Mac68k Forums

Home


Welcome, Guest
Guest Settings
Help

Mac68k Forums » Development » Software Hacking

Thread: netBOOT ROM driver


Reply to this Thread Reply to this Thread Search Forum Search Forum Back to Thread List Back to Thread List

Permlink Replies: 6 - Pages: 1 - Last Post: Jun 30, 2013 5:33 PM Last Post By: jduerstock Threads: [ Previous | Next ]
bbraun


Posts: 490
Registered: 7/25/12
netBOOT ROM driver
Posted: Aug 7, 2012 8:20 PM
Click to report abuse...   Click to reply to this thread Reply
There are netBOOT and ATBOOT device drivers in most 68k mac ROMs from the IIsi and up. There is even a mention to network booting in the IIsi dev notes.

I've been unable to find much information about these drivers online, so have been working on figuring out out how they work.

The progress so far is a small tool to set PRAM values sufficient to activate the driver at boot and cause it to send out a boot request with an unknown DDP protocol type. nbpram0.1.cpt.hqx

When the machine reboots after the tool has been run and the PRAM values are set, the screen will show a blank disk icon (similar to the flashing question mark disk, without the question mark), it will then send out some zone information requests, then do an NBP lookup for the server, and if it gets a response, send that server a request with DDP protocol 0x0a.



Here are some of my notes about what is going on:
The .netBOOT driver will be installed and opened if bit 0x80 is set in the byte located in offset 7 of PRAM.
If this flag is not set, the driver will not be opened.
If cmd-opt-n-b are held down, the driver will be opened, then the 0x80 flag above will be cleared, apparently to prevent subsequent netboots.
Holding down the control key will bypass netboot and continue normal booting, leaving PRAM state as is.
The netboot driver will then create a drive queue element that the system will later try to boot off.
When the system tries to boot off this "drive", the netBOOT driver gets a read/Prime call, which will check the protocol byte stored in PRAM and if set to 1, will load and synchronously open the .ATBOOT driver.
The .ATBOOT driver will then load and open the appletalk driver (.MPP).
Once the .netBOOT's synchronous open of the .ATBOOT driver returns back to the .netBOOT's read/Prime call, it will issue a Control call to the .ATBOOT driver with csCode 1,
The .ATBOOT Control call will then query for a server to boot from. The server queried for is determined by a 16bit server id number, which is then translated to an ascii encoded hex representation of the short. Except the ascii sting is backwards (not byteswpped). So, a server id of 0xEBAB will be translated into a server name of "BABE". The appletalk Service type used is "BootServer". So, "BABE:BootServer".
If something on the network responds to that NBP lookup request, it then sends the responding server a DDP packet of protocol 0x0A. This packet contains the machineID and the username, both stored in PRAM.
bbraun


Posts: 490
Registered: 7/25/12
Re: netBOOT ROM driver
Posted: Aug 9, 2012 9:00 PM   in response to: bbraun in response to: bbraun
Click to report abuse...   Click to reply to this thread Reply
To clarify, I did the test below on a 660av.
Investigating some more on the IIsi ROM, the .netBOOT driver is not actually enabled. To explain what that means, here is the ROM code to load the .netBOOT driver:

                      P_mInitNetBOOT:
1250   2149 0012                 Move.L    A1, $12(A0)
1254   A000                      _Open
1256   2F08                      Move.L    A0, -(A7)
1258   594F                      SubQ.L    $4, A7
125A   2F3C 4452 5652            Move.L    $44525652, -(A7) ; DRVR
1260   487A 0016                 Pea.L     DT28
1264   A9A1                      _GetNamedResource
1266   4A9F                      Tst.L     (A7)+
1268   205F                      Move.L    (A7)+, A0
126A   670A                      BEQ       L188
126C   43FA 000A                 Lea.L     DT28, A1
1270   2149 0012                 Move.L    A1, $12(A0)
1274   A000                      _Open
1276   4E75           L188:      Rts
1278   082E 6E65 7442 DT28:      DC.B      ' .netB'
127E   4F4F 5400                 DC.B      'OOT '


Essentially this code is trying to GetNamedResource('DRVR', "\p.netBOOT"), and if that succeeds, open the .netBOOT driver. This is actually not necessary, since _Open will fail if the driver doesn't exist, and we're not actually caring about the return value of _Open anyway.

But, that doesn't explain why it is disabled. It is disabled because there are flags associated with each ROM resource, and one of them tells the ResourceManager to ignore the resource.

The Resources in the ROM are structured like this:
Offset 0x1A in the ROM is an offset to resource information:
1A     0007 EC10                 DC.L      $0007EC10       ; offset to resources

At this location is an offset (from the beginning of ROM) to the first resource:
7EC10  0007 EB90 0408            DC.B      '      '


This (0x7EB90) is the first resource in a list of resources in the ROM:
0007eb90  78 00 00 00 00 00 00 00  00 07 eb 10 00 07 eb c0  |x...............|
0007eba0  43 55 52 53 00 01 58 00  5b 11 54 75 65 2c 20 4a  |CURS..X.[.Tue, J|
0007ebb0  75 6c 20 31 c0 a0 00 00  00 00 00 50 00 00 00 5c  |ul 1.......P...\|


The offset to the next resource is located at +8 bytes (7EB10 in this case). But the important bit here is the first byte in the resource entry: 0x78. For some comparison, the .Sony driver:
0006c3b0  78 00 00 00 00 00 00 00  00 06 ab 60 00 06 c3 e0  |x..........`....|
0006c3c0  44 52 56 52 00 04 58 05  2e 53 6f 6e 79 44 3e 3e  |DRVR..X..SonyD>>|
0006c3d0  5b 28 63 29 c0 a0 00 00  00 00 46 c0 00 00 01 84  |[(c)......F.....|


and the .netBOOT driver:
00051d40  18 00 00 00 00 00 00 00  00 00 00 00 00 05 1d 70  |...............p|
00051d50  44 52 56 52 00 31 58 08  2e 6e 65 74 42 4f 4f 54  |DRVR.1X..netBOOT|
00051d60  74 65 72 2c c0 a0 00 00  00 00 07 d0 00 00 02 44  |ter,...........D|


The .Sony driver is loaded and the .netBOOT driver is not. Changing that to 78 instead of 18 causes the driver to be loaded.
bbraun


Posts: 490
Registered: 7/25/12
Re: netBOOT ROM driver
Posted: Aug 18, 2012 12:47 AM   in response to: bbraun in response to: bbraun
Click to report abuse...   Click to reply to this thread Reply
Attachment validresponse.tiff (260.8 K)
Attachment netboot.jpg (224.1 K)
I've started on a netBOOT server, using netatalk. There's not much to it at the moment, but I've got a valid reply being sent back to the Mac after its initial query. Since that's all I've got, it's not terribly exciting, since it just sits and retries.


When a valid response is received, the screen changes to show a blank mac:
bbraun


Posts: 490
Registered: 7/25/12
Re: netBOOT ROM driver
Posted: Aug 19, 2012 8:44 PM   in response to: bbraun in response to: bbraun
Click to report abuse...   Click to reply to this thread Reply
I'm now sending the Disk Tools disk image, which I don't currently know if that's in a format the netboot driver wants, it's just something to try.
It's not booting the file, but there is a cute progress indicator. The blank Mac icon above gets filled in with eyes, nose, and mouth as pieces of the netboot image are received. Attached is a little video of the boot process so far.

Message was edited by: bbraun
Attached video
techfury90

Posts: 1
Registered: 1/16/13
Re: netBOOT ROM driver
Posted: Jan 16, 2013 4:42 PM   in response to: bbraun in response to: bbraun
Click to report abuse...   Click to reply to this thread Reply
Just curious, have you seen the source code for this driver? There's a lot more to it that you haven't mentioned... ;)

(namely, some sort of image validation stuff)

Edit: Oh, and the netboot driver only expects the boot blocks... there's actually two drivers involved. I suspect they had custom boot blocks in mind that could load from an AFP share.

Message was edited by: techfury90
bbraun


Posts: 490
Registered: 7/25/12
Re: netBOOT ROM driver
Posted: Jan 16, 2013 10:18 PM   in response to: techfury90 in response to: techfury90
Click to report abuse...   Click to reply to this thread Reply
Yeah, I've seen it. It's helpful. But the netboot driver is disabled (its resource entry has an "ignore" bit set) in all pre-AV ROMs, so you'd need the custom ROM to use it anyway. It would probably be easier to implement a different netboot driver.
I've implemented a driver that copies a file from an AFP server into ROM and treats it like a ramdisk, but appletalk isn't actually initialized in ROM prior to OS boot. This netboot driver has code to enable it, which would be a useful starting point to doing it myself, but it is rather involved.

Anyway, it would be nice to have a working netboot server and bits it can boot, but the TODO backlog is long, and this isn't near the top.
jduerstock

Posts: 10
Registered: 6/30/13
Re: netBOOT ROM driver
Posted: Jun 30, 2013 5:33 PM   in response to: bbraun in response to: bbraun
Click to report abuse...   Click to reply to this thread Reply
I spent a fair amount of time poking at this as well, and was greatly pleased to find this thread. I never go around to writing a server for it either, but I do remember finding the source and noting a "command-option-N-B" keyboard combination that was supposed to do something at boot time. Also never got around to trying this. I'd be interested to read if you'd made any progress lately.

Point your RSS reader here for a feed of the latest messages in all forums