One of the coolest things to come along in the 68K Mac homebrew community is the ROM Boot Disk concept. Classic Macs have an unusually large ROM that contains a fair bit of the Mac OS, which was true even in the G3 New World Mac era (it was just on disk), so it’s somewhat surprising that only one Mac officially could boot the Mac OS entirely from ROM, namely the Macintosh Classic (hold down Cmd-Option-X-O to boot from a hidden HFS volume with System 6.0.3). For many Macs that can take a ROM SIMM, you can embed a ROM volume in the Mac ROM that can even be mirrored to a RAM disk. You can even buy them pre-populated. How’s that for immutability?

Well, it turns out Apple themselves were the first ones to implement a flashable Mac OS ROM volume in 1994, but hardly anyone noticed — because it was only ever used publicly in a minority subset of one of the most unusual of the Macintosh-derived systems, the Apple Interactive Television Box (a/k/a AITB or the Apple Set Top Box/STB). And that’s what we’re going to dig into — and reprogram! — today.

The AITB/STB was Apple’s attempt to get into the early set-top box market of the 1990s. The dominance of the Apple TV today is a late phenomenon; Apple was in no position to launch such a product on their own in that era, though with the recent introduction of their QuickTime multimedia framework in 1991, they were a strong candidate for a technology partner. Apple forged an alliance with Oracle and parallel computing vendor nCube (Larry Ellison then being its single biggest stockholder), with Apple developing the front end client box and nCube boxes running Oracle Media Server handling the back end. All of this was to occur using MPEG-1 video with QuickTime as the playback system, specifically selected because of MPEG-1’s bitrate of 1.5Mbit/sec and enough to run over a T1/E1 line. Plus, hardware decoders for the format already existed, meaning the device wouldn’t have to rely on the CPU for smooth playback.

Apple developed the STBs in their Austin, Texas campus. It was based on stripped-down 1993 Quadra 605 hardware with extra silicon for the media features but kept serial, ADB and SCSI connections to allow it to run compatible CD-ROMs, sort of a Pippin before the Pippin, with plans to sell it for $750 [2023 dollars about $1500]. You could even hook up a printer to the serial port, but no storage was onboard: this device was to strictly boot from a central network link — in this case a T1/E1 — or from CD. Units first emerged publicly at the National Association of Broadcasters Show in Las Vegas in April 1995. There were at least two major hardware versions, STB1 and STB3 (no STB2s are known), with the STB3 being the most “common.”

Apple partnered with cable TV companies for content delivery and AITBs were part of at least several trial deployments across the United States and Europe (most notably British Telecom), and Disney even used it briefly in at least one theme park. However, there were concerns about providing enough licensed and on-demand content, and while customers might buy that content, they tended to compensate by cutting subscriptions to the premium channels that the cable companies relied on as a regular income stream. The situation wasn’t much better as a retail product given that home broadband was in its infancy and the product market was already too small for a boutique system. On top of that, the $300,000 [in 2023 over $600,000!] official development system (consisting of an nCube MediaCUBE server, 8 AITBs and 10GB of storage) made the already rarefied product thoroughly unattractive to developers, and with DOCSIS on the horizon wiring up T1 lines everywhere just didn’t seem to pay off. Apple never ended up launching the hardware for retail sale, the existing trials were terminated, and most of the boxes were ultimately recalled and destroyed.

But, like all failed experiments, not all of them disappeared and various units have made their way into the hands of collectors and hackers. Over the years I’ve acquired two STB3 systems myself, one a non-working “production” model and the other a mostly functional DVT prototype. This prototype is not FCC-approved but is fundamentally identical to the “production” M4120 unit, so we’ll be discussing mostly the prototype here since it works and is in much better shape. Here it is:

The STB3 shipped in a fairly dramatic black case with a top lid. It was designed to fit into any typical home entertainment centre and will support the weight of a typical CRT television.

The only front control was a power button. Depending on the installed ROM, the power LED might show any or no colour at all. We’ll talk about that a little later. Under the Apple logo was an IR sensor for which I lack the official remote control. (That’s okay because it turns out we don’t actually need it to hack it.)

The rear ports. Standard, the STB3 came with connectors for power (using a regular LC power supply), SCSI (using the Apple HDI-30 connector), SCART TV and VCR (both blocked), RF in/out from an antenna or cable TV connection, 8P8C network (but not Ethernet: this is for a T1/E1), standard Mac Mini-DIN serial, Mac S-video out, composite video, and stereo phono audio. A rubber grommet covers the Kensington lock slot, which I imagine was used the hotel deployments. On the side, not visible here, is a single ADB port which only officially supports a mouse.

The BT version of these systems (labeled with BT branding as a “Interactive TV System Voyager 2000”) reportedly used an ADSL connection, though I’ve never seen such a unit personally.

But what this unit also has, and most STBs don’t, is a developer video card with a Mac DA-15 connector. Sadly, I’ve never been able to get it to work. More below when we open the case.

On the underside is this disclaimer that the unit is not FCC-approved. This unit is clearly further along than an EVT prototype like our “Shiner ESB” Apple Network Server prototype, but because it’s not FCC approved it’s probably not a PVT, so therefore I’m concluding it’s a DVT like our Macintosh Portable prototype.

Removing the top lid (there’s a screw you may need to remove from the back), we see the video card, the mainboard and the power supply, which is a regular Q605 supply except with a black frame around the power port (the Q605/LC475 supply is in Apple Platinum beige). Although there is a spot where a cooling fan could go, there is neither mounting nor a power connector for one in both my units. The little three solder points next to it are where one can be installed, and some units exist where a fan is present.

The CPU, like the Quadra 605, is a 25MHz 68LC040. Other chips visible here are an Apple 343S0138-A (fabbed by TI) handling the PDS slot, an Apple 34320164-b (VLSI) MEMCjr memory controller, a TI TMXE320AV110 that appears to be an audio DSP, an NCR 53C96 SCSI controller, a Zilog Z8530 SCC for the serial port, and a Philips SAA7188A digital YUV to NTSC/PAL encoder (earlier Philips chips appear in the AV Macs). The RAM and ROM SIMMs are next to that, along with 4MB of RAM soldered to the board.

In front, red lines go to the power switch and LED, blue lines to the IR sensor, and white lines to the side-mounted ADB port.

And inside the front, just next to the red lines, is the board copyright (1995) and number (820-0638-01, which would be a prototype board designation).

The board has a single PDS slot, occupied in the prototype by a video card which connects with a 90-degree adapter. This card is a simple 2D framebuffer with four 256Kx8 VRAMs to equal 1MB on board. Very few of these cards existed and seem to have only been part of developer machines.

The card identifies itself as a Micro Conversions X62SC01 (Revision A), which resembles the Micro Conversions 1724PD graphics card for the LC III and Performa 630. If there existed a driver specifically for this card, it must have been on whatever developer-bootable disk this unit didn’t come with.

Pulling the card out of my working STB was a no-go; it’s pretty much there for keeps (not interested in trying to pry it out lest I damage the card, the board, or both). Instead, we’ll fill in the gap by switching here to the non-working “production” model, which unfortunately was improperly stored and suffered from oxidation damage. The chip with the white sticker is a socketed DIP ROM labeled “A3N(LS) C/SUM 519D8 95@@” which appears in other NTSC STB3s. The MPEG decoder is conveniently marked, a C-Cube Microsystems CL450-P160, the same one Apple used earlier with their MPEG Media System card. Next to that is an Xilinx FPGA that likely serves as support video hardware.

The other marked chip, with green oxidation damage around the pins, is a Brooktree Bt8069 T1 transceiver. Other than the Zilog SCC the Bt8069 is the only networking chip obviously on the board; in particular, no Ethernet chips are visible. If the British Telecom units were truly ADSL, it would have had to have a different chip here or some sort of external transceiver box: even in situations where the T1 line is provisioned over DSL, that’s usually HDSL, and the technologies are otherwise not interchangeable.

This unit is labeled as production and has an FCC ID and clearance sticker identifying it as a model M4120 (but with no formal name). This unit came from my hometown of San Diego County, California, based on the asset tag from The Lightspan Partnership, Inc. Lightspan Partnership, later just Lightspan, was founded in 1993 to develop edutainment software and produced a line of school-oriented Sony PlayStation titles which were sold to districts for classroom use. However, the original concept was to distribute the software via cable television so that students and parents could use it at home. This unit was obviously part of that initial, unrealized initiative. In 2003 Lightspan merged with PLATO Learning, Inc. (now Edmentum), one of the inheritors of the Control Data PLATO legacy, and subsequently ceased to exist.

But despite being labeled as a production, FCC-certified unit, it still has the same prototype motherboard code as the DVT unit.

Let’s go back to the RAM and ROM for a second. There is a RAM slot here and you can put extra RAM into it, same as you would with a regular Q605, but the ROM’s the more interesting part.

No, I’m not talking about these green mask ROMs that most owners of an STB3 have:

If you dump one (I have two which are the same), you’ll get a ROM checksum (

$ff7439ee

, SHA-1

1d833125adf553a50f5994746c2c01aa5a1dbbf2

) exactly identical to the Quadra 605, which isn’t surprising because the STB is derived from it. With a Q605 ROM installed, these units won’t display a picture but they will let you boot over SCSI. Add something like Farallon/Netopia Timbuktu and a LocalTalk connection and you can remotely use one over the network from another classic Mac. Not too useful, but hey, they’re stylish and rare, and it’s great fun at parties (I’m told, I’m never invited to those sorts of parties).

Unfortunately, my unit, though it would initially boot from a BlueSCSI, one day suddenly decided it wouldn’t. I’ve never been able to get it to boot from any SCSI device since, no matter what keys are held down, Option, Cmd-Option-Shift-Delete, dead chicken burnt offering, nothing. The unit otherwise works normally which leads me to suspect a fuse somewhere and/or the SCSI controller. (Don’t kneejerk and say bad caps. I will hurt you.)

That brings us to this ROM.

This red ROM stick, labeled AP1654-01, has four 256K flash chips front and back to equal 2MB. Notice the silkscreened name “RLC FLASH SIMM.” These appear to have been made initially for the RISC LC, the famous and heavily modified LC-based development prototype that emulated a 68K Mac with full compatibility and became the direct ancestor of the Power Macintosh.

There are many versions of this ROM, and this one is not labeled like most of the others in that linked image. However, I have no reason to suspect this particular one behaves much differently from the others.

The red ROM’s biggest difference from the green ROM in that the TV outputs are enabled. When you switch on (with the back power switch) an STB3 with the red ROM, after a pause of a few seconds the LED over the power button lights red, and then shortly after yellow. In the Setup Guide, this indicates POST, followed by standby. This is very different from units with a Q605 ROM in which the LED never lights and the machine instead starts from the ADB power key, like any other Mac of this era would normally.

Pressing the power button when the LED is yellow turns the LED green and this image appears on a connected composite or S-video display, captured on my INOGENI box:

But, invariably, 30 seconds-ish later, you get this:

indicating an expected response from the server never arrived. I don’t know what the green button on the remote does (the manual simply says to “see the interactive service provider’s instructions” for the four colour buttons). I connected speakers to the audio out but the unit makes no sound.

I don’t know which human-readable version of the ROM this is, but we can dump it:

The best tool for this purpose is of course Doug Brown’s flash SIMM programmer, which can both read these ROM SIMMs (used in many 68K Macs) and write to replacement flash ROM sticks. The 2MB dump we get has a checksum of

$b7025504

(the first four bytes as a 32-bit big-endian unsigned integer), a version word of

$077d

(i.e., 1917, bytes eight and nine as a 16-bit big-endian unsigned short), and a SHA-1 of

911eaafc5ccfe6823a7be61d44aaf0a63d081118

. What we’re going to do with this dump is based on this particular ROM version. The rest of this article may or may not fully apply to other versions and of course you follow along with your real device at your own risk.

The first step with any dump is see what binwalk makes of it, and other than copyright messages, it finds a couple surprising things are present. Nine, to be exact.

% binwalk RED.rom

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
941976        0xE5F98         Copyright string: "Copyright C-Cube Microsystems 1992"
1090813       0x10A4FD        Copyright string: "Copyright 1990-91 Apple Computer Inc. Copyright 1981 Linotype AG Copyright 1990-91 Type Solutions Inc.1.0"
1090851       0x10A523        Copyright string: "Copyright 1981 Linotype AG Copyright 1990-91 Type Solutions Inc.1.0"
1090878       0x10A53E        Copyright string: "Copyright 1990-91 Type Solutions Inc.1.0"
1844352       0x1C2480        JPEG image data, JFIF standard 1.01
1846358       0x1C2C56        JPEG image data, JFIF standard 1.01
1848250       0x1C33BA        JPEG image data, JFIF standard 1.01
1849933       0x1C3A4D        JPEG image data, JFIF standard 1.01
1851587       0x1C40C3        JPEG image data, JFIF standard 1.01
1853288       0x1C4768        JPEG image data, JFIF standard 1.01
1855867       0x1C517B        JPEG image data, JFIF standard 1.01
1857571       0x1C5823        JPEG image data, JFIF standard 1.01
1859146       0x1C5E4A        JPEG image data, JFIF standard 1.01
1871674       0x1C8F3A        Copyright string: "Copyright 1987-1991"

The copyrights reference fonts, but also C-Cube, the manufacturer of the MPEG decoder. It also finds nine JPEG images:

These are obviously pictures of the development team. Do you recognize any of them? Are you any of them?

Naturally, with nine pictures, you know what we have to do.

More relevantly, though, now that we have a ROM dump we’ve just got to hack it. Since it’s displaying a message, let’s see if we can modify the message as a small proof of concept.

strings

, that always useful tool, shows that the “Sorry!” message appears in two places. Modifying the first one is sufficient:

This will change the checksum of the ROM, which is computed as the sum of all the 16-bit big endian shorts from byte 4 onward and truncated to 32 bits. The tools I wrote up to handle all this are in this Github project. Use

checksum.pl

to recompute the ROM checksum and then use the hex editor to edit the first four bytes to match.

Then get yourself a couple 2MB flash ROMs SIMMs. They must be exactly 2MB in size; larger ROMs won’t work even if you “echo” the bytes. I used the 2MB ROM-inator II from Big Mess O’Wires but CayMac’s 2MB ROM should also do the job; CayMac also sells new SIMM programmers (I am not affiliated with BMOW or CayMac).

Burn the ROM in your programmer using the SIMM programmer tool, make sure your STB3 is off, and install it in the ROM SIMM slot near the RAM slot. On the programmer, the SIMM skull and crossbones should face the skull and crossbones on the circuitboard; on the STB, the SIMM skull and crossbones should face the RAM. Connect up some sort of composite monitor and switch it on.

Our plea for help duly appears. This simple demonstration proves that the only thing we need to do to modify the ROM is update the checksum; nothing else on the board appears to check it. It’s now time to figure out what’s there and how it’s organized.

Many Apple ROMs are segmented into discrete resources, which are functionally equivalent with on-disk HFS resources attached to files, and can be accessed from the Toolbox in the same fashion. For example, here’s the header of the (unused, disabled and not implemented) .netBOOT driver resource in the green Quadra 605 ROM:

00051c80  18 00 00 00 00 00 00 00  00 0e dc 70 00 05 1c b0  |...........p....|
00051c90  44 52 56 52 00 31 58 08  2e 6e 65 74 42 4f 4f 54  |DRVR.1X..netBOOT|
00051ca0  00 00 00 00 c0 a0 00 00  00 00 08 80 00 00 03 04  |................|

We can scan the red ROM dump for similar resource headers. Starting at offset $0000, the first big-endian 32-bit word is always the ROM checksum and the second is the starting address for the boot code (technically the first sets the stack pointer, but the ROM glosses over this). We page through opaque binary data awhile until we start seeing structured patterns every so often. The first one of these patterns we get to is this.

000ac210  78 00 00 00 00 00 00 00  00 00 00 00 00 0a b3 70  |x..............p|
000ac220  62 6f 6f 74 00 03 58 04  4d 61 69 6e 6b 63 6b 63  |boot..X.Mainkckc|
000ac230  4b 75 72 74 c0 a0 00 00  00 00 07 6a 00 00 00 64  |Kurt.......j...d|

This is our first ROM resource, boot#3, named MainkckcKurt (much like the string Gary, presumably Gary Davidian, shows up a lot in Mac ROMs, the name Kurt is all over this one — from the “kc” bit I’m guessing Kurt Clark, who was an Apple senior firmware and system software engineer at the time of the AITB’s development). The hex byte 78 indicates an enabled, live resource.

The ROM resources in the red ROM are stored somewhat back to front with the “header” actually serving as a footer; the resource runs from the fourth word (here $000ab370) to the beginning of the footer. How do we know it’s laid out like that? Because of what we find a little later on:

000ac980  70 73 6c 74 00 14 70 73  6c 74 00 1a 73 6e 64 20  |pslt..pslt..snd |
000ac990  00 01 77 65 64 67 e9 81  77 65 64 67 e9 80 6b 63  |..wedg..wedg..kc|
000ac9a0  78 00 00 00 00 00 00 00  00 0a c2 10 00 0a c2 40  |x..............@|
000ac9b0  72 6f 76 6d 00 00 58 00  6b 63 6b 63 6b 63 6b 63  |rovm..X.kckckckc|
000ac9c0  4b 75 72 74 c0 a0 00 00  00 08 70 0c 00 00 00 6c  |Kurt......p....l|
000ac9d0  4c 4b 60 00 00 86 44 18  00 00 06 53 79 73 74 65  |LK`...D....Syste|
000ac9e0  6d 00 00 00 00 00 00 00  00 00 06 46 69 6e 64 65  |m..........Finde|
000ac9f0  72 00 00 00 00 00 00 00  00 00 07 4d 61 63 73 42  |r..........MacsB|
000aca00  75 67 00 00 00 00 00 00  00 00 0c 44 69 73 61 73  |ug.........Disas|
000aca10  73 65 6d 62 6c 65 72 00  00 00 0d 53 74 61 72 74  |sembler....Start|
000aca20  55 70 53 63 72 65 65 6e  00 00 06 46 69 6e 64 65  |UpScreen...Finde|
000aca30  72 00 00 00 00 00 00 00  00 00 09 43 6c 69 70 62  |r..........Clipb|
000aca40  6f 61 72 64 00 00 00 00  00 00 00 0a 00 14 00 00  |oard............|

The characters LK herald HFS boot blocks. Yes, friends, there’s an embedded disk image here, and it’s doubtful the resource code rovm is used to reference it.

There are many fun strings in that disk image:

000af1d0  46 72 65 64 54 56 aa 0d  0d 42 72 6f 75 67 68 74  |FredTV...Brought|
000af1e0  20 74 6f 20 79 6f 75 20  62 79 20 46 72 65 64 20  | to you by Fred |
000af1f0  48 75 78 68 61 6d 20 61  6e 64 20 46 72 65 64 20  |Huxham and Fred |
000af200  4d 6f 6e 72 6f 65 2e 0d  0d a9 20 41 70 70 6c 65  |Monroe.... Apple|
000af210  20 43 6f 6d 70 75 74 65  72 2c 20 49 6e 63 2e 20  | Computer, Inc. |
000af220  31 39 39 33 0d 41 6c 6c  20 52 69 67 68 74 73 20  |1993.All Rights |
000af230  52 65 73 65 72 76 65 64  2e 0d 81 e2 20 30 01 60  |Reserved.... 0.`|

Although it was known that the AITB ROM had portions of System 7.1, this red ROM actually seems to contain an entire, self-contained, miniature bootable image. There’s no reason to have the string Welcome to Macintosh. unless a working System file were part of it:

000b2930  1a 00 6c 00 c0 57 65 6c  63 6f 6d 65 20 74 6f 20  |..l..Welcome to |
000b2940  4d 61 63 69 6e 74 6f 73  68 2e 00 b1 7a 00 18 00  |Macintosh...z...|
000b2950  7e 00 c0 44 65 62 75 67  67 65 72 20 69 6e 73 74  |~..Debugger inst|
000b2960  61 6c 6c 65 64 2e 00 b1  77 00 14 00 7e 00 c0 45  |alled...w...~..E|
000b2970  78 74 65 6e 73 69 6f 6e  73 20 6f 66 66 2e 00 b1  |xtensions off...|
000b2980  79 00 ca 00 5e 00 72 54  68 69 73 20 73 74 61 72  |y...^.rThis star|
000b2990  74 75 70 20 64 69 73 6b  20 77 69 6c 6c 20 6e 6f  |tup disk will no|
000b29a0  74 20 77 6f 72 6b 20 6f  6e 20 74 68 69 73 20 4d  |t work on this M|
000b29b0  61 63 69 6e 74 6f 73 68  2f 6d 6f 64 65 6c 2e 20  |acintosh/model. |
[...]
000b3e50  6d 21 40 2d 04 42 af 06  04 00 00 00 55 54 4d 61  |m!@-.B......UTMa|
000b3e60  63 69 6e 74 6f 73 68 20  53 79 73 74 65 6d 20 76  |cintosh System v|
000b3e70  65 72 73 69 6f 6e 20 37  2e 31 0d 0d 0d a9 20 41  |ersion 7.1.... A|
000b3e80  70 70 6c 65 20 43 6f 6d  70 75 74 65 72 2c 20 49  |pple Computer, I|
000b3e90  6e 63 2e 20 31 39 38 33  2d 31 39 39 32 0d 41 6c  |nc. 1983-1992.Al|
000b3ea0  6c 20 72 69 67 68 74 73  20 72 65 73 65 72 76 65  |l rights reserve|
000b3eb0  64 2e 00 00 01 f5 a8 9f  65 72 00 12 09 01 00 00  |d.......er......|

Eventually we come to its footer, which now enables us to extract it.

001339d0  78 00 00 00 00 00 00 00  00 0a c9 a0 00 0a c9 d0  |x...............|
001339e0  64 69 73 6b 00 00 58 00  6b 63 6b 63 6b 63 6b 63  |disk..X.kckckckc|
001339f0  4b 75 72 74 c0 a0 00 00  00 00 07 50 00 00 00 74  |Kurt.......P...t|

It’s a disk, resource #0. That sounds more likely as a type code. If you look at the third and fourth 32-bit words (big-endian, again, as G-d intended), you’ll find it links back to the last footer at $000ac9a0 (the rovm resource), allowing us to scan the file by walking back references, and the address $000ac9d0 is where we found the boot block, so that must be the starting address for this resource. That means disk#0 occupies $000ac9d0 to the beginning of the footer at $001339d0.

If this is a bootable Mac OS System 7 image, it should act like it. And, to my delight, it does. The manual says nothing about connecting an ADB keyboard to it, only a mouse, but ADB keyboards work fine. If you hold down the SHIFT key while turning the rear power switch on and waiting for it to turn yellow, you’ll lose the Apple background when you power on from the front, exactly as if an extension didn’t load.

This behaviour suggests that when you first turn it on, it’s doing its memory test and POST, then turns on the red LED while searching for and booting the minimal Mac OS, then turns on the yellow LED when, I guess, the “Finder” (such as it is) is ready to find its mothership.

Other typical Mac key combinations work, too. Pressing Command-Q will reset the machine when the timeout error message appears, as if quitting any other app. If you press Command-Option-Escape in an attempt to kill the task, you’ll reset it also, or Command-Power, though possibly only at the point the timeout error message is present — one suspects this front-end program doesn’t call WaitNextEvent very much. (In fact, it turns out it doesn’t by the point, but that’s a spoiler from near the end of this article.) It seems virtually anything that would cause a quit or system error (or any system dialogue box) will immediately force a restart. Incidentally, there is no startup chime or system beep, though there does appear to be a System Beep resource (snd #1).

Can the STB3 red ROM boot from anything e