LisaList2

Advanced search  

News:

2022.06.03 added links to LisaList1 and LisaFAQ to the General Category

Pages: [1]   Go Down

Author Topic: AppleNet ROM disassembly attempts  (Read 13776 times)

stepleton

  • Sr. Member
  • ****
  • Karma: +127/-0
  • Offline Offline
  • Posts: 425
AppleNet ROM disassembly attempts
« on: September 01, 2020, 07:33:38 pm »

I've been trying to learn more about the AppleNet networking cards by peering at ROM disassemblies. There are two to choose from: the boot ROM that tells the Lisa how to boot from AppleNet, and the Z8 ROM for the AppleNet card's MCU. It's likely that a full understanding will require a careful analysis of both,* but I know 68k assembly best :)

So, I've had a good look through the boot ROM, and while I hardly understand everything, I may have found enough organisation for other people to delve if they're feeling curious. My commentary is here, alongside some reverse-engineered schematics I'd derived earlier:

https://github.com/stepleton/applenet/blob/master/applenet_boot_rom.txt

There are plenty of mysteries, including why the boot program overwrites $110 (the place where the Lisa's own boot ROM stores a pointer to the bitmap display RAM) and, well, anything at all about what the routine at disassembly address $3B2 is doing.

Have a look if you like a puzzle. If it's of interest, Bitsavers has the Z8 ROM disassembly as well, albeit without commentary---I've only begun looking at this code and know very little.

(Oh, and: the thread title says "attempts" --- I'd imagined that discussions of the Z8 disassembly might appear here too someday.)

* An additional item to disentangle is the PAL chip---the equations for it live on Bitsavers, but it's a bit too hard for me to understand on its own. It'll probably be useful to interpret what it does from the point of view of the Z8, which manipulates some of its inputs.
Logged

rayarachelian

  • Administrator
  • Hero Member
  • *****
  • Karma: +105/-0
  • Offline Offline
  • Posts: 772
  • writing the code,writing the code,writing the code
    • LisaEm
Re: AppleNet ROM disassembly attempts
« Reply #1 on: September 01, 2020, 08:27:50 pm »


There are plenty of mysteries, including why the boot program overwrites $110 (the place where the Lisa's own boot ROM stores a pointer to the bitmap display RAM) and, well, anything at all about what the routine at disassembly address $3B2 is doing.


My guess about the bytes being different is that it's constantly listening to the network, and so when the bytes are different, that's the start of some packet, and then the values have some sort of signature/checksum that means, "received properly"

That shift+sub block at 412 seems like an early CRC operation, generally I'm used to seeing chains of shift+xor, but this can work too. The goal here is to provide a hash.
Edit: it's a variant of, or similar to the BSD Checksum: https://en.wikipedia.org/wiki/BSD_checksum
478 is probably broadcasting those 46 bytes as a request for a boot loader aimed at whatever the server is, or broadcasting the node id or something like that.
46 bytes is too small to be anything else.
« Last Edit: September 02, 2020, 03:30:51 pm by rayarachelian »
Logged
You don't know what it's like, you don't have a clue, if you did you'd find yourselves doing the same thing, too, Writing the code, Writing the code

sigma7

  • Administrator
  • Sr. Member
  • *****
  • Karma: +150/-1
  • Offline Offline
  • Posts: 398
  • Warning: Memory errors found. Verify comments.
Re: AppleNet ROM disassembly attempts
« Reply #2 on: September 23, 2022, 06:54:40 pm »

* An additional item to disentangle is the PAL chip---the equations for it live on Bitsavers, but it's a bit too hard for me to understand on its own. It'll probably be useful to interpret what it does from the point of view of the Z8, which manipulates some of its inputs.

Using Palasm 4 to disassemble the 341-0180.JED fusemap file into raw equations...

My next step would be to replace the signal names with intelligible ones (eg. guesses derived from the schematic) and convert the equations into state machine format.

I have a vague recollection that PALASM had a utility to create a state machine from equations, but the manual is not at hand... will come back to this if I uncover it.

Code: [Select]
TITLE FILE LISANET.JED DIS-ASSEMBLED
PATTERN 001
REVISION 001
AUTHOR VOLTAGE CONTROLLED COALITION
COMPANY AMD, SANTA CLARA
DATE 01-01-80

CHIP DIS_ASM PAL16R8

PIN 1 CLK
PIN 2 I2
PIN 3 I3
PIN 4 I4
PIN 5 I5
PIN 6 I6
PIN 7 I7
PIN 8 I8
PIN 9 I9
PIN 10 GND
PIN 11 OE
PIN 12 R12
PIN 13 R13
PIN 14 R14
PIN 15 R15
PIN 16 R16
PIN 17 R17
PIN 18 R18
PIN 19 R19
PIN 20 VCC

EQUATIONS

 /R19:=   I2
      +                /R14 * /R13
      +         /R15 *        /R13
      +         /R15 * /R14
      +          R15 *  R14 *  R13

 /R18:=          I6
      +  /I5  *        /R18 *  R15 *  R14 *  R13 *  R12
      +                              /R14 *  R13
      +                               R14 * /R13
      +                        R15 * /R14 * /R13
      +  /I5  *               /R15 * /R14 * /R13

 /R17:=   I5  * /I6  *         R15 *  R14 *  R13 *  R12
      +         /I6  * /R17 *  R15 *  R14 *  R13 *  R12
      +         /I6  *                       R13 * /R12
      +         /I6  *                R14 * /R13
      +         /I6  *        /R15 *         R13 *  R12
      +         /I6  *         R15 * /R14
      +   I5  * /I6  *        /R15 * /R14 * /R13

 /R16:=          I5  * /I6  * /R15 * /R14 * /R13
      +                               R14 *  R13 * /R12
      +  /I2  *                R15 * /R14 *  R13 * /R12
      +                        R15 *  R14 * /R12
      +                /I6  *         R14 * /R13 * /R12
      +                /I6  * /R15 * /R14 *  R13 *  R12

 /R15:=  /I2  *        /I8  * /I9  *         R15 * /R14 * /R13
      +  /I2  *         I8  *  I9  *         R15 * /R14 * /R13
      +         /I6  *                       R15 * /R14
      +                                      R15 *  R14 * /R13
      +                                      R15 *  R14 *        /R12
      +         /I6  *                R18 *  R15 *  R14 *  R13 *  R12
      +  /I2  *                              R15 *  R14 *  R13 *  R12

 /R14:=  /I2  *        /I8  * /I9  *  R15 * /R14 
      +  /I2  *         I8  *  I9  *  R15 * /R14
      +         /I6  *                R15 * /R14
      +                              /R15 *  R14

 /R13:=                              /R15 * /R14 *  R13 * /R12
      +                                      R14 * /R13
      +         /I6  *               /R15 * /R14 *  R13 *  R12
      +  /I2  *         I8  * /I9  *  R15 * /R14 *  R13
      +  /I2  *        /I8  *  I9  *  R15 * /R14 *  R13
      +  /I2  *         I8  *  I9  *  R15 * /R14 * /R13
      +         /I6  *                R15 * /R14 * /R13
      +  /I2 *         /I8  * /I9  *  R15 * /R14 * /R13

 /R12:=  /I2  *                      /I8  * /I9  *        /R15 * /R14 * /R13
      +  /I2  *                       I8  *  I9  *        /R15 * /R14 * /R13 
      +          I4  *  I5  * /I6  *                      /R15 * /R14 * /R13 * /R12
      +         /I4  *  I5  * /I6  *                      /R15 * /R14 * /R13 *  R12
      +  /I2  *                      /I8  * /I9  *                             /R12
      +  /I2  *                       I8  *  I9  *                             /R12
      +                       /I6  *                      /R15 * /R14 *  R13 *  R12
      +                                            /R16 *                      /R12
     

edit: aligned columns per equation (for monospaced font)
« Last Edit: September 24, 2022, 02:14:29 pm by sigma7 »
Logged
Warning: Memory errors found. ECC non-functional. Verify comments if accuracy is important to you.

stepleton

  • Sr. Member
  • ****
  • Karma: +127/-0
  • Offline Offline
  • Posts: 425
Re: AppleNet ROM disassembly attempts
« Reply #3 on: September 25, 2022, 06:59:35 am »

Noting with interest!

I'm 100% unfamiliar with the practice of converting PAL equations to state machines, but your post is the second time I've heard mention of it. The equations themselves seem pretty complicated, so some other representation of what's going on seems very useful!

My current primary retro project isn't Lisa-related (I have a handful of Transputers inside of an IBM AT that I have to make do something interesting for an exhibition in about a month!), but this certainly makes me interested to return to the problem.

I also had missed or forgotten Ray's identification of a checksum algorithm at work.
Logged
Pages: [1]   Go Up