Reverse-engineering plans Message #9 Posted by Eric Smith on 3 Feb 2004, 7:28 p.m., in response to message #8 by Michael F. Coyle
Quote:
Keep up the good work...your posts have been very exciting lately!
I haven't had as much time to work on this stuff over the last week or so, although I did receive the 12C that Nelson Sicuro was kind enough to provide, and I've dumped the ROM from that. It has 6K words, exactly as expected. I'm still looking for a single-board 10C, but I don't know if any were made that way. The two that I've opened are the early construction with the CPU and display module separate from the keyboard. I'd rather not have to peel or cut the ESD tape on the module, and I'm not sure how well I can get logic analyzer clips to stay on the pins of those models. I expect the 10C to have 6K of ROM since that's the amount present in the 1LE2 chip, but since the 10C has less functionality than the 11C, it will probably have a lot of zero words padding it out.
I'm slowly preparing to capture bus traces from second generation calculators (Woodstock, 67, Topcat, and 19C). I'll be starting with an HP-21, since it's the simplest model with the least ROM (1K) and because I have three of them.
Since the 2nd generation models don't have a self-test, and because I don't know the entire instruction set, the plan is to initially try to capture a trace of the bus (ISA, BCD, SYNC) while I put the calculator through its paces by hand. This should capture most of the ROM, but probably not every word.
For instance, I have an experimental version of CASMSIM that lets me track which ROM words are executed while simulating a Classic calc. I did this for the HP-45. With a bit of work, I was able to get it to execute 1534 words of ROM, out of 1536 total words (not counting stopwatch mode, which uses the last 512 words). The remaining two words probably include at least one word used for entry to stopwatch mode, although I haven't gone back and studied the listing to be sure.
For a more complex calculator, particularly a programmable one, it is much more difficult to get a high percentage of ROM coverage. Also, for the 19C, 67, 92, 95C, and 97, there is more than 4K of ROM, so the bank-switching makes things more complicated.
So the real plan is to cut the ISA line from the CPU to the rest of the circuit, feed in my own addresses, and extract every ROM word. However, I'll need to enhance my romsucker hardware design a fair bit to do that. I'll add a microcontroller to it, probably a PIC18F452.
That's all well and good except that I don't want to cut a trace in the HP-95C that I have access to. So I have an even more elaborate plan for that.
The other thing I'll do with the HP-21 is desolder the ROM/Anode driver chip, and build a ROM emulator to use in its place. Possibly the romsucker with microcontroller will be able to do this, just as Diego has done with his CLONIX-41 module. (I should order one of those.) The purpose is that this will make it much easier to finish reverse-engineering the instruction set, since then I can execute arbitrary instruction sequences of my own choosing.
For instance, if I have an instruction whose effects are unknown, I can prepare a test case that initializes all the CPU registers (that I know about) to known values, executes the instruction, does a conditional branch so that I can tell if carry was set, and then dump out all the register contents to see what changed.
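The register-dump comparison described in the last paragraph, as an added Python example that is not part of the original post: the register set (A-F, M at 14 nibbles each), the pointer P, the dump format and the sample dumps are assumptions constructed for illustration, not values captured from a calculator.

```python
"""Compare two CPU register dumps to see what an unknown instruction changed.
Register names, widths and the dump format are assumptions for this example."""
REGISTERS = ("A", "B", "C", "D", "E", "F", "M")
NIBBLES = 14  # 56-bit registers, written most-significant nibble first


def parse_dump(text):
    """Parse 'name value' lines into a dict; register contents stay hex strings."""
    state = {}
    for line in text.strip().splitlines():
        name, value = line.split()
        if name in REGISTERS:
            if len(value) != NIBBLES:
                raise ValueError(f"{name}: expected {NIBBLES} nibbles")
            state[name] = value.upper()
        elif name in ("P", "carry"):
            state[name] = int(value, 16)
        else:
            raise ValueError(f"unknown field {name!r}")
    return state


def diff_state(before, after):
    """Return only what changed: per-register (nibble, old, new) tuples,
    plus (old, new) for P and carry. Nibble 0 is the least significant."""
    changes = {}
    for name in REGISTERS:
        b, a = before[name], after[name]
        nibbles = [(NIBBLES - 1 - i, b[i], a[i])
                   for i in range(NIBBLES) if b[i] != a[i]]
        if nibbles:
            changes[name] = nibbles
    for flag in ("P", "carry"):
        if before[flag] != after[flag]:
            changes[flag] = (before[flag], after[flag])
    return changes


# Constructed dumps: every register preloaded with a known digit pattern, then
# the unknown instruction run once. 'carry' records the outcome of the
# conditional branch placed right after it, since carry is not dumped directly.
BEFORE = "\n".join(f"{r} 01234567890123" for r in REGISTERS) + "\nP 0\ncarry 0"
AFTER = (BEFORE.replace("C 01234567890123", "C 01234567890124")
               .replace("carry 0", "carry 1"))


def demo():
    """Diff the constructed dumps; here only C nibble 0 and carry changed."""
    return diff_state(parse_dump(BEFORE), parse_dump(AFTER))
```

Feeding it two real dumps from the ROM emulator test case would pinpoint which digits of which register an instruction touches, and whether the carry branch was taken.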