
I was trying to map out the opcodes for the TMS9900 and finally noticed an instruction format X in the E/A manual on page 242.  At first I thought it was a typo, that they had left off the preceding "I" for a format IX, but IX is back up on the same line as format III.  On closer inspection I found the binary shown,

 

X                  |0  |0  |0  |0  |0  |0  |1  |1  |0  |0  |1  |          REG          |

                    |          0        |          3        |          2        |

falls neatly into a blank space in the opcode map with its 5 bit wide reg field.  In hexadecimal it is >0320  -  >033F.  I think probably this space is used on another, probably previous, TI processor, and that this table was copied over from a previously published manual, without deleting the unused format X.  Does anyone have any knowledge about this?  Is there possibly an undocumented opcode in here?

 

Thanks,

HH

  • Like 2


How observant of you! I never spent much time on that particular page. 

 

Page 65 states there are 9 formats. I couldn't find anything about this otherwise.

I also looked on the blue "Quick Reference Card", but found nothing relevant either.

 

X                  |0  |0  |0  |0  |0  |0  |1  |1  |0  |0  |1  |          REG          |
                    |          0        |          3        |          2        |


If the register field is really 5 bits wide, then might not field 3 be considered a 1 rather than a 2? :evil:

  • Sad 1

5 hours ago, HOME AUTOMATION said:

How observant of you! I never spent much time on that particular page. 

 

Page 65 states there are 9 formats. I couldn't find anything about this otherwise.

I also looked on the blue "Quick Reference Card", but found nothing relevant either.

 

X                  |0  |0  |0  |0  |0  |0  |1  |1  |0  |0  |1  |          REG          |
                    |          0        |          3        |          2        |


If the register field is really 5 bits wide, then might not field 3 be considered a 1 rather than a 2? :evil:

I also found that the rest of the manual only claims 9 formats.  If the opcode shown hadn't fallen so neatly into the empty spot in the opcode map I wouldn't still be looking at it.

 

A 1 rather than a 2?  I don't see how myself, unless of course it is a typo as I suggested in my original post.  In the book, Editor/Assembler, you can see there are 6 0's, 2 1's, 2 0's, and a 1.  That's 11 bits, leaving 5 bits that are designated "REG".  Anyone who doesn't have the book can have a look for themselves here:

 

https://archive.org/details/TI994a_Editor_Assembler_Manual/page/n242

 

There is a single format 10 instruction listed on Wikipedia for the TMS990 called LMF.  I'm looking through a manual on the 990 now.  I think it's going to be something for the later versions, /10 - /12.  I'll post it when I find it. 

  • Like 1


Just a thought here, and I may be off base. 

 

You could use some DATA constructions to construct what you may believe is an opcode and operand(s), and I believe it is the NMI on the 9995 in MDOS mode you could then use to capture an illegal instruction.

 

You would need to do it on real hardware, not an emulator as the emulators only know about published opcodes.

 

Beery

 

2 hours ago, BeeryMiller said:

You could use some DATA constructions to construct what you may believe is an opcode and operand(s), and I believe it is the NMI on the 9995 in MDOS mode you could then use to capture an illegal instruction.

I only have TI99/4A consoles.  I don't think any of the TI99/4As were made with anything but TMS9900s in them.  I am certain that none of mine were.  In fact, my recollections are telling me that only the Geneve has the TMS9995, and I don't have one of those.


I'm currently away from my Geneve. I once showed you my Guru Meditation that could be used here:

 

Load this code in GPL mode, then another program with this command, and run it. You should then get the "Guru meditation" if the command is invalid (using the Macro Instruction Detect (MID) of the 9995).

 


OK, it is the MID I was thinking of, not NMI. Wrong three letter abbreviation.  I figured if the instruction were on one processor the 9900, it would likely be on the 9995 as well.

 

Unfortunately, if you do not have a Geneve (not emulation), you would not be able to test.

 

Beery

 


Here is the code. You just have to load it (E/A 3 or CALL LOAD); there is nothing to be executed. Then you can continue as usual, e.g. load another program with a test instruction. When an invalid instruction is found, you should get the "Guru meditation".

guru.dsk

 

Edit: Of course, this will only detect the invalid instructions of the 9995, and this processor already defines four instructions not included in the 9900 (LST, LWP, DIVS, MPYS).

Edited by mizapf
  • Like 1


It's the LMF instruction - Load Memory Map File - opcode 0320 - from the 990/10 and 990/12 processors. They have 21 instruction formats - ouch!

  • Like 1

19 hours ago, hhos said:

I was trying to map out the opcodes for the TMS9900 and finally noticed an instruction format X in the E/A manual on page 242.  At first I thought it was a typo, that they had left off the preceding "I" for a format IX, but IX is back up on the same line as format III.  On closer inspection I found the binary shown,

 

X                  |0  |0  |0  |0  |0  |0  |1  |1  |0  |0  |1  |          REG          |

                    |          0        |          3        |          2        |

falls neatly into a blank space in the opcode map with its 5 bit wide reg field.  In hexadecimal it is >0320  -  >033F.  I think probably this space is used on another, probably previous, TI processor, and that this table was copied over from a previously published manual, without deleting the unused format X.  Does anyone have any knowledge about this?  Is there possibly an undocumented opcode in here?

 

Thanks,

HH

Is this the Geneve development forum now?  I hope I'm not the only one in here that hasn't moved on to the Geneve.😁  I'm still talking about the TI99/4A.  I found my own answer at:

http://bitsavers.trailing-edge.com/pdf/ti/990/945250-9701_990_Computer_Family_Systems_Handbook_3ed_May76.pdf

 

It's on page 97 at the top.  These opcodes at >0320 to >033F come from the TMS990/10.  They were added, as an option, to that computer in order to make 1MWords of memory available.  The mnemonic for it is LMF.  The M bit designates the memory map to load, 0 or 1, and the REG is the register that points to the 6 word map, or source data (SD), to load.

X                  |0  |0  |0  |0  |0  |0  |1  |1  |0  |0  |1  |M  |        REG        |

                    |          0        |          3        |          2        |          SD         |

 

This is not a TMS9900, nor TMS9995, opcode.  On the 990/10+'s LMF is used only when the CPU privilege bit (bit 7,ST) is 0.  This was definitely pasted into the E/A manual by mistake. 

 

Thanks,

HH

  • Like 3
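
Added example (not part of hhos's post and not TI code): a Python encoder/decoder for the format X layout given above, with 11 fixed bits, the M bit and a 4-bit REG field, covering >0320 to >033F. The function names, the sample words and the >A000 origin are constructed for illustration; the `LMF Rn,m` operand order follows the listing posted later in the thread.

```python
"""Encode/decode the 990/10 LMF word (format X) from the layout in the post."""

FIXED_MASK = 0xFFE0   # TI bits 0-10 (bit 0 is the MSB): the fixed pattern
FIXED_BITS = 0x0320   # 0000 0011 001x xxxx
M_MASK = 0x0010       # TI bit 11: which memory map to load (0 or 1)
REG_MASK = 0x000F     # TI bits 12-15: register number


def encode_lmf(reg, m):
    """Build the word for 'LMF Rreg,m' (hypothetical helper)."""
    if not 0 <= reg <= 15:
        raise ValueError("register must be 0..15")
    if m not in (0, 1):
        raise ValueError("map file must be 0 or 1")
    return FIXED_BITS | (m << 4) | reg


def decode_format_x(word):
    """Return (m, reg) if word lies in >0320..>033F, else None."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("not a 16-bit word")
    if (word & FIXED_MASK) != FIXED_BITS:
        return None
    return (word & M_MASK) >> 4, word & REG_MASK


def flag_format_x(words, origin=0):
    """List (address, word, text) for every word in the format X range.

    The post states these are not TMS9900 opcodes, so a 9900 listing
    shows them as DATA; the text records how a 990/10 would read them.
    """
    hits = []
    for i, word in enumerate(words):
        fields = decode_format_x(word)
        if fields is not None:
            m, reg = fields
            hits.append((origin + 2 * i, word, f"LMF R{reg},{m}"))
    return hits


if __name__ == "__main__":
    # Constructed sample: both range edges, one word inside, both neighbours.
    sample = [0x031F, 0x0320, 0x0333, 0x033F, 0x0340]
    for addr, word, text in flag_format_x(sample, origin=0xA000):
        print(f">{addr:04X}  DATA >{word:04X}   * 990/10: {text}")
```
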

40 minutes ago, hhos said:

Is this the Geneve development forum now?  I hope I'm not the only one in here that hasn't moved on to the Geneve.😁  I'm still talking about the TI99/4A. 

No, it's not a Geneve forum.  I only posted my comments because if those were instructions in the 9900, I thought they could have been duplicated in the 9995.  And with the 9995, there was hardware capability to test for non-processor specific opcodes through the MID capabilities of the chip.  If something did not "error" to the MID trapping, then the opcode was a valid instruction thus proving your initial inquiry to having found some possible new opcode(s) instruction.

 

The MID capability gives rise to creating "new" opcodes in software if the processor does not recognize them which could have then been specific code to do extra stuff.  It could be a sneaky way to add program protection from disassembly for instance.  Try to execute a non-operand which by disassembly would be a Data statement, it branches (or maybe a BLWP, do not recall) to the vector which then runs code to perhaps unencrypt a loaded program or modify otherwise code or variables.

 

I am guessing MAME handles the MID capability for the 9995, but it would not be able to handle undocumented and thus unknown instructions if something really existed on the actual processor chip.

 

Beery

 


Same for me, your question triggered some interest in discovering unknown commands. MAME does support the MID (try the Guru program), but of course no undocumented functions, unless I am starting to develop a split personality. (Going to discuss that with myself later.)

 

I also thought about another way to find out whether there are undocumented instructions in the 9995. One could run a loop through the unspecified values and execute them (using X), and if they are invalid, let it branch along the MID vector. To gain control, the location in the TI ROM must be patched (like the Guru program). Then one could store that value in a list. The only problem with this idea is that one must be sure that the tested instruction does not cause a jump outside of the loop.

On 1/21/2020 at 3:26 PM, hhos said:

I found my own answer at:

http://bitsavers.trailing-edge.com/pdf/ti/990/945250-9701_990_Computer_Family_Systems_Handbook_3ed_May76.pdf

 

It's on page 97 at the top.  These opcodes at >0320 to >033F come from the TMS990/10.  They were added, as an option, to that computer in order to make 1MWords of memory available.  The mnemonic for it is LMF.  The M bit designates the memory map to load, 0 or 1, and the REG is the register that points to the 6 word map, or source data (SD), to load.

X                  |0  |0  |0  |0  |0  |0  |1  |1  |0  |0  |1  |M  |        REG        |

                    |          0        |          3        |          2        |          SD         |

 

This is not a TMS9900, nor TMS9995, opcode.  On the 990/10+'s LMF is used only when the CPU privilege bit (bit 7,ST) is 0.  This was definitely pasted into the E/A manual by mistake. 

 

Thanks,

HH

 

Snooping through the assembler (ASSM1) program, I found a lot of goodies.

 

The LMF instruction is listed in its dictionary, and it is the only one under its format. (The formats are not the same numbers used elsewhere.)

 

The 99/4 assembler has a lot more instructions from the 990, some that I recognize from the 99110, plus some others I can't identify.

It doesn't have the 9995 instructions MPYS, DIVS, LWP, LST.

 

For instance, you can assemble this 99110 program (gibberish)

 DEF START
B DATA >B,>C
START
 AR @B    * ADD REAL TO R0-R1
 LMF R3,1 * LOAD MAP FILE 1 FROM R3 (or is it *R3)
 DCA R9   * XOP R1,0
 DCS R7   * XOP R3,1 
 LIIM R3  * XOP R3,2
 JMP $
 END

 

The Real number instructions are documented 99110A-only instructions with opcodes 0C40 to 0DC0. There are 32-bit math instructions ("double") from 0E40 to 0FC0.

 

DCA, DCS, and LIIM have their own format, but assemble into XOPs, so they must have been useful for some operating system. Oddly, they mask the register number at 3.

 

The 99/4 assembler is derived from some other TI assembler, maybe SDSMAC, maybe not, so the programmers probably just left this stuff in.

 

Internally, it has 14 instruction formats, including one for RT,  plus one for directives like DATA.

 

  • Like 2


During the last weeks, I taught my students the MIPS R2000 assembly language. MIPS has 3 instruction formats (R, I, J), and I told them: Don't be afraid of three formats; it could really be worse, I can tell you!

  • Like 3

On 1/22/2020 at 2:10 PM, FarmerPotato said:
 DEF START
B DATA >B,>C
START
 AR @B    * ADD REAL TO R0-R1
 LMF R3,1 * LOAD MAP FILE 1 FROM R3 (or is it *R3)
 DCA R9   * XOP R1,0
 DCS R7   * XOP R3,1 
 LIIM R3  * XOP R3,2
 JMP $
 END

Farmer Potato, I went back through that manual and I think you have it right on the execution of LMF.  The register field on opcodes >0320  - >033F has just "w" in it.  I got it mixed up with the LDD and LDS opcodes which have a "ts" and "s" fields in them.  So, presumably, "LMF 3,1" loads data from the addresses of R3-R8, not a *R3 pointer as I indicated above.  I think I would rather have it go to *R3, but it doesn't look like it would.  I see LMF, LDD, and LDS (the 3 opcodes added to the 990/10 with mapping option) are in the 99105/110 instruction set so anyone who is running a system with one of these could check this for us.  Anyone?

 

HH

  • Like 1
