To: TONY DUELL

From: Tony Duell <ard_at_p850ug1.demon.co.uk>
Date: Wed Jan 29 17:44:00 2003

> What undocumented instructions in HP calculators...
> Got an example

Well, I think we can safely ignore the HP49G, since the 'manual' supplied
with that machine is a total joke, so just about all the functions are
undocumented!

OK, the classic example is the HP41 series. User programs are stored as a
series of bytes -- for example SIN is 59h, CLX is 77h, etc.

Some instructions -- those which take an operand, like STO, are 2 bytes
long (OK, and some are even longer). STO 32 is stored as 91 20 -- the
first byte means it's a STOre instruction, the second is the register
number (20h = 32d).

It turns out that not all possible second bytes are used in all
instructions. For example, STO officially takes 0-63 (registers 0 to 99),
70-74 (the 4 stack registers and LASTX), 80-E3 (indirect 0 to indirect 99)
and F0-F4 (indirect stack and LASTX).

If you manage to get the other possible values for the second byte into
program memory, then interesting things can happen. Values 64-6F access
registers 100 to 111 _directly_ (officially you have to access them using
indirect addressing). More interesting, values 75-7F access registers
that you shouldn't be able to access -- the 56 flags, the alpha register
as 4 separate 'normal' registers, the user program subroutine stack, the
key assignment flags and the system memory partition register.

The trick, of course, is to get those values into program memory in the
first place. You either exploit bugs in the HP41 OS which allow you to
edit memory you shouldn't, or you play tricks with deleting programs that
are running and then return to them (the machine gets confused, and tries
to execute other areas of memory -- specifically the 'buffer area' as a
program -- if you've carefully set an alarm with the right 'text' then
you can assign these new functions to a key, and then use that assigned
key to enter them into program memory).

Or you can load them from barcode, disk, tape, cards, RS232 interface, etc.

There were some 3rd party ROM modules that let you type these
instructions directly -- my favourite is the ZenROM. In some ways this
takes all the fun out of it, though.

This was called 'synthetic programming' since the main way to enter such
codes was to synthesise them from parts of other, typeable,
instructions. I think every HP41-owning hacker has tried it at some point.

Older, simpler, HP calculators had all instructions stored as 1 'word'
(often 8 bits, but 6 bits on the HP65). Not all possibilities were used
-- the HP67 has, IIRC, 250 documented instructions. The other 6 do
something, but I can't remember what. Similarly on machines like the HP34C.

You can also play games with non-normalised numbers (numbers where
either the most significant mantissa digit is 0, even though the number
is not 0, or more interestingly, numbers with illegal BCD digits). Again,
HP didn't ever document this (other than a cryptic comment in the HP41
HPIL Development ROM manual that said some functions would move data
around without normalisation).

To get these illegal bit patterns into memory on the older machines you
either used a 'phase 1 interrupt switch' (which disconnected the phi_1
clock line from the memory chips), or a 'black box' (a variable resistor
in series with the battery pack, you reduced the voltage until the
machine went crazy).

Another example of undocumented functions, this time perfectly normal
ones is the extended I/O ROM for the HP75. It's got a whole lot of
'extra' non-I/O related functions in it that don't appear in the manual.

There must be many more examples (an obvious one is programming the HP41
in NUT machine code, which needs a special memory box) but that will do
to start with.


> Yours Truly
> Dean Lampman

Hang on... That name sounds familiar. Should I associate you with the
HP65 or something?

-tony
Received on Wed Jan 29 2003 - 17:44:00 GMT
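
An added example, not part of Tony's message: a small Python scanner that walks HP41 program bytes and flags STO operands outside the officially documented ranges, using only the opcodes and ranges quoted in the message. The function names and the sample byte string are constructed for illustration; an opcode the message does not describe is reported and ends the scan, since its length is unknown.

```python
# Added example: classify the operand byte of an HP41 STO (opcode 91h) using
# only the ranges given in the message above. All names are hypothetical.
STO = 0x91
ONE_BYTE = {0x59: "SIN", 0x77: "CLX"}  # the only one-byte opcodes the message names

def classify_sto_operand(b):
    """Return (documented, description) for the second byte of a STO."""
    if 0x00 <= b <= 0x63:
        return True, f"register {b}"
    if 0x64 <= b <= 0x6F:
        return False, f"register {b} accessed directly"
    if 0x70 <= b <= 0x74:
        return True, "stack register or LASTX"
    if 0x75 <= b <= 0x7F:
        return False, "system register (flags, alpha, subroutine stack, ...)"
    if 0x80 <= b <= 0xE3:
        return True, f"indirect via register {b - 0x80}"
    if 0xF0 <= b <= 0xF4:
        return True, "indirect via stack register or LASTX"
    return False, "operand value not listed in the message"

def scan(program):
    """Walk program bytes; return [(offset, text, documented)] per instruction."""
    out, i = [], 0
    while i < len(program):
        op = program[i]
        if op == STO:
            if i + 1 >= len(program):
                out.append((i, "STO with missing operand byte", False))
                break
            ok, what = classify_sto_operand(program[i + 1])
            out.append((i, f"STO {what}", ok))
            i += 2  # the operand is consumed here, so 91 77 is never read as CLX
        elif op in ONE_BYTE:
            out.append((i, ONE_BYTE[op], True))
            i += 1
        else:
            # Length unknown: stop rather than guess and mis-align the stream.
            out.append((i, f"opcode {op:02X}h not covered here", False))
            break
    return out

def synthetic_offsets(program):
    """Offsets of instructions that fall outside the documented encodings."""
    return [off for off, _, ok in scan(program) if not ok]

# Constructed sample: SIN, STO 32, CLX, STO with operand 7Dh, STO with operand 64h
SAMPLE = bytes([0x59, 0x91, 0x20, 0x77, 0x91, 0x7D, 0x91, 0x64])

if __name__ == "__main__":
    for off, text, ok in scan(SAMPLE):
        print(f"{off:02d}  {text}{'' if ok else '   <-- undocumented'}")
```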
