              Disassembling the Spectrum ROM



             Okay, so you can decode your ROM.

            But where does it get you? In this

               article, David Horne looks at

                  practical applications.



[ This is an odd one. The title is Disassembling the

  *Spectrum* ROM, and there's a drawing of a Speccy

  illustrating the article. Nevertheless, the text

  starts by mentioning the ZX81, and all the numbers

  given in the article are correct for the ZX81. The

  Spectrum is only mentioned in the final paragraph.

  Almost all the tables are for the ZX81, and are

  incorrect for the Spectrum. Although both machine's

  tables are similar in essence, all the actual

  numbers are different.

  In the text below, I've left the numbers as they

  were, but added the Spectrum values between [square

  brackets]. I've also added a few other remarks in

  the same way.

  You should be able to find, in the same place where

  you got this text, a TZX file with the Spectrum

  versions of the programs described below.

                           Richard Bos, February 2012 ]



For practical purposes, decoding the ZX-81 ROM gives the

average user a list of symbols and numerals which provide

a level of understanding little different from the original

mass of numerical output. The resultant listings from the

disassembled published in July's Your Computer unlock the

power of the ROM, enabling machine-code programmers to use

sections of code within their own programs. This should

help you a little further along.

  The value of a disassembler is significant only if you

can use segments of the code within your own programs.

  A further breakdown of the ROM routines is required to

discover where each machine-code block begins. I have con-

tinued the theme of producing Basic equivalents to the

machine code to preserve a degree of familiarity for those

whose machine-code experience is limited.

  From Address 3113 [6728] to 3143 [6777] is a list of

pointers - table 1. Address 3113 [6728] is taken as the

starting point and the contents of the address are added

to the address to provide a pointer to another address.

Figure 4 demonstrates this function provided by the Basic

program in figure 3.

  The result is an address which further points to the

class of command being considered and the address of the

machine code for that command in ROM. The commands start at

code 225 - LPRINT [206- DEF FN], which is defined in ROM as

command 0 up to code 255 (COPY), which is defined in ROM as

command 49. Therefore if we follow DEF FN through, we see

that it is defined as command 0 and points to address 

3113 + 139 = 3252 [6728 + 177 = 6905].

  Figure 1 shows the contents; address 3252 and that which

follows. [It barely did. There's no Spectrum alternative;

your best bet would be to get a proper disassembler, rather

than the home-spun one used by Mr. Horne, and get it to do

a decent listing from address 6905.] The first address

contents give the class of command; these are found in

table 2 which commences with class 0 at address 3350. [7169

on the Spectrum; see the final paragraph for the table.]

The class determines the attributes of the commands and

also whether there should be a separator or not:

        POKE A,B

A and B are attributes, the comma is the separator.

  If the class is 0 or 5, then the next address contains

the address of the routine in ROM. Otherwise further

attributes or separators follow, until a class 0 or 5 is

reached.

  Figure 1 gives an initial breakdown of the first three

parts of ROM command tables. You can decode the remainder

if you wish; the same technique is used to unravel the

class tables.

  Where does this lead us? You can call the Basic class 0

commands from within your own machine-code programs.

        201 105  8 CALL 2153

       [205 172 14 CALL 3756 - 

        and yes, that first byte should be 205 - CALL -

        instead of 201 - RET - on the ZX81 as well.]

will copy the screen to the printer,

        CALL 3883 will set slow mode

        CALL 3883 will set fast mode

       [There is no equivalent of these

        on the Spectrum, of course.]

there are others; what can you do with them?

  Figure 5 gives the Basic program for decoding this parti-

cular table and figure 6 the unraveled response.

  As I said, the Basic programs are simplifications and

really only pick out the essentials of the machine code.

Figure 2 gives the ROM table decoder; if you followed the

series on machine code, neglecting the RC32 and RS24, it

should start to make sense. [I'm not entirely sure where

the Spectrum's equivalent begins - 6962 is my best guess -

but in any case, what with multiple-statement lines and 

other enhancements, it's certainly more complicated than

the ZX81's.]

  The Spectrum tables are decoded in a similar manner, but

in order not to fill the magazine with machine-code list-

ings of the ROM, I have just presented the final decoded

tables, figures 7 and 9, and the Basic programs for de-

coding the Spectrum ROM tables, figures 8 and 10.



[ The article was accompanied by 12 listings. For some

  reason, the first two were called "Table" 1 and 2,

  even though "Figure" 1 and 2 were in the same format:

  that of a listing from Mr. Horne's own, rather limited

  disassembler. This disassembler was published several

  months earlier, also in Your Computer, and a few months

  after that (September 1982; this article was in the

  January 1983 edition) a version for the Spectrum was

  featured. You should be able to find the latter at

  World of Spectrum, and perhaps on other sites such as

  The Type Fantastic, but be aware that it is unsuitable

  for serious use.



  Table 1 and 2, and Figure 1, were dumps (in disassem-

  bly form, inappropriately) of the various tables

  described in the article. Figure 2 was a disassembly

  (this time with reason) of the start of the ROM's

  table decoder. As noted at the top, these were the

  ZX81's versions; Spectrum versions are probably best

  found by either loading a professional disassembler

  or, these days, asking your emulator.



  Figure 3 and 4 were a program to list the raw data

  of the command index in a more useful form, and its

  output. Again, only a ZX81 version was given, but it

  was simple enough to translate, so a Spectrum version

  (two, actually) is found on the TZX.



  Figures 5 and 6 were a program to list the command

  parameter table, and its output, for the ZX81;

  figures 7 and 8 were the same for the Spectrum. The

  latter is on the TZX.



  Finally, figures 9 and 10 were a program to list the

  class routine table, and its output, this time for

  the Spectrum only. These were not given for the ZX81,

  for a reason that escapes me; the raw ZX81 data for

  this was in Table 2. The Spectrum program is also

  on the TZX, making four Spectrum programs in all. ]