RSX11

Tuesday, April 16, 2024

RSX utility for converting Logical Block order virtual RX50 disks to Track, Sector order.

Several posts back. I posted a utility, TSTOLBN, that converts RX50 disk images that are in the same layout as a physical RX50 diskette (I call that Track, Sector or TS order - it has the blocks in a track interleaved every other block, and the track starting sector is skewed by two sectors/each track, plus the last track is at the first physical track on the disk) , into just a string of blocks, in numerical order - the format used by RSX and VMS virtual disks, and SIMH disks (I call that Logical Block order, LBN).

That does the business for all of my needs - I use RX50 images as files on P/OS, RSX, VMS and SIMH, and they all need LBN format. Additionally, if you have an LBN order virtual disk, you can read and write it directly ro a real RX50 diskette, and the MSCP/Pro Controller will take care of converting it to/from the physical Track Sector format on the disk for you. But I've been noticing of late that people are needing RX50 images that they can use in assorted external disk emulating gizmos - and they all required the same format as a physical RX50 uses - TS order.

Several folks have written converters in C and Python to convert LBN to TS order. But I prefer to work in the DEC environment as much as possible, so I needed a tool to do this conversion, that runs purely in the RSX and P/OS environment, no Windows/Linux/Python/C compiler required.

So I took a little time and, using the previous converter (TSTOLBN, Track Sector To LBN) as a base, created a utility called LBNTOTS (Logical Block To Track Sector).

Really, it's almost the same program - just had to make a few changes to the interleave and sector translation arrays, and the funny first track/last track logic. And I cleaned it up a little in general.

Here's the source code...

lbntots.mac

To make...
>mac lbntots=lbntots
>tkb
TKB>lbntots=lbntots
TKB>/
Enter Options:
TASK=...LTT ;stands for LBN To TS
LIBR=FCSRES:RO ;this is optional - saves memory on a busy system
//
>

To use...
>run lbntots
LTT>outfile=infile

or install it and use direct from the command line

>ins lbntots
>LTT outfile=infile

Outfile extension defaults to .dsk, infile extension to .dsk

Monday, January 22, 2024

Install prorgams via ethernet without OS - update to PDP11 version

So my 11/73 system, in a BA23, has recently developed a memory problem and won't boot. The ROM diags show...

Expected data = 052525
Bad data = 052524
Address = 02740032

Looks like one bad bit on a chip. I replaced the card with a spare card, but it's too small and now RSX can't boot, I want to run some memory diags on the failed card, hoping that they will be able to give me some more clues as to which chip has carked it.

My XXDP RX50 only had disk diags on it, so I needed to add QBUS memory diags, VSMAC0 and VMJAB0 (sometimes listed as CVMSAC0 and CVMJAB0).

I used SIMH and an RL02 XXDP disk image to create a new XXDP RX50 disk image, comtaining the memory diags and the oft used ZRCHB0, the MFM disk formatter. Next I needed to copy the RX50 image to a physical floppy.

I have a set of tools for this - the client/server disk copying tools I wrote to load VMS and RSX on systems without OSes. They should work fine on an RX50, since they are controlled by an RQDX3.

I had a look at them, and relaized that the VAX server tool, LOCALWRITE, had been upgraded a while back, and the PDP11 client tool, REMWRT, was no longer compatible with it. LOCALWRITE and REMOTEWRITE had been updated to allow entering what unit number to write to, and what file to download (per suggestions and help from Hans-Ulrich Hölscher), as well as some changes to the communiction protocol used between them. (When copying to a PDP11, the VAX LOCALWRITE server is used, since I haven't written LCLWRT yet, a PDP11 version of the server task).

So I prodced a new version of REMWRT with the needed changes. They aren't interesting enough to describe. Here's the new version of REMWRT.MAC

remwrt.mac

Please see earlier blog post for the instructions about how to assemble, link, load and use it.

So, I used LOCALWRITE and REMWRT to copy the XXDP RX50 image to a real RX50 on the system in question. Copy worked fine, disk boots OK. Next step - take out the spare memory card and reinsert the bad one, and boot XDP and run the diags. Here's hoping for some useful info....

Wednesday, September 20, 2023

RSX11D V4 boot problem update

A few posts back I posted about finding RSX11D V4, on a deceased DEC engineer's RK05 pack..

That post presented it, but with a boot problem that required a manual step or two to get it to boot. The boot problem occurred both in SIMH and on real hardware.

Tony Lawrence read the post, and figured out the problem (along with some others). In less than 24 hours. He said I could share his analysis, in a shortened form (his work was incredibly detailed). Thanks, Tony! Heres a note from him, summarizing the problem.

"The boot loader abuses a hardware-dependent "feature" of an old RK11 disk controller and reloads its word count while the operation is still in progress, so to keep the disk controller going (with what it was doing, because the only thing to stop it would be an error or the WC reaching 0): until it reaches the end of memory. More modern controllers (and certainly, simh) can't be used with such a "trick",as like I said previously, they are numb to the register write while the operation is on-going, and in case of simh, the operation just stops when it reaches the word count of 65534 (because the write is not time-simulated, it's a one-shot operation, internally, of basically one read off of the disk image -- so the new WC would not have ever been noticed)."

He included a disasasembly of the code in question, and pointed out that in the process of doing all this, the boot sector loads the system image on top of the boot sector, which isn't a problem since the code that overlays the boot sector, from the system image, is the same.

In another paragraph, he pointed out...

"I can't know why the developers chose to use this boot hack with sizing the memory using RK11 -- because that's basically what they were doing. At the boot time, the file structure of the disk is obviously unknown, but the first 245. blocks following the initial Disk Address (DA), do load the operating system. Since they kept reloading the WC, it'd cause the controller to keep on going, loading up all the following sectors (with basically unstructured garbage) until the bus timeout -- address does not exist -- converted to the NXM error by the controller. Should they load fewer than 128K because of the NXM condition (e.g. 96K phys mem), the end of the image wouldn't be read in, and the system would crash (as the tail of the image file contains something which looks like the STD -- the System Task Directory). If the NXM occurred past the 128K, it's all good and everything can actually continue! So it was not considered as an error at all, but an attempt to load as much as possible from that initial DA and to make sure the memory is not tight. There could be a problem, though, with such a logic, if the OS image was located closer to the end of the drive, then it could have triggered an OVR (overrun) controller error before the end of memory reached, and the boot would fail (would loop to address 0 to start over again). Anyways, it was a very bad example of how things should NOT be done! LOL"

He even included a patch to remove the manual steps that I had been using to get the image to boot.

"All in all, if you open the disk image (the .dsk file) with a binary editor, go to locations 146 and 6421146, and enter the following to replace the next 7 words:

Tony also pointed out that if you do a SYSGEN on this system, you'll have to apply the patches again, pointing at the new RSX.SAV file. I'm working on an automated way to take care of that - stay tuned for another update when I get it done.

xxx146: 105737 ; TSTB @#177404 ; Complete?
xxx150: 177404 ;
xxx152: 100375 ; BPL 146 ; Loop if not
xxx154: 005737 ; TST @#177404 ; Error?
xxx156: 177404 ;
xxx160: 100707 ; BMI 0 ; Loop back to boot if so
xxx162: 000240 ; NOP

Then your system will boot right away! (You can actually skip patching the boot sector, locations 146+, and only patch locations 6421146+ -- note this is an offset in octal)."

For anyone that has an interest in RSX11D V4, I include below the PDP11.INI and RSX11DV4PAT.DSK, with the above desribed patch.

rsx11dv4pat.dsk

pdp11.ini

Using them, here's what the boot looks like now

C:\simh40\PDP11\rsx11d\rsx11dv4>pdp11

PDP-11 simulator V4.0-0 Current git commit id: ab3e07a4
Disabling XQ

RSX-004A
MCR>MOU DK:
MOUNT-**VOLUME INFORMATION**
DEVICE =DK0
CLASS =FILE 11
LABEL =RSXSYS
UIC =[1,1]
ACCESS =[RWED,RWED,RWED,RWED]
CHARAC =[]
MCR>

Of some interest, but not related to the boot problem, he pointed out a few curious things in the file structure of the disk. One was that there are files that weren't completely deleted - their checksums weren't deleted as they should be. As well, there are a number of files with really crazy looking update dates - here's a couple of examples.

RUN.TSK;1 (111,2420) 9./9. C 01-APR-74 22:38 [1,5] [RWED,RWED,RWE,R]
32-SEP-73 00:01(9.)

INI.TSK;1 (112,2421) 17./17. C 01-APR-74 22:38 [1,5] [RWED,RWED,RWE,R]
32-SEP-73 00:00(9.)

I'm guessing these are results of Files-11 bugs from long ago.

Monday, August 21, 2023

Installing software on Microvax and MicroPDP11 systems - update

Recently, Hans-Ulrich Hölscher did some experimenting with the programs I wrote that allow copying a disk image from any VMS or RSX system to a MicroVAX I or PDP11, that has no software already loaded, via ethernet (see several blog posts, with VAXstation I" and "install" in their titles).

I was surprised when he reported a several things I hadn't realized about those utilities. I had assumed that they wouldn't run on SIMH systems, or on MicroVAX IIs, due to differences in their internal architecture from the MicroVAX Is and real PDP11s I wrote and tested them on. Ulli pointed out that they actually worked on SIMH instances of MicroVAX Is, and as well on SIMH images of MicroVAX IIs, and, very likely, real instances of MicroVAX IIs.

As well, he reported that DELQA ethenret cards work as well as DEQNAs.

I checked it out and his reports were correct. I reckon...1 - that the architectural features I used to make this work with MIcroVAX/VAXstation 1s were also present on the MicroVAX/VAXstation II, and...2 - SIMH MicroVAX I and II emulators also include all of those features. Bravo, SIMH developers!

OK, so he reported that they worked, and indeed produced a good disk copy, but they emitted a zillion error messages when run with an emulated system as the target. A little study showed what that problem was - I had used timing loops extensively in the downloaded code, and SIMH and real MicroVAX IIs run a whole heckuva lot faster than the real MIcroVAX I hardware does - so things were timing out and retrying a lot more than they needed to.

Another dive into the MicroVAX architecture documents produced a solution - there is an Interval Timer included in the MIcroVAX architecture. If enabled, it will produce an interrupt every .01 seconds. This will allow me to produce a delay of fixed time, regardless of how fast the machine or simualtor it is running on.

The clock interrupt is controlled by the ICCS (Interval Clock Consoltr/Status) register, internal register #^X18. When bit 6 is set in it, it will produce an interrupt via the vector at SCB offset ^XC0 every 1/100 of a second. When bit 6 is clear, the clock interrupts are turned off.

So, setup the vector for the clock interrupt.

mfpr #^X11,r7 ;move scb addr to r7
moval tick,^XC0(r7) ;point vector C0 at routine "tick".

Here's the interrupt routine. Not much to it, nicht wahr?

tick: incl clock

rei

Then, whenver I wanted to delay for some fixed amount of time, regardless of processor speed, I enable the clock interrupt, clear the clock variable, and wait until the variable "clock" reached the number of 1/100ths of a second I needed.

A macro is used to invoke it.

; Wait for specified number of .01 seconds ticks

.macro waitm beat

pushl beat

calls #1,waitm

.endm waitm

Here's the routine the macro invokes..

; Wait for a specified number of "ticks"

.entry waitm,^m<r2>

movl 4(ap),r2 ;# of ticks needed to r2

clrl clock ;start fresh

mtpr #64,#^X18 ;Enable timer interrupts

1$: cmpl r2,clock ;had enough?

bgequ 1$ ;please sir, I want some more

mtpr #0,#^X18 ;turn off the interupts when done

ret

On the plus side, it was simple and easy to write. On the negative, it will totally not be of any use if I ever start using multiple streams of execution. As is, It has to be used with caution if used in an interrupt routine, since that has the potential to step on the use of it in the non-interrrupt code. For now I elect to just be mindful of that when coding. Sketchy as hell, but, in this no-OS environment, what isn't?

As well as taking care of the timing loop issues, these new versions address a deficiency that Ulli pointed out - the disk unit targeted had to be assembled into the program. He pointed out that being able to enter what unit to target would be a lot more flexible, and less prone to writing on the wrong disk by mistake. In support of that, he figured out how to get input from the console, and provided examples to demonstrate how to specify the unit number to target at run time. Thanks again, Ulli!. I also added the ability to specify what file to load at run time as well.

Here's new versions of remotewrite.mar,localwrite.mar, localread.mar, remoteread.mar and sendcheck.mar. Note that the packet format changed, so that the older versions of these programs won't work with the newver versions - new remotewrite won't work with old localwrite, and so forth. New versions of the PDP11 programs are coming soon.

*** New versions loaded 1-SEP-2023 ***

Thursday, June 8, 2023

Unlocking the index file - an example of how to remap APRs

The other day, I was thinking about working with RSX internals. I've been doing it for a while now, and it occurred to me that I've gotten the bulk of my internals work done with just a /PR task and a call to $SWSTK. That provides access to the exec, pool and the IO page, which are the places where most internal meddling needs to get done. It also serializes access to things, so nothing can change out from under you while you're doing...whatever it is you're in there to do.

But that's a small fraction of what's on an RSX11M+ system these days. You've got secondary pool, directive commons, drivers, cache, and other tasks. All things that you may have occasion to look at or change.

An example of this came up while I was working on another project. I wanted to access the Index File of the system disk, to analyze and fix things gone wrong. It turns out that by default, Files-11 disks on RSX are mounted with the Index File write locked - you can open it for read, but not for write. As well, you can't use some VFY switches (eg, /HD) on a disk with the Index FIle write locked. There are supported ways to mount the system disk with the Index File unlocked. Instead, on that project, I just did logical QIOs to the disk and bypassed the file system completely. But I was left wondering, if there was a way to unlock the Index File without any special mounting going on.

A little research showed me that the Index File is accessed by the system as a normally opened file, using the file system. The write locked status is recorded as a 1 in the F.NLKS byte in its FCB - File Control Block - presumably NLKS stands for Number of Locks. No problem, I figured - find the FCB, change that byte to 0, and I'm on my way. FCBs are bound to be in pool, right? That's where all the interesting data structures tend to be in RSX.

Well, no, not at all. Turns out that, in recent versions of RSX11M+, the Files-11 ACP (Ancillary Control Program) task, F11ACP, constructs some of the FCBs in its own task address space - and since INDEXF.SYS for the system disk is one of the first files opened at boot time, its FCB is one of the ones that is located there. So,/PR and $SWSTK ain't gonna do the business for accessing it. If I want to manipulate that byte, I'll have to access the data in the F11ACP task in memory.

I'm sure that you've seen diagrams of what an RSX task looks like. To the average programmer, it looks like up to 64KB of contiguous bytes in memory (for the sake of simplicity, I'm leaving supervisor mode and I&D space out of the discussion) - a 16 bit linear address space. But these tasks coexist in memory with other tasks, on machines with 18 or 22 bit memory address spaces - so the task address space has to be mapped somehow to the wider address space of the machine. I'm discussing a 22 bit physical space here - if you're on an 18 bit machine, the process is pretty much the same, just with 4 less bits.

This mapping is done via memory management hardware on the system. It uses 8 APRs (Address Page Registers) to map each (up to) 8 KB chunk of the task's address space, to a same sized (up to) 8 KB sized chunk of real memory. The physical memory that is used is determined by multiplying the contents of the APR by 64 - effectively, moving it over by 6 bits, thus producing a 22 bit address - Then adding in the low 13 bits of the address from your program.

Actually each APR is two registers - the Page Address Register, where the relocation value is stored, and the Page Descriptor Register, which contains the properties of that page. But, we don't have to mess with the PDR in most cases, so I'm skipping discussing it.

Let's look at an example of how a task's 64KB could be mapped to physical memory. It's all text - if you think I have the patience to draw all that ASCII art, you're crazier than I am. Picture it in your imagination. This is a crazy example, since a real task would have several of these 8 KB chunks arranged together in contiguous physical memory, to simplify loading, but, this is just an example of using the APRs to remap "virtual" 16 bit memory address to 22 bit physical memory.

FIrst of all, the top three bits in a task address determines what APR will be used to map it. For example, task address 60000's top three bits are 011 - that means it will me mapped by APR 3. Und so weiter.

Task Top 3 bits APR Physical

Address (APR) Contents Address

000000-017777 0 000000 00000000-00017777

020000-037777 1 001000 00100000-00117777

040000-057777 2 000020 00002000-00021777

060000-077777 3 100000 10000000-10017777

100000-117777 4 004000 00400000-00417777

120000-137777 5 010000 01000000-01017777

140000-157777 6 000001 00000100-00020077

160000-177777 7 160000 16000000-16017777

Pretty wild, nicht wahr? RSX actually abstracts these two spaces, task virtual and physical, and the use of APRs, with two uber-constructs - Windows, for 16 bit task virtual space, and Regions, for physical space. But we're discussing the lowest level, raw stuff of reality here,

So, in our mapping example above, let's consider how we construct a physical address from an example task address, using task address 120366 (all addresses octal). In binary, it's 1 010 000 011 110 110. The top 3 bits are 101, so it is mapped to the 22 bit physical space according to the contents of APR 5. APR 5 contains 010000. Multiplying it by 64 (decimal) gives us 01000000. Adding the bottom 13 bits of the task address, 366, gives us the physical address of this word - 01000366. Got it? What could be easier?

Note that starting addresses of blocks in physical space are on 32 word boundaries, due to the multiplication by 64 (or, if you prefer to think of it another way, the six bit left shift) that will occur when the physcal address is constructed..

. SInce we'll be fiddling with the APRs, we're gonna need to be running as a privileged task, mapped to the exec, pool and the device page. Since we're considering kernel mode now, we'll be dealing with two sets of APRs - Kernel and User. Here's the mapping used by the Exec, using the Kernel mode APRs.

Kernel Top 3 Kernel APR Physical

Address bits APR contents Memory

000000-017777 0 KISAR0 000000 00000000-00017777

020000-037777 1 KISAR1 000200 00020000-00037777

040000-057777 2 KISAR2 000400 00040000-00057777

060000-077777 3 KISAR3 000600 00060000-00107777

100000-117777 4 KISAR4 001000 00120000-00137777

120000-137777 5 KISAR5 - -

140000-157777 6 KISAR6 - -

160000-177777 7 KISAR7 177600 17760000-17777777

It uses the Kernel Mode Instruction Space APRs to do its mapping. It maps, one for one, the first 20 K of the executive to the first 20K of physical memory. The IO page gets mapped to the highest 8KB of the physical space. APRs 5 and 6 are used for assorted dynamic mapping functions.

Now, let's have a look at a priviieged /PR task, before $SWSTK.

User Mode Top 3 User APR Physical

Address bits APR contents Memory

000000-017777 0 UISAR0 copy KISAR0 00000000-00017777

020000-037777 1 UISAR1 copy KISAR1 00020000-00037777

040000-057777 2 UISAR2 copy KISAR2 00040000-00057777

060000-077777 3 UISAR3 copy KISAR3 00060000-00107777

100000-117777 4 UISAR4 copy KISAR4 00120000-00137777

120000-137777 5 UISAR5 some value 8KB of memory

140000-157777 6 UISAR6 some value 8KB of memory

160000-177777 7 UISAR7 copy KISAR7 17760000-17777777

The /PR task, before $SWSTK, has copies of KISAR0-KISAR4 in APRs UISAR0-UISAR4. This meeans, the first 20K of the task maps the same physical memory as the exec. Starting at task address 120000, is the task. APRs 5 and 6 will contain some value, that points to two APRs worth of typical physical memory. This is what contains your program in the /PR task - hope your code is smaller than 16Kb in length... And then APR 7 contains a copy of KISAR7, and points to the IO page.

Now, when you do $SWSTK, you will be in Kernel mode, and using the Kernel mode APRs. They will have contents as described below...

Kernel Top 3 Kernel APR Physical

Address bits APR contents Memory

000000-017777 0 KISAR0 000000 00000000-00017777

020000-037777 1 KISAR1 000200 00020000-00037777

040000-057777 2 KISAR2 000400 00040000-00057777

060000-077777 3 KISAR3 000600 00060000-00107777

100000-117777 4 KISAR4 001000 00120000-00137777

120000-137777 5 KISAR5 copy UISR5 8KB of memory

140000-157777 6 KISAR6 copy UISR6 8KB of memory

160000-177777 7 KISAR7 177600 17760000-17777777

You're executing in Kernel mode now, so you are using the Kernel mode APRs. The values in the User mode APRs don't matter. The only change from the normal settings of the Kernel mode APRs is that your task's APR 5 and 6 values have been copied into KISAR5 and 6. Your access to things is serialized now, so you can modify things to be more to your liking without thngs changing out from under you...if you know what you're doing.

There are much better explanations and diagrams explaining all of this in the PDP-11/70 processor manual, and in the Task Builder manual, in the Privileged Task chapter.

Well, there's been a whole lot of typing now without any code or explanations thereof. OK, enough theory - we're actually tring to do something here. Heck. this blog entry is getting longer than the durn example program. Time to discuss what I actually did.

So anyway, like I said, so long ago, I want to alter the byte value at offset F.NLKS in the FCB for INDEXF.SYS, so I need the address of that FCB. A look at exec module THF11L.MAC gave me a general notion of how to proceed getting it, and a perusal of the Data Structures and Lists manual tells me that this is recorded in the Volume Control Block of the disk, at offset V.IFWI. The VCB is pointed to by the UCB for the disk, at offset U.VCB. And the UCB is found by examining the chain of UCBs off of the DCB for the disk controller, looking for one with the right unit number. You find the right DCB by looking from the start of the DCBs at word $DEVHD. This is all pretty straight ahead link list following and value comparing. One wrinkle that affects finding $DEVHD and some other locations in the Exec, is that many of these locations are vectored. This means that their value as recorded in the system symbol table actually contains a pointer (a vector) to the real locations. You have to use the GIN$ (Get INfomation) directvive to make the Exec yield up their true values.

Here's the directive DPB and its data structure....

vecdpb: gin$ gi.vec,vecbuf,vecsiz

vecbuf: .word 0 ;flags

$kisr6: .word kisar6 ;kernel apr

$kisr5: .word kisar5 ;kernel apr

devhd: .word $devhd ;device listhead

pool: .word $pool ;where everything used to go

exsiz: .word $exsiz ;size of the exec

vecsiz = <.-vecbuf>/2

And here's the invocation of the DPB.

dir$ #vecdpb ;Get executive vectors

The table of vectored locations contains a list of the symbols needed, specifiying the names you'll be using for them, and the directive looks up the real addresses for you.and fills them in.

Anyhow, after doing the above, the program does a middlin' amount of checking that the input made sense, and that this is a system where I can find the FCB and change it. Anything sketchy or exotic, it's outta there.

So, like I said above, the program needs to traverse the DCB linked list, starting at its head, $DEVHD, When we find a DCB with the correct name, it goes through the array of UCBs attached to that DCB until one is found that matches the unit number from the command line.

The program does some more checks on the UCB stat field - makes sure that it's mounted, not mounted foreign, and not marked for dismount.

bitb #us.mnt!us.mdm!us.for,u.sts(r2) ;it it mounted right?

Note that us.mnt has "negative" logic - bit set means not mounted, bit clear means mounted..

Then, the program gets the address of the VCB (Volume Control Block) from the UCB at offset U.VCB.

mov u.vcb(r2),r4 ;addr of vcb to r4

The VCB has the address of the Index File WCB (Window Control Block) at offset V.IFWI.

mov v.ifwi(r4),r4 ;addr of index file window block to r4

And finally, the WCB has the address of the FCB (File Control Block) at W.FCB.

mov w.fcb(r4),r3 ;get addr of fcb from the wcb

Given that address, the program does some checking to make sure that it has a value that is in the adress range of the F11ACP task. If it passes this scrutiny, we're finally there - mapping another tasks memory using APRs, the whole point of this post and program.

We need to map the F11ACP task with one of our task's APRs. Since we're a privileged task, you'll recall, we only have APR5 and 6 to work with. Our program is les than 8 KB, so it fits into APR 5. That means that APR 6 is not used - so it's the logical choice.

But where do we need to map it? The first thing we have to do is to map it to the partition that contains the F11ACP task. Most every task loaded into memory exists in its own system created subpartition. We need the physical address of that partition. Fortunately, the address of the TCB (Task Control Block) of the ACP task for a mounted disk is stored at offset U.ACP, in the UCB of that disk.

mov u.acp(r2),r2 ;get tcb address of the acp

Then we can get the PCB (Partition Control Block) address from that TCB, at offset T.PCB.

mov t.pcb(r2),r0 ;get pcb address

After we save the existing contents of KISAR6...

mov @$kisr6,-(sp) ;save current apr 6 value

...we can then load the address of the partition into KISAR6. The address of the partition is stored in the PCB at offset P.REL, in "APR" physical address style format - it's already shifted left 6 bits, so it can be loaded straight into an APR.

mov p.rel(r0),@$kisr6 ;map to the acp's partition...

Alrighty then. Now any accesses we make via our APR6 (any task addresses between 140000 anf 157777) will go to the memory used by the F11ACP's task partition. Are we ready to access the lock byte now? Not hardly. The first thing that is in a task parition is the task header. We need to access it to find the address of a data segment of the task.

There's two kinds of F11ACP tasks we could be dealing with - "regular" tasks, and I&D space tasks. These days, most everybody will be running I&D space F11ACP tasks. But, if you're on an 11 that doesn't have I&D support, we have to be prepared for that eventuality. It makes a difference, because non-I&D tasks only have two address "Windows" (remember above when I said that task address space is abstracted by an uber concept called "Windows") and I&D tasks have 4 address Windows. We have to look into the task header (that we arecurrently mapped to) and get the starting address of the data window.

OK, so we will want to access the data windows in the task header. Set up to do that.

mov @#140000+h.wnd,r1 ;get the pointer to the window blocks

;add 140000 to it, since we are now

;accessing the partition (and thus

;the header) by our APR 6

h.wnd is the offset into the task header, to the task window info.

Then - which kind of task are we? We're still pointing at the TCB with r2, so we can check easily enough

bit #t4.dsp,t.st4(r2) ;is this an i/d space task?

If that bit is not set, then this is a normal task, and the data window is the first window. We find the starting address of that Window

; This case, we want to get the offset for window #0 - root d-space.

; We need to skip the first word, that is the count of windows in the task,

; and the offset to where the windows start ,w.boff

mov 2+w.boff(r1),r4 ;window 0 for non I&D system

If it is an I&D task, the data Windows is the second Window. Add in w.blgh (len of a window)

to the address expression to skip over to it.

40$: mov 2+w.blgh+w.boff(r1),r4 ;get the second window offset

R4 now contains the offset in the partition to the desired data window. But, handily enough, it's an offset in APR, physical address format - it's been divided by 64, upper bits trimmed off, and like that So we can add it to the location of the partition that is at p.rel(r), which is also in APR format, and get a value suitable for loading into an APR to point to physical memeory. We have no further need for the task header, so we can now map KISAR6 to that data window.

add p.rel(r0),r4 ;add the base physical address/32 of

;partition

mov r4,@$kisr6 ;point kisar6 at the window

Finally, we can think about using the address of the FCB that we retrieved, lo these many lines of code ago...well. almost. F11ACP uses APR5 to access that window, and the address it stored in the WCB reflects that. We are using APR6, so we need to add 20000 (octal) to that, so that our APR6 based access uses the right address.

add #20000,r3 ;adjust for access via KISAR6

Finally, we're here - R3 points to the task address that maps to the physical location of the FCB for the Index File. Check the FIle ID and Sequence Number, to be sure we have the right victim in our sigts. Then we can adjust the count in f.lcks(r3), and we're done.

mov f.fnum(r3),fnum ;save the file ID number

mov f.fseq(r3),fseq ;save the file sequence number

mov f.nacs(r3),fnacb ;save the two bytes that have the...

;..count of accesses and count of locks

movb f.nlck(r3),plocks ;save current count of locks

And then the remaining code does some safety checks and sets or clears, or just reports the value in f.nlcks(r3) as requested)

When our changes to the lock count are done, all we have to do is restore APR 6, and fall through to the exit from the #SWSTK section. What could be easier?

mov (sp)+,@$kisr6 ;put original KISAR6 back

donex: return ;drop back to normal space

Well, that's all done. Heck, it took longer to write about all of this than it did to code the program. You'll never find a worse, more confusing and incomplete explanation of how memory management works on PDP11s. I encourage you to seek out the DEC manuals (processor architecture manuals, and the Task Builder manual) to get the complete whole story.

Here's the program.

iul.mac

Here's how to assemble and link it....assuming source is in directory [iul]

>mac iul,iul/-sp=[1,1]exemc.mlb/ml,[11,10]rsxmc/pa:1,[iul]iul

>tkb iul/pr/-cp,iul/-sp=iul,[3,54]rsxvec.stb/ss,[1,1]exelib.olb/lb

And here's how to use it....

>run iul

Target?>DU0: (whatever disk you're working on)

Switches are

/CLR

/SET

/LIS

So, to clear the locked bit,

.run iul

Target?>DU0:/CLR

Status 000001 how did it go? 1 is success anything else is an error

Locks Before 000001 number of locks before change

Locks After 000000 number of locks after change

FNUM 000001 File ID number - this better be 1....

FSEQ 000001 File Sequence number - this better be 1 as well....

FNAC Before 000401 contents of word at F.FNAC(FCB). high byte is number of locks

low byte is number of accessors

FNAC After 000001 FNAC after change

K6 before 020356 KISAR6 since before we fool with it

K6 after 013007 KISAR6 while we fool with it

Window 122250 addr of WCB

To set it back on after you're done

>run iul

Target?>DU0:/SET

Status 000001

Locks Before 000000

Locks After 000001

FNUM 000001

FSEQ 000001

FNAC Before 000001

FNAC After 000401

K6 before 020356

K6 after 013007

Window 122250

To see what value it is and not change it...

>run iul

Target?>DU0:/LST

Status 000001

Locks Before 000001

Locks After 000001

FNUM 000001

FSEQ 000001

FNAC Before 000401

FNAC After 000401

K6 before 020356

K6 after 013007

Window 122250

Target?>DU0:

The default action with no switches is to just list the state.

Once again, this is not supported, use at your own risk, This program changes mode to kernel and changes disk structures in memory - it's that sort of code.

Friday, September 9, 2022

MicroVAX and 8086 smartcards for DEC Professional

I recently came into possession of two unusual CTI bus cards, for the DEC Professional (you know, Pro-325s,Pro-350s, Pro-380s). These are apparently prototypes for never released options for the PRO line. One card has a MicroVAX II chipset on it, and apparently was for a DEC project called Meteor - a workstation with capabilities somewhere between a PRO-380 and a Vaxstation II.

Here's pictures of it, front, and back and a close up of the card name

It came with a memory daughter card - here's shots of it, back and front.

The other card has an 8086 processor on it. It was apparently going to be used to allow Pro systems to run x86 software (MS Windows? On an RSX11 derived OS? The horror!).

Presumably, "8086 SC" in the above means "8086 Softtcard". This card has had several dynamic RAM chips removed, which I am replacing before I do any testing.

Neither card had an option code on their retraction handles like normal PRO options do.

When I get some spare time, I plan to put them in a PRO-380 and read/write the slot addresses for them and see what happens. Realistically, I don't expect to get very far without more info on them. If anyone out there has any more info or any software for these prototypes, I'd sure like to hear about it...

Sunday, August 21, 2022

Booting PDT-11/150 from TU58s and TU58 emulators

A post or so back, I wrote up how to connect a TU58 (or emulator) to a PDT-11/150. Works great. But, you can't boot the PDT from a TU58 (or emulator - from here on, TU58 means TU58 or emulator - OK?), so you are still dependent on the RX01(ish) drives to get the system going. But there are a lot of PDT-11/150s out there with no software on floppies available, or with dead floppy drives. A way to boot from TU58 would enable people to load software or use them without the floppy drives.

A look at the technical manual for the PDT, available at...

PDT-11/150 Tech Manual

showed that the startup code for the PDT is in two 1K X 8 mask programmed ROMS on the memory board. I took a squint at the ICs in question, and saw that they were socketed - a good start - I'm in no mood to desolder a chip I can't replace if it gets destroyed in the process. They were mask programmed ROMs, part number NS82S2708. There is an EPROM equivalent of this ROM, with the same pinout - the 2708. No sweat, I figured - sounds like a part from the common 27xx EPROM family. I can write new boot software, burn it to 2708s, and Bob's my uncle. I'll be done in an afternoon! Alas, that was not to be. Turns out that the 2708 is an early design EPROM. It requires three different supply voltages, and almost no hobbyist grade EPROM burners support it (for sure, mine doesn't). Pro grade ones that would support it are damned hard to find these days, and really expensive.

So, that's about how these projects always go - a rush of initial enthusiasm, followed by a punch in the face from reality. Fortunately, this is an issue that has been dealt with already, by arcade video game and pinball machine enthusiasts. Arcade games and pinball tables from back in the day often came with 2708 EPROMs. These hobbyists researched it and worked out that these can be replaced by 2716 2KX8 EPROMs, with a little work. The 2716 is a more typical 27XX part - no exotic voltages required, and almost all EPROM programmers support it (most importantly, mine does). The 2716 is twice as big as a 2708 - you can program the 2708 image into the top or bottom half - the instructions below assume the code gets burned into the bottom half. You could even burn different programs into the two halves, and use a switch to select which one is active. No need for that on this project.

Here's the pinouts for the 2708 and the 2716

2708 2716
+--U--+ +--U--+
A7|1 24|Vcc(+5V) A7|1 24|Vcc(+5V)
A6| |A8 A6| |A8
A5| |A9 A5| |A9
A4| |Vbb A4| |Vpp
A3| |*CS/PE A3| |*OE
A2| |Vdd A2| |A10
A1| |Program A1| |*CE/PGM
A0| |Q8 A0| |Q8
Q1| |Q7 Q1| |Q7
Q2| |Q6 Q2| |Q6
Q3| |Q5 Q3| |Q5
Vss(GND)|12 13|Q4 Vss(GND)|12 13|Q4
+-----+ +-----+

Purty close, nicht wahr? Looking at the pinouts, you can see how to use a 2716 in a 2708 socket. You have to...

- Connect pin 21 to pin 24 (2716 requires Vpp pin be at Vcc for reading)

- Connect pin 18 to pin 20 (connect both output enable and chip enable to Chip Select)

- Connect pin 19 to pin 12 (this selects the lower half of the 2 K ROM. Connect 19 to 24 to use
upper half of 2716 instead.

- Don't connect pins 18, 19, and 21 to the 2716 from the board . The 2716 would be
discomfited by the crazy 2708 required voltages (-5 and +12) present on those pins.

The way the arcade guys accomplished this was to use two additional sockets, plugged into each other. On one of them, the bottom one, that will plug into the board, they did the first three steps - carefully soldering jumper wires between the indicated pins. On the next socket up, they got rid of pins 18, 19 and 21 (if you use machined pin sockets, you can heat the pins with a small soldering iron and push them out of the frame). Then they'd plug the 2716 into the top socket, plug the top socket into the bottom socket, and plug the bottom socket into the board where the 2708 once made its home.

Here's a site that explains this. Unfortunately, it's been archived so it doesn't have its pictures anymore, but it's the best rundown of the solution I found.

Adapter for 2708 to 2716 swap

And if you're looking for 2716s, you can also use a TMS2516 for a 2716. I didn't have any 2716s in the giant box o' salvaged obsolete through hole pin ICs, but I had plenty of TMS2516s, and they are pin and voltage compatible. There's a long story about why TMS2516s are equivalent to 2716s, but TMS2532s are not the same as 2732s, but, it's got nothing to do with this project, so I'll skip it (for now...).

Anyway, enough of this hardware talk. That reminds me, what are the three most destructive things in computing? A system programmer with a soldering iron, a hardware tech with a patch tape, and a manager with an idea - and I'm two out of three!

So, first step, I need to get the current contents of the factory boot roms, so's I can add the TU58 boot code into the normal initialization process. Hmmm...my EPROM programmer won't even read a 2708... Not a problem. The PDT tech manual reports that the boot roms occupy the addresses 170000-173777. I just booted RT11 from disk and used ODT to read the contents of that address range. This was better than reading the ROMs on a reader anyway - if I had read the two ROMs directly, on the EPROM burner, I would have had the additional step of combining the two outputs into one file, since the ROMS contain the bytes of each word - one ROM has the even bytes, one ROM has the odd bytes. The ODT just gave me the words as the PDT sees them, as combined words.

Now I needed to convert the listing of the ROM contents into MACRO-11, so I can see where to add my evil magic. I have several tools that will disassemble an RSX object file (I usually use ORCAM), but nothing that will do it to a string of words like ODT produced. I wrote an EDT macro to translate the ODT statements in the form

173242/074524
173244/062560
173246/071440

.word 074524 ;173242
.word 062560 ;173244
.word 071440 ;173246

Here's the result of that, in case there's any other hardware hackers out there that want an unmolested ROM listing for reference.

pdtrom.mac

And then I assembled the resulting file to a .obj file - which I could then input to the ORCAM utility. Well, the results were a bit of a mess (when you look at machine decoded Macro-11 and you see a bunch of floating point instructions, you know you have some hand work to do) . Since this code was written to fit in a limited space, it had all kinds of programming tricks in it that confuse automated disassembly tools. Things like using the numeric value of other instructions as literals for arguments , and the like. Some of the coding stunts didn't seem to make a lot of sense - for instance, in places, the programmer created his own JSR - RTS technique using branches and jumps instead of just using the actual instructions. One good thing I found - even though the code was littered with these space saving tricks, there was over 600 bytes of unused space in the ROM, so there wasn't really any need for exotic tactics. That's plenty of space to load the TU58 boot routine.

Here's the partially, poorly disassembled source. Feel free to correct and expand on my efforts. I only did enough to get this project done. Much of it is wrong. Some of the comments are in error as well. It might serve a starting point for someone else. It might serve as a source of amusement for those more skilled than I at reverse engineering.

pdtdis.mac

A lot of manual disassembly of the resulting mess let me find a place to put the boot code, and a place to let the user indicate that they want to boot the TU58 instead of the RX01 drives.. There is an unused space from 171630 to 172776. The boot routine is small, so I decided to load it at an even address, for convenience sake - 172000 - still plenty of space starting there.

For a boot routine, I adapted the boot code from TU58FS, by Joerge Hoppe, who credits work done by Don North and the M9312 boot code. It's important to credit other people's work, nicht wahr? Here's the boot code I used. It's pretty self explanatory - sets the line speed for terminal line 1, inits the TU58, sends a boot request, gets 512 bytes and stores 'em starting at address 0 - then jumps to 0 and starts executing.

ddboot.mac

Now I need a way to invoke that code when I want to boot from the TU58. There is a place in the original boot code where, if neither disk is loaded, the system asks you if you want to boot disk 0 or 1 - that gives you a chance to load the disk and try again. If you answer 0 or just carriage return, it retries disk 0. If you answer 1, it retries disk 1. If you answer anything else, it asks you again. It only took changing a couple of words to alter that behavior to be, if you answer anything besides 0 or 1, jump to 172000 and do the TU58 boot. I use a capital G...for Gleason...I recommend you do the same.

It looks like this...

Unload both disks and power on. The system will say

Read error

Type start unit number (0 or 1):

If you type 0 or 1, it tries to boot...disk 0 or 1. If you enter anything besides a 0 or 1, it will jump to the TU58 boot code. A banner will print

PDT-11/150 TU58 Boot LKG V01A01

and it will try to boot from the TU58.

Here's what it took to make this happen. In the boot rom, I changed the code at lines 5 and 6 in the code snippet below

Original:
CMPB (R1)+,R2 ;typed a 1?
BEQ 3122$ ;then boot from PD1:
CMPB (R1)+,R2 ;typed a 0?
BEQ 3120$ ;then boot from PD0:
CMPB (R1)+,R2 ;compare for space input
BNE 3042$
3120$: CLR R3
3122$: MTPS #340

*******************************
Modified:
CMPB (R1)+,R2 ;typed a 1?
BEQ 3122$ ;then boot from PD1:
CMPB (R1)+,R2 ;typed a 0?
BEQ 3120$
JMP @#172000 ;not 0 or 1,jump to our TU58 boot code.
3120$: CLR R3 ;clear r3 to boot from unit 0
3122$: MTPS #340

In binary, this change amounts to swapping lines

.word 122102 ;173114

.word 001351 ;173116

with

.word 137 ;173114

.word 172000 ;173116

This boot rom should work with a real TU58, or a TU58 emulator. I have only tested it with ETU58, the RSX TU58 emulator I wrote a while back (see previous TU58 post for details). A few small changes were required to ETU58, to support a boot request from the PDT. This new version of ETU58 still supports booting from the disk like normal, and accessing the DD devices just like it did before.

OK, how to put it all together? First, mod those two lines in PDTROM.MAC and save as file NROM.MAC (for new ROM) Then assemble it to produce a listing file. You don't need an obj file. Use LISPAR (see a previous blog post for the Macro-11 List File Parser utility) to convert the listing to an Intel format load file, using the /SP (split) switch on the output to produce odd and even output files (that contain the odd and even bytes of the file, that go into odd and even EPROMs).

>mac ,nrom=nrom
>run lispar
MLP>nrom/sp=nrom

That produces files NROM.EVN and NROM.ODD.

Assemble DDBOOT.MAC to produce a listing file. Use LISPAR to produce odd and even Intel format files. Use /ADR:1000 to tell it where we want the code in "EPROM address space" - that will cause it to appear at 172000 when everything gets done.

>mac ,ddboot=ddboot
>run lispar
MLP>ddboot/sp=ddboot/adr:1000

Edit nrom.odd and nrom.even. Replace the two lines that go to address 1000 with the two lines in each of ddboot.odd and ddboot.evn. Save the files and burn them to two 2716 or 2516 eproms. OK, that's a lot of work. If you're good with the state of the code as it is, I provide the current version of two files that need to be burned to the EPROMs below.

NROM.EVN

NROM.ODD

Then replace the ROMs on the memory board with these EPROMs, inserted into the double scoket adapter described above. The Odd EPROM goes on the left, if you're facing the front of the machine - the even EPROM goes on the right. Make sure and match the "U" notch orientation of the ROMs - the "U" notch faces the front of the machine.

Then, connect the TU58 or emulator to Terminal 1 on the PDT. Remove the disks from the two drives and power on. When it asks boot from 0 or 1 - enter any character, and it should boot from the TU58.

So, sweet - everything works and we're all done with this project...well, not quite. When I went to put the lid back on the PDT...the double socket style EPROM adapter discussed above sticks up too far for the top to fit. I thought about this problem for a bit. I have a dremel tool and lots of cutoff disks....but no, as much fun as putting a hole in the top would be, it would look terrible and allow junk to fall down onto the memory board. A little more study showed that the only function of the upper socket is to make sure pins 18, 19 and 21 don't get connected to the circuit board. I can get the same effect by cutting pins 18,19 and 21 off of the EPROM, and keep the lower socket with the wiring adds on it. That lowers us by one socket. Why didn't I do this from jump street? Why did the arcade and pinballs guys use two sockets? Because, once you mangle up the chip pins, you can't erase and rewrite the EPROM anymore....and believe you me, the new EPROM code took several edits before it worked.

And, like I said above, my RSX TU58 emulator, ETU58, needed a few changes to support the boot request from the PDT. I named this version of it NTU58 (New TU58). Here it is...

ntu58.mac

To use, it's just like ETU58, from previous blog post. Build instructions are also in the file itself.

If any of the 4 or 5 people in the world who are PDT-11/150 AND TU58 hobbyists try this, let me know if you have any problems.