8051 Architecture

1. Let's play with the ITE IT8502E embedded controller firmware from a Vostro V13 laptop. It is available here

2. Find the datasheet for this chip and open the firmware with radare2 (-a selects the 8051 architecture plugin):

r2 -a 8051 ite_it8502.rom

3. 8051 firmware has a simple, flat layout, so execution starts right at address 0:

[0x0000000]> pd 1
     ,=< 0x0000000      02002e     ljmp 0x2e

So seek to the start function at address 0x2e:

[0x0000000]> s 0x2e
[0x0000002e]> pd 10
          0x0000002e      78fe             mov r0, 0xfe
          0x00000030      e4               clr a 
          0x00000031      f6               mov @r0, a
          0x00000032      d8fd             djnz r0, 0xfd
          0x00000034      7581d0           mov 0x81, #RAM_D0 
          0x00000037      901001           mov dptr, 0x1001
          0x0000003a      743f             mov a, 0x3f
          0x0000003c      f0               movx @dptr, a
          0x0000003d      02007d           ljmp 0x7d
          0x00000040      00               nop

… [some reversing] …

Let's look at the set_SMBus_frequency function:

[0x00009954]> pd
          0x00009954      901c22           mov dptr, 0x1c22
          0x00009957      7415             mov a, 0x15
          0x00009959      f0               movx @dptr, a
          0x0000995a      a3               inc dptr
          0x0000995b      7425             mov a, 0x25
          0x0000995d      f0               movx @dptr, a
          0x0000995e      a3               inc dptr
          0x0000995f      7403             mov a, 0x03
          0x00009961      f0               movx @dptr, a
          0x00009962      a3               inc dptr
          0x00009963      7415             mov a, 0x15
          0x00009965      f0               movx @dptr, a
          0x00009966      a3               inc dptr
          0x00009967      7419             mov a, 0x19
          0x00009969      f0               movx @dptr, a
          0x0000996a      a3               inc dptr
          0x0000996b      74b8             mov a, 0xb8
          0x0000996d      f0               movx @dptr, a
          0x0000996e      a3               inc dptr
          0x0000996f      7401             mov a, 0x01
          0x00009971      f0               movx @dptr, a
          0x00009972      901c33           mov dptr, 0x1c33
          0x00009975      e4               clr a 
          0x00009976      f0               movx @dptr, a
          0x00009977      22               ret
        ; ------------

As we can see, the first thing it writes is the SMBUS_4P7USL register (see the datasheet): “4.7 µs Low Register, and 4.7 µs high bit (in the 4.7 µs and 4.0 µs High Register) define the count number for the 4.7 µs counter. The 4.7 µs is (count number / FreqEC).” Let's add this as a comment:

 [0x00009954]> CCa 0x9954 SMBUS_4P7USL 

And add function body:

 [0x00009954]> af+ 0x9954 36 set_SMBus_frequency

where 36 is the length of that function in bytes. Then we can see the other values being written through the DPTR register (each inc dptr moves to the next register). Let's identify them (with the help of the datasheet) and add comments for them:

 [0x00009954]> "CCa 0x995a 4.0µs High Register (4P0USH)"
 [0x00009954]> "CCa 0x995e 300ns Register (300NS)"
 [0x00009954]> "CCa 0x9962 250ns Register (250NS)"
 [0x00009954]> "CCa 0x9966 25ms Register (25MS)"
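
The DPTR bookkeeping that the last two steps do by hand, as an added example (my code, not radare2's and not part of the original write-up): a linear-sweep decoder for just the 8051 opcodes that occur in the listings above, a pass that replays A and DPTR through the straight-line code to recover every XDATA write made by movx @dptr, a, and a generator for the matching CCa comment commands. It assumes the byte sequences copied from the two listings, the register names the page already assigns (the addresses 0x1c27, 0x1c28 and 0x1c33 that the function also writes are left unnamed, because the page does not identify them), and the page's convention of placing the comment on the instruction that loaded DPTR.

```python
"""Decoder for the handful of 8051 opcodes seen in the IT8502E listings, plus
an A/DPTR replay that recovers the XDATA register writes and emits radare2
CCa commands.  Example code added for this page, not radare2's own code."""

from dataclasses import dataclass
from typing import List, Tuple

# opcode -> (text template, instruction length); only what the listings use
OPCODES = {
    0x00: ("nop", 1),
    0x02: ("ljmp {a16:#x}", 3),
    0x22: ("ret", 1),
    0x74: ("mov a, #{i8:#x}", 2),
    0x75: ("mov {d8:#x}, #{i8:#x}", 3),        # 0x81 is SP on the 8051
    0x78: ("mov r0, #{i8:#x}", 2),
    0x90: ("mov dptr, #{a16:#x}", 3),
    0xa3: ("inc dptr", 1),
    0xd8: ("djnz r0, {rel:#x}", 2),            # shown with the resolved target
    0xe4: ("clr a", 1),
    0xf0: ("movx @dptr, a", 1),
    0xf6: ("mov @r0, a", 1),
}

# Bytes copied from the two radare2 listings on the page (constructed inputs).
START_CODE = bytes.fromhex("78fe e4 f6 d8fd 7581d0 901001 743f f0 02007d 00")
SMBUS_FUNC = bytes.fromhex("901c22 7415 f0 a3 7425 f0 a3 7403 f0 a3 7415 f0 a3 "
                           "7419 f0 a3 74b8 f0 a3 7401 f0 901c33 e4 f0 22")

# XDATA register names the page assigns from the datasheet; anything else the
# function writes (0x1c27, 0x1c28, 0x1c33) is deliberately left unnamed here.
REGISTER_NAMES = {
    0x1c22: "SMBUS_4P7USL",
    0x1c23: "4.0us High Register (4P0USH)",
    0x1c24: "300ns Register (300NS)",
    0x1c25: "250ns Register (250NS)",
    0x1c26: "25ms Register (25MS)",
}


@dataclass
class Insn:
    addr: int
    opcode: int
    raw: bytes
    text: str


def decode(code: bytes, base: int) -> List[Insn]:
    """Linear sweep from `base`; 16-bit 8051 operands are big-endian."""
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"unhandled opcode {op:#04x} at {base + pc:#x}")
        template, size = OPCODES[op]
        raw = code[pc:pc + size]
        if len(raw) != size:
            raise ValueError(f"truncated instruction at {base + pc:#x}")
        fields = {}
        if op in (0x02, 0x90):
            fields["a16"] = int.from_bytes(raw[1:3], "big")
        elif op == 0x75:
            fields["d8"], fields["i8"] = raw[1], raw[2]
        elif op == 0xd8:
            # djnz rel8 is a signed offset from the *next* instruction
            rel = raw[1] - 0x100 if raw[1] & 0x80 else raw[1]
            fields["rel"] = base + pc + size + rel
        elif size == 2:
            fields["i8"] = raw[1]
        insns.append(Insn(base + pc, op, raw, template.format(**fields)))
        pc += size
    return insns


def xdata_writes(insns: List[Insn]) -> List[Tuple[int, int, int]]:
    """Replay A and DPTR through straight-line code.  Returns one tuple
    (xdata_addr, value, addr_of_insn_that_loaded_dptr) per `movx @dptr, a`.
    Stops at the first ljmp/ret; the backward djnz loop in the start code is
    not followed, which is safe because its body never touches A or DPTR."""
    a = dptr = dptr_set_at = None
    writes = []
    for i in insns:
        if i.opcode == 0x90:
            dptr, dptr_set_at = int.from_bytes(i.raw[1:3], "big"), i.addr
        elif i.opcode == 0xa3 and dptr is not None:
            dptr, dptr_set_at = (dptr + 1) & 0xffff, i.addr
        elif i.opcode == 0x74:
            a = i.raw[1]
        elif i.opcode == 0xe4:
            a = 0
        elif i.opcode == 0xf0:
            if a is None or dptr is None:
                raise ValueError(f"movx at {i.addr:#x} with unknown A or DPTR")
            writes.append((dptr, a, dptr_set_at))
        elif i.opcode in (0x02, 0x22):
            break
    return writes


def r2_comments(code: bytes, base: int) -> List[str]:
    """One CCa command per XDATA write, anchored where the page puts its
    comments: on the instruction that loaded DPTR for that write."""
    cmds = []
    for xaddr, value, at in xdata_writes(decode(code, base)):
        name = REGISTER_NAMES.get(xaddr, f"XDATA {xaddr:#06x} (unnamed)")
        cmds.append(f'"CCa {at:#x} {name} <- {value:#04x}"')
    return cmds


if __name__ == "__main__":
    for insn in decode(SMBUS_FUNC, 0x9954):
        print(f"{insn.addr:#010x}  {insn.raw.hex():<8} {insn.text}")
    print(f"function size: {len(SMBUS_FUNC)} bytes (the 36 given to af+)")
    for cmd in r2_comments(SMBUS_FUNC, 0x9954):
        print(cmd)
    print(r2_comments(START_CODE, 0x2e))   # the 0x3f written to XDATA 0x1001
```

Running it on the SMBus function reproduces the five comments above and additionally surfaces the three writes the page has not yet named (0x1c27, 0x1c28 and 0x1c33), which is exactly the list to take back to the datasheet; on the start code it reports the single write of 0x3f to XDATA 0x1001.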

embedded_controller.1369175947.txt.gz · Last modified: 2013/05/21 22:39 by xvilka