FYI - Defcon 16 - AUgust 2008 - Las Vegas
http://www.defcon.org/html/defcon-16...html#Goodspeed


Journey to the center of the HP28

Travis Goodspeed
Security Researcher

In 1990, a wire-bound book was published in Paris by the title of
<>. It presents a very thorough
account of the inner workings of the Hewlett Packard 28 series of
graphing calculators. Designed before the days of prepackaged
microprocessors, the series uses the Saturn architecture, which HP
designed in-house. This architecture is very different from today's
homogeneous RISC chips, with registers of 1, 4, 12, 16, 20, and 64 bits
in width. The fundamental unit of addressing is the nibble, rather than
the byte. Floats are represented as binary-coded decimal, and a
fundamental object in the operating system is an algebraic expression.

This architecture is still used, albeit in emulation, in the modern
HP50g. With this talk, I intend to call attention to a fascinating,
professional, and well-documented feat of reverse engineering. Using
little more than their ingenuity and an Apple ][e, Paul Courbis and
Sebastien Lalande reverse engineered a black box calculator into a real
computer, one which became user-programmable in machine language as a
result. More than that, they documented the hack in such exquisite
detail that their book is not just a fascinating read, but also
veritable holy scripture for anyone trying to write custom software for
this machine.

Expect a thorough review, in English, of the contents of the book. This
is not a sales pitch; electronic copies of both the translation and the
original are free to all interested readers. Topics include the
datatypes of the computer algebra system, hacking an upgrade into the
memory bus, bootstrapping an assembler, writing in machine language by
tables, and adding an I/O port for software backups.

Travis Goodspeed works at the Extreme Measurement Communications Center
of the DOE's Oak Ridge National Laboratory. He has spoken at ToorCon 9
and the Texas Instruments Developer's Conference regarding stack
overflow exploits for the MSP430-based Wireless Sensor Networks. Having
demonstrated that such attacks are possible, his present research is
aimed at porting defense techniques, such as ASLR and code-auditing, to
this platform. For the past year, he has been translating < centre de la HP28 c/s>>, a fascinating work of francophone reverse
engineering, into English.