Another IIci ROM hack

1021 replies to this topic

#1 dougg3

  • 6502

Posted 23 July 2011 - 04:35 AM

[mod mode]

Introduction: by jt/Trash/Trash80to . . . whatever!

dougg3 has made the most incredible introductory post to date, period! It's quite the saga of creative hackery and collaborative effort by the 68kMLA Technical Unit's Boffins and a lot of cheerleading by the rest of us in the peanut gallery.

At p.17 a consensus was reached regarding the necessity for an index to this thread: for those wishing to read it in whole, for the rest who might want to take a peek at the highlights before diving in head first, and for the participants, to ease their search for the incredible amount of content produced along the way in dougg3's creative quest.

dougg3's left at least two of the "impossible dream" boot sequence hacks, windmills if you will, shattered along his path and the SAGA continues!

Kudos to dougg3, and a special commendation for his incredible achievements on his intrepid quest.

Where'd Dulcinea get to? :o)

[/mod mode]

  • First post (DIP ROM sockets, custom floppy disk blinking question mark icons)
  • ASC tomfoolery
  • Custom synthesized startup sound (first few notes of Mario tune) and beginning of sampled startup chime adventure
  • Sampled startup chime (newer Mac startup sounds)
  • ROM SIMM preliminary discussions and brainstorming
  • Reverse-engineering Apple ROM SIMMs
  • trag's SIMM design
  • tt's IIsi ROM SIMM X-ray image
  • Initial order of ROM SIMM rev. 1
  • olePigeon's Jolly Roger logo
  • Integrating the Jolly Roger into the SIMM PCB rev. 2
  • Arrival, assembly, and troubleshooting of the rev. 1 SIMM PCBs
  • Super long Mario startup chime to test expanded ROM capacity
  • Brainstorming for programmability without the need for a chip burner and designing rev. 2 with that in mind
  • tt's SE/30 with Power Mac startup chime
  • Summary of changes in rev. 2 and later, additional changes
  • Final SIMM rev. 2 ordered
  • SIMM rev. 2 arrival, the fight with assembling it, and eventually success
  • IIci troubleshooting and power supply testing
  • Back to programmer board R&D (and other expansion brainstorming)
  • olePigeon's customized ROM

Hello everyone,

This is my first post, happy to have discovered this place! I've been lurking for the past weeks while working on my project. A year or so ago a coworker and I who are both classic Mac geeks were talking about how cool it would be to take a 68k Mac's ROM and modify it. We were mostly talking about changing the startup chime (but before anyone starts getting excited, I'm nowhere close to that yet).

A few weeks ago I got to thinking about it again and decided to do it. I have a couple of IIcis as well as several other machines, but I figured that the IIci would be a good one to play with since I have two of them so I can troubleshoot in case something goes wrong. When I was searching for info about pin-compatible chips for the IIci's ROMs, I stumbled upon these forums. In particular, I found Dennis Nedry's posts about his IIci ROM hacking. I thought it was pretty cool that someone else had already begun on a similar project, but I still wanted to do it myself as well. I'm not doing anything that will give my IIci more ROM capacity--just messing with the ROM.

I took the lesser of my two IIcis (won't power on unless it's been unplugged for a half hour and the sound is faint -- pretty sure it just needs new capacitors and a good cleaning) and started hacking on the motherboard! Removed the DIP ROMs intact with my trusty desoldering gun, replaced them with DIP sockets, and copied their contents over to some almost-pin-compatible flash chips (Greenliant GLS27SF010, formerly SST27SF010) using a Willem programmer. I would have forgotten about the floating programming pins if I hadn't read Dennis Nedry's posts--thanks for that! Got the IIci to boot from them, so I was in business to start customizing.

Anyway, I'm aware the IIci has a synthesized startup chime so it's probably not the best candidate for hacking that. I started disassembling the ROM using GNU binutils and some other free disassembler I found for Windows, but I lost my patience somewhere around where it was first writing to the VIA1 chip, and believe me, that's not very far into the boot process. It's tough to figure out exactly where the synthesized chime is generated. I decided to go for a simpler task and customize some of the startup icons.

I changed the floppy disk with blinking question mark icons to an alternating white and black Apple logo, redid the checksum (once again, credit to Dennis Nedry for his ROM checksum calculator!) and booted it up -- and here are the results!

I'm not sure if I'm going to go anywhere else with this project, but I just thought I'd share my initial IIci ROM hack. If anyone has any ideas about how to mess around with the IIci's synthesized sounds, I'd love to hear them, but I'm pretty sure the answer is going to be "disassemble it and find where the sounds are generated."

Attached Thumbnails

  • IMG_0223_shrunk.jpg

#2 techknight

  • 68LC040

Posted 25 July 2011 - 04:11 AM

Well, if you did disassemble it, and you had access to the IIci address map, and where all the hardware was mapped, address registers, etc., you could set up the disassembler with the proper mnemonics to find it easier. I think this can be done in IDA.
Main PC: Intel core I7 920, MSI x58 platinum, Radeon4850
PB: tibook G4, ibook G4, ibook g3x2, Lombard, 160, 165, 180, 180c Duo 2300x2, Duo 270c x2, 520cPPC, 3400c, 1400c
Desktop: G3AIO, SE, SE/30, 512k, plus, LCIII, iMac G4, iMac intel, 6400/225

#3 dougg3

  • 6502

Posted 25 July 2011 - 05:11 AM

Funny that you mentioned that -- I have been looking at more stuff on the memory map today. The IIci's memory map isn't really well documented in Apple's developer notes for it (at least as far as what goes where in the I/O region).

However, they do say in the IIsi's developer notes that the Apple Sound Chip is located at addresses 0x50014000 to 0x50016000. The IIci is probably the same, or at least similar...I'll keep doing some digging to see if I can find any accesses to addresses like that.

The sound chip can do four simultaneous synthesized voices -- I'm guessing the IIci's chime of death (quick chord, then an arpeggio building back up to a chord) is using one of the voices for each note.

I love IDA--I've tried the free version on x86 code before and it's great with how it interactively disassembles code as you go. It's just too expensive for me to be buying it for this project :( Although I admit, it would be a great tool to have for more than just classic Mac hacking, so there might be some serious value in getting it someday. For now I will try my best with binutils and IRA-pc, which is another free disassembler.

On an unrelated note about my IIci: I replaced all the electrolytic capacitors, both surface mount and through-hole, and also cleaned up the leaked electrolyte with 99% isopropyl and a toothbrush. The faint audio and power on problems are both completely gone, so it's perfectly ready for some ROM hacking! Also, the hard drive I had in it wasn't spinning up, so I gave it a smack with the handle of my screwdriver while it was powered up, and now it's working perfectly even after several power cycles. Gotta love it.

#4 Trash80toHP_Mini



  • 68040
  • Location: Bermuda Triangle, NC, USA

Posted 25 July 2011 - 02:57 PM

Nice FirmWare Hack! I haven't seen it, as I refuse to load flash, but I can well imagine it.

Thanks for the link to the IIsi DevNote, I spent some time scrounging around for my old download of it just last night and, lo and behold, here it pops up for me again!

Gracias, and welcome to the 68kMLA, dougg3!

edit: I just wondered if there's any way to loop those two images to get a continuous grayscale evolution from one to the other?
jt [8]
Trash Hauler: call sign: eight-ball

C.O. AC130H SpecOps 68kMLAAF

#5 dougg3

  • 6502

Posted 25 July 2011 - 11:38 PM

Haha, glad to have assisted you with the IIsi dev notes! I tried to find ones for the II, IIx, and IIcx, but they don't seem to exist at least on Apple's page. For future reference here is a list of them:

http://developer.app... ... ware2.html

The main trickiness about doing the grayscale fade is that the icons are black and white, no grayscale at all. Each icon is 128 bytes of 1-bit icon data followed by 128 bytes of 1-bit mask data. I did find the routines that print them out so it might be plausible to play with that, but grayscale would probably be tough to do. I might be able to do some crude grayscale dithering in black and white if I can find some empty space in the ROM to store more icon data though.

More info on the sound chip front -- I realized that the IIsi's dev notes not only say that the sound chip is at 0x50014000, but they also say that the space from 0x50000000 to 0x5003FFFF repeats inside of 0x50000000 to 0x50FFFFFF. This means that the sound chip should be mapped at:

... to

I took a look at NetBSD and Linux device drivers for the Apple sound chip. They aren't very functional, but they tend to access 0x50F14000, which is one of the addresses in that sequence. This confirms my suspicion that the sound chip address is standard across many Mac models. There are also several references to that address in my disassembly. So there may still be some hope for playing with the startup and/or death chimes!
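The mirroring described in the post above, worked through as an added example (not code from the thread or from any of the tools it mentions): it folds any I/O address onto the first 256 KiB block, then scans a ROM image for word-aligned 32-bit constants that alias the sound chip window. The function names, the sample bytes, the `0x40800000` load address and the treatment of `0x50016000` as an exclusive end are assumptions.

```python
import struct

# Figures quoted in the post from the IIsi developer notes.
IO_BASE = 0x50000000     # start of the I/O region
IO_END = 0x50FFFFFF      # last address of the region (inclusive)
BLOCK_SIZE = 0x40000     # 0x50000000-0x5003FFFF repeats across the region
ASC_START = 0x50014000   # Apple Sound Chip window, first address
ASC_END = 0x50016000     # assumption: treated as exclusive


def canonical(addr):
    """Fold an I/O address onto its alias in the first block."""
    if not IO_BASE <= addr <= IO_END:
        raise ValueError(f"{addr:#010x} is outside the mirrored I/O region")
    return IO_BASE + (addr - IO_BASE) % BLOCK_SIZE


def mirrors(addr):
    """Every address in the region that decodes to the same register."""
    return list(range(canonical(addr), IO_END + 1, BLOCK_SIZE))


def is_asc(addr):
    """True if addr, at any mirror, lands inside the sound chip window."""
    if not IO_BASE <= addr <= IO_END:
        return False
    return ASC_START <= canonical(addr) < ASC_END


def find_asc_refs(image, load_addr=0):
    """Return (location, raw value, canonical value) for each candidate.

    68k instructions are word-aligned, so only even offsets are checked.
    Hits are candidates: plain data can contain the same bit pattern, so
    each one still has to be confirmed in the disassembly.
    """
    hits = []
    for off in range(0, len(image) - 3, 2):
        (value,) = struct.unpack_from(">I", image, off)
        if is_asc(value):
            hits.append((load_addr + off, value, canonical(value)))
    return hits


# Constructed sample, not bytes from a real ROM.
SAMPLE = bytes.fromhex(
    "4E71"            # NOP
    "41F950F14000"    # LEA $50F14000,A0  (sound chip, high mirror)
    "4E71"            # NOP
    "43F950F00000"    # LEA $50F00000,A1  (I/O region, not the sound chip)
    "45F950014800"    # LEA $50014800,A2  (sound chip, first block)
    "4E75"            # RTS
)

if __name__ == "__main__":
    print(f"{len(mirrors(ASC_START))} mirrors of {ASC_START:#010x}")
    for loc, raw, canon in find_asc_refs(SAMPLE, load_addr=0x40800000):
        print(f"{loc:#010x}: {raw:#010x} -> {canon:#010x}")
```

Folding to the canonical address before comparing means a reference through any of the 64 mirrors is caught, not only the `0x50F14000` form the NetBSD and Linux drivers use.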

#6 Trash80toHP_Mini



  • 68040
  • Location: Bermuda Triangle, NC, USA

Posted 25 July 2011 - 11:55 PM

IIRC, everything up to the IIfx is covered in Guide to the Macintosh Family Hardware, Second Edition. It's stored on very old fashioned wood pulp based media!

I'm not sure I've ever seen this data in electronic format . . .
. . . but I think I know someone who can get it to you in .jpg format if you'd like those specs. :lol:

PM me! ;)

#7 dougg3

  • 6502

Posted 26 July 2011 - 01:04 AM

Wait, are you talking about that ancient stuff that they used for printing PDFs before the era of the iPad? I think I vaguely remember that media...my brain can't seem to think of what it was called, I think it started with a P ;-)

Ahhh...that is what I feared! I looked all over for that book yesterday and all I could find were expensive used copies on Amazon. I did pick up a copy of "Designing Cards and Drivers for the Macintosh Family" on eBay but it hasn't arrived yet--not sure what it'll have in it anyway. I will definitely be getting in contact with you!

#8 techknight

  • 68LC040

Posted 26 July 2011 - 02:42 AM

No, it's not in that designing cards book. It might be, but I have a copy of it, and all it talks about is NuBus pretty much, and the SE/30 bus.

#9 dougg3

  • 6502

Posted 26 July 2011 - 03:14 AM

Ah, rats. Thanks for the info. Oh well, it won't hurt to have the book anyway.

#10 olePigeon

  • 68LC040

Posted 28 July 2011 - 12:45 AM

I'm excited about your project. I'd love to change my IIci's firmware. Change the Happy Mac icon into a Happy IIci Mac icon. :)

I'd put the TAM's startup bong on every Mac I have. :p

#11 dougg3

  • 6502

Posted 28 July 2011 - 03:46 AM

Hi there! I should be able to change the Happy Mac -- I like the happy IIci idea! The TAM startup chime is definitely cool, but I think if I had the choice I'd use the Performa 6200 startup chime. There's something about that one that I really like...and its death chime rules too. "Dun dun DUN!!!"

I've made some interesting progress. I was thinking about taking in the IIci to work and using a logic analyzer to examine which ROM addresses were being accessed during the startup chime, but I may have found even more useful information than that. I downloaded MPW hoping to see if it has a disassembler. I was surprised to find that MPW includes ROM maps of many of the 68k Macs, including the IIci. The code I had found which referred to the ASC is actually one of the labels in the ROM map, called BOOTBEEP6. There are several labels nearby:

ERRORBEEP1 through 4

I may be on to something here...if I hit the programmer's switch and use MicroBug to jump to SYSTEMBEEP, I get the system beep sound. If I jump to any of the others directly, I either get weird crashes or nothing happens. The assembly seems to imply that a jump to those would happen from somewhere earlier, because it's using values in other registers which aren't initialized under those labels so it's not a surprise that it crashes. However, I did find labels called ERROR1HANDLER through ERROR4HANDLER which seem to correspond to ERRORBEEP1 through 4. When I jump to those, I do get very interesting stuff, including two weird death chimes that begin with different notes (I've never heard these before, maybe one of you has?). I guess I could just be triggering a nasty error that indirectly forces the IIci to play the chimes of death, but I'm hoping that this is what these routines are supposed to do.

So here's another YouTube video with the results of these sounds:

I haven't figured out a way to force it to play the startup chime yet.

Edit: Here we go! I found an address to jump to in order to play the startup chime (0x408435BC). Now that I have a starting point that isn't dependent on any previous code (to my knowledge), it should be possible to figure out what the code is doing. Woohoo!

#12 Dennis Nedry

  • 6502
  • Location: Jurassic Park Visitor Center

Posted 29 July 2011 - 03:42 AM

Very cool stuff! If you change the startup sound, I would love to try it on my ROM hack IIci!
Dennis Nedry's 68kMLA Wiki Userpage, including my extensive Mac collection.
Dennis Nedry was an awesome Mac hacker, but I hack Macs in his name to preserve, not to destroy.

#13 dougg3

  • 6502

Posted 30 July 2011 - 05:29 AM

Thanks! I'll definitely let you know. I've started disassembling the sound functions, but I don't have any real progress to add yet.

Unfortunately I've run into a small snag related to my IIci's hardware. It appears my Astec power supply has bitten the dust! Today I changed out the ROMs (more on that in a sec) and tried to boot the IIci up, and the power buttons didn't work (neither the rear power button nor the keyboard power). The power supply fan didn't turn on or anything. I checked the power supply's connector with my multimeter, and the +5V continuous pin is not showing any voltage. I cautiously plugged in the GE power supply from my other IIci and it does work (and of course, it is also showing the +5V continuous voltage when I test for it). The Astec power supply will not power my other IIci either (obviously, since I'm not seeing the +5V continuous). I tried the keyboard power button trick with a power strip but it's not working. Maybe a deeper problem...

The only change I made since the last time the Astec supply worked was:

I changed my EEPROMs from the GLS27SF010 to the GLS29EE010. The only difference in pinout is the 27SF010 has a VPP pin (which I connected to VCC -- an allowed configuration for read mode according to the datasheet), while the 29EE010 is supposed to be NC on that pin. I didn't change my hack job on the motherboard when I switched to the new EEPROM, so I left that pin at VCC even though the datasheet says NC. I checked to be sure that the pin isn't a ground pin (it's not). Hopefully I didn't royally screw something up by not disconnecting that pin on the motherboard. The new chip does work in that configuration with my good IIci power supply, so I'm guessing that it had nothing to do with the Astec failure, but I thought I'd throw that out there because it did happen at the same time. However the last time I had successfully tested that power supply was yesterday, so I don't know at what point the power supply quit working.


#14 dougg3

  • 6502

Posted 31 July 2011 - 06:23 AM

I walked my way through the sound synthesizing function which is used by both the startup chime and the death chime. I still don't really understand it much yet, but I did find some kind of a delay timer that it reads from the data passed in to it. It appears to set how fast the notes change or something along those lines. For the startup chime it was at 13, so I changed it to 255 and booted my custom IIci with the good GE power supply. Here are the results:

It's a start...I'll keep working my way through the code!

Anyway: I checked out my bad Astec power supply and both the fuses are good on it according to my continuity tester. I guess that's probably a good thing. I have the power supply completely out of the case and I don't see anything obviously wrong with it. I'm thinking I might try replacing that D15 diode as mentioned in the wiki, since my 5V always-on is no longer there. But wouldn't that have been a gradual failure rather than all of a sudden not working? Anybody have any ideas on how to troubleshoot this one? Is it even worth it to bother? I tried manually putting 5V from my bench power supply onto pin 9 before I took it apart, but nothing happened. Would that be a legitimate way to try to force the power supply to start up if it's not giving me 5V on pin 10? As you all can probably tell, I'm not much of a hardware guy.

#15 tmtomh

  • 6502
  • Location: Philadelphia, PA, USA

Posted 31 July 2011 - 03:27 PM

Very cool hack! I really like the long startup chime.

#16 dougg3

  • 6502

Posted 02 August 2011 - 02:05 AM

Thanks! Latest update is that I have gone through all the synthesized sounds in the ROM, by modifying the IIci's ROM to play THEM rather than the startup chime at boot.

BOOTBEEP is a frontend that calls BOOTBEEP6, which is the startup chime. I think the ROM directly jumps to BOOTBEEP6 during startup, though, because BOOTBEEP needs a stack (and therefore RAM) set up (it uses the RTS instruction at the end).
ERRORBEEP1 is the initial chord you hear in the error chime.
ERRORBEEP2 is a single tone, what you hear at the beginning of the first of the two "weird" error chimes I posted on YouTube earlier
ERRORBEEP3 is the tone from ERRORBEEP2 followed by another higher pitched tone (it's what you hear at the beginning of the second of the two "weird" error chimes I posted)
ERRORBEEP4 is the familiar arpeggio error tone (but without the chord at the beginning).

So the ERROR#HANDLER functions do not directly correspond to ERRORBEEP 1 through 4. Instead, they make use of combinations of them to play different error tones.

Each one of these five sounds is represented by a set of data that's passed to a function that sets up the Apple Sound Chip and plays it. The startup chime, death chime begin chord, and death chime arpeggio are each 32 bytes long. Amazing, if you ask me.

I now pretty much understand the idea behind the sound synthesis function, as far as the basic structure of its main loop. I still have no idea what it's doing in the sound chip (or why) though. One piece of data says how long between iterations in the synthesis (that's what I changed to make the slow chime), one says how many iterations before you move on to the next sound to play, and one says how many iterations until the sound should stop playing. Unfortunately, I do not understand wave table synthesis at all, so it's going to be tough to come up with my own sounds or fully understand what's going on in the code until I learn a bit more about it. I found another good reference as to what some of the registers in the Apple Sound Chip do in the MESS source code. It'll be interesting to try to figure out how the sound chip works!

#17 Trash80toHP_Mini



  • 68040
  • Location: Bermuda Triangle, NC, USA

Posted 02 August 2011 - 02:42 AM

Sorry I haven't gotten the info to you that I promised yet. I've had 0 time, but I did have another thought: I'll bet what you're looking for is a lot more likely to be in the programmer's reference library than in the Hardware spec.

I saw a wave table chart in the earlier sound system reference material, but nothing in the ASC reference material.

Have you got "Inside Macintosh" or whatever it was called? If not, maybe another comrade could check that out for you, meanwhile I'll check out my Developer CDs for Sound Related Titles.

#18 dougg3

  • 6502

Posted 02 August 2011 - 04:38 AM

Hey not a problem! I've been keeping busy disassembling stuff anyway :) Like I said I'm not in a hurry, and it's possible that GTTMFH won't even have what I'm looking for anyway...

I did take a look at Inside Macintosh: Sound (Apple seems to have PDFs of it -- google for site:developer.apple.com "IM: S"), but it is talking about the Mac toolbox, and I didn't see anything about talking directly to the sound chip. It's possible that some of the stuff will still be relevant though...they do have a little info on wave tables. Perhaps that'll help me figure out what I'm doing.

#19 olePigeon

  • 68LC040

Posted 02 August 2011 - 06:58 AM

Here are the results:

It's a start...I'll keep working my way through the code!

Awesome! :D The potential for this hack is unbelievable. I know it's just changing the startup sound, but I've always wanted to do that. I'm just not a left-brain person, so a lot of these concepts are just beyond me. Probably why I have a liberal arts degree. :p

So, does the ROM have separate chords, then you modify the ROM to change which chord and how long it plays?

Out of curiosity, would it be possible to modify the ROM so that later generation G4 Macs could natively boot OS 9?

#20 bbraun

  • 6502

Posted 02 August 2011 - 10:53 PM

I did take a look at Inside Macintosh: Sound (Apple seems to have PDFs of it -- google for site:developer.apple.com "IM: S"), but it is talking about the Mac toolbox, and I didn't see anything about talking directly to the sound chip.

IM Volume II's Sound Driver section may be relevant.
Although the toolbox routines are not available, the device driver should exist in ROM and you might be able to call it directly. Or at least look up where it resides, and see what it is doing. It's documented as being element 3 of the unit table.
