flags as the 33.

herd said:
> Interesting! Thanks for sharing. What do you think the point was? Were they just obfuscating Apple code being used on an aftermarket product?

Phipli said:
> It might have been a term of their permission to use it? The ROM was very precious to Apple in that era after the trouble they had with Apple II clones.

Yeah, I think that's the case. Ultimately, though you can copy a ROM from a Mac, first you needed to buy a Mac, agree to license terms, and deliberately set out to copy it from memory with "specialized" programs.

When it ships on a floppy disk, where a user is more likely to make a backup copy, etc, I presume there was a desire to create the same level of hardware entanglement. By putting a decryption key in the hardware, it de facto creates the same limitations as a standard Mac ROM.

That said, I'm still not sure how v1.0 decrypts it...clearly it must, because RocketShare works.
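
The two things this thread keeps coming back to are "diff the dumps" (eharmon's suggestion above) and the observation that the 25i/33 difference is one byte plus the checksum in the Board sResource. The following script is an added example for this thread, not code from eharmon's post, from Radius or from Apple. It assumes (as labelled in the comments) that a dump is a plain contiguous image whose last 20 bytes are the Apple NuBus declaration-ROM format block with ByteLanes as the final byte, and that the checksum is Apple's documented rotate-left-by-one-and-add CRC over the last `Length` bytes with the four CRC bytes counted as zero. The sample image it builds is constructed for the example and is not a Rocket dump; point it at two real 32 KB dumps instead to list the differing offsets and check whether each image's CRC field matches its contents.

```python
"""Diff two ROM dumps and recompute the Apple declaration-ROM CRC.

Added example for this thread, not code from the original post, from Radius
or from Apple. Assumptions: each dump is a plain contiguous image whose last
20 bytes are the Apple NuBus declaration-ROM format block (ByteLanes last),
and the CRC is rotate-left-by-one-and-add over the last `Length` bytes with
the four CRC bytes treated as zero. build_sample_rom() is a constructed image.
"""
import struct
import sys

TEST_PATTERN = 0x5A932BC7   # fixed value Apple places in every format block
FORMAT_BLOCK_LEN = 20
# DirectoryOffset(i32) Length(u32) CRC(u32) Revision(u8) Format(u8) TestPattern(u32) Reserved(u8) ByteLanes(u8)
FB_STRUCT = ">iIIBBIBB"
CRC_OFFSET_IN_FB = 8        # CRC field starts 8 bytes into the format block


def diff_images(a: bytes, b: bytes):
    """Return (offset, byte_a, byte_b) for every differing byte of two equal-length images."""
    if len(a) != len(b):
        raise ValueError("images differ in length: %d vs %d" % (len(a), len(b)))
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def rotate_add_crc(data: bytes) -> int:
    """Apple's declaration-ROM checksum: rotate the 32-bit accumulator left by one, then add the byte."""
    crc = 0
    for byte in data:
        crc = ((crc << 1) | (crc >> 31)) & 0xFFFFFFFF
        crc = (crc + byte) & 0xFFFFFFFF
    return crc


def parse_format_block(rom: bytes) -> dict:
    """Parse the format block assumed to occupy the last 20 bytes of a contiguous dump."""
    if len(rom) < FORMAT_BLOCK_LEN:
        raise ValueError("image too small to hold a format block")
    names = ("dir_offset", "length", "crc", "revision", "format", "test", "reserved", "byte_lanes")
    fb = dict(zip(names, struct.unpack(FB_STRUCT, rom[-FORMAT_BLOCK_LEN:])))
    if fb["test"] != TEST_PATTERN:
        raise ValueError("test pattern 0x%08X not found; not a declaration ROM" % TEST_PATTERN)
    if not FORMAT_BLOCK_LEN <= fb["length"] <= len(rom):
        raise ValueError("Length field %d is inconsistent with image size" % fb["length"])
    return fb


def declrom_crc(rom: bytes) -> int:
    """CRC over the last Length bytes, with the CRC field itself counted as zero."""
    fb = parse_format_block(rom)
    start = len(rom) - fb["length"]
    crc_pos = len(rom) - FORMAT_BLOCK_LEN + CRC_OFFSET_IN_FB
    covered = bytearray(rom[start:])
    rel = crc_pos - start
    covered[rel:rel + 4] = b"\x00\x00\x00\x00"
    return rotate_add_crc(bytes(covered))


def with_crc(rom: bytes) -> bytes:
    """Copy of the image with the CRC field rewritten to match its contents."""
    out = bytearray(rom)
    struct.pack_into(">I", out, len(out) - FORMAT_BLOCK_LEN + CRC_OFFSET_IN_FB, declrom_crc(rom))
    return bytes(out)


def patch_byte(rom: bytes, offset: int, value: int) -> bytes:
    """The thread's 'one byte plus checksum' edit: change one byte, then fix the CRC."""
    out = bytearray(rom)
    out[offset] = value
    return with_crc(bytes(out))


def build_sample_rom() -> bytes:
    """Constructed 76-byte image (not a real dump): 32 bytes standing in for the
    non-DeclROM part of the image, a 24-byte stand-in sResource body, then the format block.
    Length covers only body + format block, mirroring a DeclROM that is the tail of a larger ROM."""
    prefix = bytes(range(32))
    body = bytes([0x00, 0x00, 0x00, 0x08, 0x01, 0x00, 0x00, 0x04]) + b"\x00" * 16
    length = len(body) + FORMAT_BLOCK_LEN
    fb = struct.pack(FB_STRUCT, -len(body), length, 0, 1, 1, TEST_PATTERN, 0, 0x0F)
    return with_crc(prefix + body + fb)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        a, b = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        a = build_sample_rom()
        b = patch_byte(a, 36, 0x02)   # flip one body byte, as in the 25i/33 comparison
    for off, x, y in diff_images(a, b):
        print("0x%06X: %02X -> %02X" % (off, x, y))
    for name, img in (("first", a), ("second", b)):
        ok = declrom_crc(img) == parse_format_block(img)["crc"]
        print("%s image CRC %s" % (name, "OK" if ok else "MISMATCH"))
```

With a real pair of dumps the interesting output is the list of offsets: a single byte inside the Board sResource followed by up to four bytes at the CRC field is exactly the "1-byte change (plus checksum)" pattern; anything else indicates the two images differ in more than the capability flag. If the CRC check reports MISMATCH on an unmodified dump, the ROM was not dumped contiguously (byte lanes) or the image does not end at the format block, and the offsets will need adjusting before trusting the diff.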
 

olePigeon

Well-known member
So it is a physical limitation and not an artificial limitation that prevents Rocket IIs from working as accelerators? I always wondered if it was a ROM thing.
 

eharmon

Well-known member
olePigeon said:
> So it is a physical limitation and not an artificial limitation that prevents Rocket IIs from working as accelerators? I always wondered if it was a ROM thing.

I think so. They're definitely a different board revision that has some major layout changes.

Nothing in the ROM itself is too interesting between the 33 and Stage II, but the DeclROM is mostly a stub. Bus mastering is still marked as supported, all the entries are the same except the BoardID was moved from 4 to 42, and the v1.1 ROM contains the cipher key table.

It's probably worth swapping the ROMs to see what happens, though, if only with the BoardID change.
 

zigzagjoe

Well-known member
Well done! Really interesting info. I'm rather curious what convolutions go into the accelerator mode on the earlier models since they've gotta be doing something weird.
 

rplacd

Well-known member
Oh wow, thanks for the explanation: I'd always wondered whether the "Quadra 950 ROMs" were on cards directly shucked from actual Quadra 950s to avoid having to go through Apple to license, but it looks like they genuinely distributed their own license on disk.

I've always wondered as well about how a performant (minimal latency) accelerator could be run on the NuBus, given the larger amount of glue logic needed compared to PDS, bus speeds decoupled from the actual 68k bus, etc.
 