how to trace a microcontroller running it's app ?


I have an (8051) micro-controller whose runtime program I would like
to trace, to understand how the program works for the purpose of
potentially modifying the code. (The only info on the program is the
program binary copied off the ROM.)

The micro-controller consists of (the usual stuff):
---------------------------------------

Any ideas on how to do this? How possible is it?

I have a PJRC 8051 Rev.4 development board that runs "Paulmon",
which allows you to load your program to some offset in RAM and
step through it. (I really want to see the I/O as it runs,
though.)

My first idea/thought was to maybe connect the PJRC board to the
MCU socket of the microcontroller board and trace the program
that way??

What I have tried is loading it into a simulator (EdSim51) to run
and determine what the program does, but I would need to somehow
simulate all the devices (input)?

any help and ideas greatly appreciated,
robb


Re: how to trace a microcontroller running it's app ?


Its, Robb, its (not it's).



Re: how to trace a microcontroller running it's app ?



Thanks Bob,
OK, possessive pronouns do not use ('s).
Got it.
Always had a problem remembering written grammar details like that
...

Any thoughts on my microcontroller madness, as some seem to
call it?
robb



Re: how to trace a microcontroller running it's app ?


Oh man, you are asking a very difficult question.

What you are asking is, "how do I reverse engineer" this hardware/code.

Not an easy project.

By your past posts, you do not have the experience to do this.

But, what are you willing to do and how much time do you have ?

This will take LOTs of time.

It's a full-time job.

I reverse-engineered a product recently; it took 3 months.
I have the source code (C code for an 8051 Keil compiler).
The engineer who wrote this code deleted all the comments.
I created a specification of the code that tried to map the code.

Have you ever written a specification that someone else had to read ??

Documentation is a lost art.
ISO has tried to force companies to do it, but engineers are not taught
how to do it.

Engineers love to play with the toys, not write docs.

Good Luck

donald


Re: how to trace a microcontroller running it's app ?




Hello Don, another big help on my ROM snafu, thanks!

Yes, yours is a much more direct and succinct version of my
request.

I do not want to fully reverse engineer it, although it would be nice
to understand it well enough to at least have a documented
assembly program.

Yes, I understand. I hope to avoid the most time-consuming treks with
some great advice from you guys.

Consistent but not complete,
so don't pigeonhole me yet :)

Well, I am willing to disassemble my ROM object, then load and
step through the code, look up the 8051 assembly opcodes being
performed, check what the parameters are, then go/figure/find
what those parameters mean (signals, addresses, ports etc.) and
what those parameters affect in terms of the microcontroller
traces/ICs/etc.

or a part-time hobby

Yes, requirements/functional/design/test/etc... etc., because I
was taught that most effort goes to proper specification.


I guess I am an engineer at heart.

Thanks for the reply. I would appreciate any ideas you have on how
to approach this on a hobby budget and timescale.

robb


Re: how to trace a microcontroller running it's app ?



The *ONLY* practical ways of tracing the *actual* program execution on
the *actual* hardware are either with a high-end logic analyser,
preferably with support for displaying 8051 instructions, or with an
in-circuit emulator. Google 8051 ICE or 8051 JTAG for lots of links to
commercial products. CAUTION: a board with servomotors *may* need a real
time emulator to do useful debugging and that will be $$expensive$$.
You are wasting your time if you haven't mapped out the IO decoding and
haven't already got a printout of the disassembly of the ROM marked up
with your best guess as to which routine does what, data areas etc. If
you can't sight-read a disassembly of the program and understand it you
are SOL until you've put in some hard time with your 8051 development
board. Expect to kill one tree for every program you reverse engineer
(piles of paper!!) ;-)


NO ****ING WAY. You would need to:
1. make sure there are no IO address conflicts between the two boards,
2. disconnect all RAM and ROM on the target board,
3. relocate the code to run on the PJRC 8051 board without clashing
   with the monitor,
4. run it without frying the servo drivers or the servos, and
5. get everything *exactly* right first time with no accidents with
   32V supplies etc.
I wouldn't like to tackle this with a processor I am *extremely* familiar
with. (I used to be able to sight-read the raw HEX for *most* of the
instruction set of a Z80.)
Yes, there *are* simulators that support virtual I/O. Do you have the
circuit diagram?
Yes - put it aside for a year while you learn 8051. When you have built
your own development board and coded your own monitor you *will* be
ready for this. Meanwhile, if you *must* proceed, tell us which company
you get your components from so we can buy shares in a company
experiencing a *significant* upturn in sales!

--
Ian Malcolm.   London, ENGLAND.  (NEWSGROUP REPLY PREFERRED)
ianm[at]the[dash]malcolms[dot]freeserve[dot]co[dot]uk
Re: how to trace a microcontroller running it's app ?



...snip...

To give you an idea of where to look... I used to have an old logic analyzer
made by Arium (which merged with American to become American-Arium) called
the ML4100C. It had plug-in microprocessor pods for various
microcontrollers, including the 6502, the 8039 family, the 8051 family, etc.
I used it extensively for debugging microcontroller flow on several 8031
projects I had developed. It was indispensable. It showed exactly how the
program was executing and showed the instructions in assembly.

I've since then gotten rid of the logic analyzer (donated to our local
college) but it was sure nice when working on 8031 projects.  I don't know
if you'd have any luck in trying to find such an animal anymore...

Good luck.

Dave



Re: how to trace a microcontroller running it's app ?




Thanks Dave,
lots of good info here in Usenet.

thanks again for info and reply,
robb




Re: how to trace a microcontroller running it's app ?




Thanks Ian,
Doesn't sound easy.

So it is: disassemble the code, print it, familiarize myself with the 8051
instruction set, map and decode the I/O, estimate each
function/routine's purpose.

And what will I do with the other 23 hours of that day :D


OK, I believe it.
I had noticed that the PJRC dev board had a row of pins (access
points) to all the MCU pins and I thought I might be able to just
connect up the relevant pins, load the program into the dev board, and
then step through the real program in Paulmon with real feedback.



Re: how to trace a microcontroller running it's app ?




Oops, my reply went too early, I had not finished, so this is just a
continuation of the previous one.

OK, I believe it.
I thought maybe I could step through the real program in Paulmon with
real feedback

*BUT*

my brain lapse/overactive imagination/etc.
I see your point: Paulmon is not going to be doing any
translation for me and certainly not clearing a path to all the
I/O. I guess my hopes for Paulmon (the monitor) were too high.


:( alas, another project I am working on

Well, I am trying to do this hobby style, so I probably will not
progress to that point.
Sorry to put a wrench in your potential windfall earnings :)

Thanks for the help and ideas Ian,
robb


Re: how to trace a microcontroller running it's app ?



I have done lots of this........
Step 1. Build a circuit diagram, one way or another. This may require you to
remove some components. Having the pinouts of the chips used will be a great
help, especially the 8031.
Step 2. Disassemble the ROM. This will give you all the opcodes used. You
will have to split the code into various blocks:
Jump vectors - in the first 20 or so locations - these will point to various
routines....
Restart/power up/initialisation
Rx/Tx UART routines (maybe/maybe not used)
Timer interrupt routines
Int0/Int1 hardware vector routines.
Etc.
At the restart vector, you will find all the system setup parameters for
timers/UARTs/baud rates/real time clock etc.
From the disassembly draw a line under ALL RET/RETI instructions. This will
section the code into 'blocks'.
Try and associate blocks with functions, i.e. stepper
drive/buttons/UARTs/display, by making reference to PORT instructions in the
listing.
Give the start of routines a 'real name' instead of numbers or letters, i.e.
UartTx/UartRx/Timer 1 setup/Timer 2 setup/Kbrd Scan/Display output.
You may find the kbrd/display is an integrated solution, i.e. the keys are
linked to the display. The circuit diagram will help you discover this....
You will need to read up on how the 8051 works and what the basic opcodes
do.



Re: how to trace a microcontroller running it's app ?


These are the right first steps. After you have identified the
functional blocks, you can try inserting a jump instruction at
the start of some of the functional blocks. The code you jump
to will store parameters or output them to unused I/O bits, restore
the register contents at entry, execute the instruction you
overwrote to insert the jump, then jump back to the instruction
after your jump at the entry point, and continue execution.

This technique worked well when I was modifying the Visicalc code
for the Apple II so it would run on my employer's 80-column display
card.  IIRC the disassembly listing for VisiCalc ran to about
300 pages.  By the end of the project I had mods on about every
page and a few dozen pages of new code that I had to add to the
program.

A few constraints:

1.   You need some extra ROM or code space as a place to put
     the code you jump to.
2.   Make sure that your inserted jump code doesn't result
     in a mangled instruction after the jump.  Sometimes
     you need a NOP after the jump.
3.   Watch out for real-time effects.  Your extra code will
     slow the program down.
4.   Watch out for tricky code.  Assembly-language programmers
     have been known to use the status of carry and overflow bits as
     parameters passed into subroutines.

Mark Borgerson


Re: how to trace a microcontroller running it's app ?



Thanks for the help and reply TT_Man,

I've started a bit down the path you suggest already.
I printed out data sheets for all the onboard ICs for quick
reference to what the inputs and outputs should look like.
I started on creating a schematic/circuit diagram for the
micro-board for understanding and easy lookup of
interconnections.

I have disassembled the ROM code with dis52 from the 8052 web
site and I also used another, dasmx130, that someone suggested, but
I get two different disassemblies?

One treats the (02096f) in the first 3 bytes as a (long jump to
096F) whereas the other disassembles the (02096f) into something
else like this ...

0000 : 02   " "  db 002H
;
0001    L0001:
0001 : 09   " "  inc r1
;
0002    L0002:
0002 : 6F   "o"  xrl a,r7

So that cannot be a good sign, and it leads to confusion, so I
suppose I will need to hand-disassemble a ways and confirm which
disassembler is more accurate.

Looking at some used books on 8051 by MacKenzie and others

Thanks again for advice TT_MAN,
robb



Re: how to trace a microcontroller running it's app ?


02 09 6F is LJMP to 096F. Dump the other disassembler!



Re: how to trace a microcontroller running it's app ?


I ran into quite a number of problems of that sort in
APPLE II assembly code where  whatever system
generated the code would intersperse defined constants
with the generated code.  The disassembler would
try to disassemble string constants and  debugging
data (such as function names, etc.) and would then
miss the first instruction of the next function.

Sometimes you may have to look at instructions
such as LJMP  096F  and  make sure that the
bytes at 096F really are executable code.

It's little things like that which make disassembling
and reverse engineering a non-trivial exercise.
Which is OK by me as it paid the bills for almost
half a year back in the '80s.


Mark Borgerson
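
Several posts above cover the same ground from different angles: TT_Man's
procedure of starting at the jump vectors and cutting the listing into
blocks at every RET/RETI, Mark's technique of patching an LJMP hook into a
block entry and displacing the overwritten instruction into a stub, and
the disagreement between the two disassemblers over whether 02 09 6F at
offset 0 is an LJMP or data. The following is an added Python example,
not code posted by anyone in this thread, that shows the mechanics of all
three on a constructed 128-byte ROM image: a recursive-descent code/data
map seeded from the reset and interrupt vectors (compared against a naive
linear sweep, which is what mis-decodes a data table as instructions), and
a hook inserter that refuses to relocate PC-relative instructions and pads
with NOPs so no half-instruction is left behind (Mark's constraint 2). The
addresses 0x0030, 0x0040, 0x0050 and 0x0070, the routine names, the use of
P2 as the "unused" output port and R7 as the parameter are all assumptions
made for the example.

```python
"""Recursive-descent 8051 code/data mapping and a hook-insertion patcher.
Added example for this thread, not code posted in it. The ROM image built by
sample_rom() is constructed; the addresses and routine names are assumptions.
"""
from typing import Dict, List, Set, Tuple

# Byte length of each of the 256 8051 opcodes, one row of 16 per string (0x00..0xFF).
_LEN_ROWS = (
    "1231121111111111", "3231121111111111", "3211221111111111", "3211221111111111",
    "2223221111111111", "2223221111111111", "2223221111111111", "2221232222222222",
    "2221132222222222", "3221221111111111", "2221112222222222", "2221333333333333",
    "2221121111111111", "2221131122222222", "1211121111111111", "1211121111111111",
)
INSN_LEN = [int(c) for row in _LEN_ROWS for c in row]

LJMP, LCALL, RET, RETI, SJMP, JMP_A_DPTR, MOVC_PC, NOP = 0x02, 0x12, 0x22, 0x32, 0x80, 0x73, 0x83, 0x00
# Opcodes whose last operand byte is a signed PC-relative offset (SJMP and every conditional jump).
REL_BRANCH = {0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, SJMP, 0xD5} | set(range(0xB4, 0xC0)) | set(range(0xD8, 0xE0))
VECTORS = (0x0000, 0x0003, 0x000B, 0x0013, 0x001B, 0x0023)  # reset, INT0, T0, INT1, T1, serial

def is_ajmp(op: int) -> bool:
    return op & 0x1F == 0x01

def is_acall(op: int) -> bool:
    return op & 0x1F == 0x11

def branch_targets(rom: bytes, pc: int) -> Tuple[List[int], bool]:
    """Return (jump/call targets, falls_through) for the instruction at pc."""
    op = rom[pc]
    nxt = pc + INSN_LEN[op]
    if op in (LJMP, LCALL):
        return [(rom[pc + 1] << 8) | rom[pc + 2]], op == LCALL
    if is_ajmp(op) or is_acall(op):  # 11-bit target inside the 2K page of the next instruction
        return [(nxt & 0xF800) | ((op >> 5) << 8) | rom[pc + 1]], is_acall(op)
    if op in REL_BRANCH:
        rel = rom[nxt - 1] - (0x100 if rom[nxt - 1] > 0x7F else 0)
        return [(nxt + rel) & 0xFFFF], op != SJMP
    if op in (RET, RETI, JMP_A_DPTR):  # block ends here; JMP @A+DPTR's target is data-driven
        return [], False
    return [], True

def code_map(rom: bytes, entries=None) -> Tuple[Dict[int, int], Set[int]]:
    """Follow control flow from the entry points. Returns ({insn_addr: length}, block_starts).
    Bytes never reached are data (tables, strings) as far as this pass can tell."""
    if entries is None:
        # Seed with the reset vector plus any interrupt vector holding a jump or RETI;
        # an unused (erased 0xFF) vector slot would otherwise drag junk into the map.
        entries = [0] + [v for v in VECTORS[1:]
                         if v < len(rom) and (rom[v] in (LJMP, SJMP, RETI) or is_ajmp(rom[v]))]
    insns: Dict[int, int] = {}
    blocks: Set[int] = set(entries)
    work = list(entries)
    while work:
        pc = work.pop()
        while pc < len(rom) and pc not in insns:
            insns[pc] = INSN_LEN[rom[pc]]
            targets, falls = branch_targets(rom, pc)
            for t in targets:
                blocks.add(t)
                if t not in insns:
                    work.append(t)
            if not falls:
                break
            pc += insns[pc]
    return insns, blocks

def linear_sweep(rom: bytes, start: int, end: int) -> Dict[int, int]:
    """What a naive disassembler does: decode every byte in order, data included."""
    insns, pc = {}, start
    while pc < end:
        insns[pc] = INSN_LEN[rom[pc]]
        pc += insns[pc]
    return insns

# Hook body as Mark describes it: save, output a parameter on unused I/O, restore.
HOOK_BODY = bytes([0xC0, 0xE0,   # PUSH ACC
                   0xEF,         # MOV  A,R7   ; R7 assumed to hold the parameter of interest
                   0xF5, 0xA0,   # MOV  P2,A   ; P2 assumed unused on the target board
                   0xD0, 0xE0])  # POP  ACC

def insert_hook(rom: bytes, entry: int, stub_addr: int, body: bytes) -> bytes:
    """Overwrite entry with LJMP stub; stub = body + displaced instructions + LJMP back.
    Refuses to move PC-relative instructions or to write over non-erased ROM."""
    out = bytearray(rom)
    n = 0
    while n < 3:  # displace whole instructions, never split one
        op = out[entry + n]
        if op in REL_BRANCH or op == MOVC_PC or is_ajmp(op) or is_acall(op):
            raise ValueError(f"PC-relative opcode {op:#04x} at {entry + n:#06x} cannot be relocated")
        n += INSN_LEN[op]
    resume = entry + n
    stub = bytes(body) + bytes(out[entry:resume]) + bytes([LJMP, resume >> 8, resume & 0xFF])
    if any(b != 0xFF for b in out[stub_addr:stub_addr + len(stub)]):
        raise ValueError("stub area is not erased ROM")
    out[entry:entry + 3] = bytes([LJMP, stub_addr >> 8, stub_addr & 0xFF])
    out[entry + 3:resume] = bytes([NOP]) * (n - 3)  # pad so no half-instruction is left behind
    out[stub_addr:stub_addr + len(stub)] = stub
    return bytes(out)

def sample_rom() -> bytes:
    """Constructed 128-byte image; everything not written stays erased (0xFF)."""
    rom = bytearray([0xFF] * 0x80)
    rom[0x00:0x03] = [0x02, 0x00, 0x30]  # reset:    LJMP main
    rom[0x03] = 0x32                      # INT0 vec: RETI
    rom[0x0B:0x0E] = [0x02, 0x00, 0x40]  # T0 vec:   LJMP isr
    rom[0x20:0x25] = b"HELLO"            # data:     a linear sweep decodes this as ORL instructions
    rom[0x30:0x38] = [0x75, 0x90, 0xFF,  # main:     MOV P1,#0FFh
                      0x12, 0x00, 0x50,  #           LCALL readkeys
                      0x80, 0xFE]        #           SJMP $
    rom[0x40:0x43] = [0xB2, 0x90, 0x32]  # isr:      CPL P1.0 ; RETI
    rom[0x50:0x55] = [0xE5, 0xB0,        # readkeys: MOV A,P3
                      0xF5, 0x90,        #           MOV P1,A
                      0x22]              #           RET
    return bytes(rom)

if __name__ == "__main__":
    _, blocks = code_map(sample_rom())
    print("blocks:", ", ".join(f"{a:#06x}" for a in sorted(blocks)))
    print("hook stub:", insert_hook(sample_rom(), 0x0050, 0x0070, HOOK_BODY)[0x70:0x7E].hex(" "))
```

Run stand-alone, it lists the block starts found from the vectors and dumps
the 14-byte stub written at 0x0070. The same map run over the patched image
shows the stub as reachable code and the NOP pad at 0x0053 as unreachable,
which is exactly what you want before burning the modified ROM; trying to
hook the SJMP at 0x0036 instead raises, because a relative branch cannot be
copied into the stub unchanged.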


Re: how to trace a microcontroller running it's app ?



Can't say anything about tracing, but to see the I/O while your device is
operating, I'd definitely recommend Scanseer boundary-scan software --
http://www.scanseer.com .

Re: how to trace a microcontroller running it's app ?



> Can't say anything about tracing, but to see the I/O while your device is
> operating, I'd definitely recommend Scanseer boundary-scan software --
> http://www.scanseer.com .

Since when did a 51 device have JTAG? Pointless post........



Re: how to trace a microcontroller running it's app ?



A couple of them do... I forget which, but it is very uncommon.

--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England     /\/\/\/\/
Re: how to trace a microcontroller running it's app ?


On Sun, 13 Jan 2008 13:02:49 +0000, the renowned Chris H


Silabs for one. Expensive, but a lot cheaper than a real-time
emulator.


Re: how to trace a microcontroller running it's app ?



But he already stated it was an 8031...... Like I said, no chance of JTAG
whatsoever.....


