Bug Discovered in Apple IIc Series Firmware

A firmware bug which affects both the Apple IIc and the Apple IIc Plus has been discovered by programmer, Michael Guidero.  According to the posting on his blog, The bug, described in code and notes below came about as a result of his work on the Apple IIc and Apple IIc Plus emulation in MAME.

The memory expansion firmware has the following code to test the size of the memory expansion card, if installed:

numbanks  equ   $03bb         ; screen hole - $c0
sizetemp  equ   $0478         ; screen hole shared
addrl     equ   $bff8         ; slinky address reg for indirect use
addrm     equ   $bff9         ; real registers are from $c0c0-$c0c3
addrh     equ   $bffa         ; ..
data      equ   $bffb         ; slinky data reg

; at entry x is expected to have $c8 (slot * $10 + $88)
; and y is expected to contain $c4 (slot $Cn)
testsize  equ   *
          lda   #0            ; zero address reg l/m
          sta   addrl,x
          sta   addrm,x
          lda   #$10          ; start at 1 meg and go down
tsloop    sbc   #1            ; move down a bank
          sta   addrh,x
          lda   data,x        ; save existing data
          dec   addrl,x       ; fix address (undo auto-increment)
          lda   #$a5          ; common apple check byte
          sta   data,x        ; store it
          dec   addrl,x       ; fix...
          eor   data,x        ; 0 if the data is there
          dec   addrl,x       ; fix...
          cmp   #1            ; C = 0 if data okay
          sta   data,x        ; restore data
          lda   addrh,x       ; <-- SEE COMMENTS BELOW
          and   #$0f          ; only lower nibble valid
          beq   tsnoram       ; no RAM somehow!
          bcs   tsloop        ; loop until we find a bank
          adc   #1            ; C = 0 from compare
tsnoram   sta   numbanks,y
          lsr   a
          sta   sizetemp      ; sizetemp = upper byte of block count

If you note the code starting at the indicated line, you can see that the code grabs the high byte of the Slinky address register and uses the low nibble directly as a counter value.

The problem is that when there is no memory expansion card installed, there is no register, and the value there is floating bus. The only reason the code gets out of the loop is because the floating bus happens to usually have a bunch of bytes streaming by that have 0 in the low byte.

That being said, the current MAME does not float the bus for $C0C0-$C0CF. This results in ROM $03 hanging when the card is first accessed, and, due to changes in in ROM $04, hang at boot for ROM $04.

The bug thus far does not seem to affect actual hardware but is limited to the emulation within the MAME system.  When asked about his discovery of the bug, Michael said, “I’m going to work with the MAME team to fix MAME. In practice it doesn’t really affect real hardware that much. I do have a fix, though.

Interestingly enough, Michael is also creator of the ROM 04x / ROM 05x project which has been implemented by a few members of the Apple II community in their pursuit of the ultimate Apple IIc.

For more on this project and other works by Michael, check out his main blog at:

Please follow and like us:

About the Author

Bill Martens

A.P.P.L.E. Chairman of the Board and Club president -- Bill worked for the founder, Val J. Golding and A.P.P.L.E. from 1981 to 1982. In 1999, he began archiving the materials which were distributed and sold by A.P.P.L.E.. That project led to the group that remained of A.P.P.L.E. Bill was involved in the financial industry in Tokyo and has over 20 major office infrastructure projects to his name. In March 2001, he retired to write books and to spend more time pursuing personal interests. As the president of the users group, Bill is in charge of distribution of Call-A.P.P.L.E. magazine as well as the organization of this web site. Bill currently resides in Tokyo, Japan and Shelton, Wa splitting time between the places.