Products > Test Equipment
HP Logic Analyzer Inverse Assemblers
TimInCanada:
What is an Inverse Assembler (IA), and why would I want one?
If you are using a logic analyzer to watch the address and data buses of a microprocessor, values on the data bus represent the CPU's opcodes and operands which are the addresses and data moving to/from the CPU and I/O and memory. An inverse assembler is a kind of disassembler that translates bus data into the CPU's assembly language. It is a piece of software that has to be installed on the analyzer before use.
Modern microprocessors include features such as JTAG for debugging, but vintage microprocessors don't. A logic analyzer with an IA makes it much easier to reverse engineer or debug an old microcomputer. It doesn't give you the assembly language source of the program, but instead shows the stream of instructions that are executed and the data they operate on.
As part of the HP 64000 Logic Development System launched in 1979, an "inverse assembler language", IAL, was created and has been used by HP logic analyzers since. An IAL source file has a .S extension. It is assembled into a .R relocatable file which is formatted for and installed on particular analyzers.
Operation
A separate IA is required for each microprocessor. They only operate in the Listing view of State analysis, and just decode the data on the current screen rather than all the acquired data. The operating manual for each logic analyzer gives the details of how to install an IA. To use it, the analyzer is connected to the address, data and status buses of the CPU and in the Format menu are given the labels ADDR, DATA, and STAT, respectively. The IA needs to provide information on how the status lines are to be connected This is usually in a configuration.txt file.
Once data is acquired, in the Listing view under the label DATA there is a base selector which normally defaults to Hex. Select the field labeled "Invasm" and the inverse assembler will be activated.
Automatic/Manual Code Detection: Some processors, such as the 6502 and 8085, have status lines which indicate when a byte fetched from memory is code rather than data. The IA reads the status lines and automatically determines which lines on the display are code.
For other processors, the IA needs to be manually synchronized. When an IA that needs manual syncing is loaded there should be a "Invasm" Field displayed on the Listing page. Scroll the listing up or down until a known code instruction is in the top line, then select the "Invasm" field. The IA will start decoding that line as an opcode. The listing can be scrolled down and the IA will stay in sync, but it will not stay synced when scrolling up.
Naming Conventions
Some of the software that deals with IA files require file names to be 10 characters or less, starting with an upper case letter, letters or numbers or underscore characters only.
The general convention is:
* First letter of "I" means it is the IA file.
* First letter of "C" means it is a configuration file.
* Last letter of "P" means the IA file is for use with general purpose probing (e.g., flying leads).
* Last letter of "I" means the IA file is for use with dedicated hardware interfaces (often called "preprocessors").
Inverse Assemblers by Processor:
* invasm_v3.zip contains inverse assemblers for the
* 6800, 6809
* 68000, 68008, 68010, 68020
* 8085, 8086, 8088
* 80186, 80188, 80286, 80386
* NSC800
* Z80 In addition to the configuration and IA files, there are relocatable *.R and Invasm Field Option *.info files. (Big thanks to MarkL :-+)
* INVASM_SRC.zip contains the decompiled source code for the above IAs. (Big thanks to gslick :-+)
* Details on Z80 STAT bus connections
* 6502 (includes .S and .R files)
* 8008 (includes .S and .R files)
* 10342B_IA.zip contains IAs for the 10342B HPIB, RS-232, RS-449 bus decoder probe. (Big thanks to gslick :-+)
Logic Analyzer Notes:
1611A
This is more for historic interest. The 1611A Logic State Analyzer was described in the January 1977 HP Journal. It used "personality modules" for each microprocessor that included an IA in ROM.
1630/31
* A discussion on using IAs on these analyzers.
* Formatted IAs for the 6809, 68000, HPIB, RS232 and RS422.
* Introducing the HP1631D
* Another discussion about getting IAs onto the 1630.
1650/16500/1660/1670
* IA files for each of these is compatible with the other models.
* Z80 (ImageMagic disk image for 1650)
* Some 1650 software utilities including some Pascal source code (may work with other analyzers too).
* HP1652B Inverse Assembler
* HP16500B Experiences
16600/16700
* Loading preformatted IA files:
* Copy the IA file into a temporary directory. (Don't forget to set public read permission on the file.)
* Use the File Manager to load the IA file you just put on the analyzer.
* The File Manager does necessary formatting and puts its IA file into the /logic/ia directory.
* From the Listing screen, select Invasm then Load...
* If the above doesn't work,
* Copy a IA relocatable .R version of the file onto the analyzer.
* Use the IA Format Utility to convert the file and load it into the /logic/ia directory.
* From the Listing screen, select Invasm then Load...1680/1690/16900
* The relocatable .R files don't work directly on these analyzers, and involves creating a .DLL wrapper around them.
Getting IAs onto an analyzer:
* Older analyzers with floppy drives often used the HP LIF format for the floppies. The HPDir software can create LIF format floppies on a Windows PC.
* There are also LIF Utilities for linux.
* Some IA files turn up in ImageDisk .IMD format.
* The HPDrive software can emulate an external disk drive, but this requires a PC with a GPIB interface card.
* The IALDOWN utility in the IAL development package transmits IA files to an analyzer over RS232. It must be run in DOSBOX with the serial port configured.
Symbol Names
In addition to the IA, a handy tool when working with microprocessors is to create a Symbol Table of known addresses, such as memory-mapped I/O units and variables. See your analyzer operating manual for specific details of creating a symbol table.
In the Listing display under the label ADDR there is a selection for the base (format) to display addresses in. The default is usually "Hex". Change this to "symbol" and any addresses that are in the symbol table will have their names substituted in the listing. If a Symbol Table is loaded, the IA will also use these address names in its output.
Source Code Viewer
The 16700 analyzers have the B4620B Software Correlation Tool option. The analyzer comes with the tool installed, but needs a license to use. Fortunately, the license file is available for non-commercial use (along with licenses for the other options).
Normally, source code would be compiled with a debug option and after capturing data with the analyzer the source code could be stepped through in the Source viewer while the corresponding line is highlighted in the Listing viewer, and vice-versa. When reverse engineering old uPs, it is unlikely the source code is available. However, the Source viewer can still be useful if the uP's code is disassembled into a listing file that gives the addresses of each line of code. (If a disassembler doesn't create such a listing file, an assembler can be used to re-assemble the disassembled code and generate the listing file.)
The 16700 Help Volume, page 197 gives the General-Purpose ASCII (GPA) Symbol File Format. The symbol file is just a text file that is placed somewhere on the analyzer's drive and loaded from a Symbols tab.
Here is an example. Suppose a piece of assembly code in a listing file called test.lst is:
--- Code: ---dc19 : b701d0 staa CmdTableIndex
dc1c : 86ee ldaa #$EE
dc1e : b101d0 cmpa CmdTableIndex
dc21 : 2609 bne LDFAA ; branch if valid CmdChar
dc23 : bdd6c0 jsr subResetCmdFlags
dc26 : 7ee3a0 jmp LE768 ; set flagCmdParse bit6 and rts
--- End code ---
The first column is the start address of each line of code. The symbol file is given a [SOURCE LINES] section, e.g. for this piece of code:
--- Code: ---[SOURCE LINES]
File: test.lst
...
9029 dc19
9030 dc1c
9031 dc1e
9032 dc21
9033 dc23
9034 dc26
...
--- End code ---
The file test.lst is placed in the analyzer's /logic/source/ directory. The first column is the decimal line number in the source file and the second column is the hexadecimal address. (A spreadsheet can be used to manually extract the address values and add line numbers, for example.) The symbol file is loaded in the normal way. When run to this code, the Listing view will display (at address dc1e):
From the Listing view, on the menu bar at the top of the screen select Source/Open Source Viewer... The viewer displays the source file and highlights the corresponding source line:
The program execution can be stepped forward and backward and the captured data can be searched to see if particular lines of source were executed. The listing view shows data values that were passed, for instance, the CMPA (6800 Compare Accumulator A opcode) shows the value 07 was read from memory as the value of variable CmdTableIndex. In addition, analyzer trigger points can be set at particular lines of the source, similar to breakpoints in emulators and debuggers. The Listing Display Tool Help Volume pages 24-39 gives details.
Writing an Inverse Assembler
If you wish to write your own IA, the HP 10391B IAL Development Package includes sample source files for the 8085 and 68010 and an assembler to convert the .S source files into .R files for the analyzers. This software needs to run on a DOS computer or in DOSBOX. A hint on setting up this assembler.
If anyone has additional files, they can be posted as attachments and links can be added here, too.
Thanks!
Tim
gslick:
--- Quote from: TimInCanada on May 11, 2018, 06:52:28 pm ---Been looking for an inverse assembler for the MC6800. Haven't found one yet, but thought it might be worthwhile to summarize what is available.
--- End quote ---
The file "invasm.zip" is available in the files section of the "HP/Agilent Test Equipment" Yahoo group if you search for it there in the files section. It is a restricted group and you have to join the group first to access the files section.
https://groups.yahoo.com/neo/groups/hp_agilent_equipment/info
https://groups.yahoo.com/neo/groups/hp_agilent_equipment/files
The file is small enough that I can attach it here. It contains the following set of configuration and inverse assembler files.
c68000_i
c68000_p
c68008_i
c68008_p
c6800_i
c6800_p
c68010_i
c68010_p
c68020_i.p
c6809e_p
c6809_i
c6809_p
c80186e_.i
c80186_i
c80188e_.i
c80188_i
c80286_i
c80386_8.7
c80386_i
c8085_i
c8085_p
c8086_i
c8088_i
cnsc800_.i
cz80_i
i68000_i
i68000_p
i68008_i
i68008_p
i6800_i
i6800_p
i68010_i
i68010_p
i68020_i.p
i6809e_p
i6809_i
i6809_p
i80186e_.i
i80186_i
i80188e_.i
i80188_i
i80286_i
i80386_8.7
i80386_i
i8085_ip
i8086_i
i8088_i
insc800_.i
iz80_i
In the particular case of the 6800 / 6802 CPU the 64672A 10307B preprocessor interface contains a non-trivial state machine that does some decoding of the instruction stream as it is executed to provide addition state information that is not available with the general purpose probe version of the configuration and inverse assembler.
gslick:
When the c6800_p 6800 general purpose probe configuration file is loaded into a 16510A analyzer module the configuration is as shown in the attached screen captures.
MarkL:
Great summary, Tim, thanks!
I'll add to the party with another zip archive. gslick, in a different conversation, gave me enough information (thanks, gslick!) that I was able to write a text decoder for the configuration files he just posted in invasm.zip. Attached here is invasm_configtxt.zip, which is the same as invasm.zip, but includes the text version of the config files (plus the C program that did the decoding).
In the zip file, for processor XXX:
iXXXp - inverse assember for general (flying lead) probing
cXXXp - 16510 configuration for general (flying lead) probing
cXXXp.txt - text 16510 configuration for general (flying lead) probing
iXXXi - inverse assember for pre-processors
cXXXi - 16510 configuration for pre-processors
cXXXi.txt - text 16510 configuration for pre-processors
The significance of having a readable form of the config files is that you now have a fighting chance to use the inverse assemblers on something other than a 16510 card.
For example, I have a 16702B with a 16752A card and I've been successful using it on a 6802 processor. I can successfully load i6800_p, the inverse assembler for general purpose (flying lead) probes. No problem there. However, the IA wants to interpret the bits in the label STAT to determine what machine cycle to display. The STAT signal assignments are contained in the companion configuration file, c6800_p. If I had a 16510 it would be easy.
The decoded text of the configuration says:
Title: 6800/02 CONFIG FOR GP PROBES 1_0
Pod assigments (? = disabled)
-----------------------------
Label 0: ADDR (16 bits): A2: ******** ********
Label 1: DATA ( 8 bits): A1: ........ ********
Label 2: STAT ( 3 bits): A1: .....*** ........
Symbols
-------
Label: STAT
INVALID MEM ACCE 00X
MEMORY WRITE 010
MEMORY READ 011
DMA WRITE 1X0
DMA READ 1X1
From this, and knowing what signals exist on the 6802, it's apparent that:
STAT[2] = BA (bus available)
STAT[1] = VMA (valid memory address)
STAT[0] = R/W (read/not write)
Creating a STAT label and connecting the bits as defined above works, plus the obvious DATA and ADDR labels. Screen capture attached. There's other pins being monitored in the capture, but the IA only cares about DATA, ADDR, and STAT.
I haven't tried any of the other processors, but I've spot-checked the decoded configuration against a few processor datasheets and they at least make sense. Any feedback welcome, success or not, and especially if I got something wrong with the any of the decoded configs.
Perhaps we should add known working STAT assignments to this post, like the 6802 above, for various processors as people figure them out.
The decoded configuration files for pre-processors is also included, although they're probably not very useful unless you have a pre-processor or looking to build one.
EDIT: I should also add that in the example the clock is the falling edge of the E signal on the 6802 (or phase 2 clock on the 6800). I haven't decoded the clocking assignments, but like the STAT assignments this could be figured out after a couple of minutes looking at the datasheet.
gslick:
To add another note, if you have an IAL style .R relocatable file after the .S file has been run through the assembler, as far as I know there is no simple way to use the .R file with the 16900 series logic analyzer software (also including the 1680 and 1690 series).
However, if you install an older version of the Analysis AddIn Tool there is a wizard tool that lets you build a interpreter wrapper .DLL file around a .R file. It is non-trivial to get set up to do it. The old version of the wizard tool was set up at the time for Microsoft Visual Studio .NET 2003. I did manage to get it set up to build a .DLL file around an assembled .R file from the 8085 .S source from the 10391B tool. I should revisit that and write up some notes about it as I forget exactly what all was involved now.
If you don't have a .R file, or the .S source to build the .R file, I don't know if there is a way to use any of these old IAL style inverse assembler files with the 16900 series logic analyzer software. The files as they are normally distributed are after the IALDOWN tool has done some sort of undocumented transformation of the .R files. Maybe that transformation could be reverse engineered so that a tool could be written to do an inverse transformation back in .R files. Or maybe even disassemble the files back into functionally equivalent .S source files.
Navigation
[0] Message Index
[#] Next page
Go to full version