8051 Architecture

1. Let's play with the ITE IT8502E embedded controller firmware from a Vostro V13 laptop. It is available here.

2. Find the datasheet for this chip and open the firmware with radare2:

r2 -a 8051 ite_it8502.rom

3. 8051 firmware has a simple, flat structure, so execution starts at the very beginning of the image:

[0x0000000]> pd 1
     ,=< 0x0000000      02002e     ljmp 0x2e

So seek to the start function at address 0x2e:

[0x0000000]> s 0x2e; pd 10
[0x0000002e]> pd 10
          0x0000002e      78fe             mov r0, 0xfe
          0x00000030      e4               clr a 
          0x00000031      f6               mov @r0, a
          0x00000032      d8fd             djnz r0, 0xfd
          0x00000034      7581d0           mov 0x81, #RAM_D0 
          0x00000037      901001           mov dptr, 0x1001
          0x0000003a      743f             mov a, 0x3f
          0x0000003c      f0               movx @dptr, a
          0x0000003d      02007d           ljmp 0x7d
          0x00000040      00               nop

… [some reversing] …

Let's look at the set_SMBus_frequency function:

[0x00009954]> pd
          0x00009954      901c22           mov dptr, 0x1c22
          0x00009957      7415             mov a, 0x15
          0x00009959      f0               movx @dptr, a
          0x0000995a      a3               inc dptr
          0x0000995b      7425             mov a, 0x25
          0x0000995d      f0               movx @dptr, a
          0x0000995e      a3               inc dptr
          0x0000995f      7403             mov a, 0x03
          0x00009961      f0               movx @dptr, a
          0x00009962      a3               inc dptr
          0x00009963      7415             mov a, 0x15
          0x00009965      f0               movx @dptr, a
          0x00009966      a3               inc dptr
          0x00009967      7419             mov a, 0x19
          0x00009969      f0               movx @dptr, a
          0x0000996a      a3               inc dptr
          0x0000996b      74b8             mov a, 0xb8
          0x0000996d      f0               movx @dptr, a
          0x0000996e      a3               inc dptr
          0x0000996f      7401             mov a, 0x01
          0x00009971      f0               movx @dptr, a
          0x00009972      901c33           mov dptr, 0x1c33
          0x00009975      e4               clr a 
          0x00009976      f0               movx @dptr, a
          0x00009977      22               ret
        ; ------------

As we can see, it first uses the SMBUS_4P7USL register (see the datasheet): “4.7 µs Low Register, and 4.7 µs high bit (in the 4.7 µs and 4.0 µs High Register) define the count number for the 4.7 µs counter. The 4.7 µs is (count number / FreqEC).” Let's add this as a comment:

 [0x00009954]> CCa 0x9954 SMBUS_4P7USL 

And add function body:

 [0x00009954]> af+ 0x9954 36 set_SMBus_frequency

where 36 is the length of that function in bytes. Then we can see further values being written through the DPTR register, one XDATA address after another. Let's identify them (with the help of the datasheet) and add comments for them:

 [0x00009954]> "CCa 0x995a 4.0s High Register (4P0USH)"
 [0x00009954]> "CCa 0x995e 300ns Register (300NS)"
 [0x00009954]> "CCa 0x9962 250ns Register (250NS)"
 [0x00009954]> "CCa 0x9966 25ms Register (25MS)"
