Journey to the center of the HP28

Presented at DEF CON 16 (2008), Aug. 8, 2008, 4 p.m. (50 minutes)

In 1990, a wire-bound book was published in Paris by the title of <<Voyage au centre de la HP28 c/s>>. It presents a very thorough account of the inner workings of the Hewlett Packard 28 series of graphing calculators. Designed before the days of prepackaged microprocessors, the series uses the Saturn architecture, which HP designed in-house. This architecture is very different from today's homogeneous RISC chips, with registers of 1, 4, 12, 16, 20, and 64 bits in width. The fundamental unit of addressing is the nibble, rather than the byte. Floats are represented as binary-coded decimal, and a fundamental object in the operating system is an algebraic expression. This architecture is still used, albeit in emulation, in the modern HP50g. With this talk, I intend to call attention to a fascinating, professional, and well-documented feat of reverse engineering. Using little more than their ingenuity and an Apple ][e, Paul Courbis and Sebastien Lalande reverse engineered a black box calculator into a real computer, one which became user-programmable in machine language as a result. More than that, they documented the hack in such exquisite detail that their book is not just a fascinating read, but also veritable holy scripture for anyone trying to write custom software for this machine. Expect a thorough review, in English, of the contents of the book. This is not a sales pitch; electronic copies of both the translation and the original are free to all interested readers. Topics include the datatypes of the computer algebra system, hacking an upgrade into the memory bus, bootstrapping an assembler, writing in machine language by tables, and adding an I/O port for software backups.

Presenters:

  • Travis Goodspeed - Security Researcher
    Travis Goodspeed works at the Extreme Measurement Communications Center of the DOE's Oak Ridge National Laboratory. He has spoken at ToorCon 9 and the Texas Instruments Developer's Conference regarding stack overflow exploits for the MSP430-based Wireless Sensor Networks. Having demonstrated that such attacks are possible, his present research is aimed at porting defense techniques, such as ASLR and code-auditing, to this platform. For the past year, he has been translating <<Voyage au centre de la HP28 c/s>>, a fascinating work of francophone reverse engineering, into English.

Links: