how to trace a microcontroller running it's app ?

[robb]

Thanks Chris for the help and ideas,
robb

"Chris H" <chris@phaedsys.org> wrote in message
news:aljMVJLc4giHFAG2@phaedsys.demon.co.uk...

In message <nWmij.28537$ov2.15767@newsfe5-win.ntli.net>, TT_Man
Someone@ntlworld.com> writes
What i have tried is load in a simulator like (EdSim51) to
run
and determine what program does but i would need to some how
simulate all the devices (input) ?

Yes... Most will let you do this with a script.

Try uVision

any help and ideas greatly appreciated,
robb

Hi, robb. To accomplish what you need for an 8031/8051,
you'll need a
real-time in-circuit emulator.

I would agree.

This will not be inexpensive.

The costs don't look small but if it is the only tool that will
do the
job.....

But
since your need is project-specific and the processor is
essentially
obsolete, I'd recommend renting one.

The 80561 is far from obsolete. However is the OP is only going
to do
this one 8051 project renting is a good idea.

OTOH if the OP wants to do a lot of 51 work buying a good one
is a good
long term investment.

The ICE should cost less than
Costs depend on where you are and what you need. For 8051 the
cables and
pods vary a lot depending on the target.

Make sure your rental includes the software you
need to do the job.
Not only the software but the facilities...
You need the ICE to be able to run at the bus speed of the
target...
NOTE some 51's are *2, *3, *6 and *12 a standard 51.

You need trace & trace filtering, Also depending on how the
trace
works the size of trace is important. Due to different methods
a 2K
trace can be a effectively as big as an 8K trace

Trace should give C, ASM and raw (binary) trace.

conditional breakpoints etc

It goes without saying it should be non intrusive

You need both C and ASM debugging

You're also going to need a logic analyzer and a
digital storage scope to observe operation of the servo
system.

If you have a decent ICE you won't need the Logic Analyser.


This one would be a tough go, even for an embedded controls
E.E., with
the real-time control of a servo system. Give it up, robb.

Good luck
Chris

You don't need all that stuff, just a logical, inquisitive
analytical mind
Which it seems you have!

And a lot of time and luck.

--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
/\/\/ chris@phaedsys.org www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Thanks Chris for the help and ideas,

robb

 

[robb]

"starfire" <starfire151@cableone.net> wrote in message
news:13ohrc4u6lqv5b@news.supernews.com...

"Ian Malcolm" <valid.address.in.signature@invalid.invalid
wrote in message
news:fm9gru$1qj$1@inews.gazeta.pl...
robb wrote:

I have a (8051) micro-controller that i would like to trace
it's
runtime program to understand how the program works for
purpose
of potentialy modifying code. (The only info of program is
the
program binary copied off ROM )

The micro-controller consists of (usuall stuff):
---------------------------------------

Siemens 8031, ROM, SRAM
servo motors (+ driver ICs)
simple user 16 char (14 seg) interactive display
grid of buttons (24)


Any ideas on how to do this? how possible ?
The *ONLY* practical ways of tracing the *actual* program
execution on the
*actual* hardware are either with a high end logic analyser
preferably
with support for displaying 8051 instructions or with an
in-circuit
emulator. ...
...snip...

To give you an idea of where to look... I used to have an old
logic analyzer
made by Arium (which merged with American to become
American-Arium) called
the ML4100C. It had plug in microprocessor pods for various
microcontrollers, including the 6502, the 8039 family, the 8051
family, etc.
I used it extensively for debugging microcontroller flow on
several 8031
projects I had developed. It was indispensible. It showed
exactly how the
program was executing and showed the instructions in assembly.

I've since then gotten rid of the logic analyzer (donated to
our local
college) but it was sure nice when working on 8031 projects. I
don't know
if you'd have any luck in trying to find such an animal
anymore...

Good luck.
Dave

Thanks Dave,
lots of good info heer in usenet.

thanks again for info and reply,
robb

 

[TT_Man]

one treats the (02096f) in the first 3 bytes as a (long jump to
096F) where the other disassembles the (02096f) into something
else like this ...

0000 : 02 " " db 002H
;
0001 L0001:
0001 : 09 " " inc r1
;
0002 L0002:
0002 : 6F "o" xrl a,r7

02 09 5F is LJMP to 096F. dump the other disassembler.!

 

[Mark Borgerson]

In article <vOMij.47141$745.31820@newsfe1-win.ntli.net>,
Someone@ntlworld.com says...

one treats the (02096f) in the first 3 bytes as a (long jump to
096F) where the other disassembles the (02096f) into something
else like this ...

0000 : 02 " " db 002H
;
0001 L0001:
0001 : 09 " " inc r1
;
0002 L0002:
0002 : 6F "o" xrl a,r7

02 09 5F is LJMP to 096F. dump the other disassembler.!



I ran into quite a number of problems of that sort in

APPLE II assembly code where whatever system
generated the code would intersperse defined constants
with the generated code. The disassembler would
try to disassemble string constants and debugging
data (such as function names, etc.) and would then
miss the first instruction of the next function.

Sometimes you may have to look at instructions
such as LJMP 096F and make sure that the
bytes at 096F really are executable code.

It's little things like that which make disassembling
and reverse engineering a non-trivial excercise.
Which is OK by me as it paid the bills for almost
half a year back in the '80s.


Mark Borgerson

 

[Chris]

On Jan 11, 8:03 pm, "robb" <s...@where.on.net> wrote:

I have a (8051) micro-controller that i would like to trace it's
runtime program to understand how the program works for purpose
of potentialy modifying code. (The only info of program is the
program binary copied off ROM )

The micro-controller consists of  (usuall stuff):
---------------------------------------

Siemens 8031, ROM, SRAM
servo motors (+ driver ICs)
simple user 16 char (14 seg) interactive display
grid of buttons (24)

Any ideas on how to do this?  how possible ?

I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
which allows you to load your program to some offset in RAM and
step through it. (i really want to see the I/O as it runs
though)

My idea/thought at first was to maybe connect the PJRC  board to
the MCU socket of the microcontroller board and trace the program
??

What i have tried is load in a simulator like (EdSim51) to run
and determine what program does but i would need to some how
simulate all the devices (input) ?

any help and ideas greatly appreciated,
robb

Hi, robb. To accomplish what you need for an 8031/8051, you'll need a
real-time in-circuit emulator. This will not be inexpensive. But
since your need is project-specific and the processor is essentially
obsolete, I'd recommend renting one. The ICE should cost less than
$100 to $150 a month. Make sure your rental includes the software you
need to do the job. You're also going to need a logic analyzer and a
digital storage scope to observe operation of the servo system.

This one would be a tough go, even for an embedded controls E.E., with
the real-time control of a servo system. Give it up, robb.

Good luck
Chris

 

[okaegi_nospam@freesurf.ch]

On 12 Jan., 03:03, "robb" <s...@where.on.net> wrote:

I have a (8051) micro-controller that i would like to trace it's
runtime program to understand how the program works for purpose
of potentialy modifying code. (The only info of program is the
program binary copied off ROM )

The micro-controller consists of  (usuall stuff):
---------------------------------------

Siemens 8031, ROM, SRAM
servo motors (+ driver ICs)
simple user 16 char (14 seg) interactive display
grid of buttons (24)

Any ideas on how to do this?  how possible ?

I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
which allows you to load your program to some offset in RAM and
step through it. (i really want to see the I/O as it runs
though)

My idea/thought at first was to maybe connect the PJRC  board to
the MCU socket of the microcontroller board and trace the program
??

What i have tried is load in a simulator like (EdSim51) to run
and determine what program does but i would need to some how
simulate all the devices (input) ?

any help and ideas greatly appreciated,
robb

1) Map your input / output devices to logical adresses (check for
example for an 74ls138 if this is an old pcb)
2) Map your rom / ram to logical adessess
3) use dasmx.zip from conquest Consoltans (best disassmbler I know and
supports the 8051) and create a source
4) use on of franks assemblers http://www.kingswood-consulting.co.uk/assemblers/
(don't know if he has an assembler for the 8051...He has one listen
for the 8050, I don't know the different between these two chips...)
5) Create new binary and burn them on eprom...

I did this process successful for a number of pinballs of different
manufactures...

Look on my homepage or mail me if you want to know more..

Greetings Oliver
My collection: early bally, williams and stern with custom game roms

My homepage:http://www.pinball4you.ch

mail to: okaegi at pinball4you dot ch

 

On Jan 12, 2:03�am, "robb" <s...@where.on.net> wrote:

I have a (8051) micro-controller that i would like to trace it's
runtime program to understand how the program works for purpose
of potentialy modifying code. (The only info of program is the
program binary copied off ROM )

The micro-controller consists of ďż˝(usuall stuff):
---------------------------------------

Siemens 8031, ROM, SRAM
servo motors (+ driver ICs)
simple user 16 char (14 seg) interactive display
grid of buttons (24)

Any ideas on how to do this? �how possible ?

I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
which allows you to load your program to some offset in RAM and
step through it. (i really want to see the I/O as it runs
though)

My idea/thought at first was to maybe connect the PJRC �board to
the MCU socket of the microcontroller board and trace the program
??

What i have tried is load in a simulator like (EdSim51) to run
and determine what program does but i would need to some how
simulate all the devices (input) ?

any help and ideas greatly appreciated,
robb

You need a logic analiser, loads of cheap ones on ebay. Once you
capture a program loop you can load it onto your simulator and step
through it, if its function is not obvious. Program the analiser to
ignore that loop and repeat untill you have them all. The whole
process is suprisingly easy if your source is not too big.

 

[Jack Crenshaw]

robb wrote:

I have a (8051) micro-controller that i would like to trace it's
runtime program to understand how the program works for purpose
of potentialy modifying code. (The only info of program is the
program binary copied off ROM )

The micro-controller consists of (usuall stuff):
---------------------------------------
Siemens 8031, ROM, SRAM
servo motors (+ driver ICs)
simple user 16 char (14 seg) interactive display
grid of buttons (24)

Any ideas on how to do this? how possible ?

I have a PJRC 8051 Rev.4 development board that runs "Paulmon"
which allows you to load your program to some offset in RAM and
step through it. (i really want to see the I/O as it runs
though)

My idea/thought at first was to maybe connect the PJRC board to
the MCU socket of the microcontroller board and trace the program
??

What i have tried is load in a simulator like (EdSim51) to run
and determine what program does but i would need to some how
simulate all the devices (input) ?

any help and ideas greatly appreciated,
robb

It's not clear from your message what your goal is. Are you trying to
find out where performance bottlenecks are (profile), learn its
algorithms, or reverse-engineer the code?

There are a couple of things you can do cheaply. A few years ago we
built a "real-time debugger" that would let us peek into a running
system and see what it was doing. The trick was to connect one CPU as a
watchdog for the other. We set aside a few bytes of common RAM. We
inserted code in the CPU-under test to peek and poke a few registers and
memory locations during each major cycle. It could do this with only a
minor effect on execution time. Then we programmed the test CPU to peek
and poke those same areas. We synchronized the two via enable pins.
Finally, we wrote a hex monitor for the test system that could display
the current values in RAM. This program only needed to run at operator
speeds.

End result: We could watch any part of the program, by looking at data
on successive interrupt cycles.

Come to think of it, this is exactly what Heathkit built into their H-8
computer, ca. 1978. At a 60 Hz interrupt rate, they sent selected CPU
registers and RAM locations to a front panel hex display, and accepted
hex inputs from a keyboard. If you only recreate the Heathkit
electronics (which were minimal), you won't be far off the mark.

For profiling, there's also a way. It's called stochastic profiling.
Basically, it interrupts the running program and finds out where the
program counter is. Then you can draw a histogram of the time spent in
each section of the program, and thereby find bottleneck spots.

Hope this helps.

Jack

 

[Paul E. Bennett]

Jack Crenshaw wrote:

robb wrote:
I have a (8051) micro-controller that i would like to trace it's
runtime program to understand how the program works for purpose
of potentialy modifying code. (The only info of program is the
program binary copied off ROM )

So why don't you have the source code? (I know that there are sometimes
valid reasons for not having the source).

The micro-controller consists of (usuall stuff):
---------------------------------------
Siemens 8031, ROM, SRAM
servo motors (+ driver ICs)
simple user 16 char (14 seg) interactive display
grid of buttons (24)

What do the motors drive? Are there any safety implications if you mess
around with the code?

Any ideas on how to do this? how possible ?

[%X]

It's not clear from your message what your goal is. Are you trying to
find out where performance bottlenecks are (profile), learn its
algorithms, or reverse-engineer the code?

There are a couple of things you can do cheaply. A few years ago we
built a "real-time debugger" that would let us peek into a running
system and see what it was doing. The trick was to connect one CPU as a
watchdog for the other. We set aside a few bytes of common RAM. We
inserted code in the CPU-under test to peek and poke a few registers
and memory locations during each major cycle. It could do this with
only a
minor effect on execution time. Then we programmed the test CPU to
peek and poke those same areas. We synchronized the two via enable
pins. Finally, we wrote a hex monitor for the test system that could
display the current values in RAM. This program only needed to run at
operator speeds.

At least that method is non-intrusive and can give you access via a
chip-clip over the processor part. However, that only gives you a view
of what happens on the chip pins. You may still be blind on what is
going on inside.

A good dis-assembly of the code so that you can at least see the
structure of the code and data elements in the ROM might give you what
you need to re-construct it. You will have to work out and add your own
comments then you can re-build the ROM from scratch and have a much
better view when you insert the break-points. You could even consider a
change of implementation language and have much better tools.

--
********************************************************************
Paul E. Bennett...............<email://Paul_E.Bennett@topmail.co.uk>
Forth based HIDECS Consultancy
Mob: +44 (0)7811-639972
Tel: +44 (0)1235-811095
Going Forth Safely ..... EBA. www.electric-boat-association.org.uk..
********************************************************************