(This is a guest post by Antoni Sawicki aka Tenox)
This is a Virtualization Challenge. A competition to virtualize an OS inside emulator/hypervisor. (Previously 1 / 2 / 3)
This time the object of the competition is QNX version 1.2. A demo disk is covered here. This is the set of floppy disks:

As you can see, the boot disk is copy-protected. For that reason I have imaged these disks using both KryoFlux and SuperCard Pro. The magnetic flux stream images are available here. For verification I have converted the raw stream of the demo disk into a sector image using the HFE tool. The converted disk boots and works correctly in an emulator. The demo disk can also help with analyzing the boot process, since it’s known to work.
The contest is to virtualize the OS, install it and provide a fully working hard disk image with the OS installed. Any emulator of your choice or method is acceptable as long as anyone can download and run it. The prize is $100 via PayPal and of course the fame! 🙂 The winner will be whoever comments the article first with a verifiable working solution.
A bonus $50 prize will be awarded if you can patch the boot floppy disk so that it can be installed as if the copy protection was never there.
Good luck!!!
It looks like the copy protection is on track 39 side 1, which is just garbage according to hxc in your KryoFlux dump. I wonder whether the track was formatted as part of the install to hide the protection or whether there is really something there that hxc can’t understand. Anyway, the boot process tries to read sector 0x51 from that track.
https://imgur.com/6yb1Ei1
Just had to convert qnx12_boot.img to imd and set the sector number of track 39 head 1 sector 9 to 0x51. Maybe there’s more, but at least it boots (in mame, but I’m sure it’ll get that far with anything).
Wow that’s big! Awesome work. That’s practically winning the contest. Can you send me the patched boot image? I will try to install it fully on something like PCem or 86box.
https://drive.google.com/file/d/1xnB7x_GiMwAdkwRSxU9fTcFCsvb4oxL5/view?usp=sharing
Sorry, total newbie here. What machine did you use on MAME to boot the .imd file? I tried Toshiba 1000 and IBM 5170 and they just don’t boot, the screen just waits for some kind of input.
And how can I get the imd back to raw? I tried samdisk and libdsk on Windows and they don’t seem to do the trick.
The serial mouse needs to be removed from the com port otherwise the boot fails.
Converting it back to raw won’t work because a raw image doesn’t save the sector numbers.
Try ibm5150. It takes a long time to post, well because these machines took a long time to post. Eventually it will beep.
Thanks!
Yw.
/chdman createhd --compression none --output xt-qnx12.chd -chs 306,4,17
Will create an Empty XT Type 3 hard disk.
Type of drive will have to be set to 3 in the dip switches menu.
Hey I sent you an email but you never replied. Whats the best way to contact u?
I sent you an email and hopped on discord.
hey how can I get in touch with you, I sent you emails, do you have discord by any chance?
The protection can be bypassed by modifying qnx12_boot.img in a hex editor.
Patch byte at 0x004a5a9, change from 0x74 to 0xEB
0x74 is a JZ instruction
0xEB is an unconditional JMP.
This worked for me in pcjs. I used the debugger there to come up with the patch.
Booting in pcjs debugger.
https://imgur.com/a/bumZRGg
Wow amazing job!
Booting the patched boot disk in pcjs.
https://imgur.com/a/o8NsJNY
Doesn’t look like there is a boot loader for hard disks, so someone will have to write their own. Probably they could patch the floppy boot loader.
It is possible to mount a 10MB XT Hard disk and backup the files.
Probably part of their insane copy protection
I honestly think they didn’t implement Hard Disk booting until 2.2
Or you needed to return your registration card, login to the BBS and pull it down from there.
Running mount shows 1:/ is only using 528 blocks. Typically 360KB floppy is 720 512k blocks.
The “kernel” appears to start at CHS 29:0:1 (522 LBA, 0x41400) and end at CHS 39:1:1, (711 LBA, 0x58E00)
The “kernel” ends up being loaded at 0060:0000 by the bootloader.
The bootloader jumps into the kernel at: 0070:0080.
Not mount sorry, query 1
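The two mechanical steps the thread describes, the CHS-to-LBA arithmetic behind the kernel offsets quoted above and the single-byte JZ-to-JMP patch, as an added example that is not code from the post or its commenters. It assumes a raw 360 KB sector image with the standard 40 cylinder / 2 head / 9 sector geometry (consistent with the LBA values quoted) and operates on a constructed stand-in buffer, not the real floppy image.

```python
# Added example, not from the original post. Works on a raw 360 KB sector
# image (not IMD/flux), geometry assumed 40 cylinders, 2 heads, 9 sectors.
SECTOR_SIZE = 512
GEOMETRY_360K = (40, 2, 9)                      # cylinders, heads, sectors/track
IMAGE_SIZE_360K = 40 * 2 * 9 * SECTOR_SIZE      # 368640 bytes

PATCH_OFFSET = 0x4A5A9   # offset quoted in the thread for qnx12_boot.img
JZ_OPCODE = 0x74         # original byte: JZ rel8
JMP_OPCODE = 0xEB        # replacement: JMP rel8 (unconditional)


def chs_to_lba(c: int, h: int, s: int, geometry=GEOMETRY_360K) -> int:
    """Cylinder/head (0-based) and sector (1-based) to a 0-based LBA."""
    cyls, heads, spt = geometry
    if not (0 <= c < cyls and 0 <= h < heads and 1 <= s <= spt):
        raise ValueError(f"CHS {c}:{h}:{s} is outside geometry {geometry}")
    return (c * heads + h) * spt + (s - 1)


def chs_to_offset(c: int, h: int, s: int) -> int:
    """Byte offset of the first byte of the given sector in the image."""
    return chs_to_lba(c, h, s) * SECTOR_SIZE


def extract_region(image: bytes, start_chs, end_chs) -> bytes:
    """Bytes from start_chs up to (not including) end_chs, e.g. the
    'kernel' at 29:0:1 .. 39:1:1. The thread does not say whether the end
    sector is inclusive; add one sector to the end if it turns out to be."""
    start, end = chs_to_offset(*start_chs), chs_to_offset(*end_chs)
    if start >= end or end > len(image):
        raise ValueError("region outside image or reversed")
    return image[start:end]


def patch_jz_to_jmp(image: bytes, offset: int = PATCH_OFFSET) -> bytes:
    """Return a copy with the JZ at `offset` turned into a JMP. Refuses to
    touch an image of the wrong size or one where the byte is not 0x74,
    so a wrong file or an already-patched image is not silently damaged."""
    if len(image) != IMAGE_SIZE_360K:
        raise ValueError(f"expected a 360 KB raw image, got {len(image)} bytes")
    if image[offset] != JZ_OPCODE:
        raise ValueError(f"byte at {offset:#x} is {image[offset]:#04x}, not JZ")
    out = bytearray(image)
    out[offset] = JMP_OPCODE
    return bytes(out)


def constructed_image() -> bytes:
    """Constructed stand-in for qnx12_boot.img: zeros, with a JZ planted at
    the patch offset so the helper above can be exercised offline."""
    buf = bytearray(IMAGE_SIZE_360K)
    buf[PATCH_OFFSET] = JZ_OPCODE
    return bytes(buf)
```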
Can’t post the instructions here for whatever reason. WordPress doesn’t like slashes.
https://pastebin.com/rUXS4M6w
It is possible to mount a 10MB XT Hard disk and backup the files.
mount disk 3 /config/xt
fdisk 3
Make a partition in slot 1. Change, set OS of type 7 (QNX), start cylinder 0, end cylinder 305. Mark boot if you want. Save. Quit.
Remount disk 3
mount disk 3 /config/xt pa=qnx
Init the disk
dinit 3 +hard
Put the boot disk in A:
backup 1:/ 3:/
Put the utils disk in B:
backup 2:/ 3:/
Then for the rest of the disks, put them in B:, and run
backup 2:/ 3:/
Tell QNX to use the search path of the HD, instead of floppies.
Search 3
Made a little progress, was able to dump the kernel off the floppy to a file.
Was then able to use a slightly newer version to write the loader to the hard drive.
I can now boot the kernel off the hard drive. Unfortunately it busy loops until a floppy is installed and loads the root file system from there.
A couple comments.
The boot file is not just the kernel. It also has imaged into it a few QNX tasks. This includes the file system task, the device task, and in later versions the network task. The file system task will either use (mount) the floppy driver if it was booted off of a floppy, or a hard disk driver if it was booted off of a hard drive and the driver image is found in /config/hd???. After the kernel starts up and gets these tasks running, there is some mechanism that tries to execute the shell “sh” on a file in /config with a prefix like “sysinit”. I could look it up but I forget the exact name. The prefix can end with nothing, a .0 or .# indicating a node number, not something you need to worry about without a network card installed.
If the system doesn’t have an accessible drive, or the drive doesn’t have login, you can type CTRL-Z into the console and the device task will search for /cmds/login. If you are booting off of a real floppy and the boot diskette doesn’t have /cmds/login, you can see the floppy light come on looking for it. You could replace the floppy with a diskette with /cmds/login and try again and it will work. When you put in a login userid or userid/password if needed, the program /cmds/sh will be started and you will have a shell.
I’m not sure, but you might be able to put /cmds/sh at the end of the startup shell.