Author Topic: Old school 8080 EPROM disassembly - is it making sense?  (Read 15602 times)


Offline m k

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: fi
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #75 on: March 10, 2021, 12:49:16 pm »
Finally i noticed that backplane address lines IC0..IC6 are inverted from the 8080A address bus.

Yes,
the chip is regular(14001) NOR.
Many things are active low.

It seems to be also a norm that drawn part is a priority.
Like front panel, where address lines in and out of the chip are not parallel in picture.

It's also necessary to check all.
Like Isolator, where IC4 has double meaning, part of Isolator address and IC4-7 as 0xF clocking ID0 as _INT, and ID1 if INA.
Advance-Aneng-Appa-AVO-Beckman-Data Tech-Fluke-General Radio-H. W. Sullivan-Heathkit-HP-Kaise-Kyoritsu-Leeds & Northrup-Mastech-REO-Simpson-Sinclair-Tektronix-Tokyo Rikosha-Triplett-YFE
(plus lesser brands from the work shop of the world)
 

Offline m k

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: fi
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #76 on: March 19, 2021, 07:32:18 pm »
If making a disassembler took a few hours and an assembler twice that, the emulator is a bit different.
Then, unluckily, didn't remember, I also thought that adding a flag for 8085 is a nice addendum.

Anyway, what is the absolute minimum configuration that is showing some life on screen, is it already stated somewhere?

Should the emulator treat stuff like XTHL as potential external data exchange?
(quite theoretical IMO, not here anyway)
 

Offline dietert1

  • Super Contributor
  • ***
  • Posts: 2071
  • Country: br
    • CADT Homepage
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #77 on: March 20, 2021, 08:52:54 am »
I think it's not a matter of hours. Look at this video what they used in the past:


One of those units appeared on ebay, but i thought i don't want to get into this. Also i'm a bit tired of the logic analyzer work.

So i made a STM32 board with a backplane interface, based on a Nucleo-32 STM32F303. It has 4 KByte of single cycle SRAM and 64K Flash and runs up to 72 MHz. Some of its ports are 5V tolerant, others need a level shifter. It's not yet complete.
First i thought i want a sniffer to log all backplane cycles over USB. Then i added two 374 bus registers to let it drive the bus, too. It can also be a backplane slave module or even the controller. Then i thought i can put the 8080A binary into it and implement the simulator i have been using under Win32. I mean it runs circles around a 8080A and one will need delay loops to get a similar instruction timing to the 8080A. For me this is low priority, more or less a fun exercise.

Regards, Dieter
« Last Edit: March 20, 2021, 08:54:28 am by dietert1 »
 
The following users thanked this post: SilverSolder

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #78 on: March 20, 2021, 08:53:16 pm »
I think it's not a matter of hours. Look at this video what they used in the past:


One of those units appeared on ebay, but i thought i don't want to get into this. Also i'm a bit tired of the logic analyzer work.

So i made a STM32 board with a backplane interface, based on a Nucleo-32 STM32F303. It has 4 KByte of single cycle SRAM and 64K Flash and runs up to 72 MHz. Some of its ports are 5V tolerant, others need a level shifter. It's not yet complete.
First i thought i want a sniffer to log all backplane cycles over USB. Then i added two 374 bus registers to let it drive the bus, too. It can also be a backplane slave module or even the controller. Then i thought i can put the 8080A binary into it and implement the simulator i have been using under Win32. I mean it runs circles around a 8080A and one will need delay loops to get a similar instruction timing to the 8080A. For me this is low priority, more or less a fun exercise.

Regards, Dieter

That looks crazy cool!  :D

Step 1 in replacing the entire controller board with a new CPU! 

Can that board be programmed in the Arduino environment?
 

Offline dietert1

  • Super Contributor
  • ***
  • Posts: 2071
  • Country: br
    • CADT Homepage
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #79 on: March 20, 2021, 10:01:15 pm »
Yes, there seems to be support here:
https://github.com/stm32duino and https://www.stm32duino.com/
As far as i know, that was initiated by a freelancer and is now maintained by STM. I think they have board files for the Nucleo-32 boards, that are all very similar.

Regards, Dieter
« Last Edit: March 20, 2021, 10:03:42 pm by dietert1 »
 

Offline peter-h

  • Super Contributor
  • ***
  • Posts: 3697
  • Country: gb
  • Doing electronics since the 1960s...
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #80 on: March 22, 2021, 10:21:54 am »
I have not done disassembly for many years but the general rule used to be that you do a hex dump first to visually identify any text, and you feed that to the disassembler as exclusions.

This is vital because 8080/Z80 opcodes often look like text. In fact an old trick was to execute the copyright message so if somebody changed it, some register would end up with the wrong value :)

There were loads of very clever disassemblers around in the old days. Always multiple passes.
Z80 Z180 Z280 Z8 S8 8031 8051 H8/300 H8/500 80x86 90S1200 32F417
 

Offline dietert1

  • Super Contributor
  • ***
  • Posts: 2071
  • Country: br
    • CADT Homepage
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #81 on: March 22, 2021, 11:54:19 am »
The 8502A/8505/6A binaries we have been looking at are well obfuscated. For example they store strings as 7-segment display bytes instead of ASCII. Somebody made a special viewer already to discover those texts. For the GPIB commands these instruments use single character codes that are immediately fed into a large computed goto, so there are no command strings to discover, either. They run small parts of the firmware from RAM copies. They push return addresses to stack by hand in an effort to reuse code and so on and so on. Hacker work at its best, full of surprising ideas.

The 8502A firmware i looked at has about 12 KBytes of code and about 1 KByte of constants, for example those jump tables for the computed goto. I used an open-source disassembler from Adam Thompson https://hackeradam.com/lets-write-a-simple-disassembler-for-the-intel-8080-microprocessor/ that i debugged and adapted a bit.

Regards, Dieter
 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #82 on: March 22, 2021, 01:35:13 pm »

Wonder how much is intentional obfuscation, and how much is the result of trying to cram as much as possible into the available space?  - The design may date as far back as the late 70's, where 16K of program space might have been eye-bleedingly expensive?
 

Offline m k

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: fi
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #83 on: March 23, 2021, 02:21:25 pm »
This RAM code seems to be a calculation adjustment thing.
It also seems to be an addendum.

Maybe measurement corrections of earlier version are done with fixed tables.
 
The following users thanked this post: SilverSolder

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #84 on: March 23, 2021, 04:36:55 pm »
Could this be where the calibration constants are applied?

I like the way you listed the code in Excel like that, makes it easier to see what is going on.

We should have column-editors for all programming languages! 
 

Offline dietert1

  • Super Contributor
  • ***
  • Posts: 2071
  • Country: br
    • CADT Homepage
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #85 on: March 25, 2021, 07:58:51 am »
Here i have a measurement of the external trigger timing. Three signals are taken from the non-isolated side of the isolation module: INT, ACK* and X Trigger signal. The rising edge of the external trigger sets the interrupt. On average interrupt handling takes about 54 usec. There are two ACK cycles from the isolator, first the INA cycle, then a cycle with IC=0x70. Statistics and histogram are included. Difference between min and max handling time is about 15 usec.

In external trigger mode the display of the 8502A blanks. With standard data format, the maximum trigger rate is about 40 Hz. It requires reading from the communication interface, otherwise the instrument stops taking data and ignores external trigger signals. One cannot simply use a backplane sniffer to get the ADC results via USB, in order to save the delay by GPIB communication. That won't work.

Regards, Dieter
 
The following users thanked this post: SilverSolder

Offline m k

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: fi
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #86 on: March 27, 2021, 07:14:33 pm »
Inverting things continue.
Hardware addressing is partially exclusive.
Addresses E5h and E6h are front panel only, zero at 18h is an exclusion part.
Then ECh has 03h as exclusion part, where it is excluding front panel and including parallel(ACh) interface something.
Ohms converter and Current shunts are also possible for E*h but not without low bits.


Somewhere was that Isolator can be less than F*h also, maybe that is the reason.
(Edit: no, it was something else)

The very first
MVI   H, 0xC0
MVI   (HL), 0xFF
is resetting everything.
Nothing is answering there but all HW gates go to off position.

Something for later use.
506_607 file has a program check at 180h and it adds the whole code.
Other versions are possibly similar.
In case the code must be changed do it so that the operation is not changing, the result is possibly used later.
Something like
0x0180  21 00 40  LXI   HL, 0x4000
0x0183  3E 00     MVI   A, 0x00    ; original result
0x0185  C3 92 01  JMP   0x0192
0x0188  00        NOP              ; free bytes
...
0x0191  00        NOP
0x0192  F5        PUSH  AF
« Last Edit: March 29, 2021, 05:40:34 pm by m k »
 
The following users thanked this post: SilverSolder

Offline m k

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: fi
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #87 on: March 29, 2021, 05:38:16 pm »
Wrong,
and how long since I commented it myself.
Some(much more) time lost again but totally own fault this time.

So address E3h is IC4+IC3+IC2 and nothing to do with the front panel or the Isolator.
(like dietert1 said)
First front panel access is later and addresses are DCh, DDh and DEh.

And small correction to resetting thing.
Only unguarded side of gates are reset.
Isolator is not moving that to the other(King Willie) side.

0x421D "8505A   DFC123-56789A",0
result after sending FFh to HW addresses
source 0746h

("EEPROM" = 00)
0x4234 8 * (5bytes from EEPROM + 88h + (10h - 17h))
0x426C 5 * (5bytes from EEPROM + 88h + (0 - 4))
loaded backwards from 49FEh
49FFh is first tested for 55h

0x40A7 (7seg)C1235679A
hard coded skip for '4' and hard coded change from '8' to '9'
separately added 'A'
 
The following users thanked this post: SilverSolder

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #88 on: March 29, 2021, 10:55:05 pm »
[...]
0x40A7 (7seg)C1235679A
hard coded skip for '4' and hard coded change from '8' to '9'
separately added 'A'

This looks like the part where it displays the installed modules (the second thing that happens during boot).
Out of the string 'C1235679A', the non-installed modules are blanked out.  I'll take a picture of the display so you can see what I mean...
 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #89 on: April 01, 2021, 12:38:48 am »
8505A and 8506A installed modules display during boot:

 
The following users thanked this post: m k

Offline m k

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: fi
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #90 on: April 01, 2021, 06:17:19 pm »
Very good!

The use of that last digit of main display was still a bit fuzzy, not any more.

There also seems to be a double led use of two of those led bars.
(page 285/323 of new 8505A manual)
U26 and U24 pins 5 and 16, when other pairs have opposite parities.

I have to get those HW addresses coded to the emulator.
Now it has all possible things "installed", not very practical.

Normally the control rolls around 400Fh when it's waiting interrupts happening.
Somewhere is also a place jumping to itself, if memory serves.

Some kind of a hibernation or wait mode is also present.
Maybe it has been pointed out already somewhere.

Code:
0x087D  3A 10 40  LDA   (0x4010)
0x0880  B7        ORA   A
0x0881  C8        RZ
0x0882  CD 8E 00  CALL  0x008E  ; OUT 0x40
0x0885  76        HLT
0x0886  C3 7D 08  JMP   0x087D

If interrupt(releasing halt) is returning without resetting 4010h it's halted again in no time.

Those calibration things.
Earlier RAM code seems to be Hex but EEPROM could be BCD.
Many data parts are 5 bytes long and

0x20BA 80 19 99 99

What is this 2A34h then?
Jump to (3A17h + 12(bitC) + 2L)
Maybe it's totally practical after all.

Code:
0x2A34  79        MOV   A, C
0x2A35  06 FF     MVI   B, 0xFF
0x2A37  04        INR   B
0x2A38  1F        RAR
0x2A39  D2 37 2A  JNC   0x2A37
0x2A3C  78        MOV   A, B
0x2A3D  87        ADD   A
0x2A3E  87        ADD   A
0x2A3F  47        MOV   B, A
0x2A40  87        ADD   A
0x2A41  80        ADD   B
0x2A42  85        ADD   L
0x2A43  85        ADD   L
0x2A44  2A 0E 41  LHLD  (0x410E)
0x2A47  E5        PUSH  HL
0x2A48  21 17 3A  LXI   HL, 0x3A17
0x2A4B  5F        MOV   E, A
0x2A4C  16 00     MVI   D, 0x00
0x2A4E  19        DAD   DE
0x2A4F  5E        MOV   E, (HL)
0x2A50  23        INX   HL
0x2A51  56        MOV   D, (HL)
0x2A52  EB        XCHG
0x2A53  E9        PCHL ;---------->*
 
The following users thanked this post: SilverSolder

Offline dietert1

  • Super Contributor
  • ***
  • Posts: 2071
  • Country: br
    • CADT Homepage
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #91 on: April 01, 2021, 08:55:41 pm »
I think that is a computed call via a jump table at 3A17 (array of short). The return address comes from 410E and gets pushed by hand. Actually there seem to be several jump tables indexed by B, each one with 6 destination addresses of 2 bytes. So B gets multiplied by 12 and L gets multiplied by 2.

Regards, Dieter

PS: The 8502A V3.0.0 has the same code at 205C and the code  "MOV   A, C" you start with is not an entry point. The jump table is at 2D1B and has a total of 36 destinations.
« Last Edit: April 01, 2021, 09:08:05 pm by dietert1 »
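
The computed call described in the two posts above, modelled in Python so the table at 3A17 can be turned into a list of entry points for the disassembler. This is an added example, not code from the thread or from the firmware: the table contents are constructed, the 16 KiB ROM size is an assumption, and the 6 x 6 layout is the one dietert1 gives for the 8502A table.

```python
# Added example, not code from the thread: a model of the dispatch routine
# listed at 0x2A34..0x2A53, used to turn the jump table into entry points.
TABLE_BASE = 0x3A17      # LXI HL, 0x3A17 in the listing
ROM_SIZE = 0x4000        # assumption: 16 KiB of ROM below the RAM at 0x4000


def lowest_set_bit(c, carry_in=0, max_steps=9):
    """Model MVI B,0xFF / INR B / RAR / JNC: B = rotations until a 1 hits carry.

    RAR rotates A right *through* carry, so the carry on entry matters:
    with C == 0 the loop ends only if carry was set (B == 8). With C == 0
    and carry clear the real loop never ends; that case returns None here.
    """
    a, cy, b = c & 0xFF, carry_in & 1, 0xFF
    for _ in range(max_steps):
        b = (b + 1) & 0xFF            # INR B (does not touch carry)
        out = a & 1
        a = (a >> 1) | (cy << 7)      # RAR
        cy = out
        if cy:                        # JNC falls through once carry is set
            return b
    return None


def table_offset(c, l, carry_in=0):
    """A = 12*B + 2*L, computed in the 8-bit accumulator (wraps at 256)."""
    b = lowest_set_bit(c, carry_in)
    if b is None:
        return None
    return (12 * b + 2 * l) & 0xFF


def dispatch_target(rom, c, l, base=TABLE_BASE, carry_in=0):
    """Address loaded into PC by PCHL for the given C and L register values.

    The routine also pushes the word at 0x410E first, so the handler's RET
    goes wherever that RAM word points; that part is not modelled.
    """
    off = table_offset(c, l, carry_in)
    if off is None:
        return None
    addr = base + off                 # DAD DE with D = 0
    if addr + 1 >= len(rom):
        raise ValueError("table read past end of image")
    return rom[addr] | (rom[addr + 1] << 8)   # MOV E,(HL) / INX / MOV D,(HL)


def jump_table_targets(rom, base=TABLE_BASE, groups=6, per_group=6):
    """Read groups*per_group little-endian words as (B, L, target, in_rom).

    in_rom is False for a target outside the assumed ROM range, which
    usually means the table is shorter than assumed.
    """
    out = []
    for n in range(groups * per_group):
        addr = base + 2 * n
        target = rom[addr] | (rom[addr + 1] << 8)
        out.append((n // per_group, n % per_group, target, target < ROM_SIZE))
    return out


def build_sample_rom():
    """Constructed image: 36 made-up targets 0x2A60, 0x2A64, ... at TABLE_BASE."""
    rom = bytearray(ROM_SIZE)
    for n in range(36):
        target = 0x2A60 + 4 * n
        rom[TABLE_BASE + 2 * n] = target & 0xFF
        rom[TABLE_BASE + 2 * n + 1] = target >> 8
    return rom


SAMPLE_ROM = build_sample_rom()

if __name__ == "__main__":
    for b, l, target, in_rom in jump_table_targets(SAMPLE_ROM):
        flag = "" if in_rom else "  <-- outside ROM, check table length"
        print(f"B={b} L={l} -> 0x{target:04X}{flag}")
```
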
 

Offline m k

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: fi
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #92 on: April 10, 2021, 04:59:55 pm »
Real entry point(293Dh) is far away.
I'd say too far for the purpose.
Though one could also say that 2A15h is more of an entry point since

Code:
0x2A15  31 00 48  LXI   SP, 0x4800
0x2A18  AF        XRA   A
0x2A19  3A B6 41  LDA   (0x41B6)
0x2A1C  B7        ORA   A
0x2A1D  C5        PUSH  BC
0x2A1E  E5        PUSH  HL
0x2A1F  C4 54 2A  CNZ   0x2A54
0x2A22  E1        POP   HL
0x2A23  C1        POP   BC
0x2A24  AF        XRA   A


But it's not called from out of this section.

First XRA is not needed so maybe this is an updated part.
Or maybe it's just a programmers habit.

In that section is

Code:
0x2963  2C        INR   L
0x2964  3E 61     MVI   A, 0x61
0x2966  BD        CMP   L
0x2967  C0        RNZ
0x2968  2E 55     MVI   L, 0x55
0x296A  C9        RET


First thought was that it's some sort of a calculation thing but it's just a simple data area limiter.
That ASCII 'a' just happened to be there.
Personally I wouldn't trust myself so much, I'd use RNC for return.

Some interrupt stuff.

I've missed the MarkINT (A14 + OUT + 8xFLine).
Its vector (manual page 297/323) is U21 pin 11 and D1 so 08h and RST1.
But it needs A14 with OUT so for pretty long time I just couldn't understand when that happens.
I've also found a polarity error in front panel stuff so no help from there.
Luckily I spotted a phrase "the port number is duplicated on the address bus" p97/224 of RS $3.95 manual.
So OUT 40h is actually OUT 4040h and use of A14 is perfectly clear.
For Scan Adv I've messed with polarities all by my self but OUT 48h actually being OUT 4848h make the use of A11 also clear.

Has this U18 and its Alt. jumper being an argumental center earlier?
Maybe it was a different hardware.

INA
ID1 (D4, 10h, RST2) Ext Trigger
ID2 (D4-3, 18h, RST3) Bit Serial, Parallel
ID3 (D5, 20h, RST4) IEEE-1488

ACK (U21 D6) is D5-4, 30h, RST6.
MARKINT (U21 D1) is D1, 08h, RST1.

Below should be everything related to RST instructions.

Code:
0x00B4  21 F8 0B  LXI   HL, 0x0BF8
0x00B7  22 12 41  SHLD  (0x4112)   ; RST3 & 4 jump
0x00BA  21 FE 0B  LXI   HL, 0x0BFE
0x00BD  22 10 41  SHLD  (0x4110)   ; RST6 jump

0x01E6  21 5F 0B  LXI   HL, 0x0B5F ; front panel stuff
0x01E9  22 10 41  SHLD  (0x4110)   ; RST6 jump

0x0BF8  C1        POP   BC
0x0BF9  D1        POP   DE
0x0BFA  E1        POP   HL
0x0BFB  F1        POP   AF
0x0BFC  FB        EI
0x0BFD  C9        RET
0x0BFE  26 C0     MVI   H, 0xC0    ; not MarkINT without
0x0C00  36 FF     MVI   (HL), 0xFF ; rising edge of OUT
0x0C02  C3 FA 0B  JMP   0x0BFA

0x0CF4  21 B4 0D  LXI   HL, 0x0DB4
0x0CF7  22 C8 41  SHLD  (0x41C8)   ; RST5 jump
; ...
0x0D0E  2A AC 41  LHLD  (0x41AC)
0x0D11  22 12 41  SHLD  (0x4112)   ; RST3 & 4 jump

0x0DEA  21 FF 0D  LXI   HL, 0x0DFF
0x0DED  22 C8 41  SHLD  (0x41C8)   ; RST5 jump
0x0DF0  21 32 0E  LXI   HL, 0x0E32
0x0DF3  22 12 41  SHLD  (0x4112)   ; RST3 & 4 jump

0x0E59  21 7B 1A  LXI   HL, 0x1A7B
0x0E5C  22 C8 41  SHLD  (0x41C8)   ; RST5 jump

0x1371  CD 88 13  CALL  0x1388
0x1374  78        MOV   A, B
0x1375  FE 31     CPI   0x31
0x1377  C2 81 13  JNZ   0x1381
0x137A  21 B4 0D  LXI   HL, 0x0DB4
0x137D  22 C8 41  SHLD  (0x41C8)   ; RST5 jump
0x1380  C9        RET
0x1381  21 B5 0D  LXI   HL, 0x0DB5
0x1384  22 C8 41  SHLD  (0x41C8)   ; RST5 jump
0x1387  C9        RET
0x1388  3A CB 41  LDA   (0x41CB)   ; RST5 Isolator=FF if 41CBbit0
0x138B  E6 01     ANI   0x01
0x138D  C8        RZ
0x138E  3E FF     MVI   A, 0xFF
0x1390  32 CA 41  STA   (0x41CA)
0x1393  C9        RET
0x1394  CD AE 13  CALL  0x13AE     ; Isolator=FF if 41CBbit0
0x1397  AF        XRA   A
0x1398  32 CA 41  STA   (0x41CA)
0x139B  2F        CMA
0x139C  32 C8 41  STA   (0x41C8)   ; RST5 jump
0x139F  32 C9 41  STA   (0x41C9)   ; FFFF (RST7?)
0x13A2  C9        RET

0x145C  21 99 15  LXI   HL, 0x1599 ; inc (400F)
0x145F  22 10 41  SHLD  (0x4110)   ; RST6 jump
0x1462  11 40 40  LXI   DE, 0x4040
0x1465  1A        LDAX  (DE)
0x1466  F6 40     ORI   0x40       ; 7th digit?
0x1468  12        STAX  (DE)       ; front or rear
0x1469  C9        RET

0x158A  26 D3     MVI   H, 0xD3
0x158C  11 98 1A  LXI   DE, 0x1A98
0x158F  36 00     MVI   (HL), 0x00
0x1591  EB        XCHG
0x1592  22 AC 41  SHLD  (0x41AC)
0x1595  22 12 41  SHLD  (0x4112)   ; RST3 & 4 jump
0x1598  C9        RET

0x3117  CD 88 13  CALL  0x1388     ; (41CA)=FF if 41CBbit0
0x311A  21 00 02  LXI   HL, 0x0200 ; 2nd code set
0x311D  22 C8 41  SHLD  (0x41C8)   ; RST5 jump
0x3120  21 40 40  LXI   HL, 0x4040
0x3123  7E        MOV   A, (HL)
0x3124  E6 20     ANI   0x20
0x3126  F5        PUSH  AF
0x3127  7E        MOV   A, (HL)
0x3128  E6 DF     ANI   0xDF
0x312A  77        MOV   (HL), A
0x312B  CD 38 29  CALL  0x2938     ; 0 to 4165h
0x312E  F1        POP   AF
0x312F  31 00 48  LXI   SP, 0x4800
0x3132  C2 14 02  JNZ   0x0214
0x3135  CD 66 10  CALL  0x1066
0x3138  C3 4E 00  JMP   0x004E     ; all done, go back

; 2nd code set
; never called directly by code starting from 0000
0x0200  CD AE 13  CALL  0x13AE
0x0203  31 00 48  LXI   SP, 0x4800
0x0206  CD 52 02  CALL  0x0252     ; clear stuff
0x0209  21 14 02  LXI   HL, 0x0214
0x020C  E5        PUSH  HL
0x020D  FB        EI
0x020E  CD 66 10  CALL  0x1066
0x0211  C3 4E 00  JMP   0x004E     ; all done, go back

0x13AE  3A CB 41  LDA   (0x41CB)
0x13B1  E6 01     ANI   0x01
0x13B3  C8        RZ
0x13B4  26 8F     MVI   H, 0x8F
0x13B6  3E FF     MVI   A, 0xFF
0x13B8  F3        DI
0x13B9  77        MOV   (HL), A
0x13BA  00        NOP
0x13BB  FB        EI
0x13BC  C9        RET

; RST1
; set front panel stuff
; depending what is in register H
; new SP from 4292h
; jump to 1C10h
; and much more from there

0x1C09  21 00 00  LXI   HL, 0x0000
0x1C0C  39        DAD   SP
0x1C0D  22 92 42  SHLD  (0x4292)
0x1C10  26 E3     MVI   H, 0xE3
0x1C12  36 0C     MVI   (HL), 0x0C

; RST2
; fill 0Ch pieces of A to 401Ah and up
0x0010  11 1A 40  LXI   DE, 0x401A
0x0013  0E 0C     MVI   C, 0x0C
0x0015  C3 14 22  JMP   0x2214

; RST3
0x0018  F5        PUSH  AF
0x0019  E5        PUSH  HL
0x001A  D5        PUSH  DE
0x001B  C5        PUSH  BC
0x001C  2A 12 41  LHLD  (0x4112)
0x001F  E9        PCHL ;---------->*

; RST4
0x0020  F5        PUSH  AF
0x0021  E5        PUSH  HL
0x0022  D5        PUSH  DE
0x0023  C5        PUSH  BC
0x0024  2A 12 41  LHLD  (0x4112)
0x0027  E9        PCHL ;---------->*

; RST5
0x0028  CD AE 13  CALL  0x13AE       ; Isolator=FF if 41CBbit0
0x002B  2A C8 41  LHLD  (0x41C8)
0x002E  E9        PCHL ;---------->*

; RST6
0x0030  F5        PUSH  AF
0x0031  E5        PUSH  HL
0x0032  2A 10 41  LHLD  (0x4110)
0x0035  E9        PCHL ;---------->*

; RST7
; pretty hard start

 
The following users thanked this post: SilverSolder
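
The listing in the post above was collected by hand. As an added example (not code from the thread), the Python below scans an image for SHLD writes to the three RAM words that the RST stubs load before PCHL, and classifies where the stored value came from. The vector addresses and the sample bytes are copied from the listing; the rest of the sample image is zero-filled, and the function names are made up for this example.

```python
# Added example, not from the thread: find writes to the RAM-resident
# handler pointers used by the RST3/4/5/6 stubs (LHLD (ptr) / PCHL).
SHLD, LXI_H, LHLD = 0x22, 0x21, 0x2A
RST_VECTORS = {0x4110: "RST6", 0x4112: "RST3/RST4", 0x41C8: "RST5"}


def word(rom, i):
    """Little-endian 16-bit operand at offset i."""
    return rom[i] | (rom[i + 1] << 8)


def find_vector_writes(rom, vectors=RST_VECTORS):
    """Return (shld_addr, vector, kind, value) for every SHLD to a vector.

    kind is "const"   when the SHLD directly follows LXI HL,imm16,
            "copy"    when it follows LHLD (addr), i.e. a saved pointer,
            "unknown" when HL was set some other way (e.g. XCHG).
    This is a raw byte scan, so a hit inside a data area is possible and
    the look-back can misread an operand byte as an opcode; check each
    hit against the disassembly.
    """
    findings = []
    for i in range(len(rom) - 2):
        if rom[i] != SHLD or word(rom, i + 1) not in vectors:
            continue
        name = vectors[word(rom, i + 1)]
        kind, value = "unknown", None
        if i >= 3 and rom[i - 3] == LXI_H:
            kind, value = "const", word(rom, i - 2)
        elif i >= 3 and rom[i - 3] == LHLD:
            kind, value = "copy", word(rom, i - 2)
        findings.append((i, name, kind, value))
    return findings


def handler_entry_points(findings):
    """Constant handler addresses, to feed the disassembler as code starts."""
    return sorted({value for _, _, kind, value in findings if kind == "const"})


def build_sample_rom():
    """Zero-filled image with three fragments copied from the listing."""
    rom = bytearray(0x4000)
    fragments = {
        0x00B4: "21 F8 0B 22 12 41 21 FE 0B 22 10 41",
        0x0D0E: "2A AC 41 22 12 41",
        0x158A: "26 D3 11 98 1A 36 00 EB 22 AC 41 22 12 41 C9",
    }
    for addr, hexbytes in fragments.items():
        data = bytes.fromhex(hexbytes)
        rom[addr:addr + len(data)] = data
    return rom


SAMPLE_ROM = build_sample_rom()

if __name__ == "__main__":
    for addr, name, kind, value in find_vector_writes(SAMPLE_ROM):
        shown = "?" if value is None else f"0x{value:04X}"
        print(f"0x{addr:04X}  SHLD {name:10s} {kind:8s} {shown}")
```
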

Offline mdubinko

  • Contributor
  • Posts: 30
  • Country: us
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #93 on: November 16, 2021, 07:50:54 am »
Hey @SilverSolder and all,

I love that folks are looking at this. Wondering if there is any new progress to report. Do you have a repo or wiki somewhere to accumulate community knowledge over time?

Has anyone looked at U20 data, which seems to store the calibration information? Understanding the format there might help decipher some of the code.
And would there be any benefit in looking at diffs between different versions? That too might give important hints to the structure of the code.
 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #94 on: November 16, 2021, 10:48:57 pm »
Hey @SilverSolder and all,

I love that folks are looking at this. Wondering if there is any new progress to report. Do you have a repo or wiki somewhere to accumulate community knowledge over time?

Has anyone looked at U20 data, which seems to store the calibration information? Understanding the format there might help decipher some of the code.
And would there be any benefit in looking at diffs between different versions? That too might give important hints to the structure of the code.


Welcome to the "crazy corner"!

I am not aware of anyone deciphering U20, it may not be a super difficult project?  - perhaps, monitor the chip while updating calibration numbers?  Another approach might be to look at the firmware and perhaps try to decode where it is accessing U20...





 

Offline mdubinko

  • Contributor
  • Posts: 30
  • Country: us
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #95 on: November 20, 2021, 12:10:57 am »
May I suggest setting up a dedicated space for collaboration? I can imagine a wiki working well, but something with revision control might be even better. The more eyeballs, the more shallow the problem of figuring it out.

I'd offer my github space if it helps. I already have one extreme niche reverse-assembly project going on there. :)
 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #96 on: November 21, 2021, 02:30:00 pm »
May I suggest setting up a dedicated space for collaboration? I can imagine a wiki working well, but something with revision control might be even better. The more eyeballs, the more shallow the problem of figuring it out.

I'd offer my github space if it helps. I already have one extreme niche reverse-assembly project going on there. :)

There are benefits to just keeping it here on the eevblog, the "barrier to entry" is extremely low for forum participants and we can kind of dip in and out, depending on how busy we are.

Eventually, these instruments will yield all their secrets to us!  :)
 

Offline m k

  • Super Contributor
  • ***
  • Posts: 2007
  • Country: fi
Re: Old school 8080 EPROM disassembly - is it making sense?
« Reply #97 on: December 06, 2021, 01:21:09 pm »
I've not forgotten this.
Just had an unusually long period of spare time deprivation, so stuff are pretty much queued.

I also have my own 8505A now, fully loaded but otherwise unknown and said to be broken.
Possibly one for west murricans also but not sure how ebay would take that.
Wouldn't mind either if somebody creates a trusted bargain freight for small(ish) packages, it can be slow.

Don't know about the barrier.
Can't find a thread I was looking yesterday.
Maybe I should "RTFM" and use search.
 
The following users thanked this post: SilverSolder

