
Dale Nunns - PEEK’ing and POKE’ing hardware – Hacking a ZX Spectrum

BSides Cape Town · 24:04 · 1.0K views · Published 2017-12 · Watch on YouTube ↗

Transcript [en]

Okay, hi. So yeah, this is the talk, PEEKing and POKEing memory: hacking a ZX Spectrum. For those of you curious, I'm Dale. I work by day as a software developer at a company called Sign It. I do lots of mobile stuff and all kinds of other crazy things. I'm not a security consultant, I don't do any of that kind of stuff, I just goof around on weekends. If you want, follow me on Twitter, and that's my web page I never update. So we'll start off with the 1980s. Judging by the room, most of you probably remember this time period. For those who don't, I'll give you a quick intro. I'm sure you'll recognize those guys, I'm sure you remember that, and who can forget him, and my favourite, MacGyver. That was the 80s.

For those of you who don't know, this is what computing in the 80s looked like. That is a Commodore 64, a very popular old computer. That there is a BBC Micro, pretty much what I learned to program on, and that is an Apple II. Now all those computers are really cool; the problem is at that time they were very expensive. This is the Sinclair ZX Spectrum. It was a relatively cheap machine, and even in South Africa it was very popular. The computer was made by a company called Sinclair Research, which was created by Clive Sinclair, now Sir Clive Sinclair. It was their third computer. It was first released on the 23rd of April 1982, which means technically this machine is older than I am. It was the replacement to the ZX80 and the ZX81. If you ever get to play with those machines, they're very interesting: when you type on the keyboard the screen switches off, because it can't drive both the screen and read the keys at the same time. Over five million of these ZX Spectrums, in various models, were sold, and that excludes the clones; they were copied all over Russia and places like that. It was only finally discontinued in 1992. Alan Sugar's company actually bought over most of Sinclair Research and they just carried on making them, because they were selling and people were making money.

So some details about the ZX Spectrum. The one I have, and the one I've hacked, is an Issue 3B, released in 1983. It's got a Zilog Z80 CPU running at a whole 3.5 MHz. It's got a 16K ROM and 48K RAM, although technically originally they got released with 16K and you had to buy the extra 32K upgrade; thankfully by the time they got to the 3B they decided to include it. It's got an RF modulator for TV output, a tape interface for mass storage, an edge connector, and the iconic rubber keyboard, which, if you've ever used one of these things, you'll know is the worst thing ever created.

So for those of you who don't understand what I mean by mass storage, this is what 80s mass storage looked like. That's what you stored all your programs on, and that's what you copied when you wanted to borrow someone else's program. Obviously destroyed by heat, sun and all kinds of other things, and good luck to anyone who actually got them to load successfully on the first try; they never seemed to. Interestingly, in the eighties there was actually open source. GitHub looked like this, for those of you who don't know: in the back of magazines, and at your local library you could buy books with that. That is actually BASIC code; all you had to do was type it in. There were little indicators to say "hey, this is for a Commodore, this is for a Sinclair", etc. The favourite was you'd type all this in, someone would pull the plug, the thing would reset and you'd have to start again, and worse, you'd made a mistake somewhere. I'm not joking when I say this is actual code. There is a zoomed-in image; you can see the DATA lines etc. Some of that is actually machine code. So the trick to getting speed was you did your coding in BASIC, and then the speed-optimized things you did in machine code as DATA entries and loaded them in.

Programming on these machines was all done in a BASIC interpreter; those of you who played with the badges will find one on there. That was the standard way: the machine booted up into a BASIC interpreter and you coded all your code in BASIC. The other option was machine code, which is after you've assembled your code. There was assembly available, and if you were lucky enough you could get a tape, load the tape and you've got an assembler, but there was no real point, because the assembly mapped over to the machine code relatively easily; you could hand-assemble the code. There were no real compilers. You have to remember this machine ran at 3.5 MHz with 48K of RAM; you're not going to put a C compiler in that easily, you're not going to put a Pascal compiler in that easily. So normally what you would do is you would write your code on a much more powerful machine, compile it down and transfer it across, that's assuming you actually bothered to use that. A lot of the code was written as hand-coded, fine-tuned machine code.

So why on earth am I hacking a 35-year-old computer? I guess the first thing is it's unlikely to be used in the AI uprising or anything else like that. The other one is I'm not going to get arrested, no black helicopters are going to land in my backyard or anything else; no one cares about this machine anymore. The copyrights have expired, a lot of the companies have opened up what is there. You can download the schematics for these machines, you can get all the information online. Truthfully, the reason is I enjoy learning new things and this seemed like a fun challenge.

So the cool thing about a ZX Spectrum is one person can truly understand this machine. What I mean by that is: that is the complete main board of my ZX Spectrum. That's the Z80 CPU. Over there is the ULA. Now, the ULA handles the drawing functions and everything else, so what it does is there's a portion of the memory, the ULA takes that memory and draws it to your screen. The ULA is also responsible for the clock of the CPU, so what happens is there's a bunch of crystals there that generate the clock signal, they flow into the ULA, and then the ULA sends the clock signal on to the Z80 CPU. What this means is the ULA can pause the CPU, or stretch time by making those pulses shorter and longer, which makes for interesting things. But basically, if the ULA decides to draw to the screen, it can hold the CPU without actually holding the CPU, just saying "your clock cycle is going to take a little bit longer this time around", and it goes and reads from the memory and writes to the screen. It means hacking this thing is really weird, as you'll see. Other than that, over here is the 16K RAM; that's what originally shipped on the machine. That should be on this model DRAM, which means that it's got to be constantly refreshed. Over there is the upper RAM, which is the 32K RAM. Interestingly, a lot of those RAM chips were normally, I think, 8K, but they were actually 16K RAM chips that just used half; that way they could buy dodgy 16K RAM and then pick which half of the chip worked. This machine was built to a price, as becomes evident the more you play with them. Over there is the 16K ROM, which holds the BASIC interpreter and whatever minimal code is required to boot the machine. That is the RF modulator. On these machines, back in the day, you didn't have high-resolution displays, not at home, so what you would do is you'd plug this thing into the antenna jack on your old big CRT TV, tune to a specific channel, and then this thing would display the image. That is the trusty tape interface. This is the expansion port, which I'll come to a bit later, and that's the beep speaker, which anyone who's played with these things will know sounds terrible, but you know, it's got a beep. And over there is the power.

So that is the edge connector. Okay, you can't quite see, but the edge connector is a 56-pin PCB edge connector, and this is what got me interested in this whole hacking of the Spectrum. If you look at those various pins you'll notice something interesting. This is a Z80 CPU pinout: there's an address bus of 16 bits, an 8-bit data bus, the CPU control, system control and various other things. If you just take a look at those names and then look at the bus again, you'll see the same thing. There is the address bus for the Z80 CPU, there's the data bus, there's the I/O control lines, and this one is the interesting one: that one in the corner is ROMCS, or chip select. By changing that line, I think pulling it low, what happens is it disables the on-board ROM built into the ZX Spectrum and allows you to plug in a ROM externally. Now, my crazy plan when I saw this was: does that mean I can emulate a ROM chip in code and load my own code onto a ZX Spectrum? We'll get to that.

PEEKing and POKEing. What do I mean by peeking and poking? That's how you read memory on a ZX Spectrum. You can read the entire range; at the moment 4000 is the frame buffer. You literally, at the BASIC prompt, just say a = PEEK, read a value, and it will read the byte that is at that address. POKEing is the same: you can just write any value to any memory address anywhere, which means that if you're fooling around you can very easily reset the machine, draw funny characters onto the screen, crash it, or do all kinds of interesting things, play audio and stuff like that. This is one of the ways that people would write optimized code for it: you could actually POKE values into RAM for your own machine code, jump to that location and execute it.

So that's the memory map of the ZX Spectrum. The first 16K is the ROM, then there's a bit of screen memory, after that comes more screen memory which stores the colour data. The colour data is broken up into blocks, and each byte is 8 dots on the screen, so what happens is you can only set the colour for a specific block on the screen, so graphics get a little weird. There are tricks: by looping quickly and fiddling with RAM values you can actually set individual pixels. I tried to do some of this; yeah, my coding skills aren't that good, so good luck to those who want to try it.

So yeah, this is how you hacked a ZX Spectrum in the 80s. This is a wonderful tool called the Multiface One, by a company called Romantic Robot; you have to love 80s computer company names. So this device plugged into the back of the ZX Spectrum. What would happen is, by pressing that fancy red button on there, it triggers a non-maskable interrupt. It causes the Z80 CPU to jump to a specific address in the ROM and execute whatever code is in there. On the standard Z80 ROM that you'd expect, all that does is reboot the machine, but what the Romantic Robot company did is they built their own ROM image which sits in that box, so when you press the button it swaps their ROM in, which has got a fancy little bit of code at that address, so when you press the button it launches that. What this application allows you to do is POKE values into the currently running application; you can dump the current memory to a tape drive, and you can, in general, cause all kinds of havoc. The most common use for this was pirating games that you couldn't otherwise pirate, so if you had a ROM game, you could, once it was loaded into memory, dump it out to tape and things like that. So most people who owned these things used it for that, but you can also use it for more sort of legal reasons, like in the old days, debugging applications and things like that. On a ZX Spectrum there's no real way to do normal debugging and step-throughs and things like that; you can, but back in the 80s it wasn't easy, so at least this way you could actually go and see and read memory values and stuff.

Okay, so I won't do the demo, but my plan, so this is how it all got started. I decided I was going to take a Raspberry Pi and hook it to the back of a ZX Spectrum. Unfortunately there's a few problems. The Raspberry Pi is a 3.3 volt device; the ZX Spectrum is 5 volt. The Raspberry Pi is not 5 volt tolerant. What this means is 5 is greater than 3.3, so bad things happen. I thankfully didn't let the magic smoke out, but technically you'll damage your Raspberry Pi if you plug it into the back. There are ways around this: you can fix it with a bidirectional level shifter; the ones I use use little FETs, and it does work. The next problem was I needed I/O. There's 16 address lines, 8 data lines for the data bus, there's a minimum of 3 control lines, I would need read, write and the memory request, and then the clock line. If you add all those up you come to 27 or 28 or something; there's only 26 free I/O lines available on a Raspberry Pi. You can get more by using shift registers and things like that, but it greatly complicates life, and I was trying to do this without complicating my life.

So yeah, so now this is what my plan was. Let's take a Raspberry Pi and what they call a bus expansion chip. These particular chips by Microchip are very cool. What they allow you to do is you can talk I2C to them and it gives you a 16-bit GPIO port. They allow for bidirectional, and technically you can clock them at 20 MHz. So the plan was I would take two of those, which would give me 32 I/O lines, wire that up to the back of the ZX Spectrum, and that should work, right? Yeah, I know, it doesn't. The problem comes in: Linux is not a real-time OS. What I mean by real-time is I don't know how long or how many clock cycles will occur between each call. So what will normally happen is you'll say "get me some data", and then "get me some more data"; the gap between those two gets can be anything from milliseconds to 10 minutes depending on what your system, systemd and all the other rubbish running on a Linux system, is doing. So what you can do, if you're brave, you can write a kernel driver. I don't know how many of you have written kernel drivers; it's not fun, it's not quick, and no, I'm not going to do that. The other option is you can write bare-metal ARM code. The Raspberry Pi is very cool because all the compilers are made available, so if you really want to you can write ARM code and run it on the Raspberry Pi as a bare-metal machine. The problem is it requires a lot of code just to bring up things like displays and all that kind of thing, let alone the Wi-Fi, networking or any of the other functions that I would like when I'm trying to integrate with this.

So my new plan: replace the Raspberry Pi with one of these things. This is an STM32F4 Discovery; it's made by STMicroelectronics. It's got a 168 MHz ARM Cortex-M4 processor, one meg of flash, 192K of RAM, about 56 I/O pins depending on how you configure it, it's 5 volt tolerant, it's got chip registers, it supports DMA, which I'll get to, and it's got lots and lots of UARTs. So the new plan goes like this: USB to the STM over a serial adapter. Yes, that is the baud rate underneath there, and that's stable; I tried double that and unfortunately it doesn't work, you start losing characters, so that's about the maximum baud rate I could get using an FTDI chip USB-to-serial adapter. That thing's plugged into the back of the ZX Spectrum. Now, for those of you curious, this bundle of wires there on my desk is more or less what it looks like. That does work, as long as I don't touch it, as long as my kid doesn't come near it, as long as the wind doesn't change direction, and everything else, but it does work.

So the code on the STM Discovery does this: there's an interrupt routine that gets triggered on every single clock from the ZX Spectrum. Each clock pulse I get the read/write state of the bus, I then read the address, I then read the data bus, and then I push all that into a buffer. Now, if you've tried, you've got to do this in as little code as possible, because you are limited, because obviously there's a clock pulse every, well, it's 3.5 MHz, so you've got to constantly grab stuff and throw it into this buffer. Now you've got it lying in a buffer and you've got to get that off of your microcontroller onto your PC. That's what took me a number of weeks to get right. In the end you use the DMA transfer. DMA is really cool on these chips in that you configure the DMA controller in the background; you say "take the data from this array and spit it out of this port", and everything will then quietly happen in the background. You don't have to service it and it doesn't take any of the clock cycles away from the standard way the CPU works. In this case it's just a giant circular buffer, so I just keep throwing things in and it keeps spitting them out on the serial port. I then read this data and pull it into a Python script that I can display on screen. The nice thing is now my PC only has to handle the characters coming across the serial link; I don't have to try and read from ports and that, I can just use Python and display it.

So in the end I wrote that. You can't quite see, but what that is, is all the red values are being written to those memory addresses and all the green values are being read from those memory addresses. This application allows me to read the entire address range on the ZX as the ZX scans through the address range. I can also POKE new values into all those locations, so technically I can drive my ZX; everything should be happening over this data bus, so I can control the keyboard and things like that. I say technically because it kind of works. The reading speed must be faster; my code is good, but not good enough yet. At some point I will get it faster: either I need to speed up my transmit speed, because I'm losing a few characters in my circular buffer, or I need to read faster. Bad connections, as you saw, my current setup, that box, if anyone would like to see it, is lots and lots of wires, badly joined. This means that anything I do, I can easily lose a bit, and if you know anything, one bit is really bad if you lose it. So yeah, when writing, if you get your timing wrong, it kills your ZX: either the ZX will crash with pretty colours if you're lucky, or it just resets. Bus collisions: if the ZX is talking on the bus while I'm talking on the bus, the two collide and whoever happened to talk last seems to win; sometimes, again, this resets the ZX.

So how would I improve this? Well, the first thing is make a PCB, so I get rid of all my stupid wire connections; if I have fewer connections, hopefully it'd be better. The correct way to do this is a CPLD or an FPGA. That way a lot of what I'm currently doing in software can be done in hardware, which means speed no longer matters; hardware is near-instant for this. The other thing I tried was using SRAM. So if you put a RAM chip on the address bus and the data bus, it will just write to it, because that's how it's been built, and if you have something like dual-port RAM, which allows you to read while it's being written to, you can actually read the information out. These are sort of my plans for the future. I'm not giving up yet, but I had badge code to write and other things, so this is sort of how far I got.

For those who want to try this kind of stuff, I suggest you get one of these things. This is an 8-channel logic analyzer. You can buy them for about R250 locally, or for somewhere between five and ten dollars from China, but please take into account the R24 shipping fee our local post office now charges. This is a knockoff; Saleae make a really, really good one, this is a knockoff, but it's good enough. It in theory goes up to 24 MHz; I wouldn't bother trying to go that fast, but for the ZX Spectrum it's perfectly fine. There's an open source project that talks to this called sigrok. This is PulseView, which is their GUI, which is really, really cool. So you can see the individual pulses for the channels, it's got decoding so it can decode the parallel bus, it's got SPI decoding and a whole lot of other things. And like I say, it costs R250, and I used mine pretty much constantly in this whole project, because while I was trying to figure out what's wrong, why bits are being lost, this allows you to see it. The other thing about this is that it's fully scriptable through Python, so they've actually got a Python interface. You can access all the data and that, which means that some of the things that I've written in code, you could actually just use one of these and do it. The problem is it's only 8 channel; the jump to 16 channel goes through the roof pricing-wise. You can get a 24 and a 32 channel one, but yeah, I don't have that kind of money. There are much, much better ones: if you own a Rigol scope, the new Rigol oscilloscopes do have logic analyzers built in; a lot of new hardware that comes out does have logic analyzers. Like I say, this is cheap; for those of us like me who do this as a hobby, this thing is very nice.

So if you want to try this yourself, yeah, that title's wrong anyway. So you can use emulators if you want to play around with the ZX Spectrum. There's the Fuse GTK emulator; it's really, really good. It actually emulates the Multiface One, so you can do things like break the running app and all that kind of stuff. It does the entire range of ZX Spectrums. You can also read the currently running memory, you can POKE values into the memory, you can pause it, you can step through the running code and all that kind of thing. So if you're interested
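The talk describes the capture side (an interrupt per Z80 clock pulse recording read/write state, address and data into a circular buffer, streamed over serial) and the PC side (a Python script that colours reads and writes by address). The following is an added example, not Dale's code and not from the talk, of what that PC-side script can do with such a stream: it parses one record per clock in an assumed text format (`R 0038 C3`: direction, 16-bit address, 8-bit data, all hex), classifies each access against the memory map given in the talk (16K ROM, pixel screen memory, colour attributes with one byte per 8x8 block, then RAM), maps attribute writes back to the screen block they colour, flags a fetch from the Z80 NMI vector (0x0066 is the standard Z80 NMI entry point, which is the address the Multiface button trick relies on), and counts malformed records, which is what a bit lost on the serial link looks like. The sample trace is constructed, not a real capture.

```python
"""Decode a ZX Spectrum bus trace of the kind described in the talk.

Added example, not Dale's code. The record format ('R 0038 C3': R/W,
16-bit address in hex, 8-bit data in hex, one record per clock) is an
assumption; the memory-map boundaries follow the talk, the NMI vector
is the Z80's standard one.
"""
from collections import Counter
from dataclasses import dataclass

# Memory map from the talk: 16K ROM, then pixel data, then colour
# attributes (one byte per 8x8 block), then the rest of RAM.
ROM_END = 0x4000
SCREEN_START = 0x4000
ATTR_START = 0x5800
ATTR_END = 0x5B00
ATTR_COLUMNS = 32          # 256 pixels wide / 8 = 32 attribute cells per row

# Standard Z80 NMI vector: where the CPU jumps when the Multiface's red
# button asserts NMI (a Z80 fact, not something specific to the talk).
Z80_NMI_VECTOR = 0x0066


@dataclass(frozen=True)
class BusEvent:
    rw: str    # "R" or "W"
    addr: int  # 16-bit address bus value
    data: int  # 8-bit data bus value


def parse_trace_line(line: str) -> BusEvent:
    """Parse one record; reject anything that is not exactly
    'R|W <addr hex> <data hex>' with values inside the bus widths."""
    parts = line.split()
    if len(parts) != 3 or parts[0] not in ("R", "W"):
        raise ValueError(f"malformed record: {line!r}")
    addr, data = int(parts[1], 16), int(parts[2], 16)
    if not (0 <= addr <= 0xFFFF and 0 <= data <= 0xFF):
        raise ValueError(f"value out of bus range: {line!r}")
    return BusEvent(parts[0], addr, data)


def region(addr: int) -> str:
    """Name the memory-map region an address falls in."""
    if addr < ROM_END:
        return "rom"
    if addr < ATTR_START:
        return "screen"
    if addr < ATTR_END:
        return "attr"
    return "ram"


def attr_cell(addr: int) -> tuple:
    """(column, row) of the 8x8 block coloured by an attribute byte."""
    offset = addr - ATTR_START
    return offset % ATTR_COLUMNS, offset // ATTR_COLUMNS


def summarize(lines) -> dict:
    """Walk a trace and report what the bus activity means."""
    counts = Counter()
    attr_cells = set()
    rom_writes = []
    nmi_taken = False
    dropped = 0
    for line in lines:
        try:
            ev = parse_trace_line(line)
        except ValueError:
            dropped += 1              # a lost bit shows up as a bad record
            continue
        reg = region(ev.addr)
        counts[(reg, ev.rw)] += 1
        if reg == "rom" and ev.rw == "W":
            rom_writes.append(ev.addr)  # a real ROM ignores these
        if reg == "attr" and ev.rw == "W":
            attr_cells.add(attr_cell(ev.addr))
        if ev.rw == "R" and ev.addr == Z80_NMI_VECTOR:
            nmi_taken = True
    return {
        "counts": dict(counts),
        "attr_cells": sorted(attr_cells),
        "rom_writes": rom_writes,
        "nmi_taken": nmi_taken,
        "dropped": dropped,
    }


# Constructed sample trace (not a real capture).
SAMPLE_TRACE = [
    "R 0038 C3",  # opcode fetch from ROM
    "R 0066 F5",  # fetch from the NMI vector: the Multiface button was pressed
    "W 4000 FF",  # first pixel byte of the frame buffer
    "W 5800 38",  # attribute for block column 0, row 0
    "W 5821 07",  # attribute for block column 1, row 1 (offset 33)
    "W 0000 AA",  # write into ROM space: a real ROM ignores it
    "R 8000 3E",  # read from upper RAM
    "R 8G00 00",  # corrupted record (a bit lost on the serial link)
    "W 5B00 01",  # first byte after the attributes
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Running it on the sample reports two ROM reads, one write into ROM space, attribute writes to blocks (0, 0) and (1, 1), an NMI vector fetch, and one dropped record; a real serial stream from the capture board could be fed to `summarize` line by line in the same way.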