The last few days I’ve spent way too much time analyzing the (Super)GoldCard boot ROM. The sources supplied along with SMSQ/E are only sparsely commented disassembly that was basically impossible to read. It irked me to no end that I didn’t understand the code and finally I did something about it. The process had a strange fascination like putting together a 10000 piece puzzle
Anyway, let’s begin. The ROM consists of three parts:
Address | Name | Contents |
$0000-$7FFF | GOLD | FLP + RAM + TK2 |
$8000-$BFFF | PATCH | Patches + Basic extensions + PAR + network + DEV |
$C000-$FFFF | BOOT | Boot/patch engine |
GoldCard
On the Gold Card the memory map on boot looks like this:
Address | Contents |
$0000-$BFFF | QDOS (read), RAM (write) |
$C000-$FFFF | BOOT section of GC ROM |
$10000-$17FFF | RAM |
$18000-$1BFFF | QL hardware registers |
$1C000-$1C0FF | GoldCard hardware registers |
$1C100-$1FFFF | RAM |
$20000-$3FFFF | 128kb RAM (including VRAM) |
$40000-$4FFFF | Complete GC ROM |
QDOS boots normally, finds 128kb of RAM (because of the ROM) and executes the GC BOOT code at address $C000. This in turn initialises the hardware, copies and patches QDOS to RAM, copies parts of the GC ROM to RAM and finally issues another reset. This is why on the GoldCard the QL always boots two times.
Fun-fact: the GoldCard can boot without any firmware ROM, this makes it somewhat possible to inspect the above memory layout live.
After boot the memory map looks like this:
Address | Contents |
$0000-$BFFF | Patched QDOS in RAM, write protected |
$C000-$FFFF | ROM port extension |
$10000-$17FFF | GOLD section of the GC ROM |
$18000-$1BFFF | QL hardware registers |
$1C000-$1C0FF | GoldCard hardware registers |
$1C100-$1C1FF | GoldCard firmware variables |
$1C200-$1FFFF | PATCH section of GC ROM |
$20000-$1FFFFF | 1920kb RAM (including VRAM) |
SuperGoldCard
On the SuperGoldCard the memory map on boot looks a bit differently:
Address | Contents |
$00000-$0FFFF | SGC ROM (read), RAM (write) |
$10000-$17FFF | RAM |
$18000-$1BFFF | QL hardware registers |
$1C000-$1C0FF | SuperGoldCard hardware registers |
$1C100-$1FFFF | RAM |
$20000-$3FFFF | 128kb RAM (including VRAM) |
$40000-$4FFFF | Complete SGC ROM (again) |
$50000-$3FFFFF | RAM |
$400000-$40FFFF | QDOS ROM |
In this case the SGC ROM doubles as the boot ROM and gets executed immediately. This is why the SGC does not need to double-boot. Again QDOS is copied and patched and parts of the SGC ROM are copied, too. Unlike with the GC, the copies of the SGC ROM are write protected.
Address | Contents |
$0000-$BFFF | Patched QDOS in RAM, write protected |
$C000-$FFFF | ROM port extension |
$10000-$17FFF | GOLD section of the GC ROM, write protected |
$18000-$1BFFF | QL hardware registers |
$1C000-$1C0FF | SuperGoldCard hardware registers |
$1C100-$1C1FF | SuperGoldCard firmware variables |
$1C200-$1FFFF | PATCH section of SGC ROM, write protected |
$20000-$27FFF | VRAM1, writes are mirrored to QL hardware |
$28000-$2FFFF | VRAM2, writes are only mirrored if SCR2 is enabled |
$30000-$3FFFFF | RAM |
$400000-$40FFFF | QDOS ROM |
$4C0000-$4FFFFF | Extended I/O area |
Configuration
The (Super)GoldCard does not have any kind of RAM that survives without power but still can store a bit of configuration like if F1 should be automatically pressed on boot. Well, how can this be? This was some mayor kind of “heureka” effect while analyzing the code. The cards contain a realtime clock chip that does not possess any additional RAM either, but it has a register that controls the interrupt line. The interrupt is never used on the golden cards, so the firmware just (ab-)uses the 4-bits available to store the configuration! Really clever.
Patches
The topic of what kind of patching the cards do on boot is almost mythical and was basically the reason I started this in the first place. All patches have been decoded and commented and everybody can look at them now (download below). There are a few patches that remove the most common bugs from the original QDOS ROM and a lot more that are applied to every ROM including Minerva. In some cases bugs in Minerva have been patched, but in these cases they have also been fixed in Minerva, so they usually don’t get applied anymore. One huge part is replacement of the MDV, network and I2C code, as these are all very timing critical.
Most remaining patches are exclusive to SGC because of the added code cache handling and the difference in exception frames of the 68020 to the 68000. Also there is an emulator for the “MOVE SR,x” instruction that became privileged on later processors.
The Masterpiece
Quite many of the patches actually alter QDOS for use with a graphics card with more resolution. At first I thought this was somehow connected to the Aurora and wondered why the condition for their activation apparently could never be true. But then I saw that Aurora’s VRAM starts at $4C0000 and the patches are all for VRAM that starts at $4E0000. The only explanation is that this is all for Miracle Systems never release Masterpiece graphics card. They must have been pretty well along the development path if these patches all made their way into the default ROM already. It even goes so far as to patch PTR_GEN after it is loaded.
The interesting thing about this is that the patches could easily be altered to work with the Aurora. As I don’t own an Aurora this is not for me to do, however.
The code
Finally here is the source code for all to see. For this version it was important to me that the result is bit-identical to the original source code, even though I had a strong urge to to change some code along the way… The result is not completely bit-identical to the GC2.49 ROM, but mostly because the utility libraries have changed. I have verified that the patches are exactly the same.
I will also submit the changes to Wolfgang to incorporate back into the SMSQ/E source code.
While I dont claim to understand much of it, a cursory glance through the material suggests that this is a great piece of work! Un-teasing and beautifully documenting all that dense code must have been a true Labour of Love!
But who authored it originally? Was it Tony Tebby, Stuart Honeyball, and/or anyone else?
Thanks Per. Yes, that were too many late night hours to count, but once I‘m obsessed with something I have trouble stopping. Finally I can move on 😉
I have wondered that too and asked TT about it but he didn‘t answer that part of my mail, so I have no idea unfortunately.
Thanks Marcel! A labour of love, for sure!
Pingback: Microdrive mystery | Kilgus.net
Pingback: QL-SD ROM news | Kilgus.net