embedded_controller

8051 Architecture

1. Let's play with the ITE IT8502E embedded controller firmware from a Vostro V13 laptop. It is available here: http://xvilka.me/ite_it8502.rom

2. Find the datasheet for this chip and open the firmware with radare2:

r2 -a 8051 ite_it8502.rom

3. 8051 firmware has a simple, flat structure, so execution starts at the beginning of the image:

[0x0000000]> pd 1
     ,=< 0x0000000      02002e     ljmp 0x2e

So go to the start function at address 0x2e:

[0x0000000]> s 0x2e; pd 10
[0x0000002e]> pd 10
          0x0000002e      78fe             mov r0, 0xfe
          0x00000030      e4               clr a 
          0x00000031      f6               mov @r0, a
          0x00000032      d8fd             djnz r0, 0xfd
          0x00000034      7581d0           mov 0x81, #RAM_D0 
          0x00000037      901001           mov dptr, 0x1001
          0x0000003a      743f             mov a, 0x3f
          0x0000003c      f0               movx @dptr, a
          0x0000003d      02007d           ljmp 0x7d
          0x00000040      00               nop
[0x0000002e]>

… [some reversing] …

Let's look at the set_SMBus_frequency function:

[0x00009954]> pd
          0x00009954      901c22           mov dptr, 0x1c22
          0x00009957      7415             mov a, 0x15
          0x00009959      f0               movx @dptr, a
          0x0000995a      a3               inc dptr
          0x0000995b      7425             mov a, 0x25
          0x0000995d      f0               movx @dptr, a
          0x0000995e      a3               inc dptr
          0x0000995f      7403             mov a, 0x03
          0x00009961      f0               movx @dptr, a
          0x00009962      a3               inc dptr
          0x00009963      7415             mov a, 0x15
          0x00009965      f0               movx @dptr, a
          0x00009966      a3               inc dptr
          0x00009967      7419             mov a, 0x19
          0x00009969      f0               movx @dptr, a
          0x0000996a      a3               inc dptr
          0x0000996b      74b8             mov a, 0xb8
          0x0000996d      f0               movx @dptr, a
          0x0000996e      a3               inc dptr
          0x0000996f      7401             mov a, 0x01
          0x00009971      f0               movx @dptr, a
          0x00009972      901c33           mov dptr, 0x1c33
          0x00009975      e4               clr a 
          0x00009976      f0               movx @dptr, a
          0x00009977      22               ret
        ; ------------

As we can see, it first uses the SMBUS_4P7USL register (see the datasheet): “4.7 μs Low Register, and 4.7 μs high bit (in the 4.7 μs and 4.0 μs High Register) define the count number for the 4.7 μs counter. The 4.7 μs is (count number / FreqEC).” Let's add this as a comment:

 [0x00009954]> CCa 0x9954 SMBUS_4P7USL 

And add the function body:

 [0x00009954]> af+ 0x9954 36 set_SMBus_frequency

where 36 is the length of that function in bytes. Next we can see other values going through the DPTR register. Let's identify them (with the help of the datasheet) and add comments for them:

 [0x00009954]> "CCa 0x995a 4.0s High Register (4P0USH)"
 [0x00009954]> "CCa 0x995e 300ns Register (300NS)"
 [0x00009954]> "CCa 0x9962 250ns Register (250NS)"
 [0x00009954]> "CCa 0x9966 25ms Register (25MS)"
 [0x00009954]> "CCa 0x996A 45.3s Low Register (45P3USL)"
 [0x00009954]> "CCa 0x996E 45.3s High Register (45P3USH)"
 [0x00009954]> "CCa 0x9972 4.7s and 4.0s High Register (4P7A4P0H)"

OK, let's see what we've added in visual mode (Vp):

[0x00009954 255 ite_it8502.rom]> pd $h                                                                                                                                    
  ;              ; SMBUS_4P7USL                                                                                                                                           
/ function: set_SMBus_frequency (36)                                                                                                                                      
|           0x00009954      901c22           mov dptr, 0x1c22                                                                                                             
|           0x00009957      7415             mov a, 0x15                                                                                                                  
|           0x00009959      f0               movx @dptr, a                                                                                                                
  ;              ; 4.0s High Register (4P0USH)                                                                                                                            
|           0x0000995a      a3               inc dptr                                                                                                                     
|           0x0000995b      7425             mov a, 0x25                                                                                                                  
|           0x0000995d      f0               movx @dptr, a                                                                                                                
  ;              ; 300ns Register (300NS)                                                                                                                                 
|           0x0000995e      a3               inc dptr                                                                                                                     
|           0x0000995f      7403             mov a, 0x03                                                                                                                  
|           0x00009961      f0               movx @dptr, a                                                                                                                
  ;              ; 250ns Register (250NS)                                                                                                                                 
|           0x00009962      a3               inc dptr                                                                                                                     
|           0x00009963      7415             mov a, 0x15                                                                                                                  
|           0x00009965      f0               movx @dptr, a                                                                                                                
  ;              ; 25ms Register (25MS)                                                                                                                                   
|           0x00009966      a3               inc dptr                                                                                                                     
|           0x00009967      7419             mov a, 0x19                                                                                                                  
|           0x00009969      f0               movx @dptr, a                                                                                                                
  ;              ; 45.3s Low Register (45P3USL)                                                                                                                           
|           0x0000996a      a3               inc dptr                                                                                                                     
|           0x0000996b      74b8             mov a, 0xb8                                                                                                                  
|           0x0000996d      f0               movx @dptr, a                                                                                                                
  ;              ; 45.3s High Register (45P3USH)                                                                                                                          
|           0x0000996e      a3               inc dptr                                                                                                                     
|           0x0000996f      7401             mov a, 0x01                                                                                                                  
|           0x00009971      f0               movx @dptr, a                                                                                                                
  ;              ; 4.7s and 4.0s High Register (4P7A4POH)                                                                                                                 
|           0x00009972      901c33           mov dptr, 0x1c33                                                                                                             
|           0x00009975      e4               clr a                                                                                                                         
|           0x00009976      f0               movx @dptr, a                                                                                                                
\           0x00009977      22               ret                                                                                                                          
            ; ------------                                                                                                                                                
            0x00009978      74ff             mov a, 0xff                                                                                                                  
            0x0000997a      9006dc           mov dptr, 0x6dc                                                                                                              
            0x0000997d      f0               movx @dptr, a                                                                                                                
            0x0000997e      a3               inc dptr                                                                                                                     
            0x0000997f      f0               movx @dptr, a                                                                                                                
            0x00009980      9006dc           mov dptr, 0x6dc                                                                                                              
            0x00009983      e0               movx a, @dptr                                                                                                               
            0x00009984      fe               mov r6, a                                                                                                                    
            0x00009985      a3               inc dptr                                                                                                                     
            0x00009986      e0               movx a, @dptr                                                                                                               
            0x00009987      ff               mov r7, a                                                                                                                    
            0x00009988      22               ret                                                                                                                          
            ; ------------
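
The manual annotation above can be cross-checked by tracing the function's stores to XDATA. The following is an added example, not part of the original page or of radare2: a minimal tracer for only the six opcodes this function uses. The function bytes are copied from the disassembly above; the address-to-name map is an assumption derived from the order of the comments on this page, and the names `trace_xdata_writes`, `CODE`, `BASE` and `REGS` are hypothetical.

```python
# Added example: trace the XDATA stores made by set_SMBus_frequency.
# Bytes copied from the disassembly on this page (0x9954..0x9977, 36 bytes).
CODE = bytes.fromhex(
    "901c22" "7415" "f0"
    "a3" "7425" "f0" "a3" "7403" "f0" "a3" "7415" "f0"
    "a3" "7419" "f0" "a3" "74b8" "f0" "a3" "7401" "f0"
    "901c33" "e4" "f0" "22"
)
BASE = 0x9954

# XDATA address -> register name (assumption: inferred from the page's comments).
REGS = {
    0x1C22: "4P7USL", 0x1C23: "4P0USH", 0x1C24: "300NS", 0x1C25: "250NS",
    0x1C26: "25MS", 0x1C27: "45P3USL", 0x1C28: "45P3USH", 0x1C33: "4P7A4P0H",
}

def trace_xdata_writes(code, base):
    """Return [(insn_addr, xdata_addr, value)] for every `movx @dptr, a`."""
    dptr = a = None                      # unknown until the code loads them
    pc, writes = 0, []
    while pc < len(code):
        op, here = code[pc], base + pc
        if op == 0x90:                   # mov dptr, #imm16 (high byte first)
            dptr = (code[pc + 1] << 8) | code[pc + 2]
            pc += 3
        elif op == 0x74:                 # mov a, #imm8
            a = code[pc + 1]
            pc += 2
        elif op == 0x22:                 # ret: end of the function
            break
        else:
            if op == 0xE4:               # clr a
                a = 0
            elif op == 0xA3 and dptr is not None:      # inc dptr
                dptr = (dptr + 1) & 0xFFFF
            elif op == 0xF0 and None not in (dptr, a):  # movx @dptr, a
                writes.append((here, dptr, a))
            else:                        # outside this tracer's six opcodes
                raise ValueError(f"cannot trace opcode {op:#04x} at {here:#06x}")
            pc += 1
    return writes

if __name__ == "__main__":
    for insn, addr, val in trace_xdata_writes(CODE, BASE):
        print(f"{insn:#06x}: {REGS.get(addr, '?'):9} [{addr:#06x}] <- {val:#04x}")
```

Any opcode outside this subset raises an error rather than being skipped, so a silently wrong trace is not produced when the tracer is pointed at a different function.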
embedded_controller.txt · Last modified: 2013/05/21 22:50 by xvilka