The chip is a Fairchild SL56660, a 5/4 NAND gate. The original design only employed four ICs but in huge quantities: this one, an alternative but slower NAND gate, 1Kx1 bipolar SRAMs (usually the Fairchild 10415FC, about 70,000 of them in the 1976 Los Alamos National Laboratory unit), and the specialized Fairchild SL82747. This chip bears a date code of 14th week 1981 and is based on emitter-coupled logic (ECL), making it very fast for the time but also very power-hungry; CMOS made ECL and MECL obsolete. The later date code can be attributed to the fact this was probably from a board installed for repair purposes.
Merry Christmas and a very happy holiday season.Saturday, December 25, 2021
Merry Old VCR Christmas
Sunday, December 19, 2021
Monitoring the vintage server room (and reverse-engineering USB sensors)
Friday, November 26, 2021
xa 2.3.12
Sunday, October 3, 2021
Shiner ESB, an Apple Network Server prototype, and what it did at Netscape/MCom
The ANS, however, was a real honest to goodness server with hotswappable drive bays and fans, and (its most notable feature) an award-winning lockable translucent door so you could keep the unwashed masses out of your drives but still watch the blinkenlights. If you bought the bigger model, you even got dual power supplies and additional rear bays.
Also notable about the ANS was that they weren't supposed to run Mac OS, and were never sold with it, not least of which because the classic Mac OS wasn't really up to the task of being a server. Unfortunately, while A/UX supported larger needs on the 68K-based Workgroup Servers that could run it, A/UX 3 couldn't run on Power Macs even under emulation. The plan with A/UX 4 was to use a new PowerPC-native OSF/1-based kernel and possibly to also integrate portions of IBM's AIX operating system, but this plan (along with Taligent and other doomed projects) stalled out with everything else in Apple around that period. For a time Apple even considered using Novell NetWare on PowerPC; the port actually existed, codenamed Wormhole, but its tepid reception eventually led to the release of the weird Workgroup Server 9150 which just ran Mac OS. Eventually, to get to market Apple reached for what was then the only professional-level Un*x running on the new PowerPC architecture, which was AIX itself. Three Apple Network Server models were developed but only two (the "Low End" 500 and "High End" 700) were released; the 3U rack 300 "Deep Dish" remained solely a prototype, which I'd still love to acquire if its current owner ever gets tired of it. Oddly, even though they were only ever sold as AIX machines, they were initially demonstrated running a custom version of MacOS which was never released with them (I'd love to see this release myself), further confusing potential customers who already didn't want to buy Workgroup Servers. Introduced in 1996 at a retail cost starting north of US$10,000, which didn't even include the AIX license, they were very poor sellers and the line was canned by Gil Amelio around a year later.
I got my ANS 500 barely used for the cost of some consulting work after Apple stopped supporting it; you can see some scanned Polaroids of when it was in production way back in 1998. Later, I acquired an ANS 700 which I use as a spare and was briefly in service while I diagnosed a hardware issue with the 500. More recently, however, I managed to land a Shiner HE prototype dated 1995 from a scrapper in San Rafael, California. That is the unit depicted in these pictures.
Tuesday, September 21, 2021
A happy ending (and future) for Plua
Well, I'm pleased to announce that Marcio himself did get in touch (he's got a lot of fun Palm and retro projects still underway, incidentally) and graciously consented to relicense Plua2c, the "cross-compiler" portion, under the same MIT license as Lua itself. You can now download the source code from Github, which I'll keep maintained.
As for Plua-the-Palm-app and its various components, I will still be hosting the .prcs on Plua Revisited indefinitely, and Marcio and I have been discussing how we can add some improvements such as expanded screen size support and the like. This means Plua has a future again, and I couldn't be happier. Thanks, Marcio!
Thursday, September 16, 2021
RIP Sir Clive Sinclair
Thursday, September 9, 2021
The Incredible KIMplement 0.2b: a KIM-1 emulator for the Commodore 64 (and the Superkim)
No, that's not a joke. The KIMplement runs real KIM-1 code using a software 6502 core I've christened "6o6" (6502-on-6502). 6o6 implements protected memory, exception handling and all legal NMOS instructions. In addition, the KIMplement not only emulates those famous six seven-segment LEDs and the hex keypad, but also is one of the few KIM-1 emulators that emulates a TTY connection (an old-school ASR-33) and a KIM-4 expander with 16K of RAM, allowing you to run "big programs" too.
The KIM-1 is one of the earliest single-board computers, at least in the sense we conceive of them today. It was introduced in 1976 as an enticement for engineers to play with the MOS Technology 6502 which was then the cheapest microprocessor on the market. MOS had just gotten its pants sued off by Motorola, who did not like the prospect of an inexpensive drop-in replacement for their 6800 CPU; the MOS 6501 was completely pin- and bus-compatible, and where the 6800 cost $179 the 6501 was priced at just $25. The "lawsuit compatible" 6502 was just as cheap, but because the pins had been rearranged, couldn't be substituted without additional design work. The KIM-1 provided a platform for engineers to become more accustomed with the 6502, featuring a 1MHz CPU, 1K of RAM, cardedge I/O, a keypad, LEDs and in-ROM support for teletypes, punch tape and cassette tape, for only $245.MOS expected this would be a low-volume item mostly of interest to circuit designers. Instead, hobbyists bought them in large numbers because it was easily the least expensive microcomputer you could purchase at the time. With a KIM-1 at its center, you could have a full system with teletype, power supply and cassette storage for around $500. No other system came close to competing on cost. When Commodore Business Machines bought the ailing MOS in 1977, they wisely kept producing the KIM-1 until 1979 even after the introduction of the PET. Several clone systems exist, most notably including the Synertek VIM-1/SYM-1, as well as one unusual clone I'll talk about in a moment. I am the proud owner of four KIMs (including an original pre-Commodore KIM-1) and they all work.
I don't know if KIMplement's CPU core could be truly considered "virtualizing" the 6502, but it's more than just a naïve emulation. Rather than manually setting results and flags, the core looks at the guest instruction and runs the same instruction (or a safe variant) in the core context so that all the side effects, in particular changes to the status register, occur "for free." There is no way that a Commodore 64 at 1.0225MHz (or, worse, 0.978MHz for PAL) can do full-speed emulation of a KIM-1 running at 1MHz, but because there is much less code running per instruction, I think this scheme is probably near the fastest way a 6502 can run "untrusted" 6502 code. In practice it is about 35-50 times slower than native code, and this upsets programs that use tight timing or cycle counts, but it's still absolutely enough to actually "do things."
What sorts of things? Besides a couple LED-based games (originally Jim Butterfield's version of Lunar Lander, and I also added the misère game variant Black Match) and toy applications, you can run Tom Pittman's Tiny BASIC in the TTY, and with the bug fixes in 0.2b now you can successfully run FOCAL-65:
This screenshot in VICE shows the emulated 64 running a full FOCAL-65 program to manually compute square roots using Newton's method. It takes it a few seconds to do each iteration, but it all works. This is also a good demonstration of the FOCAL programming language itself including its unusual "floating point" line numbers (actually module and line), which it inherited from its more complex ancestor JOSS.For this version of the emulator (0.2b), I finally finished some performance improvements to the CPU core that had been gestating in my mind for literally years -- the last version of the KIMplement was released in 2006! -- and also fixed a problem with the TTY emulation where typing characters could get out of sync under CPU load. It can still drop keystrokes if you overflow the Kernal keyboard buffer, but it's a lot smoother generally. I also worked around a bug in VICE where, if you try to load files from a directory on the host machine, the RENAME-the-file-to-itself test used to check for the file's presence doesn't work (a real 1541 would respond with error 63 FILE EXISTS but VICE says 0 OK).
The other bug I fixed was caused by the CPU core, but can't be fixed in it. The 6502 has a decimal flag which can be set in the status register and causes add and subtract instructions to operate in binary coded decimal (e.g., $90 - $01 normally is $8F, but in BCD mode it's $89). Famously, or perhaps infamously, the Commodore 64 Kernal IRQ doesn't turn off the decimal flag, and there is at least one SBC in the normal execution path. Because 6o6 executes instructions for their side effects, if a program had previously set the decimal flag (and this is not at all uncommon in KIM-1 code) it needs to be on for those math operations. The usual solution is to turn on the interrupt flag first with SEI to suppress IRQs while decimal mode is on, but the normal state of guest code is to have the interrupt flag clear because the KIM-1 doesn't have this problem. If an IRQ hits right that moment, the IRQ will be executed with the decimal flag on, and possible unexpected behaviour could result.
This is an extremely infrequent occurrence, but in a long-running system "infrequent" is a synonym for "inevitable." This can't be efficiently solved in the core because there is no atomic method for controlling two flags at once. A better solution is very simple: we just make a patched IRQ that clears the decimal flag explicitly, and calls the normal Kernal IRQ. I did the same for NMIs as a belt-and-suspenders approach.
The eventual goal is to open-source the KIMplement, and in particular 6o6, but I want to have another demonstration application for 6o6 as well before I do. A small multitasking general-purpose kernel sounds like an ideal way to show off how it works.
On my main KIM-1 site I also put in a few words about the microproducts Superkim. This 1979 variant of the KIM-1 was developed in Redondo Beach by Paul Lamar, who had been using KIM-1s for automotive performance testing but was unsatisfied with their expansion capacity. Unlike the hobbyist audience of the KIM-1, the Superkim is all business. The unit in my possession was clearly in a card cage; the hex keypad was never even fitted. It uses a custom board rather than a modified KIM-1 with sockets for RAM, ROM and up to four 6522 VIAs (this unit has 4K of static RAM and a Rockwell R6502P), and sports a full prototyping breadboard on-unit. But its most noticeable (and, I might add, intimidating) characteristic is the 200 gold wirewrap pins penetrating the board: I have no idea what the sam heck this board was doing, but it clearly did something major in whatever its application was. Don't ask me to power this thing up because I'm worried I'll short something out somewhere. I don't know how many of these were ever sold and Commodore and MOS seem to have had nothing to do with its development. Of the clones I find the Superkim the most interesting. While many people mention the Rockwell AIM-65 as a clone (my unit is above), and it is strongly based internally on the KIM-1, its substantial expansion (wide alphanumeric LED screen, full keyboard, printer) would not make it generally recognizeable as such. I think the Synertek VIM-1/SYM-1 are more characteristic, though that is one unit I don't personally possess.In the future, and hopefully that future isn't in another 15 years, I want to add actual cassette support (right now you just dump memory to and from disk) and maybe support for one of the hi-res video boards like the Visable. It may also be worth trying to port the KIMplement to a faster 6502-based system like the Commodore Plus/4 or the Commodore 128 in 80-column mode, or maybe even the Apple IIgs, though all of these would need a solution for the sprites I currently use for the LEDs. (Okay, you Atari freaks, I know, I know.) The KIM-1 is a great little machine and surprisingly capable. The fact all of mine have survived over four decades proves they don't make them like they used to.
You can download a .d64 or .sdas of the Incredible KIMplement and its demo applications, or read more about the KIM-1.
Monday, August 30, 2021
More Tomy Tutor homebrew
Monday, August 23, 2021
The Commodore Plus/4, 3-Plus-1 and computer literacy
Another aspect of the +4 that was mercilessly derided was the 3-Plus-1 pack-in software. Based on an integrated suite called Trilogy by Pacific Tri-Micro, it included a word processor, database and spreadsheet; the fact they were intended to be basic applications did not prevent critical displeasure. Popular Computing Weekly pointed out how small the working space was and their limited features, and InfoWorld complained that "[t]he word processor is the worst I've ever seen," but The Transactor's editor Richard Evers was particularly barbed, famously observing that "[t]he word processor is barely that, the data base [sic] defiles the name and the spreadsheet has little spread." But while this quote got wide currency, the rest of the article is actually far more complimentary, adding, "Each package is well written, taking into consideration the limitation of trying to make them all work within the confines of each other. Running two packages in tandem is possible with this system ... think of the software as an almost free bonus, and accept its limitations."
I certainly thought so. While I didn't pick up my first +4 until I was a starving medical student, it was a cheap thrift store purchase and I made good use of the spreadsheet as a household budget. The word processor was just good enough for letters (school papers I typed in Pocket Writer on the 128D, until I got a Macintosh IIsi) and I barely used the database at all, but the spreadsheet actually worked fairly well for basic figures. Best of all, it loaded instantly because everything was in ROM, and you really could switch back and forth from one to the other and exchange data without losing anything, neither of which was true of the programs I had on the 128. In some respects it was even more "integrated" than bigger integrated packages (think Lotus Symphony, etc.) on the PCs of the time. It is debatable how useful this feature would have been versus simply having the applications run one at a time for a larger workspace, but it did work.Something else that worked was this Plus/4 that I dredged out of storage to test. While checking the contents, I found it had this letter in the box which I don't even remember noticing before:
The previous owner, in August 1986 (granted about a year and change after the +4 had flamed out), was invited to a computer literacy class, "an introduction to computers, teaching you basic data entry terminology, to help you feel confident working with computers. You will recieve [sic] a Commodore Plus 4 [sic] computer that adapts to your television for passing the class." The class was administered in Oregon.There is no mention of any peripherals being included, and no Commodore could directly connect to a standard cassette deck for storage. Furthermore, it is likely the Plus/4 was selected solely because they got donated stock that didn't sell. Still, here was a computer that was cheap enough to just give somebody and connect up to their television. You pressed a key and almost instantaneously you got a word processor, a spreadsheet and a database that came built-in. You could type letters, do a household budget and maintain an address book. If you picked up a 1541 disk drive, which by then was selling for under $200, you could save files. If you picked up any of the cheap Commodore 1525-compatible printers on the market, you could print letters. If you cared to crack out the manual, you could learn to write your own programs.
For this person in western Oregon, this Plus/4, as idiosyncratic and artificially limited as it was, may have been their gateway to computer literacy — and at that time it very likely was all the computer they actually needed.
Thursday, August 19, 2021
Plua revisited: Lua for PalmOS (and resurrecting plua2c)
The classic Palm OS (also known as Garnet in its final revisions), not to be confused with Palm's later and technologically unrelated webOS, actually feels a lot like classic MacOS. (The "Classic" mode in webOS 1.x for running Garnet apps doesn't seem like a coincidence to me, either.) Besides the common original architecture (68K), the heavy reliance on structured resources for both applications and data storage is very reminiscent of the Mac. When ARM-based Palm OS 5 devices emerged, not only was there a 68K emulator like the Power Mac's for running older software (called PACE, the Palm Application Compatibility Environment), but the normal state of the system was to be running 68K code.
I got a lot of wear out of pre-programmed Palm apps but I'm a nerd at heart, and I like to program things. The PC-4 was easy: it was BASIC, and it had 10 segmented program spaces, so I wrote simple games and tools for school classes. The 95LX ran DOS programs, and would happily run anything I wrote in Turbo Pascal 5.5 (though optimally if formatted for the smaller screen first). However, Palm development was primarily proprietary at the time, officially requiring CodeWarrior with specific Palm support and the appropriate hardware. I used Macs (at the time, a hand-me-down Power Mac 7300), so the hardware was no problem, but I was a starving student back then and CodeWarrior wasn't cheap.
So late in 2001 it was a real boon to discover a beta Palm OS 3.1 port of the Lua programming language to Palm OS, written by Marcio Migueletto de Andrade. The part I liked best (well, other than the fact it was free!) was it was fully self-hosted, with what today we would recognize as a simple IDE, such that you could develop right on the device. In those days Plua was based on Lua 4 and offered easy graphics, serial and UI support, so I used it for writing my own internal calculation apps which (thanks to an external separate runtime, the Palm's ubiquitous IR beaming, and everyone having a Palm device) everyone on the clinical team ended up using. Eventually Plua evolved into a full-fledged 1.0 release in 2003 instead of a time-limited beta.
Plua also included a small "cross-compiler" (really, a bytecode dumper) based on luac, though with additional code to link resources as well as emit a stub PRC header to call the runtime. This allowed you to develop on a desktop PC and build the PRC there, and then HotSync it over. More about that in a moment.
Plua was already pretty great by then, but what really moved it forward was support for TCP networking in Plua 1.1. Unfortunately, networking in Plua 1.1 had several significant bugs and Marcio was already working on Plua 2.0, which was based on Lua 5, so these weren't fixed. (One of my early apps that got bitten by this was Port-A-Goph, a gopher client for Palm OS. I got a mention in Wired and the code really did exist, but the socket bugs were difficult to work around. I probably have the source code around here somewhere.) Plua 2.0 also required Palm OS 3.5 and wasn't source compatible with Plua 1.1; the functions were similar, and many function calls could be rectified with text search-and-replace, but it still had some important differences plus the jump in the core language as well. For me personally it took awhile to convert over, but Plua 2.0 was a definite improvement and the bugfixes made it a very solid package.
This screenshot, of POSE (Palm OS Emulator 3.5) running under Mac OS 9 (emulating the emulator on my Raptor Talos II), shows that Plua 2 was perfectly capable of native controls and a standard application UI. With the socket issues resolved, networking was actually stupidly easy.At the time I was an active participant in the Yahoo! Group for Plua (now gone, along with the rest of Yahoo! Groups), which was the only official place to get Plua 2. Marcio issued an analogous "cross-compiler" for Plua 2 called, analogously, plua2c, using 5.0.3's luac as the base. However, Plua was freeware but (Lua 5 is MIT-licensed) not open source, and the plua2c binaries — which, unlike Plua 1.0 and 1.1, were distributed separately — were only available for Windows and x86 Linux.
During the Plua 2.0 betas in 2006, I privately asked Marcio if I could build a PowerPC Mac OS X-compatible version of plua2c. He agreed to this with the condition that the source be kept private (I suspect, but do not know, that he had some interest in making it a commercial product or having a commercial support option). I agreed and over the next couple years ended up issuing four binary-only releases of the Mac OS X plua2c which I hosted on Floodgap. However, after Plua 2.0 left beta around 2008, although Marcio indicated he had interest in starting on a 2.1 based on Lua 5.1, I don't know if he ever actually did; the introduction of webOS in 2009 and the lack of interest in Palm OS Cobalt or further Garnet devices essentially ended classic Palm OS's market relevance in any case. I lost contact with Marcio and never received further replies from him regarding Plua or plua2c.
Still, I kept using it for various minor projects even if I didn't regularly keep a Palm in my pocket anymore. I eventually gave up on Port-A-Goph and started on a Plua 2 rewrite (the screenshot above), and turned my Zire 72 into a Plua-powered Hue light controller:
All of this development was done on my 32-bit Power Macs, using 32-bit builds, which was all that was ever supported. In the meantime, the Plua Yahoo! Group disappeared along with the rest of everything in the Yahoo! Groups genocide and along with it the only definitive source of Plua and plua2c. Although a few people have the PRCs, no one seems to have kept the cross-compiler, and other things like documentation and examples similarly evaporated.When I recently decided to continue work using my Raptor Talos II, which is a 64-bit POWER9, I decided I would dust off the source code of plua2c still sitting in my G5 and develop on the new machine. plua2c compiled and appeared to function but ended up generating defective executables that weren't compatible with the Plua runtime (Plua2RT). They were dramatically bloated in size and caused the runtime to emit a low-level VM error.
Recall that plua2c is descended from luac, which more or less just dumps the Lua data structures in place. Lua's documentation says that "[t]he binary files created by luac are portable to all architectures with the same word size." To this end, luac 5.0.3 actually emits sizeof(int), sizeof(size_t) and sizeof(Instruction) (i.e., the typedef quantity for the size of individual bytecode instructions) into the bytecode header which should make an amphibious loader capable of selecting different bit widths, but Plua2RT doesn't swing both ways, at least not in that respect. To make the Plua VM happy, I had to force all of these to be 32 bits in size and change the emitter to only emit 4-byte int and size_t quantities.
This partially fixed the size, but it was still abnormally enlarged, suggesting 8-byte quantities were still being injected into the file somewhere else. After some detective work I found it was actually coming from plua2c's PDB header struct, so I hardcoded the correctly sized types in its typedefs, and the length matched up and the Plua VM could now execute the generated PRC. plua2c was now ported to 64-bit OpenPOWER.
You'll notice I said the length matched what my Power Macs emitted, but not the file itself. Besides a timestamp, the Lua bytecode is emitted using the native system's endianness, and the dump also has an endianness flag to indicate what that was. Interestingly, this is one situation in which the Plua VM does swing both ways: although the native endianness of the 68K Palm OS is big, and Plua was never ARM-native (which for Palm OS 5 is little, and PACE handles the endianness switch as part of thunking), it transparently converts the values just fine, just like Lua would. The docs even say, "binary files created on a 32-bit platform (such as Intel) can be read without change in another 32-bit platform (such as Sparc [sic]), even if the byte order ('endianness') is different." In fact, it has to, because Marcio's builds of plua2c were for little-endian 32-bit x86. Only my PowerPC Mac OS X builds actually emitted big-endian data, since that was the native endianness there. My POWER9 system runs Fedora in little-endian, so the endianness didn't match the Power Macs, but that was no problem for Plua.
I intend to honour my gentleman's agreement with Marcio about not disclosing the source code. Even if he's unable or unwilling to discuss changing the arrangement, a deal is a deal and I would want this to be a sign to anyone else who would share code with me for porting purposes that I keep my promises even a decade and a half after the fact. Still, I think Plua is a great way for retrocomputing enthusiasts to get back into Palm development. Yes, there are tools like OnboardC which compile on the Palm as well, and some but not all of the C cross-compiler infrastructure works on modern 64-bit systems, but Plua is a lot more straightforward for beginners and has tons of built-in functionality that would require external libraries or a lot of additional code with other development systems. The use of a separate runtime is a little obnoxious but hardly a dealbreaker for me personally.
So, in the spirit of our original arrangement to issue PowerPC Mac OS X binaries, I have compiled plua2c for modern 64-bit platforms, at least the ones I have a compiler or cross-compiler for. Besides the 32-bit PowerPC OS X version, which I still offer, and the 64-bit OpenPOWER ppc64le Linux binary I personally use, I also compiled it for Intel macOS 10.14+ with clang and 64-bit Intel Windows with a cross-compiling MinGW gcc. I'm willing to consider other platforms if I can easily set up compilation without a lot of additional work or disk space.
But these aren't much good without Plua itself, so I've additionally started hosting the Palm OS package on Floodgap with the runtime, onboard IDE and online help, along with Marcio's documentation and license terms. I also had a complete copy of the Plua 2 examples, so I've provided those, like the animated fishtank you saw on the introductory image. And, because building them from scratch needs the PILot Resource Compiler, I also made a minor 64-bit fix to its bitmap handling for modern systems too (it's GPL, so for that you get the full source code). Fortunately, pilot-link is still readily available for most modern platforms to sync your binaries over to the device.
It is my hope that one of two things will happen: Marcio will get in touch and bless an open-source release, or, with this tool, someone(tm) can work on a clean-room implementation of the runtime and maybe fix a few of the issues like memory usage and custom screen sizes. Sadly, that someone(tm) can't be me, because I've obviously seen the source code and know at least some of how it's implemented and that makes me a tainted implementor. But combined with the source for Lua 5.0.3 — and none of what I've divulged here can't be inferred from it — folks should be able to tease apart how the VM is constructed and how calls get to the OS, because except for the Palm-specific bits the VM core is still regular old Lua. Which is why, by the way, Plua was so great and is worth resurrecting. Maybe we could even get later releases of Lua 5 working. Who knows?
Even if we don't get either of those outcomes, at least now folks interested in Palm OS have another solid homebrew development option available once again. I got a lot of wear out of Plua and Marcio's hard work is why. I don't think he ever made a cent off it, but even with its minor warts it's still my favourite way to program the classic Palm OS. Now you can enjoy it too.
The binaries, documentation and examples are at Floodgap. As for the gopher client you saw? Well, that's a future post. But when I push that out, you can compile it yourself.
Tuesday, August 17, 2021
Unplanned Floodgap downtime
Monday, August 2, 2021
Cracking into the Sun Ray General Dynamics-Tadpole M1400
But for however original their early designs were, in 2005 General Dynamics bought them out, merged them with their other acquisition Itronix and triggered the end of the RISCy business. General Dynamics wasn't in the retail market; they sold to the military and other large institutional customers, and those folks wanted thin clients. All the rage then was Sun Ray, launched by Sun in 1997 and killed, like many things, by Larry "The Terrible" Ellison's Snoracle in 2014.
Sun Ray clients are simply networked display devices that connect to a server using ALP, or Appliance Link Protocol. Properly configured, a user could go from terminal to terminal and have their session follow them from client to client with no interruption (with a smart card, they wouldn't even need to type their login and password). The user has no local storage access; everything is centrally administered, including their desktop and the apps they run. Naturally Sun Ray Servers were originally Solaris-based, but there was a later binary available for Linux, and the Java open-source kOpenRay (which yours truly maintains) implements portions of the protocol. Using the Sun Ray Server as a gateway, connection to "conventional" Windows Terminal Server sessions via RDP was also possible.
The clients themselves came in several distinct generations. The first generation ("Sun Ray 1") were based on the MicroSPARC IIep, first discretely, and then as a custom SoC; the second generation were MIPS, more specifically the orphaned Alchemy microarchitecture which we'll talk about in a future post, and the third generation at least initially continued with the same. However, since the firmware was CPU-agnostic (in fact, later there was even a software client you could run as a Windows application), there was nothing particular about the protocol or the implementation that irreversibly tied Sun Ray to any one specific architecture.
That brings us back to the zombified Tadpole under General Dynamics (I'll call it "GD-Tadpole"). The MIPS Sun Rays were very power-efficient (again, a topic for a future post when we look at the Accutech Gobi systems) and performed well in laptops and even several Sun Ray tablets, but the chips weren't available in volume and didn't have the economies of scale of low-end PC laptops. So GD-Tadpole chose ... a low-end PC laptop, specifically the Taiwanese Compal FT01, fitted it with Sun Ray software and a custom BIOS, and released that as the Tadpole M1400 in 2008. And here are two, one so new the sticky protective plastic cover picked up hairs:
Notice that one is badged General Dynamics and one is not. More about that in a moment. Opened up, however, they are indistinguishable: And here it is with my Gobi 8 (Sun Ray 2), both connected to a default configuration of kOpenRay. The M1400 is the larger of the two on the right. These laptops were a larger family of otherwise unremarkable PCs with weird firmware, the M1400 being the first. In 2010 General Dynamics delivered the successor Tadpole M1500, which is a rebadged Compal HL91, along with the netbookish M1000 with a smaller screen and form factor. All of these machines were only meant to run as Sun Ray clients, enforced by their modified BIOS, but the desktop Tadpole Pulsar and Pulsar Premium introduced at the same time have a hidden conventional AMIBIOS and can boot a conventional operating system. Not so the laptops: Sun Ray or bust.The FT01 wasn't a terribly flash laptop even for the time, but it didn't have to be. The M1400 variant has 512MB of RAM (one SO-DIMM with two sockets) and a Socket P receptacle with a 1.86GHz Intel Celeron 540. We can confirm that by carefully cutting the warranty stickers on the "new" 1400:
and then removing the retaining screws from the doors: This exposes the CPU (peeping out from under the heatsink), the fan, the single SO-DIMM and the Intel PRO/Wireless 3945ABG mini-PCI card. There is a second mini-PCI slot available, but the M1400's default OS probably wouldn't make use of it. Similarly, I installed a second SO-DIMM for a total 1GB of RAM as an experiment but it didn't seem to make any difference.Also notice that there is no obvious main storage; the SATA hard drive bay is empty. That's because it's actually in the optical drive slot where the smart card reader is, using a carrier tray that is the system's only custom GD-Tadpole component. It is an otherwise off-the-shelf 256MB Transcend 40-pin IDE flash module which connects to the optical drive's PATA and power port using a bespoke passive interposer board. The smart card reader connects internally with its own data cable and draws power from the drive connection using the flash module's interposer. Like all such optical drive trays of the era it is easily extracted once the data cable is disconnected by removing the retaining screw and gently pulling it out. We will take advantage of this later.
The M1400's BIOS is locked down to only boot an approved OS. It can be on a drive in the SATA bay if you pull out the flash module's carrier tray, but if it doesn't recognize the operating system, it will put up a red screen with an error message and refuse to continue. There is no obvious way to enter the BIOS setup, if it even has one. So far there are at least three OS versions, all Linux-based. By default the machines use a 1280x800 screen resolution neither my 1080p flat panel nor my INOGENI VGA2USB3 like, so these screen grabs are unfortunately not at their native resolution.The earliest version I have came with the "unbadged" laptop. This version of the firmware flashes a plain cyan screen if the discovered boot device and operating system pass muster and then starts the client. If installed in the "badged" laptop it will flash the same cyan "happy" screen, but then the screen blacks out and it doesn't get any further. As the hardware is the same I can only conclude there is a difference in the BIOS between these two units.
Once loaded it starts up directly in the typical Sun Ray On-Screen Display "OSD" client window of the time, with its MAC address as its ID and various icons and progress codes as it obtains a DHCP address and then tries to connect to its configured server.
All firmware versions of the M1400 implement the standard Sun Ray key combinations and add some unique ones. Menu-M, for example, brings up the internal configuration menu (the trackpad is also active) from which network and other system settings are adjusted. However, an unusual feature of the M1400 family is the built-in minibrowser, which can be enabled from the menu. This version of the firmware has an annoying habit of automatically resetting and trying to reconnect if it isn't connected to a Sun Ray server instance, making the minibrowser a bit less useful than it would be ordinarily. There doesn't seem to be any easy way of turning that off, so to placate it we'll startup kOpenRay on the Raptor Talos II to give it something to connect to. Here is its firmware version ("Tadpole-mb02-V3.4.0-0101," dated 15 September 2008). Although the menu says we can "enable features," there appears to be only one feature to enable (virtually all of the later generation Sun Ray clients have some sort of VPN support, including encryption). Now that we are connected to our dummy server, let's enable the minibrowser with Menu-B. Huh, that's ... a unique choice of layout engine. The übernerds have recognised this atypical choice of browser already, but for the rest of you ... it's Links! More specifically, it's 2.1pre33, which would have been approximately current at the time. The user agent also rats out the underlying operating system as Linux 2.6.25, running everything on a custom framebuffer. (A consequence of its limited user interface is that the browser window can be moved but not resized.)This is actually the only mass-produced device I've seen that comes with Links from the manufacturer as the browser of choice. It's certainly very quick and small and I delight in its quirkiness, but there were more mainstream choices available in 2008 — including one we'll examine in a moment — so I'm not sure what went into the decision.
You can browse to file:///, but it seems to exist in a very limited chroot environment (darn) that is apparently recreated on startup. For example, you can download files and they appear in your home directory, and you can use the bookmark manager and changes appear to stick, but when you reboot the machine and go back to file:///home/user everything is wiped. It would have seemed a simple matter to disable these features but for some reason they didn't.
Only four files are in the chrooted /etc; here's ld.so.conf: And here's the only inhabitant of /usr/bin, the links binary itself. TLS 1.0 is supported, which would have also been appropriate for the time. It does not seem to use the same certificates as the rest of the system; indeed, it accepted gopher.floodgap.com's Let's Encrypt certificate without complaint (it doesn't appear to validate them at all). Still, one thing they did customise, if you can call it that, was the name ("Browser"). I don't know why they just didn't keep Links. If you're going to be weird, be proud. The "badged" laptop came with a later version of the firmware. Instead of just a plain cyan "happy" screen when powered on, it also has a Bondi blue screen that says "Loading." After possibly flashing the Loading screen a couple times, it then launches into the Sun Ray client. (The "unbadged" laptop halts at this point with this firmware, by the way. It shows "Loading" and briefly displays the Sun Ray OSD status window, but then goes back to "Loading" and freezes.) Here's the firmware version ("Tadpole-mb02-V3.6.1-0101," dated 25 June 2009). This firmware version doesn't have the earlier one's obnoxious watchdog reset if it has no Sun Ray Server to connect to. This not only makes the minibrowser more functional as a standalone application, but also facilitates logging into networks using the browser itself, which the prior firmware would make rather difficult. In fact, there's even an option in the menu for it: The minibrowser (also on Menu-B) is very different in this release: It's WebKit! The toolkit is Qt for Embedded Linux; the layout engine version (527) is comparable to Safari 4.0, which again would have been roughly current at the time of release. It calls itself meteorbrowser/0.1: Meteorbrowser is both more and less functional than Links. For example, the encryption support went backwards; Meteorbrowser cannot connect to gopher.floodgap.com over TLS, even TLS 1.0, and doesn't explain why: They also closed the "hole" with file:/// (ftp://, recently killed by Firefox for no good reason, generates the same error). Still, the improved engine means its layout capability is more modern (with odd gaps like fonts and Unicode characters, however) and things like basic JavaScript work. Here, testing it on my page on California State Highway 136, popups and closes for the images work correctly (as tabs). There are undoubtedly some potential exploits possible in this version of WebKit though its JavaScriptCore version does not seem to have a JIT. Shellcode explo(it|r)ations perhaps to come in a future post ... You may have noticed that the kOpenRay session didn't look quite right. That's because it seems to bug out on this version of firmware. It's probably kOpenRay's bug, but I'm not sure why it happens yet.The third version of the firmware I've encountered was courtesy David Parkinson, who was one of the early explorers of this system and discovered it could be booted over SATA if the IDE flash module tray was ejected. He sent this firmware image to me and I flashed it to a CF card of the same size, booting it from an off-the-shelf CF-to-SATA adapter.
This firmware works on both the "badged" and "unbadged" systems. It uses a Windows XP-inspired interface and is much more sophisticated than the basic Sun Ray OSD even though it still preserves the same status codes. It is also clearly badged "General Dynamics" — not Tadpole. This image came up defaulting to the WiFi, though if you connect an Ethernet cable it would still get a DHCP address from it. It has specific tabs in its interface with better video configuration options, more user interface configurations, and a status tab showing it as Tadpole-mb02-V4.6.2-0101, but undated. If it corresponds with the M1500, then this would put it circa 2010. However, Menu-M yielded a nasty surprise, as photographed when I initially tried it: I tried all the usual typical passwords. It naturally resets if you try too many, which slows you down further. The browser was disabled and there seemed to be no way to set network information. Locked down hard! At this point I figured I should have a look at what was actually in the firmware.The 256MB image David sent me mounts as two VFAT volumes called CONFIG and CARD. Here they are in Midnight Commander.
The CARD side seems to have most of the meat. 1* files are bitwise identical copies of 0*, presumably spares if something goes wrong with the filesystem. The extensions .ime and .tle are opaque binary files. They do not appear obviously compressed and strings shows no recognisable ASCII text within them, and their magic number 80 00 00 00 doesn't match any file format I know. The only readable files are factory.conf, with two lines (KbdType=pc and Language=uk), features with some sort of hex product key, a 384-byte license file also containing ASCII hex, and 0meteor.bom and 1meteor.bom, which are identical and have lines like this:
0meteor.bom=Tadpole-mb02.bom,S,4.6.2,3.0.0,30c4[...]
0initrd.ime=mb02_initrd.ime,H,4.6.2,3.0.0,42e6[...]
0browser.tle=mb02_browser.tle,S,4.5.15,3.0.0,971d[...]
0opengl.tle=mb02_opengl.tle,H,4.5.6,3.0.0,01e2[...]
Like the license file, the hex data is 384 characters encoding 192 bytes. Best guess is some sort of checksum hash which is checked on startup. The 4.6.2 matches the version number of the firmware, but I don't know what the H or S indicate, or the 3.0.0. BOM therefore probably stands for Bill Of Materials.
The CONFIG side is mysterious in different ways. Notice that the 0* files have a different modification date than the 1* files, and they are not identical copies (their CRC32 checksums differ). The significance of this was not known to me at the time, but we'll come back to why they differ presently. These files, however, are not encrypted. In fact, 0certs.img is another mountable FAT image that despite its filename calls itself METEOR:
This is obviously the certificate store. However, I didn't find any of the configurable screen or UI settings in CARD, CONFIG or this METEOR.Were the other firmware versions the same? Time to dump them and see! Attempting to extract the IDE module started to perilously bend the pins on the interposer because of its tight fit, so I pulled a beat-up Dell Vostro 1400 out of the closet with a PATA optical drive slot to plug the whole tray in as a unit. The retaining screw didn't quite align between its drive and the GD-Tadpole tray; since I have two trays I decided it was Dremel cutting tool time for one of them:
I chose the tray from the "badged" unit since that one was in worse shape anyway. Notice that there were differences in the smart card reader too (earlier one at left), but they probably look the same to the operating system. Once installed dumping the images was then a matter of booting Clonezilla on the Dell Vostro, having it mount a second USB drive and dd the entire IDE module with both partitions over to it. To dump both modules I just switched the entire interposer board with the module attached. The older firmware versions lack factory.conf, but are otherwise laid out the same with a set of similarly mysterious binaries and corresponding license, features and *.bom files. Fewer components are in these earlier versions, and the Links-based firmware's BOM is the only one where every file's version matches the firmware's displayed version (3.4.0). They also divide themselves into CARD and CONFIG partitions.The second version firmware allows you to configure the default address for Meteorbrowser. I figured this was a useful test, so I made a single character change from "i" to "j" to see how this altered the dump and compared both images in VBinDiff. The result was unexpected:
It's cleartext ASCII! I grepped every single file in the image to determine where it was stored and found it in CONFIG/0meteor.cfg ... which turns out to be another FAT image! This image is also called METEOR: The string appeared in base.conf. You can see all the folders for the individual profiles, suggesting this is where user settings are written to. The clock was set wrong on this unit, but the times differed here as well, just as they did on David's image. I should have realized there was something special about those files in the first place.With this new information I returned to his image and mounted CONFIG/0meteor.cfg. After grepping around a little, in profiles.conf appeared this string:
Password_Enc=d8f9[...]
A theory came to mind: if I munge it to a key it doesn't recognise, then it hopefully will think it doesn't have a password at all. I directly loaded the image into a hex editor and changed every occurrence of Password_Enc to Aassword_Enc (gotta make sure the length matches). This string appeared in four places. I then flashed this to the CF card and rebooted, and pressed Menu-M.
Bingo! No password, unrestricted access! Time to turn on the minibrowser, which it calls a Mini Bowser. Unlike every other version of the firmware, this one directly allows you to update the BIOS. I didn't try this because I actually like what's there, but I bet David will try. It did not prompt for a filename and I did not click Confirm. Another nice feature: NTP is supported. Time to fix the clock. Configured and talking to kOpenRay. Whatever issue was with the second firmware version is fixed now. Unfortunately, Meteorbrowser is still the same and has all the same limitations. Fixing the clock didn't fix TLS. I haven't found any other versions of the firmware. If you have one, let's explore it.Things to do:
- Try to bust into the OS by exploiting the version of WebKit in Meteorbrowser. Hopefully it isn't similarly chrooted.
- Figure out what those hashes are and what algorithm it uses. It may have something to do with license, which could be an encryption key. However, the 192 byte length is a little unusual.
- Unmunge at least one of the files. The obvious target is ?bootarg.ime, which is small enough where brute forcing may actually be possible especially since I strongly suspect it should yield ASCII text, and at that size it probably isn't compressed.
- Links can do "more" and is more "fun," so see if I can make a hybrid firmware using the improved General Dynamics launcher but replacing ?browser.tle with the ones from the original firmware. Assuming the hashes match between releases, I should be able to just copy the needed lines from ?meteor.bom.