Help reading EPROM (Intersil IM6654A) and analyze firmware

I’m not a PDP-8 expert, but to me that makes sense.

I don’t think that 7730 is a disassembly error. It’s just one of the combined opcodes. All emulators and tools have it that way. What do you mean by the validity check?

I still have to check WINEIGHT (incl 6120 mode) and the Mac emu. And other ROM combinations. (But there are few plausible ones).

I’m also not sure about the vector at 7777. I was pretty sure, that the IRQ reset vector is at 0 (7777+1). But here 2340 is also at the auto-index registers and so a vector anyway (if the file is correct).

Some emulators are lagging one word and obviously print the disassembly after execution. Sometimes the PC (program counter) is lagging especially when having undocumented 6xxx IOTs or combined or unimplemented opcodes 7xxx.
Usually emulators override unknown instructions. The beginning words are usually pointers.

ISZ D0140 (d8tape) D0140 means page 40 as shown on the trace run (pdp8emu).

2340 ISZ @@40 ;Increment operand and skip if zero, Current page @@40.

So I think that could happen:
Page 40 (-1=3F) is the end of the final page (=7777).
It reads the end of the ROM backwards until it finds 0000, that is right before page 36. So it reads pages 36+37 (256 words, 7400-7777) copying to “harddisk” probably RAM.

The emulator missing the hardware would have an endless loop. So I have to manually set L=0 and set PC to 12 to continue.

Then there are 2x64 (dec) words read from pages 21+11 and copied to page 31(-1) what is exactly the empty bytes section. And the amount of 128 words is also correct.

The memory contents are not written, I have to check on other emulators.

I have to again continue manually at PC 112.
Later there are reads from pages 56+11 also to page 31.
Then I’m stuck. There are 2 IOTs. Then continue at 114 but I always end up in that loop.

That’s quite promising! Finding a bit of very plausible code is useful as it says the ROM decode is good. If the pdp-8 has absolute jumps or calls then perhaps you can find code which calls this code. Or, in any case, look at the code which precedes that code.

The PDP8 has conditional and unconditional jumps. But this is at the beginning and there are always jumps/resets to 0 or to the auto-index registers.

d8tape can show code and data sections and subroutines but that often doesn’t work properly despite 2 passes.

Btw the 23 40 on the single ROM are 2 hex values. Maybe a coincidence.

It’s all very time consuming. Later code segments would also be of interest. Most is probably data anyway.

I’m not sure if my assumptions and the ROM combination is correct. But indeed some locations and length are plausible.

You are right: There are actually two CLA instructions! Once in the operate group (07200), which is the one I expected, and once in the skip group (07600), which is the one in question, to be combined with any skip instructions.

(These are the PDP-8 oddities: it may be just a 3-bit instruction set, yet, there are two opcodes for the same instruction… I totally forgot about this. Sorry for the false alarm!)

Regarding the “validity check”: does it make sense as a program, would we have coded it that way? While it may be executable, I still think it’s an odd way to implement things.

(E.g., I’d typically expect a jump instruction after ISZ, in order to form a count-up loop, maybe a NOP to use it as a normal increment, regardless of the incremented value, but not another skip, skipping to yet another conditional skip. Even if we do not care about the potential skip in ISZ, this seems to be quite error-prone and difficult to maintain. — As far as I can see, we increment D0140, then, if either D0140 is now zero, or AC contains a positive value and there was no overflow, we deposit AC in L0073, by this also clearing AC. Otherwise, we’re AND-ing AC, after resetting it, with L0131? Notably, the two skip instructions match complementary, but, still, I can’t see what the AND instruction is for, since AC — as I understand it — will be set to zero before this, by CLA. It’s really this CLA in that combined instruction, which makes me question the code…)

Weird code might be clever code, but I agree that it’s too early to say that this ROM combination is correct. 2 or 3 values could be coincidence. I will check some other combinations first.

Emu WINEIGHT obviously has a bug. The first jump instruction is already wrong (both 6120 and PDP8 mode). Not sure why (extended memory)? The MAC OS9 Emu is of course better. I don’t have Mac OS 10. For the first time I encountered a memory window, I think by MAC tab Window. It’s often greyed out but it will pop up with the CPU window. Although GUI, I never liked this emu under MacOS9 emu under WIN. No fullscreen, unless I change the WIN resolution.

There’s even a 6 bit “ASCII”, 8 bit and OS8 8 bit conversion shown of 4 words, so very good searching for strings. Window is fixed in width.

I even had values after 7777, but probably remains from an earlier papertape I’ve tried.

My device has an internal RAM check. That is probably the very first thing happening after power-up. I think there’s no ROM check.

Most functions have to be initiated by the user via keys, so it’s unclear what other things are happening without pressing keys. There’s just a dot on the LCD. And there’s a regular communication with the PLC, so my device has to check if one is attached (and sending signals). Not sure how this is done. And maybe also check if a cartridge is present and the dip switches of that and its own.

If this code is correct, I have to emulate the hard disk acting as RAM. Maybe SIMH is better, but I first try other ROM combinations.

Check the Intersil docs, I think they may have had a few changes vs the PDP8/e. I know I/O may not be exactly the same. I think stack operations were added (io device) on the later version on the chip. Remember too the Intersil chip does the front panel as hardware trap.
Ben.


Yes, thanks, the Intersil is a bit different. There are 6 600x IOT opcodes. But none of my recent ROM combinations have any of those near the beginning of a run. Some more special opcodes are in the source of bindump (6120 tools). This Control panel service routine is interesting. It’s (starting) at 7777 of the ROM. Maybe only for memory larger than 4K.

So at 7777 must be 6000. The PC is stored at 0000 of the “panel memory”.
At 7777 I have 0006 (pair 4-8). Would be 6000 when bit reversed! Maybe that’s the reason for bit reversal of the 6120. I will check this. There are some more Intersil specials like extended memory, octal debugging tool etc but I don’t have any of these Intersil ICs.

The Mac emulator replaces the word at 7777 with 5370 (JMP 7770). I don’t know why. With empty bytes at the end this is wrong. Maybe with relocation or if the empty sections are replaced.

I’ve tested some more ROM combinations. Only few are plausible, not mixing with the empty bytes. All codes when starting at 0. 200 or vector 7777 make less sense. Still no strings.

5-1, 6-2, 7-3, 8-4. (7777: 0600) swapped ROM in pairs, previously pairs were 1-5, 2-6, 3-7, 4-8. 2340->4023. Also quite plausible. At least all not running into the auto-index. All end up in full loops shown.

[0000] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:4023 JMS 0023   ;Jump to subroutine ZP 0023
[0024] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5271 JMP @@71   ;Jump Current page @@71
[0071] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1077 TAD 0077   ;Add operand to AC, ZP 0077
[0072] IRQ,DLY,IE=0,0,0 L/AC:0/3112 MQ:0000 IR:7650 SNA CLA    ;Skip on AC <> 0, Clear AC
[0074] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5235 JMP @@35   ;Jump Current page @@35
[0035] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7303 CLL CLA IAC BSW;Clear L, set AC to 0100
[0036] IRQ,DLY,IE=0,0,0 L/AC:0/0100 MQ:0000 IR:3077 DCA 0077   ;Deposit AC to memory then clear AC, ZP 0077
[0037] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1266 TAD @@66   ;Add operand to AC, Current page @@66
[0040] IRQ,DLY,IE=0,0,0 L/AC:0/0005 MQ:0000 IR:3103 DCA 0103   ;Deposit AC to memory then clear AC, ZP 0103
[0041] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1306 TAD @@06   ;Add operand to AC, Current page @@06
[0042] IRQ,DLY,IE=0,0,0 L/AC:0/3360 MQ:0000 IR:3100 DCA 0100   ;Deposit AC to memory then clear AC, ZP 0100
[0043] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:4023 JMS 0023   ;Jump to subroutine ZP 0023
[0024] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5271 JMP @@71   ;Jump Current page @@71

starting at 600 vector at 7777

[0600] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:0000 AND 0000   ;AND operand with AC, ZP 0000 
[0601] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:2000 ISZ 0000   ;Increment operand and skip if zero, ZP 0000 
[0602] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1103 TAD 0103   ;Add operand to AC, ZP 0103
[0603] IRQ,DLY,IE=0,1,0 L/AC:0/0062 MQ:0000 IR:3054 DCA 0054   ;Deposit AC to memory then clear AC, ZP 0054
[0604] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1104 TAD 0104   ;Add operand to AC, ZP 0104
[0605] IRQ,DLY,IE=0,1,0 L/AC:0/7770 MQ:0000 IR:3133 DCA 0133   ;Deposit AC to memory then clear AC, ZP 0133
[0606] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1105 TAD 0105   ;Add operand to AC, ZP 0105
[0607] IRQ,DLY,IE=0,1,0 L/AC:0/5673 MQ:0000 IR:7650 SNA CLA    ;Skip on AC <> 0, Clear AC
[0611] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7327 STL CLA IAC RTL;Set L, Set AC to 0001, Rotate AC & L left twice
[0612] IRQ,DLY,IE=0,1,0 L/AC:0/0006 MQ:0000 IR:0103 AND 0103   ;AND operand with AC, ZP 0103
[0613] IRQ,DLY,IE=0,1,0 L/AC:0/0002 MQ:0000 IR:7650 SNA CLA    ;Skip on AC <> 0, Clear AC
[0615] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1310 TAD @@10   ;Add operand to AC, Current page @@10
[0616] IRQ,DLY,IE=0,1,0 L/AC:0/1000 MQ:0000 IR:3060 DCA 0060   ;Deposit AC to memory then clear AC, ZP 0060
[0617] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1054 TAD 0054   ;Add operand to AC, ZP 0054
[0620] IRQ,DLY,IE=0,1,0 L/AC:0/0062 MQ:0000 IR:1304 TAD @@04   ;Add operand to AC, Current page @@04
[0621] IRQ,DLY,IE=0,1,0 L/AC:1/0053 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC
[0622] IRQ,DLY,IE=0,1,0 L/AC:1/0000 MQ:0000 IR:5263 JMP @@63   ;Jump Current page @@63
[0663] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:1133 TAD 0133   ;Add operand to AC, ZP 0133
[0664] IRQ,DLY,IE=0,0,0 L/AC:1/7770 MQ:0000 IR:7106 CLL RTL    ;Clear L, Rotate AC & L left twice
[0665] IRQ,DLY,IE=0,0,0 L/AC:1/7741 MQ:0000 IR:7006 RTL        ;Rotate AC & L left twice
[0666] IRQ,DLY,IE=0,0,0 L/AC:1/7607 MQ:0000 IR:0035 AND 0035   ;AND operand with AC, ZP 0035
[0667] IRQ,DLY,IE=0,0,0 L/AC:1/7203 MQ:0000 IR:3055 DCA 0055   ;Deposit AC to memory then clear AC, ZP 0055
[0670] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:1133 TAD 0133   ;Add operand to AC, ZP 0133
[0671] IRQ,DLY,IE=0,0,0 L/AC:1/7770 MQ:0000 IR:7002 BSW        ;Byte Swap AC
[0672] IRQ,DLY,IE=0,0,0 L/AC:1/7077 MQ:0000 IR:7112 CLL RTR    ;Clear L, Rotate AC & L right twice
[0673] IRQ,DLY,IE=0,0,0 L/AC:1/5617 MQ:0000 IR:7012 RTR        ;Rotate AC & L right twice
[0674] IRQ,DLY,IE=0,0,0 L/AC:1/7343 MQ:0000 IR:7010 RAR        ;Rotate AC & L right
[0675] IRQ,DLY,IE=0,0,0 L/AC:1/7561 MQ:0000 IR:0311 AND @@11   ;AND operand with AC, Current page @@11
[0676] IRQ,DLY,IE=0,0,0 L/AC:1/3560 MQ:0000 IR:7421 MQL        ;Load MQ from AC then clear AC
[0677] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:3560 IR:1133 TAD 0133   ;Add operand to AC, ZP 0133
[0700] IRQ,DLY,IE=0,0,0 L/AC:1/7770 MQ:3560 IR:0035 AND 0035   ;AND operand with AC, ZP 0035
[0701] IRQ,DLY,IE=0,0,0 L/AC:1/7300 MQ:3560 IR:7501 MQA        ;OR MQ with AC
[0702] IRQ,DLY,IE=0,0,0 L/AC:1/7760 MQ:3560 IR:3052 DCA 0052   ;Deposit AC to memory then clear AC, ZP 0052
[0703] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:3560 IR:5020 JMP 0020   ;Jump ZP 0020
[0020] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:3560 IR:1107 TAD 0107   ;Add operand to AC, ZP 0107
[0021] IRQ,DLY,IE=0,0,0 L/AC:1/5612 MQ:3560 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC
[0022] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:3560 IR:5230 JMP @@30   ;Jump Current page @@30
[0030] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:3560 IR:4023 JMS 0023   ;Jump to subroutine ZP 0023
[0024] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:3560 IR:5271 JMP @@71   ;Jump Current page @@71
[0071] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:3560 IR:1077 TAD 0077   ;Add operand to AC, ZP 0077
[0072] IRQ,DLY,IE=0,0,0 L/AC:1/3112 MQ:3560 IR:7650 SNA CLA    ;Skip on AC <> 0, Clear AC
[0074] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:3560 IR:5235 JMP @@35   ;Jump Current page @@35
[0035] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:3560 IR:7303 CLL CLA IAC BSW;Clear L, set AC to 0100
[0036] IRQ,DLY,IE=0,0,0 L/AC:0/0100 MQ:3560 IR:3077 DCA 0077   ;Deposit AC to memory then clear AC, ZP 0077
[0037] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:3560 IR:1266 TAD @@66   ;Add operand to AC, Current page @@66
[0040] IRQ,DLY,IE=0,0,0 L/AC:0/0005 MQ:3560 IR:3103 DCA 0103   ;Deposit AC to memory then clear AC, ZP 0103
[0041] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:3560 IR:1306 TAD @@06   ;Add operand to AC, Current page @@06
[0042] IRQ,DLY,IE=0,0,0 L/AC:0/3360 MQ:3560 IR:3100 DCA 0100   ;Deposit AC to memory then clear AC, ZP 0100
[0043] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:3560 IR:4023 JMS 0023   ;Jump to subroutine ZP 0023
[0024] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:3560 IR:5271 JMP @@71   ;Jump Current page @@71
[0071] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:3560 IR:1077 TAD 0077   ;Add operand to AC, ZP 0077

Having empty bytes at the beginning is very unlikely but having these at the end is better (although not having a vector then at 7777). 4-8, 3-7, 2-6, 1-5 has no plausible code.

(4-8, 3-7, 2-6, 1-5 (words reversed, empty bytes at end), HLT and illegal opcode 7755, looks more like data than opcodes.)

8-4, 7-3, 6-2, 5-1 (words reversed), undocumented IOT 6230. 6230, 6130, 6030 5230, 1130 are more likely data.

[0000] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7657 CLA SAM    ;Clear AC, Subtract AC from MQ
[0001] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:0004 AND 0004   ;AND operand with AC, ZP 0004
[0002] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7435 MQL ASR    ;Arithmetic shift right
[0003] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:2050 ISZ 0050   ;Increment operand and skip if zero, ZP 0050
[0004] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:6230            ;
[0005] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:6130 CLZE       ;DK8-EC: Clear Clock Enable Register per AC
[0006] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:6030 KCF        ;KL8-E: Clear Keyboard Flag
[0007] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:5230 JMP @@30   ;Jump Current page @@30
[0030] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1130 TAD 0130   ;Add operand to AC, ZP 0130
[0031] IRQ,DLY,IE=0,0,0 L/AC:0/3111 MQ:0000 IR:1014 TAD 0014   ;Add operand to AC, ZP 0014
[0032] IRQ,DLY,IE=0,0,0 L/AC:0/4125 MQ:0000 IR:1030 TAD 0030   ;Add operand to AC, ZP 0030
[0033] IRQ,DLY,IE=0,0,0 L/AC:0/5255 MQ:0000 IR:1714 TAD I @@14 ;Add operand to AC, Indexed Current page @@14
[0034] IRQ,DLY,IE=0,0,0 L/AC:1/3616 MQ:0000 IR:2050 ISZ 0050   ;Increment operand and skip if zero, ZP 0050
[0035] IRQ,DLY,IE=0,0,0 L/AC:1/3616 MQ:0000 IR:3753 DCA I @@53 ;Deposit AC to memory then clear AC, Indexed Current page @@53
[0036] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:1320 TAD @@20   ;Add operand to AC, Current page @@20
[0037] IRQ,DLY,IE=0,0,0 L/AC:1/4170 MQ:0000 IR:1134 TAD 0134   ;Add operand to AC, ZP 0134
[0040] IRQ,DLY,IE=0,0,0 L/AC:0/2601 MQ:0000 IR:1014 TAD 0014   ;Add operand to AC, ZP 0014
[0041] IRQ,DLY,IE=0,0,0 L/AC:0/3615 MQ:0000 IR:1330 TAD @@30   ;Add operand to AC, Current page @@30
[0042] IRQ,DLY,IE=0,0,0 L/AC:0/6726 MQ:0000 IR:1714 TAD I @@14 ;Add operand to AC, Indexed Current page @@14
[0043] IRQ,DLY,IE=0,0,0 L/AC:1/5267 MQ:0000 IR:1130 TAD 0130   ;Add operand to AC, ZP 0130
[0044] IRQ,DLY,IE=0,0,0 L/AC:0/0400 MQ:0000 IR:1714 TAD I @@14 ;Add operand to AC, Indexed Current page @@14
[0045] IRQ,DLY,IE=0,0,0 L/AC:0/6741 MQ:0000 IR:1030 TAD 0030   ;Add operand to AC, ZP 0030
[0046] IRQ,DLY,IE=0,0,0 L/AC:1/0071 MQ:0000 IR:1714 TAD I @@14 ;Add operand to AC, Indexed Current page @@14
[0047] IRQ,DLY,IE=0,0,0 L/AC:1/6432 MQ:0000 IR:7707 ACL DVI    ;Load MQ into AC, Divide
[0050] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:0110 AND 0110   ;AND operand with AC, ZP 0110
[0051] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:4777 JMS I @@77 ;Jump to subroutine Indexed Current page @@77
[2714] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:1077 TAD 0077   ;Add operand to AC, ZP 0077
[2715] IRQ,DLY,IE=0,0,0 L/AC:1/3430 MQ:0000 IR:5512 JMP I 0112 ;Jump Indexed ZP 0112
[3111] IRQ,DLY,IE=0,0,0 L/AC:1/3430 MQ:0000 IR:4076 JMS 0076   ;Jump to subroutine ZP 0076
[0077] IRQ,DLY,IE=0,0,0 L/AC:1/3430 MQ:0000 IR:3430 DCA I 0030 ;Deposit AC to memory then clear AC, Indexed ZP 0030
[0100] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:3013 DCA 0013   ;Deposit AC to memory then clear AC, ZP 0013
[0101] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:5531 JMP I 0131 ;Jump Indexed ZP 0131
[0753] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:3154 DCA 0154   ;Deposit AC to memory then clear AC, ZP 0154
[0754] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:4630 JMS I @@30 ;Jump to subroutine Indexed Current page @@30
[1051] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:3211 DCA @@11   ;Deposit AC to memory then clear AC, Current page @@11
[1052] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:3753 DCA I @@53 ;Deposit AC to memory then clear AC, Indexed Current page @@53

I feel this was quite useful to anyone following along, because they are raw bytes and anyone can try reordering bits or bytes or grouping in various ways.

Maybe if you could do the same again, but share 16 bytes from the end of each ROM, and then 16 bytes from the beginning of each?

1 top line 0000, bottom 03f0
13 3D 18 3F 03 13 07 0D 13 26 13 33 0A 04 08 18
05 3D 08 08 2C 2C 2D 08 2A 30 31 32 10 3C 00 3E

2
26 00 26 00 1E 00 0A 00 02 00 12 00 02 00 08 00
3D 30 1D 03 38 20 2D 2E 3A 38 04 28 3E 3F 2E 29

3
24 16 08 3C 3C 15 15 13 22 16 03 16 12 1C 1C 3C
2F 00 31 07 28 28 28 28 28 28 1E 2C 3D 1E 3B 10

4
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0F 01 03 0F 11 01 1C 04 3C 1B 0B 0F 03 24 35 00

5
20 30 3B 18 19 20 14 2A 20 32 20 2D 11 09 3F 2A
3B 0B 18 0C 18 08 18 0C 18 18 18 18 28 1D 04 2F

6
1C 04 0A 04 18 0A 26 28 18 08 1A 2C 1A 08 1A 34
1B 1A 08 01 0B 3E 2B 2F 3F 00 09 3E 2F 2F 1C 1E

7
3B 09 3F 0B 0B 01 19 20 33 09 19 09 0B 19 0D 18
1D 22 1D 14 0B 0B 0B 0B 0B 0B 19 0B 21 11 2B 28

8
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
10 3B 01 0C 3C 3D 34 09 2F 09 19 20 3A 3F 07 06

There are dozens of plausible combinations. I had almost checked them all.
How likely is it to have ROM 2 at the beginning? If so then 2-1. Same for ROM 3.
It’s not even known for sure if there are 4 pairs. First I made no pairs, then 2 then 4.
I have now also checked split ROMs, so 8 pairs, so one pair within each ROM. No plausible code (on 1-8).
Bit reversal gave other results than hoped. 00 06 although same in HEX and octal didn’t result in 6000 octal.

I now have to assume that I’ve just got 2 bad dumps.

The main PLC has 4 pairs. The first pair share the year at 1776. So pair one is obviously 1-2. The rest 3-4, 5-6, 7-8.
On my device I have empty bytes at the beginning of ROM 4, so already at the beginning of pair 2 (2000-2177).

This is the beginning run of that combination. Note that at 0 is vector 2346 which is referred to at 11 (auto-index) and then continues at 2347.
But soon it runs into the empty section. This time I haven’t put there NOPs but only changed the 2nd half of the word (FF) to 00, so I know at least what kind of instruction I have.

So it’s probably (almost) impossible to reconstruct a proper run without knowing the right instructions there.
At 7777 is 5006. Has a jump to 0 after the 4th instruction. starting at 5005 would seem a plausible start, but also jumps to 0.
Maybe I can find data or some code in later ROMs with the help of d8tape.

[5005] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7352 CLL CLA CMA RTR;Clear L, Set AC to 7777, rotate AC & L right twice

[5006] IRQ,DLY,IE=0,1,0 L/AC:1/5777 MQ:0000 IR:3105 DCA 0105   ;Deposit AC to memory then clear AC, ZP 0105
[5007] IRQ,DLY,IE=0,1,0 L/AC:1/0000 MQ:0000 IR:5050 JMP 0050   ;Jump ZP 0050
[0050] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:2312 ISZ @@12   ;Increment operand and skip if zero, Current page @@12
[0051] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:5000 JMP 0000   ;Jump ZP 0000 


[0000] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:2346 ISZ @@46   ;Increment operand and skip if zero, Current page @@46
[0001] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7500 SMA        ;Skip on AC < 0
[0002] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:3046 DCA 0046   ;Deposit AC to memory then clear AC, ZP 0046
[0003] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7700 SMA CLA    ;Skip on AC < 0, Clear AC
[0004] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:0336 AND @@36   ;AND operand with AC, Current page @@36
[0005] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:2300 ISZ @@00   ;Increment operand and skip if zero, Current page @@00
[0006] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:0712 AND I @@12 ;AND operand with AC, Indexed Current page @@12
[0007] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1500 TAD I 0100 ;Add operand to AC, Indexed ZP 0100
[0010] IRQ,DLY,IE=0,1,0 L/AC:0/1150 MQ:0000 IR:2302 ISZ @@02   ;Increment operand and skip if zero, Current page @@02
[0011] IRQ,DLY,IE=0,1,0 L/AC:0/1150 MQ:0000 IR:4600 JMS I @@00 ;Jump to subroutine Indexed Current page @@00
[2347] IRQ,DLY,IE=0,0,0 L/AC:0/1150 MQ:0000 IR:0640 AND I @@40 ;AND operand with AC, Indexed Current page @@40
[2350] IRQ,DLY,IE=0,0,0 L/AC:0/0110 MQ:0000 IR:0665 AND I @@65 ;AND operand with AC, Indexed Current page @@65
[2351] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:0320 AND @@20   ;AND operand with AC, Current page @@20
[2352] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1070 TAD 0070   ;Add operand to AC, ZP 0070
[2353] IRQ,DLY,IE=0,0,0 L/AC:0/1440 MQ:0000 IR:2075 ISZ 0075   ;Increment operand and skip if zero, ZP 0075
[2354] IRQ,DLY,IE=0,0,0 L/AC:0/1440 MQ:0000 IR:0357 AND @@57   ;AND operand with AC, Current page @@57
[2355] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1700 TAD I @@00 ;Add operand to AC, Indexed Current page @@00
[2356] IRQ,DLY,IE=0,0,0 L/AC:0/7476 MQ:0000 IR:0442 AND I 0042 ;AND operand with AC, Indexed ZP 0042
[2357] IRQ,DLY,IE=0,0,0 L/AC:0/0036 MQ:0000 IR:2036 ISZ 0036   ;Increment operand and skip if zero, ZP 0036
[2360] IRQ,DLY,IE=0,0,0 L/AC:0/0036 MQ:0000 IR:2363 ISZ @@63   ;Increment operand and skip if zero, Current page @@63
[2361] IRQ,DLY,IE=0,0,0 L/AC:0/0036 MQ:0000 IR:7136 STL        ;Set L
[2362] IRQ,DLY,IE=0,0,0 L/AC:1/2336 MQ:0000 IR:2423 ISZ I 0023 ;Increment operand and skip if zero, Indexed ZP 0023
[2363] IRQ,DLY,IE=0,0,0 L/AC:1/2336 MQ:0000 IR:2616 ISZ I @@16 ;Increment operand and skip if zero, Indexed Current page @@16
[2364] IRQ,DLY,IE=0,0,0 L/AC:1/2336 MQ:0000 IR:3421 DCA I 0021 ;Deposit AC to memory then clear AC, Indexed ZP 0021
[2365] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:1500 TAD I 0100 ;Add operand to AC, Indexed ZP 0100
[2366] IRQ,DLY,IE=0,0,0 L/AC:1/1150 MQ:0000 IR:1651 TAD I @@51 ;Add operand to AC, Indexed Current page @@51
[2367] IRQ,DLY,IE=0,0,0 L/AC:1/7536 MQ:0000 IR:1115 TAD 0115   ;Add operand to AC, ZP 0115
[2370] IRQ,DLY,IE=0,0,0 L/AC:0/6136 MQ:0000 IR:4740 JMS I @@40 ;Jump to subroutine Indexed Current page @@40
wrong instructions 26xx
[2001] IRQ,DLY,IE=0,0,0 L/AC:0/6136 MQ:0000 IR:2600 ISZ I @@00 ;Increment operand and skip if zero, Indexed Current page @@00
[2002] IRQ,DLY,IE=0,0,0 L/AC:0/6136 MQ:0000 IR:1000 TAD 0000   ;Add operand to AC, ZP 0000 
[2003] IRQ,DLY,IE=0,0,0 L/AC:1/0504 MQ:0000 IR:7400 NOP        ;No Operation
[2004] IRQ,DLY,IE=0,0,0 L/AC:1/0504 MQ:0000 IR:7400 NOP        ;No Operation
[2005] IRQ,DLY,IE=0,0,0 L/AC:1/0504 MQ:0000 IR:2500 ISZ I 0100 ;Increment operand and skip if zero, Indexed ZP 0100
[2006] IRQ,DLY,IE=0,0,0 L/AC:1/0504 MQ:0000 IR:2500 ISZ I 0100 ;Increment operand and skip if zero, Indexed ZP 0100
[2007] IRQ,DLY,IE=0,0,0 L/AC:1/0504 MQ:0000 IR:2300 ISZ @@00   ;Increment operand and skip if zero, Current page @@00
[2010] IRQ,DLY,IE=0,0,0 L/AC:1/0504 MQ:0000 IR:4200 JMS @@00   ;Jump to subroutine Current page @@00
[2001] IRQ,DLY,IE=0,0,0 L/AC:1/0504 MQ:0000 IR:2600 ISZ I @@00 ;Increment operand and skip if zero, Indexed Current page @@00
loop
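An added example (not code from any poster or tool in this thread): it pairs the 6-bit bytes from the 16-byte excerpts posted earlier into 12-bit words and reproduces the words the posts report at 0000 and 7777 for each ROM ordering, flagging FF bytes that cannot be paired. The 0x400-byte ROM size is inferred from the "bottom 03f0" label, and all function and constant names are hypothetical.

```python
"""Pair 6-bit EPROM bytes into 12-bit PDP-8 words and compare ROM orderings."""

ROM_SIZE = 0x400  # assumption: excerpts are labelled 0000 and 03f0, so 1 KiB per ROM
EXCERPT = 16      # bytes posted from each end of each ROM

# First 16 bytes (offset 0x000) of ROMs 1-8, as posted in the thread.
HEAD = {
    1: "13 3D 18 3F 03 13 07 0D 13 26 13 33 0A 04 08 18",
    2: "26 00 26 00 1E 00 0A 00 02 00 12 00 02 00 08 00",
    3: "24 16 08 3C 3C 15 15 13 22 16 03 16 12 1C 1C 3C",
    4: "FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF",
    5: "20 30 3B 18 19 20 14 2A 20 32 20 2D 11 09 3F 2A",
    6: "1C 04 0A 04 18 0A 26 28 18 08 1A 2C 1A 08 1A 34",
    7: "3B 09 3F 0B 0B 01 19 20 33 09 19 09 0B 19 0D 18",
    8: "FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF",
}
# Last 16 bytes (offset 0x3F0) of ROMs 1-8, as posted in the thread.
TAIL = {
    1: "05 3D 08 08 2C 2C 2D 08 2A 30 31 32 10 3C 00 3E",
    2: "3D 30 1D 03 38 20 2D 2E 3A 38 04 28 3E 3F 2E 29",
    3: "2F 00 31 07 28 28 28 28 28 28 1E 2C 3D 1E 3B 10",
    4: "0F 01 03 0F 11 01 1C 04 3C 1B 0B 0F 03 24 35 00",
    5: "3B 0B 18 0C 18 08 18 0C 18 18 18 18 28 1D 04 2F",
    6: "1B 1A 08 01 0B 3E 2B 2F 3F 00 09 3E 2F 2F 1C 1E",
    7: "1D 22 1D 14 0B 0B 0B 0B 0B 0B 19 0B 21 11 2B 28",
    8: "10 3B 01 0C 3C 3D 34 09 2F 09 19 20 3A 3F 07 06",
}

# Orderings discussed in the thread: (high-half ROM, low-half ROM) per 02000-word bank.
PAIRS_15 = [(1, 5), (2, 6), (3, 7), (4, 8)]
PAIRS_51 = [(5, 1), (6, 2), (7, 3), (8, 4)]
PAIRS_12 = [(1, 2), (3, 4), (5, 6), (7, 8)]


def rom_byte(rom, offset):
    """Return one byte of a ROM; only the two posted excerpts are available."""
    if offset < EXCERPT:
        return bytes.fromhex(HEAD[rom])[offset]
    if offset >= ROM_SIZE - EXCERPT:
        return bytes.fromhex(TAIL[rom])[offset - (ROM_SIZE - EXCERPT)]
    raise LookupError(f"offset {offset:#05x} of ROM {rom} is not in the posted excerpts")


def word_at(addr, pairs):
    """Build the 12-bit word at a PDP-8 address, or None if a half is not 6-bit."""
    bank, offset = divmod(addr, ROM_SIZE)
    hi_rom, lo_rom = pairs[bank]
    hi, lo = rom_byte(hi_rom, offset), rom_byte(lo_rom, offset)
    if hi > 0o77 or lo > 0o77:  # e.g. erased FF bytes: no valid 12-bit word
        return None
    return (hi << 6) | lo


def listing(pairs, start, count):
    """Octal words for a run of addresses; '----' marks words that cannot be paired."""
    words = (word_at(addr, pairs) for addr in range(start, start + count))
    return ["----" if w is None else f"{w:04o}" for w in words]


def bitrev12(word):
    """Reverse the bit order of a 12-bit word."""
    return int(f"{word:012b}"[::-1], 2)


if __name__ == "__main__":
    for name, pairs in (("1-5", PAIRS_15), ("5-1", PAIRS_51), ("1-2", PAIRS_12)):
        print(name, "0000:", listing(pairs, 0, 1)[0],
              "7777:", listing(pairs, 0o7777, 1)[0])
    print("1-2 from 0000:", " ".join(listing(PAIRS_12, 0, 10)))
    print("1-2 from 2000:", " ".join(listing(PAIRS_12, 0o2000, 4)))
    print("bit-reversed 0006:", f"{bitrev12(0o0006):04o}")
```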

After a pause, I’ve started again reading my manuals.
The printouts /data exports are printed in 7 Bit ASCII with parity mark, (so bit 8 is always 1, LSB ?) Before that, an octal checksum is calculated, (at least) 6 digits, with preceding 4x0.

At the end of each line there’s a CR and LF. ASCII: 0D 0A. I’ve converted this to octal= 1512. I found this word (once) in my original, unpaired file (ROM 1-8). Before and after that are related control codes. All the printable characters (/D, /L /S) I previously found, stored in sixbit.
When importing data, someone can add a title and comments after the /. That may not include a colon unless before a valid checksum.
The TTY can also print an U and I think one more single character when fixing code via TTY.
After the export to paper tape, there are 32 or 64 empty lines added and in slowest baud setting some more.

So again, my very first ROM combination might be right.

There are 2 tools from site so-much-stuff, I mentioned before, that can add or remove the mark parity (2mark, 2asc). I tried them and hoped to maybe find the mnemonics, but no success. Maybe I have to convert with another tool before like 3to4, 4to3 or else.

The PDP-8 code is still very hard to read. There are many subroutines. And combined instructions. 6031 and 6032 (IOT teletype instructions are combined 6033 and I have 6133 what is obviously the same for another device). Emulating is also difficult (IRQ without having the hardware).

The printouts, I’ve mentioned here

I made some big progress.
I noticed that some values of some single ROM locations are overwritten in an emulator run.
I noticed this some time ago but only on one or 2 locations and thought that it’s a bug, one location was after 7777. I always wondered about the RAM mapping.
Nevertheless from where I start my ROM, I will soon run into address 6312 as it’s auto indexed at 15 (4523=JMS I 0123) and at 0123 there’s the 6311(+1).
I first noticed on the online emu that (next to the Mac emu) the MB/MD registers are shown (unlike the pdp8emu and Wineight) that when reaching 6374 (lags 1) there are values read into MB/MD starting with 2352 onwards step 1 (when starting from 2375). Same on the MacOs. 3 instructions later is an IRQ (6000) and the values are moved.
But the values differ when I start from 0. I first had values starting at 4041 downwards until 4026 or 4025. Then switching to 0025 down to 0002 then upwards, I checked until 0102.

On the pdp8emu I noticed that after one loop there are ROM values replaced only at following locations: 0, 13, 20, 23, 44, 77, 125, 146, 163, 173 and 175. I have mainly checked locations below 200.
Then I’ve checked these locations after every single step (starting from different addresses).
The value at 0 changed after 1 loop to 6401. That could be the return address after the subroutine.
There are often jumps to a subroutine at 0, but there’s always +1 added, so it continues at 1 and 0 is free for a vector or else. And I still think the start vector is at 0 (7777+1).
It’s strange, especially as address 13 is an auto index register and that would be changed directly when starting from most addresses.
Most values are just incremented, others only change once (as far as checking is possible). 0 just once. 13 once to 1160. 77 once from 6120 to 20. 173 once from 7477 to 4770.

Another aspect are the IOTs (in/out transfer) of the PDP-8 (instructions starting with 6) are already very difficult to understand.
There’s an incomplete list showing most of the 77 possible devices (digit 2+3) here

PiDP-8/I Software: IOT Device Assignments

but some are unknown and others are for customer use (never used by DEC).

To make things worse, the Intersil 6100 has a completely different system. Except that the first digit/3 bits is 6. It can use priority vectored hardware IRQs. The 6120 is again different and can use up to 11 6121 ICs. The instructions are more like the PDP-8. The DecMate (6120) is also different, good source is the ROM disassembly.

Usually there’s at least one, but often at least 2 ICs (DIL 40). One is called PIE, eg 6101 (Parallel Interface Elements). That has 4 registers, most notably a vector register with 10+2 bits.
Another IC is a 6402/6403 UART mainly for Teletype. That can transfer 5, 6, 7 or 8 bits. (I think I had 8 or 7 +stop bit). Up to 31 PIEs can be daisy chained together.

I haven’t found any more 40 DILs on my Festo device, but it could be hidden somewhere, or sit on an additional card, or be implemented as discrete logics or as software.
At least I found instructions for both on my (unpaired) ROM like 6340, 6014 etc. The 6102 IC would have 6275 instead of 6014.

“Ordinary” IOT instructions are already not all implemented in emulators, but these 6100s IOTs definitely not. Not even on WINEIGHT. I have added many devices, most as printer outputs and used the device addresses that appear on my code, but there isn’t any output. Some devices are used as input like keys or TTY input. But after power up, only a transfer from ROM to RAM would make sense. A RAM or ROM check would look different, same for CRC check. Would all check every location.

I think, I have to check all this with other, paired ROM combinations.

EdS, you were right!
I now returned to the paired ROM combination 1-5, 2-6,… (with 0006 at 7777).
When starting from 2340 (the vector assumed at 0) and after some instructions (I tried 100), there is a value written to the empty bytes section (starting at 6000) value 6324 (AC) to location 6101.
There was this instruction

[1751] IRQ,DLY,IE=0,0,0 L/AC:0/6324 MQ:0000 IR:3653 DCA I @@53 ;Deposit AC to memory then clear AC, Indexed Current page @@53

There are also some few (other) locations below 200 overwritten. At 77 is maybe the instruction word stored. At 154 maybe the AC.
I haven’t seen more words written yet, but I haven’t tried much.
But that’s very promising.
I have to check other start addresses, other emulators etc.


I found some more differences between 6100 and other models next to the 6xxx IOTs. Most are not that clear by reading the CPU manual. But confirmed to be true (VT78 CPU diagnostic maindec-08-dkvtb-a-d, Doug Jones model site).

-Some combined instructions of group 1 (70xx) with RAL, RAR, RTL and RTR at least 7014 and 7016 are NOPs instead (PDP8/A, E and 6120 have different behaviour each). Not sure if the PC is incremented but probably. But why would someone use a 7014 NOP instead of 7000, 7400 and 7401? Regular, single RAL etc are allowed.

-Auto-index register (10-17) only works within page 0. Not 100% sure what it means when I have this on other pages. I think an indirect instruction/jump within that page.

-HLT can’t be continued just by a full reset.

-At address 0 there’s the (return) address stored after an IRQ and continued at 1. The reset vector is at 7777, but I’m still not sure if that’s incremented before execution by 1 to 0. Same question for 200.

All regular emulators don’t have this (and I have these instructions very early), so I either have to change the emulators, or my ROM code or adjust the results every single step. By now it’s OK to just test the beginning.

And when I have any of these instructions on my ROM, it’s most likely the wrong ROM combination. But there are several combinations depending on start address. (0, 1, vector at 7777 or 0, usual 200,…)

There’s an Altera FPGA emulation claiming to support the 6100. Running under Linux M68k, written in VHDL. The SRC is interesting also confirming the 7xxx differences. Not sure if I can run this without the FPGA. The intel VHDL software (LITE version) is 5.5 GB (uncompressed 27 GB). And I think I would need an 68K emulation.

-- OP 7014: RAL RAR: This instruction did a lot
-- of different things…

-- HD6120: R3L - Rotate 3 Left
-- HD6100: NOP
-- PDP8/A: Load AC with the next address (PC)
-- PDP8/E: ANDs AC with OPCODE
-- PDP8/I: What should this do?
-- PDP8/S: What should this do?
-- PDP8/L: What should this do?
-- PDP8: What should this do?

I mentioned this project here

I’m now sure that the ROM pairs are 1-5, 2-6. Just by reading the EPROM’s stickers. See my photo here

The 2nd digit after the dot is probably a version number and matches that from the other one. Same for the written D.
But it’s not clear if pairs, bytes/words or bits are reversed or inverted.
Starting with pair 4-8 or 8-4 would result in starting with the empty bytes, which would be very unlikely. When having the empty bytes at the end (reversal of 4-8 or 8-4) that means that the reset vector at 7777 would be an invalid value >12 bit (FF).

1-5, 2-6 has some instructions that aren’t the 6100 ones (see previous post) when starting from most locations.

More of interest is pair 5-1, 6-2. (There are no IOT instructions at the start of a run.)

Emu Wineight has the CPU option BTS6120, which means bootstrap, and has partial 6100 support (SBC6120 version 1).
When enabling this, I have some other opcodes (value indexed at 0077), which is different, obviously overwritten, like the one in the ROM.

Also very interesting is on the Online Emu. When importing a BIN file, it is automatically disassembled.
When reloading that, it is translated into a PAL file but has several to many errors. But it gives some details, like instructions that don’t fit a previous one.
Portions of the ROM are moved/changed due to the empty bytes. But also some single locations (including 0, 2 and 3 were overwritten), also the empty bytes sections themselves.

When opening a PAL file (converted with the perl script bin2pal) there are also 2 pass details (instructions/data fields) and some more details when converted on the emu. It’s still not easy. I mainly checked the beginning and have to check other locations.

A major progress and another confirmation that the ROM pair 51 62 (but swapped) is correct.

There are very few constants in the manual. The LCD display location 4 (bottom right, load AP4 (04 0054) with address 06…) has the operand 7356, which means all 3 digits are underlines _ _ _ . That is also the 12 bit bit pattern. And 6314 means 3x blanks. I found both together followed by one other word.

At location 5575 I found 0016 7356 0014 6314. 16 means the right of 2 digits is an underline, 14 blank. I have a table with the combinations of the value with the left digit. Locations are data regions according to the PAL file. There are also references for both.

At 4144 I have 0100 0756 2132, 1000 7356 2135, 2000 7356 2135, 3000 0356 2132, 3400 2356 2132, 0031 0061 2140 and 3 more ending with 2140. Before and after all this 0000. Ending at 4177 what is the end of page 20.

So 7356. 356 is according the table _ _ (BCD encoded) and 756 and 2356 have one bit more, maybe the separation between locations 1+2 upper line or the symbols left to location 3. The display:

 EE .7777
*EE   888

1000, 2000 could be a RAM location or the address for the LCD. 2135 could also be the LCD address. Or the wandering digit when entering a number pushing the other ones to the left. The bottom line, so 5x_ is displayed when entering code.

The online emu showing the Sixbit character representations when downloading the automatic disassembly from a bin file and when reloading or for a PAL file the data locations even better than d8tape but both are not perfect, especially for the 6100 CPU. Not r obviously is data.

 4147 1000 r | 	TAD S00000
 4150 7356   | 	CLA CLL CMA RTL RTR 
 4151 2135 r | 	ISZ D00135
 4152 2000 r | 	ISZ S00000
 4153 7356   | 	CLA CLL CMA RTL RTR 
 4154 2135 r | 	ISZ D00135
 
 5575 0016 r | 	AND P00016
 5576 7356   | 	CLA CLL CMA RTL RTR 
 5577 0014 r | 	AND P00014
             | 
*5600        | 	*5600 -new page
 5600 6314   | 	6314
 5601 1104 r | 	TAD D00104

4000 is the start of the 2nd half of the ROM. Probably the complete page or even much more is data (concerning the LCD). Maybe error codes?

3770 - 7772 0070 1104 7650 5776 5777 3456 3651
--------------------------------------------- Page 20
4000 - 7344 1126 7710 1374 1374 0125 3125 4023
4010 - 6342 1126 3103 1126 1322 3134 1534 3074
4020 - 1126 3054 7301 0074 7650 5231 1341 3055
4030 - 7325 1313 3010 1410 3067 1410 3070 1410
4040 - 3071 3073 3075 5431 7346 1126 7650 5252
4050 - 2103 2126 1103 3054 3055 1126 3104 1126
4060 - 3052 3074 3070 1125 0342 3125 4017 2143
4070 - 1566 2040 1126 1126 1126 1267 3010 3074
4100 - 1410 3104 1104 7006 7006 0035 3055 1410
4110 - 3052 1410 5232 2113 6737 7774 7760 6744
4120 - 7775 7774 2123 7560 7560 7400 7410 4600
4130 - 4760 0000 0001 6753 7776 7760 6744 7775
4140 - 7760 0014 0020 0000 0100 0756 2132 1000
4150 - 7356 2135 2000 7356 2135 3000 0356 2132
4160 - 3400 2356 2132 0031 0061 2140 0032 0062
4170 - 2140 0033 0063 2140 0010 0020 2140 0000
--------------------------------------------- Page 21

The only 2 references for 5575 and 5577 (None for 5576). Probably both are inside data sections themselves.

 2310 5275 r | 	JMP L02275
 2311 6001   | 	ION         -usually IRQ, but probably data, RAM location for the following word?
 2312 5575 r | 	JMP I P00175  -here ref 
 2313 1363 r | 	TAD D02363

…probably still data, following from a regular disassembly including Sixbit

 02356  7774  >;    | a2356,   SPA SNA SZL CLA OSR
 02357  0077  @>    | a2357,   AND   M77    
 02360  0040  @     | a2360,   AND   M40    
 02361  1600  N@    | a2361,   TAD I M2200  
 02362  2100  Q@    | a2362,   ISZ   M100   
 02363  0060  @/    | a2363,   AND   M60    
 02364  0017  @O    | a2364,   AND   M17    
 02365  0105  AE    | a2365,   AND   M105   
 02366  4163  !2    | a2366,   JMS   C163   
 02367  0040  @     | a2367,   AND   M40    
 02370  4017   O    | a2370,   JMS   C17    
 02371  3561  ]0    | a2371,   DCA I M161   
 02372  1357  K.    | a2372,   TAD   M2357  
 02373  7744  >$    | a2373,   SMA SZA CLA OSR
 02374  7155  8-    | a2374,   CLL CMA IAC 016
 02375  2333  S[    | a2375,   ISZ   M2333

 3352 7272   | 	CLA CML CMA RTR 
 3353 6474   | 	6474        -usually an IOT but obviously all data
 3354 6267   | 	6267
 3355 0011   | D03355,	0011
 3356 0012   | D03356,	0012
 3357 0200   | D03357,	0200
 3360 7764   | D03360,	7764
 3361 7731   | D03361,	7731
 3362 5502   | D03362,	5502
 3363 5473   | D03363,	5473
 3364 5463   | D03364,	5463
 3365 0036   | D03365,	0036
 3366 7756   | D03366,	7756
 3367 5574 r | 	JMP I P00174
 3370 7313   | 	JMS 3313
 3371 5436   | D03371,	5436
 3372 5577 r | 	JMP I P00177  -here ref 
 3373 7267   | 	JMS 3267
 3374 1377 r | 	TAD D03377

Maybe 70-80% of the ROM is data, mainly bit patterns. And maybe RAM code is created/patched and relocated in a run. Start is probably at 600/601 (vector at 7777). When branching to page 00 (< 0200) with changing contents and unclear 6100 behavior I get lost. I have to search for more code locations and data like error codes. I previously only searched for 4 digit error codes. But there are also 5 digit ones.

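As an added illustration (not code from the thread, nor from d8tape, pdp8emu or any other tool mentioned here), the sketch below decodes the page-relative addressing of PDP-8 memory-reference words, builds a cross-reference table, and flags group 1 operate words that set both rotate directions, the pattern reported above as a NOP on the 6100 and therefore a hint that a word is data or that the ROM pairing is wrong. The sample words are copied from the listings in the posts above; flagging every group 1 word with both rotate bits set is an assumption that generalizes the 7014/7016 case.

```python
# Added example: classify 12-bit PDP-8 words to help separate code from data.
MRI = ("AND", "TAD", "ISZ", "DCA", "JMS", "JMP")
G1_FLAGS = ((0o200, "CLA"), (0o100, "CLL"), (0o040, "CMA"),
            (0o020, "CML"), (0o001, "IAC"))

# Constructed sample: address -> word, copied from the listings in the thread.
SAMPLE = {
    0o2310: 0o5275, 0o2311: 0o6001, 0o2312: 0o5575, 0o2313: 0o1363,
    0o4147: 0o1000, 0o4150: 0o7356, 0o4151: 0o2135,
    0o4152: 0o2000, 0o4153: 0o7356, 0o4154: 0o2135,
}


def effective_address(addr, word):
    """Return (target, indirect) for a memory-reference word, else None.

    Bit 0200 selects the current page (top 5 bits of addr) instead of
    page zero; bit 0400 marks the target as a pointer (indirect).
    """
    if (word >> 9) > 5:
        return None
    base = (addr & 0o7600) if word & 0o200 else 0
    return base | (word & 0o177), bool(word & 0o400)


def group1_text(word):
    """Mnemonics for a group 1 operate word (70xx-73xx)."""
    names = [name for bit, name in G1_FLAGS if word & bit]
    twice = bool(word & 0o002)
    if word & 0o004:
        names.append("RTL" if twice else "RAL")
    if word & 0o010:
        names.append("RTR" if twice else "RAR")
    if twice and not word & 0o014:
        names.append("BSW")          # 7002 on PDP-8/E-style CPUs
    return " ".join(names) or "NOP"


def classify(addr, word):
    """Describe one word; 'suspect' marks conflicting rotates (assumption)."""
    word &= 0o7777
    op = word >> 9
    info = {"kind": "opr", "target": None, "suspect": False}
    if op <= 5:
        target, indirect = effective_address(addr, word)
        info.update(kind="mri", target=target,
                    text=f"{MRI[op]} {'I ' if indirect else ''}{target:04o}")
    elif op == 6:
        info.update(kind="iot", text=f"IOT {word:04o}")
    elif word & 0o400:
        info.update(text=f"OPR {word:04o}")      # group 2/3, not decoded here
    else:
        info.update(text=group1_text(word),
                    suspect=(word & 0o014) == 0o014)
    return info


def xrefs(image):
    """Map each referenced address to the sorted addresses that name it."""
    table = {}
    for addr in sorted(image):
        target = classify(addr, image[addr])["target"]
        if target is not None:
            table.setdefault(target, []).append(addr)
    return table


def suspects(image):
    """Addresses whose word sets both rotate directions at once."""
    return [a for a in sorted(image) if classify(a, image[a])["suspect"]]


if __name__ == "__main__":
    for addr in sorted(SAMPLE):
        info = classify(addr, SAMPLE[addr])
        mark = "  <- both rotates set, likely data" if info["suspect"] else ""
        print(f"{addr:04o} {SAMPLE[addr]:04o}  {info['text']}{mark}")
```

A cross-reference built this way also counts words that sit inside data regions, so a hit only shows that some word encodes that address, not that it is executed.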

I’m now sure having the correct ROM combination and start address.
I almost considered giving up, but checking again a disassembly from d8tape (ROM 7-8 3-4, 5162 in 2nd half) I found what appears a code segment at 1366, a bit earlier than the 2nd appearance of one fixed LCD value.

[1366] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:6223 CDF 2 CIF 2;KM8-E: Change to Data and Instruction Field 2
[1367] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7325 STL CLA IAC RAL;Set L, Set AC to 0001, Rotate AC & L left
[1370] IRQ,DLY,IE=0,1,0 L/AC:0/0003 MQ:0000 IR:0132 AND 0132   ;AND operand with AC, ZP 0132
[1371] IRQ,DLY,IE=0,1,0 L/AC:0/0001 MQ:0000 IR:3101 DCA 0101   ;Deposit AC to memory then clear AC, ZP 0101
[1372] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1133 TAD 0133   ;Add operand to AC, ZP 0133
[1373] IRQ,DLY,IE=0,1,0 L/AC:0/6753 MQ:0000 IR:3102 DCA 0102   ;Deposit AC to memory then clear AC, ZP 0102
[1374] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:5750 JMP I @@50 ;Jump Indexed Current page @@50
[5330] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1373 TAD @@73   ;Add operand to AC, Current page @@73
[5331] IRQ,DLY,IE=0,0,0 L/AC:0/7332 MQ:0000 IR:3030 DCA 0030   ;Deposit AC to memory then clear AC, ZP 0030

A 2nd and third manual continuation of a trace run after a skip instruction (at 5335 and 5342) revealing that value 7356 in the AC.

[5342] IRQ,DLY,IE=0,0,1 L/AC:0/7332 MQ:0000 IR:1147 TAD 0147   ;Add operand to AC, ZP 0147 (147=1000) 
[5343] IRQ,DLY,IE=0,0,1 L/AC:1/0332 MQ:0000 IR:7710 SPA CLA    ;Skip on AC >= 0, Clear AC
[5345] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:1150 TAD 0150   ;Add operand to AC, ZP 0150 (150=7356)
[5346] IRQ,DLY,IE=0,0,1 L/AC:1/7356 MQ:0000 IR:0036 AND 0036   ;AND operand with AC, ZP 0036  -7356 LCD loc AP4 _ _ _ 
[5347] IRQ,DLY,IE=0,0,1 L/AC:1/3050 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC
[5350] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:7501 MQA        ;OR MQ with AC

Looking back from where are jumps to 1366, it’s from 1313 which is an indexed jump, stored at 0031. There is a jump to that at 0236. And to that at 233.

As there is confirmed data below 200 (including the LCD value at 0150) and some overwritten (deposit) values, including this one, the start address is obviously at 200 (as usual for a PDP-8). (Can’t be entered by switches, though).

[0200] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1014 TAD 0014   ;Add operand to AC, ZP 0014
[0201] IRQ,DLY,IE=0,1,0 L/AC:0/1322 MQ:0000 IR:0211 AND @@11   ;AND operand with AC, Current page @@11
[0202] IRQ,DLY,IE=0,1,0 L/AC:0/1000 MQ:0000 IR:7450 SNA        ;Skip on AC <> 0
[0204] IRQ,DLY,IE=0,1,0 L/AC:0/1000 MQ:0000 IR:7041 CIA        ;2s Complement AC
[0205] IRQ,DLY,IE=0,1,0 L/AC:0/7000 MQ:0000 IR:1130 TAD 0130   ;Add operand to AC, ZP 0130
[0206] IRQ,DLY,IE=0,1,0 L/AC:1/3760 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC
[0207] IRQ,DLY,IE=0,1,0 L/AC:1/0000 MQ:0000 IR:5233 JMP @@33   ;Jump Current page @@33
[0233] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:1072 TAD 0072   ;Add operand to AC, ZP 0072
[0234] IRQ,DLY,IE=0,0,0 L/AC:1/1126 MQ:0000 IR:7002 BSW        ;Byte Swap AC
[0235] IRQ,DLY,IE=0,0,0 L/AC:1/2611 MQ:0000 IR:7700 SMA CLA    ;Skip on AC < 0, Clear AC
[0236] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:5431 JMP I 0031 ;Jump Indexed ZP 0031
[1313] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:5366 JMP @@66   ;Jump Current page @@66
[1366] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:6223 CDF 2 CIF 2;KM8-E: Change to Data and Instruction Field 2

That all makes sense. The first RAM locations of written data are 101 and 102. First values 0001 and 6753. Not sure yet what 6753 is. It’s the string “Ok” in OS8 packed 8bit but that could be a coincidence. One of the first things to do is a RAM and maybe ROM/CRC check. My LCD can’t display Ok, and the k is lower case.

Both online and MacOS emu have issues and switching to extended memory like 25330 instead of 5330. I can manually fix that. But the main issue is that the ROM content is overwritten with the RAM contents. Maybe this is even right. The MacOS9 emu directly changing values like of 7777 and 5330, so I very soon have wrong instructions. So I more trust this command-line pdp8emu. (I forgot to check Wineight).
I try to go further but it’s very hard.

Another progress. Obviously start address at 7344 (vector at 0) and I obviously found a RAM check.

200 is maybe not the start address (but code and reaching that sooner or later).
At a manual skip the word at 31 (1313) would be both data (index for a jump) and code at the same time what is rather unlikely.
The problem is when not having the correct start address, some values including jump addresses are different/wrong and so the (order) of the code is not as intended.

I tried again the 5162 ROM. That is more difficult, as there’s much more code before that. Some addresses are relative but I haven’t found plausible code concerning the LCD value and I would run into the empty bytes section. So I returned to the 7384 ROM.

On the cross reference list (palbart -x) there are many jumps to 6000. Starting from that, it’s very plausible, soon jumping to 0 and later reaching 5542 (without manual skip) on where the LCD value show up and few instructions later jump to 7344.

7344 is the value at 0 (7777+1). Starting from that is what I now consider the start address.

[7344] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:4472 JMS I 0072 ;Jump to subroutine Indexed ZP 0072
[1127] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7071 CML        ;Complement L
[1130] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7116 CLL        ;Clear L
[1131] IRQ,DLY,IE=0,0,0 L/AC:0/1116 MQ:0000 IR:3122 DCA 0122   ;Deposit AC to memory then clear AC, ZP 0122   1116 Sixbit:  IN
[1132] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1266 TAD @@66   ;Add operand to AC, Current page @@66
[1133] IRQ,DLY,IE=0,0,0 L/AC:0/5306 MQ:0000 IR:1201 TAD @@01   ;Add operand to AC, Current page @@01
[1134] IRQ,DLY,IE=0,0,0 L/AC:0/5322 MQ:0000 IR:3057 DCA 0057   ;Deposit AC to memory then clear AC, ZP 0057      +R

… soon also to 1313 like before

[1313] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5366 JMP @@66   ;Jump Current page @@66
[1366] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:6223 CDF 2 CIF 2;KM8-E: Change to Data and Instruction Field 2
[1367] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7325 STL CLA IAC RAL;Set L, Set AC to 0001, Rotate AC & L left
[1370] IRQ,DLY,IE=0,0,0 L/AC:0/0003 MQ:0000 IR:0132 AND 0132   ;AND operand with AC, ZP 0132
[1371] IRQ,DLY,IE=0,0,0 L/AC:0/0001 MQ:0000 IR:3101 DCA 0101   ;Deposit AC to memory then clear AC, ZP 0101     @A
[1372] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1133 TAD 0133   ;Add operand to AC, ZP 0133
[1373] IRQ,DLY,IE=0,0,0 L/AC:0/6753 MQ:0000 IR:3102 DCA 0102   ;Deposit AC to memory then clear AC, ZP 0102     6+ (OS8: Ok) 
[1374] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5750 JMP I @@50 ;Jump Indexed Current page @@50
[5330] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1373 TAD @@73   ;Add operand to AC, Current page @@73
[5331] IRQ,DLY,IE=0,0,0 L/AC:0/7332 MQ:0000 IR:3030 DCA 0030   ;Deposit AC to memory then clear AC, ZP 0030     :Z
[5332] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1154 TAD 0154   ;Add operand to AC, ZP 0154
[5333] IRQ,DLY,IE=0,0,0 L/AC:0/2135 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC
[5334] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5432 JMP I 0032 ;Jump Indexed ZP 0032
[3010] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:3164 DCA 0164   ;Deposit AC to memory then clear AC, ZP 0164

…there is soon a loop to 1313. I continue after the skip after 5334. 14 and 16 are the values for blank and underline

[5335] IRQ,DLY,IE=0,0,0 L/AC:1/4573 MQ:0000 IR:1374 TAD @@74   ;Add operand to AC, Current page @@74
[5336] IRQ,DLY,IE=0,0,0 L/AC:1/5375 MQ:0000 IR:3030 DCA 0030   ;Deposit AC to memory then clear AC, ZP 0030
[5337] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:1141 TAD 0141   ;Add operand to AC, ZP 0141
[5340] IRQ,DLY,IE=0,0,0 L/AC:1/0014 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC    , 14=blank 
[5341] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:5255 JMP @@55   ;Jump Current page @@55
[5255] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:7305 CLL CLA IAC RAL;Clear L, Set AC to 0001, Rotate AC & L left
[5256] IRQ,DLY,IE=0,0,0 L/AC:0/0002 MQ:0000 IR:6415 SRS1       ;DP8-EAEB: Read Status 1
[5257] IRQ,DLY,IE=0,0,0 L/AC:0/0002 MQ:0000 IR:6001 ION        ;KK8-E: Interrupts enabled
[5260] IRQ,DLY,IE=0,0,1 L/AC:0/0002 MQ:0000 IR:1141 TAD 0141   ;Add operand to AC, ZP 0141
[5261] IRQ,DLY,IE=0,0,1 L/AC:0/0016 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC     , 16=_

… soon reaching 20 and again 1313 with another loop. I now continue after the first skip from the recent section. Here I found the LCD value

[5342] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:1147 TAD 0147   ;Add operand to AC, ZP 0147
[5343] IRQ,DLY,IE=0,0,1 L/AC:0/1000 MQ:0000 IR:7710 SPA CLA    ;Skip on AC >= 0, Clear AC
[5345] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:1150 TAD 0150   ;Add operand to AC, ZP 0150         LCD AP4 _ _ _ 
[5346] IRQ,DLY,IE=0,0,1 L/AC:0/7356 MQ:0000 IR:0036 AND 0036   ;AND operand with AC, ZP 0036
[5347] IRQ,DLY,IE=0,0,1 L/AC:0/3050 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC
[5350] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:7501 MQA        ;OR MQ with AC
[5351] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:7700 SMA CLA    ;Skip on AC < 0, Clear AC
[5352] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:5355 JMP @@55   ;Jump Current page @@55
[5355] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:1137 TAD 0137   ;Add operand to AC, ZP 0137
[5356] IRQ,DLY,IE=0,0,1 L/AC:0/7775 MQ:0000 IR:7650 SNA CLA    ;Skip on AC <> 0, Clear AC
[5360] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:5311 JMP @@11   ;Jump Current page @@11
[5311] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:1370 TAD @@70   ;Add operand to AC, Current page @@70
[5312] IRQ,DLY,IE=0,0,1 L/AC:0/0200 MQ:0000 IR:6414 SRS2       ;DP8-EAEB: Read Status 2
[5313] IRQ,DLY,IE=0,0,1 L/AC:0/0200 MQ:0000 IR:1150 TAD 0150   ;Add operand to AC, ZP 0150
[5314] IRQ,DLY,IE=0,0,1 L/AC:0/7556 MQ:0000 IR:0366 AND @@66   ;AND operand with AC, Current page @@66
[5315] IRQ,DLY,IE=0,0,1 L/AC:0/0056 MQ:0000 IR:3150 DCA 0150   ;Deposit AC to memory then clear AC, ZP 0150 56= 00101110

…soon another loop to 1313. Continue after the first skip of that section I have a full run over 0-7777 (AC) what is probably a RAM check.

[5344] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:5361 JMP @@61   ;Jump Current page @@61
[5361] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:7001 IAC;Increment AC
[5362] IRQ,DLY,IE=0,0,1 L/AC:0/0001 MQ:0000 IR:7440 SZA        ;Skip on AC = 0
[5363] IRQ,DLY,IE=0,0,1 L/AC:0/0001 MQ:0000 IR:5361 JMP @@61   ;Jump Current page @@61
[5361] IRQ,DLY,IE=0,0,1 L/AC:0/0001 MQ:0000 IR:7001 IAC;Increment AC
[5362] IRQ,DLY,IE=0,0,1 L/AC:0/0002 MQ:0000 IR:7440 SZA        ;Skip on AC = 0
[5363] IRQ,DLY,IE=0,0,1 L/AC:0/0002 MQ:0000 IR:5361 JMP @@61   ;Jump Current page @@61
[5361] IRQ,DLY,IE=0,0,1 L/AC:0/0002 MQ:0000 IR:7001 IAC;Increment AC
[5362] IRQ,DLY,IE=0,0,1 L/AC:0/0003 MQ:0000 IR:7440 SZA        ;Skip on AC = 0
[5363] IRQ,DLY,IE=0,0,1 L/AC:0/0003 MQ:0000 IR:5361 JMP @@61   ;Jump Current page @@61
[5361] IRQ,DLY,IE=0,0,1 L/AC:0/0003 MQ:0000 IR:7001 IAC;Increment AC
[5362] IRQ,DLY,IE=0,0,1 L/AC:0/0004 MQ:0000 IR:7440 SZA        ;Skip on AC = 0

… running over to AC=7777 (>10,000 instructions) and the code skipped on AC=0, later again reaching 1313

[5361] IRQ,DLY,IE=0,0,1 L/AC:0/7777 MQ:0000 IR:7001 IAC;Increment AC
[5362] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:7440 SZA        ;Skip on AC = 0
[5364] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:5311 JMP @@11   ;Jump Current page @@11
[5311] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:1370 TAD @@70   ;Add operand to AC, Current page @@70
[5312] IRQ,DLY,IE=0,0,1 L/AC:1/0200 MQ:0000 IR:6414 SRS2       ;DP8-EAEB: Read Status 2
[5313] IRQ,DLY,IE=0,0,1 L/AC:1/0200 MQ:0000 IR:1150 TAD 0150   ;Add operand to AC, ZP 0150
[5314] IRQ,DLY,IE=0,0,1 L/AC:1/0256 MQ:0000 IR:0366 AND @@66   ;AND operand with AC, Current page @@66
[5315] IRQ,DLY,IE=0,0,1 L/AC:1/0056 MQ:0000 IR:3150 DCA 0150   ;Deposit AC to memory then clear AC, ZP 0150
[5316] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:1371 TAD @@71   ;Add operand to AC, Current page @@71
[5317] IRQ,DLY,IE=0,0,1 L/AC:1/7736 MQ:0000 IR:3154 DCA 0154   ;Deposit AC to memory then clear AC, ZP 0154

I have now separated the code and data sections. The code starting at 7344 has a short segment with 4 skip instructions. I manually jumped into each new segment which have another skip instructions each. There are few code segments and the rest is considered data (for now).

Very helpful is also a memory dump (I mainly use the pdp8emu tool tapedump). With highlighting in editor Kate, I can quickly find same values. (The sixbit script is also interesting showing text representations as well, but I don’t have really text. It shows what appears data at the bottom of almost all pages.)

--------------------------------------------- Page 12
2400 - 6007 1354 6415 1273 6415 1300 6414 1272
2410 - 7421 1270 3000 1313 3010 7501 3410 2000 <
2420 - 5215 1270 3000 1313 3010 7501 7041 1410 <

2500 - 0400 1423 2023 5021 7400 0602 0600 0601
2510 - 0603 0604 0007 0010 0037 4314 7777 7777
2520 - 7777 0652 0600 0047 0047 4314 7777 6314

I noticed some segments with 5 identical words. First to be considered a data segment. A bit later is obviously data 600-604, also 5 words. 6314 is the fixed LCD value (3xblank). 4314 is undocumented but similar bit pattern, maybe 2x blanks. Between the 7777 again 5 values.

[2410] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7421 MQL        ;Load MQ from AC then clear AC
[2411] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1270 TAD @@70   ;Add operand to AC, Current page @@70
[2412] IRQ,DLY,IE=0,1,0 L/AC:0/7411 MQ:0000 IR:3000 DCA 0000   ;Deposit AC to memory then clear AC, ZP 0000 
[2413] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1313 TAD @@13   ;Add operand to AC, Current page @@13
[2414] IRQ,DLY,IE=0,1,0 L/AC:0/0010 MQ:0000 IR:3010 DCA 0010   ;Deposit AC to memory then clear AC, ZP 0010
[2415] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7501 MQA        ;OR MQ with AC
[2416] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:3410 DCA I 0010 ;Deposit AC to memory then clear AC, Indexed ZP 0010 [Auto pre-inc]
[2417] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:2000 ISZ 0000   ;Increment operand and skip if zero, ZP 0000 
[2420] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:5215 JMP @@15   ;Jump Current page @@15
..
[2417] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:2000 ISZ 0000   ;Increment operand and skip if zero, ZP 0000 
[2420] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5215 JMP @@15   ;Jump Current page @@15
[2415] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7501 MQA        ;OR MQ with AC
[2416] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:3410 DCA I 0010 ;Deposit AC to memory then clear AC, Indexed ZP 0010 [Auto pre-inc]
[2417] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:2000 ISZ 0000   ;Increment operand and skip if zero, ZP 0000 
[2421] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1270 TAD @@70   ;Add operand to AC, Current page @@70
[2422] IRQ,DLY,IE=0,0,0 L/AC:0/7411 MQ:0000 IR:3000 DCA 0000   ;Deposit AC to memory then clear AC, ZP 0000 
[2423] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1313 TAD @@13   ;Add operand to AC, Current page @@13
[2424] IRQ,DLY,IE=0,0,0 L/AC:0/0010 MQ:0000 IR:3010 DCA 0010   ;Deposit AC to memory then clear AC, ZP 0010
[2425] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7501 MQA        ;OR MQ with AC

This code is overwriting almost all ROM locations 0-377 with 0. Soon after that it would jump to 0 and try to execute those instructions which are now 0. At a first glance this appears wrong. But later (when having other values in AC) I think this is a RAM check.

My device has 10 error codes E0-E9. (The PLC has much more like E 0020). E9 is RAM error. The display code for E9 is 0371 (table, BCD encoded).
0371 only appears twice including at 2471.
The disassemblies (best d8tape) are very useful, converting the relative addresses, and it’s easy to search for constants and jump targets and identify code segments (L).

C2471,	0371				/ AND   C2571	(371=E9=RAM error 
C2472,	2525				/ ISZ I D0125							
C2473,	2302				/ ISZ   C2502							
	AND I L0052				/ 					    @@2474=0452
L2475,
	TAD I AI7				/ AUTO INDEX REGISTER	@@2475=1417

Searching for constant C2471 (only appears once) and starting from that, the code for E9 appears and there’s an endless loop

[2535] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1271 TAD @@71   ;Add operand to AC, Current page @@71 (=2471, page start at 2400)
[2536] IRQ,DLY,IE=0,1,0 L/AC:0/0371 MQ:0000 IR:6410 SSRG       ;DP8-EAEB: Skip if Ring Flag
[2537] IRQ,DLY,IE=0,1,0 L/AC:0/0371 MQ:0000 IR:1010 TAD 0010   ;Add operand to AC, ZP 0010
[2540] IRQ,DLY,IE=0,1,0 L/AC:0/6733 MQ:0000 IR:6411 SSCA       ;DP8-EAEB: Skip if CarrierAGC Flag
[2541] IRQ,DLY,IE=0,1,0 L/AC:0/6733 MQ:0000 IR:5341 JMP @@41   ;Jump Current page @@41
[2541] IRQ,DLY,IE=0,0,0 L/AC:0/6733 MQ:0000 IR:5341 JMP @@41   ;Jump Current page @@41

Searching for L2535 (also once) that is shortly after 2425 what I have above (I now have to search for the other error codes)

L2425,
	MQA						/ 					@@2425=7501
	CIA						/ 			    	@@2426=7041
	TAD I L0				/ 					@@2427=1410
	SZA CLA					/ 					@@2430=7640
	JMP   L2535				/ 					@@2431=5335

I think I’ve now understood most.
First, the empty bytes section. There is no access (r/w) and I assume it’s the reserved location for ASCII.
According to my manual it’s supposed to work by loading as decimal value. The highest value is 999 (1747 octal). Reserved for ASCII is 2200-2377 what is exactly one page. My empty section is one page earlier at 2000. But I think it’s possible. That ASCII is not for the printouts but obviously for an external display. Not sure if that has ever been realized after 1982-1986. I think in 1983 there was a next gen DOS compatible non-octal device line (101).

Missing text mnemonics for printout. I think these are on other EPROMs. Maybe on the RAM cartridges.

RAM cartridges. I found some better photos. A board has 40+1 HEF 40xx ICs, 4x 6561 RAM, a 6518 RAM and a voltage detector. And 6 daughter boards. Obviously 3xEPROM cards (Festo 8038) with 4 EPROMs each. And 3 RAM cards (8039) with 16x6518 each. 12 vertical and 4 horizontal.

Memory mapping. The main PLC has system RAM which just holds the values like counters (3000-3077), flags, error stack and CPU registers (200-277). Latter ones are the only ones having 16 bits. The PC is at 40.
The code RAM is that on the cartridge that one typed in with my device. So at 0 is the 1st instruction for the PLC.
I don’t think that the full ROM contents is copied to (internal) RAM. Probably just the actual page, maybe also the earlier and next one. There must be space for temp storage, like to keep track of open brackets.
On my device I only encountered few system RAM locations. Like PC at 0.

PDP8 ROM code. I found much plausible code. Almost all memory pages contain rather short code at the beginning, then a JMP and data in the 2nd half where most is referred just before. Easiest to identify in the middle like after the empty section at 2200, where you can better separate the values and addresses, as latter ones aren’t high. That is due to the relative addressing and page management. So it’s best to view each page separately. This is a typical content, disassembly from d8tape. Previously I mainly focussed on the DCA instructions where a value is deposited to RAM, but more of interest are the TAD. Note the data section starting at 6356. Some data are values including 2s complement, others are indexed jump targets. So a mix of instructions and data and data is also a mix. The rest of the page 6372-6377 is probably data as well and misinterpreted as instruction. And note, that the data is the default ROM data. Most of them will be changed at runtime.

L6345,
C6345,	4172				/ JMS   D0172							
	JMP   L0020				/ 										@@6346=5020
	TAD   C6365				/ 										@@6347=1365 105 
C6350,	4175				/ JMS   C0175							
	TAD   L0141				/ 										@@6351=1141
C6352,	4172				/ JMS   D0172							
	JMP I C6371				/ long jump to L3561 					@@6353=5771
	TAD   C6366				/ 										@@6354=1366 4163 
	JMP   L6245				/ 										@@6355=5245
C6356,	7774				/ SPA SNA SZL CLA OSR			-4, 4 digits		?
C6357,	0077				/ AND   D0077			error?		error stack 		
C6360,	0040				/ AND   D0040			PC?				
C6361,	1600				/ TAD I D6200			(1600= 	LCD blank AP4					
C6362,	2100				/ ISZ   L0100							
C6363,	0060				/ AND   D0060							
C6364,	0017				/ AND   AI7								
C6365,	0105				/ AND   D0105							
C6366,	4163				/ JMS   D0163			3+2 digits +*					
C6367,	0040				/ AND   D0040							
C6370,	4017				/ JMS   AI7				4 digits	+*			
C6371,
C6371,	3561				/ DCA I D0161							
	TAD   C6357				/ 										@@6372=1357 77 error ?
	SMA SZA CLA OSR			/ 										@@6373=7744
C6374,	7155				/ CLL CMA IAC RAR RAL

I found some more fixed values for LCD output (error and functions) and printouts (like XON). Few things left to investigate. Like the syntax check. Either a logic or a table. There’s only one page containing (almost) data. And the keyboard mapping.