Adventures in Engineering
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2006-06-07 06:23
  Subject: The 8051 and the Case of the Houdini-code.
  Mood: der uber-nerd
  Music: KoRn - Twisted Transistor
I've billed almost three weeks worth of hours with very little to show to one of our clients, working on a new boot loader and firmware updater scheme for their 8051-based hardware. It's been a lot of work getting my head around the hardware and planning everything so it will all work. The CPU is from the STMicro uPSD series. Very interesting devices. In addition to an 8051 core, they have a big old slab of programmable logic stuck inside the same 80-pin chip. This means you can customize a lot of stuff. Don't like which pins the address bus is on? Just go into the point and drool hardware design assistant program and change 'em all up! Want some CPLD-esque logic hardware mixed in with your microcontroller? No problem!!

But today, all my work finally paid off, and I managed to make what I consider a real moby hack. I coded up the boot loader entirely from scratch this afternoon in 8051 assembly, and rigged things so it completely disappears without a trace from the CPU just before the normal running code gets control. In computer science terms, this is about equivalent to pulling off an undetected killing of someone who's locked themselves inside a bank vault and swallowed the key.

The details are many and trivial. Suffice it to say I re-routed some bits from the CPU's page register into the chip select/address decode PLD, and used that as a covert back channel to take over the lowest addresses of instruction memory when a hard reset occurs. Then I used some other sneaky logic to map part of the RAM into ROM space, and copy some code there. Basically I hacked in self-modifying code - something you're not technically supposed to be able to do on a Harvard architecture CPU.

The upshot of all this is that when the CPU gets a hardware reset, my boot code (which lives in a separate, write-protected flash ROM) gets control. It can then do whatever it wants, including overwriting the main flash ROM, or anything else it feels like. And when it's done, it pulls its virtual cape around its shoulders and POOF... it's gone, as if it never existed. The main code gets control just as if an entirely normal reset had occurred, and has no reason to think it hasn't been in control of the CPU ever since the first clock tick.
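As an added illustration (not the author's code; the post leaves the details out, so the page-register bit, the RAM window address and the four-opcode toy CPU are all assumptions), here is a C model of the hand-off showing why the last step has to run from the RAM window: the instruction that clears the boot-select bit makes the boot ROM vanish under the program counter, so if it were executed from the boot ROM the very next fetch would come from main flash at an arbitrary address.

```c
/* Simulation of the "disappearing boot loader" hand-off. Added example, not
 * the author's code. Assumed: page-register bit BOOT_BIT is routed into the
 * address-decode PLD and, while set, maps the write-protected boot flash over
 * the low code addresses; a RAM window at RAM_WIN is fetchable as code. */
#include <stdint.h>
#include <string.h>
#define CODE_SIZE 0x2000u   /* 8 KB, the boot image size given in the post */
#define RAM_WIN   0x1F00u   /* assumed address of the RAM overlay window */
#define BOOT_BIT  0x80u     /* assumed page-register bit selecting boot ROM */
enum { OP_NOP = 0x00, OP_CLRBOOT = 0x01, OP_LJMP = 0x02, OP_HALT = 0xFF };
static uint8_t boot_rom[CODE_SIZE], main_flash[CODE_SIZE], ram[0x100], page_reg;

/* Code fetch as the chip-select/address-decode PLD resolves it. */
static const uint8_t *decode(uint16_t addr) {
    addr &= CODE_SIZE - 1;                    /* stay inside the 8 KB window */
    if (addr >= RAM_WIN) return &ram[addr - RAM_WIN];
    return (page_reg & BOOT_BIT) ? &boot_rom[addr] : &main_flash[addr];
}

/* Boot ROM does its update work (elided), then either jumps to a trampoline
 * copied into RAM (the Houdini trick) or naively clears BOOT_BIT in place. */
static void build_images(int use_trampoline) {
    static const uint8_t trampoline[] = { OP_CLRBOOT, OP_LJMP, 0x00, 0x00 };
    memset(boot_rom, OP_NOP, sizeof boot_rom);
    memset(main_flash, OP_NOP, sizeof main_flash);
    main_flash[0] = OP_HALT;                  /* application's reset vector */
    memcpy(ram, trampoline, sizeof trampoline); /* "copy some code there" */
    if (use_trampoline) {
        boot_rom[0x10] = OP_LJMP;
        boot_rom[0x11] = RAM_WIN >> 8;  boot_rom[0x12] = RAM_WIN & 0xFF;
    } else {
        boot_rom[0x10] = OP_CLRBOOT;          /* boot ROM vanishes under the PC */
    }
}

/* Run from a hardware reset. Returns 1 if execution halted at the application
 * reset vector in main flash, 0 if it wandered off or never halted. */
static int run_from_reset(int use_trampoline) {
    uint16_t pc = 0;
    build_images(use_trampoline);
    page_reg = BOOT_BIT;                      /* hardware default after reset */
    for (int step = 0; step < 200; step++) {
        const uint8_t *p = decode(pc);
        switch (*p) {
        case OP_NOP:     pc++; break;
        case OP_CLRBOOT: page_reg &= (uint8_t)~BOOT_BIT; pc++; break;
        case OP_LJMP:    pc = (uint16_t)((p[1] << 8) | p[2]); break;
        default:         return pc == 0 && p == &main_flash[0];
        }
    }
    return 0;
}
```

With the trampoline the application starts cleanly at address 0 in main flash; without it the boot ROM's own next instruction is never fetched and execution slides through whatever main flash holds at that address.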

I had some very good tools to help me along the way. First, let's give mad props to Keil's ULINK JTAG debugger pod. This thing is so tight it actually intercepts the CPU's thread of execution BEFORE the first instruction executes after a power-up reset. That allowed me to debug my hardware config before the first instruction of my bootloader had even run. And second, huge-ass raves to the code ninjas over at 8052.com, whose tutorials got me up to speed on the 8051 family architecture far faster than I deserved. Yeah, when you got good tools, life is fine...

  User: pacchi
  Date: 2006-06-07 11:35 (UTC)
  Subject:   I'm an idiot but...
why do you need to do this? It sounds way cool, but I'm not sure what applications it has... um other than murdering innocent CPUs that happen to be hiding in a bank vault and chewing on keys... I'm thinking that this will be in a motherboard/BIOS type thing, so nothing can completely destroy and brick a computer?


Ben Cantrick
  User: mackys
  Date: 2006-06-07 23:24 (UTC)
  Subject:   (no subject)
Code space is very precious in this application. They need to squeeze every last kbyte out of the space they can. If the 8k boot-up code were to stick around, it would be wasting a huge amount of space that is very badly needed. That's why this "disappearing code" trick is particularly cool here.

Jon: mariohammer
  User: j_b
  Date: 2006-06-07 13:04 (UTC)
  Subject:   (no subject)
Well neat.

Do you have a handful of sample chips? (does the code setup function OK on multiple off-the-shelf bits?)

Ben Cantrick
  User: mackys
  Date: 2006-06-07 23:26 (UTC)
  Subject:   (no subject)
We have one box that they loaned us for development. It's all custom circuit boards they built themselves. I haven't tested on more than one box, but I have no reason to think it won't work. All the hardware units are identical.

  User: nickhalfasleep
  Date: 2006-06-07 15:34 (UTC)
  Subject:   (no subject)
Sweet code man, congrats.

Alex Belits: iskra
  User: abelits
  Date: 2006-06-08 07:42 (UTC)
  Subject:   (no subject)
Looks like switching from protected to real mode on x86, minus relying on pre-existing hardware weirdness.
