Topic: Old school 8080 EPROM disassembly - is it making sense?

abyrvalg
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #25 on: February 09, 2021, 11:05:46 am »
Ignoring branch outside ROM to 40D8 at address 25A2
Ignoring branch outside ROM to 40E9 at address 25B9
Ignoring branch outside ROM to 40CB at address 2555

The code at 40CB-40F9 is copied from 2309 (copy done by code at 00F8-0103)
 
The following users thanked this post: SilverSolder

SilverSolder (Topic starter)
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #26 on: February 09, 2021, 04:15:08 pm »
Attached disassembly listing from the Ghidra tool.

I still can't get over how comprehensive it is.  It knew about the reset jump table without being told, too.



We know that the absolutely first thing this instrument does when it starts, is

1) Somehow it figures out which hardware it is running in - this code is used in two different models of the instrument

2) Depending on what hardware was identified, it will display one of the two strings below in the LED display (ignore spaces in front):
       HI - 5.0.6
       HI - 6.0.7


It is not immediately obvious to me how the 8080 gets input from the outside world to help identify the hardware....

« Last Edit: February 09, 2021, 04:25:09 pm by SilverSolder »
 

m k
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #27 on: February 10, 2021, 04:11:05 pm »
It can use I/O channel or direct memory style, where peripheral is just a part of RAM.
Activation can be polled or from other direction by interrupts.

Start of your code is
Code: [Select]
        ram:0000 26 c0           LD         H,0xc0
        ram:0002 36 ff           LD         (HL),0xff
        ram:0004 c3 db 02        JP         LAB_ram_02db
Mnemonics are different if you read Intel manuals, there this LD opcode is MVI and (HL) is M.

The code says: put 0xff to address 0xc0**.
So it doesn't care what is in the L-part of HL.
It can be a peripheral decoder, where high side of address is pulling pins down and then selecting something.

Code continues
Code: [Select]
        ram:02db 3e ff           LD         A,0xff
        ram:02dd 26 e0           LD         H,0xe0
                             LAB_ram_02df                                    XREF[1]:     ram:02e1(j) 
        ram:02df 77              LD         (HL),A
        ram:02e0 24              INC        H
        ram:02e1 c2 df 02        JP         NZ,LAB_ram_02df
        ram:02e4 11 2c 45        LD         DE,0x452c
                             LAB_ram_02e7                                    XREF[1]:     ram:02ea(j) 
        ram:02e7 7a              LD         A,D
        ram:02e8 b3              OR         E
        ram:02e9 1b              DEC        DE
        ram:02ea c2 e7 02        JP         NZ,LAB_ram_02e7
        ram:02ed c3 38 00        JP         RST7                                             undefined RST7()

Now H is 0xe0 and L is ignored again.
Here 0xff is put to 0xe0**-0xff**.
Then there is a delay, keep in mind that there DE has endians sort of mixed.
Finally jump to 0x0038, from where the sort of a warm startup begins.

Code: [Select]
        ram:0038 d3 00           OUT        (0x0),A
        ram:003a f3              DI
        ram:003b 31 00 48        LD         SP,0x4800
        ram:003e cd 91 00        CALL       FUN_ram_0091                                     undefined FUN_ram_0091()
        ram:0041 af              XOR        A
        ram:0042 32 fd 41        LD         (DAT_ram_41fd),A

There A is put out to I/O port 0x0 and then interrupts are disabled.
Register A is again whatever it happens to be so it must be a result from the earlier delay.

Next stack pointer is initialized and so normal operation is pretty much ready to go.
(CALL has a rational place to put its return address)
Advance-Aneng-Appa-AVO-Beckman-Data Tech-Fluke-General Radio-H. W. Sullivan-Heathkit-HP-Kaise-Kyoritsu-Leeds & Northrup-Mastech-REO-Simpson-Sinclair-Tektronix-Tokyo Rikosha-Triplett-YFE
(plus lesser brands from the work shop of the world)
 
The following users thanked this post: SilverSolder
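
Added example (not part of m k's post and not code from the instrument or from Ghidra): a minimal 8080 interpreter covering only the opcodes on the reset path quoted above, run over the bytes from that listing. It records the writes to 0xC0xx and 0xE0xx-0xFFxx, counts the delay loop, and shows what A holds when OUT (0x0),A executes; the initial value of L and the per-instruction T-state counts (8080, not 8085) are assumptions of the example.

```python
# Added example: trace the reset path from the Ghidra listing with a tiny 8080 interpreter.
# ROM bytes are copied from the listing in this thread; the initial L value is an assumption.

ROM = {}


def load(addr, hexbytes):
    """Place a run of bytes from the listing at its ROM address."""
    for i, b in enumerate(bytes.fromhex(hexbytes)):
        ROM[addr + i] = b


load(0x0000, "26 c0 36 ff c3 db 02")
load(0x02DB, "3e ff 26 e0 77 24 c2 df 02 11 2c 45 7a b3 1b c2 e7 02 c3 38 00")
load(0x0038, "d3 00 f3")

# opcode -> (Intel mnemonic, length in bytes, T-states on an 8080)
OPS = {
    0x26: ("MVI H,d8", 2, 7),  0x3E: ("MVI A,d8", 2, 7),
    0x36: ("MVI M,d8", 2, 10), 0x77: ("MOV M,A", 1, 7),
    0x24: ("INR H", 1, 5),     0x11: ("LXI D,d16", 3, 10),
    0x7A: ("MOV A,D", 1, 5),   0xB3: ("ORA E", 1, 4),
    0x1B: ("DCX D", 1, 5),     0xC3: ("JMP a16", 3, 10),
    0xC2: ("JNZ a16", 3, 10),  0xD3: ("OUT d8", 2, 10),
    0xF3: ("DI", 1, 4),
}

DELAY_LOOP = range(0x02E7, 0x02ED)   # MOV A,D / ORA E / DCX D / JNZ 02E7


def trace_reset(initial_l=0x00, max_steps=200_000):
    """Run from 0000 until DI at 003A and return what the code did on the bus."""
    a = h = d = e = 0
    l = initial_l & 0xFF              # L is never loaded by this code
    zero = False                      # only the Z flag matters on this path
    pc = 0
    writes, outs = [], []
    delay_iters = delay_states = 0

    for _ in range(max_steps):
        op = ROM.get(pc)
        if op not in OPS:
            raise ValueError(f"no handler for byte at {pc:04X}")
        _, length, states = OPS[op]
        imm = ROM.get(pc + 1, 0)
        addr16 = imm | ROM.get(pc + 2, 0) << 8
        if pc in DELAY_LOOP:
            delay_states += states
        next_pc = pc + length

        if op == 0x26:
            h = imm
        elif op == 0x3E:
            a = imm
        elif op == 0x36:                          # write immediate to (HL)
            writes.append(((h << 8) | l, imm))
        elif op == 0x77:                          # write A to (HL)
            writes.append(((h << 8) | l, a))
        elif op == 0x24:                          # INR sets Z, leaves carry alone
            h = (h + 1) & 0xFF
            zero = h == 0
        elif op == 0x11:                          # little-endian: E first, then D
            e, d = imm, ROM.get(pc + 2, 0)
        elif op == 0x7A:
            a = d
        elif op == 0xB3:
            a |= e
            zero = a == 0
        elif op == 0x1B:                          # DCX changes no flags
            de = ((d << 8) | e) - 1 & 0xFFFF
            d, e = de >> 8, de & 0xFF
        elif op == 0xC3:
            next_pc = addr16
        elif op == 0xC2:
            if pc == 0x02EA:
                delay_iters += 1
            if not zero:
                next_pc = addr16
        elif op == 0xD3:
            outs.append((imm, a))
        elif op == 0xF3:                          # DI at 003A: end of the traced path
            return {"writes": writes, "outs": outs, "delay_iters": delay_iters,
                    "delay_states": delay_states, "de": (d << 8) | e, "a": a}
        pc = next_pc
    raise RuntimeError("step limit reached before DI")


if __name__ == "__main__":
    r = trace_reset()
    print(f"{len(r['writes'])} memory writes, first {r['writes'][0][0]:04X}, "
          f"last {r['writes'][-1][0]:04X}")
    print(f"delay loop: {r['delay_iters']} passes, {r['delay_states']} T-states")
    print("OUT writes:", [(f"{p:02X}", f"{v:02X}") for p, v in r["outs"]])
```

The delay loop tests DE before decrementing it, so it exits with A = 0x00 and DE = 0xFFFF, and that zero is the value sent to port 0x0 at 0038.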

SilverSolder (Topic starter)
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #28 on: February 11, 2021, 03:21:25 am »
Very interesting,

Looking at how the instrument boots, the entire sequence is:

- Figure out what it is (out of two possible models)
- Displays "HI - 5.0.6"  or "HI - 6.0.7" to show the version number of the firmware to the world
- Short delay of about a second,
- Then it scans all installed options,
- Displays the one digit ID number of all the options across the digits of the display, leaving blanks where the option is not installed
- Another short delay of about a second,
- Finally start the main loop of the code


Are you saying the first point where the code learns something about the outside world is already at 0002, when it writes to some "magic address" that may trigger an interrupt?


 

Roman oh
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #29 on: February 11, 2021, 09:28:31 am »
Hi, guys.
I just came across this thread today.

Background - I'm retired now, but cut my teeth in Intel 4004, then 8080 and 8085. I've written more lines of 8080/8085 assembler than I've had hot lunches, and fielded a number of hardware devices with 8080 and (more so) 8085 controllers. But that was all a long time ago.
By coincidence, as owner of two 8506's and one 8502 (and never ceasing to be amazed at how precise they are (accuracy is another matter)) I started exactly this exercise on my own about 3 weeks ago, working with 6.0.6. I was thinking that maybe I could hack the IEEE488 code to make it more tractable in my environment.  I started at the beginning (location 0) and tried to follow the threads, working with the schematics. I did work out the following, from looking at the schematics. But it may or may not be correct, because the deeper I went, the less it all made sense.

For what it's worth:
- code starts executing at RST0 (address 0000), of course. Does what looks like a quick hardware reset and then jumps (via a short delay at 0x02d6 in my version (0x02db in 6.0.7)) to 0x0038 where there are calls to a list of subroutines, the first few of which appear to do housekeeping like clearing RAM, presetting some code in RAM areas that it uses, and then a loop starting at 0x004b down to 0x0079 which forms the main instrument foreground loop.
Then:
-RST1 (0x0008) looks like the entry point for the 400Hz (480Hz in the 60Hz world) interrupt
-RST2 (0x0010) looks like the entry point for interrupts from the parallel interface
-RST3 (0x0018) looks like the entry point for interrupts from the bit serial interface
-RST4 (0x0020) looks like the entry point for interrupts from the IEEE488 interface
-RST5 (0x0028) , despite having code at that point, does not appear to be capable of activation by the hardware
-RST6 (0x0030) looks like an entry for ACK timeouts. Whenever the CPU addresses a piece of hardware (other than the controller itself), it suspends the CPU until the offboard card raises an Acknowledge response. But it only waits for a short time, and if no ACK is received, this interrupt terminates the WAIT period and then the CPU.....does....something
-RST7 (0x0038) isn't used as an interrupt entry, but is the start of the main code, as described earlier.

And yes, some code executes from RAM, and a number of IO statements are not completely obvious from looking at the schematics, and after a couple of days of treating this like an interesting jigsaw puzzle, I went off to do other things. (Probably easier to fix my 488 challenges at the other end!).

Then I came across this thread... which I shall watch avidly, and may get re-enthused ;D
Roman
-
 

SilverSolder (Topic starter)
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #30 on: February 11, 2021, 02:18:00 pm »
Hey @Roman, welcome to the EEVblog where you seem to be a good fit for Dave's philosophy - "Don't turn it on, take it apart!"  :D

There is another thread about these meters that is not so much about the 8080 code but interesting nevertheless:

https://www.eevblog.com/forum/testgear/some-old-school-instruments-showing-how-its-done-(hp-3325a-and-fluke-8506a)/msg3086825/#msg3086825


One member recently uploaded the binaries for 6.0.7 which you could use to update your meters, if you have an EPROM programmer?


It's funny how your description of the structure of the program seems to match what the Ghidra tool extracted out of it:

Code: [Select]
void RST0(void)
{
  ushort uVar1;
  short sVar2;
  undefined in_L;
  undefined *puVar3;
  byte bVar4;
 
  *(undefined *)CONCAT11(0xc0,in_L) = 0xff;
  puVar3 = (undefined *)CONCAT11(0xe0,in_L);
  do {
    *puVar3 = 0xff;
    bVar4 = (char)((ushort)puVar3 >> 8) + 1;
    puVar3 = (undefined *)((ushort)puVar3 & 0xff | (ushort)bVar4 << 8);
  } while (bVar4 != 0);
  sVar2 = 0x452c;
  do {
    uVar1 = (ushort)sVar2 >> 8;
    bVar4 = (byte)sVar2;
    sVar2 = sVar2 + -1;
  } while ((byte)((byte)uVar1 | bVar4) != 0);
  disableMaskableInterrupts();
  _DAT_ram_47fe = 0x41;
  FUN_ram_0091();
  DAT_ram_41fd = 0;
  _DAT_ram_47fe = 0x48;
  FUN_ram_2938();
  _DAT_ram_47fe = 0x4b;
  FUN_ram_01ed();
  do {
    _DAT_ram_47fe = 0x4e;
    FUN_ram_0214();
    DAT_ram_41f8 = 0;
    _DAT_ram_47fe = 0x55;
    FUN_ram_34a3();
    _DAT_ram_47fe = 0x58;
    FUN_ram_087d();
    _DAT_ram_47fe = 0x5b;
    FUN_ram_2201();
    _DAT_ram_47fe = 0x5e;
    FUN_ram_0e62();
    _DAT_ram_47fe = 0x61;
    FUN_ram_0eab();
    _DAT_ram_47fe = 100;
    FUN_ram_0962();
    _DAT_ram_47fe = 0x67;
    FUN_ram_0445();
    _DAT_ram_47fe = 0x6a;
    FUN_ram_26e0();
    _DAT_ram_47fe = 0x6d;
    FUN_ram_0500();
    _DAT_ram_47fe = 0x73;
    FUN_ram_2848();
    _DAT_ram_47fe = 0x76;
    FUN_ram_16b8();
    _DAT_ram_47fe = 0x79;
    FUN_ram_007c();
  } while( true );
}
 

m k
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #31 on: February 11, 2021, 04:59:25 pm »
Quote
Are you saying the first point where the code learns something about the outside world is already at 0002, when it writes to some "magic address" that may trigger an interrupt?

Could be but it's generally too early.
Interesting part is the coding of that delay and then start of RST7.

Since delay could be easily coded without those LD and OR there are probably accurate timing something.

Then that OUT 0,A from start of RST7.
Since there are no place for return address a possible interrupt must be one way only, but situation is also known so putting something to A and jumping to RST7 is completely valid.
There also seems to be only one IN A,0.

One other thing.
I seem to have seen some irregularities in that Ghidra file, but disassembling is not an easy thing to do completely accurately.
Like Roman said RST5, like those others are known code addresses and must contain a valid code but if you check your earlier files one had one of them ignored.
Address 7 then is the opposite, it's a no code but one of your earlier files have continued from there and failed.

Generally you have to add those code and data points manually.
Good disassembler would follow all jumps and calls but it is still powerless when partial length of data is in question.

A bit more from RST7.

Code: [Select]
        ram:004b cd 14 02        CALL       FUN_ram_0214                                     undefined FUN_ram_0214()
                             LAB_ram_004e                                    XREF[1]:     FUN_ram_0d4d:0211(j) 
        ram:004e af              XOR        A
        ram:004f 32 f8 41        LD         (DAT_ram_41f8),A
        ram:0052 cd a3 34        CALL       FUN_ram_34a3                                     undefined FUN_ram_34a3()
        ram:0055 cd 7d 08        CALL       FUN_ram_087d                                     undefined FUN_ram_087d()

That 0x0055 seems to be already demanding a bit.

Code: [Select]
        ram:087d 3a 10 40        LD         A,(DAT_ram_4010)
        ram:0880 b7              OR         A
        ram:0881 c8              RET        Z
        ram:0882 cd 8e 00        CALL       FUN_ram_008e                                     undefined FUN_ram_008e()
        ram:0885 76              HALT
        ram:0886 c3 7d 08        JP         FUN_ram_087d                                     undefined FUN_ram_087d()
Code: [Select]
        ram:008e d3 40           OUT        (DAT_io_0040),A
        ram:0090 c9              RET

So when value in 0x4010 is >0 it is put out to I/O port 0x40 and CPU is halted.

SilverSolder (Topic starter)
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #32 on: February 11, 2021, 05:35:42 pm »

Quote
Since delay could be easily coded without those LD and OR there are probably accurate timing something.

Could that be where it identifies what model it is?
 

m k
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #33 on: February 11, 2021, 07:10:22 pm »
Anything interruptible can happen before that RST7 and all non maskable ones anytime.
Some processors have interrupts disabled at the start but DI indicates that it is not the case here.

Usually things are put in order first but it's not a must.
If everything is static and inside a subroutine handled there are no need to do any initializings.

Yet my guess is that it is a delay of 1s where some other parts are timed.

At the right of the Ghidra file there are XREFs.
Those are addresses from where the local address is accessed.
There seems to be no turning backs to those early addresses.
 
The following users thanked this post: SilverSolder

m k
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #34 on: February 13, 2021, 10:06:59 am »
Wonky vision may have had issues.

Code: [Select]

ICn
(A14-8) (A15 = enable)

6543210
---111- ohms converter
---1-11 current shunts
??????? IEEE 488

6543210 20mA current loop
1-1---1 status in
1-1--1- data in
1-11--- data out
-11-1-- continue (D7 -> _INT)

6543210 parallel interface
-1-1--1 data out
-1-1-1- control out
-1-11-- D7 -> ???
1-1---1 data in
1-1--1- control in
1-1-1-- module status (GND -> _INT)

6543210 external trigger
111----

6543210
1----11 keyboard
-1---11 display
--11--1 signal conditioner
--11-1- A9 active filter
--111-- A10A2 Fast RR A/D converter
--_+11- ???
--1--11 A11A1 attenuator


SilverSolder (Topic starter)
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #35 on: February 13, 2021, 03:16:38 pm »
The universe of possible options that were available as separate plug-in cards (that could be present on the system bus) are:


Option    Description
01        AC/DC Converter - Averaging (model 8505A only, mutually exclusive with option 09)
02        Ohms Converter
03        Current Shunts
05        IEEE-488 Interface (Options 5, 6, 7 are mutually exclusive)
06        Bit Serial Asynchronous Interface (Options 5, 6, 7 are mutually exclusive)
07        Parallel Interface (Options 5, 6, 7 are mutually exclusive)
08        Isolator (standard)
09        AC/DC Converter - RMS (model 8505A only, mutually exclusive with option 01)
0A        Thermal RMS Converter (model 8506A only, standard)




I am not aware of a 20mA current loop option... maybe that is the mysterious missing Option 04 in the list?


« Last Edit: February 13, 2021, 03:23:21 pm by SilverSolder »
 

Roman oh
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #36 on: February 14, 2021, 12:58:42 pm »
Thanks, Silversolder
Don't see how to directly quote snippets (despite reading some advice on how to) so

Quote from Silversolder:
Hey @Roman, welcome to the EEVblog where you seem to be a good fit for Dave's philosophy - "Don't turn it on, take it apart!"  :D
There is another thread about these meters that is not so much about the 8080 code but interesting nevertheless:
https://www.eevblog.com/forum/testgear/some-old-school-instruments-showing-how-its-done-(hp-3325a-and-fluke-8506a)/msg3086825/#msg3086825
One member recently uploaded the binaries for 6.0.7 which you could use to update your meters, if you have an EPROM programmer?
It's funny how your description of the structure of the program seems to match what the Ghidra tool extracted out of it:

OK
First - been watching, and a member and casual poster for a while, but after a quiet period came back to this thread and saw I had been declared a non-person, so I had to recreate myself :o
I actually got to this thread from the other that you identified; like the OP on that thread, I am continually amazed at how good and stable these things are. I have two of them from very uncertain backgrounds, not been calibrated in many many years, and seldom more than a few ppm (well...10 or 20 or so) apart on AC, DC and ohms!
And I saw the pointer to 6.0.7 - mine were 6.0.4 and 6.0.6 - I now have one at 6.0.7 and am trying to find a fourth 2764 for the second one (I am reluctant to erase the originals until I have some months of stable operation). Tried to do something clever today with a 27128, looking at the (notionally) unused A13 on pin 26, but that didn't seem to work. I'll keep working it.

And I am quite comforted (rather than amused ;D) at the fact that my code analysis is confirmed by Ghidra. I am about to set that up (I was using DASMx) and I think the first thing that has piqued my curiosity is "what is changed from 6.0.6 to 6.0.7?"

Sadly (?) where I am there is not much Covid restriction, and it's a lovely summer, so I guess this is a longer term undertaking...

I will say (again) that I am quite impressed with how much knowledge there is out there, and the willingness of people to share. Now in MY day........!!!!!
R
 

m k
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #37 on: February 14, 2021, 01:01:03 pm »
My mistake, I didn't look.
Bit Serial has both, no RS-232 controls though, it seems.
It also seems that External Trigger is Isolator (standard).

The device is also demonstrating how discretes do IEEE-488.

One thing I don't seem to understand is how that I/O is operated and where.
it seems that OUT(+A11) is only SCAN ADV and IN is only ID1-3.

Code: [Select]

ICn
(A14-8) (A15 = enable)

6543210 IEEE 488 (605-22 of manual)
-11--1- response register
1-11--- control register
-1-1--1 software reset
1-1---1 status register
1-1--1- data register

6543210 Bit Serial (606-20 of manual)
1-1---1 STATIN
1-1--1- DATIN
-11-1-- COUT
1-11--- DATOUT


A d7 a 1
B d6 b 13
C d5 c 10
D d4 d 8
E d3 e 7
F d2 f 2
G d1 g 11
H d0 dp 9

ram:015e 21 ec 3e        LD         HL,0x3eec
ram:0161 11 f6 3e        LD         DE,0x3ef6

ram:3c9a 1234567890bCdEFAHL-

(6 bytes)
ram:3eec HI-5.0.6
ram:3ef6 HI-6.0.7

OT
Seems that back in the day when this Fluke was introduced others had different meters.
I had 2, kaise SK-300 and Simpson 461.
kaise is still here but unfortunately Simpson is MIA.

Roman oh
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #38 on: February 14, 2021, 01:16:44 pm »
Guys,
It took me a couple of hours of circuit analysis to come up with this ICn table that mk generated. I think I got the same answer, and also partially traced IEEE488 but sadly the schematics don't identify the functions involved so the best I have is the IC pin numbers on my version of the schematic

6543210
-11--1-   U12-6
1-11---   U12-10
-1-1--1   U13-6
1-1---1   U13-9
1-1--1-   U13-10

Did you (m k) generate this the long way, as I did, or do you have a clever tool or some other information? And is wonky vision a Thing?

And (for SilverSolder) where did your Option List come from? Is that in one of the manuals somewhere?






 

SilverSolder (Topic starter)
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #39 on: February 14, 2021, 04:00:22 pm »
Quote
Thanks, Silversolder
Don't see how to directly quote snippets (despite reading some advice on how to) so

The only way I know is to quote the whole thing, then break it up with
Code: [Select]
[QUOTE] ...  [/UNQUOTE] BBCodes.



I think I may have been the OP of the other thread, if we are talking about the same one.

Yes, I'd also be interested to see a diff between the various versions, but without understanding the basics of what is going on in there, I left that for another day!

Also, it would be fun to try to make a new release!  :D


I compiled the option list by looking in both the 8505A and 8506A manuals.

« Last Edit: February 14, 2021, 04:03:08 pm by SilverSolder »
 

SilverSolder (Topic starter)
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #40 on: February 14, 2021, 04:25:19 pm »
Quote
My mistake, I didn't look.
Bit Serial has both, no RS-232 controls though, it seems.


Ah, I didn't realize.  I've never seen a Bit Serial card, in my defense!  :D



Quote
It also seems that External Trigger is Isolator (standard).

Yes, they are the same card and are standard.


Quote
The device is also demonstrating how discretes do IEEE-488.

One thing I don't seem to understand is how that I/O is operated and where.
it seems that OUT(+A11) is only SCAN ADV and IN is only ID1-3.

Is there a clever use of a PROM or a ROM to decode addresses or anything like that?  Maybe we need to dump that too?

Quote
OT
Seems that back in the day when this Fluke was introduced others had different meters.
I had 2, kaise SK-300 and Simpson 461.
kaise is still here but unfortunately Simpson is MIA.

Back in the day, I think I had a Radio Shack analog meter!  :D

These Flukes cost as much as a car back then...  I wouldn't even have known they existed!
 

m k
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #41 on: February 15, 2021, 10:50:09 am »
At the very right of Ghidra CodeBrowser window are small markings.
Red ones seem to be something the browser doesn't like.

My version was missing opcode 0xAE, XOR (HL).

Ghidra\Processors\8085\data\languages has a file 8085.slaspec
I added there a middle XRA part from below.
Something else should probably be added also but I have absolutely no clue what it could be.

Code: [Select]
:XRI imm8  is op0_8=0xee; imm8 {
AC_flag = 0;
CY_flag = 0;
P_flag = 0;
A = A ^ imm8;
setResultFlags(A);
}

:XRA (HL)  is op0_8=0xae & HL {
AC_flag = 0;
CY_flag = 0;
P_flag = 0;
A = A ^ *:1 HL;
setResultFlags(A);
}

:CMP reg0_3  is op6_2=0x2 & bits3_3=0x7 & reg0_3 {
setSubtractFlags(A,reg0_3);
cmp:1 = A - reg0_3;
setResultFlags(cmp);
}



Did you (m k) generate this the long way, as I did, or do you have a clever tool or some other information? And is wonky vision a Thing?

Old way with market binocular enhanced pair of tomato samples.
It is not helping much either that the manual has all circuit sheets divided in three pages.
Advance-Aneng-Appa-AVO-Beckman-Data Tech-Fluke-General Radio-H. W. Sullivan-Heathkit-HP-Kaise-Kyoritsu-Leeds & Northrup-Mastech-REO-Simpson-Sinclair-Tektronix-Tokyo Rikosha-Triplett-YFE
(plus lesser brands from the work shop of the world)
 

Offline Roman oh

  • Regular Contributor
  • *
  • Posts: 50
  • Country: au
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #42 on: February 15, 2021, 12:47:42 pm »
Quote from m k:

One thing I don't seem to understand is how that I/O is operated and where.
It seems that OUT(+A11) is only SCAN ADV and IN is only ID1-3.

Code: [Select]

ICn
(A14-8) (A15 = enable)

6543210 IEEE 488 (605-22 of manual)
-11--1- response register
1-11--- control register
-1-1--1 software reset
1-1---1 status register
1-1--1- data register

6543210 Bit Serial (606-20 of manual)
1-1---1 STATIN
1-1--1- DATIN
-11-1-- COUT
1-11--- DATOUT


A d7 a 1
B d6 b 13
C d5 c 10
D d4 d 8
E d3 e 7
F d2 f 2
G d1 g 11
H d0 dp 9


I note references by you to pages (605-22, 606-20) in "the manual". These pages don't appear in any 8505/8506 manuals that I have. 605-14 is the last page (schematic) of the IEEE488 section that I can find. Can you tell me where there is a better manual?
And it's not clear to me what the little table at the bottom of the above quote means....
 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #43 on: February 15, 2021, 01:53:03 pm »


The "newest" manual I know of is this one, it is from 91 or so: 
https://xdevs.com/doc/Fluke/8505A/Manuals/fluke_8505a_multimeter_sm.pdf

It sounds like the page numbering scheme fits this version?

Don't forget the errata at the end of the manual, there are some pretty big changes (DC signal conditioner completely new circuit, among other things).

 

Offline m k

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: fi
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #44 on: February 15, 2021, 06:39:14 pm »
Dang, I was using Mar-83 8506A manual from electrotanya.

I was also sure that Bit Serial U9 is something internally numbered.
Can't say I'm familiar with that chip.

Code: [Select]

6543210
--11001 DC signal Conditioner
--1-1-1 AC RMS Converter


New Ohms Converter is different, old manual is also missing or misplaced the left part of its schematics.
New model uses IC4-0 through a logic array.

Emulating with Z80 emulator with i8080 code.

ram:0147 cd 85 05        CALL       FUN_ram_0585
is not returning.

When call happens A = 3 and 0x400f = 0.

Code: [Select]
        ram:0585 21 0f 40        LXI        HL,0x400f
        ram:0588 86              ADD        (HL=>DAT_ram_400f)
                             LAB_ram_0589                                    XREF[1]:     ram:058a(j) 
        ram:0589 be              CMP        (HL=>DAT_ram_400f)
        ram:058a c2 89 05        JNZ        LAB_ram_0589
        ram:058d c9              RET



And it's not clear to me what the little table at the bottom of the above quote means....

Access of 7-segment 5082-7651, new manual has a bit more difficult type.
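The routine at ram:0585 in the post above adds the byte at 0x400f to A and then spins until that byte equals A, so it can only return if something outside the routine changes 0x400f. The Python below is an added example, not code from the thread: it executes the nine listed bytes, and the periodic increment of 0x400f (`tick_every`) is an assumption standing in for whatever the real hardware does, such as a timer interrupt.

```python
# Added example: runs the bytes of ram:0585-058d exactly as listed in the post.
ROUTINE = bytes.fromhex("210f40" "86" "be" "c28905" "c9")
BASE, COUNTER = 0x0585, 0x400F

def call_0585(a, counter=0, tick_every=None, max_steps=5000):
    """Run the routine with A=a and mem[0x400f]=counter.

    tick_every: if set, add 1 to mem[0x400f] after every N instructions.
    This models an outside writer (assumed; the thread does not show one).
    Returns (returned, instructions_executed, final_counter).
    """
    mem = {BASE + i: b for i, b in enumerate(ROUTINE)}
    mem[COUNTER] = counter
    pc, hl, zero = BASE, 0, False
    for step in range(1, max_steps + 1):
        op = mem[pc]
        if op == 0x21:                      # LXI H,d16
            hl = mem[pc + 1] | mem[pc + 2] << 8
            pc += 3
        elif op == 0x86:                    # ADD M: A = A + (HL)
            a = (a + mem[hl]) & 0xFF
            pc += 1
        elif op == 0xBE:                    # CMP M: Z is set when A == (HL)
            zero = a == mem[hl]
            pc += 1
        elif op == 0xC2:                    # JNZ a16
            pc = (mem[pc + 1] | mem[pc + 2] << 8) if not zero else pc + 3
        elif op == 0xC9:                    # RET
            return True, step, mem[COUNTER]
        else:
            raise ValueError(f"unmodelled opcode {op:#04x} at {pc:#06x}")
        if tick_every and step % tick_every == 0:
            mem[COUNTER] = (mem[COUNTER] + 1) & 0xFF
    return False, max_steps, mem[COUNTER]   # step budget exhausted: no RET
```

With A = 3 and no outside writer the call never reaches RET, which matches the emulator result reported above; with a periodic tick it returns after three ticks regardless of the counter's starting value.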
 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #45 on: February 15, 2021, 06:51:42 pm »
All the different modules from the different years are still compatible with each other, based on getting away with swapping them freely between the different units.

The first thing seen on the display when the meter is switched on is "HI - 5.0.6" (depending on version number)  - I can't figure out where that happens!  :(

« Last Edit: February 15, 2021, 06:54:19 pm by SilverSolder »
 

Offline Roman oh

  • Regular Contributor
  • *
  • Posts: 50
  • Country: au
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #46 on: February 16, 2021, 02:49:23 am »
Quote from mk:

Dang, I was using Mar-83 8506A manual from electrotanya.

Ooops, my oversight... I didn't read the text of my manual clearly enough. The data is indeed in my manual but I was looking for PAGE 605-22 instead of PARA 605-22. Might have been late at night ;D
Thanks
 

Offline m k

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: fi
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #47 on: February 16, 2021, 05:49:54 pm »
I should get a bigger screen.


All the different modules from the different years are still compatible with each other, based on getting away with swapping them freely between the different units.

Sloppy description from me.
Their module selection gates are different.

Quote
The first thing seen on the display when the meter is switched on is "HI - 5.0.6" (depending on version number)  - I can't figure out where that happens!  :(

Same here.

0x1c09 it could be.

These things are very time consuming, especially this.
Following anything is also very difficult without the actual device.
One should connect an analyzing thing of some sort.

0x0788 copies greetings text to RAM area 0x4042, but in every other location.

0xc3 keyboard data
0xa3 display dataX(extras)
0xa2 display dataN(numbers*6+1)
0xa1 display/keyboard address

Chips are rising edge, means that latching is happening when address is dropped, happens shortly by _DBIN and WAIT.
When display dataX is dropped it enables display dataN and combined address if d7 was 0.
When combined address is dropped it flips in new d7.

Other stuff.

0x0720 moves ascii 8506A
0x072d reads an 8bit HW address and ascii byte, finally DFC123-56789A

0x125f seems to be some accepted ascii inputs.
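m k's table assigns data bits d7..d0 to segments a..g and dp of the 5082-7651 display. If the firmware keeps display text as segment patterns in that bit order (an assumption; the thread does not show the raw bytes), "HI-5.0.6" takes six bytes with each decimal point folded into d0 of the preceding character, and such text can be searched for in a ROM dump. The Python below is an added example, not code from the thread; the glyph shapes, active-high polarity, function names and sample image are assumptions.

```python
# Added example: a "strings" pass for 7-segment text. Bit order from the thread's
# table: d7=a d6=b d5=c d4=d d3=e d2=f d1=g d0=dp. Assumed: a set bit lights a segment.
SEGS, DP = "abcdefg", 0x01
SHAPES = {  # the 19 characters listed at ram:3c9a -> lit segments (assumed shapes)
    "1": "bc", "2": "abdeg", "3": "abcdg", "4": "bcfg", "5": "acdfg",
    "6": "acdefg", "7": "abc", "8": "abcdefg", "9": "abcdfg", "0": "abcdef",
    "b": "cdefg", "C": "adef", "d": "bcdeg", "E": "adefg", "F": "aefg",
    "A": "abcefg", "H": "bcefg", "L": "def", "-": "g",
}
ENC = {ch: sum(0x80 >> SEGS.index(s) for s in segs) for ch, segs in SHAPES.items()}
DEC = {pattern: ch for ch, pattern in ENC.items()}

def encode(text):
    """Text -> segment bytes; '.' sets d0 of the previous byte, 'I' is drawn as '1'."""
    out = []
    for ch in text:
        if ch == "." and out:
            out[-1] |= DP
        else:
            out.append(ENC["1" if ch == "I" else ch])
    return bytes(out)

def decode(data):
    """Segment bytes -> text, or None if any byte is not a known glyph."""
    chars = []
    for b in data:
        ch = DEC.get(b & 0xFE)
        if ch is None:
            return None
        chars.append(ch + ("." if b & DP else ""))
    return "".join(chars)

def seg_strings(rom, min_len=5):
    """Return (offset, text) for each run of at least min_len glyph bytes in rom."""
    hits, start = [], None
    for i in range(len(rom) + 1):
        ok = i < len(rom) and (rom[i] & 0xFE) in DEC
        if ok and start is None:
            start = i
        elif not ok and start is not None:
            run = rom[start:i]
            # Erased EPROM (0xFF) also decodes as "8."; skip single-value runs.
            if len(run) >= min_len and len(set(run)) > 1:
                hits.append((start, decode(run)))
            start = None
    return hits

# Constructed sample image, not bytes from the real EPROM.
SAMPLE_ROM = b"\xc3\x00\x01" + b"\xff" * 16 + bytes(4) + encode("HI-5.0.6") + b"\x00\x21"
```

The decoder prints "H1-5.0.6" because an "I" drawn with segments b and c is indistinguishable from "1"; if the display turns out to be active-low, invert each byte before calling `seg_strings`.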
 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #48 on: February 16, 2021, 06:06:39 pm »
I actually found a  MIS-7191K test controller card...  but unable to find any kind of documentation for it whatsoever! 

It looks like it might be able to stop execution by suppressing ACKs on the bus - maybe it can do other things!








 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #49 on: February 16, 2021, 06:11:49 pm »
I should get a bigger screen.


All the different modules from the different years are still compatible with each other, based on getting away with swapping them freely between the different units.

Sloppy description from me.
Their module selection gates are different.

Quote
The first thing seen on the display when the meter is switched on is "HI - 5.0.6" (depending on version number)  - I can't figure out where that happens!  :(

Same here.

0x1c09 it could be.

These things are very time consuming, especially this.
Following anything is also very difficult without the actual device.
One should connect an analyzing thing of some sort.

0x0788 copies greetings text to RAM area 0x4042, but in every other location.

0xc3 keyboard data
0xa3 display dataX(extras)
0xa2 display dataN(numbers*6+1)
0xa1 display/keyboard address

Chips are rising edge, means that latching is happening when address is dropped, happens shortly by _DBIN and WAIT.
When display dataX is dropped it enables display dataN and combined address if d7 was 0.
When combined address is dropped it flips in new d7.

Other stuff.

0x0720 moves ascii 8506A
0x072d reads an 8bit HW address and ascii byte, finally DFC123-56789A

0x125f seems to be some accepted ascii inputs.

GPIB command processing?  - it should accept single and two character commands like R2, S3, ?, and so on

 

