diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 4c5b5d4..0000000 --- a/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -*.hqx -*.o -*.s -*tbxi* -prcl -kernel-built -PowerROM -test-boot.img diff --git a/Makefile b/Makefile deleted file mode 100644 index b01dda0..0000000 --- a/Makefile +++ /dev/null @@ -1,181 +0,0 @@ -# mount our current dir as /work in the container, and cd /work -# --rm means don't keep this container after command is done -# we are always root inside the container, but stay ourself outside -# next arg should be the image to use (e.g. elliotnunn/toolboxtools) -# then the next one should be the command to run -DOCKER=docker run --volume="$$PWD":/work --workdir=/work --env=HOME=/work --user=$(shell id -u):$(shell id -g) --rm - -# If there is a disassembled kernel (possibly edited) then use it. If not, use the stock kernel. -ifeq ($(wildcard kernel-disasm.s),) - KERNEL=kernel-stock -else - KERNEL=kernel-built -endif - -# We want these to re-run every time they are required -.PHONY: test-boot.img kernel-redisassemble kernel-revert-to-stock test clean - -Mac\ OS\ ROM.hqx: tbxi-data tbxi-rsrc - $(DOCKER) elliotnunn/toolboxtools binhexmake --data=tbxi-data --rsrc=tbxi-rsrc --type=tbxi --creator=chrp --name='Mac OS ROM' 'Mac OS ROM.hqx' - -tbxi-data tbxi-rsrc: base-tbxi rsrc-template datafork-pefs - $(DOCKER) elliotnunn/toolboxtools tbximake tbxi-data tbxi-rsrc base-tbxi rsrc-template datafork-pefs/NQDResidentCursor datafork-pefs/ProcessMgrLib - -base-tbxi: boot-script trampoline.elf prcl - $(DOCKER) elliotnunn/toolboxtools bootmake --boot-script=boot-script --trampoline=trampoline.elf --parcels=prcl base-tbxi - -PowerROM: PowerROM-nokern $(KERNEL) - cp PowerROM-nokern "$@" - dd if=$(KERNEL) of="$@" conv=notrunc seek=3211264 bs=1 - -kernel-built: kernel-disasm.s - $(DOCKER) elliotnunn/powerpc-binutils as -many -mregnames --nops=2 -o kernel-built-intermed.o "$<" - $(DOCKER) elliotnunn/powerpc-binutils objcopy -O binary -j .text kernel-built-intermed.o "$@" - rm kernel-built-intermed.o - -kernel-redisassemble: - $(DOCKER) elliotnunn/powerpc-disasm python kernel-disasm-script.py --disasm kernel-disasm.s kernel-stock - rm -f kernel-built* - -# PowerROM is likely tainted by the rebuilt kernel. Kill. -kernel-revert-to-stock: - rm -f kernel-disasm.s PowerROM - -# hfsutils rather annoyingly stores state in $HOME/.hcwd, so we put it here instead -# The rsync allows us to leave the destination read-write in qemu -test-boot.img: Mac\ OS\ ROM.hqx - rsync test-template.img "$@" - $(DOCKER) elliotnunn/hfsutils hmount "$@" - $(DOCKER) elliotnunn/hfsutils hcopy -b 'Mac OS ROM.hqx' 'QEMU HD:System Folder:' - rm .hcwd - -test: test-boot.img - qemu-system-ppc -M mac99 -m 512 -prom-env 'auto-boot?=true' -g 800x600x32 -drive format=raw,media=disk,file="$<" - -clean: - rm -f .hcwd base-tbxi 'Mac OS ROM.hqx' kernel-built kernel-built-intermed.o prcl PowerROM tbxi-data tbxi-rsrc test-boot.img - -prcl: prcl-pefs PowerROM - @echo making parcels... takes a while - @$(DOCKER) elliotnunn/toolboxtools prclmake prcl \ ---prcl -f=00020000 -t=node -n='CodePrepare Node Parcel' -c='' \ - --bin -f=00000000 -t=cstr -n=name --data AAPL,CodePrepare \ - --bin -f=00000000 -t=csta -n=AAPL,prepare_order --data Placeholder \ - --bin -f=00020094 -t=nlib -n=TimeManagerLib -l --src=prcl-pefs/CodePrepare_TimeManagerLib \ - --bin -f=00020094 -t=nlib -n=NVRAMServicesLib -l --src=prcl-pefs/CodePrepare_NVRAMServicesLib \ - --bin -f=00020094 -t=nlib -n=RTCServicesLib -l --src=prcl-pefs/CodePrepare_RTCServicesLib \ -\ ---prcl -f=00010000 -t=node -n='CodeRegister Node Parcel' -c='' \ - --bin -f=00000000 -t=cstr -n=name --data AAPL,CodeRegister \ - --bin -f=00010094 -t=nlib -n=NativePowerMgrLib -l --src=prcl-pefs/CodeRegister_NativePowerMgrLib \ - --bin -f=00010094 -t=nlib -n=AGPLib -l --src=prcl-pefs/CodeRegister_AGPLib \ - --bin -f=00010194 -t=nlib -n=EtherPrintfLib -l --src=prcl-pefs/CodeRegister_EtherPrintfLib \ - --bin -f=00010094 -t=shlb -n=StartLib -l --src=prcl-pefs/CodeRegister_StartLib \ -\ ---prcl -f=00000000 -t='rom ' -n='Mac OS ROM Parcel' -c='' \ - --bin -f=00000005 -t='rom ' -n='' -l --src=PowerROM \ -\ ---prcl -f=00000000 -t=psum -n='Property Checksum' -c='' \ - --bin -f=00000000 -t=csta -n='' --data name model compatible device_type reg assigned-addresses slot-names vendor-id device-id class-code devsel-speed fast-back-to-back bootpath mac-address \ - --bin -f=00000000 -t=csta -n='' --data boot-rom macos \ - --bin -f=00000000 -t=csta -n='' --data Placeholder \ - --bin -f=00000000 -t=csta -n='' --data Placeholder \ - --bin -f=00000000 -t=csta -n='' --data usb ieee1394 \ -\ ---prcl -f=0000000c -t=prop -n=apple21143 -c=network \ - --bin -f=00000006 -t=shlb -n=lanLib,AAPL,MacOS,PowerPC -l --src=prcl-pefs/lanLib_apple21143 \ -\ ---prcl -f=00000009 -t=prop -n=backlight -c=backlight \ - --bin -f=00000000 -t=ndrv -n=driver,AAPL,MacOS,PowerPC --src=prcl-pefs/BacklightDriver \ - --bin -f=00000002 -t=cstr -n=code,AAPL,MacOS,name --data BacklightDriver \ -\ ---prcl -f=0000000c -t=prop -n=bmac+ -c=network \ - --bin -f=00000006 -t=shlb -n=lanLib,AAPL,MacOS,PowerPC -l --src=prcl-pefs/lanLib_bmac+ \ -\ ---prcl -f=0000000c -t=prop -n=cmd646-ata -c=ata \ - --bin -f=00000006 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/ATA_CMD646_driver \ -\ ---prcl -f=00000008 -t=prop -n=cofb -c=display \ - --bin -f=00000024 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/Display_driver \ -\ ---prcl -f=0000000c -t=prop -n=cuda -c=via-cuda \ - --bin -f=00000000 -t=ndrv -n=pef,AAPL,MacOS,PowerPC,register -l --src=prcl-pefs/PowerMgrPlugin_CUDA \ - --bin -f=00000002 -t=cstr -n=code,AAPL,MacOS,name --data PowerMgrPlugin \ -\ ---prcl -f=0000000c -t=prop -n=gmac -c=network \ - --bin -f=00000006 -t=shlb -n=lanLib,AAPL,MacOS,PowerPC -l --src=prcl-pefs/lanLib_gmac \ -\ ---prcl -f=0000000c -t=prop -n=grackle -c=pci \ - --bin -f=00000016 -t=nlib -n=pef,AAPL,MacOS,PowerPC,prepare -l --src=prcl-pefs/PCICyclesLib_Grackle \ - --bin -f=00000000 -t=cstr -n=code,AAPL,MacOS,name --data Grackle_PCICyclesLib \ -\ ---prcl -f=0000000c -t=prop -n=heathrow-ata -c=ide \ - --bin -f=00000006 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/ATA_Heathrow_driver \ -\ ---prcl -f=0000000c -t=prop -n=heathrow-ata -c=ata \ - --bin -f=00000002 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/ATA_Heathrow_driver \ -\ ---prcl -f=0000000c -t=prop -n=kauai-ata -c=ata \ - --bin -f=00000006 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/ATA_Kauai_driver \ -\ ---prcl -f=0000000c -t=prop -n=keylargo-ata -c=ata \ - --bin -f=00000006 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/ATA_KeyLargo_driver \ -\ ---prcl -f=0000000c -t=prop -n=keywest-i2c -c=i2c \ - --bin -f=00000006 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/I2C_driver \ -\ ---prcl -f=0000000a -t=prop -n=mac-io -c=nvram \ - --bin -f=00000004 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/NVRAM_mac-io_driver \ -\ ---prcl -f=00000001 -t=prop -n=macos -c='' \ - --bin -f=00000000 -t=cstr -n=MacOSROMFile-version --data 9.6f1 \ -\ ---prcl -f=0000000c -t=prop -n=nvram,flash -c=nvram \ - --bin -f=00000004 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/NVRAM_flash_driver \ -\ ---prcl -f=0000000c -t=prop -n=pci104c,ac1a -c=cardbus \ - --bin -f=00000016 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/CardBus_driver \ - --bin -f=00010094 -t=nlib -n=PCCard -l --src=prcl-pefs/CardBus_PCCard_lib \ -\ ---prcl -f=0000000c -t=prop -n=pci104c,ac50 -c=cardbus \ - --bin -f=00000016 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/CardBus_driver \ - --bin -f=00010094 -t=nlib -n=PCCard -l --src=prcl-pefs/CardBus_PCCard_lib \ -\ ---prcl -f=0000020c -t=prop -n=pciclass,0c0010 -c=ieee1394 \ - --bin -f=00000004 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/FireWire_driver \ - --bin -f=00010096 -t=nlib -n=FWServicesLib -l --src=prcl-pefs/FireWire_FWServicesLib \ - --bin -f=00010096 -t=nlib -n=DevNLib -l --src=prcl-pefs/FireWire_DevNLib \ - --bin -f=00010096 -t=nlib -n=DFMLib -l --src=prcl-pefs/FireWire_DFMLib \ - --bin -f=00010096 -t=nlib -n=GenericDriverFamily -l --src=prcl-pefs/FireWire_GenericDriverFamily \ -\ ---prcl -f=0000000c -t=prop -n=pmu -c=power-mgt \ - --bin -f=00000000 -t=ndrv -n=pef,AAPL,MacOS,PowerPC,register -l --src=prcl-pefs/PowerMgrPlugin_PMU \ - --bin -f=00000002 -t=cstr -n=code,AAPL,MacOS,name --data PowerMgrPlugin \ - --bin -f=00000002 -t=cstr -n=target-mode-capable --data SCSI \ - --bin -f=00010096 -t=nlib -n=PMULib -l --src=prcl-pefs/PMULib \ -\ ---prcl -f=0000000c -t=prop -n=uni-n-i2c -c=i2c \ - --bin -f=00000006 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/I2C_driver \ -\ ---prcl -f=0000000c -t=prop -n=uni-north -c=pci \ - --bin -f=00000016 -t=nlib -n=pef,AAPL,MacOS,PowerPC,prepare -l --src=prcl-pefs/PCICyclesLib_UniNorth \ - --bin -f=00000002 -t=cstr -n=code,AAPL,MacOS,name --data UniNorth_PCICyclesLib \ -\ ---prcl -f=0000000a -t=prop -n=via-cuda -c=rtc \ - --bin -f=00000004 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/RTC_CUDA_driver \ -\ ---prcl -f=0000000a -t=prop -n=via-pmu -c=nvram \ - --bin -f=00000004 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/NVRAM_PMU_driver \ -\ ---prcl -f=0000000a -t=prop -n=via-pmu -c=rtc \ - --bin -f=00000004 -t=ndrv -n=driver,AAPL,MacOS,PowerPC -l --src=prcl-pefs/RTC_PMU_driver \ -\ ---prcl -f=0000000c -t=prop -n=via-pmu-2000 -c=power-mgt \ - --bin -f=00000000 -t=ndrv -n=pef,AAPL,MacOS,PowerPC,register -l --src=prcl-pefs/PowerMgrPlugin_PMU2000 \ - --bin -f=00000002 -t=cstr -n=code,AAPL,MacOS,name --data PowerMgrPlugin \ - --bin -f=00010096 -t=nlib -n=PMULib -l --src=prcl-pefs/PMULib \ -\ ---prcl -f=0000000c -t=prop -n=via-pmu-99 -c=power-mgt \ - --bin -f=00000000 -t=ndrv -n=pef,AAPL,MacOS,PowerPC,register -l --src=prcl-pefs/PowerMgrPlugin_PMU99 \ - --bin -f=00000002 -t=cstr -n=code,AAPL,MacOS,name --data PowerMgrPlugin \ - --bin -f=00010096 -t=nlib -n=PMULib -l --src=prcl-pefs/PMULib diff --git a/PowerROM-nokern b/PowerROM-nokern deleted file mode 100644 index ac47189..0000000 Binary files a/PowerROM-nokern and /dev/null differ diff --git a/README.md b/README.md index bc4ef50..8399ec9 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,19 @@ -This repo is **obsolete**. We have ported our Mac OS ROM build system to MPW. Ask about the new CDG5 build system at the MacOS9Lives forum. +# The CDG5 project +The CDG5 project is an effort to thoroughly reverse-engineer Mac OS 9.2.2, the final release of the "Classic" Mac OS. We place an emphasis on supporting late-model PowerPC G4-based Macs, and also on hacking new features into the OS (e.g. support for >1.5 GB RAM). + +Our work is spread over several GitHub repositories: + +- 3 MB 68k ROM: +- 4 MB PowerPC rom, inc. NanoKernel: +- Bootable "Mac OS ROM" file: +- Disk-based Start Manager: +- Bootloader-NanoKernel shim: + +Some code patching tools: + +- Move resources around: +- Patch PowerPC binaries: +- Patch 68k MPW code objects: + +Most of our testing, and some of our discussion, takes place on the [MacOS9Lives](http://macos9lives.com) forums. diff --git a/boot-script b/boot-script deleted file mode 100644 index e310ab1..0000000 --- a/boot-script +++ /dev/null @@ -1,237 +0,0 @@ - - -MacRISC - - -MacROM for NewWorld. - - - -0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF92FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF4925B7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF92006EDBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDB0049B7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFBBBFBBBFBBBFBBBFBBBFBBBFBBBFBB252577BFDFDFDFDFDFDFDFDFDFDFDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F332F2F2F332F2F2F332F2F2F332F2A055757575757575B57575B57575B579BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F2F2F332F2F2F332F2F2F332F2F2F012E57575B575B57575757575757575777FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF97132F0F2F132F0F2F132F0F2F0F2F0A0557575B5757575B57575B57575B575797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F2F330F2F2F2F0F2F0F2F2F332F052A575B5757535357575B57575B57575B97FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F2F2F332F0F2B062F332F132F0A00575757575B25255B5757575B5757575797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F132F0F332F0B060F2F0F2F2F0529575B575B572525575B575757575B575777FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF970F2F2F2F0F2F0B262F0F332F0A0053575757575B25255B57575B5757575B5797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F2F132F2F332F0F2F332F2F0501575B575B5757534F57575B57575B57575797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F2F2F132F2F2F2F132F2F0F052A575757575B5757575B57575757575B575797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF77330F332F0F2F132F2F0F2F2F00535757575B5757575B575757575B57575B5777FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF972F2F2F2F332F2F132F2F132A00575B575B57575B5757575B5757575B57575797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF770F330F330F2F0F2F2F332F05255B575757575B5757575B57575B575757575797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF972F2F2F2F332F332F0F2F2F052A575B57575757575B5757575B57575B575B5797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F0F330F2F0F2F0F332F33052A5757575757575B5757575B575757575B575777FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F2F2F332F332F2F2F0F2F050000000000002E57575B5757575B575757575B97FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF77332F132F0F2F0F2F0F332F2A0A2A2A2A050053575B5757575B5757575B575797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF970F2F2F2F332F332F330F2F0F332F0F330600575757575B5757575B57575B5797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F332F132F0F2F0F2F2F332F2F332F0F2504575B575B57575753575B57575777FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F2F2F2F0B060A2B0F2F0F332F0F2F33050557575B574F2E2505535757575B97FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F0F330F332F2B0A0606060A0B0B2B0B05052A29250005292E575757575B5797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF970F2F2F2F0F2F132F2F0F2B0A0A060606010025292E53575B57575B575B575797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F330F332F132F2F2F2F2F332F2F2F2F0501575B575757575757575757575777FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF77332F2F2F2F2F2F132F0F2F0F2F2F0F2F050057575B575B57575B575B57575B97FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF772F2F2F0F332F132F2F2F332F332F2F332600535B575757575B5757575B575797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF970F330F332F0F2F2F132F0F2F0F330F2F0A004F57575B5757575B5757575B5797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFF9B332F33332F3333332F333333332F33332F002A77777777777777777777777797FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDBDBDBDBDBDBDBDBDBDBDBDBDBDBFBDB2025B7DBDBDBDBDBDBDBDBDBDBDBDBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6E00B7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF006EFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB7B7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFDBDBFFFFFFFFFFFFFFDBDBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBB57539BFFFFFFFFFFFF775377DFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFF92006EFFFFFFFFFF6E2592FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF53B7DBDBBB53DFFFFFDF97DBFBBB33FFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFF2525FFFFFFFFFF2525DBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3397DBFFFFFFDF33DBFF57B7FFFFFF97DBFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFF9225B7FFFFFFB76E25DBFFFFFFFFFFFFFFFFFFFFFFFFFFDBB7FFFFFFFF7733B7FFFFFFFFFF9B53FF3397FFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFF92496EFFFFFFB79225DBFFFFB792496EFFFFFFB7926E49FFFFFFFFFFFF2F73FFFFFFFFFFFFDF0FDB5333FFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFDBB7B725FFFFFF929225DBFF9292FFFF00DBFF6EB7FFFF6E92FFFFFFFFFF0F93FFFFFFFFFFFFFF2F979B2F33DFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFDBB7FF00B7FFDBB7B725DBFF25B7FFFF25B7DB49DBFFFFFFB7FFFFFFFFDF0F97FFFFFFFFFFFFFF3373FFBB330F53FFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFDBDBFF6E49FFB7FFFF00DBFFFFFFFFFF00B74949FFFFFFFFFFFFFFFFFFDF2F97FFFFFFFFFFFFFF3373FFFFFF972F33FFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFDBDBFFB725FF92FFFF00DBFFFFFFDB9225B7256EFFFFFFFFFFFFFFFFFFFF2F97FFFFFFFFFFFFFF2F73FFFFFFFFBB2F97FFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFB7DBFFFF006EB7FFFF00B7FFFFB7DBFF25B7256EFFFFFFFFFFFFFFFFFFFF3373FFFFFFFFFFFFDF2F97FFFFFFFFFF7773FFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFB7DBFFFF4925DBFFFF00B7FF6EB7FFFF25B76E49FFFFFFFFFFFFFFFFFFFF9B33FFFFFFFFFFFF5753B7BBFFFFFFFF7773FFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFF92DBFFFFDB49DBFFFF00B7FF25B7FFB700B7FF25DBFFFFFFFFFFFFFFFFFFFF5377FFFFFFFFBB3397DF53FFFFFFFF57B7FFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFDB2549DBFFFFB7FFDB490049DB254992DB2549DB9225DBFF92FFFFFFFFFFFFFFFF5397FFFFBB53B7FBFF3397FFFF77B7DBFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFB792DBFFFFFFFFFFB7B7B7DBB76EB7FFDB92DBFFB76E6EB7FFFFFFFFFFFFFFFFFFB7737797DBFFFFFFFF977397BBDBFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0B -0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B - - - -here >r -dev / -" model" active-package get-package-property abort" can't find MODEL" -decode-string 2swap 2drop " iMac,1" $= ?dup 0= if - " compatible" active-package get-package-property abort" can't find COMPATIBLE" - false >r - begin - dup while - decode-string here over 2swap bounds ?do - i c@ dup [char] A [char] Z between if h# 20 xor then c, - loop - 2dup " macrisc" $= r> or >r - 2drop - repeat - 2drop r> - then -r> here - allot -0= abort" this image is not for this platform" -decimal -1 load-base load-size 14 - adler32 load-base load-size + 12 - 12 ['] eval catch if - 2drop ." , bad checksum value" -1 - then - <> if - ." , checksum error" - abort - then -hex -dev /openprom -0 0 " supports-bootinfo" property device-end -" /chosen" find-package 0= abort" can't find '/chosen'" constant /chosen -" memory" /chosen get-package-property abort" memory??" decode-int constant xmem 2drop -" mmu" /chosen get-package-property abort" mmu??" decode-int constant xmmu 2drop -" AAPL,debug" " /" find-package 0= abort" can't find '/'" get-package-property if - false - else - 2drop true - then - constant debug? -debug? if cr ." checking for RELEASE-LOAD-AREA" then -" release-load-area" $find 0= if 2drop false then constant 'release-load-area -debug? if 'release-load-area if ." , found it" else ." , not found" then then -: do-translate " translate" xmmu $call-method ; -: do-map " map" xmmu $call-method ; -: do-unmap " unmap" xmmu $call-method ; -: claim-mem " claim" xmem $call-method ; -: release-mem " release" xmem $call-method ; -: claim-virt " claim" xmmu $call-method ; -: release-virt " release" xmmu $call-method ; -1000 constant pagesz -pagesz 1- constant pagesz-1 --1000 constant pagemask -h# 005000 constant elf-offset -h# 017008 constant elf-size -elf-size pagesz-1 + pagemask and constant elf-pages -h# 01C008 constant parcels-offset -h# 2617C4 constant parcels-size -parcels-size pagesz-1 + pagemask and constant parcels-pages -h# 27D7CC constant info-size -info-size pagesz-1 + pagemask and constant info-pages -0 value load-base-claim -0 value info-base -'release-load-area if - load-base to info-base - else - load-base info-pages 0 ['] claim-mem catch if 3drop 0 then to load-base-claim - info-pages 1000 claim-virt to info-base - load-base info-base info-pages 10 do-map then -\ allocate room for both images -parcels-pages 400000 claim-mem constant rom-phys parcels-pages 1000 claim-virt constant rom-virt rom-phys rom-virt parcels-pages 10 do-map -elf-pages 1000 claim-mem constant elf-phys elf-pages 1000 claim-virt constant elf-virt -elf-phys elf-virt elf-pages 10 do-map info-base elf-offset + elf-virt elf-size move debug? if cr ." elf-phys,elf-virt,elf-pages: " elf-phys u. ." , " elf-virt u. ." , " elf-pages u. then -\ copy the compressed image -debug? if cr ." copying compressed ROM image" then -rom-virt parcels-pages 0 fill -info-base parcels-offset + rom-virt parcels-size move -'release-load-area 0= if - info-base info-pages do-unmap load-base-claim ?dup if info-pages release-mem then - then -debug? if cr ." MacOS-ROM phys,virt,size: " rom-phys u. ." , " rom-virt u. ." , " parcels-size u. then -\ create the actual property -debug? if cr ." finding/creating '/rom/macos' package" then -device-end 0 to my-self -" /rom" find-device -" macos" ['] find-device catch if 2drop new-device " macos" device-name finish-device then -" /rom/macos" find-device -debug? if cr ." creating 'AAPL,toolbox-parcels' property" then -rom-virt encode-int parcels-size encode-int encode+ " AAPL,toolbox-parcels" property -device-end -debug? if cr ." copying MacOS.elf to load-base" then -'release-load-area if - load-base elf-pages + 'release-load-area execute - else - load-base elf-pages 0 claim-mem - load-base dup elf-pages 0 do-map then -elf-virt load-base elf-size move -elf-virt elf-pages do-unmap elf-virt elf-pages release-virt -elf-phys elf-pages release-mem -debug? if cr ." init-program" then -init-program -debug? if cr ." .registers" .registers then -debug? if cr ." go" cr then - -\ uncomment to show kernel log -" /" select-dev -2000000 encode-int " AAPL,debug" property - -go -cr ." end of BOOT-SCRIPT" - - -1010 -000000000000000000ABFE0000000000 -0000000000000000ABFF000000000000 -ABABABABABABABABFFABABABABABABAB -AB7F7F7F7F7F7FFF7F2A2A2A2A2A2AAB -AB7F7F7FF17F7FFF542A2AFF2A2A2AAB -AB7F7F7FF17FABFF2A2A2AFF2A2A2AAB -AB7F7F7F7F7FFF7F2A2A2A2A2A2A2AAB -AB7F7F7F7F7FFF542A2A2A2A2A2A2AAB -AB7F7F7F7F7FFFFFFFFF2A2A2A2A2AAB -AB7F7F7F7F7F7F7F7FFF2A2A2A2A2AAB -AB7F7FFFF17F7F7F7FFF2A2AFFFF2AAB -AB7F7F7F7FF1F1F1F1FFFFFF542A2AAB -AB7F7F7F7F7F7F7F7FFF2A2A2A2A2AAB -ABABABABABABABABABFFABABABABABAB -000000000000000000ABFF0000000000 -00000000000000000000ABFF00000000 -000000000000000000F3FF0000000000 -0000000000000000F3FF000000000000 -F3F3F3F3F3F3F3F3FFF3F3F3F3F3F3F3 -F3AAAAAAAAAAAAFFAA555555555555F3 -F3AAAAAAF4AAAAFF7F5555FF555555F3 -F3AAAAAAF4AAF3FF555555FF555555F3 -F3AAAAAAAAAAFFAA55555555555555F3 -F3AAAAAAAAAAFF7F55555555555555F3 -F3AAAAAAAAAAFFFFFFFF5555555555F3 -F3AAAAAAAAAAAAAAAAFF5555555555F3 -F3AAAAFFF4AAAAAAAAFF5555FFFF55F3 -F3AAAAAAAAF4F4F4F4FFFFFF7F5555F3 -F3AAAAAAAAAAAAAAAAFF5555555555F3 -F3F3F3F3F3F3F3F3F3FFF3F3F3F3F3F3 -000000000000000000F3FF0000000000 -00000000000000000000F3FF00000000 -000000000000000000FFFE0000000000 -0000000000000000FFFF000000000000 -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -000000000000000000FFFF0000000000 -00000000000000000000FFFF00000000 - - diff --git a/datafork-pefs/NQDResidentCursor b/datafork-pefs/NQDResidentCursor deleted file mode 100644 index 60c0d53..0000000 Binary files a/datafork-pefs/NQDResidentCursor and /dev/null differ diff --git a/datafork-pefs/ProcessMgrLib b/datafork-pefs/ProcessMgrLib deleted file mode 100644 index 3b5baff..0000000 Binary files a/datafork-pefs/ProcessMgrLib and /dev/null differ diff --git a/kernel-disasm-script.py b/kernel-disasm-script.py deleted file mode 100755 index 4af12e3..0000000 --- a/kernel-disasm-script.py +++ /dev/null @@ -1,1355 +0,0 @@ -#!/usr/bin/env python3 - -import disasm as da -from sys import argv -from os import path -from functools import partial -import argparse - -parser = argparse.ArgumentParser() - -parser.add_argument('SRC', help='probably called 02.28') -parser.add_argument('--disasm', action='store', metavar='DEST', help='put in cdg5/kern.asm!') -parser.add_argument('--dump-constants', action='store', metavar='DEST') - -cmdline = parser.parse_args() - - -# -# READ THE KERNEL -# - -with open(cmdline.SRC, 'rb') as f: - p = da.Project(f.read()) - - -# -# Data structures that I know about -# - -# TLAs: -# KDP = kernel data page -# EDP = emulator data page -# EWA = exception working area? -# IRP = interrupt *response* page? - -# 0x564 : 0x6e0 (the end) is code! -# some of this info from SheepShaver, so possibly dodgy -p.struct('ConfigInfo', { - 0x008: 'bl_fffff93c', - 0x024: 'bl_fffff93c', - 0x040: 'bl_fffff93c_from_start', - 0x044: 'DiagPEFBundleOffset', - 0x04c: 'KernelCodeOffset', - 0x05c: 'OpcodeTableOffset_bl_fffff93c', # replaced in NKv2? - 0x064: 'rom_version_string_16char', - 0x078: '00000100', - 0x080: 'emu_offset_80', - 0x084: 'emu_offset_e8c0', - 0x098: 'u8_pih_kind', - 0x09c: 'logi_InfoRecord', # 5fffe000 - 0x0a0: 'logi_KernelData', # 68ffe000 - 0x0a4: 'logi_EmulatorData', # 68fff000 - 0x0a8: 'logi_DispatchTable', # 68080000 - 0x0ac: 'logi_EmulatorCode', # 68060000 - 0x35c: '40820160', - 0x360: 'phys_ram_base', - 0xfd8: '68k_reset_vector', # out of range of struct -}) - -p.struct('sys_info', { - 0x00: 'u32_ram_size', - 0x2c: 'phys_toolboxrom', -}) - -p.struct('hw_info', { - 0x038: 'rtas_private_data', -}) - -p.struct('irp', { - 0xdc0: 'phys_ram', - 0xf00: 'irp_start', -}) - -p.struct('kdp', { - -0xb90: 'htab_lock', - -0xb70: 'pih_lock', - -0xb50: 'sch_lock', - -0xb30: 'thud_lock', - -0xb10: 'rtas_lock', - -0xaf0: 'dbug_lock', - -0xad0: 'pool_lock', - - -0x41c: 'system_address_space', - -0x360: 'uint16_log_window_y', - -0x35e: 'uint16_log_window_x', - -0x35c: 'uint16_log_window_height', - -0x35a: 'uint16_log_window_width', - -0x020: 'irp', - 0x288: 'bat0l', - 0x28c: 'bat0u', - 0x298: 'bat1l', - 0x29c: 'bat1u', - 0x2a8: 'bat2l', - 0x2ac: 'bat2u', - 0x2b8: 'bat3l', - 0x2bc: 'bat3u', - 0x5b0: 'pih_proc_ptr', - 0x630: 'pa_ConfigInfo', - 0x634: 'pa_edp', - 0x640: 'phys_ram_base', - 0x644: 'configinfo_40820160', - 0x64c: 'phys_kern_base', - 0x648: 'emu_e8c0', - 0x650: 'phys_funny_debug_place', - 0x658: 'system_context', - 0x6a8: 'phys_pages', - 0x6ac: 'logi_pages', - 0x6b4: 'VMMaxVirtualPages', - 0xb50: 'big_lock', - 0x908: 'rtas_proc', # 'RTAS' or 0 - 0x90c: 'rtas_private_data', - 0xec4: 'blue_task', - - # start of processor_info - 0xf20: 'u32_pvr', - 0xf24: 'u32_cpu_clock_freq', - 0xf28: 'u32_bus_freq', - 0xf2c: 'u32_timebase_freq', - # below here gets overwritten on old cpus - 0xf30: 'u32_cpuinfo_page_size', - 0xf34: 'u32_cpuinfo_dcache_size', - 0xf38: 'u32_cpuinfo_icache_size', - 0xf3c: 'u16_cpuinfo_coherency_block_size', - 0xf3e: 'u16_cpuinfo_reservation_granule_size', - 0xf40: 'u16_cpuinfo_unified_caches', - 0xf42: 'u16_cpuinfo_icache_line_size', - 0xf44: 'u16_cpuinfo_dcache_line_size', - 0xf46: 'u16_cpuinfo_dcache_block_size_touch', - 0xf48: 'u16_cpuinfo_icache_block_size', - 0xf4a: 'u16_cpuinfo_dcache_block_size', - 0xf4c: 'u16_cpuinfo_icache_assoc', - 0xf4e: 'u16_cpuinfo_dcache_assoc', - 0xf50: 'u16_cpuinfo_tlb_size', - 0xf52: 'u16_cpuinfo_tlb_assoc', - # - # 108 bytes yet unaccounted for ... 0xfc0 - # but in Trampoline processor info, mostly empty - # Probably related to L2 cache. - # end of processor_info - - 0xfe4: 'u16_version', - - 0x1184: 'la_emulator_entry', - 0x119c: 'la_opcode_tbl', -}) - -p.struct('ewa', { # same as a system context! - -0xb90: 'psa', # what's a PSA? - -0x340: 'cpu_id', - -0x338: 'sch_info_struct', - -0x116: 'cpu_which', - -0x01c: 'address_space_struct', - -0x008: 'cur_task_struct', - 0x0d4: 'xer', -}) - -p.struct('task', { - 0x00: 'id', - 0x60: 'owning_process_id', - 0x6c: 'owning_process_struct', - 0x74: 'fourcc', -}) - -p.struct('addrspc', { - 0x00: 'id', -}) - -p.struct('lock', { - 0x00: 'count', - 0x04: 'fourcc', - 0x10: 'holder', -}) - -# Strings (and sometimes arrays) between a bl and an mflr are common -# -# An alternative way to customise control flow is to add an edge before disassembly. -# - -blrls_with_data = [ - 0x17678, - 0x19018, - 0x19058, - 0x190a0, - 0x19ab0, - 0x19b00, - 0x19b20, -] - -returned_blrls = [ - 0x0665c, - 0x00bcc, - 0x00c08, - 0x00c58, - 0x00cb0, - 0x00d14, - 0x00d90, - 0x00da8, - 0x00e60, - 0x00e9c, - 0x00f88, - 0x010b8, - 0x010c4, - 0x048ac, -] - -def bl_literals(insn): - if insn.mnemonic == 'blrl': - if insn.address in blrls_with_data: - return False - elif insn.address in returned_blrls: - return True - else: - return False - - if 'lr' in insn.mnemonic or 'ctr' in insn.mnemonic: - return False - - # Try something different: - data_start = insn.address + insn.size - data_end = insn.operands[-1].imm - - if p.data[data_end] >> 2 != 0x1f: return True - - if not 4 <= (data_end - data_start) < 80: return True - - data = p.data[data_start : data_end] - if b'\x60\x00\x00\x00' in data: return True - if b'\0' not in data[::4] and not data.endswith(b'\0\0'): return True - - p.label(data_end, '1') - - # String literal? - if b'\0' not in data.rstrip(b'\0') and data.endswith(b'\0\0'): - nul_stripped = data.rstrip(b'\0') - str_end = data_start + len(nul_stripped) - - for i in range(data_start, data_end): - p.semantic_list[i] = None - p._insert_semantic(da._SemanticString(data_start, nul_stripped)) - p._insert_semantic(da._SemanticFixedSize(str_end, b'\0\0')) - - return False - -p.linkreg_data_checker = bl_literals - - -# -# Boot entry point -# -p.flow_graph.add_edge('boot_newworld', 0x00000, obj=da._FlowEdge()) -p.flow_graph.add_edge('boot_oldworld', 0x00040, obj=da._FlowEdge()) -p.flow_graph.add_edge('temp', 0x08804, obj=da._FlowEdge()) - -p.flow_graph.add_edge(0x0003c, 'ConfigInfo.bl_fffff93c_from_start', obj=da._FlowEdge()) - - -# -# This is pretty messy, because it needs to be done before disassembly time. -# - -lisori_caller_name = 'lisori_caller' - -lisori_offsets_and_callers = [ - # Earliest lisoris - (0x000e8, [lisori_caller_name, ]), - (0x00810, [lisori_caller_name, ]), - - # To functions from setup - (0x01394, [lisori_caller_name, ]), - (0x013a4, [lisori_caller_name, ]), - (0x014e8, [lisori_caller_name, ]), - (0x01530, [lisori_caller_name, ]), - (0x01554, [lisori_caller_name, ]), - (0x01568, [lisori_caller_name, ]), - (0x0157c, [lisori_caller_name, ]), - (0x01590, [lisori_caller_name, ]), - (0x015a4, [lisori_caller_name, ]), - (0x015b4, [lisori_caller_name, ]), - (0x015c4, [lisori_caller_name, ]), - (0x015d8, [lisori_caller_name, ]), - (0x015ec, [lisori_caller_name, ]), - (0x01600, [lisori_caller_name, ]), - (0x01614, [lisori_caller_name, ]), - (0x01628, [lisori_caller_name, ]), - (0x0163c, [lisori_caller_name, ]), - (0x01658, [lisori_caller_name, ]), - (0x0166c, [lisori_caller_name, ]), - (0x01684, [lisori_caller_name, ]), - (0x01694, [lisori_caller_name, ]), - (0x016a4, [lisori_caller_name, ]), - (0x016b4, [lisori_caller_name, ]), - (0x016c4, [lisori_caller_name, ]), - (0x016dc, [lisori_caller_name, ]), - (0x016ec, [lisori_caller_name, ]), - (0x016fc, [lisori_caller_name, ]), - (0x0170c, [lisori_caller_name, ]), - (0x01724, [lisori_caller_name, ]), - (0x01734, [lisori_caller_name, ]), - (0x01744, [lisori_caller_name, ]), - (0x01754, [lisori_caller_name, ]), - (0x01764, [lisori_caller_name, ]), - (0x01784, [lisori_caller_name, ]), - (0x01794, [lisori_caller_name, ]), - (0x017a4, [lisori_caller_name, ]), - (0x017b4, [lisori_caller_name, ]), - (0x017c4, [lisori_caller_name, ]), - (0x017d4, [lisori_caller_name, ]), - (0x017e4, [lisori_caller_name, ]), - (0x017f4, [lisori_caller_name, ]), - (0x01804, [lisori_caller_name, ]), - (0x01814, [lisori_caller_name, ]), - (0x01f04, [lisori_caller_name, ]), - - # And the rest - (0x0687c, [lisori_caller_name, ]), - (0x07658, [lisori_caller_name, ]), - (0x0795c, [lisori_caller_name, ]), - (0x07a88, [lisori_caller_name, ]), - (0x07d10, []), - (0x07dac, []), - (0x08788, []), - (0x08794, []), - #(0x098f4, [lisori_caller_name, ]), - (0x09ce4, [lisori_caller_name, ]), - (0x09d00, [lisori_caller_name, ]), - (0x0aef4, []), - (0x0bc2c, [lisori_caller_name, ]), - (0x0bccc, [lisori_caller_name, ]), - (0x0bdc8, [lisori_caller_name, ]), - (0x12fa0, []), -] - -for offset, callers in lisori_offsets_and_callers: - callee = p.read_lisori(offset) - for caller in callers: - p.flow_graph.add_edge(caller, callee, obj=da._FlowEdge()) - -# -# syscall jump points -# -tbl_base = 0x0acb8 -syscall_count = 134 -syscall_majors = [] - -syscall_names = { - 2: 'NKRegisterCpuPlugin', - 46: 'NKCpuPlugin', - 45: 'NKStopScheduling', - 99: 'NKSetBlueProcessID', - 126: 'NKSetTaskType', - 57: 'NKThrowException', - 68: 'NKGetPageSizeClasses', - 69: 'NKGetPageSize', - 117: 'NKCurrentAddressSpace', - 118: 'NKHomeAddressSpace', - 119: 'NKSetTaskAddressSpace', - 76: 'NKSetAreaAccess', - 100: 'NKGetFreePageCount', - 101: 'NKGetUnheldFreePageCount', - 85: 'NKMapPage', - 86: 'NKUnmapPages', - 127: 'NKMakePhysicallyContiguous', - 87: 'NKLockPages', - 88: 'NKUnlockPages', - 89: 'NKHoldPages', - 90: 'NKUnholdPages', - 104: 'NKRegisterThermalHandler', - 105: 'NKRegisterPMFHandler', - 106: 'NKMarkPMFTask', - 121: 'NKRegisterExternalHandler', - # 122: 'NKPropogateExternalInterrupt', - 131: 'NKSetClockStep', - 132: 'NKSetClockDriftCorrection', - - # As it turns out, these would only work on debug builds! - # 109: 'NKSetPrInfoPageSize', - # 110: 'NKSetPrInfoILockSizes', - # 111: 'NKSetPrInfoTransCache', - # 112: 'NKSetPrInfoL1Cache', - # 113: 'NKSetPrInfoL2Cache', -} - -for i in range(syscall_count): - entry_offset = tbl_base + i*4 - - entry = p.semantic_list[entry_offset].get_imm_val(0) - target_offset = i*4 + entry - syscall_majors.append(target_offset) - - new_expr = '(%d:^-.) + (%d:^-0:^)' % (tbl_base, target_offset) - - p.indirect_imm(entry_offset, 0, new_expr) - p.flow_graph.add_edge(0x0af08, target_offset, obj=da._FlowEdge(taken_branch=True)) - p.major_list.split_at(target_offset) - p.major_cmt_dict[target_offset].append('syscall %d' % i) - - -p.flow_graph.add_edge(0x0af08, 0x0af0c, obj=da._FlowEdge()) - - -# -# Debugger command jumps (indirect via blrl-loaded list) -# -tbl_base = 0x1769c - -cmd_names = [ - 'dumpmem_physical', - 'dumpmem_logical', - 'goto', - 'opaque_id_info', - 'display_kern_data', - 'dump_registers', - 'help', - 'help', -] - -for i in range(8): - entry_offset = tbl_base + i*4 - entry = p.semantic_list[entry_offset].get_imm_val(0) - target_offset = tbl_base + entry - - p.indirect_imm(entry_offset, 0, '%d:^ - %d:^' % (target_offset, tbl_base)) - p.flow_graph.add_edge(tbl_base-4, target_offset, obj=da._FlowEdge(taken_branch=True)) - p.label(target_offset, 'cmd_%s' % cmd_names[i]) - - -p.flow_graph.add_edge('who_the_hell_knows', 0x05800, obj=da._FlowEdge()) - -# -# Another thing that rather awkwardly must go *before* the disassembly stage -# -list_base = 0x154a8 -for short_offset in range(list_base, 0x154c0, 2): - entry_b = p.data[short_offset : short_offset+2] - entry = int.from_bytes(entry_b, byteorder='big') - target = list_base + entry - p._insert_semantic(da._SemanticFixedSize(short_offset, entry_b)) - - if not entry: continue - p.flow_graph.add_edge(0x04668, target, obj=da._FlowEdge(taken_branch=True)) - p.indirect_imm(short_offset, 0, '%d:^ - %d:^' % (target, list_base)) - - -for target in range(0x07674, 0x076b4, 4): - p.flow_graph.add_edge(0x07670, target, da._FlowEdge(taken_branch=True)) - -# -# Copied code! -# -p.flow_graph.add_edge(0x00bcc, 0x00fd4, obj=da._FlowEdge(taken_branch=True)) -p.flow_graph.add_edge(0x00c08, 0x00fd4, obj=da._FlowEdge(taken_branch=True)) -p.flow_graph.add_edge(0x00c58, 0x00fd4, obj=da._FlowEdge(taken_branch=True)) -p.flow_graph.add_edge(0x00cb0, 0x00fd4, obj=da._FlowEdge(taken_branch=True)) -p.flow_graph.add_edge(0x00d14, 0x00fd4, obj=da._FlowEdge(taken_branch=True)) - -p.flow_graph.add_edge(0x00e60, 0x01088, obj=da._FlowEdge(taken_branch=True)) -p.flow_graph.add_edge(0x00e9c, 0x01088, obj=da._FlowEdge(taken_branch=True)) -p.flow_graph.add_edge(0x00e60, 0x01088, obj=da._FlowEdge(taken_branch=True)) -p.flow_graph.add_edge(0x00f88, 0x01088, obj=da._FlowEdge(taken_branch=True)) - -# -# Duh. -# -p.disasm() - - -# -# Use the best-guess function-finder -# -p.guess_majors() - -# -# Need to use setup_lisoris from before, now that I can do indirects -# -for offset, callers in lisori_offsets_and_callers: - try: - p.indirect_lisori(offset) - except ValueError: - print('Lisori at 0x%05x not yet disassembled?' % offset) - p.major_list.split_at(offset) - - -# -# And stuff I've figured out by iterating frantically -# - -p.major(0x00000, 0x00040, 'nk_start') -p.arg('r3', 'ConfigInfo') -p.arg('r4', 'processor_info') -p.arg('r5', 'sys_info') -p.arg('r6', 'boot_r6') -p.arg('r7', 'rtas_fourcc') -p.arg('r8', 'rtas_proc') -p.arg('r9', 'boot_hw_info') -p.cmt('Entry point from Trampoline on NewWorld.') -p.cmt('Only continues loading if the DR (data address translation) bit of the MSR is unset. Be not fooled by the linking call, which never returns. If DR is set, then we RFI to a location *in* the ConfigInfo struct with DR and IR unset, and r9 containing the address of our caller ') - - -p.major(0x00040, 0x00400, 'replace_old_kernel') -p.indirect_imm(0x000d8, 0) -p.label(0x000d8, '88') -p.label(0x000dc, '99') -p.indirect_imm(0x000e0, 2, '0:^ - 0x000d8:^ - 4') - -p.major(0x00400, 0x00484, '') - -p.major(0x00484, 0x004a8, 'wipe_irp') -p.arg('r1', 'kdp') -p.cmt('Fill the irp with 0x68f1.') - -p.major(0x004a8, 0x00fd4, 'new_world') -p.arg('r3', 'ConfigInfo') -p.arg('r4', 'processor_info') -p.arg('r5', 'sys_info') -p.arg('r6', 'boot_r6') -p.arg('r7', 'rtas_fourcc', end=0x00680) -p.arg('r8', 'rtas_proc', end=0x00710) -p.arg('r9', 'boot_hw_info') -p.cmt('1. Fill segment registers very basically.') -p.cmt('2. Zero the BAT.') -p.cmt('3. Lay out the kernel\'s memory and copy some tables.') -p.cmt('4. Print the first debug message: "Hello from..."') -p.cmt('5. Choose an interrupt handler.') -p.cmt('6. Copy some ConfigInfo stuff.') -p.cmt('7. Override info for old CPUs then go to main setup.') -p.cmt('8. Do something with caches for newer G4s.') -p.cmt(0x004ac, 'Load seg reg 0 with 0x20000000 and all others with zeros') -p.cmt(0x004f8, 'Get all but lowest bit of CPU version') -p.cmt(0x00504, 'CPU is 601:') -p.label(0x00548, 'end_if_601') -p.label(0x00520, 'not_601') -p.cmt(0x00550, 'search sys_info for the physical address of the Toolbox ROM') -p.cmt(0x0055c, 'now r11=toolbox and r12=ram') -p.cmt('Some really tricky stuff happens here with the memory data.') -p.cmt('The location of the KDP and the irp get chosen.') -p.ptr(0x00618, 0x00fd4, 'r1', 'kdp') -p.ptr(0x00680, 0x0070c, 'r9', 'hw_info') -p.label(0x006ac, 'no_rtas') -p.label(0x006b4, 'end_if_rtas') -p.indirect_imm(0x00800, 0) -p.label(0x00800, '88') -p.label(0x00804, '99') -p.indirect_imm(0x00808, 2, '0:^ - 0x00800:^ - 4') -p.cmt(0x00a1c, 'check for several (some unknown) pre-7410 CPUs, and load their info') -p.indirect_imm(0x00a20, 2, '0x0120c:^ - 0:^') -p.cmt(0x00a90, 'get base of page table (why?)') -p.cmt(0x00a94, 'r21 = SDR1 & 0xffff0000') -p.cmt(0x00a98, 'r22 = (SDR1 << 16) & 0x007F0000') -p.indirect_imm(0x00b74, 1, '(0x01088:$ - 0x00fd4:^) / 4') -p.indirect_imm(0x00b80, 2, '0x01088:$ - 0:^') -p.indirect_imm(0x00dbc, 1, '(0x0114c:$ - 0x01088:^) / 4') -p.indirect_imm(0x00dc8, 2, '0x0114c:$ - 0:^') -p.label(0x00fd0, 'skip_cache_hackery_never') - -p.major(0x00fd4, 0x01088, 'copied_code_1') - -p.major(0x01088, 0x0114c, 'copied_code_2') - -p.major(0x0114c, 0x0115c, 'cpu_pre_7410_infobytes_1') -p.major(0x0115c, 0x0116c, 'cpu_7410plus_infobytes_1') -p.major(0x0116c, 0x0117c, 'cpu_pre_7410_infobytes_2') -p.major(0x0117c, 0x0118c, 'cpu_7410plus_infobytes_2') -p.major(0x0118c, 0x011cc, 'cpu_pre_7410_infolongs') -p.major(0x011cc, 0x0120c, 'cpu_7410plus_infolongs') - -p.major(0x0120c, 0x01350, 'cpuinfo_override_table') -p.cmt('For 7400(only) and earlier CPUs. Overwrites info in KDP copied from bootloader.') - -p.major(0x01350, 0x01360, 'new_world_hardcode_cpu_info') -p.cmt('All G3s and earler, plus the G4-7400 (only). Overwrite part of the CPU info that we got from the bootloader (the important bits), and go to setup.') -p.arg('r3', 'ConfigInfo') -p.arg('r4', 'processor_info') -p.arg('r5', 'sys_info') -p.arg('r6', 'boot_r6') -p.arg('r9', 'cpuinfo_size') -p.arg('r10', 'kdp_cpuinfo') -p.arg('r11', 'static_cpuinfo') - -p.major(0x01360, 0x01430, 'new_world_final_common') -p.arg('r1', 'kdp') - -p.major(0x01430, 0x01434, 'setup_new_world') -p.cmt('Sometimes (?) on NewWorld machines, blue issues a 68k reset trap to reinit the kernel. Rene says that this is necessary to set up address spaces.') -p.arg('r1', 'kdp') - -p.major(0x01434, 0x02674, 'setup') -p.cmt('Final common pathway. Prints a whole heap of stuff.') -p.cmt('cr5.eq is set for OldWorld, unset for NewWorld') -p.cmt('') -p.cmt('SPRG0: ("EWA" -- core-specific Exception Work Area)') -p.cmt('"Software may load a unique physical address in this register to identify an area of memory reserved for use by the first-level exception handler. This area must be unique for each processor in the system."') -p.cmt('') -p.cmt('SPRG1: ("r1" = "KDP" = kernel data page)') -p.cmt('"This register may be used as a scratch register by the first-level exception handler to save the content of a GPR. That GPR then can be loaded from SPRG0 and used as a base register to save other GPRs to memory."') -p.cmt('') -p.cmt('SPRG2: ("LR" = interrupt-saved link register') -p.cmt('"This register may be used by the operating system as needed."') -p.cmt('') -p.cmt('SPRG3: ("vecBase" = pointer to one of six 48-member vector tables in KDP or KCP)') -p.cmt('"This register may be used by the operating system as needed."') -p.arg('r1', 'kdp') -p.cmt(0x014b8, 'Copy 64b from 0xfc0(kdp) to 0xfc0(irp)...') -p.cmt(0x014dc, '...done') -p.cmt(0x014e8, 'Fill SIX vector tables, in kdp and below, with CRASHes...') -p.cmt(0x01530, '...done') -p.cmt(0x01530, 'Fill ONE vector table, below kdp, with something ELSE...') -p.cmt(0x01548, '...done') -p.cmt(0x0154c, 'Point SPRG3=vecBase at one of those tables.') -p.ptr(0x0154c, 0x01680, 'r9', 'kdp', p.semantic_list[0x0154c-4].get_imm_val(2)) -p.ptr(0x01554, 0x01680, 'r8', 'kdp', p.semantic_list[0x01554-4].get_imm_val(2)) -p.ptr(0x01684, 0x016d0, 'r8', 'kdp', p.semantic_list[0x01684-4].get_imm_val(2)) -p.ptr(0x016d4, 0x01720, 'r8', 'kdp', p.semantic_list[0x016d4-4].get_imm_val(2)) -p.ptr(0x01724, 0x01770, 'r8', 'kdp', p.semantic_list[0x01724-4].get_imm_val(2)) -p.ptr(0x01774, 0x01824, 'r8', 'kdp', p.semantic_list[0x01774-4].get_imm_val(2)) -p.label(0x01778, 'loop_memset') -p.cmt(0x01824, 'super boring stuff over. now cpu-specific stuff!') -p.cmt('(I have only listed CPUs that I think Apple used)') -p.cmt('PVR = version << 16 | revision') -p.cmt('') -p.cmt('Pre-G3:') -p.cmt('0001 = 601') -p.cmt('0003 = 603') -p.cmt('0006 = 603e') -p.cmt('0007 = 606ev/606r') -p.cmt('0004 = 604') -p.cmt('0004 = 604e') -p.cmt('') -p.cmt('G3:') -p.cmt('0008 = 750/750CX/750CXe/755') -p.cmt('0007 = 750FX') -p.cmt('') -p.cmt('G4:') -p.cmt('000c = 7400') -p.cmt('800c = 7410') -p.cmt('8000 = 7450') -p.cmt('8001 = 7445/7455') -p.cmt('8002 = 7447/7457 (upgrades only!)') -p.cmt('') -p.cmt('G5:') -p.cmt('0039 = 970') -p.cmt('003c = 970FX') -p.cmt(0x01834, 'pre-7410 CPUs (not that a 7400 is anything like a G3)') -p.cmt(0x01838, 'the only CPUs >= 0x0010 are G5s') -p.label(0x01840, 'skip_zeroing_G5') -p.label(0x01870, 'G4_7410_or_later') -p.cmt(0x01870, 'clear the high (8000) bit and have fun') -p.cmt(0x0187c, 'treat 8010 (doesnt exist) as 8FF0 -- why??') -p.label(0x01880, 'skip_spoofing_weird_G4') -p.cmt(0x018b0, 'im not even going to complain that this compiler is so dumb') -p.label(0x018b4, 'post_cpu_specific') -p.cmt(0x018b4, 'fill a buncha r1 stuff with 0xFFFFFFFF') - -p.cmt(0x018c8, 'Initialise the seven kernel locks with zero in the count field...') -p.cmt(0x018e8, '...and a name in the fourcc field.') -for x in range(0x018e8, 0x0193c, 12): - p.indirect_str_lisori(x) - p.cmt(x + 12, '') - -p.cmt(0x01954, 'Now what?') -p.indirect_str_lisori(0x01984) -p.indirect_str(0x0199c, 1) -p.indirect_str(0x019a4, 2) -p.indirect_str(0x01d3c, 1) -p.indirect_str(0x01d40, 2) -p.indirect_str(0x01ebc, 1) -p.indirect_str(0x01ec0, 2) -p.label(0x024e4, '*_skip_grabbing_more_pages') -p.label(0x0255c, 'finish_old_world') - -p.major(0x02674, 0x026cc, 'undo_failed_kernel_replacement') -p.cmt('Inits or reinits the log') - -p.major(0x026cc, 0x026f0, 'old_world_rfi_to_userspace_boot') -p.arg('r1', 'kdp') - -p.major(0x02700, 0x0289c, 'lock') -p.cmt('Gets something from -0x340(ewa)') -p.cmt('Lock struct: word@0=count, word@16=holder') -p.cmt('Return pretty quick-smart if we get the lock.') -p.cmt('If hands must be dirtied, put r22-r31 into EWA.') -p.arg('r8', 'lock') -p.ptr(0x0270c, 0x02714, 'r9', 'kdp') -p.ptr(0x02730, 0x0289c, 'r9', 'kdp') -p.label(0x02730, '*_already_held') - -p.major(0x0289c, 0x02940, 'spinlock_what') - -p.major(0x02940, 0x02944, 'panic_wrapper_0x02940') - -p.major(0x02960, 0x02964, 'panic_wrapper_0x02960') - -p.major(0x02cb0, 0x02ccc, 'skeleton_key') -p.cmt('Called when a Gary reset trap is called. When else?') - -p.major(0x03b40, 0x03bd8, 'dsi_vector') - -p.major(0x03d40, 0x03d98, 'int_prepare') -p.arg('r6', 'saved at *(ewa + 0x18)') -p.arg('sprg1', 'saved at *(ewa + 4)') -p.arg('rN (0,7,8,9,10,11,12,13, not r1)', 'saved at *(*(ewa - 0x14) + 0x104 + 8*N)') -p.ret('r0', '0') -p.ret('r1', '*(ewa - 4)') -p.ret('r6', 'kdp') -p.ret('r7', '*(ewa - 0x10) # flags?') -p.ret('r8', 'ewa') -p.ret('r10', 'srr0') -p.ret('r11', 'srr1') -p.ret('r12', 'sprg2') -p.ret('r13', 'cr') - -p.major(0x03ce0, 0x03d34, 'save_all_registers') - -p.major(0x037c8, 0x03934, 'memretry_machine_check') - -p.major(0x04508, 0x04518, 'wordfill') -p.arg('r8', 'dest') -p.arg('r22', 'len in bytes') -p.arg('r23', 'fillword') - -p.major(0x04520, 0x045b0, 'reset_trap') -p.cmt('Handle a 68k reset trap.') -p.cmt('Some messing around with 601 RTC vs later timebase registers.') -p.cmt("If Gary Davidian's first name and birthdate were in the 68k's A0/A1 (the 'skeleton key'), do something. Otherwise, farm it out to non_skeleton_reset_trap.") -p.arg('r3', 'a0') -p.arg('r4', 'a1') -p.indirect_str(0x0452c, 2) -p.label(0x0453c, '*_cpu_not_601') -p.label(0x04540, '*_endif') -p.indirect_str(0x04544, 1) - -p.major(0x045b0, 0x04660, 'non_skeleton_reset_trap') -p.cmt("A 68k reset trap without Gary Davidian's magic numbers.") - -p.major(0x04660, 0x0466c, 'pih_indirect') -p.arg('r1', 'kdp') - -p.major(0x04680, 0x046d0, 'regsave_debug') -p.cmt('r2-r5 and r14-r31 (real registers) and r6-r13 (regsave) into compact area, then debug.') -p.arg('r1', 'compact area') - -p.major(0x048e0, 0x04a20, 'SIGP') -p.cmt('Really need to figure out what this does...') -p.arg('r7', 'flags') -p.arg('r8', 'usually 2?') - -p.major(0x04ac0, 0x04b54, 'sc_vector') -p.cmt('Not fully sure about this one') -p.label(0x04b38, '*_not_special') - -p.major(0x04b80, 0x04bbc, 'return_to_kern_from_dummy_interrupt') - -p.major(0x04c00, 0x04c04, 'panic_wrapper_0x04c00') - -p.major(0x05278, 0x054b8, '') - -p.major(0x05524, 0x055e0, '') - -p.major(0x055e0, 0x05618, 'flush_tlb') - -p.major(0x05800, 0x05808, 'funny_debug_place') - -p.major(0x06870, 0x06a14, '') -p.cmt('Mess with some whacko undocumented SPRs. QEMU complains. Called by setup. Boots fine if clobbered? Temporarily overwrites a KDP vector with a dummy handler. Knowing what vec[7] does will help.') - -p.indirect_lisori(0x07658) - -p.major(0x08620, 0x08624, 'panic_wrapper_0x08620') - -p.major(0x09ce0, 0x09d1c, 'panic_offset_to_r1_minus_0x810_x48__0x9dfc_to_prev_plus_4_20_36') - -p.major(0x09d20, 0x09dfc, 'bootstrap_cpu') -p.cmt('NB: I was probably wrong about this.') -p.cmt('Contains a (very rare) mtsprg0 instruction.') -p.indirect_imm(0x0a408, 0) -p.label(0x0a408, '88') -p.label(0x0a40c, '99') -p.indirect_imm(0x0a410, 2, '0x0a600:^ - 0x0a408:^ - 4') - - -p.major(0x0a620, 0x0a624, 'panic_wrapper_0x0a620') - -p.major(0x0a640, 0x0a8bc, 'rtas_call') -p.arg('r1', 'kdp') -p.arg('r6', 'some kind of place') -p.arg('r7', 'some kind of flags') -p.cmt('Only major that hits the RTAS globals.') -p.cmt('RTAS requires some specific context stuff.') -p.label(0x0a654, 'rtas_is_available') -p.label(0x0a8b4, 'rtas_make_actual_call') - -p.major(0x0aca0, 0x0af0c, 'syscall') -p.arg('r1', 'kdp') -p.arg('r6', 'save area') -p.label(0x0acb8, '*_tbl') -p.label(0x0aed0, '*_tbl_end', of_start=False) -p.cmt(0x0aed0, 'Increment a counter. All but LS 10 bits ignored, giving 1024 entries.') -p.cmt('r16 = &perf_tbl') -p.cmt('r17 = offset into counter table') -p.label(0x0aeec, '*_skip_counter') -p.indirect_imm(0x0aeec, 1, '(0x0aed0:^-0x0acb8:^)/4') -p.cmt(0x0aeec, 'r14 = offset of entry in jump table') -p.cmt('r16 = offset of jump table in kernel') -p.cmt('r15 = content of entry') -p.cmt('jump assumes kernel mapped at zero') -p.indirect_lisori(0x0aef4) - -p.major(0x0af38, 0x0af58, 'syscall_return_assert_lock_unheld') -p.arg('r1', 'kdp') - -p.major(0x0af0c, 0x0af14, 'bad_syscall') -p.cmt('Handler for out-of-range or unimplemented (debug) syscalls.') - -p.major(0x0af58, 0x0af60, 'syscall_return_noErr') - -p.major(0x0b024, 0x0b02c, 'syscall_return_kMPInsufficientResourcesErr') - -p.major(0x0b04c, 0x0b054, 'syscall_return_wtf') - -p.major(0x0b074, 0x0b07c, 'syscall_return_paramErr') - -p.major(0x0b0c4, 0x0b0cc, 'syscall_return_kMPInvalidIDErr') - -p.major(0x0b0f4, 0x0b0fc, 'syscall_return_noErr_again') - -p.major(0x0b124, 0x0b144, 'syscall_return') - -p.major(0x0b144, 0x0b248, '') - -p.major(0x0b24c, 0x0b3b0, 'NKRegisterCpuPlugin') - -p.major(0x0b3b0, 0x0b3cc, 'nk_cpu_count') -p.cmt('Called by MPProcessors and MPProcessorsScheduled') -p.arg('r3', '0:all, 1:scheduled') -p.ret('r3', 'cpu_count') - -p.major(0x0b598, 0x0b640, 'nk_yield_with_hint') - -p.major(0x0b76c, 0x0b788, 'nk_get_next_id_unowned') -p.cmt('Replace the provided process/coherence/console ID with the "next" one. IDs were opaque but were only longs. Wrapped by MPGetNext*ID, which indirects the opaque ID structure.') -p.cmt('') -p.cmt('From MP docs: A coherence group is the set of processors and other bus controllers that have cache-coherent access to memory. Mac OS 9 defines only one coherence group, which is all the processors that can access internal memory (RAM). Other coherence groups are possible; for example, a PCI card with its own memory and processors can comprise a coherence group.') -p.arg('r3', 'kind (process=1,coherence=10,console=13)') -p.arg('r4', 'prev_id') -p.ret('r3', 'MP result code') -p.ret('r4', 'next_id') - -p.major(0x0bd44, 0x0bdfc, 'NKStopScheduling') - -# odd to find this here -p.major(0x0be4c, 0x0be50, '_bad_syscall') - -p.major(0x0be50, 0x0beac, 'NKxprintf') - -p.major(0x0c12c, 0x0c240, 'NKSetClockStep') -p.cmt('Debug string matches MPLibrary!') -p.cmt('0xf7e(r1) = clock_step (half-word)') -p.arg('r3', 'new_clock_step # (half-word)') - -p.major(0x0b788, 0x0b8b8, 'nk_get_next_id_owned') -p.cmt('Replace the provided address space/task/queue/semaphore/critical region/timer/event/notification ID with the "next" one. IDs were opaque but were only longs. Wrapped by MPGetNext*ID, which indirects the opaque ID structure. Differs from nk_get_next_id_unowned because it deals in objects owned by a particular process.') -p.arg('r3', 'owningProcessID') -p.arg('r4', 'kind (task=2,timer=3,queue=4,sema=5,crit_rgn=6,addr_spc=8,evt=9,notif=12)') -p.arg('r5', 'prev_id') -p.ret('r3', 'MP result code') -p.ret('r5', 'next_id') -p.label(0x0b798, 'try_another_id') -p.label(0x0b804, 'want_task_id') -p.label(0x0b828, 'want_timer_id') -p.label(0x0b838, 'want_queue_id') -p.label(0x0b848, 'want_sema_id') -p.label(0x0b858, 'want_critrgn_id') -p.label(0x0b868, 'want_addrspc_id') -p.label(0x0b878, 'want_evt_id') -p.label(0x0b888, 'want_11_id') -p.label(0x0b898, 'want_notif_id') -p.label(0x0b8a8, 'want_13_id') - -p.major(0x0c240, 0x0c3ac, 'adjust_tb_drift') -p.cmt("There's a one-billion constant in here, for fractional expression.") -p.cmt('-0x36c(r1) = tb_drift_numerator') -p.cmt('-0x368(r1) = tb_drift_denominator') -p.arg('r3', 'to') - -p.major(0x0c5d4, 0x0c5d8, 'panic_wrapper_0x0c5d4') - -p.major(0x0c8b4, 0x0c968, '') - -p.major(0x0ccf4, 0x0cd9c, '') - -p.major(0x0d35c, 0x0d504, '') - -p.major(0x0db04, 0x0dc0c, '') - -p.major(0x0dce8, 0x0dd64, '') - -p.major(0x0e280, 0x0e284, 'panic_wrapper_0x0e280') - -p.major(0x0e330, 0x0e548, 'mktask') - -p.major(0x0e95c, 0x0ea58, 'NKThrowException') -p.cmt('Throws an exception to a specified task.') -p.arg('r3', 'MPTaskID task') -p.arg('r4', 'MPExceptionKind kind') -p.ret('r3', 'result code') - -p.major(0x0f380, 0x0f384, 'panic_wrapper_0x0f380') - -p.major(0x0f384, 0x0f3b8, '') - -p.major(0x0f3b8, 0x0f7a0, 'convert_pmdts_to_areas') -p.cmt('Pretty obvious from log output.') - -p.major(0x0f7a0, 0x0f7a8, 'NKGetPageSizeClasses') -p.arg('r1', 'kdp') -p.ret('r3','pageClass') - -p.major(0x0f7a8, 0x0f7b8, 'NKGetPageSize') -p.arg('r1', 'kdp') -p.arg('r3', 'pageClass') -p.ret('r3', 'byteCount') - -p.major(0x0f824, 0x0f9f8, 'NKCreateAddressSpaceSub') -p.cmt('Guessing by strings -- but maybe that name applies to syscall?') - -p.major(0x0fbec, 0x10284, 'createarea') - -p.major(0x10284, 0x102a8, '') - -p.major(0x102a8, 0x102c8, '') - -p.major(0x102c8, 0x10320, '') - -p.major(0x10cb8, 0x10d38, '') - -p.major(0x114fc, 0x11538, 'free_list_add_page') -p.arg('r1', 'kdp') -p.arg('r8', 'maybe the page') - -p.major(0x12780, 0x12784, 'panic_wrapper_0x12780') - -p.major(0x12784, 0x1281c, 'pool_init') -p.arg('r1', 'kdp') -p.cmt('Allocate one page for the kernel pool. Same layout at Memtop starts at 7 pages below KDP.') -p.cmt('Take note of the structure from kdp-ab0 to kdp-aa0') -p.cmt(0x127ac, 'bit of a mystery') -p.indirect_str_lisori(0x127bc) -p.indirect_str_lisori(0x127d8) -p.indirect_str_lisori(0x127ec) -p.cmt(0x127f8, 'set up linked list') -p.indirect_str_lisori(0x1280c) - -p.major(0x1281c, 0x129a0, 'pool_malloc') -p.cmt('Easy to use! 0xfd8 (a page minus 10 words) is the largest request that can be satisfied.') -p.arg('r1','kdp') -p.arg('r8', 'size') -p.ret('r8', 'ptr') -p.label(0x12824, '*_with_crset') -p.indirect_str(0x128e0, 1) -p.indirect_str(0x128ec, 2) -p.indirect_str_lisori(0x12968) - -p.major(0x129a0, 0x129cc, 'looks_like_poolextend') - -p.major(0x129cc, 0x129fc, '') - -p.major(0x129fc, 0x12a34, '') - -p.major(0x12a34, 0x12a80, '') - -p.major(0x12a80, 0x12b94, 'poolextend') -p.cmt(' 0xed0(r1) = pool extends (I increment)') -p.cmt('-0xa9c(r1) = virt last page (I update)') -p.cmt('-0xaa0(r1) = phys last page (I update)') -p.cmt('Assumes that cache blocks are 32 bytes! Uh-oh.') -p.cmt('') -p.cmt('Page gets decorated like this:') -p.cmt("000: 00 00 0f e8") -p.cmt("004: 87 'B 'G 'N") -p.cmt("008: 00 00 0f e8") -p.cmt("00c: 87 'l 'o 'c") -p.cmt("... zeros << r8 passes ptr to here") -p.cmt("fe8: phys offset from here to prev page") -p.cmt("fec: 87 'E 'N 'D") -p.cmt("ff0: logical abs address of prev page") -p.cmt("ff4: 00 00 00 00") -p.cmt("ff8: 00 00 00 00") -p.cmt("ffc: 00 00 00 00") -p.cmt('') -p.arg('r1', 'kdp') -p.arg('r8', 'anywhere in new page (phys)') -p.arg('r9', 'page_virt') -p.label(0x12b18, '*_zeroloop') -p.cmt(0x12b28, 'Put the funny stuff in') -p.indirect_str(0x12b30, 1) -p.indirect_str(0x12b34, 2) -p.indirect_str(0x12b48, 1) -p.indirect_str(0x12b4c, 2) -p.indirect_str(0x12b64, 1) -p.indirect_str(0x12b68, 2) -p.cmt(0x12b78, 'Update globals') -p.cmt(0x12b80, 'Unknown func calls') - -p.major(0x12d40, 0x12d44, 'panic_wrapper_0x12d40') - -p.major(0x12d44, 0x12e88, 'say_nanodebugger_activated') - -p.major(0x1301c, 0x13060, 'say_starting_timeslicing') - -p.major(0x13060, 0x130f0, '') - -# SOMETHING IN THIS GAP IS NON-RELOCATABLE (and there sure is a lot of un-disassembled code here) - -p.major(0x13708, 0x13750, 'scale_timebase') -p.arg('r1', 'kdp') -p.arg('r8', 'multiple (pos: /250; neg: /250000)') -p.ret('r8', 'hi') -p.ret('r9', 'lo') -p.label(0x13728, '*_divisor_250000') -p.indirect_lisori(0x1372c, '250000') -p.label(0x13734, '*_divisor_250') - -p.major(0x13750, 0x137b4, 'bizarre') - -p.major(0x137c0, 0x137c4, 'panic_wrapper_0x137c0') - -p.major(0x137c4, 0x138ac, 'init_rdyqs') -p.arg('r1', 'kdp') -p.cmt('Four queues, hardcoded. Not sure why. Each queue knows about 0.001042*tbfreq -- timeslicing quantum?') -p.indirect_str(0x137f0, 1) -p.indirect_str(0x137f4, 2) - - -p.major(0x138ac, 0x138d4, 'save_registers_from_r14') -p.cmt('Save r14-r31 to 0x174(r6), 8-byte spaced.') -p.cmt('Looks very very optimised?') -p.cmt('stmw not used because registers are spaced out?') -p.arg('r6', 'ewa') -p.ret('r8', 'sprg0 (not used by me)') - -p.major(0x138d4, 0x1391c, 'save_registers_from_r20') -p.arg('r6', 'ewa') -p.ret('r8', 'sprg0 (not used by me)') - -p.major(0x1391c, 0x13988, 'restore_registers_from_r14') -p.cmt('Restore r14-r31 from 0x174(r6), 8-byte spaced.') -p.cmt('Again, well optimised') -p.arg('r6', 'ewa') - -p.major(0x13c90, 0x13e4c, '') - -p.major(0x13e4c, 0x13ed8, '') - -p.major(0x13ed8, 0x13f78, '') - -p.major(0x13f78, 0x142a8, '') - -p.major(0x142a8, 0x142dc, '') - -p.major(0x142dc, 0x144cc, '') - -p.major(0x144cc, 0x14548, 'int_teardown') -p.cmt('All syscalls get here?') -p.cmt('r0,7,8,9,10,11,12,13 restored from r6 area') -p.cmt('r1,6 restored from sprg0 area') -p.cmt('') -p.cmt('Apple used the "reserved" (not first three) bits of XER.') -p.cmt('If bit 27 of 0xedc(r1) is set:') -p.cmt(' Bit 22 of XER is cleared') -p.cmt(' Bit 10 of r7 is inserted into XER at bit 23') -p.arg('sprg0', 'for r1 and r6') -p.arg('r1', 'kdp') -p.arg('r6', 'register restore area') -p.arg('r7', 'flag to insert into XER') -p.arg('r10', 'new srr0 (return location)') -p.arg('r11', 'new srr1') -p.arg('r12', 'lr restore') -p.arg('r13', 'cr restore') - -p.major(0x14548, 0x148ec, '') - -p.major(0x148ec, 0x149d4, '') - -p.major(0x149d4, 0x14a90, '') - -p.major(0x14a90, 0x14a98, 'clear_cr0_lt') - -p.major(0x14a98, 0x14af8, '') - -p.major(0x14af8, 0x14bcc, '') - -p.major(0x15140, 0x15144, 'panic_wrapper_0x15140') - -p.major(0x15144, 0x151b0, 'index_init') -p.cmt('These are the first requests made of the pool!') -p.arg('r1', 'kdp') -p.indirect_str_lisori(0x1516c) -p.indirect_str_lisori(0x151a0) - -p.major(0x151b0, 0x152f8, 'alloc_id') -p.arg('r1', 'kdp') -p.arg('r9', 'kind') - -p.major(0x15380, 0x153e0, 'id_kind') -p.arg('r8', 'id') -p.ret('r8', 'something not sure what') -p.ret('r9', '0:inval, 1:proc, 2:task, 3:timer, 4:q, 5:sema, 6:cr, 7:cpu, 8:addrspc, 9:evtg, 10:cohg, 11:area, 12:not, 13:log') - -p.major(0x154a0, 0x154dc, 'get_pih_addr') -p.cmt('ConfigInfo specifies a one-byte primary interrupt handler kind. Look up function address in this table.') -p.label(0x154a8, 'pih_tbl') -p.arg('r3', 'ConfigInfo') -p.ret('r12', 'clobbered') -p.ret('r7', 'pih_pa') - -p.major(0x154e0, 0x15740, 'interrupt_blue') -p.arg('r1', 'kdp') -p.cmt('At least I think so.') - -p.major(0x15740, 0x15794, 'NKPropogateExternalInterrupt') -p.arg('r1', 'kdp') - -p.major(0x15800, 0x15840, 'machine_specific_lut') - -p.major(0x15840, 0x158e4, 'pdm_pih_01') -p.arg('r1', 'kdp') -p.cmt('Piltdown Man = first ("G1") Power Macs. NuBus. Models 61xx, 71xx, 81xx.') -p.indirect_lisori(0x158cc) - -p.major(0x15900, 0x159a8, 'pbx_pih_03') -p.arg('r1', 'kdp') -p.cmt('PBX = NuBus PowerBooks. Possibly not including the 5300?') - -p.major(0x159c0, 0x15ad0, 'gazelle_pih_05') -p.arg('r1', 'kdp') -p.cmt('Gazelle = later low-end "G2" Power Macs. 603 series processors. PCI. Models 54xx-55xx, 64xx-65xx.') -p.cmt('The 54xx/64xx ROM actually identifies as Alchemy, not Gazelle, and SheepShaver considers this difference when patching the ROM Nanokernels. But, Wikipedia describes these machines as minor upgrades, EveryMac calls them Gazelle, and they use the same PIH type.') - -p.major(0x15b00, 0x15be4, 'tnt_pih_02') -p.arg('r1', 'kdp') -p.cmt('TNT = High-end and mid-range "G2" Power Macs. PCI. 603 and 604 series processors. Models 7200-7600, 8500-8600, 9500-9600.') - -p.major(0x15c00, 0x15d24, 'gossamer_pih_07') -p.arg('r1', 'kdp') -p.cmt('Gossamer = beige G3. PIH 07 also used for GRX = OldWorld PowerBook G3 Series.') - -p.major(0x15d40, 0x15e20, 'nwpbg3_pih_0a') -p.arg('r1', 'kdp') -p.cmt("Only ever seen this on Mikey's (NewWorld) Lombard. So apparently the Trampoline can also change the ROM's default PIH.") - -p.major(0x15e40, 0x15ef0, 'cordyceps_pih_04') -p.arg('r1', 'kdp') -p.cmt('Cordyceps = early low-end "G2" Power Macs. 603 series processors. PCI. Models 52xx-53xx, 62xx-63xx.') - -p.major(0x15f00, 0x16160, 'newworld_pih_06') -p.arg('r1', 'kdp') -p.cmt('Trampoline leaves ConfigInfo value unchanged. PIH 06 also specified in Pippin ROM.') - -p.major(0x16180, 0x163dc, 'unknown_pih_08') -p.arg('r1', 'kdp') - -p.major(0x163e0, 0x16520, 'prints') -p.cmt('Print null-terminated string with a few special escapes. Not done figuring this out, with the serial and stuff.') -p.label(0x1643c, '*_skip_serial') -for i in range(0x1644c, 0x16494, 4): - sem = p.semantic_list[i] - if sem.mnem == 'cmpwi': - p.indirect_str(i, 1) -p.label(0x16440, '*_next_char') -p.label(0x16470, '*_escape_code') -p.label(0x16494, '*_literal_backslash_or_caret') -p.label(0x1649c, '*_normal_char') -p.label(0x164c8, '*_newline') - -p.major(0x16520, 0x165cc, 'print_common') - -p.major(0x165cc, 0x165ec, 'print_return') -p.cmt('Restores registers from EWA and returns.') - -p.major(0x165ec, 0x16710, 'printd') -p.cmt('print decimal') - -p.major(0x16710, 0x16734, 'printw') -p.cmt('print word (hex) then a space') - -p.major(0x16734, 0x1675c, 'printh') -p.cmt('print halfword (hex) then a space') - -p.major(0x1675c, 0x16784, 'printb') -p.cmt('print byte (hex) then a space') - -p.major(0x16784, 0x167ac, 'print_unknown') - -p.major(0x167ac, 0x16880, 'print_digity_common') - -p.major(0x16880, 0x168ec, 'getchar') - -p.major(0x168ec, 0x16980, 'printc') -p.cmt('print char') - -p.major(0x16980, 0x16ae8, 'serial_flush') -p.cmt('This and the following func are a bit speculative, but whatever.') - -p.major(0x16ae8, 0x16b44, 'serial_io') -p.cmt('See disclaimer above.') - -p.major(0x16b44, 0x16b70, 'serial_busywait') -p.cmt('See disclaimer above.') - -p.major(0x172e0, 0x18040, 'panic') -p.cmt(0x17534, 'gets kdp from print!!!') -p.ptr(0x17534, 0x18040, 'r1', 'kdp') -p.ptr(0x17dc8, 0x18040, 'r17', 'ewa') -p.ptr(0x17ec8, 0x17fac, 'r18', 'task') -p.ptr(0x17fac, 0x18040, 'r18', 'addrspc') -p.label(0x17574, '*_prompt') -p.label(0x17678, '*_load_commands') -p.label(0x17698, 'load_*_tbl') -p.label(0x1769c, '*_tbl') -p.label(0x17c6c, '*_load_id_kind_strings') -p.label(0x17d50, '*_load_more_jumps') -p.label(0x17d8c, '*_load_id_args') -p.label(0x17660, '*_bad_command') -p.label(0x178d8, '*_missing_physical_addr') -p.label(0x17904, '*_bad_length_1') -p.label(0x179a8, '*_missing_logical_addr') -p.label(0x179d4, '*_bad_length_2') -p.label(0x17aa0, '*_bad_resume_address') -p.label(0x17bfc, '*_missing_opaque_id') -p.label(0x17c24, '*_bad_opaque_id') -for offset in (0x1767c, 0x17d90): - while p.data[offset] != 0xff: - next_offset = p.data.index(b'\x00', offset) + 1 - data = p.data[offset:next_offset] - # print(hex(offset), repr(data)) - p._insert_semantic(da._SemanticString(offset, data)) - offset = next_offset - p._insert_semantic(da._SemanticFixedSize(offset, p.data[offset:offset+1])) - -for i in range(0x17c70, 0x17d50, 16): - p._insert_semantic(da._SemanticString(i, p.data[i:i+16])) - -p.major(0x18148, 0x18258, 'print_xpt_info') -p.indirect_lisori(0x18150, '(%d:$ - 0:^)' % len(p.data)) - -p.major(0x18258, 0x182f0, 'print_sprgs') -p.cmt('Goldmine. Tells me what the SPRGs do!') - -p.major(0x182f0, 0x183e4, 'print_sprs') -p.cmt('Both user-mode and supervisor-only') - -p.major(0x183e4, 0x18468, 'print_segment_registers') - -p.major(0x18468, 0x18544, 'print_gprs') - -p.major(0x18544, 0x1860c, 'print_memory') - -p.major(0x1860c, 0x18738, 'print_memory_logical') - -p.major(0x18738, 0x1879c, 'cmd_lookup') -p.arg('r16', 'command strings') -p.arg('r17', 'lut') -p.ret('cr0', 'found') -p.ret('r17', 'ptr to lut entry') - -p.major(0x1879c, 0x187b0, 'next_cmd_word') -p.arg('r15', 'start') -p.ret('r15', 'ptr') -p.ret('r16', 'char') - -p.major(0x18a00, 0x18a74, 'screenlog_init') -p.arg('r1', 'kdp') - -p.major(0x18a74, 0x18a98, 'screenlog_putchar') -p.arg('r1', 'kdp') - -p.major(0x18a98, 0x18bec, 'screenlog_redraw') -p.arg('r1', 'kdp') - -p.major(0x18bec, 0x18c08, '') - -p.major(0x18c08, 0x18c18, '') - -p.major(0x18c18, 0x18d10, '') - -p.major(0x18d5c, 0x18e24, '') - -p.major(0x18e24, 0x18e54, '') - -p.major(0x18e54, 0x18fd4, '') - -p.major(0x18fd4, 0x19018, 'funny_thing') - -p.major(0x19018, 0x190a0, '') - -p.major(0x190a0, 0x19aa4, 'load_log_font') - -p.major(0x19ab0, 0x19af4, '') - -p.major(0x19b00, 0x19b14, '') - -p.major(0x19b20, 0x19b2c, 'load_log_colours') -p.cmt('Each word is RGB with the high byte ignored. Background and text.') - -p.label(len(p.data), 'nk_end', of_start=False) - -# Rename syscalls with info from MPLibrary -for i, start in enumerate(syscall_majors): - try: - p.major_name_dict[start] = syscall_names[i] - except KeyError: - pass - -# -# Do what I have come for. -# - -if cmdline.disasm: - with open(cmdline.disasm, 'w') as f: - print(p, file=f) -else: - print('You chose not to output an asm file. Probably a mistake.') - - -if cmdline.dump_constants: - with open(cmdline.dump_constants, 'w') as f: - for offset, data in p.lisoris(range(0, len(p.data))): - as_int = int.from_bytes(data, byteorder='big') - - s = sum(32 <= ch < 127 for ch in data) - - # cand - # try: - # ind = '' if any(p.semantic_list[offset]._imm_exprs) else '#cnd' - # except AttributeError: - # ind = '*' - # print(repr(p.semantic_list[offset])) - - is_string = (s >= 3) - try: - indirected = any(p.semantic_list[offset]._imm_exprs) - except AttributeError: - indirected = False - shares_target = ((as_int, True) in p.backref_dict) or ((as_int, False) in p.backref_dict) - candidate = as_int <= len(p.data) and as_int % 4 == 0 - try: - promising = isinstance(p.semantic_list[as_int-4], da._SemanticInsn) and not isinstance(p.semantic_list[as_int], da._SemanticInsn) - except: - promising = False - - things = zip('itcp', (indirected, shares_target, candidate, promising)) - s = ''.join((c if b else '-') for (c, b) in things) - - show_string = ' ' + repr(data)[1:] if is_string else '' - - print(' ' + hex(as_int).rjust(10) + ', # %05x ' % offset + s + show_string, file=f) diff --git a/kernel-stock b/kernel-stock deleted file mode 100644 index 6f0954a..0000000 Binary files a/kernel-stock and /dev/null differ diff --git a/prcl-pefs/ATA_CMD646_driver b/prcl-pefs/ATA_CMD646_driver deleted file mode 100644 index f44c2ee..0000000 Binary files a/prcl-pefs/ATA_CMD646_driver and /dev/null differ diff --git a/prcl-pefs/ATA_Heathrow_driver b/prcl-pefs/ATA_Heathrow_driver deleted file mode 100644 index ceeb88d..0000000 Binary files a/prcl-pefs/ATA_Heathrow_driver and /dev/null differ diff --git a/prcl-pefs/ATA_Kauai_driver b/prcl-pefs/ATA_Kauai_driver deleted file mode 100644 index 4486836..0000000 Binary files a/prcl-pefs/ATA_Kauai_driver and /dev/null differ diff --git a/prcl-pefs/ATA_KeyLargo_driver b/prcl-pefs/ATA_KeyLargo_driver deleted file mode 100644 index 9664968..0000000 Binary files a/prcl-pefs/ATA_KeyLargo_driver and /dev/null differ diff --git a/prcl-pefs/BacklightDriver b/prcl-pefs/BacklightDriver deleted file mode 100644 index 5c666be..0000000 Binary files a/prcl-pefs/BacklightDriver and /dev/null differ diff --git a/prcl-pefs/CardBus_PCCard_lib b/prcl-pefs/CardBus_PCCard_lib deleted file mode 100644 index 95fe17f..0000000 Binary files a/prcl-pefs/CardBus_PCCard_lib and /dev/null differ diff --git a/prcl-pefs/CardBus_driver b/prcl-pefs/CardBus_driver deleted file mode 100644 index 52d3a23..0000000 Binary files a/prcl-pefs/CardBus_driver and /dev/null differ diff --git a/prcl-pefs/CodePrepare_NVRAMServicesLib b/prcl-pefs/CodePrepare_NVRAMServicesLib deleted file mode 100644 index 8f6f637..0000000 Binary files a/prcl-pefs/CodePrepare_NVRAMServicesLib and /dev/null differ diff --git a/prcl-pefs/CodePrepare_RTCServicesLib b/prcl-pefs/CodePrepare_RTCServicesLib deleted file mode 100644 index 76fab4b..0000000 Binary files a/prcl-pefs/CodePrepare_RTCServicesLib and /dev/null differ diff --git a/prcl-pefs/CodePrepare_TimeManagerLib b/prcl-pefs/CodePrepare_TimeManagerLib deleted file mode 100644 index 75a1c8c..0000000 Binary files a/prcl-pefs/CodePrepare_TimeManagerLib and /dev/null differ diff --git a/prcl-pefs/CodeRegister_AGPLib b/prcl-pefs/CodeRegister_AGPLib deleted file mode 100644 index 54a951d..0000000 Binary files a/prcl-pefs/CodeRegister_AGPLib and /dev/null differ diff --git a/prcl-pefs/CodeRegister_EtherPrintfLib b/prcl-pefs/CodeRegister_EtherPrintfLib deleted file mode 100644 index 34240d4..0000000 Binary files a/prcl-pefs/CodeRegister_EtherPrintfLib and /dev/null differ diff --git a/prcl-pefs/CodeRegister_NativePowerMgrLib b/prcl-pefs/CodeRegister_NativePowerMgrLib deleted file mode 100644 index 4d818ba..0000000 Binary files a/prcl-pefs/CodeRegister_NativePowerMgrLib and /dev/null differ diff --git a/prcl-pefs/CodeRegister_StartLib b/prcl-pefs/CodeRegister_StartLib deleted file mode 100644 index ba21faa..0000000 Binary files a/prcl-pefs/CodeRegister_StartLib and /dev/null differ diff --git a/prcl-pefs/Display_driver b/prcl-pefs/Display_driver deleted file mode 100644 index 1678b03..0000000 Binary files a/prcl-pefs/Display_driver and /dev/null differ diff --git a/prcl-pefs/FireWire_DFMLib b/prcl-pefs/FireWire_DFMLib deleted file mode 100644 index dea6be0..0000000 Binary files a/prcl-pefs/FireWire_DFMLib and /dev/null differ diff --git a/prcl-pefs/FireWire_DevNLib b/prcl-pefs/FireWire_DevNLib deleted file mode 100644 index b2c3400..0000000 Binary files a/prcl-pefs/FireWire_DevNLib and /dev/null differ diff --git a/prcl-pefs/FireWire_FWServicesLib b/prcl-pefs/FireWire_FWServicesLib deleted file mode 100644 index 8a465cc..0000000 Binary files a/prcl-pefs/FireWire_FWServicesLib and /dev/null differ diff --git a/prcl-pefs/FireWire_GenericDriverFamily b/prcl-pefs/FireWire_GenericDriverFamily deleted file mode 100644 index 8faf892..0000000 Binary files a/prcl-pefs/FireWire_GenericDriverFamily and /dev/null differ diff --git a/prcl-pefs/FireWire_driver b/prcl-pefs/FireWire_driver deleted file mode 100644 index c76d8f6..0000000 Binary files a/prcl-pefs/FireWire_driver and /dev/null differ diff --git a/prcl-pefs/I2C_driver b/prcl-pefs/I2C_driver deleted file mode 100644 index c642a4b..0000000 Binary files a/prcl-pefs/I2C_driver and /dev/null differ diff --git a/prcl-pefs/NVRAM_PMU_driver b/prcl-pefs/NVRAM_PMU_driver deleted file mode 100644 index 0c2dc8f..0000000 Binary files a/prcl-pefs/NVRAM_PMU_driver and /dev/null differ diff --git a/prcl-pefs/NVRAM_flash_driver b/prcl-pefs/NVRAM_flash_driver deleted file mode 100644 index 43cc96a..0000000 Binary files a/prcl-pefs/NVRAM_flash_driver and /dev/null differ diff --git a/prcl-pefs/NVRAM_mac-io_driver b/prcl-pefs/NVRAM_mac-io_driver deleted file mode 100644 index 94fda4f..0000000 Binary files a/prcl-pefs/NVRAM_mac-io_driver and /dev/null differ diff --git a/prcl-pefs/PCICyclesLib_Grackle b/prcl-pefs/PCICyclesLib_Grackle deleted file mode 100644 index 298636a..0000000 Binary files a/prcl-pefs/PCICyclesLib_Grackle and /dev/null differ diff --git a/prcl-pefs/PCICyclesLib_UniNorth b/prcl-pefs/PCICyclesLib_UniNorth deleted file mode 100644 index b0ee186..0000000 Binary files a/prcl-pefs/PCICyclesLib_UniNorth and /dev/null differ diff --git a/prcl-pefs/PMULib b/prcl-pefs/PMULib deleted file mode 100644 index 9a7b8c4..0000000 Binary files a/prcl-pefs/PMULib and /dev/null differ diff --git a/prcl-pefs/PowerMgrPlugin_CUDA b/prcl-pefs/PowerMgrPlugin_CUDA deleted file mode 100644 index 0189bf8..0000000 Binary files a/prcl-pefs/PowerMgrPlugin_CUDA and /dev/null differ diff --git a/prcl-pefs/PowerMgrPlugin_PMU b/prcl-pefs/PowerMgrPlugin_PMU deleted file mode 100644 index b6b5ac5..0000000 Binary files a/prcl-pefs/PowerMgrPlugin_PMU and /dev/null differ diff --git a/prcl-pefs/PowerMgrPlugin_PMU2000 b/prcl-pefs/PowerMgrPlugin_PMU2000 deleted file mode 100644 index 2628d46..0000000 Binary files a/prcl-pefs/PowerMgrPlugin_PMU2000 and /dev/null differ diff --git a/prcl-pefs/PowerMgrPlugin_PMU99 b/prcl-pefs/PowerMgrPlugin_PMU99 deleted file mode 100644 index 0456d35..0000000 Binary files a/prcl-pefs/PowerMgrPlugin_PMU99 and /dev/null differ diff --git a/prcl-pefs/RTC_CUDA_driver b/prcl-pefs/RTC_CUDA_driver deleted file mode 100644 index d6cdb6e..0000000 Binary files a/prcl-pefs/RTC_CUDA_driver and /dev/null differ diff --git a/prcl-pefs/RTC_PMU_driver b/prcl-pefs/RTC_PMU_driver deleted file mode 100644 index e09c8b6..0000000 Binary files a/prcl-pefs/RTC_PMU_driver and /dev/null differ diff --git a/prcl-pefs/lanLib_apple21143 b/prcl-pefs/lanLib_apple21143 deleted file mode 100644 index 6f7ab6a..0000000 Binary files a/prcl-pefs/lanLib_apple21143 and /dev/null differ diff --git a/prcl-pefs/lanLib_bmac+ b/prcl-pefs/lanLib_bmac+ deleted file mode 100644 index 8324dab..0000000 Binary files a/prcl-pefs/lanLib_bmac+ and /dev/null differ diff --git a/prcl-pefs/lanLib_gmac b/prcl-pefs/lanLib_gmac deleted file mode 100644 index 018467d..0000000 Binary files a/prcl-pefs/lanLib_gmac and /dev/null differ diff --git a/rsrc-template b/rsrc-template deleted file mode 100644 index 4391388..0000000 Binary files a/rsrc-template and /dev/null differ diff --git a/test-template.img b/test-template.img deleted file mode 100644 index 9df30f9..0000000 Binary files a/test-template.img and /dev/null differ diff --git a/trampoline.elf b/trampoline.elf deleted file mode 100644 index b1713e5..0000000 Binary files a/trampoline.elf and /dev/null differ