
how to trace a microcontroller running it's app ?

Started by robb January 11, 2008
I have a (8051) micro-controller that i would like to trace it's
runtime program to understand how the program works for the purpose
of potentially modifying code. (The only info of the program is the
program binary copied off ROM.)

The micro-controller consists of (usual stuff):
---------------------------------------
- Siemens 8031, ROM, SRAM
- servo motors (+ driver ICs)
- simple user 16 char (14 seg) interactive display
- grid of buttons (24)

Any ideas on how to do this? How possible is it?

I have a PJRC 8051 Rev.4 development board that runs "Paulmon", which allows you to load your program to some offset in RAM and step through it. (i really want to see the I/O as it runs, though.)

My idea/thought at first was to maybe connect the PJRC board to the MCU socket of the microcontroller board and trace the program??

What i have tried is loading it into a simulator like EdSim51 to run and determine what the program does, but i would need to somehow simulate all the devices (input)?

Any help and ideas greatly appreciated,
robb
Its, Robb, its (not it's). 


robb wrote:
> I have a (8051) micro-controller that i would like to trace it's
> runtime program to understand how the program works for purpose
> of potentially modifying code. (The only info of program is the
> program binary copied off ROM )
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
> - Siemens 8031, ROM, SRAM
> - servo motors (+ driver ICs)
> - simple user 16 char (14 seg) interactive display
> - grid of buttons (24)
>
> Any ideas on how to do this? how possible ?
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is load in a simulator like (EdSim51) to run
> and determine what program does but i would need to some how
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

Oh man, you are asking a very difficult question. What you are asking is, "how do I reverse engineer" this hardware/code. Not an easy project.

By your past posts, you do not have the experience to do this. But, what are you willing to do and how much time do you have? This will take LOTS of time. It's a full-time job.

I reverse engineered a product recently; it took 3 months. I have the source code (C code for an 8051 Keil compiler). The engineer who wrote this code deleted all the comments. I created a specification of the code that tried to map the code. Have you ever written a specification that someone else had to read??

Documentation is a lost art. ISO has tried to force companies to do it, but engineers are not taught how to do it. Engineers love to play with the toys, not write docs.

Good Luck
donald
robb wrote:

> I have a (8051) micro-controller that i would like to trace it's
> runtime program to understand how the program works for purpose
> of potentially modifying code. (The only info of program is the
> program binary copied off ROM )
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
> - Siemens 8031, ROM, SRAM
> - servo motors (+ driver ICs)
> - simple user 16 char (14 seg) interactive display
> - grid of buttons (24)
>
> Any ideas on how to do this? how possible ?

The *ONLY* practical ways of tracing the *actual* program execution on the *actual* hardware are either with a high-end logic analyser, preferably with support for displaying 8051 instructions, or with an in-circuit emulator. Google 8051 ICE or 8051 JTAG for lots of links to commercial products. CAUTION: a board with servomotors *may* need a real-time emulator to do useful debugging, and that will be $$expensive$$.

You are wasting your time if you haven't mapped out the IO decoding and haven't already got a printout of the disassembly of the ROM marked up with your best guess as to which routine does what, data areas, etc. If you can't sight-read a disassembly of the program and understand it, you are SOL until you've put in some hard time with your 8051 development board. Expect to kill one tree for every program you reverse engineer (piles of paper!!) ;-)

> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??

NO ****ING WAY. You would need to:
1. make sure there are no IO address conflicts between the two boards,
2. disconnect all RAM and ROM on the target board,
3. relocate the code to run on the PJRC 8051 board without clashing with the monitor,
4. run it without frying the servo drivers or the servos, and
5. get everything *exactly* right first time with no accidents with 32V supplies etc.

I wouldn't like to tackle this with a processor I am *extremely* familiar with. (I used to be able to sight-read the raw HEX for *most* of the instruction set of a Z80.)

> What i have tried is load in a simulator like (EdSim51) to run
> and determine what program does but i would need to some how
> simulate all the devices (input) ?

Yes, there *are* simulators that support virtual I/O. Do you have the circuit diagram?

> any help and ideas greatly appreciated,
> robb

Yes - Put it aside for a year while you learn the 8051. When you have built your own development board and coded your own monitor you *will* be ready for this. Meanwhile, if you *must* proceed, tell us which company you get your components from so we can buy shares in a company experiencing a *significant* upturn in sales!

--
Ian Malcolm. London, ENGLAND. (NEWSGROUP REPLY PREFERRED)
ianm[at]the[dash]malcolms[dot]freeserve[dot]co[dot]uk [at]=@, [dash]=- & [dot]=.
*Warning* HTML & >32K emails --> NUL:
"BobW" <nimby_NEEDSPAM@roadrunner.com> wrote in message
news:8JadnX6J2ZCqpxXanZ2dnUVZ_t2inZ2d@giganews.com...
> Its, Robb, its (not it's).

thanks Bob, ok, possessive pronouns do not use ('s), got it. always had a problem remembering written grammar details like that ... any thoughts on my microcontroller madness, as some seem to call it?
robb
"donald" <Donald@dontdoithere.com> wrote in message
news:TY-dnQWSRJF12RXanZ2dnUVZ_qOknZ2d@comcast.com...
> robb wrote:
>> I have a (8051) micro-controller that i would like to trace it's
>> runtime program to understand how the program works for purpose
>> of potentially modifying code. (The only info of program is the
>> program binary copied off ROM )
>>
>> The micro-controller consists of (usual stuff):
>> ---------------------------------------
>> - Siemens 8031, ROM, SRAM
>> - servo motors (+ driver ICs)
>> - simple user 16 char (14 seg) interactive display
>> - grid of buttons (24)
>>
>> Any ideas on how to do this? how possible ?
>>
>> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
>> which allows you to load your program to some offset in RAM and
>> step through it. (i really want to see the I/O as it runs
>> though)
>>
>> My idea/thought at first was to maybe connect the PJRC board to
>> the MCU socket of the microcontroller board and trace the program
>> ??
>>
>> What i have tried is load in a simulator like (EdSim51) to run
>> and determine what program does but i would need to some how
>> simulate all the devices (input) ?
>>
>> any help and ideas greatly appreciated,
>> robb
>
> Oh man, you are asking a very difficult question.
> What you are asking is, "how do I reverse engineer" this hardware/code.
hello Don, another big help on my ROM snafu, thanks! yes, yours is a much more direct and succinct version of my request. i do not want to fully reverse engineer it, although it would be nice to understand it well enough to at least have a documented Assembly program.

> Not an easy project.

yes, i understand. i hope to avoid the most time-consuming treks with some great advice from you guys

> By your past posts, you do not have the experience to do this.

consistent but not complete, so don't pigeon-hole me yet :)

> But, what are you willing to do and how much time do you have?
> This will take LOTS of time.

well i am willing to disassemble my ROM object, then load and step through the code, look up the 8051 Assembly op codes being performed, check what the parameters are, then go/figure/find what those parameters mean (signals, addresses, ports etc) and what those parameters affect in terms of the microcontroller traces/ICs/etc

> It's a full-time job.

or part-time hobby

> I reverse engineered a product recently, took 3 months.
> I have the source code (C code for an 8051 Keil compiler)
> The engineer who wrote this code deleted all the comments.
> I created a specification of the code that tried to map the code.
>
> Have you ever written a specification that someone else had to read??

yes, requirements/functional/design/test/etc...etc.. because i was taught most effort goes to proper specification

> Documentation is a lost art.
> ISO has tried to force companies to do it, but engineers are not taught
> how to do it.
>
> Engineers love to play with the toys, not write docs.
> Good Luck donald

i guess i am an engineer at heart. thanks for the reply, i would appreciate any ideas you have on how to approach this on a hobby budget and timescale.
robb
"robb" <some@where.on.net> wrote in message 
news:13og7rtskr36f6@corp.supernews.com...
> I have a (8051) micro-controller that i would like to trace it's
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is load in a simulator like (EdSim51) to run
> and determine what program does but i would need to some how
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

I have done lots of this........

Step 1. Build a circuit diagram, one way or another. This may require you to remove some components. Having the pinouts of the chips used will be a great help, especially the 8031.

Step 2. Disassemble the ROM. This will give you all the op codes used. You will have to split the code into various blocks:
- Jump vectors - in the first 20 or so locations - these will point to various routines....
- Restart/power up/initialisation
- Rx/Tx UART routines (maybe/maybe not used)
- Timer interrupt routines
- Int0/Int1 hardware vector routines
- Etc.

At the restart vector, you will find all the system setup parameters for timers/UARTs/baud rates/real time clock etc.

From the disassembly, draw a line under ALL RET/RETI instructions. This will section the code into 'blocks'. Try and associate blocks with functions, i.e. stepper drive/buttons/UARTs/display, by making reference to PORT instructions in the listing. Give the start of routines a 'real name' instead of numbers or letters, i.e. UartTx/UartRx/Timer 1 setup/Timer 2 setup/Kbrd Scan/Display output.

You may find the kbrd/display is an integrated solution, i.e. the keys are linked to the display. The circuit diagram will help you discover this....

You will need to read up on how the 8051 works and what the basic op codes do.
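The sectioning step described in the post above (and the "marked-up disassembly with your best guess as to which routine does what" that Ian asks for earlier in the thread) can be done mechanically as a first pass. The script below is an added example, not code from any poster or from the PJRC/Paulmon project: it does a linear sweep over an 8051 ROM image using the standard opcode length table, draws a block boundary under every RET/RETI, names the blocks reached from the standard 8051 interrupt vectors (0000h reset, 0003h INT0, 000Bh Timer 0, 0013h INT1, 001Bh Timer 1, 0023h serial), and records which port/SFR addresses each block touches so you can guess its job (keypad, display, servo). The ROM image is a small hand-assembled sample constructed for the example; the SFR and vector addresses are the standard 8051 ones.

```python
"""Section an 8051 ROM image into blocks: split at every RET/RETI, name the
blocks reached from the interrupt vectors, and note the ports/SFRs each one
touches.  Linear sweep only: data tables embedded in the code (MOVC lookup
tables, strings) will be decoded as instructions, so treat the output as a
first-pass worksheet to be marked up by hand, not as ground truth."""
from collections import namedtuple

# Length of each of the 256 opcodes (one digit per opcode, 16 per row).
INSN_LEN = [int(c) for c in (
    "1231121111111111"   # 0x00: NOP AJMP LJMP RR  INC ...
    "3231121111111111"   # 0x10: JBC ACALL LCALL RRC DEC ...
    "3211221111111111"   # 0x20: JB  AJMP RET RL ADD ...
    "3211221111111111"   # 0x30: JNB ACALL RETI RLC ADDC ...
    "2223221111111111"   # 0x40: JC  AJMP ORL ...
    "2223221111111111"   # 0x50: JNC ACALL ANL ...
    "2223221111111111"   # 0x60: JZ  AJMP XRL ...
    "2221232222222222"   # 0x70: JNZ ACALL ORL C,bit JMP @A+DPTR MOV ...
    "2221132222222222"   # 0x80: SJMP AJMP ANL C,bit MOVC DIV MOV dir,...
    "3221221111111111"   # 0x90: MOV DPTR,# ACALL MOV bit,C MOVC SUBB ...
    "2221112222222222"   # 0xA0: ORL C,/bit AJMP MOV C,bit INC DPTR MUL ...
    "2221333333333333"   # 0xB0: ANL C,/bit ACALL CPL bit CPL C CJNE ...
    "2221121111111111"   # 0xC0: PUSH AJMP CLR bit CLR C SWAP XCH ...
    "2221131122222222"   # 0xD0: POP ACALL SETB bit SETB C DA DJNZ XCHD DJNZ Rn
    "1211121111111111"   # 0xE0: MOVX AJMP MOVX CLR A MOV A,dir ...
    "1211121111111111")] # 0xF0: MOVX ACALL MOVX CPL A MOV dir,A ...

VECTORS = {0x0000: "RESET", 0x0003: "INT0", 0x000B: "TIMER0",
           0x0013: "INT1", 0x001B: "TIMER1", 0x0023: "SERIAL"}
SFR = {0x80: "P0", 0x81: "SP", 0x82: "DPL", 0x83: "DPH", 0x87: "PCON", 0x88: "TCON",
       0x89: "TMOD", 0x8A: "TL0", 0x8B: "TL1", 0x8C: "TH0", 0x8D: "TH1", 0x90: "P1",
       0x98: "SCON", 0x99: "SBUF", 0xA0: "P2", 0xA8: "IE", 0xB0: "P3", 0xB8: "IP",
       0xD0: "PSW", 0xE0: "ACC", 0xF0: "B"}
# Opcodes whose first operand byte is a direct address, resp. a bit address.
DIRECT_OPS = ({0x05, 0x15, 0x25, 0x35, 0x42, 0x43, 0x45, 0x52, 0x53, 0x55, 0x62, 0x63,
               0x65, 0x75, 0x85, 0x95, 0xB5, 0xC0, 0xC5, 0xD0, 0xD5, 0xE5, 0xF5}
              | set(range(0x86, 0x90)) | set(range(0xA6, 0xB0)))
BIT_OPS = {0x10, 0x20, 0x30, 0x72, 0x82, 0x92, 0xA0, 0xA2, 0xB0, 0xB2, 0xC2, 0xD2}

Block = namedtuple("Block", "start end name refs")

def sfr_name(direct):
    return SFR.get(direct, f"SFR_{direct:02X}")

def bit_name(bit):
    """Bit addresses 80h-FFh live in the bit-addressable SFRs (byte = bit & F8h);
    00h-7Fh are the bit-addressable internal RAM bytes 20h-2Fh."""
    if bit >= 0x80:
        return f"{sfr_name(bit & 0xF8)}.{bit & 7}"
    return f"RAM_{0x20 + (bit >> 3):02X}.{bit & 7}"

def sweep(rom):
    """Linear sweep: yield (address, opcode, operand bytes)."""
    pc = 0
    while pc < len(rom):
        n = INSN_LEN[rom[pc]]
        yield pc, rom[pc], rom[pc + 1:pc + n]
        pc += n

def entry_points(rom):
    """Vector slots get their vector name; an LJMP sitting in a slot names its target."""
    names = {}
    for addr, name in VECTORS.items():
        if addr < len(rom):
            names[addr] = name
            if rom[addr] == 0x02 and addr + 2 < len(rom):          # LJMP addr16
                names[(rom[addr + 1] << 8) | rom[addr + 2]] = name + "_handler"
    return names

def split_blocks(rom):
    names = entry_points(rom)
    blocks, start, refs = [], 0, set()
    for addr, op, operands in sweep(rom):
        if addr in names and addr != start:           # a named entry starts a new block
            blocks.append(Block(start, addr - 1, names.get(start), sorted(refs)))
            start, refs = addr, set()
        if op in DIRECT_OPS and operands and operands[0] >= 0x80:
            refs.add(sfr_name(operands[0]))
        if op == 0x85 and len(operands) == 2 and operands[1] >= 0x80:   # MOV dir,dir
            refs.add(sfr_name(operands[1]))
        if op in BIT_OPS and operands and operands[0] >= 0x80:
            refs.add(bit_name(operands[0]))
        if op in (0x22, 0x32):                        # RET / RETI: draw the line here
            blocks.append(Block(start, addr, names.get(start), sorted(refs)))
            start, refs = addr + 1, set()
    if start < len(rom):
        blocks.append(Block(start, len(rom) - 1, names.get(start), sorted(refs)))
    return blocks

def build_sample_rom():
    """Constructed sample image (not a real product ROM): vectors, an init routine,
    a keypad handler on INT0 and a servo-step handler on Timer 0. 00h = NOP pads gaps."""
    rom = bytearray(0x53)
    rom[0x00:0x03] = bytes([0x02, 0x00, 0x30])        # LJMP 0030h   reset
    rom[0x03:0x06] = bytes([0x02, 0x00, 0x40])        # LJMP 0040h   INT0
    rom[0x0B:0x0E] = bytes([0x02, 0x00, 0x50])        # LJMP 0050h   Timer 0
    rom[0x13] = rom[0x1B] = rom[0x23] = 0x32          # RETI in the unused vectors
    rom[0x30:0x3D] = bytes([0x75, 0x90, 0xFF,         # MOV P1,#0FFh  keypad port as input
                            0x75, 0x89, 0x01,         # MOV TMOD,#01h timer 0, mode 1
                            0x75, 0xA8, 0x82,         # MOV IE,#82h   EA + ET0
                            0xD2, 0x8C,               # SETB TR0      (TCON.4)
                            0x80, 0xFE])              # SJMP $        idle loop
    rom[0x40:0x45] = bytes([0xE5, 0x90, 0xF5, 0xA0, 0x32])   # MOV A,P1; MOV P2,A; RETI
    rom[0x50:0x53] = bytes([0xB2, 0xB5, 0x32])        # CPL P3.5; RETI
    return bytes(rom)

if __name__ == "__main__":
    for b in split_blocks(build_sample_rom()):
        print(f"{b.start:04X}-{b.end:04X}  {b.name or '(unnamed/padding)':18s} "
              f"refs: {', '.join(b.refs) or '-'}")
```

On the sample image this lists a RESET_handler block that sets up P1, TMOD, IE and TCON.4 (so: keypad port plus timer 0 initialisation), an INT0_handler that reads P1 and writes P2 (keypad in, display latch out), and a TIMER0_handler that toggles P3.5 (a servo step line). Blocks that are only NOP padding come out unnamed with no references; on a real ROM the unnamed blocks are the ones to scrutinise, since a block with no RET and odd-looking opcodes is usually a data table rather than code.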
On Jan 12, 4:03=A0am, "robb" <s...@where.on.net> wrote:
> I have a (8051) micro-controller that i would like to trace it's
> runtime program to understand how the program works for purpose
> of potentially modifying code. (The only info of program is the
> program binary copied off ROM )
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
> - Siemens 8031, ROM, SRAM
> - servo motors (+ driver ICs)
> - simple user 16 char (14 seg) interactive display
> - grid of buttons (24)
>
> Any ideas on how to do this? how possible ?
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is load in a simulator like (EdSim51) to run
> and determine what program does but i would need to some how
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

Can't say anything about tracing, but to see the I/O while your device is operating, I'd definitely recommend Scanseer boundary-scan software -- http://www.scanseer.com.
On Jan 11, 8:03=A0pm, "robb" <s...@where.on.net> wrote:
> I have a (8051) micro-controller that i would like to trace it's
> runtime program to understand how the program works for purpose
> of potentially modifying code. (The only info of program is the
> program binary copied off ROM )
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
> - Siemens 8031, ROM, SRAM
> - servo motors (+ driver ICs)
> - simple user 16 char (14 seg) interactive display
> - grid of buttons (24)
>
> Any ideas on how to do this? how possible ?
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is load in a simulator like (EdSim51) to run
> and determine what program does but i would need to some how
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb
Hi, robb. To accomplish what you need for an 8031/8051, you'll need a real-time in-circuit emulator. This will not be inexpensive. But since your need is project-specific and the processor is essentially obsolete, I'd recommend renting one. The ICE should cost less than $100 to $150 a month. Make sure your rental includes the software you need to do the job. You're also going to need a logic analyzer and a digital storage scope to observe operation of the servo system. This one would be a tough go, even for an embedded controls E.E., with the real-time control of a servo system. Give it up, robb. Good luck Chris
"Ian Malcolm" <valid.address.in.signature@invalid.invalid> wrote in message 
news:fm9gru$1qj$1@inews.gazeta.pl...
> robb wrote:
>> I have a (8051) micro-controller that i would like to trace it's
>> runtime program to understand how the program works for purpose
>> of potentially modifying code. (The only info of program is the
>> program binary copied off ROM )
>>
>> The micro-controller consists of (usual stuff):
>> ---------------------------------------
>> - Siemens 8031, ROM, SRAM
>> - servo motors (+ driver ICs)
>> - simple user 16 char (14 seg) interactive display
>> - grid of buttons (24)
>>
>> Any ideas on how to do this? how possible ?
>
> The *ONLY* practical ways of tracing the *actual* program execution on the
> *actual* hardware are either with a high end logic analyser preferably
> with support for displaying 8051 instructions or with an in-circuit
> emulator. ...

...snip...

To give you an idea of where to look... I used to have an old logic analyzer made by Arium (which merged with American to become American-Arium) called the ML4100C. It had plug-in microprocessor pods for various microcontrollers, including the 6502, the 8039 family, the 8051 family, etc. I used it extensively for debugging microcontroller flow on several 8031 projects I had developed. It was indispensable. It showed exactly how the program was executing and showed the instructions in assembly.

I've since then gotten rid of the logic analyzer (donated to our local college), but it was sure nice when working on 8031 projects. I don't know if you'd have any luck in trying to find such an animal anymore...

Good luck.
Dave
