From: ftg0673@tamsun.tamu.edu (Rick Grevelle) Subject: HP48 HACKIT Library w/ Bank Shifting Lines: 557 This is an enhanced version of the HACKIT thing. It includes several new features which further facilitate hacking in the 48, and are as follows: o Multifunctional PEEK will now allow the normally hidden 32k of ROM to be peeked. When flag 14 is clear the 32k of memory between #70000h and #7FFFFh is RAM. When the flag is set this is shifted to #F0000h through #FFFFFh, and #70000h through #7FFFFh becomes what was previously covered by RAM; this configuration is identical to that of the built in memory scanner. o Bank switching capabilities have also been incorporated in the SEEK scheme, functioning exactly as described in the PEEK routine. o DIR-> is a new addition to the OUT-> command; it allows a directory in level 1 to be decomposed on the stack in to its constituent parts. Due to this change, it's not necessary to include the RCLDR scheme in the library as it was added to the original HACKIT post only after all first attempts to produce a successful DIR-> had failed. o Flags -28 and -29 have now been combined into one flag, 15. This flag affects the way in which the ->ASCI, and ASCI-> routines handle code objects. Currently a ->STR, and STR-> scheme is being conceived that will provide a superior editing scheme for queer objects. At the risk of being reiterative, I'm including an improved version of the documentation which appeared in the original posting of this library. It should be a bit more articulate, and contain examples for those whose time is allowing. Much work still remains to be done regarding the completely bullet proof hacking library, but since all the fun seems to be in getting there, hopefully it will take a long time. A final word of caution; do *not* attempt to implement a bank shift using either PEEK, or SEEK, if this library is stored in port 0, or anywhere in the address space being displaced. This means both of the 32k banks that are affected by setting flag 14 are off limits, as far as this feature is concerned, for the storing of this library. Should there be any question about this, or anything else, feel free to call, or write, and I shall be glad to provide any answers of which I might be capable :-). Rick Grevelle (409) 774-1169 ftg0673@tamsun.tamu.edu HACKIT ============================================================================== HACKIT is a library of utilities designed to facilitate hacking in the HP48SX. The fourteen programs it contains were conceived for two fundamental purposes: o Exploration, documentation, and accessing of the machine code, and RPL operating system contained in the 48's vast ROM. o Construction, and manipulation of the various object types not supported by the 48's editor, user language commands, functions, or operations. ->ASCI This is a generalized binary-to-ascii conversion scheme that returns a string of hexadecimal characters which are the equivalent internal representation of the argument. When USER FLAG 15 is set both the prolog and the length of code objects are truncated meaning that the result string contains in-line machine code only. When this flag is clear, which is the default, truncation does not occur. All other object types are unaffected by the flag setting. ASCI-> Reversing the result of the previous routine is made possible with this scheme, which converts ascii-to-binary, taking as its argument a string of hexadecimal characters. When USER FLAG 15 is set all strings are treated as in-line machine code, whereby a code object would be the result. When flag 15 is clear one of two things happens depending on the string argument itself, and is explained in the following summary. IMPORTANT POINTS o The above routines were intended to provide a means for *toggling* stack objects back between their internal string representation and immediately executable form, which means ROM objects must be dealt with differently. An important attribute associated with these two schemes is their ability to differentiate between ROM and RAM objects. o When an argument taken by the ->ASCI routine is a ROM object, a character string representing the five nibble address where that object is located in ROM is returned. Strings containing only five characters that are used as arguments for ASCI-> are treated as pointers; solitary prologs are not permitted though (i.e. "D9D20", "C2A20", "11920"). Future versions should be more than capable of dealing with such complexities as this. o Spaces and newline carriage returns are allowed in strings that are to be converted by ASCI->. This helps to alleviate some of the confusion when looking at long strings of hexadecimal characters in that spaces can now be used to separate groups of characters, and newline carriage returns to segment the string into several lines when editing. o Any object encoded using ->ASC can be unencoded using ASCI->. There's no longer a need for these silly schemes to delete newline carriage returns, or calculate a new checksum to tack onto an ->ASC encoded object that has been altered in order to get ASC-> to work. ->ASC, and ASC-> were written to provide a safe means of transferring data, and not for hacking. It is therefore not recommended to use these two schemes in place of ->ASC, and ACS->. o ASCI-> performs equally well on strings of odd number lengths because the RPL segments of the program correctly utilize the block allocate routine at #61C1Ch. But because of its very nature, it's still quite possible to suffer a memory loss from abusing this routine; so be careful. Example: Construct the DUP command from it ASCII string representation. _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: | |3: | :3: | |2: | |2: | |1: "78BF1"| |1: DUP| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 1) Enter the string "78DF1". 2) Implement ASCI-> to obtain the command DUP. SCRC Calculates the checksum of a string of hexadecimal characters as if they were in immediately executable form. So objects which have been converted to their internal hexadecimal character string form (ASCII) using ->ASCI will have the same checksum when SCRC is used on the ASCII string, as they would have had in their binary form using the BYTES command. This allows queer objects such as libraries and backups that contain checksums which do not include the complete data structure to be altered, or even constructed from scratch, in the 48. So for an example a trivial backup object will be built utilizing SCRC, ->ASCI, and the ASCI-> routines. Example: Build a backup object named "Hex" containing the hexadecimal integer, # 123456789ABCDEF0h. o Construct the backup object's appropriate name. _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: | |3: | |3: | |2: | |2: | |1: 'Hex'| |1: "84E2030845687"| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 1) Enter the name 'Hex'. 2) Implement ->ASCI on the name. _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: | |3: | |3: | |2: | |2: | |1: "30845687"| |1: "3084568730"| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 3) Edit the string to delete 4) Concatenate "30" by using the first five characters. the plus (+) key. o Prepare the backup object's contents for concatenation. _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: | |3: | |3: | |2: "3084568730"| |2: "3084568730"| |1: # 123456789ABCDEF0h| |1: "E4A20510000FEDCBA..| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 1) Enter the integer data. 2) Implement ->ASCI once again. o Make final preparations for checksumming. _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: | |3: | |3: | |2: | |2: "3084568730E3A2051..| |1: "3084568730E4A2051..| |1: "33000"| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 1) Concatenate the previous 2) DUP the result string, and two result strings using use SIZE to obtain its size. the plus (+) key again. Add 15 to the size, convert the result to a hexadecimal number, and enter backwards as a five character string. _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: | |3: | |3: | |2: | |2: "330003084568730E4..| |1: "330003084568730E4..| |1: "119200"| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 3) Perform a SWAP, and using 4) Append the string "119200" the plus (+) key, prepend to the end of the string, the length onto the front DUP the result, and using of the string. SCRC calculate the object's proper checksum. o Make final preparations for coverting the string. _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: | |3: | |3: | |2: "330003084568730E4..| |2: "26B20"| |1: "0B41"| |1: "330003084568730E4..| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 1) Enter the four hexadecimal 2) Enter the prolog for the characters of the checksum backup object backwards, backwards in a string, and and perform another SWAP. append this to the string for which the checksum was calculated. _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: | |3: | |3: | |2: | |2: | |1: "26B20330003084568..| |1: Backup Hex| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 3) Prepend the prolog using 4) Convert the string using the plus (+) key one last ASCI-> to its binary form. time. SEEK Appearing first in his Processor Notes, SEEK is in fact a modified version of Alonzo Gariepy's FIND routine. SEEK was specifically modified to run in the 48; it's one third the size of the original version for the 28, and should run a bit quicker too. Alonzo's predominately register, rather than memory oriented algorithm remains unchanged. Recall the overall increase in speed was only about 10% over that of the brute force approach, which he attributed to an increased time spent in the looping structures. Because it demonstrates several programming features specific to the 48, I've taken the liberty of renaming the routine. The way to use this program is to specify a memory pattern and a place to start looking. A memory pattern can be sequence of up to fifteen nibbles, and a one nibble length (one minus the number of nibbles in the pattern). An application for SEEK could be to locate the occurrences of the instruction 808C in memory. To do this enter # C8083h in level two, and a starting place such as # 0h. All that remains to be done is to implement SEEK, and to continue doing so to find any subsequent instances. This is because the result returned will be a binary integer which is the address one higher than where the pattern exist in memory. IMPORTANT POINTS o Bank shifting capabilities have been incorporated into SEEK, allowing the normally hidden 32k bank of ROM to be searched. With USER FLAG 14 clear, the 32 kilobytes of memory between #70000h, and #7FFFFh, is RAM. Setting flag 14 shifts the RAM to #F0000h through #FFFFFh, and reconfigures what was previously hidden ROM in its place. o This version does not stop until it finds an instance, or scans the entire address space. So even though the routine is fast, due to the size of the 48's address space, matching certain patterns could take several seconds. Example: Determine the first occurrence of the ARRAY prolog, # 029E8h, in the normally hidden 32k bank of ROM. (flag 14 set) _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: | |3: | |3: | |2: # 29E84h| |2: # 29E84h| |1: # 70000h| |1: # 72001h| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 1) Enter the bit pattern with 2) The result returned is the the number of nibbles minus one higher than where the one, and the address where actual pattern was found. to begin searching. PEEK Speed is still an essential attribute of this dual functioning PEEK. Only the variable length version will slow slightly when large result strings hundreds of characters long are returned. The routine is smart enough to know which of the PEEKs to implement based on the arguments it's given. When string results are preferred, level two should contain a binary integer that's the address to be peeked, while level one should be a real number representing the length of the result string. The bank shifting features as described in SEEK scheme are also available in this version of PEEK; an example follows. Example: Using PEEK and ASCI->, recover the message array from the hidden ROM found in the previous example. (flag 14 set) _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: | |3: # 29E84h| |3: | |2: # 72000h| |2: # 29E84h| |1: 641| |1: Array of String| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 1) Subtract one from the above 2) Now implement ASCI-> on the result, enter the number of result to obtain the ARRAY. nibbles to be returned, and implement PEEK. POKE Complimenting PEEK is this dual functioning variable length POKE scheme which will accept either a string of hexadecimal characters, or a binary integer for the level two argument that represents the data to be poked. Level one should be a binary integer that is the address to poke. It is important to note that when the level two argument is a binary integer, the wordsize of that specific integer will be used to determine the number of nibbles to poke, and isn't in any way dependent upon the current wordsize returned by RCWS. OUT-> Multifunctioning OUT-> encompasses several of the object types on which OBJ-> will not work. In addition, and analogous to the LIST-> command, ALG-> and PRG-> are intended to function on algebraics, and programs. ARR-> functions identically to ARRY->, but works on all the various array types such as the array of string, algebraic, list, etc. DIR-> decomposes a directory that is in level one into its constituent parts. XLIB-> has also been included; it decomposes visible, and hidden XLIBs into their library and command numbers. Example: Decompose the Array of String obtained in previous example into its constituent parts. _________________________ _________________________ |{HOME} | |{HOME} | |-----------------------| |-----------------------| |4: | |4: "Try To Recover Me..| |3: | |3: "Replace RAM, Pres..| |2: # 29E84h| |2: "No Mem To Config ..| |1: Array of String| |1: { 16 }| |### ### ### ### ### ###| |### ### ### ### ### ###| ------------------------- ------------------------- 1) Using the array obtained 2) Recompose the array again in the previous example, by using the ->ARR routine. implementing OUT-> will The result will look like reveal the strings. that of frame 1). ->ALG Be careful with this one; the stack arguments must be in strict RPN order. As before, ->ALG is analogous to ->LIST, only the result is an algebraic, rather than a list. ->ARR This is my version of ->ARRY; it will build an array of any kind providing all stack arguments are of the same type. (i.e. strings, reals, algebraics, etc.) It functions identically to ->ARRY, except that real and complex numbers can't be mixed. Level one can be either a real number, a list containing a real, or a list containing two reals that is the size the resulting array is to be. ->DIR Builds a directory from the stack on the stack. Level one must contain a real which is the total number of variables that the directory is to contain, level two a global name, and level three the contents of that global name. Because the entire process utilizes dynamic RAM, it is relatively fast for moderately sized directories, but slows substantially on very large ones. Using both the DIR-> feature found in the OUT-> command along with this routine, a directory on the stack can be effectively toggled between its constituent parts, and its composite form. ->PRG Functions identically to ->LIST, only the result is a program, and not a list. ->XLIB Builds an XLIB from two stack arguments. Level two can be either a real number or a binary integer that's the number of the library to which the XLIB belongs. Level one must be the same argument type as level two and should be the command number of the desired XLIB. ADDR Returns the address where the following stack arguments are located in memory: any ROM object, any XLIB belonging to a library stored in a port, any TAGGED that's either a BACKUP object or a LIBRARY stored a port. One final attribute associated with ADDR that merits mentioning, regards those XLIBs that belong to the three intrinsic ROM libraries with a link table. This routine can just as easily locate these address, as it can those in port memory. Even if the memory location happens to be that of the hidden ROM, ADDR will determine its address. RCLIB This multifunctional routine is to a library what RCL is to a directory. RCLIB will recall a library as a fully operational directory. All that is necessary to do is to put either the library's name or (real) number in level one. Again this is slowed greatly on very large libraries. RCLIB will work on any library including ROM (i.e. 2, 240, 1792). Finally, the contents of any library's XLIB can be recalled to the stack; simply put the appropriate XLIB in level one, and the result will be comparable to using RCL on variable stored in a directory.