p. 79


Thanks to the ingeniousness of the members of PPC, all modules ROM HP, including the internal modules, were deciphered, in data processing one would say " disassembled ", however, to know lists D ' instructions does not say which is their goal and it is lacking of much that all was cleared up.

There is on the whole more than 500 pages of listings available to the club, it is thus no question of publishing them here all, however, we could not finish this study without analyzing some of these elements, selected a little arbitrarily like illustrations.


As all the remainder a module has its own geography. In fact, there is (external modules only):

a) with the address x000 the XR0tl number of the module and with the address x001 the number of functions existing in the module (all that into hexadecimal).

b) starting from the address X002 the catalogue of the functions contained in the module. This catalogue consists of two words per function, giving at the same time the type of program and the entry of the function.

The first two bits of the first word indicate the type of program. They are to 00 if it acts of a program microcodes some and to 10 (2) if the program is in standard language.

The last 4 bits of the first word and the last 8 bits of the second word give the 3 digits of address of the program inside the module.

When a CAT 2 is carried out the addresses of the functions are read in the order where they appear in the catalogue of the module. It is thus possible to make list the functions alphabetically if one wants of it, some is the provision of the programs in the module. The first listed function is in general the name of the module. Like such this name has Of course a number XR0M., this name does not correspond in general to any possible execution.

p. 80

If one takes the precaution to make follow this name of function RTN, an attempt at execution will be without disadvantage. If not a " planting " is extremely likely to result from it.

The catalogue of the module is finished when two successive words are to zero (cf fig. 25, p. 81).

c) at the end of the moduLe; with addresses FFB, FFC, FFD and FFE are the shortened name of the R0M (premiére letter in FFE, last in FFB).

d) The last word of the module is the sum of control (optional).

E) With the top of the name of the R0M, at the end of the module, are 7 very significant addresses particutiéres. These addresses are questioned (by a FETCH). If they contain 000 the interrogative program continues without being worried some, if not it connects at this address. This interrogation takes place at several times varying with the address (cf fig. 25, p. 81).

F) in the medium are codes which can represent:

- a program in language user,

- instructions microcodes some,

- among these instructions, of the data.

The provision of a program in language user was given in III.4, p. 36. Here an example:

IN RAM (only at the end of the memory) Program IN ROM

words of:004


C0 LBL"D0 " lC2
00   001
F3   0F3
00   000
44   044
4f   04F
02 LBL 01 " MODULATES " useless in ROM
F6   1F6
4d   04D
4f   04F
44   044
55   055
46   046
45   045
89 PSE 189
B2 GTO 01 1B2
Dl compiled 00B
C8 END lC6
02   02
29   22F

page 81

page 82


The instructions microcodes some and the data are not distinct. Only the way of using the code makes the difference as we will see it in the examples.

The internal functions of the HP are treated by direct analysis of the pressures of keys of the keyboard. But the functions of the ROM are carried out starting from the entrance point.

This entrance point of the function gives access to two types of information:

- if the reading is done upwards, the codes represent the characters composing the name of the function, coded microcodes some (cf fig.8, p. 24).

HP knows that last character is reached when its code is increased by 080, which comes down to raising the bit of left of the byte of code (bit number 7), which if not, is always to 0. Moreover, the two bits of left of the first characters of the name in 1 ' reading order manage the " prompt ones ", these features (- -) of request for argument which follow functions like STO --, GTO -- (cf appears 27b, p. 84).

- if the reading is done from top to bottom, it is the execution of the function and the codes are carried out like instructions, if the first word is 000 NOP, the function is nonprogrammable; if the second word is also 000 NOP the function is carried out immediately without possible " NULL ", '


This function appears initially in a table located in 14xx. This table gives the addresses of all the internal functions. In the fig. 26, p. 82 you can see of left on the right the numbers of line from 1400. These numbers are followed code (" microcodes ") in mode 244 then 442. I added (with the hand... with the assistance of the printer) it mnemonic of the function whose address is provided by the table (microcodes = addresses).

You find R†line 1474 with a code 260. Add un1devant the code and you will have the address of the function R†, i.e. 1260. Defer you maintaining to figure 27, p. 84.

Line 1260 is that which is immediately below the name of the function that you can read upwards. White space is there because of the passage of 125F with 1260 which corresponds to a change of paragraph by the printer. The code of # 134; is 1E, but as it is the last character of the name, it is increased by 080 and gives 09E.

The execution thus starts into 1260 downwards. You will be perhaps disappointed to note that it is not found there that a new address where the execution must continue, i.e. 1Ê5.

This " continuation " it even is satisfied to carry out under program before finishing in 00EE, one of the points of beginning of the routines of " household " in which end all the functions.


p: 85

The heart is thus it under program which starts in 1ÊD. If you program in microcodes and that you want to carry out R†, it will be enough to call it under program, it is simpler. But it is not sure that this address will be the same one on all the modéles of 4Ç. It under program starts by selecting the register R(000), then puts in reserve of A the register T Ensuite we see mounting the pile: Does Z go in T, Y of Z, X in Y and finally one recovers T to put it in X Simple, not?

VII.3 SECOND EXAMPLE: validation of the display

The display is one of the multiple peripherals of the 4Ç. to validate it and of course then to use it, it is necessary:

07F6 130-4C0 LDI S&X

07F7 010-040 16 P

07F8 270-9C0 RAM SLCT

07F9 130-4C0 LDI S&X

07FA 0FD-3F1 253


07FC É0-F80 RTN

07FD 000-000 NOP

As you see it, it is initially necessary to invalidate the read-write memory by selecting non-existent registers, of R(010) to R(01F) those which are located just at the top of the register E, in the vacuum.

Then, one charges out of C S&X the address with the display, that is to say 0FD and one selects it. From this moment we can write with the screen. You will find in appendix 10, p. l13, the detail of the instructions, but here immediately an example.


We find sometimes in memory of the codes like this one (cf fig. 28, p.86, in top on the left). This group of instructions starts with XQ 07EF, thus see what makes it under program (on the right of the figure).

Hold, POP pleasing in ADR of C the first return address. This address we let us know it, it is that which is right below XQ 07EF, therefore 2FF0.

The HP fetche, i.e. will seek the contents of this address and places it out of C S&X. These contents are code 018.

This code is written in the screen (which was selected beforehand) as a character, it was thus not an instruction!

page 86

p. 87

C=C+1 adds 1 to the address which becomes 2FF1 and the HP tests the XS; is it different from zero? If so, to arm Curry. It is not the case here, therefore to start again with the FETCH.

One thus sends to the display successively codes 018, 012, 00F, 00D then finally 220. But there, there is other thing that 0 in XS, therefore we leave the loop and by GTO ADR we will continue the execution with the following address.

This address contains a RTN and thus finishes under program by return to the main program. But what makes all these codes in the display? We will see it by correcting the listing to make apparaitre the characters. Considering?


We now will examine a particular passage of the startup of the HP (fig. 29, p. 88).

Let us start in 01EA. the machine has just ignited (major sleep) and after having begun again its spirits it comes to see whether another key is in a hurry (another that ONE). If not, it jumps with 01F4. If so, it tests to know which is this key: it charges 0C3 out of C S&X, then in A S&X, then takes out of C the contents of register KEY and transports these contents out of C S&X where it can compare it with the 0C3 which is now of A, this comparison being done only on digits 0 and 1.

If the two elements are not different, it is that the key in a hurry has well the code C3, which is that, guesses or will see Fig, 19, p. 68. In this case go to the cold departure.

If it is about very other touches, one finds oneself if there is no pressed key, in 01F4.

It is then time to relight the display and of going dare dare to check if flag 11 (autostart) is raised.

For that, it is necessary to read the register D, to move flag 11 in good place to be put in ST and to be tested whereas it is in position 0.

If this flag is not raised, one can finish the operations, if the flag is raised, one leaves to carry out the current user's program. But front, one carries out TONE 7 after having extinguished the display of manner of covering joint of eye.

We are then into 0204. It would be logical to however continue by 0205., in the chronology of the machine this passage was carried out before that which we have just seen. Nothing is simple I

Initially, in this passage (called CHECKRAM, test of the read-write memory) an up to date handing-over of the keyboard and mode of calculation of the CPU, then a desactivation of the peripherals and the selection of RAM 0, the registers of state, to be able to read C and check if the hot starting constant (ce169 which has been just put in A) is quite present out of C.

page 88

p. 89

If not, one immediately will make a cold departure. RCR 11 brings in S&X the address of R00, one removes 1e 1 and one is at the head of the programs. If operation is normal it must always y have at least a register, containing the END., here; the following instructions will check it.

When there is nothing opposite, a reading of register always gives a series of bits to 1 or one series of bits with 0 in all the register C But this provision can also exist in a normal register, how to know?

The HP takes the complement ofpart of the register C and writes the result in the register (to take the complement is to replace all the 0 by 1 and all the 1 by 0).

A new reading will give again the same contents, if the register is good, there will be thus at the same time of the 0 and the 1 in C.

If the register is bad, one will find the same thing as during the first reading,

The second catch additional thus will restore the contents of a correct register and will demolish that of a bad register, which is controlled with the following word. If the register is bad, one goes to the cold departure, if not, WRITE DATED restores the register in its original contents.

One gives in ST play 0 of the flags and, if the program is not in ROM, it is all,

If not one will proceed to a curious operation: to check so during the sleep of the HP crafty one did not subtilize the module in which is the pointer!

Therefore one reads the pointer out of B, one puts at 0 the 3 digits of right-hand side, does not remain thus more that the muméro of port, one places this address X000 which is that of the first word of the ROM in ADR, and one reads. If there is other thing that 0, the HP suppose that the ROM is always there and finishes its control. If there is 0 it returns the pointer at the beginning of the report programs (it is the significance of the instructions which follows).

This analysis suggests me a félonie. Does the HP check the existence of a ROM, but which? Here an occasion to go to put its nose in microcodes,

For celà, it is necessary to have a ROM having a program in language user and of another ROM having to the same address a program microcodes. I made the experiment with PPC ROM and the module X-functions.

Place in a port PPC ROM. Faites GTO " NK " then extinguish the machine and place in the place of PPC ROM module X-F.

Relight, PRGN ONE, you see 0l STO 03. There are the funny ones of things in this module! SST maintain the same display, but BST give 01 PR. Test lIST.., have fun.

page 90

p. 91

Let us return to microcodes. We approach the cold starting routine now, a shiver will run in your back! (cf fig. 3D, p. 90).

The first 7 lines put to you with the tuning fork: all to zero. one pushes then 0 in the 4 levels of pile SBR, one places the pointer Q at R = 13, but P in place is left.

All the flags are then erased and the routine of display of the error messages is called in lC6C. The following word, used by the routine indicates disaster MEMORY LOST.

07F6 validates the display, 0098 cleans the register of keyboard.

We arrive at a crucial point. The HP charges 3FF. It is the address of the highest register to be erased. HP thus envisaged already X reports! Engineers HP hesitated to choose this figure which lengthens the cold departure appreciably and failed to bring back it to 1FF, which would have saved the X-memories. Favours or disadvantage? It is necessary to make with.

C=0 WRITE DATED operates the screen which has been just validated, by erasing the indicators (BEATS, TO USE...) then the HP erases the possible 3FF registers after having invalidated the display (C=0 PRPH SLCT).

Should then be restored the default values OEF (4Ç and CV) for R00, therefore the EEC for END. (not of program) and CFA for REG.

Then we update by defect the flags.

It is necessary to raise the flag message (for MEMORY LOST) then to go to show the turn of the peripherals (under program 27E6) starting from item 6 (see VII.l E, p. 80) if they claim a service. Then remain to set up the hot starting constant 169 which will indicate that all this work was made.

To finish, we will check in 01F5 if a peripheral did not raise the automatic flag of execution (case of the reading of a magnetic card idoine). We saw that a few moments ago.

Here. It does work, this small of it?


We now will examine the operation of the " TONE ".


p. 93

You will see that the artificial TONE (postfixe higher than 9) have funny origin! (cf fig. 31, p. 92). The input for TONE is line 12D0 (after 149F). The HP has already in ST the number of tone to carry out. The HP checks that it has the right to make noise (flag 26) and benefits from it to give out of C the number of the TONE. It puts then at 0 the register T, which prepares the IBP Indeed it is the register T which controls, by its variation, the bipper. The number of TONE is again saved in ST and FF placed out of C M then in A Mr. a curious operation takes seat now. Let us not forget that the number of normal TONE is a decimal digit of O with 9. The HP thus takes its complement déci badly 9->0, 8->1, etc...

The TONE have one equal duration but a variable frequency; a cycle of high frequency TONE lasts less longer than a cycle of low frequency TONE. The number of cycles of TONE to be carried out for one constant duration is thus variable. The preceding value makes it possible to choose this number (lasted). This operation is carried out in C ms, therefore on only one digit.

Then we will choose in the table the suitable value. For that, by a very frequent procedure in the HP, we jump a data field to arrive on a POP ADR which takes address 16F2 and adds to it the number of TONE (from 0 to 9). You thus see that TONE 0 has the number of cycles 058, TONE 1: 065... This constant of duration is put in A S&X which will be used as meter.

Let us recall that we have out of C ms the height of the TONE. We thus will have various branches.

For TONE 9, C ms contains 0. When 1 is removed, one raises the flag of Curry and one jumps with 170D where one produces as many exchanges between ST and T (thus values FF and 00) that indicated in A.

There are here 3 lines to carry out, the possible minimum, therefore the possible high frequency.

For TONE 8, C ms contains 1, one thus does not jump to the premiére subtraction but to the second, one goes then in 1711. We have the same principle, but a NOP is intercallé, therefore a lower frequency.

For higher durations, a double meter is installed. The additional TONE (higher than 9) bring several observations:

- the constant of a number of cycles is taken in the order of the numbers of TONE. TONE 10 (decimal) thus takes as constant the code of the POP ADR... and so on, the duration of the TONE depends on the codes which were not planned for celà but to be used as instructions.

The value of the TONE which is in XP perhaps higher than 9. Does I do not know too how react the microprocessor when one asks him to take the decimal complement of a figure higher than 9? I did not consider it useful to carry out the test microcodes some, the experiment with the ear is enough.

page 94

p. 95


Initially a very simple example: REFERENCE MARK

This function, available on a baptized EPROM Toulrom 1D (Rom 1D made in Toulouse) has like object to recopy X in Y, Z and T in only one instruction.

This operation is usually carried out by ENTER, ENTER, ENTER, which is not well wizard and is used to use the faculty of duplication of the register T during calculations as constants: for example, if you faites1 REFERENCE MARK + + +.., you obtain a meter which adds 1 to each +. It is the system used in LB to calculate the number of free bytes.

To fulfill a function microcodes some, two ways open with you. To build to you even your function starting from the instructions of microcodes, and that is perfectly possible but asks you a perfect knowledge of those and especially a perfect analysis of the problem. Do not forget that with microcodes we work without net. In normal programming, it is always possible to make R/S if the program refuses to come out of a loop. In microcodes, if you do not test key R/S, the HP did not connait its existence.

Other disadvantage of this method, it leads to long programs.

The second method consists in making an intensive use of the modules which are obligemment provided to you by HP in the internal storage. The only trouble is that they should be known, which cannot be made, considering volume, which by a collaboration within a club, where the documents necessary are available.

It is this last method which I employ here, you will see at which point it is effective.

The function REFERENCE MARK, at least for the part which appears in I' EPROM, is limited to its name, READ 3(x) and?NC GO 10FA (cf, fig.32, p. 94).

Difficult to make simpler, not? The only made thing is of reading the contents of X and placing it in C.

But what is there in 10FA? As you see it on the figure, it is one of the points (it is not the usual entrance point) of routine CLST. This routine erases the pile by putting C at O by recopying C in the pile. I thus use only the part recopies this routine. Notice in the passing that routine CLST uses it also its colleague CLX.

More serious: XCAT

All those which have in their machine several modules like me were often exasperated by the difficulty that there is to find the ortho-

page 96

p. 97

graph of one function using the CAT 2. One of my friends measured approximately 2mn 30s for the total of a catalogue 2.

XCAT has the characteristic to begin the CAT 2 with the module which you indicate by his number XR0M. For example, 30 XCAT begin the catalogue with the card reader, who is however always with the Exxx address, before last of the memory. Then the catalogue continues normally. It is in particular possible SST and BST at will.

The program (cf fig.33) starts with its name, like usual. It reads in X the number of Rom which one wants the catalogue, translates it into binary using the internal routine BCDBIN which starts in 0È3. This routine takes a decimal number of 3 digits out of C and translates it into binary into S&X of C.

XCAT initializes then the registers C and B of the microprocessor. It places the number of the first possible module minus 1, that is to say 4, in the desired digit of C It arranges in A code XROM, replaces the pointer and starts the search of the ROM requested.

For that, it increments C with the pointer. If C exceeds F (hexa) the Carry flag is raised and the following instruction carried out: if one exceeds without to have found the ROM asked it is that it is not in memory, one thus goes in 0È0 which causes the display of NONEXISTENT. If the value with the pointer is lower than F one places (FETCH) out of C S&X the first word of the ROM tested. This word, let us recall, is to it number XROM. one compares it with the code put in reserve in A. If it is different one takes the following word which is the number of functions of the ROM tested. One accumulates this number of functions out of B, then the following ROM is tested. If it is the good ROM, one initializes the CAT 2 while placing out of P the number of jumped functions and the number of the catalogue (2) then one connects on catalogue 2 standard which starts with the premiére function of the wished ROM, in general its name. As you are in a CAT 2 standard, you have all the advantages of them: to go ahead or behind step by step, to slow down the run by pressing a key (or the accelérer on 4ÇX) all things which would have had to be even programmed you if not.

A proof of power: CHARGE (of Stéphane Barizien)

This program was created in France by a young member of PPC-T, Stéphane Barizien, which quickly became a virtuoso of microcodes. It illustrates in a bright way what I sought to show with REFERENCE MARK, i.e. the effectiveness which one can withdraw from a good use of the internal modules of the HP-41. This function is nonprogrammable, and thus can be carried out even if the machine is in mode programs. It displays LOAD --- and awaits a decimal number of 3 digits. This number given it introduces in report programs the corresponding byte. The only defect of this program, still rustic, is not to update the numbers of line, and to place the byte at the top of the displayed line. These defects could have been corrected, but by losing the so clear brevity of the program. The procedure is thus the following:

to assign with a key the function GIVES THE RESPONSABILITY,

to put itself in mode programs

to type ENTER†

to carry out with the assigned key (in mode TO USE) LOAD

to provide the code

page 98

to start again as many time than there are codes required.

When it is finished erasing ENTER†, in the process of return behind which follows, the HP renumbers the lines.

Example: ENTER†CHARGES 242, LOAD 068, LOAD 079, < -, place " C " in memory. This program is the equivalent microcodes LB. Comptez, if account of the name is not taken, 11 words! Who says better! In the program, the NOP indicates a nonprogrammable function, the bits of left of the beginning of the name caused the data entry of the decimal number to ' the display, its transformation into binary and its storage in A. the number is taken again out of C and stored in G, which, in the passing limits it to 8 bits and, therefore to 255. If you answer 300 the program takes 300-255. Load recovers then the meter of program (Pt) out of B (routine 2950, " GETPC "). Routine 29E6 (" INBYT ") inserts a byte contained in G in the program aprés to have incremented the PC 2337 (" PUTPC ") positions back the meter, it requires simple R=3. Tout.

End of the seventh chapter