Help me decompiling 80C188 program

Discussion in 'Embedded Systems and Microcontrollers' started by Scaramanga, Mar 24, 2013.

  1. Scaramanga

    Thread Starter New Member

    Mar 24, 2013
    6
    0
    First of all I would like to present myself:

    - I am a Telecommunications Engineer who is starting to work as a professional in the field of microcontrollers and microprocessors.

    You have been recommended to me by a colleague because he says that you are the most experienced where microprocessors and microcontrollers are concerned.

    I have the following beginner question, and I thank you for your time:

    - I have a program for AMD N80C188-120 written on two EPROMs 27cL40, one is called "HIGH" and the other "LOW". I need to read that program and be able to decompile it to a language in which I can understand what the program does.

    - What I have thought is:

    1) Read the two EPROMs (HIGH and LOW) with an EPROM reader. Once I have done this, how do I shuffle them? How do I compose the high and low to obtain the real program code?

    2) Once I have the program in a binary file (read from the EPROMs), I need to use a disassembler to translate it to assembler. Could I use IDA PRO? I do not find the 80c188 as a device to use in the disassembly, is there any other device which is compatible? Is there any tool or IDE to do this kind of exercise with AMD 80C188 processors?

    3) And the last thing, once I have the code in assembler, can I translate it to a higher language like C? Which tool should I use for this?

    I have worked with PIC from Microchip and it is very easy because all the tools are in the IDE, the MPLAB IDE, but for this kind of processor (AMD 80C188) I haven't found a specific IDE. Does it exist?

    Thanks a lot
     
  2. ErnieM

    AAC Fanatic!

    Apr 24, 2011
    7,386
    1,605
    1. Yes

    2. Maybe. Probably easier to just do it by "hand" using cut & paste or some other scripting technique.

    3. Not a chance.
     
  3. Scaramanga

    Thread Starter New Member

    Mar 24, 2013
    6
    0
    Thanks a lot ErnieM

    I have the following doubts about your explanation:

    1) How do I shuffle (combine them to generate the real code) the HIGH and LOW EPROMs? Does having a HIGH and a LOW mean that the processor is a 32 bit processor (the high word and the low word)? How do I know if it is a 32 or a 16 bit processor? It is an AMD N80C188-20. If I have the two binaries read from the two EPROMs, how do I compose the final code?

    2) What tool or IDE do you recommend to do this job? Why can't I translate all the code in one translation? Why do I have to use cut and paste?

    3) For Microchip controllers I know of tools (like CCS) that let you translate to C, why doesn't it exist for AMD N80C188? Are you sure?

    Thanks a lot
     
  4. spinnaker

    AAC Fanatic!

    Oct 29, 2009
    4,866
    988
    It will probably to rewrite the code yourself and the bonus is that it will be sure to be legal.
     
  5. takao21203

    Distinguished Member

    Apr 28, 2012
    3,577
    463
    1) You only have two variations to test. It is not difficult, you can use old QBasic, Visual Studio, or whatever you are used to.

    2) and 3) There is no such IDE, at the time when 80186 was common, software was often based on MSDOS.

    There might be no specific 80186 software now.

    Also disassembling down to the bone and even recreating C is not a good thing to do.

    Once you get some of the gist what the program is doing, recreate it, either in assembler, or C language.

    8086 language is not that difficult or uncomfortable. And your board only runs in real mode.

    The support chips the 8086 is typically using can be a pain even to program regularly, with the documentation available, and using C language.

    Disassembling?

    Do you have any idea how many bytes or KBytes are residing in these EPROMS?

    There is for instance MASM32 which you can download, and also NASM which can be used via CLI.

    Do you have the original documentation available for the board or a schematic? If not, it might be a waste of time altogether.

    Better off seeing what it is doing or supposed to do, and rebuilding the board using modern technology.

    I mean if you spend weeks on disassembling it to the bone, it is clearly a waste.

    Compiler produced assembler code can be a pain as well to understand it properly.

    How do I know if it is a 32 or a 16 bit processor? It is an AMD N80C188-20.

    16 Bits. Not much different from the plain 8086.
    I suggest to obtain the datasheet for 80186. They are all about the same, don't know what is particularly different for 80C188.

    The instruction set is the same.

    You'll be able to figure out :)

    I have here only 8086 datasheet from Intel.

    Protected mode was introduced with 80286 in 1984, and only via an ugly workaround. It was still a 16bit processor.

    Only 80386 introduced 32bit registers.

    80186 mostly was used for embedded purposes, various derivatives exist but the differences are minor.
     
  6. takao21203

    Distinguished Member

    Apr 28, 2012
    3,577
    463
    I suggested that too, spending weeks on disassembly would be a waste. It could make sense if any original documentation is available to OP.

    Can we see a picture eventually?
     
  7. Scaramanga

    Thread Starter New Member

    Mar 24, 2013
    6
    0
    A picture from what?

    The architecture is simple:

    - An AMD N80C188-20 connected to two EPROMs (HIGH and LOW) and a RAM.

    If it is a 16 bit processor, why does it have HIGH memory and LOW memory? Does it mean that each of the EPROMs has words of 8 bits? How do I compose the final code? Once composed, which tool should I use to decompile to assembler the binary code composed from the EPROMs?

    I have lost the source and I need to decompile it, that is why I ask you to help me. It is not a problem for me wasting time reading the assembler code, but I need to obtain it from the EPROMs. I can read the two EPROMs to two binary files, I need to know how to compose the final code (one EPROM is HIGH and the other LOW) and once it is composed, I need to use a tool to disassemble this binary to assembler.

    Thanks a lot for your help
     
  8. Markd77

    Senior Member

    Sep 7, 2009
    2,803
    594
    It's a common misconception that the bit width of the processor is the only factor in how much memory it can address and the width of the data bus to memory.
    If it were true then once popular computers like the Spectrum would only have been able to access 256 bytes of RAM.
     
  9. kubeek

    AAC Fanatic!

    Sep 20, 2005
    4,669
    804
    You have only two options. Either this means that one eeprom contains the low byte of a word and the other the high byte, or one is the lower half of the memory space and the other is the high half of the memory space. According to this the chip has 8bit outer data bus, so I bet the second assumption is true, but you can also check by looking at how exactly the data and address lines are connected.

    After you extract the data, you might try using some normal x86 disassembler and see where this gets you. But anyway, why do you even need to see the code of such an old thing?
     
  10. takao21203

    Distinguished Member

    Apr 28, 2012
    3,577
    463
    I see.

    NASM would include a disassembler? Or maybe MASM32 can load a binary image into memory, and then you can run single step + disassembly.

    There are only two combinations to try. The opcodes are always 16bit but the 80x86 also has varying opcode length. There are however many which are always 16bit.

    Or I am wrong? I think so.

    On the 68000, if you see a lot of "Nu" as ASCII, you know it is executable code.

    Same on the 80x86. You'd know if the ASCII makes some sense, and you'd be able to recognize a relocation table for EXE.

    So try the combinations, until you see some ASCII that look familiar.

    If it is stored with 8bit words, then the Opcodes inside are made from two. Internally both 86 and 88 are 16bit.

    Does the 80C188 have two select lines for memory? You'd really also find that information in the datasheet.

    Have you tried for 80c188 or your specific chip?
     
  11. takao21203

    Distinguished Member

    Apr 28, 2012
    3,577
    463
    I am too lazy to search + download the 188 datasheets.

    But for 8086, the address bus and data bus are multiplexed.
    There is an address latch, and ALE (address latch enable).

    The 8088 only has 8bit bus. Don't know how the latching is done. Logically, it needs two ALE lines.
     
  12. takao21203

    Distinguished Member

    Apr 28, 2012
    3,577
    463
    He obviously wants to know as a matter of fact and needs decompile as well.

    Could there be more combinations than two?

    Once we have the datasheet we could rule that out.
     
  13. Papabravo

    Expert

    Feb 24, 2006
    10,135
    1,786
    The 8088 has an 8 bit data bus multiplexed with 8 address bits. They are the lower address bits if I recall correctly. The upper address bits are not latched. The Single ALE signal enables a transparent latch ('373 or '573) while high and latches the data on the trailing edge.

    The '188 is an embedded version of the 8088 which may have a different arrangement. You really have to read the datasheet. When the databus goes to 16 bits the new control signal is called BHE-bar which stands for "Bus High Enable". It is low for word transfers and high for byte transfers.
     
    absf likes this.
  14. JohnInTX

    Moderator

    Jun 26, 2012
    2,339
    1,022
    Here's the datasheet. The '1' in '188 indicates that it includes some on board peripherals that the 8088 didn't have but, like the 8088, the 16 bit bus is crammed into 8 bits. Because of this, the high and low ROMs probably are two different sections of the program i.e. 0000-3fffh and 4000h-7fffh rather than interleaved 16 bit words (as in the 80186 with a 16 bit bus-and PB would be correct re:BHE/).

    Archive versions of TurboC/BorlandC are floating around the intertubes. If you can get one with the IDE you can import the .HEX image and disassemble it. As the others have stated, no sane way to get back to C source.
     
    absf likes this.
  15. Papabravo

    Expert

    Feb 24, 2006
    10,135
    1,786
    I disagree. It is quite probable that the demultiplexed A0 is used to select one chip or the other. The generation of chip selects is done inside the chip so it may be hard to tell from the schematic. It is true that instructions are pulled from ROM a byte at a time but the BIU (Bus Interface Unit) makes that transparent to the programmer.
     
    absf and JohnInTX like this.
  16. kubeek

    AAC Fanatic!

    Sep 20, 2005
    4,669
    804
    Yes, could be, but this depends on the guy who designed the circuit. You can have it connected in such a way that the byte select toggles A0 on the memories' address line and the last address line switches between the two chips, but it could also be the other way, and neither the processor nor the programmer could tell a difference.
     
    absf and JohnInTX like this.
  17. Papabravo

    Expert

    Feb 24, 2006
    10,135
    1,786
    Looking at the content of the two memories, especially the last 8 to 16 bytes of each, will quickly reveal either reasonable instructions or garbage. The reset address in segmented form is 0xFFFF:0
     
    JohnInTX likes this.
  18. JohnInTX

    Moderator

    Jun 26, 2012
    2,339
    1,022
    Yeah... I was thinking back to an implementation I did way back when. IIRC, the memory organization looked mostly like Fig 6 in the datasheet i.e. boot/reset ROM in high memory and extra program ROMs lower in the map.. thinking HI and LOW that way. But, it's so true that it could be implemented as you say. I'm not sure why they would interleave the ROM on an 8 bit bus (speed?) but who knows.

    Thanks!
     
  19. Scaramanga

    Thread Starter New Member

    Mar 24, 2013
    6
    0
    Good Morning.

    Attached are the architecture of the processor and how it is connected with the two EPROMs. I hope it can help you and let us know how it is.

    I have deduced that both chips (EPROM HIGH and EPROM LOW) are connected to the same pins of the N80C188 (AD0-AD7), so I can deduce that HIGH and LOW mean that the lower half of the memory space is in LOW and the other is the high half of the memory space. Can you confirm that?

    Once we know it, I only need you to specify (if it is possible) a tool to decompile both EPROMs when they are read by an EPROM reader. I read the two EPROMs and I obtain two binary files. I need to disassemble each of these knowing that the processor is an N80C188. Which tool should I use for Windows or Mac (I do not work with DOS)? Can I disassemble each of the binaries from the EPROMs with a "click" of the selected tool?

    One more time, Thanks a lot for your help
     
  20. kubeek

    AAC Fanatic!

    Sep 20, 2005
    4,669
    804
    It is exactly the opposite, they share the same address and data bus, and one is selected by the LCS signal and one by the UCS.
    Try reading this http://www.classiccmp.org/rtellason/chipdata/80188.pdf
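
The check suggested in posts 17 and 20, written out as an added example (not code from any poster in this thread): build each candidate layout from the two dumps and look for a far JMP in the 16 bytes that sit at the reset address FFFF:0000. The function names and the two sample dumps are constructed for illustration, and scanning for opcode 0xEA is a heuristic, not a full disassembly.

```python
TOP = 0x100000  # the 80C188 addresses 1 MiB; ROM holding the reset code ends at 0xFFFFF

def interleave(even, odd):
    """Byte-interleaved layout: `even` supplies even addresses, `odd` the odd ones."""
    if len(even) != len(odd):
        raise ValueError("interleaved dumps must be the same size")
    out = bytearray(len(even) + len(odd))
    out[0::2], out[1::2] = even, odd
    return bytes(out)

def reset_jump(image):
    """Return (segment, offset) of a far JMP found in the last 16 bytes, else None.

    The image is assumed to be mapped so that its last byte is at 0xFFFFF,
    which puts its last 16 bytes at the reset address FFFF:0000 (0xFFFF0).
    A hit only counts if the jump target lands inside the image itself.
    """
    base = TOP - len(image)
    stub = image[-16:]
    for i in range(len(stub) - 4):
        if stub[i] != 0xEA:                      # JMP ptr16:16
            continue
        off = int.from_bytes(stub[i + 1:i + 3], "little")
        seg = int.from_bytes(stub[i + 3:i + 5], "little")
        phys = ((seg << 4) + off) & 0xFFFFF      # real-mode address calculation
        if base <= phys < TOP - 16:
            return seg, off
    return None

def plausible_layouts(low, high):
    """Map each candidate layout name to its reset jump, keeping only those with one."""
    candidates = {
        "separate regions, HIGH at top of memory": high,
        "interleaved, LOW on even addresses": interleave(low, high),
        "interleaved, HIGH on even addresses": interleave(high, low),
    }
    hits = {name: reset_jump(img) for name, img in candidates.items()}
    return {name: jump for name, jump in hits.items() if jump}

# Constructed 64-byte sample dumps. Real ones: open("high.bin", "rb").read()
LOW_SAMPLE = bytes(64)
HIGH_SAMPLE = b"\xfa\xf4" + b"\xff" * 46 + bytes.fromhex("EA0000FCFF") + b"\xff" * 11

if __name__ == "__main__":
    for name, (seg, off) in plausible_layouts(LOW_SAMPLE, HIGH_SAMPLE).items():
        print(f"{name}: reset stub jumps to {seg:04X}:{off:04X}")
```

If exactly one layout survives, disassemble that image as 16-bit real-mode x86 starting from the reported jump target.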
     