What's this 8051 clone?

I'm helping reverse engineer an incredibly cheap 8051 clone; it seems to show up in blobs in little Chinese audio toys like Buddha machines. What's interesting about it is that it's capable of executing code out of XRAM, and loads the bulk of its application payload from an 8-pin serial flash chip, making it trivial to reprogram.

After dumping the flash, it seems to use an extended 8051 instruction set. It's got DPTR autoincrement via a bit in SFR 86, but more interestingly, it's got what appear to be a bunch of 16-bit instructions using A5 as a prefix. The only one I can positively identify so far is A5 6x which is a 16-bit compare or subtract or xor:

--- Code: ---
   CODE:2203 75 d0 00        MOV       PSW,#0x0
   CODE:2206 75 81 00        MOV       DAT_SFR_81,#0x0                                   = ??
   CODE:2209 75 87 02        MOV       DAT_SFR_87,#0x2                                   = ??
   CODE:220c e4              CLR       A
   CODE:220d 75 86 10        MOV       DAT_SFR_86,#0x10                                  = ??
   CODE:2210 90 11 00        MOV       DPTR,#0x1100
   CODE:2213 7a 00           MOV       R2,#0x0
   CODE:2215 7b 19           MOV       R3,#0x19
                         LAB_CODE_2217                                   XREF[1]:     CODE:2225(j) 
   CODE:2217 f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:2218 f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:2219 f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221a f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221b f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221c f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221d f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221e f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221f a8 82           MOV       R0,DPL
   CODE:2221 a9 83           MOV       R1,DPH
   CODE:2223 a5 61           CMP16     R0R1,R2R3
   CODE:2225 30 d1 ef        JNB       DAT_BITS_d1,LAB_CODE_2217                         = ??
   CODE:2228 75 86 00        MOV       DAT_SFR_86,#0x0                                   = ??
   CODE:222b 02 22 00        LJMP      LAB_CODE_2200

--- End code ---

(The `CMP16` instruction is provisional. The registers are encoded in the last nibble.)

Does this look at all familiar to anyone? I'd love to know what this thing is actually called, and possibly lay my hands on a data sheet.
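
As an added illustration (not part of the original post), here is a small Python model of the loop at CODE:2210..2228 above. It assumes that SFR 86 bit 0x10 makes MOVX @DPTR,A post-increment DPTR, and that the provisional CMP16 sets PSW bit 1 (the `d1` bit tested by the JNB) when the two register pairs are equal; both are assumptions read off the listing, not documented behaviour.

```python
# Constructed model of the XRAM-clearing loop at CODE:2210..2228 (added example).
# Assumptions (not documented behaviour): SFR 86 bit 0x10 makes MOVX @DPTR,A
# post-increment DPTR, and "A5 61 CMP16 R0R1,R2R3" sets PSW bit 1 (bit address
# D1) when the two 16-bit values are equal, which is what the JNB D1 tests.
XRAM_SIZE = 0x10000  # full 16-bit MOVX address space


def run_clear_loop(start=0x1100, end=0x1900, autoinc=True, chunk=8):
    """Run the loop until JNB D1 falls through; return (xram, iterations).

    start/end mirror MOV DPTR,#0x1100 and MOV R2,#0x00 / MOV R3,#0x19 in the
    listing; autoinc mirrors MOV DAT_SFR_86,#0x10 versus leaving it at 0.
    """
    xram = bytearray(b"\xff" * XRAM_SIZE)  # constructed: XRAM starts out as 0xFF
    acc = 0                                # CLR A
    dptr = start                           # MOV DPTR,#start
    r2, r3 = end & 0xFF, end >> 8          # low/high halves of the end address
    sfr86 = 0x10 if autoinc else 0x00
    iterations = 0
    while True:
        iterations += 1
        for _ in range(chunk):             # eight MOVX @DPTR,A
            xram[dptr] = acc
            if sfr86 & 0x10:               # assumed auto-increment bit
                dptr = (dptr + 1) & 0xFFFF
        r0, r1 = dptr & 0xFF, dptr >> 8    # MOV R0,DPL / MOV R1,DPH
        # CMP16 R0R1,R2R3: assumed to set PSW.1 (D1) on equality
        psw_d1 = (r0 | (r1 << 8)) == (r2 | (r3 << 8))
        if psw_d1:                         # JNB D1 falls through when D1 is set
            break                          # MOV DAT_SFR_86,#0 ; LJMP 0x2200
        if iterations > XRAM_SIZE:
            # Without auto-increment DPTR never moves, so the loop can't exit.
            raise RuntimeError("loop does not terminate")
    return xram, iterations


if __name__ == "__main__":
    xram, n = run_clear_loop()
    print(f"{n} iterations; cleared 0x{0x1100:04x}..0x{0x1100 + n * 8 - 1:04x}")
```

With auto-increment enabled the loop runs 256 times and zeroes exactly 0x1100..0x18FF, i.e. the XRAM below the 0x1900 address where the main payload is said to load; with the bit left clear DPTR never moves and the loop never terminates, which is why the SFR 86 write matters.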


Are you sure it's code and not non-volatile data stored in flash?


Maybe there is one block of ram loaded from serial flash, but at runtime some of that ram is mapped as code (psen access) and the rest as xram (data)?

It definitely looks like code. There's an actual filesystem and everything, and the filename is 'code.app'. It looks like it loads the main payload at 0x1900 and then there are multiple overlays loaded at 0x2200, and the structure all looks valid. It looks like there's mask ROM up above 0x8000 that contains the init code and BIOS. This makes sense given the application, where you can use the same low-price COB for multiple different small-production-line toys, putting the actual application that's being run on the flash chip which you're going to have to customise anyway. I'll know more once I've had a chance to compare the flash chips from some different related-looking hardware.

I suspect that the way this is implemented is that they've just wired the program and xram buses together so there's a single, unified Von Neumann address space.

But the main bit I'm interested in is the instruction set. Has anyone seen anything similar to this before?


You mention "Buddha machines", is this related in any way? https://www.eevblog.com/forum/chat/big-clive-reverse-engineering-challenge/

