Intel 87c196 EEPROM image disassemble - how to?

Status
Not open for further replies.

Thread Starter

blaster_liuteniant

Joined May 11, 2017
3
Hi,

I am just an IT guy (computer engineer) and beginning my adventure with microcontrollers and embedded software. Nice to meet you all.

One of my learning tasks is -so i I decided it- disassembling a 256kb flash image, a .bin file. The information I have is:

-The target processor belongs to Intel's 87c196 family
-The target EEPROM for the .bin file is a 29F200 one

I've tried the IDA and binwalk programs on the .bin, but with no success. Therefore I am going with the manual, hard method. And here is where I want to ask you: how to proceed? Any clues about how to start? I am not able to tell apart code sections from data sections. I have downloaded some user guides for similar chips, but they do not seem to mention this kind of info (where the instructions shall be located on an external memory chip).

Thanks a lot in advance; any little piece of help will be much appreciated.

DISCLAIMER: this is just a learning-purposes project. I am not trying to publish any of my results nor take monetary profit of closed and copy-righted code in any way.
 

Papabravo

Joined Feb 24, 2006
21,159
It has been 25 years since I worked with this processor. IIRC the power on reset address is at an address like 0x2080. Usually when they do this in an architecture they put RAM at address 0x0000.
 

MrChips

Joined Oct 2, 2009
30,712
Disassemblying code for single instruction RISC architecture is a lot simpler.

For multi-byte instructions on a CISC machine you have to start with the RESET vector and work your way through.

The code begins at 2080H.
 

Papabravo

Joined Feb 24, 2006
21,159
The other helpful trick to disassembling old code is to find all of the return instructions. The next instruction word is likely the beginning of a new function or subroutine. This can be confirmed by finding CALL instructions with that destination address.
 

MrChips

Joined Oct 2, 2009
30,712
One other thing.

You are making the assumption that the EPROM was wired with the address lines and data lines in the expected manner. If the designer scrambled the address and/or data lines then that would complicate matters.
 

Thread Starter

blaster_liuteniant

Joined May 11, 2017
3
Thanks you both a lot. I have actually learnt something.

On the other hand, it seems IDA was failing because I was selecting 80196 instead of 80196NP as the target processor. Now I am obtaining a code listing, pretty large by the way.

I have confirmed in official docs that the reset vector is located at 0x2080, just as you said. However, when looking into the disassembled file, I can see these at that position:

Code:
ROM:2080 ; =============== S U B R O U T I N E =======================================
ROM:2080
ROM:2080
ROM:2080                 ; public start
ROM:2080 start:
ROM:2080                 rst
ROM:2080 ; End of function start
ROM:2080
ROM:2081 ; ---------------------------------------------------------------------------
ROM:2081                 rst
... (more rst's)
Is that normal? How can then control be transferred to the first line of code after reset if there is no 'start' function?
 

Papabravo

Joined Feb 24, 2006
21,159
Since you ask, the only way I know of is to use the NMI vector and run all of the code in the NMI interrupt routine which never executes a return from interrupt, or there is some mapping going on that overlays internal or external memory at 0x2080 so you need to keep looking for something that makes sense.
 

Thread Starter

blaster_liuteniant

Joined May 11, 2017
3
Since you ask, the only way I know of is to use the NMI vector and run all of the code in the NMI interrupt routine which never executes a return from interrupt, or there is some mapping going on that overlays internal or external memory at 0x2080 so you need to keep looking for something that makes sense.
I see. Well, thanks for your hints. I will keep working.
 
Status
Not open for further replies.
Top