So this talk regards my translation of the classic reverse engineering work of Paul Courbis and Sébastien Lalande, in a book called Voyage au centre de la HP 28 C/S. They took apart the Hewlett-Packard 28 graphing calculator, which is a predecessor to the 48, the 49 and the 50 that all RPN junkies use, and they documented everything about it.

So they started with nothing more than a physical unit and documentation for the HP 71, which was an unrelated machine that happened to use the same CPU. From that they dumped out the memory through a piezo buzzer. So they dumped ones and zeros out: one full second of buzzing for a one, one full second of silence for a zero. Recorded this to tape, fed the tapes into an Apple IIe, and then with this memory dump they started looking through it and trying to recognize things. So for example, they'd look for three one four one five nine and that would be pi, and then seeing pi they could try and go backward and figure out how all floats work. And then they began to inject things into memory and create new objects and mess with the operating system. And they documented this perfectly in a long and very technically detailed book. It's divided into three sections.
The first describes the software within the computer, or the HP 28 graphing calculator rather, and this software is described such that you can write your own machine language code. But the problem comes up that there's no assembler available for the platform. So the appendices contain tables, and you can actually, using pen and paper, write your assembly language in the left column and then use the tables to convert everything over to the individual hexadecimal entries which form the program.

So I'll be discussing the contents of the book, but because it's so technically dated, being like a hack that was performed 18 years ago, I'm focusing on the oddity of the hardware and how impressive it is that they came up with all of this using nothing more than an Apple IIe and a bit of ingenuity. Right, disclaimer: this is not my original work. All I did was translate it, and my French is not terribly good.

So this is the HP 28. It is a four-bit architecture with registers as wide as 64 bits. It's capable of doing algebra and calculus symbolically, and it was released in 1986. Within software we'll be discussing how objects work within the operating system. You don't have C compilers, so things aren't done in terms of functions and returns, and they're not held as primitives within registers wherever possible. You have an entry prefix and some other stuff that we'll describe. Then IO has to be performed, and we'll discuss how that's implemented in the hardware, followed by the contents of RAM and different tables that are used in RAM, and how video processing works; this was before video cards were available. And as there was no assembler openly available for it:
We'll discuss how they initially broke into machine language, how they first wrote programs for it and how they instruct the reader of the book to write programs for it, then their suggestions for further discoveries and resources.

There are three models: the 1BB and the 1CC, which are both labeled as the 28C. These differ not in hardware but in firmware, so entry points are different. You had the firmware compiled at HP using whatever tools were private to that organization and unavailable to the authors of this book, so in a given compile you wind up with subroutines at particular addresses. They have to be found for every different firmware; otherwise you'll jump to a location that means something entirely different from what you expect and your program crashes. The 28S only had a single revision, so if you have a 28S it's much easier to figure out which opcodes to type in.

It used the HP Saturn, which was a chip that they designed in-house, and it was documented in the HP 71B. The 71B was interesting because they published their complete internal documentation for it. You can download from the HP Museum every single page of documentation that the original designers had access to. At thousands of pages, it has schematic diagrams, it has the source code to the firmware of the 71B. It has all of this work, and it's freely published. The similar documents for the HP 28 are unavailable. I'm trying to find them; if you have any contacts with the Hewlett-Packard archival department, I would appreciate being put in touch.

It's also interesting because it's nibble-wise little-endian. On a PC you have byte-wise little-endian, so all of the bytes are backward, and to read it you have to take those bytes and then flip them around in pairs. So ABCD would become CDAB here.
It's written backward as you would read it on paper in hexadecimal. You have three different memory, it's like four different memory layouts, even though you only have two different major revisions. So they loaded the same firmware onto two units which differ slightly in hardware, so the entry points are the same, but you can have extended memory. Among the 28C the RAM grows; everything else remains at rather fixed addresses. But with the 28S there are many features that changed: the row driver waveform no longer exists, the screen timer was moved from near the bottom of memory to near the top, and no program originally designed for any of the 28Cs would ever work on the 28S.

The registers are far from the homogeneous 32 general-purpose ones that we now expect from working with RISC systems. So you've got ones of 12, 16, 1, 4, 16, 20, 64 bits in width. So for example, you have a return stack which is eight levels deep and 20 bits wide. The address space is 20 bits; 20 is not evenly divisible by eight, so every pointer on this system is not eight bytes as you would expect but instead it's five nibbles. You've got an entire register just for carry that contains nothing else, and then you have separate hardware and software status registers. You have safeguard registers which you can copy data into and out of but you cannot do anything else with, so you can't make these the source or destination of an addition. They're only used for backing things up before a quick function call or subroutine. All pointers are 20 bits wide, of course, as that's the address space.

So of course everything is in nibbles, or quartets as it's been translated, the quartet being the more formal term. So as the byte goes from zero to 255, these nibbles go from zero to F, or often they'll go from zero to nine to ease debugging. They use binary coded decimal in hardware. All floats are held in binary coded decimal so that it makes the same rounding mistakes that you would with pen and paper, and that way when you calculate
it with the calculator and you do it again on pen and paper, you wind up with the same value. And you have no problem representing one-fifth, which is very difficult to represent in a binary float.

And it's nibble-wise little-endian. So for the number one two three four, we find that in big-endian it would read just as it's written; this would be on, say, a PowerPC machine. Now, little-endian on, say, an MSP430, in which I do most of my work: the less significant byte comes first, followed by the more significant one. So if you have a pointer and you only want the least significant byte, so you want to say just find it modulus 256, all you have to do is pretend that it's a pointer to a byte. But on the HP 28 they went one step further, and it's nibble-wise little-endian, so it's written exactly backward of how you would write it as a human being.

Every object has a prologue, which is five nibbles and specifies the type. The actual values in this table aren't important to know, but it's important that they all begin with a similar prefix.
You have zero two nine nine one, zero two nine three three, and these define different objects within the system. It's not object-oriented in the modern sense of inheritance, but every value on the stack has this prefix code, has a type specified with it, and this is all carried together. If you store it to a variable you are applying a type to that variable, and that type carries over. Types include short integers, reals, extended reals, complex numbers, extended complex numbers, arrays, and two types which the authors couldn't discern but found by disassembling code. You can describe an algebraic expression as an object and then run it through the stack and add to it and subtract from it just as you would an integer, by calling the same routine. So you can call an add routine and not know what the inputs are. And the prefix is also used to imply the length, so given an entry point of an object you don't know where it ends until you use a lookup table with the object prologue.

Now, the short integer's prologue is zero two nine one one. This is of course written backward because we're nibble-wise little-endian, so you find one one nine two zero, the prefix, and then the number follows. So in the case of zero it's all zeros, but in the case of one two three four five it's of course written nibble-wise and backward.

A real number is expressed, of course, with an exponent, a mantissa and a sign. So we have the prologue, which of course is backward, followed by an exponent, say five. This has to be padded to fit the specified width, so we find five zero zero. The mantissa is pi, so three point one four one five nine. That's actually rendered backward and in binary coded decimal.
So looking in memory without doing conversions, you will recognize the same constant that you learned in elementary school. And then this is followed by a sign, which, even though it could possibly have one of sixteen values, is either a zero or one, zero being positive.

Now, all operations in this calculator are performed using reverse Polish notation. So instead of typing in three plus five times six and then having the order of operations cause the multiplication to be performed before the addition, instead everything occurs as it's seen. Wherever you see an integer or a float or whatever, a constant value, that is pushed onto the stack. Whenever you see an operator, its inputs are popped off of the stack, run through the operator, and then the result is pushed back. This takes a long time to get used to, but once you're used to it you'll never want to go back, because it allows you to, say, work with a series of numbers and flip them around, and instead of seeing a complicated version history of what you know you typed in above the command line, you'll instead see the values that are available to you. And this also allows you to completely avoid grouping symbols. You never need any parentheses unless you're trying to treat code as an object. And it's trivially easy to interpret, so it takes no effort or code space to build an interpreter for this language.

Now, given an algebraic expression like one plus ten times three, we know that the multiplication happens first, and we can draw this little inheritance tree of it.
So we see that the addition takes the one and the result of the multiplication as its inputs, and then the multiplication takes ten and three as its inputs. This can be rewritten: you can put every value between the operator that applies to it. So ten three times: as soon as the times hits, it multiplies those two together, and all we see in the calculator is 30. And then one plus: as soon as you get the plus sign it pops the 30 and the one and it returns 31 to the stack. Viewed differently, if you have input ten three times one plus, the ten is pushed onto the stack, the three is then pushed onto the stack, as soon as the multiplication hits they're combined into 30, as soon as the one hits, one is pushed on top, and then the addition combines them.

Now, despite doing everything in reverse Polish notation, the calculator still has an algebraic type. So inside of quotation marks you can say pi times ten to the fifth power and it interprets that properly. But when it's stored in memory you have your entry prologue and then you have the system in reverse Polish notation, so everything is rearranged, and inside of memory you'll see ten five power pi times. And of course this seems difficult if you're unfamiliar with it, but it's really as easy as learning your multiplication tables, or all of that stuff that we now take for granted but that we struggled with when we first saw it in elementary school or middle school or wherever. And then once you get used to this you never want to go back. It's the most efficient way to use a graphing calculator. Unix has a command line calculator that uses a similar interface, and many of us that know RPN will use it out of habit, because it's so much more work to use algebraic notation. And then of course within this, pi isn't just a letter.
It is the pi object that we saw before as a real number. You'll see its prologue of zero nine two three three at the beginning, read backward of course, followed by the exponent, which in this case is a zero, and then the mantissa and the sign.

Now, IO was always performed through infrared input and output, even though the input diode never shipped on the device. Although it had all of the hardware to do input and output and backing up files and that sort of stuff, this was never supported by the software, and it was never supported by the product after release. You could use the output to print to an infrared printer, a little thermal printer that would give you receipt paper, but you couldn't back anything up to a computer, you couldn't receive anything from a computer, and all user-added software is stored in RAM. As soon as your battery died or your program crashed, you lost everything; every program you had ever written you would have to type back in. And that's just how things were in 1986.

But by 1990 they started changing things. So they recognized that there was space on the board for a phototransistor right next to the diode. They started poking memory and they found the addresses for it. And near this piece of memory they also found timers, they found control for the contrast, they found screen-like bits so they could write a bitmapped image to a particular spot in memory. They could even change how physical rows were mapped to logical rows. So if they had a bitmap and they wanted to scroll it very quickly.
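The object layout described earlier (five-nibble prologue, padded exponent, backward BCD mantissa, sign nibble, all nibble-wise little-endian) and the "ten three times one plus" evaluation, as an added Python example that is not part of the talk or the book. The field widths (3-nibble exponent, 12-digit mantissa, 1-nibble sign) and the 10's-complement storage of negative exponents are my assumptions; the prologue and the 0/1 sign values are the talk's.

```python
# Added example (not from the talk or the book): an HP 28 real object written
# nibble-wise little-endian, as described in the talk, plus an RPN evaluator.
from decimal import Decimal, getcontext

# Real-number prologue exactly as given in the talk ("zero two nine three three").
REAL_PROLOGUE = "02933"
# ASSUMED field widths: 3-nibble exponent (the talk's "5" padded to "500"),
# 12-digit BCD mantissa, 1-nibble sign.  Sign values follow the talk: 0 = +, 1 = -.
EXP_NIBBLES, MANT_NIBBLES = 3, 12
OBJECT_NIBBLES = len(REAL_PROLOGUE) + EXP_NIBBLES + MANT_NIBBLES + 1
getcontext().prec = MANT_NIBBLES  # twelve decimal digits, like the calculator's BCD floats


def to_memory_order(nibbles: str) -> str:
    """Nibble-wise little-endian: least significant nibble first, so every field
    reads exactly backward from how a human writes it ("02933" -> "33920")."""
    return nibbles[::-1]


def encode_real(mantissa: str, exponent: int, negative: bool = False) -> str:
    """Build the nibble stream of a real object from its decimal parts.
    mantissa is the digit string with the decimal point after the first digit
    ("314159" means 3.14159); exponent is a signed decimal exponent."""
    if not mantissa.isdigit() or not 1 <= len(mantissa) <= MANT_NIBBLES:
        raise ValueError("mantissa must be 1 to 12 decimal digits")
    if not -500 <= exponent < 500:
        raise ValueError("exponent does not fit the 3-digit field")
    mant = mantissa.ljust(MANT_NIBBLES, "0")        # pad low-order digits
    # ASSUMED: negative exponents stored as 10's complement ("999" for -1).
    exp = f"{exponent % 1000:0{EXP_NIBBLES}d}"
    sign = "1" if negative else "0"
    return (to_memory_order(REAL_PROLOGUE) + to_memory_order(exp)
            + to_memory_order(mant) + sign)


def decode_real(mem: str):
    """Parse a real object's nibble stream back into (mantissa, exponent, negative),
    rejecting wrong lengths, wrong prologues and non-BCD digits."""
    if len(mem) != OBJECT_NIBBLES:
        raise ValueError(f"expected {OBJECT_NIBBLES} nibbles, got {len(mem)}")
    pos = len(REAL_PROLOGUE)
    if to_memory_order(mem[:pos]) != REAL_PROLOGUE:
        raise ValueError("not a real object: prologue mismatch")
    exp_field = to_memory_order(mem[pos:pos + EXP_NIBBLES])
    pos += EXP_NIBBLES
    mant = to_memory_order(mem[pos:pos + MANT_NIBBLES])
    pos += MANT_NIBBLES
    sign = mem[pos]
    if not (exp_field + mant).isdigit() or sign not in "01":
        raise ValueError("field is not binary coded decimal")
    exponent = int(exp_field)
    if exponent >= 500:                              # undo the 10's complement
        exponent -= 1000
    return mant, exponent, sign == "1"


def real_value(mem: str) -> Decimal:
    """Numeric value of a real object, kept in decimal so one-fifth is exact."""
    mant, exponent, negative = decode_real(mem)
    value = Decimal(f"{mant[0]}.{mant[1:]}E{exponent}")
    return -value if negative else value


OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
       "*": lambda a, b: a * b, "/": lambda a, b: a / b}


def eval_rpn(source: str) -> list:
    """Evaluate whitespace-separated RPN: a number is pushed; an operator pops its
    two inputs, applies itself and pushes the result.  Returns the final stack,
    bottom first, so "10 3 * 1 +" yields [31]."""
    stack = []
    for tok in source.split():
        if tok in OPS:
            if len(stack) < 2:
                raise ValueError(f"too few arguments for {tok!r}")
            b, a = stack.pop(), stack.pop()          # top of stack is the right operand
            stack.append(OPS[tok](a, b))
        else:
            stack.append(Decimal(tok))               # decimal arithmetic, like the calculator
    return stack


if __name__ == "__main__":
    pi_obj = encode_real("314159", 0)                # the talk's pi example
    print(pi_obj, decode_real(pi_obj), real_value(pi_obj))
    print(eval_rpn("10 3 * 1 +"))
```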
They could scroll it not by copying bits around but rather by moving the rows around. They could even overclock one of the calculators in software only. And all of these features were hidden from the original users. You could not do this when the device was manufactured, and none of the official documents admitted that such features existed. This is the printer that you could purchase, the HP 82240. You can see a graph being printed on the right and then above that some records.

The row driver waveform was used to map the lines, as I mentioned earlier, and for scrolling you can swap these line mappings instead of the actual data. If you're doing sprites, you can actually hide half of the screen and then swap it in, just as I believe Mode X did in DOS video game programming. So you have off-screen memory and then you swap that on screen, and because you're just swapping memory and not actually moving memory, you don't have to read it all in and then write it back out. This is initialized at boot to the proper settings and then it's interpreted by a software video driver. So in the 28C an interrupt will fire, and when it fires its handler will actually update the physical row that needs to be shown to the LCD lines at that moment in time.

The row driver waveform looks like this. I've covered the ones in red circles. You can see that the first physical line comes initially, followed by the first logical line, and that they're on opposite ends. So they run backward to each other. So the first and the 32nd line are adjacent, followed by the second and the 31st, and the third and the 30th. So the screen is actually updated from the top and the bottom by alternate lines working inward until they meet in the center. Wherever you see a red dot over a bit, that's the bit that gets mapped.
That's the logical line that gets mapped to a particular physical line. So for example, if we changed the red dot on the second row to the very first bit, the one on the far left, the first logical line would be shown on two physical lines, both at the top and at the bottom of the screen. Setting more than one of these bits causes the screen to scramble, I believe. You could do like a magnifying glass with that, so you could make the top half of the screen grow to fill the entire screen, and all sorts of neat little tricks.

RAM itself contains not only objects and variables and that sort of stuff, but it also holds sort of virtual IO addresses. So these are polled by a background process, and then if you write something to them, the polling process recognizes that it's not the value that it was before and it then carries out an action based upon it. Or it will write to it in the background and then you read from it. For example, there's a keyboard buffer. So when you press a key, an interrupt fires, writes that to the next key slot on the keyboard buffer, and then any user software can just watch it magically appear, because it's happening in the background, interrupting the foreground process. But at the same time it's really just RAM; this doesn't physically connect to any IO addresses. Flags, the command line, stacks and the temporary environment are all stored here.

The keyboard buffer works sort of like a clock.
You've got a circular buffer. There's a variable that marks the start of unhandled keys and the end of unhandled keys, and as keys are handled these two advance, and the two hands are sort of chasing one another. So the characters on the right side of the display, those to be treated, have not yet been handled by the operating system. Now, key end is swinging around as new characters get entered into the waiting buffer, and key start is swinging around in the same direction as keys are handled by the operating system. If things slow down to the point where one crosses the other, then you lose key events, but the system still recovers itself. And at the same time, if the key end advances past key start it then ceases to advance, knowing that everything has been handled. Doing this in a circular buffer makes sense because you can just do a modulus operation on a pointer and then increment it and never have to care about resetting it or decrementing anything. You need no conditionals.

To access machine language, there is a machine language program type at zero two C nine six, but it's not creatable by the user. So you have to bootstrap it first using a program called ASS to compose an object. This tricks the operating system into applying a particular object type before some given variables or some given hex digits. And then after that they had the LAST operation, which was a short little program that assigned the object type of machine language program. Now, it takes as its input a machine language string. This is not an assembler in the sense of a PC or a workstation or Unix; you cannot give it a human-readable program. You have to give it individual nibbles in hexadecimal and nothing else; every single character is one nibble. And it takes this machine language string and compiles it to a machine language object, which you can then execute. So you push this string on the stack, you run LAST, and then you store the resultant object to a variable, and then you can execute that variable as a
program. When you do this your raw machine code is running on the device; if you make any mistake that will cause the device to crash, you quite likely lose all of memory and have to start from scratch. This is an example of a program. You would have to type in seven six C two zero nine one C seven zero six nine C two oh and so forth, all of this, and if you made one typo that might be enough to crash your calculator. There's no debugger that allows you to single-step it; at the time there was no emulator. You're on your own. Further, some of the addresses here are unique to the particular revision of the model of the calculator that you're running, and so when you actually find the listing in the book it has this with holes in it, and you have to fill in those holes with bytes from a table in the appendix. You as a user have to assemble your own program just to type it into your calculator.

So they suggested finding further things by searching ROM, and they included string tables for things like errors, so you could look up the particular error code and then search ROM for that error. And they suggested two ways of doing it, as a sort of sign of the times. The first was to write a disassembler, and by disassembler they mean a program which gives you hexadecimal values from memory, so a memory spy; they don't really mean disassembler in the modern sense. You could write one on the calculator and then you could sort of scroll through memory, and it would show you the address on the left and the bytes on the right, and then you with pen and paper could do your analysis. They also suggested dumping it to a workstation using IO that will be described later. The latter method was the one that they used for most of their research. But they knew so little about the hardware when they started, none of it being documented and none of this having been done before, that they had to write a short snippet of machine code to spit out to the only IO address they knew, that being the piezo
buzzer. You get a full second of buzzing for a one, a full second of silence for a zero. All of this has to be recorded to audio cassette and then fed into an Apple IIe, and then you've got problems changing tapes or floppy disks. It takes days to dump it, so I mean for days this thing was buzzing in poor Sébastien's dorm room.

They then identify useful routines in memory, so like saving and loading registers, reserving room in the heap, performing garbage collection. While this isn't object-oriented in the modern sense, it did have object creation and deletion in the modern sense, and you did have a garbage collector similar to what you would have in Java. They've also identified entry points for things like a function that shows a too-few-memory error, or a beep. So if you know that something is causing you to run out of memory, you can search for the call to that function and then identify what's happening. They do flow charts for routines that they reverse engineered. So when you call the save registers function, it reserves an address in memory, then it makes sure that there's room available; if not, it attempts to garbage collect, and it only makes one attempt. Failing that, it'll continue on; if it runs out, it does the memory error.

And keep in mind that when they started they knew nothing of what was inside this machine. They didn't have a floppy disk drive.
They didn't have a debugger. They didn't have access to memory until they created it themselves, and they built all the way up to understanding how garbage collection was performed on the machine, understanding all of these different routines that were essential to the operating system. And then, instead of keeping it to themselves or doing a security exploit and publishing that, instead they documented it, and they documented it all to the point where you as a mere mortal could go through and do the same thing, and then as you start doing the simple stuff you work your way up to the more advanced stuff.

So the second part of the book discusses the hardware of the device: how to modify it, how to add new features that didn't exist as it was initially manufactured. They begin with an exterior description, then opening the machine and so forth. This is what the calculator looks like when it's opened. As you remember from the first slide, it has a keyboard on the left and the right, with letters being on the left and numbers being on the right, so you can fold the letters behind the screen if you've no need for them. All of the electronics sit beneath the screen on the top right face, and then the batteries slide into the case to the side behind it. There are no screws; they have plastic pins which are glued into one another, so you have to either drill these out or physically break them. And even after 20 years of aging they're not too keen to fall apart, so in opening this device
you're going to break a lot of it.

Once the calculator is open and you're looking inside at the board, you'll note that there are two ROM chips on the bottom right. Where all of those lines are labeled, that's the memory bus. There's B zero, one, two and three, because the fundamental unit of addressing is a nibble, so they only have to run four data lines. At the top you'll see a diode symbol for output, and you'll see two empty pads to the right of it. That's initial support for input that was never physically attached during manufacturing. And then you'll note a large capacitor with a resistance-capacitance circuit beneath it, which is used for timing. If you want to overclock this older model, you modify the inductor and the capacitor, and in that way you can change the clock.

So they first describe an external power feed so you don't have to keep buying expensive N-cell batteries, and they do this to get the user familiar with soldering and such. Immediately after that they go into overclocking: by replacing a capacitor and inductor you can speed the thing up, you can slow it down. This is necessary in the 28C; in the 28S you just run a program to do it. But the more interesting hardware modification was a replacement of the RAM of the device by actually cutting the traces of the memory bus. So they cut these gold wires, or gold traces, on the circuit board, and then they purchased memory upgrades for the HP 71, the architectural ancestor of this device for which they had full documentation. They then patch in this memory module. You can see from the pricing that 64 kilobytes would cost 150 to 300 dollars at the time that this book was published, which was four years after the calculator was first released. This was never supported by the manufacturer.
They knew at this point in history. And the IO ports were modified. It had ridiculously short range and there was no receiving phototransistor, so they got the idea that they could patch in an opto-isolator. So you've got a single chip with an infrared LED and a phototransistor embedded in silicon, so the light never escapes; there's never any optical interference. And then they just ran the lines through it in series with the original phototransistor and photodiode, so that you can have a physical cable to connect between two devices. They also did the same thing involving the buzzer, so when the buzzer fires it turns on an LED, and they use this to connect to the Apple IIe, the Commodore, many different minicomputers that you had available at the time. They came up with cartridges so that you could replace what was plugged into the infrared ports on the fly. They have schematics included for connecting this to an Apple IIe joystick, to connect the two calculators to one another. They have voltage level converters so you can run it to RS-232 and take it into your PC. And they suggested adding a joystick, motor control, a robot and a plotter. And most interesting, they suggested a telephone composer. They figured that you could make clicks with it that would work as a sort of rotary telephone. They never got around to phreaking with this, but it would be interesting to see if it were possible.

Then the book ends with appendices, and the appendices take a full third of the book. They begin by describing machine language in absolute detail. This is what you would expect in a manufacturer data sheet, as opposed to the prose that forms the first two sections of the book. They describe the Saturn microprocessor.
They describe its instructions. They have tables of error codes and objects and entry points, and for each of these they have to have it for every single revision. They had to disassemble the code of not one device but of three or four devices. And then they include a small library of programs. So if you want to, say, invert the video of your screen, if you want to overclock your calculator, they include the original source code in their own notation, then they translate that to machine language for you and include the information that you need to build that long series of hex that I showed you to type in.

So after this in history, many events happened. This book was published in 1990. Since then Hewlett-Packard came up with the much more famous 48 series. This supported memory expansion off the bat, which was first introduced by Voyage au centre. They include infrared input and output, also introduced in this book for the first time. They had a serial port, also introduced in this book for the first time. And eventually the community wrote a program called MetaKernel, which was a replacement operating system that stayed on an external memory card, sort of like Linux but for a graphing calculator. And they jealously worked on this; they'd spend days on it, and you could actually go into a particular electronic shop in Paris and purchase a memory card with this kernel loaded on it.

Later on, emulators were written. Christoph Gießelink writes one called Emu28, which can emulate the HP 28. He has another for the 28C and he has another for the 28S, so you can run this calculator today, and you can do it on your PC. He was able to build his emulator using the assistance of the book even though he does not read French, by reading the pictures, because there are so many diagrams in this and so many of them contain useful addresses, that he was able to figure out his remaining questions about how the hardware functioned by looking at the diagrams and the tables alone.

Then the HP 49 series
came out, including native support for algebra and all sorts of the things that are necessary in the modern market. It has an SD card slot. My HP 49 has two gigabytes of storage, not that I'll ever need it, but it's certainly helpful to be able to go beyond the original memory. It supports a USB port, which is powered by a USB-to-serial chip, infrared, serial and all of that stuff. It has an ARM CPU which emulates the original Saturn. After the very first HP 49 they could no longer justify fabbing their own chip for this, but it was impossible for them to rewrite the software on their modern budget, so they built an emulator, and the official device that you buy today is an emulator of the classic device that you would have purchased a decade ago. It being ARM, though, some enterprising folks ported GCC, so you can compile a C program on your workstation, write it to an SD card, copy it over, then execute it, and it has full access to everything in the ARM device as well as access by proxy to things within the emulated Saturn device. And then MetaKernel became the official operating system. So when you turn on a modern HP 49 or 50g there's a splash screen for MetaKernel, the image of which looks more like something that you'd find at DEF CON than something that you would find in Hewlett-Packard, and that's because they took this hacker operating system and they made it their official one, being unable to reproduce all of its features.

The TI calculator hacking came into vogue, and overclocking was performed by the same method, optionally cutting off a capacitor. And the next step will be the Texas Instruments Nspire calculator. It's completely locked down, DRM on everything; you cannot run any machine code, you cannot run any games, no ROM dump is available, and serious work is just beginning on this. So it's a sort of next step in this chain that stretches back to 1990. So I hope you've enjoyed a little history lesson.
It's a departure from the MSP430 stuff that I usually speak about. But do you have any questions?

Yes? It's on your DEF CON CD. I've finished 60 to 70% of it. It's not complete and it's rather rough, but it's typeset in LaTeX. You get a bilingual PDF containing both a copy of the French and the English translation for each paragraph. If you natively speak French, or, like myself, you can suffer through it. The original documentation is available at courbis.fr; that's C-O-U-R-B-I-S.

Any other questions? Yes, again? Because this book first came out in French, they had a head start, and then the authors later came out with a book on the HP 48. So because this work was originally done in French and it took so long to be translated into English, a good 20 years or so, it set us behind here in the States, and many of the good HP calculators are from outside of France. But you're right in that the majority are French and then German.

Any other questions? If I can't see you, just speak out. All right. Well, thank you for your time. I'll be in room 115 by the vendor area for any one-on-one questions. Thank you.