What is an Inverse Assembler (IA), and why would I want one?If you are using a logic analyzer to watch the address and data buses of a microprocessor, values on the data bus represent the CPU's opcodes and operands which are the addresses and data moving to/from the CPU and I/O and memory. An inverse assembler is a kind of disassembler that translates bus data into the CPU's assembly language. It is a piece of software that has to be installed on the analyzer before use.
Modern microprocessors include features such as JTAG for debugging, but vintage microprocessors don't. A logic analyzer with an IA makes it much easier to reverse engineer or debug an old microcomputer. It doesn't give you the assembly language source of the program, but instead shows the stream of instructions that are executed and the data they operate on.
As part of the HP 64000 Logic Development System launched in 1979, an "inverse assembler language", IAL, was created and has been used by HP logic analyzers since. An IAL source file has a .S extension. It is assembled into a .R relocatable file which is formatted for and installed on particular analyzers.
OperationA separate IA is required for each microprocessor. They only operate in the Listing view of State analysis, and just decode the data on the current screen rather than all the acquired data. The operating manual for each logic analyzer gives the details of how to install an IA. To use it, the analyzer is connected to the address, data and status buses of the CPU and in the Format menu are given the labels ADDR, DATA, and STAT, respectively. The IA needs to provide information on how the status lines are to be connected This is usually in a configuration.txt file.
Once data is acquired, in the Listing view under the label DATA there is a base selector which normally defaults to Hex. Select the field labeled "Invasm" and the inverse assembler will be activated.
Automatic/Manual Code Detection: Some processors, such as the 6502 and 8085, have status lines which indicate when a byte fetched from memory is code rather than data. The IA reads the status lines and automatically determines which lines on the display are code.
For other processors, the IA needs to be manually synchronized. When an IA that needs manual syncing is loaded there should be a "Invasm" Field displayed on the Listing page. Scroll the listing up or down until a known code instruction is in the top line, then select the "Invasm" field. The IA will start decoding that line as an opcode. The listing can be scrolled down and the IA will stay in sync, but it will not stay synced when scrolling up.
Naming ConventionsSome of the software that deals with IA files require file names to be 10 characters or less, starting with an upper case letter, letters or numbers or underscore characters only.
The general convention is:
- First letter of "I" means it is the IA file.
- First letter of "C" means it is a configuration file.
- Last letter of "P" means the IA file is for use with general purpose probing (e.g., flying leads).
- Last letter of "I" means the IA file is for use with dedicated hardware interfaces (often called "preprocessors").
Inverse Assemblers by Processor:- invasm_v3.zip contains inverse assemblers for the
- 6800, 6809
- 68000, 68008, 68010, 68020
- 8085, 8086, 8088
- 80186, 80188, 80286, 80386
- NSC800
- Z80
In addition to the configuration and IA files, there are relocatable *.R and Invasm Field Option *.info files. (Big thanks to MarkL
) - INVASM_SRC.zip contains the decompiled source code for the above IAs. (Big thanks to gslick
) - Details on Z80 STAT bus connections
- 6502 (includes .S and .R files)
- 8008 (includes .S and .R files)
- 10342B_IA.zip contains IAs for the 10342B HPIB, RS-232, RS-449 bus decoder probe. (Big thanks to gslick
)
Logic Analyzer Notes:1611AThis is more for historic interest. The 1611A Logic State Analyzer was described in the
January 1977 HP Journal. It used "personality modules" for each microprocessor that included an IA in ROM.
1630/311650/16500/1660/167016600/16700- Loading preformatted IA files:
- Copy the IA file into a temporary directory. (Don't forget to set public read permission on the file.)
- Use the File Manager to load the IA file you just put on the analyzer.
- The File Manager does necessary formatting and puts its IA file into the /logic/ia directory.
- From the Listing screen, select Invasm then Load...
- If the above doesn't work,
- Copy a IA relocatable .R version of the file onto the analyzer.
- Use the IA Format Utility to convert the file and load it into the /logic/ia directory.
- From the Listing screen, select Invasm then Load...
1680/1690/16900Getting IAs onto an analyzer:Symbol NamesIn addition to the IA, a handy tool when working with microprocessors is to create a Symbol Table of known addresses, such as memory-mapped I/O units and variables. See your analyzer operating manual for specific details of creating a symbol table.
In the Listing display under the label ADDR there is a selection for the base (format) to display addresses in. The default is usually "Hex". Change this to "symbol" and any addresses that are in the symbol table will have their names substituted in the listing. If a Symbol Table is loaded, the IA will also use these address names in its output.
Source Code ViewerThe 16700 analyzers have the B4620B Software Correlation Tool option. The analyzer comes with the tool installed, but needs a license to use. Fortunately, the
license file is available for non-commercial use (along with licenses for the other options).
Normally, source code would be compiled with a debug option and after capturing data with the analyzer the source code could be stepped through in the Source viewer while the corresponding line is highlighted in the Listing viewer, and vice-versa. When reverse engineering old uPs, it is unlikely the source code is available. However, the Source viewer can still be useful if the uP's code is disassembled into a listing file that gives the addresses of each line of code. (If a disassembler doesn't create such a listing file, an assembler can be used to re-assemble the disassembled code and generate the listing file.)
The
16700 Help Volume, page 197 gives the General-Purpose ASCII (GPA) Symbol File Format. The symbol file is just a text file that is placed somewhere on the analyzer's drive and loaded from a Symbols tab.
Here is an example. Suppose a piece of assembly code in a listing file called test.lst is:
dc19 : b701d0 staa CmdTableIndex
dc1c : 86ee ldaa #$EE
dc1e : b101d0 cmpa CmdTableIndex
dc21 : 2609 bne LDFAA ; branch if valid CmdChar
dc23 : bdd6c0 jsr subResetCmdFlags
dc26 : 7ee3a0 jmp LE768 ; set flagCmdParse bit6 and rts
The first column is the start address of each line of code. The symbol file is given a [SOURCE LINES] section, e.g. for this piece of code:
[SOURCE LINES]
File: test.lst
...
9029 dc19
9030 dc1c
9031 dc1e
9032 dc21
9033 dc23
9034 dc26
...
The file test.lst is placed in the analyzer's /logic/source/ directory. The first column is the decimal line number in the source file and the second column is the hexadecimal address. (A spreadsheet can be used to manually extract the address values and add line numbers, for example.) The symbol file is loaded in the normal way. When run to this code, the Listing view will display (at address dc1e):

From the Listing view, on the menu bar at the top of the screen select Source/Open Source Viewer... The viewer displays the source file and highlights the corresponding source line:

The program execution can be stepped forward and backward and the captured data can be searched to see if particular lines of source were executed. The listing view shows data values that were passed, for instance, the CMPA (6800 Compare Accumulator A opcode) shows the value 07 was read from memory as the value of variable CmdTableIndex. In addition, analyzer trigger points can be set at particular lines of the source, similar to breakpoints in emulators and debuggers. The
Listing Display Tool Help Volume pages 24-39 gives details.
Writing an Inverse AssemblerIf you wish to write your own IA, the
HP 10391B IAL Development Package includes sample source files for the 8085 and 68010 and an assembler to convert the .S source files into .R files for the analyzers. This software needs to run on a DOS computer or in
DOSBOX. A hint on
setting up this assembler.If anyone has additional files, they can be posted as attachments and links can be added here, too.
Thanks!
Tim