Message #1 Posted by Eric Smith on 23 Jan 2004, 3:41 a.m.
In 1995 I wrote microcode-level simulators for the HP-45 and -55 (CASMSIM) and the HP-41C (NSIM). Recently I dusted off CASMSIM and resumed development. Part of the plan is to support more models in a unified simulator. For that, I'll need ROMs. Back in 1997 or so I tried dumping some ROMs but had a lot of trouble and set it aside.
I finally started working on dumping ROMs again. I cobbled together an interface to let me capture the calculator bus signals using an LTC1045 hex level translator chip and a DLP-USB245M parallel-to-USB converter module (based on the FTDI FT245BM chip).
The level translator will be necessary for the older calculators that use PMOS levels (-10 to +6V clock, ground to +6V data).
I'm using the USB chip for input only. It takes eight data bits and a strobe. I've wired the phase 2 clock to the strobe, and the SYNC and ISA signals to two of the data pins. I wired up the top three bits as "010" so that the samples are printable characters for convenience. Then it should only take "cat </dev/ttyUSB0 >foo.log" to capture a trace.
I couldn't get it to work until I ran it as root. Strange, because I'd actually set the permissions on /dev/ttyUSB0 to 666.
I hooked the hardware up to an HP-11C. By putting the calculator into self-test mode, it checks its ROM and RAM. From the trace, I was able to extra the ROM contents, 6K words of 10 bits each.
With a little bit of hacking, it should be possible to get the 11C running in my old NSIM simulator. But rather than mess around with that, I'm going to try to add the Nut architecture to CASMSIM.
I took some photos of the ROM dumping apparatus:
Now that I know the hardware works, I'll dump the rest of the Voyager series the Spice/Spike series. These all have the self-test, so capturing the ROM image will be easy. The first and second generations do not have a self-test, so dumping those is much more difficult.
When I use this on 2nd and 3rd generation calculators, I'll have to hook up a few more of the internal signals, because I'll need detailed traces in order to reverse-engineer the processor architecture.