Using QEMU to explore the Mac OS Nanokernel

About Qemu-system-ppc, a PPC Mac emulator for Windows, macOS and Linux that can run Mac OS 9.0 up to Mac OS X 10.5

Moderators: Cat_7, Ronald P. Regensburg

elliotnunn
Student Driver
Posts: 17
Joined: Sun Sep 11, 2016 6:35 am

Using QEMU to explore the Mac OS Nanokernel

Post by elliotnunn »

Hello my fellow Mac OS enthusiasts,

For several months now, Nanopico and I, both of the MacOS9Lives forum, have been picking apart the Power Mac ROM. As we go, we have been writing build and "unbuild" code for NewWorld ROM images (aka "Mac OS ROM" files, Toolbox images and tbxis). The part of the ROM that we have explored to the greatest depth is the PowerPC Nanokernel -- specifically version 02.28, which seems to be the final one. This (very sanitised!) workflow best demonstrates our toolchain, which I have dubbed the "Toolbox toolbox".


$ git clone https://github.com/elliotnunn/cdg5.git && cd cdg5

$ ls
boot-script              kernel-stock     prcl-pefs      test-template.img
datafork-pefs            Makefile         README.md      trampoline.elf
kernel-disasm-script.py  PowerROM-nokern  rsrc-template

$ make kernel-redisassemble 
Disasm:  05k 10k 15k 20k 25k 30k 35k 40k 45k 50k 55k 60k 65k 70k 75k 80k ...80736b

(Edit your newly-generated kernel-disasm.s, an annotated assembly code document. Maybe clobber something to see when and how the machine crashes, or change a constant to observe its effect on the PowerMacInfo application.)

$ make test
(output from kernel assembly, PowerROM construction, parcel compression,
Mac OS ROM packaging, HFS image modification and QEMU)

(QEMU will start from the included minimal OS 9 image, patched with your kernel. The Nanokernel log will come up during boot and will be redrawn intermittently. PowerMacInfo is the only startup app.)

(Now edit your kernel-disasm-script.py, the script that produced the above kernel-disasm.s, to reflect the wisdom that you have gleaned from your experiment.)

$ make kernel-redisassemble 
Disasm:  05k 10k 15k 20k 25k 30k 35k 40k 45k 50k 55k 60k 65k 70k 75k 80k ...80736b

(Admire your more beautifully disassembled kernel. And submit a pull request so that I can too!)
The Nanokernel stands right in between the PowerPC and the mostly-68k "blue" task. I am interested in it because it is the first barrier to broadening Mac OS 9's hardware support. Using QEMU's new ability to emulate the Mac OS, I have been able to make rapid iterative improvements to my disassembly script, which describes much of what I know about the kernel.

We'd be pretty chuffed if anyone wants to join in. The best test of your relevant knowledge is probably whether you know C and grok pointers -- but err on the side of having a go. I picked up PowerPC assembly as I went, and so can you.

While we have some moderately exotic build dependencies, I have neatly packaged these up as Docker images. To run the above code you only need to have Make, Docker and an OS 9-capable QEMU. You do not need to download any Docker images yourself, or even know how to use Docker. The makefile takes care of that for you. This build system is brand new, and while I think it should work for everyone, I'd like to know about build failures ASAP.

Happy hacking,

Elliot
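An added example, not part of elliotnunn's post or the cdg5 repository, of the "annotated disassembly" step that the workflow above revolves around: a minimal decoder for a handful of 32-bit PowerPC instructions that prints each word beside a hand-written note keyed by address, the same shape of output a script like kernel-disasm-script.py produces. The sample bytes, the load address and the notes are constructed for the example; the opcode numbers and field positions are those of the PowerPC ISA, and the decoder covers only the few instruction forms it lists (everything else falls back to a raw `.long`).

```python
import struct

# Constructed sample: five big-endian PowerPC instructions (not from any ROM).
SAMPLE_CODE = bytes.fromhex(
    "3c601234"  # lis   r3, 0x1234
    "60635678"  # ori   r3, r3, 0x5678
    "7c8000a6"  # mfmsr r4
    "44000002"  # sc
    "4e800020"  # blr
)

SAMPLE_BASE = 0x00300000  # hypothetical load address, chosen for the example

# Hand-written annotations keyed by address, the way a disassembly script
# accumulates "wisdom gleaned from experiments".
SAMPLE_NOTES = {
    0x00300000: "load a 32-bit constant into r3 (lis/ori pair)",
    0x00300008: "read Machine State Register (supervisor-only instruction)",
    0x0030000c: "system call: enters the kernel's syscall dispatcher",
}


def sext(value, bits):
    """Sign-extend the low `bits` bits of value."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def decode(insn, addr):
    """Decode one 32-bit instruction word at address addr into mnemonic text."""
    op = insn >> 26                 # primary opcode, bits 0-5 (IBM numbering)
    rd = (insn >> 21) & 0x1f        # rD / rS field, bits 6-10
    ra = (insn >> 16) & 0x1f        # rA field, bits 11-15
    imm16 = insn & 0xffff           # SIMM / UIMM field, bits 16-31
    if insn == 0x4e800020:
        return "blr"
    if insn == 0x44000002:
        return "sc"
    if op == 14:                    # addi; "li" is addi with rA = 0
        simm = sext(imm16, 16)
        return f"li r{rd}, {simm:#x}" if ra == 0 else f"addi r{rd}, r{ra}, {simm:#x}"
    if op == 15:                    # addis; "lis" is addis with rA = 0
        return f"lis r{rd}, {imm16:#x}" if ra == 0 else f"addis r{rd}, r{ra}, {imm16:#x}"
    if op == 24:                    # ori rA, rS, UIMM; ori 0,0,0 is the canonical nop
        return "nop" if insn == 0x60000000 else f"ori r{ra}, r{rd}, {imm16:#x}"
    if op == 18:                    # b / bl / ba / bla: 24-bit LI field, word-aligned
        li = sext(insn & 0x03fffffc, 26)
        aa = (insn >> 1) & 1
        lk = insn & 1
        target = li if aa else (addr + li) & 0xffffffff
        return f"b{'l' if lk else ''}{'a' if aa else ''} {target:#x}"
    if op == 31:                    # X-form: extended opcode in bits 21-30
        xo = (insn >> 1) & 0x3ff
        if xo == 83:
            return f"mfmsr r{rd}"
        if xo == 146:
            return f"mtmsr r{rd}"
        if xo in (339, 467):        # mfspr / mtspr: SPR number has its halves swapped
            spr = ((insn >> 16) & 0x1f) | (((insn >> 11) & 0x1f) << 5)
            return f"mfspr r{rd}, {spr}" if xo == 339 else f"mtspr {spr}, r{rd}"
    return f".long {insn:#010x}"   # anything we do not decode: keep the raw word


def disassemble(code, base, notes):
    """Return one annotated text line per instruction word in code."""
    lines = []
    for off in range(0, len(code) - len(code) % 4, 4):
        addr = base + off
        insn = struct.unpack(">I", code[off:off + 4])[0]
        text = decode(insn, addr)
        note = notes.get(addr)
        line = f"{addr:08x}  {insn:08x}  {text:<28}"
        lines.append((line + f"; {note}") if note else line.rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(disassemble(SAMPLE_CODE, SAMPLE_BASE, SAMPLE_NOTES)))
```

The point of keeping the notes in a dictionary keyed by address rather than in the emitted text is the iteration loop the post describes: the generated listing is disposable, the annotation script is the thing that accumulates knowledge, so a rebuild never loses what was learned.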
kataetheweirdo
Master Emulator
Posts: 313
Joined: Sun Feb 01, 2009 4:55 pm

Re: Using QEMU to explore the Mac OS Nanokernel

Post by kataetheweirdo »

I've wanted to do this for so long. Huge props to you guys for doing this.

I don't think it will be easy, but I do have some dev docs related to this for a Power Mac G3 B&W model. I can imagine there would be hacks to get around the hardware revisions Apple did. I can imagine the Old World ROMs being a mess, seeing as it's a mix between PPC and 68k code. Oh, and the Mac OS relies on the ROM for the 68k emulator, unless you're Sheepshaver and can supply your own.

And for those who don't know what grok means, here comes Wiktionary to the rescue.
elliotnunn
Student Driver
Posts: 17
Joined: Sun Sep 11, 2016 6:35 am

Re: Using QEMU to explore the Mac OS Nanokernel

Post by elliotnunn »

Thanks!

Broadly speaking, the top megabyte of the PowerROM contains low-level PowerPC-specific code and data: the Nanokernel, the emulator and some boot-time structures. I understand its layout pretty well. The remaining three megabytes are a mess, although we've made some progress there.

The most amazing thing you could do (plug plug) would be to try out our build system and hit me with some feedback! Any takers?
DANADAX
Student Driver
Posts: 14
Joined: Tue Jun 23, 2015 5:37 am

Re: Using QEMU to explore the Mac OS Nanokernel

Post by DANADAX »

Just curious, what hardware are you aiming at having some type of support?
maximumspatium
Space Cadet
Posts: 3
Joined: Sat Oct 24, 2015 12:24 pm

Re: Using QEMU to explore the Mac OS Nanokernel

Post by maximumspatium »

elliotnunn wrote: The part of the ROM that we have explored to the greatest depth is the PowerPC Nanokernel
Wow, very impressive work, especially the annotated assembly!

I did a vaguely similar analysis of the very first PowerPC Nanokernel used in the PDM machines (PowerMac 6100/7100/8100). I used the built-in debugger of the MAME/MESS project which is very convenient. Although MESS' emulation of the PowerMac 6100 is still preliminary (its hardware isn't supported fully yet) I was able to trace execution flow from HWInit to the 68k emulator.
elliotnunn wrote: I am interested in it because it is the first barrier to broadening Mac OS 9's hardware support
Do you need to understand the Nanokernel in order to write a device driver for unsupported hardware?

My Nanokernel research started in 2004 after I purchased a G5 PowerMac. I already owned a G4 Mac and the Connectix VirtualPC emulation package, which refused to run on the G5-driven Mac. Because M$oft, which had purchased VirtualPC 2003 from Connectix, refused to fix it to work on the G5, I was interested in giving it a try.

Unfortunately, I wasn't able to understand VirtualPC's internals because these were deeply buried in undocumented Nanokernel calls. The OS 9 version of VirtualPC uses several F-trap calls in order to install low-level hooks for switching the CPU endianness, for example. This requires operating in the PowerPC supervisor mode and could be achieved by using undocumented Nanokernel features only.

This was the first time I noticed this amazing piece of software called "Nanokernel". Today, my research is mainly motivated by the question of whether it's possible to replace the Nanokernel with a shim instead of low-level emulation. This could be a great step towards freedom from proprietary software and speed improvements. Such a replacement would only be possible if the Nanokernel function and API could be fully understood. BTW, the Classic environment uses a Darwin-based shim instead of the OS 9 Nanokernel.

My goal is therefore to contribute to the missing Nanokernel documentation.

Best regards
Max
superpete
Inquisitive Elf
Posts: 27
Joined: Sat Nov 26, 2011 3:08 am

Re: Using QEMU to explore the Mac OS Nanokernel

Post by superpete »

maximumspatium wrote: I already owned a G4 Mac and the Connectix VirtualPC emulation package that refused to run in the G5-driven Mac. Because M$oft that purchased VirtualPC 2003 from Connectix refused to fix it in order to work on G5, I was interested to give a try.
Off topic, but isn't this related to the lack of little endian support in the G5? The G4 and earlier PPC chips could switch between big/little endian mode without issue.
DANADAX
Student Driver
Posts: 14
Joined: Tue Jun 23, 2015 5:37 am

Re: Using QEMU to explore the Mac OS Nanokernel

Post by DANADAX »

So with broadening hardware support, do you mean something like creating more drivers for OS 9? Such as sound drivers, maybe USB 3 drivers?
adespoton
Forum All-Star
Posts: 4226
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: Using QEMU to explore the Mac OS Nanokernel

Post by adespoton »

I think he means enabling support on more recent PPC hardware, such as G5s.
maximumspatium
Space Cadet
Posts: 3
Joined: Sat Oct 24, 2015 12:24 pm

Re: Using QEMU to explore the Mac OS Nanokernel

Post by maximumspatium »

adespoton wrote: I think he means enabling support on more recent PPC hardware, such as G5s.
Rewriting the Mac OS 8/9 Nanokernel (which is actually a full-fledged microkernel) in order to support 64-bit PPC CPUs sounds quite ambitious and requires at least a good understanding of what is going on there. For the time being, we're very far from that.
Even considering the possibility that it could be done, Mac OS 8/9 will remain 32-bit only, so I doubt it will be worth such a huge engineering effort.
I'd look at re-enabling the Classic environment instead.

Just my two cents.
Max
elliotnunn
Student Driver
Posts: 17
Joined: Sun Sep 11, 2016 6:35 am

Re: Using QEMU to explore the Mac OS Nanokernel

Post by elliotnunn »

Max,

First, thanks! It's been a lot of fun. And yes, we are hoping to get something limping along on G5 machines.

I would be extremely interested to see your notes on the PDM Nanokernel. It is interesting that the 68k F-trap mechanism is used for endian-switching instead of the PowerPC syscall mechanism. As you might know, the leaked "System 7.1 source" was actually the ROM source for PDM and a few previous 68k machines (Duo 2xx, etc)... but minus the upper megabyte of PowerPC stuff! I did have a peek at the final revision of Gary Davidian's v1 Nanokernel, and found that it shared a lot of init code with René Vega's v2.

This project (we call it "CountDown G5") is ambitious, sure, and unlikely to succeed. But a few things make it worthwhile:
- I am learning a lot about low-level kernel programming, which I find fascinating as a hobby.
- We are crafting a build system in MPW, inspired by that source leak, for very low-level assembly and linking of a NewWorld ROM. This will be useful to other hackers in the future.
- We have an intermediate goal of increasing the usable logical address space on OS 9 to near the 2 GB hardware limit.
- The G5 isn't all that different. It has facilities for running 32-bit OSes, and early G5s thankfully left the Block Allocation Table mechanism intact.

The Classic Environment patched Mac OS 9 at multiple layers of abstraction. The Nanokernel's PowerPC system call interface and public structures are fully replaced – and I don't know much about XNU, but I'm guessing that Mach's facility for multiple OS personalities is used for this. A-traps are presumably patched extensively, to the point of replacing entire Managers with shims to OS X's high-level subsystems (window management, etc). And I haven't checked yet, but I'm guessing that the more modern, non-A-trap, non-InterfaceLib libraries (MPLibrary etc) are probably left alone, because they rely directly on the kernel.

So there's my $0.02.

Cheers,

Elliot
adespoton
Forum All-Star
Posts: 4226
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: Using QEMU to explore the Mac OS Nanokernel

Post by adespoton »

elliotnunn wrote: The Classic Environment patched Mac OS 9 at multiple layers of abstraction. The Nanokernel's PowerPC system call interface and public structures are fully replaced – and I don't know much about XNU, but I'm guessing that Mach's facility for multiple OS personalities is used for this. A-traps are presumably patched extensively, to the point of replacing entire Managers with shims to OS X's high-level subsystems (window management, etc). And I haven't checked yet, but I'm guessing that the more modern, non-A-trap, non-InterfaceLib libraries (MPLibrary etc) are probably left alone, because they rely directly on the kernel.

So there's my $0.02.

Cheers,

Elliot
Thanks for the update Elliot!

The more modern libraries are left alone for the most part; the idea behind CarbonLib applied not only to OS X-capable code, but the cleanup between 8.6 and 9.1 aimed to draw a separation between kernel-dependent libraries and kernel-independent libraries for just this reason. So OS 9 is essentially used by Classic as a kind of CarbonLib-heavy.
elliotnunn
Student Driver
Posts: 17
Joined: Sun Sep 11, 2016 6:35 am

Re: Using QEMU to explore the Mac OS Nanokernel

Post by elliotnunn »

adespoton, that's quite interesting. I have been poking around René Vega's old newsgroup posts, and have been quite impressed by the work that was being done in the "G4" era to modernise the Mac OS. We've also been corresponding on Twitter.

You sure seem to know what you're talking about. What's your background?
adespoton
Forum All-Star
Posts: 4226
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: Using QEMU to explore the Mac OS Nanokernel

Post by adespoton »

elliotnunn wrote: You sure seem to know what you're talking about. What's your background?
I started working on Mac security-related projects around 1991. Before that, I just wrote Mac shareware. I used to pore over the developer's notes with each hardware/software release -- sadly, I can't seem to find most of that stuff anymore. Most of it was printed copy that belonged to the institution I was with at the time.

Sometime in 2003, I took over management of emulation.net from John Stiles, and was doing that until we merged it with Emuscene (now macscene.net) sometime around 2007. Along with this, I was doing a bit of research into emulating other architectures on the PPC under OS X.

I also had an iMac DV SE and the original iMac G5, so was tracking the changes that cropped up between the two. Back at the time (2004-2005), I started looking to see if there was some way I could get OS 9 booting on my G5. Eventually I realized that it was more work than I had time for, and around that time moved on from my hardware that was OS 9-only, and settled myself on using Classic for old software.

There's a lot I used to know that I really don't anymore, and a lot of resource materials I've lost along the way. But sometimes I still remember little bits of things I discovered along the way that appear to have been lost to the mists of time on the Internet :)