powerpc macs: exploring the firmware

Some things observed while browsing through Open Firmware boot monitor code on
an Apple Macintosh "New World" PowerPC computer:

Register usages discovered: Very important to know which cpu registers you can
use for your own probes. Also discovery of their normal usage provides a
partial outline of the computer's memory map - a vital prerequisite to more
detailed investigation.

Below are things observed when browsing while trying out "dis.of". No attempt
was made to confirm how much they conform to the ABI documented by IBM -- I
wasn't trying to be that systematic. However I noticed some of the lower level
stuff (which looks like it was compiled with C) seems to use r3 for function
args as per the ABI. Interrupts save r0-r3 and presumably restore them on rfi.

r20,r31  forth Parameter Stack. r20 is TOS (top of stack), 0(r31) is NOS
         (next on stack).
r21      used as temp NOS; avoids mem access when no need to change r31 stack
         depth (r21 is often free for your own use, as is the case with r0,
         r3, r4, r5)
r19,r30  forth Return Stack (similar implementation to forth parameter stack)
r26      Local variables frame pointer. Allocates/deallocates 32-byte frames.
r28      Base of fcode lookup table(s). fcode execution address = (fcode*4)(r28)
r25      Called "startvec"; most executable code is located between (r25) and
         (r16)
r16      'here' = start of unallocated user mem (%r16 always updated)
r17      always ends up = r16. %r17 pseudo-reg lags behind %r16, but an
         "unknown word" typed at forth prompt will bring it back in line.

Forth's %-prefixed register defs are not "live" except for the %fr (floating
point) registers which are copied on demand direct from the cpu registers. The
others only return what was dumped last time an appropriate exception
occurred. They, and the various breakpoint routines routinely listed in Open
Firmware glossaries, unfortunately exist to support the "client interface"
(BootX, OS X, Linux) but not the "user interface" (you, me and the forth
prompt). Thus .registers and .bp etc do not do for us what you might have been
hoping. However the 'debug' command does appear to update them as frequently
as you get the opportunity to look. Unfortunately they only work with standard
colon defs, not the code defs which show you how the registers are being used.

To update those pseudo-registers you need to generate a "program exception".
To do that outside of 'debug' you can
(a) make a silly mistake, eg type @ on an empty stack and maybe get one gratis
(b) deliberately trigger a processor exception, eg with "0 execute" or "3000 @"
(c) press Ctrl-Z, which is the most disruptive of these options on my eMac.
Also, the 'load' command will refresh them, no doubt in the expectation that a
"client" program (OS) is about to be launched.

A problem with the pseudo registers when you are trying to refresh them is
that they are usually being updated from the same place in the input loop
every time. Thus some registers, like r30 (return-stack pointer) could be
mistaken for a static pointer since it usually returns to the same address as
last time you looked. To make a live snapshot of the registers in action you
need azm. The simplest way is to find a code def which references the register
of interest, then use azm to intercept its control flow in such a way that the
register's current contents are dumped where they remain viewable back at the

One problem is that you don't want to change the contents of any register
which may be in use.

One way to avoid changing registers is to make use of their existing contents.
Since we know r16 always points to free memory, we can dump any register there
with, eg:

   <address> azm stw r24,0(r16)
   <address> azm stw r25,4(r16)
   <address> azm stw r26,8(r16)
   ... etc

then, immediately afterwards, view the snapshot with

   here 20 dumpl      ( use 'dump' if you don't have 'dumpl' )

Or, you can make an instantaneous snapshot of ALL gpr's at a single stroke
with the instruction:

   <address> azm stmw r0, 0(r16)

(If you are doing it via telnet, I suggest you first type 'align' then use an
offset of 10 rather than 0 as 'here' has a tendency to creep up in the
background, zapping unallocated memory as it goes, when you are accessing open
firmware via a remote terminal)

However the main problem is that overwriting some of the instructions we are
trying to study is not only bad science, but will probably crash the computer,
which means we never get to see the results.

To do it properly, you need to write a "patch" using asm, then divert the live
code to it using azm. It is fairly simple in theory. You use asm to write a
code-def in the normal way. You copy the instruction you are going to
overwrite from the code being investigated into your new code def. You then
add your register dump instruction(s), and wind up with 'asm b address' back
to the address of the instruction immediately following the instruction you

Because your code def ("the patch") ends with a "b" as opposed to "bl"
instruction, you terminate its definition with "end-code" instead of the
normal "c;"

You then go to the code about to be patched and type "azm b <address>",
substituting the execution address of your own code def for <address>. You
need to be clear about the distinction between a branch instruction's address
(its own location in memory) and its target address (the address a b or bl
instruction will branch to when executed).
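The address-versus-target distinction above, and the patch layout the post describes (copied instruction, register dump through r16, 'b' back), as an added example that is not code from the original post: it encodes and decodes the stw/stmw and b/bl words that azm would write, so a patch can be checked on paper before it touches live firmware. The addresses, the copied mflr instruction and the r16 base register are constructed sample values, not anything measured on the author's eMac.

```python
# Added example, not code from the original post: encoder/decoder for the
# PowerPC instruction forms the post feeds to azm (stw, stmw, b/bl).  All
# addresses and the copied instruction are constructed sample values.

def encode_branch(insn_addr, target, link=False):
    """I-form 'b'/'bl' (opcode 18): displacement is relative to the branch's
    own address, not to the instruction that follows it."""
    disp = target - insn_addr
    if disp % 4:
        raise ValueError("branch target must be word aligned")
    if not -(1 << 25) <= disp < (1 << 25):      # 26-bit signed displacement
        raise ValueError("target out of reach of a relative branch")
    return (18 << 26) | (disp & 0x03FFFFFC) | (1 if link else 0)

def decode_branch(insn_addr, word):
    """Return (mnemonic, target) for an I-form branch word at insn_addr."""
    if word >> 26 != 18:
        raise ValueError("not an I-form branch")
    disp = word & 0x03FFFFFC
    if disp & 0x02000000:                        # sign-extend bit 25
        disp -= 1 << 26
    aa, lk = (word >> 1) & 1, word & 1
    target = disp if aa else insn_addr + disp
    return "b" + ("l" if lk else "") + ("a" if aa else ""), target & 0xFFFFFFFF

def encode_store(rs, offset, ra, multiple=False):
    """D-form 'stw rS,D(rA)' (opcode 36) or 'stmw rS,D(rA)' (opcode 47);
    stmw stores rS..r31 consecutively, i.e. the post's whole-GPR snapshot."""
    if not (0 <= rs < 32 and 0 <= ra < 32):
        raise ValueError("register number out of range")
    if not -32768 <= offset <= 32767:
        raise ValueError("offset must fit a signed 16-bit displacement")
    opcode = 47 if multiple else 36
    return (opcode << 26) | (rs << 21) | (ra << 16) | (offset & 0xFFFF)

def build_intercept(patch_addr, copied_word, resume_addr, base_reg=16):
    """Words of the post's patch in memory order: the instruction displaced
    by the diversion, 'stmw r0,0(rBASE)' through the free-memory pointer,
    then a plain 'b' (not 'bl', so the link register is left alone) back to
    the instruction that followed the overwritten one."""
    if copied_word >> 26 in (16, 18) and not (copied_word >> 1) & 1:
        raise ValueError("a relative branch cannot be copied to another address")
    words = [copied_word, encode_store(0, 0, base_reg, multiple=True)]
    words.append(encode_branch(patch_addr + 4 * len(words), resume_addr))
    return words

def diversion(patched_addr, patch_addr):
    """The single word that 'azm b <patch>' writes over the patched instruction."""
    return encode_branch(patched_addr, patch_addr)

if __name__ == "__main__":
    patch = build_intercept(0x00810000, 0x7C0802A6, 0x00801004)  # copied: mflr r0
    print("diversion at 00801000: %08X" % diversion(0x00801000, 0x00810000))
    print("patch words: " + " ".join("%08X" % w for w in patch))
```

The check in build_intercept matters in practice: an instruction that is itself a relative branch cannot be moved into the patch unchanged, so such a site has to be left alone.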

Then execute the patched definition as normal. There should be nothing to
indicate anything out of the ordinary has happened. If there is, you made a
potentially serious mistake and should immediately type 'reset-all' if
possible, otherwise briefly power off and restart. Assuming nothing of the
kind happened, copies of the register contents dumped by your intercept should
be viewable using dumpl in the normal way.

Don't forget to repair the altered code back to its original form before you
define anything else. If you are unable to do so (because the instruction you
were going to copy scrolled off the screen, for example), wind up your session
by typing 'reset-all' before doing anything else (apart from examining the
register contents just captured).

I started trying to write more detailed instructions using examples, but I
abandoned the attempt because I couldn't even type them in myself without
making errors. The chances of anyone trying to cope with an unfamiliar
interface, unfamiliar language and unfamiliar cpu all at the same time without
making a critical mistake is just about zero. However as you gain familiarity
and confidence through simpler usage, you will eventually acquire the know-how
and confidence to do it your own way in response to comprehending the logic of
how it is done.

Don't underestimate the importance of being able to nut through the simplest
code defs. Pay particular attention to the way the return and parameter stacks
are implemented. Hint: the cpu saves return addresses in the link register
which will be overwritten by the next bl instruction unless they are handled
appropriately. If you can't make sense of simple definitions like

' @ dasm
' r@ dasm
' r> dasm

then you will gain nothing more than the conviction that "this stuff doesn't
work" when trying to intervene in the operation of more complex ones.

It's worth persevering with, but it requires more than comprehension.
Assembler (not to mention forth) needs practice and skill at recognizing and
manipulating its symbols. It's like algebra in that respect. If you're finding
it hard, you probably skipped something you would have been better off
becoming more comfortable with first.

Here is something I wrote to list my eMac's fcode names, to take advantage of
my discovery that r28 points at a table of pointers to fcode routines.  Note
the dependency on .label which is defined in "dis.of".

\ "list-fcodes"
\ should terminate with "invalid memory access" on encountering invalid
\ table entries. Gaps in name column indicate valid but concealed defs.
\ fcodes above 241 = non-standard, often vendor-specific codes
\ Try it out with (eg):   %r28 list-fcodes
: list-fcodes ( ptr -- ) ( ptr = starting addr in table of addresses)
  cr ."  vector  fcode    xt    name"
  cr ." ----------------------------"
  cr BEGIN
    dup . 2 spaces
    dup %r28 - 4 / . space   \ %r28 = base of fcode vector table(s)
    dup @ ['] ferror = IF    \ ferror = dflt for unused table entries
      "    -- " type         ( for first instance in run of ferrors)
      BEGIN  cell+ dup @ ['] ferror <> UNTIL \ ignore rest of run
    THEN
    dup @ .                  \ xt of this entry
    dup @ .label             \ name, if its header survives
    cell+                    \ advance to the next table entry
    cr exit?                 \ use keyboard to pause, stop or continue
  UNTIL                      \ THEN, cell+, UNTIL, drop ; reconstructed:
  drop ;                     \ the posted listing stops at exit?
If you add the following extra line to the definition of .label in "dis.of",
it will unlock more of the missing labels. The few that remain with blanks in
the name column have had their labels stripped -- the firmware's ultimate
level of concealment.

\ optionally insert new first line below colon header of .label def in dis.of
   dup 4 mod IF cell- THEN  \ uncovers b()-word headers in (%r28) list


1/28/2010 12:19:45 PM
comp.sys.powerpc.tech