{"id":47426,"date":"2025-04-18T13:28:37","date_gmt":"2025-04-18T17:28:37","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=47426"},"modified":"2025-04-18T13:28:37","modified_gmt":"2025-04-18T17:28:37","slug":"the-invalid-68030-instruction-that-accidentally-allowed-the-mac-classic-ii-to-successfully-boot-up","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/04\/18\/the-invalid-68030-instruction-that-accidentally-allowed-the-mac-classic-ii-to-successfully-boot-up\/","title":{"rendered":"The Invalid 68030 Instruction That Accidentally Allowed the Mac Classic II to Successfully Boot Up"},"content":{"rendered":"<p><a href=\"https:\/\/www.downtowndougbrown.com\/2025\/01\/the-invalid-68030-instruction-that-accidentally-allowed-the-mac-classic-ii-to-successfully-boot-up\/\">Doug Brown<\/a> (via <a href=\"https:\/\/chaos.social\/@uliwitness\/113985231065670214\">Uli Kusterer<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.downtowndougbrown.com\/2025\/01\/the-invalid-68030-instruction-that-accidentally-allowed-the-mac-classic-ii-to-successfully-boot-up\/\"><p>This is the story of how Apple made a mistake in the ROM of the Macintosh Classic II that probably should have prevented it from booting, but instead, miraculously, its Motorola MC68030 CPU accidentally prevented a crash and saved the day by executing an undefined instruction.<\/p><p>[&#8230;]<\/p><p>I didn&rsquo;t get very far while testing the command+power shortcut in MAME&rsquo;s emulated Classic II, because I observed something very odd. It booted up totally fine in 24-bit addressing mode, but I could not get it to boot at all if I enabled 32-bit addressing, which I needed in order for MacsBug to load. It would just pop up a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Macintosh_startup#Sad_Mac\">Sad Mac<\/a>, complete with the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Macintosh_startup#Chimes_of_Death\">Chimes of Death<\/a>.<\/p><p>[&#8230;]<\/p><p>This meant the bus error handler was at 0x40A026F0, which is also known as <em>GenExcps<\/em> in the ROM map. I performed a hard reset of the emulated machine, set a breakpoint on that address, and then waited until it hit the breakpoint. It looks like <em>GenExcps<\/em> is a big list of BSR instructions that all jump to 0x40A026A0, which is common error handling code identified in the ROM map as <em>ToDeepShit<\/em>. Nice name, Apple!<\/p><p>[&#8230;]<\/p><p>If you look closely at the table of branches below the JMP instruction at 0x40A43B6E, there are only 16 entries in the table, corresponding to BoxFlags 0 through 15. The Classic II is BoxFlag 17!<\/p><\/blockquote>\n<p>So it jumped into the middle of an instruction.<\/p>\n<blockquote cite=\"https:\/\/www.downtowndougbrown.com\/2025\/01\/the-invalid-68030-instruction-that-accidentally-allowed-the-mac-classic-ii-to-successfully-boot-up\/\"><p>The MAME-emulated Classic II was crashing because A1 didn&rsquo;t change, so it still contained an invalid address. On hardware, this weird instruction, which several disassemblers refused to touch, and wasn&rsquo;t even intended to be jumped to because it starts in the middle of an actual valid instruction, was changing A1 to a new value that was a good address. Was this crazy instruction accidentally fixing A1 and thus hiding a bug from Apple&rsquo;s ROM developers in the early 1990s?<\/p><\/blockquote>\n<p>This is just an amazing story and writeup.<\/p>","protected":false},"excerpt":{"rendered":"<p>Doug Brown (via Uli Kusterer): This is the story of how Apple made a mistake in the ROM of the Macintosh Classic II that probably should have prevented it from booting, but instead, miraculously, its Motorola MC68030 CPU accidentally prevented a crash and saved the day by executing an undefined instruction.[&#8230;]I didn&rsquo;t get very far [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2025-04-18T17:28:40Z","apple_news_api_id":"991ce7d7-b8ac-4105-a334-0b295abeff0e","apple_news_api_modified_at":"2025-04-18T17:28:40Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AmRzn17isQQWjNAspWr7_Dg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[401,770,56,733,30],"class_list":["post-47426","post","type-post","status-publish","format-standard","hentry","category-programming-category","tag-680x0","tag-assembly-language","tag-debugging","tag-emulator","tag-mac"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/47426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=47426"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/47426\/revisions"}],"predecessor-version":[{"id":47427,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/47426\/revisions\/47427"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=47426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=47426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=47426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}