Index

wersja polska

Internal ROM of the HD61700 processor

A part of the Casio PB-1000 firmware is hidden in the processor's internal 16-bit ROM of size 3072 words. It can be used only as program memory, data access isn't possible (except of constants encoded as a part of immediate addressing mode instructions). Therefore, all constant tables used by the procedures in this ROM have to be placed in external memory space (for example CORDIC tables, floating point constants, keyboard data, fonts...).

Due to this limitation the internal ROM cannot be directly read out. However, I managed to extract the ROM contents by single-stepping the code (by applying an IRQ2 interrupt pulse during execution of each instruction).

For this purpose all bus signals have been lead out to a connector inserted into a test socket of an universal device programmer TopMax controlled by a PC. With this equipment I can execute any single instruction, modify and examine the register and memory contents, log all bus activities, count cycles. The instructions can then be attempted to be identified.

The archive pb1000r0.zip contains the partially commented ROM disassembly reconstructed using this method.

Ambiguity

Some instructions cannot be distinctly identified, as the same result can be obtained in various manner. Examples:

• Both following instructions can be used to clear a group of registers, they have the same number of cycles and the flags setting. An example instruction at address &H0206 could be identified as SBBM by examining adjacent codes.

  sbbm $5,$5,8
  xrm  $5,$5,8
  

• Some instructions are commutative, i.e. changing the order of operands doesn't change the result, for example:

  anc  $2,$3
  anc  $3,$2
  

Instructions encoding

In some cases not only the instruction could be identified, but also the actual memory contents. It is possible by executing the code starting from a second word of a 2-word instruction. Examples:

• Unused bytes are padded with zeros.

  0144: 4201 2E00   ld    $1,&H2E           ;actual instruction
  0145: 2E00        pps	$0                ;side-effect instruction
  

• Following examples show the encoding of an absolute jump address - the upper byte of the address appears to be stored in the 4th byte of the instruction instead of the 3rd one.

  0020: 37EE 00FF   jp    &HFFEE            ;actual instruction
  0021: 00FF 37C7   adc   $31,$23,jr &HFFDB ;side-effect instruction
  0022: 37C7 00FF   jp    &HFFC7            ;actual instruction
  0023: 00FF D113   adc   $31,$17,jr &H0037 ;side-effect instruction
  0024: D113 0900   ldw   $19,&H0009        ;actual instruction
  ...
  010A: 4100 3000   sbc   $0,&H30           ;actual instruction
  010B: 3000 B503   jp    z,&H0300          ;side-effect instruction
  010C: B503        jr    c,&H010F          ;actual instruction
  ...
  0162: 7716 0001   cal   &H0116            ;actual instruction
  0163: 0001        adc   $1,$sx            ;side-effect instruction
  

• Next examples show how the operand of a relative jump is encoded. The displacement is stored either in the 2nd byte or in the 4th byte (even for 3-byte instructions). In both memory access modes the destination address is calculated by adding the displacement value to the memory location where the displacement is stored.

  013A: 4281 2C0B   ld    $1,&H2C,jr &H0146 ;actual instruction
  013B: 2C0B        ldd   $11,(ix+$sx)      ;side-effect instruction
  ...
  0178: 89E4 0284   sbw   $4,$2,jr &H0175   ;actual instruction
  0179: 0284 8864   ld    $4,$sx,jr &H01DE  ;side-effect instruction
  017A: 8864 0200   adw   $4,$2             ;actual instruction
  

• Unused word at address &H0456 contains &HFFFF.

  0454: 379E 00FF   jp    &HFF9E            ;actual instruction
  0455: 00FF FFFF   adc   $31,$31,jr &H03D7 ;side-effect instruction
  0456: FFFF        trp                     ;unused location