Cross-Development for the Profi-5E Mikrocomputer
Introduction
Winter time is retro computing time. This year I got myself an Profi-5E Mikrocomputer. It’s an 8085 based computer used for educational purposes. About 30 years ago I did learn machine code programing on a similar 8085 based Mikrocomputer für Ausbildung (MFA computer). Therefore the Profi-5E looked like an interesting system to play with. Especially since it can be found on ebay for a few Euro.
Typing in programs on the hex keypad got old pretty quickly. So a way to upload binary code to the system was desired to be able to do cross-development with a cross-assembler like a85. The documentation does not have any information how that could be done with the default monitor ROM. So some reverse engineering was needed.
Profi-5E Overview
There is a Wikipedia page about the Profi-5E with some basic information. Also, there is still printed documentation available from EPV Verlag. That includes schematics and programming instructions.
A few technical details:
- CPU: 8085A
- RAM: up to 6 kB
- ROM: 8 KB monitor EPROM + additional socket
- I/O: 8255 (two of three free for user)
Available Input/Output Options
The Profi-5E has a small keypad for machine code entry and control. For output there is an 8 digit LED display. Solder bridges allow to configure memory size and type. Other settings like serial speed are done with DIP-Switches. An EEPROM contains a monitor program to interact with the system. The monitor program allows reading and writing of memory as well as starting programs.
There is an audio interface for storing and loading programs to/from a cassete deck. The signal level is a little low for -10 dbV equipment, but storing and loading works fine with an old cassette deck using a RCA connector cable and an adapter for the DIN connector.
There is also a V.24 serial port using a 25 pin D-SUB connector. The serial port can be operated at the amazing speed of 300 Baud up to 2400 Baud. The interface uses -4V and +4V levels. It can be connected to a standard FTDI-USB-serial converter (please note: that excludes the 5V or 3.2V TTL-level USB-serial converters). The cabling has to ensure that receive readiness is signaled on pin 5, or DIP-Switch 5 has to be switched to OFF. Fortunately I found a chain of adapters that converts from 25 pin to 9 pin D-SUB and connects pin 5 of the Profi-5E output to pin 1 on the USB-serial device.
There is a documented “F-8”-function (started by pressing F-8-G) that allows reading ASCII text into memory from the serial port. This looks promising for the desired goal of cross-development. But to find out whether it can be misused for binary, the monitor ROM has to be further analyzed.
Monitor ROM Analysis with Ghidra
To get the monitor ROM in binary form, one can always use an EPROM reader. That was unavailable, but there is another way. The “F-6” function allows to dump memory to the serial port. With some scripting this can be converted back into binary and loaded into Ghidra without problems. Ghidra does support 8085 code out of the box.
The Profi-5E documentation contains several useful functions with entry points. It helps to locate these functions and give them proper names in Ghidra. Following the cross-references of the serial port functions, you will find the “F-8” implementation at 0x04B6.
**************************************************************
* FUNCTION *
**************************************************************
undefined SYS_F8_ASCII_IN(void)
undefined A:1 <RETURN>
SYS_F8_ASCII_IN
ram:04b6 21 77 77 LXI HL,0x7777
ram:04b9 cd 07 07 CALL HEXIN
ram:04bc 22 ac 87 SHLD (DAT_ram_87ac)
ram:04bf 21 00 87 LXI HL,0x8700
ram:04c2 22 ae 87 SHLD (DAT_ram_87ae)
ram:04c5 cd 6b 05 CALL BAUD
ram:04c8 cd 80 03 CALL DUNKL
sys_f8_loop_next_character
ram:04cb cd f1 04 CALL ASCII
ram:04ce 2a ac 87 LHLD (DAT_ram_87ac)
ram:04d1 77 MOV (HL=>DAT_ram_7777),A
ram:04d2 fe 03 CPI 0x3
ram:04d4 ca b2 0e JZ TEXT8_ENDE
ram:04d7 cd 1f 05 CALL SYS_F8_ASCII_IN_BACKSPACE
ram:04da cd 15 05 CALL SYS_F8_ASCII_IN_CR_ADD_LF
ram:04dd 23 INX HL
ram:04de 22 ac 87 SHLD (DAT_ram_87ac)
ram:04e1 e5 PUSH HL=>DAT_ram_7778
ram:04e2 2a ae 87 LHLD (DAT_ram_87ae)
ram:04e5 eb XCHG
ram:04e6 e1 POP HL
ram:04e7 cd bf 06 CALL HLDE
ram:04ea da cb 04 JC sys_f8_loop_next_character
ram:04ed cd 25 05 CALL SYS_F8_ASCII_IN_SFENDB
ram:04f0 76 HALTThis shows that 0x03 (CTRL-C) is interpreted as end-of-transfer. Also backspace has special handling and CR is expanded to CR-LF. That doesn’t look like it works for binary transfer, although the input function does support 8 bit data.
Looking for a place that calls this function reveals a function pointer table around 0x028C with 16 function pointers. F-0, F-E and F-F are not used as they contain 0xFFFF. Interestingly F-D is used but not documented. It points to 0x0F70:
**************************************************************
* FUNCTION *
**************************************************************
undefined SYS_FD_BINARY_IN(void)
undefined A:1 <RETURN>
SYS_FD_BINARY_IN
ram:0f70 21 77 77 LXI HL,0x7777
ram:0f73 cd 07 07 CALL HEXIN
ram:0f76 22 ac 87 SHLD (DAT_ram_87ac)
ram:0f79 21 00 87 LXI HL,0x8700
ram:0f7c 22 ae 87 SHLD (DAT_ram_87ae)
ram:0f7f cd 6b 05 CALL BAUD
ram:0f82 cd 80 03 CALL DUNKL
sys_fd_loop_next_character
ram:0f85 cd f1 04 CALL ASCII
ram:0f88 2a ac 87 LHLD (DAT_ram_87ac)
ram:0f8b 77 MOV (HL=>DAT_ram_7777),A
ram:0f8c 23 INX HL
ram:0f8d 22 ac 87 SHLD (DAT_ram_87ac)
ram:0f90 e5 PUSH HL=>DAT_ram_7778
ram:0f91 2a ae 87 LHLD (DAT_ram_87ae)
ram:0f94 eb XCHG
ram:0f95 e1 POP HL
ram:0f96 cd bf 06 CALL HLDE
ram:0f99 da 85 0f JC sys_fd_loop_next_character
ram:0f9c cd 25 05 CALL SYS_F8_ASCII_IN_SFENDB
ram:0f9f 76 HALTThis “F-D” function looks very much like “F-8”, except it doe not interpret any special characters. There is no stop condition except the memory limit at 0x8700 (which should protect monitor program variables space). The missing stop condition is no problem as the interrupt key can be used instead.
Uploading Code to the Profi-5E using F-D
To upload code to the Profi-5E follow these steps:
Press the red F key and then the black D key
Press the G key to start the function
Enter start address and confirm with red S key.
The display will be turned off (“DUNKL”)
Transmit a binary from a connected computer:
cat out.bin | cu -s 300 -l /dev/cuaU0
The transmission is most reliable at lower speeds. With 2400 Baud I found that bits get lost intermittently.
Extending the monitor ROM to allow loading IHEX format
Uploading programs using F-D requires entering the start address every time. It would be much nicer if the monitor ROM could accept IHEX formatted data, which contains the address to load to in every input line:
:10810000C3148100000000000000004900000000CE :1081100000000000160801038179824FCD60033E04
While reading the monitor ROM I noticed that some of the F-functions were unused, in particular F-0, F-E, F-F. Also there is some unused space between 0x0fa0 and 0x1c00, which would allow to add functionality.
So I wrote a little IHEX parser and embedded it into the monitor monitor ROM. The result can found in my Github repository. To use this, you have to read the original EPROM content and write a patched EPROM. Patching the EPROM data is part of the build process.
Afterwards the Profi-5E computer will be able to read IHEX data from the serial port using the F-E function keys
Summary
The undocumented F-D function allows to transmit programs to the Profi-5E using the standard monitor ROM. This allows to develop with a 8085 cross-assembler and transmit the results via serial line to the target system.
With a modified monitor ROM, the Profi-5E can read IHEX data from the serial port, making cross-development even easier.