Help reading EPROM (Intersil IM6654A) and analyze firmware

EdS, you were right!
I now returned to the paired ROM combination 1-5, 2-6,… (with 0006 at 7777).
When starting from 2340 (the vector assumed at 0) and after some instructions (I tried 100), there is a value written to the empty bytes section (starting at 6000): value 6324 (AC) to location 6101.
There was this instruction

[1751] IRQ,DLY,IE=0,0,0 L/AC:0/6324 MQ:0000 IR:3653 DCA I @@53 ;Deposit AC to memory then clear AC, Indexed Current page @@53

There are also a few (other) locations below 200 overwritten. At 77 the instruction word is maybe stored. At 154 maybe the AC.
I haven’t seen more words written yet, but I haven’t tried much.
But that’s very promising.
I have to check other start addresses, other emulators etc.


I found some more differences between the 6100 and other models in addition to the 6xxx IOTs. Most are not that clear from reading the CPU manual. But they are confirmed to be true (VT78 CPU diagnostic maindec-08-dkvtb-a-d, Doug Jones' model site).

-Some combined group 1 instructions (70xx) with RAL, RAR, RTL and RTR, at least 7014 and 7016, are NOPs instead (PDP8/A, E and 6120 each have different behaviour). Not sure if the PC is incremented, but probably. But why would someone use a 7014 NOP instead of 7000, 7400 or 7401? Regular, single RAL etc. are allowed.

-Auto-index registers (10-17) only work within page 0. Not 100% sure what it means when I have this on other pages. I think an indirect instruction/jump within that page.

-HLT can’t be continued just by a full reset.

-At address 0 the (return) address is stored after an IRQ and execution continues at 1. The reset vector is at 7777, but I'm still not sure if that's incremented by 1 to 0 before execution. Same question for 200.

All regular emulators don't have this (and I have these instructions very early), so I either have to change the emulators or my ROM code, or adjust the results at every single step. For now it's OK to just test the beginning.

And when I have any of these instructions in my ROM, it's most likely the wrong ROM combination. But there are several combinations depending on the start address (0, 1, vector at 7777 or 0, the usual 200, …).

There's an Altera FPGA emulation claiming to support the 6100, running under Linux M68k, written in VHDL. The source is also interesting, confirming the 7xxx differences. Not sure if I can run this without the FPGA. The Intel VHDL software (LITE version) is 5.5 GB (uncompressed 27 GB). And I think I would need a 68K emulation.

-- OP 7014: RAL RAR: This instruction did a lot
-- of different things...

-- HD6120: R3L - Rotate 3 Left
-- HD6100: NOP
-- PDP8/A: Load AC with the next address (PC)
-- PDP8/E: ANDs AC with OPCODE
-- PDP8/I: What should this do?
-- PDP8/S: What should this do?
-- PDP8/L: What should this do?
-- PDP8: What should this do?

I mentioned this project here
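To make the 7xxx differences above concrete, here is an added example (my own code, not from the thread, the VHDL project or any emulator) that decodes a PDP-8 group 1 operate word into its d8tape-style mnemonics and executes it in the PDP-8 sequence order. The HD6100 special case follows the post's observation that 7014 and 7016 are NOPs; extending that to every word with both RAL and RAR set is an assumption, and the other models' behaviour is left unmodelled. The sample values in the main block are taken from the trace lines posted later in this thread.

```python
"""Decode and execute PDP-8 group 1 operate (OPR) microinstructions (7xxx, bit 8 clear).
Added example; the HD6100 NOP case follows the thread's observation on 7014 and 7016."""
MASK = 0o7777

# bit assignments of a group 1 microinstruction
CLA, CLL, CMA, CML, RAR, RAL, TWICE, IAC = 0o200, 0o100, 0o40, 0o20, 0o10, 0o4, 0o2, 0o1


def is_group1(word):
    return (word >> 9) == 7 and not word & 0o400


def decode_group1(word):
    """Mnemonics in d8tape style, e.g. 7356 -> CLA CLL CMA RTL RTR, 7002 -> BSW."""
    if not is_group1(word):
        raise ValueError(f"{word:04o} is not a group 1 OPR")
    names = [name for bit, name in ((CLA, "CLA"), (CLL, "CLL"), (CMA, "CMA"),
                                    (CML, "CML"), (IAC, "IAC")) if word & bit]
    twice = bool(word & TWICE)
    if word & RAL:
        names.append("RTL" if twice else "RAL")
    if word & RAR:
        names.append("RTR" if twice else "RAR")
    if twice and not word & (RAL | RAR):
        names.append("BSW")
    return names or ["NOP"]


def hd6100_combined_rotate(word):
    """True for group 1 words with both RAL and RAR set. The thread confirms 7014 and 7016
    as NOPs on the HD6100; treating every such combination the same way is an assumption."""
    return is_group1(word) and (word & (RAL | RAR)) == (RAL | RAR)


def execute_group1(word, ac, link, cpu="hd6100"):
    """Return (ac, link) after the microinstruction, applied in the PDP-8 sequence
    order: CLA/CLL, CMA/CML, IAC, then rotate or BSW."""
    if not is_group1(word):
        raise ValueError(f"{word:04o} is not a group 1 OPR")
    if hd6100_combined_rotate(word):
        if cpu == "hd6100":
            return ac, link                     # NOP: nothing changes
        raise NotImplementedError("RAL+RAR combination is model specific")
    if word & CLA:
        ac = 0
    if word & CLL:
        link = 0
    if word & CMA:
        ac ^= MASK
    if word & CML:
        link ^= 1
    if word & IAC:                              # carry out of bit 0 complements the link
        ac += 1
        if ac > MASK:
            ac, link = 0, link ^ 1
    times = 2 if word & TWICE else 1
    if word & RAL:                              # rotate the 13-bit link:AC left
        for _ in range(times):
            ac, link = ((ac << 1) | link) & MASK, ac >> 11
    elif word & RAR:                            # rotate right
        for _ in range(times):
            ac, link = (ac >> 1) | (link << 11), ac & 1
    elif word & TWICE:                          # BSW: swap the two 6-bit halves of AC
        ac = ((ac & 0o77) << 6) | (ac >> 6)
    return ac, link


if __name__ == "__main__":
    # register values as shown in the trace lines quoted in the thread
    for word, ac, link in ((0o7325, 0, 0), (0o7041, 0o1000, 0), (0o7002, 0o1126, 1), (0o7001, 0o7777, 0)):
        print(f"{word:04o} {' '.join(decode_group1(word)):18s} AC={ac:04o} L={link} ->",
              "AC=%04o L=%d" % execute_group1(word, ac, link))
```

Running the main block reproduces the traces: 7325 turns AC 0000 into 0003 with L cleared, 7041 turns 1000 into 7000, 7002 swaps 1126 into 2611, and 7001 on 7777 wraps to 0000 with L set. A word such as 7356 decodes fine but is rejected for any CPU other than the 6100, which is exactly the check the post uses to decide that a ROM combination (or a data word) cannot be 6100 code.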

I'm now sure that the ROM pairs are 1-5, 2-6, just by reading the EPROMs' stickers. See my photo here

The 2nd digit after the dot is probably a version number and matches that of the other one. Same for the written D.
But it's not clear if pairs, bytes/words or bits are reversed or inverted.
Starting with pair 4-8 or 8-4 would result in starting with the empty bytes, which would be very unlikely. With the empty bytes at the end (reversal of 4-8 or 8-4) the reset vector at 7777 would be an invalid value (>12 bit, FF).

1-5, 2-6 has some instructions that aren't 6100 ones (see previous post) when starting from most locations.

More of interest is pair 5-1, 6-2. (There are no IOT instructions at the start of a run.)

Emu Wineight has the CPU option BTS6120, which means bootstrap, and has partial 6100 support (SBC6120 version 1).
When enabling this, I have some other opcodes (value indexed at 0077), which is different, obviously overwritten, like the one in the ROM.

Also very interesting is the online emu. When importing a BIN file, it is automatically disassembled.
When reloading that, it is translated into a PAL file, but with several to many errors. But it gives some details like instructions that don't fit with a previous one.
Portions of the ROM are moved/changed due to the empty bytes. But also some single locations (including 0, 2 and 3) were overwritten, as well as the empty bytes sections themselves.

When opening a PAL file (converted with the perl script bin2pal) there are also 2-pass details (instructions/data fields) and some more details when converted on the emu. It's still not easy. I mainly checked the beginning and have to check other locations.
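The pairing question in this post (which EPROM supplies which bits, whether the order is reversed, and the sanity checks that the reset vector at 7777 must be a 12-bit value and that the image should not start with the empty bytes) can be scripted. The following is an added example of mine, not the thread's own tooling. It assumes that each pair combines a byte-wide image supplying the high 4 bits with one supplying the low 8 bits (word = high << 8 | low), that unprogrammed cells read FF, and it flags group 1 words with both RAL and RAR set as suspicious because the earlier post says those are not 6100 instructions. The two 12-byte images are constructed for the example and are not the real dumps.

```python
"""Rank candidate pairings of two 8-bit EPROM dumps into 12-bit PDP-8 words.
Added example; the pairing model (high nibble image + low byte image) is an assumption."""
from itertools import permutations

EMPTY = 0xFFFF   # an unprogrammed byte pair reads FF/FF (assumption matching the thread's "FF")


def pair_words(high, low, reverse=False):
    """Combine the image holding the high 4 bits with the one holding the low 8 bits,
    optionally with the address order of both images reversed."""
    if len(high) != len(low):
        raise ValueError("both images must have the same length")
    if reverse:
        high, low = high[::-1], low[::-1]
    return [(h << 8) | l for h, l in zip(high, low)]


def is_suspect_opr(word):
    """Group 1 OPR with both RAL (0004) and RAR (0010) set, e.g. 7014/7016: not 6100 code per the thread."""
    return (word >> 9) == 7 and not word & 0o400 and (word & 0o14) == 0o14


def assess(words):
    """Sanity checks from the thread: words must fit 12 bits, the reset vector (last word)
    must be valid, the image should not start with the empty section, and 6100 code
    should not contain the combined rotate words."""
    leading = 0
    for w in words:
        if w != EMPTY:
            break
        leading += 1
    live = [w for w in words if w != EMPTY]
    return {
        "empty": len(words) - len(live),
        "leading_empty": leading,
        "invalid": sum(1 for w in live if w > 0o7777),
        "suspect_opr": sum(1 for w in live if w <= 0o7777 and is_suspect_opr(w)),
        "reset_vector": words[-1],
        "vector_valid": words[-1] <= 0o7777,
    }


def rank_pairings(images):
    """Try every ordered pair of images (which one supplies the high bits), with and without
    address reversal, ranked by invalid words, then vector validity, then leading empty words."""
    results = []
    for (name_hi, img_hi), (name_lo, img_lo) in permutations(images.items(), 2):
        for rev in (False, True):
            r = assess(pair_words(img_hi, img_lo, rev))
            r.update(high=name_hi, low=name_lo, reversed=rev)
            results.append(r)
    results.sort(key=lambda r: (r["invalid"], not r["vector_valid"], r["leading_empty"]))
    return results


# Constructed sample images (12 addresses each), not the thread's real dumps: three empty
# cells, then words 7421 1270 3000 1313 7356 3410 2000 5215, then a reset vector 7344.
ROM_A = bytes([0xFF, 0xFF, 0xFF, 0x0F, 0x02, 0x06, 0x02, 0x0E, 0x07, 0x04, 0x0A, 0x0E])
ROM_B = bytes([0xFF, 0xFF, 0xFF, 0x11, 0xB8, 0x00, 0xCB, 0xEE, 0x08, 0x00, 0x8D, 0xE4])

if __name__ == "__main__":
    for r in rank_pairings({"1": ROM_A, "5": ROM_B}):
        print(f"high={r['high']} low={r['low']} reversed={r['reversed']!s:5} "
              f"invalid={r['invalid']} leading_empty={r['leading_empty']} "
              f"suspect_opr={r['suspect_opr']} vector={r['reset_vector']:04o} valid={r['vector_valid']}")
```

On the constructed images the correct orientation is the only one with zero invalid words and a valid vector (7344); reversing the order puts the empty cells last, so the vector becomes FFFF just as the post describes, and swapping the roles of the two images leaves most words above 7777. The one 7356 in the sample shows up in the suspect_opr count, which is the "not a 6100 instruction" hint from the previous post.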

Major progress and another confirmation that the ROM pair 51 62 (but swapped) is correct.

There are very few constants in the manual. The LCD display location 4 (bottom right, load AP4 (04 0054) with address 06…) has the operand 7356, meaning all 3 digits are underlines _ _ _ . That is also the 12 bit bit pattern. And 6314 means 3x blanks. I found both together followed by one other word.

At location 5575 I found 0016 7356 0014 6314. 16 means the right of 2 digits is an underline, 14 blank. I have a table with the combinations of the value with the left digit. Locations are data regions according to the PAL file. There are also references for both.

At 4144 I have 0100 0756 2132, 1000 7356 2135, 2000 7356 2135, 3000 0356 2132, 3400 2356 2132, 0031 0061 2140 and 3 more ending with 2140. Before and after all this 0000. Ending at 4177, which is the end of page 20.

So 7356. 356 is according to the table _ _ (BCD encoded), and 756 and 2356 have one bit more, maybe the separation between locations 1+2 on the upper line or the symbols left of location 3. The display:

 EE .7777
*EE   888

1000, 2000 could be a RAM location or the address for the LCD. 2135 could also be the LCD address. Or the wandering digit when entering a number, pushing the other ones to the left. The bottom line, so 5x_ is displayed when entering code.

The online emu shows the Sixbit character representations when downloading the automatic disassembly from a bin file and when reloading, or for a PAL file the data locations, even better than d8tape, but both are not perfect, especially for the 6100 CPU. No r obviously is data.

 4147 1000 r | 	TAD S00000
 4150 7356   | 	CLA CLL CMA RTL RTR 
 4151 2135 r | 	ISZ D00135
 4152 2000 r | 	ISZ S00000
 4153 7356   | 	CLA CLL CMA RTL RTR 
 4154 2135 r | 	ISZ D00135
 
 5575 0016 r | 	AND P00016
 5576 7356   | 	CLA CLL CMA RTL RTR 
 5577 0014 r | 	AND P00014
             | 
*5600        | 	*5600 -new page
 5600 6314   | 	6314
 5601 1104 r | 	TAD D00104

4000 is the start of the 2nd half of the ROM. Probably the complete page or even much more is data (concerning the LCD). Maybe error codes?

3770 - 7772 0070 1104 7650 5776 5777 3456 3651
--------------------------------------------- Page 20
4000 - 7344 1126 7710 1374 1374 0125 3125 4023
4010 - 6342 1126 3103 1126 1322 3134 1534 3074
4020 - 1126 3054 7301 0074 7650 5231 1341 3055
4030 - 7325 1313 3010 1410 3067 1410 3070 1410
4040 - 3071 3073 3075 5431 7346 1126 7650 5252
4050 - 2103 2126 1103 3054 3055 1126 3104 1126
4060 - 3052 3074 3070 1125 0342 3125 4017 2143
4070 - 1566 2040 1126 1126 1126 1267 3010 3074
4100 - 1410 3104 1104 7006 7006 0035 3055 1410
4110 - 3052 1410 5232 2113 6737 7774 7760 6744
4120 - 7775 7774 2123 7560 7560 7400 7410 4600
4130 - 4760 0000 0001 6753 7776 7760 6744 7775
4140 - 7760 0014 0020 0000 0100 0756 2132 1000
4150 - 7356 2135 2000 7356 2135 3000 0356 2132
4160 - 3400 2356 2132 0031 0061 2140 0032 0062
4170 - 2140 0033 0063 2140 0010 0020 2140 0000
--------------------------------------------- Page 21

The only 2 references for 5575 and 5577 (none for 5576). Probably both are inside data sections themselves.

 2310 5275 r | 	JMP L02275
 2311 6001   | 	ION         -usually IRQ, but probably data, RAM location for the following word?
 2312 5575 r | 	JMP I P00175  -here ref 
 2313 1363 r | 	TAD D02363

…probably still data, following from a regular disassembly including Sixbit

 02356  7774  >;    | a2356,   SPA SNA SZL CLA OSR
 02357  0077  @>    | a2357,   AND   M77    
 02360  0040  @     | a2360,   AND   M40    
 02361  1600  N@    | a2361,   TAD I M2200  
 02362  2100  Q@    | a2362,   ISZ   M100   
 02363  0060  @/    | a2363,   AND   M60    
 02364  0017  @O    | a2364,   AND   M17    
 02365  0105  AE    | a2365,   AND   M105   
 02366  4163  !2    | a2366,   JMS   C163   
 02367  0040  @     | a2367,   AND   M40    
 02370  4017   O    | a2370,   JMS   C17    
 02371  3561  ]0    | a2371,   DCA I M161   
 02372  1357  K.    | a2372,   TAD   M2357  
 02373  7744  >$    | a2373,   SMA SZA CLA OSR
 02374  7155  8-    | a2374,   CLL CMA IAC 016
 02375  2333  S[    | a2375,   ISZ   M2333
 3352 7272   | 	CLA CML CMA RTR 
 3353 6474   | 	6474        -usually an IOT but obviously all data
 3354 6267   | 	6267
 3355 0011   | D03355,	0011
 3356 0012   | D03356,	0012
 3357 0200   | D03357,	0200
 3360 7764   | D03360,	7764
 3361 7731   | D03361,	7731
 3362 5502   | D03362,	5502
 3363 5473   | D03363,	5473
 3364 5463   | D03364,	5463
 3365 0036   | D03365,	0036
 3366 7756   | D03366,	7756
 3367 5574 r | 	JMP I P00174
 3370 7313   | 	JMS 3313
 3371 5436   | D03371,	5436
 3372 5577 r | 	JMP I P00177  -here ref 
 3373 7267   | 	JMS 3267
 3374 1377 r | 	TAD D03377

Maybe 70-80% of the ROM is data, mainly bit patterns. And maybe RAM code is created/patched and relocated in a run. Start is probably at 600/601 (vector at 7777). When branching to page 00 (< 0200) with changing contents and unclear 6100 behavior I get lost. I have to search for more code locations and data like error codes. I previously only searched for 4 digit error codes. But there are also 5 digit ones.


I'm now sure I have the correct ROM combination and start address.
I almost considered giving up, but checking again a disassembly from d8tape (ROM 7-8 3-4, 5162 in 2nd half) I found what appears to be a code segment at 1366, a bit earlier than the 2nd appearance of one fixed LCD value.

[1366] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:6223 CDF 2 CIF 2;KM8-E: Change to Data and Instruction Field 2
[1367] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7325 STL CLA IAC RAL;Set L, Set AC to 0001, Rotate AC & L left
[1370] IRQ,DLY,IE=0,1,0 L/AC:0/0003 MQ:0000 IR:0132 AND 0132   ;AND operand with AC, ZP 0132
[1371] IRQ,DLY,IE=0,1,0 L/AC:0/0001 MQ:0000 IR:3101 DCA 0101   ;Deposit AC to memory then clear AC, ZP 0101
[1372] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1133 TAD 0133   ;Add operand to AC, ZP 0133
[1373] IRQ,DLY,IE=0,1,0 L/AC:0/6753 MQ:0000 IR:3102 DCA 0102   ;Deposit AC to memory then clear AC, ZP 0102
[1374] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:5750 JMP I @@50 ;Jump Indexed Current page @@50
[5330] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1373 TAD @@73   ;Add operand to AC, Current page @@73
[5331] IRQ,DLY,IE=0,0,0 L/AC:0/7332 MQ:0000 IR:3030 DCA 0030   ;Deposit AC to memory then clear AC, ZP 0030

A 2nd and third manual continuation of a trace run after a skip instruction (at 5335 and 5342) revealed the value 7356 in the AC.

[5342] IRQ,DLY,IE=0,0,1 L/AC:0/7332 MQ:0000 IR:1147 TAD 0147   ;Add operand to AC, ZP 0147 (147=1000) 
[5343] IRQ,DLY,IE=0,0,1 L/AC:1/0332 MQ:0000 IR:7710 SPA CLA    ;Skip on AC >= 0, Clear AC
[5345] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:1150 TAD 0150   ;Add operand to AC, ZP 0150 (150=7356)
[5346] IRQ,DLY,IE=0,0,1 L/AC:1/7356 MQ:0000 IR:0036 AND 0036   ;AND operand with AC, ZP 0036  -7356 LCD loc AP4 _ _ _ 
[5347] IRQ,DLY,IE=0,0,1 L/AC:1/3050 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC
[5350] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:7501 MQA        ;OR MQ with AC

Looking back at where the jumps to 1366 come from: it's from 1313, which is an indexed jump stored at 0031. There is a jump to that at 0236. And to that at 233.

As there is confirmed data below 200 (including the LCD value at 0150) and some overwritten (deposit) values, including this one, the start address is obviously at 200 (as usual for a PDP-8). (It can't be entered by switches, though.)

[0200] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1014 TAD 0014   ;Add operand to AC, ZP 0014
[0201] IRQ,DLY,IE=0,1,0 L/AC:0/1322 MQ:0000 IR:0211 AND @@11   ;AND operand with AC, Current page @@11
[0202] IRQ,DLY,IE=0,1,0 L/AC:0/1000 MQ:0000 IR:7450 SNA        ;Skip on AC <> 0
[0204] IRQ,DLY,IE=0,1,0 L/AC:0/1000 MQ:0000 IR:7041 CIA        ;2s Complement AC
[0205] IRQ,DLY,IE=0,1,0 L/AC:0/7000 MQ:0000 IR:1130 TAD 0130   ;Add operand to AC, ZP 0130
[0206] IRQ,DLY,IE=0,1,0 L/AC:1/3760 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC
[0207] IRQ,DLY,IE=0,1,0 L/AC:1/0000 MQ:0000 IR:5233 JMP @@33   ;Jump Current page @@33
[0233] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:1072 TAD 0072   ;Add operand to AC, ZP 0072
[0234] IRQ,DLY,IE=0,0,0 L/AC:1/1126 MQ:0000 IR:7002 BSW        ;Byte Swap AC
[0235] IRQ,DLY,IE=0,0,0 L/AC:1/2611 MQ:0000 IR:7700 SMA CLA    ;Skip on AC < 0, Clear AC
[0236] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:5431 JMP I 0031 ;Jump Indexed ZP 0031
[1313] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:5366 JMP @@66   ;Jump Current page @@66
[1366] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:6223 CDF 2 CIF 2;KM8-E: Change to Data and Instruction Field 2

That all makes sense. The first RAM locations with written data are 101 and 102. First values 0001 and 6753. Not sure yet what 6753 is. It's the string "Ok" in OS8 packed 8-bit, but that could be a coincidence. One of the first things to do is a RAM and maybe ROM/CRC check. My LCD can't display Ok, and the k is lower case.

Both the online and MacOS emu have issues and switch to extended memory like 25330 instead of 5330. I can manually fix that. But the main issue is that the ROM content is overwritten with the RAM contents. Maybe this is even right. The MacOS9 emu directly changes values like those of 7777 and 5330, so I very soon have wrong instructions. So I trust this command-line pdp8emu more. (I forgot to check Wineight.)
I try to go further, but it's very hard.

Another progress. Obviously the start address is at 7344 (vector at 0) and I obviously found a RAM check.

200 is maybe not the start address (but code, and reached sooner or later).
At a manual skip the word at 31 (1313) would be both data (index for a jump) and code at the same time, which is rather unlikely.
The problem is that when not having the correct start address, some values including jump addresses are different/wrong and so the (order of the) code is not as intended.

I tried again the 5162 ROM. That is more difficult, as there's much more code before that. Some addresses are relative, but I haven't found plausible code concerning the LCD value and I would run into the empty bytes section. So I returned to the 7384 ROM.

On the cross reference list (palbart -x) there are many jumps to 6000. Starting from that, it's very plausible, soon jumping to 0 and later reaching 5542 (without manual skip) where the LCD value shows up and a few instructions later jumping to 7344.

7344 is the value at 0 (7777+1). Starting from that is what I now consider the start address.

[7344] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:4472 JMS I 0072 ;Jump to subroutine Indexed ZP 0072
[1127] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7071 CML        ;Complement L
[1130] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7116 CLL        ;Clear L
[1131] IRQ,DLY,IE=0,0,0 L/AC:0/1116 MQ:0000 IR:3122 DCA 0122   ;Deposit AC to memory then clear AC, ZP 0122   1116 Sixbit:  IN
[1132] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1266 TAD @@66   ;Add operand to AC, Current page @@66
[1133] IRQ,DLY,IE=0,0,0 L/AC:0/5306 MQ:0000 IR:1201 TAD @@01   ;Add operand to AC, Current page @@01
[1134] IRQ,DLY,IE=0,0,0 L/AC:0/5322 MQ:0000 IR:3057 DCA 0057   ;Deposit AC to memory then clear AC, ZP 0057      +R

… soon also to 1313 like before

[1313] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5366 JMP @@66   ;Jump Current page @@66
[1366] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:6223 CDF 2 CIF 2;KM8-E: Change to Data and Instruction Field 2
[1367] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7325 STL CLA IAC RAL;Set L, Set AC to 0001, Rotate AC & L left
[1370] IRQ,DLY,IE=0,0,0 L/AC:0/0003 MQ:0000 IR:0132 AND 0132   ;AND operand with AC, ZP 0132
[1371] IRQ,DLY,IE=0,0,0 L/AC:0/0001 MQ:0000 IR:3101 DCA 0101   ;Deposit AC to memory then clear AC, ZP 0101     @A
[1372] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1133 TAD 0133   ;Add operand to AC, ZP 0133
[1373] IRQ,DLY,IE=0,0,0 L/AC:0/6753 MQ:0000 IR:3102 DCA 0102   ;Deposit AC to memory then clear AC, ZP 0102     6+ (OS8: Ok) 
[1374] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5750 JMP I @@50 ;Jump Indexed Current page @@50
[5330] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1373 TAD @@73   ;Add operand to AC, Current page @@73
[5331] IRQ,DLY,IE=0,0,0 L/AC:0/7332 MQ:0000 IR:3030 DCA 0030   ;Deposit AC to memory then clear AC, ZP 0030     :Z
[5332] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1154 TAD 0154   ;Add operand to AC, ZP 0154
[5333] IRQ,DLY,IE=0,0,0 L/AC:0/2135 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC
[5334] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5432 JMP I 0032 ;Jump Indexed ZP 0032
[3010] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:3164 DCA 0164   ;Deposit AC to memory then clear AC, ZP 0164

…there is soon a loop to 1313. I continue after the skip after 5334. 14 and 16 are the values for blank and underline

[5335] IRQ,DLY,IE=0,0,0 L/AC:1/4573 MQ:0000 IR:1374 TAD @@74   ;Add operand to AC, Current page @@74
[5336] IRQ,DLY,IE=0,0,0 L/AC:1/5375 MQ:0000 IR:3030 DCA 0030   ;Deposit AC to memory then clear AC, ZP 0030
[5337] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:1141 TAD 0141   ;Add operand to AC, ZP 0141
[5340] IRQ,DLY,IE=0,0,0 L/AC:1/0014 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC    , 14=blank 
[5341] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:5255 JMP @@55   ;Jump Current page @@55
[5255] IRQ,DLY,IE=0,0,0 L/AC:1/0000 MQ:0000 IR:7305 CLL CLA IAC RAL;Clear L, Set AC to 0001, Rotate AC & L left
[5256] IRQ,DLY,IE=0,0,0 L/AC:0/0002 MQ:0000 IR:6415 SRS1       ;DP8-EAEB: Read Status 1
[5257] IRQ,DLY,IE=0,0,0 L/AC:0/0002 MQ:0000 IR:6001 ION        ;KK8-E: Interrupts enabled
[5260] IRQ,DLY,IE=0,0,1 L/AC:0/0002 MQ:0000 IR:1141 TAD 0141   ;Add operand to AC, ZP 0141
[5261] IRQ,DLY,IE=0,0,1 L/AC:0/0016 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC     , 16=_

… soon reaching 20 and again 1313 with another loop. I now continue after the first skip from the recent section. Here I found the LCD value

[5342] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:1147 TAD 0147   ;Add operand to AC, ZP 0147
[5343] IRQ,DLY,IE=0,0,1 L/AC:0/1000 MQ:0000 IR:7710 SPA CLA    ;Skip on AC >= 0, Clear AC
[5345] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:1150 TAD 0150   ;Add operand to AC, ZP 0150         LCD AP4 _ _ _ 
[5346] IRQ,DLY,IE=0,0,1 L/AC:0/7356 MQ:0000 IR:0036 AND 0036   ;AND operand with AC, ZP 0036
[5347] IRQ,DLY,IE=0,0,1 L/AC:0/3050 MQ:0000 IR:7640 SZA CLA    ;Skip on AC = 0, Clear AC
[5350] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:7501 MQA        ;OR MQ with AC
[5351] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:7700 SMA CLA    ;Skip on AC < 0, Clear AC
[5352] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:5355 JMP @@55   ;Jump Current page @@55
[5355] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:1137 TAD 0137   ;Add operand to AC, ZP 0137
[5356] IRQ,DLY,IE=0,0,1 L/AC:0/7775 MQ:0000 IR:7650 SNA CLA    ;Skip on AC <> 0, Clear AC
[5360] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:5311 JMP @@11   ;Jump Current page @@11
[5311] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:1370 TAD @@70   ;Add operand to AC, Current page @@70
[5312] IRQ,DLY,IE=0,0,1 L/AC:0/0200 MQ:0000 IR:6414 SRS2       ;DP8-EAEB: Read Status 2
[5313] IRQ,DLY,IE=0,0,1 L/AC:0/0200 MQ:0000 IR:1150 TAD 0150   ;Add operand to AC, ZP 0150
[5314] IRQ,DLY,IE=0,0,1 L/AC:0/7556 MQ:0000 IR:0366 AND @@66   ;AND operand with AC, Current page @@66
[5315] IRQ,DLY,IE=0,0,1 L/AC:0/0056 MQ:0000 IR:3150 DCA 0150   ;Deposit AC to memory then clear AC, ZP 0150 56= 00101110

…soon another loop to 1313. Continuing after the first skip of that section I have a full run over
0-7777 (AC), which is probably a RAM check.

[5344] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:5361 JMP @@61   ;Jump Current page @@61
[5361] IRQ,DLY,IE=0,0,1 L/AC:0/0000 MQ:0000 IR:7001 IAC;Increment AC
[5362] IRQ,DLY,IE=0,0,1 L/AC:0/0001 MQ:0000 IR:7440 SZA        ;Skip on AC = 0
[5363] IRQ,DLY,IE=0,0,1 L/AC:0/0001 MQ:0000 IR:5361 JMP @@61   ;Jump Current page @@61
[5361] IRQ,DLY,IE=0,0,1 L/AC:0/0001 MQ:0000 IR:7001 IAC;Increment AC
[5362] IRQ,DLY,IE=0,0,1 L/AC:0/0002 MQ:0000 IR:7440 SZA        ;Skip on AC = 0
[5363] IRQ,DLY,IE=0,0,1 L/AC:0/0002 MQ:0000 IR:5361 JMP @@61   ;Jump Current page @@61
[5361] IRQ,DLY,IE=0,0,1 L/AC:0/0002 MQ:0000 IR:7001 IAC;Increment AC
[5362] IRQ,DLY,IE=0,0,1 L/AC:0/0003 MQ:0000 IR:7440 SZA        ;Skip on AC = 0
[5363] IRQ,DLY,IE=0,0,1 L/AC:0/0003 MQ:0000 IR:5361 JMP @@61   ;Jump Current page @@61
[5361] IRQ,DLY,IE=0,0,1 L/AC:0/0003 MQ:0000 IR:7001 IAC;Increment AC
[5362] IRQ,DLY,IE=0,0,1 L/AC:0/0004 MQ:0000 IR:7440 SZA        ;Skip on AC = 0

… running over to AC=7777 (>10,000 instructions) and the code skips on AC=0, later again reaching 1313

[5361] IRQ,DLY,IE=0,0,1 L/AC:0/7777 MQ:0000 IR:7001 IAC;Increment AC
[5362] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:7440 SZA        ;Skip on AC = 0
[5364] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:5311 JMP @@11   ;Jump Current page @@11
[5311] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:1370 TAD @@70   ;Add operand to AC, Current page @@70
[5312] IRQ,DLY,IE=0,0,1 L/AC:1/0200 MQ:0000 IR:6414 SRS2       ;DP8-EAEB: Read Status 2
[5313] IRQ,DLY,IE=0,0,1 L/AC:1/0200 MQ:0000 IR:1150 TAD 0150   ;Add operand to AC, ZP 0150
[5314] IRQ,DLY,IE=0,0,1 L/AC:1/0256 MQ:0000 IR:0366 AND @@66   ;AND operand with AC, Current page @@66
[5315] IRQ,DLY,IE=0,0,1 L/AC:1/0056 MQ:0000 IR:3150 DCA 0150   ;Deposit AC to memory then clear AC, ZP 0150
[5316] IRQ,DLY,IE=0,0,1 L/AC:1/0000 MQ:0000 IR:1371 TAD @@71   ;Add operand to AC, Current page @@71
[5317] IRQ,DLY,IE=0,0,1 L/AC:1/7736 MQ:0000 IR:3154 DCA 0154   ;Deposit AC to memory then clear AC, ZP 0154

I have now separated the code and data sections. The code starting at 7344 has a short segment with 4 skip instructions. I manually jumped into each new segment, which each have another skip instruction. There are few code segments and the rest is considered data (for now).

Very helpful is also a memory dump (I mainly use the pdp8emu tool tapedump). With highlighting in the editor Kate, I can quickly find the same values. (The sixbit script is also interesting, showing text representations as well, but I don't really have text. It shows what appears to be data at the bottom of almost all pages.)

--------------------------------------------- Page 12
2400 - 6007 1354 6415 1273 6415 1300 6414 1272
2410 - 7421 1270 3000 1313 3010 7501 3410 2000 <
2420 - 5215 1270 3000 1313 3010 7501 7041 1410 <

2500 - 0400 1423 2023 5021 7400 0602 0600 0601
2510 - 0603 0604 0007 0010 0037 4314 7777 7777
2520 - 7777 0652 0600 0047 0047 4314 7777 6314

I noticed some segments with 5 identical words, first to be considered a data segment. A bit later is obviously data 600-604, also 5 words. 6314 is the fixed LCD value (3x blank). 4314 is undocumented but a similar bit pattern, maybe 2x blanks. Between the 7777 again 5 values.

[2410] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7421 MQL        ;Load MQ from AC then clear AC
[2411] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1270 TAD @@70   ;Add operand to AC, Current page @@70
[2412] IRQ,DLY,IE=0,1,0 L/AC:0/7411 MQ:0000 IR:3000 DCA 0000   ;Deposit AC to memory then clear AC, ZP 0000 
[2413] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1313 TAD @@13   ;Add operand to AC, Current page @@13
[2414] IRQ,DLY,IE=0,1,0 L/AC:0/0010 MQ:0000 IR:3010 DCA 0010   ;Deposit AC to memory then clear AC, ZP 0010
[2415] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:7501 MQA        ;OR MQ with AC
[2416] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:3410 DCA I 0010 ;Deposit AC to memory then clear AC, Indexed ZP 0010 [Auto pre-inc]
[2417] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:2000 ISZ 0000   ;Increment operand and skip if zero, ZP 0000 
[2420] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:5215 JMP @@15   ;Jump Current page @@15
..
[2417] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:2000 ISZ 0000   ;Increment operand and skip if zero, ZP 0000 
[2420] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:5215 JMP @@15   ;Jump Current page @@15
[2415] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7501 MQA        ;OR MQ with AC
[2416] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:3410 DCA I 0010 ;Deposit AC to memory then clear AC, Indexed ZP 0010 [Auto pre-inc]
[2417] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:2000 ISZ 0000   ;Increment operand and skip if zero, ZP 0000 
[2421] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1270 TAD @@70   ;Add operand to AC, Current page @@70
[2422] IRQ,DLY,IE=0,0,0 L/AC:0/7411 MQ:0000 IR:3000 DCA 0000   ;Deposit AC to memory then clear AC, ZP 0000 
[2423] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:1313 TAD @@13   ;Add operand to AC, Current page @@13
[2424] IRQ,DLY,IE=0,0,0 L/AC:0/0010 MQ:0000 IR:3010 DCA 0010   ;Deposit AC to memory then clear AC, ZP 0010
[2425] IRQ,DLY,IE=0,0,0 L/AC:0/0000 MQ:0000 IR:7501 MQA        ;OR MQ with AC

This code overwrites almost all ROM locations 0-377 with 0. Soon after that it would jump to 0 and try to execute those instructions, which are now 0. At a first glance this appears wrong. But later (when having other values in AC) I think this is a RAM check.

My device has 10 error codes E0-E9. (The PLC has many more, like E 0020.) E9 is RAM error. The display code for E9 is 0371 (table, BCD encoded).
0371 only appears twice, including at 2471.
The disassemblies (best d8tape) are very useful, converting the relative addresses, and it's easy to search for constants and jump targets and identify code segments (L).

C2471,	0371				/ AND   C2571	(371=E9=RAM error 
C2472,	2525				/ ISZ I D0125							
C2473,	2302				/ ISZ   C2502							
	AND I L0052				/ 					    @@2474=0452
L2475,
	TAD I AI7				/ AUTO INDEX REGISTER	@@2475=1417

Searching for constant C2471 (only appears once) and starting from that, the code for E9 appears and there's an endless loop

[2535] IRQ,DLY,IE=0,1,0 L/AC:0/0000 MQ:0000 IR:1271 TAD @@71   ;Add operand to AC, Current page @@71 (=2471, page start at 2400)
[2536] IRQ,DLY,IE=0,1,0 L/AC:0/0371 MQ:0000 IR:6410 SSRG       ;DP8-EAEB: Skip if Ring Flag
[2537] IRQ,DLY,IE=0,1,0 L/AC:0/0371 MQ:0000 IR:1010 TAD 0010   ;Add operand to AC, ZP 0010
[2540] IRQ,DLY,IE=0,1,0 L/AC:0/6733 MQ:0000 IR:6411 SSCA       ;DP8-EAEB: Skip if CarrierAGC Flag
[2541] IRQ,DLY,IE=0,1,0 L/AC:0/6733 MQ:0000 IR:5341 JMP @@41   ;Jump Current page @@41
[2541] IRQ,DLY,IE=0,0,0 L/AC:0/6733 MQ:0000 IR:5341 JMP @@41   ;Jump Current page @@41

Searching for L2535 (also once), that is shortly after 2425, which I have above (I now have to search for the other error codes)

L2425,
	MQA						/ 					@@2425=7501
	CIA						/ 			    	@@2426=7041
	TAD I L0				/ 					@@2427=1410
	SZA CLA					/ 					@@2430=7640
	JMP   L2535				/ 					@@2431=5335
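Two things in the posts above are worth running rather than reading: the fill loop at 2410-2420 with its auto-index pre-increment through location 0010 (the "DCA I 0010 [Auto pre-inc]" trace lines), and the "looking back at where the jumps come from" step that palbart -x does for a whole image. The block below is an added example of mine, not code from the thread or from pdp8emu/d8tape. It is a minimal PDP-8 memory-reference emulator (AND, TAD, ISZ, DCA, JMS, JMP, plus MQL/MQA) and a static cross-reference helper. The program words are the dump lines 2410-2420 and 2513 quoted above; the counter value 7411 comes from the trace, and placing it at 2470 is my reading of "TAD @@70" on a 2400 page. Unsupported OPR and IOT words raise rather than silently continuing.

```python
"""Tiny PDP-8 memory-reference emulator plus a static cross-reference helper.
Added example; program words are from the thread's 2410-2420 and 2513 dump lines, the
counter 7411 from its trace (location 2470 assumed from @@70 on the 2400 page)."""
from dataclasses import dataclass, field

MASK = 0o7777


def direct_address(pc, word):
    """Operand address before indirection: the Z bit (0200) selects the instruction's own
    page, otherwise page 0; the low 7 bits are the offset within that page."""
    page = (pc & 0o7600) if word & 0o200 else 0
    return page | (word & 0o177)


def references_to(mem, target):
    """Addresses of memory-reference words (opcodes 0-5) whose operand is target.
    An indirect instruction references its pointer cell, as palbart -x lists it."""
    return sorted(a for a, w in mem.items() if (w >> 9) < 6 and direct_address(a, w) == target)


@dataclass
class Cpu:
    pc: int = 0
    ac: int = 0
    link: int = 0
    mq: int = 0
    mem: dict = field(default_factory=dict)      # sparse 4K word memory, unset cells read 0
    writes: list = field(default_factory=list)   # (address, value) of every DCA, for inspection

    def read(self, addr):
        return self.mem.get(addr & MASK, 0)

    def effective_address(self, pc, word):
        addr = direct_address(pc, word)
        if word & 0o400:                          # I bit: indirect through addr
            if 0o10 <= addr <= 0o17:              # auto-index cell: pre-increment on indirect use
                self.mem[addr] = (self.read(addr) + 1) & MASK
            addr = self.read(addr)
        return addr

    def step(self):
        pc, self.pc = self.pc, (self.pc + 1) & MASK
        word = self.read(pc)
        op = word >> 9
        if op == 7:                               # only the group 3 MQ transfers this loop uses
            if word == 0o7421:                    # MQL: load MQ from AC, clear AC
                self.mq, self.ac = self.ac, 0
            elif word == 0o7501:                  # MQA: OR MQ into AC
                self.ac |= self.mq
            elif word != 0o7000:
                raise NotImplementedError(f"OPR {word:04o} not modelled")
            return
        if op == 6:
            raise NotImplementedError(f"IOT {word:04o} not modelled")
        ea = self.effective_address(pc, word)
        if op == 0:                               # AND
            self.ac &= self.read(ea)
        elif op == 1:                             # TAD: carry out of bit 0 complements the link
            total = self.ac + self.read(ea)
            self.ac, self.link = total & MASK, self.link ^ (total >> 12)
        elif op == 2:                             # ISZ: increment, skip next word on zero
            self.mem[ea] = (self.read(ea) + 1) & MASK
            if self.mem[ea] == 0:
                self.pc = (self.pc + 1) & MASK
        elif op == 3:                             # DCA: deposit AC, clear AC
            self.mem[ea] = self.ac
            self.writes.append((ea, self.ac))
            self.ac = 0
        elif op == 4:                             # JMS: return address at ea, continue at ea+1
            self.mem[ea] = self.pc
            self.pc = (ea + 1) & MASK
        else:                                     # JMP
            self.pc = ea


FILL_LOOP = {
    0o2410: 0o7421, 0o2411: 0o1270, 0o2412: 0o3000, 0o2413: 0o1313, 0o2414: 0o3010,
    0o2415: 0o7501, 0o2416: 0o3410, 0o2417: 0o2000, 0o2420: 0o5215,
    0o2470: 0o7411,   # loop counter, -367 octal = 247 passes (value from the trace, location assumed)
    0o2513: 0o0010,   # initial auto-index pointer, from the 2510 dump line
}


def run_fill_loop(pattern=0, max_steps=5000):
    """Enter at 2410 with `pattern` in AC and run until the ISZ skip leaves the loop at 2421."""
    cpu = Cpu(pc=0o2410, ac=pattern, mem=dict(FILL_LOOP))
    steps = 0
    while cpu.pc != 0o2421:
        cpu.step()
        steps += 1
        if steps > max_steps:
            raise RuntimeError("loop did not terminate")
    return cpu, steps


def fill_writes(cpu):
    """Only the stores made through the auto-index pointer (DCA I 0010), i.e. the filled range."""
    return [(a, v) for a, v in cpu.writes if a >= 0o11]
```

With AC = 0 at entry the loop makes 247 passes and stores zeros at 0011 through 0377, leaving 0010 at 0377, which matches the post's "overwriting almost all locations 0-377 with 0"; entering with another value in AC fills the same range with that value, the RAM-check reading of the code. The cross reference also shows why data is easy to mistake for code: the word 0010 at 2513 decodes as AND 0010 and so appears in the reference list for location 0010 alongside the two real DCA instructions.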

I think I've now understood most of it.
First, the empty bytes section. There is no access (r/w) and I assume it's the reserved location for ASCII.
According to my manual it's supposed to work by loading as a decimal value. The highest value is 999 (1747 octal). Reserved for ASCII is 2200-2377, which is exactly one page. My empty section is one page earlier at 2000. But I think it's possible. That ASCII is not for the printouts but obviously for an external display. Not sure if that has ever been realized after 1982-1986. I think in 1983 there was a next gen DOS compatible non-octal device line (101).

Missing text mnemonics for printouts. I think these are on other EPROMs. Maybe on the RAM cartridges.

RAM cartridges. I found some better photos. A board has 40+1 HEF 40xx ICs, 4x 6561 RAM, a 6518 RAM and a voltage detector. And 6 daughter boards. Obviously 3xEPROM cards (Festo 8038) with 4 EPROMs each. And 3 RAM cards (8039) with 16x6518 each. 12 vertical and 4 horizontal.

Memory mapping. The main PLC has system RAM which just holds the values like counters (3000-3077), flags, error stack and CPU registers (200-277). The latter are the only ones having 16 bits. The PC is at 40.
The code RAM is the one on the cartridge that one typed in with my device. So at 0 is the 1st instruction for the PLC.
I don't think that the full ROM contents are copied to (internal) RAM. Probably just the actual page, maybe also the previous and next one. There must be space for temp storage, like to keep track of open brackets.
On my device I only encountered a few system RAM locations. Like the PC at 0.

PDP8 ROM code. I found much plausible code. Almost all memory pages contain rather short code at the beginning, then a JMP and data in the 2nd half, where most of it is referenced just before. Easiest to identify in the middle, like after the empty section at 2200, where you can better separate the values and addresses, as the latter aren't high. That is due to the relative addressing and page management. So it's best to view each page separately. This is a typical content, disassembly from d8tape. Previously I mainly focussed on the DCA instructions where a value is deposited to RAM, but of more interest are the TAD. Note the data section starting at 6356. Some data are values including 2s complement, others are indexed jump targets. So it is a mix of instructions and data, and the data is also a mix. The rest of the page 6372-6377 is probably data as well and misinterpreted as instructions. And note that the data is the default ROM data. Most of it will be changed at runtime.

L6345,
C6345,	4172				/ JMS   D0172							
	JMP   L0020				/ 										@@6346=5020
	TAD   C6365				/ 										@@6347=1365 105 
C6350,	4175				/ JMS   C0175							
	TAD   L0141				/ 										@@6351=1141
C6352,	4172				/ JMS   D0172							
	JMP I C6371				/ long jump to L3561 					@@6353=5771
	TAD   C6366				/ 										@@6354=1366 4163 
	JMP   L6245				/ 										@@6355=5245
C6356,	7774				/ SPA SNA SZL CLA OSR			-4, 4 digits		?
C6357,	0077				/ AND   D0077			error?		error stack 		
C6360,	0040				/ AND   D0040			PC?				
C6361,	1600				/ TAD I D6200			(1600= 	LCD blank AP4					
C6362,	2100				/ ISZ   L0100							
C6363,	0060				/ AND   D0060							
C6364,	0017				/ AND   AI7								
C6365,	0105				/ AND   D0105							
C6366,	4163				/ JMS   D0163			3+2 digits +*					
C6367,	0040				/ AND   D0040							
C6370,	4017				/ JMS   AI7				4 digits	+*			
C6371,
C6371,	3561				/ DCA I D0161							
	TAD   C6357				/ 										@@6372=1357 77 error ?
	SMA SZA CLA OSR			/ 										@@6373=7744
C6374,	7155				/ CLL CMA IAC RAR RAL

I found some more fixed values for LCD output (error and functions) and printouts (like XON). Few things are left to investigate. Like the syntax check: either logic or a table. There's only one page containing (almost) data. And the keyboard mapping.