cnwietho@immd4.informatik.uni-erlangen.de (Carsten Wiethoff) (09/21/89)
Hi folks!
This is for those who always wanted to know every single bit of their
PostScript(tm) laser printer: THE "peek" OPERATOR!
It is one of the most trivial applications of the "cexec" operator.
Since the program is written in 680x0 assembler and depends on the Adobe
"cexec" interface it should run only on laser printers with such a CPU
and a PostScript(tm) interpreter from Adobe or compatible to Adobe's .
(are there any others?)
Ah, before I forget it:
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
It may or may not be legal to run this program with the intent to
read out the contents of the ROMs, since these probably(?) contain
copyrighted data. I DO NOT ENCOURAGE YOU TO USE THIS PROGRAM TO READ
OUT COPYRIGHTED DATA! When you are in doubt, see your local law-guru.
When you are still in doubt, don't use this program. Otherwise enjoy!
END OF WARNING
First comes the assembler source file as an example of an operator
definition written in assembler. At the end is the operator definition
in eexec/cexec format ready to "print" together with some examples.
The assembler program was written on a SUN 3. Other assemblers may differ.
To change the program and convert it to eexec/cexec format you will
have to do the following: (there may be more elegant ways)
- assemble it (using "as"), having the checksum set to 0x0000.
- strip symbols (if any) and the a.out header (32 bytes on a SUN 3).
- calculate the checksum (0x10000 - the 16 bit sum of the program).
- write the checksum into the program and reassemble
- strip it again
- construct a file with the following contents:
<BEGIN here vvv>
currentfile <length of stripped a.out file> string readstring
<stripped a.out file>
{cexec} {pop ioerror} ifelse
currentfile closefile
<END here ^^^>
- convert this file to eexec format using the algorithm I described
some time ago in this newsgroup (actually you will have to use the
inverse algorithm of the one that I described). If you don't have this,
send email. If there is enough interest I will post a C program that
does the job.
- print it
So here goes the assembler source:
----------------------------------cut here -------------------------------
| This is a peek program written by Carsten Wiethoff 1989
| You may do with it what you want, as long as my name stays in it.
| It may look a little weird,
| since I adapted some of the Adobe calling conventions
|
first: .word 0x07a2 | checksum
.word 0x3399
.word last-first | total length
.word 0x0001
.word 0x0402
.word entry-first | entry point
.word reloc-first | begin of relocation table
.word reloc-relocend | end of relocation table
entry:
movl sp@(4),a0
lea arg1,a1
movl a0,a1@+
movl a0@+,a1@+
movl a0@+,a1@+
movl a0@+,a1@+
bra main
peek: linkw a6,#0
bsr pop_int | pop address
movl d0,a0
clrl d0
movb a0@,d0 | access byte
movl d0,sp@- | push value
movl #0x01020000,sp@-| push object descriptor
| 01=integer, 02=no exec perm.
bsr push_general | push on postscript stack
addqw #8,sp
unlk a6
rts
main: linkw a6,#0
bsr userdict
movl d0,a0
movl a0@(4),sp@-
movl a0@,sp@-
bsr begindict
addqw #8,sp
pea peek
pea stringpeek
bsr defineop
addqw #8,sp
bsr enddict
unlk a6
rts
stringpeek: .asciz "peek"
| system jump ins go here
| The names reflect my opinion about what these routines do.
| I have no documentation about these routines, so reality may differ.
.even
begindict: movw #0x50,a0
bra jump
enddict: movw #0x80,a0
bra jump
userdict: movw #0xa0,a0
bra jump
pop_int: movw #0xe0,a0
bra jump
push_general: movw #0xf4,a0
bra jump
defineop: movw #0x11c,a0
bra jump
jump: addl arg2,a0
movl a0@,a0
jmp a0@
.align 2
arg1: .long 0
arg2: .long 0 | system entry table
arg3: .long 0
arg4: .long 0
.align 2
reloc: | relocation table
relocend: .word 0x0000
last:
------------------------- cut here ------------------------------------
Here finally comes the ready-to-print version:
--------------------------- cut here ----------------------------------
%!
% This is the peek operator written by Carsten Wiethoff 1989
% You may do with it what you want, as long as my name stays in it.
currentfile eexec
c3c703843e75cc772962e3a7fadee742b39452c3b503845648fbd351ba27c4a1
0682e041c9fa0f16614f0c04877181ee76d9e6bd87dd247a2857ccb6913dfcc1
123775eeaaab500a019e4b76d978c6e8d2383c16ed2a02acd8642efa2196cff7
dd72fc7834e096060b4259609b4a5fe03e1bce5f86e8bde12c8cdc7ee13437bc
9f1006f84253a13ed0cb41556b44df020c314ff99564f537fd0460bf77c5ac7c
a1eecc3271f4caf473668cf7c41f60b4a6702411a68490f25a96700051b3545b
91abd0161e7260f62ef55f7ab6d4e850c6e745666d29e50b045b19e96b01de4b
c5e24a59fd822ce839a8769b3830615de0781dcb0ba368ca3c8f5ca2e281149b
1a17dff0db3506609bc70393ec8f6482d798654cc171370f0b
% the previous is equivalent to
% /peek {<function>} def
% usage: <address:integer> peek -> <byte:integer>
% example:
16#00000000 peek ==
% more useful:
(start\n)print
/str 2 string def
/nullstr (00) def
/outstr 2 string def
/byte2hex
{
outstr 0 nullstr putinterval
outstr exch
16 str cvrs
dup length 2 exch sub exch
putinterval
outstr
}
def
16#40000000 1 16#4000000f
{
peek
byte2hex
print
(\n)print
}
for
------------------------- cut here -------------------------------------
The writing of the "poke" operator, when desired, is left as an exercise
for the reader.
Enjoy and remember the warning!
Carsten Wiethoff
c/o Frank Kardel
Friedrich-Alexander Universitaet
Erlangen-Nuernberg
CS Department IMMD IV
Martensstrasse 1
D-8520 Erlangen
---------------
West Germany
Voice: +49/(0)9131/85-7908
E-mail: cnwietho@immd4.informatik.uni-erlangen.de
Private: Carsten Wiethoff
Untere Karlstr.7
D-8520 Erlangen
West Germany
Tel.: +49/(0)9131/29136