Ghosts in the ROM

 Uncategorized  Add comments
Aug 212012

Ghosts in the ROM

While digging through dumps generated from the Apple Mac SE ROM images we noticed that there was a large amount of non-code, non-audio data. Adam Mayer tested different stride widths and found that at 67 bytes (536 pixels across) there appeared to be some sort of image data that clearly was a picture of people. The rest of the image was skewed and distorted, so we knew that it wasn’t stored as an uncompressed bitmap.

After some investigation, we were able to decode the scrambled mess above and turn it into the full image with a hidden message from “Thu, Nov 20, 1986“:

Mac SE engineers (0x1D93C)

Read on for the reverse engineering details of how we recovered this and the other three photographs stored in the ROM, and some information about the Motorola 68000 era Macintosh.

Treasure in the trash

We found this Macintosh SE on the side of the road in Brooklyn and carried it to NYC Resistor. It boots, but lacks any media, so we decided to do some further digital archeology.

Mac SE

We removed the two ROM chips (the ones in the middle of the board, above the VLSI ASIC that is the Integrated Woz Machine) and dumped them with my PROMdate device. The pinout for the chips is the same as the M27C512 PROM, but with the Vpp pin reused for A17. Since it is a mask ROM that can’t be reprogrammed there is no need for the programming pin (Thanks, Nick!). This exapnds the address space to 128 KB (1024 kilobits) compared to the 64 KB of the M27C512 programmable ROM.

PROMdate: Now with AVR support

The m68k has a 16-bit wide bus, so each 128 KB 8-bit ROM has half a word and they need to be merged into a single 256 KB binary file. We knew we had a good dump and merge when strings on the file contained human readable textlike “Chicago“, “PACK” and “CDEF” (if you have the byte order wrong these will be “APKC“, etc).

Reports of the easter egg said that it could be found by jumping to address 0x41D89A. I was able to boot the ROMs in Mini vMac and confirm that these were indeed the secret images that had already been discovered. That could have been the end of it, but we wanted to know how they were stored and displayed, and to be able to look for any other surprises stored in the ROM, so further investigation was required.

To disassemble the ROM, I found it easiest to convert the raw binary dump to an ELF file so that objdump will process it. We know from history that the ROM was mapped to address 0x0040_0000 (24 MB) in memory, so we set the starting address of the ELF file there. IDA Pro is another great tool for doing exactly this sort of reverse engineering, but we’re using free software for this analysis.

  --redefine-sym _binary_mac_se_bin_start=rom 
  --strip-symbol _binary_mac_se_bin_size 
  --strip-symbol _binary_mac_se_bin_end 
  -I binary 
  -O elf32-m68k 
  -B m68k 

Looking at the easter egg function address with m68k-elf-objdump -D roms/mac-se.elf, we see:

  41d89a:       4eba 0018       jsr %pc@(41d8b4 <rom+0x1d8b4>)
  41d89e:       5847            addqw #4,%d7
  41d8a0:       0287 0000 000c  andil #12,%d7
  41d8a6:       6100 002e       bsrw 41d8d6 <rom+0x1d8d6>
  41d8aa:       307c 00b5       moveaw #181,%a0
  41d8ae:       a03b            0120073
  41d8b0:       4efa ffec       jmp %pc@(41d89e <rom+0x1d89e>)

The 0xa03b instruction is odd — Motorola reserved all instructions that start with 0xA, so this it is not a legal m68k instruction. Instead it will trigger an illegal instruction trap, and the trap handler looks at the next word and vectors to the appropriate handler. This A-line or A-trap is the official way to enter the Macintosh Toolbox and saves significant code space over the normal system call methods. This list of codes tells us that it is _Delay and that the value in %a0 will be used as an argument for how long to delay. We’ll be refering to this list again to understand what is going on in the assembly code.
Based on this we can translate this function into something like “C”:

void easter_egg(void)
    while (1)
        d7 = (d7 + 4) & 0xC;

The first function that this calls is 0x41d8b4:

  41d8b4:       31fc ffff 0b9e  movew #-1,b9e
  41d8ba:       594f            subqw #4,%sp
  41d8bc:       2f3c 6262 6d63  movel #1650617699,%sp@-
  41d8c2:       4267            clrw %sp@-
  41d8c4:       a9a0            0124640
  41d8c6:       201f            movel %sp@+,%d0
  41d8c8:       6700 0050       beqw 41d91a <rom+0x1d91a>
  41d8cc:       2040            moveal %d0,%a0
  41d8ce:       21d0 0a78       movel %a0@,a78
  41d8d2:       7e00            moveq #0,%d7
  41d8d4:       4e75            rts
  41d91a:       a9ff            0124777

This makes the A-line call 0xA9A0, or _GetResource(0x62626d63) and sets 0xb9e, the RomInsertFlag to instruct the search function to look in the ROM tables. If the resource get fails it jumps to a debugger trap (0xA9FF), which halts the machine. Otherwise it zeros %d7 and reads the address of the resource from the address returned by _GetResource and writes that value into the global memory location 0xa78 (AppleScratch).

If you speak ASCII, the constant might look interesting. It is a multi-byte character ‘bbmc‘, which you might have noticed in the strings output at offset 0x1af4e, in what appears to be some sort of structure:

001af3e: 5041 434b 0002 006a 7463 736c 0000 008e  PACK...jtcsl....
001af4e: 6262 6d63 0000 009a 5345 5244 0000 00a6  bbmc....SERD....
001af5e: 4452 5652 0004 00b2 4344 4546 0001 00ee  DRVR....CDEF....
001af6e: 4b43 4852 0000 0106 4b4d 4150 0000 0112  KCHR....KMAP....
001af7e: 4d42 4446 0000 011e 4d44 4546 0000 012a  MBDF....MDEF...*
001af8e: 5744 4546 0001 0136 4355 5253 0003 014e  WDEF...6CURS...N
001af9e: 464f 4e54 0004 017e 0005 ffff 5801 b122  FONT...~....X.."
001afae: 0000 0000 0004 ffff 5801 c188 0000 0000  ........X.......
001afbe: 0007 ffff 5801 d348 0000 0000 0000 ffff  ....X..H........
001afce: 5801 d896 0000 0000 0000 ffff 5801 d924  X...........X..$

As of now we don’t know how to decode the structure, nor what %a0 points to when it is dereferenced into the global at 0xa78. We’ll come back to that later, but it clearly has something to do with 0x009A and the bit in red at 0x1AFDA.

Moving on to func_0x41d8d6(), with psudeo-code interspersed:

  41d8d6:       moveal a78,%a0
  41d8da:       addaw %d7,%a0
  41d8dc:       movel %a0@,%d3     d3 = _a78[d7];
  41d8de:       movel a78,a7c
  41d8e4:       addl %d3,a7c       _a7c = _a78 + d3;
  41d8e8:       movel 824,a80      _a80 = _824 // ScrnBase
  41d8ee:       movel #340,%d3     d3 = 340;
                                   do {
  41d8f4:       pea a7c
  41d8f8:       pea a80
  41d8fc:       movew #72,%sp@-        // 72 * 8 == 576 bits
  41d900:       a8d0                   _UnpackBits(&_a7c, &_a80, 72)
  41d902:       subql #8,a80           _a80 -= 8;
  41d906:       dbf %d3,41d8f4     } while (d3--)
  41d90a:       pea a7c
  41d90e:       pea a80
  41d912:       movew #64,%sp@-
  41d916:       a8d0                _Unpackbits(&_a7c, &_a80, 64);
  41d918:       rts                 return;

Rewriting these three functions entire code in something more like C:

void draw_bitmap(const uint8_t * packed)
	uint8_t * fb = _ScrnBase;

	for (int y = 0 ; y < 340 ; y++)
		_UnpackBits(&packed, &fb, 72);
		fb -= 8;

	_UnpackBits(&packed, &fb, 64);

void easter_egg(void)
	const uint8_t ** bbmc = _GetResource('bbmc');
	if (!bbmc)
	int image = 0;

	while (1)
		i = (i + 1) % 4;

Adam found the format expected by _UnpackBits defined in PackBits on wikipedia, and wrote a python that can be given the offsets of the images in the ROM. So the last piece of the puzzle was to figure out where they are located.

And this is where I cheated... Based on a binary search of the image space using, I found that the first one started at 0x1d93c. Looking slightly earlier in the ROM dump, I saw:

001d920: 0000 0064 0000 0018 0000 5618 0000 a71c  ...d......V.....
001d930: 0000 f700 0001 4281 0000 0000 30aa 552a  ......B.....0.U*
001d940: 52a5 294a 5294 a529 4a52 2449 1224 44a9  R.)JR..)JR$I.$D.

That 0x0000_0018 looks right; 0x1D924 + 0x18 = 0x1D93C. And immediately afterwards are additional offsets that look like the right spacing for the other bitmaps. That puts the others at 0x22F3C, 0x28040, 0x2D024 and something unused at 0x31BA5. Looking back at the ROM dump from the region of the resource definition, we even see an offset that points to 0x5801D924. (Don't be fooled by the leading 0x58 -- the Mac SE only had 24-bit addresses, so it will be ignored by the CPU).

Running Adam's tool, combined with my hex2png on the regions produced success for the four images!

for offset in 1D93C 22F3C 28040 2D024; do
  off_decimal=`echo 16i $offset p | dc`
  ../ $off_decimal 5000 < mac-se.bin 
	| ../hex2png -w 576 -y 384 -s 24576 
	| convert -crop 512x341+0+0 - 0x$offset.png  

So here is the team that twenty five years ago found space in the ROM to include their own images as an easter egg. Can anyone identify them? Where are they now? Are they "JCSLWRLBBMABOEMTDAHJTCFJLMBKCRCLAKEHBRDCDAFSHFT"? If you do know who they are, please send them our thanks for a fun puzzle!

Mac SE engineers (0x22F3C)

Mac SE engineers (0x28040)

Mac SE engineers (0x2D024)

What is in that fifth region? It didn't seem to have any image data of note, but it might be audio based on the strings in the ROM. Perhaps that's a project for later...

0031ba0: 00b9 00b9 0000 c000 08fc 0000 0068 600a  .............h`.
0031bb0: 0000 5345 5244 0000 0003 487a 0074 487a  ..SERD....Hz.tHz
0031bc0: 0058 487a 003c 487a 0020 76fa 3003 a53d  .XHz.<Hz. v.0..=
0031bd0: a029 2050 225f 20c9 30d1 30bc 0003 5343  .) P"_ .0.0...SC

These images are still copyright Apple Computer, of course. That means they have been:

Mac SE ROM images

 Posted by at 10:13 pm

  111 Responses to “Ghosts in the ROM”

Comments (84) Pingbacks (27)
  1. I look forward to more easter egg archaeology reports. A little bird told me there is a titillating image stored on the 12″ optical platters (write-once) used for archiving records in the early 90s at the Federal Reserve Banks of Chicago and Des Moines (and perhaps others).

  2. I miss easter eggs. And 1-bit graphics!

  3. Its great to see the original team coming out and commenting on this story. I was a proud owner of the very first Mac and take my hat off to all of you for starting the ball rolling in bringing so much joy to our digital experiences! Thank you!

  4. The stolen from Apple computer image was buried in the source code in case the bios went into the wild or was appropriated by a cloner – if I’m not mistaken. Can the team confirm this?

  5. the images are the people who created the mac including bill aktinson steve jobs and steve wozniak

  6. I really loved the hidden OS in the Macintosh Classic that you can boot by holding down Apple (command), Option, x, o.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>