
==== 8051 Architecture ====

1. Let's play with the ITE IT8502E embedded controller firmware from a Vostro V13 laptop. It is available here: http://xvilka.me/ite_it8502.rom

2. Find the datasheet for this chip and open the firmware with radare2:

<code>
r2 -a 8051 ite_it8502.rom
</code>

3. 8051 firmware has a simple, flat structure, so execution starts at the very beginning of the image:

<code>
[0x0000000]> pd 1
,=< 0x0000000    02002e    ljmp 0x2e
</code>

So go to the start function at address 0x2e:

<code>
[0x0000000]> s 0x2e; pd 10
[0x0000002e]> pd 10
0x0000002e    78fe      mov r0, 0xfe
0x00000030    e4        clr a
0x00000031    f6        mov @r0, a
0x00000032    d8fd      djnz r0, 0xfd
0x00000034    7581d0    mov 0x81, #RAM_D0
0x00000037    901001    mov dptr, 0x1001
0x0000003a    743f      mov a, 0x3f
0x0000003c    f0        movx @dptr, a
0x0000003d    02007d    ljmp 0x7d
0x00000040    00        nop
[0x0000002e]>
</code>

... [some reversing] ...

Let's look at the **set_SMBus_frequency** function:

<code>
[0x00009954]> pd
0x00009954    901c22    mov dptr, 0x1c22
0x00009957    7415      mov a, 0x15
0x00009959    f0        movx @dptr, a
0x0000995a    a3        inc dptr
0x0000995b    7425      mov a, 0x25
0x0000995d    f0        movx @dptr, a
0x0000995e    a3        inc dptr
0x0000995f    7403      mov a, 0x03
0x00009961    f0        movx @dptr, a
0x00009962    a3        inc dptr
0x00009963    7415      mov a, 0x15
0x00009965    f0        movx @dptr, a
0x00009966    a3        inc dptr
0x00009967    7419      mov a, 0x19
0x00009969    f0        movx @dptr, a
0x0000996a    a3        inc dptr
0x0000996b    74b8      mov a, 0xb8
0x0000996d    f0        movx @dptr, a
0x0000996e    a3        inc dptr
0x0000996f    7401      mov a, 0x01
0x00009971    f0        movx @dptr, a
0x00009972    901c33    mov dptr, 0x1c33
0x00009975    e4        clr a
0x00009976    f0        movx @dptr, a
0x00009977    22        ret
; ------------
</code>

As we can see, the first thing it writes is the **SMBUS_4P7USL** register, which the datasheet describes as: "4.7 µs Low Register, and 4.7 µs high bit (in the 4.7 µs and 4.0 µs High Register) define the count number for the 4.7 µs counter. The 4.7 µs is (count number / FreqEC)."

Let's add this as a comment:

<code>
[0x00009954]> CCa 0x9954 SMBUS_4P7USL
</code>

And define the function body:

<code>
[0x00009954]> af+ 0x9954 36 set_SMBus_frequency
</code>

where 36 is the length of that function in bytes (0x9954 to 0x9977 inclusive).

Then we can see further values being stored through the **DPTR** register. Let's identify them (with the help of the datasheet) and add a comment for each:

<code>
[0x00009954]> "CCa 0x995a 4.0µs High Register (4P0USH)"
[0x00009954]> "CCa 0x995e 300ns Register (300NS)"
[0x00009954]> "CCa 0x9962 250ns Register (250NS)"
[0x00009954]> "CCa 0x9966 25ms Register (25MS)"
[0x00009954]> "CCa 0x996A 45.3µs Low Register (45P3USL)"
[0x00009954]> "CCa 0x996E 45.3µs High Register (45P3USH)"
[0x00009954]> "CCa 0x9972 4.7µs and 4.0µs High Register (4P7A4P0H)"
</code>

OK, let's see what we've added in visual mode (**Vp**):

<code>
[0x00009954 255 ite_it8502.rom]> pd $h
            ; SMBUS_4P7USL
/ function: set_SMBus_frequency (36)
|           0x00009954    901c22    mov dptr, 0x1c22
|           0x00009957    7415      mov a, 0x15
|           0x00009959    f0        movx @dptr, a
            ; 4.0µs High Register (4P0USH)
|           0x0000995a    a3        inc dptr
|           0x0000995b    7425      mov a, 0x25
|           0x0000995d    f0        movx @dptr, a
            ; 300ns Register (300NS)
|           0x0000995e    a3        inc dptr
|           0x0000995f    7403      mov a, 0x03
|           0x00009961    f0        movx @dptr, a
            ; 250ns Register (250NS)
|           0x00009962    a3        inc dptr
|           0x00009963    7415      mov a, 0x15
|           0x00009965    f0        movx @dptr, a
            ; 25ms Register (25MS)
|           0x00009966    a3        inc dptr
|           0x00009967    7419      mov a, 0x19
|           0x00009969    f0        movx @dptr, a
            ; 45.3µs Low Register (45P3USL)
|           0x0000996a    a3        inc dptr
|           0x0000996b    74b8      mov a, 0xb8
|           0x0000996d    f0        movx @dptr, a
            ; 45.3µs High Register (45P3USH)
|           0x0000996e    a3        inc dptr
|           0x0000996f    7401      mov a, 0x01
|           0x00009971    f0        movx @dptr, a
            ; 4.7µs and 4.0µs High Register (4P7A4P0H)
|           0x00009972    901c33    mov dptr, 0x1c33
|           0x00009975    e4        clr a
|           0x00009976    f0        movx @dptr, a
\           0x00009977    22        ret
; ------------
            0x00009978    74ff      mov a, 0xff
            0x0000997a    9006dc    mov dptr, 0x6dc
            0x0000997d    f0        movx @dptr, a
            0x0000997e    a3        inc dptr
            0x0000997f    f0        movx @dptr, a
            0x00009980    9006dc    mov dptr, 0x6dc
            0x00009983    e0        movx a, @dptr
            0x00009984    fe        mov r6, a
            0x00009985    a3        inc dptr
            0x00009986    e0        movx a, @dptr
            0x00009987    ff        mov r7, a
            0x00009988    22        ret
; ------------
</code>
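The manual annotation above can be automated. As an added example (not code from the original page or from radare2), the following Python script replays the small 8051 opcode subset used by set_SMBus_frequency, recovers every XDATA register store, and generates the CCa commands typed above; the address-to-register table is taken from the page's own comments, and loading the output with `r2 -i` is an assumed workflow.

```python
"""Added example (not from the page): replay the 8051 opcodes used by
set_SMBus_frequency, recover each XDATA register store and emit the radare2
CCa comments the page adds by hand. Names come from the page's annotations."""
# Constructed from the bytes the page lists for 0x9954..0x9977 (36 bytes).
SET_SMBUS_FREQUENCY = bytes.fromhex(
    "901c22 7415 f0 a3 7425 f0 a3 7403 f0 a3 7415 f0 a3 7419 f0"
    " a3 74b8 f0 a3 7401 f0 901c33 e4 f0 22")
# XDATA address -> SMBus timing register, as annotated on the page.
SMBUS_REGS = {
    0x1C22: "4.7us Low Register (SMBUS_4P7USL)",
    0x1C23: "4.0us High Register (4P0USH)",
    0x1C24: "300ns Register (300NS)",
    0x1C25: "250ns Register (250NS)",
    0x1C26: "25ms Register (25MS)",
    0x1C27: "45.3us Low Register (45P3USL)",
    0x1C28: "45.3us High Register (45P3USH)",
    0x1C33: "4.7us and 4.0us High Register (4P7A4P0H)",
}

def decode_xdata_writes(code, base):
    """Return (anchor, xdata_addr, value) per 'movx @dptr, a'; 'anchor' is the
    instruction that last set DPTR, which is where the page attaches its comment."""
    pc, dptr, acc, anchor, writes = 0, None, None, None, []
    while pc < len(code):
        op = code[pc]
        if op == 0x90:                      # mov dptr, #imm16 (high byte first)
            dptr, anchor, pc = (code[pc + 1] << 8) | code[pc + 2], base + pc, pc + 3
        elif op == 0x74:                    # mov a, #imm8
            acc, pc = code[pc + 1], pc + 2
        elif op == 0xE4:                    # clr a
            acc, pc = 0, pc + 1
        elif op == 0xA3:                    # inc dptr (16-bit wrap-around)
            dptr, anchor, pc = (dptr + 1) & 0xFFFF, base + pc, pc + 1
        elif op == 0xF0:                    # movx @dptr, a: the register store
            if dptr is None or acc is None:
                raise ValueError("store before DPTR/A set at 0x%04x" % (base + pc))
            writes.append((anchor, dptr, acc))
            pc += 1
        elif op == 0x22:                    # ret: end of function
            break
        else:
            raise ValueError("unhandled opcode 0x%02x at 0x%04x" % (op, base + pc))
    return writes

def r2_comments(writes, names):
    """One CCa command per store; feed the lines to radare2 with 'r2 -i file'."""
    return ["CCa 0x%x %s = 0x%02x" % (a, names.get(x, "XDATA 0x%04x" % x), v)
            for a, x, v in writes]

if __name__ == "__main__":
    print("\n".join(r2_comments(decode_xdata_writes(SET_SMBUS_FREQUENCY, 0x9954), SMBUS_REGS)))
```

Any other store to an address missing from SMBUS_REGS is reported as a plain XDATA address, so the same decoder can be pointed at neighbouring register-setup functions in the image.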

embedded_controller.txt · Last modified: 2013/05/21 22:50 by xvilka