Deaccelerating The Apple IIc Plus

The Apple IIc Plus is arguably – very arguably from my experience – the best Apple II computer ever made. It’s portable, faster than the IIe, had a much higher capacity built-in drive, and since the Plus could run at 4MHz, it was faster than the strange eight or sixteen bit Apple IIGS. Recently, [Quinn] has been fascinated with the IIc Plus, and has gone so far as to build a custom gamepad and turn the IIc Plus into a laptop. Now, she’s turned her attention to the few things Apple got wrong with the Apple IIc Plus – the startup beep and defaulting to 4MHz on every boot instead of Apple II’s standard 1MHz that’s used in the Apple II, II Plus, IIe, and IIc non-Plus.

The original Apple II is surprisingly primitive. Apart from writing a loop of NOPs and counting cycles, there’s no way to keep time. There is no clock, no timer, no tick counters, and no interrupts. If you’re writing a game for the Apple II that depends on precise timing, the best you’ll be able to manage is a delay loop. This worked for a time, until the Apple IIc Plus was released with a default clock of 4MHz. It was a great idea for AppleWorks and other productivity apps, but [Quinn] is doing retrocomputing, and that means games. Booting the Apple IIc Plus into its 1MHz mode means turning it on and holding escape while resetting the computer every time. It’s very annoying, but a mod to make the IIc Plus run at 1MHz by default would turn her into one of the most accomplished currently active Apple II developers.

The process of booting into the IIc Plus’ 1MHz mode requires holding down escape while restarting the computer. This should tell you something: it’s not a hardware switch that changes speed. It’s in the ROM, and that means diving into the Technical Reference Manual, looking at the listings in the ROM monitor, and figuring out how everything works.

The IIc Plus ROM is incredibly complex – it’s 32k of hand assembled code with jump tables bouncing everywhere. After a ton of research, [Quinn] successfully reverse engineered the ‘slow down if the ESC key is pressed’ routine, allowing her to boot the machine at 1MHz by default, and 4MHz if there’s a soft reset with the option key pressed. Everything works great, and [Quinn] has the video to prove it

This isn’t [Quinn]’s first attempt at hacking the lowest levels of the Apple IIc Plus ROM. Because the IIc Plus ran at 4MHz by default, the startup beep was so very wrong. She fixed that, and with two very useful patches under her belt, she burned a few new chips with her ROM patches. In total, there’s only a few dozen bytes of hers in the new 32k ROM, but that’s enough to make her one of the top current firmware developers for the Apple II platform.

The Trouble With Intel’s Management Engine

Something is rotten in the state of Intel. Over the last decade or so, Intel has dedicated enormous efforts to the security of their microcontrollers. For Intel, this is the only logical thing to do; you really, really want to know if the firmware running on a device is the firmware you want to run on a device. Anything else, and the device is wide open to balaclava-wearing hackers.

Intel’s first efforts toward cryptographically signed firmware began in the early 2000s with embedded security subsystems using Trusted Platform Modules (TPM). These small crypto chips, along with the BIOS, form the root of trust for modern computers. If the TPM is secure, the rest of the computer can be secure, or so the theory goes.

The TPM model has been shown to be vulnerable to attack, though. Intel’s solution was to add another layer of security: the (Intel) Management Engine (ME). Extremely little is known about the ME, except for some of its capabilities. The ME has complete access to all of a computer’s memory, its network connections, and every peripheral connected to a computer. It runs when the computer is hibernating, and can intercept TCP/IP traffic. Own the ME and you own the computer.

There are no known vulnerabilities in the ME to exploit right now: we’re all locked out of the ME. But that is security through obscurity. Once the ME falls, everything with an Intel chip will fall. It is, by far, the scariest security threat today, and it’s one that’s made even worse by our own ignorance of how the ME works.

Continue reading “The Trouble With Intel’s Management Engine”

Saving Old Voices by Dumping ROMs

Some people collect stamps. Others collect porcelain miniatures. [David Viens] collects voice synthesizers and their ROMs. In this video, he just got his hands on the ultra-rare Electronic Voice Alert (EVA) from early 1980s Chrysler automobiles (video embedded below the break).

Back in the 1980s, speech synthesis was in its golden years following the development of TI’s linear-predictive coding speech chips. These are the bits of silicon that gave voice to the Speak and Spell, numerous video game machines, and the TI 99/4A computer’s speech module. And, apparently, some models of Chrysler cars.

IMG_0695We tracked [David]’s website down. He posted a brief entry describing his emulation and ROM-dumping setup. He says he used it for testing out his (software) TMS5200 speech-synthesizer emulation.

The board appears to have a socket for a TMS-series voice synthesizer chip and another slot for the ROM. It looks like an FTDI 2232 USB-serial converter is being used in bit-bang mode with some custom code driving everything, and presumably sniffing data in the middle. We’d love to see a bunch more detail.

The best part of the video, aside from the ROM-dumping goodness, comes at the end when [David] tosses the ROM’s contents into his own chipspeech emulator and starts playing “your engine oil pressure is critical” up and down the keyboard. Fantastic.

Continue reading “Saving Old Voices by Dumping ROMs”

Resurrecting Duckhunt

Bringing old things back to life holds a great sense of joy for most people. The never ending pursuit of recapturing our youth leads us down roads we’ve long forgotten. Along the way, we tend to bump into forgotten memories which jostle other forgotten memories which allows us to relive happy times we haven’t thought of in years, sometimes even decades. For some, the roar of a 351 small block sweeps them back to high school and the fast nights of cruising down main street with the FM radio cranked up as high as it would go.  For those of us who were born in the 80’s and 90’s, video games can bring back such memories. Who among us can forget our first encounter with Link, the elegant theme music of Final Fantasy or up-up-down-down-left-right-left-right-b-a-select-start?

Advances in processor technology has allowed us to relive our favorite games via emulators – programs that emulate processors of older computers. The games are ‘dumped’ from the ROM chips (where they are stored) into files. These game files can then be loaded into the emulator program, which allows you to play the game as if you were playing it on the original system.

NES_02
Guts of NES Zapper

Technology is truly a beautiful thing. It allows us to move forward, allows us to do today that which was not possible yesterday. There are a few cases, however, where this paradigm does not hold true. One of these has to do with the Nintendo Entertainment System and its “Zapper” gun controller. The NES was the most popular game console of its time, and rightfully so. From the minds of Nintendo engineers, programmers and audio experts came some of the best video games ever made. Unfortunately, some of these great games cannot be played on your Raspberry Pi favorite emulator due to the incompatibility of the Zapper gun and modern digital monitors.  None of us can forget the fun that Duckhunt brought. The game came as standard issue with all NES systems, so we’ve all played it. But its nostalgia is currently entombed by a technological quirk that has yet to be solved.

From one hacker to another – this can no longer be tolerated. First, we’re going to learn how the Zapper works and why it doesn’t work with digital displays. Then we’re going to fix it.

Continue reading “Resurrecting Duckhunt”

Dumping Old PROMs With New Hardware

[ijsf] recently came across a very old synthesizer from a defunct West German company. This was one of the first wavetable synths available, and it’s exceptionally rare. Being so rare, there isn’t much documentation on the machine. In an attempt at reverse engineering, [ijsf] decided to dump the EPROMs and take a peek at what made this synth work. There wasn’t an EPROM programmer around to dump the data, but [ijsf] did have a few ARM boards around. It turns out building a 27-series PROM dumper is pretty easy, giving [ijsf] an easy way to dig into the code on this machine.

The old EPROMs in this machine have 5v logic, so [ijsf] needed to find a board that had a ton of IOs and 5v tolerant inputs. He found the LPC2148, which has a nice USB system that can be programmed to dump the contents of a PROM over serial. Interfacing the PROM is as simple as connecting the power and ground, the address lines, data, and the signal lines. After that, it’s just a matter of stepping through every address according to the timing requirements of the PROM. All the data was dumped over a serial interface, and in just a few seconds, [ijsf] had 32768 bytes of ancient data that made this old synth tick.

Fixing Sega Cartridges With Old BIOS Chips

For one reason or another, [Dragao] has an old Sonic The Hedgehog cartridge that throws an illegal instruction somewhere in the Marble Zone stage. While the cause of this illegal instruction is probably cosmic rays, how to repair this cartridge isn’t quite as clear. It can be done, though, using BIOS chips from an old computer.

[Dragao] got the idea of repairing this cartridge from Game Boy flash carts. These cartridges use chips that are a simple parallel interface to the address and data lines of the Game Boy’s CPU, and Sega Genesis / Mega Drive flash cart would work the same way. The problem was finding old DIP flash chips that would work. He eventually found some 8-bit wide chips on the motherboard of an old computer, and by stacking the chips, he had a 16-bit wide Flash chip.

To program the chips, [Dragao] wired everything up to an Arduino Mega, put a ROM on the chip, and wired it up to the old Sega cartridge. Surprisingly or unsurprisingly, everything worked, and now [Dragao] has a fully functioning copy of Sonic The Hedgehog.

Rewritable ROM for the Mac Plus

The Macintosh Classic – a small all-in-one computer with a 9″ monochrome screen –  was one of the more interesting machines ever released by Apple. It was the company’s first venture into a cost-reduced computer, and the first Macintosh to sell for less than $1000. Released in 1990, its list of features were nearly identical to the Macintosh Plus, released four years earlier. The Classic also had an interesting feature not found in any other Mac. It could boot a full OS, in this case System 6.0.3, by holding down a series of keys during boot. This made it an exceptional diskless workstation. It was cheap, and all you really needed was a word processor or spreadsheet program on a 1.44 MB floppy to do real work.

[Steve] over at Big Mess O’ Wires had the same idea as the Apple engineers back in the late 80s. Take a Macintosh Plus, give it a bit more ROM, and put an OS in there. [Steve] is going a bit farther than those Apple engineers could have dreamed. He’s built a rewritable ROM disk for the Mac Plus, turning this ancient computer into a completely configurable diskless workstation.

The build replaces the two stock ROM chips with an adapter board filled with 29F040B Flash chips. They’re exactly what you would expect – huge, old PDIPs loaded up with Flash instead of the slightly more difficult to reprogram EEPROM. Because of the additional space, two additional wires needed to connected to the CPU.  The result is a full Megabyte of Flash available to the Macintosh at boot, in a computer where the normal removable disk drive capacity was only 800kB.

The hardware adapter for stuffing these flash chips inside a Mac Plus was made by [Rob Braun], while the software part of this build came from [Rob] and [Doug Brown]. They studied how the Macintosh Classic’s ROM disk driver worked, and [Rob Braun] developed a stand-alone ROM disk driver with a new pirate-themed startup icon. [Steve] then dug in and created an old-school Mac app in Metrowerks Codewarrior to write new values to the ROM. Anything from Shufflepuck to Glider, to a copy of System 7.1  can be placed on this ROM disk.

This isn’t the first time we’ve seen ROM boot disks for old Macs. There was a lot of spare address space floating around in the old Mac II-series computers, and [Doug Brown] found a good use for it. Some of these old computers had optional ROM SIMM. You can put up to 8 Megabytes  in the address space reserved for the ROM, and using a similar ROM disk driver, [Doug] can put an entire system in ROM, or make the startup chime exceptionally long.