A firmware bug affecting both the Apple IIc and the Apple IIc Plus has been discovered by programmer Michael Guidero. According to the post on his blog, the bug, described in the code and notes below, came to light as a result of his work on the Apple IIc and Apple IIc Plus emulation in MAME.
The memory expansion firmware has the following code to test the size of the memory expansion card, if installed:
numbanks equ $03bb      ; screen hole - $c0
sizetemp equ $0478      ; screen hole shared
addrl    equ $bff8      ; slinky address reg for indirect use
addrm    equ $bff9      ; real registers are from $c0c0-$c0c3
addrh    equ $bffa      ; ..
data     equ $bffb      ; slinky data reg

; at entry x is expected to have $c8 (slot * $10 + $88)
; and y is expected to contain $c4 (slot $Cn)

testsize equ *
         lda #0         ; zero address reg l/m
         sta addrl,x
         sta addrm,x
         lda #$10       ; start at 1 meg and go down
         sec
tsloop   sbc #1         ; move down a bank
         sta addrh,x
         lda data,x     ; save existing data
         pha
         dec addrl,x    ; fix address (undo auto-increment)
         lda #$a5       ; common apple check byte
         sta data,x     ; store it
         dec addrl,x    ; fix...
         eor data,x     ; 0 if the data is there
         dec addrl,x    ; fix...
         cmp #1         ; C = 0 if data okay
         pla
         sta data,x     ; restore data
         lda addrh,x    ; <-- SEE COMMENTS BELOW
         and #$0f       ; only lower nibble valid
         beq tsnoram    ; no RAM somehow!
         bcs tsloop     ; loop until we find a bank
         adc #1         ; C = 0 from compare
tsnoram  sta numbanks,y
         lsr a
         sta sizetemp   ; sizetemp = upper byte of block count
         rts

If you look at the code starting at the indicated line, you can see that it reads the high byte of the Slinky address register back from the card and uses the low nibble directly as the loop counter.
The problem is that when there is no memory expansion card installed, there is no register, and the value there is floating bus. The only reason the code gets out of the loop is because the floating bus happens to usually have a bunch of bytes streaming by that have 0 in the low byte.
That being said, the current MAME does not float the bus for $C0C0-$C0CF. This results in ROM $03 hanging when the card is first accessed and, due to changes in ROM $04, a hang at boot with ROM $04.
The bug thus far does not seem to affect actual hardware but is limited to the emulation within the MAME system. When asked about his discovery of the bug, Michael said, “I’m going to work with the MAME team to fix MAME. In practice it doesn’t really affect real hardware that much. I do have a fix, though.”
Interestingly enough, Michael is also the creator of the ROM 04x / ROM 05x project, which has been implemented by a few members of the Apple II community in their pursuit of the ultimate Apple IIc.
For more on this project and other works by Michael, check out his main blog at:
http://apple2.guidero.us/doku.php?id=start