Here is what I have been able to reverse engineer so far:
The bytes following the AppleTalk driver version are still somewhat mysterious.. After very long analysis of Responder responses from many Macintosh/OS/Software combinations, I found out that the third byte of the ATP payload is the ROM version of the Mac (as returned by the Gestalt Manager 'romv'). The following byte is even more interesting: With version 1.0 of the Responder extension, this is the model identifier of the Mac. With later versions, this is the model identifier incremented by 1 on most Macs. This is likely due to the "insertion" of a "Macintosh XL Plus" (probably a Lisa with MacWorks Plus) into the series of Macintosh models. The following bytes are still rather obscure, but appear to relate to the Mac model or responder version.
Towards the end of the packet, there are two more obscure bytes which appear to relate to the installed AppleShare (Client?) version. Maybe this is a 16-bit integer, a zero-length pascal string or just two separate bytes, but the first appears to be always 0 and the second some kind of version number or enumeration. But depending on this value, there is a further pascal string following with the short version string of the AppleShare Client extension installed on the system.
Possible meanings of 16-bit (?) AppleShare version:
0x00 AppleShared not installed (no string follows)
0x01...0x09: Undefined,
0x??: AppleShare version 1.0
0x0A: AppleShare version 1.1
0x0B: AppleShare version 2.0 Pre-Release
0x0C: ?? Pascal string follows (seen on System 7.1)
0x0E: ?? Pascal string follows (seen with AppleShare D1 3.8.8, Mac OS 9)
For anyone willing to assist to decode the unknown bytes at the beginning of the response packet, here are some examples with the strings omitted:
Mac Plus: 75 04 01 e0 7f ff 00 00 (System US-6.0.4, Responder 1.0.0)
Mac Plus: 75 05 01 e0 7f ff 01 00 (System 6.0.5, Responder 1.1.1)
Mac Plus: 75 05 01 e0 7f ff 01 00 (System US-6.0.4, Responder 1.1.1)
Mac Plus: 75 05 01 e0 7f ff 01 01 (System SD1-6.0.8, Responder 1.1.1)
Mac SE: 76 06 01 e4 7f ff 01 00 (System 6.0.5, Responder 1.1.1)
Mac SE: 76 06 01 e4 7f ff 01 01 (System SD1-6.0.8, Responder 1.1.1)
Mac SE: 76 06 01 e4 7f ff 02 01 (System SD1-6.0.8, Responder 2.0.3)
Mac SE: 76 06 01 c4 7f ff 01 00 (System US-6.0.8, Responder 1.1.1)
Mac II: 78 07 01 fc 3f ff 01 00 (System 6.0.5, Responder 1.1.1)
Mac II: 78 07 01 fc 3f ff 02 01 (System 7.1.1)
Mac SE/30: 78 0a 01 fc 3f ff 02 01 (System D1-7.1, Responder 2.0.4)
Quadra 700:7c 17 01 fc 3f ff 02 0a (Mac OS 8.1, Reponder 2.0.4, AppleTalk 60.3)
Quadra 800:7c 24 01 fc 3f ff 02 0a (System 7.1)
CC: 7c 32 01 fc 3f ff 02 01 (System D1-7.6.1, Responder 2.0.4)
PM 8550: 7d 45 01 ec 3f ff 02 0a (Mac OS 9.2.2, Responder 2.0.4)
PM 9500: 7d 44 01 ec 3f ff 02 0a (Mac OS 8.0, Reponder 2.0.4)
iMac G4: 7d 97 01 6d 3f ff 02 0a (Mac OS 9.2.2, Responder 2.0.3!, AppleTalk 61.0)
Here is a full packet received from a Macintosh SE, recorded using Wireshark. The ATP response packet (including user bytes) is shaded blue:
The first four bytes
01 00 00 10
are the ATP user bytes. The first byte indicates a SIP/Responder response packet. The third and fourth tell the version of the Responder INIT or protocol version (in later versions of the Macintosh System Software, the Responder was integrated into other system extensions). In our case the version bytes are
00 10
, indicating version 1.0 (?). With version 2.0.4, it would be
02 04
.
The first two bytes following the four ATP user bytes indicate the AppleTalk driver version. In our case
00 30
indicates version 48.
76
is the
ROM revision of the Macintosh SE
05
is its
model identifier (With later revisions of the Responder, this byte would be 0x06)