Author Topic: What's this 8051 clone?  (Read 2524 times)


Offline david.given

  • Contributor
  • Posts: 19
  • Country: ch
What's this 8051 clone?
« on: September 23, 2021, 01:36:48 pm »
I'm helping reverse engineer an incredibly cheap 8051 clone; it seems to show up in blobs in little Chinese audio toys like Buddha machines. What's interesting about it is that it's capable of executing code out of XRAM, and loads the bulk of its application payload from an 8-pin serial flash chip, making it trivial to reprogram.

After dumping the flash, it seems to use an extended 8051 instruction set. It's got DPTR autoincrement via a bit in SFR 86, but more interestingly, it's got what appear to be a bunch of 16-bit instructions using A5 as a prefix. The only one I can positively identify so far is A5 6x which is a 16-bit compare or subtract or xor:

Code:
   CODE:2203 75 d0 00        MOV       PSW,#0x0
   CODE:2206 75 81 00        MOV       DAT_SFR_81,#0x0                                   = ??
   CODE:2209 75 87 02        MOV       DAT_SFR_87,#0x2                                   = ??
   CODE:220c e4              CLR       A
   CODE:220d 75 86 10        MOV       DAT_SFR_86,#0x10                                  = ??
   CODE:2210 90 11 00        MOV       DPTR,#0x1100
   CODE:2213 7a 00           MOV       R2,#0x0
   CODE:2215 7b 19           MOV       R3,#0x19
                         LAB_CODE_2217                                   XREF[1]:     CODE:2225(j) 
   CODE:2217 f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:2218 f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:2219 f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221a f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221b f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221c f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221d f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221e f0              MOVX      @DPTR=>DAT_EXTMEM_1100,A
   CODE:221f a8 82           MOV       R0,DPL
   CODE:2221 a9 83           MOV       R1,DPH
   CODE:2223 a5 61           CMP16     R0R1,R2R3
   CODE:2225 30 d1 ef        JNB       DAT_BITS_d1,LAB_CODE_2217                         = ??
   CODE:2228 75 86 00        MOV       DAT_SFR_86,#0x0                                   = ??
   CODE:222b 02 22 00        LJMP      LAB_CODE_2200

(The `CMP16` instruction is provisional. The registers are encoded in the last nibble.)

Does this look at all familiar to anyone? I'd love to know what this thing is actually called, and possibly lay my hands on a data sheet.

Thanks!
 

Offline JoeyG

  • Regular Contributor
  • *
  • Posts: 69
  • Country: au
Re: What's this 8051 clone?
« Reply #1 on: September 23, 2021, 01:55:46 pm »
Are you sure it's code and not non-volatile data stored in flash?
 

Offline voltsandjolts

  • Supporter
  • ****
  • Posts: 1372
  • Country: gb
Re: What's this 8051 clone?
« Reply #2 on: September 23, 2021, 02:26:44 pm »
^^Yeh.

Maybe there is one block of ram loaded from serial flash, but at runtime some of that ram is mapped as code (psen access) and the rest as xram (data)?
 

Offline david.given

  • Contributor
  • Posts: 19
  • Country: ch
Re: What's this 8051 clone?
« Reply #3 on: September 23, 2021, 05:01:03 pm »
It definitely looks like code. There's an actual filesystem and everything, and the filename is 'code.app'. It looks like it loads the main payload at 0x1900 and then there are multiple overlays loaded at 0x2200, and the structure all looks valid. It looks like there's mask ROM up above 0x8000 that contains the init code and BIOS. This makes sense given the application, where you can use the same low-price COB for multiple different small-production-line toys, putting the actual application that's being run on the flash chip which you're going to have to customise anyway. I'll know more once I've had a chance to compare the flash chips from some different related-looking hardware.

I suspect that the way this is implemented is that they've just wired the program and xram buses together so there's a single, unified Von Neumann address space.

But the main bit I'm interested in is the instruction set. Has anyone seen anything similar to this before?
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 7644
Re: What's this 8051 clone?
« Reply #4 on: September 23, 2021, 06:03:00 pm »
80251?

You mention "Buddha machines", is this related in any way? https://www.eevblog.com/forum/chat/big-clive-reverse-engineering-challenge/
 

Offline david.given

  • Contributor
  • Posts: 19
  • Country: ch
Re: What's this 8051 clone?
« Reply #5 on: September 23, 2021, 06:19:17 pm »
It's not 80251 --- the instruction set's quite different. It's also not MX51 or AT89LP. But yes, that's the device! The flash encryption's been decoded and now there's tooling for unpacking and repacking the firmware. Obviously, once we can run our own code on it we can figure out what the instructions all do, but someone must know what it is, and tracking this down would save a lot of time.

See the Reddit thread here: https://old.reddit.com/r/BigCliveDotCom/comments/pmt390/buddha_machine_teardown_with_flash_dump/

« Last Edit: September 23, 2021, 06:25:01 pm by david.given »
 

Online PCB.Wiz

  • Frequent Contributor
  • **
  • Posts: 500
  • Country: au
Re: What's this 8051 clone?
« Reply #6 on: September 23, 2021, 10:09:56 pm »
Quote
... What's interesting about it is that it's capable of executing code out of XRAM, and loads the bulk of its application payload from an 8-pin serial flash chip, making it trivial to reprogram.

How much XRAM is there ?  What SysClk and clocks per opcode does it have ?

Quote
It's not 80251 --- the instruction set's quite different. It's also not MX51 or AT89LP.

Yes, it looks like custom extensions, with modest extensions targeting the use of audio files and decompression.
The 80251 was quite a large extension, so it is unlikely to be (totally) that.
« Last Edit: September 23, 2021, 11:13:10 pm by PCB.Wiz »
 

Offline david.given

  • Contributor
  • Posts: 19
  • Country: ch
Re: What's this 8051 clone?
« Reply #7 on: September 23, 2021, 10:23:52 pm »
Quote
How much XRAM is there ?

The init code I quoted clears 0x1100 to 0x1900; the main binary loads at 0x1900 and goes up to 0x2200; the overlays load at 0x2200 and the biggest one goes up to 0x2800; so that suggests at least 6kB. Of course I have no idea what XRAM is used by the BIOS (there are lots of helper routines, plus the main filesystem code which loads and decrypts the code), or how much of it is exposed on the program bus.

Quote
What SysClk and clocks per opcode does it have ?

No idea so far.

Edit: I should add that it looks like there are some memory-mapped registers above 0xff00 in the XRAM, which I believe is unusual for 8051 devices, so my thought is that someone's dropped an 8051 softcore into a design with existing devices on the bus.
« Last Edit: September 23, 2021, 10:30:25 pm by david.given »
 

Online PCB.Wiz

  • Frequent Contributor
  • **
  • Posts: 500
  • Country: au
Re: What's this 8051 clone?
« Reply #8 on: September 23, 2021, 10:55:40 pm »
Quote
How much XRAM is there ?

The init code I quoted clears 0x1100 to 0x1900; the main binary loads at 0x1900 and goes up to 0x2200; the overlays load at 0x2200 and the biggest one goes up to 0x2800; so that suggests at least 6kB. Of course I have no idea what XRAM is used by the BIOS (there are lots of helper routines, plus the main filesystem code which loads and decrypts the code), or how much of it is exposed on the program bus.

Once you have the loader reverse engineered, I guess you can upload an XRAM scanning routine, to see how large XRAM is ?


I know this is not a 80251 clone, but if you wanted to check 'Chinese thinking' around 'extended 8051', I see STC have data on their upcoming STC16, which looks like a MCS251 with 32b FPMU extension support.

https://www.stcmcudata.com/STC8F-datasheet/STC16.pdf

Addit : Some of that STC16 data is in English, and maybe they have used a subset of MCS251 - if I was doing an extended 8051, the lazy path would be to try to use existing tools, but cherry pick opcodes ?

Is there a list of the bytes following 0A5H in the dumps you have so far ?



« Last Edit: September 23, 2021, 11:09:37 pm by PCB.Wiz »
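An added example (not code from this thread, nor from the firmware tool linked later in it) of how a practitioner would produce the list asked for above. A plain byte search for 0xA5 over-counts, because 0xA5 also turns up inside immediates and addresses; a linear sweep that steps through the dump using the standard MCS-51 instruction lengths only reports 0xA5 where it sits in opcode position. The sweep assumes, as the first post's disassembly does, that the prefix plus one sub-opcode byte form a 2-byte instruction. The sample bytes are the init routine quoted in the first post, followed by two constructed instructions whose operands contain 0xA5, to show the difference.

```python
# Added example (not from the thread or its linked tooling): list the bytes that
# follow an 0xA5 opcode in an 8051-family dump, using a linear sweep over the
# standard 8051 instruction lengths so that 0xA5 bytes sitting inside operands
# (immediates, addresses) are not mistaken for the prefix.
from collections import Counter

# Standard MCS-51 instruction lengths, 16 rows of 16 opcodes (row = high nibble).
# 0xA5 is undefined on a stock 8051 and is listed here with length 1.
_LENGTH_ROWS = (
    "1231121111111111",  # 0x00..0x0F
    "3231121111111111",  # 0x10..0x1F
    "3211221111111111",  # 0x20..0x2F
    "3211221111111111",  # 0x30..0x3F
    "2223221111111111",  # 0x40..0x4F
    "2223221111111111",  # 0x50..0x5F
    "2223221111111111",  # 0x60..0x6F
    "2221232222222222",  # 0x70..0x7F
    "2221132222222222",  # 0x80..0x8F
    "3221221111111111",  # 0x90..0x9F
    "2221112222222222",  # 0xA0..0xAF
    "2221333333333333",  # 0xB0..0xBF
    "2221121111111111",  # 0xC0..0xCF
    "2221131122222222",  # 0xD0..0xDF
    "1211121111111111",  # 0xE0..0xEF
    "1211121111111111",  # 0xF0..0xFF
)
INSN_LENGTH = [int(c) for row in _LENGTH_ROWS for c in row]

PREFIX = 0xA5
# Assumption taken from the thread's disassembly (A5 61 = CMP16 R0R1,R2R3):
# the prefix plus one sub-opcode byte form a 2-byte instruction.
PREFIX_LENGTH = 2


def insn_length(opcode: int) -> int:
    """Length in bytes of the instruction starting with `opcode`."""
    return PREFIX_LENGTH if opcode == PREFIX else INSN_LENGTH[opcode]


def find_prefixed(code: bytes, base: int = 0):
    """Linear sweep from `base`; returns [(address, byte after 0xA5), ...]."""
    hits = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        n = insn_length(op)
        if pc + n > len(code):  # truncated trailing instruction, stop cleanly
            break
        if op == PREFIX:
            hits.append((base + pc, code[pc + 1]))
        pc += n
    return hits


def prefix_histogram(code: bytes, base: int = 0) -> Counter:
    """How often each sub-opcode follows 0xA5 in opcode position."""
    return Counter(b for _, b in find_prefixed(code, base))


def naive_a5_count(code: bytes) -> int:
    """Every 0xA5 byte regardless of position, for comparison."""
    return code.count(PREFIX)


# Constructed sample: the init routine quoted in the first post (CODE:2203..222d)
# followed by two made-up instructions whose operands happen to contain 0xA5,
# MOV A,#0xA5 (74 a5) and MOV DPTR,#0xA500 (90 a5 00), then RET.
SAMPLE_BASE = 0x2203
SAMPLE = bytes.fromhex(
    "75d000 758100 758702 e4 758610 901100 7a00 7b19"
    "f0f0f0f0f0f0f0f0 a882 a983 a561 30d1ef 758600 022200"
    "74a5 90a500 22"
)

if __name__ == "__main__":
    for addr, sub in find_prefixed(SAMPLE, SAMPLE_BASE):
        print(f"{addr:04x}: a5 {sub:02x}")
    print("sub-opcode histogram:", dict(prefix_histogram(SAMPLE, SAMPLE_BASE)))
    print("raw 0xA5 bytes in dump:", naive_a5_count(SAMPLE))
```

On the sample the sweep reports a single prefixed instruction at 0x2223 (sub-opcode 0x61), while the raw byte count finds three 0xA5 bytes. A linear sweep is still only a first pass: it goes wrong after inline data or after any other undocumented opcode whose length differs from the standard table, so disagreements between this list and a real disassembler are themselves a hint about where further extensions hide.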
 

Online PCB.Wiz

  • Frequent Contributor
  • **
  • Posts: 500
  • Country: au
Re: What's this 8051 clone?
« Reply #9 on: September 23, 2021, 11:17:11 pm »

Quote
Edit: I should add that it looks like there are some memory-mapped registers above 0xff00 in the XRAM, which I believe is unusual for 8051 devices,..

It is becoming more common for 8051 variants to map SFRs into XDATA space, as they run out of space in the standard SFR space.
With STC's 'standard 8051', many of the PWM etc. registers are mapped into XDATA, and they use 0xff00 and above.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 7644
Re: What's this 8051 clone?
« Reply #10 on: September 24, 2021, 12:24:59 am »
Quote
It's not 80251 --- the instruction set's quite different. It's also not MX51 or AT89LP. But yes, that's the device! The flash encryption's been decoded and now there's tooling for unpacking and repacking the firmware. Obviously, once we can run our own code on it we can figure out what the instructions all do, but someone must know what it is, and tracking this down would save a lot of time.

See the Reddit thread here: https://old.reddit.com/r/BigCliveDotCom/comments/pmt390/buddha_machine_teardown_with_flash_dump/
Wow! There's a lot more progress there than I expected, and this chip is also far more capable than I thought would be used for such an application. Then again, I didn't expect the flash data to be obfuscated, nor the COB to be anything more than a dedicated ASIC. If someone volunteers to sacrifice one to see if the die has any markings, that might help identify the manufacturer and/or part number.

Unfortunately Google gives absolutely useless results (far worse than it used to be) for searching this sort of obscure stuff, so I'm having trouble finding 8051-variants that might fit. There's also the question of whether the companies who make these chips would have any presence on the English internet.
 

Offline david.given

  • Contributor
  • Posts: 19
  • Country: ch
Re: What's this 8051 clone?
« Reply #11 on: September 24, 2021, 10:23:41 am »
Quote
Once you have the loader reverse engineered, I guess you can upload an XRAM scanning routine, to see how large XRAM is ?

Yup. Hopefully the mask ROM will be accessible, too --- there seem to be two chunks, one at 0x8000 and one at 0xb000. Knowing what's in there would help a lot.

Quote
Is there list of the bytes following 0A5H in the dumps you have so far ?

Here's a link for a full disassembly. This combines the main application at 0x1900 and the first overlay at 0x2200, so everything's at the right address. It's using the MXC51 disassembler, which is wrong, but it's at least got the bytes in it. https://github.com/uzlonewolf/BuddhaMachineFirmwareTool/blob/main/firmware/fileparts.00.code.app.part-14-00.bin.asm

Quote
I see STC have data on their upcoming STC16, which looks like a MCS251 with 32b FPMU extension support.

I love the 8051 --- it's the Instruction Set That Will Not Die! The entire world runs off this god-awful antique ISA and shows no signs of stopping. I mean, trying to bolt on a 32-bit FPU onto it is sheer insanity, and yet people are. It's so delightfully perverse.

 

Offline david.given

  • Contributor
  • Posts: 19
  • Country: ch
Re: What's this 8051 clone?
« Reply #12 on: September 24, 2021, 10:17:27 pm »
Somebody found what looks like an unblobbed version of the same board, and apparently bigclive has looked at one before, so here's the link with a nice big picture of the PCB: https://youtu.be/baCLqPzuiF8?t=330

The chip is a 16-pin job with the following label:

Code:
IT80ZXD
MAREF900
1816

 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 7644
Re: What's this 8051 clone?
« Reply #13 on: September 25, 2021, 12:24:39 am »
Quote
Somebody found what looks like an unblobbed version of the same board, and apparently bigclive has looked at one before, so here's the link with a nice big picture of the PCB: https://youtu.be/baCLqPzuiF8?t=330

The chip is a 16-pin job with the following label:

Code:
IT80ZXD
MAREF900
1816

That's a Generalplus IC judging by the logo, but no guarantee it's going to be the same model or even manufacturer in the COB version. They do make 8051s though. (G+'s website is a horribly slow JS-ridden "modern" abomination. I tried browsing the datasheets there but gave up shortly. If I was going to be a customer, they just lost me. |O)
 

Offline david.given

  • Contributor
  • Posts: 19
  • Country: ch
Re: What's this 8051 clone?
« Reply #14 on: September 25, 2021, 09:48:12 am »
Wow, I completely failed to notice that was a manufacturer logo. I think my brain just assumed it was a smear on the chip. Bad brain. Thanks very much!

So someone's dumped the SPI flash and cracked the encryption --- same scheme, different settings --- and it's very similar to the COB version: same file system, slightly different code.app file, etc. So it's very likely it's the same chip. https://old.reddit.com/r/BigCliveDotCom/comments/pmt390/buddha_machine_teardown_with_flash_dump/he6650t/

I've poked around GeneralPlus's website (it's not that bad; at least the documents are there, mostly. When it works.). Apparently their really low-end stuff uses 6502 cores! The most plausible looking devices are the GPM8 series, which are 8051s with additional XRAM. The GPM8F3496A has 12kB of XRAM, which makes it very plausible, but there's no documentation available and it's weirdly high-end for such a trivial application (like, it's got USB support). The other 8051 data sheets don't mention any extended instructions. The GPM8F3132C has 8kB of XRAM but doesn't have a unified bus, and while it's got a bunch of 16-bit ALU extensions they're all implemented via SFRs. So I think we're getting closer, but are still unfortunately cigarless.

I wonder whether this is a batch of failed chips which have been sold off cheap for use in toys?



 

Online PCB.Wiz

  • Frequent Contributor
  • **
  • Posts: 500
  • Country: au
Re: What's this 8051 clone?
« Reply #15 on: September 25, 2021, 10:08:54 pm »
Quote
I wonder whether this is a batch of failed chips which have been sold off cheap for use in toys?

Maybe.
Another angle is sometimes a customer is large enough to dictate features and the chip exists because of them.
The IC vendor is then allowed to sell the part on the open market after some time delay, and often with not all features documented. That keeps the edge for the original customer and covers the risk for the IC vendor.

Quote
... The GPM8F3496A has 12kB of XRAM, which makes it very plausible, but there's no documentation available and it's weirdly high-end for such a trivial application (like, it's got USB support).

The incremental cost of USB support is not great, and it can give a useful upgrade and late-change pathway for expanded products.

The STC 8051 parts also have some form of what I'd call 'quasi USB support', where they have a ROM loader that can use USB in software as a low cost ISP pathway.
Like the AVR SW USB efforts, it likely does not pass full USB specs, but is 'workable enough' for programming use.  That makes it a clever solution.




« Last Edit: September 25, 2021, 10:15:27 pm by PCB.Wiz »
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 7644
Re: What's this 8051 clone?
« Reply #16 on: September 26, 2021, 03:32:38 am »
GeneralPlus (and its parent/??? company SunPlus) definitely make more different parts than they publicly advertise. But that discovery with the nearly identical SPI flash format between the G+ chip and the COB is definitely progress, because it points to G+ being the MCU company. Following that lead, I found that Furbies use a GeneralPlus MCU too, and they can play audio encoded using something called the "GeneralPlus A1800 codec":

https://github.com/Jeija/bluefluff/blob/master/doc/dlcformat.md

From there is a link to a tool called "G+ Gadget" and the download is available on the GeneralPlus site, with description "With this gadget, users can easily make their SPI resources by automatic process, from audio converting to file packing" which sounds (no pun intended) a lot like what's happening here. Unfortunately it's a rather large download - 45MB - so perhaps I'll let someone else look into what it contains.

But looking further around those topics on the Internet I found a very old (expired), entirely-Chinese patent about audio encoding by Sunplus that also comes with source code(!):

https://patentimages.storage.googleapis.com/bd/b2/46/d4a799fa82ed8d/CN1867968B.pdf
 

Offline david.given

  • Contributor
  • Posts: 19
  • Country: ch
Re: What's this 8051 clone?
« Reply #17 on: September 26, 2021, 11:19:02 am »
Very nice --- thanks a lot! Although the patent PDF has no text layer, and OCR isn't having good luck with the font, so that's 83 pages of manual typing... I'll keep trying with the OCR. Unfortunately there's no license specified, unless it's in Chinese in the body text, so I probably can't upload it anywhere.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 7644
Re: What's this 8051 clone?
« Reply #18 on: September 26, 2021, 11:38:48 pm »
It's an expired patent, which means most likely it's in the public domain.

Besides, we're talking about the Chinese here... ;)
 

Offline neil555

  • Contributor
  • Posts: 30
  • Country: gb
Re: What's this 8051 clone?
« Reply #19 on: October 02, 2021, 06:22:52 pm »
Mine finally arrived from China and also had an unblobbed micro.

The chip is branded JL and the part number is AB20CM9K17.1

I'll grab a photo later (tried on my iPhone but the macro mode is awful).
 

Offline david.given

  • Contributor
  • Posts: 19
  • Country: ch
Re: What's this 8051 clone?
« Reply #20 on: October 02, 2021, 06:57:58 pm »
I'm still waiting for mine to show up. Apparently they're stuck in Swiss customs. Lucky Swiss customs.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 7644
Re: What's this 8051 clone?
« Reply #21 on: October 02, 2021, 10:42:03 pm »
Quote
Mine finally arrived from China and also had an unblobbed micro.

The chip is branded JL and the part number is AB20CM9K17.1

I'll grab a photo later (tried on my iPhone but the macro mode is awful).

That's a very different part. The even more elusive company that made it is JieLi and I've done a little bit of digging on them before, but there's next to zero information about them: https://www.eevblog.com/forum/projects/datasheet-for-chinese-parts/msg2720674/#msg2720674

In other news, I did manage to download the whole "G+ Gadget" and there are about a dozen different audio codecs in it with names like A1800, A1600, A1601, etc; the audio files from Clive are unlikely to be A1800 (or possibly they have been obfuscated) but there's plenty of others to try. There are also some .S37 firmware images with suggestive names like "PlayA1800FromSPIFlash.S37" but a quick search didn't match anything from the flash dump. I found a "CipherUtil.dll" which could have the relevant code.
 

Offline brucehoult

  • Super Contributor
  • ***
  • Posts: 2485
  • Country: nz
  • Formerly SiFive, Samsung R&D
Re: What's this 8051 clone?
« Reply #22 on: October 02, 2021, 11:21:19 pm »
Quote
Apparently their really low-end stuff uses 6502 cores!

It should be the other way around, really!

If you squint right, the 8051 and 6502 are not all that different, except the 8051 has A plus 8 numbered registers while the 6502 has A, X, Y plus 256 registers.

If your algorithm can fit into 8 registers then 8051 code can be more compact because opcodes are generally just 1 byte (with only 3 bits needed to specify the register), but if it doesn't then the 6502 is instantly a lot easier to use. The 6502 is also easier if you have a lot of pointers or complex memory data structures.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 7776
  • Country: fr
Re: What's this 8051 clone?
« Reply #23 on: October 02, 2021, 11:39:14 pm »
Quote
If your algorithm can fit into 8 registers then 8051 code can be more compact because opcodes are generally just 1 byte (with only 3 bits needed to specify the register), but if it doesn't then the 6502 is instantly a lot easier to use. The 6502 is also easier if you have a lot of pointers or complex memory data structures.

I've never actually programmed for a 6502, but I have for 8051 cores, and I can confirm those are annoying and inefficient for memory access in general.
 

Offline brucehoult

  • Super Contributor
  • ***
  • Posts: 2485
  • Country: nz
  • Formerly SiFive, Samsung R&D
Re: What's this 8051 clone?
« Reply #24 on: October 03, 2021, 12:48:34 am »
Quote
If your algorithm can fit into 8 registers then 8051 code can be more compact because opcodes are generally just 1 byte (with only 3 bits needed to specify the register), but if it doesn't then the 6502 is instantly a lot easier to use. The 6502 is also easier if you have a lot of pointers or complex memory data structures.

I've never actually programmed for a 6502, but I have for 8051 cores, and I can confirm those are annoying and inefficient for memory access in general.

Yeah, as I understand it, access to the full external RAM is available only with MOVX @DPTR (internal RAM locations 82H & 83H) to and from A.

For accessing the full 64k of RAM 6502 has:

$nnnn      absolute
$nnnn,X    absolute indexed (8-bit index register)
$nnnn,Y
($nn,X)    index X modifies which Zero Page pair is used to hold the pointer
($nn),Y    index Y is added to the address held in the Zero Page pair

So you effectively have up to 128 ZP pairs that each work like @DPTR. And you can do an offset from that address (incrementing correctly to the next memory page if required).

And if you actually know the address in advance, you don't have to set up a DPTR at all, even if you want to index from that known location.

Note that these addressing modes are all available with LDA, STA, ADC, SBC, CMP, AND, EOR, ORA so you don't need MOV/MOVX instructions in addition to the arithmetic and the code expansion from longer opcodes isn't as bad as you might think.

The 8051 is pretty good if you only have a small amount of state to deal with.
 

