[ HP41 machine code, etc]
Where does the synthetic programming fit in? I thought it was
a case of creating machine language code in RAM. And I remember
it being based on some ugly tricks, rather than an external device.
No, synthetic programming is not machine code.
Let me try to explain.
The HP41 is based round a custom HP processor called a 'NUT'. It's a
bit-serial device with 56 bit registers and 10 bit instruction words.
In the HP41 there's 12K words of ROM containing (in part) an interpreter
program. This program interprets user programs which are stored as
sequences of bytes in the user RAM (7 bytes to a 'register'). For
example, according to the quick reference card I've just picked up,
RCL 33 90 21
PI 72
* 42
SIN 59
RTN 85
The numbers on the right of each line are the hex codes for the user
program instructions on the left. They are _not_ NUT machine code,
though.
Now synthetic programming is basically creating 'unusual' combinations of
those hex codes. For example, as given in the program above, the RCL
(recall a number from a user data register) instruction takes up 2 bytes.
The first one is $90, the second one encodes the register number. The
HP41 allows you to enter 4 different types of RCL instruction:
RCL 00 ... RCL 99 (normal recalls) which are encoded as 90 00 to 90 63
(OK, I am deliberately missing out the 'short form recalls' to avoid
confusing everyone. If you don't understand this comment, it doesn't matter)
RCL IND 00 ... RCL IND 99 (indirect recalls), encoded as 90 80 to 90 E3.
The high bit of the register number is set to indicate it's an indirect
address
RCL T, RCL Z , RCL Y, RCL X, RCL L (Stack recalls), encoded as 90 70 to
90 74.
RCL IND T ... RCL IND L (indirect stack recalls), encoded as 90 F0 to 90 F4
So far, so good. But of course there are several 'second bytes' not
covered by that. You can't enter such instructions directly from the
machine's keyboard, but what happens if, say, the instruction 90 65 is
executed? The answer is that it does a RCL 101 (recalls register 101),
in other words the interpreter program doesn't do any range checking.
This is nice (normally the only way to access register 101 is to use an
indirect address), but it's not essential.
More interesting, though, are 90 75 to 90 7F (and their indirect
equivalents). The thing is that the 5 stack registers, which can be
accessed using the second bytes 70-74, are actually the first 5 registers
of a 16 register area (on the very first HP41Cs it was a separate RAM
chip) called the 'status registers'. Other registers in that area include
the user text (Alpha) register (4 actual registers long), the
user/system flag register, user program subroutine stack, and so on.
Now, amazingly, 90 75 to 90 7F recall those registers (and, since 91 is
the code for a STO (Store) instruction, 91 75 to 91 7F let you store
things in said registers). So you can change normally protected flags,
fiddle around with the Alpha register, and so on -- things you can't do
any documented way.
The only problem is entering those extra instructions. You can't type
them on a normal HP41 keyboard. Synthetic programming is basically the
techniques for entering them. One trick is to make up the sequence of
bytes you want using 2 other instructions, like this:
RCL IND 17 90 91
RDN 75
Both those lines can be entered normally. And then, by exploiting a bug
in the HP41's ROMs, 'grab' the first byte of the first instruction,
whereupon it becomes part of a text string in the program. You are then
left with the sequence 91 75 in program memory. Delete said text string,
and you have the instruction you want.
So yes, you can do this on an unmodified HP41 (any model, but it doesn't
work on the HP41 emulator for the HP71, or on the HP42S). But it's not
true machine code.
-tony
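
The encoding described in the message above, as an added example (not part of the original post and not HP's code): a small decoder for the user-code bytes the post lists, showing how the same three bytes read differently once the first one is removed. The `STATUS[n]` label is made up here for the unnamed status registers, and treating every second byte from 64 to 6F like the post's 90 65 case is an assumption.

```python
# Added illustration: a tiny disassembler for the HP-41 user-code bytes
# quoted in the post. It covers only the opcodes the post lists.

ONE_BYTE = {0x72: "PI", 0x42: "*", 0x59: "SIN", 0x85: "RTN", 0x75: "RDN"}
TWO_BYTE = {0x90: "RCL", 0x91: "STO"}
STACK = ["T", "Z", "Y", "X", "L"]          # second bytes 70-74


def decode_operand(b):
    """Return (operand text, True if not enterable from the keyboard)."""
    indirect = "IND " if b & 0x80 else ""   # high bit marks an indirect address
    reg = b & 0x7F
    if reg <= 0x63:                         # 00-63: registers 00-99
        return f"{indirect}{reg:02d}", False
    if reg <= 0x6F:                         # 64-6F: no range check, e.g. 65 -> 101
        return f"{indirect}{reg}", True     # (assumed to hold for all of 64-6F)
    if reg <= 0x74:                         # 70-74: stack registers
        return f"{indirect}{STACK[reg - 0x70]}", False
    # 75-7F: rest of the 16-register status area (STATUS[n] is our own label)
    return f"{indirect}STATUS[{reg - 0x70}]", True


def disassemble(code):
    """Decode a byte string into (mnemonic, is_synthetic) pairs."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op in TWO_BYTE and i + 1 < len(code):
            text, synthetic = decode_operand(code[i + 1])
            out.append((f"{TWO_BYTE[op]} {text}", synthetic))
            i += 2
        elif op in ONE_BYTE:
            out.append((ONE_BYTE[op], False))
            i += 1
        else:                               # opcode not covered by the post
            out.append((f"?? {op:02X}", False))
            i += 1
    return out


if __name__ == "__main__":
    keyed = bytes.fromhex("9091" "75")      # RCL IND 17 / RDN, as in the post
    for label, code in (("as keyed", keyed), ("first byte removed", keyed[1:])):
        for text, synthetic in disassemble(code):
            print(f"{label:>18}: {text}{'  <- synthetic' if synthetic else ''}")
```

The decoder has no state beyond its position in the byte stream, so shifting the starting point by one byte is enough to turn two keyable instructions into one that the keyboard cannot produce.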