 how to trace a microcontroller running it's app ? 
Post how to trace a microcontroller running it's app ?
I have a (8051) micro-controller that i would like to trace it's
runtime program to understand how the program works for the purpose
of potentially modifying code. (The only info on the program is the
program binary copied off ROM )

The micro-controller consists of (usual stuff):
---------------------------------------
> Siemens 8031, ROM, SRAM
> servo motors (+ driver ICs)
> simple user 16 char (14 seg) interactive display
> grid of buttons (24)

Any ideas on how to do this? how possible ?

I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
which allows you to load your program to some offset in RAM and
step through it. (i really want to see the I/O as it runs
though)

My idea/thought at first was to maybe connect the PJRC board to
the MCU socket of the microcontroller board and trace the program
??

What i have tried is loading it in a simulator like (EdSim51) to run
and determine what the program does, but i would need to somehow
simulate all the devices (input) ?

any help and ideas greatly appreciated,
robb


17 Mar 2008, 14:13
Post Re: how to trace a microcontroller running it's app ?
Its, Robb, its (not it's).


17 Mar 2008, 14:13
Post Re: how to trace a microcontroller running it's app ?
robb wrote:
> I have a (8051) micro-controller that i would like to trace it's
> runtime program to understand how the program works for the purpose
> of potentially modifying code. (The only info on the program is the
> program binary copied off ROM )
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
>> Siemens 8031, ROM, SRAM
>> servo motors (+ driver ICs)
>> simple user 16 char (14 seg) interactive display
>> grid of buttons (24)
>
> Any ideas on how to do this? how possible ?
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is loading it in a simulator like (EdSim51) to run
> and determine what the program does, but i would need to somehow
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb
>
Oh man, you are asking a very difficult question.

What you are asking is, "how do I reverse engineer" this hardware/code.

Not an easy project.

By your past posts, you do not have the experience to do this.

But, what are you willing to do and how much time do you have ?

This will take LOTs of time.

It's a full-time job.

I reverse engineered a product recently, took 3 months.
I have the source code ( C code for an 8051 Keil compiler)
The engineer who wrote this code deleted all the comments.
I created a specification of the code that tried to map the code.

Have you ever written a specification that someone else had to read ??

Documentation is a lost art.
ISO has tried to force companies to do it, but engineers are not taught
how to do it.

Engineers love to play with the toys, not write docs.

Good Luck

donald


17 Mar 2008, 14:13
Post Re: how to trace a microcontroller running it's app ?
robb wrote:

> I have a (8051) micro-controller that i would like to trace it's
> runtime program to understand how the program works for the purpose
> of potentially modifying code. (The only info on the program is the
> program binary copied off ROM )
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
>
>>Siemens 8031, ROM, SRAM
>>servo motors (+ driver ICs)
>>simple user 16 char (14 seg) interactive display
>>grid of buttons (24)
>
>
> Any ideas on how to do this? how possible ?
The *ONLY* practical ways of tracing the *actual* program execution on
the *actual* hardware are either with a high end logic analyser,
preferably with support for displaying 8051 instructions, or with an
in-circuit emulator. Google 8051 ICE or 8051 JTAG for lots of links to
commercial products. CAUTION: a board with servomotors *may* need a real
time emulator to do useful debugging and that will be $$expensive$$.
You are wasting your time if you haven't mapped out the IO decoding and
haven't already got a printout of the disassembly of the ROM marked up
with your best guess as to which routine does what, data areas etc. If
you can't sight read a disassembly of the program and understand it you
are SOL until you've put in some hard time with your 8051 development
board. Expect to kill one tree for every program you reverse engineer
(piles of paper!!) ;-)

>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??

NO ****ING WAY. You would need to 1. make sure there are no IO address
conflicts between the two boards, 2. disconnect all RAM and ROM on the
target board, 3. relocate the code to run on the PJRC 8051 board without
clashing with the monitor, 4. run it without frying the servo
drivers or the servos, and 5. get everything *exactly* right first time with
no accidents with 32V supplies etc. I wouldn't like to tackle this with
a processor I am *extremely* familiar with. (I used to be able to sight
read the raw HEX for *most* of the instruction set of a Z80.)
>
> What i have tried is loading it in a simulator like (EdSim51) to run
> and determine what the program does, but i would need to somehow
> simulate all the devices (input) ?
Yes, there *are* simulators that support virtual I/O. Do you have the
circuit diagram?
>
> any help and ideas greatly appreciated,
> robb
>
Yes - Put it aside for a year while you learn 8051. When you have built
your own development board and coded your own monitor you *will* be
ready for this. Meanwhile, if you *must* proceed, tell us which company
you get your components from so we can buy shares in a company
experiencing a *significant* upturn in sales!

--
Ian Malcolm. London, ENGLAND. (NEWSGROUP REPLY PREFERRED)
ianm[at]the[dash]malcolms[dot]freeserve[dot]co[dot]uk
[at]=@, [dash]=- & [dot]=. *Warning* HTML & >32K emails --> NUL:


17 Mar 2008, 14:13
Post Re: how to trace a microcontroller running it's app ?
"BobW" <nimby_NEEDSPAM@roadrunner.com> wrote in message
news:8JadnX6J2ZCqpxXanZ2dnUVZ_t2inZ2d@giganews.com...
> Its, Robb, its (not it's).
>
thanks Bob,
ok, possessive pronouns do not use ('s)
got it
always had a problem remembering written grammar details like that
....

any thoughts on my microcontroller madness, as some seem to
call it ?
robb


17 Mar 2008, 14:13
Post Re: how to trace a microcontroller running it's app ?
"donald" <Donald@dontdoithere.com> wrote in message
news:TY-dnQWSRJF12RXanZ2dnUVZ_qOknZ2d@comcast.com...
> robb wrote:
> > I have a (8051) micro-controller that i would like to trace it's
> > runtime program to understand how the program works for the purpose
> > of potentially modifying code. (The only info on the program is the
> > program binary copied off ROM )
> >
> > The micro-controller consists of (usual stuff):
> > ---------------------------------------
> >> Siemens 8031, ROM, SRAM
> >> servo motors (+ driver ICs)
> >> simple user 16 char (14 seg) interactive display
> >> grid of buttons (24)
> >
> > Any ideas on how to do this? how possible ?
> >
> > I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> > which allows you to load your program to some offset in RAM and
> > step through it. (i really want to see the I/O as it runs
> > though)
> >
> > My idea/thought at first was to maybe connect the PJRC board to
> > the MCU socket of the microcontroller board and trace the program
> > ??
> >
> > What i have tried is loading it in a simulator like (EdSim51) to run
> > and determine what the program does, but i would need to somehow
> > simulate all the devices (input) ?
> >
> > any help and ideas greatly appreciated,
> > robb
> >
> Oh man, you are asking a very difficult question.
> What you are asking is, "how do I reverse engineer" this hardware/code.
>

hello Don, another big help on my ROM snafu, thanks !

yes, yours is a much more direct and succinct version of my
request.

i do not want to fully reverse engineer it, although it would be nice
to understand it well enough to at least have a documented
Assembly program.

>
> Not an easy project.
>
yes, i understand, i hope to avoid the most time-consuming treks with
some great advice from you guys

>
> By your past posts, you do not have the experience to do this.
>
consistent but not complete
so don't pigeon hole me yet :)

>
> But, what are you willing to do and how much time do you have ?
> This will take LOTs of time.
>
well i am willing to disassemble my ROM object, then load and
step through the code, look up the 8051 Assembly op codes being
performed, check what the parameters are, then go/figure/find
what those parameters mean (signals, addresses, ports etc) and
what those parameters affect in terms of the microcontroller
traces/ICs/etc

>
> Its a full time job.
>
or part time hobby

>
> I reverse engineered a product recently, took 3 months.
> I have the source code ( C code for an 8051 Keil compiler)
> The engineer who wrote this code deleted all the comments.
> I created a specification of the code that tried to map the code.
>
> Have you ever written a specification that someone else had to read ??
>
yes, requirements/functional/design/test/etc...etc.. because i
was taught most effort goes to proper specification

>
> Documentation is a lost art.
> ISO has tried to force companies to do it, but engineers are not taught
> how to do it.
>
> Engineers love to play with the toys, not write docs.
> Good Luck donald
>

i guess i am an engineer at heart

thanks for reply, i would appreciate any ideas you have on how
to approach this on hobby budget and timescale.

robb


17 Mar 2008, 14:14
Post Re: how to trace a microcontroller running it's app ?
"robb" <some@where.on.net> wrote in message
news:13og7rtskr36f6@corp.supernews.com...
>I have a (8051) micro-controller that i would like to trace it's
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is loading it in a simulator like (EdSim51) to run
> and determine what the program does, but i would need to somehow
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb
>
I have done lots of this........
Step 1. Build a circuit diagram, one way or another. This may require you to
remove some components. Having the pinouts of the chips used will be a great
help, especially the 8031.
Step 2. Disassemble the ROM. This will give you all the op codes used. You
will have to split the code into various blocks:-
Jump vectors - in the first 20 or so locations - these will point to various
routines....
Restart/power up/initialisation
Rx/Tx UART routines (maybe/maybe not used)
Timer interrupt routines
Int0/Int1 hardware vector routines.
Etc.
At the restart vector, you will find all the system setup parameters for
timers/UARTs/baud rates/real time clock etc.
From the disassembly draw a line under ALL RET/RETI instructions. This will
section the code into 'blocks'.
Try and associate blocks with functions, i.e. stepper
drive/buttons/UARTs/display, by making reference to PORT instructions in the
listing.
Give the start of routines a 'real name' instead of numbers or letters, i.e.
UartTx/UartRx/Timer 1 setup/timer2 setup/Kbrd Scan/Display output.
You may find the kbrd/display is an integrated solution, i.e. the keys are
linked to the display. The circuit diagram will help you discover this....
You will need to read up on how the 8051 works and what the basic OP codes
do.
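Step 2 above as a script, added here as an illustration (my own example, not code posted in this thread): it follows the jumps planted at the standard 8051 interrupt vectors, lists every RET/RETI byte as a candidate 'block' boundary to draw a line under, and flags writes to the setup SFRs and port accesses so they can be marked on the listing. The ROM image is constructed for the example; the byte scan does not decode instruction lengths, so a flagged byte may be an operand and the output is a worklist to confirm against a real disassembly.

```python
"""Static triage of an 8051 ROM image (added example, not from the thread).

Follows the jump at each standard interrupt vector, lists RET/RETI bytes as
candidate block boundaries and flags SFR/port accesses.  The byte scan does
not decode instruction lengths, so a flagged byte may be an operand: treat
the output as a worklist to confirm in the real disassembly.
"""

# Standard 8051 vector table: reset plus the five interrupt sources.
VECTORS = {0x0000: "RESET", 0x0003: "IE0/INT0", 0x000B: "TF0/Timer0",
           0x0013: "IE1/INT1", 0x001B: "TF1/Timer1", 0x0023: "RI+TI/UART"}

# Special-function registers that setup code and I/O routines touch.
SFR_NAMES = {0x80: "P0", 0x87: "PCON", 0x88: "TCON", 0x89: "TMOD",
             0x8A: "TL0", 0x8B: "TL1", 0x8C: "TH0", 0x8D: "TH1",
             0x90: "P1", 0x98: "SCON", 0x99: "SBUF", 0xA0: "P2",
             0xA8: "IE", 0xB0: "P3", 0xB8: "IP"}

# Bit addresses 0x80-0x87 are P0.0-P0.7, 0x90-0x97 P1.x, and so on.
PORT_BIT_BASE = {0x80: "P0", 0x90: "P1", 0xA0: "P2", 0xB0: "P3"}


def decode_vector(rom, addr):
    """Return the address the jump at `addr` leads to, or None if the
    vector holds a bare RETI (unused) or something that is not a jump."""
    op = rom[addr]
    if op == 0x02:                                   # LJMP addr16
        return (rom[addr + 1] << 8) | rom[addr + 2]
    if op == 0x80:                                   # SJMP rel8 (signed)
        rel = rom[addr + 1]
        return addr + 2 + (rel - 256 if rel > 127 else rel)
    if op & 0x1F == 0x01:                            # AJMP addr11, same 2K page
        return ((addr + 2) & 0xF800) | ((op >> 5) << 8) | rom[addr + 1]
    return None                                      # 0x32 RETI or data


def vector_targets(rom):
    """Map each vector name to the routine it enters (None = unused)."""
    return {name: decode_vector(rom, addr) for addr, name in VECTORS.items()}


def find_returns(rom):
    """Offsets of RET (0x22) / RETI (0x32): 'draw a line under' candidates."""
    return [i for i, b in enumerate(rom) if b in (0x22, 0x32)]


def find_sfr_accesses(rom):
    """(offset, mnemonic) for MOV direct,#imm / MOV A,direct / MOV direct,A
    on known SFRs and SETB/CLR on port bits."""
    hits = []
    for i in range(len(rom) - 2):
        op, d = rom[i], rom[i + 1]
        if op == 0x75 and d in SFR_NAMES:            # MOV direct,#data
            hits.append((i, "MOV %s,#0x%02X" % (SFR_NAMES[d], rom[i + 2])))
        elif op == 0xE5 and d in SFR_NAMES:          # MOV A,direct
            hits.append((i, "MOV A,%s" % SFR_NAMES[d]))
        elif op == 0xF5 and d in SFR_NAMES:          # MOV direct,A
            hits.append((i, "MOV %s,A" % SFR_NAMES[d]))
        elif op in (0xD2, 0xC2) and (d & 0xF8) in PORT_BIT_BASE:
            mnem = "SETB" if op == 0xD2 else "CLR"   # SETB bit / CLR bit
            hits.append((i, "%s %s.%d" % (mnem, PORT_BIT_BASE[d & 0xF8], d & 7)))
    return hits


def build_sample_rom():
    """Constructed 8051 image: reset -> init at 0x30, Timer0 ISR at 0x80."""
    rom = bytearray(0x89)
    rom[0x00:0x03] = b"\x02\x00\x30"                 # LJMP 0030h
    rom[0x0B:0x0E] = b"\x02\x00\x80"                 # LJMP 0080h (Timer0)
    for unused in (0x03, 0x13, 0x1B, 0x23):
        rom[unused] = 0x32                           # RETI: vector unused
    # MOV TMOD,#21h; MOV TH1,#0FDh; MOV SCON,#50h; MOV IE,#82h;
    # SETB TR0; CLR P3.0; MOV A,P1; MOV P2,A; SJMP $
    init = bytes.fromhex("758921758DFD75985075A882D28EC2B0E590F5A080FE")
    rom[0x30:0x30 + len(init)] = init
    # PUSH ACC; MOV A,P3; MOV P1,A; POP ACC; RETI
    isr = bytes.fromhex("C0E0E5B0F590D0E032")
    rom[0x80:0x80 + len(isr)] = isr
    return bytes(rom)


if __name__ == "__main__":
    image = build_sample_rom()
    for name, target in vector_targets(image).items():
        print("%-11s -> %s" % (name, "unused" if target is None else "%04Xh" % target))
    print("RET/RETI at:", ", ".join("%04Xh" % r for r in find_returns(image)))
    for off, text in find_sfr_accesses(image):
        print("%04Xh  %s" % (off, text))
```

Feed it a real image with `open(path, "rb").read()` in place of the constructed one; the RET/RETI list then gives the block boundaries and the SFR list the spots to label on the printout.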


17 Mar 2008, 14:14
Post Re: how to trace a microcontroller running it's app ?
On Jan 12, 4:03 am, "robb" <s...@where.on.net> wrote:
> I have a (8051) micro-controller that i would like to trace it's
> runtime program to understand how the program works for the purpose
> of potentially modifying code. (The only info on the program is the
> program binary copied off ROM )
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
>
> > Siemens 8031, ROM, SRAM
> > servo motors (+ driver ICs)
> > simple user 16 char (14 seg) interactive display
> > grid of buttons (24)
>
> Any ideas on how to do this? how possible ?
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is loading it in a simulator like (EdSim51) to run
> and determine what the program does, but i would need to somehow
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

Can't say anything about tracing, but to see the I/O while your device is
operating, I'd definitely recommend Scanseer boundary-scan software --
http://www.scanseer.com.


17 Mar 2008, 14:14
Post Re: how to trace a microcontroller running it's app ?
On Jan 11, 8:03 pm, "robb" <s...@where.on.net> wrote:
> I have a (8051) micro-controller that i would like to trace it's
> runtime program to understand how the program works for the purpose
> of potentially modifying code. (The only info on the program is the
> program binary copied off ROM )
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
>
> > Siemens 8031, ROM, SRAM
> > servo motors (+ driver ICs)
> > simple user 16 char (14 seg) interactive display
> > grid of buttons (24)
>
> Any ideas on how to do this? how possible ?
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is loading it in a simulator like (EdSim51) to run
> and determine what the program does, but i would need to somehow
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

Hi, robb. To accomplish what you need for an 8031/8051, you'll need a
real-time in-circuit emulator. This will not be inexpensive. But
since your need is project-specific and the processor is essentially
obsolete, I'd recommend renting one. The ICE should cost less than
$100 to $150 a month. Make sure your rental includes the software you
need to do the job. You're also going to need a logic analyzer and a
digital storage scope to observe operation of the servo system.

This one would be a tough go, even for an embedded controls E.E., with
the real-time control of a servo system. Give it up, robb.

Good luck
Chris


17 Mar 2008, 14:14
Post Re: how to trace a microcontroller running it's app ?
"Ian Malcolm" <valid.address.in.signature@invalid.invalid> wrote in message
news:fm9gru$1qj$1@inews.gazeta.pl...
> robb wrote:
>
>> I have a (8051) micro-controller that i would like to trace it's
>> runtime program to understand how the program works for the purpose
>> of potentially modifying code. (The only info on the program is the
>> program binary copied off ROM )
>>
>> The micro-controller consists of (usual stuff):
>> ---------------------------------------
>>
>>>Siemens 8031, ROM, SRAM
>>>servo motors (+ driver ICs)
>>>simple user 16 char (14 seg) interactive display
>>>grid of buttons (24)
>>
>>
>> Any ideas on how to do this? how possible ?
> The *ONLY* practical ways of tracing the *actual* program execution on the
> *actual* hardware are either with a high end logic analyser preferably
> with support for displaying 8051 instructions or with an in-circuit
> emulator. ...
....snip...

To give you an idea of where to look... I used to have an old logic analyzer
made by Arium (which merged with American to become American-Arium) called
the ML4100C. It had plug in microprocessor pods for various
microcontrollers, including the 6502, the 8039 family, the 8051 family, etc.
I used it extensively for debugging microcontroller flow on several 8031
projects I had developed. It was indispensable. It showed exactly how the
program was executing and showed the instructions in assembly.

I've since then gotten rid of the logic analyzer (donated to our local
college) but it was sure nice when working on 8031 projects. I don't know
if you'd have any luck in trying to find such an animal anymore...

Good luck.

Dave


17 Mar 2008, 14:14
Post Re: how to trace a microcontroller running it's app ?
In article <f23ij.151$WJ.81@newsfe4-win.ntli.net>, Someone@ntlworld.com
says...
>
> "robb" <some@where.on.net> wrote in message
> news:13og7rtskr36f6@corp.supernews.com...
> >I have a (8051) micro-controller that i would like to trace it's
> >
> > I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> > which allows you to load your program to some offset in RAM and
> > step through it. (i really want to see the I/O as it runs
> > though)
> >
> > My idea/thought at first was to maybe connect the PJRC board to
> > the MCU socket of the microcontroller board and trace the program
> > ??
> >
> > What i have tried is loading it in a simulator like (EdSim51) to run
> > and determine what the program does, but i would need to somehow
> > simulate all the devices (input) ?
> >
> > any help and ideas greatly appreciated,
> > robb
> >
> I have done lots of this........
> Step 1. Build a circuit diagram, one way or another. This may require you to
> remove some components. Having the pinouts of the chips used will be a great
> help, especially the 8031.
> Step 2 disassemble the rom. This will give you all the op codes used. You
> will have to split the code into various blocks:-
> Jump Vectors- in the first 20 or so locations- these will point to various
> routines....
> Restart/power up/initialisation
> Rx/Tx uart routines ( maybe /maybe not used)
> Timer interrupt routines
> Int0/Int1 hardware vector routines.
> Etc.
> At the restart vector, you will find all the system setup parameters for
> timers/uarts/baudrates/real time clock etc.
> From the disassembly draw a line under ALL RET/RETI instructions.This will
> section the code into 'blocks.
> try and associate blocks with functions, i.e stepper
> drive/buttons/uarts/display by making reference to PORT instructions in the
> listing.
> Give the start of routines a 'real name' instead of numbers or letters. i.e
> UartTx/UartRx/Timer 1 setup/timer2 setup/Kbrd Scan/Display output.
> You may find the kbrd/display is an integrated solution, i.e the keys are
> linked to the display. The circuit diagram will help you discover this....
> You will need to read up on how the 8051 works and what the basic OP codes
> do.
>
>
>
These are the right first steps. After you have identified the
functional blocks, you can try inserting a jump instruction at
the start of some of the functional blocks. The code you jump
to will store parameters or output them to unused I/O bits, restore
the register contents at entry, execute the instruction you
overwrote to insert the jump, then jump back to the instruction
after your jump at the entry point, and continue execution.

This technique worked well when I was modifying the Visicalc code
for the Apple II so it would run on my employer's 80-column display
card. IIRC the disassembly listing for VisiCalc ran to about
300 pages. By the end of the project I had mods on about every
page and a few dozen pages of new code that I had to add to the
program.

A few constraints:

1. You need some extra ROM or code space as a place to put
the code you jump to.
2. Make sure that your inserted jump code doesn't result
in a mangled instruction after the jump. Sometimes
you need a NOP after the jump.
3. Watch out for real-time effects. Your extra code will
slow the program down.
4. Watch out for tricky code. Assembly-language programmers
have been known to use the status of carry and overflow bits as
parameters passed into subroutines.

Mark Borgerson
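The detour Mark describes, written as a patch builder for an 8051 ROM image (my own added example, not code from this thread; the image, addresses and trace payload are constructed). The stub pushes ACC and PSW, which also preserves the carry flag constraint 4 warns about; it refuses to relocate instructions whose target is PC- or page-relative, pads the entry with NOPs so no half-instruction remains (constraint 2), and checks that the stub area is still erased ROM, i.e. reads 0xFF (constraint 1).

```python
"""Build an 8051 'jump out to a trace stub and back' patch (added example,
not code from the thread; all addresses and bytes are constructed).

The LJMP planted at `entry` overwrites whole instructions, which the stub
re-executes after the trace payload before LJMPing back to the first
instruction that was not overwritten.  Check the disassembly for jumps
that land inside the overwritten range; NOP padding only protects the
fall-through path.
"""

# Opcodes whose target is relative to their own address; moving one into the
# stub would silently change where it jumps, so the builder rejects them.
_RELATIVE = ({0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, 0xD5}  # JBC..SJMP, DJNZ dir
             | set(range(0xB4, 0xC0))                                # CJNE
             | set(range(0xD8, 0xE0))                                # DJNZ Rn
             | {op for op in range(256) if op & 0x1F in (0x01, 0x11)})  # AJMP/ACALL


def can_relocate(instruction):
    """True if the instruction may be moved unchanged into the stub."""
    return instruction[0] not in _RELATIVE


def ljmp(addr):
    """Encode LJMP addr16 (opcode 0x02, high byte first)."""
    return bytes([0x02, (addr >> 8) & 0xFF, addr & 0xFF])


def build_hook(rom, entry, displaced, stub_addr, payload):
    """Return a patched copy of `rom` with a detour at `entry`.

    displaced: the whole instructions (bytes each) starting at `entry` that
               the 3-byte LJMP overwrites; take them from the disassembly.
    payload:   stub body, e.g. MOV P3,A to show ACC on an unused port.  It
               may use ACC and the flags; anything else it touches (B, DPTR,
               R0-R7) it must save and restore itself.  Two extra stack
               bytes are used while the stub runs.
    """
    rom = bytearray(rom)
    n = sum(len(ins) for ins in displaced)
    if n < 3:
        raise ValueError("displaced instructions must cover the 3-byte LJMP")
    if rom[entry:entry + n] != b"".join(displaced):
        raise ValueError("displaced bytes do not match the ROM at entry")
    for ins in displaced:
        if not can_relocate(ins):
            raise ValueError("opcode 0x%02X is position-dependent" % ins[0])
    stub = (b"\xC0\xE0\xC0\xD0"              # PUSH ACC ; PUSH PSW (keeps CY)
            + bytes(payload)
            + b"\xD0\xD0\xD0\xE0"            # POP PSW ; POP ACC
            + b"".join(displaced)            # re-execute what we overwrote
            + ljmp(entry + n))               # back to the untouched code
    end = stub_addr + len(stub)
    if end > len(rom) or any(b != 0xFF for b in rom[stub_addr:end]):
        raise ValueError("stub area is not free (erased EPROM reads 0xFF)")
    rom[stub_addr:end] = stub
    # NOPs fill the tail so no half-instruction is left after the LJMP.
    rom[entry:entry + n] = ljmp(stub_addr) + b"\x00" * (n - 3)
    return bytes(rom)


def build_sample():
    """Constructed 256-byte image: MOV A,P1 ; MOV P2,A at 0x30, free space
    from 0xC0.  Hook it so ACC is also written to P3 on every entry."""
    rom = bytearray(b"\xFF" * 0x100)
    rom[0x30:0x34] = b"\xE5\x90\xF5\xA0"
    displaced = [b"\xE5\x90", b"\xF5\xA0"]   # MOV A,P1 ; MOV P2,A
    return build_hook(bytes(rom), 0x30, displaced, 0xC0, b"\xF5\xB0")  # MOV P3,A


if __name__ == "__main__":
    patched = build_sample()
    print("entry:", patched[0x30:0x34].hex())   # 0200c000
    print("stub :", patched[0xC0:0xD1].hex())   # c0e0c0d0f5b0d0d0d0e0e590f5a0020034
```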


17 Mar 2008, 14:14
Post Re: how to trace a microcontroller running it's app ?
On Fri, 11 Jan 2008 21:41:13 -0700, donald wrote:
> robb wrote:
>> I have a (8051) micro-controller that i would like to trace it's
>> runtime program to understand how the program works for the purpose
>> of potentially modifying code. (The only info on the program is the
>> program binary copied off ROM )

> I reverse engineered a product recently, took 3 months.
> I have the source code ( C code for an 8051 Keil compiler)
> The engineer who wrote this code deleted all the comments.
> I created a specification of the code that tried to map the code.

A couple of years ago I spent five weeks reverse engineering the HCS II
home automation controller (Z180 chip, 20K I think). I disassembled
the code, commented it and put it into the correct format that the
assembler we used needed. When I got done the code was found (grr! ;-)
and my code and comments matched up very closely with the original
source. Mind you, I'm pretty good at reverse engineering but I'm
not a programmer or an electrical engineer (I'm a network engineer with
an EET degree).

> Have you ever written a specification that someone else had to read ??

Yes, it's very tough to do it properly, make sense and cover all the bases.

If you ever want to improve your writing skills just write a book (on
a topic you know). The editors will show you how to write properly.
They taught me lots of additional stuff I never learned in school. And
before anyone gets any ideas, I'm still not good at writing but I am
better at writing.

> Engineers love to play with the toys, not write docs.

Guilty!

--
Linux Home Automation Neil Cherry ncherry@linuxha.com
http://www.linuxha.com/ Main site
http://linuxha.blogspot.com/ My HA Blog
Author of: Linux Smart Homes For Dummies


17 Mar 2008, 14:14
Post Re: how to trace a microcontroller running it's app ?
<>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is loading it in a simulator like (EdSim51) to run
> and determine what the program does, but i would need to somehow
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

Can't say anything about tracing, but to see the I/O while your device is
operating, I'd definitely recommend Scanseer boundary-scan software --
http://www.scanseer.com.

Since when did a 51 device have JTAG? pointless post........


17 Mar 2008, 14:14
Post Re: how to trace a microcontroller running it's app ?
> What i have tried is load in a simulator like (EdSim51) to run
> and determine what program does but i would need to some how
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

Hi, robb. To accomplish what you need for an 8031/8051, you'll need a
real-time in-circuit emulator. This will not be inexpensive. But
since your need is project-specific and the processor is essentially
obsolete, I'd recommend renting one. The ICE should cost less than
$100 to $150 a month. Make sure your rental includes the software you
need to do the job. You're also going to need a logic analyzer and a
digital storage scope to observe operation of the servo system.

This one would be a tough go, even for an embedded controls E.E., with
the real-time control of a servo system. Give it up, robb.

Good luck
Chris

You don't need all that stuff, just a logical, inquisitive analytical mind
:) Which it seems you have!


17 Mar 2008, 14:14
Post Re: how to trace a microcontroller running it's app ?
In message <DUmij.28536$ov2.14484@newsfe5-win.ntli.net>, TT_Man
<Someone@ntlworld.com> writes
>
><>
>> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
>> which allows you to load your program to some offset in RAM and
>> step through it. (i really want to see the I/O as it runs
>> though)
>>
>> My idea/thought at first was to maybe connect the PJRC board to
>> the MCU socket of the microcontroller board and trace the program
>> ??
>>
>> What i have tried is loading it in a simulator like (EdSim51) to run
>> and determine what the program does, but i would need to somehow
>> simulate all the devices (input) ?
>>
>> any help and ideas greatly appreciated,
>> robb
>
>Can't say anything about tracing, but to see the I/O while your device is
>operating, I'd definitely recommend Scanseer boundary-scan software --
>http://www.scanseer.com.
>
>Since when did a 51 device have JTAG? pointless post........

A couple of them do.. I forget which but it is very uncommon.

--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
/\/\/ chris@phaedsys.org http://www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/


17 Mar 2008, 14:15
Post Re: how to trace a microcontroller running it's app ?
In message <nWmij.28537$ov2.15767@newsfe5-win.ntli.net>, TT_Man
<Someone@ntlworld.com> writes
>> What i have tried is loading it in a simulator like (EdSim51) to run
>> and determine what the program does, but i would need to somehow
>> simulate all the devices (input) ?

Yes... Most will let you do this with a script.

Try uVision

>> any help and ideas greatly appreciated,
>> robb
>
>Hi, robb. To accomplish what you need for an 8031/8051, you'll need a
>real-time in-circuit emulator.

I would agree.

> This will not be inexpensive.

The costs don't look small but if it is the only tool that will do the
job.....

> But
>since your need is project-specific and the processor is essentially
>obsolete, I'd recommend renting one.

The 8051 is far from obsolete. However, if the OP is only going to do
this one 8051 project, renting is a good idea.

OTOH if the OP wants to do a lot of 51 work buying a good one is a good
long term investment.

> The ICE should cost less than
Costs depend on where you are and what you need. For 8051 the cables and
pods vary a lot depending on the target.

> Make sure your rental includes the software you
>need to do the job.
Not only the software but the facilities...
You need the ICE to be able to run at the bus speed of the target...
NOTE some 51's are *2, *3, *6 and *12 the speed of a standard 51.

You need trace & trace filtering. Also, depending on how the trace
works, the size of the trace is important. Due to different methods a 2K
trace can be effectively as big as an 8K trace.

Trace should give C, ASM and raw (binary) trace.

conditional breakpoints etc

It goes without saying it should be non intrusive

You need both C and ASM debugging

> You're also going to need a logic analyzer and a
>digital storage scope to observe operation of the servo system.

If you have a decent ICE you won't need the Logic Analyser.


>This one would be a tough go, even for an embedded controls E.E., with
>the real-time control of a servo system. Give it up, robb.
>
>Good luck
>Chris
>
>You don't need all that stuff, just a logical, inquisitive analytical mind
>:) Which it seems you have!

And a lot of time and luck.

--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
/\/\/ chris@phaedsys.org http://www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/


17 Mar 2008, 14:15
Post Re: how to trace a microcontroller running it's app ?
On Sun, 13 Jan 2008 13:02:49 +0000, the renowned Chris H
<chris@phaedsys.org> wrote:

>In message <DUmij.28536$ov2.14484@newsfe5-win.ntli.net>, TT_Man
><Someone@ntlworld.com> writes
>>
>><>
>>> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
>>> which allows you to load your program to some offset in RAM and
>>> step through it. (i really want to see the I/O as it runs
>>> though)
>>>
>>> My idea/thought at first was to maybe connect the PJRC board to
>>> the MCU socket of the microcontroller board and trace the program
>>> ??
>>>
>>> What i have tried is loading it in a simulator like (EdSim51) to run
>>> and determine what the program does, but i would need to somehow
>>> simulate all the devices (input) ?
>>>
>>> any help and ideas greatly appreciated,
>>> robb
>>
>>Can't say anything about tracing, but to see the I/O while your device is
>>operating, I'd definitely recommend Scanseer boundary-scan software --
>>http://www.scanseer.com.
>>
>>Since when did a 51 device have JTAG? pointless post........
>
>A couple of them do.. I forget which but it is very uncommon.

Silabs for one. Expensive, but a lot cheaper than a real-time
emulator.


17 Mar 2008, 14:15
Post Re: how to trace a microcontroller running it's app ?
On 12 Jan., 03:03, "robb" <s...@where.on.net> wrote:
> I have a (8051) micro-controller that i would like to trace it's
> runtime program to understand how the program works for the purpose
> of potentially modifying code. (The only info on the program is the
> program binary copied off ROM )
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
>
> > Siemens 8031, ROM, SRAM
> > servo motors (+ driver ICs)
> > simple user 16 char (14 seg) interactive display
> > grid of buttons (24)
>
> Any ideas on how to do this? how possible ?
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is loading it in a simulator like (EdSim51) to run
> and determine what the program does, but i would need to somehow
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

1) Map your input / output devices to logical addresses (check for
example for a 74LS138 if this is an old PCB)
2) Map your ROM / RAM to logical addresses
3) use dasmx.zip from Conquest Consultants (best disassembler I know and
supports the 8051) and create a source
4) use one of Frank's assemblers http://www.kingswood-consulting.co.uk/assemblers/
(don't know if he has an assembler for the 8051... He has one listed
for the 8050, I don't know the difference between these two chips...)
5) Create a new binary and burn it on EPROM...

I did this process successfully for a number of pinballs from different
manufacturers...

Look on my homepage or mail me if you want to know more..

Greetings Oliver
My collection: early bally, williams and stern with custom game roms

My homepage: http://www.pinball4you.ch

mail to: okaegi at pinball4you dot ch


17 Mar 2008, 14:15
Post Re: how to trace a microcontroller running it's app ?
>>
>>Can't say anything about tracing, but to see the I/O while your device is
>>operating, I'd definitely recommend Scanseer boundary-scan software --
>>http://www.scanseer.com.
>>
>>Since when did a 51 device have JTAG? pointless post........
>
> A couple of them do.. I forget which but it is very uncommon.
>
> --
> \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
> \/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
> /\/\/ chris@phaedsys.org http://www.phaedsys.org \/\/\
> \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
>
>
>

But he already stated it was an 8031...... Like I said, no chance of JTAG
whatsoever.....


17 Mar 2008, 14:15
Post Re: how to trace a microcontroller running it's app ?
TT_Man wrote:
>>>Can't say anything about tracing, but to see the I/O while your device
>>>is operating, I'd definitely recommend Scanseer boundary-scan software --
>>>http://www.scanseer.com.
>>>
>>>Since when did a 51 device have JTAG? pointless post........
>>
>>A couple of them do.. I forget which but it is very uncommon.
>>
>>--
>>\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
>>\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
>>/\/\/ chris@phaedsys.org http://www.phaedsys.org \/\/\
>>\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
>>
>>
>>
>
>
> But he already stated it was an 8031...... Like I said, no chance of JTAG
> whatsoever.....
>
>
Well he wanted to cross connect to his development board, so dropping a
chip in that *has* JTAG support (maybe on a converter board to 40 pin
DIL) may still be a reasonable option for ICD. I await the pros'
suggestions for any chip that could 1. be slowed down enough and 2.
comes up with extra on chip peripherals *disabled* so that it's fully
code compatible with a standard 8051. It's a long shot - but if there is
a suitable chip out there it would make a couple of potential projects I
have in mind worth proceeding with.

Robb has already replaced *most* of the chips on the target system, I
don't think he'd mind swapping out the CPU.
--
Ian Malcolm. London, ENGLAND. (NEWSGROUP REPLY PREFERRED)
ianm[at]the[dash]malcolms[dot]freeserve[dot]co[dot]uk
[at]=@, [dash]=- & [dot]=. *Warning* HTML & >32K emails --> NUL:


17 Mar 2008, 14:15
Post Re: how to trace a microcontroller running it's app ?
"Ian Malcolm" <valid.address.in.signature@invalid.invalid> wrote
in message news:fm9gru$1qj$1@inews.gazeta.pl...
> robb wrote:
>
> > I have a (8051) micro-controller that i would like to trace its
> > runtime program to understand how the program works for purpose
> > of potentially modifying code. (The only info of program is the
> > program binary copied off ROM )
> >
[trim]
> > Any ideas on how to do this? how possible ?
>
> The *ONLY* practical ways of tracing the *actual* program execution on
> the *actual* hardware are either with a high end logic analyser
> preferably with support for displaying 8051 instructions or with an
> in-circuit emulator. Google 8051 ICE or 8051 JTAG for lots of links to
> commercial products. CAUTION a board with servomotors *may* need a real
> time emulator to do useful debugging and that will be $$expensive$$.
> You are wasting your time if you haven't mapped out the IO decoding and
> haven't already got a printout of the disassembly of the ROM marked up
> with your best guess as to which routine does what, data areas etc. If
> you can't sight read a disassembly of the program and understand it you
> are SOL until you've put in some hard time with your 8051 development
> board. Expect to kill one tree for every program you reverse engineer
> (piles of paper!!) ;-)
>

Thanks Ian,
Doesn't sound easy.

so it is: disassemble the code, print it, familiarize with the 8051
instruction set, map and decode the I/O, estimate
function/routine purpose.

and what will i do with the other 23 hours of that day :D.

>
> >
> > I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> > which allows you to load your program to some offset in RAM and
> > step through it. (i really want to see the I/O as it runs
> > though)
> >
> > My idea/thought at first was to maybe connect the PJRC board to
> > the MCU socket of the microcontroller board and trace the program
> > ??
>
> NO ****ING WAY, You would need to 1. make sure there are no IO address
> conflicts between the two boards, 2. disconnect all RAM and ROM on the
> target board, 3. Relocate the code to run on the PJRC 8051 board without
> clashing with the monitor, and 4. run it without frying the servo
> drivers or the servos. 5. get everything *exactly* right first time with
> no accidents with 32V supplies etc. I wouldn't like to tackle this with
> a processor I am *extremely* familiar with. (I used to be able to sight
> read the raw HEX for *most* of the instruction set of a Z80)
>

ok, i believe it.
i had noticed that the PJRC dev board had a row of pins (access
points) to all the MCU pins and i thought i might be able to just
connect up the relevant pins, load the program into the dev board, and
then step through the real program in Paulmon with real feedback

> >
> > What i have tried is load in a simulator like (EdSim51) to run
> > and determine what program does but i would need to some how
> > simulate all the devices (input) ?
>
> Yes, there *are* simulators that support virtual I/O. Do you have the
> circuit diagram?
>
> >
> > any help and ideas greatly appreciated,
> > robb
> >
> Yes - Put it aside for a year while you learn 8051. When you have built
> your own development board and coded your own monitor you *will* be
> ready for this. Meanwhile, if you *must* proceed, tell us which company
> you get your components from so we can buy shares in a company
> experiencing a *significant* upturn in sales!
>
> --
> Ian Malcolm. London, ENGLAND. (NEWSGROUP REPLY PREFERRED)
> ianm[at]the[dash]malcolms[dot]freeserve[dot]co[dot]uk
> [at]=@, [dash]=- & [dot]=. *Warning* HTML & >32K emails --> NUL:


17 Mar 2008, 14:15
Post Re: how to trace a microcontroller running it's app ?
On Jan 12, 2:03 am, "robb" <s...@where.on.net> wrote:
> I have a (8051) micro-controller that i would like to trace it's
> runtime program to understand how the program works for purpose
> of potentialy modifying code. (The only info of program is the
> program binary copied off ROM )
>
> The micro-controller consists of (usual stuff):
> ---------------------------------------
>
> > Siemens 8031, ROM, SRAM
> > servo motors (+ driver ICs)
> > simple user 16 char (14 seg) interactive display
> > grid of buttons (24)
>
> Any ideas on how to do this? How possible?
>
> I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> which allows you to load your program to some offset in RAM and
> step through it. (i really want to see the I/O as it runs
> though)
>
> My idea/thought at first was to maybe connect the PJRC board to
> the MCU socket of the microcontroller board and trace the program
> ??
>
> What i have tried is load in a simulator like (EdSim51) to run
> and determine what program does but i would need to some how
> simulate all the devices (input) ?
>
> any help and ideas greatly appreciated,
> robb

You need a logic analyser, loads of cheap ones on eBay. Once you
capture a program loop you can load it onto your simulator and step
through it, if its function is not obvious. Program the analyser to
ignore that loop and repeat until you have them all. The whole
process is surprisingly easy if your source is not too big.


17 Mar 2008, 14:15
Post Re: how to trace a microcontroller running it's app ?
"Ian Malcolm" <valid.address.in.signature@invalid.invalid> wrote
in message news:fm9gru$1qj$1@inews.gazeta.pl...
> NO ****ING WAY, You would need to 1. make sure there are no IO address
> conflicts between the two boards, 2. disconnect all RAM and ROM on the
> target board, 3. Relocate the code to run on the PJRC 8051 board without
> clashing with the monitor, and 4. run it without frying the servo
> drivers or the servos. 5. get everything *exactly* right first time with
> no accidents with 32V supplies etc. I wouldn't like to tackle this with
> a processor I am *extremely* familiar with. (I used to be able to sight
> read the raw HEX for *most* of the instruction set of a Z80)
>

oops, my reply went too early, i had not finished, so this is just a
continuation of the previous.

ok, i believe it.
i thought maybe step through the real program in Paulmon with
real feedback

*BUT*

my brain lapse/over active imagination/etc
I see your point, Paulmon is not going to be doing any
translation for me and certainly not clearing a path to all the
I/O, i guess my hopes for Paulmon (monitor) were too high

> >
> > What i have tried is load in a simulator like (EdSim51) to run
> > and determine what program does but i would need to some how
> > simulate all the devices (input) ?
>
> Yes, there *are* simulators that support virtual I/O. Do you have the
> circuit diagram?
>

:( alas another project i am working on

> >
> > any help and ideas greatly appreciated,
> > robb
> >
>
> Yes - Put it aside for a year while you learn 8051. When you have built
> your own development board and coded your own monitor you *will* be
> ready for this. Meanwhile, if you *must* proceed, tell us which company
> you get your components from so we can buy shares in a company
> experiencing a *significant* upturn in sales!
>
well i am trying to do this hobby style so probably will not
progress to that point
sorry to put a wrench in your potential windfall earnings :)

thanks for help and ideas Ian,
robb


17 Mar 2008, 14:16
Post Re: how to trace a microcontroller running it's app ?
"TT_Man" <Someone@ntlworld.com> wrote in message
news:f23ij.151$WJ.81@newsfe4-win.ntli.net...
>
> "robb" <some@where.on.net> wrote in message
> news:13og7rtskr36f6@corp.supernews.com...
> >I have a (8051) micro-controller that i would like to trace its
> >
> > I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
> > which allows you to load your program to some offset in RAM and
> > step through it. (i really want to see the I/O as it runs
> > though)
> >
> > My idea/thought at first was to maybe connect the PJRC board to
> > the MCU socket of the microcontroller board and trace the program
> > ??
> >
> > What i have tried is load in a simulator like (EdSim51) to run
> > and determine what program does but i would need to some how
> > simulate all the devices (input) ?
> >
> > any help and ideas greatly appreciated,
> > robb
> >
> I have done lots of this........
> Step 1. Build a circuit diagram, one way or another. This may require you to
> remove some components. Having the pinouts of the chips used will be a great
> help, especially the 8031.
> Step 2. Disassemble the ROM. This will give you all the op codes used. You
> will have to split the code into various blocks:-
> Jump Vectors - in the first 20 or so locations - these will point to various
> routines....
> Restart/power up/initialisation
> Rx/Tx UART routines (maybe/maybe not used)
> Timer interrupt routines
> Int0/Int1 hardware vector routines.
> Etc.
> At the restart vector, you will find all the system setup parameters for
> timers/UARTs/baudrates/real time clock etc.
> From the disassembly draw a line under ALL RET/RETI instructions. This will
> section the code into 'blocks'.
> Try and associate blocks with functions, i.e. stepper
> drive/buttons/UARTs/display by making reference to PORT instructions in the
> listing.
> Give the start of routines a 'real name' instead of numbers or letters, i.e.
> UartTx/UartRx/Timer 1 setup/Timer 2 setup/Kbrd Scan/Display output.
> You may find the kbrd/display is an integrated solution, i.e. the keys are
> linked to the display. The circuit diagram will help you discover this....
> You will need to read up on how the 8051 works and what the basic OP codes
> do.
>
Thanks for the help and reply TT_Man,

I've started a bit down the path you suggest already.
I printed out data sheets for all the onboard ICs for quick
reference to what the inputs and outputs should look like.
i started on creating a schematic/circuit diagram for the
micro-board for understanding and easy lookup of
interconnections.

i have disassembled the ROM code with dis52 from the 8052 web
site and i also used another, dasmx130, that someone suggested, but
i get two different disassemblies?

one treats the (02096f) in the first 3 bytes as a (long jump to
096F) where the other disassembles the (02096f) into something
else like this ...

0000 : 02 " " db 002H
;
0001 L0001:
0001 : 09 " " inc r1
;
0002 L0002:
0002 : 6F "o" xrl a,r7

so that can not be a good sign, and leads to confusion, so i
suppose i will need to hand disassemble a ways and confirm which
disassembler is more accurate.

Looking at some used books on 8051 by MacKenzie and others

Thanks again for advice TT_MAN,
robb


17 Mar 2008, 14:16
Post Re: how to trace a microcontroller running it's app ?
Thanks Chris for the help and ideas,
robb

"Chris H" <chris@phaedsys.org> wrote in message
news:aljMVJLc4giHFAG2@phaedsys.demon.co.uk...
> In message <nWmij.28537$ov2.15767@newsfe5-win.ntli.net>, TT_Man
> <Someone@ntlworld.com> writes
> >> What i have tried is load in a simulator like (EdSim51) to run
> >> and determine what program does but i would need to some how
> >> simulate all the devices (input) ?
>
> Yes... Most will let you do this with a script.
>
> Try uVision
>
> >> any help and ideas greatly appreciated,
> >> robb
> >
> >Hi, robb. To accomplish what you need for an 8031/8051, you'll need a
> >real-time in-circuit emulator.
>
> I would agree.
>
> > This will not be inexpensive.
>
> The costs don't look small but if it is the only tool that will do the
> job.....
>
> > But
> >since your need is project-specific and the processor is essentially
> >obsolete, I'd recommend renting one.
>
> The 8051 is far from obsolete. However, if the OP is only going to do
> this one 8051 project renting is a good idea.
>
> OTOH if the OP wants to do a lot of 51 work buying a good one is a good
> long term investment.
>
> > The ICE should cost less than
> Costs depend on where you are and what you need. For 8051 the cables and
> pods vary a lot depending on the target.
>
> > Make sure your rental includes the software you
> >need to do the job.
> Not only the software but the facilities...
> You need the ICE to be able to run at the bus speed of the target...
> NOTE some 51's are *2, *3, *6 and *12 a standard 51.
>
> You need trace & trace filtering. Also depending on how the trace
> works the size of trace is important. Due to different methods a 2K
> trace can be effectively as big as an 8K trace
>
> Trace should give C, ASM and raw (binary) trace.
>
> conditional breakpoints etc
>
> It goes without saying it should be non intrusive
>
> You need both C and ASM debugging
>
> > You're also going to need a logic analyzer and a
> >digital storage scope to observe operation of the servo system.
>
> If you have a decent ICE you won't need the Logic Analyser.
>
>
> >This one would be a tough go, even for an embedded controls E.E., with
> >the real-time control of a servo system. Give it up, robb.
> >
> >Good luck
> >Chris
> >
> >You don't need all that stuff, just a logical, inquisitive analytical mind
> >:) Which it seems you have!
>
> And a lot of time and luck.
>
> --
> \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
> \/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
> /\/\/ chris@phaedsys.org http://www.phaedsys.org \/\/\
> \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
>


17 Mar 2008, 14:16