9825 disassembly status

I’ve been working on preliminary disassembly of the 9825T ROMs this week, and have some initial symbol information and comments generated for the built in extension ROMs. Nothing to the detail of those from the patent listing, but enough to start deciphering what is going on in each ROM.

I started looking at the banked 98228A disk ROM today. My disassembler currently does not understand banking, so I just have to dump the base page and each of the other banks separately. I did have to byte swap the 16-bit ROM image that Paul provided so that the byte order conformed to those of the mainframe ROMs. I expect that this is done by the ROM pin connections in his clone module. My ROM header decoder script was then happy with the 98228A base page, so I will proceed with some investigation of this ROM’s contents.


Paul Berger


Craig:

You understand that there are two 1K word windows into the ROM and the bank selection is done by a write to the area occupied by the base page ROM. I think my writeup included with the package gives a good description of how it works.

Paul.

On 2017-02-11 4:46 PM, Craig Ruff wrote:

On Feb 11, 2017, at 4:00 PM, Paul Berger <phb.hfx@...> wrote:

You understand that there are two 1K word windows into the ROM and the bank selection is done by a write to the area occupied by the base page ROM. I think my writeup included with the package gives a good description of how it works.

Yes.  At the moment, I’m looking at the code in bank 0 that appears to be associated with bank selection of the other banks.  There are two instructions that my disassembler flagged as invalid bit patterns.  They are at (octal) word addresses 30272 (pattern 070113) and 30313 (pattern 070117).  These do not match any instructions described in the 9825A patent, nor in the 9835 Assembly Language manual (the 9835 CPU is a superset of the 9825 CPU).  The instruction at 30272 happens immediately after a dir (disable interrupts) instruction, and the one at 30313 immediately before an eir (enable interrupts) instruction.  The rest of the code in this sequence copies blocks of 16 words from one location to another; I have not yet determined what this data is.

These apparently invalid instruction bit patterns do not occur as instructions in the entire contents of the other 9825T ROMs.  I have not yet looked at the contents of banks 2-7, nor do I have tentative labels or definitions for base page temporary locations being used.

Notes about the disassembler output.

The second column holds word attribute tags derived from the disassembly process.  The ‘r’ indicates ROM, ‘i’ that the word is considered to be an instruction, ‘c’ a conditional jump, and ‘u’ an unconditional jump.

Symbols in the operand column surrounded by braces on a line following an instruction are alternative names known for the operand location.  They may or may not apply semantically to that specific instruction.  For example, at 30273, the operand address is the decimal 152 constant in the base page ROM.  It is also known, via an equate, as b230 (octal 0230).

30256 ri   004177  selbank?  ldb  p0          ; perform pre bank select stuff?
                                  {kpa,dpa,ppa,zero} 
30257 ri   035742            stb  op1       
                                  {tvar3,op1e} 
30260 ri   004177            ldb  p0        
                                  {kpa,dpa,ppa,zero} 
30261 ri   035767            stb  77767     
30262 ri   004077            ldb  p58       
                                  {b72,colln} 
30263 ri   025044            adb  stolendsk 
30264 ri   035763            stb  77763       ; save address stolen+58
30265 ric  011335            cpa  77335     
30266 riu  067315            jmp  selbnkjmp   ; bank already selected?
30267 ri   031335            sta  77335     
30270 ri   022676            ada  31676       ; «(31676) = 055750»
30271 ri   070430            dir            
30272 ri   070113            INVALID              ; «Unknown instruction, load something into A?, something else entirely?»
30273 ri   030047            sta  p152        ; «write to 0230, select bank 0? Is this an argument word?»
                                  {b230} 
30274 ri   104000            ldb  a,i       
30275 ri   174510            sbr  9         
30276 ri   035762            stb  77762     
30277 ri   104000            ldb  a,i       
30300 ri   174606            sbl  7         
30301 ri   174506            sbr  7         
30302 ric  044000            isz  a         
30303 ri   100000            lda  a,i       
30304 ri   134001            stb  b,i       
30305 ri   005763            ldb  77763     
30306 ri   071417            xfr  16        
30307 ri   020127            ada  p16       
                                  {adr2,b20,ar2a,d16} 
30310 ri   024127            adb  p16       
                                  {adr2,b20,ar2a,d16} 
30311 ric  055762            dsz  77762     
30312 riu  067306            jmp  *-4       
30313 ri   070117            INVALID              ; «Unknown instruction, store A into something?»
30314 ri   070420            eir
30315 ri   030041  selbnkjmp  sta  00041       ; select bank (1)? and jump to code at 077763?
30316 riu  165763            jmp  77763,i
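As an added example, not Craig's or Paul's code, here is a small Python tool for the two preparation steps described in this thread: byte-swapping the 16-bit clone-module dump into the word order of the mainframe ROMs, cutting the result into 1K-word banks so each can be fed separately to a disassembler that does not understand banking, and then scanning every bank for the two octal patterns flagged as invalid above (which the thread says do not occur in the other 9825T ROMs). The 1K-word bank size comes from Paul's description; the little-endian dump order, bank 0 being the base page, and the sample image are assumptions or constructed data, not the real ROM contents.

```python
import struct

WORDS_PER_BANK = 1024            # the thread's "1K word windows"
FLAGGED = {0o070113, 0o070117}   # patterns the disassembler flagged as invalid

def swap_bytes(image: bytes) -> bytes:
    """Swap the two bytes of every 16-bit word. Assumption: the clone-module
    dump is little-endian and the mainframe ROM dumps are big-endian."""
    if len(image) % 2:
        raise ValueError("ROM image must contain whole 16-bit words")
    n = len(image) // 2
    return struct.pack(f">{n}H", *struct.unpack(f"<{n}H", image))

def to_words(image: bytes) -> list[int]:
    """Read a big-endian image as a list of 16-bit words."""
    return list(struct.unpack(f">{len(image) // 2}H", image))

def split_banks(words: list[int], per_bank: int = WORDS_PER_BANK) -> list[list[int]]:
    """Cut the words into consecutive banks so each can be fed separately to a
    disassembler without banking support (bank 0 assumed to be the base page)."""
    if len(words) % per_bank:
        raise ValueError("image is not a whole number of banks")
    return [words[i:i + per_bank] for i in range(0, len(words), per_bank)]

def scan_patterns(banks: list[list[int]], patterns=FLAGGED) -> list[tuple[int, int, str]]:
    """(bank, word offset, octal value) for every flagged word in every bank."""
    return [(b, off, f"{w:06o}")
            for b, bank in enumerate(banks)
            for off, w in enumerate(bank) if w in patterns]

def build_sample() -> bytes:
    """Constructed two-bank image in swapped (little-endian) order, not real ROM
    contents: the flagged words at bank-0 offsets 0o272 and 0o313 and one
    ordinary opcode from the listing (dir, 070430) in bank 1."""
    words = [0] * (2 * WORDS_PER_BANK)
    words[0o272], words[0o313] = 0o070113, 0o070117
    words[WORDS_PER_BANK + 5] = 0o070430
    return struct.pack(f"<{len(words)}H", *words)

def analyse(image: bytes) -> tuple[int, list[tuple[int, int, str]]]:
    """Swap, split and scan; returns the bank count and the flagged hits."""
    banks = split_banks(to_words(swap_bytes(image)))
    return len(banks), scan_patterns(banks)

if __name__ == "__main__":
    print(analyse(build_sample()))  # (2, [(0, 186, '070113'), (0, 203, '070117')])
```

For a real dump, replace build_sample() with the file contents and add the window's base address to each offset to get the octal word addresses used in the listing.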


Paul Berger


Craig,

I can assure you that those instructions get executed and the 9825 does not blow up. I just cranked up my 16700B to check if I had saved any execution traces and there is one; it contains a little over 685,000 state captures. I do not know what command it is a trace of any more, but it is not one of the data file functions as it does not touch the address where I found the defective bit.  I can send it to you if you are interested, it is about 35MB in size.

Paul.

On 2017-02-11 7:18 PM, Craig Ruff wrote:

On Feb 11, 2017, at 8:28 PM, Paul Berger <phb.hfx@...> wrote:

I can send it to you if you are interested  , it is about 35MB in size.

Sure, that would be great.  The 16-bit image and the 8-bit images are consistent for address 030313; I expect the other “invalid” instruction location is too.  The value being placed into A at 030270 looks odd too.  Is it possible some other page of the ROM gets mapped to 054000 (0x5800)?  It may be the instruction trace can shed some light on the issue.