https://www.downtowndougbrown.com/2023/11/how-apples-developers-reflashed-mac-roms-in-the-90s/ Downtown Doug Brown Thoughts from a combined Apple/Linux/Windows geek. * Home * About * Mac ROM SIMMs * Software * Microcontroller lessons * Contact Nov 25 How Apple's developers reflashed Mac ROMs in the '90s Doug Brown Classic Mac, Mac ROM hacking 2023-11-25 After I wrote about the possibility of programmable Mac ROM SIMMs in Quadras a couple of months ago, I suspected that there had been a way for developers at Apple in the 68k Mac era to reflash the ROM in their Macs during development, just like BIOS updates on PCs. The reason I believed this is because the ROM SIMM socket in the Quadras brought out pins for 12V (VPP) and write enable (/WE). I had verified that the write enable pin was going into the memory controller chip in several Mac models, so I was pretty confident that in-system programming was possible. As luck would have it, multiple people pointed out to me that an Apple internal utility used for ROM flashing had been uploaded to the Macintosh Garden. It was recovered from a prototype PowerBook 520 purchased in 2020. Of course, I had to download this utility and figure out how it works. [image] I ran it on my LC 475 and this is what it looked like: [image-1] Here's the About dialog, identifying Carl C. Hewitt as the author: [image-2] As you can see, it says the SIMM type is "Read-Only ROM" and the Program button is grayed out. This makes perfect sense, because it was just detecting my logic board's mask ROM chips which are definitely not programmable. All I was able to do was go to the File menu and choose "Save Onboard ROM..." to dump my existing ROM. It defaulted to a filename of "Saved RomMondo". Then I could use the Verify button to show that my onboard ROM matched the dump: [image-3] This is all very interesting, but I wanted to see what it was like to actually flash a new ROM image. I wasn't really sure where to begin though. Would this utility even support any of my Macs? What kind of ROM module would I need? What would it take to get that Program button enabled? In order to answer these questions, I had no choice but to start disassembling the Flasher(tm) utility. Fortunately, a lot of the functions in the program had their names present as a string directly afterward so it gave me some context about what was going on. The holy grail was when I discovered this big table of entries for compatible ROMs. The names of these table entries, and the table itself, were assigned by me. [image-4] A lot of the entries in this table are PDS cards. You can even see in the main UI screenshots above that there was a separate "PDS ROM Info" section on the right. I would love to see an example of what these PDS cards looked like, if anyone out there has some inside knowledge they would be willing to share! Let's look at one of the SIMM entries in detail: QuadraSIMM1. [image-6] This contains a lot of info, and I had to do further disassembly throughout the program to understand what everything meant. 0x89898989 and 0xBDBDBDBD are the flash manufacturer and device ID, repeated four times because four 8-bit chips will respond at a time on the 32-bit data bus. 0x89 is Intel's JEDEC manufacturer ID and 0xBD is the device ID for their 28F020 256-kilobyte flash chip. 0x40400000 is the base address for ROM write cycles, 0x40800000 is the base address for ROM read cycles, and 0x100000 is the size of each set of four chips (1 MB). This particular SIMM appears to have 2 banks, so it is likely a 2 MB SIMM with 8 flash chips. After that, there are various flags for special options, and a jump table for functions to perform different operations like checking presence of the SIMM, erasing, and programming. I won't go too far into the weeds about what it all means, but the other interesting part is at the end of the structure, which contains a NULL-terminated list of allowed gestalt machine IDs. We determined in my 68kmla post that the IDs listed above that don't have names are simply unreleased variants of the other models for the most part. For example, 86, 90, 93, and 95 are gestalt IDs for unreleased variants of the LC 475 and Quadra 605 running at 20 MHz and 33 MHz instead of the final 25 MHz version. So what does all this info tell us? Well, there is code elsewhere in the program that loops through the entire table one-by-one trying to determine if any items in the table are installed in the Mac it's running on. Looking through this table allows me to get an idea of which Macs this program is compatible with as well as which flash chips a compatible ROM SIMM would need to use. In the case of Quadras, it appears that a wide variety of them are all supported by the same code. The 700, 900, 950, 610, 650, 800, 475, 575, 630, and 580 are all handled by the table entry depicted above. There are also similar table entries for a 4-chip Intel 28F020 SIMM and 4- and 8-chip AMD 28F020 SIMMs. The 660av and 840av are supported by a couple of separate table entries for 8-chip 28F020 SIMMs with Intel and AMD parts. If you want to learn about other compatible Macs, see the 68kmla post I linked earlier. Before I get people's hopes up too far, this utility doesn't support earlier Macs like the SE/30 or II series. The only exception to that is the IIvx/ IIvi/Performa 600. It was around this time that I made a stupid mistake with my multimeter while checking out the SIMM /WE pin, and I think I fried it on my LC 475 by accidentally shorting it to 12V. They are right next to each other in the socket. My bad! Since then, I've bought another logic board for it so I can continue my experiments. Even though I now have a new logic board in my LC 475, I've moved over to doing most of my research on my Performa 630 instead. [630-1024x493] At least my mistake gave me the opportunity to show this machine off. Notice that it's a Performa 630; not a Performa 630CD. See that thing that suspiciously looks like a CD-ROM drive on the left? It's not. It's a blank cover to put something in the opening where the CD tray would come out. This is what the 630 series machines looked like when they didn't come from the factory with a CD drive. And yes, as I'm sure many others did too, I pressed the button thinking the CD tray would come out. If you push the button hard enough, it gets stuck back in there. Don't ask me how I found that out. Anyway, the next step was to figure out how I could find a compatible SIMM to try this program out with. The programmable SIMMs that I designed in the past wouldn't work. None of their chip IDs match, and my pinout for write enable was different. Not to mention they don't properly disable the onboard ROMs. Looking deeper, modern flash chips use different programming commands and algorithms than the chips Apple supported anyway. You may remember that I mentioned in my last post about Josh Watson finding an Apple programmable "Lobos board" SIMM on eBay a while ago. Here's the 68kmla thread about that if you're interested. Josh's pictures clearly showed a board with four Am28F020 chips -- one of the known compatible chip arrangements based on my disassembly. His pictures were detailed enough, and I'm familiar enough with the 64-pin ROM SIMM pinout, that I was able to reverse-engineer the entire PCB by looking at the pictures. I designed a replica in KiCad. It's not exactly identical, but it's very close to it. [LobosReplicaFinalTop-1024x319] [LobosReplicaFinalBottom-1024x322] It's a 4-layer PCB just like the original. That sure makes routing ground and 5V a lot easier! I ordered five boards. In the meantime, I also ordered some new-old-stock Am28F020-120 chips on eBay. Then I just had to wait for things to arrive and put it all together! [assembledpcb-1024x380] There was still a challenge to solve though. I needed a way to put an initial ROM image onto this thing. You can't program it in-system if it's blank. As soon as it's inserted into the ROM SIMM socket, it disables the onboard ROMs. Plus, it's not compatible with my SIMM programmer because it needs 12V for VPP, and /WE is in a different place. You need to use something else to bootstrap it. That's why I installed PLCC sockets on it rather than soldering the chips down. I used my XGecu T56 programmer, which helpfully also provides the ability to interleave a file across 4 chips: [prog-1024x523] [image-7] By the way, I did notice an annoying issue with this programmer and the Am28F020 while I was playing around with it. If I tell it to erase the chip, it doesn't fully erase. Most of the bits erase, but a few of them don't. I have to erase twice in order to fully erase the chip. I tried contacting XGecu about this issue but they didn't respond to my question. My guess is XGecu made a small mistake in the erase algorithm. Even though my SIMM programmer is unable to program these chips, I was still able to use it to test the programmed SIMM contents and make sure they matched the stock 630 ROM. This made me feel much safer about sticking an untested PCB design into my Performa. I was also paranoid about making sure pin 2 (12V) wasn't mistakenly shorted anywhere else on the SIMM, so I carefully double checked with my multimeter. [image-8] Next up, I needed my Performa 630 to actually have a ROM SIMM socket. Most machines of this era don't come with the socket populated. Mine didn't have the socket, and also needed to be recapped. You can see the footprint for the 64-pin socket with the holes filled with solder. [socketbefore-1024x332] Back when I was making ROM SIMMs and programmers, I bought a bunch of sockets. So that wasn't a problem at all. I got out my Hakko 808 vacuum desoldering tool and emptied out the holes. This was a breeze and allowed me to easily solder in a socket. Here it is with the socket populated and my new SIMM inserted. [socketafter-1024x394] With my reproduction Lobos SIMM installed, I was finally ready to boot up and run the Flasher utility again. The first good sign was that the machine still booted with the SIMM installed. I kind of expected that part to succeed since my programmer was able to read it, but it was still good news. [image-9] That's more like it! Flasher detected a programmable "AMD 28F020 x 4" SIMM. The Program button was enabled! In order to try in-system programming, I created a hacked ROM containing a custom startup chime. If you've been following my blog for a while, you may know that I've always loved being able to mess around with Mac startup sounds. I might make the sound customization the subject of a future blog post, but for now let's just assume that part has already been taken care of. In order to use the new ROM file "630 New ROM" in the screenshot above, I had to use ResEdit to change the type and creator code of the file. The type code is 'ROM ' and the creator code is 'HIRM'. This would have taken more disassembly to figure out, so I'm glad that the program also supports saving ROM dumps which made it easy to find the correct codes. [image-10] Now that I had a brand new ROM file ready to go, I was finally ready to load the file and program it to the SIMM. Here's a video showing the entire flashing process. You might enjoy hearing the clickety-clack sound of the original hard drive still in this thing. My new ROM is identical to the original 630-series ROM, except it plays the Power Mac 6200/6300 startup sound instead -- my favorite old Mac startup sound! If I were a particularly evil person, I could definitely create some confusion with this new startup sound if I replaced the label on the front with one of these Apple service replacement labels I recently bought on eBay from Sun Remarketing's old inventory... [6214cd-1024x724] But don't worry. I would never do such a terrible thing. What can we do with everything I've learned from this experiment? I believe it would technically be possible to hack the Flasher program so that it would recognize newer flash chips such as the SST39SF040. Basically I would have to modify one of the table entries to match a modern chip ID, and also hack the functions that do identification/ erasure/programming to perform the sequences used by modern chips instead of the older 28F020 chips. It would probably be easier to just make a new flasher program instead, but at the same time I think there would be something really cool about being able to use Apple's own internal utility if this actually becomes a thing. If I find some spare time in the future, I may very well look into modifying it. That would take care of the software changes needed, but as you may remember from my last post about Mac ROM SIMMs, there is also a hardware problem to solve. It would be nice to have a ROM SIMM that is compatible with in-system programming in these machines but also compatible with older machines and all of the SIMM programmers out there based on my original design. It turns out a solution for this is in the works from some smart people out there. One last thing I want to reiterate about this: it would only be useful for people who have a ROM SIMM socket installed on their logic board. Not many supported machines out there today have the socket populated, with the exception of the Quadra 700/900/950. It's definitely possible to solder the socket in like I did, but it's not going to be a fun time if you don't have a vacuum tool to clear the holes. Now we have all seen what it was like for developers at Apple in the '90s to reprogram the ROMs in their development Macs. I wonder how long it has been since someone last used this program to flash a Mac before I resurrected it this week? I do know that it was still in use during the PowerPC era. A newer version of this same program was used for Power Mac 7500/8500/9500 development. You can find it on this PCI Power Macintosh DDK disk. Does anyone out there know more about how Mac ROM development worked back in the day? What if you accidentally screwed up and made your SIMM unbootable? There must have been some recovery method, right? Was that one of the reasons for the existence of the PDS cards I mentioned earlier? Or was there some other external SIMM programmer device that could reflash them? I'd love to hear more about it. Address: https://www.downtowndougbrown.com/2023/11/ how-apples-developers-reflashed-mac-roms-in-the-90s/ << Upgrading my Chumby 8 kernel part 7: touchscreen Trackback 9 comments 1. Duncan Bayne @ 2023-11-26 12:32 [024] I'm guessing this Carl Hewitt? https://www.linkedin.com/in/carl-c-hewitt/ 2. Alonzo23 @ 2023-11-26 13:59 [8e5] When apple make OS7 free similar blender or netscape. Why not put old os for developers comunity and make in GPL 3. How Apple's developers reflashed Mac ROMs in the '90s - OSnews @ 2023-11-26 18:23 [...] As luck would have it, multiple people pointed out to me that an Apple internal utility used for ROM flashing had been uploaded to the Macintosh Garden. It was recovered from a prototype PowerBook 520 purchased in 2020. Of course, I had to download this utility and figure out how it works. [...] 4. defor @ 2023-11-26 18:32 [901] nice work - any thoughts about making replicas of the flashable gm rom card for the pippin? it appears? that this may be flashable in-machine as well from appearances... 5. Doug Brown @ 2023-11-26 22:19 [308] @Duncan I would guess you are correct! @Alonzo I don't know for sure but I would bet there are licensing issues that prevent them from doing that, like things they distributed but didn't write themselves. It sure would be cool though! @defor Thanks! I haven't thought about the Pippin much. It looks like the Pippin uses gestalt ID 73 according to this site: https: //www.leadedsolder.com/2023/05/30/ apple-bandai-pippin-pickup-fan-repair.html I don't see gestalt ID 73 in this program anywhere, but the Pippin is probably a little too new for the Flasher version I'm looking at. I wouldn't be surprised if there was a newer version that they used on the Pippin... 6. Doug Brown @ 2023-11-26 22:23 [308] By the way, I actually succeeded today at hacking the code of Flasher to erase and program modern flash chips. It required a lot of 68k assembly work, but luckily I had a good reference to start from in my USB SIMM programmer. There's definitely a world in which we will have in-system programmability with modern SIMMs! Unfortunately, we may be limited to 4 MB though. The ROM write address being 0x40400000 (or 0x40C00000, or other repetitions) is a real thing. I wrote a little write cycle test utility and verified it with my oscilloscope. I can only write to the upper 4 MB of the 8 MB of ROM SIMM address space. If I write to 0x40800000, the /WE pin doesn't go low. This means that even though there is 8 MB of space available in the ROM SIMM socket, it's effectively only 4 MB for in-system programming due to only the top half being writable. With a 4 MB SIMM the top and bottom halves of the 8 MB space would point to the same place, so I think that's the best bet moving forward. 7. Miles Raymond @ 2023-11-27 01:32 [2af] This is really awesome news! Especially since I was never able to get a SIMM programmer. I imagine that this could make custom ROM development quite a bit quicker! It'd be awesome if someone developed modern features in classic Macs. Imagine a picker for old SCSI Macs! 8. Joakim @ 2023-11-27 04:53 [384] Incredible work Doug! Really remarkable! Can't wait to test all this! 9. bob @ 2023-11-27 13:44 [37f] I remember that utility! I interned at Apple in the 90s and somewhere in my garage I have a Quadra 700 with a Quadra 950 flash ROM - it allowed my 700 to display higher resolutions that marketing wanted to be a 950-only feature. I also worked with the original PowerMac prototypes and their boot sounds included metallica soundbytes .. I remember "Master!! Master!" in particular. Add your comment now [ ] Name (required) [ ] Email (Will NOT be published) (required) [ ] URL [ ] [ ] [ ] [ ] [ ] [Submit] [ ] [ ] [ ] [ ] [ ] [ ] [ ] D[ ] * Subscribe + Twitter + YouTube + GitHub + LinkedIn * Recent Posts + How Apple's developers reflashed Mac ROMs in the '90s + Upgrading my Chumby 8 kernel part 7: touchscreen + Revisiting programmable Mac ROM SIMMs in Quadras + Porting my Mac ROM SIMM programmer from AVR to ARM + How am I supposed to safely disable this warning on ARM GCC? + How to create a Qt 5 ARM/Intel universal binary for Mac + Upgrading my Chumby 8 kernel part 6: PWM backlight + Building Alex Taradov's open-source USB sniffer * Categories + Classic Mac (7) + Computer repair (8) + Electronics repair (4) + iOS (3) + Linux (33) + Mac ROM hacking (10) + Microcontroller lessons (11) + Microcontrollers (1) + Product reviews (5) + Python (1) + Qt (5) + Uncategorized (20) + Windows (5) * Archives + November 2023 (2) + September 2023 (3) + August 2023 (3) + June 2023 (1) + May 2023 (1) + April 2023 (1) + March 2023 (2) + January 2023 (1) + December 2022 (3) + August 2022 (1) + May 2022 (2) + March 2022 (1) + December 2021 (1) + June 2021 (1) + April 2021 (1) + January 2021 (1) + September 2020 (1) + August 2020 (1) + July 2020 (1) + May 2020 (1) + June 2019 (1) + April 2019 (1) + December 2018 (1) + August 2018 (1) + May 2018 (1) + April 2018 (3) + February 2018 (1) + October 2017 (1) + July 2017 (1) + May 2017 (3) + March 2017 (1) + October 2016 (1) + June 2015 (1) + March 2015 (1) + November 2014 (1) + August 2014 (3) + July 2014 (1) + April 2014 (1) + March 2014 (1) + February 2014 (1) + November 2013 (1) + August 2013 (1) + June 2013 (3) + April 2013 (1) + March 2013 (1) + January 2013 (2) + December 2012 (2) + August 2012 (1) + July 2012 (2) + June 2012 (1) + May 2012 (1) + February 2012 (3) + January 2012 (1) + November 2011 (1) + October 2011 (2) + August 2011 (3) + May 2011 (1) + April 2011 (1) + March 2011 (2) + November 2010 (2) + October 2010 (3) + July 2010 (5) * Recent Comments + bob on How Apple's developers reflashed Mac ROMs in the '90s + Joakim on How Apple's developers reflashed Mac ROMs in the '90s + Miles Raymond on How Apple's developers reflashed Mac ROMs in the '90s + Doug Brown on How Apple's developers reflashed Mac ROMs in the '90s + Doug Brown on How Apple's developers reflashed Mac ROMs in the '90s + defor on How Apple's developers reflashed Mac ROMs in the '90s + How Apple's developers reflashed Mac ROMs in the '90s - OSnews on How Apple's developers reflashed Mac ROMs in the '90s + How Apple's developers reflashed Mac ROMs in the '90s - OSnews on Revisiting programmable Mac ROM SIMMs in Quadras + Alonzo23 on How Apple's developers reflashed Mac ROMs in the '90s + Duncan Bayne on How Apple's developers reflashed Mac ROMs in the '90s * Spam Blocked 1,441,479 spam blocked by Akismet Downtown Doug Brown * coogee theme * 2008 * Privacy Policy RSS Feed * WordPress * TOP