
How to trace a microcontroller running its app?

Started by robb January 11, 2008
In article <f23ij.151$WJ.81@newsfe4-win.ntli.net>, Someone@ntlworld.com says...
> "robb" <some@where.on.net> wrote in message news:13og7rtskr36f6@corp.supernews.com...
>> I have a (8051) micro-controller that I would like to trace its
>>
>> I have a PJRC 8051 Rev.4 development board that runs "Paulmon" which allows you to load your program to some offset in RAM and step through it. (I really want to see the I/O as it runs though)
>>
>> My idea/thought at first was to maybe connect the PJRC board to the MCU socket of the microcontroller board and trace the program ??
>>
>> What I have tried is load in a simulator like (EdSim51) to run and determine what program does but I would need to somehow simulate all the devices (input) ?
>>
>> any help and ideas greatly appreciated,
>> robb
>
> I have done lots of this........
> Step 1. Build a circuit diagram, one way or another. This may require you to remove some components. Having the pinouts of the chips used will be a great help, especially the 8031.
> Step 2. Disassemble the ROM. This will give you all the op codes used. You will have to split the code into various blocks:
> Jump vectors - in the first 20 or so locations - these will point to various routines....
> Restart/power up/initialisation
> Rx/Tx UART routines (maybe/maybe not used)
> Timer interrupt routines
> Int0/Int1 hardware vector routines.
> Etc.
> At the restart vector, you will find all the system setup parameters for timers/UARTs/baud rates/real time clock etc.
> From the disassembly draw a line under ALL RET/RETI instructions. This will section the code into 'blocks'.
> Try and associate blocks with functions, i.e. stepper drive/buttons/UARTs/display, by making reference to PORT instructions in the listing.
> Give the start of routines a 'real name' instead of numbers or letters, i.e. UartTx/UartRx/Timer 1 setup/Timer 2 setup/Kbrd Scan/Display output.
> You may find the kbrd/display is an integrated solution, i.e. the keys are linked to the display.
> The circuit diagram will help you discover this....
> You will need to read up on how the 8051 works and what the basic OP codes do.
These are the right first steps. After you have identified the functional blocks, you can try inserting a jump instruction at the start of some of the functional blocks. The code you jump to will store parameters or output them to unused I/O bits, restore the register contents at entry, execute the instruction you overwrote to insert the jump, then jump back to the instruction after your jump at the entry point, and continue execution.

This technique worked well when I was modifying the VisiCalc code for the Apple II so it would run on my employer's 80-column display card. IIRC the disassembly listing for VisiCalc ran to about 300 pages. By the end of the project I had mods on about every page and a few dozen pages of new code that I had to add to the program.

A few constraints:
1. You need some extra ROM or code space as a place to put the code you jump to.
2. Make sure that your inserted jump code doesn't result in a mangled instruction after the jump. Sometimes you need a NOP after the jump.
3. Watch out for real-time effects. Your extra code will slow the program down.
4. Watch out for tricky code. Assembly-language programmers have been known to use the status of carry and overflow bits as parameters passed into subroutines.

Mark Borgerson
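An added example, not code from the thread: a small Python helper that applies the jump-in hook described in the post above to an 8051 ROM image, honouring constraints 1 and 2 (free code space for the stub, no half-overwritten instruction) and refusing to relocate PC-relative or page-relative instructions. The instruction lengths at the entry point are assumed to come from your disassembly listing; the image, addresses and trace bytes are constructed.

```python
# Added example, not from the thread. Constructed addresses and bytes.
LJMP, NOP, PUSH, POP = 0x02, 0x00, 0xC0, 0xD0
ACC, PSW = 0xE0, 0xD0                  # direct addresses of the ACC and PSW SFRs

def ljmp(addr):
    """Encode LJMP addr16: 3 bytes, absolute, valid from anywhere in 64K."""
    return bytes([LJMP, (addr >> 8) & 0xFF, addr & 0xFF])

def position_dependent(opcode):
    """Opcodes whose operand is PC-relative or 2K-page-relative; these
    cannot be moved into the stub verbatim (the 'tricky code' caveat)."""
    if opcode & 0x1F == 0x01:          # AJMP / ACALL: target in current 2K page
        return True
    if opcode in (0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, 0xD5):
        return True                    # JBC JB JNB JC JNC JZ JNZ SJMP DJNZ dir,rel
    return 0xB4 <= opcode <= 0xBF or 0xD8 <= opcode <= 0xDF   # CJNE, DJNZ Rn

def insert_hook(image, entry, insn_lens, stub_addr, trace_code):
    """image: bytearray ROM image. entry: address of the block's entry.
    insn_lens: byte lengths of the instructions at entry, in order, read off
    the disassembly listing. stub_addr: free code space (constraint 1).
    trace_code: bytes that dump state to unused I/O bits; may clobber A/PSW.
    Returns the address the stub jumps back to."""
    covered, n = 0, 0
    while covered < 3:                 # LJMP is 3 bytes: take whole instructions
        covered += insn_lens[n]
        n += 1
    pc = entry
    for length in insn_lens[:n]:
        if position_dependent(image[pc]):
            raise ValueError(f"instruction at {pc:04X} cannot be relocated")
        pc += length
    displaced = bytes(image[entry:entry + covered])
    resume = entry + covered
    stub = (bytes([PUSH, ACC, PUSH, PSW]) + trace_code      # save entry state
            + bytes([POP, PSW, POP, ACC]) + displaced + ljmp(resume))
    if stub_addr + len(stub) > len(image):
        raise ValueError("not enough free code space for the stub")
    # Constraint 2: NOP-fill the bytes left over so no half instruction remains
    image[entry:entry + covered] = ljmp(stub_addr) + bytes([NOP]) * (covered - 3)
    image[stub_addr:stub_addr + len(stub)] = stub
    return resume

def demo():
    """Constructed 8K image; block at 0100h starts MOV A,#05h ; MOV P1,A."""
    image = bytearray(0x2000)
    image[0x0100:0x0104] = bytes([0x74, 0x05, 0xF5, 0x90])
    trace = bytes([0xF5, 0xB0])        # MOV P3,A: expose A on an unused port
    resume = insert_hook(image, 0x0100, [2, 2], 0x1F00, trace)
    return image, resume
```

The second displaced instruction makes the overwrite span 4 bytes, so one NOP follows the LJMP at the entry; the stub itself is hypothetical glue and the trace bytes are whatever your hardware lets you observe.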
On Fri, 11 Jan 2008 21:41:13 -0700, donald wrote:
> robb wrote:
>> I have a (8051) micro-controller that I would like to trace its runtime program to understand how the program works for purpose of potentially modifying code. (The only info of program is the program binary copied off ROM)
>
> I reverse engineered a product recently, took 3 months.
> I have the source code (C code for an 8051 Keil compiler).
> The engineer who wrote this code deleted all the comments.
> I created a specification of the code that tried to map the code.
A couple of years ago I spent five weeks reverse engineering the HCS II home automation controller (Z180 chip, 20K I think). I disassembled the code, commented it and put it into the correct format that the assembler we used needed. When I got done, the code was found (grr! ;-); my code and comments matched up very closely with the original source. Mind you, I'm pretty good at reverse engineering but I'm not a programmer or an electrical engineer (I'm a network engineer with an EET degree).
> Have you ever written a specification that someone else had to read ??
Yes, it's very tough to do properly, make sense and cover all the bases. If you ever want to improve your writing skills just write a book (on a topic you know). The editors will show you how to write properly. They taught me lots of additional stuff I never learned in school. And before anyone gets any ideas, I'm still not good at writing, but I am better at writing.
> Engineers love to play with the toys, not write docs.
Guilty!
--
Linux Home Automation    Neil Cherry    ncherry@linuxha.com
http://www.linuxha.com/          Main site
http://linuxha.blogspot.com/     My HA Blog
Author of: Linux Smart Homes For Dummies
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon" which allows you to load your program to some offset in RAM and step through it. (I really want to see the I/O as it runs though)
>
> My idea/thought at first was to maybe connect the PJRC board to the MCU socket of the microcontroller board and trace the program ??
>
> What I have tried is load in a simulator like (EdSim51) to run and determine what program does but I would need to somehow simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

Can't say anything about tracing, but to see the I/O while your device is operating, I'd definitely recommend Scanseer boundary-scan software -- http://www.scanseer.com.

Since when did a 51 device have JTAG? Pointless post........
> What I have tried is load in a simulator like (EdSim51) to run and determine what program does but I would need to somehow simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

Hi, robb. To accomplish what you need for an 8031/8051, you'll need a real-time in-circuit emulator. This will not be inexpensive. But since your need is project-specific and the processor is essentially obsolete, I'd recommend renting one. The ICE should cost less than $100 to $150 a month. Make sure your rental includes the software you need to do the job. You're also going to need a logic analyzer and a digital storage scope to observe operation of the servo system. This one would be a tough go, even for an embedded controls E.E., with the real-time control of a servo system. Give it up, robb.

Good luck
Chris

You don't need all that stuff, just a logical, inquisitive analytical mind :) Which it seems you have!
In message <DUmij.28536$ov2.14484@newsfe5-win.ntli.net>, TT_Man <Someone@ntlworld.com> writes
>>> I have a PJRC 8051 Rev.4 development board that runs "Paulmon" which allows you to load your program to some offset in RAM and step through it. (I really want to see the I/O as it runs though)
>>>
>>> My idea/thought at first was to maybe connect the PJRC board to the MCU socket of the microcontroller board and trace the program ??
>>>
>>> What I have tried is load in a simulator like (EdSim51) to run and determine what program does but I would need to somehow simulate all the devices (input) ?
>>>
>>> any help and ideas greatly appreciated,
>>> robb
>>
>> Can't say anything about tracing, but to see the I/O while your device is operating, I'd definitely recommend Scanseer boundary-scan software -- http://www.scanseer.com.
>
> Since when did a 51 device have JTAG? Pointless post........

A couple of them do.. I forget which but it is very uncommon.
--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills  Staffs  England  /\/\/\/\/
/\/\/ chris@phaedsys.org  www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
In message <nWmij.28537$ov2.15767@newsfe5-win.ntli.net>, TT_Man <Someone@ntlworld.com> writes
>> What I have tried is load in a simulator like (EdSim51) to run and determine what program does but I would need to somehow simulate all the devices (input) ?

Yes... Most will let you do this with a script. Try uVision.

>> any help and ideas greatly appreciated,
>> robb
>
> Hi, robb. To accomplish what you need for an 8031/8051, you'll need a real-time in-circuit emulator.
I would agree.
> This will not be inexpensive.
The costs don't look small but if it is the only tool that will do the job.....
> But since your need is project-specific and the processor is essentially obsolete, I'd recommend renting one.

The 8051 is far from obsolete. However, if the OP is only going to do this one 8051 project, renting is a good idea. OTOH if the OP wants to do a lot of 51 work, buying a good one is a good long-term investment.
> The ICE should cost less than
Costs depend on where you are and what you need. For 8051 the cables and pods vary a lot depending on the target.
> Make sure your rental includes the software you need to do the job.

Not only the software but the facilities... You need the ICE to be able to run at the bus speed of the target... NOTE some 51's are *2, *3, *6 and *12 a standard 51. You need trace & trace filtering. Also, depending on how the trace works, the size of trace is important: due to different methods a 2K trace can effectively be as big as an 8K trace. Trace should give C, ASM and raw (binary) trace, conditional breakpoints etc. It goes without saying it should be non-intrusive. You need both C and ASM debugging.
> You're also going to need a logic analyzer and a >digital storage scope to observe operation of the servo system.
If you have a decent ICE you won't need the Logic Analyser.
> This one would be a tough go, even for an embedded controls E.E., with the real-time control of a servo system. Give it up, robb.
>
> Good luck
> Chris
>
> You don't need all that stuff, just a logical, inquisitive analytical mind :) Which it seems you have!

And a lot of time and luck.
--
Chris Hills  Staffs  England  chris@phaedsys.org  www.phaedsys.org
On Sun, 13 Jan 2008 13:02:49 +0000, the renowned Chris H <chris@phaedsys.org> wrote:

> In message <DUmij.28536$ov2.14484@newsfe5-win.ntli.net>, TT_Man <Someone@ntlworld.com> writes
>>>> I have a PJRC 8051 Rev.4 development board that runs "Paulmon" which allows you to load your program to some offset in RAM and step through it. (I really want to see the I/O as it runs though)
>>>>
>>>> My idea/thought at first was to maybe connect the PJRC board to the MCU socket of the microcontroller board and trace the program ??
>>>>
>>>> What I have tried is load in a simulator like (EdSim51) to run and determine what program does but I would need to somehow simulate all the devices (input) ?
>>>>
>>>> any help and ideas greatly appreciated,
>>>> robb
>>>
>>> Can't say anything about tracing, but to see the I/O while your device is operating, I'd definitely recommend Scanseer boundary-scan software -- http://www.scanseer.com.
>>
>> Since when did a 51 device have JTAG? Pointless post........
>
> A couple of them do.. I forget which but it is very uncommon.
Silabs for one. Expensive, but a lot cheaper than a real-time emulator.
On 12 Jan., 03:03, "robb" <s...@where.on.net> wrote:
> I have a (8051) micro-controller that I would like to trace its runtime program to understand how the program works for purpose of potentially modifying code. (The only info of program is the program binary copied off ROM)
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
> Siemens 8031, ROM, SRAM
> servo motors (+ driver ICs)
> simple user 16 char (14 seg) interactive display
> grid of buttons (24)
>
> Any ideas on how to do this? How possible?
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon" which allows you to load your program to some offset in RAM and step through it. (I really want to see the I/O as it runs though)
>
> My idea/thought at first was to maybe connect the PJRC board to the MCU socket of the microcontroller board and trace the program ??
>
> What I have tried is load in a simulator like (EdSim51) to run and determine what program does but I would need to somehow simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

1) Map your input / output devices to logical addresses (check for example for a 74LS138 if this is an old PCB)
2) Map your ROM / RAM to logical addresses
3) Use dasmx.zip from Conquest Consoltans (best disassembler I know and supports the 8051) and create a source
4) Use one of Frank's assemblers, http://www.kingswood-consulting.co.uk/assemblers/ (don't know if he has an assembler for the 8051... He has one listed for the 8050, I don't know the difference between these two chips...)
5) Create new binary and burn them on EPROM...

I did this process successfully for a number of pinballs of different manufacturers... Look on my homepage or mail me if you want to know more..

Greetings Oliver
My collection: early Bally, Williams and Stern with custom game ROMs
My homepage: http://www.pinball4you.ch
mail to: okaegi at pinball4you dot ch
>> Can't say anything about tracing, but to see the I/O while your device is operating, I'd definitely recommend Scanseer boundary-scan software -- http://www.scanseer.com.
>>
>> Since when did a 51 device have JTAG? Pointless post........
>
> A couple of them do.. I forget which but it is very uncommon.
>
> --
> Chris Hills  Staffs  England  chris@phaedsys.org  www.phaedsys.org

But he already stated it was an 8031...... Like I said, no chance of JTAG whatsoever.....
TT_Man wrote:
>>> Can't say anything about tracing, but to see the I/O while your device is operating, I'd definitely recommend Scanseer boundary-scan software -- http://www.scanseer.com.
>>>
>>> Since when did a 51 device have JTAG? Pointless post........
>>
>> A couple of them do.. I forget which but it is very uncommon.
>>
>> --
>> Chris Hills  Staffs  England  chris@phaedsys.org  www.phaedsys.org
>
> But he already stated it was an 8031...... Like I said, no chance of JTAG whatsoever.....

Well he wanted to cross connect to his development board, so dropping a chip in that *has* JTAG support (maybe on a converter board to 40 pin DIL) may still be a reasonable option for ICD. I await the pros' suggestions for any chip that could 1. be slowed down enough and 2. come up with extra on-chip peripherals *disabled* so that it's fully code compatible with a standard 8051. It's a long shot - but if there is a suitable chip out there it would make a couple of potential projects I have in mind worth proceeding with. Robb has already replaced *most* of the chips on the target system, I don't think he'd mind swapping out the CPU.
--
Ian Malcolm. London, ENGLAND. (NEWSGROUP REPLY PREFERRED)
ianm[at]the[dash]malcolms[dot]freeserve[dot]co[dot]uk
[at]=@, [dash]=- & [dot]=.
*Warning* HTML & >32K emails --> NUL: